UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Oracle WebLogic must establish a trusted communications path between the user and organization-defined security functions within the information system.


Overview

Finding ID Version Rule ID IA Controls Severity
V-56309 WBLC-08-000211 SV-70563r1_rule Medium
Description
Without a trusted communication path, the application server is vulnerable to a man-in-the-middle attack. Application server user interfaces are used for management of the application server so the communications path between client and server must be trusted or management of the server may be compromised.
STIG Date
Oracle WebLogic Server 12c Security Technical Implementation Guide 2018-08-30

Details

Check Text ( C-56861r3_chk )
1. Access AC
2. From 'Domain Structure', select 'Environment' -> 'Servers'
3. From the list of servers, select one which needs check for SSL configuration verification
4. From 'Configuration' tab -> 'General' tab, ensure 'Listen Port Enabled' checkbox is deselected
5. Ensure 'SSL Listen Port Enabled' checkbox is selected and a valid port number is in 'SSL Listen Port' field, e.g., 7002
6. From 'Configuration' tab -> 'Keystores' tab, ensure 'Custom Identity and Java Standard Trust' is selected in 'Keystores' section
7. Repeat steps 3-6 for all servers requiring SSL configuration checking

If any of the servers requiring SSL have the 'Listen Port Enabled' selected or 'SSL Listen Port Enable' not selected or 'Custom Identity and Java Standard Trust' is not selected for the keystores, this is a finding.
Fix Text (F-61189r5_fix)
1. Obtain an identity (private key and digital certificates) and trust (certificates of trusted certificate authorities) to configure on the server
2. Create Identity keystore and load private key and certificate using ImportPrivateKey java utility, example:
$ java utils.ImportPrivateKey -certfile -keyfile [-keyfilepass ] -keystore -storepass [-storetype ] -alias [-keypass ]
3. Access AC
4. Utilize 'Change Center' to create a new change session
5. From 'Domain Structure', select 'Environment' -> 'Servers'
6. From the list of servers, select one which needs SSL set up
7. From 'Configuration' tab -> 'General' tab, deselect 'Listen Port Enabled' checkbox
8. Select 'SSL Listen Port Enabled' checkbox and enter a valid port number in 'SSL Listen Port' field, e.g., 7002
9. From 'Configuration' tab -> 'Keystores' tab, click 'Change' button in 'Keystores' section
10. From dropdown, select 'Custom Identity and Java Standard Trust' and click 'Save'
11. Enter the fully qualified path to Identity keystore, from step 2, in 'Custom Identity Keystore' field
12. Enter 'JKS' in the 'Custom Identity Keystore Type' field
13. Enter the Identity keystore password in 'Custom Identity Keystore Passphrase' and 'Confirm Custom Identity Keystore Passphrase' fields
14. Enter the Java Standard Trust keystore (cacerts) password in 'Java Standard Trust Keystore Passphrase' and 'Confirm Java Standard Trust Keystore Passphrase' fields
15. Leave all other fields blank and click 'Save'
16. From 'Configuration' tab -> 'SSL' tab, enter values from step 2 into corresponding fields, as follows:
- Enter into 'Private Key Alias'
- Enter into 'Private Key Passphrase'
- Enter into 'Confirm Private Key Passphrase'
17. Click 'Save', and from 'Change Center' click 'Activate Changes' to enable configuration changes
18. Repeat steps 4-17 for all servers requiring SSL configuration
19. From 'Domain Structure', select 'Environment' -> 'Servers', click 'Control' tab
20. Select checkbox for all servers configured in previous steps and click 'Restart SSL'