4.3.4.3 Ensure that Host Name Verification is Enabled

Oracle WebLogic Server performs host name verification when it acts as an SSL client; this check prevents man-in-the-middle attacks against SSL itself.

Note that the application deployed on WebLogic Server establishes outbound SSL connections in certain scenarios, for instance when it makes requests to the Oracle BI Publisher server. In those cases Oracle WebLogic Server acts as an SSL client.

Oracle WebLogic Server also acts as an SSL client in scenarios other than the outbound SSL requests made by deployed applications; for instance, managed servers establish SSL connections to the Admin server at boot time. It is therefore recommended to ensure that host name verification is enabled in Oracle WebLogic Server, which is the secure default.
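As an added example (not part of this guide or of Oracle's tooling), the following Python script audits a domain's config.xml for servers that switch host name verification off, either through the SSL MBean's HostnameVerificationIgnored attribute (the hostname-verification-ignored element) or through the JVM property -Dweblogic.security.SSL.ignoreHostnameVerification=true; the sample domain and the com.example.CustomVerifier class are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace of a WebLogic domain config.xml; element names mirror the SSLMBean attributes.
NS = {"d": "http://xmlns.oracle.com/weblogic/domain"}
# JVM property that disables host name verification for every SSL connection the JVM makes.
IGNORE_FLAG = "-Dweblogic.security.SSL.ignoreHostnameVerification=true"

# Constructed sample config.xml (not a real domain): the Admin server keeps the secure
# default, ManagedServer1 switches the check off, ManagedServer2 plugs in a custom verifier.
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>sample_domain</name>
  <server><name>AdminServer</name><ssl><enabled>true</enabled></ssl></server>
  <server><name>ManagedServer1</name>
    <ssl><enabled>true</enabled>
      <hostname-verification-ignored>true</hostname-verification-ignored></ssl></server>
  <server><name>ManagedServer2</name>
    <ssl><enabled>true</enabled>
      <hostname-verifier>com.example.CustomVerifier</hostname-verifier></ssl></server>
</domain>"""


def audit_hostname_verification(config_xml, java_options=""):
    """Map each server name to 'enabled', 'ignored', 'ignored (JVM flag)' or 'custom:<class>'."""
    root = ET.fromstring(config_xml)
    status = {}
    for server in root.findall("d:server", NS):
        name = server.findtext("d:name", namespaces=NS)
        ignored = server.findtext("d:ssl/d:hostname-verification-ignored",
                                  default="false", namespaces=NS)
        verifier = server.findtext("d:ssl/d:hostname-verifier", namespaces=NS)
        if IGNORE_FLAG in java_options:
            status[name] = "ignored (JVM flag)"   # overrides the per-server setting
        elif ignored.strip().lower() == "true":   # absent element == false == verify
            status[name] = "ignored"
        elif verifier and verifier.strip():
            status[name] = "custom:" + verifier.strip()  # review the verifier's policy
        else:
            status[name] = "enabled"
    return status


def findings(status):
    """Servers that do not use WebLogic's default host name verification."""
    return sorted(n for n, s in status.items() if s != "enabled")


if __name__ == "__main__":
    result = audit_hostname_verification(SAMPLE_CONFIG)
    for name, state in result.items():
        print(f"{name}: {state}")
    print("needs attention:", findings(result))
```

Pass the JAVA_OPTIONS string from the domain's start scripts as the second argument, since the JVM property silently overrides whatever config.xml says.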

Oracle Financial Services strongly recommends using certificates that will pass verification and recommends against using demonstration certificates in production. Note that using demonstration certificates in a testing or development environment that contains a multi-server WebLogic cluster will result in boot failures for managed servers.