Weblogic SSL support: 12C dropped SHA1 support

weblogic

We are working with an org that runs Weblogic 10.3. When we upgraded to a SHA2 certificate, they were no longer able to communicate with our REST endpoint. (We had to go back to SHA1, which is hard to get nowadays!)

They are planning an upgrade to Weblogic 12 (I think it is "12C"), and they report that they will not be able to support SHA1 at that point, forcing us to migrate certs at the exact same time (which seems like asking for trouble).

Does this sound right?

(IOW: Is there a straightforward way to support SHA2/256 on 10.3? Is there a straightforward way to support SHA1 on 12C?)

Best Answer

Microsoft and Google announced SHA-1 deprecation plans that may affect websites with SHA-1 certificates expiring as early as after December 31, 2015.

Certificates can be created with different 'hash algorithms', including

1) SHA1: a 160 bit hash

2) SHA2: a family of two similar hash functions with different block sizes, known as SHA-256 and SHA-512 (this is a newer algorithm)

Up until recently, only the SHA1 algorithm was supported with WebLogic. But starting with WebLogic 10.3.3, the SHA2 algorithm is supported as well.

If you wish to use a certificate with a SHA2 hash algorithm, then you will need to enable JSSE SSL (which trusts stronger certificates such as SHA2).

Oracle strongly recommends that you upgrade to the latest WebLogic Maintenance Pack and the latest JDK patch, as there are some known issues with JSSE SSL and lower WebLogic maintenance packs and Java patches. You should be using WebLogic 10.3.6 at a minimum.

You can check the Frequently Asked Questions about SSL Certificates on WebLogic in the official documentation on Oracle Metalink (support.oracle.com).

SHA2 (SHA256 etc.) is supported from WebLogic 11g (10.3.6) onwards, but certificates will work only with the JSSE implementation (-Dweblogic.security.SSL.enableJSSE=true).

SHA2 Certificates and Ciphersuites are supported in WLS 12.1.X in the following circumstances:

1) WLS 12.1.1 with JDK 7 and JSSE enabled using the JDK's Sun JSSE provider (default) or RSA JSSE provider

2) WLS 12.1.1 with JDK 6 and JSSE enabled using the RSA JSSE provider

3) WLS 12.1.2 (or later) with JDK 7 (or later) and JSSE enabled using the JDK's Sun JSSE provider (default) or RSA JSSE provider

If you are on a lower version than 10.3.6, then you can use Apache/OHS, which acts as a reverse proxy in front of the entire environment. The reverse proxy acts as an SSL terminator for client connections using the latest SHA-2 SSL certificates.

Check the link below:

https://technology.amis.nl/2014/12/07/securing-ohs-environments-latest-ssl-tls-protocols-sha-2-certificates/
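As an added example (not code from the answer above, from Oracle or from the linked article), here is a small POSIX shell script covering the two checks a practitioner wants around the migration the answer describes: it reads the signature algorithm off a certificate (a local PEM file, or the leaf certificate a live endpoint serves, whether WebLogic directly or the Apache/OHS reverse proxy in front of it), classifies it as SHA-1 or SHA-2, and prints a JAVA_OPTIONS value with the enableJSSE switch from the answer added idempotently. The script name, the demo.example subject, and the host/port arguments are placeholders of mine; openssl and sed are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the answer above): inspect a certificate's signature
# algorithm and produce the JAVA_OPTIONS that switch WebLogic to JSSE SSL.
# Assumes openssl and sed are on PATH; host/port and file names are placeholders.

# Map the "Signature Algorithm" name printed by `openssl x509 -text` to a
# family: sha1, sha2 or unknown (MD5 and anything else we do not recognise).
sigalg_family() {
  case "$1" in
    sha1With*|dsaWithSHA1|ecdsa-with-SHA1) echo sha1 ;;
    sha224With*|sha256With*|sha384With*|sha512With*) echo sha2 ;;
    ecdsa-with-SHA224|ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512) echo sha2 ;;
    *) echo unknown ;;
  esac
}

# Signature algorithm of a PEM certificate on disk (first "Signature Algorithm:"
# line of the text dump, which is the one inside the signed body).
cert_sigalg() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Signature algorithm of the leaf certificate a live endpoint presents,
# i.e. what the WebLogic client (or the reverse proxy's clients) will see.
remote_cert_sigalg() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -text 2>/dev/null \
    | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Append the JSSE switch from the answer to an existing JAVA_OPTIONS value.
# Idempotent: an options string that already carries the flag is returned as-is.
jsse_java_options() {
  flag='-Dweblogic.security.SSL.enableJSSE=true'
  case " $1 " in
    *" $flag "*) echo "$1" ;;
    *) echo "${1:+$1 }$flag" ;;
  esac
}

# Generate a throwaway SHA-256 self-signed certificate for local testing
# (constructed test data; demo.example is a placeholder subject).
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj /CN=demo.example -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# Usage: sh check_sha2.sh cert.pem [host port]
if [ "$#" -ge 1 ]; then
  alg=$(cert_sigalg "$1")
  echo "$1: $alg ($(sigalg_family "$alg"))"
  if [ "$#" -ge 3 ]; then
    ralg=$(remote_cert_sigalg "$2" "$3")
    echo "$2:$3 serves: $ralg ($(sigalg_family "$ralg"))"
  fi
  echo "JAVA_OPTIONS=\"$(jsse_java_options "$JAVA_OPTIONS")\""
fi
```

Run it against the new SHA-2 certificate before the cut-over, then against the live endpoint afterwards; the printed JAVA_OPTIONS line goes into the domain's setDomainEnv.sh (or whatever start script sets JAVA_OPTIONS) on the 10.3.6 side, so that the client trusts the SHA-2 chain before the server switches to it.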
