It's all about Weblogic..!!

June 22, 2010

Setting up a distributed environment over SSL :

Filed under: * Security — streethawkz @ 12:16 pm

Below are the steps to run a managed server on a remote machine by setting up a distributed environment:

Consider two physical boxes, each with a WebLogic installation (of any required version).
Note:

  • Make sure that the WLS directory structure is identical on both physical boxes.
  • Install the same WLS version on both of them.
  • If you want to set up a distributed environment over SSL with host name verification enabled, make sure that the machine you create in the console is named with the fully qualified host name of the respective physical box, i.e. the name that appears in that box's server certificate.
  • Create a domain on both physical boxes.
  • If the machine name differs from the fully qualified host name of the physical box on which the remote managed server resides, you will get BAD_CERTIFICATE errors. The right fix is to correct the name (or re-issue the certificate for the name you actually use). Setting host name verification to false also makes the error disappear, but it removes the check that stops a third party holding any certificate from the same CA from impersonating the node manager, so keep that for test environments only.
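To see why "remote_mac" fails and the fully qualified host name passes, here is host name verification written out as the Admin Server's SSL client applies it: the name it dials (the machine / node manager listen address) must match a name in the node manager's certificate. This is an added example, not code from the original post; the certificate names it uses are constructed. The matching follows the usual RFC 6125 rules (case-insensitive DNS names, a wildcard only as the whole left-most label, IP addresses only against IP SANs); the WebLogic default verifier of the 10.3 era compared the dialled name with the certificate's Subject CN, which is even less forgiving.

```python
"""Host name verification for the Admin Server -> Node Manager SSL connection.
Added example, not from the original post; certificate names are constructed."""
import ipaddress


def _dns_match(pattern, host):
    """One certificate DNS name against the dialled host.  Case-insensitive;
    '*' is accepted only as the whole left-most label and matches exactly one
    label, so *.example.com covers box2.example.com but not a.b.example.com."""
    pattern, host = pattern.lower().rstrip('.'), host.lower().rstrip('.')
    if '*' not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split('.'), host.split('.')
    if p_labels[0] != '*' or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_verifies(dialled, dns_names=(), ip_names=(), cn=None):
    """True if host name verification would accept this certificate.
    dialled:   what the Admin Server connects to (machine / NM listen address)
    dns_names, ip_names: SubjectAltName entries of the certificate
    cn:        Subject CN, consulted only when there are no DNS SANs"""
    try:
        ip = ipaddress.ip_address(dialled)
    except ValueError:
        ip = None
    if ip is not None:                      # an IP address only matches an IP SAN
        return any(ipaddress.ip_address(i) == ip for i in ip_names)
    candidates = list(dns_names) or ([cn] if cn else [])
    return any(_dns_match(n, dialled) for n in candidates)


def diagnose(dialled, dns_names=(), ip_names=(), cn=None):
    """Explain a BAD_CERTIFICATE outcome and the fix that keeps verification on."""
    if hostname_verifies(dialled, dns_names, ip_names, cn):
        return 'ok: %s matches the certificate' % dialled
    names = ', '.join(list(dns_names) + list(ip_names) + ([cn] if cn else [])) or '(no names)'
    return ('BAD_CERTIFICATE: the Admin Server dials %r but the certificate is for %s. '
            'Name the machine and its listen address after the certificate FQDN, or '
            're-issue the certificate for %r; switching host name verification off '
            'would accept any certificate the trusted CA ever issued.'
            % (dialled, names, dialled))
```

Note the IP-address case: if you enter the remote box's IP address as the listen address (the page allows "IP address/DNS name") while the certificate only names the FQDN, verification fails for exactly the same reason as "remote_mac" does.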

Configuration that needs to be done on the local machine (i.e. the physical box where the Admin Server is running):

  1. Start the Admin Server and log in to the console.
  2. Create a managed server (say MS_remote) and let the listen address of this server be the IP address/DNS name of the remote physical box.
  3. Now create a machine on the console (say remote_mac) and add the managed server "MS_remote" to it. Let the listen address of this machine be the IP address/DNS name of the remote physical box.
  4. Click remote_mac –> "Node Manager" tab. Specify the node manager listen address as the IP address/DNS name of the remote physical box.
  5. Check that the listen port is "5556" and the type is Plain (or SSL if you want to configure the node manager over SSL). With host name verification on, the address you enter here is what gets compared with the node manager's certificate, so it must be the name the certificate was issued for.

Below are the configurations that need to be done on the remote physical box:

  • Edit the nodemanager.properties file located in <bea_home>/<weblogic_home>/common/nodemanager/ and make the following changes:
– ListenAddress=<IP address/DNS name of the remote physical box>
– ListenPort=5556
– SecureListener=false
– StartScriptEnabled=false

Note: SecureListener=false gives you a plain-text listener; the Admin Server's node manager credentials and every start/kill request then cross the network unprotected, so use it only to get the first connection working. If you want the node manager to run on SSL, check for the following in the nodemanager.properties file:

– ListenAddress=<IP address/DNS name of the remote physical box>
– ListenPort=5556
– SecureListener=true
– StartScriptEnabled=false
  • Open a command prompt on the remote physical box and run the following commands:
  • – Run setDomainEnv.cmd (setDomainEnv.sh on Unix) to set the environment (located in <bea_home>/user_projects/domains/<domain_name>/bin).
  • – Start WLST using the command below:
– C:\> java weblogic.WLST
Initializing WebLogic Scripting Tool (WLST)…
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
wls:/offline>
*************************************************************
– wls:/offline> connect()
Now you will be prompted for the required details as follows (use t3s://<host>:<ssl port> instead of t3:// if the Admin Server's SSL port is enabled, so that the weblogic password does not travel in clear text):
Please enter your username [weblogic]: weblogic
Please enter your password [weblogic]: ********
Please enter your server URL [t3://localhost:7001]: t3://10.10.71.24:7001
Connecting to t3://10.10.71.24:7001 with userid weblogic…
Successfully connected to Admin Server 'AdminServer' that belongs to domain 'base_domain'.
  • Now let's enroll this machine using the command nmEnroll():
wls:/base_domain/serverConfig> nmEnroll()
Enrolling this machine with the domain directory at D:/BEA_Home/WLS_Home/common/nodemanager…
Successfully enrolled this machine with the domain directory at D:/BEA_Home/WLS_Home/common/nodemanager

Note: nmEnroll() frequently fails on the first attempt; check out the NOTES at the end of this document to learn more about nmEnroll() and the syntax of its arguments.
  • Now go to the admin console and check the status of the node manager. It should be Reachable.
  • Start the managed server 'MS_remote'.
  • You can see the folder 'MS_remote' created under <weblogic_home>/common/nodemanager/servers, in which you can find the logs (on the remote physical box).
The remote managed server is now successfully configured and its status should be RUNNING 🙂
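The same procedure as a WLST (Jython) script, so it can be repeated without clicking through the console: the admin-side part (steps 1 to 5: managed server, machine, node manager connection) and the remote-side nmEnroll() call. This is an added example, not a script from the original post. It is meant to run inside WLST (java weblogic.WLST this_script.py, after setDomainEnv); the WLST commands are taken from a namespace argument `w` so the same function can be driven outside WLST as well. MS_remote, remote_mac and 10.10.71.24 are the page's own names, box2.example.com is a hypothetical FQDN, and the MBean paths are as I remember them for WLS 10.3, so confirm them with ls() on your release before relying on them.

```python
"""WLST (Jython) version of the console steps above.  Added example, not part
of the original post.  `w` is the WLST command namespace (wlstModule inside
WLST); MBean paths assumed from WLS 10.3 - verify with ls() on your release."""


def configure_remote_machine(w, machine, host, server, server_port=7003,
                             nm_port=5556, nm_type='SSL'):
    """Create `machine` and `server`, point both at `host` (the remote box),
    and wire the node manager connection.  Host name verification stays ON,
    so `host` must be the name in the node manager's certificate."""
    w.edit()
    w.startEdit()
    w.cd('/')
    w.create(machine, 'Machine')
    # console: Machines -> remote_mac -> Node Manager tab
    w.cd('/Machines/%s/NodeManager/%s' % (machine, machine))
    w.set('ListenAddress', host)
    w.set('ListenPort', nm_port)
    w.set('NMType', nm_type)              # 'Plain' only while getting started
    w.cd('/')
    w.create(server, 'Server')
    # console: Servers -> MS_remote -> General
    w.cd('/Servers/%s' % server)
    w.set('ListenAddress', host)
    w.set('ListenPort', server_port)
    w.set('Machine', w.getMBean('/Machines/%s' % machine))
    # console: Servers -> MS_remote -> SSL -> Advanced.  Leave the check on;
    # a BAD_CERTIFICATE here means `host` and the certificate disagree.
    w.cd('/Servers/%s/SSL/%s' % (server, server))
    w.set('HostnameVerificationIgnored', False)
    w.save()
    w.activate()
    return {'machine': machine, 'server': server,
            'nodemanager': '%s:%s/%s' % (host, nm_port, nm_type)}


def enroll_remote(w, admin_url, user, password, domain_dir, nm_home):
    """Run on the remote box: connect to the Admin Server (t3s:// if its SSL
    port is enabled, so the password is not sent in clear text) and run
    nmEnroll(), which copies nm_password.properties and SerializedSystemIni.dat
    under domain_dir and registers the domain in nm_home/nodemanager.domains."""
    w.connect(user, password, admin_url)
    try:
        w.nmEnroll(domain_dir, nm_home)
    finally:
        w.disconnect()


if __name__ == '__main__':
    import wlstModule as w      # WLST's own command module; only exists inside WLST
    configure_remote_machine(w, 'remote_mac', 'box2.example.com', 'MS_remote')
    # On the remote box, after setDomainEnv (hypothetical paths):
    # enroll_remote(w, 't3://10.10.71.24:7001', 'weblogic', '<password>',
    #               r'D:\BEA_Home\user_projects\domains\base_domain',
    #               r'D:\BEA_Home\WLS_Home\common\nodemanager')
```

Passing the command namespace in rather than relying on WLST's globals is what lets the configuration logic be exercised with a recording stand-in before it ever touches a real domain.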
—————-

NOTES :

nmEnroll:

Command Category: Node Manager Commands
Use with WLST: Online

Description

Enrolls the machine on which WLST is currently running.
WLST must be connected to an Administration Server to run this command;
WLST does not need to be connected to Node Manager.

This command downloads the following files from the Administration Server:

– Node Manager secret file (nm_password.properties), which contains the encrypted username and password that is used for server authentication
– SerializedSystemIni.dat file
– This command also updates the nodemanager.domains file under the WL_HOME/common/nodemanager directory with the domain information, where WL_HOME refers to the top-level installation directory for WebLogic Server.
Note that the first two files belong together: SerializedSystemIni.dat holds the key material from which the domain's encryption key is derived, so anyone who can read it together with nm_password.properties can recover the Node Manager credentials. Make sure both are readable only by the account that runs Node Manager.
You must run this command once per domain per machine unless that domain shares the root directory of the Administration Server.
If the machine is already enrolled when you run this command, the Node Manager secret file (nm_password.properties) is refreshed with the latest information from the Administration Server.
In the event of an error, the command returns a WLSTException.

Syntax:

nmEnroll([domainDir], [nmHome])

Argument – domainDir – Optional.
Path of the domain directory to which you want to save the Node Manager secret file (nm_password.properties) and SerializedSystemIni.dat file.
This argument defaults to the directory in which WLST was started.

Argument – nmHome – Optional.
Path to the Node Manager home.
The nodemanager.domains file, containing the domain information, is written to this directory.
This argument defaults to WL_HOME/common/nodemanager, where WL_HOME refers to the top-level installation directory for WebLogic Server.

Example:

The following example enrolls the current machine with Node Manager and saves the Node Manager secret file (nm_password.properties) and SerializedSystemIni.dat file under c:/bea/mydomain/common/nodemanager.
The nodemanager.domains file is written to WL_HOME/common/nodemanager by default.
wls:/mydomain/serverConfig> nmEnroll('c:/bea/mydomain/common/nodemanager')
Enrolling this machine with the domain directory at c:\bea\mydomain\common\nodemanager….
Successfully enrolled this machine with the domain directory at C:\bea\mydomain\common\nodemanager
wls:/mydomain/serverConfig>
—————-
Syntax for WLST Commands:

Follow this syntax when entering WLST commands or writing them in a script:
Command names and arguments are case sensitive.
Enclose arguments in single or double quotes (straight quotes; the curly quotes a word processor produces are a syntax error in Jython). For example,
'newServer'
or
"newServer".
If you specify a backslash character (\) in a string, either precede the backslash with another backslash or precede the entire string with a lower-case r character.
The \\ or r prevents Jython from interpreting the backslash as a special character.
For example, when specifying a file pathname that contains a backslash:
readTemplate('c:\\userdomains\\mytemplates\\mytemplate.jar')
or
readTemplate(r'c:\userdomains\mytemplates\mytemplate.jar')
On Linux machines forward slashes need no escaping; the doubled slashes in the example below are harmless on Linux but not required:
Example:
nmEnroll('//opt//app//beaprd//osb//user_projects//domains//amp')
or
nmEnroll('//opt//app//beaprd//osb//user_projects//domains//amp','//opt//app//beaprd//osb//wlserver_10.3//common//nodemanager')
Enrolling this machine with the domain directory at //opt//app//beaprd//osb//user_projects//domains//amp …
Successfully enrolled this machine with the domain directory at /opt/app/beaprd/osb/user_projects/domains/amp.
or
nmEnroll()
—————-
When you configure the node manager over SSL, i.e. when you set the type to SSL (Machines –> "remote_mac" –> Node Manager –> Type), then by default the demo identity and demo trust keystores are used. The demo CA and its private key ship with every WebLogic installation (CertGenCA.der and CertGenCAKey.der under WL_HOME/server/lib), so anyone can issue a certificate that DemoTrust accepts; the demo keystores are fine for a lab and nothing else. You can make your SSL connection properly secure by using either "Custom Identity and Custom Trust" or "Custom Identity and Java Standard Trust":

Below are the changes that you need to make to configure "Custom Identity and Custom Trust":

– Make the following changes in the nodemanager.properties file (Custom Identity and Custom Trust):
  • AuthenticationEnabled=true
  • ListenAddress=(the address the node manager listens on, normally the IP address/DNS name of the remote physical box; if the managed server listens on localhost you can leave this blank)
  • ListenPort=5556
  • SecureListener=true
  • StartScriptEnabled=false
  • KeyStores=CustomIdentityAndCustomTrust
  • CustomIdentityKeyStoreFileName=C\:\\bea10.3\\user_projects\\domains\\custom_certificate_nodemanager\\identity.jks
  • CustomIdentityAlias=mykey
  • CustomIdentityPrivateKeyPassPhrase=privatepassword
  • CustomTrustKeyStoreFileName=C\:\\bea10.3\\user_projects\\domains\\custom_certificate_nodemanager\\trust.jks
Note: the passphrase goes into this file in clear text (WebLogic's encrypted values carry a {AES} or {3DES} prefix; this one does not), so restrict nodemanager.properties to the account that runs the node manager. Also note the Java-properties escaping in the Windows paths: ":" is written as "\:" and every backslash is doubled.
– Make the following changes in the nodemanager.properties file (Custom Identity and Java Standard Trust):
  • AuthenticationEnabled=true
  • ListenAddress=(as above)
  • ListenPort=5556
  • SecureListener=true
  • StartScriptEnabled=false
  • KeyStores=CustomIdentityAndJavaStandardTrust
  • CustomIdentityKeyStoreFileName=C\:\\bea10.3\\user_projects\\domains\\custom_certificate_nodemanager\\identity.jks
  • CustomIdentityAlias=mykey
  • CustomIdentityPrivateKeyPassPhrase=privatepassword
For more information have a look at the link below :
—————-
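A small audit of nodemanager.properties ties the plain-listener configuration from the first part of this post and the custom-identity configuration above together: it reads the file the way java.util.Properties does (so the escaped Windows paths come out right) and flags the settings that weaken the node manager: a plain listener, authentication switched off, the demo keystores, a clear-text key passphrase and an unpinned listen address. This is an added example, not code from the original post; it needs only the Python 3 standard library, and the two sample files are constructed from the values shown on this page.

```python
"""Audit a nodemanager.properties file for the weak settings this page discusses.
Added example, not from the original post; standard library only."""

_ESCAPES = {'t': '\t', 'n': '\n', 'r': '\r', 'f': '\f'}


def _unescape(s):
    """Resolve Java-properties escapes (\\: \\= \\\\ \\t \\n \\uXXXX ...)."""
    out, i = [], 0
    while i < len(s):
        if s[i] != '\\' or i + 1 >= len(s):
            out.append(s[i])
            i += 1
        elif s[i + 1] == 'u' and i + 6 <= len(s):
            out.append(chr(int(s[i + 2:i + 6], 16)))
            i += 6
        else:
            out.append(_ESCAPES.get(s[i + 1], s[i + 1]))
            i += 2
    return ''.join(out)


def _logical_lines(text):
    """Drop blank and #/! comment lines; join continuation lines (an odd
    number of trailing backslashes), as java.util.Properties does."""
    buf = ''
    for raw in text.splitlines():
        line = raw.lstrip()
        if not buf and (not line or line[0] in '#!'):
            continue
        if (len(line) - len(line.rstrip('\\'))) % 2 == 1:
            buf += line[:-1]
            continue
        yield buf + line
        buf = ''
    if buf:
        yield buf


def parse_java_properties(text):
    """Minimal java.util.Properties reader: the key ends at the first
    unescaped '=', ':' or blank.  Returns a plain dict."""
    props = {}
    for line in _logical_lines(text):
        i = 0
        while i < len(line):
            if line[i] == '\\':
                i += 2
            elif line[i] in '=: \t':
                break
            else:
                i += 1
        key, rest = line[:i], line[i:].lstrip(' \t')
        if rest[:1] in ('=', ':'):
            rest = rest[1:].lstrip(' \t')
        props[_unescape(key)] = _unescape(rest)
    return props


_ENCRYPTED = ('{AES}', '{AES256}', '{3DES}')   # prefixes WebLogic puts on encrypted values


def audit_nodemanager(props):
    """Return a list of findings; empty means nothing weak was found.  Missing
    keys take the documented Node Manager defaults (SecureListener and
    AuthenticationEnabled true, KeyStores DemoIdentityAndDemoTrust)."""
    low = {k: v.strip().lower() for k, v in props.items()}
    found = []
    if low.get('SecureListener', 'true') != 'true':
        found.append('SecureListener=false: credentials and start/kill commands cross the network in clear text')
    if low.get('AuthenticationEnabled', 'true') != 'true':
        found.append('AuthenticationEnabled=false: anyone reaching port %s can start and kill servers'
                     % props.get('ListenPort', '5556'))
    if low.get('SecureListener', 'true') == 'true' and \
            low.get('KeyStores', 'demoidentityanddemotrust') == 'demoidentityanddemotrust':
        found.append('KeyStores=DemoIdentityAndDemoTrust: the demo CA key ships with every install, '
                     'so any certificate it signs is trusted')
    phrase = props.get('CustomIdentityPrivateKeyPassPhrase', '')
    if phrase and not phrase.startswith(_ENCRYPTED):
        found.append('CustomIdentityPrivateKeyPassPhrase is clear text: restrict the file to the Node Manager user')
    if not props.get('ListenAddress', '').strip():
        found.append('ListenAddress is empty: Node Manager binds every interface; pin it to the remote box address')
    return found


# Constructed samples: the plain configuration and the custom-identity one shown above.
PLAIN_SAMPLE = r"""
ListenAddress=10.10.71.24
ListenPort=5556
SecureListener=false
StartScriptEnabled=false
"""

CUSTOM_SAMPLE = r"""
AuthenticationEnabled=true
ListenAddress=10.10.71.24
ListenPort=5556
SecureListener=true
StartScriptEnabled=false
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeyStoreFileName=C\:\\bea10.3\\user_projects\\domains\\custom_certificate_nodemanager\\identity.jks
CustomIdentityAlias=mykey
CustomIdentityPrivateKeyPassPhrase=privatepassword
CustomTrustKeyStoreFileName=C\:\\bea10.3\\user_projects\\domains\\custom_certificate_nodemanager\\trust.jks
"""
```

Running audit_nodemanager(parse_java_properties(open(path, encoding='latin-1').read())) against a real file (properties files are ISO-8859-1) gives the same findings for your own configuration; the plain sample produces exactly one finding (the listener), the custom one exactly one (the clear-text passphrase).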
Below are the configurations that have to be done on the "Keystores" tab of each server:
Configuring Keystores:
By default, WebLogic Server is configured with two keystores:
DemoIdentity.jks—Contains a demonstration private key for WebLogic Server. This keystore contains the identity for WebLogic Server.
DemoTrust.jks—Contains the trusted certificate authorities from the WL_HOME\server\lib\DemoTrust.jks and the JDK cacerts keystores. This keystore establishes trust for WebLogic Server.
—————-

To configure Identity and Trust keystores for WebLogic Server:

  • Expand the Servers node.
  • Select the name of the server for which you want to configure keystores (for example, exampleserver).
  • Select the Configuration–>Keystores and SSL tab.
  • The information about the demonstration keystores is displayed in the Keystore Configuration.
  • Click the Change… link in the Keystore Configuration to configure new keystores.
  • Choose the type of keystore configuration being used.
  • The following options are available:
  1. Demo Identity and Demo Trust: The demonstration Identity and Trust keystores located in the WL_HOME\server\lib directory and configured by default, plus the cacerts file in the JAVA_HOME\jre\lib\security directory. Not for production: the demo CA's private key is part of every installation.
  2. Custom Identity and Java Standard Trust: An Identity keystore you create and the trusted CAs defined in the cacerts file in the JAVA_HOME\jre\lib\security directory.
  3. Custom Identity and Custom Trust: Identity and Trust keystores you create.
  4. Custom Identity and Command-Line Trust: An Identity keystore you create and command-line arguments that specify the location of the Trust keystore. Use this option in a production environment when the Administration port is enabled and Managed Servers are started on the command line instead of by the Node Manager.
  • Click Continue.
  • Define attributes for the Identity keystore.
  • Custom Identity Keystore File Name : The fully qualified path to the Identity keystore.
  • Custom Identity Keystore Type : The type of the keystore. Generally, this attribute is jks. If this attribute is not specified, the default keystore type defined in the security policy file for the JDK is used.
  • Custom Identity Keystore PassPhrase : The password defined when creating the keystore. This attribute is optional or required depending on the type of keystore. All keystores require the passphrase in order to write to the keystore. Some keystores do not require the passphrase to read from the keystore. Whether or not you define this property depends on the requirements of the keystore. For example, WebLogic Server only reads from the keystore so a passphrase is not required, however, WebLogic Integration writes to keystores and therefore requires a passphrase. Confirm the password.
Note: The passphrase for the Demo Identity keystore is DemoIdentityKeyStorePassPhrase.
  • Define attributes for the Trust keystore.
  • If you choose Java Standard Trust, specify the password defined when creating the keystore. Confirm the password.
  • If you choose Custom Trust, define the following attributes:
  • Custom Trust Keystore File Name : The fully qualified path to the trust keystore.
  • Custom Trust Keystore Type : The type of the keystore. Generally, this attribute is jks. If this attribute is not specified, the default keystore type defined in the security policy file for the JDK is used.
  • Custom Trust Keystore PassPhrase : The password defined when creating the keystore. This attribute is optional or required depending on the type of keystore. All keystores require the passphrase in order to write to the keystore. Some keystores do not require the passphrase to read from the keystore. Whether or not you define this property depends on the requirements of the keystore. For example, WebLogic Server only reads from the keystore so a passphrase is not required, however, WebLogic Integration writes to keystores and therefore requires a passphrase. Confirm the password.
  • Click Continue.
  • Click Finish.
  • Optionally, configure the SSL attributes for WebLogic Server. You do not have to perform this step if you are using keystores for the purpose of digital signing.
  • Reboot WebLogic Server.
——————

Configuring SSL:

  • By default, SSL is enabled and configured to use the demonstration Identity and Trust keystores.
To configure SSL:

  • Expand the Servers node.
  • Select the name of the server for which you want to configure SSL (for example, exampleserver).
  • Select the Configuration–>Keystores and SSL tab.
  • The Configure SSL page appears.
  • Specify how the identity and trust for WebLogic Server is stored.
  • The following options are available:
  1. Key Stores: Use this option if you created Identity and Trust keystores for WebLogic Server.
  2. Files or Key Store Providers: Use this option if you stored private keys and trusted CA certificates in a file or in a JKS keystore accessed via the WebLogic Keystore provider (kept for backward compatibility; now deprecated).
  • Private Key Alias : The alias specified when loading the private key for WebLogic Server from the keystore.
  • Private Key Passphrase : The password specified when loading the private key for WebLogic Server into the keystore.
  • Confirm the password.
  • Note : If you protected the private key file with a password, specify the weblogic.management.pkpassword command-line argument when starting the server.
  • Click Continue.
  • Click Finish.
  • Reboot WebLogic Server.
———————

Click on the link below to know more about ” Configuring node manager over SSL using custom identity and custom trust ”


8 Comments »

  1. Good post. I absolutely appreciate this site. Keep it up!

    Comment by Homesite — May 20, 2014 @ 10:15 am

  2. This is my first time visit at here and I am genuinely pleasant
    to read all at single place.

    Comment by Holly — December 5, 2014 @ 9:48 am

  3. Greetings I am not sure if it is me or perhaps your weblog but it’s loading slowly for me, I had to spend sort of a minute to successfully load and yet gmail does work perfectly to
    me. Nevertheless, I’m going to thank you so much for adding wonderful content.

    I believe it has already been incredibly useful to individual who seem to visit here.
    I personally must state that you really have
    done excellent job with this as well as wish to check out further awesome things through you.
    Right after looking at the post, I have book-marked the website.

    Comment by Earlene — February 12, 2015 @ 11:06 am

  4. Hey there Your main web site loads up seriously slow for me, I’m not sure who’s issue is that however
    , facebook starts relatively quick. Anyways, I would like to thank
    you so much for placing beautiful content. I’m guessing this has already been beneficial to many individuals
    . I have to tell you that you have done amazing work with this plus expect to
    check out more brilliant things from you. To get more understanding through content which you write-up, I actually have book marked this web site.

    Comment by gta5forpsp.com — June 9, 2015 @ 1:06 am

  5. Hello! Your websites are running slow for me personally,
    this kind of took just like a minute or two to actually
    load, I actually have no idea whether or not it’s just me or maybe your web page
    but twitter worked for me. Around the other hand I appreciate you for publishing impressive articles.
    Nearly everybody who actually discovered this site should have discovered this article literally handy.
    I hope I will be able to find more amazing information and I really should flatter by stating you’ve
    done wonderful job. To obtain additional knowledge
    by articles that you post, I have book-marked this
    website.

    Comment by www.free-fifa15coins.com — June 22, 2015 @ 9:27 am

  6. Hello Your entire site loads up seriously slow in my
    situation, I don’t know who’s problem is that however , twitter and facebook starts relatively fast.
    Anyways, I have to appreciate you for including fantastic post.
    In my opinion it has already been incredibly beneficial to user who click here.
    I ought to say that you actually have done amazing work with
    this as well as hope to discover even more awesome things from you.
    I already have your site bookmarked to see blog you post.

    Comment by Lauren — August 17, 2015 @ 6:26 pm

  7. Hi Google and yahoo performs great to me yet your
    site is running slowly which took close to one minute to successfully load up,
    I don’t know if it is my personal problem perhaps site issue.
    Around the other hand thanks for putting up impressive articles.
    I think it has been literally useful to visitor who actually click here.
    I hope I will be able to find further amazing stuff and I should complement your site
    by stating you have done fantastic work. To obtain more knowledge from articles
    which you publish, I have saved to my bookmarks this url.

    Comment by Homer — November 28, 2015 @ 12:48 am

  8. Hello there Google and yahoo performs perfectly to me yet your website is starting steadily
    which actually had taken approximately one minute to actually
    load up, I don’t know whether or not it’s my personal problem or
    maybe your web site issue. Anyway, Thanks for placing an incredibly excellent blog post.
    Nearly everybody who came to this website should have observed this content really beneficial.
    I am hoping I will be able to find even more amazing
    things and I also really should compliment you by
    telling you have done amazing work. I already have you saved to my bookmarks to see new stuff you post.

    Comment by gta5wii.com — March 28, 2016 @ 4:47 pm

