Friday, November 13, 2015

EBS -- Workflow Mailer and Gmail certificates: unable to find valid certification path to requested target

One day, you may decide to use Gmail IMAP and SMTP services for your Oracle Workflow Mailer inbound and outbound processing. If that day comes, here is a key piece of information for you.

As you may know, Gmail operates over SSL: both the Gmail SMTP and IMAP services are served over SSL, so if you want to configure Oracle Workflow Mailer with Gmail's IMAP and SMTP services, you need to configure Oracle Workflow Mailer with SSL.
Configuring Oracle Workflow Mailer with SSL is not a big thing and it is already documented.

Generally, what we do to configure SSL for the IMAP and SMTP processes of Oracle Workflow Mailer is gather the mail server's certificates from the mail server itself and make the Oracle Workflow Mailer server trust them.
We usually gather the certificates using openssl s_client.

For example:

openssl s_client -connect imap.gmail.com:993
openssl s_client -connect smtp.gmail.com:465


Then we copy and paste the outputs of openssl into .cer files and import these .cer files into the cacerts keystore.

For example:
keytool -import -trustcacerts -keystore $AF_JRE_TOP/lib/security/cacerts -storepass changeit -alias smtpimap -file gmailimap.cer
keytool -import -trustcacerts -keystore $AF_JRE_TOP/lib/security/cacerts -storepass changeit -alias smtpgmail -file gmailsmtp.cer

With this approach, you download Gmail's certificates using openssl and import them into EBS so that Oracle Workflow Mailer can use them.
This method normally works, but for Gmail it will not work stably.

That is, if you are using Gmail with your Oracle Workflow Mailer, then even if you configure your Workflow Mailer with SSL properly using the certificates gathered by connecting to imap.gmail.com and smtp.gmail.com, you may encounter the following error at random:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Actually, this is a certificate problem caused by the way Google serves Gmail: Google has many servers spread out to hold the load from everyone connecting to them, and they present different SSL certificates, so the certificate you captured from one server is not necessarily the one presented by the next.

This problem can be fixed by using the Gmail certificate published at https://pki.google.com/ under the title "Google's Issuing CA certificate".
Note that this certificate behaves like a wildcard certificate (*.) and works with all the Gmail servers, because it is the CA that issues the individual server certificates, so trusting it validates any of them.
This is the direct link: https://pki.google.com/GIAG2.crt

After downloading the .cer file from the link above, we follow the standard Workflow Mailer SSL configuration documents and issue the following command to import the .cer file into the cacerts file and make the Workflow Mailer use it.

keytool -import -trustcacerts -keystore $AF_JRE_TOP/lib/security/cacerts -storepass changeit -alias GIAG2 -file GIAG2.cer
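The copy-and-paste step above and the issuing-CA import are easy to get wrong by hand (the plain s_client output contains only the server's own leaf certificate). This added example, which is not code from the original post, splits the full chain printed by "openssl s_client -showcerts" into one PEM file per certificate and imports the last one (the issuer) with the same keytool command as the post; the sample chain, the directory names, the GIAG2 alias and the keystore path are constructed or assumed.

```shell
#!/bin/sh
# Added example (not from the original post). Sample chain below is constructed;
# keystore path and alias are assumptions. Issuer-last ordering is assumed.

# split_chain OUTDIR  (reads s_client -showcerts output on stdin)
# Writes OUTDIR/cert-1.pem, cert-2.pem, ... (server cert first, issuer last)
# and prints the number of certificates found.
split_chain() {
    out="$1"
    mkdir -p "$out"
    awk -v dir="$out" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem"; inblock = 1 }
        inblock { print > f }
        /-----END CERTIFICATE-----/ { inblock = 0; close(f) }
        END { print n + 0 }'
}

# import_pem FILE ALIAS KEYSTORE  (keytool import as in the post; dry run
# unless DO_IMPORT=1, because the placeholder certs below are not real)
import_pem() {
    cmd="keytool -import -noprompt -trustcacerts -keystore $3 -storepass changeit -alias $2 -file $1"
    if [ "${DO_IMPORT:-0}" = 1 ]; then $cmd; else echo "would run: $cmd"; fi
}

# Constructed stand-in for the output of:
#   openssl s_client -connect imap.gmail.com:993 -showcerts </dev/null
# Real output carries base64 certificate bodies; these are placeholders.
SAMPLE_CHAIN='CONNECTED(00000003)
 0 s:/CN=imap.gmail.com
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF-CERT-BODY
-----END CERTIFICATE-----
 1 s:/CN=Google Internet Authority G2
-----BEGIN CERTIFICATE-----
PLACEHOLDER-ISSUER-CERT-BODY
-----END CERTIFICATE-----
---
SSL handshake has read 3000 bytes'

demo() {
    dir="${TMPDIR:-/tmp}/gmail-chain.$$"
    count=$(printf '%s\n' "$SAMPLE_CHAIN" | split_chain "$dir")
    echo "certificates in chain: $count"
    # The last file is the issuer; that is the one worth trusting in cacerts.
    import_pem "$dir/cert-$count.pem" GIAG2 "${AF_JRE_TOP:-/path/to/jre}/lib/security/cacerts"
}
demo
```

Replace the constructed SAMPLE_CHAIN with the real pipe to openssl s_client -showcerts and set DO_IMPORT=1 to perform the import on a live system.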

Also, both the "Outbound SSL Enabled" and "Inbound SSL Enabled" checkboxes located in the Workflow Mailer's configuration page should be checked.

Lastly, be sure that your SSL trust store points to the cacerts file into which you imported the Gmail certificates. The trust store path is set through afsvcpup.sql, as in the following session:
[applmgr@ermanserver log]$ sqlplus apps/<pass> @$FND_TOP/sql/afsvcpup.sql

SQL*Plus: Release 10.1.0.5.0 - Production on Fri Nov 13 09:35:30 2015

Copyright (c) 1982, 2005, Oracle.  All rights reserved.
Connected to:

Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

Component Id Component Name                 Component Status Type            Containe
------------ ------------------------------ ---------------- --------------- --------
       10000 ECX Inbound Agent Listener     STOPPED          WF_AGENT_LISTEN GSM
       10001 ECX Transaction Agent Listener STOPPED          WF_AGENT_LISTEN GSM
       10002 Workflow Deferred Agent Listen RUNNING          WF_AGENT_LISTEN GSM
       10003 Workflow Deferred Notification RUNNING          WF_AGENT_LISTEN GSM
       10004 Workflow Error Agent Listener  RUNNING          WF_AGENT_LISTEN GSM
       10005 Workflow Inbound Notifications RUNNING          WF_AGENT_LISTEN GSM
       10006 Workflow Notification Mailer   RUNNING          WF_MAILER       GSM
       10020 Web Services IN Agent          STOPPED          WF_JAVA_AGENT_L GSM
       10021 Web Services OUT Agent         STOPPED          WF_DOCUMENT_WEB GSM
       10022 Workflow Java Deferred Agent L RUNNING          WF_JAVA_AGENT_L GSM
       10023 Workflow Java Error Agent List RUNNING          WF_JAVA_AGENT_L GSM
       10040 WF_JMS_IN Listener(M4U)        RUNNING          WF_JAVA_AGENT_L GSM
       10041 Workflow Inbound JMS Agent Lis STOPPED          WF_AGENT_LISTEN GSM

Enter Component Id: 10006

Example path:  " /u01/oracle/TEST/fs1/EBSapps/comn/util/jdk32/jre/lib/security/cacerts"

Note that: don't use environment variables when specifying this path.
