WBLC-05-000177 - Oracle WebLogic must utilize FIPS 140-2 approved encryption modules when authenticating users and processes - JAVA_OPTIONS

Information

Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms.

FIPS 140-2 is the current standard for validating cryptographic modules, and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified hardware-based encryption modules.

Application servers must provide FIPS-compliant encryption modules when authenticating users and processes.

Solution

1. Shut down any running instances of WebLogic server
2. On disk, navigate to the DOMAIN_HOME directory
3. View the contents of the appropriate WebLogic server start script:
On UNIX operating systems: startWebLogic.sh
On Microsoft Windows operating systems: startWebLogic.cmd
4. Ensure the JAVA_OPTIONS variable is set:
On UNIX operating systems:
JAVA_OPTIONS=' -Djava.security.properties==/<mylocation>/java.security ${JAVA_OPTIONS}'
On Microsoft Windows operating systems:
set JAVA_OPTIONS= -Djava.security.properties==C:<mylocation>java.security %JAVA_OPTIONS%
5. Ensure the <mylocation> path specified above contains a valid java.security file (Refer to section 2.2.4 of the Overview document)
6. Ensure the PRE_CLASSPATH variable is set:
On UNIX operating systems:
PRE_CLASSPATH='%MW_HOME%wlserverserverlibjcmFIPS.jar;%MW_HOME%wlserverserverlibsslj.jar ${PRE_CLASSPATH}'
On Microsoft Windows operating systems:
set PRE_CLASSPATH= %MW_HOME%wlserverserverlibjcmFIPS.jar;%MW_HOME%wlserverserverlibsslj.jar;%PRE_CLASSPATH%
7. Refer to section 2.2.4 of the Overview document

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_WebLogic_Server_12c_V2R1_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-7, CAT|II, CCI|CCI-000803, Rule-ID|SV-235976r628706_rule, STIG-ID|WBLC-05-000177, STIG-Legacy|SV-70555, STIG-Legacy|V-56301, Vuln-ID|V-235976

Plugin: Unix

Control ID: 4edff9d73bb23747efeec92436e2262a6ef41494ce2de86ccae25af1713a2d70