inlumi blog

    Keeping Oracle HTTP Server TLS compliant

    Keeping Oracle HTTP Server TLS compliant

    April 11th, 2018

    One of the problems with Oracle’s software is its release schedule: the underlying middleware layer can remain un-updated for quite some time. For example, EPM 11.1.2.4 is the latest Oracle Hyperion EPM release but is based on an Oracle Middleware stack dating from as far back as 2012.

    By default, EPM ships with:

    • Fusion Middleware 11.1.1.7 which was released in April 2013
    • Java 6 update 35 released in August 2012
    • Weblogic 10.3.6.0 released in Feb 2012

    So everything is well and truly out of date by default.

    What about when the underlying technology reaches End of Life? We have seen this recently with Java 6 support ending in December 2018 (see here about upgrading to Java 7 on your EPM Servers).

    Vulnerabilities and exploits in these ageing versions raise serious security concerns and bring risks to your EPM system. Some of this can be mitigated by patching with Oracle’s Critical Patch Updates and placing your EPM Servers in a separate secure network which does not allow direct access.

    You may have thought that this is fine as we encrypt our traffic, but the ageing nature of the Fusion Middleware stack means that EPM 11.1.2.4 encryption is a real issue for customers who do their http encryption at the Oracle HTTP Server level.

    Just as pressing as Java support is the push from various security organisations to move away from certain encryption levels deemed weak or ineffective, such as all SSL versions and TLS 1.0. The PCI Council, for example, have a deadline of June 2018 for all Payments to be made over TLS 1.1 or higher only.

    TLS 1.0 is the latest encryption protocol supported by Oracle HTTP Server 11.1.1.7. Some Oracle EPM environments utilise Oracle HTTP Server for SSL/TLS encryption, so they can never be made secure in their default form.

    Luckily there are some ways to mitigate these insecurities in smaller environments where offloading to dedicated SSL/TLS offload devices is not an option. Oracle has tried to address this in a recently published article in which they describe support for Oracle HTTP Server 11.1.1.9 with EPM (Oracle Support Doc ID 2179810.1), this introduces support for the more recent TLS 1.2 protocol and potentially TLS 1.3 once its standards have solidified.

    While this will not single-handedly resolve every security risk inherent to EPM, it is another step in the right direction to ensure that your EPM system remains compliant, up-to-date and as secure as can be today.