API Gateway SSL configuration in Production by Gaurav Gupta



This blog provides steps to configure SSL certificate in Oracle API Gateway node’s trust store. It becomes necessary when API gateway in installed in “production” mode. Without SSL certificate you won’t able to deploy an API to gateway node, because in production mode gateway must communicate with APIP management tier over SSL. Another use-case is when backend service is SSL enabled.

  1. We will discuss both the scenarios in this blog.
  2. 1. Configure certificate in gateway node for SSL based communication with APIP management tier
    2. Configure certificate in gateway node when API is consuming SSL enabled backend service.

Scenario#1 : When gateway is installed in Production mode (gatewayExecutionMode=”Production”), it communicates with APIP management tier over SSL.

There are certain configurations need to be done in gateway for successful SSL Handshake with management tier. Before we jump into the gateway configuration, let’s see types of certificates configured in management tier.

Mostly there are 2 types of Digital certificates configured in management tier.

(i) WebLogic Self-signed certificate (Provided by default as WebLogic “demo” certificate. Not recommended for Production environment)
(ii) Custom CA Signed certificate (It is recommended that you should replace WebLogic demo cert with CA signed cert for production usage) (To learn how to configure CA singed certificate you can refer A-team blog – http://www.ateam-oracle.com/api-platform-custom-host-name-and-certificate/)

Now, Let’s see kind of problems you may face in absence of certificate.


  • Once GW is installed & registered successfully to management tier, If you try to deploy an API on gateway it won’t get deployed and will remain in “waiting” state. If you check apics.log file in gateway node you are likely to see SSLHandshakeException as shown in snippet below. (apics.log file location – <GatewayInstallDirectory>/domain/gateway1/apics/logs). Read the complete article here.


PaaS Partner Community

For regular information on Oracle PaaS become a member in the SOA & BPM Partner Community for registration please visit www.oracle.com/goto/emea/soa (OPN account required) If you need support with your account please contact the Oracle Partner Business Center.

clip_image003 Blog clip_image005 Twitter clip_image004 LinkedIn image[7][2][2][2] Facebook clip_image002[8][4][2][2][2] Wiki

Technorati Tags: SOA Community,Oracle SOA,Oracle BPM,OPN,Jürgen Kress

About Jürgen Kress
As a middleware expert Jürgen works at Oracle EMEA Alliances and Channels, responsible for Oracle’s EMEA Fusion Middleware partner business. He is the founder of the Oracle SOA & BPM and the WebLogic Partner Communities and the global Oracle Partner Advisory Councils. With more than 5000 members from all over the world the Middleware Partner Community is the most successful and active community at Oracle. Jürgen manages the community with monthly newsletters, webcasts and conferences. He hosts his annual Fusion Middleware Partner Community Forums and the Fusion Middleware Summer Camps, where more than 200 partners get product updates, roadmap insights and hands-on trainings. Supplemented by many web 2.0 tools like twitter, discussion forums, online communities, blogs and wikis. For the SOA & Cloud Symposium by Thomas Erl, Jürgen is a member of the steering board. He is also a frequent speaker at conferences like the SOA & BPM Integration Days, JAX, UKOUG, OUGN, or OOP.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: