About the Security Checkup Tool

The Oracle WebLogic Server Administration Console includes a security checkup tool that displays security check warnings.

For Oracle WebLogic Server for OKE instances created after July 20, 2021, or instances on which the July 2021 PSUs are applied, the message "Security warnings detected. Click here to view the report and recommended remedies" is displayed at the top of the Oracle WebLogic Server Administration Console. When you click the message, a list of security warnings is displayed, as in the following table.

The warning messages listed in the table are examples.

Security Warnings

Warning Message:
Production mode is enabled but the file or directory <directory_name>/startWebLogic.sh is insecure since its permission is not a minimum of umask 027.

Resolution:
Run the following command on the administration server as the oracle user, against the file named in the warning:

chmod 640 /u01/data/domains/<domain_name>/bin/startWebLogic.sh

Mode 640 satisfies umask 027 because it clears group write and all permissions for others. Use it only for files: if the warning names a directory, use chmod 750 instead, because 640 removes the execute (search) bit that is needed to enter the directory.

Warning Message:
Remote Anonymous RMI T3 or IIOP requests are enabled. Set the RemoteAnonymousRMIT3Enabled and RemoteAnonymousRMIIIOPEnabled attributes to false.

Resolution:
Set the Java system properties that disable anonymous RMI T3 and IIOP requests when the servers start. See Set the Java Properties.

Note:

For existing Oracle WebLogic Server for OKE instances (created before July 20, 2021), you see the SSL host name verification warnings. For details, see Security Checkup Tool Warnings.

After you address the warnings, you must click Refresh Warnings to see the warnings removed in the console.

For Oracle WebLogic Server for OKE instances created after July 20, 2021, the warnings for anonymous RMI T3 and IIOP requests still appear even after the Java properties that disable those requests are configured. This is a known issue in Oracle WebLogic Server.

Set the Java Properties

To set the Java properties that disable anonymous RMI T3 and IIOP requests:
  1. Edit /u01/shared/weblogic-domains/<domain_name>/domain.yaml and add the two properties to JAVA_OPTIONS in every serverPod definition, as follows:

    serverPod:
      env:
      - name: USER_MEM_ARGS
        # admin server memory is explicitly set to min of 256m and max of 512m and GC algo is G1GC
        value: "-Xms256m -Xmx512m -XX:+UseG1GC -Djava.security.egd=file:/dev/./urandom"
      - name: JAVA_OPTIONS
        # a double-quoted value may continue over several lines; YAML folds the line breaks into single spaces
        value: "-Dweblogic.store.file.LockEnabled=false
          -Dweblogic.rjvm.allowUnknownHost=true
          -Dweblogic.security.remoteAnonymousRMIT3Enabled=false
          -Dweblogic.security.remoteAnonymousRMIIIOPEnabled=false"
  2. Apply the updated domain.yaml with kubectl:

    kubectl apply -f <path_to_domain.yaml>
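Before applying the edited domain.yaml, a check that every JAVA_OPTIONS value really carries both properties catches a typo or a dropped line in the multi-line quoted value. The following POSIX shell script is an added example, not Oracle's documentation or the WebLogic Kubernetes Operator's code. The sample YAML it writes is constructed to mirror the snippet above, and the live_java_options function assumes a reachable cluster with the operator's Domain custom resource and a kubectl that supports jsonpath filters.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation or the WebLogic Kubernetes
# Operator: verify that every JAVA_OPTIONS value in a domain.yaml carries both
# anonymous-RMI properties before the file is applied. Handles the multi-line
# quoted value used in the documented snippet by folding it the way YAML does.

REQUIRED_PROPS="-Dweblogic.security.remoteAnonymousRMIT3Enabled=false
-Dweblogic.security.remoteAnonymousRMIIIOPEnabled=false"

# Print one folded JAVA_OPTIONS value per line. A double-quoted scalar that
# continues over several lines is joined with single spaces, which is how a
# YAML parser folds it, so properties can be matched as whole tokens.
java_options_values() {
    awk '
        /^[[:space:]]*-[[:space:]]*name:[[:space:]]*JAVA_OPTIONS[[:space:]]*$/ { want = 1; next }
        want && /^[[:space:]]*value:/ {
            sub(/^[[:space:]]*value:[[:space:]]*/, "")
            buf = $0
            while (buf !~ /"[[:space:]]*$/ && (getline line) > 0) {
                sub(/^[[:space:]]*/, "", line)
                buf = buf " " line
            }
            gsub(/"/, "", buf)
            gsub(/[[:space:]]+/, " ", buf)
            print buf
            want = 0
        }
    ' "$1"
}

# Print "MISSING <property>" for each required property absent from any
# JAVA_OPTIONS value; return 0 only when every value carries both.
check_anon_rmi_disabled() {
    values=$(java_options_values "$1")
    if [ -z "$values" ]; then
        echo "no JAVA_OPTIONS found in $1"
        return 1
    fi
    report=$(printf '%s\n' "$values" | while IFS= read -r v; do
        for prop in $REQUIRED_PROPS; do
            case " $v " in
                *" $prop "*) ;;
                *) printf 'MISSING %s\n' "$prop" ;;
            esac
        done
    done)
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Constructed sample that mirrors the documented snippet (not a real domain.yaml).
sample_domain_yaml() {
    cat <<'EOF'
spec:
  serverPod:
    env:
    - name: USER_MEM_ARGS
      value: "-Xms256m -Xmx512m -XX:+UseG1GC"
    - name: JAVA_OPTIONS
      value: "-Dweblogic.store.file.LockEnabled=false
        -Dweblogic.rjvm.allowUnknownHost=true
        -Dweblogic.security.remoteAnonymousRMIT3Enabled=false
        -Dweblogic.security.remoteAnonymousRMIIIOPEnabled=false"
EOF
}

# Optional live read-back after kubectl apply (assumption: a reachable cluster,
# the operator's Domain CRD, a Domain named $1 in namespace $2, and a kubectl
# that supports jsonpath filters). Not run in this demo.
live_java_options() {
    kubectl get domain "$1" -n "$2" \
        -o jsonpath='{.spec.serverPod.env[?(@.name=="JAVA_OPTIONS")].value}'
}

tmp=$(mktemp)
sample_domain_yaml > "$tmp"
check_anon_rmi_disabled "$tmp" && echo "ok: both anonymous-RMI properties present"
rm -f "$tmp"
```

Because the check folds the quoted value before matching, it gives the same verdict whether the properties are written on one line or spread over several, and a property that lost its leading -D or its =false is reported as missing rather than silently accepted.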