2 Understand and Secure Your Environment

The security requirements you establish for your WebLogic Server environment are based upon multiple considerations, such as the types of resources hosted on WebLogic Server that need to be protected, the users and other entities that access those resources, recommendations from Oracle as well as in-house or independent security consultants, and more.

This chapter includes the following sections:

Understand Your Environment

The WebLogic Server environment includes not only the resources that are hosted on WebLogic Server, but also the software systems and other entities with which those WebLogic Server resources interoperate, such as databases and load balancers, and the users who have access to that environment.

To better understand your security needs, ask yourself the following questions:

  • Which resources am I protecting?

    Many resources in the production environment can be protected, including information in databases accessed by WebLogic Server, and the availability, performance, applications, and integrity of the Web site. Consider the resources you want to protect when deciding the level of security you must provide.

  • From whom am I protecting the resources?

    For most Web sites, resources must be protected from everyone on the Internet. But should the Web site be protected from the employees on the intranet in your enterprise? Should your employees have access to all resources within the WebLogic Server environment? Should the system administrators have access to all WebLogic resources? Should the system administrators be able to access all data? You might consider giving access to highly confidential data or strategic resources to only a few well trusted system administrators. Perhaps it would be best to allow no system administrators access to the data or resources.

  • What will happen if the protections on strategic resources fail?

    In some cases, a fault in your security scheme is easily detected and considered nothing more than an inconvenience. In other cases, a fault might cause great damage to companies or individual clients that use the Web site. Understanding the security ramifications of each resource will help you protect it properly.

Hire Security Consultants or Use Diagnostic Software

Whether you deploy WebLogic Server on the Internet or on an intranet, it is a good idea to hire an independent security expert to go over your security plan and procedures, audit your installed systems, and recommend improvements.

Oracle Consulting offers services and products that can help you to secure a WebLogic Server production environment. See the Oracle Consulting page at https://www.oracle.com/consulting/index.html.

Read Security Publications

Staying current with security publications, such as those made available on My Oracle Support, is critical to maintaining a secure operational environment for WebLogic Server.

Read about security issues:

  • Register your WebLogic Server installation with My Oracle Support. Once you register, Oracle Support notifies you immediately of any security updates that are specific to your installation. You can create a My Oracle Support account by visiting http://www.oracle.com/support/index.html.

  • For security advisories, refer to the Critical Patch Updates, Security Alerts and Bulletins page at the following location:

    https://www.oracle.com/security-alerts/

  • When developing your web applications, ensure that they minimize the risks identified in the OWASP Top Ten Web Application Security Risks at https://owasp.org/www-project-top-ten/.

Secure the Host Environment

A WebLogic Server production environment is only as secure as the machine on which it is running. It is important to secure the host on which WebLogic Server is running, such as the physical machine, the operating system, and all other software that is installed on the host machine.

The following table lists the recommendations for securing a WebLogic Server host environment. Also check with the manufacturer of the machine and operating system for recommended security measures. For details about securing WebLogic Server, see Lock Down WebLogic Server.

Table 2-1 Secure the WebLogic Server Host Environment

Security Action | Description

Physically secure the hardware.

Keep your hardware in a secured area to prevent unauthorized operating system users from tampering with the deployment machine or its network connections.

Secure networking services that the operating system provides.

Have an expert review network services such as e-mail programs or directory services to ensure that a malicious attacker cannot access the operating system or system-level commands. The way you do this depends on the operating system you use.

Sharing a file system with other machines in the enterprise network imposes risks of a remote attack on the file system. Be certain that the remote machines and the network are secure before sharing the file systems from the machine that hosts WebLogic Server.

Make sure that the file system on each WebLogic Server host can prevent unauthorized access to protected resources. For example, on a Windows computer, use only NTFS.

Limit the number of user accounts on the host machine.

Avoid creating more user accounts than you need on WebLogic Server host machines, and limit the file access privileges granted to each account. On operating systems that allow more than one system administrator user, the host machine should have two user accounts with system administrator privileges and one user with sufficient privileges to run WebLogic Server. Having two system administrator users provides a backup at all times. The WebLogic Server user must be a restricted user, not a system administrator user. One of the system administrator users can always create a new WebLogic Server user if needed.

Review active user accounts regularly and when personnel leave.

Background Information: Some WebLogic Server configuration data and some URL (Web) resources, including Java Server Pages (JSPs) and HTML pages, are stored in clear text on the file system. A sophisticated user or intruder with read access to files and directories might be able to defeat any security mechanisms you establish with WebLogic Server authentication and authorization schemes.

On each host computer, give only one operating system (OS) user account access to WebLogic resources (in addition to the two system administrator users who also have access privileges).

Important: WebLogic domain and server configuration files must be accessible only by the operating system user who configures or executes WebLogic Server. No other operating system user (apart from the system administrators) should have read, write, or execute access to WebLogic Server product files, nor to your domain files.

See Set Permissions to Restrict Access to WebLogic Resources to One User Account.
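As an added example that is not part of the Oracle documentation, the following POSIX shell functions audit a domain directory against the rule above: every file and directory must be owned by the WebLogic OS user and grant no permission to group or others. The domain path and user name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): audit a WebLogic domain
# directory against the rule above. An entry passes only if it is owned by the
# WebLogic OS user and grants no read, write or execute permission to group or
# others. Pure POSIX sh, so it runs on any Unix host that has find, ls and awk.

# check_domain_perms DOMAIN_HOME WLS_USER
# Prints one line per violating file or directory; prints nothing when clean.
check_domain_perms() {
    domain_home="$1"
    wls_user="$2"
    find "$domain_home" -print | while IFS= read -r f; do
        entry=$(ls -ld "$f")                 # "<mode> <links> <owner> <group> ..."
        mode=${entry%% *}                    # first field, e.g. -rw-------
        owner=$(printf '%s\n' "$entry" | awk '{print $3}')
        if [ "$owner" != "$wls_user" ]; then
            printf 'OWNER %s (owned by %s, expected %s)\n' "$f" "$owner" "$wls_user"
        fi
        # characters 5-10 of the mode string are the group and other bits
        if [ "$(printf '%s' "$mode" | cut -c5-10)" != "------" ]; then
            printf 'MODE  %s (%s)\n' "$f" "$mode"
        fi
    done
}

# domain_is_locked_down DOMAIN_HOME WLS_USER
# Exit status 0 when check_domain_perms has nothing to report, 1 otherwise.
domain_is_locked_down() {
    [ -z "$(check_domain_perms "$1" "$2")" ]
}

# Example invocation (domain path and user name are assumptions):
#   domain_is_locked_down /u01/domains/base_domain weblogic \
#       || check_domain_perms /u01/domains/base_domain weblogic
```

Run it as the WebLogic OS user or as a system administrator after each configuration change; any OWNER or MODE line is a file that the Important note above says must not exist.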

Do not develop on a production machine.

Develop first on a development machine and then move code to the production machine when it is completed and tested. This process prevents bugs in the development environment from affecting the security of the production environment.

Do not install development or sample software on a production machine.

Do not install development tools on production machines. Keeping development tools off the production machine reduces the leverage intruders have should they get partial access to a WebLogic Server production machine.

Do not run Web servers as root.

When you run a Web server on Unix systems — such as Apache HTTP Server, Microsoft IIS, or Oracle iPlanet Web Server — make sure of the following:

  • The Web server must run only as an unprivileged user, never as root.

  • The directory structure in which the Web server is located, including all files, must be protected from access by unprivileged users.

Taking these steps helps ensure that unprivileged users cannot insert code that can potentially be executed by the Web server.

Enable security auditing.

If the operating system on which WebLogic Server runs supports security auditing of file and directory access, Oracle recommends using audit logging to track any denied directory or file access violations. Administrators must ensure that sufficient disk space is available for the audit log.

Consider using additional software to secure your operating system.

Most operating systems can run additional software to secure a production environment. For example, an Intrusion Detection System (IDS) can detect attempts to modify the production environment.

Refer to the vendor of your operating system for information about available software.

Apply operating-system patch sets and security patches.

Refer to the vendor of your operating system for a list of recommended patch sets and security-related patches.

Secure Your Database

Most Web applications use a database to store their data. Common databases used with WebLogic Server are Oracle, Microsoft SQL Server, IBM DB2, and MySQL.

The databases frequently hold the Web application's sensitive data including customer lists, customer contact information, credit card information, and other proprietary data. When creating your Web application you must consider what data is going to be in the database and how secure you need to make that data. You also need to understand the security mechanisms provided by the manufacturer of the database and decide whether they are sufficient for your needs. If the mechanisms are not sufficient, you can use other security techniques to improve the security of the database, such as encrypting sensitive data before writing it to the database. For example, leave all customer data in the database in plain text except for the encrypted credit card information.