By default, when Oracle WebLogic Server uses HTTPS for secure connections such as for Forms and Reports, SSL (Secure Socket Layer) v3.0 and TLS (Transport Layer Security) v1.0 are configured. SSL is the original protocol used for secure connections via HTTPS where TLS is the newer, more secure protocol. In recent months, a security vulnerability known as Poodle, âPaddling Oracle On Downgraded Legacy Encryptionâ, was discovered to be. In summary, Poodle is a âman-in-the-middleâ exploit which can allow hackers to view encrypted information. More information on Poodle can be found on Oracleâs website: http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html
The vulnerability exists with SSL v3.0, which is commonly used as the secure protocol used for HTTPS connections with using Oracle WebLogic Server. However, the TLS protocol does not contain this vulnerability. If WebLogic is configured for both (it is by default) and the end-userâs Web browser has SSL v3.0 and TLS v1.0 both enabled, there is a possibility that the WebLogic connection via HTTPS may be done using SSL v3.0 instead of TLS v1.0. A WebLogic connection is defined by any connection going to an application (JSP, Forms & Reports, ADF, Discoverer, etc.) which is deployed in Oracle WebLogic Server.
The best approach is to configure WebLogic to only use TLS v1.0. With this, all end-users will be forced to use TLS 1.0 on all HTTPS connections to the WebLogic server whether it is used for running deployed JSP applications, Oracle Forms and Reports applications, Oracle ADF applications, or other Oracle Fusion Middleware applications. The changes are quick and easy to deploy. Also, no new SSL/TLS certificates will need to be created. Implementing TLS v1.0 only for WebLogic can be done with these steps:
1. Log into the WebLogic Administration Console (Example: http://server.domain:7001/console)
2. Log in with the weblogic username and password
3. Go to Environment â> Servers
4. Select a WebLogic server where SSL has been set up. Weâll use WLS_FORMS as an example.
5. In the top-left corner, click âLock & Editâ.
6. Make sure the Configuration tab is enabled. Select the âServer Startâ sub-tab.
7. In the Arguments section, type in the following parameter:
NOTE: This will force the WebLogic server to use TLS instead of SSL.
When finished, click the âSaveâ button.
8. For any other WebLogic servers using SSL/TLS, repeat steps 4-7 (except for step 5 as you will be in âLock & Editâ mode already).
9. In the top-left corner, click âActivate Changesâ to apply all changes.
10. If any WebLogic servers which had the changes applied are currently running, they will need to be restarted using the Admin Console. If this includes the AdminServer, you will need to use WLST to start up the AdminServer as you will not be able to use the Admin Console if the AdminServer is down.
Now that WebLogic is configured for TLS v1.0, all end users will need to make sure that TLS 1.0 is enabled in their Web browsers:Internet Explorer:NOTE: It is likely that TLS 1.0 is enabled in Internet Explorer, but it is recommended to check anyway.Go to Tools â> Internet Options (or simply Internet Options from the menu in the top-right corner)In the Advanced tab, scroll down to the Security section. Make sure âUse TLS 1.0â is enabled.
Mozilla Firefox and Google Chrome:All current releases of Firefox and Chrome have at least TLS 1.0 already enabled.After applying the steps above, you should be using TLS when running anything on the WebLogic server (JSP applications, ADF applications, Forms, etc.) using the HTTPS protocol.
Source: Oracle Support note 1936300.1