{"id":5318,"date":"2014-11-20T12:58:40","date_gmt":"2014-11-20T12:58:40","guid":{"rendered":"https:\/\/pitss.org\/us\/?p=5318"},"modified":"2017-09-05T15:44:40","modified_gmt":"2017-09-05T19:44:40","slug":"switching-from-ssl-to-tls-for-oracle-weblogic-server","status":"publish","type":"post","link":"https:\/\/pitss.org\/us\/2014\/11\/20\/switching-from-ssl-to-tls-for-oracle-weblogic-server\/","title":{"rendered":"Switching from SSL to TLS for Oracle WebLogic Server"},"content":{"rendered":"

[et_pb_section bb_built=”1″ admin_label=”section” custom_padding=”0px||50px|” _builder_version=”3.0.51″][et_pb_row custom_padding=”0px|||” _builder_version=”3.0.51″ background_size=”initial” background_position=”top_left” background_repeat=”repeat”][et_pb_column type=”4_4″][et_pb_text _builder_version=”3.0.64″ custom_margin=”||30px|”]<\/p>\n

Switching from SSL to TLS for Oracle WebLogic Server<\/h1>\n

By default, when Oracle WebLogic Server uses HTTPS for secure connections such as for Forms and Reports, SSL (Secure Socket Layer) v3.0 and TLS (Transport Layer Security) v1.0 are configured. SSL is the original protocol used for secure connections via HTTPS where TLS is the newer, more secure protocol. In recent months, a security vulnerability known as Poodle, \u201cPaddling Oracle On Downgraded Legacy Encryption\u201d, was discovered to be. In summary, Poodle is a \u201cman-in-the-middle\u201d exploit which can allow hackers to view encrypted information.<\/p>\n

[\/et_pb_text][et_pb_divider color=”#e2e2e2″ show_divider=”on” divider_position=”center” _builder_version=”3.0.51″ custom_css_main_element=”margin-bottom:30px !important;” \/][et_pb_text _builder_version=”3.0.64″ custom_margin=”||30px|” background_layout=”light” text_orientation=”left” border_style=”solid”]<\/p>\n

What you’ll learn in this article:<\/strong><\/h3>\n

\u2713<\/strong> Learn more about the Poodle vulnerability
\n\u2713<\/strong>\u00a0How to configure an Oracle WebLogic Server with TLS<\/span><\/p>\n

[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row custom_padding=”40px|40px|30px|40px” background_color=”#006bb3″ background_position_1=”top_left” background_repeat_1=”no-repeat” _builder_version=”3.0.51″][et_pb_column type=”4_4″][et_pb_text background_layout=”dark” _builder_version=”3.0.64″ background_color=”#006bb3″]<\/p>\n

Fill out this form to get immediate access to the article.
\n<\/strong><\/h2>\n

[\/et_pb_text][et_pb_code module_class=”white-text” _builder_version=”3.0.64″][ninja_form id=14][\/et_pb_code][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"

Switching from SSL to TLS for Oracle WebLogic Server By default, when Oracle WebLogic Server uses HTTPS for secure connections such as for Forms and Reports, SSL (Secure Socket Layer) v3.0 and TLS (Transport Layer Security) v1.0 are configured. SSL is the original protocol used for secure connections via HTTPS where TLS is the newer, […]<\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"

By default, when Oracle WebLogic Server uses HTTPS for secure connections such as for Forms and Reports, SSL (Secure Socket Layer) v3.0 and TLS (Transport Layer Security) v1.0 are configured. SSL is the original protocol used for secure connections via HTTPS where TLS is the newer, more secure protocol. In recent months, a security vulnerability known as Poodle, \u201cP<\/strong>addling O<\/strong>racle O<\/strong>n D<\/strong>owngraded L<\/strong>egacy E<\/strong>ncryption\u201d, was discovered to be. In summary, Poodle is a \u201cman-in-the-middle\u201d exploit which can allow hackers to view encrypted information. More information on Poodle can be found on Oracle\u2019s website: http:\/\/www.oracle.com\/technetwork\/topics\/security\/poodlecve-2014-3566-2339408.html<\/a><\/p>

The vulnerability exists with SSL v3.0, which is commonly used as the secure protocol used for HTTPS connections with using Oracle WebLogic Server. However, the TLS protocol does not contain this vulnerability. If WebLogic is configured for both (it is by default) and the end-user\u2019s Web browser has SSL v3.0 and TLS v1.0 both enabled, there is a possibility that the WebLogic connection via HTTPS may be done using SSL v3.0 instead of TLS v1.0. A WebLogic connection is defined by any connection going to an application (JSP, Forms & Reports, ADF, Discoverer, etc.) which is deployed in Oracle WebLogic Server.<\/p>

