views: 568
answers: 4

Hi, we needed to consume MOSS out-of-the-box web services hosted over HTTPS from a Java application running on a WebLogic server. Do we need to import the SSL certificate of the MOSS website into the WebLogic server, or can we simply bypass certificate validation? What is the best approach? We may need to support more than one website, as more MOSS websites can be configured in future.

Thanks.

A: 

You can do that, or you can disable the SSL validation with a fake trust-manager. I think both subjects are described in this similar question:

http://stackoverflow.com/questions/875467/java-client-certificates-over-https-ssl

It can be a hassle to manage many SSL certificates: expiration, changed domains, changed issuer, and so on. If SSL is not that important to you, I say skip it.

Tommy

A: 

Hi, thanks for the quick reply. We wanted to know the better approach. We cannot avoid HTTPS because some restricted sites are configured to be running on HTTPS. If we use a fake trust-manager, are the request and response still encrypted? We want to use the better approach in terms of not exposing any security risks. Is the better approach to import the server's SSL certificate into the WebLogic key store so that the WebLogic server validates the server? By the way, we also noticed that without bypassing the certificate, and also without importing the certificate, one of the HTTPS sites is still returning a response. Do you know if there is any configuration setting in HTTPS that is providing us the response back without requiring us to provide the certificate?

Thanks.

The most secure thing to do is of course to import the certificates. HTTPS (encryption) works without a trusted certificate.

Tommy

A: 

Hi, thanks for your responses. Just one last question, which was also mentioned in my earlier post. Is there a setting on an HTTPS site that would let clients know to validate the server certificate? The reason I am asking this question is that when we use Java code to connect to HTTPS URLs, we are able to get a response back from some URLs, but some URLs are throwing SSL handshake failure exceptions. Just wondering if there is any setting in those HTTPS configurations which controls this behavior. Also, I wanted to know what the MOSS default behavior is if HTTPS is enabled.

Thanks.

I understand the SSLHandshakeException depends on who issued the server certificate. The root certificates issued by some companies like VeriSign and Entrust are already included in J2SE and do not throw an exception. However, if the certificates are not available in J2SE (maybe self-signed or issued by someone else), then it throws an SSLHandshakeException if they are not imported into the Java key store. I would appreciate it if anyone can confirm this.

A: 

Could anyone please confirm my last comment that the certificate is trusted based on its issuer type? If an HTTPS site has a certificate issued by VeriSign, Entrust or Thawte, it may not need to be imported into the WebLogic server key store when an application running on the WebLogic server makes an HttpsURLConnection, but if the certificate is self-signed or issued by some vendor which may not be available in the default JDK, then such certificates need to be imported into the key store to avoid an SSLHandshakeException.

Thanks
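As an added example that is not part of this thread: the "import the certificate" approach Tommy recommends, implemented in plain JSSE (the same javax.net.ssl classes that HttpsURLConnection uses), so that sites issued by public CAs keep validating against the JDK's bundled roots while self-signed or private-CA MOSS sites validate against a trust store the application owns. The trust store file name, its password and the URL are placeholders, and the keytool command in the comment is the standard way to populate such a store; whether the imported certificates live in this application-owned file or in the WebLogic server's trust store is a deployment choice.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class MossHttpsClient {

    // Hypothetical application-owned trust store holding the imported MOSS server
    // certificates, e.g. populated with:
    //   keytool -importcert -trustcacerts -alias moss-site1 -file moss-site1.cer -keystore moss-trust.jks
    private static final String IMPORTED_STORE = "moss-trust.jks";
    private static final char[] IMPORTED_STORE_PASSWORD = "changeit".toCharArray();

    /** Loads a JKS/PKCS12 trust store from disk. */
    static KeyStore loadStore(String path, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    /** Returns the X509TrustManager for a key store; null selects the JDK's default cacerts. */
    static X509TrustManager trustManagerFor(KeyStore store) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /**
     * Accepts a server chain if EITHER the JDK roots OR the imported certificates validate it.
     * Every chain is still fully checked (signature, validity period, path to a trust anchor),
     * which is exactly what a "fake" trust-all manager gives up.
     */
    static X509TrustManager composite(final X509TrustManager jdkRoots, final X509TrustManager imported) {
        return new X509TrustManager() {
            @Override
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                try {
                    jdkRoots.checkServerTrusted(chain, authType);     // public CAs (VeriSign, Entrust, Thawte, ...)
                } catch (CertificateException notPublic) {
                    try {
                        imported.checkServerTrusted(chain, authType); // self-signed / private-CA MOSS sites
                    } catch (CertificateException notImported) {
                        throw notPublic; // trusted by neither store: the handshake is aborted
                    }
                }
            }

            @Override
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                throw new CertificateException("this manager only validates servers");
            }

            @Override
            public X509Certificate[] getAcceptedIssuers() {
                X509Certificate[] a = jdkRoots.getAcceptedIssuers(), b = imported.getAcceptedIssuers();
                X509Certificate[] all = Arrays.copyOf(a, a.length + b.length);
                System.arraycopy(b, 0, all, a.length, b.length);
                return all;
            }
        };
    }

    /** Builds an SSLContext that trusts the JDK roots plus the imported MOSS certificates. */
    static SSLContext buildContext(String importedStorePath, char[] password) throws Exception {
        X509TrustManager jdkRoots = trustManagerFor(null);
        X509TrustManager imported = trustManagerFor(loadStore(importedStorePath, password));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { composite(jdkRoots, imported) }, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String url = args.length > 0 ? args[0] : "https://moss.example.internal/"; // placeholder MOSS site
        SSLContext ctx = buildContext(IMPORTED_STORE, IMPORTED_STORE_PASSWORD);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // per connection; the JVM-wide default is left alone
        try {
            System.out.println("HTTP " + conn.getResponseCode());
        } catch (SSLHandshakeException e) {
            // The issuer is in neither store: import the site's certificate rather than disabling validation.
            System.err.println("Server certificate not trusted: " + e.getMessage());
        }
    }
}
```

This keeps the two behaviours the thread describes separate and visible: a site whose issuer is a root already shipped in the JDK (the "some URLs work" case) passes through the first trust manager, a self-signed or private-CA site passes only once its certificate has been imported into the application's store, and a site in neither store still fails with the SSLHandshakeException discussed above, which is the correct outcome rather than something to suppress. The request and response are encrypted in all three cases; what the imported certificate adds is the assurance that the encrypted channel actually terminates at the MOSS server you intended, and HttpsURLConnection's default HostnameVerifier still checks the name in the certificate against the URL.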