Security Checkup Tool Warnings

Learn about the security check warnings that are displayed in the Oracle WebLogic Server Administration console and how to troubleshoot them.

At the top of the WebLogic Server Administration console, the message "Security warnings detected. Click here to view the report and recommended remedies" is displayed for Oracle Java Cloud Service instances created after July 20, 2021, and for instances on which the July 2021 PSUs are applied.

When you click the message, the security warnings are displayed, as listed in the following table.

Note:

The SSL host name verification and the umask warnings are displayed for existing Oracle Java Cloud Service instances created before release 21.3.2 (August 26, 2021).

The warning messages listed in the table are examples.

Security Warnings

Warning message: Tunneling is enabled on server channel channel-dep. Allowing T3 or IIOP to be tunneled on a server channel may allow deserialization of specially crafted, malicious serialized objects that can potentially cause denial of service.

Note: This warning is displayed only for existing Oracle Java Cloud Service instances created before release 22.1.1 (January 31, 2022) on which the October 2021 PSUs are applied.

Resolution: Disable tunneling on the channel-dep server channel. See Disable Tunneling on Server Channel.

Warning message: SSL hostname verification is disabled by the SSL configuration.

Resolution: Review your applications before you make any changes to address this SSL host name security warning.

For applications that connect to SSL endpoints whose certificate host name does not match the local machine's host name, the connection fails if you configure the BEA host name verifier in Oracle WebLogic Server. See Using the BEA Host Name Verifier in Administering Security for Oracle WebLogic Server.

For applications that connect to Oracle-provided endpoints such as Oracle Identity Cloud Service (for example, *.identity.oraclecloud.com), the connection fails unless you configure the wildcard host name verifier or a custom host name verifier that accepts wildcard host names.

If you are not sure which SSL configuration settings to use to address the warning, Oracle recommends that you configure the wildcard host name verifier. See Configure the Wildcard Host Name Verifier.

For existing Oracle Java Cloud Service instances (created before July 20, 2021), to address this SSL host name verification warning you must, in addition to configuring the host name verifier, edit the startup.properties file for the administration server instances and restart the managed server instances. See Configure the Wildcard Host Name Verifier, Update Administration Server Startup Properties, and Restart Managed Server Using Node Manager.

Warning message: Production mode is enabled but the file or directory /u01/data/domains/<domain_name>/servers/<domainname>_adminserver/security/boot.properties is insecure

Resolution: Run the following command on the administration server as the oracle user:

chmod -R 750 /u01/data/domains/<domain_name>/servers/<adminserver_name>/security/

Note: This permission setting is applicable only for existing Oracle Java Cloud Service instances created before release 21.3.2 (August 26, 2021) on which the July 2021 PSUs are applied.

Warning message: Remote Anonymous RMI T3 or IIOP requests are enabled. Set the RemoteAnonymousRMIT3Enabled and RemoteAnonymousRMIIIOPEnabled attributes to false.

Resolution: Disable anonymous RMI T3 and IIOP requests in the WebLogic Server Administration Console as soon as possible, unless your deployment requires anonymous T3 or IIOP (not typical). See Disable Remote Anonymous RMI T3 and IIOP Requests.

Note: These attribute settings are also applicable to Oracle Traffic Director, but only for service instances running Oracle Traffic Director 12.2.1.4.
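As an added example, not part of Oracle's Security Checkup Tool or of this documentation, the following Python script reads a domain config.xml and reports which of the tunneling, SSL host name verification and anonymous RMI warnings listed above its settings would trigger, and checks a file mode against the 750 permission that the boot.properties remedy applies. The config.xml element names and the sample domain are assumptions constructed for this example.

```python
import stat
import xml.etree.ElementTree as ET
# Constructed config.xml fragment for a sample domain (not from any real instance);
# the element names are an assumption based on WebLogic's config.xml schema.
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <security-configuration>
    <remote-anonymous-rmit3-enabled>true</remote-anonymous-rmit3-enabled>
    <remote-anonymous-rmiiiop-enabled>false</remote-anonymous-rmiiiop-enabled>
  </security-configuration>
  <server>
    <name>sample_adminserver</name>
    <ssl><hostname-verification-ignored>true</hostname-verification-ignored></ssl>
    <network-access-point>
      <name>channel-dep</name>
      <tunneling-enabled>true</tunneling-enabled>
    </network-access-point>
  </server>
</domain>"""
NS = {"d": "http://xmlns.oracle.com/weblogic/domain"}

def is_true(elem):
    """Boolean value of a config element; a missing element counts as false."""
    return elem is not None and (elem.text or "").strip().lower() == "true"

def audit_config(config_xml):
    """Return the checkup-style findings implied by the settings in config.xml."""
    root = ET.fromstring(config_xml)
    findings = []
    for server in root.findall("d:server", NS):
        sname = server.findtext("d:name", default="?", namespaces=NS)
        # Tunneling on a channel: the T3/IIOP deserialization warning.
        for nap in server.findall("d:network-access-point", NS):
            if is_true(nap.find("d:tunneling-enabled", NS)):
                cname = nap.findtext("d:name", default="?", namespaces=NS)
                findings.append(f"tunneling enabled on channel {cname} of {sname}")
        # Ignored host name verification: the SSL host name warning.
        ssl = server.find("d:ssl", NS)
        if ssl is not None and is_true(ssl.find("d:hostname-verification-ignored", NS)):
            findings.append(f"SSL hostname verification disabled on {sname}")
    # Domain-wide anonymous RMI attributes: the RemoteAnonymousRMI* warning.
    sec = root.find("d:security-configuration", NS)
    for tag in ("remote-anonymous-rmit3-enabled", "remote-anonymous-rmiiiop-enabled"):
        if sec is not None and is_true(sec.find(f"d:{tag}", NS)):
            findings.append(f"{tag} is true")
    return findings

def insecure_mode(st_mode):
    """True when a mode is wider than the 750 remedy: group-writable or any 'other' bits."""
    return bool(stat.S_IMODE(st_mode) & 0o027)
```

Run insecure_mode(os.stat(path).st_mode) over the files under the security/ directory to find the entries the boot.properties warning refers to.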

After you address the warnings, you must click Refresh Warnings to see the warnings removed in the console.

For Oracle Java Cloud Service instances created after July 20, 2021, the warnings still appear even though the Java properties that disable anonymous RMI requests are configured. This is a known issue in Oracle WebLogic Server.

If you want to perform anonymous RMI requests, you must set the Java properties for anonymous RMI T3 and IIOP requests. See Set the Java Properties.