Security Guidelines for the Middle Tier
This section describes the security guidelines for the Oracle Healthcare Foundation middle tier:
- Removing Unused Applications from Oracle WebLogic Server
- Enabling TLS
- Configuring TLS
- Protecting User Accounts
Parent topic: Security Guide
Removing Unused Applications from Oracle WebLogic Server
Currently, the Oracle WebLogic Server installation includes the JDK and some additional Oracle WebLogic Server development utilities (for example, wlsvc). These development programs are not needed at runtime and can be safely removed. The following are recommendations for making an Oracle WebLogic Server installation more secure:
- Do not install the Oracle WebLogic Server sample applications.
- Delete development tools, such as the Configuration Wizard and the jCOM tools.
- Delete the Derby database, which is bundled with Oracle WebLogic Server for use by the sample applications and code examples as a demonstration database.
For more details, refer to the Determining Your Security Needs section in Oracle® Fusion Middleware Securing a Production Environment for Oracle WebLogic Server 12c (12.2.1.4).
Enabling TLS
TLS is not enabled by default during the installation, so that you can create a unique private identity key and trust certificate. Communications between the browser and the application servers should be restricted to TLS. Enabling TLS is optional, but Oracle recommends TLS for a production environment. To enable TLS:
- Log into Oracle WebLogic Server Administration Console.
- Click the Environment node in the Domain Structure pane and click Servers in the Environment table.
- Click the server where you deployed the .ear file.
- Click the Configuration tab.
- Click the General tab.
- If Save is disabled, click Lock & Edit in the Change Center pane.
- Select the SSL Listen Port Enabled check box and enter a port number.
- To disable the non-SSL port, deselect the Listen Port Enabled check box.
- Click Save.
- Click Activate Changes in the Change Center pane, if it is enabled.
- Click the Control tab.
- Click the Start/Stop tab.
- Click Restart SSL.
- Click Yes.
The message "The TLS channels have been successfully restarted." appears.
You must also configure SSL, identity, and trust. For more information, see Oracle® Fusion Middleware Securing Oracle WebLogic Server 12c (12.2.1.4).
Protecting User Accounts
Oracle WebLogic Server defines a set of configuration options to protect user accounts from intruders. In the default security configuration, these options are set for maximum protection. You can use the Administration Console to modify these options on the Configuration > User Lockout page.
As a system administrator, you have the option of turning off all the configuration options, increasing the number of login attempts before a user account is locked, increasing the time period in which invalid login attempts are made before locking the user account, and changing the amount of time a user account is locked. Remember that changing the configuration options lessens security and leaves user accounts vulnerable to security attacks. For more details, refer to the Configuring Security for a WebLogic Domain section in Oracle® Fusion Middleware Securing Oracle WebLogic Server 12c (12.2.1.4).
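An added example, not part of the Oracle guide: a Python check that reads a WebLogic domain config.xml and reports when the settings covered under Enabling TLS and Protecting User Accounts have been weakened (SSL listen port not enabled, non-SSL listen port still enabled, or lockout settings looser than the defaults). The config.xml fragment is constructed, and the element names and the default values of 5 attempts and 30 minutes are assumptions to verify against your own domain and WebLogic version.

```python
"""Audit a WebLogic domain config.xml for the middle-tier hardening settings:
TLS listener enabled, plain listener disabled, user lockout not weakened."""
import xml.etree.ElementTree as ET

NS = {"d": "http://xmlns.oracle.com/weblogic/domain"}

# Constructed config.xml fragment. Element names follow the WebLogic domain
# schema as far as the author knows (assumption: check your own config.xml).
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>ohf_domain</name>
  <security-configuration>
    <realm>
      <user-lockout-manager>
        <lockout-enabled>true</lockout-enabled>
        <lockout-threshold>20</lockout-threshold>
        <lockout-duration>30</lockout-duration>
        <lockout-reset-duration>5</lockout-reset-duration>
      </user-lockout-manager>
    </realm>
  </security-configuration>
  <server>
    <name>ohf_server</name>
    <ssl><enabled>true</enabled><listen-port>7002</listen-port></ssl>
    <listen-port-enabled>true</listen-port-enabled>
  </server>
</domain>"""

# Assumed WebLogic defaults (attempts before lockout, lockout minutes).
DEFAULT_THRESHOLD = 5
DEFAULT_DURATION = 30

def _text(elem, path, default=None):
    """Return the stripped text of a child element, or the default if absent."""
    node = elem.find(path, NS)
    return node.text.strip() if node is not None and node.text else default

def audit_config(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    for server in root.findall("d:server", NS):
        name = _text(server, "d:name", "?")
        if _text(server, "d:ssl/d:enabled", "false") != "true":
            findings.append(f"{name}: SSL listen port is not enabled")
        # An absent <listen-port-enabled> means the plain port is on.
        if _text(server, "d:listen-port-enabled", "true") != "false":
            findings.append(f"{name}: non-SSL listen port is still enabled")
    ulm = root.find("d:security-configuration/d:realm/d:user-lockout-manager", NS)
    if ulm is None or _text(ulm, "d:lockout-enabled", "true") != "true":
        findings.append("realm: user lockout is disabled")
    elif (int(_text(ulm, "d:lockout-threshold", "5")) > DEFAULT_THRESHOLD
          or int(_text(ulm, "d:lockout-duration", "30")) < DEFAULT_DURATION):
        findings.append("realm: lockout threshold/duration weaker than the defaults")
    return findings
```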
Password Validation Providers
Oracle WebLogic Server includes a Password Validation provider, which is configured by default in each security realm. The Password Validation provider manages and enforces a set of configurable password composition rules, and is automatically invoked by a supported authentication provider whenever a password is created or updated for a user in the realm. When invoked, the Password Validation provider performs a check to determine whether the password meets the criteria established by the composition rules. The password is then accepted or rejected as appropriate. For more information on the Password Validation provider, see the Oracle® Fusion Middleware Administering Security for Oracle WebLogic Server 12c (12.2.1.4).