This blog post describes how to configure security in a WebLogic domain.
After you have created your domain and have started it, perform the following tasks to optimize the domain’s security:
1. Configure the Password Validation provider to manage and enforce password composition rules. The Password Validation provider is configured out-of-the-box to work with several WebLogic authentication providers.
2. As you create or add users to the security realm, check that the User Lockout options on user accounts are set for maximum protection. Note that User Lockout is configured on a per-realm basis, so if the default User Lockout settings are not suitable for your needs, you may need to customize them whenever you create a new security realm.
3. If you have configured Node Manager to start, shut down, and restart the Administration Server and Managed Server instances distributed across multiple machines, make sure that Node Manager security is properly configured.
4. Enable auditing, which provides an automated way of collecting and storing information about events and other activity occurring in the system. Auditing is available through either of the following means:
   - Configuration auditing: when this is enabled, the Administration Server emits log messages and generates audit events whenever a user changes the configuration of any resource within a domain or invokes management operations on any resource within a domain.
   - WebLogic Auditing provider: an optional security provider that collects, stores, and distributes information about operating requests and the outcome of those requests for non-repudiation. When configuration auditing is enabled, the WebLogic Auditing provider also logs configuration auditing events.
   Note that auditing may impose a performance overhead that should be taken into consideration; by adjusting how auditing is configured, this additional overhead can be minimized. When enabling auditing, make sure that sufficient disk space is available for the audit log. Separately, make sure that the JVM platform MBean server cannot be accessed remotely.
5. Create and configure the keystores used for holding identity and trust: the keystore containing identity certificates and their private keys, and the keystore containing trusted Certificate Authority (CA) certificates. Configure certificate validation and revocation checking to ensure that:
   - each certificate in a certificate chain was issued by a certificate authority, and
   - the revocation status of each certificate WebLogic Server validates is current.
6. Configure a hostname verifier. When making an SSL connection, the hostname verifier ensures that the hostname in the URL to which the client connects matches the hostname in the digital certificate that the server sends back.
7. Configure SSL for the administration port, network channels, database connections, LDAP server connections, and other resources handling communication that must be secured. In particular, make sure that connections to remote server instances in the domain are secured with SSL. The specific components for which either one- or two-way SSL needs to be configured depends on the overall topology of the production environment. For details, see the following topics:
SSL configuration topics to keep in mind and refer to:
- An overview of using SSL to secure communications in a basic WebLogic domain
- Where to use one-way and two-way SSL in a basic WebLogic domain
- Steps to configure SSL in a basic WebLogic domain
- Configuring an administration port for secure communication with the domain Administration Server
- Securing database connections
- An overview of using SSL in Oracle Fusion Middleware to secure components in web, middle, and data tiers
- Best practices for configuring SSL in WebLogic Server
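The hostname verifier in step 6 comes down to one decision: does the hostname in the URL match a name the server certificate carries? The block below is an added example written for this post, not WebLogic's own verifier code. It applies the RFC 6125 DNS-name matching rules (case-insensitive, wildcard only as the whole left-most label, matching exactly one label) plus exact matching for IP literals. The certificate names in `SAMPLE_CERT_NAMES` are constructed for illustration; real code would take them from the certificate's subjectAltName extension.

```python
"""Added example (not from the original post or WebLogic): the matching
decision an SSL hostname verifier makes, over a constructed set of
certificate names."""

import ipaddress

# Constructed sample of the names a server certificate might carry.
SAMPLE_CERT_NAMES = {
    "dns": ["wls-admin.example.com", "*.apps.example.com"],
    "ip": ["192.0.2.10"],
}


def _dns_label_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 style DNS-ID matching: case-insensitive; a wildcard is
    allowed only as the entire left-most label, only when at least two
    fixed labels follow it, and it matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # "*.apps.example.com" is fine; "w*.example.com" or "a.*.example.com" is not.
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False
    # Refuse overly broad patterns such as "*.com".
    if len(p_labels) < 3:
        return False
    # The wildcard covers one label, so "a.b.apps.example.com" does not match.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def hostname_matches(cert_names: dict, hostname: str) -> bool:
    """True if the hostname the client connected to is covered by the
    certificate's names."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literals must equal an iPAddress entry exactly; no wildcards.
        return any(ip == ipaddress.ip_address(i) for i in cert_names.get("ip", []))
    return any(_dns_label_match(p, hostname) for p in cert_names.get("dns", []))


def verify_connection(cert_names: dict, url_host: str) -> str:
    """The verdict a hostname verifier returns for a connection attempt."""
    if hostname_matches(cert_names, url_host):
        return "accept"
    return "reject: certificate does not cover %r" % url_host


if __name__ == "__main__":
    for host in ["wls-admin.example.com", "payroll.apps.example.com",
                 "a.b.apps.example.com", "192.0.2.10", "wls-admin.example.net"]:
        print(host, "->", verify_connection(SAMPLE_CERT_NAMES, host))
```

The multi-label case (`a.b.apps.example.com`) is the one that a sloppy verifier tends to get wrong; the rule that a wildcard stands for exactly one label is what keeps a `*.apps.example.com` certificate from vouching for every host under that suffix.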
- By default, WebLogic Server is configured for one-way SSL authentication; however, the SSL port is disabled. Oracle strongly recommends enabling the SSL port in all server instances in a production domain.
- The demonstration digital certificates, private keys, and trusted CA certificates provided in WebLogic Server should never be used in a production environment.
- Restrict the size and the time limit of requests on external channels to prevent Denial of Service attacks.
- If you use multiple Authentication providers, be sure to set the JAAS control flag correctly.
- Ensure that you have correctly assigned users and groups to the default WebLogic Server security roles.
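Step 1 above says the Password Validation provider enforces password composition rules but does not spell them out. The block below is an added example written for this post, not the provider's code: a checker for the kinds of rules such a policy typically carries (minimum length, minimum counts of numeric, alphabetic and non-alphanumeric characters, limits on repeated characters, and rejection of passwords containing the username or its reverse). The `PasswordPolicy` field names and limits are this example's assumptions; substitute the values your realm's provider is configured with.

```python
"""Added example (not WebLogic's Password Validation provider): a
password-composition checker with assumed rule names and limits."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PasswordPolicy:
    # Assumed limits for this example, not WebLogic defaults.
    min_length: int = 8
    min_numeric: int = 1
    min_alphabetic: int = 1
    min_non_alphanumeric: int = 1
    max_instances_of_any_char: int = 4
    max_consecutive_repeat: int = 3
    reject_contains_username: bool = True
    reject_contains_reversed_username: bool = True


def validate_password(username: str, password: str,
                      policy: Optional[PasswordPolicy] = None) -> List[str]:
    """Return every rule the password violates; an empty list means it
    passes the composition policy."""
    policy = policy or PasswordPolicy()
    problems: List[str] = []

    if len(password) < policy.min_length:
        problems.append("shorter than %d characters" % policy.min_length)
    if sum(c.isdigit() for c in password) < policy.min_numeric:
        problems.append("fewer than %d numeric characters" % policy.min_numeric)
    if sum(c.isalpha() for c in password) < policy.min_alphabetic:
        problems.append("fewer than %d alphabetic characters" % policy.min_alphabetic)
    if sum(not c.isalnum() for c in password) < policy.min_non_alphanumeric:
        problems.append("fewer than %d non-alphanumeric characters"
                        % policy.min_non_alphanumeric)

    # Too many copies of one character anywhere in the password.
    counts = {}
    for c in password:
        counts[c] = counts.get(c, 0) + 1
    if counts and max(counts.values()) > policy.max_instances_of_any_char:
        problems.append("a character occurs more than %d times"
                        % policy.max_instances_of_any_char)

    # Runs of the same character, e.g. "aaaa".
    run = 1
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        if run > policy.max_consecutive_repeat:
            problems.append("more than %d consecutive identical characters"
                            % policy.max_consecutive_repeat)
            break

    # Username checks are case-insensitive.
    low_pw, low_user = password.lower(), username.lower()
    if policy.reject_contains_username and low_user and low_user in low_pw:
        problems.append("contains the username")
    if (policy.reject_contains_reversed_username and low_user
            and low_user[::-1] in low_pw):
        problems.append("contains the username reversed")
    return problems


if __name__ == "__main__":
    for user, pw in [("weblogic", "weblogic1!"), ("weblogic", "Tr0ub4dor&3"),
                     ("alice", "aaaa!1")]:
        print(user, repr(pw), "->", validate_password(user, pw) or "OK")
```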
Getting Private Keys, Digital Certificates, and Trusted Certificate Authority Certificates:
You have multiple choices for getting private keys, digital certificates, and trusted CA certificates for your WebLogic Server environment. When choosing, note the following considerations:
- For production environments, Oracle strongly recommends obtaining private keys and digital certificates only from a reputable certificate authority such as Entrust or Symantec Corporation.
- For development environments only, you can use the digital certificates, private keys, and trusted CA certificates provided by WebLogic Server. You can also use the keytool or CertGen utility to generate self-signed certificates.
Storing Private Keys, Digital Certificates, and Trusted Certificate Authority Certificates:
Once you have obtained private keys, digital certificates, and trusted CA certificates, you need to store them so that WebLogic Server can use them to establish and verify identity. Private keys, their associated digital certificates, and trusted CA certificates are stored in keystores. You then configure those keystores in WebLogic Server.
Keystore topics:
- Creating a keystore
- Configuring a keystore to be used with WebLogic Server
- A step-by-step example of using the keytool utility to create a keystore and store keys and certificates in it
- Displaying the certificates in a keystore
- Updating certificates that are due to expire
Protecting User Accounts:
WebLogic Server defines a set of configuration options to protect user accounts from intruders. In the default security configuration, these options are set for maximum protection. You can use the WebLogic Server Administration Console to change these options using the Configuration > User Lockout page, which is available for each security realm.
As a system administrator, you have the option of turning off all the configuration options, increasing the number of login attempts allowed before a user account is locked, increasing the time window in which invalid login attempts are counted before locking the user account, and changing how long a user account stays locked. Remember that loosening these options lessens security and leaves user accounts more exposed to attack.
The User Lockout options apply to the default security realm and all its security providers. User Lockout works in all security realms, is layered on top of all configured providers, including custom ones, and is enabled by default.
If you are using an Authentication provider that has its own mechanism for protecting user accounts, consider carefully whether disabling User Lockout on the security realm is appropriate, because other Authentication providers might also be configured in the same security realm.
If a user account becomes locked and you delete the user account and add another user account with the same name and password, the User Lockout configuration options will not be reset.
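To make the User Lockout behaviour described in this section concrete, here is an added example written for this post, not WebLogic code: a toy realm whose lockout state is kept per user name, separately from the user record. The attempt threshold, the reset window in which failed attempts accumulate, and the lock duration are this example's assumed values (a real realm's values come from its Configuration > User Lockout page), and time is passed in as minutes so the example runs deterministically offline. It shows the three things the text states: a correct password is refused while the account is locked, deleting and re-adding a user of the same name does not reset the lockout, and turning lockout off removes the protection entirely.

```python
"""Added example (not WebLogic code): a model of per-realm User Lockout
with assumed threshold / reset-window / lock-duration values."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LockoutConfig:
    enabled: bool = True
    threshold: int = 5        # invalid attempts before locking (assumed)
    reset_minutes: float = 5  # window in which invalid attempts accumulate (assumed)
    lock_minutes: float = 30  # how long the account stays locked (assumed)


@dataclass
class LockoutState:
    failures: List[float] = field(default_factory=list)  # failure times, minutes
    locked_until: float = 0.0


class Realm:
    """A toy security realm: a user store plus lockout state keyed by
    user name, which survives deleting and re-creating the user."""

    def __init__(self, config: Optional[LockoutConfig] = None):
        self.config = config or LockoutConfig()
        self.users: Dict[str, str] = {}   # username -> password (constructed sample)
        self.lockouts: Dict[str, LockoutState] = {}

    # --- user administration ---------------------------------------------
    def add_user(self, username: str, password: str) -> None:
        self.users[username] = password       # lockout state is left untouched

    def delete_user(self, username: str) -> None:
        self.users.pop(username, None)        # lockout state is left untouched

    def unlock(self, username: str) -> None:
        """The administrator's explicit unlock of a user account."""
        self.lockouts.pop(username, None)

    # --- authentication with lockout enforcement -------------------------
    def is_locked(self, username: str, now: float) -> bool:
        state = self.lockouts.get(username)
        return state is not None and state.locked_until > now

    def login(self, username: str, password: str, now: float) -> str:
        """Return 'ok', 'locked' or 'invalid'; `now` is in minutes."""
        cfg = self.config
        if cfg.enabled and self.is_locked(username, now):
            return "locked"   # a correct password is refused while locked
        if self.users.get(username) == password:
            self.lockouts.pop(username, None)   # success clears the failure count
            return "ok"
        if not cfg.enabled:
            return "invalid"  # lockout off: unlimited guesses
        state = self.lockouts.setdefault(username, LockoutState())
        # Only failures inside the reset window count toward the threshold.
        state.failures = [t for t in state.failures if now - t < cfg.reset_minutes]
        state.failures.append(now)
        if len(state.failures) >= cfg.threshold:
            state.locked_until = now + cfg.lock_minutes
            state.failures.clear()
        return "invalid"


if __name__ == "__main__":
    realm = Realm()
    realm.add_user("alice", "s3cret!")
    for minute in range(5):
        print("t=%d wrong password ->" % minute, realm.login("alice", "wrong", minute))
    print("t=5 correct password ->", realm.login("alice", "s3cret!", 5))
    realm.delete_user("alice")
    realm.add_user("alice", "s3cret!")
    print("t=10 after delete/re-add ->", realm.login("alice", "s3cret!", 10))
    print("t=35 after lock expires ->", realm.login("alice", "s3cret!", 35))
```

Because the lockout table is keyed by name rather than by the user record, an attacker cannot be reset out of a lock by an administrator recreating the account; the administrator's `unlock` is the intended path. The same structure also shows why disabling lockout for one Authentication provider with its own protection can leave other providers in the realm exposed: the `enabled` flag here is realm-wide.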
That covers configuring security in a WebLogic domain.