4 Infrastructure Hardening

This chapter contains the following topics:

4.1 What is Infrastructure Hardening?

Infrastructure hardening is the act of applying security to each component of the infrastructure, including:

  • Web servers,

  • application servers,

  • identity and access management solutions, and

  • database systems.


Oracle WebLogic Server uses a more specific type of hardening known as lockdown, which refers to securing the subsystems and applications that run on a server instance. In contrast, infrastructure hardening is more general and involves doing a security survey to determine the threat model that may impact your site, and identifying all aspects of your environment (such as components in the Web tier) that could be insecure.

More specifically, Oracle Fusion Middleware administrators focus on these aspects of infrastructure security:

  • SSL-enabling components and component routes, for example Oracle Web Cache to Oracle HTTP Server

  • SSL-enabling web services

  • managing ports and other features of the site such as:

    • default deployed application

    • demonstration,

    • and samples management

  • Password management

4.2 Keystores

Objects necessary for SSL communication, including private keys, digital certificates, and trusted CA certificates are stored in keystores.

Oracle Fusion Middleware provides two types of keystores for keys and certificates:

  • JKS-based keystore and truststore

    A JKS keystore is the default JDK implementation of Java keystores provided by Sun Microsystems. In 11gR1, all Java components and JavaEE applications use the JKS-based KeyStore and TrustStore.

    You use a JKS-based keystore for the following:

    • Oracle Virtual Directory

    • Applications deployed on Oracle WebLogic Server, including:

      • Oracle SOA Suite

      • Oracle WebCenter

  • Oracle wallet

    An Oracle wallet is a keystore for credentials, such as certificates, certificate requests, and private keys.

    You use an Oracle Wallet for the following components:

    • Oracle HTTP Server

    • Oracle Web Cache

    • Oracle Internet Directory

For details, see " Managing Keystores, Wallets, and Certificates" in the Oracle Fusion Middleware Administrator's Guide.

4.3 Enabling SSL

SSL management capabilities in 11g Release 1 (11.1.1) are as follows:

  • Oracle WebLogic Server provides SSL capability for client and server communications

  • Oracle Fusion Middleware 11g offers a new SSL configuration capability which supports SSL enablement for these Oracle Fusion Middleware system components:

    • Oracle Web Cache

    • Oracle HTTP Server

    • Oracle Internet Directory

    • Oracle Virtual Directory

The SSL configuration feature:

  • abstracts the steps involved in configuring SSL from other management tasks

  • makes SSL configuration consistent and uniform across all Oracle Fusion Middleware system components

  • validates SSL during configuration

  • provides default values for various SSL parameters to simplify configuration

SSL Configuration Tools in Oracle Fusion Middleware

Depending on the task, a range of configuration tools are available:

  • Oracle Enterprise Manager Fusion Middleware Control and the WLST command-line tool to SSL-enable listeners for system components and to manage Oracle wallets and JKS keystores for those components

  • Oracle Wallet Manager and the orapki command-line tool for Oracle wallets

Refer to the following for details:

SSL Configuration Tools in Oracle WebLogic Server

Oracle Weblogic Server uses these tools to manage keystores and enable SSL on connections coming into the server:

  • the JDK keytool utility

    Oracle WebLogic Server supports the Java KeyStore (JKS) provided by the JDK. The keytool utility is used to manage keystores in addition to creating key pairs, and generating and reading self-signed certificates.

  • The WebLogic Server administrator console

    This console is used to manage the SSL configuration of WebLogic Server listeners. For example, Oracle SOA Suite and Oracle WebCenter running on Oracle WebLogic Server use these facilities to enable SSL.

Refer to the following documents for details:

4.4 Port and Environment Management

Documented procedures for ports management address the following topics:

  • In a firewall protected deployment environment, how do we keep the number of ports open to a minimum

  • How to manage and administer the ports in such an environment

Oracle also recommends the following best practices for handling default, demonstrations and samples that are shipped with the product:

  • Remove unneeded default applications

  • Restrict access to administrative applications

  • Restrict access to deployed applications

For more information, see Managing Ports in the Oracle Fusion Middleware Administrator's Guide.

4.5 Password Management

In Oracle Fusion Middleware 11gR1, Oracle recommends storing passwords in the Credential Store rather than in connection.xml or data-sources.xml files.

The Credential Store Framework in Oracle Platform Security Services provides a mechanism for securely storing and managing credentials for any Java-based (Java SE and Java EE) applications. It is designed to hold account information, user names and passwords for connecting to any systems that applications must access.

4.6 Lockdown

The WebLogic Security Service provides a powerful and flexible set of software tools for securing the subsystems and applications that run on a server instance. For details, see "Securing Applications" in the document titled Oracle Fusion Middleware Securing a Production Environment for Oracle WebLogic Server.