|
|
Oracle recommends that you implement the following actions to ensure the security of your production environment:
SSL clients start the SSL handshake by connecting to the server. As part of the connection, the client sends the server a list of the cipher suites it supports.
A cipher suite is an SSL encryption method that includes the key exchange algorithm, the symmetric encryption algorithm, and the secure hash algorithm. A cipher suite is used to protect the integrity of a communication. For example, the cipher suite called RSA_WITH_RC4_128_MD5 uses RSA for key exchange, RC4 with a 128-bit key for bulk encryption, and MD5 for message digest.
The server selects a mutually-supported cipher suite from the list supplied by the client for the client and server to use for this session.
However, a misconfigured client might specify a set of cipher suites that contain only null ciphers.
A null cipher passes data on the wire in clear-text. (An example of a cipher suite with a null cipher is TLS_RSA_WITH_NULL_MD5.) Using a null cipher makes it possible to see the SSL messages by using a network packet sniffer. In essence, SSL is used but does not provide any security.
The server selects the null cipher only when it is the only cipher suite they have in common.
If the server selects a null cipher from the client's cipher suite list, the log contains the following message: "SSL has established a session that uses a Null cipher."
This message is output only when the server has selected a null cipher from the client's list.
| Note: | If there is any potential whatsoever that an SSL client might use a null cipher to inappropriately connect to the server, you should check the log file for this message. It is recommended that new client configurations be given extra attention with respect to the use of a null cipher to ensure that they are properly configured. |
| Note: | It is unlikely that an existing client configuration would suddenly start using null ciphers if it had not been doing so previously. However, an existing client configuration that is unknowingly misconfigured could be using null ciphers. |
Other SSL errors unrelated to null ciphers are possible as well, and each will display an appropriate error message in the log.
For information on configuring SSL, see Configuring SSL in Securing WebLogic Server. For information on viewing log files, see View and configure logs in the Administration Console Online Help.
As of release 10g Release 3 (10.1.3), WebLogic Server includes an Administration Console control to prevent the server from using a null cipher.
The Allow Unencrypted Null Cipher control, which is available on the WebLogic Server Administration Console ServerName 
Configuration SSL Advanced page, determines whether null ciphers are allowed. By default, this control is not set and the use of a null cipher is not allowed on the server. In such a configuration, if the SSL clients want to use the null cipher suite (by indicating TLS_RSA_WITH_NULL_MD5 as the only supported cipher suite), the SSL handshake will fail.
If you set this control, the null cipher suite (for example, TLS_RSA_WITH_NULL_MD5) is added to the list of supported cipher suites by the server. The SSL connection has a chance to use the null cipher suite if the client wants to do so. If the null cipher suite is used, the message will be unencrypted.
| Caution: | Do not set this control in a production environment unless you are aware of the implications and consequences of doing so. |
This control is also exposed as a system runtime parameter, weblogic.security.SSL.allowUnencryptedNullCipher, and as an
AllowUnencryptedNullCipher attribute on the SSLMBean.
A WebLogic Server production environment is only as secure as the security of the machine on which it is running. It is important that you secure the physical machine, the operating system, and all other software that is installed on the host machine. The following are suggestions for securing a WebLogic Server host in a production environment. Also check with the manufacturer of the machine and operating system for recommended security measures.
| Note: | To enable a WebLogic Server instance to use a FIPS-compliant (FIPS 140-2) crypto module in the server’s SSL implementation, make sure that the server start script (for example, startWebLogic.cmd/sh) contains the following: |
| Note: | FIPS 140-2 is a standard that describes U.S. Federal government requirements for sensitive, but unclassified use. |
Set operating system file access permissions to restrict access to data stored on disk. This data includes, but is not limited to, the following:
|
|||
|
|||
Avoid creating more user accounts than you need on WebLogic Server hosts, and limit the file access privileges granted to each account. Ideally, the host machine would have two user accounts with system administrator privileges on operating systems that allow more than one system administrator user and another user with sufficient privileges to run WebLogic Server. Having two system administrator users provides a back up at all times. The WebLogic Server user should be a restricted user, not a system administrator user. One of the system administrator users can always create a new WebLogic Server user if needed.
