If you are managing and administering a WebLogic domain that serves:
- Bank applications
- Government applications
- e-Business web applications that open to the internet
You must strongly secure your WebLogic domain against both internal and external hacking attacks.
Here are the crucial settings for securing mission critical WebLogic domains:
- Do not use default ports for admin server and managed servers
- Do not use “weblogic” value for default admin username
- Do not pass username/password parameters and values in start scripts.
Use the “-Dweblogic.system.BootIdentityFile=$PATH/boot.properties” parameter together with an encrypted boot identity file instead.
Administrative Engineering: Secure your WebLogic Domain
- Enable administration ports
- Enable “Cross Domain Security”
- Change your console context path
- Use custom Identity and Custom Trust (JKS)
- Use custom Hostname Verifier
- Load a real SSL certificate even for internal traffic
- Set a “Max Post Size” value (by default it is unlimited)
- Set “Frontend Host” and “Frontend Https Port” values
- Set “Minimum, Maximum, IO Buffer Size” values
- Secure JMS Resources by Security Policies
- Disable “Default Connection Factories” for JMS
- Integrate and define LDAP authenticator
- Enable administration auditing by setting “Configuration Audit Type”
Most WebLogic domains are insecure. In particular, they are vulnerable and unguarded against attacks from the internal/LAN network.
In general, 99% of the list items I’ve shared above are not configured by the administrator.
If you are administering or managing a mission critical WebLogic domain, think twice and reconfigure your security settings.
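As an added example (not part of the original post), the following Python script audits a domain's config.xml for several items from the checklist above: administration port, console context path, Cross Domain Security, configuration auditing, default listen ports, Max Post Size and Frontend Host. It assumes the element names follow WebLogic's config.xml naming of the corresponding MBean attributes, and the embedded config.xml is a constructed sample of a weak domain, not a real one.

```python
import xml.etree.ElementTree as ET

NS = {"d": "http://xmlns.oracle.com/weblogic/domain"}
DEFAULT_PORTS = {7001, 7002}  # WebLogic's default listen / SSL listen ports

# Domain-level checks: (path under <domain>, values that count as weak, finding text).
# Element names are assumed to mirror the MBean attribute names in config.xml.
DOMAIN_CHECKS = [
    ("d:administration-port-enabled", ("", "false"), "administration port is not enabled"),
    ("d:console-context-path", ("", "console"), "console is served under the default context path"),
    ("d:security-configuration/d:cross-domain-security-enabled", ("", "false"),
     "Cross Domain Security is disabled"),
    ("d:security-configuration/d:configuration-audit-type", ("", "none"),
     "configuration auditing is off"),
]

# Constructed sample of a weakly configured domain, not a real config.xml.
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>base_domain</name>
  <console-context-path>console</console-context-path>
  <security-configuration>
    <cross-domain-security-enabled>false</cross-domain-security-enabled>
    <configuration-audit-type>none</configuration-audit-type>
  </security-configuration>
  <server>
    <name>AdminServer</name>
    <listen-port>7001</listen-port>
    <web-server><frontend-host></frontend-host></web-server>
  </server>
  <administration-port-enabled>false</administration-port-enabled>
</domain>"""

def _text(node, path):
    # Text of the first element at `path` below `node`, or '' if the element is absent.
    found = node.find(path, NS) if node is not None else None
    return (found.text or "").strip() if found is not None else ""

def audit_config(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = [msg for path, weak, msg in DOMAIN_CHECKS if _text(root, path) in weak]
    for srv in root.findall("d:server", NS):
        name = _text(srv, "d:name")
        port = int(_text(srv, "d:listen-port") or 7001)  # absent element means the default
        if port in DEFAULT_PORTS:
            findings.append(f"{name}: listens on default port {port}")
        ws = srv.find("d:web-server", NS)
        if not _text(ws, "d:max-post-size"):  # absent means unlimited
            findings.append(f"{name}: Max Post Size is unlimited")
        if not _text(ws, "d:frontend-host"):
            findings.append(f"{name}: Frontend Host is not set")
    return findings
```

Run `audit_config(open("config.xml").read())` against a real domain and treat every returned finding as an item to reconfigure.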
Do not hesitate to contact us for support with your mission critical applications. Just drop us an email.
Share Date: 17, 2014