WebLogic Security Configuration Requirements and Operating Instructions

Source: Internet
Author: User
Tags: domain

1 Scope
This specification applies to the WebLogic server in use. It sets out security configuration requirements for the WebLogic server, applicable to all security levels, and can be used as a reference for equipment network testing, security acceptance, security inspection standards and similar documents.
Because configuration operations differ between versions, this specification takes WebLogic 9.x on a UNIX platform as its example and gives the reference configuration actions for that version.
2 Normative reference documents
GB/T 22239-2008 "Information security technology - Basic requirements for security classification protection of information systems"
YD/T 1736-2008 "Internet security protection requirements"
YD/T 1738-2008 "Value-added service network - Messaging network security protection requirements"
YD/T 1740-2008 "Value-added service network - Intelligent network security protection requirements"
YD/T 1758-2008 "Non-core production unit security protection requirements"
YD/T 1752-2008 "Support network security protection requirements"
3 Abbreviations

SSL   Secure Sockets Layer
HTTP  Hypertext Transfer Protocol

4 Security Configuration Requirements
4.1 Accounts
Item No: 1
Required content: assign different roles to different administrative users.
Operation guide
1. Reference configuration operation
Log in to the console as an administrator:

    1. Click the "Security" folder on the left panel and expand the realm.
    2. Click the "Users" folder and set the role of each non-privileged user to one of Administrators, Deployers, Monitors or Operators.

Detection method
1. Determination condition
Different administrative users are assigned different roles.
2. Detection operation
Log in to the console as an administrator:

    1. Click the "Security" folder on the left panel and expand the realm.
    2. Click the "Users" folder and view the groups each user belongs to and the global role configuration.
Item No: 2
Required content: delete accounts that are unrelated to device operation, maintenance or other work.
Operation guide
1. Reference configuration operation
Log in to the console as an administrator:

    1. Click the "Security" folder on the left panel and expand the realm.
    2. Click the "Users" folder and delete any accounts that are unrelated to device operation, maintenance or other work.

Detection method
1. Determination condition
No accounts exist that are unrelated to device operation, maintenance or other work.
Item No: 3
Required content: do not run WebLogic as a privileged user.
Operation guide
1. Reference configuration operation
Log in to the admin console as a WebLogic administrator and perform:

    1. In the left panel, click the "Machine" folder.
    2. In the right panel, select the "Configure a New Unix Machine" link.
    3. Enter the UNIX machine name, tick "Enable Post-Bind UID" and enter the user name (this user must have full control of BEA_HOME and its subdirectories), then enter the corresponding group (the user name and group name must have been created in the OS beforehand). Click the "Apply" button. Note: do not use the default "nobody" user.
    4. Select the "Servers" tab. Move each desired server instance from the "Available" list to the "Chosen" list, then click the "Apply" button.

Detection method
1. Determination condition
The application server is started as a privileged user only to bind the port, after which the UID and GID are changed to a non-privileged user and group.
2. Detection operation
Execute as root:

ps -ef | grep -i weblogic

Log in to the admin console as a WebLogic administrator and perform:

    1. In the left panel, click the "Machine" folder.
    2. In the right panel, check whether the Unix machine is configured.

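The `ps -ef | grep -i weblogic` check above is easier to repeat when scripted. The following shell script is an added example, not part of the original baseline: it parses `ps -ef` output and flags any WebLogic server JVM owned by root. The process listing embedded in it is a constructed sample, and the function and variable names are the example's own.

```sh
#!/bin/sh
# Added example (not from the original baseline): flag WebLogic server JVMs
# that run as root in a `ps -ef` listing. Live use on the host, as root:
#   ps -ef | check_not_root

# Print "<user> <pid>" for every WebLogic server JVM in the ps -ef text read
# from stdin. The grep process itself is excluded from the result.
weblogic_processes() {
    grep -i 'weblogic\.Server' | grep -v ' grep ' | awk '{ print $1, $2 }'
}

# Return 0 when no WebLogic server JVM is owned by root, 1 otherwise.
check_not_root() {
    bad=$(weblogic_processes | awk '$1 == "root" { print $2 }')
    if [ -n "$bad" ]; then
        echo "FAIL: WebLogic running as root, PID(s): $bad"
        return 1
    fi
    echo "PASS: no WebLogic server JVM is owned by root"
    return 0
}

# Constructed sample of `ps -ef` output: AdminServer runs as the unprivileged
# "weblogic" account, ManagedServer1 wrongly runs as root.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 10:00 ?        00:00:01 init
weblogic  2310     1  0 10:05 ?        00:02:33 /usr/java/bin/java -Dweblogic.Name=AdminServer weblogic.Server
root      2455     1  0 10:06 ?        00:01:12 /usr/java/bin/java -Dweblogic.Name=ManagedServer1 weblogic.Server
root      2601  2400  0 10:07 pts/0    00:00:00 grep -i weblogic'

# Demo on the sample; the FAIL line for PID 2455 is the expected result.
printf '%s\n' "$SAMPLE_PS" | check_not_root || :
```

A server that binds port 80 or 443 as root and then switches to the post-bind UID shows up in `ps -ef` under the unprivileged account, so this check is consistent with the configuration described above.
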
Item No: 4
Required content: turn on hostname verification and set the Hostname Verification value to "BEA Hostname Verifier".
Operation guide
1. Reference configuration operation
Set the Hostname Verification value to "BEA Hostname Verifier".
Log in to the administration console as an administrator:

    1. Click the domain folder on the left panel, then click the "Servers" folder, then click the server name.
    2. In the "Keystores & SSL" tab of the configuration panel on the right, click "Show" under "Advanced Options", view the Hostname Verification value under the client attributes and set it to "BEA Hostname Verifier".

Detection method
1. Determination condition
The Hostname Verification value is set to "BEA Hostname Verifier".
2. Detection operation
Log in to the administration console as an administrator:

    1. Click the domain folder on the left panel, then click the "Servers" folder, then click the server name.
    2. In the "Keystores & SSL" tab of the configuration panel on the right, click "Show" under "Advanced Options" and view the Hostname Verification value under the client attributes.
4.2 Password
Item No: 1
Required content: for devices using static password authentication, the password must be at least 8 characters long and include at least 3 of the following 4 classes: digits, lowercase letters, uppercase letters and special symbols.
Operation guide
Log in to the console as an administrator:

    1. Click the "Security" folder on the left panel and expand the realm.
    2. Click the "Users" folder and set a password of at least 8 characters that includes at least 3 of the 4 classes: digits, lowercase letters, uppercase letters and special symbols.

Check the parameter in the weblogic.properties configuration file under the WebLogic installation directory:
weblogic.system.minpasswordlen=8

Detection method
1. Determination condition
Passwords are at least 8 characters long and contain at least 3 of the 4 character classes.
2. Detection operation
Check the weblogic.system.minpasswordlen parameter in weblogic.properties under the WebLogic installation directory.
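
The password rule above (at least 8 characters, at least 3 of the 4 character classes) and the weblogic.system.minpasswordlen parameter can both be checked with a small script. The following shell script is an added example, not part of the original baseline: the class rule is applied by the script itself rather than by WebLogic, and the properties file it writes is a constructed sample.

```sh
#!/bin/sh
# Added example (not from the original baseline): check a candidate password
# against the 4.2 item 1 rule (length >= 8, at least 3 of the 4 classes:
# digits, lowercase, uppercase, special symbols) and read the minimum length
# configured in a weblogic.properties file. The class rule is enforced here by
# the script; WebLogic's own setting is only weblogic.system.minpasswordlen.
LC_ALL=C
export LC_ALL

# Return 0 if password $1 satisfies the policy, 1 otherwise.
check_password_policy() {
    pw=$1
    [ "${#pw}" -ge 8 ] || return 1
    classes=0
    case $pw in *[0-9]*)        classes=$((classes + 1)) ;; esac   # digit
    case $pw in *[a-z]*)        classes=$((classes + 1)) ;; esac   # lowercase
    case $pw in *[A-Z]*)        classes=$((classes + 1)) ;; esac   # uppercase
    case $pw in *[!0-9A-Za-z]*) classes=$((classes + 1)) ;; esac   # special symbol
    [ "$classes" -ge 3 ]
}

# Print the weblogic.system.minpasswordlen value from properties file $1,
# or 0 when the key is absent. Blanks around '=' are ignored.
min_password_len() {
    awk -F= '
        /^[ \t]*weblogic\.system\.minpasswordlen[ \t]*=/ {
            gsub(/[ \t]/, "", $2); print $2; found = 1; exit
        }
        END { if (!found) print 0 }
    ' "$1"
}

# Return 0 if the configured minimum length in file $1 is at least 8.
check_min_password_len() {
    [ "$(min_password_len "$1")" -ge 8 ]
}

# Write a constructed sample weblogic.properties to a temp file; print its path.
write_sample_properties() {
    f=$(mktemp)
    printf '%s\n' '# constructed sample' 'weblogic.system.minpasswordlen=8' > "$f"
    echo "$f"
}

# Demo: two candidate passwords and the sample properties file.
for pw in 'Abc12345' 'abcdefg1' 'Ab1!'; do
    if check_password_policy "$pw"; then echo "ok:   $pw"; else echo "weak: $pw"; fi
done
p=$(write_sample_properties)
echo "minpasswordlen=$(min_password_len "$p")"
rm -f "$p"
```

Note that the minimum-length parameter only enforces length; the class rule still has to be applied when passwords are set, which is what check_password_policy does.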

Item No: 2
Required content: for devices using static password authentication, the user's account should be locked when the number of consecutive authentication failures exceeds 6 (not including 6).
Operation guide
1. Reference configuration operation
Set the account lockout count and lockout duration.
Log in to the console as an administrator:

    1. Click the "Security" folder on the left panel and expand the realm.
    2. Click the "User Lockout" tab in the right panel, set Lockout Enabled, set Lockout Threshold to 5 and Lockout Duration to 30 (minutes).

Detection method
1. Determination condition
Account lockout is enabled, with the lockout threshold and duration set as above.
2. Detection operation
Log in to the console as an administrator:

    1. Click the "Security" folder on the left panel and expand the realm.
    2. Click the "User Lockout" tab in the right panel and view Lockout Threshold, Lockout Duration and Lockout Reset Duration.
4.3 Logs
Item No: 1
Required content: turn on the log function.
Operation guide
Reference configuration operation
Log in to the admin console as an administrator:

    1. Click the domain name and select the "Configuration" tab in the right panel.
    2. Select the "Logging" tab and set the domain-level log, ticking the items marked in red in the original screenshot.
    3. Click the server name under "Servers" in the domain, select the "Logging" tab in the right panel, select "Domain" and tick "Log to Domain Log File".
    4. As above, click the "Server" tab, configure the server-level log and tick "Log to stdout" and the other items marked in red in the original screenshot.
    5. As above, click the "HTTP" tab and configure it as marked in red in the original screenshot.

Detection method
1. Determination condition
The log function is turned on.
Item No: 2
Required content: configure log auditing.
Operation guide
Reference configuration operation
Log in to the console as an administrator:

    1. Click the "Security" folder on the left panel, expand "Providers", then click the "Auditing" folder.
    2. Check whether an Auditor is configured; if there is none, select "Configure a new Default Auditor" and set the audit level to Failure.
    3. Click the server under the domain name in the left panel and, in the "General" tab of the right panel, set Configuration Auditing to "Logaudit".

Detection method
1. Determination condition
An auditor is configured with the audit level set to Failure, and Configuration Auditing is set to "Logaudit".
2. Detection operation
Log in to the console as an administrator:

    1. Click the "Security" folder on the left panel, expand "Providers", then click the "Auditing" folder.
    2. Check whether the Auditor is configured, comparing it with the configuration marked in red in the original screenshot.
    3. Click the server under the domain name in the left panel and check the items marked in red in the original screenshot.
4.4 Keystore and SSL Settings
Item No: 1
Required content: set the WebLogic keystore and SSL appropriately.
Operation guide
Create the user's own private key and digital certificate.
Log in to the administration console as an administrator:

    1. Click the domain folder on the left panel, then click the "Servers" folder, then click the server name.
    2. In the "Keystores & SSL" tab of the configuration panel on the right, click "Change" in the keystore configuration and change the default private key setting.
    3. Click "Change" in the SSL configuration and change the default private key setting.
    4. Click "Show" under "Advanced Options" and tick "SSL Rejection Logging Enabled".

Detection method
Log in to the admin console as an administrator:

    1. Click the domain folder on the left panel, then click the "Servers" folder, then click the server name.
    2. View the "Keystores & SSL" tab of the configuration panel on the right and compare it with the items marked in red and blue in the original screenshot.

4.5 Maximum Number of Open Sockets
Item No: 1
Required content: set the application server's maximum number of open sockets to a reasonable value.
Operation guide
1. Reference configuration operation
Log in to the admin console as an administrator:

    1. Click the domain name folder on the left panel, then click the "Servers" folder and double-click the server to manage.
    2. Select the "Tuning" tab under the "Configuration" panel on the right.
    3. Set "Maximum Open Sockets" to 254 or another value chosen by the user.
       Note: after this change the developer must test on a test machine and confirm that the application works normally before making the same change on the production machine.

Detection method
Log in to the admin console as an administrator:

    1. Click the domain name folder on the left panel, then click the "Servers" folder and double-click the server to manage.
    2. Select the "Tuning" tab under the "Configuration" panel on the right and view the "Maximum Open Sockets" value.
4.6 File and Directory Permissions
Item No: 1
Required content: set file and directory permissions so that there are no unnecessary permissions and no unnecessary files.
Operation guide
Reference configuration operation

Restrict the permissions of the startup and environment scripts to 710, confirm that the owner of BEA_HOME is the WebLogic user, set the permissions of unnecessary tool files to 700 and rename them with the suffix .predeleted.
Perform the following actions as root (replace weblogicuser with the WebLogic account name):

chown -R weblogicuser "$BEA_HOME"
find "$BEA_HOME"/ -name "*.sh" | xargs chmod 710

# Back up BEA_HOME, then find the unnecessary tool files and limit their permissions to 700
tar cvf "beahome.$(date '+%y%m%d').tar" "$BEA_HOME"
find "$WL_HOME"/ -name config_builder.sh | xargs chmod 700
find "$WL_HOME"/ -name startWLBuilder.sh | xargs chmod 700
find "$WL_HOME"/ -name jcommon-0.7.0.jar | xargs chmod 700
find "$WL_HOME"/ -name pointbase | xargs chmod 700
find "$WL_HOME"/ -name medrec | xargs chmod 700

# Rename the unnecessary tool files with the suffix .predeleted (run in the directory containing each file)
mv config_builder.sh config_builder.sh.predeleted
mv startWLBuilder.sh startWLBuilder.sh.predeleted
mv jcommon-0.7.0.jar jcommon-0.7.0.jar.predeleted
mv pointbase pointbase.predeleted
mv medrec medrec.predeleted

Detection method
Perform the following actions as root:

ls -alR "$BEA_HOME"
find "$BEA_HOME"/ -name "*.sh" | xargs ls -al

# Look for the unnecessary tool files
find "$BEA_HOME"/ -name config_builder.sh | xargs ls -al
find "$BEA_HOME"/ -name startWLBuilder.sh | xargs ls -al
find "$BEA_HOME"/ -name jcommon-0.7.0.jar | xargs ls -al
find "$WL_HOME"/ -name pointbase | xargs ls -al
find "$WL_HOME"/ -name medrec | xargs ls -al
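
The chmod and ls commands above can be turned into a repeatable audit that reports only the deviations. The following shell script is an added example, not part of the original baseline: it lists scripts that are not mode 710, entries not owned by the given user, and the baseline's unnecessary tool files that are neither mode 700 nor renamed .predeleted. Because it needs no WebLogic installation, it builds a constructed directory tree under a temporary directory; the file names and layout of that tree are the example's own.

```sh
#!/bin/sh
# Added example (not from the original baseline): audit the 4.6 settings on a
# BEA_HOME tree. Live use on the host, as root:
#   audit_bea_home "$BEA_HOME" weblogicuser

# Unnecessary tool files and directories named by the baseline.
UNNEEDED='config_builder.sh startWLBuilder.sh jcommon-0.7.0.jar pointbase medrec'

# *.sh files under $1 whose mode is not exactly 710.
scripts_not_710() {
    find "$1" -type f -name '*.sh' ! -perm 710
}

# Files and directories under $1 not owned by user $2.
not_owned_by() {
    find "$1" ! -user "$2"
}

# Unnecessary tools still present under $1 with a mode other than 700.
# Copies renamed *.predeleted no longer match their original names.
unneeded_tools_exposed() {
    for name in $UNNEEDED; do
        find "$1" -name "$name" ! -perm 700
    done
}

# Print the total number of findings for tree $1 that should be owned by $2.
audit_bea_home() {
    n=0
    n=$(( n + $(scripts_not_710 "$1" | wc -l) ))
    n=$(( n + $(not_owned_by "$1" "$2" | wc -l) ))
    n=$(( n + $(unneeded_tools_exposed "$1" | wc -l) ))
    echo "$n"
}

# Build a constructed BEA_HOME-like tree in a temp directory and print its
# path. Two entries are compliant, three produce findings.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/common/bin" "$root/common/eval/pointbase"
    : > "$root/bin/startWebLogic.sh"
    chmod 710 "$root/bin/startWebLogic.sh"            # compliant script
    : > "$root/bin/setEnv.sh"
    chmod 755 "$root/bin/setEnv.sh"                   # finding: script not 710
    : > "$root/common/bin/config_builder.sh"
    chmod 755 "$root/common/bin/config_builder.sh"    # finding: tool not 700 (also a script not 710)
    : > "$root/common/bin/startWLBuilder.sh.predeleted"   # compliant: renamed
    chmod 755 "$root/common/eval/pointbase"           # finding: tool directory not 700
    echo "$root"
}

# Demo against the constructed tree; the expected total is 4 findings.
T=$(make_sample_tree)
scripts_not_710 "$T"
unneeded_tools_exposed "$T"
echo "findings: $(audit_bea_home "$T" "$(id -un)")"
rm -rf "$T"
```

The owner check uses the account running the script in the demo; on a real host pass the WebLogic account name so that anything still owned by root after the chown is reported.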

4.7 WebLogic Operating Mode
Item No: 1
Required content: change the run mode to "Production Mode".
Operation guide
Reference configuration operation

Log in to the admin console as an administrator:

    1. Click the domain name and select the "General" tab in the right panel.
    2. Tick "Production Mode" to change the operating mode to "Production Mode".

Detection method
Execute as root (the grep searches the contents of the files that find locates):

find "$BEA_HOME"/ -name myserver.log | xargs grep -i "Production Mode"
find "$BEA_HOME"/ -name setEnv.sh | xargs grep -i "Production Mode"

Then log in to the admin console as an administrator, click the domain name and, in the right panel, select the "General" tab to check whether "Production Mode" is ticked.
4.8 Send Server Header
Item No: 1
Required content: disable the Send Server Header option.
Operation guide
Reference configuration operation

Log in to the admin console as an administrator:

    1. Click the "Servers" folder under the domain name and select the server to manage.
    2. In the right panel, under the "Protocols" panel, click the "HTTP" tab.
    3. Untick "Send Server Header" so that the server no longer sends the Server header.

Detection method
Log in to the admin console as an administrator:

    1. Click the "Servers" folder under the domain name and select the server to manage.
    2. In the right panel, under the "Protocols" panel, click the "HTTP" tab.
    3. Check whether "Send Server Header" is ticked.
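
The console check can be confirmed from the client side by inspecting the response headers. The following shell script is an added example, not part of the original baseline: it reads an HTTP response header block of the kind `curl -sI http://host:port/` prints and reports whether a Server header is still present. Both responses embedded in it are constructed samples, and the header value "WebLogic Server 9.2" is illustrative rather than the exact string WebLogic sends.

```sh
#!/bin/sh
# Added example (not from the original baseline): detect a Server header in an
# HTTP response header block read from stdin. Live use against a server:
#   curl -sI http://host:port/ | check_server_header_disabled

# Print the value of the first Server header (empty if none). Header names
# are case-insensitive; CR characters from CRLF line endings are dropped.
server_header_value() {
    tr -d '\r' | awk '
        tolower(substr($0, 1, 7)) == "server:" {
            sub(/^[^:]*:[ \t]*/, ""); print; exit
        }'
}

# Return 0 when no Server header is present, 1 (printing its value) when it is.
check_server_header_disabled() {
    v=$(server_header_value)
    if [ -n "$v" ]; then
        echo "FAIL: Server header is sent: $v"
        return 1
    fi
    echo "PASS: no Server header"
    return 0
}

# Constructed sample: response before "Send Server Header" is unticked ...
BEFORE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2007 00:00:00 GMT
Server: WebLogic Server 9.2
Content-Type: text/html
Content-Length: 0'

# ... and after it has been unticked.
AFTER='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2007 00:00:00 GMT
Content-Type: text/html
Content-Length: 0'

# Demo; the FAIL line for the first response is the expected result.
printf '%s\n' "$BEFORE" | check_server_header_disabled || :
printf '%s\n' "$AFTER"  | check_server_header_disabled
```

Run the check against each listen port, including the SSL port, since the header setting is read per server and a reverse proxy in front of WebLogic may add a Server header of its own.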

4.9 Deleting the Sample Programs
Item No: 1
Required content: delete the sample programs.
Operation guide
Reference configuration operation

Log in to the admin console as an administrator:

    1. Click the "Deployments" folder and check whether any applications of the forms shown in the original screenshot exist.
    2. Execute as root:

       find "$BEA_HOME"/ -name sample | xargs rm -rf

Detection method

    1. Execute as root: find "$BEA_HOME"/ -name sample -print
    2. Log in to the admin console as an administrator:
       a) Click the "Deployments" folder and check whether any applications of the forms shown in the original screenshot exist.
       b) Expand the "Deployments" subfolders and check whether the path of any of the above applications contains a "samples" directory, as shown in the original screenshot.

4.10 Setting the Default Error Page
Item No: 1
Required content: redefine the default error page in the application's web.xml.
Operation guide
Reference configuration operation

Edit <application home>/WEB-INF/web.xml and add an error-page definition.

Detection method
1. Determination basis
An error-page element is defined in the application's web.xml.
2. Detection operation
Execute as root:

cat <application home>/WEB-INF/web.xml
4.11 Session Timeout Period
Item No: 1
Required content: set a reasonable session timeout according to the specific application.
Operation guide
Reference configuration operation

Define the session timeout in the application's web.xml. For example, the following sets the session timeout to 15 minutes:

<session-config>
    <session-timeout>15</session-timeout>
</session-config>

Detection method
Check whether the session timeout is defined in the application's web.xml.
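
Both web.xml checks, the error-page definition from 4.10 and the session timeout from this section, can be done with one script instead of reading the whole file by hand. The following shell script is an added example, not part of the original baseline: it counts `<error-page>` elements, extracts the `<session-timeout>` value and compares it with a limit you choose. The two web.xml files it writes are constructed samples, and the limit of 30 minutes in the demo is an assumption, not a value the baseline prescribes.

```sh
#!/bin/sh
# Added example (not from the original baseline): check a WEB-INF/web.xml for
# an <error-page> definition (4.10) and a <session-timeout> no larger than a
# limit (4.11). Uses grep/sed line matching, which suits web.xml files where
# each element sits on its own line; use a real XML parser for other layouts.
# Live use:  check_web_xml /path/to/app/WEB-INF/web.xml 30

# Number of <error-page> elements in web.xml $1 (0 when none; grep's non-zero
# status for "no match" is ignored so the count is always printed).
error_page_count() {
    grep -c '<error-page>' "$1" || true
}

# The <session-timeout> value in minutes from web.xml $1, or "unset".
session_timeout_minutes() {
    v=$(sed -n 's/.*<session-timeout>[[:space:]]*\([0-9][0-9]*\)[[:space:]]*<\/session-timeout>.*/\1/p' "$1" | head -n 1)
    if [ -n "$v" ]; then echo "$v"; else echo unset; fi
}

# Return 0 when $1 defines an error page and a timeout of at most $2 minutes.
check_web_xml() {
    f=$1; limit=$2; rc=0
    if [ "$(error_page_count "$f")" -eq 0 ]; then
        echo "FAIL: no <error-page> defined in $f"; rc=1
    fi
    t=$(session_timeout_minutes "$f")
    if [ "$t" = unset ] || [ "$t" -gt "$limit" ]; then
        echo "FAIL: session-timeout is $t, limit is $limit minutes"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "PASS: $f"
    return "$rc"
}

# Write a constructed sample web.xml ("good" or "bad") to a temp file and
# print its path.
write_sample_web_xml() {
    f=$(mktemp)
    if [ "$1" = good ]; then
        cat > "$f" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <session-config>
    <session-timeout>15</session-timeout>
  </session-config>
  <error-page>
    <error-code>404</error-code>
    <location>/error.jsp</location>
  </error-page>
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error.jsp</location>
  </error-page>
</web-app>
EOF
    else
        cat > "$f" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <display-name>constructed sample without error page or timeout</display-name>
</web-app>
EOF
    fi
    echo "$f"
}

# Demo: the "good" file passes, the "bad" file reports both findings.
G=$(write_sample_web_xml good); B=$(write_sample_web_xml bad)
check_web_xml "$G" 30 || :
check_web_xml "$B" 30 || :
rm -f "$G" "$B"
```

Catching java.lang.Throwable in an error-page entry, as in the sample, ensures that unhandled exceptions also reach the custom page rather than the container's default stack-trace page.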

4.12 Patches
Item No: 1
Required content: upgrade to the latest patch level without impacting the business; the patch must be verified by testing.
Operation guide
Reference configuration operation
Install the latest security-related patch pack. Downloading security patches requires authorization from BEA. WebLogic security advisories are published at:
http://dev2dev.bea.com/advisoriesnotifications/

Detection method

    1. Log in to the admin console as an administrator, right-click the console icon in the left panel and select "View Server & Browser Info" to view the version number.
    2. Execute as root: cat "$BEA_HOME"/logs/log.txt
4.13 HTTP Encryption Protocol
Required content: for devices that are remotely maintained over HTTP, the device should support HTTPS or another encrypted protocol.
Operation guide
1. Reference configuration operation
Log in to the administration console as an administrator:

    1. Click the domain folder on the left panel, then click the "Servers" folder, then click the name of the server to manage.
    2. In the "Keystores & SSL" tab of the configuration panel on the right, enable the SSL configuration.

Detection method
1. Determination condition
SSL is enabled on the server.
2. Detection operation
View the SSL configuration in the "Keystores & SSL" tab as above.
4.14 Connection Number Settings
Required content: set the maximum and minimum number of connections according to machine performance and business requirements.
Operation guide
1. Reference configuration operation
Log in to the admin console as an administrator:

    1. Click the domain name folder on the left panel, then click the "Servers" folder and double-click the server to manage.
    2. Select the "Tuning" tab under the "Configuration" panel on the right.
    3. Set "Maximum Open Sockets" to 254 or another value chosen by the user.

Detection method
1. Determination condition
The maximum and minimum numbers of connections are set according to machine performance and business requirements.
2. Detection operation
Check the current number of connections.