Browser SSL issue & fix – For Weblogic only

We have found that the latest versions of several browsers do not work with https. Details of the issue are given below.

 

Affected Browser:

  • > Chrome 45
  • > Firefox 40
  • > Internet Explorer 11

 

Issue:

SSLv3, a security protocol used for https, has a security vulnerability known as the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack, which can be used for a man-in-the-middle attack.

Hence browser companies have stopped supporting SSL 3.0 in their latest versions; please read these articles for more details: Internet Explorer, Firefox, Chrome.

In the latest versions of browsers we see a page like the following on hitting an https flow.

firefox ssl issue

chrome ssl issue

 

 

Fix:

The server must use a protocol > TLS 1.0 instead of SSL 3.0.

The Apache server is already configured with a protocol > TLS 1.0. Hence no changes are required for environments where Apache is configured correctly.

For environments where application server ports (WebLogic) are expected to be used rather than web server ports (Apache), please make the following change.

 

  1. Stop the application server
  2. Go to the WebLogic domain directory <Domain Name>/config
  3. Take a backup of config.xml
  4. Edit the original config.xml
  5. Search for the server name in the file, e.g. “<name>ATGCommerce</name>”
  6. Look for the ssl tag “<ssl>” under this
  7. Enter the following two lines under the SSL tag.

       <use-java>true</use-java>
       <jsse-enabled>true</jsse-enabled>
       <ciphersuite>SSL_RSA_WITH_RC4_128_MD5</ciphersuite>

  8. Save the file
  9. Start the application server

 

Please keep the tags in a similar sequence to the one shown below, otherwise there can be issues. Do not worry about tags that you do not have in your config file.

 

ConfigFileSequence
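A check that can be run over the edited config.xml before restarting the server, given here as an added example and not part of the original post: it reports, per server, whether the two flags from step 7 are set and whether any configured cipher suite is a weak one such as the RC4/MD5 suite in the snippet. The function names, the weak-suite marker list and the sample domain (including the second server name) are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Markers of weak suites (this example's own list). RC4 is prohibited in TLS
# by RFC 7465; MD5, NULL and EXPORT suites are likewise obsolete.
WEAK_MARKERS = ("_RC4_", "_MD5", "_NULL_", "_EXPORT_")

def local(tag):
    """Strip the XML namespace so matching works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def child_text(parent, name):
    """Return the stripped text of every direct child element called `name`."""
    return [(c.text or "").strip() for c in parent if local(c.tag) == name]

def audit_ssl(config_xml):
    """Map each <server> name to a list of findings about its <ssl> block."""
    report = {}
    for server in ET.fromstring(config_xml):
        if local(server.tag) != "server":
            continue
        name = (child_text(server, "name") or ["<unnamed>"])[0]
        findings = report.setdefault(name, [])
        ssl = next((c for c in server if local(c.tag) == "ssl"), None)
        if ssl is None:
            findings.append("no <ssl> element")
            continue
        for flag in ("use-java", "jsse-enabled"):
            if child_text(ssl, flag) != ["true"]:
                findings.append(f"<{flag}> is not true")
        for suite in child_text(ssl, "ciphersuite"):
            if any(marker in suite for marker in WEAK_MARKERS):
                findings.append(f"weak cipher suite: {suite}")
    return report

# Constructed sample (not a real domain): one server edited as in step 7, one untouched.
SAMPLE = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <server>
    <name>ATGCommerce</name>
    <ssl>
      <use-java>true</use-java>
      <jsse-enabled>true</jsse-enabled>
      <ciphersuite>SSL_RSA_WITH_RC4_128_MD5</ciphersuite>
    </ssl>
  </server>
  <server><name>AdminServer</name><ssl><enabled>true</enabled></ssl></server>
</domain>"""

if __name__ == "__main__":
    print(audit_ssl(SAMPLE))
```

An empty list for a server means none of these checks fired; it does not show which protocol version the listener actually negotiates.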

 

Note:

This fix is to be used for development environments only; for TEST and higher environments the web server (Apache) is to be used.

If this fix is required in higher environments, confirmation from the product company (Oracle) is a must.

Weblogic MBeans

Run-time MBeans

  • Contain information about the run-time state of a server and its resources.
  • They generally contain only data about the current state of a server or resource, and they do not persist this data.
  • When you start a server instance, the server instantiates a ServerRuntimeMBean and populates it with the current run-time data. Each resource updates the data in its run-time MBean as its state changes.
  • When you shut down a server instance, all run-time statistics and metrics from the run-time MBeans are destroyed.

Configuration MBeans

  • Contain information about the configuration of servers and resources.
  • They represent the information that is stored in the domain’s XML configuration documents.
  • Contain information about the configuration of services such as JDBC data sources and JMS

Weblogic server installation 12.1.1.0 on Windows

  • Double click on the executable.
        In Windows it can be something like “wls1211_win32.exe”
        In Linux you need to look for the setup starter and execute it from the command prompt.
  • In both cases it will look something like below

image1

  • Click “Next” button.

image2

  • Choose the Middleware home directory; all the middleware tools will be installed in this directory, not only WebLogic.
  • WebLogic will be installed under the middleware directory as it is a part of the middleware.

image3

  • This is optional; you may wish to receive updates via email.

image4

  • Select “Typical” to install the default set of components.
  • Select “Custom” to see or modify the set of components to be installed.

image5

  • Screen after selecting “Custom”; you may check or uncheck any component.

image6

  • Two JDKs come with Java
    • Sun JDK is believed to be better for development.
    • Oracle JRockit JDK is believed to be better for production.

image7

  • You may edit the path for the WebLogic Server home or the Coherence home.

image8

  • Select if you wish to install the Node Manager service.

image9


 

Structure after installation under middleware directory

C:\Oracle\Middleware

image14