Restrict Key Size Larger than 128 bit on WebLogic Server.
WebLogic Server uses SSL/TLS certificates and cipher suites with varying key sizes for encryption. Some security policies require enforcing a minimum key size (e.g., 128-bit or larger). Below are methods to configure this restriction.
Restricting Key Size in WebLogic (SSL Configuration):
Via Admin Console
- Navigate to SSL Settings: go to Environment → Servers → [Your_Server] → SSL → Advanced.
- Set Minimum Key Size (bits) to 128 (or higher, e.g., 256).
- Apply & Restart.
To enforce a key size of 128 bits or larger, select in the SSL configuration only those cipher suites that use a 128-bit (or larger) symmetric key.
Using WLST (WebLogic Scripting Tool)
connect('weblogic', 'password', 't3://localhost:7001')
edit()
startEdit()
# SSL MBean of the server being configured (AdminServer here)
cd('/Servers/AdminServer/SSL/AdminServer')
cmo.setMinimumKeySize(128) # Enforce 128-bit minimum
save()
activate()
disconnect()
Enforcing at JVM Level (Java Security):
If WebLogic's SSL settings are insufficient, enforce the restriction through Java security policies instead.
Modify the java.security File
Locate java.security (typically in $JAVA_HOME/jre/lib/security). Update jdk.tls.disabledAlgorithms to restrict weak keys:
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 224, RSA keySize < 2048, ECDH keySize < 224
- Restart WebLogic.
JVM Arguments
Add to startWebLogic.sh:
-Djdk.tls.disabledAlgorithms="SSLv3, TLSv1, TLSv1.1, RSA keySize < 2048"
Validating Key Size Enforcement:
Check WebLogic Logs:
grep -i "SSL" $DOMAIN_HOME/servers/AdminServer/logs/AdminServer.log
Sample config:
<ssl>
  <enabled>true</enabled>
  <ciphersuite>TLS_RSA_WITH_RC4_128_SHA</ciphersuite>
  <ciphersuite>TLS_RSA_WITH_RC4_128_MD5</ciphersuite>
  <hostname-verification-ignored>true</hostname-verification-ignored>
  <listen-port>7002</listen-port>
  <server-private-key-alias>xxxxxxx</server-private-key-alias>
  <server-private-key-pass-phrase-encrypted>xxxxxx</server-private-key-pass-phrase-encrypted>
</ssl>
List of Cipher Suites Supported by WebLogic Server:
Cipher Suite                             Symmetric Key Strength (bits)
TLS_RSA_WITH_RC4_128_SHA                 128
TLS_RSA_WITH_RC4_128_MD5                 128
TLS_RSA_WITH_DES_CBC_SHA                 56
TLS_RSA_EXPORT_WITH_RC4_40_MD5           40
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA        40
TLS_RSA_WITH_3DES_EDE_CBC_SHA            112
TLS_RSA_WITH_NULL_SHA                    0
TLS_RSA_WITH_NULL_MD5                    0
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA      56
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA       56
TLS_RSA_WITH_AES_128_CBC_SHA             128
TLS_RSA_WITH_AES_256_CBC_SHA             256
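The following is an added example, not code from the original post and not WebLogic's own tooling. It audits an <ssl> element the way the cipher-suite selection step and the java.security step above describe: each configured suite is looked up in the strength table, compared against a 128-bit minimum, and then checked against the jdk.tls.disabledAlgorithms value to see whether the JVM would reject it anyway. The <ssl> snippet, the table and the disabledAlgorithms string are the post's; the token-matching rules for suite names and the keySize parsing are simplifications assumed by this example (the JDK's real matching is more elaborate). Run on the post's own sample config it shows the caveat worth knowing: both RC4 suites meet the 128-bit minimum, but the java.security line that lists RC4 disables them, so the server would be left with no negotiable suite.

```python
"""Added example, not from the original post and not WebLogic tooling: audit a
WebLogic <ssl> element against a minimum symmetric key size and against the
JVM's jdk.tls.disabledAlgorithms value. Matching rules are a simplification."""
import re
import xml.etree.ElementTree as ET

# Symmetric key strength in bits per cipher suite (the post's table).
CIPHER_STRENGTH = {
    "TLS_RSA_WITH_RC4_128_SHA": 128,
    "TLS_RSA_WITH_RC4_128_MD5": 128,
    "TLS_RSA_WITH_DES_CBC_SHA": 56,
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5": 40,
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA": 40,
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 112,
    "TLS_RSA_WITH_NULL_SHA": 0,
    "TLS_RSA_WITH_NULL_MD5": 0,
    "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA": 56,
    "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA": 56,
    "TLS_RSA_WITH_AES_128_CBC_SHA": 128,
    "TLS_RSA_WITH_AES_256_CBC_SHA": 256,
}

# Constructed sample input: the post's <ssl> element, with the key alias and
# pass phrase left out because the audit does not need them.
SAMPLE_SSL_XML = """<ssl>
  <enabled>true</enabled>
  <ciphersuite>TLS_RSA_WITH_RC4_128_SHA</ciphersuite>
  <ciphersuite>TLS_RSA_WITH_RC4_128_MD5</ciphersuite>
  <hostname-verification-ignored>true</hostname-verification-ignored>
  <listen-port>7002</listen-port>
</ssl>"""

# The jdk.tls.disabledAlgorithms value from the post's java.security step.
SAMPLE_DISABLED = ("SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, "
                   "DH keySize < 224, RSA keySize < 2048, ECDH keySize < 224")


def configured_ciphersuites(ssl_xml):
    """Return the <ciphersuite> names listed directly under <ssl>."""
    root = ET.fromstring(ssl_xml)
    return [e.text.strip() for e in root.findall("ciphersuite")]


def strong_suites(min_bits):
    """Cipher suites from the table whose symmetric key is at least min_bits."""
    return sorted(s for s, bits in CIPHER_STRENGTH.items() if bits >= min_bits)


def disabled_algorithm_names(disabled):
    """Bare algorithm/protocol names in a disabledAlgorithms value, without
    the 'ALG keySize < N' entries (those go through key_size_constraints)."""
    return {e.strip() for e in disabled.split(",")
            if e.strip() and "keySize" not in e}


def key_size_constraints(disabled):
    """Parse 'ALG keySize < N' entries into {ALG: N}, the minimum accepted size."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"(\w+)\s+keySize\s*<\s*(\d+)", disabled)}


def key_allowed(alg, bits, disabled):
    """Would a key of this algorithm and size pass the keySize constraints?"""
    minimum = key_size_constraints(disabled).get(alg)
    return minimum is None or bits >= minimum


def suite_uses_disabled_algorithm(suite, disabled_names):
    """Simplified match (assumption of this example): a suite is disabled if a
    token after '_WITH_' equals a disabled name, or is that name followed by
    digits (so DES40 matches DES, while 3DES does not)."""
    tokens = suite.split("_WITH_", 1)[1].split("_")
    for name in disabled_names:
        for tok in tokens:
            if tok == name or (tok.startswith(name) and tok[len(name):].isdigit()):
                return True
    return False


def audit(ssl_xml, min_symmetric_bits, disabled):
    """Classify each configured suite as 'ok', 'too-weak', 'jvm-disabled'
    (passes the size check but the JVM setting rejects it) or 'unknown'."""
    names = disabled_algorithm_names(disabled)
    verdicts = {}
    for suite in configured_ciphersuites(ssl_xml):
        strength = CIPHER_STRENGTH.get(suite)
        if strength is None:
            verdicts[suite] = "unknown"
        elif strength < min_symmetric_bits:
            verdicts[suite] = "too-weak"
        elif suite_uses_disabled_algorithm(suite, names):
            verdicts[suite] = "jvm-disabled"
        else:
            verdicts[suite] = "ok"
    return verdicts


if __name__ == "__main__":
    for suite, verdict in audit(SAMPLE_SSL_XML, 128, SAMPLE_DISABLED).items():
        print(f"{suite}: {verdict}")
    print("suites meeting the 128-bit minimum:", strong_suites(128))
```

To audit a real domain, pass the text of the <ssl> element from the server's config.xml in place of SAMPLE_SSL_XML and the value actually set in java.security (or via -Djdk.tls.disabledAlgorithms) in place of SAMPLE_DISABLED; key_allowed covers the asymmetric side, e.g. whether a 1024-bit RSA server key survives the "RSA keySize < 2048" entry.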