SSL in Weblogic
Secure Sockets Layer (SSL) provides secure connections by allowing two applications connecting over a network to authenticate each other's identity and by encrypting the data exchanged between them.
SSL in WebLogic Server 12.1/12.2 is an implementation of the Transport Layer Security (TLS) 1.2 specification; it is backward compatible, so TLS 1.0 and 1.1 are supported as well.
JSSE is currently the default SSL implementation in WebLogic Server. (Certicom is deprecated; it was still supported in WebLogic 10.3.6.)
So why are we having this discussion?
Oracle WebLogic Server should be configured to exclude SSL 2.0 and/or SSL 3.0 in order to mitigate the POODLE vulnerability. This often comes as a direction from security teams. On WebLogic 10.3.6 and JDK 7 installs, configuration changes were needed to exclude these protocols.
So are there any such configurations needed for WebLogic 12c (12.1 & 12.2) installed with JDK 8? For WebLogic 10.3.6 and JDK 1.7 please refer to my post here.
So what's the answer?
The answer is NO. Let's go into a bit more detail here. I will be talking about both inbound and outbound connections.
Inbound
- JDK 8 uses TLS 1.2 by default (no external setting needed).
- TLS 1.0/1.1 are supported as well (backward compatible).
- You may also disable older protocols by configuring a higher minimum protocol. For example, to accept only TLS 1.1 and 1.2 (if supported by the JDK version), use the following as a JAVA_OPTION:
-Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.1
Outbound
- The JDK 8 default allows both TLS 1.1 and 1.2.
- You may also set a minimum by removing the older versions, but it is important to consider the external servers the application is connecting to.
- The protocol will always be negotiated to the highest level supported by both the client and the server.
- Set a minimum by removing the older versions as shown below (let's say you do not want to support TLS 1.0):
-Djdk.tls.client.protocols=TLSv1.1,TLSv1.2
So in short, if your WebLogic/JDK versions are 12.2.1/1.8, the default SSL implementation is JSSE and the default TLS version is TLS 1.2. TLS 1.0/1.1 are also supported (since backward compatible).
Hence, unlike WebLogic 10.3.6/1.7, we need to set no extra JAVA parameters to disable SSL v2/v3. Use the parameters above only if you want to restrict certain older TLS versions. The 12c/JDK 1.8 install will support all TLS versions (1.0 to 1.2). The protocol will always be negotiated to the highest level supported by both the client and the server.
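As an added example (not from the original post), the shell helpers below build the two JAVA_OPTIONS flags discussed above for a chosen minimum TLS version, refusing anything older than TLS 1.1, and include a check for whether a listener still completes a handshake with a legacy protocol. The setUserOverrides.sh file name, host and port are assumptions; the two -D property names are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post: build the inbound (server) and
# outbound (client) JAVA_OPTIONS flags for a minimum TLS version, and check
# whether a running listener still accepts an older protocol.

# Print both flags for a minimum protocol. Only TLSv1.1 and TLSv1.2 are
# accepted; anything lower (TLSv1, SSLv3) is refused with exit status 1.
weblogic_tls_opts() {
  case "$1" in
    TLSv1.1) client_list="TLSv1.1,TLSv1.2" ;;
    TLSv1.2) client_list="TLSv1.2" ;;
    *) echo "refusing minimum protocol '$1'; use TLSv1.1 or TLSv1.2" >&2; return 1 ;;
  esac
  printf '%s=%s %s=%s\n' \
    -Dweblogic.security.SSL.minimumProtocolVersion "$1" \
    -Djdk.tls.client.protocols "$client_list"
}

# Append the flags to an existing JAVA_OPTIONS value, as a line in the
# (assumed) $DOMAIN_HOME/bin/setUserOverrides.sh would:
#   JAVA_OPTIONS="$(append_tls_opts TLSv1.2 "$JAVA_OPTIONS")"; export JAVA_OPTIONS
append_tls_opts() {
  opts=$(weblogic_tls_opts "$1") || return 1
  printf '%s %s\n' "$2" "$opts"
}

# Succeed if HOST:PORT still completes a handshake with the given legacy
# protocol (openssl flag name: tls1 for TLS 1.0, tls1_1 for TLS 1.1).
# Needs a reachable listener, so it is not exercised offline; after a restart
# with a TLSv1.1 minimum, "legacy_protocol_accepted host 7002 tls1" should fail.
legacy_protocol_accepted() {
  openssl s_client -connect "$1:$2" "-$3" </dev/null >/dev/null 2>&1
}
```

Running the handshake check before and after the restart confirms that the minimum actually took effect on the listener rather than only in the start script.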
Please feel free to ask any questions you may
have in the comment section. Keep learning and spread the word!
Soumya
For SOA, we are having TLS 1.0 version installed at the load balancer level, and we are upgrading it to TLS 1.2. Do we need to implement any pre-requisites before turning off TLS 1.0 and using TLS 1.2 for the SOA environment so it won't affect any application functionality?
Product Version
---------------
JDK : java version "1.7.0_151"
WLS : WebLogic Server Version: 12.1.3.0
SOA : SOA 12.1.3.0
Hi Ashish,
Did you get any answer? I'm having the exact same configuration as you and would like to know if I had to do anything before blocking TLSv1.0 on the load balancer.
Regards,
Harihara V
Hi Soumya,
Where do I put the yellow highlighted code?
Is it OK with startWebLogic.cmd java_option or anywhere else?
Please suggest.
Sabirul
Great! Excellent content to refer to.
Hi Soumya,
For inbound connections (when the server is accepting requests): -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.1
For outbound connections (when the server is sending requests): -Djdk.tls.client.protocols=TLSv1.1,TLSv1.2
Can you please confirm: if we apply the inbound parameter -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.1, will the server accept and request TLSv1.1, correct? Can you please clarify this..
Hi, I am trying to connect to Microsoft AD 2016 from WebLogic 12.2.1.2 (jdk 1.8.121) & ODI 12.2.1.2.6 (jdk 1.8.121). Imported the required SSL certificates and restarted the server to see the error "curveid 29 not supported".
I then used the parameters to disable the ECC curve and minimumprotocolversion=TLSv1.1. It works fine but I am unable to understand the issue here since both AD 2016 and WLS 12.2 support TLSv1.2.
We have WebLogic 12.2 and JDK 8. The vendor asked us to add "-Djdk.tls.client.protocols=TLSv1.1,TLSv1.2". Do we need to set it? Which file do I need to add it to? Thanks