Use two-way SSL

Oracle recommends using two-way SSL when using WebLogic Application Server. HRL and XCA Gateway applications are standard Java EE applications and can use an industry-standard security infrastructure and framework. No configuration is required on the applications.

The WebLogic Application Server provides SSL service. For more information about configuring SSL, see the Application Server's documentation.

When SSL or TLS is configured, Oracle recommends using the TLS_RSA_WITH_AES_128_CBC_SHA cipher instead of SSL_RSA_WITH_DES_EDE_CBC_SHA for TLS authentication.

Oracle recommends that you disable the insecure SSL and TLS protocols, such as SSLv1, SSLv2, SSLv3, and TLSv1.0 and below.

For instructions on enabling SSL, see the Oracle WebLogic Server 12c guidelines or Enable SSL (for middle tier). You must start the Oracle WebLogic Server with a parameter that excludes SSL 2.0 and/or SSL 3.0 in order to mitigate the SSL 3.0 "POODLE" vulnerability, CVE-2014-3566. For more information, see How to Change SSL/TLS Protocols in Oracle WebLogic Server - Disable SSL 2.0/3.0 and Enable TLS 1.x Options (Doc ID 2162789.1) on My Oracle Support (https://support.oracle.com).
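
A start-up check for the protocol floor described above, as an added example (not Oracle's code). It assumes the JVM property is -Dweblogic.security.SSL.minimumProtocolVersion, which this page does not name (confirm it against Doc ID 2162789.1 for your release); the function name check_tls_floor and the sample option strings are constructed for illustration.

```shell
#!/bin/sh
# Classify the TLS floor that a WebLogic start command would enforce.
# Input : the JVM option string (for example JAVA_OPTIONS from a start script).
# Output: one line on stdout:
#   ok:<version>     minimum protocol is above TLSv1.0
#   weak:<version>   minimum protocol is TLSv1.0 or lower
#   missing          property not set, so the server default applies
#   unknown:<value>  value not recognised, review by hand
# The body runs in a subshell so "set -f" and the variables stay local.
check_tls_floor() (
    set -f          # no glob expansion while word-splitting the options
    floor=""
    for opt in $1; do
        case "$opt" in
            # Assumed property name (not stated on this page).
            -Dweblogic.security.SSL.minimumProtocolVersion=*)
                floor="${opt#*=}" ;;   # a later occurrence overrides an earlier one
        esac
    done
    case "$floor" in
        "")                        echo "missing" ;;
        TLSv1.1|TLSv1.2|TLSv1.3)   echo "ok:$floor" ;;
        SSLv2|SSLv3|TLSv1|TLSv1.0) echo "weak:$floor" ;;
        *)                         echo "unknown:$floor" ;;
    esac
)

# Constructed sample option strings (not taken from a real domain).
SAMPLE_GOOD='-Xms512m -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2 -Dweblogic.Name=AdminServer'
SAMPLE_WEAK='-Dweblogic.security.SSL.minimumProtocolVersion=SSLv3'
SAMPLE_NONE='-Xms512m -Dweblogic.Name=AdminServer'

for sample in "$SAMPLE_GOOD" "$SAMPLE_WEAK" "$SAMPLE_NONE"; do
    printf '%s\n' "$(check_tls_floor "$sample")"
done
```

A result of missing or weak means the server is relying on its default or still accepts a protocol this page says to disable, so the start script needs the parameter from the Doc ID above.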