2 WebLogic Server Security Standards

The Oracle WebLogic Server WebLogic Security Service is built upon and supports standard Java EE security technologies such as the Java Authentication and Authorization Service (JAAS), Java Secure Sockets Extensions (JSSE), Java Cryptography Extensions (JCE), Java Authentication Service Provider Interface for Containers (JASPIC), Java Authorization Contract for Containers (JACC), the Java EE Security API (JSR 375), and more.

This chapter includes the following topics:

  • Supported Security Standards
  • Supported FIPS Standards and Cipher Suites

Supported Security Standards

WebLogic Server supports several Java EE security standards such as JAAS, JASPIC, JACC, JCE, the Java EE Security API (JSR 375), and more.

The complete set of supported security standards is provided in Table 2-1.

Table 2-1 WebLogic Server Security Standards Support

Each entry lists the standard, the supported version, and any additional considerations.

JAAS
  Version: The JAAS version depends on the Java SE version. See http://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/AcnOnly.html.
  Additional Considerations: See Configuring a Domain to Use JAAS Authorization.

JASPIC
  Version: 1.1
  Additional Considerations: See Configuring JASPIC Security.

JACC
  Version: 1.5
  Additional Considerations: See Using the Java Authorization Contract for Containers.

Java EE application packaged permissions
  Version: Java EE 8 Platform Specification

JCE
  Version: 1.4
  Additional Considerations:
    RSA JCE: Crypto-J V6.2.4.0.1
    Note: The April 2021 Patch Set Update (PSU) adds support for RSA JCE: Crypto-J V6.2.5.
    The JDK 8 JCE provider (SunJCE) and the nCipher JCE are also supported.
    See Using JCE Providers with WebLogic Server.

JSSE
  Version: Default SSL implementation based on the JDK 8 Java Secure Socket Extension (JSSE). RSA JSSE is also supported.
  Additional Considerations:
    See:
    Note: Although JSSE supports Server Name Indication (SNI) in its SSL implementation, WebLogic Server does not support SNI.

Kerberos
  Version: Version 5
  Additional Considerations: See Configuring Single Sign-On with Microsoft Clients.

LDAP
  Version: v3
  Additional Considerations: See:

SAML
  Version: 1.1, 2.0
  Additional Considerations: See:

Security API (JSR 375)
  Version: 1.0
  Additional Considerations: See Using the Java EE Security API in WebLogic Server.

SLO via SAML
  Version: Supported by the Service Provider only.
  Additional Considerations: See Configure SAML Single Logout.

SPNEGO
  Version: Specified by https://datatracker.ietf.org/doc/html/rfc4178.
  Additional Considerations: See Configuring Single Sign-On with Microsoft Clients.

SSO
  Version: Via Microsoft Clients; via SAML
  Additional Considerations: See:

TLS
  Version: v1.0, v1.1, v1.2, v1.3
  Additional Considerations:
    Note: Support for TLS v1.0 and v1.1 is deprecated.
    • TLS v1.2 is the default minimum protocol version configured in WebLogic Server. Oracle recommends the use of TLS v1.2 or later in a production environment. WebLogic Server logs a warning if the TLS version is set below 1.2.
    • Oracle strongly recommends that you do not use TLS v1.0 and v1.1. In addition, these versions may be disabled by default in certain JDK updates by the underlying JSSE provider.
    • WebLogic Server supports TLS v1.3 only with JDK 8 Update 261 (JDK 8u261) or later, and JDK 11. If you are running an earlier JDK version, then TLS v1.3 may not be available.
    See Specifying the SSL/TLS Protocol Version for version-specific information.

Uncovered HTTP methods
  Version: Servlet 3.1

X.509
  Version: v3
  Additional Considerations:
    • WebLogic Server supports 4096-bit keys. (4096-bit keys may require substantially more compute time for some operations.)
    • Certificates generated with CertGen have a default 2048-bit key size. You specify the key size with the -strength option.
    • The WebLogic Server demo CA has a 2048-bit key length.
    • As of JDK 8, the use of X.509 certificates with RSA keys shorter than 1024 bits is blocked.

eXtensible Access Control Markup Language (XACML)
  Version: 2.0
  Additional Considerations: See Configuring Authorization and Role Mapping Providers.

Partial implementation of the Core and Hierarchical Role Based Access Control (RBAC) Profile of XACML
  Version: 2.0
  Additional Considerations: Specified by http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-rbac-profile1-spec-os.pdf.
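The X.509 row above states the RSA key-size rules WebLogic Server applies: JDK 8 blocks certificates with RSA keys under 1024 bits, CertGen defaults to 2048 bits, and 4096-bit keys are supported at higher compute cost. The following Python is an added example, not code from the Oracle documentation: it audits a DER-encoded PKCS#1 RSAPublicKey against those thresholds with no third-party library, and the sample keys it builds are constructed for the demonstration (their moduli are not real RSA products of primes; only the length matters).

```python
def _der_len(buf, pos):
    """Decode a DER length field at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:                  # short form: the byte is the length
        return first, pos + 1
    n = first & 0x7F                  # long form: the next n bytes hold the length
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _der_int(buf, pos):
    """Decode a DER INTEGER at buf[pos]; return (value, position after it)."""
    if buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag at offset %d" % pos)
    length, pos = _der_len(buf, pos + 1)
    return int.from_bytes(buf[pos:pos + length], "big"), pos + length

def rsa_modulus_bits(der):
    """Bit length of the modulus in a DER RSAPublicKey: SEQUENCE { n, e }."""
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE tag")
    _, pos = _der_len(der, 1)
    modulus, pos = _der_int(der, pos)
    _der_int(der, pos)                # exponent: parsed only to validate the structure
    return modulus.bit_length()

def rate_rsa_key(bits):
    """Map a modulus size to the categories the X.509 row describes."""
    if bits < 1024:
        return "blocked"          # JDK 8 refuses certificates with RSA keys under 1024 bits
    if bits < 2048:
        return "below-default"    # accepted, but smaller than the CertGen 2048-bit default
    if bits < 4096:
        return "ok"
    return "ok-slow"              # supported; some operations cost substantially more CPU

# Constructed sample input (an assumption for this demo): a DER RSAPublicKey whose
# modulus has exactly `bits` bits. Only the length matters, so n is not a real modulus.
def _der_encode_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_encode_int(value):
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")   # keeps the sign bit clear
    return b"\x02" + _der_encode_len(len(body)) + body

def fake_rsa_public_key(bits, exponent=65537):
    content = _der_encode_int((1 << (bits - 1)) | 1) + _der_encode_int(exponent)
    return b"\x30" + _der_encode_len(len(content)) + content
```

To audit a real key, pass the DER bytes of its RSAPublicKey (the BIT STRING payload of a certificate's SubjectPublicKeyInfo) to rsa_modulus_bits and rate the result with rate_rsa_key.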

Supported FIPS Standards and Cipher Suites

WebLogic Server supports Federal Information Processing Standard (FIPS) publication 140-2 and cipher suites for JSSE JDK and RSA JSSE.

Table 2-2 lists the supported FIPS versions and cipher suites.

Table 2-2 Cipher Suites and FIPS 140-2 Supported Versions

Each entry lists the standard, the supported version, and any additional considerations.

FIPS 140-2
  Version:
    RSA Crypto-J V6.2.4.0.1
    RSA SSL-J V6.2.4
    RSA Cert-J V6.2.4
    Note: The April 2021 Patch Set Update (PSU) adds support for:
    • RSA Crypto-J V6.2.5
    • RSA SSL-J V6.2.6
    • RSA Cert-J V6.2.4.0.1
  Additional Considerations:
    See Enabling FIPS Mode.
    You can also use the RSA JSSE and JCE providers in non-FIPS mode. See Using the RSA JCE Provider and Using the RSA JSSE Provider in WebLogic Server.

Cipher Suites for JSSE JDK 8
  Version: The preferred negotiated cipher combination is AES + SHA2.
  Additional Considerations: The set of cipher suites supported by the JDK 8 SunJSSE is listed at http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider.

Cipher Suites for RSA JSSE
  Version: Product Dependent
  Additional Considerations: N/A

Cipher suites supported in the (removed) WebLogic Server Certicom SSL implementation and the SunJSSE equivalent
  Version: Product Dependent
  Additional Considerations: Documented for backward compatibility. See Table 37-2. When using Certicom, WebLogic Server does not support SHA256 hashing or signature algorithms that include SHA256.