Oracle WebLogic must utilize encryption when using LDAP for authentication.

An XCCDF Rule

Description

<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. Application servers have the capability to utilize LDAP directories for authentication. If LDAP connections are not protected during transmission, sensitive authentication credentials can be stolen. When the application server utilizes LDAP, the LDAP traffic must be encrypted.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-235972r628694_rule
Severity: High
References: CCI-000197
Updated: about 1 year ago

1. Access AC
2. From 'Domain Structure', select 'Environment' -> 'Servers' 
3. From the list of servers, select one which is assigned 'LDAP' protocol
4. Utilize 'Change Center' to create a new change session 
5. From 'Configuration' tab -> 'General' tab, deselect the 'Listen Port Enabled' checkbox
6. Select the 'SSL Listen Port Enabled checkbox7. Enter a valid port value in the 'SSL Listen Port' field and click 'Save'
8. Review the 'Port Usage' table in EM again to ensure the 'Protocol' column does not contain the value 'LDAP'

Oracle WebLogic must utilize encryption when using LDAP for authentication.

Description

Remediation - Manual Procedure