Goal
Solution
Recommendation for SSL V3.0 "Poodle" Vulnerability - CVE-2014-3566
How to Configure Oracle Web Cache 11g to Use a Specific SSL/TLS Protocol
New Protocols for Web Cache 11.1.1.9 Only
Known Issues With Oracle Web Cache 11.1.1.9
References
APPLIES TO:
GOAL
This document provides steps on how to configure Oracle Web Cache 11g to use a
specific SSL/TLS protocol, along with some known issues.
SOLUTION
It is important to first review a protocol security issue that has arisen since the
release of Oracle Web Cache 11g:
It is now highly recommended to disable SSL 3.0 and use only the TLS protocol, as
per the following:
Note 1936300.1 How to Change SSL Protocols (to Disable SSL 3.0) in Oracle
Fusion Middleware Products
o Read the above documents for full information
o Steps below are provided to configure SSL protocol specifically with
Oracle Web Cache 11g
o This is not possible in 10g as per Note 467854.1 How to Configure
Web Cache to Use a Specific SSL Protocol or Ciphersuite in Oracle
Application Server 10.1.2.X.X
How to Configure Oracle Web Cache 11g to Use a Specific SSL/TLS Protocol
In Oracle Web Cache 11g, you can select the version of the SSL protocol to use. The
steps to follow depend on whether Web Tier is associated with a WebLogic Server
domain, or whether it is a standalone Web Tier.
-- If Web Tier 11 is associated with a WebLogic domain, you can follow the
steps from the Web Cache Administration Guide:
Oracle Fusion Middleware Administrator's Guide for Oracle Web Cache 11g
Release 1 (11.1.1)
5 Configuring Security
5.4.2 Task 2: Configure an HTTPS Listening Port
-- If you installed standalone Oracle Web Tier 11g without associating Web
Tier components with an existing WebLogic domain, then you can edit
the SSLENABLED for the selected listen port
in $INSTANCE_HOME/config/WebCache/webcache1/webcache.xml to one of the
following values for versions 11.1.1.2-11.1.1.7:
SSL: This selection enables the TLSv1, SSL v3, and SSL v3-v2Hello options.
TLSV1: This selection supports TLS version 1 traffic.
SSLV3_V2H: This selection combines the SSL version 2 hello message format
with SSL version 3 handling to support SSL version upgrade during handshake
operations.
SSLV3: This selection provides SSL version 3 traffic.
SSLV1V3: This selection supports TLS version 1 and SSL version 3 traffic.
This assumes you have already followed Note 1233972.1 for configuring Web
Cache with HTTPS.
Note that versions newer than TLS 1.0 (e.g. 1.1 or 1.2) are not supported with
Web Cache 11g.
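The following check is an added example, not part of the Oracle note or of Oracle's tooling: it reads a webcache.xml and reports which listen ports carry an SSLENABLED value that still permits SSL 3.0, using the 11.1.1.2-11.1.1.7 value list above. The root element, the PORT attribute and the sample XML are assumptions constructed for illustration; any value outside that list (such as the 11.1.1.9 values) is reported for manual review.

```python
import xml.etree.ElementTree as ET

# Protocols each SSLENABLED value allows on 11.1.1.2-11.1.1.7, per the list above.
PROTOCOLS = {
    "SSL": {"TLSv1", "SSLv3", "SSLv3-v2Hello"},
    "TLSV1": {"TLSv1"},
    "SSLV3_V2H": {"SSLv3", "SSLv3-v2Hello"},
    "SSLV3": {"SSLv3"},
    "SSLV1V3": {"TLSv1", "SSLv3"},
}

def audit_listeners(xml_text):
    """Return (port, SSLENABLED value, verdict) for each LISTEN with SSLENABLED."""
    findings = []
    for listen in ET.fromstring(xml_text).iter("LISTEN"):
        value = listen.get("SSLENABLED")
        if value is None:
            continue  # listener carries no SSLENABLED parameter
        allowed = PROTOCOLS.get(value.strip().upper())
        if allowed is None:
            verdict = "review"        # not in the 11.1.1.2-11.1.1.7 list
        elif any(p.startswith("SSLv3") for p in allowed):
            verdict = "ssl3-enabled"  # SSL 3.0 can still be negotiated
        else:
            verdict = "tls-only"
        findings.append((listen.get("PORT"), value, verdict))
    return findings

# Constructed sample for illustration, not a real webcache.xml. The root element,
# the PORT attribute and PLACEHOLDER_VALUE are assumptions.
SAMPLE = """<SAMPLE>
  <LISTEN PORT="7785" SSLENABLED="TLSV1"/>
  <LISTEN PORT="7786" SSLENABLED="SSLV3_V2H"/>
  <LISTEN PORT="7787" SSLENABLED="SSL"/>
  <LISTEN PORT="7788" SSLENABLED="PLACEHOLDER_VALUE"/>
  <LISTEN PORT="7789"/>
</SAMPLE>"""

if __name__ == "__main__":
    import sys
    # Pass the path to webcache.xml as the first argument, or run on the sample.
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for port, value, verdict in audit_listeners(text):
        print(f"port {port}: SSLENABLED={value} -> {verdict}")
```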
Oracle Web Cache is a deprecated product, and it is recommended to make
plans to only use Oracle HTTP Server going into the 12c release.
See Note 1576588.1 Oracle Web Tier - Statement of Direction
For Oracle Web Cache 11.1.1.7, ensure you are applying Critical Patch Updates for
Oracle Web Cache, OPMN, and SSL/Networking components in unison.
Oracle Web Cache 11.1.1.9 now supports TLS 1.1 and 1.2. See Note 2003468.1 for
announcement highlights and the reference to Note 2041410.1, "Support Status of New
SSL Features Released with Oracle HTTP Server and Oracle Web Cache 11.1.1.9". It
is important to note that not everyone can upgrade to 11.1.1.9; cases like Oracle
Portal 11.1.1.6/7 need to keep the installed Oracle Web Cache 11.1.1.7.
If you are using Oracle Web Cache 11.1.1.9 in a supported topology, you can edit
the SSLENABLED for the selected listen port
in $INSTANCE_HOME/config/WebCache/webcache1/webcache.xml to one of the
following values for version 11.1.1.9:
See the Oracle Web Cache 11.1.1.9 Release Notes for further documentation:
https://docs.oracle.com/middleware/11119/webtier/releasenotes-webcache/toc.htm
o
The fix is to apply Patch 21114347
New SSL features for Oracle Web Cache are not enabled in FMW Control
(EM) or Oracle Web Cache Admin tool. Using the webcache.xml is the
expected method to configure. See the following:
"
3 Enabling TLS Security Protocols
The current release of Oracle Web Cache adds support for the TLSv1.1
and TLSv1.2 security protocols. The security protocol used by Oracle
Web Cache is indicated by the value of the SSLENABLED parameter of
the LISTEN directive in the webcache.xml file.
...
However, if you use FMW Control for other reasons, you lose the protocol
settings when updating through the UI. You may work around this by
manually reinserting the SSL Protocol entries into the webcache.xml file and
restarting Web Cache every time you use FMW Control.
o
The fix is to apply Patch 21946137
This is a generic patch, updating .jar and .ear files
Be sure to follow the readme to redeploy
NonJ2EEManagement.ear