{"id":5414,"date":"2012-07-20T16:27:16","date_gmt":"2012-07-20T21:27:16","guid":{"rendered":"http:\/\/jianmingli.com\/wp\/?p=5414"},"modified":"2012-08-25T23:11:04","modified_gmt":"2012-08-26T04:11:04","slug":"1z0-102-protecting-against-attacks","status":"publish","type":"post","link":"https:\/\/jianmingli.com\/wp\/?p=5414","title":{"rendered":"WebLogic 11g: Protecting Against Attacks"},"content":{"rendered":"
\n

Contents<\/h2>\n
    \n\t
  1. \n\t\tConfigure secure sockets layer (SSL) for WLS<\/a>\n\t<\/li>\n\t
  2. \n\t\tUse the keytool utility to create and manage certificates<\/a>\n\t<\/li>\n\t
  3. \n\t\tConfigure hostname verification (anti-man-in-the-middle)<\/a>\n\t<\/li>\n\t
  4. \n\t\tConfigure a network filter (anti-denial-of-service)<\/a>\n\t\t
      \n\t\t\t
    1. \n\t\t\t\tThree Basic Types of DoS Attacks<\/a>\n\t\t\t<\/li>\n\t\t\t
    2. \n\t\t\t\tFilter Network Connections<\/a>\n\t\t\t<\/li>\n\t\t\t
    3. \n\t\t\t\tweblogic.security.net.ConnectionFilterImpl<\/a>\n\t\t\t<\/li>\n\t\t<\/ol>\n\t
    4. \n\t\tSet max post size (anti-large-buffer)<\/a>\n\t<\/li>\n\t
    5. \n\t\tSet post timeout (anti-connection-starvation)<\/a>\n\t<\/li>\n\t
    6. \n\t\tConfigure username lockout via the admin console<\/a>\n\t\t
        \n\t\t\t
      1. \n\t\t\t\tUse Admin Port<\/a>\n\t\t\t<\/li>\n\t\t\t
      2. \n\t\t\t\tChange Admin Console Context Root or Disable Admin Console<\/a>\n\t\t\t<\/li>\n<\/ol>\n<\/ol>\n<\/ol>\n<\/div>\n
         <\/div>\n

        << Previous<\/a><\/p>\n

        Configure secure sockets layer (SSL) for WLS<\/h2><\/span>\n

        * See this post<\/a><\/p>\n

        \"\"<\/a><\/h6><\/span>\n
        \"\"<\/a><\/h6><\/span>\n

        Use the keytool utility to create and manage certificates<\/h2><\/span>\n

        * keytool<\/em> is a standard Java tool
        \n* can be used to
        \n– generate private keys
        \n– store private keys (keystore)
        \n– store trusted certificates (truststore)
        \n– display key info
        \n* WLS does not support DSA which is default for keytool<\/p>\n

        \r\nkeytool \u2013genkeypair \u2013alias mykey \u2013keypass mykeypass\r\n\u2013keyalg RSA \u2013keysize 512 -dname \"CN=payroll.mycompany.com...\"\r\n-keystore mykeys.jks \u2013storepass mypass\r\n\r\nkeytool \u2013importcert \u2013file payroll.pem \u2013alias mykey \u2013keypass\r\nmykeypass -keystore mykeys.jks \u2013storepass mypass\r\n\r\nkeytool \u2013list \u2013v -keystore mykeys.jks \u2013storepass mypass\r\n<\/pre>\n
        Configure hostname verification (anti-man-in-the-middle)<\/h2><\/span>\n
        * Enabled by default:<\/p>\n
        \"\"<\/a><\/h6><\/span>\n
        * Custom hostname verifier class must implement: weblogic.security.SSL.HostnameVerifier<\/em>
        \n* Command line properties
        \n– ignore hostname verification: -Dweblogic.security.SSL.ignoreHostnameVerification=true<\/em>
        \n– enforce hostname verification: -Dweblogic.security.SSL.HostnameVerifier=hostnameverifier_class<\/em><\/p>\n
        Configure a network filter (anti-denial-of-service)<\/h2><\/span>\n
        Three Basic Types of DoS Attacks<\/h3><\/span>\n
        * Consumption of limited resources
        \n* Destruction or alteration of configuration
        \n* Physical destruction or alteration of network components<\/p>\n
        Filter Network Connections<\/h3><\/span>\n
        * Accept or deny network connections based on
        \n– origin of clients
        \n– type of connections (e.g. SSL or not)<\/p>\n
        weblogic.security.net.ConnectionFilterImpl<\/h3><\/span>\n
        * Filter rules: targetAddr localAddr localPort action protocols<\/em>
        \n* Example:<\/p>\n
        \r\n# allow connection from 192.168.1.0 to 24 on local port 8001\r\n192.168.1.0\/24 127.0.0.1 8001 allow\r\n10.10.0.0\/16 127.0.0.1 8002 deny\r\n\r\n# deny connection from badguy.com on local port 7001\r\n*.badguy.com 127.0.0.1 7001 deny\r\n\r\n# catch all deny\r\n0.0.0.0\/0 * * deny\r\n<\/pre>\n
        \"\"<\/a><\/h6><\/span>\n
        Set max post size (anti-large-buffer)<\/h2><\/span>\n
        \"\"<\/a><\/h6><\/span>\n
        Set post timeout (anti-connection-starvation)<\/h2><\/span>\n
        \"\"<\/a><\/h6><\/span>\n
        Configure username lockout via the admin console<\/h2><\/span>\n
        Use Admin Port<\/h3><\/span>\n
        \"\"<\/a><\/h6><\/span>\n
        Change Admin Console Context Root or Disable Admin Console<\/h3><\/span>\n
        \"\"<\/a><\/h6><\/span>\n
        Next <\/a>>><\/p>\n
        [mv_include id=’3268′]<\/p>\n","protected":false},"excerpt":{"rendered":"
        > [mv_include id=’3268′]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[107,104],"tags":[180,168,595,576,167],"class_list":["post-5414","post","type-post","status-publish","format-standard","hentry","category-certification","category-weblogic11g","tag-1z0-102","tag-admin","tag-certification","tag-security","tag-wls"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p8cRUO-1pk","_links":{"self":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/5414","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5414"}],"version-history":[{"count":6,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/5414\/revisions"}],"predecessor-version":[{"id":5712,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/5414\/revisions\/5712"}],"wp:attachment":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5414"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5414"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5414"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}