BEA Logo BEA WebLogic Server Release 1.1

  Corporate Info  |  News  |  Solutions  |  Products  |  Partners  |  Services  |  Events  |  Download  |  How To Buy

Securing a WebLogic Server Deployment


An application server resides in the sensitive layer between end users and your valued data and resources. WebLogic Server provides authentication, authorization, and encryption services, but these are no protection from an intruder who gains access by discovering and exploiting some weakness in your deployment environment.

This document describes the measures you should take to secure a WebLogic Server deployment. It describes assumptions that WebLogic Server makes about the security of your environment and how to configure WebLogic Server security parameters for optimum security.

Whether you deploy WebLogic Server on the Internet or on an intranet, it is a good idea to hire an independent security expert to go over your security plan and procedures, audit your installed systems, and recommend improvements. This document makes some specific and general recommendations related to WebLogic Server, but a well-secured deployment depends on the total environment.

For specific WebLogic Server security configuration and documentation information, see the Guide to WebLogic Server Security Documentation.

Security Environment Assumptions

WebLogic Server depends upon a well-secured environment, including physical plant, operating system, file system, network, and organizational security policies and procedures. Here are some general recommendations on policies and practices concerning your security environment:

Setting up a Firewall

A firewall limits traffic between two networks. Firewalls can be a combination of software and hardware, including routers and dedicated gateway machines. They employ filters that allow or disallow traffic to pass based on the protocol, the service requested, routing information, and the origin and destination hosts or networks. They may also allow access for authenticated users.

There are many ways to combine firewalls, WebLogic Server, and other network servers. Figure 6-1 illustrates a typical setup with a firewall that filters traffic destined for a WebLogic Server cluster.

Figure 6-1 Typical firewall setup

Another common firewall configuration restricts access to only HTTP or HTTPS web connections. The firewall permits clients to connect only to a web server, which usually runs at the standard HTTP port 80 or SSL port 443. The web server could be a WebLogic Server or a third-party web server set up to proxy requests to WebLogic Server. For example, you could set up Netscape Enterprise Server, Microsoft Internet Server, or an Apache Server to serve static web pages and proxy servlet and JSP requests to WebLogic Server. Figure 6-2 illustrates the architecture.

With this configuration, the web server is a gateway, operating in the "demilitarized zone" (DMZ). Clients interact exclusively with the web server. WebLogic Server connections come only from proxied web server requests, enhancing the security of your WebLogic Server applications and back-end resources.

Figure 6-2 Firewall with web server gateway

If you use a supported third-party web server as a gateway, you can use the WebLogic-to-Netscape Enterprise Server Bridge (NSAPI), WebLogic-to-Microsoft IIS Bridge (ISAPI), or WebLogic-to-Apache Server Bridge to redirect requests to WebLogic Server. If you use WebLogic Server as the gateway, no bridge is needed to redirect to another WebLogic Server or cluster.

WebLogic Server SSL Configuration

Realm and Acl Configuration