PaaS Partner Community

API Gateway SSL configuration in Production by Gaurav Gupta

Juergen Kress
PaaS Partner Adoption



This blog provides steps to configure SSL certificate in Oracle API Gateway node’s trust store. It becomes necessary when API gateway in installed in “production” mode. Without SSL certificate you won’t able to deploy an API to gateway node, because in production mode gateway must communicate with APIP management tier over SSL. Another use-case is when backend service is SSL enabled.

  1. We will discuss both the scenarios in this blog.
  2. 1. Configure certificate in gateway node for SSL based communication with APIP management tier
    2. Configure certificate in gateway node when API is consuming SSL enabled backend service.

Scenario#1 : When gateway is installed in Production mode (gatewayExecutionMode=”Production”), it communicates with APIP management tier over SSL.

There are certain configurations need to be done in gateway for successful SSL Handshake with management tier. Before we jump into the gateway configuration, let’s see types of certificates configured in management tier.

Mostly there are 2 types of Digital certificates configured in management tier.

(i) WebLogic Self-signed certificate (Provided by default as WebLogic “demo” certificate. Not recommended for Production environment)
(ii) Custom CA Signed certificate (It is recommended that you should replace WebLogic demo cert with CA signed cert for production usage) (To learn how to configure CA singed certificate you can refer A-team blog – http://www.ateam-oracle.com/api-platform-custom-host-name-and-certificate/)

Now, Let’s see kind of problems you may face in absence of certificate.


  • Once GW is installed & registered successfully to management tier, If you try to deploy an API on gateway it won’t get deployed and will remain in “waiting” state. If you check apics.log file in gateway node you are likely to see SSLHandshakeException as shown in snippet below. (apics.log file location – <GatewayInstallDirectory>/domain/gateway1/apics/logs). Read the complete article here.


PaaS Partner Community

For regular information on Oracle PaaS become a member in the SOA & BPM Partner Community for registration please visit www.oracle.com/goto/emea/soa (OPN account required) If you need support with your account please contact the Oracle Partner Business Center.

clip_image003 Blog clip_image005 Twitter clip_image004 LinkedIn image[7][2][2][2] Facebook clip_image002[8][4][2][2][2] Wiki

Technorati Tags: SOA Community,Oracle SOA,Oracle BPM,OPN,Jürgen Kress

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.