Saturday, July 29, 2017

Disabling SSL 2.0/3.0 and enabling TLS 1.0 or higher in Weblogic 10.3.6 & JDK 7

SSL in Weblogic
Secure Sockets Layer (SSL) provides secure connections by allowing two applications connecting over a network to authenticate each other's identity and by encrypting the data exchanged between the applications.
SSL in WebLogic Server 10.3.6 is an implementation of the SSL 3.0 and Transport Layer Security (TLS) 1.0 specifications.
Certicom is currently the default SSL implementation in Weblogic Server.
JSSE may be enabled as an alternative SSL implementation.



So why disable SSL 2.0/3.0?
Oracle WebLogic Server should be configured to exclude SSL 2.0 and/or SSL 3.0 in order to mitigate the POODLE vulnerability. This often comes as a direction from security teams. The recommended protocols are TLS 1.0 and preferably TLS 1.2, which is more recent.

What protocol to use if not SSL 2.0/3.0?
Transport Layer Security (TLS) 1.0 and preferably 1.1 or 1.2.
Key Question 1 - So what configurations would a Middleware Admin make to disable SSL V2/V3 support on Weblogic and enable TLS protocols which are safer and recommended by Oracle?
Key Question 2 - How do we enable Weblogic to use TLS 1.0 and above SSL protocol for inbound and outbound connections?

Let’s try and answer it.

Now assuming the WebLogic version is 10.3.6 and the JDK used is 1.7, below are some facts to know and consider before making changes.
      Before 10.3.3 (11g), Certicom SSL was the only SSL implementation.
      In 10.3.3 through 10.3.6 (11g), Certicom SSL is the default SSL implementation, with JSSE available by enabling a property switch.
      TLS 1.1 and 1.2 are supported with a combination of JDK 7 Update 1 (or later) and JSSE enabled.
      TLS 1.0 is supported on all releases using either the Certicom or the JSSE implementation.
      WebLogic Server versions 10.3.6 and 12.1.1 and later are certified with JDK 7 in order to enable JSSE and TLS 1.1/1.2.

Inbound
-Dweblogic.security.SSL.protocolVersion=TLS1
The interpretation of this property is different depending on whether the Certicom or JSSE implementation is used.
      For Certicom, setting -Dweblogic.security.SSL.protocolVersion=TLS1 enables only TLS 1.0.
      For JSSE, setting -Dweblogic.security.SSL.protocolVersion=TLS1 enables any protocol starting with "TLS", for example TLS 1.0, TLS 1.1, and TLS 1.2.
You may also disable older protocols by configuring a higher minimum protocol. For example, to accept only TLS 1.1 and 1.2 (if supported by the JDK version), use the following as a JAVA_OPTION:
      -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.1

Outbound
To enable TLS for outbound connections, you need to use the following -D flags:
       -Dhttps.protocols="TLSv1.2"
Or as a list of choices (handshake is first attempted at the highest level protocol):
       -Dhttps.protocols="TLSv1,TLSv1.1,TLSv1.2"
You may also disable older protocols by configuring a higher minimum protocol.
      Add -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2
You may also have applications running as a client (e.g. web services, scripts, or command-line tools) that make an outbound SSL connection. Within a Fusion Middleware environment there are also internal processes that make SSL connections (e.g. OPMN, DMS, EM/FMW Control). To control these outbound connections the following system property is available:

       -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2
(TLSv1 is the JSSE name for TLS 1.0; the same protocol names are used with https.protocols above.)
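The inbound and outbound flags above are easy to get half-right (for example a minimum version set on the listener while an outbound property still lists SSLv3). The audit function below is an added example, not from the original post: it takes a JAVA_OPTIONS string as pasted from the running server's command line and reports each setting as OK, WARN or FAIL. It assumes JSSE is switched on with -Dweblogic.security.SSL.enableJSSE=true (the WebLogic 10.3.3+ property switch, which the post mentions but does not name); the sample option string is constructed.

```shell
# Audit a WebLogic 10.3.6 / JDK 7 JAVA_OPTIONS string for the TLS settings above.
# Prints one OK/WARN/FAIL line per check; exit status 0 only when nothing FAILs.
# Assumption (not from the post): JSSE is enabled via
# -Dweblogic.security.SSL.enableJSSE=true.

opt_value() { # opt_value "<opts>" "<name>" prints the value of -Dname=value, if present
  for w in $1; do
    case "$w" in "-D$2="*) printf '%s\n' "${w#-D$2=}" ;; esac
  done
  return 0
}

audit_tls_opts() {
  opts=$1; rc=0
  jsse=$(opt_value "$opts" weblogic.security.SSL.enableJSSE)
  if [ "$jsse" = true ]; then
    echo "OK   JSSE enabled: protocolVersion=TLS1 allows TLS 1.0/1.1/1.2 on JDK 7u1+"
  else
    echo "WARN Certicom SSL in use: TLS 1.0 is the highest version the server offers"
  fi
  min=$(opt_value "$opts" weblogic.security.SSL.minimumProtocolVersion)
  case "$min" in
    TLSv1.1|TLSv1.2) echo "OK   inbound floor $min: SSLv2/v3 and TLS 1.0 refused" ;;
    TLSv1)  echo "WARN inbound floor TLSv1: SSLv2/v3 refused, TLS 1.0 still accepted" ;;
    "")     echo "FAIL no minimumProtocolVersion: SSL 3.0 can still be negotiated"; rc=1 ;;
    *)      echo "FAIL unrecognised minimumProtocolVersion '$min'"; rc=1 ;;
  esac
  # Outbound: both JDK client properties must list TLS versions only, never SSLv3.
  for name in https.protocols jdk.tls.client.protocols; do
    val=$(opt_value "$opts" "$name")
    case ",$val," in
      ",,")        echo "WARN $name unset: the JDK default client protocol list applies" ;;
      *,SSLv3,*)   echo "FAIL $name still lists SSLv3: $val"; rc=1 ;;
      *,TLSv1.2,*) echo "OK   $name=$val" ;;
      *)           echo "FAIL $name lacks TLSv1.2: $val"; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed sample: the post's inbound and outbound recommendations combined.
SAMPLE_OPTS='-Dweblogic.security.SSL.enableJSSE=true -Dweblogic.security.SSL.protocolVersion=TLS1 -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2 -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2'
audit_tls_opts "$SAMPLE_OPTS"
```

Run it against the option string of a live server (for example the JAVA_OPTIONS visible in its process listing) before and after the change to confirm no SSL 3.0 path is left on either side.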

Hope this post has been helpful to you. I have tried answering the two questions I put to start our discussion.
For understanding the changes needed for disabling SSL V2/3 or enabling TLS on Weblogic 12C/JDK8 please refer here

Made the above changes and still not able to connect using TLS 1.2? Do you get the error below?

"javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure"

If so, please refer to the solution here.
Please feel free to ask any questions you may have in the comment section. Keep learning and spread the word! 


Soumya

13 comments:

  2. For WebLogic 12c and JDK 1.7, how to disable SSLv2/v3 and enable TLS v1.2?
  3. Can you post the link for the URL at the question for
    "javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure"?
  4. Which file or config do we set this up in: -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2