1. Security Guide
  2. Security Guide
  3. Security Guidelines for the Middle Tier

Security Guidelines for the Middle Tier

This section describes the security guidelines for the Oracle Healthcare Foundation middle tier:

Parent topic: Security Guide

Removing Unused Applications from Oracle WebLogic Server

Currently, the Oracle WebLogic Server installation includes JDK and some additional Oracle WebLogic Server development utilities (for example, wlsvc). These development programs are not needed at runtime and can be safely removed. The following are recommendations for making a Oracle WebLogic Server installation more secure:

  • Do not install the Oracle WebLogic Server sample applications.
  • Delete development tools, such as the Configuration Wizard and the jCOM tools.
  • Delete the Derby database, which is bundled with Oracle WebLogic Server for use by the sample applications and code examples as a demonstration database.

For more details, refer to the Determining Your Security Needs section in Oracle® Fusion Middleware Securing a Production Environment for Oracle WebLogic Server 12c (12.2.1.4)

Parent topic: Security Guidelines for the Middle Tier

Enabling TLS

To create an unique private identity key and trust certificate, TLS is not enabled by default during the installation. Communications between the browser and the application servers should be restricted to TLS. It is optional to enable TLS, but Oracle recommends TLS for a production environment. To enable TLS:

  1. Log into Oracle WebLogic Server Administration Console.
  2. Click the Environment node in the Domain Structure pane and click Servers in the Environment table.
  3. Click the server where you deployed the .ear file.
  4. Click the Configuration tab.
  5. Click the General tab.
  6. If Save is disabled, click Lock & Edit in the Change Center pane.
  7. Select the SSL Listen Port Enabled check box and enter a port number.
  8. To disable non-SSL port, deselect the Listen Port Enabled check box.
  9. Click Save.
  10. Click Activate Changes in the Change Center pane, if it is enabled.
  11. Click the Control tab.
  12. Click the Start/Stop tab.
  13. Click Restart SSL.
  14. Click Yes.

The TLS channels have been successfully restarted. message appears.

You must also configure SSL, identity, and trust. For more information, see Oracle®Fusion Middleware Securing Oracle WebLogic Server 12c (12.2.1.4).

Parent topic: Security Guidelines for the Middle Tier

Configuring TLS

To set up TLS:

  1. Obtain an identity (private key and digital certificates) and trust (certificates of trusted certificate authorities) for Oracle WebLogic Server.

    Use the digital certificates, private keys, and trusted CA certificates provided by Oracle WebLogic Server, the CertGen utility, the keytool utility, or a reputable vendor such as Entrust or Verisign to perform this step.

  2. Store the identity and trust. Private keys and trusted CA certificates which specify identity and trust are stored in keystores.
  3. Configure the identity and trust keystores for Oracle WebLogic Server in the Oracle WebLogic Server Administration Console.
  4. Set SSL configuration options for the private key alias and password in the Oracle WebLogic Server Administration Console. Optionally, set configuration options that require the presentation of client certificates (for two-way SSL).
  5. As per Oracle Software Security standards, it is recommended to configure TLS 1.2. For more details, see the Configuring SSL section in Oracle® Fusion Middleware Securing Oracle WebLogic Server 12c (12.2.1.4).

    You must start the Oracle WebLogic Server with a parameter to exclude SSL 2.0 and/or SSL 3.0 to mitigate the SSL V3.0 "Poodle" Vulnerability, CVE-2014-3566. For more information, see How to Change SSL Protocols (to Disable SSL 3.0) in Oracle Fusion Middleware Products (Doc ID 1936300.1) on My Oracle Support (https://support.oracle.com). Oracle recommends that you disable the insecure SSL and TLS protocols, such as SSLv1, SSLv2, SSLv3, and TLSv1.1 and below.

Parent topic: Security Guidelines for the Middle Tier

Protecting User Accounts

Oracle WebLogic Server defines a set of configuration options to protect user accounts from intruders. In the default security configuration, these options are set for maximum protection. You can use the Administration Console to modify these options on the Configuration > User Lockout page.

As a system administrator, you have the option of turning off all the configuration options, increasing the number of login attempts before a user account is locked, increasing the time period in which invalid login attempts are made before locking the user account, and changing the amount of time a user account is locked. Remember that changing the configuration options lessens security and leaves user accounts vulnerable to security attacks. For more details, refer to Configuring Security for a WebLogic Domain section in Oracle® Fusion Middleware Securing Oracle WebLogic Server 12c (12.2.1.4).

For more information, see:

Parent topic: Security Guidelines for the Middle Tier

Password Validation Providers

Oracle WebLogic Server includes a Password Validation provider, which is configured by default in each security realm. The Password Validation provider manages and enforces a set of configurable password composition rules, and is automatically invoked by a supported authentication provider whenever a password is created or updated for a user in the realm. When invoked, the Password Validation provider performs a check to determine whether the password meets the criteria established by the composition rules. The password is then accepted or rejected as appropriate. For more information on the Password Validation provider, see the Oracle® Fusion Middleware Administering Security for Oracle WebLogic Server 12c (12.2.1.4).

Parent topic: Protecting User Accounts