Hi David,
And really thanks for your balanced answer (again, I do admit my high tone was wrong, still I also do maintain a "commercial" answer is not really helpful in a forum).
but to the point: indeed we do not want to disable TLS. If not for other reason then because we need it to activate SAML authentication for other applications.
So basic authentication is not enough overall.
And anyway, in the end we did find the solution: manually add the server's certificate into client java's "cacerts" keystore. Sure enough, not so convenient and reliable as a simple entry into a dedicated configuration file but for now it worked fine.
Best regards.