WBLC-05-000176 - Oracle WebLogic must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data - JAVA_OPTIONS

Information

Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms.

FIPS 140-2 is the current standard for validating cryptographic modules, and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified hardware-based encryption modules.

Application servers must provide FIPS-compliant encryption modules when storing encrypted data and configuration settings.

Solution

1. Shut down any running instances of WebLogic server
2. On disk, navigate to the DOMAIN_HOME directory
3. View the contents of the appropriate WebLogic server start script:
On UNIX operating systems: startWebLogic.sh
On Microsoft Windows operating systems: startWebLogic.cmd
4. Ensure the JAVA_OPTIONS variable is set:
On UNIX operating systems:
JAVA_OPTIONS=' -Djava.security.properties==/<mylocation>/java.security ${JAVA_OPTIONS}'
On Microsoft Windows operating systems:
set JAVA_OPTIONS= -Djava.security.properties==C:<mylocation>java.security %JAVA_OPTIONS%
5. Ensure the <mylocation> path specified above contains a valid java.security file (Refer to section 2.2.4 of the Overview document)
6. Ensure the PRE_CLASSPATH variable is set:
On UNIX operating systems:
PRE_CLASSPATH='%MW_HOME%wlserverserverlibjcmFIPS.jar;%MW_HOME%wlserverserverlibsslj.jar ${PRE_CLASSPATH}'
On Microsoft Windows operating systems:
set PRE_CLASSPATH= %MW_HOME%wlserverserverlibjcmFIPS.jar;%MW_HOME%wlserverserverlibsslj.jar;%PRE_CLASSPATH%
7. Refer to section 2.2.4 of the Overview document

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_WebLogic_Server_12c_V1R6_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-13, CAT|II, CCI|CCI-000803, Rule-ID|SV-235975r628703_rule, STIG-ID|WBLC-05-000176, STIG-Legacy|SV-70553, STIG-Legacy|V-56299, Vuln-ID|V-235975

Plugin: Unix

Control ID: ff513648fd62a7e20519db332dd250d805136b9dc8d6c7317c13dce9238f1792