AIMSTAR Blog

Securing WebLogic Servers Part 2 - Configuring the Admin Server

Posted by Theodore Williams on Aug 22, 2017 5:30:00 PM

Configuring the Admin Server


This article is the second in a three-part series that details how to secure a WebLogic server.  

The Oracle WebLogic Admin Server can be configured through the Admin Console to run on a secure port.  WebLogic provides default keystores that can be used to simulate SSL access in a test environment.  This article details the steps in configuring the WebLogic Admin Server to use keystores with certificates that can be used in a production environment.

Relevant Topics: Oracle DBA,  Oracle WebLogic, Admin Server, Keystores, WebLogic Security,  NIST SP 800-53

The following variables are used in this article.

 Environment Variables

 MW_HOME: This variable refers to the location where Oracle Fusion Middleware resides.

For this example, MW_HOME is:

 /u01/app/weblogic/wls12130

 WL_HOME: This variable refers to the location which contains installed files necessary to host a WebLogic Server.  For this example, WL_HOME is:

/u01/app/weblogic/wls/wlserver

 

DOMAIN_HOME: This is the home for our current WebLogic domain.  For this example, DOMAIN_HOME is:

/u01/app/weblogic/wls12130/user_projects/domains/base_domain

 

Configure WebLogic to Use the Keystores

 

  1. Make a copy of the WebLogic configuration file, config.xml, before making any changes. The config.xml file is found in

$MW_HOME/user_projects/domains/<domain_name>/config/config.xml

This should be the same as:

$DOMAIN_HOME/config/config.xml

This backup file can be used to restore the config.xml file if there are any problems with the configuration.

 

  2. Log in to the WebLogic Server.

  3. Make sure the domain is in production mode. Once a domain is changed to production mode, it can’t be changed back to development mode.

Click base_domain on the left-hand side under Domain Structure.

Select the box next to Production Mode.

Click Save.

 

  4. The screen indicates that the servers must be restarted.

Click on Servers --> Control.

 

  5. The Summary of Servers screen displays.

 

  6. Select the box next to the managed server.

Select Shutdown.  Select “When work completes” from the drop down.

 

  7. The screen will indicate that the managed server has been shut down.

  8. Click on the AdminServer. The AdminServer settings screen displays.

 

 

 Select the Configuration --> Keystores tab.

 

  9. The AdminServer Settings, Configuration --> Keystores screen displays.

 

Click on the Keystores Change button. 

Choose Custom Identity and Custom Trust.

Click Save.

 

Identity

 

Custom Identity Keystore: <directory containing the keystores>/identity_keystore.jks

Custom Identity Keystore Type:  JKS

Custom Identity Keystore Passphrase: 

<password for identity_keystore.jks that was specified when it was created>

Confirm Custom Identity Keystore Passphrase:

<password for identity_keystore.jks that was specified when it was created>

 

Trust

Custom Trust Keystore: <directory containing the keystores>/trust_keystore.jks

Custom Trust Keystore Type:  JKS

Custom Trust Keystore Passphrase: 

<password for trust_keystore.jks that was specified when it was created>

Confirm Custom Trust Keystore Passphrase:

<password for trust_keystore.jks that was specified when it was created>

 

Click Save

Click the SSL tab.

 

  10. The AdminServer Settings General --> SSL screen displays.

 

Identity and Trust Locations:   Make sure this is set to Keystores

Identity

Private Key Location:    from Custom Identity Keystore

Private Key Alias:       This is the private key that we defined in the identity keystore, for example forge_private_key

Private Key Passphrase:  <The password defined when the private key was created in the keystore>

Confirm Private Key Passphrase:  <The password defined when the private key was created in the keystore>

Certificate Location:            from Custom Identity Keystore

Trust

Trusted Certificate Authorities:   from Custom Trust Keystore

Click Save

 

  11. The screen indicates that the server must be restarted in order for the new settings to take effect.

 

Click Servers.

 

  12. The Summary of Servers screen displays.

 

Click the Control tab.

 

  13. Select the box next to the AdminServer.

 

Select Shutdown.  Select “When work completes” from the drop down.

 

  14. A screen displays showing that the AdminServer has been shut down. It must be restarted in order for the web interface to be available.

 

 

  15. Restart WebLogic on the server with the following command.

startWebLogic.sh

For example:

[oracle@Forge ~]$ cd $MW_HOME/user_projects/domains/base_domain

[oracle@Forge base_domain]$ ./startWebLogic.sh &

.

.

.

<Server state changed to RUNNING.>

 

  16. Once the server state is changed to RUNNING, the web interface will be available.  Log back into WebLogic.  Note the Change Center in the upper left since WebLogic has been changed from development mode to production mode.

 

 Click on Servers

 

  17. The Summary of Servers screen displays.

 

Click on the AdminServer.

 

  18. The Settings for AdminServer screen displays. Click Lock & Edit in the Change Center on the left-hand side.

Select the box next to SSL Listen Port Enabled.  Enter a port number for SSL Listen Port.

Click Save.

 

Enabling the SSL port could have been done prior to shutting down the AdminServer in Step 12, but this is an example of using the Change Center in Production Mode.

 

  19. Shut down the AdminServer and restart WebLogic as in Steps 12 – 15 above.

 

  20. You can now use the secure SSL Listen Port to run WebLogic. Note that the site is now locked and verified.


To tighten security, for example to satisfy NIST SP 800-53 security controls, the non-secure Listen Port can be disabled.
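The settings made in the console above end up in $DOMAIN_HOME/config/config.xml, so they can be checked there after the restart. The following audit script is an added example, not part of the original article; the element names and the defaults applied when an element is absent are assumptions about what WebLogic 12c writes, and the sample XML and keystore path are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"d": "http://xmlns.oracle.com/weblogic/domain"}

# Constructed sample (not from the article): the state after the last step,
# with the SSL port enabled but the non-secure Listen Port not yet disabled.
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <production-mode-enabled>true</production-mode-enabled>
  <server>
    <name>AdminServer</name>
    <ssl>
      <enabled>true</enabled>
      <listen-port>7002</listen-port>
      <server-private-key-alias>forge_private_key</server-private-key-alias>
    </ssl>
    <key-stores>CustomIdentityAndCustomTrust</key-stores>
    <custom-identity-key-store-file-name>/path/to/keystores/identity_keystore.jks</custom-identity-key-store-file-name>
    <custom-trust-key-store-file-name>/path/to/keystores/trust_keystore.jks</custom-trust-key-store-file-name>
  </server>
</domain>"""

def audit_admin_server(config_xml, server_name="AdminServer"):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(config_xml)
    findings = []
    if root.findtext("d:production-mode-enabled", "false", NS).strip() != "true":
        findings.append("domain is not in production mode")
    server = next((s for s in root.findall("d:server", NS)
                   if s.findtext("d:name", "", NS).strip() == server_name), None)
    if server is None:
        return findings + ["server %s not found" % server_name]

    def val(path, default=""):
        # An absent element means the server default applies (assumed defaults:
        # demo keystores, SSL port off, non-secure Listen Port on).
        return server.findtext(path, default, NS).strip()

    if val("d:key-stores", "DemoIdentityAndDemoTrust") != "CustomIdentityAndCustomTrust":
        findings.append("keystores are not Custom Identity and Custom Trust")
    for tag in ("custom-identity-key-store-file-name", "custom-trust-key-store-file-name"):
        if not val("d:" + tag):
            findings.append("%s is not set" % tag)
    if val("d:ssl/d:enabled", "false") != "true":
        findings.append("SSL listen port is not enabled")
    if not val("d:ssl/d:server-private-key-alias"):
        findings.append("no private key alias configured")
    if val("d:listen-port-enabled", "true") != "false":
        findings.append("non-secure listen port is still enabled")
    return findings

if __name__ == "__main__":
    for finding in audit_admin_server(SAMPLE_CONFIG) or ["all checks passed"]:
        print(finding)
```

To audit a real domain, pass the contents of $DOMAIN_HOME/config/config.xml to audit_admin_server instead of the sample.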

 
