About the Security Checkup Tool

The Oracle WebLogic Server Administration Console includes a security checkup tool that displays security check warnings. These warnings are displayed for Oracle WebLogic Server for OCI instances created with WebLogic Server versions 12.2.1.4 and 14.1.1.0.

For Oracle WebLogic Server for OCI instances created after July 20, 2021, or instances on which the July 2021 PSUs are applied, the message "Security warnings detected. Click here to view the report and recommended remedies" is displayed at the top of the Oracle WebLogic Server Administration Console. When you click the message, a list of security warnings is displayed, as shown in the following table.

The warning messages listed in the table are examples.

Security Warnings

Warning message: The configuration for key stores for this server are set to Demo Identity and Demo Trust. Trust Demo certificates are not supported in production mode domains.

Resolution: Configure the identity and trust keystores for each server and the name of the certificate in the identity keystore that the server uses for SSL communication. See Configure Keystore Attributes for Identity and Trust.

Note: This warning is displayed for Oracle WebLogic Server for OCI instances created after October 20, 2021, or instances on which the October 2021 PSUs are applied.

Warning message: Remote Anonymous RMI T3 or IIOP requests are enabled. Set the RemoteAnonymousRMIT3Enabled and RemoteAnonymousRMIIIOPEnabled attributes to false.

Resolution: Disable anonymous RMI T3 and IIOP requests in the WebLogic Server Administration Console as soon as possible, unless your deployment requires anonymous T3 or IIOP (not typical). See Disable Remote Anonymous RMI T3 and IIOP Requests.

Note:

For existing Oracle WebLogic Server for OCI instances created before release 21.3.2 (August 17, 2021), you see the SSL host name verification warnings. See Security Checkup Tool Warnings.

After you address the warnings, click Refresh Warnings; the resolved warnings are not removed from the console until you do.

For Oracle WebLogic Server for OCI instances created after July 20, 2021, the Java system properties that disable anonymous RMI requests are already configured, but the warnings still appear. This is a known issue in Oracle WebLogic Server; to clear the warnings, disable the attributes in the console as described in Disable Remote Anonymous RMI T3 and IIOP Requests.

If your deployment requires anonymous RMI requests, remove the Java properties: open the nodemanager.properties file under DOMAIN_HOME/nodemanager and remove the weblogic.startup.Arguments property.

Disable Remote Anonymous RMI T3 and IIOP Requests

To disable the remote anonymous RMI T3 and IIOP requests in the WebLogic Server Administration console:

  1. Locate the Change Center and click Lock & Edit to lock the editable configuration hierarchy for the domain.

  2. Under Domain structure, select the domain name, and then select the Security tab.

  3. Expand Advanced and deselect Remote anonymous RMI access via IIOP and Remote anonymous RMI access via T3.

Click Save, then return to the Change Center and click Activate Changes.
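The console procedure above sets the RemoteAnonymousRMIT3Enabled and RemoteAnonymousRMIIIOPEnabled attributes, which are persisted in the domain's config.xml, whereas the Java properties mentioned in the note are passed to the JVM at startup. The following Python script is an added example, not part of this page or of Oracle's tooling: it reads a config.xml and a server's JVM start arguments offline and reports which anonymous-RMI warnings the checkup will still raise, on the assumption (consistent with the known issue noted above) that the checkup reads the persisted attributes rather than the JVM flags. The config.xml element names, the JVM property names, the default of "enabled" when an element is absent, and the sample domain are all assumptions.

```python
"""Offline check of anonymous RMI T3/IIOP settings for a WebLogic domain.

Added example; not Oracle's tooling. Element names, property names and the
sample domain below are assumptions derived from the MBean attribute names
RemoteAnonymousRMIT3Enabled / RemoteAnonymousRMIIIOPEnabled.
"""
import re
import xml.etree.ElementTree as ET

# Namespace of a WebLogic domain config.xml (assumed).
NS = {"d": "http://xmlns.oracle.com/weblogic/domain"}

# config.xml elements under <security-configuration> (assumed names).
ATTRS = {
    "t3": "remote-anonymous-rmi-t3-enabled",
    "iiop": "remote-anonymous-rmi-iiop-enabled",
}
# JVM system properties that switch the same behaviour at startup (assumed).
PROPS = {
    "t3": "weblogic.security.remoteAnonymousRMIT3Enabled",
    "iiop": "weblogic.security.remoteAnonymousRMIIIOPEnabled",
}

# Constructed sample: T3 disabled via the console (persisted), IIOP untouched.
SAMPLE_CONFIG_XML = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>wls_domain</name>
  <security-configuration>
    <name>wls_domain</name>
    <remote-anonymous-rmi-t3-enabled>false</remote-anonymous-rmi-t3-enabled>
  </security-configuration>
</domain>
"""
# Constructed sample: both switches disabled only through JVM arguments.
SAMPLE_JVM_ARGS = (
    "-Dweblogic.security.remoteAnonymousRMIT3Enabled=false "
    "-Dweblogic.security.remoteAnonymousRMIIIOPEnabled=false"
)


def anonymous_rmi_from_config(config_xml: str) -> dict:
    """Return {"t3": bool, "iiop": bool} as persisted in config.xml.

    An absent element is treated as the default, assumed here to be enabled
    (which is why a freshly provisioned domain shows the warning)."""
    root = ET.fromstring(config_xml)
    sec = root.find("d:security-configuration", NS)
    result = {}
    for key, tag in ATTRS.items():
        el = None if sec is None else sec.find(f"d:{tag}", NS)
        text = "" if el is None else (el.text or "")
        result[key] = True if el is None else text.strip().lower() != "false"
    return result


def anonymous_rmi_from_jvm_args(args: str) -> dict:
    """Return {"t3": bool|None, "iiop": bool|None} from -D flags.

    None means the property is not present in the start arguments."""
    result = {}
    for key, prop in PROPS.items():
        m = re.search(rf"-D{re.escape(prop)}=(\w+)", args)
        result[key] = None if m is None else m.group(1).lower() != "false"
    return result


def checkup_warnings(config_xml: str, jvm_args: str) -> list:
    """List the warnings the checkup is expected to raise.

    A warning is raised whenever config.xml still says enabled, even when the
    JVM argument disables the protocol; the message says so in that case."""
    cfg = anonymous_rmi_from_config(config_xml)
    jvm = anonymous_rmi_from_jvm_args(jvm_args)
    warnings = []
    for key in ("t3", "iiop"):
        if not cfg[key]:
            continue
        msg = f"Remote Anonymous RMI {key.upper()} requests are enabled (config.xml)"
        if jvm[key] is False:
            msg += "; the JVM argument disables it, but the warning persists until the attribute is set to false"
        warnings.append(msg)
    return warnings


if __name__ == "__main__":
    for w in checkup_warnings(SAMPLE_CONFIG_XML, SAMPLE_JVM_ARGS):
        print("WARNING:", w)
```

Point the script at DOMAIN_HOME/config/config.xml and at the Arguments line of the server's start properties to compare what the JVM was told with what the checkup sees; only the persisted attributes make the warning disappear after Refresh Warnings.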

Configure Keystore Attributes for Identity and Trust

To configure the identity and trust keystore files and the name of the certificate in the identity keystore in the WebLogic Server Administration console:

  1. Locate the Change Center and click Lock & Edit to lock the editable configuration hierarchy for the domain.

  2. Under Domain structure, select Environment and then select Servers.

  3. In the Servers table, select the server you want to configure.

  4. On the Configuration tab, click Keystores, and then click Change.

  5. Select Custom Identity and Custom Trust, and then click Save.

  6. Under Identity, provide the following details:

    1. Enter the full path of your identity keystore.

      For example: /u01/data/keystores/identity.jks

    2. For Custom Identity Keystore Type, enter JKS (or PKCS12 if the keystore was created in that format).

    3. For Custom Identity Keystore Passphrase, enter your keystore password. Enter the same value for Confirm Custom Identity Keystore Passphrase.

  7. Under Trust, provide the following details:

    1. Enter the full path of your trust keystore.

      For example, /u01/data/keystores/trust.jks

    2. For Custom Trust Keystore Type, enter JKS (or PKCS12 if the keystore was created in that format).

    3. For Custom Trust Keystore Passphrase, enter your keystore password. Enter the same value for Confirm Custom Trust Keystore Passphrase.

  8. Click Save.

  9. Click the SSL tab.

  10. Under Identity, provide the following details:

    1. For Private Key Alias, enter the alias of the certificate (private key) in the identity keystore, for example server_cert.

    2. For Private Key Passphrase, enter the password for this certificate in the keystore. Enter the same value for Confirm Private Key Passphrase.

      By default, the password for the certificate is the same as the identity keystore password.

  11. Click Save.

    After saving the changes, return to Change Center and click Activate Changes.

  12. Repeat steps 3 to 11 to configure each server in the domain.
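Because the procedure above has to be repeated for every server, it is easy to leave one server on the demo keystores or to set the keystores but forget the Private Key Alias on the SSL tab. The following Python script is an added example, not part of this page or of Oracle's tooling: it reads the domain's config.xml offline and reports, per server, whether it still uses Demo Identity and Demo Trust and, for servers switched to custom keystores, which of the settings from the procedure are missing. The config.xml element names, the treatment of an absent key-stores element as the demo default, and the sample domain are assumptions.

```python
"""Offline check of per-server keystore configuration in a WebLogic config.xml.

Added example; not Oracle's tooling. Element names and the sample domain are
assumptions derived from the console attribute names used in the procedure.
"""
import os
import xml.etree.ElementTree as ET

# Namespace of a WebLogic domain config.xml (assumed).
NS = {"d": "http://xmlns.oracle.com/weblogic/domain"}

# Constructed sample: AdminServer fully configured, wls_server_1 still on the
# demo keystores (no <key-stores> element), wls_server_2 with custom keystores
# but no private key alias on the SSL tab.
SAMPLE_CONFIG_XML = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>wls_domain</name>
  <server>
    <name>AdminServer</name>
    <ssl>
      <enabled>true</enabled>
      <server-private-key-alias>server_cert</server-private-key-alias>
    </ssl>
    <key-stores>CustomIdentityAndCustomTrust</key-stores>
    <custom-identity-key-store-file-name>/u01/data/keystores/identity.jks</custom-identity-key-store-file-name>
    <custom-identity-key-store-type>JKS</custom-identity-key-store-type>
    <custom-trust-key-store-file-name>/u01/data/keystores/trust.jks</custom-trust-key-store-file-name>
    <custom-trust-key-store-type>JKS</custom-trust-key-store-type>
  </server>
  <server>
    <name>wls_server_1</name>
  </server>
  <server>
    <name>wls_server_2</name>
    <key-stores>CustomIdentityAndCustomTrust</key-stores>
    <custom-identity-key-store-file-name>/u01/data/keystores/identity.jks</custom-identity-key-store-file-name>
    <custom-identity-key-store-type>JKS</custom-identity-key-store-type>
    <custom-trust-key-store-file-name>/u01/data/keystores/trust.jks</custom-trust-key-store-file-name>
    <custom-trust-key-store-type>JKS</custom-trust-key-store-type>
  </server>
</domain>
"""


def _text(parent, tag):
    """Stripped text of a direct child element, or None when absent."""
    el = parent.find(f"d:{tag}", NS)
    return None if el is None or el.text is None else el.text.strip()


def keystore_findings(config_xml: str, check_files: bool = False) -> dict:
    """Map server name -> list of findings; an empty list means the server passes.

    check_files=True additionally verifies that each configured keystore
    path exists on this host (only meaningful when run on the server itself)."""
    root = ET.fromstring(config_xml)
    findings = {}
    for server in root.findall("d:server", NS):
        name = _text(server, "name") or "<unnamed>"
        problems = []
        # An absent <key-stores> element is assumed to mean the default,
        # DemoIdentityAndDemoTrust, which is exactly what the checkup warns about.
        mode = _text(server, "key-stores") or "DemoIdentityAndDemoTrust"
        if mode.startswith("Demo"):
            problems.append(f"key-stores is {mode}: demo certificates are not supported in production mode")
        else:
            required = ["custom-identity-key-store-file-name", "custom-identity-key-store-type"]
            if mode == "CustomIdentityAndCustomTrust":
                required += ["custom-trust-key-store-file-name", "custom-trust-key-store-type"]
            for tag in required:
                val = _text(server, tag)
                if not val:
                    problems.append(f"missing {tag}")
                elif check_files and tag.endswith("file-name") and not os.path.isfile(val):
                    problems.append(f"{tag} points to a missing file: {val}")
            # The certificate alias lives on the SSL tab (<ssl> child element).
            ssl = server.find("d:ssl", NS)
            alias = None if ssl is None else _text(ssl, "server-private-key-alias")
            if not alias:
                problems.append("ssl/server-private-key-alias is not set")
        findings[name] = problems
    return findings


def servers_needing_attention(config_xml: str) -> list:
    """Sorted names of servers that still have at least one finding."""
    return sorted(n for n, p in keystore_findings(config_xml).items() if p)


if __name__ == "__main__":
    for server_name, problems in keystore_findings(SAMPLE_CONFIG_XML).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{server_name}: {status}")
```

Run it against DOMAIN_HOME/config/config.xml after activating the changes; the keystore passphrases are stored encrypted and are deliberately not inspected, so a server that passes here still needs a restart-time check that the passphrase and alias actually open the keystore.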