Securing Oracle WebLogic Server – Install

This post discusses the actual installation of WebLogic Server. In practice, installing Oracle WebLogic Server involves installing two software products: Java – typically a Java software development kit (SDK) – and WebLogic Server.

In a secured deployment, I will install the Java SDK in the same location as WebLogic Server. On Linux as an example, assuming the Fusion Middleware home directory is /usr/local/oracle/middleware, I install the Java SDK to a directory such as /usr/local/oracle/middleware/jdk1.6.0_25 (for Java SDK version 1.6.0 Update 25). As a reminder, the Fusion Middleware home is simply a convention used for installing all the Oracle Fusion Middleware products within the same file hierarchy. During the execution of the installation wizard of the Java SDK, there is no specific security concern or task to perform. Although it is not primarily a security concern, I typically do not install the Java SDK samples and source code on a server. Finally, the installation of the Java SDK will be secured as part of the process of securing the installation of WebLogic Server since the two are collocated.

On Linux as an example, assuming the Fusion Middleware home directory is /usr/local/oracle/middleware, WebLogic Server 11g will typically be installed to the directory /usr/local/oracle/middleware/wlserver_10.3. I very seldom change this path. During the install I recommend subscribing to receive security updates (if not already subscribed). As with the Java SDK, there is no specific security concern or task to perform during the execution of the installation wizard. Here as well, I do not install samples and examples (e.g. WebLogic Server examples, Coherence examples).

Finally, when both products are installed, I lock down the Fusion Middleware home directory. Assuming it is /usr/local/oracle/middleware, specifically:

  1. I ensure that the directory /usr/local/oracle is owned by the dedicated user account and group created as part of the pre-installation of the WebLogic Server. If making a change, it is critical to ensure the update is recursive (i.e. affects the full file system hierarchy, all subdirectories and files this directory includes).
  2. Next, I remove all permissions for the group and world (or everyone in Windows environments). Only the dedicated user account should have access to the directory /usr/local/oracle and all subdirectories and files it includes.

These two steps prevent access by any other user, limiting access to the Java SDK and WebLogic Server product files and so limiting the number of users who can read or tamper with those directories and files. This may once again seem paranoid. However, a secured WebLogic domain and its critical configuration files could be breached by, for example, tampering with the Java classes that make up WebLogic Server.
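The two lock-down steps above, followed by a check that they took effect everywhere in the tree, as an added shell example that is not part of the original post. The function names are hypothetical, and the dedicated account and group are passed as arguments because the post does not name them.

```shell
#!/bin/sh
# Added example: apply and verify the two lock-down steps from the post.
# Function names are hypothetical; the account and group are whatever was
# created during pre-installation (the post does not name them).

# Steps 1 and 2: recursive ownership, then strip group/world permissions.
lock_down_mw_home() {
    lk_dir=$1; lk_user=$2; lk_group=$3
    # -h changes symlinks themselves rather than the files they point to.
    chown -hR "$lk_user:$lk_group" "$lk_dir" || return 1
    # Symbolic mode leaves the owner's own permission bits untouched.
    chmod -R go-rwx "$lk_dir" || return 1
}

# Verification: report anything not owned by user:group, or still carrying
# any group/world bit. Symlink modes are skipped (always rwxrwxrwx on Linux).
audit_mw_home() {
    au_dir=$1; au_user=$2; au_group=$3
    au_bad=$(find "$au_dir" \( \
        ! -user "$au_user" -o ! -group "$au_group" -o \
        \( ! -type l \( -perm -040 -o -perm -020 -o -perm -010 -o \
                        -perm -004 -o -perm -002 -o -perm -001 \) \) \
        \) -print)
    [ -z "$au_bad" ] && return 0
    printf '%s\n' "$au_bad" >&2    # offending paths, one per line
    return 1
}

# Usage (as root): sh lockdown.sh /usr/local/oracle <user> <group>
if [ "$#" -eq 3 ]; then
    lock_down_mw_home "$1" "$2" "$3" && audit_mw_home "$1" "$2" "$3"
fi
```

`audit_mw_home` can be rerun on its own later, for example after patching, to confirm that nothing under the directory was recreated with a different owner or looser permissions.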

In my next post, I will discuss the configuration of WebLogic Server, which consists of creating the WebLogic domain and securing its critical files.

Thoughts on “Securing Oracle WebLogic Server – Install”

  1. Very useful information. I follow these instructions to secure Oracle WebLogic Server install. Thank you for sharing info.

Alan Belisle

Alan Belisle is a solution architect within the Emerging Platform Solutions (EPS) National Business Unit (NBU). He is responsible for providing subject matter expertise on Oracle Fusion Middleware products and business integration practices such as Service-Oriented Architecture (SOA), Business Process Management (BPM), Event-Driven Architecture (EDA), Complex Event Processing (CEP), Master Data Management (MDM) and Enterprise Application Integration (EAI). Alan has more than 22 years of IT experience, with 17 years of technology consulting experience working with Fortune 500 and small business clients, and state and federal agencies. He holds a Bachelor of Science in Computer Science from Universite de Sherbrooke in Canada, and is currently completing his Master of Science in Managing Innovation and Information Technology at Champlain College in Burlington, VT.
