WebLogic Server Not Using Default Identity And Trust Keystores When Using -DUseSunHttpHandler=true (Doc ID 2413410.1)

Last updated on JUNE 22, 2018

Applies to:

Oracle WebLogic Server - Version 12.1.3.0.0 and later
Information in this document applies to any platform.

Symptoms

WebLogic Server 12.1.3 does not use the default identity and trust keystores when started with -DUseSunHttpHandler=true.

This occurs when making a 2-way SSL outbound connection from WebLogic Server to an external system.

For outbound socket connections, we recommend using -DUseSunHttpHandler=true so that WebLogic uses the Sun handlers. This is recommended from WebLogic Server 12c onwards.

When the Sun handlers (-DUseSunHttpHandler=true) are used to enforce javax.net.* for socket connections, SSL does not honor the trust store settings of the WLS Console when WebLogic Server acts as a client, so the javax.net.ssl.trustStore properties must be used.

The outbound SSL handshake succeeds after adding the javax.net.ssl.trustStore properties as below:

-DUseSunHttpHandler=true -Djavax.net.ssl.trustStore=D:\MW\WebLogic\Home-AC\Java\jre\lib\security\cacerts -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.keyStore=D:\MW\WebLogic\Home-AC\Domains\Bus-PT\SSL\IdentityKeystore.jks -Djavax.net.ssl.keyStorePassword=######## (plain-text format password)

However, the password for -Djavax.net.ssl.keyStorePassword has to be specified in clear text, which can be a security concern.

Encrypting the password with the java weblogic.security.Encrypt utility and using the encrypted value was also tried, but the -Djavax.net.ssl.keyStorePassword option does not accept the encrypted password.
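
JVM start arguments can be read from start scripts and from the process list, so a clear-text keystore password passed this way is worth auditing for. The following check is an added example, not part of the original note or of any Oracle tooling: it scans a JVM argument line for the javax.net.ssl password properties and reports them without echoing the password. The function name, the sample password and the encrypted-value prefixes are assumptions.

```python
import re

# Matches -Djavax.net.ssl.keyStorePassword=... / trustStorePassword=...,
# with the value either double-quoted or running to the next whitespace.
_PASSWORD_ARG = re.compile(
    r'-D(javax\.net\.ssl\.(?:keyStore|trustStore)Password)=(?:"([^"]*)"|(\S*))'
)

# Assumption: prefixes carried by values produced by weblogic.security.Encrypt.
_WLS_ENCRYPTED = re.compile(r'^\{(?:AES|AES256|3DES)\}')


def audit_jvm_args(cmdline):
    """Return one finding per javax.net.ssl password property in cmdline.

    The password itself is never returned, only its length and a verdict.
    """
    findings = []
    for match in _PASSWORD_ARG.finditer(cmdline):
        prop = match.group(1)
        value = match.group(2) if match.group(2) is not None else match.group(3)
        if value == "":
            verdict = "empty"
        elif _WLS_ENCRYPTED.match(value):
            # The note reports that this option does not accept such values.
            verdict = "weblogic-encrypted (not accepted by this option)"
        elif value == "changeit":
            verdict = "clear text, JDK default password"
        else:
            verdict = "clear text"
        findings.append({"property": prop, "length": len(value), "verdict": verdict})
    return findings


# Constructed sample: the argument line from this note with a made-up password.
SAMPLE = (
    r"java -DUseSunHttpHandler=true "
    r"-Djavax.net.ssl.trustStore=D:\MW\WebLogic\Home-AC\Java\jre\lib\security\cacerts "
    r"-Djavax.net.ssl.trustStorePassword=changeit "
    r"-Djavax.net.ssl.keyStore=D:\MW\WebLogic\Home-AC\Domains\Bus-PT\SSL\IdentityKeystore.jks "
    r"-Djavax.net.ssl.keyStorePassword=Example#Pass1 weblogic.Server"
)

if __name__ == "__main__":
    for finding in audit_jvm_args(SAMPLE):
        print(finding)
```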

Changes

 

Cause
