Behavior difference for web service host name validation

When running web services on Liberty, the host name in the HTTPS URL is validated against the server certificate by default, whereas in WebSphere Application Server traditional it is not. If the host name does not match, the Liberty server throws the following exception:

java.io.IOException: The https URL hostname does not match the Common Name (CN) on the server certificate in the client's truststore. Make sure the server certificate is correct, or to disable this check (NOT recommended for production) set the CXF client TLS configuration property disableCNCheck to true.

This behavior difference affects client applications that use the Java API for XML Web Services (JAX-WS), which is provided by the javax.xml.ws package. If the JAX-WS APIs are referenced, the project is flagged once.

The recommended solution is to create a server certificate with the correct host name. Alternatively, you can disable the hostname validation for the JAX-WS clients that require it by setting the http.conduit.tlsClientParameters.disableCNCheck property. With the check disabled, the client accepts any certificate that its truststore trusts, whatever host name the certificate carries. To set the property, add the <webservices-bnd> application binding to the server.xml file and set the property on a per-client basis with the <service-ref> element, as shown in the following example:

<enterpriseApplication id="SimpleEcho" name="SimpleEcho" location="SimpleEcho.ear">
  <webservices-bnd moduleName="SimpleEcho">
    <service-ref name="service/SimpleEchoService">
      <port name="SimpleEchoPort">
        <properties vendor="IBM"/>
      </port>
      <properties http.conduit.tlsClientParameters.disableCNCheck="true"/>
    </service-ref>
  </webservices-bnd>
</enterpriseApplication>

The hostname validation can also be disabled by adding the property to the <service-ref> element of the ibm-ws-bnd.xml file as seen in the following example:

<service-ref name="service/SimpleEchoService">
  <port name="SimpleEchoPort">
    <properties vendor="IBM"/>
  </port>
  <properties http.conduit.tlsClientParameters.disableCNCheck="true"/>
</service-ref>
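
To see which host name the certificate has to carry before turning to disableCNCheck, the following added example (not IBM or CXF code) compares the host in a client's HTTPS URL with the names in a certificate. It assumes RFC 6125-style matching (SAN dNSName entries first, CN only as a fallback, wildcard only as the whole leftmost label), which may differ in detail from the check Liberty performs; the function names, URLs and sample certificates are constructed for illustration.

```python
# Added example: hostname-vs-certificate check in the style of RFC 6125.
# Assumption: the certificate is the dict returned by Python's
# ssl.SSLSocket.getpeercert(); the sample certificates below are constructed.
from urllib.parse import urlsplit


def _name_match(pattern, host):
    """Match one DNS name; '*' is honoured only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse overly broad wildcards such as '*.com'.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_names(cert):
    """Return (SAN dNSName entries, subject CN values) from a getpeercert() dict."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return sans, cns


def check_endpoint(url, cert):
    """Report whether the host in an https URL is covered by the certificate."""
    host = urlsplit(url).hostname or ""
    sans, cns = cert_names(cert)
    # SAN entries take precedence; the CN is consulted only when no dNSName exists.
    candidates, source = (sans, "SAN") if sans else (cns, "CN")
    for name in candidates:
        if _name_match(name, host):
            return True, f"{host} matches {source} entry {name}"
    return False, f"{host} not covered by {source} entries {candidates}"


# Constructed sample certificates (not taken from any real server).
CERT_CN_ONLY = {"subject": ((("commonName", "localhost"),),)}
CERT_WITH_SAN = {
    "subject": ((("commonName", "echo.example.com"),),),
    "subjectAltName": (("DNS", "echo.example.com"), ("DNS", "*.svc.example.com")),
}

if __name__ == "__main__":
    for url, cert in [("https://echo.example.com:9443/SimpleEcho", CERT_CN_ONLY),
                      ("https://echo.example.com:9443/SimpleEcho", CERT_WITH_SAN),
                      ("https://a.b.svc.example.com/SimpleEcho", CERT_WITH_SAN)]:
        print(url, "->", check_endpoint(url, cert))
```

The first constructed case reproduces the situation behind the exception: a certificate issued for localhost presented to a client that calls the service by its real host name.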

For detailed information about configuring the web services reference configurations for a web services client on Liberty, see the following resource: