
AIMSTAR Blog

Securing WebLogic Servers Part 2 - Configuring the Admin Server

Posted by Theodore Williams on Aug 22, 2017 5:30:00 PM

Configuring the Admin Server

[Image: Securing_WebLogic_Servers_Part_2-Admin_Server.png]

This article is the second in a three-part series that details how to secure a WebLogic server.  

The Oracle WebLogic Admin Server can be configured through the Admin Console to listen on a secure (SSL) port. WebLogic ships with demonstration keystores (DemoIdentity.jks and DemoTrust.jks) that are suitable only for trying out SSL in a test environment: the same demo key is present on every installation, so it offers no real protection. This article details the steps for configuring the Admin Server to use custom identity and trust keystores, holding a private key and certificate issued for the server and the CA certificates it should trust, that can be used in a production environment.

Relevant Topics: Oracle DBA, Oracle WebLogic, Admin Server, Keystores, WebLogic Security, NIST SP 800-53

The following variables are used throughout the article.

Environment Variables

MW_HOME: the location where Oracle Fusion Middleware resides. For this example, MW_HOME is:

/u01/app/weblogic/wls12130

WL_HOME: the directory containing the installed files needed to host a WebLogic Server. For this example, WL_HOME is:

/u01/app/weblogic/wls/wlserver

DOMAIN_HOME: the home of the current WebLogic domain. For this example, DOMAIN_HOME is:

/u01/app/weblogic/wls12130/user_projects/domains/base_domain

 

Configure WebLogic to Use the Keystores

Before making any changes, make a copy of the WebLogic configuration file, config.xml. It is found in

$MW_HOME/user_projects/domains/<domain_name>/config/config.xml

which should be the same as:

$DOMAIN_HOME/config/config.xml

This backup can be used to restore config.xml if anything goes wrong with the configuration. Keep the copy with the same restrictive permissions as config.xml itself, since it holds the domain's encrypted credentials.

 


 

  1. Log in to the WebLogic Admin Console.

[Screenshot: weblogic_home.png]

  2. Make sure the domain is in production mode. Once a domain has been switched to production mode the Admin Console will not let you switch it back; reverting requires editing config.xml (or using WLST) and restarting, so treat the change as one-way.

Click base_domain on the left hand side under Domain Structure.

[Screenshot: production_mode_true_select.png]

Select the box next to Production Mode.

Click Save.

 

  3. The screen indicates that the servers must be restarted.

[Screenshot: production_mode_true_must_restart.png]

Click Servers --> Control.

 

  4. The Summary of Servers screen displays.

[Screenshot: summary_of_servers_control.png]

 

  5. Select the box next to the managed server.

[Screenshot: shutdown_managed_server.png]

Select Shutdown, then choose “When work completes” from the drop down so that in-flight requests finish before the server stops.

 

  6. The screen indicates that the managed server has been shut down.

[Screenshot: managed_server_shutdown.png]

  7. Click AdminServer. The AdminServer settings screen displays.

[Screenshot: admin_server_settings.png]

Select the Configuration --> Keystores tab.

 

  8. The AdminServer Settings, Configuration --> Keystores screen displays.

[Screenshot: ssl_keystore_settings.png]

Click the Keystores Change button.

Choose Custom Identity and Custom Trust.

Click Save.

 

Identity

Custom Identity Keystore: <directory containing the keystores>/identity_keystore.jks
Custom Identity Keystore Type: JKS
Custom Identity Keystore Passphrase: <password for identity_keystore.jks that was specified when it was created>
Confirm Custom Identity Keystore Passphrase: <the same password>

Trust

Custom Trust Keystore: <directory containing the keystores>/trust_keystore.jks
Custom Trust Keystore Type: JKS
Custom Trust Keystore Passphrase: <password for trust_keystore.jks that was specified when it was created>
Confirm Custom Trust Keystore Passphrase: <the same password>

Use absolute paths, and make sure the keystore files are readable only by the operating system user that runs WebLogic. WebLogic stores the passphrases in encrypted form in config.xml; they never need to be on disk in clear.

Click Save.

Click the SSL tab.

 

  9. The AdminServer Settings, Configuration --> SSL screen displays.

[Screenshot: ssl_keystore_settings.png]

Identity and Trust Locations: make sure this is set to Keystores.

Identity

Private Key Location: from Custom Identity Keystore
Private Key Alias: the alias of the private key entry in the identity keystore, for example forge_private_key
Private Key Passphrase: <the password defined when the private key was created in the keystore>
Confirm Private Key Passphrase: <the same password>
Certificate Location: from Custom Identity Keystore

Trust

Trusted Certificate Authorities: from Custom Trust Keystore

The alias and passphrase must match exactly what was used when the key was generated; running keytool -list against identity_keystore.jks shows the alias and confirms it is a PrivateKeyEntry. A mismatch is not reported here and only surfaces as a failed SSL listener when the server restarts.

Click Save.

 

  10. The screen indicates that the server must be restarted for the new settings to take effect.

[Screenshot: ssl_keystore_settings_must_restart.png]

Click Servers.

 

  11. The Summary of Servers screen displays.

[Screenshot: summary_of_servers.png]

Click the Control tab.

 

  12. Select the box next to the AdminServer.

[Screenshot: shutdown_admin_server.png]

Select Shutdown, then choose “When work completes” from the drop down.

 

  13. A screen displays showing that the AdminServer has been shut down. It must be restarted for the web interface to be available again.

[Screenshot: admin_server_shutdown_status.png]

 

 

  14. Restart WebLogic on the server with the startWebLogic.sh script in the domain directory. For example:

$ cd $MW_HOME/user_projects/domains/base_domain
$ ./startWebLogic.sh &
.
.
.
<Server state changed to RUNNING.>

If the SSL listener fails to start at this point, the usual causes are a wrong keystore path or passphrase, or a Private Key Alias that does not match the entry in identity_keystore.jks; restore the backup of config.xml and check the keystore with keytool -list. Starting the script with & ties it to your login shell; on a production host run it under nohup with output redirected to a log, or start the server through Node Manager.

 

  15. Once the server state changes to RUNNING, the web interface is available again. Log back in to WebLogic. Note the Change Center in the upper left: because the domain is now in production mode, configuration changes must be preceded by Lock & Edit and followed by Activate Changes.

[Screenshot: weblogic_home_after_admin_server_restart.png]

Click Servers.

 

  16. The Summary of Servers screen displays.

[Screenshot: summary_of_servers2.png]

Click AdminServer.

 

  17. The Settings for AdminServer screen displays. Click Lock & Edit in the Change Center on the left hand side.

[Screenshot: enable_ssl_listen_port_for_admin_server.png]

Select the box next to SSL Listen Port Enabled. Enter a port number for SSL Listen Port (WebLogic's default is 7002).

Click Save, then click Activate Changes in the Change Center.

Enabling the SSL port could have been done before shutting down the AdminServer in Step 12, but doing it here shows the Change Center workflow in production mode.

 

  18. Shut down the AdminServer and restart WebLogic as in Steps 12 – 15 above.

 

  19. You can now reach the Admin Console on the SSL Listen Port (https://<host>:<SSL Listen Port>/console). The browser shows the connection as secure because the certificate served from the identity keystore chains to a CA the browser trusts.

[Screenshot: site_secured.png]

To keep administrative traffic off plaintext HTTP, for example to satisfy the NIST SP 800-53 transmission confidentiality and integrity controls (SC-8), disable the non-secure Listen Port as well: on the AdminServer General tab, clear Listen Port Enabled, save, activate and restart. Do this only after the SSL port has been verified, because from then on the Admin Console, WLST (t3s://...) and any managed servers contacting the Admin Server must all connect over SSL and must trust its certificate.
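The whole procedure, from the config.xml backup at the start through the Keystores and SSL settings to enabling the SSL port and disabling the plain one, can also be driven from the shell, which is how you would repeat it consistently across environments. The following is an added example written for this page, not code from the original article or from Oracle. It assumes the environment variables named in its header as placeholders for your domain's values; the WLST calls are the ServerMBean and SSLMBean setters behind the Console fields, and the config.xml element names are those of a WebLogic 12c domain.

```shell
#!/bin/sh
# Added example, not code from the original article or from Oracle: the Admin
# Console changes made above as a WLST (Jython) script run through
# $WL_HOME/common/bin/wlst.sh, with a verified config.xml backup before it and
# a config.xml audit plus an openssl check of the SSL port after the restart.
# Assumed placeholders you set in the environment: KS_DIR, WLS_USER, WLS_PASS,
# WLS_URL, ID_KS_PASS, TRUST_KS_PASS, KEY_ALIAS, KEY_PASS, SSL_PORT, DISABLE_PLAIN_PORT.

# Timestamped copy of $DOMAIN_HOME/config/config.xml, verified with cmp;
# prints the backup path on success.
backup_config() {
    cfg="$1/config/config.xml"
    bak="$cfg.$(date +%Y%m%d%H%M%S).bak"
    cp -p "$cfg" "$bak" && cmp -s "$cfg" "$bak" || return 1
    printf '%s\n' "$bak"
}

# The Console fields (Production Mode, Keystores, SSL, SSL Listen Port) as
# WLST edit-tree setters. Passphrases are read from the environment at run
# time so none of them is written into the script file.
write_wlst_script() {
    cat > "$1" <<'EOF'
import os
e = os.environ
connect(e['WLS_USER'], e['WLS_PASS'], e['WLS_URL'])
edit(); startEdit()                                 # Lock & Edit
cd('/')
cmo.setProductionModeEnabled(true)                  # one-way from the Console
cd('/Servers/AdminServer')
cmo.setKeyStores('CustomIdentityAndCustomTrust')
cmo.setCustomIdentityKeyStoreFileName(e['KS_DIR'] + '/identity_keystore.jks')
cmo.setCustomIdentityKeyStoreType('JKS')
cmo.setCustomIdentityKeyStorePassPhrase(e['ID_KS_PASS'])
cmo.setCustomTrustKeyStoreFileName(e['KS_DIR'] + '/trust_keystore.jks')
cmo.setCustomTrustKeyStoreType('JKS')
cmo.setCustomTrustKeyStorePassPhrase(e['TRUST_KS_PASS'])
cd('/Servers/AdminServer/SSL/AdminServer')
cmo.setServerPrivateKeyAlias(e['KEY_ALIAS'])        # e.g. forge_private_key
cmo.setServerPrivateKeyPassPhrase(e['KEY_PASS'])
cmo.setEnabled(true)
cmo.setListenPort(int(e['SSL_PORT']))               # e.g. 7002
if e.get('DISABLE_PLAIN_PORT') == 'true':           # only once SSL is verified
    cd('/Servers/AdminServer')
    cmo.setListenPortEnabled(false)
save(); activate()                                  # Activate Changes
disconnect(); exit()
EOF
}

# Runs the script (t3://host:7001 while the plain port is open, t3s://host:7002
# afterwards). These attributes are not dynamic: restart the AdminServer after it.
apply_with_wlst() {
    script="$(mktemp)" && write_wlst_script "$script" || return 1
    "${WL_HOME:?set WL_HOME}/common/bin/wlst.sh" "$script"; rc=$?
    rm -f "$script"; return $rc
}

# After the restart: config.xml must name the custom keystores and key alias,
# have the plain port disabled, and hold passphrases only in *-encrypted elements.
audit_config() {
    for el in '<key-stores>CustomIdentityAndCustomTrust</key-stores>' \
              '<custom-identity-key-store-file-name>' \
              '<custom-trust-key-store-file-name>' \
              '<server-private-key-alias>' \
              '<listen-port-enabled>false</listen-port-enabled>'
    do
        grep -q "$el" "$1" || { echo "audit: missing $el" >&2; return 1; }
    done
    if grep -q 'pass-phrase>' "$1"; then            # cleartext element = hand edit
        echo "audit: cleartext passphrase in $1" >&2; return 1
    fi
    grep -q 'pass-phrase-encrypted>' "$1"
}

# The SSL port must present a certificate that chains to the CA in the trust
# keystore; pass that CA certificate in PEM form as $3.
check_ssl_port() {
    printf 'Q\n' | openssl s_client -connect "$1:$2" -servername "$1" \
        -CAfile "$3" 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

# Constructed config.xml fragment (not from a real domain) so backup_config
# and audit_config can be exercised offline.
write_sample_config() {
    mkdir -p "$1/config" && cat > "$1/config/config.xml" <<'EOF'
<domain>
  <server>
    <listen-port-enabled>false</listen-port-enabled>
    <ssl>
      <listen-port>7002</listen-port>
      <server-private-key-alias>forge_private_key</server-private-key-alias>
      <server-private-key-pass-phrase-encrypted>{AES}x</server-private-key-pass-phrase-encrypted>
    </ssl>
    <key-stores>CustomIdentityAndCustomTrust</key-stores>
    <custom-identity-key-store-file-name>/u01/app/weblogic/ks/identity_keystore.jks</custom-identity-key-store-file-name>
    <custom-identity-key-store-pass-phrase-encrypted>{AES}x</custom-identity-key-store-pass-phrase-encrypted>
    <custom-trust-key-store-file-name>/u01/app/weblogic/ks/trust_keystore.jks</custom-trust-key-store-file-name>
    <custom-trust-key-store-pass-phrase-encrypted>{AES}x</custom-trust-key-store-pass-phrase-encrypted>
  </server>
</domain>
EOF
}
```

Run backup_config "$DOMAIN_HOME" first, then apply_with_wlst with DISABLE_PLAIN_PORT unset and WLS_URL pointing at the plain port, restart the AdminServer, and only after check_ssl_port <host> 7002 <ca.pem> succeeds run it again over t3s with DISABLE_PLAIN_PORT=true. audit_config "$DOMAIN_HOME/config/config.xml" confirms the end state and also catches a hand-edited file that carries a passphrase in clear. The script reads the Console's passphrases from the environment rather than from the file precisely so that the WLST script itself can be kept in version control.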

 


 

Topics: Oracle DBA, Oracle Database Administration, WebLogic, NIST SP 800-53, WebLogic Security, Keystores

Oracle APEX Configuration

WebLogic-ORDS-APEX Installation and Configuration Checklist

APEX allows rapid development of database applications utilizing the Oracle database.  Oracle WebLogic may be used as the web server for Oracle APEX applications by utilizing Oracle REST Data Services (ORDS), formerly named the APEX Listener.  Download a checklist containing a list of steps to install, configure, and secure ORDS on WebLogic. 

Lists:

  • Includes checklist steps for APEX
  • Includes checklist steps for WebLogic
  • Includes checklist steps for ORDS

 
