About the Security Checkup Tool
The Oracle WebLogic Server Administration console includes a security checkup tool that displays security check warnings.
For Oracle WebLogic Server for OKE instances created after July 20, 2021, or instances on which the July 2021 PSUs are applied, the message "Security warnings detected. Click here to view the report and recommended remedies" is displayed at the top of the Oracle WebLogic Server Administration console. When you click the message, a list of security warnings is displayed, as listed in the following table.
The warning messages listed in the table are examples.
Security Warnings
| Warning Message | Resolution |
|---|---|
| | Configure the identity and trust keystores for each server and the name of the certificate in the identity keystore that the server uses for SSL communication. See Configure Keystore Attributes for Identity and Trust. Note: This warning is displayed for Oracle WebLogic Server for OKE instances created after October 20, 2021, or the instances on which the October PSUs are applied. |
| | Run the following command in the administration server as |
| | Set the Java properties for anonymous RMI T3 and IIOP requests during server startup. See Set the Java Properties. |
Note:
For existing Oracle WebLogic Server for OKE instances (created before July 20, 2021), you see the SSL host name verification warnings. For details, see Security Checkup Tool Warnings.
After you address the warnings, you must click Refresh Warnings to see the warnings removed in the console.
For Oracle WebLogic Server for OKE instances created after July 20, 2021, the warnings still appear even though the Java properties that disable anonymous requests (to prevent anonymous RMI access) are configured. This is a known issue in Oracle WebLogic Server.
Set the Java Properties
1. Edit the domain.yaml located in /u01/shared/weblogic-domains/<domain_name>/domain.yaml for all instances of serverPod definitions as follows:

   ```yaml
   serverPod:
     env:
     - name: USER_MEM_ARGS
       # admin server memory is explicitly set to min of 256m and max of 512m and GC algo is G1GC
       value: "-Xms256m -Xmx512m -XX:+UseG1GC -Djava.security.egd=file:/dev/./urandom"
     - name: JAVA_OPTIONS
       value: "-Dweblogic.store.file.LockEnabled=false -Dweblogic.rjvm.allowUnknownHost=true -Dweblogic.security.remoteAnonymousRMIT3Enabled=false -Dweblogic.security.remoteAnonymousRMIIIOPEnabled=false"
   ```

2. Apply the domain.yaml using the kubectl command:

   ```
   kubectl apply -f <path_to_domain.yaml>
   ```
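Step 1 applies to every serverPod definition, so one that is missed leaves anonymous RMI enabled on those pods. The following check is an added example, not part of Oracle's documentation: it reports, for each serverPod block in a domain.yaml, which of the two properties is absent. The function name, the sample layout, and the assumption that JAVA_OPTIONS is written as in the snippet above (value on one double-quoted line directly after the name) are illustrative.

```python
import re

# Properties the page sets to false to block anonymous RMI T3 and IIOP requests.
REQUIRED = ("-Dweblogic.security.remoteAnonymousRMIT3Enabled=false",
            "-Dweblogic.security.remoteAnonymousRMIIIOPEnabled=false")
# Assumption: the value is one double-quoted line right after the name line.
JAVA_OPTS = re.compile(r'name:\s*JAVA_OPTIONS\s+value:\s*"([^"]*)"')


def audit(text):
    """Return {line number of each serverPod: [required properties it lacks]}."""
    def indent(s):
        return len(s) - len(s.lstrip())
    lines, report = text.splitlines(), {}
    for i, line in enumerate(lines):
        if line.strip() != "serverPod:":
            continue
        block = []
        for nxt in lines[i + 1:]:
            # A key at the same or shallower indent closes the block;
            # blank lines and full-line comments do not.
            if nxt.split("#")[0].strip() and indent(nxt) <= indent(line):
                break
            block.append(nxt)
        match = JAVA_OPTS.search("\n".join(block))
        options = match.group(1).split() if match else []
        report[i + 1] = [p for p in REQUIRED if p not in options]
    return report


# Constructed sample, not a real domain.yaml; the resource layout is illustrative.
SAMPLE = """\
serverPod:
  env:
  - name: JAVA_OPTIONS
    value: "-Dweblogic.security.remoteAnonymousRMIT3Enabled=false -Dweblogic.security.remoteAnonymousRMIIIOPEnabled=false"
adminServer:
  serverPod:
    env:
    - name: JAVA_OPTIONS
      value: "-Dweblogic.rjvm.allowUnknownHost=true -Dweblogic.security.remoteAnonymousRMIT3Enabled=false"
managedServers:
- serverName: ms-1
  serverPod:
    env:
    - name: USER_MEM_ARGS
      value: "-Xms256m -Xmx512m -XX:+UseG1GC"
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty list for a block means both properties are present and set to false; a property set to true is reported as missing.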
Configure Keystore Attributes for Identity and Trust
To configure the identity and trust keystore files and the name of the certificate in the identity keystore in the WebLogic Server Administration console:
1. Locate the Change Center and click Lock & Edit to lock the editable configuration hierarchy for the domain.
2. Under Domain structure, select Environment and then select Servers.
3. In the Servers table, select the server you want to configure.
4. On the Configuration tab, click Keystores, and then click Change.
5. Select Custom Identity and Custom Trust, and then click Save.
6. Under Identity, provide the following details:
   - Enter the full path of your identity keystore. For example: /u01/data/keystores/identity.jks
   - For Custom Identity Keystore Type, enter JKS.
   - For Custom Identity Keystore Passphrase, enter your keystore password. Enter the same value for Confirm Custom Identity Keystore Passphrase.
7. Under Trust, provide the following details:
   - Enter the full path of your trust keystore. For example: /u01/data/keystores/trust.jks
   - For Custom Trust Keystore Type, enter JKS.
   - For Custom Trust Keystore Passphrase, enter your keystore password. Enter the same value for Confirm Custom Trust Keystore Passphrase.
8. Click Save.
9. Click the SSL tab.
10. Under Identity, provide the following details:
    - For Private Key Alias, enter the name of the certificate (private key) in the identity keystore, server_cert.
    - For Private Key Passphrase, enter the password for this certificate in the keystore. Enter the same value for Confirm Private Key Passphrase. By default, the password for the certificate is the same as the identity keystore password.
11. Click Save. After saving the changes, return to Change Center and click Activate Changes.
12. Repeat steps 3 to 9 to configure each server in the domain.