Oracle MVA

Tales from a Jack of all trades

Archive for April 2012

3rd OUG Harmony Conference


On May 31st I will be speaking at the 3rd OUG Harmony Conference organized by Oracle User Group Finland. This conference will be held at Aulanko, Hämeenlinna, Finland. My session will be about a core component that you need to understand to really manage Fusion Middleware: WebLogic’s NodeManager.

Handling WebLogic’s lifecycle is a core activity while managing Fusion Middleware. This is done mostly through an agent called NodeManager. This session is all about the subtleties and caveats of NodeManager. Topics covered include:
– Role of the nodemanager in the middleware topology
– Nodemanager properties
– WebLogic startup sequence
– Starting and stopping through NodeManager
– Crash recovery
– Security and SSL

The agenda looks great and early bird registration is still open (until April 30th). So if you plan to go, now would be a good time to register.

Written by Jacco H. Landlust

April 18, 2012 at 9:49 pm

Securing embedded ldap access with a connection filter


Numerous people have written about the embedded ldap (see here). These blog posts show that access to the embedded ldap is always enabled; only the username and password are unknown.

Others have posted about connection filters (see here). A connection filter allows the server to reject unwanted connections based on some filter criteria.

Since the embedded ldap is prone to brute-force attacks, one should secure the ldap (and ldaps) port using a connection filter. When constructing the connection filter, you should remember that the managed servers use each other's embedded ldap, therefore you should only block remote traffic.

For single server setups this rule would suffice:


0.0.0.0/0 * * deny ldap ldaps

Breakdown:
For all remote IPs, deny access to any server running on any local IP address and any port for the protocols ldap and ldaps.

For clustered setups I would advise allowing local addresses in your server backbone and blocking all remote addresses. If your local server backbone runs on 172.16.X.X, these two rules would be applicable:


172.16.0.0/16 * * allow
0.0.0.0/0 * * deny ldap ldaps

Breakdown:
Allow access to any server running on any port for all protocols if the originating IP address is in the 172.16.0.0 range. If the originating IP address is in any other range, deny access to any server running on any port for protocols ldap and ldaps.
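To check that a rule set really does what the breakdown above says before you put it into the domain, here is an added example (not code from the original post and not WebLogic's own filter code). It simulates how WebLogic's built-in connection filter reads rules of the form targetAddress localAddress localPort action [protocols]: rules are checked top to bottom, the first matching rule decides, and a connection that matches no rule is accepted. The backbone prefix 172.16.0.0/16, the server address 172.16.4.10:7001 and the outside client in 203.0.113.0/24 are constructed sample values. It also shows a slip worth testing for: a /0 mask is a zero-bit mask and matches every remote address, so an allow rule written as 172.16.0.0/0 accepts everyone and the deny rule below it is never reached.

```python
import ipaddress
from typing import List, NamedTuple, Optional

# Added example: a simulator for WebLogic connection filter rules of the form
#   targetAddress localAddress localPort action [protocol ...]
# It is not WebLogic's own code; it models the documented behaviour: rules are
# checked top to bottom, the first match decides, and a connection that
# matches no rule is accepted.

PROTOCOLS = {"http", "https", "t3", "t3s", "ldap", "ldaps", "iiop", "iiops", "com"}


class Rule(NamedTuple):
    remote: ipaddress.IPv4Network   # remote (target) address range
    local_addr: Optional[str]       # None means '*'
    local_port: Optional[int]       # None means '*'
    action: str                     # 'allow' or 'deny'
    protocols: frozenset            # empty set means every protocol


def parse_rule(line: str) -> Rule:
    fields = line.split()
    if len(fields) < 4:
        raise ValueError(f"rule needs at least 4 fields: {line!r}")
    target, local_addr, local_port, action, *protocols = fields
    if "/" not in target:            # a bare address matches only that host
        target += "/32"
    action = action.lower()
    if action not in ("allow", "deny"):
        raise ValueError(f"unknown action {action!r} in {line!r}")
    protos = frozenset(p.lower() for p in protocols)
    unknown = protos - PROTOCOLS
    if unknown:
        raise ValueError(f"unknown protocol(s) {sorted(unknown)} in {line!r}")
    return Rule(
        remote=ipaddress.ip_network(target, strict=False),  # accepts /16 or /255.255.0.0
        local_addr=None if local_addr == "*" else local_addr,
        local_port=None if local_port == "*" else int(local_port),
        action=action,
        protocols=protos,
    )


def parse_rules(text: str) -> List[Rule]:
    """Parse one rule per line; blank lines and '#' comments are skipped."""
    return [parse_rule(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def evaluate(rules: List[Rule], remote_ip: str, local_ip: str,
             local_port: int, protocol: str) -> str:
    """Return 'allow' or 'deny' for one incoming connection."""
    rip = ipaddress.ip_address(remote_ip)
    proto = protocol.lower()
    for r in rules:
        if rip not in r.remote:
            continue
        if r.local_addr is not None and r.local_addr != local_ip:
            continue
        if r.local_port is not None and r.local_port != local_port:
            continue
        if r.protocols and proto not in r.protocols:
            continue
        return r.action                 # first matching rule decides
    return "allow"                      # no rule matched: connection is accepted


# Constructed rule sets. 172.16.0.0/16 is the sample backbone prefix;
# 203.0.113.0/24 (TEST-NET-3) stands in for an outside client.
SINGLE_SERVER = "0.0.0.0/0 * * deny ldap ldaps"
CLUSTER = """
172.16.0.0/16 * * allow
0.0.0.0/0 * * deny ldap ldaps
"""
CLUSTER_ZERO_MASK = """
# /0 is a zero-bit mask: this 'allow' matches every remote address
172.16.0.0/0 * * allow
0.0.0.0/0 * * deny ldap ldaps
"""


def decide(rule_text: str, remote_ip: str, protocol: str) -> str:
    """Evaluate a connection to a managed server on 172.16.4.10:7001 (constructed)."""
    return evaluate(parse_rules(rule_text), remote_ip, "172.16.4.10", 7001, protocol)


if __name__ == "__main__":
    for name, rules in (("single", SINGLE_SERVER), ("cluster", CLUSTER),
                        ("cluster /0", CLUSTER_ZERO_MASK)):
        for remote, proto in (("172.16.4.20", "ldap"), ("203.0.113.5", "ldaps"),
                              ("203.0.113.5", "https")):
            print(f"{name:10} {remote:>12} {proto:5} -> {decide(rules, remote, proto)}")
```

Running it prints one decision per rule set and sample connection; the "cluster /0" rows show ldap from the outside client being allowed, which is the mistake the simulator is there to catch. The same function can be fed the exact rule text you intend to paste into the domain's connection filter rules, so the check runs against the real configuration rather than a transcription of it.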

Hope this helps.

Written by Jacco H. Landlust

April 11, 2012 at 11:28 am

Posted in security, Weblogic