XML Gateway Outbound PO Errors With Filenotfoundexception On Cwallett.Sso in EBS Oracle Apps


Setup xml gateway with trading partner for outbound transmission of Purchase Order to the Oracle Supplier Network. Generated approved purchase order.  However transaction monitor shows Delivery Status or Error and Delivery Message of Invalid CACert File. The xml_sql output shows following error:

oracle.apps.ecx.oxta.ConnectionFailureException: Connection failure resulting from:
java.io.FileNotFoundException: /inst/apps/<$CONTEXT_NAME>/certs/Apache/cwallet.sso


The cwallet.sso did not exist in the location specified in the $INST_TOP/ora/10.1.3/j2ee/oafm/config/oc4j.properties.   This is the configuration file used by XML Gateway in EBS version 12.1.3.  


For EBS 12.1.3 only

Configure XML Gateway to use the JKS wallet instead of the SSO wallet.   This allows for TLS authentication.   

1.  Ensure that the JDK version is 1.7.131 or higher in order to support TLS authentication for EBS 12.1.3.  

2.   Update the autoconfig $CONTEXT_FILE parameters:

s_ssl_truststore = $AF_JRE_TOP/jre/lib/security/cacerts
- Be sure to confirm the path to the cacerts file and insert the correct path here.   

- You will need to import your trading partner certificates into this wallet. 

s_ssl_truststoretype = JKS

s_ssl_trustmanageralgorithm = SunX509


Note:   By default,  the keystore is set to the cwallet.sso which is also the same as the default truststore.   These are SSO storetypes. 

While this configuration will work in most cases,  our guidance is to setup and configure a JKS keystore in addition to the truststore,  but either case should work. 

s_ssl_keystore = <path to the server key certificate keystore>   see Note 2042654.1 'Inbound Connections'  for an example on how to create a JKS keystore

s_ssl_keystoretype = JKS

s_ssl_keymanageralgorithm = SunX509


Note:   s_ssl_trustmanageralgorithm and s_ssl_keymanageralgorithm default to the SSO value of OracleX509.  If you are using JKS keystore types then use SunX509.  


3.  Run Autoconfig. 

4.  Restart the OAFM container or middle tier. 

5.  Retest the connection to verify that it works. 

In Release 12.2, OTA now runs under the weblogic server. The system properties are read from the oafm_wls.properties file of the oafm managed server, which is $INST_TOP/appl/admin/oafm_wls.properties.

Also, In Release 12.2,  the OTA is client authentication enabled by default. The default wallet used by the Weblogic server already has a user certificate. The same certificate will automatically be used for client authentication during the handshake, if client authentication is required by the server OTA is connecting to.

If there is a chain of certificates issues by CA(s), the CA certificates should be added as trusted certificates in the same wallet. The default location for the wallet is {s_web_ssl_directory}/Apache. Refer to the Application Context file for the exact location of the {s_web_ssl_directory} variable.

If you create a new wallet in a different location than {s_web_ssl_directory}/Apache, then the parameters javax.net.ssl.trustStore and javax.net.ssl.keyStore in the $INST_TOP/appl/admin/oafm_wls.properties file have to be manually edited to point to the new wallet.

 Update each $INST_TOP/appl/admin/oafm_wls.properties to point to the keystore and not the wallet

For example,

          # Added for OXTA


          # StoreType Parameters





          # Store Parameters


            javax.net.ssl.trustStore= $AF_JRE_TOP/jre/lib/security/cacerts

            javax.net.ssl.keyStore= $AF_JRE_TOP/jre/lib/security/cacerts


3. Shutdown and restart adoafmctl.sh so the changes to the properties files are seen:

            sh $ADMIN_SCRIPTS_HOME/adoafmctl.sh stop

            sh $ADMIN_SCRIPTS_HOME/adoafmctl.sh start

Note: Any time you make changes to the configuration or properties files, you must bounce the services for that server.

If you like please follow and comment