Handling security validations

After applying the July 2021 PSU, I’m now seeing security warnings, such as:

Description: Production Mode is enabled but user lockout settings are not secure in realm: myrealm, i.e. LockoutThreshold should not be greater than 5, LockoutDuration should not be less than 30.

SOLUTION: Update the user lockout settings (LockoutThreshold, LockoutDuration) to be secure.

With the July 2021 PSU applied, WebLogic Server regularly validates your domain configuration against a set of security configuration guidelines recommended by Oracle and reports any setting that does not meet them. The purpose is to help you keep WLS domains secure when they run in production mode. For more information, see MOS Doc 2788605.1 “WebLogic Server Security Warnings Displayed Through the Admin Console” and Review Potential Security Issues in Securing a Production Environment for Oracle WebLogic Server.

Some warnings concern the JDK in use, or report that SSL is not enabled; others recommend changes to the WebLogic configuration itself. How you make the recommended configuration changes depends on your domain home source type:

  • For Domain on PV, use the WebLogic Scripting Tool (WLST), WebLogic Server Administration Console, WebLogic Deploy Tooling (WDT), or configuration overrides.

  • For Domain in Image, create a new image with the recommended changes or use configuration overrides.

  • For Model in Image, supply model files with the recommended changes in its image’s modelHome directory or use runtime updates.

Msg ID: 090985

Description: Production Mode is enabled but the file or directory /u01/oracle/user_projects/domains/domain/bin/setDomainEnv.sh is insecure since its permission is not a minimum of umask 027.

SOLUTION: Change the file or directory permission to at most allow only write by owner, read by group.

Description: The file or directory SerializedSystemIni.dat is insecure since its permission is not a minimum of umask 027.

SOLUTION: Change the file or directory permission to at most allow only write by owner, read by group.
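The rule behind both warnings above is the one umask 027 enforces: the owner may read and write, the group may only read, and everyone else gets nothing. The following script, added here as an example and not code from the original page or from the WebLogic Kubernetes Operator project, audits a domain home for paths that carry any of the bits umask 027 removes and optionally tightens them. It assumes GNU find and stat (the -perm /MODE and stat -c forms), and the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit a WebLogic domain home for files and directories whose
# permissions are looser than umask 027 would produce, and tighten them.
# Assumes GNU find (-perm /MODE, -printf) and GNU stat (-c). Function names
# are this example's own, not operator or WIT tooling.
#
# Usage (after sourcing or pasting these functions):
#   list_insecure_paths /u01/oracle/user_projects/domains/domain
#   fix_insecure_paths  /u01/oracle/user_projects/domains/domain

# Print every path under $1 that has group-write (020) or any "other" bit (007)
# set, together with its octal mode. "-perm /027" matches if ANY of those bits
# is set, which is exactly the set umask 027 clears.
list_insecure_paths() {
    dir="$1"
    find "$dir" -perm /027 -printf '%p %m\n' | sort
}

# Number of offending paths, as a bare integer (handy for exit codes in CI).
count_insecure_paths() {
    list_insecure_paths "$1" | wc -l | tr -d ' '
}

# Tighten every offending path: drop group write and all "other" bits.
# Owner/group execute bits are left alone so scripts such as setDomainEnv.sh
# remain runnable and directories remain traversable by the group.
fix_insecure_paths() {
    dir="$1"
    find "$dir" -perm /027 -exec chmod g-w,o-rwx {} +
}
```

Run list_insecure_paths first and review the output before fixing; on a container platform that assigns an arbitrary UID (OpenShift, for example), group permissions are what keep the domain usable, which is why the fix removes only group-write and "other" access rather than forcing 600/700.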

When the WebLogic Image Tool (WIT) creates a Domain Home in Image, you can specify the --target OpenShift option so that WIT sets the correct permissions on the domain home when it creates the domain. When no --target option is specified, the domain home directory is created with a umask of 027.

For information about handling file permission warnings on the OpenShift Kubernetes Platform, see the OpenShift documentation.