API Platform Custom Host Name and Certificate

Once you have provisioned an Oracle API Platform CS instance, one of the first things you will notice is that access to the various consoles is done via Public IP addresses:

Another issue you will come across is that the browser flags the certificate used for the instance as “Not Secure”, and HTTPS is therefore disabled due to the invalid certificate:

The focus of this blog is to walk through the details of how to customize your APIPCS environment for your business, which includes defining a host name and replacing the default demo certificate with one that matches your new host name. This allows your consumers/users to reach the APIPCS under a name specific to your company rather than a bare IP address or cryptic host name.

High-Level Steps/Checklist

Host Name

The first thing you will want to do is come up with a host name that makes sense for your APIPCS instance. For example, if your company’s domain name is ateam.com, then you could use something like apip.ateam.com as the host name for your APIPCS. Once you have identified this new host name, you will want to work with your network administrator to define a new A record with your DNS provider such that the new host name maps to the Public IP of the Oracle Load Balancer. When you have verification from your network administrator that the DNS configuration has been completed, you can test with a simple ping to your new host name to validate that it resolves to the Oracle load balancer Public IP.

SSL Certificate

Now that the custom host name is ready, you will see that the certificate is still invalid when you try to access the APIP portal (e.g., https://api.ateam.com/apiplatform). Furthermore, if you try to log in (and are successful) you will be redirected back to the load balancer Public IP. To fix this problem, there are two steps involved:

1. Update the Oracle Load Balancer with a signed certificate that matches your new host name
2. Update the WebLogic Server (WLS) Frontend Host for the APIPCS cluster to your new host name

For step 1, we will be following the Oracle online documentation for Fusion Middleware Administering Oracle Traffic Director, specifically the Managing Security chapter. This documentation covers SSL/TLS concepts as well as how to configure and manage certificates for the Oracle Traffic Director (OTD). The following will guide you through this configuration and point out some important details that are not obvious and can trip you up:

1. Generate a Keypair and CSR in the opc-config of the OTD console.

From the Oracle API Platform Cloud Service console, open the OTD console via the Open Load Balancer Console menu:

From the WebLogic Domain menu, locate and open the OTD Configurations:

We are interested in the opc-config:

At this point we are now in the OTD configuration portion of the console. To get to the certificate section, use the Traffic Director Configuration menu to locate the Manage Certificates section:

Now that we are in the Manage Certificates area, we can generate the Keypair and CSR:

2. Provide the CSR to your network administrator (or certificate manager) to get a CA-signed certificate.
3. Obtain the CA-signed certificate (including the complete chain of certificates) from your network administrator (or certificate manager).
4. Import the complete chain of certificates into the opc-config of the OTD console.

To import the certificate chain into OTD, we need to return to the Manage Certificates section of the OTD console. Now we simply select the Alias we created during the Generate Keypair and CSR step and then click on Import to begin the import process:

*IMPORTANT* The certificate chain must be in the following order in the file being uploaded or the string being pasted:
1. server certificate
2. intermediate certificate
3. root certificate
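Because OTD gives little feedback when the order is wrong, it helps to check the bundle mechanically before uploading it. The following shell script is an added example, not part of the original post or of the Oracle product; it assumes the openssl CLI is available and that the custom host name is apip.ateam.com, and make_demo_chain builds a constructed throwaway chain (not a real CA) so the checker can run offline.

```shell
#!/bin/sh
# check_chain_order BUNDLE HOST: confirm a PEM bundle is ordered server -> intermediate -> root
# (the order OTD expects on import) and that the first certificate is issued for HOST.
check_chain_order() {
  bundle="$1"; host="$2"; dir=$(mktemp -d)
  # split the bundle into numbered files, one certificate each
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/" n ".pem")}' "$bundle"
  count=$(ls "$dir" | wc -l | tr -d ' ')
  [ "$count" -ge 2 ] || { echo "bundle holds fewer than 2 certificates"; rm -rf "$dir"; return 1; }
  # the first certificate must be the server certificate for the custom host name
  if ! openssl x509 -noout -subject -in "$dir/1.pem" | grep -q "CN *= *$host"; then
    echo "first certificate is not the server certificate for $host"; rm -rf "$dir"; return 1
  fi
  i=1
  while [ "$i" -lt "$count" ]; do
    # each certificate's issuer must equal the subject of the certificate that follows it
    issuer=$(openssl x509 -noout -issuer -in "$dir/$i.pem" | sed 's/^issuer= *//')
    subject=$(openssl x509 -noout -subject -in "$dir/$((i+1)).pem" | sed 's/^subject= *//')
    if [ "$issuer" != "$subject" ]; then
      echo "certificate $i is not issued by certificate $((i+1)): chain is out of order"
      rm -rf "$dir"; return 1
    fi
    i=$((i+1))
  done
  # the last certificate must be the self-signed root
  last_s=$(openssl x509 -noout -subject -in "$dir/$count.pem" | sed 's/^subject= *//')
  last_i=$(openssl x509 -noout -issuer -in "$dir/$count.pem" | sed 's/^issuer= *//')
  rm -rf "$dir"
  [ "$last_s" = "$last_i" ] || { echo "last certificate is not a self-signed root"; return 1; }
  echo "chain order OK: $count certificates, server -> intermediate -> root"
}

# make_demo_chain DIR HOST: build a constructed throwaway root -> intermediate -> server chain
# (not a real CA; the CA names are assumed) so the checker can be exercised offline.
make_demo_chain() {
  d="$1"; host="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -out "$d/int.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -out "$d/server.pem" 2>/dev/null
  cat "$d/server.pem" "$d/int.pem" "$d/root.pem" > "$d/good-chain.pem"  # correct order
  cat "$d/root.pem" "$d/int.pem" "$d/server.pem" > "$d/bad-chain.pem"   # reversed order
}
```

Run it against the real bundle your certificate manager hands you with `check_chain_order chain.pem apip.ateam.com`; the same issuer/subject walk also catches a missing intermediate.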

5. Change the OTD HTTPS listener (https-listener-1) to use the imported certificates.

We now have a valid certificate imported into the Oracle load balancer, but we still need to configure OTD to use this new certificate. This configuration is located in the Listeners section of the Traffic Director Configuration:

You should see only one HTTPS listener enabled (https-listener-1), so select it to change its configuration to use the new certificate:

At this point, if you access the APIP portal you will see that the certificate is now valid. However, when you Sign In to the portal you are still redirected to the Public IP. The missing configuration that fixes this redirect is updating the WLS Frontend Host:

1. Open the WebLogic Server Console.

Access to the WebLogic Server Console is done through the Oracle API Platform Cloud Service console (like with the OTD console):

2. Navigate to the APIP cluster.

3. Go to the Configuration tab and then the HTTP sub-tab.

4. Update the Frontend Host in the WLS console for the APIP cluster.

You will notice that, once the changes have been activated, there are 2 items that must be restarted:

5. Bounce the APIP managed servers.

6. Access your APIP portal and/or developer portal.

Now we have a customized APIPCS instance for your company/domain. I hope you have found this useful and that it ties together the various touch points for getting a custom host name and certificate in place in your APIPCS environment.