Saturday, July 29, 2017

TLS Support on Weblogic 12C & JDK8


SSL in Weblogic
Secure Sockets Layer (SSL) provides secure connections by allowing two applications connecting over a network to authenticate each other's identity and by encrypting the data exchanged between the applications.
SSL in WebLogic Server 12.1/12.2 is an implementation of the Transport Layer Security (TLS) 1.2 specifications (backward compatible hence 1.0 & 1.1 supported)
JSSE is currently the default SSL implementation in Weblogic Server. (Certicom deprecated and supported in Weblogic 10.3.6)


So why are we having this discussion?
Oracle WebLogic Server should configured exclude SSL 2.0 and/or SSL 3.0 to in order to mitigate the Poodle vulnerability. This often comes as a direction from security teams. There were configurations needed to be done on Weblogic 10.3.6 and JDK7 installs to exclude these protocols. 
So are there any such configurations needed to be done for Weblogic 12c (12.1 & 12.2) installed with JDK 8? For Weblogic 10.3.6 and JDK 1.7 please refer to my post here.

So what’s the answer?

The answer is NO. Let’s talk in a bit detail here. I will be talking about both Inbound and Outbound connections.

Inbound
  • JDK 8 will use TLS 1.2 as default (No external setting needed) 
  • Supports TLS 1.0/1.1 as well – (backward compatible)
  • You may also disable older protocols by configuring a higher minimum protocol. For example, to gain TLS 1.1 and 1.2 support, (if supported by the JDK version), use the following as a JAVA_OPTION:
         -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.1 
Outbound
  • The JDK 8 default allows both TLS 1.1 and 1.2 by default. 
  • You may also set a minimum by removing the older versions, but it is important to consider the external servers the application is connecting to
  • The protocol will always be negotiated to the highest supported level between the client and server.
  • Set a minimum by removing the older versions as shown below (let's say you want to not support TLS 1.0).
         -Djdk.tls.client.protocols=TLSv1.1,TLSv1.2
So in short if your,Weblogic/JDK versions are 12.2.1/1.8,the default SSL implementation is JSSE and the default TLS version supported is TLS 1,2.TLS 1.0/1.1 are also supported (since backward compatible). 
Hence unlike Weblogic 10.3.6/1.7 we need to set no extra JAVA parameters to disable SSL V2/V3.Use above parameters highlighted in yellow only if you want to restrict certain older TLS versions. The 12C/JDK1.8 install will support all TLS versions (1.0 to 1.2). The protocol will always be negotiated to the highest supported level between the client and server.

Please feel free to ask any questions you may have in the comment section. Keep learning and spread the word! 

Soumya


No comments:

Post a Comment