Wednesday Jan 21, 2015

Critical Patch Update Advisory includes WebLogic, Forms, Glassfish, Reports, WebCenter – January 2015

Oracle Critical Patch Update Advisory - January 2015

A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to: Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.

Affected Products and Versions include the following Fusion Middleware solutions:

Oracle Fusion Middleware, version(s) 10.1.3.5, 11.1.1.7, 11.1.2.1, 11.1.2.2, 12.1.2, 12.1.3

Oracle Access Manager, version(s) 11.1.1.5, 11.1.1.7, 11.1.2.1, 11.1.2.2

Oracle Adaptive Access Manager, version(s) 11.1.1.5, 11.1.1.7, 11.1.2.1, 11.1.2.2

Oracle BI Publisher, version(s) 10.1.3.4.2, 11.1.1.7

Oracle Business Intelligence Enterprise Edition, version(s) 10.1.3.4.2, 11.1.1.7

Oracle Containers for J2EE, version(s) 10.1.3.5

Oracle Directory Server Enterprise Edition, version(s) 7.0, 11.1.1.7

Oracle Exalogic Infrastructure, version(s) 2.0.6.2.0 (for all X2-2, X3-2, X4-2)

Oracle Forms, version(s) 11.1.1.7, 11.1.2.1, 11.1.2.2

Oracle GlassFish Server, version(s) 3.0.1, 3.1.2

Oracle HTTP Server, version(s) 10.1.3.5.0, 11.1.1.7.0, 12.1.2.0, 12.1.3.0

Oracle OpenSSO, version(s) 8.0 Update 2 Patch 5

Oracle Real-Time Decision Server, version(s) 11.1.1.7, RTD Platform 3.0.x

Oracle Reports Developer, version(s) 11.1.1.7, 11.1.2.2

Oracle SOA Suite, version(s) 11.1.1.7, 12.1.3.0

Oracle Waveset, version(s) 8.1.1

Oracle WebCenter Content, version(s) 11.1.1.8.0

Oracle WebLogic Portal, version(s) 10.0.1.0, 10.2.1.0, 10.3.6.0

Oracle WebLogic Server, version(s) 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0, 12.1.3.0

For more information please visit the OTN here.

WebLogic Partner Community

For regular information become a member in the WebLogic Partner Community please visit: http://www.oracle.com/partners/goto/wls-emea ( OPN account required). If you need support with your account please contact the Oracle Partner Business Center.

Blog Twitter LinkedIn Forum Wiki

Technorati Tags: ,,,,,,

Friday May 23, 2014

IT-Security (Part 3): WebLogic Server and Java Security Features by Mohammad Esad-Djou

WebLogic Server and Java Security Features [1]  WebLogic Server supports the Java SE and Java EE Security to protect the resources of whole system. The resources could be Web applications, Uniform Resource Locator (URL), Enterprise JavaBeans (EJBs), and Connector components.

Java SE capabilities: Security APIs p3_realm_1Java uses APIs to access security features and functionality and its architecture contains a large set of application programming interfaces (APIs), tools, and implementations of commonly-used security algorithms, and protocols. This delivers the developer a complete security framework for writing applications and enables them to extend the platform with new security mechanisms.[2]

Java Authentication and Authorization Services (JAAS) WebLogic Server uses the Java Authentication and Authorization Service (JAAS) classes to consistently and securely authenticate to the client. JAAS is a part of Java SE Security APIs and a set of Java packages that enable services to authenticate and enforce access controls upon users and /or fat-client authentication for applications, applets, Enterprise JavaBeans (EJB), or servlets.

JAAS uses a Pluggable Authentication Module (PAM) framework, and permits the use of new or updated authentication technologies without requiring modifications to the application. Therefore, only developers of custom Authentication providers and developers of remote fat client applications need to be involved with JAAS directly. Users of thin clients or developers of within-container fat client applications do not require the direct use or knowledge of JAAS.

JAAS LoginModules All LoginModules are responsible for authenticating users within the security realm (we are going to discuss about that later) and for populating a subject with the necessary principals (users/groups). LoginModules contains necessary methods for Login Context, Accounts, Credentials, configuration of them, and different ways to exception handling. Each Authentication providers will be configured in a security realm, its LoginModules will store principals within the same subject too. I try to present that with an example: Via WebLogic Server Admin Console: Home >myDomain > Domain Structure click on Security Realms and then create a new realm “Moh_Realm-0” and then click on “OK” Read the complete article here.

WebLogic Partner Community

For regular information become a member in the WebLogic Partner Community please visit: http://www.oracle.com/partners/goto/wls-emea ( OPN account required). If you need support with your account please contact the Oracle Partner Business Center.

Blog Twitter LinkedIn Mix Forum Wiki

Tuesday Apr 15, 2014

Improve SSL Support for Your WebLogic Domains by Olaf Heimburger

Every WebLogic Server installation comes with SSL support. But for some reason many installations get this interesting error message at startup:

Ignoring the trusted CA certificate “CN=Entrust Root Certification Authority – G2,OU=(c) 2009 Entrust, Inc. – for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust, Inc.,C=US”. The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.

