1. Introduction
A while ago, when Java deserialization vulnerabilities were in the news, I had to harden WebLogic for work. The WebLogic hardening guides available online were not comprehensive, probably because the product is mature and rarely written about. This article collects the pitfalls met along the way and gives the correct procedure.
2. Password complexity and change cycle policy
By default WebLogic only requires a password of at least 8 characters and enforces no complexity rules, so a complex password has to be chosen by hand during installation. For WebLogic 11g this article uses "We8_Q7%*5@1@Oracle" as its example; choose your own rather than reusing a published value.
WLST (WebLogic Scripting Tool) is WebLogic's command-line scripting tool. If you would rather not change the configuration through the console, use WLST: it can monitor and manage WebLogic Server instances and domains, and everything described below can be scripted with it.
In WebLogic 9.2 the tool is C:\bea\weblogic92\common\bin\wlst.cmd.
In WebLogic 11g the same script lives in the common\bin directory of the 11g installation.
If the default weak password of the weblogic user is still in use, change it as follows:
1) Log on to the administration console and change the password: in Domain Structure select "base_domain" -> "Security Realms" -> "myrealm" -> "Users and Groups", open the user and use its "Passwords" tab.
2) Restart the base_domain service.
After the restart WebLogic fails to start. The cause is that the password stored in boot.properties (the file used for unattended start-up) no longer matches the new one, so the file has to be updated. Its path is C:\bea\user_projects\domains\base_domain\servers\AdminServer\security\boot.properties; set the username and password in it to the new values. Writing them in plaintext is acceptable here: on the next start WebLogic replaces both values with encrypted ones (3DES in this release, AES in newer ones). Note that this encryption is reversible with the domain's SerializedSystemIni.dat, so boot.properties and that file must both stay readable only by the service account.
3) Change the username and password in boot.properties.
4) Restart the base_domain service; the domain can be accessed normally again.
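The same steps as a WLST (Jython) script, added here as an example and not taken from the original article. It checks the new password locally against the complexity rules, pushes those rules to the realm as a SystemPasswordValidator provider (assumed available; it exists in 11g but the article does not mention it), resets the password through the DefaultAuthenticator, and rewrites boot.properties. The admin URL, the old password, the realm name and the file paths are assumptions; the syntax stays within Jython 2.2 so it runs under the 11g WLST.

```python
# WLST (Jython) script: run with WL_HOME\common\bin\wlst.cmd harden_passwords.py
# Added example, not from the article. Adjust the assumed values below.
ADMIN_URL = 't3://localhost:7001'                          # assumed admin listen address
ADMIN_USER = 'weblogic'                                    # account whose password changes
OLD_PASSWORD = 'weblogic1'                                 # assumed current weak password
NEW_PASSWORD = 'We8_Q7%*5@1@Oracle'                        # article's example; do not reuse it
DOMAIN_HOME = 'C:/bea/user_projects/domains/base_domain'   # article's Windows domain path
BOOT_PROPERTIES = DOMAIN_HOME + '/servers/AdminServer/security/boot.properties'

# Complexity rules to enforce; keys are SystemPasswordValidator attribute names.
POLICY = {
    'MinPasswordLength': 8,
    'MinUppercaseCharacters': 1,
    'MinLowercaseCharacters': 1,
    'MinNumericCharacters': 1,
    'MinNonAlphanumericCharacters': 1,
}

def check_password(username, password, policy=POLICY):
    """Local pre-check of a password against POLICY plus 'must not contain the
    username', so a bad password is caught before anything touches the server.
    Returns the list of failed rule names; an empty list means it passes."""
    failed = []
    if len(password) < policy['MinPasswordLength']:
        failed.append('MinPasswordLength')
    counts = {
        'MinUppercaseCharacters': len([c for c in password if c.isupper()]),
        'MinLowercaseCharacters': len([c for c in password if c.islower()]),
        'MinNumericCharacters': len([c for c in password if c.isdigit()]),
        'MinNonAlphanumericCharacters': len([c for c in password if not c.isalnum()]),
    }
    for rule in counts.keys():
        if counts[rule] < policy[rule]:
            failed.append(rule)
    if username.lower() in password.lower():
        failed.append('RejectEqualOrContainUsername')
    return failed

def configure_policy(policy):
    """Create or update the realm's SystemPasswordValidator so the server
    itself enforces the same rules on every future password change."""
    edit()
    startEdit()
    realm = cmo.getSecurityConfiguration().getDefaultRealm()
    pv = realm.lookupPasswordValidator('SystemPasswordValidator')
    if pv is None:
        pv = realm.createPasswordValidator(
            'SystemPasswordValidator',
            'com.bea.security.providers.authentication.passwordvalidator.SystemPasswordValidator')
    for rule in policy.keys():
        getattr(pv, 'set' + rule)(policy[rule])
    pv.setRejectEqualOrContainUsername(true)   # 'true' is WLST's Java boolean
    save()
    activate()

def reset_password(user, new_password):
    """Change a user's password in the DefaultAuthenticator (embedded LDAP).
    This is an operation on the provider, so it needs no edit session."""
    serverConfig()
    realm = cmo.getSecurityConfiguration().getDefaultRealm()
    atn = realm.lookupAuthenticationProvider('DefaultAuthenticator')
    atn.resetUserPassword(user, new_password)

def write_boot_properties(path, user, password):
    """Rewrite boot.properties so the next start can log in; WebLogic encrypts
    both values in place on that start. Keep the file owner-readable only."""
    f = open(path, 'w')
    f.write('username=%s\npassword=%s\n' % (user, password))
    f.close()

if __name__ in ('main', '__main__'):   # WLST sets __name__ to 'main'
    failed = check_password(ADMIN_USER, NEW_PASSWORD)
    if failed:
        raise SystemExit('new password violates: ' + ', '.join(failed))
    connect(ADMIN_USER, OLD_PASSWORD, ADMIN_URL)
    configure_policy(POLICY)
    reset_password(ADMIN_USER, NEW_PASSWORD)
    write_boot_properties(BOOT_PROPERTIES, ADMIN_USER, NEW_PASSWORD)
    disconnect()
    print('Policy applied and password changed; restart the domain now.')
```

The local check runs first so that a password the validator would refuse never reaches the reset step, which otherwise leaves the realm with the old password but boot.properties with the new one. After the script, restart the domain as in step 4.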
3. Enable the management Port
Log on to the console, click "base_domain" under Domain Structure and, on the "Settings for base_domain" page, select "Configuration" -> "General".
Enable Administration Port: the domain-wide administration port (default 9002). It accepts SSL connections only and, once enabled, carries the console and all other administrative traffic.
To enable the secure management console port and URL path:
1) Log on to the WebLogic console, tick "Enable Administration Port", save and click "Activate Changes".
2) Restart the service.
The console is then reached at https://localhost:9002/console. Two caveats: every server in the domain must have SSL enabled (the demo certificate is used until you configure a real identity keystore), and once the administration port is on, administrative connections on the plain listen port are refused, so WLST has to connect with t3s://host:9002.
4. Log security configuration
WebLogic has three kinds of log: the server log, the HTTP access log and the domain log. The server log and the HTTP access log are configured per server in the console.
Server log: errors WebLogic Server meets during start-up or operation are shown on the screen and recorded in a log file, by default AdminServer.log in the server's logs directory. The file also records other events such as start-up and shutdown. The General tab of the server's Logging page sets the file's path and name, its rotation, and the severity threshold.
Each log message carries a severity level that indicates its importance or urgency. WebLogic Server predefines levels from TRACE to EMERGENCY. When a message is handed to the logger, its severity is compared with the configured threshold. From least to most severe the levels are:
TRACE, DEBUG, INFO, NOTICE, WARNING, ERROR, CRITICAL, ALERT and EMERGENCY. A threshold can be set on the logger and on each handler (log file, standard out, domain log broadcaster, memory buffer). The logger's threshold filters first: no handler receives what the logger rejected, so with the logger at NOTICE no handler receives INFO events. A handler's threshold affects only that handler: raising the file handler above DEBUG stops DEBUG messages reaching the log file, while a standard-out handler left at DEBUG still prints them, provided the logger lets them through.
HTTP access log: WebLogic can record every file on the server requested over HTTP or HTTPS. The default file name is access.log, written in common log format: one line per request with the client IP address, the timestamp, the request line, the status code and the response size.
Domain log: records the running state of the whole domain. Each WebLogic Server in the domain forwards some of its messages (such as serious errors) to the Administration Server, which writes them to the domain log. Default name: domain_name.log.
1) Log on to the console, open "Domain Structure" -> "Environment" -> "Servers", select "AdminServer(admin)" and click the "Logging" tab; its General and HTTP sub-tabs hold the server log and access log settings.
2) Log on to the console, open "Domain Structure" -> "base_domain" -> "Configuration" -> "Logging" to set up the domain log.
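The three log settings as a WLST (Jython) script, added here as an example rather than taken from the article, together with a small helper that makes the logger-versus-handler rule above concrete. The admin URL, credentials, server and domain names, rotation values and access-log fields are assumptions; the severity names use WLST's capitalisation ('Info', 'Notice'), which the console shows in upper case.

```python
# WLST (Jython) script: added example, not from the article. Jython 2.2 syntax.
ADMIN_URL = 't3://localhost:7001'      # assumed
ADMIN_USER = 'weblogic'                # assumed
ADMIN_PASSWORD = 'We8_Q7%*5@1@Oracle'  # article's example password
SERVER = 'AdminServer'
DOMAIN = 'base_domain'

# WebLogic severities, least to most severe, in the order the article gives.
SEVERITIES = ['Trace', 'Debug', 'Info', 'Notice', 'Warning',
              'Error', 'Critical', 'Alert', 'Emergency']

def effective_severity(logger_level, handler_level):
    """Lowest severity a handler actually receives. A handler never sees what
    the logger already rejected, so the result is the more severe of the two."""
    if SEVERITIES.index(logger_level) > SEVERITIES.index(handler_level):
        return logger_level
    return handler_level

def passes(message_level, logger_level, handler_level):
    """True when a message of message_level reaches the given handler."""
    threshold = effective_severity(logger_level, handler_level)
    return SEVERITIES.index(message_level) >= SEVERITIES.index(threshold)

def configure_logging():
    """Server log to file from Info, stdout from Notice, Error and above
    forwarded to the domain log; access log on; daily rotation, 30 files."""
    edit()
    startEdit()
    cd('/Servers/%s/Log/%s' % (SERVER, SERVER))
    cmo.setLoggerSeverity('Info')                # logger threshold (filters first)
    cmo.setLogFileSeverity('Info')               # file handler
    cmo.setStdoutSeverity('Notice')              # stdout handler
    cmo.setDomainLogBroadcastSeverity('Error')   # what goes to the admin server
    cmo.setRotationType('byTime')
    cmo.setRotationTime('00:00')
    cmo.setFileTimeSpan(24)
    cmo.setNumberOfFilesLimited(true)
    cmo.setFileCount(30)
    # HTTP access log: enabled, extended format with the fields worth keeping.
    cd('/Servers/%s/WebServer/%s/WebServerLog/%s' % (SERVER, SERVER, SERVER))
    cmo.setLoggingEnabled(true)
    cmo.setLogFileFormat('extended')
    cmo.setELFFields('date time c-ip cs-method cs-uri sc-status bytes time-taken')
    cmo.setRotationType('byTime')
    cmo.setFileTimeSpan(24)
    cmo.setNumberOfFilesLimited(true)
    cmo.setFileCount(30)
    # Domain log, written by the administration server.
    cd('/Log/%s' % DOMAIN)
    cmo.setFileName('logs/%s.log' % DOMAIN)
    cmo.setRotationType('byTime')
    cmo.setFileTimeSpan(24)
    save()
    activate()

if __name__ in ('main', '__main__'):   # WLST sets __name__ to 'main'
    connect(ADMIN_USER, ADMIN_PASSWORD, ADMIN_URL)
    configure_logging()
    disconnect()
    print('With logger=Info and stdout=Notice, Info reaches stdout: %s'
          % passes('Info', 'Info', 'Notice'))
```

Rotation is set on all three logs because an unbounded access.log is the file that most often fills the disk on a long-running server, and a full disk silently stops logging.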
5. Minimal installation
1) Do not keep the default administrator username weblogic. Use a name that is not easy to guess, for example "root_domain" (section 7 shows how to recreate the administrator account under a new name).
2) Do not install or deploy the sample applications.
6. Management console access address restriction and management console closure
Log on to the console, click "base_domain" under Domain Structure and, on the "Settings for base_domain" page, select "Configuration" -> "General" and expand "Advanced" to see the relevant settings.
Besides the console, the console can also be disabled by editing the configuration file.
1) Select domain -> "Configuration" -> "General" and expand "Advanced".
2) Untick "Console Enabled", save, and activate the change.
In config.xml this corresponds to the domain-level <console-enabled> element: it reads true while the console is enabled (the default) and false once it has been disabled.
3) After the service is restarted, requests to the management console return "Error 404 - Not Found".
Two caveats. Disabling the console does not restrict who can reach the administration port; restricting source addresses, the other half of this section's title, is done with a network connection filter, not with this setting. And with the console gone, WLST is the remaining way to administer the domain, so make sure it works before turning the console off.
How can the console be re-enabled once it is closed?
1. Stop the domain, then edit config.xml and set <console-enabled> back to true (edit config.xml only with the Administration Server down; a running server rewrites the file).
2. Restart the domain service.
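One WLST (Jython) script covering both section 3 (administration port) and this section (console), added here as an example and not part of the article. It enables the SSL-only administration port, enables SSL on every server so they can listen on it, disables the console, and then audits config.xml to confirm both settings took. The admin URL, credentials, port and paths are assumptions; the embedded config.xml is a constructed sample used only for the audit check.

```python
# WLST (Jython) script: added example, not from the article. Jython 2.2 syntax.
from xml.dom import minidom

ADMIN_URL = 't3://localhost:7001'      # assumed; afterwards connect with t3s://localhost:9002
ADMIN_USER = 'weblogic'                # assumed
ADMIN_PASSWORD = 'We8_Q7%*5@1@Oracle'  # article's example password
ADMIN_PORT = 9002                      # WebLogic's default administration port
DOMAIN_HOME = 'C:/bea/user_projects/domains/base_domain'
CONFIG_XML = DOMAIN_HOME + '/config/config.xml'

def harden_admin_access(admin_port):
    """Turn on the administration port (SSL only), make sure every server has
    SSL enabled so it can serve that port, and switch the console off. None of
    these attributes is dynamic: restart the domain after activation."""
    edit()
    startEdit()
    cd('/')
    cmo.setAdministrationPort(admin_port)
    cmo.setAdministrationPortEnabled(true)
    for server in cmo.getServers():
        server.getSSL().setEnabled(true)
    cmo.setConsoleEnabled(false)
    save()
    activate()

def _text(doc, tag, default):
    """Text of the first <tag> in config.xml, or default when the element is
    absent (WebLogic only writes values that differ from the default)."""
    nodes = doc.getElementsByTagName(tag)
    if not nodes or nodes[0].firstChild is None:
        return default
    return nodes[0].firstChild.data.strip()

def audit_config_xml(xml_text):
    """Findings for a config.xml; an empty list means both settings are in
    place. Defaults: administration port disabled, console enabled."""
    doc = minidom.parseString(xml_text)
    findings = []
    if _text(doc, 'administration-port-enabled', 'false') != 'true':
        findings.append('administration port disabled: admin traffic on the plain listen port')
    if _text(doc, 'console-enabled', 'true') != 'false':
        findings.append('console enabled')
    return findings

# Constructed sample of an un-hardened config.xml, for the audit check only.
SAMPLE_CONFIG_XML = '''<?xml version="1.0" encoding="UTF-8"?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>base_domain</name>
  <console-enabled>true</console-enabled>
  <server>
    <name>AdminServer</name>
    <listen-port>7001</listen-port>
  </server>
  <administration-port>9002</administration-port>
</domain>
'''

if __name__ in ('main', '__main__'):   # WLST sets __name__ to 'main'
    connect(ADMIN_USER, ADMIN_PASSWORD, ADMIN_URL)
    harden_admin_access(ADMIN_PORT)
    disconnect()
    f = open(CONFIG_XML)
    findings = audit_config_xml(f.read())
    f.close()
    if findings:
        print('still open: ' + '; '.join(findings))
    else:
        print('hardened; restart the domain, then use t3s://localhost:%d' % ADMIN_PORT)
```

After the restart, WLST must connect over the administration port (t3s://localhost:9002) and has to trust the server certificate; with the demo certificate that means launching it with -Dweblogic.security.TrustKeyStore=DemoTrust. The audit can be rerun on its own against any domain's config.xml to check that nobody has turned the console back on.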
7. Recreate the weblogic user name and password
If you have forgotten the WebLogic Server administrator password, reset it as follows.
1) For safety, back up everything in the domain's %DOMAIN_HOME%/security folder (C:\bea\user_projects\domains\base_domain\security), in particular DefaultAuthenticatorInit.ldift.
2) Change into %DOMAIN_HOME%/security and run:
java -cp /usr/local/bea/weblogic92/server/lib/weblogic.jar weblogic.security.utils.AdminAccount <new user name> <new password> .
Note the last argument: a space and a dot, i.e. the current directory. The utility writes a new DefaultAuthenticatorInit.ldift there, replacing the original in place; if you ran it in another directory, copy the generated file over %DOMAIN_HOME%/security/DefaultAuthenticatorInit.ldift. The regenerated file contains the new administrator account. The password is passed on the command line, so it ends up in the shell history; clear it afterwards.
3) Go to the administration server's directory:
cd %DOMAIN_HOME%/servers/AdminServer and rename the data directory, for example to data_old, or move it elsewhere. This directory holds the embedded LDAP; renaming it discards every user, group, role and policy created since installation, which are rebuilt from the ldift files on the next start, so keep the copy.
4) Go to ./AdminServer/security, delete boot.properties and recreate it with the following content (the username and password must match what was given to AdminAccount; use a complex password rather than the one shown):
username=adminuser
password=weblogic
5) Start the domain; the console now accepts the user adminuser with the new password.
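The recovery steps as a plain Python script, added here as an example and not from the article. It runs with the domain stopped (the server cannot be connected to, so this is not a WLST script), backs up first, regenerates the ldift with the AdminAccount utility, moves the embedded LDAP data aside and rewrites boot.properties. The paths, account name and password are assumptions, and java must be on the PATH; the rehearse function builds a throwaway domain layout so the file-handling steps can be tried without WebLogic.

```python
# Added example, not from the article. Plain Python (2.4+ or 3); run while stopped.
import os
import shutil
import subprocess
import tempfile
import time

DOMAIN_HOME = '/usr/local/bea/user_projects/domains/base_domain'    # assumed
WEBLOGIC_JAR = '/usr/local/bea/weblogic92/server/lib/weblogic.jar'  # path used in the article
NEW_USER = 'adminuser'                                              # name from the article
NEW_PASSWORD = 'We8_Q7%*5@1@Oracle'      # complex password, not the article's 'weblogic'
STAMP = time.strftime('%Y%m%d%H%M%S')

def backup_security(domain_home):
    """Step 1: copy DOMAIN_HOME/security aside before anything is overwritten."""
    src = os.path.join(domain_home, 'security')
    dst = src + '_backup_' + STAMP
    shutil.copytree(src, dst)
    return dst

def regenerate_ldift(domain_home, weblogic_jar, user, password):
    """Step 2: run weblogic.security.utils.AdminAccount in a scratch directory
    and copy its DefaultAuthenticatorInit.ldift over the domain's copy. The
    argument-list form avoids shell quoting and keeps the password out of the
    shell history (it is still visible in the process list while running)."""
    scratch = tempfile.mkdtemp(prefix='ldift_')
    rc = subprocess.call(['java', '-cp', weblogic_jar,
                          'weblogic.security.utils.AdminAccount', user, password, scratch])
    generated = os.path.join(scratch, 'DefaultAuthenticatorInit.ldift')
    if rc != 0 or not os.path.isfile(generated):
        raise RuntimeError('AdminAccount did not produce ' + generated)
    target = os.path.join(domain_home, 'security', 'DefaultAuthenticatorInit.ldift')
    shutil.copy(generated, target)
    return target

def retire_ldap_data(domain_home, server='AdminServer'):
    """Step 3: move servers/<server>/data out of the way so the embedded LDAP is
    rebuilt from the ldift files on the next start. Users, groups, roles and
    policies created since installation live in it; the backup keeps them."""
    data = os.path.join(domain_home, 'servers', server, 'data')
    old = data + '_old_' + STAMP
    os.rename(data, old)
    return old

def write_boot_properties(domain_home, user, password, server='AdminServer'):
    """Step 4: replace boot.properties with the new credentials in plaintext;
    WebLogic encrypts them on the first start. Owner-only permissions until then."""
    sec = os.path.join(domain_home, 'servers', server, 'security')
    if not os.path.isdir(sec):
        os.makedirs(sec)
    path = os.path.join(sec, 'boot.properties')
    f = open(path, 'w')
    f.write('username=%s\npassword=%s\n' % (user, password))
    f.close()
    os.chmod(path, int('600', 8))
    return path

def reset_admin_account(domain_home, weblogic_jar, user, password):
    """Steps 1 to 4 in order; returns the backup directory to restore from."""
    backup = backup_security(domain_home)
    regenerate_ldift(domain_home, weblogic_jar, user, password)
    retire_ldap_data(domain_home)
    write_boot_properties(domain_home, user, password)
    return backup

def rehearse(user='adminuser', password='Rehearse#1'):
    """Dry run on a constructed throwaway domain layout (no java needed):
    exercises steps 1, 3 and 4 and reports whether each produced what it should."""
    root = tempfile.mkdtemp(prefix='wl_rehearsal_')
    os.makedirs(os.path.join(root, 'security'))
    os.makedirs(os.path.join(root, 'servers', 'AdminServer', 'data', 'ldap'))
    f = open(os.path.join(root, 'security', 'DefaultAuthenticatorInit.ldift'), 'w')
    f.write('dn: cn=Administrators\n')   # placeholder content, not a real ldift
    f.close()
    backup = backup_security(root)
    old = retire_ldap_data(root)
    boot = write_boot_properties(root, user, password)
    f = open(boot)
    content = f.read()
    f.close()
    result = {
        'backup_has_ldift': os.path.isfile(os.path.join(backup, 'DefaultAuthenticatorInit.ldift')),
        'data_moved': os.path.isdir(old)
                      and not os.path.isdir(os.path.join(root, 'servers', 'AdminServer', 'data')),
        'boot_ok': content == 'username=%s\npassword=%s\n' % (user, password),
    }
    shutil.rmtree(root)
    return result

if __name__ == '__main__':
    print('backup at ' + reset_admin_account(DOMAIN_HOME, WEBLOGIC_JAR, NEW_USER, NEW_PASSWORD))
```

Running rehearse() first on the machine that will do the real reset confirms the filesystem permissions allow the copy and rename before the irreversible step 3 touches the live data directory.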
8. Summary
The above covers only the security configuration of WebLogic in standalone mode; clustered deployments are not addressed. Corrections and additions are welcome.