4 Infrastructure Hardening


4.1 What is Infrastructure Hardening?

Infrastructure hardening is the practice of applying security controls to every component of the infrastructure, including:

  • Web servers,

  • application servers,

  • identity and access management solutions, and

  • database systems.

Note:

Oracle WebLogic Server uses a more specific type of hardening known as lockdown, which refers to securing the subsystems and applications that run on a server instance. In contrast, infrastructure hardening is more general: it involves surveying the site to build a threat model of the attacks that apply to it, and identifying every part of the environment (such as components in the Web tier) that could be insecure.

More specifically, Oracle Fusion Middleware administrators focus on these aspects of infrastructure security:

  • SSL-enabling components and component routes, for example Oracle Web Cache to Oracle HTTP Server

  • SSL-enabling web services

  • managing ports and other features of the site, such as default deployed applications, demonstrations, and samples

  • password management

4.2 Keystores

Objects necessary for SSL communication, including private keys, digital certificates, and trusted CA certificates, are stored in keystores.

Oracle Fusion Middleware provides two types of keystores for keys and certificates:

  • JKS-based keystore and truststore

    A JKS keystore is the default JDK implementation of Java keystores provided by Sun Microsystems. In 11gR1, all Java components and Java EE applications use the JKS-based keystore and truststore.

    You use a JKS-based keystore for the following:

    • Oracle Virtual Directory

    • Applications deployed on Oracle WebLogic Server, including:

      • Oracle SOA Suite

      • Oracle WebCenter

  • Oracle wallet

    An Oracle wallet is a keystore for credentials, such as certificates, certificate requests, and private keys.

    You use an Oracle Wallet for the following components:

    • Oracle HTTP Server

    • Oracle Web Cache

    • Oracle Internet Directory

For details, see "Managing Keystores, Wallets, and Certificates" in the Oracle Fusion Middleware Administrator's Guide.

4.3 Enabling SSL

SSL management capabilities in 11g Release 1 (11.1.1) are as follows:

  • Oracle WebLogic Server provides SSL capability for client and server communications

  • Oracle Fusion Middleware 11g offers a new SSL configuration capability that supports SSL enablement for these Oracle Fusion Middleware system components:

    • Oracle Web Cache

    • Oracle HTTP Server

    • Oracle Internet Directory

    • Oracle Virtual Directory

The SSL configuration feature:

  • abstracts the steps involved in configuring SSL from other management tasks

  • makes SSL configuration consistent and uniform across all Oracle Fusion Middleware system components

  • validates SSL during configuration

  • provides default values for various SSL parameters to simplify configuration
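The configuration tools validate the SSL setup while it is being applied; the check a practitioner still wants afterwards is an independent look at what the listener actually presents. The following is an added example, not Oracle's code and not part of the original page: it evaluates the certificate and protocol version of a listener using only the Python standard library. evaluate_listener() works on a certificate in the dict layout that Python's getpeercert() returns, so it runs offline against the constructed sample below; check_listener() gathers the same facts from a live port. The host names, dates and the 30-day renewal threshold are assumptions made for the example.

```python
"""Added example (not Oracle's code): check what an SSL-enabled listener
actually presents once the wallet or JKS keystore is in place.

evaluate_listener() works on a certificate in the dict layout that Python's
ssl.SSLSocket.getpeercert() returns, so it runs offline on the constructed
sample below; check_listener() gathers the same facts from a live port.
"""
import socket
import ssl
import time

# Protocol versions a hardened listener should no longer negotiate.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
RENEWAL_WARNING_DAYS = 30  # assumption: renew certificates 30 days ahead


def _name_matches(pattern, hostname):
    """Match a certificate DNS name; a leading '*' covers exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".web.example.com"
        return hostname.endswith(suffix) and "." not in hostname[: -len(suffix)]
    return False


def certificate_names(cert):
    """DNS names the certificate covers: SAN entries, else the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [value for rdn in cert.get("subject", ())
                 for key, value in rdn if key == "commonName"]
    return names


def evaluate_listener(cert, hostname, tls_version, now=None):
    """Return a list of findings; an empty list means the listener passed."""
    now = time.time() if now is None else now
    findings = []
    if tls_version in WEAK_PROTOCOLS:
        findings.append(f"negotiated {tls_version}; require TLSv1.2 or later")
    # notAfter is in the "Jan 20 00:00:00 2026 GMT" form getpeercert() uses.
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    if days_left < 0:
        findings.append(f"certificate expired {-days_left} days ago")
    elif days_left < RENEWAL_WARNING_DAYS:
        findings.append(f"certificate expires in {days_left} days; renew it")
    names = certificate_names(cert)
    if not any(_name_matches(name, hostname) for name in names):
        findings.append(f"certificate names {names} do not cover {hostname}")
    return findings


def check_listener(host, port, cafile=None, timeout=5.0):
    """Connect to host:port over TLS and evaluate the presented certificate.

    cafile is a PEM export of the trusted CA certificates (from the wallet or
    the JKS truststore); None uses the OS trust store. A chain or hostname the
    context rejects raises ssl.SSLCertVerificationError before evaluation,
    which is itself a failed check.
    """
    context = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return evaluate_listener(tls.getpeercert(), host, tls.version())


# Constructed certificate facts in getpeercert() layout; not a real listener.
SAMPLE_CERT = {
    "subject": ((("commonName", "ohs1.example.com"),),),
    "issuer": ((("commonName", "Example Internal CA"),),),
    "notBefore": "Jan 01 00:00:00 2025 GMT",
    "notAfter": "Jan 20 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "ohs1.example.com"), ("DNS", "*.web.example.com")),
}
# Fixed "current time" so the sample evaluates the same way on every run.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan 01 00:00:00 2026 GMT")

if __name__ == "__main__":
    for finding in evaluate_listener(SAMPLE_CERT, "ohs1.example.com", "TLSv1.2", SAMPLE_NOW):
        print(finding)
```

Run check_listener("ohs1.example.com", 4443, cafile="trusted-cas.pem") against a freshly SSL-enabled Oracle HTTP Server or Web Cache listener (port and file name are placeholders); an empty result means the chain, host name, expiry and protocol all passed, and the wildcard rule above deliberately refuses to let `*.web.example.com` cover `a.b.web.example.com`.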

SSL Configuration Tools in Oracle Fusion Middleware

Depending on the task, a range of configuration tools are available:

  • Oracle Enterprise Manager Fusion Middleware Control and the WLST command-line tool to SSL-enable listeners for system components and to manage Oracle wallets and JKS keystores for those components

  • Oracle Wallet Manager and the orapki command-line tool for Oracle wallets


SSL Configuration Tools in Oracle WebLogic Server

Oracle WebLogic Server uses these tools to manage keystores and to enable SSL on connections coming into the server:

  • the JDK keytool utility

    Oracle WebLogic Server supports the Java KeyStore (JKS) provided by the JDK. The keytool utility manages keystores, creates key pairs, and generates and reads self-signed certificates.

  • The WebLogic Server Administration Console

    The console is used to manage the SSL configuration of WebLogic Server listeners. For example, Oracle SOA Suite and Oracle WebCenter, which run on Oracle WebLogic Server, use these facilities to enable SSL.


4.4 Port and Environment Management

Documented procedures for ports management address the following topics:

  • how to keep the number of open ports to a minimum in a firewall-protected deployment environment

  • how to manage and administer the ports in such an environment

Oracle also recommends the following best practices for handling the default applications, demonstrations, and samples that ship with the product:

  • Remove unneeded default applications

  • Restrict access to administrative applications

  • Restrict access to deployed applications

For more information, see Managing Ports in the Oracle Fusion Middleware Administrator's Guide.
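Keeping open ports to a minimum only holds if someone periodically compares what is actually listening against the ports the firewall design allows. The following is an added example, not Oracle's code and not part of the original page: it parses `ss -ltn` output and reports every listener that is either not in the port policy or bound to a routable address when the policy allows it only on loopback. The sample output and the policy (22 and 7002 reachable through the firewall; 7001, 7003 and 1521 loopback only) are constructed assumptions for the example; 7001 and 7002 are WebLogic Server's default listen and SSL listen ports.

```python
"""Added example (not Oracle's code): audit a host's listening sockets against
the port policy of a firewalled Oracle Fusion Middleware tier."""

# Constructed `ss -ltn` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:7001       0.0.0.0:*
LISTEN 0      128    0.0.0.0:7002       0.0.0.0:*
LISTEN 0      128    127.0.0.1:7003     0.0.0.0:*
LISTEN 0      128    0.0.0.0:8888       0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
LISTEN 0      4096   0.0.0.0:1521       0.0.0.0:*
"""

# Port policy (an assumption for this example): ports that may be reached
# through the firewall, and ports that must only ever bind to loopback.
PUBLIC_PORTS = {22, 7002}
LOOPBACK_ONLY_PORTS = {1521, 7001, 7003}


def parse_listeners(ss_output):
    """Yield (address, port) for each LISTEN line of `ss -ltn` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # Split on the last ':' so IPv6 forms such as [::]:22 parse correctly.
        addr, _, port = fields[3].rpartition(":")
        yield addr.strip("[]"), int(port)


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; '*', 0.0.0.0 and :: are routable binds."""
    return addr == "::1" or addr.startswith("127.")


def audit_listeners(ss_output, public_ports, loopback_only_ports):
    """Return findings as (port, address, reason) tuples, sorted by port."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        if port in public_ports:
            continue
        if port in loopback_only_ports:
            if not is_loopback(addr):
                findings.append((port, addr, "loopback-only port bound to a routable address"))
            continue
        findings.append((port, addr, "listener not in port policy; close it or add it"))
    return sorted(findings)


if __name__ == "__main__":
    for port, addr, reason in audit_listeners(SAMPLE_SS_OUTPUT, PUBLIC_PORTS, LOOPBACK_ONLY_PORTS):
        print(f"{addr}:{port}  {reason}")
```

On a real host, feed the function the output of `ss -ltn` (or `netstat -ltn` reformatted the same way) and treat every finding as either a firewall rule to verify, a listener to re-bind to a management interface, or a port to retire; an unexpected listener such as the 8888 entry above is exactly the kind of default or sample component the section recommends removing.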

4.5 Password Management

In Oracle Fusion Middleware 11gR1, Oracle recommends storing passwords in the Credential Store rather than in connection.xml or data-sources.xml files.

The Credential Store Framework in Oracle Platform Security Services provides a mechanism for securely storing and managing credentials for Java SE and Java EE applications. It is designed to hold account information, user names, and passwords for connecting to any systems that applications may need to access.
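Moving passwords into the Credential Store starts with finding the ones still embedded in descriptors. The following is an added example, not Oracle's code and not part of the original page: it walks XML descriptors and reports every password attribute or element that is still cleartext, skipping values carrying the `{AES}` prefix WebLogic Server writes for encrypted passwords. The two descriptors are constructed for the example; their element names only sketch the shape of data-sources.xml and of a WebLogic JDBC module and are not copied from Oracle documentation.

```python
"""Added example (not Oracle's code): find credentials still embedded in
deployment descriptors so they can be moved to the Credential Store."""
import xml.etree.ElementTree as ET

# Constructed descriptors; the element names sketch data-sources.xml and a
# WebLogic JDBC module but the content is invented for this example.
SAMPLE_DESCRIPTORS = {
    "data-sources.xml": """<?xml version="1.0"?>
<data-sources>
  <managed-data-source name="OrdersDS" jndi-name="jdbc/OrdersDS"
                       connection-pool-name="OrdersPool"/>
  <connection-pool name="OrdersPool">
    <connection-factory factory-class="oracle.jdbc.pool.OracleDataSource"
                        url="jdbc:oracle:thin:@db.example.com:1521/ORCL"
                        user="orders_app" password="Welcome1"/>
  </connection-pool>
</data-sources>
""",
    "OrdersDS-jdbc.xml": """<?xml version="1.0"?>
<jdbc-data-source xmlns="http://www.bea.com/ns/weblogic/jdbc-data-source">
  <name>OrdersDS</name>
  <jdbc-driver-params>
    <properties><property><name>user</name><value>orders_app</value></property></properties>
    <password-encrypted>{AES}Q29uc3RydWN0ZWRFeGFtcGxl</password-encrypted>
  </jdbc-driver-params>
</jdbc-data-source>
""",
}


def _local(tag):
    """Strip an XML namespace: '{uri}password-encrypted' -> 'password-encrypted'."""
    return tag.rpartition("}")[2].lower()


def looks_protected(value):
    """Empty values and WebLogic {AES}-encrypted values are not cleartext secrets."""
    value = value.strip()
    return not value or value.startswith("{AES}")


def mask(secret):
    """Keep the first character so a finding is recognisable without leaking it."""
    secret = secret.strip()
    return secret[:1] + "*" * (len(secret) - 1)


def find_cleartext_passwords(name, xml_text):
    """Return (file, element, location, masked value) for each cleartext password."""
    hits = []
    for elem in ET.fromstring(xml_text).iter():
        for attr, value in elem.attrib.items():
            if "password" in attr.lower() and not looks_protected(value):
                hits.append((name, _local(elem.tag), f"@{attr}", mask(value)))
        if "password" in _local(elem.tag) and elem.text and not looks_protected(elem.text):
            hits.append((name, _local(elem.tag), "text", mask(elem.text)))
    return hits


def scan_descriptors(descriptors):
    """Scan a {file name: xml text} mapping and combine the findings."""
    hits = []
    for name, xml_text in descriptors.items():
        hits.extend(find_cleartext_passwords(name, xml_text))
    return hits


if __name__ == "__main__":
    for name, element, where, masked in scan_descriptors(SAMPLE_DESCRIPTORS):
        print(f"{name}: <{element}> {where} = {masked}")
```

Each finding names a credential to create in the Credential Store and a descriptor to rewrite so the application looks the credential up by map and key instead; run the scan again afterwards and keep it in the build pipeline so a cleartext password cannot return unnoticed.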

4.6 Lockdown

The WebLogic Security Service provides a powerful and flexible set of software tools for securing the subsystems and applications that run on a server instance. For details, see "Securing the WebLogic Security Service" in the Oracle Fusion Middleware Developing Web Applications, Servlets, and JSPs for Oracle WebLogic Server.