Monday, 27 August 2018

"Internal Server Error" while invoking https service from Oracle API CS platform

In most cases, the back-end services we configure in API CS are SSL enabled. When such a service is invoked through a browser or the POSTMAN tool, it can fail with a generic "Internal Server Error", which makes the root cause very difficult to identify.

In this blog, we look at this situation and show how to resolve it.

Issue: "Internal Server Error" while invoking the SSL enabled services in API CS

Before we get into the detailed solution, we'll describe the problem.

Consider an https enabled service (Image-1) that we have configured in API CS and deployed on the API CS physical gateway. When the service is hit either from the browser (Image-2) or from POSTMAN, the error occurs as shown in the screenshot below:

Image-1


Image-2


An SSL handshake exception ("javax.net.ssl.SSLHandshakeException") can be found in the log {GW_Install_DIR}/domain/gateway1/servers/managedServer1/trace/default.log


Solution:

The solution is to import the back-end service's SSL certificate chain into the WebLogic keystore of the API CS physical gateway node.

The first step is to export the back-end service's SSL certificate chain via the browser. To export the certificate, follow the steps below:

  • Hit the back-end service using the Firefox browser
  • Click on Security Report and More Information
  • Go to Security Tab and Click on View Certificate button
  • Click on Details tab and click on the Export button
  • Select X.509 Certificate with Chain (PEM) (*.crt, *.pem) from Save as type list
  • Click on Save button

Import Certificate into physical gateway node

Log in to the WebLogic gateway node and look up the WebLogic keystore path. Navigate to Servers -> managedServer1 -> Configuration -> Keystores.




In the above screenshot we can see that WebLogic uses two keystore files to determine which certificates it needs to trust. We can import the downloaded certificate into either DemoTrust.jks or the cacerts file.

In this case, we are importing the downloaded certificate into the DemoTrust.jks file.

  • Log in to the gateway node via Putty and navigate to the path of DemoTrust.jks
  • Take a backup of the original file DemoTrust.jks
  • The keytool command is used to import the certificate into the keystore. Use the command below to import the certificate:

    keytool -keystore DemoTrust.jks -import -alias servicecert -file /home/oracle/certificatechain.crt -storepass DemoTrustKeyStorePassPhrase

    where DemoTrustKeyStorePassPhrase is the default password of the DemoTrust.jks file
  • After importing the certificate, restart the GW node. Please see the article on how to restart the GW node

Once this succeeds, hit the service again. This time the error will not occur and the back-end service will serve the request.
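
An added example, not part of the original post: when a PEM file holds several certificates, keytool stores only the first one under the given alias as a trusted entry, so this script splits the exported chain and imports every certificate under its own alias after backing up the keystore. The function names and the numbered alias scheme are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and the alias
# prefix are assumptions; keystore and chain paths come from the caller.

# split_chain CHAIN_FILE OUT_DIR
# Writes OUT_DIR/cert-1.pem, cert-2.pem, ... (one certificate each) and
# prints how many certificates the chain file contained.
split_chain() {
    chain=$1; out=$2
    mkdir -p "$out" || return 1
    awk -v dir="$out" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem"; inside = 1 }
        inside                        { print > f }
        /-----END CERTIFICATE-----/   { inside = 0; close(f) }
        END                           { print n + 0 }
    ' "$chain"
}

# import_chain KEYSTORE CHAIN_FILE ALIAS_PREFIX
# Backs up the keystore, then imports each certificate as PREFIX-1, PREFIX-2, ...
# -storepass is left out on purpose: keytool then prompts for the password, so
# it stays out of shell history and the process list. keytool also prints a
# certificate's fingerprints and asks before adding one it cannot already verify.
import_chain() {
    ks=$1; chain=$2; prefix=$3
    tmp=$(mktemp -d) || return 1
    count=$(split_chain "$chain" "$tmp") || { rm -rf "$tmp"; return 1; }
    if [ "$count" -eq 0 ]; then
        echo "no certificates found in $chain" >&2
        rm -rf "$tmp"; return 1
    fi
    cp -p "$ks" "$ks.bak.$(date +%Y%m%d%H%M%S)" || { rm -rf "$tmp"; return 1; }
    i=1; rc=0
    while [ "$i" -le "$count" ]; do
        keytool -importcert -keystore "$ks" -alias "$prefix-$i" \
                -file "$tmp/cert-$i.pem" || { rc=1; break; }
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

# Runs only when three arguments are given, for example:
#   sh import_chain.sh DemoTrust.jks /home/oracle/certificatechain.crt servicecert
if [ "$#" -eq 3 ]; then
    import_chain "$1" "$2" "$3"
fi
```

Running `keytool -list -keystore DemoTrust.jks` afterwards should show one trustedCertEntry per certificate in the chain.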


In conclusion, to invoke any SSL service via API CS, the associated back-end SSL certificate must be imported into the WebLogic keystore.
