2 Determining Your Security Needs

The security requirements you establish for your WebLogic Server environment are based upon multiple considerations, such as the types of resources hosted on WebLogic Server that need to be protected, the users and other entities that access those resources, recommendations from Oracle as well as in-house or independent security consultants, and more.

Understand Your Environment

The WebLogic Server environment includes not only the resources that are hosted on WebLogic Server, but also the software systems and other entities with which those WebLogic Server resources interoperate, such as databases and load balancers, and the users who have access to that environment.

To better understand your security needs, ask yourself the following questions:

  • Which resources am I protecting?

    Many resources in the production environment can be protected, including information in databases accessed by WebLogic Server and the availability, performance, applications, and the integrity of the Web site. Consider the resources you want to protect when deciding the level of security you must provide.

  • From whom am I protecting the resources?

    For most Web sites, resources must be protected from everyone on the Internet. But should the Web site be protected from the employees on the intranet in your enterprise? Should your employees have access to all resources within the WebLogic Server environment? Should the system administrators have access to all WebLogic resources? Should the system administrators be able to access all data? You might consider giving access to highly confidential data or strategic resources to only a few well-trusted system administrators. Perhaps it would be best to allow no system administrators access to the data or resources.

  • What will happen if the protections on strategic resources fail?

    In some cases, a fault in your security scheme is easily detected and considered nothing more than an inconvenience. In other cases, a fault might cause great damage to companies or individual clients that use the Web site. Understanding the security ramifications of each resource will help you protect it properly.

Hire Security Consultants or Use Diagnostic Software

It is good to hire an independent security expert to go over your security plan when deploying WebLogic Server on the internet or intranet.

Whether you deploy WebLogic Server on the Internet or on an intranet, it is a good idea to hire an independent security expert to go over your security plan and procedures, audit your installed systems, and recommend improvements. Oracle Consulting offers services and products that can help you to secure a WebLogic Server production environment. See the Oracle Consulting page at https://www.oracle.com/consulting/index.html.

Read Security Publications

Staying current with security publications, such as those made available on My Oracle Support, is critical to maintaining a secure operational environment for WebLogic Server.

Read about security issues:

Install and Configure WebLogic Server in a Secure Manner

Creating a secure environment for WebLogic Server begins with planning a secure installation, which includes restricting access to the WebLogic Server host machine to authorized users only, installing only the components of WebLogic Server that are needed for the target environment, and selecting the installer option to receive security updates through My Oracle Support.

The WebLogic Server installation includes some additional WebLogic Server development utilities (for example, wlsvc). These development programs could also pose a security vulnerability. The following are recommendations for making a WebLogic Server installation and configuration more secure:

  • Do not install the WebLogic Server sample applications. When installing WebLogic Server, make sure that the option to install the Server Examples component is not selected.

  • Do not run WebLogic Server when configured in development mode. Rather, you must make sure that your domain is configured to run in either production mode or secured production mode. Production mode sets the server to run with settings that are appropriate for a production environment; whereas secured production mode enforces more restrictive and stringent security settings, which in turn ensures less vulnerability to threats. To configure secured production mode, you must ensure that your domain is in production mode. The secured production mode option is not available for domains that are running in the development mode.

    See Creating a WebLogic Domain for Production Use in Administering Security for Oracle WebLogic Server for information about configuring your domain for use in the production environment.

    Note:

    When WebLogic Server is configured in development mode, certain error conditions, such as a misbehaving application or an invalid configuration of WebLogic Server, may result in a stack trace being displayed. While error responses generally are not dangerous, they have the potential to give attackers information about the application or the WebLogic Server installation that can be used for malicious purposes.

  • Depending on your application usage and the domain configuration, some internal applications may not be used in a particular domain. Limit access to internal applications by doing the following:

    • Disable unused internal applications by using the configuration settings. This reduces the attack surface. Some internal applications are disabled by default; they must be enabled only if needed. The following table provides a list of internal applications that can be disabled and the process to disable them.

      Table 2-1 Disabling Internal Applications

      Internal Application Process to Disable

      WebLogic Server Administration Console

      Set the ConsoleEnabled attribute in the DomainMBean to false, or deselect the Console Enabled check box under advanced configuration settings for your domain in the Administration Console.

      Restful Services

      Set the Enabled attribute in the RestfulManagementServicesMBean to false, or deselect the Enable RESTful Management Services check box under advanced configuration settings for your domain in the Administration Console.

      Management EJB (Java EE Management APIs)

      Set the ManagementEJBEnabled attribute in the JMXMBean to false, or deselect the Management EJB Enabled check box under advanced configuration settings for your domain in the Administration Console.

      Default Internal Servlets

      Set the DefaultInternalServletsDisabled attribute in the ServerMBean to true.

      Web Service Asynchronous Request-Response

      Use the OptionalFeatureMBean to add an asynchronous request-response internal application with the name JAXRPC_ASYNC_RESPONSE, and set the feature to false. You can do this using WLST as shown in the following snippet:
      optf = cmo.getOptionalFeatureDeployment()
      async = optf.createOptionalFeature("JAXRPC_ASYNC_RESPONSE")
      async.setEnabled(false)
      

      Web Service Atomic Transactions (WSAT)

      Use the OptionalFeatureMBean to add a WSAT internal application with the name WSAT, and set the feature to false. You can do this using WLST as shown in the following snippet:
      optf = cmo.getOptionalFeatureDeployment()
      wsat = optf.createOptionalFeature("WSAT")
      wsat.setEnabled(false)
      

      Ready App

      Use the OptionalFeatureMBean to add a feature with the name READYAPP, and set the feature to false. You can do this using WLST as shown in the following snippet:

      optf = cmo.getOptionalFeatureDeployment()
      ra = optf.createOptionalFeature("READYAPP")
      ra.setEnabled(false)
      
    • Enable the Administration port for your domain, and configure a firewall to prevent external access to internal applications on the Administration port.

    • Limit access to internal applications, such as SAML and web services, that are accessible on the non-Administration ports. To do so, configure a firewall to disable access to the appropriate context paths.
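
The settings in Table 2-1 are persisted in the domain's config.xml, so they can be audited offline. The following is an added example, not Oracle's code: a Python check run over a constructed config.xml. The namespace and the hyphenated element names are assumptions derived from the MBean attribute names above; confirm them against your own domain's file.

```python
import xml.etree.ElementTree as ET

NS = {"d": "http://xmlns.oracle.com/weblogic/domain"}  # assumed config.xml namespace

# (label, path relative to the node, value this page recommends).
# Element names are assumptions derived from the MBean attributes in Table 2-1.
DOMAIN_CHECKS = [
    ("production mode", "d:production-mode-enabled", "true"),
    ("Administration Console", "d:console-enabled", "false"),
    ("RESTful management services", "d:restful-management-services/d:enabled", "false"),
    ("Management EJB", "d:jmx/d:management-ejb-enabled", "false"),
    ("Administration port", "d:administration-port-enabled", "true"),
]
SERVER_CHECKS = [
    ("default internal servlets disabled", "d:default-internal-servlets-disabled", "true"),
]

def _check(node, scope, label, path, want):
    el = node.find(path, NS)
    if el is None or el.text is None:
        # Absent element: the mode-dependent default applies, so the setting
        # cannot be judged from the file alone.
        return (scope, label, "UNSET")
    got = el.text.strip().lower()
    return (scope, label, "OK" if got == want else "FAIL")

def audit(config_xml):
    """Return (scope, setting, status) tuples for a config.xml document."""
    root = ET.fromstring(config_xml)
    results = [_check(root, "domain", *c) for c in DOMAIN_CHECKS]
    for server in root.findall("d:server", NS):
        name = server.findtext("d:name", default="?", namespaces=NS)
        results += [_check(server, "server " + name, *c) for c in SERVER_CHECKS]
    return results

# Constructed sample, not taken from a real domain.
SAMPLE = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>example_domain</name>
  <server><name>AdminServer</name></server>
  <server>
    <name>managed1</name>
    <default-internal-servlets-disabled>true</default-internal-servlets-disabled>
  </server>
  <production-mode-enabled>true</production-mode-enabled>
  <console-enabled>true</console-enabled>
  <jmx><management-ejb-enabled>false</management-ejb-enabled></jmx>
</domain>"""

if __name__ == "__main__":
    for scope, label, status in audit(SAMPLE):
        print("%-6s %-18s %s" % (status, scope, label))
```

UNSET means the element is absent and the default for the domain mode applies (see Table 2-2), so confirm the effective value on the running server.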

How Domain Mode Affects the Default Security Configuration

The domain mode you select determines the default security configuration for your domain. When configuring a domain, be sure to select the domain mode that best meets the security requirements of the environment in which WebLogic Server runs.

Table 2-2 describes how the security and performance-related configuration parameters differ depending on whether your domain is configured in development mode, production mode, or secured production mode.

Table 2-2 Differences in Domain Modes

Feature Development Mode Production Mode Secured Production Mode

SSL

  • Development Mode: You can use the demonstration digital certificates and the demonstration keystores provided by the WebLogic Server security services. With these certificates, you can design your application to work within environments secured by SSL.

    See Overview of Configuring SSL in WebLogic Server in Administering Security for Oracle WebLogic Server.

  • Production Mode: Demonstration digital certificates and keystores are not recommended in production mode. If you use them, a warning message appears.

  • Secured Production Mode: In this mode, WebLogic Server logs a warning if the SSL configuration is insecure. WebLogic Server validates the minimum SSL/TLS version, constraints, and ciphers.

Administration port

  • Development Mode: The Administration port is not enabled by default.

  • Production Mode: The Administration port is not enabled by default.

    To enable the Administration port for your domain, see Configure the domain-wide administration port in the Oracle WebLogic Server Administration Console Online Help.

  • Secured Production Mode: The Administration port is enabled by default. Administrative traffic is no longer allowed on the non-administration ports. In this mode, you must specify the T3s protocol and the Administration port when using WLST to connect to the Administration Server. The Administration Console is available only via HTTPS on the Administration port (default is 9002).

    You can disable the Administration port if desired.

Listen Port

  • Development Mode: The server listen port is enabled by default. The default port value is 7001.

  • Production Mode: The server listen port is enabled by default. The default port value is 7001.

  • Secured Production Mode: The listen port is not enabled by default. You can enable the listen port for servers in your domain.

    To configure and manage listen ports, see Configure listen ports in the Oracle WebLogic Server Administration Console Online Help.

SSL Listen Port

  • Development Mode: The SSL listen port is not enabled by default.

  • Production Mode: The SSL listen port is not enabled by default.

    You can enable the SSL listen port for servers in your domain. See Configure listen ports in the Oracle WebLogic Server Administration Console Online Help.

  • Secured Production Mode: The SSL listen port is enabled by default. The default port value is 7002.

Auditing

  • Development Mode: Security or configuration auditing is not enabled by default.

  • Production Mode: Security or configuration auditing is not enabled by default.

  • Secured Production Mode: When the domain is created, the WebLogic Auditing provider is configured by default. Configuration changes are audited. WebLogic Server logs a warning if an Auditing provider is not configured.

Deploying applications

  • Development Mode: WebLogic Server instances can deploy and update applications that reside in the domain_name/autodeploy directory automatically. Oracle recommends that you use this method only in a single-server development environment. See Deploying Applications and Modules with weblogic.deployer in Deploying Applications to Oracle WebLogic Server.

  • Production Mode: The auto-deployment feature is disabled. Use the WebLogic Server Administration Console, the weblogic.deployer tool, or the WebLogic Scripting Tool.

  • Secured Production Mode: The auto-deployment feature is disabled. Use the WebLogic Server Administration Console, the weblogic.deployer tool, or the WebLogic Scripting Tool.

Log file rotation

  • Development Mode: By default, when you start the WebLogic Server instance, the server automatically renames (rotates) its local server log file as SERVER-NAME.log.n. For the remainder of the server session, messages accumulate in the log file until the file grows to a size of 500 kilobytes.

    See Rotate Log Files in the Oracle WebLogic Server Administration Console Online Help.

    The default value of the Limit number of retained files setting in Logging Configuration is true. This value limits the number of log files that the server instance creates to store old messages.

  • Production Mode: The server rotates the local log file after the size of the file reaches 5000 kilobytes.

    When the server is configured for production mode, by default, all versions of the log files are kept. Administrators may want to customize the number of log files that are retained. Use the LogFile MBean attributes to configure the location, file-rotation criteria, and number of files that a WebLogic Server instance uses to store log messages.

    The default value of the Limit number of retained files setting in Logging Configuration is true. The server creates 100 log files of 5 megabytes each. You must clean up the files as needed.

  • Secured Production Mode: The server rotates the local log file after the size of the file reaches 5000 kilobytes.

    The default value of the Limit number of retained files setting in Logging Configuration is true. The server creates 100 log files of 5 megabytes each. You must clean up the files as needed. Use the LogFile MBean attributes to configure the location, file-rotation criteria, and number of files that a WebLogic Server instance uses to store log messages.

boot.properties

  • Development Mode: A boot.properties file is created, which allows you to boot the server without specifying a user name and password.

  • Production Mode: A boot.properties file is not created.

  • Secured Production Mode: A boot.properties file is not created.

Deployment of internal applications

  • Development Mode: For a development domain, the default is for WebLogic Server to deploy internal applications on the first access (on-demand).

  • Production Mode: For a production domain, the default is for WebLogic Server to deploy internal applications as part of server startup. You can control the default behavior by configuring the InternalAppsDeployOnDemandEnabled attribute in the Domain MBean. You can change the configuration setting using the WebLogic Server Administration Console or by using the WebLogic Scripting Tool (WLST).

    See On-Demand Deployment of Internal Applications in Deploying Applications to Oracle WebLogic Server.

  • Secured Production Mode: The default is for WebLogic Server to deploy internal applications as part of server startup. You can control the default behavior by configuring the InternalAppsDeployOnDemandEnabled attribute in the Domain MBean.

Node Manager user name and password

  • Development Mode: In development mode, Node Manager uses the default user name and password credentials.

  • Production Mode: When a domain is created in production mode using the config.sh script, the user name and password for Node Manager are randomly generated.

    See Specifying Node Manager User Name and Password in Administering Node Manager for Oracle WebLogic Server.

  • Secured Production Mode: When a domain is created in secured production mode using the config.sh script, the user name and password for Node Manager are randomly generated.

    See Specifying Node Manager User Name and Password in Administering Node Manager for Oracle WebLogic Server.

Web Services Test Client

  • Development Mode: In a development environment, the Web Services Test Client is enabled by default.

  • Production Mode: In a production environment, the Web Services Test Client is disabled (and undeployed) by default. It is recommended that you not enable the Web Services Test Client in production mode.

    You can enable or disable the Web Services Test Client using the Administration Console, Fusion Middleware Control, or WLST.

    See Enabling and Disabling the Web Services Test Client in Fusion Middleware Administering Web Services.

  • Secured Production Mode: The Web Services Test Client is disabled (and undeployed) by default in secured production mode. It is recommended that you not enable the Web Services Test Client in production mode.

    You can enable or disable the Web Services Test Client using the Administration Console, Fusion Middleware Control, or WLST.

Classloader Analysis Tool

  • Development Mode: Classloader Analysis Tool (CAT) is deployed as an internal on-demand application only in development mode. Deployment happens upon first access.

  • Production Mode: If the server is running in production mode, it is not deployed automatically. You can deploy it in production mode; there are no limitations on its use, but you must deploy it manually, just like any other Web application.

    See Using the Classloader Analysis Tool (CAT) in Developing Applications for Oracle WebLogic Server.

  • Secured Production Mode: The CAT tool behavior in secured production mode is the same as in production mode.

FastSwap deployment

  • Development Mode: You can use FastSwap deployment to minimize redeployment. FastSwap is only supported when WebLogic Server is running in development mode.

    See Using FastSwap Deployment to Minimize Redeployment in Deploying Applications to Oracle WebLogic Server.

  • Production Mode: FastSwap is automatically disabled in production mode.

  • Secured Production Mode: FastSwap is automatically disabled in secured production mode.

Administration Console Change Center

  • Development Mode: The Change Center in the Administration Console provides a way to lock a domain configuration so you can make changes to the configuration while preventing other accounts from making changes during your edit session.

    This feature is disabled by default if your domain is running in development mode. It can be enabled or disabled in development domains.

    See Enable and disable the domain configuration lock in the Oracle WebLogic Server Administration Console Online Help.

  • Production Mode: In production mode, you need to procure a lock and edit session before making configuration changes to the domain. Therefore, this domain configuration locking feature is always enabled in production domains.

  • Secured Production Mode: The domain configuration locking feature is the same as in production mode.