3 WebLogic Server Security Standards

This chapter describes the security standards supported by WebLogic Server 12.1.3.

This chapter includes the following topics:

Supported Security Standards

WebLogic Server supports the security standards shown in Table 3-1.

Table 3-1 WebLogic Server Security Standards Support

Standard Version Additional Considerations


JAAS version depends on the Java SE version.

See http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/AcnOnly.html.

See Configuring a Domain to Use JAAS Authorization.



See Chapter 45, "Configuring JASPIC Security".



See Using the Java Authorization Contract for Containers.



RSA JCE: Crypto-J V6.1.1

JDK 7 JCE provider (SunJCE) is also supported.

nCipher JCE is also supported.

See Chapter 36, "Using JCE Providers with WebLogic Server".

See http://www.ncipher.com for nCipher JCE information.


Default SSL implementation based on JDK 7 Java Secure Socket Extension (JSSE).

RSA JSSE is also supported

See Chapter 39, "Using the JSSE-Based SSL Implementation".
See Using the RSA JSSE Provider in WebLogic Server.

Note: Although JSSE supports Server Name Indication (SNI) in its SSL implementation, WebLogic Server does not support SNI.


Version 5

See Chapter 21, "Configuring Single Sign-On with Microsoft Clients".



See Chapter 14, "Configuring LDAP Authentication Providers".
Also see Chapter 28, "Managing the Embedded LDAP Server".


1.1, 2.0

See Chapter 23, "Configuring SAML 1.1 Services".
See Chapter 24, "Configuring SAML 2.0 Services".


Specified by http://tools.ietf.org/html/rfc4178.

See Chapter 21, "Configuring Single Sign-On with Microsoft Clients".


v3. (WebLogic Server does not support SSL 2.0.)

See Chapter 38, "Specifying the SSL Protocol Version" for version-specific information.


Via Microsoft Clients


See Chapter 21, "Configuring Single Sign-On with Microsoft Clients".

See Chapter 22, "Configuring Single Sign-On with Web Browsers and HTTP Clients Using SAML".


v1.0, v1.1, v1.2.

Note: Oracle recommends the use of TLS V1.1 or later in a production environment.

See Chapter 38, "Specifying the SSL Protocol Version" for version-specific information.



WebLogic Server supports 4096-bit keys. (4096-bit keys may require substantially more compute time for some operations.)

Certificates generated with CertGen have a default 2048-bit key size. You specify the key size with the -strength option.

The WebLogic Server demo CA has a 2048-bit key length.

As of JDK 7u40, the use of x.509 certificates with RSA keys less than 1024 bits in length is restricted.

xTensible Access Control Markup Language (XACML)


See Chapter 7, "Configuring Authorization and Role Mapping Providers".

Partial implementation of Core and Hierarchical Role Based Access Control (RBAC) Profile of XACML


Specified by http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-rbac-profile1-spec-os.pdf.


Supported FIPS Standards and Cipher Suites

Table 3-2 lists the supported FIPS versions and cipher suites.

Table 3-2 Cipher Suites and FIPS 140-2 Supported Versions

Standard Version Additional Considerations

FIPS 140-2

RSA Crypto-J V6.1.1

RSA SSL-J V6.1.2

RSA Cert-J V6.1.1

See Chapter 37, "Enabling FIPS Mode".

You can also use the RSA JSSE and JCE providers in non-FIPS mode:

See Using the RSA JCE Provider

See Using the RSA JSSE Provider in WebLogic Server

Cipher Suites for JSSE JDK 7

The preferred negotiated cipher combination is AES + SHA2.

The set of cipher suites supported by the JDK 7 SunJSSE is listed here: http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider.

Cipher Suites for RSA JSSE

Product Dependent

See http://www.emc.com/security/rsa-bsafe.htm

Cipher suites supported in the (removed) WebLogic Server Certicom SSL implementation and the SunJSSE equivalent.

Product Dependent

Documented for backward compatibility. See Table 39-2.

When using Certicom, WebLogic Server does not support SHA256 hashing, or signature algorithms that include SHA256.