Security Checkup Tool Warnings
Learn about the security check warnings that are displayed in the Oracle WebLogic Server Administration console and how to troubleshoot them.
At the top of the WebLogic Server Administration console, the message "Security warnings detected. Click here to view the report and recommended remedies" is displayed for Oracle Java Cloud Service instances created after July 20, 2021, or the instances on which the July 2021 PSUs are applied.
When you click the message, a list of security warnings is displayed, as listed in the following table.
Note:
The SSL host name verification and the umask warnings are displayed for existing Oracle Java Cloud Service instances created before release 21.3.2 (August 26, 2021). The warning messages listed in the table are examples.
Security Warnings
Warning Message | Resolution |
---|---|
Note: This warning is displayed only for existing Oracle Java Cloud Service instances created before release 22.1.1 (January 31, 2022) on which the October 2021 PSUs are applied. |
Disable tunneling on |
|
Review your applications before you make any changes to address these SSL host name security warnings. For applications that connect to SSL endpoints with a host name in the certificate that does not match the local machine's host name, the connection fails if you configure the BEA host name verifier in Oracle WebLogic Server. See Using the BEA Host Name Verifier in Administering Security for Oracle WebLogic Server. For applications that connect to Oracle-provided endpoints such as Oracle Identity Cloud Service (for example, If you are not sure of the SSL configuration settings you should configure to address the warning, Oracle recommends that you configure the wildcard host name verifier. See Configure the Wildcard Host Name Verifier. For existing Oracle Java Cloud Service instances (created before July 20, 2021), to address this SSL host name verification warning, in addition to configuring the host name verifier, you must edit the
|
|
Run the following command in the administration server as
Note: This permission setting is applicable only for existing Oracle Java Cloud Service instances created before release 21.3.2 (August 26, 2021) on which the July 2021 PSUs are applied. |
|
Disable the anonymous RMI T3 and IIOP requests in the WebLogic Server Administration Console as soon as possible unless your deployment requires anonymous T3 or IIOP (not typical). See Disable Remote Anonymous RMI T3 and IIOP Requests. Note: These attribute settings are also applicable to Oracle Traffic Director, but only for service instances running Oracle Traffic Director 12.2.1.4. |
After you address the warnings, you must click Refresh Warnings to see the warnings removed in the console.
For Oracle Java Cloud Service instances created after July 20, 2021, the warnings still appear even though the Java properties that disable anonymous requests, to prevent anonymous RMI access, are configured. This is a known issue in Oracle WebLogic Server.
If you want to perform anonymous RMI requests, you must set the Java properties for anonymous RMI T3 and IIOP requests. See Set the Java Properties.
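The SSL host name verification row above says that a strict verifier can break connections to endpoints whose certificate name differs from the host name, and recommends the wildcard host name verifier when unsure. The following is an added illustration, not Oracle's code or WebLogic's implementation: the wildcard rules follow the common RFC 6125 convention as an assumption, and all host names and certificate names are constructed.

```python
import ipaddress

def _is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def exact_match(host, cert_name):
    """Strict check: the certificate name must equal the host name."""
    return host.lower().rstrip(".") == cert_name.lower().rstrip(".")

def wildcard_match(host, cert_name):
    """Wildcard-aware check (assumed RFC 6125-style rules)."""
    host = host.lower().rstrip(".")
    cert_name = cert_name.lower().rstrip(".")
    if "*" not in cert_name:
        return host == cert_name
    if _is_ip(host):
        return False  # wildcards never apply to IP literals
    c_labels = cert_name.split(".")
    h_labels = host.split(".")
    # "*" must be the entire leftmost label, followed by at least two labels,
    # so that names such as "*.com" are rejected.
    if c_labels[0] != "*" or "*" in "".join(c_labels[1:]) or len(c_labels) < 3:
        return False
    # "*" stands for exactly one label, so the label counts must be equal.
    return len(h_labels) == len(c_labels) and h_labels[1:] == c_labels[1:]

def verify(host, cert_names, matcher):
    """True if any name in the certificate satisfies the matcher."""
    return any(matcher(host, name) for name in cert_names)

# Constructed (host the application connects to, names in the certificate).
CASES = [
    ("idcs-tenant.identity.example.com", ["*.identity.example.com"]),
    ("a.b.identity.example.com", ["*.identity.example.com"]),
    ("example.com", ["*.com"]),
    ("wls-admin.example.com", ["wls-admin.example.com"]),
    ("10.0.0.5", ["*.0.0.5"]),
]

def report():
    """Return (host, strict_result, wildcard_result) for every case."""
    return [(h, verify(h, n, exact_match), verify(h, n, wildcard_match))
            for h, n in CASES]

if __name__ == "__main__":
    for host, strict, wild in report():
        print(f"{host:34} exact={strict!s:5} wildcard={wild}")
```

Only the first case changes outcome between the two checks, which is the class of connection to review before switching verifiers.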