Background Information:
Some WebLogic Server configuration data and some URL (Web) resources, including Java Server Pages (JSPs) and HTML pages, are stored in clear text on the file system. A sophisticated user or intruder with read access to files and directories might be able to defeat any security mechanisms you establish with WebLogic Server authentication and authorization schemes. |
|||
The passwords for user accounts on production machines should be difficult to guess and should be guarded carefully.
|
|||
On each WebLogic Server host computer, use the operating system to establish a special user account (for example,
wls_owner) specifically to run WebLogic Server.
The Home directory is a repository for common files that are used by multiple Oracle products installed on the same machine. The WebLogic Server product installation directory contains all the WebLogic Server software components that you choose to install on your system, including program files. A domain directory contains the configuration files, security files, log files, Java EE applications, and other Java EE resources for a single WebLogic domain. If you install multiple domains on a WebLogic Server host computer, each domain directory must be protected.
By default, the Oracle installation program places all files and your domain directories in a single directory tree, whose top directory is named You can, however, locate the WebLogic Server product installation directory and your domain directories outside the Home directory. For more information, refer to “Selecting Directories for the WebLogic Platform Installation” in Preparing for Installation in the Installation Guide. This protection limits the ability of other applications executing on the same machine as WebLogic Server to access files and your domain files. Without this protection, some other application could gain write access and insert malicious, executable code in JSPs and other files that provide dynamic content. The code would be executed the next time the file was served to a client. |
|||
Knowledgeable operating system users may be able to bypass WebLogic Server security if they are given write access, and in some cases read access, to the following files:
Everything that uses the persistent store, such as JMS SAF files, has sensitive data that should be protected from read access as well as from write access. The persistent store supports persistence to a file-based store or to a JDBC-enabled database.
If you use the file store to store files on WebLogic Server, the applications can be stored anywhere. You must remember the locations of all of the files in order to protect them from read and write access.
If you use the JDBC store to store applications, make sure to properly secure the database by protecting it from read and write access.
For more information on using the persistent store, see
Using the WebLogic Persistent Store in Configuring Server Environments.
|
|||
On UNIX systems, only processes that run under a privileged user account (in most cases, root) can bind to ports lower than 1024. UNIX systems allow only one system administrator (root) user.
However, long-running processes like WebLogic Server should not run under these privileged accounts. Instead, you can do either of the following:
If you use Node Manager to start the server instance, configure Node Manager to accept requests only on a secure port and only from a single, known host. Note that Node Manager needs to be started under a privileged user account. See Create and configure machines to run on UNIX in the Administration Console Online Help. |
|||
Do not install development tools on production machines. Keeping development tools off the production machine reduces the leverage intruders have should they get partial access to a WebLogic Server production machine.
Do not install the WebLogic Server sample applications on a production machine. When the installation program asks whether you want a Typical Installation or Custom Installation:
|
|||
If you are responsible for security related issues at your site, register on the Oracle Advisories and Notifications page at
https://support.bea.com/application_content/product_portlets/securityadvisories/index.html to receive notifications of newly available security advisories.
|
|||
When designing network connections, you balance the need for a security solution that is easy to manage with the need to protect strategic WebLogic resources. The following table describes options for securing your network connections.
A firewall limits traffic between two networks. Firewalls can be a combination of software and hardware, including routers and dedicated gateway machines. They employ filters that allow or disallow traffic to pass based on the protocol, the service requested, routing information, packet content, and the origin and destination hosts or networks. They can also limit access to authenticated users only.
The WebLogic Security Service supports the use of third-party Identity Assertion providers, which perform perimeter-based authentication (Web server, firewall, VPN) and handle multiple security token types/protocols (SOAP, IIOP-CSIv2). For more information, refer to
Perimeter Authentication in Understanding WebLogic Security.
For more information about using firewalls with WebLogic Server, refer to
Security Options for Cluster Architectures in Using Clusters.
|
|
Instead of, or in addition to, using hardware and third-party software to create firewalls, consider using WebLogic Server connection filters to limit network traffic based on protocols, IP addresses, and DNS node names.
Connection filters are most appropriate when the machines in a WebLogic Server domain can access each other without going through a firewall. For example, you might use a firewall to limit traffic from outside the network, and then use WebLogic Server connection filters to limit traffic behind the firewall.
