Archive for April 2012
3rd OUG Harmony Conference
On May 31st I will be speaking at the 3rd OUG Harmony Conference organized by Oracle User Group Finland. This conference will be held at Aulanko, Hämeenlinna, Finland. My session will be about a core component that you need to understand to really manage Fusion Middleware: WebLogic's NodeManager.
Handling WebLogic's lifecycle is a core activity in managing Fusion Middleware. This is done mostly through an agent called NodeManager. This session is all about the subtleties and caveats of NodeManager. Topics covered include:
– Role of the NodeManager in the middleware topology
– NodeManager properties
– WebLogic startup sequence
– Starting and stopping through NodeManager
– Crash recovery
– Security and SSL
The agenda looks great and early bird registration is still open (until April 30th). So if you plan to go, now would be a good time to register.
Securing embedded LDAP access with a connection filter
Numerous people have written about the embedded LDAP (see here). These blog posts show that access to the embedded LDAP is always enabled; only the username and password are unknown.
Others have posted about connection filters (see here). A connection filter allows the server to reject unwanted connections based on filter criteria. WebLogic ships an implementation, weblogic.security.net.ConnectionFilterImpl, which is configured in the console under Domain > Security > Filter and takes rules of the form "target localAddress localPort action protocols". The rules are evaluated top to bottom and the first matching rule decides; a connection that matches no rule is allowed.
Since the embedded LDAP is prone to brute-force attacks, one should secure the ldap (and ldaps) protocols using a connection filter. The embedded LDAP is multiplexed on the server's normal listen ports together with http and t3, so a firewall rule on the port would block everything; a protocol-aware connection filter can reject just the LDAP traffic. When constructing the filter rules, remember that the servers in a domain talk to each other's embedded LDAP (the managed servers replicate it from the Administration Server), so you should only block remote traffic.
For single server setups this rule would suffice:
0.0.0.0/0 * * deny ldap ldaps
Breakdown:
For all remote IPs, deny access to a server on any local IP address and any port for the protocols ldap and ldaps. Other protocols (http, t3, ...) are not matched by this rule and therefore stay allowed.
For clustered setups I would advise allowing the local addresses in your server backbone and blocking all remote addresses. If your server backbone runs on 172.16.X.X, these two rules would apply. Note the mask: it must be /16, not /0, because a /0 mask matches every address and would make the allow rule swallow all traffic, leaving the deny rule unreachable. The order also matters, since the first matching rule wins:
172.16.0.0/16 * * allow
0.0.0.0/0 * * deny ldap ldaps
Breakdown:
Allow access to any server on any port for all protocols if the originating IP address is in the 172.16.0.0/16 range. If the originating IP address is in any other range, deny access to any server on any port for the protocols ldap and ldaps.
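To see how these rules are evaluated before you paste them into a live domain, here is a small Python model of WebLogic's connection filter rule format, added here as an example (it is not code from WebLogic or from the original post). It assumes the documented semantics of weblogic.security.net.ConnectionFilterImpl: rules of the form target localAddress localPort action protocols, evaluated top to bottom with the first match deciding, a connection matching no rule allowed, and an empty protocol list meaning every protocol. Host-name targets are not modelled, and the IP addresses in the sample are constructed for illustration.

```python
"""
Model of WebLogic connection filter rule evaluation (added example; not code
from WebLogic or from the original post).

Assumed semantics of weblogic.security.net.ConnectionFilterImpl:
  rule   := target localAddress localPort action [protocol ...]
  target := IP address, CIDR (172.16.0.0/16) or dotted netmask
            (172.16.0.0/255.255.0.0); host-name targets are not modelled
  rules are evaluated top to bottom, the first match decides,
  no match means the connection is allowed,
  an empty protocol list means the rule covers every protocol.
"""
import ipaddress


def parse_rules(text):
    """Parse one rule per line; '#' starts a comment, blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"rule needs target, localAddress, localPort, action: {raw!r}")
        target, local_addr, local_port, action = fields[:4]
        if action not in ("allow", "deny"):
            raise ValueError(f"action must be allow or deny: {raw!r}")
        # strict=False tolerates host bits in the prefix; a host name raises ValueError
        network = ipaddress.ip_network(target, strict=False)
        rules.append({
            "target": network,
            "local_addr": local_addr,          # "*" or one local IP
            "local_port": local_port,          # "*" or a port number
            "action": action,
            "protocols": {p.lower() for p in fields[4:]},  # empty set = all
        })
    return rules


def first_match(rules, remote_ip, local_ip, local_port, protocol):
    """Return the first rule matching the connection, or None."""
    remote = ipaddress.ip_address(remote_ip)
    for rule in rules:
        if remote not in rule["target"]:
            continue
        if rule["local_addr"] not in ("*", local_ip):
            continue
        if rule["local_port"] not in ("*", str(local_port)):
            continue
        if rule["protocols"] and protocol.lower() not in rule["protocols"]:
            continue
        return rule
    return None


def is_allowed(rules_text, remote_ip, local_ip, local_port, protocol):
    """True if the connection gets through the filter."""
    rule = first_match(parse_rules(rules_text), remote_ip, local_ip, local_port, protocol)
    return True if rule is None else rule["action"] == "allow"


def lint_rules(rules):
    """Flag allow rules whose mask is /0: they match every remote address, so
    any deny rule after them can never fire."""
    return [f"rule {i + 1}: allow with target {r['target']} matches every address"
            for i, r in enumerate(rules)
            if r["action"] == "allow" and r["target"].prefixlen == 0]


# Constructed sample rule sets mirroring the post's two configurations;
# the IP addresses below are made up for illustration.
SINGLE_SERVER_RULES = "0.0.0.0/0 * * deny ldap ldaps"

CLUSTER_RULES = """
# backbone first: the first matching rule wins
172.16.0.0/16 * * allow
0.0.0.0/0 * * deny ldap ldaps
"""

if __name__ == "__main__":
    checks = [
        (SINGLE_SERVER_RULES, "203.0.113.7", "ldap"),   # remote LDAP: denied
        (SINGLE_SERVER_RULES, "203.0.113.7", "t3"),     # remote T3: still allowed
        (CLUSTER_RULES, "172.16.4.20", "ldap"),         # backbone LDAP: allowed
        (CLUSTER_RULES, "203.0.113.7", "ldaps"),        # remote LDAPS: denied
    ]
    for rules, remote, proto in checks:
        verdict = "allow" if is_allowed(rules, remote, "172.16.4.10", 7001, proto) else "deny"
        print(f"{remote:>12} {proto:<6} -> {verdict}")
    # A /0 mask on the allow rule is an easy typo that silently disables the deny rule.
    for warning in lint_rules(parse_rules("172.16.0.0/0 * * allow\n0.0.0.0/0 * * deny ldap ldaps")):
        print("warning:", warning)
```

The lint check is the part worth keeping around: an allow rule with a /0 mask matches every remote address and makes every later deny rule dead. On a real domain, verify the filter the same way from both sides of the boundary: an LDAP client (for instance ldapsearch) pointed at the server's listen port should be refused from outside the backbone and still succeed from inside it, while http and t3 keep working from everywhere.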
Hope this helps.