I was going to write up a post about doing T3 over SSL as it seems to be something that people get hung up on.
However, Markus Eisele seems to have beaten me to it with an excellent and fairly comprehensive post.
I’d just like to add:
When you import the trusted CA into the default JVM cacert store make sure it is on the CLIENT JVM (and as the blog points out the correct JVM).
Also, rather than importing the trusted CA into the default JVM cacert store, you can create your own keystore and specify to the client SSL stack to use that store instead.
If you are using a standard J2SE stack for the client then you do this by starting the client with the following flags:
-Djavax.net.ssl.trustStore=**trustStore file path**
However, if you are using the WLS stack for the client you would do this with these flags:
-Dweblogic.security.CustomTrustKeyStoreFileName=**trust store file path**
-Dweblogic.security.CustomTrustKeyStorePassPhrase=**keystore pass phrase**