WebLogic Server not Using Default Identity and Trust Keystores when Using -DUseSunHttpHandler=true (Doc ID 2413410.1)

Last updated on APRIL 03, 2024

Applies to:

Symptoms

WebLogic 12.1.3 server not using default identity and trust keystores when using -DUseSunHttpHandler=true.

When trying to make 2-way SSL outbound communication from WebLogic Server to External system.

From WebLogic it is recommended to use -DuseSunHttpHandler=true to make outbound socket connection using SUN handlers. Which is recommended from WebLogic Server 12c onwards.

When using the sun handlers (-DUseSunHttpHandler=true) to enforce to use javax.net.* for socket connection, SSL doesn't honor the trust store settings of WLS Console when WebLogic server acting as a client, so we need to use javax.net.ssl.trustStore properties.

It makes a Successful SSL outbound Handshake after adding the javax.net.ssl.trustStore properties as below:

-DUseSunHttpHandler=true -Djavax.net.ssl.trustStore=<PATH>\Java\jre\lib\security\cacerts -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.keyStore=<PATH>\SSL\IdentityKeystore.jks -Djavax.net.ssl.keyStorePassword=######## (Plain Text format password )

However the –Djavax.net.ssl.keyStorePassword we have to specify in clear text password which can be a security concern.

It was also tried to encrypt the password using, java weblogic.security.Encrypt utility, and use the encrypted password but it doesn’t taking the encrypted password for the -Djavax.net.ssl.keyStorePassword option.

Cause

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.