
In this Document

Goal
Solution
Recommendation for SSL V3.0 "Poodle" Vulnerability - CVE-2014-3566
How to Configure Oracle Web Cache 11g to Use a Specific SSL/TLS Protocol
New Protocols for Web Cache 11.1.1.9 Only
Known Issues With Oracle Web Cache 11.1.1.9
References

APPLIES TO:

Web Cache - Version 11.1.1.2.0 to 11.1.1.9.0 [Release Oracle11g]


Information in this document applies to any platform.

GOAL

This document provides steps on how to configure Oracle Web Cache 11g to use a
specific SSL/TLS protocol, along with some known issues.

SOLUTION

First, review a protocol security issue that was disclosed after the release of
Oracle Web Cache 11g:

Recommendation for SSL V3.0 "Poodle" Vulnerability - CVE-2014-3566

Oracle now strongly recommends disabling SSL 3.0 and using only the TLS protocol,
as described in:

SSL V3.0 "Poodle" Vulnerability - CVE-2014-3566 -
http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html

The corresponding guidance for Oracle Fusion Middleware is:

Note 1936300.1 How to Change SSL Protocols (to Disable SSL 3.0) in Oracle
Fusion Middleware Products

o Read the documents above for full information.
o The steps below configure the SSL/TLS protocol specifically for
Oracle Web Cache 11g.
o Selecting a specific protocol is not possible in Web Cache 10g; see
Note 467854.1 How to Configure Web Cache to Use a Specific SSL Protocol or
Ciphersuite in Oracle Application Server 10.1.2.X.X

How to Configure Oracle Web Cache 11g to Use a Specific SSL/TLS Protocol

In Oracle Web Cache 11g, you can select the SSL/TLS protocol version to use. The
steps to follow depend on whether the Web Tier is associated with a WebLogic Server
domain or is a standalone Web Tier.

-- If Web Tier 11g is associated with a WebLogic domain, follow the steps in
the Web Cache Administrator's Guide:

Oracle Fusion Middleware Administrator's Guide for Oracle Web Cache 11g
Release 1 (11.1.1)
5 Configuring Security
5.4.2 Task 2: Configure an HTTPS Listening Port

-- If you installed standalone Oracle Web Tier 11g without associating the Web
Tier components with an existing WebLogic domain, edit the SSLENABLED attribute
of the selected LISTEN port
in $INSTANCE_HOME/config/WebCache/webcache1/webcache.xml, setting it to one of the
following values (versions 11.1.1.2 through 11.1.1.7):

SSL: This selection enables the TLSv1, SSL v3, and SSL v3-v2Hello options.
TLSV1: This selection supports TLS version 1 traffic.
SSLV3_V2H: This selection combines the SSL version 2 hello message format
with SSL version 3 handling to support SSL version upgrade during handshake
operations.
SSLV3: This selection supports SSL version 3 traffic.
SSLV1V3: This selection supports TLS version 1 and SSL version 3 traffic.

o This assumes you have already followed Note 1233972.1 to configure Web
Cache with HTTPS.
o Of these values, only TLSV1 excludes SSL 3.0; SSL, SSLV3_V2H, SSLV3 and
SSLV1V3 all leave SSL 3.0 negotiable and so remain exposed to POODLE
(CVE-2014-3566).
o Versions newer than TLS 1.0 (1.1 or 1.2) are not supported with Web Cache
11.1.1.2 through 11.1.1.7; 11.1.1.9 adds them, as described in the next section.
o Oracle Web Cache is a deprecated product; plan to use only Oracle HTTP
Server going into the 12c release.
See Note 1576588.1 Oracle Web Tier - Statement of Direction

In the following example, the configuration was changed to support only
TLSv1.0, so that SSL 3.0 is no longer negotiated:

<LISTEN SSLCRLENABLE="NO" CLIENT_CERT="NO" SSLENABLED="TLSV1" PORTTYPE="NORM"
PORT="8090" IPADDR="ANY">
<WALLET>$INSTANCE_HOME/config/WebCache/webcache1/keystores/default</WALLET>
</LISTEN>

For Oracle Web Cache 11.1.1.7, ensure you are applying Critical Patch Updates for
Oracle Web Cache, OPMN, and SSL/Networking components in unison.

New Protocols for Web Cache 11.1.1.9 Only

Oracle Web Cache 11.1.1.9 adds support for TLS 1.1 and 1.2. See Note 2003468.1 for
the announcement highlights and its reference to Note 2041410.1, "Support Status of
New SSL Features Released with Oracle HTTP Server and Oracle Web Cache 11.1.1.9".
Note that not every deployment can upgrade to 11.1.1.9: for example, Oracle
Portal 11.1.1.6/7 must keep the installed Oracle Web Cache 11.1.1.7.

If you are using Oracle Web Cache 11.1.1.9 in a supported topology, edit the
SSLENABLED attribute of the selected LISTEN port
in $INSTANCE_HOME/config/WebCache/webcache1/webcache.xml, setting it to one of the
following new values for version 11.1.1.9:

TLSV1_1: This selection supports TLS 1.1
TLSV1_2: This selection supports TLS 1.2
TLSV1V1_1: This selection supports TLS 1.0 and TLS 1.1
TLSV1V1_2: This selection supports TLS 1.0 and TLS 1.2
TLSV1_1V1_2: This selection supports TLS 1.1 and TLS 1.2
TLSV1V1_1V1_2: This selection supports TLS 1.0, TLS 1.1 and TLS 1.2

See the Oracle Web Cache 11.1.1.9 Release Notes for further
documentation: https://docs.oracle.com/middleware/11119/webtier/releasenotes-webcache/toc.htm
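The following script is an added example (not part of this note and not Oracle's code) that audits the SSLENABLED value of every LISTEN port in a webcache.xml against the two value lists above and flags any listener that still admits SSL 3.0. It assumes that the 11.1.1.2-11.1.1.7 values remain accepted on 11.1.1.9, that a LISTEN element with SSLENABLED="NONE" (or no SSLENABLED at all) is a plain HTTP port, and that an unknown value produces the startup syntax error shown under Bug 21114347 below. The sample XML is constructed; its element nesting follows the path quoted in that error message (LISTEN under MULTIPORT under CACHE under CALYPSO).

```python
"""Audit SSLENABLED on each LISTEN port of an Oracle Web Cache 11g webcache.xml.

Added example, not Oracle's code. Assumptions (see lead-in): pre-11.1.1.9
values are still accepted on 11.1.1.9; SSLENABLED="NONE" or a missing
attribute means a plain HTTP port.
"""
import sys
import xml.etree.ElementTree as ET

# SSLENABLED values documented for Web Cache 11.1.1.2 through 11.1.1.7 and
# the protocol versions each one admits.
VALUES_11117 = {
    "SSL":       {"SSLv3", "TLSv1.0"},   # also accepts the SSLv2 hello format
    "TLSV1":     {"TLSv1.0"},
    "SSLV3_V2H": {"SSLv3"},              # SSLv2 hello format, SSLv3 handling
    "SSLV3":     {"SSLv3"},
    "SSLV1V3":   {"SSLv3", "TLSv1.0"},
}

# Additional values documented for 11.1.1.9 only.
VALUES_11119 = {
    "TLSV1_1":       {"TLSv1.1"},
    "TLSV1_2":       {"TLSv1.2"},
    "TLSV1V1_1":     {"TLSv1.0", "TLSv1.1"},
    "TLSV1V1_2":     {"TLSv1.0", "TLSv1.2"},
    "TLSV1_1V1_2":   {"TLSv1.1", "TLSv1.2"},
    "TLSV1V1_1V1_2": {"TLSv1.0", "TLSv1.1", "TLSv1.2"},
}


def allowed_values(version):
    """Return {SSLENABLED value: admitted protocols} for a Web Cache version."""
    table = dict(VALUES_11117)           # assumption: still accepted on 11.1.1.9
    if version == "11.1.1.9":
        table.update(VALUES_11119)
    return table


def classify(value, version):
    """Classify one SSLENABLED value for the given Web Cache version."""
    if value in ("NONE", None):          # assumption: plain HTTP listener
        return "plain HTTP port"
    table = allowed_values(version)
    if value not in table:
        return "INVALID on %s (webcache.xml syntax error at startup)" % version
    admitted = table[value]
    if "SSLv3" in admitted:
        return "SSLv3 enabled: POODLE (CVE-2014-3566), change to a TLS-only value"
    return "OK: " + ", ".join(sorted(admitted))


def audit_listeners(webcache_xml, version):
    """Return {port: (SSLENABLED value, finding)} for every LISTEN element."""
    root = ET.fromstring(webcache_xml)
    report = {}
    for listen in root.iter("LISTEN"):
        value = listen.get("SSLENABLED", "NONE")
        report[listen.get("PORT")] = (value, classify(value, version))
    return report


# Constructed sample, trimmed to the element path named in the page's error
# message (CALYPSO > CACHE > MULTIPORT > LISTEN); not a real webcache.xml.
SAMPLE_WEBCACHE_XML = """<CALYPSO>
  <CACHE>
    <MULTIPORT>
      <LISTEN SSLENABLED="NONE" PORTTYPE="NORM" PORT="7777" IPADDR="ANY"/>
      <LISTEN SSLCRLENABLE="NO" CLIENT_CERT="NO" SSLENABLED="SSLV1V3"
              PORTTYPE="NORM" PORT="8090" IPADDR="ANY">
        <WALLET>$INSTANCE_HOME/config/WebCache/webcache1/keystores/default</WALLET>
      </LISTEN>
      <LISTEN SSLCRLENABLE="NO" CLIENT_CERT="NO" SSLENABLED="TLSV1"
              PORTTYPE="NORM" PORT="8091" IPADDR="ANY">
        <WALLET>$INSTANCE_HOME/config/WebCache/webcache1/keystores/default</WALLET>
      </LISTEN>
      <LISTEN SSLCRLENABLE="NO" CLIENT_CERT="NO" SSLENABLED="TLSV1_1V1_2"
              PORTTYPE="NORM" PORT="8092" IPADDR="ANY">
        <WALLET>$INSTANCE_HOME/config/WebCache/webcache1/keystores/default</WALLET>
      </LISTEN>
    </MULTIPORT>
  </CACHE>
</CALYPSO>
"""

if __name__ == "__main__":
    # usage: audit_webcache_ssl.py [11.1.1.7|11.1.1.9] [path/to/webcache.xml]
    version = sys.argv[1] if len(sys.argv) > 1 else "11.1.1.7"
    xml_text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_WEBCACHE_XML
    for port, (value, finding) in sorted(audit_listeners(xml_text, version).items()):
        print("port %-5s SSLENABLED=%-14s %s" % (port, value, finding))
```

Run it with the target version as the first argument: on 11.1.1.7 the sample's port 8092 (TLSV1_1V1_2) is reported as invalid, which is exactly the value that would fail at startup there, while on 11.1.1.9 it is reported as TLS 1.1/1.2 only. Port 8090 (SSLV1V3) is flagged on both versions because SSL 3.0 is still negotiable.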

Known Issues With Oracle Web Cache 11.1.1.9

Bug 21114347 - SSLENABLED VALUES DO NOT WORK AND CAUSE WEBCACHE ADMIN TO FAIL

With this setting, WebCacheAdmin failed to start after the configuration was
changed to support all three TLS protocols:

<LISTEN SSLCRLENABLE="NO" CLIENT_CERT="NO"
SSLENABLED="TLSV1V1_1V1_2" PORTTYPE="NORM" PORT="8090"
IPADDR="ANY">
<WALLET>$INSTANCE_HOME/config/WebCache/webcache1/keystores/default</WALLET>
</LISTEN>

The error seen in the logs:

[error 13113] [ecid: -] Syntax error in
<INSTANCE_HOME>/config/WebCache/webcache1/webcache.xml.
Exception: "webcache:cfg:invalid_value" in attribute "SSLENABLED" having
value "TLSV1_1" in element LISTEN<-MULTIPORT<-CACHE<-CALYPSO


o The fix is to apply Patch 21114347

Update: this fix is included in Critical Patch Update patching beginning with
the January 2016 CPU, Patch 21905371

See also: Note 2095166.1 Oracle Web Cache 11.1.1.7/11.1.1.9 SSL Cipher Suite
Changes Beginning with CPU January 2016
Note 551453.1 How to Find the Correct Critical Patch Update Patches for Oracle
Fusion Middleware Products

Bug 21946137 - ENABLE SSL CHECKBOX IS UNCHECKED IN FMW CONTROL THOUGH WEBCACHE
IS LISTENING IN SSL PORT

The new SSL protocol values for Oracle Web Cache are not exposed in FMW Control
(EM) or the Oracle Web Cache Admin tool; editing webcache.xml directly is the
expected method of configuration. See the following:

11.1.1.9 Release Notes for Oracle Web Cache
https://docs.oracle.com/middleware/11119/webtier/releasenotes-webcache/toc.htm

"
3 Enabling TLS Security Protocols
The current release of Oracle Web Cache adds support for the TLSv1.1
and TLSv1.2 security protocols. The security protocol used by Oracle
Web Cache is indicated by the value of the SSLENABLED parameter of
the LISTEN directive in the webcache.xml file.

...

To set different protocols or combinations of protocols, you must
manually edit the webcache.xml file. There is no GUI support for the
new protocols.
"

However, if you use FMW Control for other reasons, saving changes through the
UI discards the manually set protocol value. The workaround is to re-insert the
SSLENABLED entries into webcache.xml and restart Web Cache after every update
made through FMW Control.


o The fix is to apply Patch 21946137
o This is a generic patch that updates .jar and .ear files
o Follow the patch readme to redeploy NonJ2EEManagement.ear
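Until Patch 21946137 is applied, the workaround above has to be repeated after every FMW Control save. The script below is an added example (not part of this note and not Oracle's code) that re-applies a chosen SSLENABLED value to one LISTEN port and leaves the rest of webcache.xml byte-for-byte unchanged; it edits the raw text rather than re-serialising through an XML library so that comments, attribute order and formatting survive, and it reports whether anything changed so it can be run repeatedly. It assumes one LISTEN element per port number, that the attribute appears as SSLENABLED="..." inside the LISTEN tag (possibly spanning several lines, as in the page's own example), and, for the constructed sample, that the FMW Control overwrite leaves the port with an older value such as TLSV1; the exact value FMW Control writes is not stated on this page.

```python
"""Re-apply a manually chosen SSLENABLED value to a LISTEN port in webcache.xml.

Added example, not Oracle's code. Implements the Bug 21946137 workaround:
after FMW Control rewrites webcache.xml, put the desired protocol value back
on the named port without touching anything else in the file.
Assumptions: one LISTEN element per port; the attribute is written as
SSLENABLED="..." inside the LISTEN tag.
"""
import re
import shutil
import sys

LISTEN_TAG = re.compile(r"<LISTEN\b[^>]*>")            # [^>]* also spans line breaks
SSLENABLED_ATTR = re.compile(r'\bSSLENABLED="[^"]*"')


def set_sslenabled(text, port, value):
    """Return (new_text, changed) with SSLENABLED=value on the LISTEN tag for port.

    changed is 1 if the tag was modified and 0 if it already held the value,
    so the function is idempotent and safe to run after every FMW Control save.
    """
    changed = 0

    def fix(match):
        nonlocal changed
        tag = match.group(0)
        if not re.search(r'\bPORT="%s"' % re.escape(port), tag):
            return tag                                  # a different listener
        wanted = 'SSLENABLED="%s"' % value
        if wanted in tag:
            return tag                                  # already correct
        if SSLENABLED_ATTR.search(tag):
            tag = SSLENABLED_ATTR.sub(wanted, tag, count=1)   # overwrite old value
        else:                                           # attribute was dropped entirely
            close = "/>" if tag.endswith("/>") else ">"
            tag = tag[: -len(close)] + " " + wanted + close
        changed += 1
        return tag

    return LISTEN_TAG.sub(fix, text), changed


def get_sslenabled(text, port):
    """Return the current SSLENABLED value for port, or None if absent."""
    for match in LISTEN_TAG.finditer(text):
        tag = match.group(0)
        if re.search(r'\bPORT="%s"' % re.escape(port), tag):
            attr = SSLENABLED_ATTR.search(tag)
            return attr.group(0).split('"')[1] if attr else None
    return None


# Constructed sample: FMW Control is assumed to have reset port 8090 to TLSV1;
# we want TLSV1V1_1V1_2 back, and port 7777 must stay untouched.
SAMPLE_AFTER_FMW_CONTROL = """<CALYPSO><CACHE><MULTIPORT>
<LISTEN SSLENABLED="NONE" PORTTYPE="NORM" PORT="7777" IPADDR="ANY"/>
<LISTEN SSLCRLENABLE="NO" CLIENT_CERT="NO"
SSLENABLED="TLSV1" PORTTYPE="NORM" PORT="8090"
IPADDR="ANY">
<WALLET>$INSTANCE_HOME/config/WebCache/webcache1/keystores/default</WALLET>
</LISTEN>
</MULTIPORT></CACHE></CALYPSO>
"""

if __name__ == "__main__":
    # usage: reapply_sslenabled.py <path/to/webcache.xml> <port> <SSLENABLED value>
    path, port, value = sys.argv[1:4]
    original = open(path).read()
    updated, changed = set_sslenabled(original, port, value)
    if changed:
        shutil.copyfile(path, path + ".bak")            # keep a copy before rewriting
        with open(path, "w") as fh:
            fh.write(updated)
        print("port %s: SSLENABLED set to %s; restart Web Cache" % (port, value))
    else:
        print("port %s: SSLENABLED already %s, nothing to do" % (port, value))
```

After the script reports a change, restart the Web Cache component (for example with opmnctl restartproc ias-component=webcache1, assuming the default component name) so the listener picks up the value; a second run against the same file reports nothing to do, which makes it suitable for a post-change checklist step.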
