3.4 - Default Weblogic Keystores is used

Information

Keystores provide secure storage and management of private keys and trusted certificate authorities (CAs). By default, WebLogic Server is configured with two keystores that are intended for development use only:
DemoIdentity.jks: Contains a demonstration private key for WebLogic Server. This keystore establishes an identity for WebLogic Server.
DemoTrust.jks: Contains a list of certificate authorities trusted by WebLogic Server. This keystore establishes trust for WebLogic Server.
These keystores are located in the WL_HOME\server\lib directory and the JAVA_HOME\jre\lib\security directory. They must not be used in a production environment, because the digital certificates and trusted CA certificates in the demonstration keystores are signed by a WebLogic Server demonstration certificate authority.

If the default keystores are used, the WebLogic Server will trust any WebLogic Server installation that also uses the demonstration keystores.

Solution

1. In the left pane of the Console, expand Environment and select Servers.
2. Click the name of the server for which you want to configure the identity and trust keystores.
3. Select Configuration > Keystores.
4. In the Keystores field, select the method for storing and managing private key/digital certificate pairs and trusted CA certificates. The following options are available:
Demo Identity and Demo Trust: The demonstration identity and trust keystores, located in the BEA_HOME\server\lib directory and the JDK ca-certs keystore, are configured by default. Use for development only.
Custom Identity and Java Standard Trust: A keystore you create and the trusted CAs defined in the ca-certs file in the JAVA_HOME\jre\lib\security directory.
Custom Identity and Custom Trust: Identity and trust keystores you create.
Custom Identity and Command Line Trust: An identity keystore you create and command-line arguments that specify the location of the trust keystore.
5. In the Identity section, define attributes for the identity keystore.
Custom Identity Keystore: The fully qualified path to the identity keystore.
Custom Identity Keystore Type: The type of the keystore. Generally, this attribute is Java KeyStore (JKS); if left blank, it defaults to JKS.
Custom Identity Keystore Passphrase: The password you will enter when reading or writing to the keystore. This attribute is optional or required depending on the type of keystore.
6. In the Trust section, define properties for the trust keystore.
If you chose Java Standard Trust as your keystore, specify the password defined when creating the keystore. Confirm the password.
If you chose Custom Trust, define the following attributes:
Custom Trust Keystore: The fully qualified path to the trust keystore.
Custom Trust Keystore Type: The type of the keystore. Generally, this attribute is JKS; if left blank, it defaults to JKS.
Custom Trust Keystore Passphrase: The password you will enter when reading or writing to the keystore. This attribute is optional or required depending on the type of keystore. All keystores require the passphrase in order to write to the keystore. However, some keystores do not require the passphrase to read from the keystore. WebLogic Server only reads from the keystore so whether or not you define this property depends on the requirements of the keystore.
7. Click Save.
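The steps above change the setting through the console; to verify the result across a whole domain, the following added example (not from the benchmark or from Oracle) parses a domain's config.xml and reports every server still on the demonstration keystores. It assumes config.xml records the Keystores setting as a <key-stores> element under each <server>, with an absent element meaning the DemoIdentityAndDemoTrust default, and also flags custom settings whose file paths still point at DemoIdentity.jks or DemoTrust.jks.

```python
"""Flag WebLogic servers in config.xml that still use the demonstration keystores.
Added example, not from the benchmark; assumes <key-stores> under each <server>,
absent meaning DemoIdentityAndDemoTrust."""
import xml.etree.ElementTree as ET

DEMO_MODE = "DemoIdentityAndDemoTrust"
DEMO_FILES = ("DemoIdentity.jks", "DemoTrust.jks")
FILE_ATTRS = ("custom-identity-key-store-file-name", "custom-trust-key-store-file-name")


def _child_text(elem, name):
    # Match on the local tag name so the namespace used in config.xml does not matter
    for child in elem:
        if child.tag.rsplit("}", 1)[-1] == name:
            return (child.text or "").strip()
    return None


def find_demo_keystore_servers(config_xml):
    """Return {server_name: reason} for servers presenting or trusting demo material."""
    findings = {}
    for server in ET.fromstring(config_xml).iter():
        if server.tag.rsplit("}", 1)[-1] != "server":
            continue
        name = _child_text(server, "name") or "<unnamed>"
        mode = _child_text(server, "key-stores")
        if mode is None:
            findings[name] = "key-stores not set, defaults to " + DEMO_MODE
        elif mode == DEMO_MODE:
            findings[name] = "key-stores is " + DEMO_MODE
        else:
            # A custom mode can still point at the shipped demo files; check the paths too
            for attr in FILE_ATTRS:
                path = _child_text(server, attr) or ""
                if path.endswith(DEMO_FILES):
                    findings[name] = attr + " points at " + path
    return findings


# Constructed sample config.xml: one server on defaults, one correct, one misconfigured
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <server><name>AdminServer</name></server>
  <server><name>ManagedServer1</name><key-stores>CustomIdentityAndCustomTrust</key-stores>
    <custom-identity-key-store-file-name>keystores/identity.jks</custom-identity-key-store-file-name>
    <custom-trust-key-store-file-name>keystores/trust.jks</custom-trust-key-store-file-name>
  </server>
  <server><name>ManagedServer2</name><key-stores>CustomIdentityAndCustomTrust</key-stores>
    <custom-identity-key-store-file-name>C:\\Oracle\\wlserver\\server\\lib\\DemoIdentity.jks</custom-identity-key-store-file-name>
  </server>
</domain>"""
```

Running find_demo_keystore_servers(SAMPLE_CONFIG) reports AdminServer (no key-stores element) and ManagedServer2 (custom mode but identity file is DemoIdentity.jks), while ManagedServer1 passes.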

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-12

Plugin: Windows

Control ID: 1b48d77dbcba87ff3eb9791604d7578ab2126e813853b622703828088e71fab5