See
Using Connection Filters in Securing WebLogic Server.
|
|
An Administration Port limits all administrative traffic between server instances in a WebLogic Server domain to a single port. When the server is run without an Adminstrative Port, an application can inadvertently transmit confidential server configuration on the wire in clear-text. Running the server with an Administration Port significantly reduces the chances of this happening. Furthermore, having an Administrative Port configured is helpful should a denial-of-service attack occur because the resources for handling requests for, and the limitations on Administration Port requests are separate from those of the rest of the server.
When used in conjunction with a connection filter, you can specify that a WebLogic Server instance accepts administrative requests only from a known set of machines or subnets and only on a single port.
Enabling the Administration Port requires clients to interact with the Administration Console using SSL which protects sensitive data from being sniffed on the wire by an attacker and protects against some cross site scripting attacks.
See
Configure the domain-wide administration port and
Enable configuration auditing in the Administration Console Online Help.
|
|
To protect the embedded LDAP port against brute force attacks, close off the embedded LDAP listen port using a connection filter in a single server configuration.
While this does not protect the embedded LDAP port in a multiple server configuration, the default connection filter implementation supports filtering based on the source IP address which should be used to allow access only from servers that are part of the domain. As a result, only the machines in the domain can access the LDAP port. For more information on using connection filters, see
Using Network Connection Filters in Programming WebLogic Security.
|
|
As of JDK 1.5, the JDK provides an MBean server (the platform MBean server) and a set of MBeans that contain monitoring information about the JVM. You can configure the WebLogic Server Runtime MBean Server to run as the platform MBean server, which enables JMX clients to access the JVM MBeans and WebLogic Server MBeans from a single MBean server connection.
Remote access to the platform MBean server can be secured only by standard JDK 1.5 security features (see
http://java.sun.com/j2se/1.5.0/docs/guide/management/agent.html#remote). If you have configured the WebLogic Server Runtime MBean Server to be the platform MBean server, enabling remote access to the platform MBean server creates an access path to WebLogic Server MBeans that is not secured through the WebLogic Server security framework.
If it is essential that remote JMX clients have access to the JVM MBeans, Oracle recommends that you access them through the WebLogic Server Runtime MBean Server. See
Registering MBeans in the JVM Platform MBean Server in Developing Manageable Applications with JMX.
|
|
The Simple Network Management Protocol version 2 (SNMPv2), which is supported by WebLogic Server in versions 6.x through 10g Release 3 (10.1.3), lacks security. By default, SNMP is disabled in WebLogic Server. However, once you enable SNMP, the SNMPv2 protocol forces certain potential security problems to occur on the SNMP service, including unauthorized access and denial-of-service attacks.
To limit these security problems when SNMPv2 is enabled, make sure that your network is secure and that the firewall is configured to restrict access to the ports in your WebLogic Server environment.
For more information, see the WebLogic SNMP Management Guide.
|
Most Web applications use a database to store their data. Common databases used with WebLogic Server are Oracle, Microsoft SQL Server, and Informix. The databases frequently hold the Web application’s sensitive data including customer lists, customer contact information, credit card information, and other proprietary data. When creating your Web application you must consider what data is going to be in the database and how secure you need to make that data. You also need to understand the security mechanisms provided by the manufacturer of the database and decide whether they are sufficient for your needs. If the mechanisms are not sufficient, you can use other security techniques to improve the security of the database, such as encrypting sensitive data before writing it to the database. For example, leave all customer data in the database in plain text except for the encrypted credit card information.
The WebLogic Security Service provides a powerful and flexible set of software tools for securing the subsystems and applications that run on a server instance. The following table provides a checklist of essential features that Oracle recommends you use to secure your production environment.
The WebLogic Security Service uses a pluggable architecture in which you can deploy multiple security providers, each of which handles a specific aspect of security.
By default WebLogic Server includes its own security providers that provide a complete security solution. If you have purchased or written your own security providers:
|
|||
|
WebLogic Server includes a set of demonstration private keys, digital certificates, and trusted certificate authorities that are for development only. Everyone who downloads WebLogic Server has the private keys for these digital certificates. Do not use the demonstration identity and trust.
Refer to
Configure keystores in the Administration Console Online Help and
Configuring SSL in Securing WebLogic Server.
|
|||
When communicating by SSL, by default WebLogic Server rejects any digital certificates in a certificate chain that do not have the Basic Constraint extension defined by the Certificate Authority. This level of enforcement protects your Web site from the spoofing of digital certificates.
