How to Secure Oracle WebLogic 12c

A best practices guide to deploying Oracle WebLogic to a production environment.

Created byChris Parent

Last updated 4/2016

English

What you'll learn

Securely install WebLogic
Create delegated administrators
Define password policies
Prevent Denial-of-Service attacks
Prevent brute force dictionary attacks
Encrypt network traffic using SSL
Patch WebLogic
Use domain administration ports

Course content

6 sections • 38 lectures • 3h 33m total length

Introduction6:41
Just an introduction to the course. I'll go over course objectives, ask some questions, and give a brief introduction of my self.
The Lab Guide4:12
This video will go over the lab guide and how you should use it. This is also where you will download the lab guide.

Secure Installation11:47
This lecture will discuss how to prepare the OS and environment for a production install of Oracle WebLogic. I will go over the installation process and discuss what components should be removed from WebLogic.
Lab 1.1 - Prepare Production Environment6:58
This lab goes over preparing your production environment.
Lab 1.2 - Installing WebLogic11:24
This lab walks through installing WebLogic and removing components not safe for production.
Lab 1.3 Patching6:24
This lab walks through patching a WebLogic installation.
Lab 1.4 Patch Rollback0:42
This lab shows you how to rollback a patch.

Tip #1 - Production Mode6:58
In this lecture you will learn the differences between production and development domain modes.
Tip #2 - Delegated Administration1:51
This lecture discusses delegated administration and its uses.
Tip #3 - Passwords3:09
This lecture will discuss how to define a password policy using the default password validator.
Tip #4 - User Lockout0:17
This lecture will discuss how to configure user login timeouts, retries, and lockouts to prevent brute force and dictionary attacks.
Tip #5 - Auditing1:32
This lecture discusses how to audit security events in WebLogic using the Default Auditing Provider.
Tip #6 - Cross Domain Security3:36
Learn how to enable trust between two WebLogic domains using Cross Domain Security.
Lab 2.1 - Create Domains7:05
Lab 2.2 - boot.properties4:32
Lab 2.3 - Admin Console3:38
Lab 2.4 - Delegated Administration5:28
Lab 2.5 - Password Policy4:07
Lab 2.6 - Auditing5:39

Tip #1 - Secure Network Architecture11:10
In this lecture I discuss deploying WebLogic in a multi-tiered network architecture, including using firewalls and access control lists to restrict network traffic in a WebLogic environment.
Tip #2 - Denial of Service Attacks3:11
Learn how to prevent Denial of Service attacks by setting message size limits and network timeouts.
Tip #3 - Connection Filters2:27
In this lecture I discuss how to use connection filters to filter traffic based upon port and protocol.
Lab 3.1 - Discover open ports8:43
This lab will show you how to view what ports are open on your system and identify what ports WebLogic has open.
Lab 3.2 - Connection Filters6:47
In this lab you'll learn how to configure a connection filter to restrict network traffic.
Lab 3.3 - Denial of Service2:19

SSL/TLS Overview6:40
Identity and Trust4:06
In this lecture I provide an overview of SSL/TLS and get into describing identity and trust as it pertains to WebLogic.
Configuring SSL5:24
In this lecture I describe how SSL is configured for WebLogic.
Debugging SSL2:48
In this lecture I discuss how to debug SSL using JVM flags.
Summary and Lab Overview1:23
In this short lecture I summarize Network Security.
Lab 4.1 - Create Identity and Trust8:34
Lab 4.3 Configure Identity and Trust for WebLogic4:37
Lab 4.4 - Configure SSL10:28
Lab 4.5 - Debug SSL7:02
Lab 4.6 - SSL for NodeManager10:12
Lab 4.7 - SSL Protocols and Cipher Suites12:10

Requirements

A server or workstation with elevated priveleges
Linux/Unix environments are prefered, but Windows is supported
Oracle JDK 1.7 or 1.8 installed
WebLogic 12.1.3 Generic Installer downloaded, but NOT installed. We will cover this in the lab.
Basic understand of networks and SSL

Description

This course introduces the student to some best practices for installing and securing Oracle WebLogic in production environments. There are many differences between Development and Production environments which this course will highlight.

This course is targeted at IT professionals, systems administrators, DevOps engineers, and architects who need to understand and deal with network, information, and application security. The course assumes a beginner to intermediate knowledge of Oracle WebLogic. Prior experience with installation and administration, either hands-on or conceptually is highly recommended.

The course is organized into a series of video lectures followed by a hands-on tutorial. This course comes with a detailed Lab Guide that you can use at home or work.

As an Architect during the day, I am responsible for ensuring that any solutions or services that are deployed to production are architected and deployed in a secure manner. Security is of the utmost importance and it should be yours too.

If you have enterprise deployments of WebLogic in production and you are responsible for how these systems are deployed and secured, then this course will help you understand where to start with securing WebLogic.

Security is a broad and deep topic. This course does not attempt to cover every possible security topic related to WebLogic, however. This course does attempt though to cover what I feel are some of the most important aspects of securing a deployment.

Who this course is for:

This course is intended for anyone interested in Weblogic security best practices. This course assumes a basic understanding of Oracle Weblogic with some familiarity with installing and using the administration console.
This course is geared mostly toward system administrators, DevOps engineers, and architects.

How to Secure Oracle WebLogic 12c

What you'll learn

Explore related topics

Course content

Welcome to Oracle WebLogic Security2 lectures • 11min

Lecture #1 - Secure Installation5 lectures • 37min

Lecture #2 - Domain Security12 lectures • 48min

Network Security6 lectures • 35min

Network Security - SSL/TLS11 lectures • 1hr 13min

Administrative Security2 lectures • 9min

Requirements

Description

Who this course is for: