We are using HttpsURLConnection in a WebSphere TAI in WebSphere Liberty Profile to connect to a security server. I had a lot of problems with SSL cert errors, until I discovered that it is looking for signer certs in the WLP keystore, not the WLP truststore or JVM truststore. There is nothing in the code setting this; it must be a default. But I am confused, because when we use an HTTP client in other code, it uses the JVM's truststore.
How can I make the HttpsURLConnection use the WLP or JVM truststore, and not the keystore?
You can load your truststore as below and set it into an SSLContext, which can then be set on the HttpsURLConnection. As this is an example I used defaults; you should replace them with the appropriate algorithms, protocol and truststore type.
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URL;
import java.security.*;
import java.security.cert.CertificateException;
import javax.net.ssl.*;

try (FileInputStream truststoreFile = new FileInputStream("path/to/your/truststore.jks")) {
    TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    KeyStore truststore = KeyStore.getInstance(KeyStore.getDefaultType());
    char[] truststorePassword = "<truststorePassword>".toCharArray();
    truststore.load(truststoreFile, truststorePassword);
    trustManagerFactory.init(truststore);
    SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
    KeyManager[] keyManagers = null; // supply key managers here only if the server requires a client certificate
    sslContext.init(keyManagers, trustManagerFactory.getTrustManagers(), new SecureRandom());
    URL httpsUrl = new URL("<your https url>");
    HttpsURLConnection urlConnection = (HttpsURLConnection) httpsUrl.openConnection();
    // Without this call the connection keeps the default socket factory and therefore the default (keystore) trust
    urlConnection.setSSLSocketFactory(sslContext.getSocketFactory());
} catch (NoSuchAlgorithmException | KeyStoreException | CertificateException | IOException e) {
    // handle exception
} catch (KeyManagementException e) {
    // handle exception
}
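As an added example (not part of the answer above), the following class shows the two other things a practitioner usually wants here: building trust from the JVM default truststore by passing null to TrustManagerFactory.init, and a quick count of accepted CA certificates to confirm which store a connection is really using. The class name TrustStoreDiagnostics, the PKCS12 store type and TLSv1.2 are assumptions; run it as java TrustStoreDiagnostics [<truststore path> <password>].

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class TrustStoreDiagnostics {
    // Trust managers backed by the given store. Passing null selects the JVM default truststore
    // (javax.net.ssl.trustStore if set, otherwise $JAVA_HOME/lib/security/cacerts).
    static TrustManager[] trustManagersFor(KeyStore storeOrNull) throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(storeOrNull);
        return tmf.getTrustManagers();
    }
    // Loads an explicit truststore file, e.g. the Liberty truststore referenced from server.xml.
    static KeyStore loadStore(String path, char[] password, String type) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, password); }
        return ks;
    }
    // Number of CA certificates these trust managers accept as signers. Zero, or far fewer than
    // expected, is the quickest sign that a connection picked up the wrong store.
    static int countTrustAnchors(TrustManager[] tms) {
        int n = 0;
        for (TrustManager tm : tms) if (tm instanceof X509TrustManager) n += ((X509TrustManager) tm).getAcceptedIssuers().length;
        return n;
    }
    // Scopes the trust decision to this one connection. HttpsURLConnection.setDefaultSSLSocketFactory
    // would instead change every HttpsURLConnection in the server JVM, including other applications'.
    static HttpsURLConnection openWith(URL url, TrustManager[] tms) throws GeneralSecurityException, IOException {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, tms, null); // no key managers: the client presents no certificate
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }
    public static void main(String[] args) throws Exception {
        System.out.println("JVM default truststore anchors: " + countTrustAnchors(trustManagersFor(null)));
        if (args.length == 2) { // store type assumed PKCS12; use "JKS" for a .jks file
            KeyStore wlp = loadStore(args[0], args[1].toCharArray(), "PKCS12");
            System.out.println("Given truststore anchors: " + countTrustAnchors(trustManagersFor(wlp)));
        }
    }
}
```

Comparing the two counts against the signer certificates you expect tells you whether the TAI is reading the store you think it is before any connection is attempted.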