1 Getting Started

Learn about locking down your WebLogic Server production environment and see a list of the critical tasks that you need to perform to ensure that your system is secure.

Topics include:


To ensure the security of your production environment, it is critical that you lockdown your system to prevent unauthorized access to your WebLogic Server resources and applications.

Lockdown refers to configuring your system to prevent unwanted intrusions. A comprehensive lockdown of a WebLogic Server production environment includes securing the host machine and database, ensuring that you install only the necessary WebLogic Server components, and limiting access only to authorized users. Lockdown also includes other configuration such as securing your domain using a domain-wide secure port for Administration Server communications, securing network resources using network channels and firewalls to limit access, and configuring the system to use SSL.

Oracle strongly recommends that you follow all of the guidelines provided in this document to protect your WebLogic Server environment.

Documentation Update History

This section summarizes the changes that were made to this book, Securing a Production Environment for Oracle WebLogic Server version, since March 2023.

Review Table 1-1 to ensure you are aware of the latest changes.

Table 1-1 Update History

Date Document Revision Description of Updates
October 2023 F18318-12
  • Table 3-7: Updated the SAML2 Application row to mention the SAML Single Logout feature added in the October 2023 PSU.
December 2023 F18318-13 (current)

Critical Tasks for Locking Down WebLogic Server

To ensure the security of your system, Oracle strongly recommends that you complete these critical tasks to lockdown your WebLogic Server system.


Keep in mind that these are not the only tasks that you need to complete to lockdown your system. However, Oracle strongly recommends that these are the tasks that you must complete, but you should do them in combination with more general security guidelines described in Understand and Secure Your Environment and the other tasks described in Lock Down WebLogic Server.

Table 1-2 Critical Tasks for Locking Down WebLogic Server

Task Description More Information

Install WebLogic Server in a secure manner.

Performing a secure installation includes steps to secure the host machine on which WebLogic Server is installed, to limit access to that host to only authorized users, and to install only the components necessary to run WebLogic Server.

Apply the latest WebLogic Server, Java, and database Critical Patch Updates on a quarterly basis.

To ensure that your system is protected against vulnerabilities, it is critical that you apply the latest Java, database, and WebLogic Server Critical Patch Updates (CPUs) as soon as they are released.

Configure your domains to use secured production mode.

Secured production mode enforces more restrictive and stringent security settings to ensure less vulnerability to threats.

Use a domain-wide administration port for administrative traffic.

An administration port limits all administrative traffic between server instances in a WebLogic Server domain to a single port. The administration port accepts only secure, SSL traffic, and all connections via the port require authentication.

The administration port is enabled by default in secured production mode.

Set permissions to restrict the access of the user account used to run WebLogic Server to just the WebLogic resources and domain data stored on disk. Ensure that this account is not an administrator account.

WebLogic domain and server configuration files should be accessible only by the operating system users who configure or execute WebLogic Server. No other operating system user (apart from the system administrators) should have read, write, or execute access to WebLogic Server product files nor to your domain files.

Knowledgeable operating system users may be able to bypass WebLogic Server security if they are given write access, and in some cases read access to domain data stored on disk and in the persistent store.

Use network channels to isolate incoming application traffic.

Use a firewall to limit access to only HTTPS application traffic and block access to non-HTTPS traffic (T3/T3s/LDAP/IIOP/IIOPs).

Oracle strongly recommends that you do not expose non-HTTPS traffic (T3/T3s/LDAP/IIOP/IIOPs) outside of the external firewall. You can control this access using a combination of network channels and firewalls.

Block access to internal applications by disabling unneeded applications and using a firewall to block access to internal application context paths.

Depending on your application usage and the domain configuration, some internal applications may not be used in a particular domain. To reduce the attack surface, Oracle strongly recommends that you configure a firewall to block external access to internal applications and disable access to these applications.

Use SSL/TLS, but do not use the demonstration digital certificates in a production environment.

Configure SSL/TLS for the administration port, network channels, database connections, LDAP server connections, and other resources handling communication that must be secured. In particular, make sure that connections to remote server instances in the domain are secured with SSL.

WebLogic Server includes a set of demonstration private keys, digital certificates, and trusted certificate authorities that are for development only. Oracle highly recommends that you use third-party Certificate Authority (CA) signed certificates in a production environment.

Restrict incoming serialized objects.

Serialization in Java can be used to inject malicious code using serialized Java objects that can cause Denial of Service (DoS) or Remote Code Execution (RCE) attacks during deserialization. WebLogic Server uses the JDK JEP 290 mechanism to filter incoming serialized Java objects to protect against these malicious attacks.

Disable remote anonymous RMI T3 and IIOP requests.

Disabling remote anonymous T3 and IIOP RMI requests will require that clients authenticate before invoking on WebLogic Server. Unauthenticated clients will be rejected.

Review the Security Warnings Report.

Check the Security Warnings Report to identify if any potential security issues are currently affecting your domain and how to resolve those issues.