I was completely ignorant around the OEM security area until the PCI police struck! Until this point we had been using out-of-the-box configurations - blissfully ignorant of all the issues these cause in the security world. I have found the documentation surrounding the many issues we encountered totally confusing - possibly because this is not a set of straightforward issues. The only ports that failed for us were 7101 - EMGC_ADMINSERVER and 7301 - EMGC_OMS1.
I spent hours reading notes which led to other notes - which recommended Java upgrades or WebLogic upgrades - digging through the multitude of *.ssl and *.xml files without really understanding which configs went with which WebLogic.
The final solution was really quite straightforward: amendments to gc_inst/user_projects/domains/GCDomain/bin/startEMServer.sh and to gc_inst/user_projects/domains/GCDomain/config/config.xml. This has resolved 90% of all the issues.
I have just 1 remaining now - Nessus calls it "35291 SSL certificate signed using weak hashing algorithm" for both ports 7101 and 7301. Reading note 1527874.1 has confused me about wallets and keystores - is it either wallet or keystore? How do I generate an acceptable strength key? The police tell me I used an MD5 hash.
I tried using note 1510058.1, regenerating the EM12c-WLS Demo Identity Certificate with 1024-bit key strength and replacing DemoIdentity.jks, but I suspect I am barking up the wrong tree.
Any advice to help with this final security exposure would be most gratefully received.
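An added check, not part of the original post and not an Oracle or Nessus tool: a stdlib-only Python script that reads the signatureAlgorithm OID out of a DER certificate and names the weak RSA signature hashes (MD5, SHA-1) that plugin 35291 reports, so you can confirm what the listeners on 7101 and 7301 actually present before and after swapping the keystore. The `check_listener` helper, its host/port, and the constructed stand-in certificate built by `sample_cert` are assumptions for illustration.

```python
import ssl  # only used by check_listener to fetch a live certificate
# OID -> (algorithm name, weak?) for the RSA signature algorithms a scanner flags.
SIG_OIDS = {"1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
            "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
            "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False)}

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + ln

def decode_oid(raw):
    """Convert OID content bytes to dotted form (base-128 sub-identifiers)."""
    parts, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(val)); val = 0
    return ".".join(parts)

def signature_algorithm(der):
    """Return (oid, name, weak) from Certificate.signatureAlgorithm; weak=None if unknown."""
    _, start, _ = _tlv(der, 0)                     # outer Certificate SEQUENCE
    _, _, tbs_end = _tlv(der, start)               # tbsCertificate: skip the whole element
    _, alg_start, _ = _tlv(der, tbs_end)           # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = _tlv(der, alg_start)
    assert tag == 0x06, "expected OBJECT IDENTIFIER in signatureAlgorithm"
    oid = decode_oid(der[oid_start:oid_end])
    name, weak = SIG_OIDS.get(oid, (oid, None))
    return oid, name, weak

def check_listener(host, port):
    """Classify the certificate a live TLS listener presents (assumed host/port, e.g. 7101)."""
    pem = ssl.get_server_certificate((host, port))
    return signature_algorithm(ssl.PEM_cert_to_DER_cert(pem))

def _der(tag, body):
    """Minimal DER encoder (short-form lengths only) for the constructed sample below."""
    return bytes([tag, len(body)]) + body

def sample_cert(sig_oid_hex):
    """Constructed stand-in certificate: placeholder tbs, given algorithm, dummy signature."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)) + _der(0x05, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" + b"\xaa" * 4))

MD5_RSA_OID, SHA256_RSA_OID = "2a864886f70d010104", "2a864886f70d01010b"  # DER-encoded OIDs
```

Against a real listener, `check_listener("oms-host", 7301)` returns the same (oid, name, weak) triple; a `weak` of True is what the scanner is objecting to, and None means an algorithm outside the table that needs a manual look.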