How To Disable Anonymous and Weak Cipher Suites in Oracle WebLogic Server
Last updated on JANUARY 17, 2018
Applies to: Oracle WebLogic Server - Version 8.1 and later
Oracle Fusion Middleware - Version 22.214.171.124.0 and later
Information in this document applies to any platform.
- This document is applicable to all versions; however, newer versions have newer defaults that eliminate the previously used weak and anonymous ciphers.
This article provides steps to disable anonymous and weak SSL cipher suites in Oracle WebLogic Server. "Weak" means a cipher strength of less than 128 bits, or ciphers that have been found to be vulnerable to attacks. You may see various scan reports saying "SSL Server Allows Anonymous Authentication Vulnerability" or "SSL Server Allows Weak Ciphers", or errors from clients referring to ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY, ssl_error_weak_server_ephemeral_dh_key, or ssl_error_no_cypher_overlap.
- The quick answer is to apply the latest WLS PSU and update the JDK used with WebLogic Server to either the latest JDK 6 or the latest JDK 7. But there are other considerations, with high-level steps listed below:
Following Oracle's advice across multiple components, this is the combined summary of steps to be performed together:
1. Disable SSLv3
- See <Note 1936300.1> How to Change SSL Protocols (to Disable SSL 3.0) in Oracle Fusion Middleware Products
2. Apply latest PSU
- See <Note 1306505.1> Announcing Oracle WebLogic Server PSUs (Patch Set Updates)
3. Enable JSSE on 10.3.6
- See http://docs.oracle.com/cd/E23943_01/web.1111/e13707/ssl.htm#SECMG494
4. Update JDK to latest Java 6 or 7 (depending on what is certified; this affects the protocols, ciphers and key strength supported)
- See <Note 1492980.1> How to Maintain the Java SE Installed or Used with FMW 11g/12c Products
5. Remove weak ciphers (automatic when updating the JDK; a cipher list that was previously configured manually might now be incorrect)
- See explanations in this Doc ID 1067411.1
6. If required, update certificate key strength to greater than 1024
- See <Note 1607170.1> SSL Authentication Problem Using WebLogic 10.3.6 and 12.1.1 With JDK1.7.0_40 or Higher and JRockit R28.3.7
- Update any demo certificates using <Note 2097194.1> Impact of Jan 19, 2016 JDK CPU Updates on SSL/TLS and WLS 10.3.6 Demo Certificates - WLS 10.3.6 w/SSL
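An added example (not part of the Oracle note): a Python check that applies this article's definition of weak (anonymous key exchange, strength under 128 bits, or known to be vulnerable) to a manually configured cipher list, the case step 5 cautions about. The strength table, the `VULNERABLE` set and the sample list are assumptions constructed for illustration.

```python
import re

# Effective strength in bits of the bulk ciphers that appear in JSSE-style names.
# 3DES is rated at 112 bits effective despite its 168-bit key.
CIPHER_BITS = {
    "NULL": 0, "RC4_40": 40, "RC2_CBC_40": 40, "DES40_CBC": 40, "DES_CBC": 56,
    "3DES_EDE_CBC": 112, "RC4_128": 128, "AES_128_CBC": 128, "AES_128_GCM": 128,
    "AES_256_CBC": 256, "AES_256_GCM": 256,
}
# Assumption of this example: ciphers treated as "found to be vulnerable"
# even at 128 bits or more. Adjust to your own policy.
VULNERABLE = {"RC4_128"}
SUITE_RE = re.compile(r"^(?:TLS|SSL)_(?P<kx>.+?)_WITH_(?P<cipher>.+)_(?P<mac>[A-Z0-9]+)$")

def audit_suite(name):
    """Return the reasons a suite should be disabled (empty list = acceptable)."""
    m = SUITE_RE.match(name.strip())
    if not m:
        return ["unrecognised name, review manually"]
    kx_parts, cipher = m.group("kx").split("_"), m.group("cipher")
    reasons = []
    if "anon" in kx_parts:
        reasons.append("anonymous key exchange (no server authentication)")
    if "EXPORT" in kx_parts:
        reasons.append("export-grade key exchange")
    bits = CIPHER_BITS.get(cipher)
    if bits is None:
        reasons.append("unknown cipher %s, review manually" % cipher)
    elif bits < 128:
        reasons.append("cipher strength %d bits is below 128" % bits)
    elif cipher in VULNERABLE:
        reasons.append("%s is known to be vulnerable" % cipher)
    return reasons

def audit(configured):
    """Map each rejected suite name to its list of reasons."""
    return {s: r for s in configured for r in [audit_suite(s)] if r}

# Constructed sample of a hand-maintained cipher list (not taken from the article).
SAMPLE = [
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA", "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_WITH_DES_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_NULL_MD5",
]

if __name__ == "__main__":
    for suite, why in audit(SAMPLE).items():
        print("DISABLE %-40s %s" % (suite, "; ".join(why)))
```

Suites reported as unrecognised or unknown are left for manual review rather than silently accepted.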
The remainder of this document goes into further explanation, more configuration options and resolving known issues...