It's all about Weblogic..!!

May 31, 2010

Configure node manager over SSL ( Custom Certificates )

Filed under: * Security — streethawkz @ 9:11 pm

Below are the steps to configure Node Manager over SSL :

First create custom certificates using the commands below:

1) keytool -genkey -alias mykey -keyalg RSA -keysize 1024 -dname "CN=Puneeth, OU=Oracle, O=BEA, L=Denver, ST=Colorado, C=US" -keypass password -keystore identity.jks -storepass password

2) keytool -selfcert -v -alias mykey -keypass password -keystore identity.jks -storepass password -storetype jks

3) keytool -export -v -alias mykey -file rootCA.der -keystore identity.jks -storepass password

4) keytool -import -v -trustcacerts -alias mykey -file rootCA.der -keystore trust.jks -storepass password

Now configure "Custom Identity and Custom Trust" for the Admin and managed servers as shown below:


Now enter the Key Alias and Private Key Passphrase under the SSL tab for both the servers:


Make the following changes in nodemanager.properties file :

  • AuthenticationEnabled=true
  • ListenAddress=   ( Leave it blank if you are using localhost for server Listen Address )
  • ListenPort=5556
  • SecureListener=true
  • StartScriptEnabled=true
  • KeyStores=CustomIdentityAndCustomTrust
  • CustomIdentityKeyStoreFileName=C\:\\bea10.3\\user_projects\\domains\\custom_certificate_nodemanager\\identity.jks
  • CustomIdentityAlias=mykey
  • CustomIdentityPrivateKeyPassPhrase=password
  • CustomTrustKeyStoreFileName=C\:\\bea10.3\\user_projects\\domains\\custom_certificate_nodemanager\\trust.jks

Add the following flags in setDomainEnv.cmd:

-Dweblogic.security.IdentityKeyStore=CustomIdentity

-Dweblogic.security.CustomIdentityKeyStoreFileName=filename

-Dweblogic.security.CustomIdentityKeyStorePassPhrase=passphrase

-Dweblogic.security.CustomIdentityKeyStoreType=type

-Dweblogic.security.TrustKeyStore=CustomTrust

-Dweblogic.security.CustomTrustKeyStoreFileName=filename

-Dweblogic.security.CustomTrustKeyStoreType=type

-Dweblogic.security.CustomTrustKeyStorePassPhrase=passphrase


Add the following flag in startNodeManager.cmd (note the space before %JAVA_OPTIONS%, otherwise any existing options get glued onto the flag):

set JAVA_OPTIONS=-Dweblogic.nodemanager.sslHostNameVerificationEnabled=false %JAVA_OPTIONS%

This switches off hostname verification for Node Manager's SSL connections, which is fine for a test setup with the self-signed certificate above (CN=Puneeth); in production keep it enabled and issue the certificate with a CN equal to the machine's hostname, as discussed in the comments.


Now check the status of NodeManager. It should be reachable:


Now start the server..!!

Node manager is now configured over SSL🙂
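Added here as an example, not part of the original post: a small Python checker for nodemanager.properties that reads the file with Java's .properties rules (so the backslash-escaped Windows path and any trailing whitespace are handled the way Node Manager sees them) and reports which of the settings above are missing or wrong, including the stray-space and Machines-tab port problems raised in the comments below. The sample properties are constructed from the post; parse_properties and check_nodemanager are names of my own.

```python
import re
# Values the post's nodemanager.properties procedure requires.
REQUIRED = {"AuthenticationEnabled": "true", "SecureListener": "true",
            "KeyStores": "CustomIdentityAndCustomTrust"}
NEEDED_KEYS = ("CustomIdentityKeyStoreFileName", "CustomIdentityAlias",
               "CustomIdentityPrivateKeyPassPhrase", "CustomTrustKeyStoreFileName")

def parse_properties(text):
    """Parse a Java .properties file as Node Manager's loader sees it: whitespace
    before a value is dropped, trailing whitespace stays in it ('true ' != 'true')."""
    props, findings = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip()[0] in "#!":
            continue  # blank or comment line
        key, value = re.match(r"\s*([^=:\s]+)\s*[=:]?\s*(.*)$", raw).groups()
        if value != value.rstrip():  # the stray-space problem noted in the comments
            findings.append(f"line {n}: trailing whitespace after value of {key}")
        props[key] = re.sub(r"\\(.)", r"\1", value)  # C\:\\bea10.3 -> C:\bea10.3
    return props, findings

def check_nodemanager(text, expected_port=5556):
    """Return problems (empty list = matches the post); expected_port is the Node
    Manager port configured on the Machines tab of the console."""
    props, problems = parse_properties(text)
    for key, want in REQUIRED.items():
        if props.get(key) != want:
            problems.append(f"{key} should be {want}, found {props.get(key)!r}")
    for key in NEEDED_KEYS:
        if not props.get(key):
            problems.append(f"{key} is missing or empty")
    if props.get("ListenPort") != str(expected_port):
        problems.append(f"ListenPort {props.get('ListenPort')!r} differs from "
                        f"Machines tab port {expected_port}")
    return problems

# Constructed sample: the post's properties, Windows path escaped as Java expects.
GOOD_CONF = r"""AuthenticationEnabled=true
ListenAddress=
ListenPort=5556
SecureListener=true
StartScriptEnabled=true
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeyStoreFileName=C\:\\bea10.3\\user_projects\\domains\\custom_certificate_nodemanager\\identity.jks
CustomIdentityAlias=mykey
CustomIdentityPrivateKeyPassPhrase=password
CustomTrustKeyStoreFileName=C\:\\bea10.3\\user_projects\\domains\\custom_certificate_nodemanager\\trust.jks
"""
# Constructed broken copy: a stray trailing space and the identity alias removed.
BAD_CONF = GOOD_CONF.replace("SecureListener=true", "SecureListener=true ").replace(
    "CustomIdentityAlias=mykey", "")
```

check_nodemanager(GOOD_CONF) returns an empty list, while check_nodemanager(BAD_CONF, expected_port=26005) reports four problems: the trailing space, SecureListener read as 'true ', the missing alias, and the port that does not match the Machines tab.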

19 Comments »

  1. While configuring node manager over SSL on a distributed environment, make sure of the following :

    – the root certificate of all the servers should be imported to the trust of the node manager, the reason being that the node manager will communicate with the admin server and the managed servers and will throw bad certificate exceptions if it does not find all the certificates of all the servers ( located in different boxes )

    Example :

    If we have 2 physical machine q30 and q31 then rootCA of both machine ( with cn = q30 and cn = q31 ) should be present in the trust.jks file that is pointed to by the node manager.

    Use the command below to list the certificates in keystore :

– keytool -list -v -keystore -storepass

    The command below can be used to export a root certificate from the keystore into a file rootCA.der :

    – keytool -export -v -alias -file rootCA.der -keystore -storepass mystorepass

    Finally use the command below to import this root certificate that we generated into the trust of the other machine :

– keytool -import -v -trustcacerts -alias mykey -file rootCA.der -keystore trust.jks -storepass password

    —————–

In the nodemanager.properties file of the remote managed server make sure that the property :

    StopScriptEnabled=false

    or else it will throw an exception that startMangerServer.sh was not found.
    —————–

    If the custom certificates are not being picked up by the node manager ( you can check this by looking at node manager log files ) then check if there are any unwanted spaces in the nodemanager.properties file ( this issue was seen on linux box )

    Comment by streethawkz — June 2, 2010 @ 7:39 pm

  2. Note that ” Adding flags in setDomainEnv.cmd ” in the above configuration is optional..!!!!

    Comment by streethawkz — June 3, 2010 @ 4:47 pm

  3. […] Configure node manager over SSL ( Custom Certifcates ) […]

    Pingback by Its all about weblogic — June 22, 2010 @ 12:17 pm

  4. […] Configure node manager over SSL ( Custom Certifcates ) […]

    Pingback by Setting up a distributed environment over SSL : « Its all about weblogic — June 22, 2010 @ 12:18 pm

  5. If the following error was seen in the logs :

    and we were not able to start the managed servers.

    You can add the following parameters in the nodemanager.properties file to overcome the issue :

    CustomIdentityKeyStoreFileName=/products/oracle/mw/wlserver_10.3/server/lib/identity1.jks
    CustomIdentityAlias=node1
    CustomIdentityPrivateKeyPassPhrase=TMONodePassPhrase
    CustomTrustKeyStoreFileName=/products/oracle/mw/wlserver_10.3/server/lib/trust.jks

    Also make sure that the ListenAddress=

    and change the node manager port ( which would be 5556 by default ) — change it to the port mentioned in the machines tab of the console ( eg : 26005 )

    Comment by streethawkz — June 25, 2010 @ 11:08 pm

  6. Hi Puneeth,

    How could I get in touch with you?

    I am William here..

    Comment by William — July 29, 2011 @ 12:23 am

  7. Hi William,

    u can post your queries here..

    Comment by streethawkz — July 29, 2011 @ 1:27 am

  8. Thanks..

    could you please confirm point 4 and 5 on the two servers (especially the alias):

    many thanks..

    on server01:

    1.

keytool -genkey -alias server01 -keyalg RSA -keysize 1024 -dname "CN=server01.com, OU=ITS, O=ORG, L=NY, ST=NY, C=US" -keypass password -keystore identity01.jks -storepass password

    2.

    keytool -selfcert -v -alias server01 -keypass password -keystore identity01.jks -storepass password -storetype jks

    3.

keytool -export -v -alias server01 -file rootcert01.der -keystore identity01.jks -storepass password

    4.

keytool -import -v -trustcacerts -alias server01 -file rootcert01.der -keystore trust01.jks -storepass password

    5.

keytool -import -v -trustcacerts -alias server01 -file rootcert02.der -keystore trust01.jks -storepass password

    on server02:

    1.

keytool -genkey -alias server02 -keyalg RSA -keysize 1024 -dname "CN=server01.com, OU=ITS, O=ORG, L=NY, ST=NY, C=US" -keypass password -keystore identity02.jks -storepass password

    2.

    keytool -selfcert -v -alias server02 -keypass password -keystore identity02.jks -storepass password -storetype jks

    3.

keytool -export -v -alias server02 -file rootcert02.der -keystore identity02.jks -storepass password

    4.

keytool -import -v -trustcacerts -alias server02 -file rootcert02.der -keystore trust02.jks -storepass password

    5.

keytool -import -v -trustcacerts -alias server02 -file rootcert01.der -keystore trust02.jks -storepass password

    Comment by William — July 29, 2011 @ 5:31 pm

    • Hi William,

      On Server1 :

      In the first step I see that you are creating a new identity keystore ” identity01.jks ”

      The second command is not necessary — first command will create a self signed cert in identity keystore ” identity01.jks ”

      In third step you are exporting the root certificate from the identity keystore ” identity01.jks ” to a file ” rootcert01.der ”

      In the fourth step you are creating a trust keystore ” trust01.jks ” with the root certificate ” rootcert01.der ”

      In the fifth step you are importing a root certificate ” rootcert02.der ” from a different server to this trust keystore ” trust01.jks “. But here the alias is ” server01 ” which cannot be the case.

      Every keystore should have unique alias. So give a different alias name here, say :

keytool -import -v -trustcacerts -alias server02 -file rootcert02.der -keystore trust01.jks -storepass password

      —–

      On server2 everything looks fine except the last command.

      In the fourth step you are using the alias ” server02 ” for file ” rootcert02.der ”
      So change the fifth step as follows :

keytool -import -v -trustcacerts -alias server01 -file rootcert01.der -keystore trust02.jks -storepass password

      — Puneeth

      Comment by streethawkz — July 29, 2011 @ 5:47 pm

  9. thanks for the link..

    is setDomainEnv file same as setEnv. Cause I don’t see any setDomainEnv file in my environment.

    Comment by William — July 29, 2011 @ 8:23 pm

  10. Yes you can use setEnv.cmd

    setDomainEnv.cmd should be located here :

    D:\bea1033\user_projects\domains\\bin\

    Comment by streethawkz — July 29, 2011 @ 9:26 pm

  11. Hi,

    I have configured many peoplesoft clustered environments using apache RPS. They are functioning fine.

    I am configuring a node manager on each of the physical server hosting the clostered weblogic servers stated above. One of the configuration steps states that:

    Update the StartNodeManager script for environment variables:
    For both local and remote Node Managers, back up the “startNodeManager.cmd/.sh” script under
    “BEA_Home\wlserver_10.3\server\bin” directory.
    Open the “startNodeManager.cmd/.sh” and update the following:
    – Comment out the line of code: “call “%WL_HOME%\common\bin\commEnv.cmd”
    – Add a new line of code to call the setEnv.cmd/sh file under your PeopleSoft Domain\bin directory.

    My question: setEnv.sh is specific to a particular peoplesoft environment. I have multiple peoplesoft environments in the same physical server. So.. how can I use a specific setEnv.sh file in StartNodeManager script?

    Many thanks for your help.

    Regards,

    William

    Comment by William — August 2, 2011 @ 11:50 pm

  12. You mentioned that hostname verification should be set to false. According to Oracle, they recommend hostname verification be enabled for security purposes. If this is set to true, will the above configuration not work correctly?

    Comment by qjohnston — December 5, 2011 @ 11:45 pm

    • Hi,
      Yes, it is always recommended to keep hostname verification set to ” true ” in production environment.
      If you want to enable hostname verification make sure that you create a certificate with CN same as the hostname of the machine.
      – Puneeth

      Comment by streethawkz — December 6, 2011 @ 12:45 am

  14. Exactly how much time did it take you to compose “Configure node manager over SSL ( Custom Certifcates ) It’s all about Weblogic..!!”? It contains plenty of very good knowledge. Thx ,Eula

    Comment by http://tinyurl.com/haliboyle43046 — February 5, 2013 @ 9:32 pm

  15. It’s amazing designed for me to have a web page, which is good in support of my experience. thanks admin

    Comment by pedicure medyczny szczecin — August 14, 2013 @ 3:52 pm

  16. I believe for newer version of weblogic we don’t need to mention -d parameters of truststore, while configuring the nodemanager. Since Nodemanager will act as a server so -d parameters for identity stores should be fine.

    Comment by Shubham — September 12, 2015 @ 1:49 pm

