Certificate chain is invalid because the issuer DN does not match the next certificate subject
A careful examination of the error messages showed that WebLogic was trying to process the certificate chain in the wrong order. It started with the "myserver" certificate, then immediately went on to check the "root" certificate. The issuer of the "myserver" certificate was not the "root"; it was an "intermediate" authority. So WebLogic expected the "intermediate" certificate to be next in the chain, but received the "root" instead, giving the error above.
This could be a problem with how that certificate is configured on the remote host. However, most other client libraries seem to be more forgiving and don't consider this to be an error. Examined at the browser level, the certificate for the URL looks fine, and command-line tests connecting to the URL via Java worked just fine too. So it appears that the default JDK SSL libraries can handle this situation, but the WebLogic libraries cannot.
To work around this problem, we had to make the following setting change:
That will update web service connections which use Oracle's client libraries (such as ADF connections) to use the Sun JDK SSL handler instead of the WebLogic one.
There are also settings within the WebLogic console for "Use JSSE SSL", but that did not seem to have any effect on the web service connections, which apparently use a different set of libraries to connect. If you have other types of outgoing connections and you run into this problem, you may need to set that flag as well.
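To confirm that a remote host really sends its chain out of order, the check behind the error message (each issuer DN must equal the next subject DN) can be run over the "Certificate chain" section printed by `openssl s_client -connect host:443 -showcerts`. The following is an added example, not part of the original post or of Oracle's code; the sample output and DNs are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of the "Certificate chain" section printed by
# `openssl s_client -showcerts`; the DNs are made up for illustration.
SAMPLE = """\
Certificate chain
 0 s:CN = myserver
   i:CN = intermediate
 1 s:CN = root
   i:CN = root
 2 s:CN = intermediate
   i:CN = root
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        m = re.match(r"\s*(?:\d+\s+)?([si]):\s*(.+?)\s*$", line)
        if not m:
            continue
        if m.group(1) == "s":
            subject = m.group(2)
        elif subject is not None:
            chain.append((subject, m.group(2)))
            subject = None
    return chain

def first_break(chain):
    """Index of the first cert whose issuer DN differs from the next subject DN."""
    for i in range(len(chain) - 1):
        if chain[i][1] != chain[i + 1][0]:  # plain string compare of printed DNs
            return i
    return None

def rebuild(chain):
    """Follow issuer -> subject links from the leaf, ignoring the sent order."""
    by_subject = {s: (s, i) for s, i in chain}
    path, cur = [], chain[0] if chain else None
    while cur and cur not in path:
        path.append(cur)
        cur = None if cur[0] == cur[1] else by_subject.get(cur[1])
    return path

def diagnose(chain):
    """'in order', 'misordered' (same certs, wrong order) or 'broken' (unlinkable certs)."""
    if first_break(chain) is None:
        return "in order"
    return "misordered" if len(rebuild(chain)) == len(chain) else "broken"
```

A result of "misordered" means a strict, order-sensitive validator will reject the chain while a path-building one can still accept it, and the durable fix is to reorder the certificates on the remote host.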