1.7 Securing the Application

The following guidelines serve to secure the application deployed on Oracle WebLogic Server.
  1. Setting up Secure Flag for Cookies:

    If the secure flag is set on a cookie, browsers do not send the cookie in any request that uses an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic.

    The following configuration must be present in weblogic.xml within the deployed application EAR:
    1. Cookie secure flag set to true and URL rewriting disabled
      <wls:session-descriptor>
        <wls:cookie-secure>true</wls:cookie-secure>
        <wls:url-rewriting-enabled>false</wls:url-rewriting-enabled>
      </wls:session-descriptor>
    Always make sure cookies are set with the Auth flag enabled by default for WebLogic Server. For versions below WebLogic 10.3.5, applying the WebLogic 10.3.5 patch is also recommended so that the above changes take effect.
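    A practitioner usually wants to verify that a deployed EAR actually carries these settings rather than trust the build. The following audit script is an added example and is not part of the FLEXCUBE documentation or any Oracle tool; it parses a weblogic.xml descriptor and reports every session setting that differs from the values shown above. It assumes the descriptor uses the WebLogic web-app namespace URI bound to the wls prefix (or no namespace at all), and the two sample descriptors embedded in it are constructed for this example.

```python
"""Audit weblogic.xml for the session-cookie hardening settings described above.

Added example, not FLEXCUBE or Oracle code. A missing element is reported as
non-compliant because the WebLogic defaults (cookie-secure=false,
url-rewriting-enabled=true) are weaker than the required values.
"""
import xml.etree.ElementTree as ET

# Namespace URI WebLogic binds to the 'wls' prefix in weblogic.xml.
WLS_NS = "http://xmlns.oracle.com/weblogic/weblogic-web-app"

# Setting name -> value the page requires inside <wls:session-descriptor>.
EXPECTED = {
    "cookie-secure": "true",
    "url-rewriting-enabled": "false",
}


def audit_session_descriptor(weblogic_xml_text):
    """Return a list of (setting, actual, expected) findings; [] means compliant.

    'actual' is None when the element is absent from the descriptor.
    """
    root = ET.fromstring(weblogic_xml_text)

    def find_text(name):
        # Accept both the namespaced form shown on the page and an un-namespaced one.
        for path in (f".//{{{WLS_NS}}}session-descriptor/{{{WLS_NS}}}{name}",
                     f".//session-descriptor/{name}"):
            element = root.find(path)
            if element is not None:
                return (element.text or "").strip().lower()
        return None

    findings = []
    for setting, expected in EXPECTED.items():
        actual = find_text(setting)
        if actual != expected:
            findings.append((setting, actual, expected))
    return findings


# Constructed sample: descriptor that matches the page's configuration.
HARDENED_DESCRIPTOR = """<?xml version="1.0" encoding="UTF-8"?>
<wls:weblogic-web-app xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <wls:session-descriptor>
    <wls:cookie-secure>true</wls:cookie-secure>
    <wls:url-rewriting-enabled>false</wls:url-rewriting-enabled>
  </wls:session-descriptor>
</wls:weblogic-web-app>
"""

# Constructed sample: cookie-secure omitted (defaults to false) and rewriting left on.
WEAK_DESCRIPTOR = """<?xml version="1.0" encoding="UTF-8"?>
<wls:weblogic-web-app xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <wls:session-descriptor>
    <wls:url-rewriting-enabled>true</wls:url-rewriting-enabled>
  </wls:session-descriptor>
</wls:weblogic-web-app>
"""

if __name__ == "__main__":
    for label, text in (("hardened", HARDENED_DESCRIPTOR), ("weak", WEAK_DESCRIPTOR)):
        for setting, actual, expected in audit_session_descriptor(text):
            print(f"{label}: {setting} is {actual!r}, expected {expected!r}")
```

    Run it against the weblogic.xml extracted from the EAR (for example, unzip the EAR and its WAR and pass the file contents to audit_session_descriptor); an empty result list means both settings are present with the required values.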
  2. Credential over mail:
    To enable this feature, the mail server details need to be provided at the time of property file creation. The required parameters are:
    • Host Server
    • User ID
    • User Password
    • JNDI Name
  3. Session timeout and token management:

    A session timeout is the event that occurs when a user does not perform any action on a web site during a given interval (defined in the application). On the server side, the event changes the status of the user session to invalid (that is, no longer usable) and instructs the application/web server to destroy it, deleting all data contained in it. The application allows the session timeout to be defined.

    The default value for session time out is 30 minutes.

    Every subsequent request within the session carries the IsAuthenticated attribute and the cross-site request forgery token. Every request sent to the application from the browser is validated against the IsAuthenticated attribute and the cross-site request forgery token.
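    The following model, added here as an example and not taken from FLEXCUBE or WebLogic, shows how the three checks above fit together: an idle timeout that destroys the session, an IsAuthenticated attribute set at login, and a per-session CSRF token that the browser must echo back on every request. It assumes a server-side store keyed by the session cookie value, the 30-minute default from the page, and that the caller supplies the current time in seconds.

```python
"""Idle-timeout and per-request token validation for a server-side session store.

Added example, not FLEXCUBE or WebLogic code. Times are plain seconds supplied by
the caller so the behaviour can be exercised without a clock.
"""
import hmac
import secrets

DEFAULT_TIMEOUT_SECONDS = 30 * 60   # 30-minute default stated on the page


class SessionStore:
    def __init__(self, timeout_seconds=DEFAULT_TIMEOUT_SECONDS):
        self.timeout = timeout_seconds
        self._sessions = {}   # session id -> attribute dict

    def create(self, now, authenticated=True):
        """Create a session; 'authenticated' models the IsAuthenticated attribute."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "IsAuthenticated": authenticated,
            "csrf_token": secrets.token_urlsafe(32),   # unguessable per-session token
            "last_access": now,
        }
        return sid

    def csrf_token(self, sid):
        """Token the application embeds in forms/headers for the browser to echo back."""
        return self._sessions[sid]["csrf_token"]

    def invalidate(self, sid):
        """Destroy the session and everything stored in it."""
        self._sessions.pop(sid, None)

    def validate_request(self, sid, submitted_token, now):
        """Return (ok, reason) for one incoming request.

        Order matters: an expired session is destroyed before any other check,
        so a stale token can never keep a timed-out session alive.
        """
        session = self._sessions.get(sid)
        if session is None:
            return False, "no such session"
        if now - session["last_access"] > self.timeout:
            self.invalidate(sid)
            return False, "session timed out"
        if not session["IsAuthenticated"]:
            return False, "not authenticated"
        if submitted_token is None or not hmac.compare_digest(
            session["csrf_token"].encode(), submitted_token.encode()
        ):
            return False, "csrf token mismatch"
        session["last_access"] = now   # a valid request restarts the idle timer
        return True, "ok"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create(now=0)
    print(store.validate_request(sid, store.csrf_token(sid), now=60))
    print(store.validate_request(sid, "forged", now=120))
    print(store.validate_request(sid, store.csrf_token(sid), now=60 + 1801))
```

    The constant-time comparison (hmac.compare_digest) matters because the CSRF token is a secret: a plain string comparison could leak how many leading bytes matched through timing differences.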

  4. Two-way SSL Connection:

    Two-way SSL is used when the server needs to authenticate the client. In a two-way SSL connection the client verifies the identity of the server and then presents its own identity certificate to the server. The server validates the client's identity certificate before completing the SSL handshake.

    To establish a two-way SSL connection, two certificates are needed: one for the server and one for the client.

    For solutions, a single connector needs to be configured. This connector handles the SSL/TLS communication between the host or browser and the branch, and uses two-way authentication.

    For details on implementing the two-way SSL process, refer to the FLEXCUBE document < SSL_OR_TLS_ Configuration.doc>.
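    The difference between one-way and two-way SSL is visible in how each side's TLS context is configured. The following is an added example, not FLEXCUBE's connector configuration: the server requires a client certificate and trusts the CA that issued the client certificates, while the client verifies the server and loads its own certificate and key. The certificate and key paths are placeholders you supply; the policy functions are kept separate from file loading so the effective policy can be inspected without real certificates.

```python
"""Mutual (two-way) TLS context setup for both ends of the connection.

Added example, not FLEXCUBE or WebLogic code. Paths passed to the build_*
functions are placeholders for the operator's own certificate files.
"""
import ssl


def server_policy():
    """Server side: prove our identity and REQUIRE the client to prove its own."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # one-way SSL would leave this at CERT_NONE
    return ctx


def client_policy():
    """Client side: verify the server certificate and that it matches the hostname."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def build_server_context(server_cert, server_key, client_ca):
    """Two-way SSL server: our certificate plus the CA that issued client certs."""
    ctx = server_policy()
    ctx.load_cert_chain(certfile=server_cert, keyfile=server_key)   # server identity
    ctx.load_verify_locations(cafile=client_ca)   # used to validate client certs
    return ctx


def build_client_context(client_cert, client_key, server_ca):
    """Two-way SSL client: trust anchor for the server plus our own certificate."""
    ctx = client_policy()
    ctx.load_verify_locations(cafile=server_ca)   # used to validate the server
    ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)   # client identity
    return ctx


def policy_summary(ctx):
    """Effective policy of a context, for verification or logging."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "min_version": ctx.minimum_version.name,
    }


if __name__ == "__main__":
    print("server:", policy_summary(server_policy()))
    print("client:", policy_summary(client_policy()))
```

    With these contexts, a client that presents no certificate (or one not issued by client_ca) fails the handshake at the server, which is the behaviour the two-way connector is meant to enforce.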
  5. Securely store credentials in CSF:

    The application uses CSF (Credential Store Framework) to securely store credentials (encryption key / symmetric key) in a credential store, and gains the additional benefits of CSF, such as the ability to manage credentials through the Oracle Fusion Middleware user interfaces / Enterprise Manager console.

    For details on implementing OPSS CSF, refer to the installation / configuration documents in the user manuals.