Make sure that no server startup command includes the following option, which disables this enforcement:
For more information about this option, see
SSL Certificate Validation in Securing WebLogic Server.
In your development environment, you might have disabled the enforcement of security constraints to work around incompatibilities with demonstration digital certificates that WebLogic Server provided in releases prior to 7.0 Service Pack 2. Make sure you enable this feature in your production environment.
|
|||
By default, the WebLogic SSL implementation validates that the host to which a connection is made is the intended or authorized party. However, during the implementation of WebLogic Server at your site, you might have disabled host name verification.
To enable host name verification, see
Configure a custom host name verifier in the Administration Console Online Help.
Refer to
Using Host Name Verification in Securing WebLogic Server.
Background Information:
A man-in-the-middle attack occurs when a machine inserted into the network captures, modifies, and retransmits messages to the unsuspecting parties. One way to avoid man-in-the-middle attacks is to validate that the host to which a connection is made is the intended or authorized party. An SSL client can compare the host name of the SSL server with the digital certificate of the SSL server to validate the connection. The WebLogic Server HostName Verifier protects SSL connections from man-in-the-middle attacks. |
|||
To prevent some denial-of-service attacks, WebLogic Server can restrict the size of a message as well as the maximum time it takes a message to arrive. The default setting for message size is 10 megabytes and 480 seconds for the complete message timeout.
To configure these settings for the HTTP, T3, and IIOP protocols refer to the following tasks in the Administration Console Online Help:
|
|||
To prevent some denial-of-service attacks, limit the number of sockets allowed for a server so that there are fewer than the number of sockets allowed to the entire process. This ensures that the number of file descriptors allowed by the operating system limits is not exceeded.
Even after the server’s limit is exceeded, administrators can access the server through the Administration Port.
In the Administration Console Online Help, see
Servers: Configuration: Tuning.
|
|||
Configure WebLogic Server to avoid overload conditions in order to allow WebLogic Server sufficient processing power so that an administrator can connect to it and attempt to correct the problem in case the server comes under heavy load.
Because communication over administration channels is not prevented when the system is overloaded, administrators can always connect regardless of any current overload condition.
In case of heavy load, the administrator should bring the server into the admin state, locate the offending user, and then prevent that user from overloading the server with requests.
To configure WebLogic Server to avoid overload conditions, set the shared capacity attribute in the overload protection MBean. The setting you choose for this attribute is the threshold after which no more non-administrator requests are accepted by WebLogic Server.
For more information on overload conditions, see
Avoiding and Managing Overload in Configuring Server Environments.
|
|||
By default, the WebLogic Security Service provides security against dictionary and brute force attacks of user accounts. If during development you changed the settings for the number of invalid login attempts required before locking the account, the time period in which invalid login attempts have to take place before locking the account, or the amount of time the user account is locked, review the settings and verify that they are adequate for your production environment.
See
Protect user accounts in the Administration Console Online Help.
|
|||
If a security realm has multiple Authentication providers configured, configure the order and precedence of each provider by setting the JAAS control flags.
See
Set the JAAS control flag in the Administration Console Online Help.
|
|||
Auditing is the process of recording key security events in your WebLogic Server environment. When the Auditing provider that the WebLogic Security Service provides is enabled, it logs events in
DomainName\DefaultAuditRecorder.log
You enable an Auditing provider in the Administration Console on the Security Realms
RealmName Providers Auditing page.
See
Configure Auditing providers in the Administration Console Online Help.
Review the auditing records periodically to detect security breaches and attempted breaches. Noting repeated failed logon attempts or a surprising pattern of security events can prevent serious problems.
If you develop your own custom Auditing provider and would like more information on posting audit events from a provider’s Mbean, refer to the
Best Practice: Posting Audit Events from a Provider's MBean section in Developing Security Providers for WebLogic Server.
|
|||
By default, all WebLogic resources are protected by security policies that are based on a default set of security roles.
