SSL Vulnerabilities

SSL Server allows Anonymous Authentication Vulnerability. This basically means that the client will be able to connect to the server without using any authentication algorithm. Some SSL cipher suites allow anonymous authentication. Choosing the right cipher suites as explained in an earlier post, and disabling the null cipher from the admin console

Continue reading »

JMS Resources using JMX

import java.io.IOException;
import java.net.MalformedURLException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Iterator;
import javax.management.MBeanServerConnection;
import javax.management.MalformedObjectNameException;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.naming.Context;
import javax.naming.InitialContext;
import weblogic.j2ee.descriptor.wl.JMSBean;
import weblogic.j2ee.descriptor.wl.JMSConnectionFactoryBean;
import weblogic.j2ee.descriptor.wl.QueueBean;
import weblogic.jms.extensions.JMSModuleHelper;
import weblogic.management.configuration.JMSSystemResourceMBean;

public class JMSResource {
    private static MBeanServerConnection connection;
    private static JMXConnector connector;

Continue reading »

Using Canned Policy with Weblogic Server.

SimpleWS.java

package demo;

import weblogic.jws.WLHttpTransport;
import weblogic.jws.Policies;
import weblogic.jws.Policy;
import javax.jws.WebService;
import javax.jws.WebMethod;
import javax.jws.soap.SOAPBinding;

@WebService(name="SimpleWSPortType", serviceName="SimpleWSService", targetNamespace="http://www.oracle.com")
@SOAPBinding(style=SOAPBinding.Style.DOCUMENT, use=SOAPBinding.Use.LITERAL, parameterStyle=SOAPBinding.ParameterStyle.WRAPPED)
@WLHttpTransport(contextPath="SimpleWSService", serviceUri="SimpleWSService", portName="SimpleWSServicePort")
@Policy(uri="policy:Sign.xml")
public class SimpleWS {
    @WebMethod()
    public String sayHello(String s) {
        return "Hello " + s;
    }
}

Client.java

package demo;

import demo.*;
import java.security.cert.X509Certificate;
import

Continue reading »

Configure JCE Provider with Weblogic Server

Download any JCE provider. JCE providers supply additional cryptographic algorithms to secure the communication. Bouncy Castle is one such freely available JCE provider. To configure it, place the provider jar file in the java-home/jre/lib/ext/ folder and add the following line to the java.security file in the jre\lib\security folder:

security.provider.n=org.bouncycastle.jce.provider.BouncyCastleProvider

Where

Continue reading »

Import and Export users from Embedded LDAP using WLST

Export

connect('weblogic','weblogic','t3://localhost:8003')
domainRuntime()
cd('/DomainServices/DomainRuntimeService/DomainConfiguration/DomainA/SecurityConfiguration/DomainA/DefaultRealm/myrealm/AuthenticationProviders/DefaultAuthenticator')
cmo.exportData('DefaultAtn','c:/export.ldif', Properties())

Import

connect('weblogic','weblogic','t3://localhost:8003')
domainRuntime()
cd('/DomainServices/DomainRuntimeService/DomainConfiguration/DomainB/SecurityConfiguration/DomainB/DefaultRealm/myrealm/AuthenticationProviders/DefaultAuthenticator')
cmo.importData('DefaultAtn','c:/export.ldif', Properties())

Continue reading »

Troubleshooting Kerberos Issues with Weblogic Server

Found NTLM token when expecting SPNEGO: the browser is not set up correctly to send a SPNEGO token. Go back to the client configuration and double-check the browser settings. In IE, Integrated Windows Authentication should be turned on and the site listed in the Intranet

Continue reading »

Securing Webservices using BASIC Authentication on Weblogic Server.

To secure the web service with Basic Authentication, we just need to use the @RolesAllowed annotation. No change needs to be made in the deployment descriptor. Here is a sample JWS:

package demo;

import javax.jws.*;
import weblogic.jws.security.RolesAllowed;
import weblogic.jws.security.SecurityRole;

@RolesAllowed({
    @SecurityRole(role="Administrators", mapToPrincipals={"weblogic"}),
})
@WebService
public class TestBasic

Continue reading »

Create Active Directory Authentication Provider from WLST

connect('weblogic','weblogic','t3://localhost:7001')
edit()
startEdit(-1,-1,'false')
cmo.getSecurityConfiguration().getDefaultRealm().createAuthenticationProvider('ADAuthenticator', 'weblogic.security.providers.authentication.ActiveDirectoryAuthenticator')
cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider('ADAuthenticator').setControlFlag('OPTIONAL')
cd('/SecurityConfiguration')
cd('base_domain')
cd('Realms/myrealm/AuthenticationProviders')
cd('ADAuthenticator')
cmo.setGroupBaseDN('CN=Users,DC=faisal,DC=bea,DC=com')
cmo.setUserBaseDN('CN=Users,DC=faisal,DC=bea,DC=com')
cmo.setAllGroupsFilter('(objectclass=group)')
cmo.setPrincipal('CN=Administrator,CN=Users,DC=faisal,DC=bea,DC=com')
cmo.setCredential('Passw0rd')
cmo.setPort(389)
cmo.setHost('localhost')
save()
activate()

Continue reading »

BASIC Authentication with Apache

Create user.txt with the username and password separated by a colon:

user.txt
testuser:testuser

Then use htpasswd to encrypt the password:

Apache2\bin>htpasswd.exe -b user.txt testuser testuser
Automatically using MD5 format.
Updating password for user testuser

Add the following in the httpd.conf file present in C:\Program Files\Apache Group\Apache2\bin

LoadModule weblogic_module modules/mod_wl128_20.so
<Location

Continue reading »

Updating invalidation-interval-secs Using Plan.xml

This article describes the use of plan.xml to update deployment descriptors on the fly. In this example we will update the value of invalidation-interval-secs from 90 seconds to 30 seconds using plan.xml. invalidation-interval-secs sets the time, in seconds, that WebLogic Server waits between house-cleaning checks for timed-out and invalid

Continue reading »