WebLogic 11g: Protecting Against Attacks



Configure secure sockets layer (SSL) for WLS

* See this post

Use the keytool utility to create and manage certificates

* keytool is a standard Java tool
* can be used to
– generate private keys
– store private keys (keystore)
– store trusted certificates (truststore)
– display key info
* WLS does not support DSA keys, and DSA is keytool's default key algorithm, so always pass -keyalg RSA explicitly

# RSA is required (-keyalg RSA); use at least 2048 bits, a 512-bit RSA key can be factored in hours
keytool -genkeypair -alias mykey -keypass mykeypass -keyalg RSA -keysize 2048 \
  -dname "CN=payroll.mycompany.com..." -keystore mykeys.jks -storepass mypass

# import the CA-signed certificate (the reply to the CSR) under the same alias as the key
keytool -importcert -file payroll.pem -alias mykey -keypass mykeypass \
  -keystore mykeys.jks -storepass mypass

# verify what landed in the keystore: alias, entry type, key algorithm and certificate chain
keytool -list -v -keystore mykeys.jks -storepass mypass

Configure hostname verification (anti-man-in-the-middle)

* Enabled by default: the built-in verifier compares the hostname in the URL with the CN in the peer certificate's subject DN. With verification switched off, any certificate issued by a trusted CA for any hostname is accepted, which is exactly what an in-path attacker needs

* Custom hostname verifier class must implement: weblogic.security.SSL.HostnameVerifier
* Command line properties
– ignore hostname verification (development only, never on a production server or client): -Dweblogic.security.SSL.ignoreHostnameVerification=true
– use a custom hostname verifier class: -Dweblogic.security.SSL.HostnameVerifier=hostnameverifier_class
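To make concrete what the verifier is defending against, here is an added example in plain Python; it is not WebLogic code and not from the original post. It performs the comparison a hostname verifier does: the hostname from the URL is matched against the DNS names in the peer's leaf certificate, with wildcard handling and subjectAltName taking precedence over the subject CN. In WebLogic's verify(String urlHostname, SSLSession session) the names would be read from the session's peer certificate; here the certificates are constructed dicts so the code runs offline. The MITM case is the certificate for attacker.example: valid, CA-signed, and rejected only because of this check.

```python
# Added example: the comparison a hostname verifier performs, in plain Python.
# Assumption: the names have already been pulled out of the peer's leaf
# certificate (in WebLogic's verify(String urlHostname, SSLSession session)
# they would come from session.getPeerCertificates()[0]).


def dns_name_matches(pattern, hostname):
    """Match one certificate DNS name (possibly a wildcard) against a hostname.

    Case-insensitive; a single '*' is accepted only as the entire left-most
    label, it must be followed by at least two more labels, and it never
    matches across a dot (so *.mycompany.com does not cover a.b.mycompany.com
    and does not cover mycompany.com itself).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_hostname(url_hostname, cert):
    """Return True if the certificate is issued for url_hostname.

    cert is a dict {"subject_cn": str or None, "san_dns": [str, ...]}.
    DNS subjectAltNames take precedence; the subject CN is consulted only
    when the certificate carries no DNS SANs at all.
    """
    names = list(cert.get("san_dns") or [])
    if not names and cert.get("subject_cn"):
        names = [cert["subject_cn"]]
    return any(dns_name_matches(n, url_hostname) for n in names)


# Constructed certificates for the scenarios on this page.
GOOD_CERT = {"subject_cn": "payroll.mycompany.com", "san_dns": ["payroll.mycompany.com"]}
WILDCARD_CERT = {"subject_cn": "*.mycompany.com", "san_dns": ["*.mycompany.com"]}
# A valid certificate for some other host: what an in-path attacker would
# present. With verification turned off the TLS handshake still succeeds.
MITM_CERT = {"subject_cn": "attacker.example", "san_dns": ["attacker.example"]}
# CN claims payroll, but the SANs say otherwise: the SANs win.
CN_ONLY_LIE = {"subject_cn": "payroll.mycompany.com", "san_dns": ["attacker.example"]}

if __name__ == "__main__":
    for name, cert in [("good", GOOD_CERT), ("wildcard", WILDCARD_CERT),
                       ("mitm", MITM_CERT), ("cn-only-lie", CN_ONLY_LIE)]:
        print(name, "->", verify_hostname("payroll.mycompany.com", cert))
```

The verifier does nothing about the chain itself (that is the trust store's job); it only answers whether a certificate the trust store already accepted was issued to the host the client intended to reach.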

Configure a network filter (anti-denial-of-service)

Three Basic Types of DoS Attacks

* Consumption of limited resources
* Destruction or alteration of configuration
* Physical destruction or alteration of network components

Filter Network Connections

* Accept or deny network connections based on
– origin of clients
– type of connections (e.g. SSL or not)

weblogic.security.net.ConnectionFilterImpl

* Filter rules: targetAddress localAddress localPort action [protocols]
– targetAddress: the client, as an IP, a CIDR block (or address/netmask), a hostname, or a *.domain wildcard; hostname and wildcard rules depend on a reverse DNS lookup of the client
– localAddress / localPort: the server-side address and port the client connected to; * matches any
– action: allow or deny
– protocols: optional list of protocol names (e.g. http https t3 t3s); omitted means all protocols
* Rules are evaluated in order and the first match decides; a connection that matches no rule is accepted, which is why a rule file should end with a catch-all deny
* Example:

# allow connections from 192.168.1.0/24 to local port 8001
192.168.1.0/24 127.0.0.1 8001 allow
# deny connections from 10.10.0.0/16 to local port 8002
10.10.0.0/16 127.0.0.1 8002 deny

# deny connections from any host in badguy.com on local port 7001
*.badguy.com 127.0.0.1 7001 deny

# catch all deny
0.0.0.0/0 * * deny
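As an added, stand-alone example (not WebLogic code and not from the original post), the following Python evaluates a rule file with the semantics described above, so a rule set can be checked against sample connections before it is loaded into the server: first match wins, an unmatched connection is accepted, the protocol column is optional. The rule text (the page's rules plus one 9002 line so the protocol column is exercised) and the client addresses are constructed for the example; a real filter performs the client's reverse DNS lookup itself, here the name is passed in.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed rule file in the ConnectionFilterImpl format:
#   targetAddress localAddress localPort action [protocols...]
# The 9002 line is an addition to the page's example so the protocol
# column gets exercised.
RULES_TEXT = """
# allow connections from 192.168.1.0/24 to local port 8001
192.168.1.0/24 127.0.0.1 8001 allow
10.10.0.0/16 127.0.0.1 8002 deny
# deny connections from badguy.com hosts on local port 7001
*.badguy.com 127.0.0.1 7001 deny
# admin port: only the SSL-protected protocols
0.0.0.0/0 * 9002 allow t3s https
# catch all deny
0.0.0.0/0 * * deny
"""


@dataclass
class Rule:
    target: str
    local: str
    port: str
    action: str
    protocols: List[str] = field(default_factory=list)


def parse_rules(text: str) -> List[Rule]:
    """Parse rule lines; '#' starts a comment, blank lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[3] not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: malformed rule: {raw!r}")
        rules.append(Rule(parts[0], parts[1], parts[2], parts[3],
                          [p.lower() for p in parts[4:]]))
    return rules


def target_matches(pattern: str, remote_ip: str, remote_host: Optional[str]) -> bool:
    """Match the targetAddress column against the connecting client.

    '*.domain' and bare hostnames need the client's reverse-DNS name, which
    the caller supplies (None when the lookup failed: such rules then never
    match, so they cannot be relied on to allow anything).
    """
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return remote_host is not None and remote_host.lower().endswith(pattern[1:].lower())
    try:
        net = ipaddress.ip_network(pattern, strict=False)  # CIDR or addr/netmask
    except ValueError:
        return remote_host is not None and remote_host.lower() == pattern.lower()
    return ipaddress.ip_address(remote_ip) in net


def evaluate(rules: List[Rule], remote_ip: str, local_ip: str, local_port: int,
             protocol: str, remote_host: Optional[str] = None) -> Tuple[str, Optional[Rule]]:
    """Return (decision, matching rule). Rules are tried in order and the
    first match decides; a connection matched by no rule is accepted,
    which is why a rule file should end with a catch-all deny."""
    for r in rules:
        if not target_matches(r.target, remote_ip, remote_host):
            continue
        if r.local != "*" and ipaddress.ip_address(r.local) != ipaddress.ip_address(local_ip):
            continue
        if r.port != "*" and int(r.port) != int(local_port):
            continue
        if r.protocols and protocol.lower() not in r.protocols:
            continue
        return r.action, r
    return "allow", None


RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    for args in [("192.168.1.77", "127.0.0.1", 8001, "t3"),
                 ("203.0.113.9", "127.0.0.1", 7001, "t3", "evil.badguy.com"),
                 ("203.0.113.9", "10.0.0.5", 9002, "t3")]:
        decision, rule = evaluate(RULES, *args)
        print(args, "->", decision, "by", rule)
```

Two things the evaluator makes visible: a rule set without the trailing catch-all silently accepts everything it does not mention, and a hostname or *.domain rule that fails reverse DNS matches nothing, so deny decisions should never hinge on one.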

Set max post size (anti-large-buffer)

* Servers > Protocols > HTTP > Max Post Size: the largest POST body the server will accept; a request above the limit is rejected instead of being buffered in memory

Set post timeout (anti-connection-starvation)

* Servers > Protocols > HTTP > Post Timeout: how long the server waits for POST data before dropping a slow or idle client, so trickling requests cannot tie up threads indefinitely

Configure username lockout via the admin console

* Security Realms > myrealm > Configuration > User Lockout: lockout threshold, lockout duration and reset duration; a very low threshold hands an attacker an easy way to lock out legitimate users, which is a denial of service in its own right

Use Admin Port

* Domain > General > Enable Administration Port (default 9002, SSL only): administrative traffic is then accepted only on that port, which can be firewalled separately from the application ports

Change Admin Console Context Root or Disable Admin Console

* Domain > General > Advanced: Console Context Path (default /console) and Console Enabled; with the console disabled, WLST and the management APIs remain the administrative interfaces

