My Oracle Support Banner

XML Decryption Filter Throwing Unhandled Exception Resulting in NullPointerException when wrong Certificate is Used (Doc ID 2132250.1)

Last updated on MARCH 27, 2021

Applies to:

Oracle API Gateway - Version and later
Information in this document applies to any platform.


In OAG SP2 with <Patch 22509139> applied, a decryption policy works fine if the message is encrypted with expected certificate. It fails if the message is not encrypted with expected certificate, and this failure is expected.

However, the exception is not handled by the OAG exception handling framework when a failure occurs. The failure produces a 500 Internal Server Error followed by a NullPointerException.

The expectation is that any exception thrown by the API Gateway will be handled by a Fault Handler if configured.  In this case, the NullPointerException is bypassing three levels of Fault Handlers (including the Global Fault Handler policy) which results in the HTTP 500 error.

1. Apply patch 22509139 on top of OAG SP2
2. Create a decryption policy where the message is encrypted with the wrong certificate to trigger the failure.
3. The error will occur.


To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.