One of the new features of Oracle Utilities Application Framework V4.3.0.0.1 for Oracle WebLogic customers is that new installations of the product use HTTPS rather than HTTP by default. In past releases it was always possible to use HTTPS instead of HTTP, but the decision was opt-in. In this release HTTPS is provided as the default option, so the decision becomes an opt-out if you do not want to use the HTTPS installation option.
Customers upgrading will not be affected as the configuration decision is retained across upgrades.
If you do use the default HTTPS setup you should be aware of the following:
- By default, a demonstration development certificate is provided with Oracle WebLogic. This certificate is limited in its scope and is only provided to complete a basic HTTPS configuration within Oracle WebLogic. The certificate will be detected as not valid by your browser. This is not a bug but intentional behavior, as Oracle cannot issue production quality certificates in Oracle WebLogic as part of its base installation. If the default certificate is used, developers can accept the certificate according to their browser preferences (Mozilla Firefox will ask you to add an exception and Internet Explorer will ask you to confirm that it is OK to proceed). If you proceed, the browser will indicate visually on the address bar that you are using a digital certificate (this will vary from browser to browser).
- It is HIGHLY recommended that customers who want to use the HTTPS functionality obtain a valid digital certificate from a valid certificate issuing authority and implement the certificate as per the Installation Guide or WebLogic documentation.
- To find out which certificate issuing authorities are supported by the Java version you have, use the following command:
keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
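The verbose listing from that command is long. As an added example (not from the original post or from Oracle), the script below condenses it to one line per trusted CA and checks whether a given issuer DN is among them; the function names and the sample listing are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not Oracle code). Real use, with the page's path and the
# JDK's default trust store password "changeit":
#   keytool -list -v -keystore "$JAVA_HOME/jre/lib/security/cacerts" \
#     -storepass changeit | summarise_cacerts
# On Java 9 and later the file is at $JAVA_HOME/lib/security/cacerts.

# Constructed sample in the layout `keytool -list -v` prints (not real CAs).
SAMPLE_KEYTOOL_OUTPUT='Keystore type: JKS
Your keystore contains 2 entries

Alias name: examplerootca
Creation date: Jan 1, 2015
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example Trust, C=US
Issuer: CN=Example Root CA, O=Example Trust, C=US
Serial number: 1a2b
Valid from: Thu Jan 01 00:00:00 UTC 2015 until: Mon Jan 01 00:00:00 UTC 2035

Alias name: sampleca2
Creation date: Mar 5, 2014
Entry type: trustedCertEntry

Owner: CN=Sample CA 2, O=Sample Corp, C=GB
Issuer: CN=Sample CA 2, O=Sample Corp, C=GB
Serial number: 3c4d
Valid from: Sat Mar 01 00:00:00 UTC 2014 until: Fri Mar 01 00:00:00 UTC 2024'

# Print one "alias|owner DN|valid until" line per certificate read on stdin.
summarise_cacerts() {
  awk '
    /^Alias name: / { alias = substr($0, 13) }
    /^Owner: /      { owner = substr($0, 8) }
    /^Valid from: / { sub(/^.*until: /, ""); print alias "|" owner "|" $0 }
  '
}

# Exit 0 if the DN in $1 is the Owner of a trusted entry read on stdin,
# i.e. the CA that issued your server certificate is one this JVM trusts.
issuer_is_trusted() {
  summarise_cacerts | DN="$1" awk -F'|' '
    $2 == ENVIRON["DN"] { found = 1 }
    END { exit !found }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_KEYTOOL_OUTPUT" | summarise_cacerts
```

The "valid until" column also shows trust store entries that have already expired, such as the second constructed entry here.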
The bottom line is that if you want to use HTTPS then get a valid certificate for your organization; otherwise you can opt out and use HTTP if that is valid for your site. Typically, most installations are expected to use HTTP for non-production and HTTPS for production to minimize costs.