Technical data
SSL Certificate Validation
Administration Guide 14-77
Table 14-23 describes the options for the command-line argument.
Table 14-23 Options for -Dweblogic.security.SSL.enforceConstraints
Option Description
strong or
true
Use this option to check that the Basic Constraints extension on the CA
certificate is
defined as CA.
For example:
-Dweblogic.security.SSL.enforceConstraints=strong
or
-Dweblogic.security.SSL.enforceConstraints=true
By default, WebLogic Server performs this level of certificate
validation.
strict
Use this option to check the Basic Constraints extension on the CA
certificate is
defined as CA and set to critical. This option enforces the
IETF RFC 2459 standard.
For example:
-Dweblogic.security.SSL.enforceConstraints=strict
This option is not the default because a number of commercially
available CA certificates do not conform to the
IETF RFC 2459
standard
.
off
Use this option to disable certificate validation. Use this option
carefully. For example, if you purchased CA certificates from a
reputable commercial certificate authority and the certificates do not
pass the new validation, use this option. However, CA certificates from
most commercial certificate authorities should work with the default
strong option.
For example:
-Dweblogic.security.SSL.enforceConstraints=off
BEA does not recommend use this option in production environment.
Instead, purchase new CA certificates that comply with the IETF RFC
2459 standard.