Saturday, July 29, 2017

TLS Support on Weblogic 12C & JDK8


SSL in Weblogic
Secure Sockets Layer (SSL) provides secure connections by allowing two applications connecting over a network to authenticate each other's identity and by encrypting the data exchanged between the applications.
SSL in WebLogic Server 12.1/12.2 is an implementation of the Transport Layer Security (TLS) 1.2 specifications (backward compatible hence 1.0 & 1.1 supported)
JSSE is currently the default SSL implementation in Weblogic Server. (Certicom deprecated and supported in Weblogic 10.3.6)


So why are we having this discussion?
Oracle WebLogic Server should configured exclude SSL 2.0 and/or SSL 3.0 to in order to mitigate the Poodle vulnerability. This often comes as a direction from security teams. There were configurations needed to be done on Weblogic 10.3.6 and JDK7 installs to exclude these protocols. 
So are there any such configurations needed to be done for Weblogic 12c (12.1 & 12.2) installed with JDK 8? For Weblogic 10.3.6 and JDK 1.7 please refer to my post here.

So what’s the answer?

The answer is NO. Let’s talk in a bit detail here. I will be talking about both Inbound and Outbound connections.

Inbound
  • JDK 8 will use TLS 1.2 as default (No external setting needed) 
  • Supports TLS 1.0/1.1 as well – (backward compatible)
  • You may also disable older protocols by configuring a higher minimum protocol. For example, to gain TLS 1.1 and 1.2 support, (if supported by the JDK version), use the following as a JAVA_OPTION:
         -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.1 
Outbound
  • The JDK 8 default allows both TLS 1.1 and 1.2 by default. 
  • You may also set a minimum by removing the older versions, but it is important to consider the external servers the application is connecting to
  • The protocol will always be negotiated to the highest supported level between the client and server.
  • Set a minimum by removing the older versions as shown below (let's say you want to not support TLS 1.0).
         -Djdk.tls.client.protocols=TLSv1.1,TLSv1.2
So in short if your,Weblogic/JDK versions are 12.2.1/1.8,the default SSL implementation is JSSE and the default TLS version supported is TLS 1,2.TLS 1.0/1.1 are also supported (since backward compatible). 
Hence unlike Weblogic 10.3.6/1.7 we need to set no extra JAVA parameters to disable SSL V2/V3.Use above parameters highlighted in yellow only if you want to restrict certain older TLS versions. The 12C/JDK1.8 install will support all TLS versions (1.0 to 1.2). The protocol will always be negotiated to the highest supported level between the client and server.

Please feel free to ask any questions you may have in the comment section. Keep learning and spread the word! 

Soumya


4 comments:

  1. BlueHost is definitely the best web-hosting provider for any hosting plans you need.

    ReplyDelete
  2. If you need your ex-girlfriend or ex-boyfriend to come crawling back to you on their knees (even if they're dating somebody else now) you got to watch this video
    right away...

    (VIDEO) Get your ex back with TEXT messages?

    ReplyDelete
  3. For SOA, We are having TLS 1.0 version installed at the load balancer level, and We are upgrading it to TLS 1.2. Do we need to implement any pre-requisites before turning off TLS 1.0 and using TLS 1.2 for SOA environment so it won’t affect any application functionality

    Product Version
    ---------------
    JDK : java version "1.7.0_151"
    WLS : WebLogic Server Version: 12.1.3.0
    SOA : SOA 12.1.3.0

    ReplyDelete
  4. This comment has been removed by the author.

    ReplyDelete