Securing Oracle WebLogic Server – Pre-Install (Part 1)

This post discusses the tasks for preparing the operating system before installing WebLogic Server.

1) Validate Operating System

The very first thing to do is to validate that the latest critical updates and patches are applied. Everyone talks about it. However, breaches occur regularly because it is not done.

I recommend manually running the process to validate that the latest critical updates and patches are all applied before starting the installation. This means running Windows update on Windows machines. Linux and Unix provide similar capabilities.

Next, I recommend validating that the process is scheduled to run regularly to retrieve and install the latest critical updates and patches. It is one thing to check manually; it is another to be proactive about it.

Another critical aspect is subscribing to vulnerability alerts. It is simple: if you are serious about information security, you must subscribe. Software vendors such as IBM, Microsoft, Novell, Oracle, Red Hat and many more publish them. You must be proactive about it. There might be a delay between the disclosure of a vulnerability and the availability of a critical update or patch, and that window presents an opportunity to an attacker. I suggest being paranoid about it and assuming your systems are at risk, instead of scrambling to deal with a breach.

2) Create Dedicated User and Group

Linux and Unix security best practices recommend using dedicated users and groups for operations, administration, and management (OA&M) of application software, services and components that can be accessed remotely. The same approach applies to a Windows machine. Obviously, when installing WebLogic Server, I recommend applying this practice. Many Oracle products are installed using a user named oracle. Here again, I suggest being paranoid and using an original user name.

3) Create Installation Directories

Generally, on Unix and Linux machines, I recommend installing WebLogic Server following the Filesystem Hierarchy Standard (FHS). As an example, I usually install WebLogic Server on Linux in a directory such as /usr/local/oracle/middleware. On Windows, I install in a directory such as \oracle\middleware (obviously in the root of the drive). In a later, beyond-basics post, I will explore the benefits and tradeoffs of using a known or common path to install WebLogic Server.

Most importantly, you must secure the installation directory. Assuming WebLogic Server will be installed to /usr/local/oracle/middleware, access control should be set up to limit access to the /usr/local/oracle directory (all files and subdirectories it includes) to the account used for installing WebLogic Server. I even recommend removing all permissions for the group, not just world (or everyone in Windows).

Furthermore, following OA&M best practices, I recommend locating (application and user) data separately from software products. The WebLogic domain could easily be located in the /var hierarchy on Linux, or within the home or user directory of the account used for installing WebLogic Server. Similarly, this directory must be "locked down" and accessible only to the account used for installing WebLogic Server.

In Closing…

Those are general basic recommendations to prepare the environment before proceeding with the installation. Some are basic, well-known, and common practices. However, as stated before, breaches occur regularly because they are not followed.

When preparing the operating system, there are other practices that can be applied depending on the level of risk and/or your risk appetite. I suggest having a look at the NSA Hardening Guides. You can also find many additional resources on the internet along the same lines.

In my next post, I will discuss additional security practices (e.g. software firewalls) to consider before proceeding with installing WebLogic Server.

About the Author

Alan Belisle is a solution architect within the Emerging Platform Solutions (EPS) National Business Unit (NBU). He is responsible for providing subject matter expertise on Oracle Fusion Middleware products and business integration practices such as Service-Oriented Architecture (SOA), Business Process Management (BPM), Event-Driven Architecture (EDA), Complex Event Processing (CEP), Master Data Management (MDM) and Enterprise Application Integration (EAI). Alan has more than 22 years of IT experience, with 17 years of technology consulting experience working with Fortune 500 and small business clients, and state and federal agencies. He holds a Bachelor of Science in Computer Science from Universite de Sherbrooke in Canada, and is currently completing his Master of Science in Managing Innovation and Information Technology at Champlain College in Burlington, VT.
