Certificate verification error when sending a service request from Weblogic

I’m attempting to make a service call to salesforce.com. I’ve added the certificate chain to my keystore, but when the service verifies the domain certificate it gets hung up on the wildcard for the subdomain part of the CN, yet this is the cert that I have taken directly from the site. I’ve found that WebLogic doesn’t support wildcards in the certificate CN. Is it possible to modify the CN without invalidating the cert?

The error when I test the service from within WebLogic OSB is:

The invocation resulted in an error: [Security:090504]Certificate chain received from sensis-proxy-vs.sensis.com.au – 161.117.32.128 –> cs5.salesforce.com failed hostname verification check. Certificate contained *.salesforce.com but check expected cs5.salesforce.com.

Answer

The problem here is that the default hostname verifier for WebLogic doesn’t support SSL certificates where the CN contains a wildcard for the hostname.

It is possible to change WebLogic’s hostname verifier, and WebLogic ships with a class that can verify CNs with wildcards.

  1. Go to the WebLogic admin console -> Environment -> Servers -> your server -> Configuration -> SSL

  2. Click “Lock & Edit”

  3. Open the “Advanced” flap

  4. Change “Hostname Verification” from “BEA Hostname Verifier” to “Custom Hostname Verifier”

  5. Set “Custom Hostname Verifier” to weblogic.security.utils.SSLWLSWildcardHostnameVerifier

  6. Click “Save” and then “Activate Changes”

  7. Restart your server.
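To see why the default verifier rejects this certificate while the wildcard verifier accepts it, here is a small Python model of the two matching rules applied to the names from the error message above. This is an added illustration, not WebLogic's code; the wildcard rules it encodes (left-most label only, one label only, at least two literal labels after the `*`) are the common RFC 6125 conventions and are assumed here, not taken from WebLogic's implementation.

```python
def matches_strict(cert_name: str, hostname: str) -> bool:
    """Exact, case-insensitive comparison, with no wildcard support.

    This is the behaviour that turns '*.salesforce.com' vs 'cs5.salesforce.com'
    into a hostname verification failure.
    """
    return cert_name.lower().rstrip(".") == hostname.lower().rstrip(".")


def matches_wildcard(cert_name: str, hostname: str) -> bool:
    """Wildcard-aware comparison (assumed RFC 6125-style rules):

    - '*' is only allowed as the entire left-most label;
    - '*' stands for exactly one label, so it never spans subdomains;
    - at least two literal labels must follow it, so '*.com' is too broad.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" in hostname:
        return False  # a hostname to verify must be a concrete name
    if "*" not in cert_name:
        return cert_name == hostname  # no wildcard: plain exact match
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    if cert_labels[0] != "*" or any("*" in label for label in cert_labels[1:]):
        return False  # partial or non-left-most wildcards are rejected
    if len(cert_labels) < 3:
        return False  # '*.com' would match every .com host
    if len(host_labels) != len(cert_labels):
        return False  # '*' matches one label, not 'a.b.salesforce.com'
    return host_labels[1:] == cert_labels[1:]


if __name__ == "__main__":
    # Names taken from the error message in the question (constructed check).
    cert_cn, target = "*.salesforce.com", "cs5.salesforce.com"
    print("strict  :", matches_strict(cert_cn, target))    # False
    print("wildcard:", matches_wildcard(cert_cn, target))  # True
```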

Attribution
Source: Link, Question Author: Fergal, Answer Author: Stuart Caie
