Oracle WebLogic must employ strong identification and authentication techniques when establishing nonlocal maintenance and diagnostic sessions.

From Oracle WebLogic Server 12c Security Technical Implementation Guide

Part of SRG-APP-000185-AS-000131

Associated with: CCI-000877

SV-70559r1_rule Oracle WebLogic must employ strong identification and authentication techniques when establishing nonlocal maintenance and diagnostic sessions.

Vulnerability discussion

Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Application servers will typically utilize an HTTP interface for providing both local and remote maintenance and diagnostic sessions. In these instances, an acceptable strong identification and authentication technique consists of utilizing two-factor authentication via secured HTTPS connections. If the application server also provides maintenance and diagnostic access via a fat client or other client-based connection, then that client must also utilize two-factor authentication and use FIPS-approved encryption modules for establishing transport connections.

Check content

1. Access AC 2. From 'Domain Structure', select 'Environment' -> 'Servers' 3. From the list of servers, select one which needs check for SSL configuration verification 4. From 'Configuration' tab -> 'General' tab, ensure 'Listen Port Enabled' checkbox is deselected 5. Ensure 'SSL Listen Port Enabled' checkbox is selected and a valid port number is in 'SSL Listen Port' field, e.g., 7002 6. From 'Configuration' tab -> 'Keystores' tab, ensure 'Custom Identity and Java Standard Trust' is selected in 'Keystores' section 7. Repeat steps 3-6 for all servers requiring SSL configuration checking If any of the servers requiring SSL have the 'Listen Port Enabled' selected or 'SSL Listen Port Enable' not selected or 'Custom Identity and Java Standard Trust' is not selected for the keystores, this is a finding.

Fix text

1. Obtain an identity (private key and digital certificates) and trust (certificates of trusted certificate authorities) to configure on the server 2. Create Identity keystore and load private key and certificate using ImportPrivateKey java utility, example: $ java utils.ImportPrivateKey -certfile -keyfile [-keyfilepass ] -keystore -storepass [-storetype ] -alias [-keypass ] 3. Access AC 4. Utilize 'Change Center' to create a new change session 5. From 'Domain Structure', select 'Environment' -> 'Servers' 6. From the list of servers, select one which needs SSL set up 7. From 'Configuration' tab -> 'General' tab, deselect 'Listen Port Enabled' checkbox 8. Select 'SSL Listen Port Enabled' checkbox and enter a valid port number in 'SSL Listen Port' field, e.g., 7002 9. From 'Configuration' tab -> 'Keystores' tab, click 'Change' button in 'Keystores' section 10. From dropdown, select 'Custom Identity and Java Standard Trust' and click 'Save' 11. Enter the fully qualified path to Identity keystore, from step 2, in 'Custom Identity Keystore' field 12. Enter 'JKS' in the 'Custom Identity Keystore Type' field 13. Enter the Identity keystore password in 'Custom Identity Keystore Passphrase' and 'Confirm Custom Identity Keystore Passphrase' fields 14. Enter the Java Standard Trust keystore (cacerts) password in 'Java Standard Trust Keystore Passphrase' and 'Confirm Java Standard Trust Keystore Passphrase' fields 15. Leave all other fields blank and click 'Save' 16. From 'Configuration' tab -> 'SSL' tab, enter values from step 2 into corresponding fields, as follows: - Enter into 'Private Key Alias' - Enter into 'Private Key Passphrase' - Enter into 'Confirm Private Key Passphrase' 17. Click 'Save', and from 'Change Center' click 'Activate Changes' to enable configuration changes 18. Repeat steps 4-17 for all servers requiring SSL configuration 19. From 'Domain Structure', select 'Environment' -> 'Servers', click 'Control' tab 20. Select checkbox for all servers configured in previous steps and click 'Restart SSL'

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer