This post continues where we left off in discussing the pre-installation tasks of Oracle WebLogic Server.
1) Operating System Firewall
Most operating systems include a (software) firewall. The existence of the Windows firewall and Linux firewall (a.k.a. iptables) are common knowledge. Just in case, here are some articles for Solaris and AIX:
- Setting up a firewall with AIX TCP/IP filtering
- Solaris 11 Firewall https://blogs.oracle.com/vreality/entry/solaris_11_firewall
I am sad to say that it is not uncommon for system administrators to disable the firewall on Linux. It is also common practice of not installing and/or configuring a firewall on Unix. Typically, this is done to simplify general operations, administration, and management (OA&M). As an example, on a project, a consultant was installing a database on Linux. He did not want to deal with creating the rules in the firewall and simply disabled it (he also disabled SELinux).
I highly recommend running the firewall on machines where any Fusion Middleware product is installed; this obviously includes WebLogic Server. In addition, please do your due diligence; review all the rules, removing the unnecessary ones (e.g. closing all unused or irrelevant ports).
2) Security-Enhanced Linux (SELinux)
SELinux is another necessary component of a secured Linux environment. The National Security Agency (NSA) was involved in its inception. If you read their hardening guide, you know they recommend running it. The SELinux Project Wiki provides the following definition for SELinux: “SELinux is a security enhancement to Linux which allows users and administrators more control over access control”. If you have read about information security, or your role involves information security, you know that access control is a critical part of information security.
Sadly, it is not uncommon for system administrators to disable SELinux. Generally, it does not affect the Java virtual machine (e.g. JRockit) and WebLogic Server operations. There is no specific policy that need to be disabled. If you have a web server tier (e.g. Oracle HTTP Server, Apache HTTP Server) in front of the WebLogic Server tier, changes are required on the web tier, but not on the WebLogic Server tier. However, those challenges do not warrant disabling SELinux altogether.
Let me be explicit about it. I highly recommend enabling SELinux. Furthermore, please do your due diligence and consult the NSA’s hardening guide. It provides a full section on SELinux, and recommended practices to harden it.
3) Obtain the Software
A very common mistake is to download Oracle products from the Oracle Technology Network (OTN). If you are a licensed customer, you must download the software products from the Oracle Software Delivery Cloud. I recommend doing your due diligence and validating the checksum (a.k.a. digest, hash). Here’s how Oracle introduces this concept: “A message digest (also known as a checksum or hash) is used to verify data has not been altered in transit”. At this point, you may feel we are being paranoiac. However, it is best practices to validate the checksum for all software packages you download from the internet, not just Oracle products.
In closing…
In the last two posts, I have provided general basic recommendations to prepare the environment before proceeding with the installation of WebLogic Server. Some of those practices are common knowledge. For some system administrators, many of these practices are part of their standard operating procedures. Unfortunately, there are too many installations that are left unsecured. Please do me a favor; most importantly, do your organization a favor: don’t be complacent about information security. If you do not do your due diligence to harden your environment, taking a holistic approach, your information strategy is as strong as your weakest link.
In my next post, I will discuss the installation and configuration of WebLogic Server.
