Explicitly Configuring Ciphers in Oracle WebLogic Server

You may need to explicitly configure a cipher suite or a list of cipher suites depending on your version, business decisions, and other requirements. In particular, you should explicitly disable cipher suites that permit clear text communication. A server accepts clear text communication either because no strong cipher suites are specified (so the server's default list applies) or because null cipher suites are specified. To prevent clear text communication, avoid suites such as TLS_RSA_WITH_NULL_MD5 and TLS_RSA_WITH_NULL_SHA: they provide message authentication only, with a symmetric key strength of 0, meaning application data is not encrypted at all. Refer to the Oracle documentation for your version of Oracle WebLogic Server for the list of supported cipher suites.

On older 10.3 versions that cannot run a newer JDK update, if no cipher suite is specified in the config.xml file, cipher suites that allow clear text communication may be enabled on the server by default. To disable these null cipher suites, set the following in JAVA_OPTIONS at server startup (typically in the domain's setDomainEnv script):

          -Dweblogic.security.disableNullCipher=true
          -Dweblogic.security.SSL.allowUnencryptedNullCipher=false

For all versions, the cipher suites to use may also be configured in the domain's config.xml file. To specify cipher suites, add the elements shown below, listing only suites that both sides of the connection support; otherwise the TLS handshake fails. For example:

  • In WebLogic Server 12c, add one <ciphersuite> element per cipher suite inside the <ssl> element of each server in config.xml:

    Ensure the <ciphersuite> elements appear before <listen-port>, as below, for the Admin Server and each managed server. Element order in config.xml is defined by its schema, so an element in the wrong position is rejected when the server reads the file.

    <ssl>
      <name>AdminServer</name>
      <enabled>true</enabled>
      <ciphersuite>enter_a_cipher_of_your_choice_here</ciphersuite>
      <ciphersuite>enter_another_optional_cipher_of_your_choice_here</ciphersuite>
      <listen-port>7002</listen-port>
      <login-timeout-millis>25000</login-timeout-millis>
      ...
    </ssl>
    

    The Admin Server's <ssl> element may currently contain <enabled>false</enabled> if SSL has not been enabled on it; the <ciphersuite> elements are added in the same way once it is enabled. In practice these edits are usually made because a scanner is reporting that the server accepts an undesirable cipher suite, so after restarting the server, re-run the scan (or a TLS client restricted to null suites) to confirm the change took effect.
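The following script is an added example written for this article; it is not Oracle code and not part of WebLogic. It applies both steps above to a domain's config.xml: it audits every enabled <ssl> block for a missing cipher suite list or a configured NULL suite, rewrites each block so the chosen suites sit immediately before <listen-port>, and builds the JAVA_OPTIONS string for the 10.3 workaround. The sample config.xml is constructed for the example (the `http://xmlns.oracle.com/weblogic/domain` namespace is the one a real config.xml uses), while the function names and the TLS_RSA_WITH_AES_128_CBC_SHA placeholder are my own choices; substitute suites your WebLogic version and JDK actually support.

```python
"""Audit and harden the <ssl> blocks of a WebLogic domain config.xml.

Hypothetical helper written for this article, not Oracle code. The sample
config.xml is constructed; replace the approved suite list with suites your
WebLogic version and JDK support.
"""
import re
import xml.etree.ElementTree as ET

# Startup flags from the 10.3 workaround described above.
NULL_CIPHER_JAVA_OPTIONS = (
    "-Dweblogic.security.disableNullCipher=true",
    "-Dweblogic.security.SSL.allowUnencryptedNullCipher=false",
)
# Suites whose bulk cipher is NULL carry no encryption (symmetric key strength 0).
_NULL_SUITE = re.compile(r"^(TLS|SSL)_.*_WITH_NULL_", re.IGNORECASE)
_SUITE_NAME = re.compile(r"^(TLS|SSL)_[A-Z0-9_]+$")


def is_null_cipher(suite):
    """True for suites such as TLS_RSA_WITH_NULL_SHA that send application data in clear text."""
    return bool(_NULL_SUITE.match(suite.strip()))


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, local_name, default=""):
    for child in elem:
        if _local(child.tag) == local_name:
            return (child.text or "").strip()
    return default


def _ssl_blocks(root):
    return [e for e in root.iter() if _local(e.tag) == "ssl"]


def audit_ssl_blocks(config_xml):
    """Return (server name, problem) pairs for every enabled <ssl> block that
    relies on the server default list or names a NULL cipher suite."""
    findings = []
    for ssl in _ssl_blocks(ET.fromstring(config_xml)):
        if _child_text(ssl, "enabled", "false").lower() != "true":
            continue  # SSL listener disabled: nothing is negotiated on it
        name = _child_text(ssl, "name", "?")
        suites = [(c.text or "").strip() for c in ssl if _local(c.tag) == "ciphersuite"]
        if not suites:
            findings.append((name, "no explicit ciphersuite; server default applies"))
        findings.extend((name, "NULL cipher suite configured: " + s) for s in suites if is_null_cipher(s))
    return findings


def set_cipher_suites(config_xml, suites):
    """Rewrite every <ssl> block to list exactly `suites`, placed immediately
    before <listen-port>, since config.xml element order is schema-defined."""
    for s in suites:
        if not _SUITE_NAME.match(s) or is_null_cipher(s):
            raise ValueError("refusing to configure cipher suite: " + s)
    root = ET.fromstring(config_xml)
    if root.tag.startswith("{"):  # keep the default namespace unprefixed on output
        ET.register_namespace("", root.tag[1:root.tag.index("}")])
    for ssl in _ssl_blocks(root):
        ns = ssl.tag[:ssl.tag.index("}") + 1] if ssl.tag.startswith("{") else ""
        for old in [c for c in ssl if _local(c.tag) == "ciphersuite"]:
            ssl.remove(old)  # drop whatever was there, including NULL suites
        children = list(ssl)
        at = next((i for i, c in enumerate(children) if _local(c.tag) == "listen-port"), len(children))
        for offset, s in enumerate(suites):
            el = ET.Element(ns + "ciphersuite")
            el.text, el.tail = s, "\n      "
            ssl.insert(at + offset, el)
    return ET.tostring(root, encoding="unicode")


def ciphersuites_precede_listen_port(config_xml):
    """Verify the ordering rule: every <ciphersuite> comes before <listen-port>."""
    for ssl in _ssl_blocks(ET.fromstring(config_xml)):
        tags = [_local(c.tag) for c in ssl]
        if "listen-port" in tags and "ciphersuite" in tags:
            last_suite = max(i for i, t in enumerate(tags) if t == "ciphersuite")
            if last_suite > tags.index("listen-port"):
                return False
    return True


def harden_java_options(java_options):
    """Return JAVA_OPTIONS with both null-cipher flags set once, replacing any
    conflicting value of the same property that is already present."""
    keys = {opt.split("=", 1)[0] for opt in NULL_CIPHER_JAVA_OPTIONS}
    kept = [t for t in java_options.split() if t.split("=", 1)[0] not in keys]
    return " ".join(kept + list(NULL_CIPHER_JAVA_OPTIONS))


# Constructed sample: AdminServer lists no suites, ManagedServer1 lists a NULL suite.
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>base_domain</name>
  <server>
    <name>AdminServer</name>
    <ssl>
      <name>AdminServer</name>
      <enabled>true</enabled>
      <listen-port>7002</listen-port>
      <login-timeout-millis>25000</login-timeout-millis>
    </ssl>
  </server>
  <server>
    <name>ManagedServer1</name>
    <ssl>
      <name>ManagedServer1</name>
      <enabled>true</enabled>
      <ciphersuite>TLS_RSA_WITH_NULL_SHA</ciphersuite>
      <listen-port>7003</listen-port>
    </ssl>
  </server>
</domain>
"""

if __name__ == "__main__":
    for server, problem in audit_ssl_blocks(SAMPLE_CONFIG):
        print(f"{server}: {problem}")
    print(set_cipher_suites(SAMPLE_CONFIG, ["TLS_RSA_WITH_AES_128_CBC_SHA"]))
    print(harden_java_options("-Xms512m -Dweblogic.security.disableNullCipher=false"))
```

Run the audit against a copy of the live config.xml before and after the edit and restart the server between them; WebLogic reads config.xml only at startup. The rewrite refuses NULL suites and malformed names outright, because a typo in a suite name leaves the server with no usable suite rather than a weaker one. As an independent check after the restart, a TLS client restricted to null suites (for example `openssl s_client -connect host:7002 -cipher NULL`) should fail to complete the handshake.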