Hardening


Hardening is the act of applying security to each component of the infrastructure, including:

  • Web Servers
  • Application Servers
  • Identity and Access Management solutions
  • Database systems
  • Operating systems

Oracle WebLogic Server uses a more specific type of hardening known as lockdown, which refers to securing the subsystems and applications that run on a server instance. In contrast, hardening is more general and involves doing a security survey to determine the threat model that may impact your site, and identifying all aspects of your environment (such as components in the Web tier) that could be insecure. The following aspects of WebLogic Server should be considered for lockdown:

  • SSL-enabling components and component routes

    • Documaker web applications install with SSL enabled

    • LDAP Authentication providers should be configured for SSL

    • Configure two-way SSL - in one-way SSL the server presents its certificate to the client, but the server accepts a connection from any client. In two-way SSL the client must also present a certificate that the server trusts, which adds a layer of trust by ensuring that non-trusted clients cannot invoke services.

  • SSL-enabling web services

    • Documaker Web Services install with SSL disabled and should be enabled

  • Managing ports and other features of the site such as:

    • default deployed application – remove any non-essential default apps such as the welcome page

    • demonstration/samples – remove demoApp, demo keystores, demo trust, and demo SSL certificate

    • change default ports for common services, e.g. the admin port – Documaker services ship with their own standard ports; these are not well-known ports and may remain as-is. The base WebLogic components (e.g. the console) are configured on WebLogic's standard ports and should be changed from the default (7001).

  • Password management

  • Roles and Policies for access – role- and policy-based security should be configured for authorized access to:

    • web services

    • data sources

    • applications: configured for DD-only security (deployment descriptor), which means that if you wish to add role- and/or policy-based security on top of this, you must modify the deployment descriptors of the affected application(s). Keep in mind that this affects upgrade capability, because you must re-apply the deployment descriptor changes after each upgrade.
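The lockdown items above (SSL listener, two-way SSL, demo keystores, default 7001 port, demo applications) can be checked against a domain's config.xml before the server is exposed. The following script is an added example, not part of the Documaker guide or any Oracle tool. It reads the element names WebLogic writes to config.xml under the domain namespace (server/ssl/enabled, two-way-ssl-enabled, client-certificate-enforced, key-stores, listen-port, listen-port-enabled, app-deployment/name); the two configuration documents embedded in it are constructed samples, and the demo application name to flag is taken from the list above. The LDAP provider SSL check is left out because the provider element names depend on the authenticator type.

```python
"""Audit a WebLogic config.xml against the lockdown checklist (added example)."""
import xml.etree.ElementTree as ET

NS = {"d": "http://xmlns.oracle.com/weblogic/domain"}
DEFAULT_PORT = 7001                      # WebLogic default plain-text listen port
DEMO_APPS = {"demoApp"}                  # demo deployment named in the checklist
DEMO_KEYSTORES = {"DemoIdentityAndDemoTrust"}  # WebLogic default when <key-stores> is absent


def _text(elem, path, default=""):
    """Text of a child element, or the default when the element is absent/empty."""
    node = elem.find(path, NS)
    return node.text.strip() if node is not None and node.text else default


def _is_true(elem, path, default="false"):
    return _text(elem, path, default).lower() == "true"


def audit_lockdown(config_xml):
    """Return a list of (scope, finding) tuples; an empty list means no issues found."""
    root = ET.fromstring(config_xml)
    findings = []
    for server in root.findall("d:server", NS):
        name = _text(server, "d:name", "<unnamed>")
        # Plain-text listener: enabled unless explicitly disabled; port defaults to 7001.
        if _is_true(server, "d:listen-port-enabled", default="true"):
            port = int(_text(server, "d:listen-port", str(DEFAULT_PORT)))
            findings.append((name, "plain-text listen port %d enabled" % port))
            if port == DEFAULT_PORT:
                findings.append((name, "listen port is the default 7001"))
        if not _is_true(server, "d:ssl/d:enabled"):
            findings.append((name, "SSL listener disabled"))
        # Two-way SSL needs both flags: requested AND enforced, otherwise any client connects.
        if not _is_true(server, "d:ssl/d:two-way-ssl-enabled"):
            findings.append((name, "two-way SSL not enabled"))
        elif not _is_true(server, "d:ssl/d:client-certificate-enforced"):
            findings.append((name, "client certificate requested but not enforced"))
        if _text(server, "d:key-stores", "DemoIdentityAndDemoTrust") in DEMO_KEYSTORES:
            findings.append((name, "demo identity/trust keystores in use"))
    for app in root.findall("d:app-deployment", NS):
        app_name = _text(app, "d:name")
        if app_name in DEMO_APPS:
            findings.append(("<domain>", "demo application deployed: " + app_name))
    return findings


# Constructed sample: out-of-the-box style domain with the weak settings.
WEAK_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>base_domain</name>
  <server>
    <name>AdminServer</name>
    <listen-port>7001</listen-port>
    <ssl><enabled>false</enabled></ssl>
  </server>
  <app-deployment><name>demoApp</name><target>AdminServer</target></app-deployment>
</domain>"""

# Constructed sample: same domain after lockdown (hypothetical app name "app1").
HARDENED_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>base_domain</name>
  <server>
    <name>AdminServer</name>
    <listen-port-enabled>false</listen-port-enabled>
    <key-stores>CustomIdentityAndCustomTrust</key-stores>
    <ssl>
      <enabled>true</enabled>
      <listen-port>7002</listen-port>
      <two-way-ssl-enabled>true</two-way-ssl-enabled>
      <client-certificate-enforced>true</client-certificate-enforced>
    </ssl>
  </server>
  <app-deployment><name>app1</name><target>AdminServer</target></app-deployment>
</domain>"""


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label + ":")
        for scope, finding in audit_lockdown(cfg) or [("-", "no findings")]:
            print("  %-12s %s" % (scope, finding))
```

Run it against `$DOMAIN_HOME/config/config.xml` by passing the file contents to `audit_lockdown`; a non-empty result is the list of checklist items still open for that server. Note that the two-way SSL check deliberately distinguishes "requested" from "enforced", since WebLogic accepts clients without certificates in the former mode.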