The best approach is to configure WebLogic to only use TLS v1.0. With this, all end-users will be forced to use TLS 1.0 on all HTTPS connections to the WebLogic server whether it is used for running deployed JSP applications, Oracle Forms and Reports applications, Oracle ADF applications, or other Oracle Fusion Middleware applications. The changes are quick and easy to deploy. Also, no new SSL\/TLS certificates will need to be created<\/strong>. Implementing TLS v1.0 only for WebLogic can be done with these steps:<\/p>

1. Log into the WebLogic Administration Console (Example: http:\/\/server.domain:7001\/console)<\/p>

2. Log in with the weblogic username and password<\/p>

3. Go to Environment \u2013> Servers<\/p>

\"image\"<\/a><\/p>

4. Select a WebLogic server where SSL has been set up. We\u2019ll use WLS_FORMS as an example.<\/p>

\"image\"<\/a><\/p>

5. In the top-left corner, click \u201cLock & Edit\u201d.<\/p>

\"image\"<\/a><\/p>

6. Make sure the Configuration tab is enabled. Select the \u201cServer Start\u201d sub-tab.<\/p>

\"image\"<\/a><\/p>

7. In the Arguments<\/strong> section, type in the following parameter:<\/p>

-Dweblogic.security.SSL.protocolVersion=TLS1<\/p><\/blockquote>

NOTE: This will force the WebLogic server to use TLS instead of SSL.<\/p>

When finished, click the \u201cSave\u201d button.<\/p>

\"image\"<\/a><\/p>

8. For any other WebLogic servers using SSL\/TLS, repeat steps 4-7 (except for step 5 as you will be in \u201cLock & Edit\u201d mode already).<\/p>

9. In the top-left corner, click \u201cActivate Changes\u201d to apply all changes.<\/p>

\"image\"<\/a><\/p>

10. If any WebLogic servers which had the changes applied are currently running, they will need to be restarted using the Admin Console. If this includes the AdminServer, you will need to use WLST to start up the AdminServer as you will not be able to use the Admin Console if the AdminServer is down.<\/p>

Now that WebLogic is configured for TLS v1.0, all end users will need to make sure that TLS 1.0 is enabled in their Web browsers:Internet Explorer:<\/strong>NOTE: It is likely that TLS 1.0 is enabled in Internet Explorer, but it is recommended to check anyway.<\/strong>Go to Tools \u2013> Internet Options (or simply Internet Options from the menu in the top-right corner)In the Advanced tab, scroll down to the Security section. Make sure \u201cUse TLS 1.0\u201d is enabled.<\/p>

\"SNAGHTMLaf2c8f\"<\/a><\/p>

Mozilla Firefox and Google Chrome:<\/strong>All current releases of Firefox and Chrome have at least TLS 1.0 already enabled.After applying the steps above, you should be using TLS when running anything on the WebLogic server (JSP applications, ADF applications, Forms, etc.) using the HTTPS protocol.<\/p>

Source: Oracle Support note 1936300.1<\/strong><\/p>","_et_gb_content_width":"","footnotes":""},"categories":[49,22,4,36,19,71,10],"tags":[11,16,48,25,23,37,50,40],"class_list":["post-5318","post","type-post","status-publish","format-standard","hentry","category-adf-jdeveloper","category-forms","category-install-config","category-reports","category-unix-linux","category-weblogic-software","category-windows","tag-11g","tag-11gr2","tag-adf","tag-customer-support-request","tag-forms","tag-reports","tag-ssl","tag-weblogic"],"_links":{"self":[{"href":"https:\/\/pitss.org\/us\/wp-json\/wp\/v2\/posts\/5318","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pitss.org\/us\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pitss.org\/us\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pitss.org\/us\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/pitss.org\/us\/wp-json\/wp\/v2\/comments?post=5318"}],"version-history":[{"count":10,"href":"https:\/\/pitss.org\/us\/wp-json\/wp\/v2\/posts\/5318\/revisions"}],"predecessor-version":[{"id":9828,"href":"https:\/\/pitss.org\/us\/wp-json\/wp\/v2\/posts\/5318\/revisions\/9828"}],"wp:attachment":[{"href":"https:\/\/pitss.org\/us\/wp-json\/wp\/v2\/media?parent=5318"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pitss.org\/us\/wp-json\/wp\/v2\/categories?post=5318"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pitss.org\/us\/wp-json\/wp\/v2\/tags?post=5318"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}