Oracle recommends that you implement the following actions to ensure the security of your production environment:
A WLOC production environment is only as secure as the security of the machine on which it is running. It is important that you secure the physical machine, the operating system, and all other software that is installed on the host machine. The following are suggestions for securing a WLOC host in a production environment. Also check with the manufacturer of the machine and operating system for recommended security measures.
Avoid creating more user accounts than you need on WLOC hosts, and limit the file access privileges granted to each account. Ideally, the host machine would have two user accounts with system administrator privileges (on operating systems that allow more than one system administrator user) and a third user with just sufficient privileges to run WLOC. Having two system administrator users provides a backup at all times. The WLOC user should be a restricted user, not a system administrator user. One of the system administrator users can always create a new WLOC user if needed.
Background information: Some WLOC configuration data and some URL (Web) resources, including Java Server Pages (JSPs) and HTML pages, are stored in clear text on the file system. A sophisticated user or intruder with read access to files and directories might be able to defeat any security mechanisms you establish with WLOC authentication and authorization schemes.
On each WLOC host computer, use the operating system to establish a special user account (for example, `wloc_owner`) specifically to run WLOC.
The Home directory is a repository for common files that are used by multiple Oracle products installed on the same machine. The WLOC product installation directory contains all the WLOC software components that you choose to install on your system, including program files. A user projects directory contains the configuration files, security files, log files, and other resources for a single WLOC Controller and Agent. If you create multiple user projects directories on a WLOC host computer, each directory must be protected.
By default, the installation program places all files and your user projects directories in a single directory tree, whose top directory is named You can, however, locate the WLOC product installation directory and your user projects directories outside the Home directory. For more information, refer to Selecting Directories for Your Installation in the Installation Guide. This protection limits the ability of other applications executing on the same machine as WLOC to access files and your user projects files. Without this protection, some other application could gain write access and insert malicious, executable code in JSPs and other files that provide dynamic content. The code would be executed the next time the file was served to a client.
If you are responsible for security related issues at your site, register on the Oracle WebLogic Advisories and Notifications page at https://support.bea.com/application_content/product_portlets/securityadvisories/index.html to receive notifications of newly available security advisories.
When designing network connections, you balance the need for a security solution that is easy to manage with the need to protect strategic WLOC resources. The following table describes options for securing your network connections.
A firewall limits traffic between two networks. Firewalls can be a combination of software and hardware, including routers and dedicated gateway machines. They employ filters that allow or disallow traffic to pass based on the protocol, the service requested, routing information, packet content, and the origin and destination hosts or networks. They can also limit access to authenticated users only.
See Configuring Security in the WLOC Configuration Guide for information on restricting access to the console to HTTPS (SECURE mode). If the console is run in either UNSECURE mode or BOTH mode, an attacker with access to the network could sniff credentials off the wire.
See Configuring Security in the WLOC Configuration Guide for more information on setting communications between the Controller and Agents to use only SSL. The Agent's operations are protected using SSL. If communication between the Controller and Agent is not over SSL, an attacker with network access to the Agent could attack it.
A number of Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) attacks rely on an authenticated user browsing to another site and unknowingly clicking a link, which can lead to malicious code being executed. To reduce the chances of such an attack against WLOC, a user who is logged into the WLOC console should not browse to non-WLOC sites during that session.
The WLOC Security Service provides a powerful and flexible set of software tools for securing the subsystems and applications that run on a server instance. The following table provides a checklist of essential features that Oracle recommends you use to secure your production environment.
WLOC generates self-signed SSL certificates when the Configuration Wizard is run for the Controller or Agent. You may want to replace these self-signed certificates with certificates signed by a certificate authority.
Refer to Configuring Security in the WLOC Configuration Guide.
By default, all WLOC resources are protected by security policies that are based on a default set of security roles. Make sure you have assigned the desired set of users and groups to these default security roles.
Refer to Configuring Security in the WLOC Configuration Guide.