Secure, out of the box!

Jacco Landlust and I have been presenting together for a few years now, mostly around building robust and secure Fusion Middleware platforms. One point that we have made every single year has been to set up SSL/TLS properly, which means using freshly-created certificates and not doing silly things like disabling hostname verification in WebLogic.

There’s nothing at all controversial in this approach – in fact I attended a presentation at OpenWorld 2014 given by Will Hopkins, Oracle’s WebLogic Security Architect, where he made exactly the same point:

Slide from Will Hopkins' session at OOW14

WebLogic makes it pretty obvious that this isn’t recommended behaviour in its log too:

<Alert> <Security> <BEA-090152> <Demo trusted CA certificate is being used in production mode: The system is vulnerable to security attacks, since it trusts certificates signed by the demo trusted CA.>

<Security> <...> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1413115751661> <BEA-090152> <Demo trusted CA certificate is being used in production mode:

Version: V3
Subject: CN=CACERT, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
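That log entry is the easiest place to catch a demo trust store before it reaches production, so here is a small checker for it. This is an added example, not code from the post or from Oracle: it assumes the standard WebLogic server-log layout (each entry starting with "####", the message id as the last-but-one angle-bracket field, and the certificate details printed as "Key: value" lines inside the message), and the sample log text, host name and timestamps are constructed for the demonstration. It flags every BEA-090152 entry and adds reasons drawn from the certificate details WebLogic prints under it: the demo CA's subject (CN=CACERT, OU=FOR TESTING ONLY) and its MD5withRSA signature.

```python
import re

# Constructed sample of a WebLogic-style server log, modelled on the BEA-090152 entries
# quoted in the post. Host name and timestamps are made up; not taken from a real server.
SAMPLE_LOG = """\
####<Oct 12, 2014 1:09:11 PM BST> <Alert> <Security> <host01.example.test> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1413115751661> <BEA-090152> <Demo trusted CA certificate is being used in production mode:
Version: V3
Subject: CN=CACERT, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4>
####<Oct 12, 2014 1:09:15 PM BST> <Notice> <WebLogicServer> <host01.example.test> <AdminServer> <main> <<WLS Kernel>> <> <> <1413115755000> <BEA-000360> <The server started in RUNNING mode.>
"""

DEMO_TRUST_MSGID = "BEA-090152"  # the message id quoted in the post
DEMO_CA_SUBJECT_MARKERS = ("CN=CACERT", "OU=FOR TESTING ONLY")

ENTRY_SEP = "####"  # assumption: every server-log entry begins with this marker
SEVERITY_RE = re.compile(r"<(Emergency|Alert|Critical|Error|Warning|Notice|Info|Debug|Trace)>")
# Message id followed by the (possibly multi-line) message text, which runs to the end of the entry.
MSGID_RE = re.compile(r"<(?P<msgid>BEA-\d{6})> <(?P<message>.*)>\s*$", re.DOTALL)


def parse_entries(log_text):
    """Split a server log into entries and pull out severity, message id and message text."""
    entries = []
    for chunk in log_text.split(ENTRY_SEP):
        if not chunk.strip():
            continue
        m = MSGID_RE.search(chunk)
        if not m:
            continue  # not a message we can classify; skip it
        sev = SEVERITY_RE.search(chunk)
        entries.append({
            "severity": sev.group(1) if sev else None,
            "msgid": m.group("msgid"),
            "message": m.group("message"),
        })
    return entries


def parse_cert_details(text):
    """Turn the 'Key: value' lines WebLogic prints under the alert into a dict."""
    details = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            details[key.strip()] = value.strip()
    return details


def assess_trusted_ca(details):
    """Return the reasons a trusted CA entry should be treated as a finding (empty if none)."""
    reasons = []
    subject = details.get("Subject", "")
    if all(marker in subject for marker in DEMO_CA_SUBJECT_MARKERS):
        reasons.append("trusted CA is the WebLogic demo CA (" + subject + ")")
    sig_alg = details.get("Signature Algorithm", "").split(",")[0].strip()
    if sig_alg.upper().startswith("MD5"):
        reasons.append("trusted CA is signed with " + sig_alg)
    return reasons


def find_demo_trust_findings(log_text):
    """Return (severity, reasons) for every BEA-090152 entry in the log."""
    findings = []
    for entry in parse_entries(log_text):
        if entry["msgid"] != DEMO_TRUST_MSGID:
            continue
        reasons = ["server logged " + DEMO_TRUST_MSGID + " (demo trust store in production mode)"]
        reasons += assess_trusted_ca(parse_cert_details(entry["message"]))
        findings.append((entry["severity"], reasons))
    return findings


if __name__ == "__main__":
    for severity, reasons in find_demo_trust_findings(SAMPLE_LOG):
        print(severity)
        for reason in reasons:
            print("  -", reason)
```

Point it at a real server log (or wire `find_demo_trust_findings` into whatever ships your logs) and treat any non-empty result as a build-breaking finding: a server that logs BEA-090152 is trusting DemoTrust, and the MD5 check catches the same CA even if the subject line were ever reworded.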

Then, over a drink at the DOAG 2014 conference in November, Jacco and I were both lamenting the fact that we’d seen demo certificates in use in production again this year, and thought we needed a better way to get the message across… so we came up with this idea for a T-shirt!

Leaving the key in the lock...

Needless to say we had a bit of debate about whether this was leaving the system unlocked, giving out a master key, wearing a blindfold, etc., but I think this phrase that Jacco came up with was the catchiest alternative!

A less serious moment at the UKOUG Tech14 conference...

Oh, and in case it wasn’t obvious…

O-box: secure, out of the box

(With thanks to Lonneke for taking the photos!)

One Comment:

  1. Vengat Maran

    Nice blog…
