Custom Certificates for Fusion SOAP APIs

October 31, 2022 | 7 minute read
Greg Mally
Consulting Solutions Architect

When orchestrating business flows, you often need to interact with other systems via their APIs. Most organizations will choose to leverage REST-based APIs, but scenarios exist where alternative APIs are required. One use case with Oracle Fusion Applications (FA) is asynchronous requests with a callback, accomplished using FA SOAP APIs. This blog post will focus on the asynchronous get purchase order SOAP API. As we will see later, this API requires message protection (encryption) for the callback. This requirement forces the client application to include its public certificate, which FA will use to encrypt the callback message.

Purchase Order Service V2 WSDL

One of the first things you will notice is there are no details around sync vs. async operations in the online documentation. However, the WSDL contains all the supported operations and details (https://fs-your-cloud-hostname:443/fscmService/PurchaseOrderServiceV2?wsdl). Open the WSDL and then search for getPurchaseOrder. You should be able to locate something like the following:


You will notice that for every synchronous operation there is a corresponding asynchronous one (i.e., the asynchronous operations have an Async suffix in the operation name). Additionally, if you keep searching, you will locate the getPurchaseOrderAsyncResponse operation (aka, the callback):


Operation Security Policy

Finally, if you look at the binding for both the PurchaseOrderService (request operations) and the PurchaseOrderServiceResponse (callback operations), you will find they have a PolicyReference of wss11_saml_or_username_token_with_message_protection_service_policy and wss11_saml_token_with_message_protection_client_policy respectively. For our use case, the focus is on the client policy associated with the callback. Because of this policy, we will need to provide the public key for the client application's certificate in the SOAP Header of the getPurchaseOrderAsync operation:


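The binding check described above can also be scripted. This is an added example, not code from the original post or from Oracle: it parses a constructed, trimmed WSDL fragment and reports which bindings carry a client policy with message protection, meaning the callback receiver's certificate is needed. The binding names RequestBinding and CallbackBinding and the fragment layout are assumptions; the operation and policy names are the ones quoted in the post.

```python
import xml.etree.ElementTree as ET

WSDL = "http://schemas.xmlsoap.org/wsdl/"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"

# Constructed, heavily trimmed WSDL fragment: binding names and layout are
# assumptions; operation and policy names are the ones quoted in the post.
SAMPLE_WSDL = f"""<wsdl:definitions xmlns:wsdl="{WSDL}" xmlns:wsp="{WSP}">
  <wsdl:binding name="RequestBinding" type="tns:PurchaseOrderService">
    <wsp:PolicyReference URI="#wss11_saml_or_username_token_with_message_protection_service_policy"/>
    <wsdl:operation name="getPurchaseOrder"/>
    <wsdl:operation name="getPurchaseOrderAsync"/>
  </wsdl:binding>
  <wsdl:binding name="CallbackBinding" type="tns:PurchaseOrderServiceResponse">
    <wsp:PolicyReference URI="#wss11_saml_token_with_message_protection_client_policy"/>
    <wsdl:operation name="getPurchaseOrderAsyncResponse"/>
  </wsdl:binding>
</wsdl:definitions>"""

def audit_bindings(wsdl_text):
    """Return one record per wsdl:binding: port type, operations, policy names."""
    report = []
    for binding in ET.fromstring(wsdl_text).iter(f"{{{WSDL}}}binding"):
        # Match by local name so either WS-Policy namespace works.
        policies = [el.get("URI", "").lstrip("#") for el in binding.iter()
                    if el.tag.rsplit("}", 1)[-1] == "PolicyReference"]
        ops = [op.get("name") for op in binding.findall(f"{{{WSDL}}}operation")]
        report.append({
            "port_type": binding.get("type", "").split(":")[-1],
            "operations": ops,
            "policies": policies,
            # A *client* policy with message protection means the service is the
            # caller on this binding and encrypts to the receiver's certificate.
            "needs_receiver_cert": any(
                p.endswith("_client_policy") and "message_protection" in p
                for p in policies),
        })
    return report

def async_operations(report):
    """Operations that exist in both a sync form and an 'Async'-suffixed form."""
    names = {op for rec in report for op in rec["operations"]}
    return sorted(n for n in names if n + "Async" in names)

if __name__ == "__main__":
    rep = audit_bindings(SAMPLE_WSDL)
    for rec in rep:
        print(rec["port_type"], rec["policies"], "receiver cert:", rec["needs_receiver_cert"])
    print("sync operations with an async twin:", async_operations(rep))
```

To run it against a real environment, save the WSDL to a file and pass its text to audit_bindings in place of SAMPLE_WSDL.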

FA Certificate Self-Service

If your client application includes the public certificate in the SOAP Header (see above) and your getPurchaseOrderAsync operation returns an HTTP 202 Accepted response, but you get no callback from FA, then there is a high probability you need to add the public certificate to your FA environment. Luckily, we can manage the certificates via the FA console under Tools > Security Console > API Authentication:


Once on the API Authentication page, you can either "Create Oracle API Authentication Provider" or select an existing one. For our example, a new Trusted Issuer was created with the Token Type of JWT: