NIST Recommendation on Stronger Cryptosuites
(Doc ID 1553004.1)
Last updated on AUGUST 28, 2020
Oracle WebLogic Server - Version 10.3.1 and later
Information in this document applies to any platform.
The U.S. National Institute of Standards and Technology (NIST) has published a recommendation on stronger cryptographic algorithms and key lengths (http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf) in light of advances in computing power and the availability of security tools. Following the timeline suggested in the recommendation, PKI vendors have been recommending that customers upgrade to private keys and certificates that comply with the NIST recommendations, in particular 2048-bit keys and SHA-2 signed certificates.
Impact on WebLogic Server Customers
Three primary use cases depend on cryptographic algorithms for data protection or data integrity: SSL/TLS, message security, and credential data.
There are two SSL providers used in WebLogic Server: Certicom and Java Secure Socket Extension (JSSE). The Certicom SSL provider was the default SSL provider in WebLogic Server through WebLogic Server 10.3.6. Certicom SSL is no longer supported in WebLogic Server beginning in WebLogic Server 12.1.1. The JSSE SSL provider was introduced in WebLogic Server 10.3.3. The JSSE SSL provider is the default SSL provider in WLS 12.1.1.
Certicom SSL supports 2048-bit keys, but not SHA-2 signed certificates.
JSSE SSL supports 2048-bit keys and SHA-2 signed certificates.
Oracle recommends that WebLogic Server customers seeking to comply with the NIST recommendation described above upgrade to WebLogic Server 10.3.6 in order to make use of JSSE SSL. JSSE SSL was introduced in WebLogic Server 10.3.3, with significant improvements and bug fixes made in WebLogic Server 10.3.4 and later releases. Customers upgrading for this purpose should consider the implications of the Oracle Error Correction Policy (see MOS Doc ID 950131.1) when choosing a 10.3.x release. Upgrading to WebLogic Server 10.3.6 or a later WebLogic Server 12c version is recommended.
Alternatively, customers can consider terminating SSL in web servers such as OHS/iPlanet, or in third-party load balancers that meet NIST recommendations.
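To see which keystore entries already meet the 2048-bit key and SHA-2 signature criteria discussed above, the following added example (not Oracle's code and not part of the original note) audits the text produced by `keytool -list -v`. It assumes a recent JDK whose keytool prints the "Signature algorithm name" and "Subject Public Key Algorithm" lines; the aliases and listing are constructed sample data.

```python
import re

# Constructed sample of `keytool -list -v` output (not from a real keystore).
SAMPLE = """\
Alias name: wls-legacy
Entry type: PrivateKeyEntry
Certificate[1]:
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key

Alias name: wls-current
Entry type: PrivateKeyEntry
Certificate[1]:
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Certificate[2]:
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 2048-bit RSA key
"""

# Only "SHAnnnwith..." names count as SHA-2 here; anything else is reported.
SHA2 = re.compile(r"SHA(224|256|384|512)with", re.IGNORECASE)
KEY = re.compile(r"(\d+)-bit (RSA|DSA)\b")
MIN_BITS = 2048  # key length named in the note

def audit(keytool_output):
    """Return {alias: [(chain_position, finding), ...]} for a keytool listing."""
    findings, alias, cert = {}, None, 1
    for raw in keytool_output.splitlines():
        line = raw.strip()
        chain = re.match(r"Certificate\[(\d+)\]:$", line)
        key, _, value = line.partition(": ")
        if key == "Alias name":
            alias, cert = value, 1
            findings[alias] = []
        elif alias is None:
            continue  # keystore header lines before the first entry
        elif chain:
            cert = int(chain.group(1))  # position in the entry's chain
        elif key == "Signature algorithm name" and not SHA2.match(value):
            findings[alias].append((cert, "signature %s not recognised as SHA-2" % value))
        elif key == "Subject Public Key Algorithm":
            m = KEY.match(value)
            if m and int(m.group(1)) < MIN_BITS:
                findings[alias].append((cert, "%s-bit %s key is below %d bits" % (m.group(1), m.group(2), MIN_BITS)))
    return findings

if __name__ == "__main__":
    for name, issues in audit(SAMPLE).items():
        print(name, issues or "meets the 2048-bit / SHA-2 criteria")
```

The second entry shows why the whole chain is checked: its own certificate is compliant, but the certificate at position 2 is still SHA-1 signed.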
SAML Web SSO relies on XML security standards. The WebLogic Server SAML 1.1 and 2.0 implementations work well with SHA-256 signed certificates for signing and validating SAML assertions.
Web Service security relies on XML security standards. Web service security upgrade is a matter of choosing web service security policies that comply with NIST recommendations.
Credentials in config.xml: 3DES has been supported since WebLogic Server 8.1 and 9.0, 9.1, and 9.2, and AES is supported in later versions. Both 3DES and AES are compliant with the NIST recommendation.
Passwords in embedded LDAP: Passwords are hashed with SHA-1, which is acceptable for "Non-digital signature generation applications" in the NIST recommendation.