
Weblogic WLST connections using SSL

08 Apr

When your Administration Server, Node Manager and Managed Servers use SSL to communicate with each other you have decent basic security for your WebLogic domain. (And NO, the default demo certificates/keystores do not fulfil that requirement in production.)

However, communication from WLST to your WebLogic domain needs a small adjustment. Following the normal steps would otherwise result in this error:

call "D:\myDomain\bin\setDomainEnv.cmd"
D:\myDomain>java weblogic.WLST

Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands

wls:/offline> connect('weblogic','weblogic','t3s://myserver.local.rubix.nl:7003')

Connecting to t3s://myserver.local.rubix.nl:7003 with userid weblogic ...

<8-apr-2010 13:39:55 uur CES> <Warning> <Security> <BEA-090542> <Certificate chain received from myserver.local.rubix.nl - 10.0.0.11 was not trusted causing SSL handshake failure. Check the certificate chain to determine if it should be trusted or not. If it should be trusted, then update the client trusted CA configuration to trust the CA certificate that signed the peer certificate chain. If you are connecting to a WLS server that is using demo certificates (the default WLS server behavior), and you want this client to trust demo certificates, then specify -Dweblogic.security.TrustKeyStore=DemoTrust on the command line for this client.>

Traceback (innermost last):

File "<console>", line 1, in ?

File "<iostream>", line 22, in connect WLSTException: Error occured while performing connect : Error getting the initial context. There is no server running at t3s://myserver.local.rubix.nl:7003 Use dumpStack() to view the full stacktrace

wls:/offline>

*note: I use port 7003 because the domain-wide administration port is enabled in my domain.

Anyway, the connection to the Admin Server cannot be established through SSL because there is no trust between the two components: WLST only trusts the demo CA by default, not the CA that signed the Admin Server's certificate. To fix this, some additional JVM arguments need to be added so that WLST uses the domain's custom trust store:

D:\myDomain>java -Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.CustomTrustKeyStoreType="JKS" -Dweblogic.security.TrustKeyStore=CustomTrust -Dweblogic.security.CustomTrustKeyStoreFileName="D:/myDomain/security/myDomain.truststore.jks" weblogic.WLST

wls:/offline> connect('weblogic','weblogic','t3s://myserver.local.rubix.nl:7003')

Successfully connected to Admin Server 'myDomain_admin' that belongs to domain 'myDomain'

wls:/myDomain/serverConfig> disconnect()

Disconnected from weblogic server: myDomain_admin

Now let's try to connect to the Node Manager as well:

wls:/offline> nmConnect('weblogic','weblogic','myserver.local.rubix.nl','5556','myDomain','d:/myDomain','ssl')

Connecting to Node Manager …

Successfully Connected to Node Manager.

wls:/nm/myDomain>
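The two interactive sessions above (Admin Server over t3s, then Node Manager over SSL) can be turned into a non-interactive WLST script. The following is an added example written for this page, not code from the original post: a WLST (Jython) script whose helpers check, before connect() is called, that the three CustomTrust properties from the command line above are actually set, that the URL really is t3s:// and that the password is prompted for instead of being passed on the command line. It also reports when -Dweblogic.security.SSL.ignoreHostnameVerification=true is present: that flag makes the handshake succeed when the certificate's CN/SAN does not match the host name, but it also switches off the check that stops a connection to the wrong server, so the better fix is a certificate that matches the host. The script name, the argument order, the helper names and the getpass prompt are assumptions; connect, disconnect, nmConnect and nmDisconnect are the WLST built-ins used on this page, and java.lang.System.getProperty is how the running JVM's -D values are read.

```python
# wlst_ssl_connect.py -- added example, not part of the original post.
# Run from a shell where setDomainEnv has been sourced, for instance:
#   java -Dweblogic.security.TrustKeyStore=CustomTrust
#        -Dweblogic.security.CustomTrustKeyStoreType=JKS
#        -Dweblogic.security.CustomTrustKeyStoreFileName=D:/myDomain/security/myDomain.truststore.jks
#        weblogic.WLST wlst_ssl_connect.py weblogic t3s://myserver.local.rubix.nl:7003
#        myserver.local.rubix.nl 5556 myDomain D:/myDomain
# The helpers are plain Python 2/3; connect/nmConnect only exist inside the WLST
# interpreter, so importing this file outside WLST runs nothing.
import getpass
import sys

# The three properties the command line above uses to replace DemoTrust with a custom store.
TRUST_PROPERTIES = (
    "weblogic.security.TrustKeyStore",
    "weblogic.security.CustomTrustKeyStoreType",
    "weblogic.security.CustomTrustKeyStoreFileName",
)
HOSTNAME_BYPASS = "weblogic.security.SSL.ignoreHostnameVerification"


def jvm_trust_options(truststore_path, store_type="JKS"):
    """Build the -D options for CustomTrust. Forward slashes also work on Windows
    and avoid backslash-escaping trouble in batch files."""
    return [
        "-Dweblogic.security.TrustKeyStore=CustomTrust",
        "-Dweblogic.security.CustomTrustKeyStoreType=" + store_type,
        "-Dweblogic.security.CustomTrustKeyStoreFileName=" + truststore_path.replace("\\", "/"),
    ]


def require_ssl_url(url):
    """Refuse a plain t3:// or http:// URL so the admin password never crosses the wire in clear."""
    scheme = url.split("://", 1)[0].lower()
    if scheme not in ("t3s", "https", "iiops"):
        raise ValueError("refusing non-SSL URL: " + url)
    return url


def trust_config_problems(get_property):
    """List what is wrong with the JVM trust configuration before connect() is attempted.
    get_property(name) returns the property value or None (java.lang.System.getProperty in WLST)."""
    problems = []
    for name in TRUST_PROPERTIES:
        if get_property(name) is None:
            problems.append("missing -D" + name)          # unset TrustKeyStore falls back to DemoTrust
    if get_property("weblogic.security.TrustKeyStore") == "DemoTrust":
        problems.append("DemoTrust is in use; the demo CA must not be trusted in production")
    if get_property(HOSTNAME_BYPASS) == "true":
        problems.append(HOSTNAME_BYPASS + "=true disables hostname verification; fix the certificate CN/SAN instead")
    return problems


def inside_wlst():
    """True only when WLST has put its commands (connect, nmConnect, ...) into the script namespace."""
    try:
        connect
        nmConnect
        return True
    except NameError:
        return False


def main(argv):
    from java.lang import System  # Jython only, available inside WLST
    if len(argv) != 7:
        print("usage: wlst_ssl_connect.py <user> <t3s-url> <nm-host> <nm-port> <domain> <domain-dir>")
        return 2
    user, admin_url, nm_host, nm_port, domain, domain_dir = argv[1:7]
    for problem in trust_config_problems(System.getProperty):
        print("trust config: " + problem)
    require_ssl_url(admin_url)
    password = getpass.getpass("password for " + user + ": ")  # keeps it out of argv and shell history
    connect(user, password, admin_url)                          # Admin Server over t3s
    print("connected to " + admin_url)
    disconnect()
    nmConnect(user, password, nm_host, nm_port, domain, domain_dir, "ssl")  # Node Manager over SSL
    print("node manager " + nm_host + ":" + nm_port + " reachable over SSL")
    nmDisconnect()
    return 0


# WLST reports the script's __name__ as "main" rather than "__main__" in some releases.
if __name__ in ("__main__", "main") and inside_wlst():
    main(sys.argv)
```

The same trust store is used for both connections because the Admin Server and the Node Manager certificates were issued by the same CA in the setup described above; if the Node Manager uses a different CA, its certificate has to be imported into the trust store passed via CustomTrustKeyStoreFileName as well.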


Posted by on 08-04-2010 in Oracle, Weblogic, WLST

4 responses to "Weblogic WLST connections using SSL"

  1. Philip N

    25-10-2011 at 03:06

    Thanks, jvzoggel, for this article. The example in the article works fine for me. However, I wonder if the weblogic instance (at t3s://myserver.local.rubix.nl:7003) is already defined with 2-way SSL, i.e., it requires a client certificate (in addition to userid and password) for any connection (including connection from WLST), how can I define an identity keystore for WLST in order to issue the wlst connect() command? In my test, the WLST console shows that it receives the certificate from the weblogic server and accepts it (based on the correct CustomTrustKeyStore definition as per your example), but the weblogic server would reject the connection because it does not receive a certificate from WLST. I tried to set up "Use Server Certificate" on the Weblogic server's SSL config but the WLST connect() command still does not work.

     
  2. jvzoggel

    25-10-2011 at 15:53

    Hi Philip. The environment I used here (if i remember correctly) did not have 2-way SSL enforced on the Admin Server. The Admin Server had the regular “Client Certs not Requested” but the Managed Servers did have the “Client Certs Requested and Enforced setting” for 2-way SSL.

    I don’t believe the “Use Server Certs” setting will help you here. This setting is used when web service clients are running on WebLogic and allows these to use the Weblogic servers key as the client identity when initiating a connection.

    My guess would be that you should be looking in the direction of arguments like:
    -Dweblogic.security.CustomIdentityKeyStoreFileName
    -Dweblogic.security.CustomIdentityKeyStorePassPhrase
    -Dweblogic.security.CustomIdentityAlias
    -Dweblogic.security.CustomIdentityPrivateKeyPassPhrase

    However I haven’t used them myself yet.

    regards,

    Jan

     
  3. Philip N

    26-10-2011 at 05:00

    Thanks, Jan, for the reply. We work in a very secure environment and therefore we need to use 2-way SSL with “client certs requested and enforced”. I have tried the -Dweblogic.security.CustomIdentity… JVM options in the “java weblogic.WLST” command but WLST still seems to ignore all those options and still causes the error message “Required peer certificates not supplied by peer” at the weblogic server’s end (server log) and the error message “No suitable identity certificate chain has been found” at the WLST’s end (WLST console). I have also tried the -Djavax.net.ssl.keyStore… JVM options but again the outcome is still the same. Currently the WLST connect() command accepts as arguments a userid, a password and a URI for the targeted weblogic server. I think that perhaps Oracle should enhance that WLST connect () command so that it also accepts as optional arguments an IdentityKeystore and its password (as a replacement or a complement for the userid/password). We will continue to investigate this problem and might submit it to Oracle Support later on if we cannot find a solution. Thanks for your help, and the help of your blog. Philip

     
    • jvzoggel

      26-10-2011 at 11:30

      You're welcome, I find this 2-way SSL with WLST very interesting so I am curious if you get it to work. I agree that WLST and SSL configuration is unclear and Oracle will hopefully make this more clear. The same with the current SSL implementation of Certicom vs JSSE, where it is a bit unclear what to use when. I don't have access to the environment right now and only have a test environment which is fully running on the demo stores. Your remark regarding -Djavax. triggered me however that maybe you could specify both WLST and Weblogic to use the JSSE implementation for SSL and try the -Djavax arguments instead of the -Dweblogic arguments.

      I configured the Admin to use JSSE (SSL tab -> Advanced) and tried to force the WLST client to do the same, but when I use:
      java -Dweblogic.ssl.JSSEEnabled=true -Dssl.debug=true -Djavax.net.debug=all -Dweblogic.security.SSL.verbose -Djavax.net.ssl.keyStore=D:/../DemoIdentity.jks -Djavax.net.ssl.keyStorePassword=DemoIdentityKeyStorePassPhrase -Djavax.net.ssl.trustStore=D:/../DemoTrust.jks -Djavax.net.ssl.trustStorePassword=DemoTrustKeyStorePassPhrase weblogic.WLST

      I get:

      <Security> <BEA-090542> <Certificate chain received from hostname - 10.0.0.14 was not trusted causing SSL handshake failure. Check the certificate chain to determine if it should be trusted or not. If it should be trusted, then update the client trusted CA configuration to trust the CA certificate that signed the peer certificate chain. If you are connecting to a WLS server that is using demo certificates (the default WLS server behavior), and you want this client to trust demo certificates, then specify -Dweblogic.security.TrustKeyStore=DemoTrust on the command line for this client.>

      So I guess WLST noticed that I use the demo stores, so my configuration is not great for helping you out at the moment.
      I hope you can get it to work, maybe with Oracle Support as you mentioned.

      http://download.oracle.com/docs/cd/E17904_01/web.1111/e13707/ssl.htm#BABFDJGB
