2 WebLogic Server Security Standards
The Oracle WebLogic Server WebLogic Security Service is built upon and supports standard Java EE security technologies such as the Java Authentication and Authorization Service (JAAS), Java Secure Sockets Extensions (JSSE), Java Cryptography Extensions (JCE), Java Authentication Service Provider Interface for Containers (JASPIC), Java Authorization Contract for Containers (JACC), and more.
This chapter includes the following topics:
Supported Security Standards
WebLogic Server supports several Java EE security standards such as JAAS, JASPIC, JACC, JCE, and more.
The complete set of supported security standards are provided in Table 2-1.
Table 2-1 WebLogic Server Security Standards Support
| Standard | Version | Additional Considerations |
|---|---|---|
|
JAAS |
JAAS version depends on the Java SE version. See |
|
|
JASPIC |
1.1 |
|
|
JACC |
1.5 |
|
|
Java EE application packaged permissions |
Java EE 7 Platform Specification |
|
|
JCE |
1.4 RSA JCE: Crypto-J V6.2.4.0.1 Note: The April 2021 Patch Set Update (PSU) adds support for RSA JCE: Crypto-J V6.2.5 The JDK 8 JCE provider (SunJCE) and the nCipher JCE are also supported. |
|
|
JSSE |
Default SSL implementation based on JDK 8 Java Secure Socket Extension (JSSE). RSA JSSE is also supported |
Note: Although JSSE supports Server Name Indication (SNI) in its SSL implementation, WebLogic Server does not support SNI. |
|
Kerberos |
Version 5 |
|
|
LDAP |
v3 |
|
|
SAML |
1.1, 2.0 |
|
| SLO | Via SAML | Supported by the Service Provider only. |
|
SPNEGO |
Specified by |
|
|
SSL |
v3. (WebLogic Server does not support SSL 2.0.) |
See Specifying the SSL/TLS Protocol Version for version-specific information. |
|
SSO |
Via Microsoft Clients Via SAML |
See Configuring Single Sign-On with Microsoft Clients. See Configuring Single Sign-On with Web Browsers and HTTP Clients Using SAML. |
|
TLS |
v1.0, v1.1, v1.2, v1.3. Note: Support for TLS v1.0 and v1.1 is deprecated. |
See Specifying the SSL/TLS Protocol Version for version-specific information. |
|
Uncovered HTTP methods |
Servlet 3.1 |
|
|
X.509 |
v3 |
WebLogic Server supports 4096-bit keys. (4096-bit keys may require substantially more compute time for some operations.) Certificates generated with CertGen have a default 2048-bit key size. You specify the key size with the The WebLogic Server demo CA has a 2048-bit key length. As of JDK 8, the use of x.509 certificates with RSA keys less than 1024 bits in length are blocked. |
|
xTensible Access Control Markup Language (XACML) |
2.0 |
|
|
Partial implementation of Core and Hierarchical Role Based Access Control (RBAC) Profile of XACML |
2.0 |
Specified by |
Supported FIPS Standards and Cipher Suites
WebLogic Server supports Federal Information Processing Standard (FIPS) publication 140-2 and cipher suites for JSSE JDK and RSA JSSE.
Table 2-2 lists the supported FIPS versions and cipher suites.
Table 2-2 Cipher Suites and FIPS 140-2 Supported Versions
| Standard | Version | Additional Considerations |
|---|---|---|
|
FIPS 140-2 |
RSA Crypto-J V6.2.4.0.1 RSA SSL-J V6.2.4 RSA Cert-J V6.2.4 Note: The April 2021 Patch Set Update (PSU) adds support for:
|
See Enabling FIPS Mode. You can also use the RSA JSSE and JCE providers in non-FIPS mode: |
|
Cipher Suites for JSSE JDK 8 |
The preferred negotiated cipher combination is AES + SHA2. |
The set of cipher suites supported by the JDK 8 SunJSSE is listed here: |
|
Cipher Suites for RSA JSSE |
Product Dependent |
N/A |
|
Cipher suites supported in the (removed) WebLogic Server Certicom SSL implementation and the SunJSSE equivalent. |
Product Dependent |
Documented for backward compatibility. See Table 38-2. When using Certicom, WebLogic Server does not support SHA256 hashing, or signature algorithms that include SHA256. |