2 WebLogic Server Security Standards

The Oracle WebLogic Server WebLogic Security Service is built upon and supports standard Java security technologies such as the Java Authentication and Authorization Service (JAAS), Java Secure Sockets Extensions (JSSE), Java Cryptography Extensions (JCE), Jakarta Authentication, Jakarta Authorization, Jakarta Security, and more.

This chapter includes the following topics:

Supported Security Standards

WebLogic Server supports several Java security standards such as JAAS, JCE, Jakarta Authentication, Jakarta Authorization, Jakarta Security, and more.

The complete set of supported security standards are provided in Table 2-1.

Table 2-1 WebLogic Server Security Standards Support

Standard Version Additional Considerations

JAAS

JAAS version depends on the Java SE version.

See:

See Configuring a Domain to Use JAAS Authorization.

Jakarta Authentication

2.0

See Configuring Jakarta Authentication Security.

Jakarta Authorization

2.0

See Using Jakarta Authorization.

Jakarta EE application packaged permissions

Jakarta EE 9.1 Platform Specification

  

JCE

Jipher JCE 10.32

SunJCE

See Using JCE Providers with WebLogic Server.

JSSE

Default SSL implementation based on Java Secure Socket Extension (JSSE).

See Using the JSSE-Based SSL Implementation

Note: Although JSSE supports Server Name Indication (SNI) in its SSL implementation, WebLogic Server does not support SNI.

Kerberos

Version 5

See Configuring Single Sign-On with Microsoft Clients.

LDAP

v3

See:

SAML

2.0

See:

Jakarta Security

2.0

See Using Jakarta Security in WebLogic Server.

SLO Via SAML Supported by the Service Provider only.

See Configure SAML Single Logout

SPNEGO

Specified by https://datatracker.ietf.org/doc/html/rfc4178.

See Configuring Single Sign-On with Microsoft Clients.

SSO

Via Microsoft Clients

Via SAML

See:

TLS

v1.2, v1.3

  • TLS v1.2 is the default minimum protocol version configured in WebLogic Server. Oracle recommends the use of TLS v1.2 or later in a production environment. WebLogic Server logs a warning if the TLS version is set below 1.2.

  • Oracle strongly recommends that you do not use TLS v1.0 and v1.1. In addition, these versions may be disabled by default in certain JDK updates by the underlying JSSE provider.

See Specifying the SSL/TLS Protocol Version for version-specific information.

Uncovered HTTP methods

Servlet 3.1

  

X.509

v3

  • WebLogic Server supports 4096-bit keys. (4096-bit keys may require substantially more compute time for some operations.)

  • Certificates generated with CertGen have a default 2048-bit key size. You specify the key size with the -strength option.

  • The WebLogic Server demo CA has a 2048-bit key length.

  • As of JDK 8, the use of X.509 certificates with RSA keys less than 1024 bits in length are blocked.

xTensible Access Control Markup Language (XACML)

2.0

See Configuring Authorization and Role Mapping Providers.

Partial implementation of Core and Hierarchical Role Based Access Control (RBAC) Profile of XACML

2.0

Specified by http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-rbac-profile1-spec-os.pdf.

Supported FIPS Standards and Cipher Suites

WebLogic Server supports Federal Information Processing Standard (FIPS) publication 140-2 and cipher suites for JSSE JDK.

Table 2-2 lists the supported FIPS versions and cipher suites.

Table 2-2 Cipher Suites and FIPS 140-2 Supported Versions

Standard Version Additional Considerations

FIPS 140-2

Jipher JCE 10.35

See Enabling FIPS Mode.

Cipher Suites for JSSE JDK 17

The preferred negotiated cipher combination is AES + SHA2.

To see the set of cipher suites supported by the JDK SunJSSE, see the SunJSSE Provider section in Java SE Security Developer's Guide .