This looks odd and many people ignore these error messages. However, if your strategy is to show real error messages only, you are quickly looking for a solution. The Internet is full of possible solutions. Some recommend to remove the certificates from the JDK trust store, some recommend to use a different trust store. But is this the best solution and what are the side effects?

Main Article

Our way to the solution starts by understanding the error message. Here it is again.

Ignoring the trusted CA certificate “CN=Entrust Root Certification Authority – G2,OU=(c) 2009 Entrust, Inc. – for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust, Inc.,C=US”. The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.

The first sentence is the result while the second sentence explains the reason. Looking at the reason, we quickly find the “certificate parsing exception“. But what does “PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11” tell us?

  • PKIX stands for the Public Key Infrastructure (X.509). X.509 is the standard used to export, exchange, and import SSL certificates.
  • OID stands for the Object Identifier. Object Identifiers are globally unique and organized in a hierarchy. This hierarchy is maintained by the standards bodies in every country. Every standards body is responsible for a specific branch and can define and assign entries into the hierarchy.

With this background information we can lookup the number 1.2.840.113549.1.1.11 in the OID Repository (see References for the link) and get this result “iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) sha256WithRSAEncryption(11)“.

Combining the certificate information in the first sentence and the information from the OID lookup we have the following result:

The certificate from CN=Entrust Root Certification Authority – G2,OU=(c) 2009 Entrust, Inc. – for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust, Inc.,C=US uses SHA256WithRSAEncryption which is not supported by the JDK!

You will probably see more messages for similar or different encryption algorithms used in other certificates.

The Root Cause

These factors cause this (and similar) error messages:

  • By default the Java Cryptography Extension (JCE), that comes with the JDK, implements only limited strength jurisdication policy files.
  • The default trust store of the JDK that holds this and other certificates can be found in JAVA_HOME/jre/lib/security/cacerts.
  • WebLogic Server versions before 12c come with the Certicomm JSSE implementation. The Certicomm implementation will not be updated because the required JDK already comes with the standard SunJSSE implementation.

Read the complete article here.

WebLogic Partner Community

For regular information become a member in the WebLogic Partner Community please visit: http://www.oracle.com/partners/goto/wls-emea ( OPN account required). If you need support with your account please contact the Oracle Partner Business Center.

Blog Twitter LinkedIn Mix Forum Wiki

Friday Jun 07, 2013

WebLogic Server Security Workshop June 27th 2013 Germany

Oracle WebLogic Server Security
For all WebLogic Administrators and Developers we offer a WebLogic Security workshop 27.06.2013  in Düsseldorf Germany.

For details and agenda please visit our registration page.

clip_image002

WebLogic Partner Community

For regular information become a member in the WebLogic Partner Community please visit: http://www.oracle.com/partners/goto/wls-emea ( OPN account required). If you need support with your account please contact the Oracle Partner Business Center.

Blog Twitter LinkedIn Mix Forum Wiki

Monday Apr 08, 2013

SSL in WebLogic (CA, KeyStore, Identity & Trust Store) : Things you must know – Part I by Atul Kumar

This post covers basics of SSL in WebLogic Server and how to configure SSL with Custom Certificates and Certifying Authority. For SSL in Oracle E-Business Suite click here, SSL in Oracle Internet Directory (OID) click here , SSL in Oracle Virtual Directory (OVD) click here , and for SSL in Oracle Access Manager (OAM) click here
Secure Socket Layer (SSL) is used to encrypt data between client and Server (WebLogic in this case).

  • When user connects to WebLogic Server they can connect
    • a) Directly to WebLogic Server (Admin or Managed Server Port , more on WebLogic Admin/Managed Server here ) or
    • b) via Web Server or Load Balancer (Web Server or Load Balancer then connects to WebLogic Server). To configure WebServer (OHS) in front of WebLogic Server click here
  • User –> Load Balancer (or WebServer) –> WebLogic Server
  • User –> WebLogic Server Read the full article here.

WebLogic Partner Community

For regular information become a member in the WebLogic Partner Community please visit: http://www.oracle.com/partners/goto/wls-emea ( OPN account required). If you need support with your account please contact the Oracle Partner Business Center.

Blog Twitter LinkedIn Mix Forum Wiki

Friday Aug 31, 2012

Java update

Oracle has just released Security Alert CVE-2012-4681 to address 3 distinct but related vulnerabilities and one security-in-depth issue affecting Java running in desktop browsers.  These vulnerabilities are: CVE-2012-4681, CVE-2012-1682, CVE-2012-3136, and CVE-2012-0547.  These vulnerabilities are not applicable to standalone Java desktop applications or Java running on servers, i.e. these vulnerabilities do not affect any Oracle server based software." (Read more at https://blogs.oracle.com/security/entry/security_alert_for_cve_20121)
Updates are available at http://www.oracle.com/technetwork/java/javase/overview/index.html or Check your Java version online: http://www.java.com/de/download/testjava.jsp

image

WebLogic Partner Community

For regular information become a member in the WebLogic Partner Community please visit: http://www.oracle.com/partners/goto/wls-emea ( OPN account required). If you need support with your account please contact the Oracle Partner Business Center.

Blog Twitter LinkedIn Mix Forum Wiki

Search

Archives
« February 2015
SunMonTueWedThuFriSat
7
28
       
       
Today