Security Guidelines for the Middle Tier

This section describes the security guidelines for the OHTR middle tier.

Remove unused applications from WebLogic

Currently, the WebLogic Server installation includes the entire JDK and some additional WebLogic Server development utilities (for example, wlsvc). These development programs are not needed at runtime and can be safely removed. The following are recommendations for making a WebLogic Server installation more secure:

  • Do not install the WebLogic Server sample applications.
  • Delete development tools, such as the Configuration Wizard and the jCOM tools.
  • Delete the Derby database, which is bundled with WebLogic Server for use by the sample applications and code examples as a demonstration database.

For more details, see the section Determining Your Security Needs in Oracle® Fusion Middleware Securing a Production Environment for Oracle WebLogic Server 12c (12.2.1.4), available at

http://docs.oracle.com/middleware/12211/wls/LOCKD/practices.htm#LOCKD116

Enable SSL/TLS

Because a unique private identity key and trust certificate must be created for each deployment, TLS is not enabled by default during the installation. Enabling TLS is optional, but we recommend it for a production environment.

Note:

Communication between the browser and the application servers should be restricted to TLS.

To enable Transport Layer Security:

  1. Log into WebLogic Server Administration Console.
  2. Click the Environment node in the Domain Structure pane and click Servers in the Environment table.
  3. Click the server where you deployed the TrcApp.ear.
  4. Click the Configuration tab.
  5. Click the General tab.
  6. If Save is disabled, click Lock & Edit in the Change Center pane.
  7. Select the SSL Listen Port Enabled check box and enter a port number.
  8. To disable the non-SSL port, deselect the Listen Port Enabled check box.
  9. Click Save.
  10. Click Activate Changes in the Change Center pane, if it is enabled.
  11. Click the Control tab.
  12. Click the Start/Stop tab.
  13. Click Restart.
  14. Click Yes.

    The following message appears:

    TLS channels have been successfully restarted.

You must also configure SSL, identity, and trust. For more information, see the Oracle® Fusion Middleware Securing Oracle WebLogic Server 12c (12.2.1.4).

Configure SSL/TLS

To set up TLS, perform the following steps:

  1. Obtain an identity (private key and digital certificates) and trust (certificates of trusted certificate authorities) for WebLogic Server.

    Use the digital certificates, private keys, and trusted CA certificates provided by WebLogic Server, the CertGen utility, the keytool utility, or a reputable vendor such as Entrust or Verisign to perform this step.

  2. Store the identity and trust. Private keys and trusted CA certificates that specify identity and trust are stored in keystores.
  3. Configure the identity and trust keystores for WebLogic Server in the WebLogic Server Administration Console.
  4. Set SSL configuration options for the private key alias and password in the WebLogic Server Administration Console. Optionally, set configuration options that require the presentation of client certificates (for two-way SSL).
  5. Oracle Software Security standards recommend that you configure TLS 1.2 and disable weak SSL ciphers and protocols, that is, TLS lower than v1.1 and SSL v3 and v2.

For further instructions on specifying the protocol and version, see the Specifying the SSL Protocol Version chapter in Oracle® Fusion Middleware Administering Security for Oracle WebLogic Server 12.2.1 available at

https://docs.oracle.com/middleware/1221/wls/SECMG/ssl_version.htm#SECMG636

For more details, see the section on Configuring SSL in Oracle® Fusion Middleware Securing Oracle WebLogic Server 12c (12.2.1.4) available at

https://docs.oracle.com/middleware/1221/core/ASADM/sslconfig.htm#ASADM1800
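The settings from the two procedures above (SSL listen port enabled, non-SSL listen port disabled, minimum protocol pinned to TLS 1.2) can be audited from a domain's config.xml instead of re-clicking through the console. The following is an added example, not Oracle documentation or OHTR code; the element names follow the WebLogic domain config.xml schema as an assumption, the JVM property is the documented weblogic.security.SSL.minimumProtocolVersion, and the sample XML is constructed.

```python
# Added example (not Oracle or OHTR code): audit a WebLogic config.xml for the
# settings this section asks for. Element names follow the domain config.xml
# schema (assumption); the sample XML below is constructed for illustration.
import xml.etree.ElementTree as ET

NS = {"d": "http://xmlns.oracle.com/weblogic/domain"}
MIN_TLS_ARG = "-Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2"

# Constructed sample: AdminServer is hardened, TrcServer still has gaps.
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>ohtr_domain</name>
  <server>
    <name>AdminServer</name>
    <listen-port-enabled>false</listen-port-enabled>
    <ssl><enabled>true</enabled><listen-port>7002</listen-port></ssl>
    <server-start><arguments>-Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2</arguments></server-start>
  </server>
  <server>
    <name>TrcServer</name>
    <listen-port>7003</listen-port>
    <ssl><enabled>false</enabled></ssl>
  </server>
</domain>
"""

def _text(parent, path, default=""):
    node = parent.find(path, NS)
    return node.text.strip() if node is not None and node.text else default

def audit_config(xml_text):
    """Return {server name: [finding, ...]}; an empty list means compliant."""
    root = ET.fromstring(xml_text)
    findings = {}
    for server in root.findall("d:server", NS):
        issues = []
        # "Enable TLS" step 7: the SSL listen port must be enabled.
        if _text(server, "d:ssl/d:enabled", "false") != "true":
            issues.append("SSL listen port not enabled")
        # Step 8: the non-SSL listen port (enabled by default) must be off.
        if _text(server, "d:listen-port-enabled", "true") != "false":
            issues.append("non-SSL listen port still enabled")
        # "Configure TLS" step 5: pin the minimum protocol version to TLS 1.2.
        if MIN_TLS_ARG not in _text(server, "d:server-start/d:arguments"):
            issues.append("minimumProtocolVersion not pinned to TLSv1.2")
        findings[_text(server, "d:name")] = issues
    return findings
```

The protocol check assumes the JVM argument is recorded under the server's start arguments (as when servers are started through Node Manager); if you pass it through the domain startup scripts instead, point that check at those scripts.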

Protect user accounts

Oracle WebLogic Server defines a set of configuration options to protect user accounts from intruders. In the default security configuration, these options are set for maximum protection. You can use the Administration Console to modify these options on the Configuration > User Lockout page.

As a system administrator, you have the option of turning off all the configuration options, increasing the number of login attempts before a user account is locked, increasing the time period in which invalid login attempts are made before locking the user account, and changing the amount of time a user account is locked. Remember that changing the configuration options lessens security and leaves user accounts vulnerable to security attacks. For more details, see the section Configuring Security for a WebLogic Domain in Oracle® Fusion Middleware Securing Oracle WebLogic Server 12c (12.2.1.4), available at

https://docs.oracle.com/middleware/1221/wls/SECMG/conf-security-for-domain.htm#SECMG777

Monitor logs

If you suspect any unusual transactions in the Cohort UI, monitor the diagnostic logs for any real-time, abnormal business activity.

Application transactions should be monitored, and real-time corrective measures implemented, to limit transaction rates that fall outside the application's Service Level Agreements.

Password Validation Providers

WebLogic Server includes a Password Validation provider, which is configured by default in each security realm. The Password Validation provider manages and enforces a set of configurable password composition rules, and is automatically invoked by a supported authentication provider whenever a password is created or updated for a user in the realm. When invoked, the Password Validation provider performs a check to determine whether the password meets the criteria established by the composition rules. The password is then accepted or rejected as appropriate. For more information on the Password Validation provider, see the Oracle® Fusion Middleware Administering Security for Oracle WebLogic Server 12c (12.2.1.4) available at

https://docs.oracle.com/middleware/1221/wls/SECMG/password_atn.htm#SECMG206