Securing a Production Environment
Determining Your Security Needs
Before you deploy WebLogic Server and your Java EE applications into a production environment, determine your security needs and make sure that you take the appropriate security measures, as described in the following sections:
- Understand Your Environment
- Hire Security Consultants or Use Diagnostic Software
- Read Security Publications
- Install WebLogic Server in a Secure Manner
Understand Your Environment
To better understand your security needs, ask yourself the following questions:
- Which resources am I protecting?
Many resources in the production environment can be protected, including information in databases accessed by WebLogic Server, and the availability, performance, applications, and integrity of the Web site. Consider the resources you want to protect when deciding the level of security to provide.
- From whom am I protecting the resources?
For most Web sites, resources must be protected from everyone on the Internet. But should the Web site be protected from the employees on the intranet in your enterprise? Should your employees have access to all resources within the WebLogic Server environment? Should the system administrators have access to all WebLogic resources? Should the system administrators be able to access all data? You might consider giving access to highly confidential data or strategic resources to only a few well-trusted system administrators. Perhaps it would be best to allow no system administrators access to the data or resources.
- What will happen if the protections on strategic resources fail?
In some cases, a fault in your security scheme is easily detected and considered nothing more than an inconvenience. In other cases, a fault might cause great damage to companies or individual clients that use the Web site. Understanding the security ramifications of each resource will help you protect it properly.
Hire Security Consultants or Use Diagnostic Software
Whether you deploy WebLogic Server on the Internet or on an intranet, it is a good idea to hire an independent security expert to go over your security plan and procedures, audit your installed systems, and recommend improvements. Oracle On Demand offers services and products that can help you to secure a WebLogic Server production environment. See the Oracle On Demand page at http://www.oracle.com/ondemand/index.html.
Read Security Publications
- For the latest information about securing Web servers, Oracle recommends the “Security Practices & Evaluations” information available from the CERT Coordination Center operated by Carnegie Mellon University.
- For security advisories, refer to the Oracle WebLogic Advisories and Notifications page at the following location:
https://support.bea.com/application_content/product_portlets/securityadvisories/index.html
Here, you can download security-related patches and register to receive notifications of newly available security advisories. Report possible security issues in Oracle WebLogic products to secalert@bea.com.
Install WebLogic Server in a Secure Manner
Currently, the WebLogic Server installation includes the entire JDK and some additional WebLogic Server development utilities (for example, beasvc). These development programs could present a security vulnerability. The following are recommendations for making a WebLogic Server installation more secure:
- Do not install the WebLogic Server sample applications. When installing WebLogic Server, select the Custom option and clear the Samples option.
- Minimize the WebLogic Server installation by doing the following:
  - Run with the JRE instead of the Java SDK. The Javasoft SDK offers a JRE download and installation. When installing WebLogic Server, use the Configuration Wizard and select the JRE option. This option eliminates the Java compiler and other development tools.
  - When using JRockit, delete the software components of the Java SDK that are not in the JRockit JRE.
  - Delete development tools such as the Configuration Wizard, WebLogic Builder, and the jCOM tools if you do not plan to use them in production.
  - Delete the Pointbase database, which is included for evaluation purposes only and is not supported in production environments.
  There is always a risk of making mistakes when deleting executables, files, and directories from the WebLogic Server installation. Therefore, Oracle recommends testing your changes in a secure development environment before implementing them in a production environment.
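The following audit script is an added example, not part of Oracle's documentation or the WebLogic product: it scans an installation home for the development artifacts the list above recommends removing (sample applications, a Java compiler indicating a full SDK rather than a JRE, the Pointbase evaluation database, and development utilities such as the Configuration Wizard script and beasvc). Every directory and file name it looks for is an assumed layout typical of WebLogic 9.x/10.x trees; adjust the globs to match your own installation.

```shell
#!/bin/sh
# Added example audit script (not Oracle's own code). All paths below are
# ASSUMED install layouts; adjust them to your environment.
# Prints one "FINDING: ..." line per development artifact found.

audit_wls_install() {
    home="$1"
    # Sample applications (assumed location: <WL_HOME>/samples)
    for d in "$home"/wlserver*/samples; do
        if [ -d "$d" ]; then echo "FINDING: sample applications installed: $d"; fi
    done
    # A Java compiler means the full SDK is installed rather than a JRE
    for jc in "$home"/jdk*/bin/javac "$home"/jrockit*/bin/javac; do
        if [ -x "$jc" ]; then echo "FINDING: Java compiler present (SDK, not JRE): $jc"; fi
    done
    # Pointbase evaluation database (assumed location: <WL_HOME>/common/eval/pointbase)
    for d in "$home"/wlserver*/common/eval/pointbase; do
        if [ -d "$d" ]; then echo "FINDING: Pointbase evaluation database present: $d"; fi
    done
    # Development utilities named in the text (assumed script and binary names)
    for t in "$home"/wlserver*/common/bin/config.sh "$home"/wlserver*/server/bin/beasvc.exe; do
        if [ -e "$t" ]; then echo "FINDING: development utility present: $t"; fi
    done
    return 0
}

# Number of findings, usable as a pass/fail gate before promoting an install
audit_wls_finding_count() {
    audit_wls_install "$1" | grep -c '^FINDING:' || true
}

# When run directly, audit the installation home given on the command line
if [ -n "$1" ]; then
    audit_wls_install "$1"
    echo "Total findings: $(audit_wls_finding_count "$1")"
fi
```

Run it against a copy of the installation in a development environment first, as the text recommends, and treat a non-zero finding count as a reason to revisit the installation before it reaches production.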