
Weblogic 10.3.3 and SSL SHA256 certs

I have a Weblogic Server (version 10.3.3) in each of 4 environments (dev, test, preprod, prod) and I hit about a dozen web services from each Weblogic server. The SSL cert for one of these web services changed last week for Preprod, test and dev servers, and the encryption type changed to SHA256RSA from SHA1.

I came across some information from Oracle saying that I had to swap over to JSSE SSL then the WL server should accept SHA2+ certs. This solution has worked for both the Test and Dev environment, but not the Preprod environment, with the only difference being that the Preprod Environment has Hostname Verification turned on.

I'm not sure if the whole certificate chain needs to be replaced or if I need to patch the Weblogic server, but this will be an issue in production in a few weeks, and I'd like to get a secure solution in this environment first, before I end up with a P1.

The cert is stored in cacerts, and I'm confident that I've swapped everything out correctly, using the proper keytools, etc.

I have also passed in the following startup variables to try and debug what's happening with this service, but had no joy with it. Maybe I'm looking in the wrong place.

-Dssl.debug=true 
-Dweblogic.StdoutDebugEnabled=true 
-Dweblogic.security.SSL.verbose=true 
-Dweblogic.security.SSL.enableJSSE=true

info: JDK java 1.6.0_20_2b WLS 10.3.3 SSL SHA256RSA

If you need any information, logs, screenshots, etc., then please let me know. I've tried dozens of solutions and still haven't nailed this one.

Thanks a million, Ben
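
The two certificate properties the question turns on, the signature algorithm and whether the certificate's name matches the host the client connects to (which is what Hostname Verification checks), can be inspected with openssl. This is an added example, not part of the original post; it assumes openssl is installed, and the host names, file paths and throwaway self-signed certificate are constructed for the demo.

```shell
#!/bin/sh
# Added example: inspect a certificate's signature algorithm and host-name match.
# All host names and files below are constructed for the demo.

# Print the signature algorithm of a PEM certificate,
# e.g. sha256WithRSAEncryption or sha1WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/Signature Algorithm:/{s/^ *Signature Algorithm: *//p;q;}'
}

# Return 0 if the certificate is valid for the given host name, 1 otherwise.
# "-checkhost" prints "does match" or "does NOT match", so test the text.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" |
        grep -q 'does match certificate'
}

# Build a throwaway SHA-256 self-signed certificate so the script runs offline.
# Usage: make_demo_cert <common name> <output path prefix>
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=$1" -keyout "$2.key" -out "$2.pem" 2>/dev/null
}

# Usage: report <cert.pem> <host name used in the service URL>
report() {
    printf 'signature algorithm: %s\n' "$(cert_sig_alg "$1")"
    if cert_matches_host "$1" "$2"; then
        printf 'host %s: matches certificate\n' "$2"
    else
        printf 'host %s: does NOT match certificate\n' "$2"
    fi
}

DEMO_DIR=$(mktemp -d)
make_demo_cert ws.preprod.example.test "$DEMO_DIR/demo"

# Same certificate, two ways a client might address the service:
report "$DEMO_DIR/demo.pem" ws.preprod.example.test   # full name in the cert
report "$DEMO_DIR/demo.pem" ws-preprod                # short alias, not in the cert
```

For a real service, export its certificate to a PEM file and pass that file, together with the exact host name from the endpoint URL configured in each environment, to `report`.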

It's pretty late, but https://blogs.oracle.com/LuzMestre/entry/jsse_and_weblogic_server_in recommends patching the server. The 10.3.3 version seems to be buggy.
