
Category Archives: Weblogic

Using the Weblogic External Listen Address to support Network Address Translation (NAT) firewalls

When trying to connect or deploy from JDeveloper 12.2.2 to our Oracle Fusion Middleware 12.2.1 domain in the Amazon EC2 cloud, I keep having connection problems. Contacting the consoles is not a problem; however, extending the IDE Connection results in this error:


t3://127.0.0.1:7011: [RJVM:000575]Destination 127.0.0.1, 7011 unreachable.; nested exception is:
java.net.ConnectException: Connection refused: connect; [RJVM:000576]No available router to destination.; nested exception is: java.rmi.ConnectException: [RJVM:000576]No available router to destination.
Dec 08, 2015 9:50:35 AM oracle.tip.tools.ide.soabrowser.LogUtil logStackTrace

And deploying an artifact to the server results in the same error.

Weblogic configuration

I couldn’t find anything regarding the error on Oracle Support, but luckily my colleague Daljit Singh had the answer. Since the Amazon EC2 instance uses a public IP (which we use to connect to the admin server), the internal passthrough to the Managed Servers fails. To solve this we should use the Weblogic “external listen address” configuration. The external listen address and port are used to support Network Address Translation (NAT) firewalls. These should match the IP address or DNS name that clients use to access applications on the server.

Go to the Weblogic console -> Environment -> Servers -> Managed Server -> Configuration -> General -> Advanced

Make sure the public IP address is stored in the External Listen Address field here.

Your managed server requires a restart afterwards, but then the connection issue is solved.

Posted by on 08-12-2015 in Weblogic

JPS-01050: Opening of wallet based credential store failed

After installing a new Oracle Fusion Middleware 12.2.1 domain on an Ubuntu server (for development purposes) and starting the AdminServer I get the following error:

<Critical> <WebLogicServer> <BEA-000362> <Server failed. Reason: There are 1 nested errors: oracle.security.jps.JpsException: JPS-01050: Opening of wallet based credential store failed. Reason java.io.IOException at oracle.security.jps.internal.config.OpssCommonStartup.preStart(OpssCommonStartup.java:334)
at oracle.security.jps.JpsStartup.preStart(JpsStartup.java:286) at oracle.security.jps.wls.JpsBootStrapService.start(JpsBootStrapService.java:80)

However, when checking the cwallet file it is there with proper access rights

ubuntu@ip-10-0-1-170:/opt/oracle/config/domains/rbx_dev/config/fmwconfig$ ls -l cwallet.sso
-rw------- 1 ubuntu ubuntu 194 Dec 1 13:11 cwallet.sso

So when searching we found this Oracle Support Doc ID 1923395.1

Unable Start AdminServer: JPS-01050: Opening of wallet based credential store failed. The FMW WebLogic Server (WLS) installation has been configured to use a non-default Java temporary files directory, i.e. the following has been set in the WebLogic startup or setDomainEnv.sh script:

EXTRA_JAVA_PROPERTIES="-Djava.io.tmpdir=/appl/oracle/temp_java_files ${EXTRA_JAVA_PROPERTIES}"

Reference: How to Change the WebLogic Server Location for Temporary Files (Doc ID 1336002.1)
When the Middleware home was restored, the directory specified by the java.io.tmpdir parameter was missing.
Therefore an IOException occurred when opening the wallet and WLS was unable to initialize the OPSS successfully.

The description, however, is not completely accurate for our specific problem, but it pointed us in the right direction, since in our case the default /tmp folder is owned by root on Ubuntu and the “normal” ubuntu:ubuntu user/group running the Weblogic scripts has no access.

So we could fix the issue in 2 ways:

    1. Using a custom tmp folder in our setDomainEnv.sh script to which the ubuntu user has access
      ## CUSTOM FOR RBX_DEV ##
      EXTRA_JAVA_PROPERTIES="-Djava.io.tmpdir=/opt/oracle/tmp -Djava.security.egd=file:/dev/./urandom ${EXTRA_JAVA_PROPERTIES}"
      export EXTRA_JAVA_PROPERTIES
      ## CUSTOM FOR RBX_DEV ##
    2. Giving access to the default /tmp folder for our ubuntu user
      sudo chmod o+rwx /tmp
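
A quick check of the directory the JVM will use as java.io.tmpdir, as an added example that is not part of the original post. The function names and finding labels are hypothetical; the second check reflects that /tmp conventionally has mode 1777, so a world-writable temp directory should also carry the sticky bit.

```python
import os
import re
import stat

# Constructed sample line, modelled on the setDomainEnv.sh entry in the post.
SAMPLE = ('EXTRA_JAVA_PROPERTIES="-Djava.io.tmpdir=/opt/oracle/tmp '
          '-Djava.security.egd=file:/dev/./urandom ${EXTRA_JAVA_PROPERTIES}"')


def tmpdir_from_properties(line, default="/tmp"):
    """Return the -Djava.io.tmpdir value from a properties line, else the Linux default."""
    match = re.search(r"-Djava\.io\.tmpdir=([^\s\"']+)", line)
    return match.group(1) if match else default


def check_java_tmpdir(path):
    """Return a list of findings for a directory used as java.io.tmpdir."""
    if not os.path.isdir(path):
        # The situation described in Doc ID 1923395.1: the directory is gone.
        return ["missing"]
    findings = []
    mode = os.stat(path).st_mode
    # The user starting WebLogic must be able to list, create and enter.
    if not os.access(path, os.R_OK | os.W_OK | os.X_OK):
        findings.append("no-access")
    # World-writable without the sticky bit lets any local user delete or
    # replace temp files that another user created in the directory.
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        findings.append("world-writable-no-sticky")
    return findings


if __name__ == "__main__":
    # Run as the same OS user that starts the AdminServer.
    target = tmpdir_from_properties(SAMPLE)
    print(target, check_java_tmpdir(target) or "ok")
```
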
 
Posted by on 08-12-2015 in Weblogic

Error with Weblogic Domain Configuration Wizard (containing UCM)

When creating a new DEV domain for BPM, SOA and UCM 11.1.1.6 and using the config.sh wizard the following error occurred:

ERROR create_gui com.oracle.cie.wizard.domain.gui.tasks.DomainCreationGUITask - Generation Error!!
Traceback (innermost last):
File "<iostream>", line 17, in ?
TypeError: unsupported operand type(s) for +: 'NoneType' and 'str'

The solution is simple when you know the answer (as always). Instead of using the “default” config script in %MIDDLEWARE_HOME%/wlserver_10.3/common/bin

you should use the config.sh script in:
%MIDDLEWARE_HOME%/Oracle_ECM1/common/bin

Posted by on 25-02-2013 in Oracle, Weblogic

How to Configure WebLogic Server to Send a Notification When Its Configuration is Changed

My former colleague, Java maven (no not that one, this one) and friend Pierluigi contacted me about my post regarding the Weblogic Security Audit Provider. As always Pier is very politically correct ;)

To my positive surprise he found a great solution for the limitation of the security audit provider. He discovered a way to configure WebLogic server to send a notification when its configuration is changed [Knowledge Base ID 1377733.1].

This is awesome if you have a large Oracle environment and maintenance team and want to keep track of all the changes. Wish we knew this last year at the huge environment I was working in then.

His blogpost contains all the code, scripts, etc so go and check it out!!! :)

And to end with his favourite quote:

Failure is not an option

Posted by on 21-02-2013 in Java, Oracle, Weblogic, WLST

Overview of Oracle SOA Suite 11.1.1.6 diagnostics tools

This post on the SOA Community blog by Jürgen linked me to this very very very interesting article on the Oracle.com website, in its SOA ProActive Support section. The article explains the multiple tools available for diagnosing SOA Suite 11g issues, and how they relate. The tools addressed are:

Because I know 100% for sure that in the next years I will need this article I just had to create a perma-link like this on my own blog. Check out the full article for all the details.

 
Posted by on 08-08-2012 in Oracle, SOA Suite, Weblogic

Weblogic EJB security roles

In my earlier blog I’ve mentioned the option for an Oracle Service Bus custom reporting provider and used a simple MDB to show the content of the report Java objects. To make sure I have an example at my disposal at all times, and to help out in general: during deployment you might run into the following error/warning:

<Warning> <EJB> <BEA-010061> <The Message-Driven EJB: QueueMessageDrivenEJBBean is unable to  connect to the JMS destination: wli/reporting/jmsprovider/queue. The Error was: javax.naming.NoPermissionException: User <anonymous> does not have permission on wli.reporting to perform lookup operation.

The reason for this is that your EJB wants to connect to the queue wli/reporting/jmsprovider/queue, where unauthorised access is prohibited. If we check the queue's security policy (select queue -> security -> policies) we can see that only 2 roles have authorisation:

So we can change the policy on the queue (not to be advised) or make sure our EJB uses proper authentication. The most basic version could be:

basic weblogic-ejb-jar.xml


<?xml version="1.0" encoding="UTF-8"?>
<!--weblogic-version:10.3.5-->
<wls:weblogic-ejb-jar xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-ejb-jar" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd http://xmlns.oracle.com/weblogic/weblogic-ejb-jar http://xmlns.oracle.com/weblogic/weblogic-ejb-jar/1.2/weblogic-ejb-jar.xsd">

  <!-- This first segment is not necessary: if no run-as-principal-name is specified in
       run-as-role-assignment or in a bean-specific run-as-principal-name tag, the EJB container
       chooses the first principal-name in the security-role-assignment below and uses that
       principal-name as run-as-principal-name -->
  <wls:weblogic-enterprise-bean>
    <wls:ejb-name>CustomOsbReportProvider</wls:ejb-name>
    <wls:run-as-principal-name>weblogic</wls:run-as-principal-name>
  </wls:weblogic-enterprise-bean>

  <wls:security-role-assignment>
    <wls:role-name>adminsEJB</wls:role-name>
    <wls:principal-name>weblogic</wls:principal-name>
  </wls:security-role-assignment>
</wls:weblogic-ejb-jar>

basic ejb-jar.xml


<?xml version="1.0" encoding="UTF-8"?>
<ejb-jar xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:ejb="http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd" version="3.0">
  <display-name>CustomOsbReportProvider</display-name>

  <enterprise-beans>
    <message-driven>
      <ejb-name>CustomOsbReportProvider</ejb-name>
      <ejb-class>nl.rubix.CustomOsbReportHandler</ejb-class>
      <transaction-type>Container</transaction-type>
      <security-identity>
        <run-as>
          <description>EJB role used</description>
          <role-name>adminsEJB</role-name>
        </run-as>
      </security-identity>
    </message-driven>
  </enterprise-beans>

  <ejb-client-jar>CustomOsbReportProviderClient.jar</ejb-client-jar>
</ejb-jar>

However with the help of the original JMSReportingProvider.jar it’s fairly easy to create a more elegant version:

deluxe weblogic-ejb-jar.xml

<wls:weblogic-ejb-jar xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-ejb-jar" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd http://xmlns.oracle.com/weblogic/weblogic-ejb-jar http://xmlns.oracle.com/weblogic/weblogic-ejb-jar/1.2/weblogic-ejb-jar.xsd">
  <!--weblogic-version:10.3.5-->

  <wls:weblogic-enterprise-bean>
    <wls:ejb-name>CustomOsbReportProvider</wls:ejb-name>
    <wls:message-driven-descriptor>
      <wls:pool>
        <wls:max-beans-in-free-pool>100</wls:max-beans-in-free-pool>
        <wls:initial-beans-in-free-pool>3</wls:initial-beans-in-free-pool>
      </wls:pool>
      <wls:destination-jndi-name>wli.reporting.jmsprovider.queue</wls:destination-jndi-name>
      <wls:max-messages-in-transaction>5</wls:max-messages-in-transaction>
    </wls:message-driven-descriptor>
    <wls:transaction-descriptor>
      <wls:trans-timeout-seconds>600</wls:trans-timeout-seconds>
    </wls:transaction-descriptor>
    <wls:run-as-principal-name>alsb-system-user</wls:run-as-principal-name>
  </wls:weblogic-enterprise-bean>

  <wls:transaction-isolation>
    <wls:isolation-level>TransactionReadCommitted</wls:isolation-level>
    <wls:method>
      <wls:description>Ensure the container starts a ReadCommitted transaction</wls:description>
      <wls:ejb-name>CustomOsbReportProvider</wls:ejb-name>
      <wls:method-name>*</wls:method-name>
    </wls:method>
  </wls:transaction-isolation>
  <wls:disable-warning>BEA-010001</wls:disable-warning>

</wls:weblogic-ejb-jar>

deluxe ejb-jar.xml

<?xml version="1.0" encoding="UTF-8"?>
<ejb-jar xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:ejb="http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd" version="3.0">
  <display-name>CustomOsbReportProvider</display-name>
  <enterprise-beans>
    <message-driven>
      <description>Custom Reporting Provider for OSB</description>
      <ejb-name>CustomOsbReportProvider</ejb-name>
      <ejb-class>nl.rubix.CustomOsbReportHandler</ejb-class>
      <transaction-type>Container</transaction-type>
      <message-destination-type>javax.jms.Queue</message-destination-type>
      <activation-config>
        <activation-config-property>
          <activation-config-property-name>acknowledgeMode</activation-config-property-name>
          <activation-config-property-value>Auto-acknowledge</activation-config-property-value>
        </activation-config-property>
      </activation-config>
      <security-identity>
        <run-as>
          <description>EJB role used</description>
          <role-name>ALSBSystem</role-name>
        </run-as>
      </security-identity>
    </message-driven>
  </enterprise-beans>

  <assembly-descriptor>
    <container-transaction>
      <method>
        <ejb-name>CustomOsbReportProvider</ejb-name>
        <method-name>*</method-name>
      </method>
      <trans-attribute>Required</trans-attribute>
    </container-transaction>
  </assembly-descriptor>

  <ejb-client-jar>CustomOsbReportProviderClient.jar</ejb-client-jar>
</ejb-jar>
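
A pre-deployment check for the descriptor pairs above, as an added example that is not part of the original post: it resolves which principal each message-driven bean will run as and flags a missing mapping or an administrative account. The resolution order follows the comment in the basic weblogic-ejb-jar.xml; run-as-role-assignment is not handled, and the function names and the ADMIN_PRINCIPALS set are assumptions.

```python
import xml.etree.ElementTree as ET

EE = "{http://java.sun.com/xml/ns/javaee}"
WLS = "{http://xmlns.oracle.com/weblogic/weblogic-ejb-jar}"
ADMIN_PRINCIPALS = {"weblogic"}  # assumption: list your domain's admin accounts here

# Constructed samples: the "basic" descriptors above, cut down to the security parts.
BASIC_STD = """<ejb-jar xmlns="http://java.sun.com/xml/ns/javaee"><enterprise-beans>
<message-driven><ejb-name>CustomOsbReportProvider</ejb-name>
<security-identity><run-as><role-name>adminsEJB</role-name></run-as></security-identity>
</message-driven></enterprise-beans></ejb-jar>"""
BASIC_WLS = """<wls:weblogic-ejb-jar xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-ejb-jar">
<wls:security-role-assignment><wls:role-name>adminsEJB</wls:role-name>
<wls:principal-name>weblogic</wls:principal-name></wls:security-role-assignment>
</wls:weblogic-ejb-jar>"""


def run_as_principals(ejb_jar_xml, wls_ejb_jar_xml):
    """Map each message-driven bean with a <run-as> role to the principal it will run as."""
    std, wls = ET.fromstring(ejb_jar_xml), ET.fromstring(wls_ejb_jar_xml)
    per_bean = {}  # a bean-specific run-as-principal-name takes precedence
    for bean in wls.iter(WLS + "weblogic-enterprise-bean"):
        per_bean[bean.findtext(WLS + "ejb-name")] = bean.findtext(WLS + "run-as-principal-name")
    per_role = {}  # otherwise: the first principal-name assigned to the role
    for assignment in wls.iter(WLS + "security-role-assignment"):
        role = assignment.findtext(WLS + "role-name")
        per_role.setdefault(role, assignment.findtext(WLS + "principal-name"))
    mapping = {}
    for bean in std.iter(EE + "message-driven"):
        role = bean.findtext("%ssecurity-identity/%srun-as/%srole-name" % (EE, EE, EE))
        if role is not None:
            name = bean.findtext(EE + "ejb-name")
            mapping[name] = per_bean.get(name) or per_role.get(role)
    return mapping


def findings(mapping):
    """Flag beans with no resolvable principal or with an administrative one."""
    out = []
    for ejb, principal in sorted(mapping.items()):
        if principal is None:
            out.append((ejb, "run-as role has no principal"))
        elif principal in ADMIN_PRINCIPALS:
            out.append((ejb, "runs as admin principal " + principal))
    return out


if __name__ == "__main__":
    print(findings(run_as_principals(BASIC_STD, BASIC_WLS)))
```
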

Posted by on 22-02-2012 in Weblogic

Changing the Weblogic user password

Since Weblogic stores its primary admin user account “weblogic” encrypted on disk, simply changing this user's password in the console is not all there is to it.

Basic step: changing the password:

  • Go to: Security Realm -> myrealm -> Users and Groups -> weblogic -> Passwords
  • Change the password of the user, as you would normally do for every user

Stopping all managed servers

During step 3 we will change the NodeManager password. After this step the Admin console can no longer communicate with the NodeManager, so stopping/starting instances will not succeed.

Changing the Nodemanager password in the Weblogic Console:

  • Use the Weblogic /console
  • Go to Domain -> General -> Security -> Advanced
  • Change the value for the Nodemanager Password

Attention!!!: The next steps will be necessary on each physical server of the domain:

Changing the Nodemanager password:

If you start/stop the Managed Servers through the NodeManager you will need to edit the so-called nm_properties file

  • Navigate your Linux/Windows file system and go to: %domain_home%/config/nodemanager
  • Open nm_properties
  • The file will hold encrypted values, replace all content with:

username=weblogic
password=myNewPassword01

  • Restart the NodeManager
  • Check nm_properties file for encrypted values

#Node manager user information
hashed=Y+kAE14jdmGFtI/wXxNRIoo0Jsb\=

Changing the Weblogic security file

If you decided not to use the NodeManager to start/stop Managed Servers but use the Weblogic start/stop scripts instead (you will probably have your good reasons), you will need to edit the so-called boot.properties file

  • Navigate your Linux/Windows file system and go to: %domain_home%/servers/myserver01/security
  • Open the boot.properties file
  • Change the values to

username=weblogic
password=myNewPassword01

Launching the ManagedServer through the Startscript will test the result and encrypt the content.
Example:  %domain%\bin\startManagedWeblogic rbx_dev_wls01 http://server01:7001
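
The "check for encrypted values" step can be scripted across a whole domain, as in this added example (not from the original post). It assumes encrypted values carry an algorithm prefix such as {AES} or {3DES}, uses the file names and paths as given in the post, and the function names are hypothetical.

```python
import glob
import os
import re

ENCRYPTED = re.compile(r"^\{[A-Z0-9]+\}")  # e.g. {AES}..., {3DES}...
SECRET_KEYS = ("username", "password")


def plaintext_keys(text):
    """Return credential keys in a .properties text whose values are still cleartext."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        # After a successful restart the node manager file only holds hashed=...
        # and boot.properties holds prefixed ciphertext for both keys.
        if key in SECRET_KEYS and value and not ENCRYPTED.match(value):
            found.append(key)
    return found


def scan_domain(domain_home):
    """Check every servers/*/security/boot.properties and the node manager file."""
    patterns = [
        os.path.join(domain_home, "servers", "*", "security", "boot.properties"),
        # File name as used in the post.
        os.path.join(domain_home, "config", "nodemanager", "nm_properties"),
    ]
    report = {}
    for pattern in patterns:
        for path in glob.glob(pattern):
            with open(path, encoding="utf-8", errors="replace") as handle:
                keys = plaintext_keys(handle.read())
            if keys:
                report[path] = keys
    return report


if __name__ == "__main__":
    # Constructed sample: the cleartext content the post tells you to write.
    print(plaintext_keys("username=weblogic\npassword=myNewPassword01\n"))
```

An empty result from scan_domain on each physical server means the restart replaced every cleartext credential; any path it returns still holds the new password in the clear.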

 
Posted by on 08-01-2012 in Weblogic