About the Security Checkup Tool

Oracle WebLogic Server Administration console includes a security checkup tool that displays security check warnings.

For Oracle WebLogic Server for OKE instances created after July 20, 2021, or instances on which the July 2021 PSUs are applied, the message "Security warnings detected. Click here to view the report and recommended remedies" is displayed at the top of the Oracle WebLogic Server Administration console. When you click the message, a list of security warnings such as those in the following table is displayed.

The warning messages listed in the table are examples.

Security Warnings

Warning Message: The configuration for key stores for this server are set to Demo Identity and Demo Trust. Trust Demo certificates are not supported in production mode domains.

Resolution: Configure the identity and trust keystores for each server and the name of the certificate in the identity keystore that the server uses for SSL communication. See Configure Keystore Attributes for Identity and Trust.

Note: This warning is displayed for Oracle WebLogic Server for OKE instances created after October 20, 2021, or the instances on which the October PSUs are applied.

Warning Message: Production mode is enabled but the file or directory <directory_name>/startWebLogic.sh is insecure since its permission is not a minimum of umask 027.

Resolution: Run the following command on the administration server as the oracle user:

    chmod 640 /u01/data/domains/<domain_name>/bin

Warning Message: Remote Anonymous RMI T3 or IIOP requests are enabled. Set the RemoteAnonymousRMIT3Enabled and RemoteAnonymousRMIIIOPEnabled attributes to false.

Resolution: Set the Java properties for anonymous RMI T3 and IIOP requests during server start-up. See Set the Java Properties.

Note:

For existing Oracle WebLogic Server for OKE instances (created before July 20, 2021), you see the SSL host name verification warnings. For details, see Security Checkup Tool Warnings.

After you address the warnings, you must click Refresh Warnings to see the warnings removed in the console.

For Oracle WebLogic Server for OKE instances created after July 20, 2021, the warnings still appear even after the Java properties that disable anonymous RMI requests are configured. This is a known issue in Oracle WebLogic Server.

Set the Java Properties

To set the Java properties for anonymous RMI T3 and IIOP requests:
  1. Edit the domain.yaml located at /u01/shared/weblogic-domains/<domain_name>/domain.yaml and update every serverPod definition as follows:

    serverPod:
      env:
      - name: USER_MEM_ARGS
        # admin server memory is explicitly set to min of 256m and max of 512m and GC algo is G1GC
        value: "-Xms256m -Xmx512m -XX:+UseG1GC -Djava.security.egd=file:/dev/./urandom"
      - name: JAVA_OPTIONS
        value: "-Dweblogic.store.file.LockEnabled=false
          -Dweblogic.rjvm.allowUnknownHost=true
          -Dweblogic.security.remoteAnonymousRMIT3Enabled=false
          -Dweblogic.security.remoteAnonymousRMIIIOPEnabled=false"
  2. Apply the domain.yaml using the kubectl command:

    kubectl apply -f <path_to_domain.yaml>
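Because the properties must be present in every serverPod definition, an added check (not part of Oracle's documentation or tooling) that walks an already-parsed domain resource, finds each serverPod wherever it sits in the schema, and reports pods whose JAVA_OPTIONS do not set both anonymous RMI properties to false. The sample domain is constructed inline; loading a real domain.yaml with a YAML parser is assumed and left out.

```python
import shlex

# Properties the page says every serverPod's JAVA_OPTIONS must set to "false".
REQUIRED_FALSE = ("weblogic.security.remoteAnonymousRMIT3Enabled",
                  "weblogic.security.remoteAnonymousRMIIIOPEnabled")

def parse_dprops(java_options):
    """Map the -Dname=value entries of a JAVA_OPTIONS string to {name: value}."""
    props = {}
    for tok in shlex.split(java_options or ""):
        if tok.startswith("-D"):
            name, _, value = tok[2:].partition("=")
            props[name] = value
    return props

def find_server_pods(node, path="spec"):
    """Yield (path, serverPod) for every key named serverPod under node, whatever the schema."""
    if isinstance(node, dict):
        for key, child in node.items():
            child_path = f"{path}.{key}"
            if key == "serverPod" and isinstance(child, dict):
                yield child_path, child
            else:
                yield from find_server_pods(child, child_path)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from find_server_pods(child, f"{path}[{i}]")

def check_anonymous_rmi(domain):
    """Return (path, property) pairs for each serverPod that leaves anonymous RMI enabled."""
    findings = []
    for path, pod in find_server_pods(domain.get("spec", {})):
        env = {e.get("name"): e.get("value", "") for e in pod.get("env", [])}
        props = parse_dprops(env.get("JAVA_OPTIONS"))
        for prop in REQUIRED_FALSE:
            if props.get(prop, "").lower() != "false":
                findings.append((path, prop))
    return findings

# Constructed sample (not a real domain.yaml): the admin server pod is hardened,
# but the cluster's serverPod only disables T3 and leaves IIOP at its default.
SAMPLE_DOMAIN = {"spec": {
    "adminServer": {"serverPod": {"env": [{"name": "JAVA_OPTIONS", "value":
        "-Dweblogic.store.file.LockEnabled=false "
        "-Dweblogic.security.remoteAnonymousRMIT3Enabled=false "
        "-Dweblogic.security.remoteAnonymousRMIIIOPEnabled=false"}]}},
    "clusters": [{"clusterName": "cluster-1", "serverPod": {"env": [
        {"name": "JAVA_OPTIONS", "value": "-Dweblogic.security.remoteAnonymousRMIT3Enabled=false"}]}}],
}}
```

Run check_anonymous_rmi on the parsed domain before applying it; an empty result means every serverPod carries both properties.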

Configure Keystore Attributes for Identity and Trust

To configure the identity and trust keystore files and the name of the certificate in the identity keystore in the WebLogic Server Administration console:

  1. Locate the Change Center and click Lock & Edit to lock the editable configuration hierarchy for the domain.

  2. Under Domain structure, select Environment and then select Servers.

  3. In the Servers table, select the server you want to configure.

  4. On the Configuration tab, click Keystores, and then click Change.

  5. Select Custom Identity and Custom Trust, and then click Save.

  6. Under Identity, provide the following details:

    1. Enter the full path of your identity keystore.

      For example: /u01/data/keystores/identity.jks

    2. For Custom Identity Keystore Type, enter JKS.

    3. For Custom Identity Keystore Passphrase, enter your keystore password. Enter the same value for Confirm Custom Identity Keystore Passphrase.

  7. Under Trust, provide the following details:

    1. Enter the full path of your trust keystore.

      For example: /u01/data/keystores/trust.jks

    2. For Custom Trust Keystore Type, enter JKS.

    3. For Custom Trust Keystore Passphrase, enter your keystore password. Enter the same value for Confirm Custom Trust Keystore Passphrase.

  8. Click Save.

  9. Click the SSL tab.

  10. Under Identity, provide the following details:

    1. For Private Key Alias, enter the name of the certificate (private key) in the identity keystore, server_cert.

    2. For Private Key Passphrase, enter the password for this certificate in the keystore. Enter the same value for Confirm Private Key Passphrase.

      By default, the password for the certificate is the same as the identity keystore password.

  11. Click Save.

    After saving the changes, return to Change Center and click Activate Changes.

  12. Repeat steps 3 to 9 to configure each server in the domain.