Refer to Users, Groups, And Security Roles in Securing WebLogic Resources Using Roles and Policies.
|
|||
Although much of the responsibility for securing the WebLogic resources in a WebLogic Server domain fall within the scope of the server, some security responsibilities lie within the scope of individual applications. For some security options, the WebLogic Security Service enables you to determine whether the server or individual applications are responsible. For each application that you deploy in a production environment, review the items in the following table to verify that you have secured its resources.
| Note: | The HTTP Publish-Subscribe server included in WebLogic Server has specific lockdown steps, which are described in Using the HTTP Publish-Subscribe Server in Developing Web Applications, Servlets, and JSPs for Oracle WebLogic Server. |
By default, each Web application and EJB uses deployment descriptors (XML files) to declare its secured resources and the security roles that can access the secured resources.
Instead of declaring security in Web application and EJB deployment descriptors, you can use the Administration Console to set security policies that secure access to Web applications and EJBs. This technique provides a single, centralized location from which to manage security for all Web applications and EJBs.
You can combine these two techniques and configure WebLogic Server to copy security configurations from existing deployment descriptors upon the initial deployment of a URL (Web) or EJB resource. Once these security configurations are copied, the Administration Console can be used for subsequent updates.
Refer to
Options for Securing Web Application and EJB Resources in Securing WebLogic Resources Using Roles and Policies.
|
|
Comments in JSP files that might contain sensitive data and or other comments that are not intended for the end user should use the JSP syntax of
<%/* ... */%> instead of the HTML syntax <!-- ... -->. The JSP comments, unlike the HTML comments, are deleted when the JSP is compiled and therefore cannot be viewed in the browser.
|
|
Always keep source code off of the production machine. Getting access to your source code allows an intruder to find security holes.
Consider precompiling JSPs and installing only the compiled JSPs on the production machine. For information about precompiling JSPs, refer to
Precompiling JSPs in Developing Web Applications, Servlets, and JSPs in WebLogic Server.
|
|
Set the
transport-guarantee to CONFIDENTIAL in the user-data-constraint element of the web.xml file whenever appropriate.
Refer to
security-constraint in Developing Web Applications, Servlets, and JSPs in WebLogic Server.
|
|
|
Instead, map servlets to URIs explicitly. Remove all existing mappings between WebLogic servlets and the
Servlet servlet from all Web applications before using the applications in a production environment.
For information on mapping servlets, refer to
Configuring Servlets in Developing Web Applications, Servlets, and JSPs in WebLogic Server.
|
|
Oracle does not recommend using the
FileServlet servlet as the default servlet a production environment.
For information on setting up a default servlet, refer to
Setting Up a Default Servlet in Developing Web Applications, Servlets, and JSPs in WebLogic Server.
|
|
In WebLogic Server 7.0, security policies replace ACLs and answer the question “who has access” to a WebLogic resource.
|
|
There are instances where an application can lead to a security vulnerability. Many of these instances are defined by third-party organizations such as Open Web Application Security Project (see
http://www.owasp.org/documentation/topten for a list of common problems).
Of particular concern is code that uses Java native interface (JNI) because Java positions native code outside of the scope of Java security. If Java native code behaves errantly, it is only constrained by the operating system. That is, the Java native code can do anything WebLogic Server itself can do. This potential vulnerability is further complicated by the fact that buffer overflow errors are common in native code and can be used to run arbitrary code.
|
|
The Java security manager defines and enforces permissions for classes that run within a JVM. In many cases, where the threat model does not include malicious code being run in the JVM, the Java security manager is unnecessary. However, when third parties use WebLogic Server and untrusted classes are being run, the Java security manager may be useful.
To enable the Java security manager for a server instance, use the following Java options when starting the server:
Refer to
Using the Java Security Manager to Protect WebLogic Resources in Programming WebLogic Security.
|
|
The ability to return user-supplied data can present a security vulnerability called cross-site scripting, which can be exploited to steal a user’s security authorization. For a detailed description of cross-site scripting, refer to “Understanding Malicious Content Mitigation for Web Developers” (a CERT security advisory) at
http://www.cert.org/tech_tips/malicious_code_mitigation.html.
To remove the security vulnerability, before you return data that a user has supplied, scan the data for HTML special characters. If you find any such characters, replace them with their HTML entity or character reference. Replacing the characters prevents the browser from executing the user-supplied data as HTML.
See
Securing User-Supplied Data in JSPs and
Securing Client Input in Servlets in Developing Web Applications, Servlets, and JSPs in WebLogic Server.
|
|
|