Sunday, February 14, 2016

SOA : WSM-00138: The path to the certificate is invalid

Recently, I integrated a secured web service with Oracle SOA and faced following error when I tried to test the web service call. I used OWSM policy  'oracle/wss10_message_protection_client_policy' to sign the request message.

<Feb 03, 2016 10:30:56 AM CST>  <Error> <oracle.webservices.service> <OWS-04086> <javax.xml.rpc.soap.SOAPFaultException: oracle.fabric.common.FabricInvocationException: Unable to invoke endpoint URI "" successfully due to: oracle.fabric.common.PolicyEnforcementException: WSM-00276 : Validation failed for the identity published in the WSDL endpoint "".

Caused By: WSM-00138 : The path to the certificate is invalid.
 Validation failed for the certificate "Subject DN:- CN=dummy_key, OU=abc, O=XYZ, C=US, Serial Number:- 1430987244, Issuer DN:- CN=dummy_key, OU=abc, O=XYZ, C=US"
 Certificates in cert path used for validation are:-
"Subject DN:- CN=dummy_key, OU=abc, O=XYZ, C=US, Issuer DN:- CN=dummy_key, OU=abc, O=XYZ, C=US"
        at oracle.integration.platform.blocks.soap.WebServiceEntryBindingComponent.generateSoapFaultException(

Imported additional(intermediate/identity) certificates(X509) associated with secured web service into SOA's Keystore as trusted certificates and rebooted server(s).

I enabled WSSE debug flags in Weblogic Server to find out exact cause. Don't forget to disable the flags, otherwise you will confront excessive logging issue.

EXTRA_JAVA_PROPERTIES="${EXTRA_JAVA_PROPERTIES} -Dweblogic.wsee.verbose=* -Dssl.debug=true"


  1. great post !! can you please elaborate on "importing intermediate cert to SOA key store". Is it to the OWSM default-keystore.jks file?

  2. pls share more details on "importing intermediate cert to SOA keystore. Is it the OWSM config/fmwconfig/default-keystore.jks keystore?

    1. It could be default-keystore.jks or any Custome keystore located in fmwconfig folder.

      Follow below steps to find out the keystore which is configured for specific domain.

      Go to EM Console --> Weblogic Domain --> Right click on Domain --> Security --> Security Provider Configuration.


Provide your thoughts !