Oracle WebLogic must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
An XCCDF Rule
Description
<VulnDiscussion>Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS 140-2 is the current standard for validating cryptographic modules, and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified hardware-based encryption modules. Application servers must provide FIPS-compliant encryption modules when storing encrypted data and configuration settings.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-235975r628703_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
1. Shut down any running instances of WebLogic server
2. On disk, navigate to the DOMAIN_HOME directory
3. View the contents of the appropriate WebLogic server start script:
On UNIX operating systems: startWebLogic.sh
On Microsoft Windows operating systems: startWebLogic.cmd
4. Ensure the JAVA_OPTIONS variable is set: