Monday, December 17, 2012

Setting up a distributed environment over SSL


Consider two physical boxes, each with a WebLogic Server installation (of any required version).

Note :
  • Make sure that the directory structure of WLS on both physical boxes is identical.
  • The same WLS version must be installed on both of them.
  • If you want to set up a distributed environment over SSL with host name verification set to true, make sure that the virtual machine created on the console is named with the fully qualified host name of the respective physical box.
  • Create a domain on both physical boxes.
  • If the name of the virtual machine is different from the fully qualified host name of the physical box where the remote managed server resides, set host name verification to false or you will get BAD_CERTIFICATE errors!

Configuration that needs to be done on the local machine (i.e. the physical box where the Admin server is running):

  1. Start the Admin server and log in to the console.
  2. Create a managed server (say MS_remote) and let the listen address of this server be the IP address/DNS name of the remote physical box.
  3. Now create a virtual machine on the console (say remote_mac) and add the managed server "MS_remote" to it. Let the listen address of this machine be the IP address/DNS name of the remote physical box.
  4. Click remote_mac -> "Node Manager" tab. Specify the node manager listen address as the IP address/DNS name of the remote physical box.
  5. Check that the listen port is "5556" and the type is Plain (or SSL if you want to configure node manager over SSL).

Below are the configurations that need to be done on the remote physical box:

  • Edit the nodemanager.properties file located in <bea_home>/<weblogic_home>/common/nodemanager/ and make the following changes:
- ListenAddress=<IP address/DNS name of the remote physical box>
- ListenPort=5556
- SecureListener=false
- StartScriptEnabled=false

Note : If you want the node manager to run on SSL, check for the following in the nodemanager.properties file:

- ListenAddress=<IP address/DNS name of the remote physical box>
- ListenPort=5556
- SecureListener=true
- StartScriptEnabled=false
  • Open a command prompt on the remote physical box and run the following commands:
  • Run setDomain.env to set the environment (located in <bea_home>/user_projects/domains/<domain_name>/bin).
  • Start WLST using the command below:
C:\> java weblogic.WLST
Initializing Weblogic Scripting Tool (WLST)…
Welcome to Weblogic Server Administration Scripting Shell
Type help() for help on available commands
wls:/offline>
  • Connect to the Admin server with connect(); you will be prompted for the required details as follows:
wls:/offline> connect()
Please enter your username [weblogic]: weblogic
Please enter your password [weblogic]: ********
Please enter your server URL [t3://localhost:7001]: t3://10.10.71.24:7001
Connecting to t3://10.10.71.24:7001 with userid weblogic…
Successfully connected to Admin Server 'AdminServer' that belongs to domain 'base_domain'.
  • Now let's enroll this machine using the command nmEnroll():
wls:/base_domain/serverConfig> nmEnroll()
Enrolling this machine with the domain directory at D:/BEA_Home/WLS_Home/common/nodemanager…
Successfully enrolled this machine with the domain directory at D:/BEA_Home/WLS_Home/common/nodemanager

Note : Most of the time we get errors while running the nmEnroll command; check out the NOTES at the end of this document to learn more about nmEnroll().
  • Now go to the admin console and check the status of the node manager. It should be Active and Reachable.
  • Start the managed server 'MS_remote'.
  • You can see the folder 'MS_remote' created under <weblogic_home>/common/nodemanager/servers (on the remote physical box), in which you can find the logs.
The remote managed server is now successfully configured and its status should be Running :)

NOTES :

nmEnroll :

Command Category: Node Manager Commands
Use with WLST: Online

Description

Enrolls the machine on which WLST is currently running.
WLST must be connected to an Administration Server to run this command;
WLST does not need to be connected to Node Manager.

This command downloads the following files from the Administration Server:

- Node Manager secret file (nm_password.properties), which contains the encrypted username and password that is used for server authentication
- SerializedSystemIni.dat file
This command also updates the nodemanager.domains file under the WL_HOME/common/nodemanager directory with the domain information, where WL_HOME refers to the top-level installation directory for WebLogic Server.
You must run this command once per domain per machine unless that domain shares the root directory of the Administration Server.
If the machine is already enrolled when you run this command, the Node Manager secret file (nm_password.properties) is refreshed with the latest information from the Administration Server.
In the event of an error, the command returns a WLSTException.

Syntax :

nmEnroll([domainDir], [nmHome])

Argument – domainDir – Optional.
Path of the domain directory to which you want to save the Node Manager secret file (nm_password.properties) and the SerializedSystemIni.dat file.
This argument defaults to the directory in which WLST was started.

Argument – nmHome – Optional.
Path to the Node Manager home.
The nodemanager.domains file, containing the domain information, is written to this directory.
This argument defaults to WL_HOME/common/nodemanager, where WL_HOME refers to the top-level installation directory for WebLogic Server.

Example :

The following example enrolls the current machine with Node Manager and saves the Node Manager secret file (nm_password.properties) and the SerializedSystemIni.dat file to c:/bea/mydomain/common/nodemanager/nm_password.properties.
The nodemanager.domains file is written to WL_HOME/common/nodemanager by default.
wls:/mydomain/serverConfig> nmEnroll('c:/bea/mydomain/common/nodemanager')
Enrolling this machine with the domain directory at c:\bea\mydomain\common\nodemanager...
Successfully enrolled this machine with the domain directory at C:\bea\mydomain\common\nodemanager
wls:/mydomain/serverConfig>
—————-
Syntax for WLST Commands :

Follow this syntax when entering WLST commands or writing them in a script:
Command names and arguments are case sensitive.
Enclose arguments in single or double quotes. For example,
'newServer'
or
"newServer".
If you specify a backslash character (\) in a string, either precede the backslash with another backslash or precede the entire string with a lower-case r character.
The \\ or r prevents Jython from interpreting the backslash as a special character.
For example, when specifying a file pathname that contains a backslash:
readTemplate('c:\\userdomains\\mytemplates\\mytemplate.jar')
or
readTemplate(r'c:\userdomains\mytemplates\mytemplate.jar')
On Linux machines you can use the following syntax:
Example :
nmEnroll('//opt//app//beaprd//osb//user_projects//domains//amp')
or
nmEnroll('//opt//app//beaprd//osb//user_projects//domains//amp', '//opt//app//beaprd//osb//wlserver_10.3//common//nodemanager')
Enrolling this machine with the domain directory at //opt//app//beaprd//osb//user_projects//domains//amp …
Successfully enrolled this machine with the domain directory at /opt/app/beaprd/osb/user_projects/domains/amp.
or
nmEnroll()
—————-
When you configure node manager over SSL (i.e. when you set the type as SSL in Machines -> "remote_mac" -> Node Manager -> Type), the demo identity and demo trust keystores are used by default. You can make your SSL connection more secure by using either "Custom Identity and Custom Trust" or "Custom Identity and Java Standard Trust":

Below are the changes that you need to make to configure "Custom Identity and Custom Trust":

- Make the following changes in the nodemanager.properties file (Custom Identity and Custom Trust):
  • AuthenticationEnabled=true
  • ListenAddress=(Specify the listen address of the managed server. If the managed server listen address is localhost then you can leave this blank)
  • ListenPort=5556
  • SecureListener=true
  • StartScriptEnabled=false
  • KeyStores=CustomIdentityAndCustomTrust
  • CustomIdentityKeyStoreFileName=C\:\\bea10.3\\user_projects\\domains\\custom_certificate_nodemanager\\identity.jks
  • CustomIdentityAlias=mykey
  • CustomIdentityPrivateKeyPassPhrase=privatepassword
  • CustomTrustKeyStoreFileName=C\:\\bea10.3\\user_projects\\domains\\custom_certificate_nodemanager\\trust.jks
- Make the following changes in the nodemanager.properties file (Custom Identity and Java Standard Trust):
  • AuthenticationEnabled=true
  • ListenAddress=(Specify the listen address of the managed server. If the managed server listen address is localhost then you can leave this blank)
  • ListenPort=5556
  • SecureListener=true
  • StartScriptEnabled=false
  • KeyStores=CustomIdentityAndJavaStandardTrust
  • CustomIdentityKeyStoreFileName=C\:\\bea10.3\\user_projects\\domains\\custom_certificate_nodemanager\\identity.jks
  • CustomIdentityAlias=mykey
  • CustomIdentityPrivateKeyPassPhrase=privatepassword
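A quick way to check that a remote box's nodemanager.properties really carries the SSL settings from the plain-listener section and the two custom-keystore variants above is to parse the file and audit it. The script below is an added example written for this post, not part of the original or of WebLogic; the sample file contents are constructed, and the host name remotebox.example.com is a placeholder.

```python
import re

# Constructed sample: the Custom Identity and Custom Trust settings from this post, with the Windows path escaped as nodemanager.properties stores it.
HARDENED_PROPERTIES = r"""
AuthenticationEnabled=true
ListenAddress=remotebox.example.com
ListenPort=5556
SecureListener=true
StartScriptEnabled=false
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeyStoreFileName=C\:\\bea10.3\\user_projects\\domains\\custom_certificate_nodemanager\\identity.jks
CustomIdentityAlias=mykey
CustomIdentityPrivateKeyPassPhrase=privatepassword
CustomTrustKeyStoreFileName=C\:\\bea10.3\\user_projects\\domains\\custom_certificate_nodemanager\\trust.jks
"""

def unescape(s):
    # Java .properties escapes (\: \= \\ ...) become the literal character.
    return re.sub(r"\\(.)", r"\1", s)

def parse_properties(text):
    """Minimal Java .properties reader: skips comments, splits each line on the
    first unescaped '=' or ':' and unescapes the backslash sequences in paths."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"((?:\\.|[^=:\s\\])+)\s*[=:]?\s*(.*)", line)
        if m:
            props[unescape(m.group(1))] = unescape(m.group(2))
    return props

def audit_nodemanager(props):
    """List the ways a parsed nodemanager.properties deviates from the SSL setup
    in this post. Keys the post says to set explicitly are reported if absent."""
    findings = []
    if props.get("SecureListener", "").lower() != "true":
        findings.append("SecureListener is not true: Node Manager accepts plain-text connections")
    if props.get("AuthenticationEnabled", "").lower() != "true":
        findings.append("AuthenticationEnabled is not set to true")
    keystores = props.get("KeyStores", "DemoIdentityAndDemoTrust")  # WebLogic default
    if keystores == "DemoIdentityAndDemoTrust":
        findings.append("KeyStores uses the demo identity and trust keystores")
    else:
        required = ["CustomIdentityKeyStoreFileName", "CustomIdentityAlias", "CustomIdentityPrivateKeyPassPhrase"]
        if keystores == "CustomIdentityAndCustomTrust":
            required.append("CustomTrustKeyStoreFileName")
        findings += ["%s is missing" % k for k in required if not props.get(k)]
    return findings
```

Run audit_nodemanager(parse_properties(open(path).read())) against the real file on the remote box; an empty list means it matches the hardened settings, and the plain-listener file from earlier in the post comes back with three findings.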
For more information have a look at the link below :
—————-
Below are the configurations that have to be done on the "Keystores" tab under each server:
Configuring Keystores :
By default, WebLogic Server is configured with two keystores:
DemoIdentity.jks : Contains a demonstration private key for WebLogic Server. This keystore contains the identity for WebLogic Server.
DemoTrust.jks : Contains the trusted certificate authorities from the WL_HOME\server\lib\DemoTrust.jks and the JDK cacerts keystores. This keystore establishes trust for WebLogic Server.
—————-

To configure Identity and Trust keystores for WebLogic Server:

  • Expand the Servers node.
  • Select the name of the server for which you want to configure keystores (for example, exampleserver).
  • Select the Configuration -> Keystores and SSL tab.
  • The information about the demonstration keystores is displayed in the Keystore Configuration.
  • Click the Change… link in the Keystore Configuration to configure new keystores.
  • Choose the type of keystore configuration being used.
  • The following options are available:
  1. Demo Identity and Demo Trust : The demonstration Identity and Trust keystores located in the WL_HOME\server\lib directory (configured by default) and the cacerts file in the JAVA_HOME\jre\lib\security directory.
  2. Custom Identity and Java Standard Trust : An Identity keystore you create and the trusted CAs defined in the cacerts file in the JAVA_HOME\jre\lib\security directory.
  3. Custom Identity and Custom Trust : Identity and Trust keystores you create.
  4. Custom Identity and Command-Line Trust : An Identity keystore you create and command-line arguments that specify the location of the Trust keystore. Use this option in a production environment when the Administration port is enabled and Managed servers are started on the command line instead of by the Node Manager.
  • Click Continue.
  • Define attributes for the Identity keystore.
  • Custom Identity Keystore File Name : The fully qualified path to the Identity keystore.
  • Custom Identity Keystore Type : The type of the keystore. Generally, this attribute is jks. If this attribute is not specified, the default keystore type defined in the security policy file for the JDK is used.
  • Custom Identity Keystore PassPhrase : The password defined when creating the keystore. This attribute is optional or required depending on the type of keystore. All keystores require the passphrase in order to write to the keystore. Some keystores do not require the passphrase to read from the keystore. Whether or not you define this property depends on the requirements of the keystore. For example, WebLogic Server only reads from the keystore so a passphrase is not required, however, WebLogic Integration writes to keystores and therefore requires a passphrase. Confirm the password.
Note: The passphrase for the Demo Identity keystore is DemoIdentityKeyStorePassPhrase.
  • Define attributes for the Trust keystore.
  • If you choose Java Standard Trust, specify the password defined when creating the keystore. Confirm the password.
  • If you choose Custom Trust, define the following attributes:
  • Custom Trust Keystore File Name : The fully qualified path to the trust keystore.
  • Custom Trust Keystore Type : The type of the keystore. Generally, this attribute is jks. If this attribute is not specified, the default keystore type defined in the security policy file for the JDK is used.
  • Custom Trust Keystore PassPhrase : The password defined when creating the keystore. This attribute is optional or required depending on the type of keystore. All keystores require the passphrase in order to write to the keystore. Some keystores do not require the passphrase to read from the keystore. Whether or not you define this property depends on the requirements of the keystore. For example, WebLogic Server only reads from the keystore so a passphrase is not required, however, WebLogic Integration writes to keystores and therefore requires a passphrase. Confirm the password.
  • Click Continue.
  • Click Finish.
  • Optionally, configure the SSL attributes for WebLogic Server. You do not have to perform this step if you are using keystores for the purpose of digital signing.
  • Reboot WebLogic Server.
——————

Configuring SSL :

  • By default, SSL is enabled and configured to use the demonstration Identity and Trust keystores.
To configure SSL:

  • Expand the Servers node.
  • Select the name of the server for which you want to configure SSL (for example, exampleserver).
  • Select the Configuration -> Keystores and SSL tab.
  • The Configure SSL page appears.
  • Specify how the identity and trust for WebLogic Server are stored.
  • The following options are available:
  1. Key Stores : Use this option if you created Identity and Trust keystores for WebLogic Server.
  2. Files or Key Store Providers : Use this option if you stored private keys and trusted CA certificates in a file or in a JKS keystore accessed via the WebLogic Keystore provider (kept for backward compatibility; now deprecated).
  • Private Key Alias : The alias specified when loading the private key for WebLogic Server from the keystore.
  • Private Key Passphrase : The password specified when loading the private key for WebLogic Server into the keystore.
  • Confirm the password.
  • Note : If you protected the private key file with a password, specify the weblogic.management.pkpassword command-line argument when starting the server.
  • Click Continue.
  • Click Finish.
  • Reboot WebLogic Server.
