WebLogic should be hardened with strict admin-plane isolation, current CPU patches, and robust domain credential management.
¶ 1) Isolate and secure the Administration Server
- Keep Administration Server reachable only from management networks.
- Separate admin and managed-server traffic paths.
- Enforce role-based administrative access and MFA/SSO where integrated.
- Disable unnecessary protocols and services.
- Track Oracle CPU advisories for WebLogic and apply on schedule.
- Validate domains and deployed apps in staging before production rollout.
- Keep JDK aligned with supported, patched versions.
- Maintain rollback plans for PSU/CPU patch windows.
¶ 3) Harden domain secrets and keystores
- Protect
SerializedSystemIni.dat, boot identity files, and wallet/keystore files.
- Restrict filesystem access to Oracle OS user only.
- Enforce TLS for admin and application channels.
- Rotate credentials and certificates on policy schedule.
¶ Verification commands
sudo ss -tulpn | grep -E ':7001|:7002|:9002'
grep -R "ListenAddress\|SSL\|AdministrationPort" /opt/oracle/middleware/user_projects/domains/*/config 2>/dev/null | head
find /opt/oracle/middleware/user_projects/domains -name "boot.properties" -o -name "SerializedSystemIni.dat"
- Oracle WebLogic docs: https://docs.oracle.com/en/middleware/fusion-middleware/weblogic-server/
- Oracle Critical Patch Updates: https://www.oracle.com/security-alerts/
- Oracle WebLogic product/security page: https://www.oracle.com/middleware/technologies/weblogic.html