
XML Gateway Outbound PO Errors With FileNotFoundException on cwallet.sso in EBS Oracle Apps



Error:


XML Gateway was set up with a trading partner for outbound transmission of Purchase Orders to the Oracle Supplier Network, and an approved purchase order was generated. However, the transaction monitor shows a Delivery Status of Error and a Delivery Message of Invalid CACert File. The xml_sql output shows the following error:

oracle.apps.ecx.oxta.ConnectionFailureException: Connection failure resulting from:
java.io.FileNotFoundException: /inst/apps/<$CONTEXT_NAME>/certs/Apache/cwallet.sso


Reason:

The cwallet.sso file did not exist in the location specified in $INST_TOP/ora/10.1.3/j2ee/oafm/config/oc4j.properties. This is the configuration file used by XML Gateway in EBS version 12.1.3.


Solution:


For EBS 12.1.3 only

Configure XML Gateway to use the JKS wallet instead of the SSO wallet.   This allows for TLS authentication.   

1.  Ensure that the JDK version is 1.7.131 or higher in order to support TLS authentication for EBS 12.1.3.  

2.   Update the autoconfig $CONTEXT_FILE parameters:

s_ssl_truststore = $AF_JRE_TOP/jre/lib/security/cacerts
- Be sure to confirm the path to the cacerts file and insert the correct path here.   

- You will need to import your trading partner certificates into this wallet. 

s_ssl_truststoretype = JKS

s_ssl_trustmanageralgorithm = SunX509

 

Note: By default, the keystore is set to cwallet.sso, which is also the default truststore. These are SSO store types.

While this configuration will work in most cases, our guidance is to set up and configure a JKS keystore in addition to the truststore, but either case should work.

s_ssl_keystore = <path to the server key certificate keystore>   see Note 2042654.1 'Inbound Connections'  for an example on how to create a JKS keystore

s_ssl_keystoretype = JKS

s_ssl_keymanageralgorithm = SunX509

 

Note:   s_ssl_trustmanageralgorithm and s_ssl_keymanageralgorithm default to the SSO value of OracleX509.  If you are using JKS keystore types then use SunX509.  

 

3.  Run Autoconfig. 

4.  Restart the OAFM container or middle tier. 

5.  Retest the connection to verify that it works. 



In Release 12.2, OTA runs under the WebLogic server. The system properties are read from the oafm_wls.properties file of the oafm managed server, which is $INST_TOP/appl/admin/oafm_wls.properties.

Also, in Release 12.2, OTA has client authentication enabled by default. The default wallet used by the WebLogic server already has a user certificate. The same certificate will automatically be used for client authentication during the handshake, if client authentication is required by the server OTA is connecting to.

If there is a chain of certificates issued by CA(s), the CA certificates should be added as trusted certificates in the same wallet. The default location for the wallet is {s_web_ssl_directory}/Apache. Refer to the Application Context file for the exact location of the {s_web_ssl_directory} variable.

If you create a new wallet in a different location than {s_web_ssl_directory}/Apache, then the parameters javax.net.ssl.trustStore and javax.net.ssl.keyStore in the $INST_TOP/appl/admin/oafm_wls.properties file have to be manually edited to point to the new wallet.



Update each $INST_TOP/appl/admin/oafm_wls.properties to point to the keystore and not the wallet.

For example,

          # Added for OXTA
          #
          # StoreType Parameters
          #
          javax.net.ssl.trustStoreType=JKS
          javax.net.ssl.keyStoreType=JKS
          #
          # Store Parameters
          #
          javax.net.ssl.trustStore=$AF_JRE_TOP/jre/lib/security/cacerts
          javax.net.ssl.keyStore=$AF_JRE_TOP/jre/lib/security/cacerts

 

3. Shut down and restart the OAFM service with adoafmctl.sh so the changes to the properties files are picked up:

            sh $ADMIN_SCRIPTS_HOME/adoafmctl.sh stop

            sh $ADMIN_SCRIPTS_HOME/adoafmctl.sh start

Note: Any time you make changes to the configuration or properties files, you must bounce the services for that server.
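
A preflight check for the store settings above, added here as an example (it is not from the original post or from Oracle): it reads the javax.net.ssl.* store properties from a file such as oafm_wls.properties and reports a store file that is missing, which is the condition behind the FileNotFoundException. The function names, the return codes and the rule that a path still containing a $VARIABLE has not been replaced with the real path are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Oracle code): preflight for the javax.net.ssl.* store settings.

# get_prop FILE KEY: print the value of KEY (last assignment wins, comments skipped).
get_prop() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }
        { i = index($0, "="); if (i == 0) next
          k = substr($0, 1, i - 1); v = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
          if (k == key) val = v }
        END { print val }' "$1"
}

# check_store FILE KIND (KIND is trustStore or keyStore).
# Returns 0 ok, 1 property unset, 2 file missing or unreadable,
# 3 type JKS but the file is an SSO wallet, 4 unexpanded $VARIABLE in the path.
check_store() {
    path=$(get_prop "$1" "javax.net.ssl.$2")
    type=$(get_prop "$1" "javax.net.ssl.${2}Type")
    [ -n "$path" ] || { echo "$2: not set in $1"; return 1; }
    case $path in
        # Assumption of this example: the value must be a literal path.
        *'$'*) echo "$2: '$path' still contains a shell variable"; return 4 ;;
    esac
    [ -r "$path" ] || { echo "$2: '$path' missing or unreadable"; return 2; }
    case "$type:$path" in
        JKS:*.sso) echo "$2: type JKS but '$path' is an SSO wallet"; return 3 ;;
    esac
    echo "$2: ok ($type) $path"
}

# demo: write a constructed properties file to a temp directory and print its path.
demo() {
    d=$(mktemp -d)
    : > "$d/cacerts"      # constructed stand-in for a JKS truststore
    printf '%s\n' '# constructed sample' \
        'javax.net.ssl.trustStoreType=JKS' \
        "javax.net.ssl.trustStore= $d/cacerts" \
        'javax.net.ssl.keyStoreType=JKS' \
        "javax.net.ssl.keyStore= $d/certs/Apache/cwallet.sso" > "$d/oafm_wls.properties"
    echo "$d/oafm_wls.properties"
}

# Usage: sh check_stores.sh /path/to/oafm_wls.properties
if [ "$#" -gt 0 ]; then
    check_store "$1" trustStore; check_store "$1" keyStore
fi
```

Run it against the properties file before restarting the OAFM service; a non-zero return for either store means the restart would start the container with a store setting it cannot load.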






