
Category Archives: WLST

Weblogic Scripting

How to Configure WebLogic Server to Send a Notification When Its Configuration is Changed

My former colleague, Java maven (no, not that one, this one) and friend Pierluigi contacted me about my post regarding the Weblogic Security Audit Provider. As always Pier is very politically correct ;)


To my positive surprise he found a great solution for the limitation of the security audit provider. He discovered a way to configure WebLogic Server to send a notification when its configuration is changed [Knowledge Base ID 1377733.1].

Which is awesome if you have a large Oracle environment and maintenance team and want to keep track of all the changes. Wish we had known this last year at the huge environment I was working in then.

His blog post contains all the code, scripts, etc., so go and check it out!!! :)

And to end with his favourite quote:

Failure is not an option


Posted by on 21-02-2013 in Java, Oracle, Weblogic, WLST

 


Why is there no Weblogic WLST Node Manager nmShutdown command ?

The great thing about the Weblogic Node Manager is that you can control your Weblogic Admin and Managed Servers through the Weblogic Scripting Tool (WLST) without the AdminServer being online. Put simply, with a few basic WLST commands you can perform important administrative tasks on your Weblogic domain without needing a running AdminServer(!).

For instance, starting a server:


# connect to the Node Manager on host myserver3 (port 5555) for the domain rbx_dev_domain
nmConnect('weblogic', 'welcome1', 'myserver3', '5555', 'rbx_dev_domain', 'd:/oracle/projects/domains/rbx_dev_domain')
# start the Managed Server through the Node Manager; no AdminServer connection is needed for this
nmStart('rbx_dev_soa_ms01')
nmDisconnect()

The problem arises when you want to gracefully shut down a server through the Node Manager. As shown here, there is no nmStop/nmShutdown or nmSuspend command, only a very blunt knife called nmKill. I tried nmKill to experiment with it, and concluded that it does exactly what it claims. However, applications (and administrators) might not like this forceful termination.

So how can we stop a Managed Server gracefully through WLST? The answer is simple: connect with WLST to the running AdminServer and execute the commands in online mode:


# connect to the Admin Server running on server01, port 7001
wls:/offline> connect("weblogic","welcome1","t3://server01:7001")

# graceful shutdown of MS01: ignoreSessions=false, timeOut=300 (the argument is in seconds, not milliseconds),
# force=false, block=false (WLST returns immediately; pass 'true' if the script must wait until the server is down)
wls:/rbx_dev_domain/serverConfig> shutdown('rbx_dev_soa_ms01','Server','false',300,'false','false')

wls:/rbx_dev_domain/serverConfig> disconnect()

The online WLST life-cycle commands (online meaning you need a connection to a running AdminServer) are all there: shutdown, start, suspend, resume and even migrate, which makes for a powerful toolset to script against your Weblogic domain.

Conclusion:

I personally think this is a limitation of the Weblogic Node Manager. The power of the Node Manager should be exactly what its name claims: managing a certain 'node'. And I think that both starting and stopping should be a very basic requirement.

In this case I think it fails, since you cannot perform these administrative tasks on your domain without connecting to a running AdminServer. Which is a shame if you don't want/need your AdminServers to be running constantly. Yes, you can script around it, using the nmStart() command to start the AdminServer if it is not running, then nmDisconnect() and connect() to the now running AdminServer, but it's a lot of effort if you could simply succeed with an nmShutdown.


Posted by on 13-12-2011 in Weblogic, WLST

 


Creating Weblogic JMS components with WLST

The previous post explained the different Weblogic JMS components. As promised, here are some WLST scripts which I use to create the different JMS components, as an example.

The example set of scripts consists of 3 files:

  • a generic import.properties file which holds the connection settings
  • JMSCreateInfra.jy which configures the JMS persistent stores, JMS servers, JMS module and connection factories (CF)
  • JMSCreateQueue.jy which creates the queues and configures the redirect to the error queue
The very basic import.properties:
##################################################################
# Weblogic connection parameters                                 #
##################################################################
adminUrl=t3://localhost:7001
importUser=weblogic
importPassword=weblogic1

Note that this keeps the administrator password in clear text on disk next to the scripts. Restrict the file permissions on import.properties at the very least; better is to let WLST store an encrypted credential pair with storeUserConfig() and connect with connect(userConfigFile='...', userKeyFile='...', url=adminUrl), so that no password has to live in a properties file at all.

And the WLST script to configure the Persistent Stores, JMS Servers, JMS Module and CFs on your environment. The script assumes a Weblogic domain containing a Weblogic cluster with 2 Managed Servers. If you want to use these scripts make sure to change the:

– path for persistent store
– cluster name (rbx_dev_wls_cluster)
– managed server name (rbx_dev_wls_0*)
– persistent store name (FileStore_wls0*)
– jms server name (JmsServer_wls0*)
– jms module name (JmsModuleRubix)
– CF name (ConnFactoryGenericRubix*)
– queue names (SR01.getMyData.*)
– sub deployment name (RBX.myDivision)

Execute the script:  java weblogic.WLST scriptname.jy import.properties

#================================
from java.io import FileInputStream
from java.util import Properties
import sys
# jarray and ObjectName are pre-imported by WLST; listed here so the script also reads as plain Jython
import jarray
from javax.management import ObjectName

#================================
# Generic definitions
#================================

def loadProps(configPropFile):
    # read a Java-style key=value properties file (adminUrl, importUser, importPassword)
    propInputStream = FileInputStream(configPropFile)
    configProps = Properties()
    configProps.load(propInputStream)
    propInputStream.close()
    return configProps

#==========================================================================
# Load properties and connect to Weblogic server
#==========================================================================

importConfigFile = sys.argv[1]
exportConfigProp = loadProps(importConfigFile)
adminUrl = exportConfigProp.get("adminUrl")
importUser = exportConfigProp.get("importUser")
importPassword = exportConfigProp.get("importPassword")

#===============================
# Start the script
#===============================

connect(importUser, importPassword, adminUrl)
edit()
startEdit()

#================================
# Build JMS Filestores
# Filestores store the messages
#================================

cd('/')
cmo.createFileStore('FileStore_wls01')
cd('/FileStores/FileStore_wls01')
cmo.setDirectory('D:/oracle/projects/domains/rbx_dev_domain/filestores')
set('Targets', jarray.array([ObjectName('com.bea:Name=rbx_dev_wls_01,Type=Server')], ObjectName))
cd('/')
cmo.createFileStore('FileStore_wls02')
cd('/FileStores/FileStore_wls02')
cmo.setDirectory('D:/oracle/projects/domains/rbx_dev_domain/filestores')
set('Targets', jarray.array([ObjectName('com.bea:Name=rbx_dev_wls_02,Type=Server')], ObjectName))

#================================
# Build JMS Server(s)
# For every MS in cluster define a JMSserver and target a single MS server
#================================

cd('/')
cmo.createJMSServer('JmsServer_wls01')
cd('/Deployments/JmsServer_wls01')
cmo.setPersistentStore(getMBean('/FileStores/FileStore_wls01'))
set('Targets', jarray.array([ObjectName('com.bea:Name=rbx_dev_wls_01,Type=Server')], ObjectName))

## Threshold (values are default)
# cmo.setBytesThresholdHigh(-1)
# cmo.setBytesThresholdLow(-1)
# cmo.setMessagesThresholdHigh(-1)
# cmo.setMessagesThresholdLow(-1)
## Quotas (values are default, except MaxMsgSize set to 10MB)
# cmo.setBytesMaximum(-1)
# cmo.setMessagesMaximum(-1)
# cmo.setBlockingSendPolicy('FIFO')
cmo.setMaximumMessageSize(10000000)
cd('/Deployments/JmsServer_wls01/JMSMessageLogFile/JmsServer_wls01')
cmo.setRotationType('byTime')
cmo.setRotateLogOnStartup(false)
cmo.setRotationTime('00:00')
cmo.setFileTimeSpan(24)
cmo.setFileCount(30)
cmo.setNumberOfFilesLimited(true)
cmo.setFileName('D:/oracle/projects/domains/rbx_dev_domain/servers/rbx_dev_wls_01/logs/jmsServers/JmsServer_wls01_messages.log')

cd('/')
cmo.createJMSServer('JmsServer_wls02')
cd('/Deployments/JmsServer_wls02')
cmo.setPersistentStore(getMBean('/FileStores/FileStore_wls02'))
set('Targets', jarray.array([ObjectName('com.bea:Name=rbx_dev_wls_02,Type=Server')], ObjectName))
## Threshold (values are default)
# cmo.setBytesThresholdHigh(-1)
# cmo.setBytesThresholdLow(-1)
# cmo.setMessagesThresholdHigh(-1)
# cmo.setMessagesThresholdLow(-1)
## Quotas (values are default, except MsgMaxSize is 10MB)
# cmo.setBytesMaximum(-1)
# cmo.setMessagesMaximum(-1)
# cmo.setBlockingSendPolicy('FIFO')
cmo.setMaximumMessageSize(10000000)
cd('/Deployments/JmsServer_wls02/JMSMessageLogFile/JmsServer_wls02')
cmo.setRotationType('byTime')
cmo.setRotateLogOnStartup(false)
cmo.setRotationTime('00:00')
cmo.setFileTimeSpan(24)
cmo.setFileCount(30)
cmo.setNumberOfFilesLimited(true)
cmo.setFileName('D:/oracle/projects/domains/rbx_dev_domain/servers/rbx_dev_wls_02/logs/jmsServers/JmsServer_wls02_messages.log')

#================================
# Build JMS Module
# target preferably the cluster; in a single-server DEV domain target the server instead
#================================

cd('/')
cmo.createJMSSystemResource('JmsModuleRubix')
cd('/SystemResources/JmsModuleRubix')
set('Targets',jarray.array([ObjectName('com.bea:Name=rbx_dev_wls_cluster,Type=Cluster')], ObjectName))

#================================
# Build JMS Connection Factory
#================================

cd('/JMSSystemResources/JmsModuleRubix/JMSResource/JmsModuleRubix')
cmo.createConnectionFactory('ConnFactoryGenericRubix')
cd('/JMSSystemResources/JmsModuleRubix/JMSResource/JmsModuleRubix/ConnectionFactories/ConnFactoryGenericRubix')
cmo.setJNDIName('jms/cf/RubixGeneric')
cmo.setDefaultTargetingEnabled(true)
cd('/JMSSystemResources/JmsModuleRubix/JMSResource/JmsModuleRubix/ConnectionFactories/ConnFactoryGenericRubix/SecurityParams/ConnFactoryGenericRubix')
cmo.setAttachJMSXUserId(false)

#================================
# Build JMS Connection Factory XA
#================================

cd('/JMSSystemResources/JmsModuleRubix/JMSResource/JmsModuleRubix')
cmo.createConnectionFactory('ConnFactoryGenericRubixXA')
cd('/JMSSystemResources/JmsModuleRubix/JMSResource/JmsModuleRubix/ConnectionFactories/ConnFactoryGenericRubixXA')
cmo.setJNDIName('jms/cf/RubixGenericXA')
cmo.setDefaultTargetingEnabled(true)
cd('/JMSSystemResources/JmsModuleRubix/JMSResource/JmsModuleRubix/ConnectionFactories/ConnFactoryGenericRubixXA/SecurityParams/ConnFactoryGenericRubixXA')
cmo.setAttachJMSXUserId(false)
cd('/JMSSystemResources/JmsModuleRubix/JMSResource/JmsModuleRubix/ConnectionFactories/ConnFactoryGenericRubixXA/TransactionParams/ConnFactoryGenericRubixXA')
cmo.setTransactionTimeout(3600)
cmo.setXAConnectionFactoryEnabled(true)

#==========================================================================
# Finalize
#==========================================================================

save()
activate()
disconnect()

#================================
# End
#================================

Create 3 queues: a request, a response and an error queue.
Failures are configured to redirect to the error queue: the request and response queues get a redelivery limit of 3 and the expiration policy Redirect pointing at the error queue, while the error queue itself has no error destination, so a message that fails there is not bounced around in a loop.
A 'read service' (hence the SR naming) mechanism I like to combine with the Oracle Service Bus.

Execute the script:  java weblogic.WLST scriptname.jy import.properties


#================================================================
from java.io import FileInputStream
from java.util import Properties
import sys

def loadProps(configPropFile):
    # read a Java-style key=value properties file (same helper as in JMSCreateInfra.jy)
    propInputStream = FileInputStream(configPropFile)
    configProps = Properties()
    configProps.load(propInputStream)
    propInputStream.close()
    return configProps

#================================================================
# Load properties, connect and open an edit session
#================================================================

importConfigProp = loadProps(sys.argv[1])
connect(importConfigProp.get("importUser"), importConfigProp.get("importPassword"), importConfigProp.get("adminUrl"))
edit()
startEdit()

#================================================================
# Build JMS Subdeployment
#================================================================

cd('/SystemResources/JmsModuleRubix')
cmo.createSubDeployment('RBX.myDivision')
cd('/SystemResources/JmsModuleRubix/SubDeployments/RBX.myDivision')
set('Targets',jarray.array([ObjectName('com.bea:Name=rbx_dev_wls_cluster,Type=Cluster')], ObjectName))

#================================================================
# Build Queues: SR01.getMyData
#================================================================

# Error Queue (deliberately without an error destination of its own)
cd('/JMSSystemResources/JmsModuleRubix/JMSResource/JmsModuleRubix')
cmo.createUniformDistributedQueue('SR01.getMyData.Error')
cd('/JMSSystemResources/JmsModuleRubix/JMSResource/JmsModuleRubix/UniformDistributedQueues/SR01.getMyData.Error')
cmo.setJNDIName('jms/queue/SR/getMyData/Error')
cmo.setLoadBalancingPolicy('Round-Robin')
cmo.setSubDeploymentName('RBX.myDivision')

# Request queue: after 3 failed deliveries the message is redirected to the error queue
cd('/JMSSystemResources/JmsModuleRubix/JMSResource/JmsModuleRubix')
cmo.createUniformDistributedQueue('SR01.getMyData.Request')
cd('/JMSSystemResources/JmsModuleRubix/JMSResource/JmsModuleRubix/UniformDistributedQueues/SR01.getMyData.Request')
cmo.setJNDIName('jms/queue/SR/getMyData/Request')
cmo.setLoadBalancingPolicy('Round-Robin')
cmo.setSubDeploymentName('RBX.myDivision')
cd('/JMSSystemResources/JmsModuleRubix/JMSResource/JmsModuleRubix/UniformDistributedQueues/SR01.getMyData.Request/DeliveryFailureParams/SR01.getMyData.Request')
cmo.setRedeliveryLimit(3)
cmo.setExpirationPolicy('Redirect')
cmo.setErrorDestination(getMBean('/JMSSystemResources/JmsModuleRubix/JMSResource/JmsModuleRubix/UniformDistributedQueues/SR01.getMyData.Error'))

# Response Queue: same failure handling as the request queue
cd('/JMSSystemResources/JmsModuleRubix/JMSResource/JmsModuleRubix')
cmo.createUniformDistributedQueue('SR01.getMyData.Response')
cd('/JMSSystemResources/JmsModuleRubix/JMSResource/JmsModuleRubix/UniformDistributedQueues/SR01.getMyData.Response')
cmo.setJNDIName('jms/queue/SR/getMyData/Response')
cmo.setLoadBalancingPolicy('Round-Robin')
cmo.setSubDeploymentName('RBX.myDivision')
cd('/JMSSystemResources/JmsModuleRubix/JMSResource/JmsModuleRubix/UniformDistributedQueues/SR01.getMyData.Response/DeliveryFailureParams/SR01.getMyData.Response')
cmo.setRedeliveryLimit(3)
cmo.setExpirationPolicy('Redirect')
cmo.setErrorDestination(getMBean('/JMSSystemResources/JmsModuleRubix/JMSResource/JmsModuleRubix/UniformDistributedQueues/SR01.getMyData.Error'))

#================================================================
# Finalize
#================================================================

save()
activate()
disconnect()
 

Posted by on 01-12-2011 in Weblogic, WLST

 


Setting up the Weblogic Security Audit Provider for your domain

Imagine a huge landscape with multiple Weblogic domains where each domain has multiple administrators, operators and deployers working with the Weblogic console. Wouldn't it be great if you could audit the changes that were made during each Lock & Edit session? Especially when your business requires this due to strict regulations.

The good news is: You can, but there are some small details you should be aware of.

Auditing with Weblogic logging:

In the Weblogic console click on the domain to the left, and then on the right select the Advanced section in Configuration -> General. One of the settings here is the Configuration Audit Type.

The setting has 4 values, where None is the default:

  • None = Configuration events will neither be written to the server log nor directed to the Security Audit Framework.
  • Change Log = Configuration events will be written to the server log.
  • Change Audit = Configuration events will be directed to the Security Audit Framework.
  • Change Log and Audit = Configuration events will be written to the server log and directed to the Security Audit Framework.
The simplest option is Change Log: the audited changes are written to the Weblogic server log. The following example is copied from AdminServer.log. It shows the audit trail of a simple change where 2 ports of a Managed Server are changed.
####<someDate> <Info> <Configuration Audit> <someNode> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <...> <BEA-159907> <USER weblogic INVOKED ON com.bea:Name=rbx_dev_osb_01,Type=Server METHOD isSet PARAMS ListenAddress>
####<someDate> <Info> <Configuration Audit> <someNode> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <...> <BEA-159907> <USER weblogic INVOKED ON com.bea:Name=rbx_dev_osb_01,Type=Server METHOD isSet PARAMS ListenPortEnabled>
####<someDate> <Info> <Configuration Audit> <someNode> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <...> <BEA-159907> <USER weblogic INVOKED ON com.bea:Name=rbx_dev_osb_01,Type=Server METHOD isSet PARAMS ListenPort>
####<someDate> <Info> <Configuration Audit> <someNode> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <...> <BEA-159904> <USER weblogic MODIFIED com.bea:Name=rbx_dev_osb_01,Type=Server ATTRIBUTE ListenPort FROM 8010 TO 9010>
####<someDate> <Info> <Configuration Audit> <someNode> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <...> <BEA-159907> <USER weblogic INVOKED ON com.bea:Name=rbx_dev_osb_01,Type=Server METHOD isSet PARAMS JavaCompiler>
####<someDate> <Info> <Configuration Audit> <someNode> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <...> <BEA-159907> <USER weblogic INVOKED ON com.bea:Name=rbx_dev_osb_01,Type=Server METHOD isSet PARAMS ClientCertProxyEnabled>
####<someDate> <Info> <Configuration Audit> <someNode> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <...> <BEA-159904> <USER weblogic MODIFIED com.bea:Name=rbx_dev_osb_01,Type=SSL,Server=rbx_dev_osb_01 ATTRIBUTE Enabled FROM true TO true>
####<someDate> <Info> <Configuration Audit> <someNode> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <...> <BEA-159904> <USER weblogic MODIFIED com.bea:Name=rbx_dev_osb_01,Type=SSL,Server=rbx_dev_osb_01 ATTRIBUTE ListenPort FROM 8011 TO 9011>
####<someDate> <Info> <Configuration Audit> <someNode> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <...> <BEA-159907> <USER weblogic INVOKED ON com.bea:Name=rbx_dev_osb_01,Type=WLDFServerDiagnostic,Server=rbx_dev_osb_01 METHOD isSet PARAMS WLDFDiagnosticVolume>
####<someDate> <Info> <Configuration Audit> <someNode> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <...> <BEA-159907> <USER weblogic INVOKED ON com.bea:Name=ConfigurationManager,Type=weblogic.management.mbeanservers.edit.ConfigurationManagerMBean METHOD save PARAMS >
####<someDate> <Info> <Configuration Audit> <someNode> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <...> <BEA-159907> <USER weblogic INVOKED ON com.bea:Name=ConfigurationManager,Type=weblogic.management.mbeanservers.edit.ConfigurationManagerMBean METHOD haveUnactivatedChanges PARAMS >
####<someDate> <Info> <Configuration Audit> <someNode> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <...> <BEA-159907> <USER weblogic INVOKED ON com.bea:Name=ConfigurationManager,Type=weblogic.management.mbeanservers.edit.ConfigurationManagerMBean METHOD haveUnactivatedChanges PARAMS >

As you can see, it's a lot of logging for such a simple change: the BEA-159907 INVOKED lines record every MBean method call the console made, while only the BEA-159904 MODIFIED lines carry an actual attribute change (and even one of those, Enabled FROM true TO true, changes nothing). The second bad part is that the Weblogic log files are already cluttered with information, and it might be hard to find such specific information. Another problem is that these audit messages are emitted at severity Info. In most production domains I don't want such a low log level, because the log files get too huge and contain too much non-information, so in general the Logger Severity is set to Notice or even Warning (located under each Admin / Managed Server at Logging -> General -> Advanced), and at that threshold the Configuration Audit entries are no longer written at all.

Auditing with the Weblogic Auditing Provider:

The solution for the cluttered Weblogic server log is to use the "Change Audit" option. The information is then redirected to the Weblogic Security Audit Provider (if configured) and written to a separate DefaultAuditRecorder.log file.

An auditing provider collects, stores, and distributes information about operating requests and the outcome of those requests for the purposes of non-repudiation. An Auditing provider can also handle information about configuration changes for auditing purposes. You can configure multiple Auditing providers in a security realm, but none are required. The default security realm does not include an Auditing provider. (source: Weblogic Console)

First we set the Configuration Audit Type option to Change Audit, and secondly we need to configure a Security Audit Provider in the Weblogic security realm.

You can add the default Audit Provider under Providers -> Auditing.

The Default Auditor is limited in its configuration: we can only set the Log Severity, the Log Rotation Level and the Begin and End Markers shown in the log file example below. When we change the configuration of a Managed Server again (the ListenPort), we find the following lines in DefaultAuditRecorder.log.

#### Audit Record Begin <someDate>
<Severity =SUCCESS>  <<<Event Type = SetAttribute Configuration Audit Event>
<Subject = Subject: 4
	Principal = class weblogic.security.principal.WLSUserImpl("weblogic")
	Principal = class weblogic.security.principal.WLSGroupImpl("Administrators")
	Principal = class weblogic.security.principal.WLSGroupImpl("IntegrationAdministrators")
	Principal = class weblogic.security.principal.WLSGroupImpl("AdminChannelUsers")>
<Object = com.bea:Name=rbx_dev_osb_01,Type=Server>
<Attribute = ListenPort><From = 6010><To = 7010>>>
Audit Record End ####

As we can see the modification is recorded with SUCCESS severity, so again we don't leave the default settings for the Security Audit Provider, because DefaultAuditRecorder.log grows very rapidly. For now my conclusion is that it is wiser to set the Severity option to CUSTOM and enable the Error, Success and Failure audit severities. Information Audit Severity will fill up your disks very fast.

However, the Default Audit Provider is attached to your security realm, so during startup of your domain a lot of information about roles, policies and deployments is sent to this file as well. Again it's possible to find configuration changes, this time more easily than in the general Weblogic log files, but it might still take some time to find specific settings and changes over time. Another detail is that DefaultAuditRecorder.log is located in the default server log folder, so we have to guarantee strict access to these files if we need them for legal audit purposes. Keep in mind that an audit trail written by the server it audits can be rotated away or edited by anyone with file-system access to the domain, so for real non-repudiation ship the records to a separate log collector as they are written.
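Pulling the actual changes out of either source is a small parsing job, and it is what turns these logs into a reviewable change list. The following Python script is an added example, not code from the original post: it parses the Change Log lines from AdminServer.log (keeping only the BEA-159904 MODIFIED messages and dropping the BEA-159907 INVOKED noise) and the Begin/End-delimited records of DefaultAuditRecorder.log (keeping only SetAttribute Configuration Audit Events), drops no-op modifications such as Enabled FROM true TO true, and flags changes to SSL MBeans or to port, address and credential attributes. The sample log text is constructed from the shapes shown above with placeholder timestamps and host name, and the WATCH list is an assumption you would adapt to your own domain.

```python
import re

# --- constructed samples ----------------------------------------------------
# AdminServer.log lines as written with Configuration Audit Type "Change Log"
# (BEA-159907 INVOKED / BEA-159904 MODIFIED shapes; timestamps and host are placeholders).
SERVER_LOG = """\
####<21-Feb-2013 10:00:00 CET> <Info> <Configuration Audit> <node1> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <> <BEA-159907> <USER weblogic INVOKED ON com.bea:Name=rbx_dev_osb_01,Type=Server METHOD isSet PARAMS ListenPort>
####<21-Feb-2013 10:00:01 CET> <Info> <Configuration Audit> <node1> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <> <BEA-159904> <USER weblogic MODIFIED com.bea:Name=rbx_dev_osb_01,Type=Server ATTRIBUTE ListenPort FROM 8010 TO 9010>
####<21-Feb-2013 10:00:02 CET> <Info> <Configuration Audit> <node1> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <> <BEA-159904> <USER weblogic MODIFIED com.bea:Name=rbx_dev_osb_01,Type=SSL,Server=rbx_dev_osb_01 ATTRIBUTE Enabled FROM true TO true>
####<21-Feb-2013 10:00:03 CET> <Info> <Configuration Audit> <node1> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <> <BEA-159904> <USER weblogic MODIFIED com.bea:Name=rbx_dev_osb_01,Type=SSL,Server=rbx_dev_osb_01 ATTRIBUTE ListenPort FROM 8011 TO 9011>
"""

# One DefaultAuditRecorder.log record in the Begin/End marker layout of the post.
AUDIT_LOG = """\
#### Audit Record Begin <21-Feb-2013 10:05:00 CET>
<Severity =SUCCESS>  <<<Event Type = SetAttribute Configuration Audit Event>
<Subject = Subject: 4
\tPrincipal = class weblogic.security.principal.WLSUserImpl("weblogic")
\tPrincipal = class weblogic.security.principal.WLSGroupImpl("Administrators")
\tPrincipal = class weblogic.security.principal.WLSGroupImpl("AdminChannelUsers")>
<Object = com.bea:Name=rbx_dev_osb_01,Type=Server>
<Attribute = ListenPort><From = 6010><To = 7010>>>
Audit Record End ####
"""

# --- AdminServer.log (Change Log) ------------------------------------------
LOG_LINE = re.compile(r'^####<(?P<time>[^>]*)>.*<(?P<msgid>BEA-\d+)> <(?P<msg>.*)>$')
MODIFIED = re.compile(r'^USER (?P<user>\S+) MODIFIED (?P<mbean>\S+) ATTRIBUTE (?P<attr>\S+)'
                      r' FROM (?P<old>.*?) TO (?P<new>.*)$')


def parse_server_log(text):
    """One dict per BEA-159904 MODIFIED line; BEA-159907 INVOKED lines
    (isSet, save, haveUnactivatedChanges, ...) are skipped as noise."""
    changes = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.group('msgid') != 'BEA-159904':
            continue
        c = MODIFIED.match(m.group('msg'))
        if c:
            changes.append(dict(source='AdminServer.log', time=m.group('time'), **c.groupdict()))
    return changes


# --- DefaultAuditRecorder.log (Change Audit) --------------------------------
RECORD = re.compile(r'#### Audit Record Begin <(?P<time>[^>]*)>\n(?P<body>.*?)\nAudit Record End ####', re.S)
ATTR = re.compile(r'<Attribute\s*=\s*([^>]*)><From\s*=\s*([^>]*)><To\s*=\s*([^>]*)>')


def parse_audit_log(text):
    """One dict per SetAttribute Configuration Audit Event; the role, policy
    and deployment events the auditor also records are ignored."""
    changes = []
    for rec in RECORD.finditer(text):
        body = rec.group('body')
        a = ATTR.search(body)
        if 'SetAttribute Configuration Audit Event' not in body or not a:
            continue
        user = re.search(r'WLSUserImpl\("([^"]+)"\)', body)
        mbean = re.search(r'<Object\s*=\s*([^>]+)>', body)
        sev = re.search(r'<Severity\s*=\s*(\w+)>', body)
        changes.append(dict(source='DefaultAuditRecorder.log', time=rec.group('time'),
                            user=user.group(1) if user else None,
                            groups=re.findall(r'WLSGroupImpl\("([^"]+)"\)', body),
                            mbean=mbean.group(1) if mbean else None,
                            severity=sev.group(1) if sev else None,
                            attr=a.group(1), old=a.group(2), new=a.group(3)))
    return changes


# --- review helpers ---------------------------------------------------------
WATCH = ('Password', 'Credential', 'Port', 'Address', 'Enabled')   # assumption: tune per domain


def effective_changes(changes):
    """Drop no-op modifications such as 'Enabled FROM true TO true'."""
    return [c for c in changes if c['old'] != c['new']]


def flag_sensitive(changes):
    """Changes to SSL MBeans or to attributes on the watch list."""
    return [c for c in changes
            if 'Type=SSL' in (c['mbean'] or '') or any(w in c['attr'] for w in WATCH)]


def summarize(changes):
    return ['%s %s %s %s.%s: %s -> %s' % (c['time'], c['source'], c['user'],
                                         c['mbean'], c['attr'], c['old'], c['new'])
            for c in changes]


if __name__ == '__main__':
    all_changes = parse_server_log(SERVER_LOG) + parse_audit_log(AUDIT_LOG)
    for line in summarize(effective_changes(all_changes)):
        print(line)
```

Against real files, replace the constructed samples with the file contents read whole (the audit records span several lines, so a line-by-line reader would miss them), and feed the output of summarize() to whatever collects your change tickets.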

WLST Script Recording:

This might sound like a strange alternative, but WLST script recording can help us in some way. Of course WLST (Weblogic Scripting) is very cool for setting up complete new Weblogic environments in seconds, and besides that it's also very handy for releasing configuration changes to your domains from development all the way to production.

You can of course start hard-core coding your scripts, but another helpful tool is the Record option the Weblogic console offers. This feature records the changes you make in your configuration and saves them as a generated Jython script which you can then (if necessary) modify and run on other environments.

If you check the preferences of the Weblogic console you can find a WLST Script Recording tab


Which has an option called “Automatic Recording”

By enabling this option you actually get what you want: all changes are automatically written to disk in the location configured by the "Base Script Directory" option. However, for some weird reason the "Script File Name" option, which states that the file name is generated dynamically every time you Lock & Edit, now becomes a static value. So if you don't realize this, the file "Script1316…." will be overwritten every time you make changes. To avoid this you can enable the "Append to File" option, but my opinion is that this is just a workaround and you would rather have:

  • A random generated output file name, instead of the static value you create by enabling the “Automatic Recording” option.
  • It would be a nice-to-have to be able to use parameters in the output file, like %date% or %username%.
There is another "problem" if you are the highest Weblogic administrator in the domain and the business wants a feature for "audit and proof". The problem is the fact that the setting is not set for the whole domain, as I would have hoped, but for every user independently. So right now we have only set this configuration for the user "weblogic".
For instance, when I log on with a new user called "Test" (which is a member of the Operators and Deployers groups) we can see that the settings were not inherited.

The Base Script Directory is configured with the default (the domain home) and Automatic Recording is disabled. Since we create users with WLST scripts it's quite easy to configure both these settings correctly, but for audit purposes it is useless if the user is able to disable the whole setting.

It would be great to have this feature improved in future Weblogic versions (this was tested with Weblogic 10.3.5), so that the whole Automatic Recording functionality is extended to be more like an internal security audit mechanism such as the Weblogic Security Audit Provider.
Conclusion:

It looks like the Security Audit Provider in combination with the Configuration Audit Type option is still the best solution for auditing a Weblogic domain. During the first period after you configure it, monitor the outcome to see whether you audit too much or too little detail.

WLST Script Recording is very cool, but it cannot guarantee to record all changes in the domain. So I would advise using it, but more for the cases where you are debugging some issues in your domain. At any time you can check what changes you made and if necessary roll them back. So treat it more as a helpful reminder option.
 

Posted by on 26-09-2011 in Weblogic, WLST

 


Weblogic Security Realm WLST import and export

This is just a reminder for myself; the code is not mine but can be found in multiple places on the web, so I have no idea who the initial owner is and whom to give credit.

export configuration:

java weblogic.WLST
from java.util import Properties
connect('weblogic','weblogic', 't3://somedomain:7001')
domainRuntime()
cd('/DomainServices/DomainRuntimeService/DomainConfiguration/FirstDomain/SecurityConfiguration/FirstDomain/DefaultRealm/myrealm/AuthenticationProviders/DefaultAuthenticator')
# 'DefaultAtn' is the LDIF format of the Default Authenticator; the empty Properties() means no export constraints
cmo.exportData('DefaultAtn','/tmp/export.ldif', Properties())

import configuration:

java weblogic.WLST
from java.util import Properties
connect('weblogic','weblogic', 't3://someotherdomain:7001')
domainRuntime()
cd('/DomainServices/DomainRuntimeService/DomainConfiguration/SecondDomain/SecurityConfiguration/SecondDomain/DefaultRealm/myrealm/AuthenticationProviders/DefaultAuthenticator')
cmo.importData('DefaultAtn','/tmp/export.ldif', Properties())

The export contains the users and groups of the embedded LDAP server, including their (hashed) passwords, so treat export.ldif as sensitive: write it to a directory only the administrator can read rather than the world-readable /tmp, and delete it once the import has succeeded.
 

Posted by on 18-06-2011 in Oracle, Weblogic, WLST

 


Weblogic and Triple-DES encryption

Weblogic allows you to store clear-text passwords in configuration files when you have a development domain; production mode, however, forces the passwords to be stored encrypted, which on this release is done with the Triple-DES block cipher (that's also the reason why the encrypted passwords begin with "{3DES}"; later releases use AES and the prefix "{AES}").

Often this process is done automatically by Weblogic, but in some cases it is good to know how to manually convert clear text to a 3DES-encrypted string. You can find these 3DES strings in the domain's config.xml, boot.properties, the service accounts used by the Oracle Service Bus (even when you use the RDBMS Security Store under your Weblogic domain), etc.
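A quick check for the development-mode situation described above (credentials left in clear text) is to scan the files Weblogic keeps them in for values that lack the {3DES} (or, on later releases, {AES}) prefix. The following Python script is an added example and not part of the original post: the boot.properties and config.xml fragments are constructed, and the scan relies on the assumption that every credential element in config.xml has a name ending in -encrypted (credential-encrypted, node-manager-password-encrypted, ...).

```python
import re
import xml.etree.ElementTree as ET

# What WebLogic writes once a value has been encrypted; anything else in a
# credential field is clear text.
ENCRYPTED = re.compile(r'^\{(3DES|AES)\}[A-Za-z0-9+/=]+$')

# Constructed boot.properties: WebLogic rewrites both entries with {3DES}/{AES}
# after the first start; here the password was added by hand and never encrypted.
BOOT_PROPERTIES = """\
# generated by Configuration Wizard
username={3DES}p2rh5zuiDsut1yNTGtUfFg==
password=welcome1
"""

# Constructed fragment of a domain config.xml; element names ending in
# "-encrypted" are where WebLogic stores credentials (assumption, see lead-in).
CONFIG_XML = """\
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>myDomain</name>
  <security-configuration>
    <name>myDomain</name>
    <credential-encrypted>{3DES}p2rh5zuiDsut1yNTGtUfFg==</credential-encrypted>
    <node-manager-username>weblogic</node-manager-username>
    <node-manager-password-encrypted>welcome1</node-manager-password-encrypted>
  </security-configuration>
</domain>
"""


def cleartext_in_properties(text):
    """Keys of a boot.properties-style file whose value is not an encrypted string."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        key, value = line.split('=', 1)
        if not ENCRYPTED.match(value.strip()):
            found.append(key.strip())
    return found


def cleartext_in_config(xml_text):
    """Local names of *-encrypted elements whose text is present but not encrypted."""
    found = []
    for elem in ET.fromstring(xml_text).iter():
        local = elem.tag.split('}')[-1]           # strip the domain namespace
        value = (elem.text or '').strip()
        if local.endswith('-encrypted') and value and not ENCRYPTED.match(value):
            found.append(local)
    return found


def scan(boot_properties=BOOT_PROPERTIES, config_xml=CONFIG_XML):
    """Combined report: (file, field) pairs that hold a clear-text secret."""
    report = [('boot.properties', k) for k in cleartext_in_properties(boot_properties)]
    report += [('config.xml', k) for k in cleartext_in_config(config_xml)]
    return report


if __name__ == '__main__':
    for filename, field in scan():
        print('clear-text credential: %s -> %s' % (filename, field))
```

Run it over the real files by passing their contents to scan(); a clean domain returns an empty list. Values that carry the prefix are only as safe as SerializedSystemIni.dat, which this check does not look at.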

For this we need the domain's SerializedSystemIni.dat (often called the salt file).
Cibergavin made a good post explaining the importance of this specific file for your Weblogic domain:

SerializedSystemIni.dat is a WebLogic domain file which contains hashes. SerializedSystemIni.dat is located in the domain directory (WebLogic Server 8.1 and earlier) or in domain/security directory (WebLogic Server 9.x and later). The SerializedSystemIni.dat is created during the creation of a WebLogic domain. The hashes in the file are created using an algorithm that binds the file to the domain in which it has been created. So, a SerializedSystemIni.dat file can be used only within the domain in which it has been created.

The encryption key is derived from SerializedSystemIni.dat, so anyone who can read that file together with config.xml or boot.properties can recover the clear-text passwords; protect it like a private key and keep it out of backups and repositories that others can read. Because the utility needs this file, execute it from your domain folder:

cd d:\myDomain\bin
setDomainEnv.cmd
java weblogic.security.Encrypt
Password: weblogic
{3DES}p2rh5zuiDsut1yNTGtUfFg==

You can also pass the password as an argument (beware that it then ends up in your shell history and is visible in the process list while the command runs):

cd d:\myDomain\bin
setDomainEnv.cmd
java weblogic.security.Encrypt weblogic
{3DES}p2rh5zuiDsut1yNTGtUfFg==

And last but not least you can use WLST. Note that all three methods produce the identical string: within a domain the 3DES encryption is deterministic, so someone holding config.xml can confirm a guessed password offline simply by encrypting it and comparing.

cd d:\myDomain\bin
setDomainEnv.cmd
java weblogic.WLST

Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands

wls:/offline> es = encrypt('weblogic')
wls:/offline> print es
{3DES}p2rh5zuiDsut1yNTGtUfFg==
wls:/offline>
 

Posted by on 09-04-2010 in Oracle, Weblogic, WLST

 


Weblogic WLST connections using SSL

When your Administration Server, Node Manager and Managed Servers use SSL to communicate with each other you have decent basic security for your Weblogic domain. (And NO, the default demo certs/stores do not fulfil that requirement in production.)

However, communication from WLST to your Weblogic domain needs a small adjustment. The normal steps would otherwise result in this error:

call "D:\myDomain\bin\setDomainEnv.cmd"
D:\myDomain>java weblogic.WLST

Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands

wls:/offline> connect('weblogic','weblogic','t3s://myserver.local.rubix.nl:7003')

Connecting to t3s://myserver.local.rubix.nl:7003 with userid weblogic ...

<8-apr-2010 13:39:55 uur CES> <Warning> <Security> <BEA-090542> <Certificate chain received from myserver.local.rubix.nl - 10.0.0.11 was not trusted causing SSL handshake failure. Check the certificate chain to determine if it should be trusted or not. If it should be trusted, then update the client trusted CA configuration to trust the CA certificate that signed the peer certificate chain. If you are connecting to a WLS server that is using demo certificates (the default WLS server behavior), and you want this client to trust demo certificates, then specify -Dweblogic.security.TrustKeyStore=DemoTrust on the command line for this client.>

Traceback (innermost last):

File "<console>", line 1, in ?

File "<iostream>", line 22, in connect WLSTException: Error occured while performing connect : Error getting the initial context. There is no server running at t3s://myserver.local.rubix.nl:7003 Use dumpStack() to view the full stacktrace

wls:/offline>

*note: I use port 7003 because the Domain Admin Port is enabled in my domain.

Anyway, the connection to the Admin Server cannot be established over SSL because WLST does not trust the certificate chain the server presents. To fix this, start WLST with a trust store that contains the CA certificate that signed the server certificate:

D:\myDomain>java -Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.CustomTrustKeyStoreType="JKS" -Dweblogic.security.TrustKeyStore=CustomTrust -Dweblogic.security.CustomTrustKeyStoreFileName="D:/myDomain/security/myDomain.truststore.jks" weblogic.WLST

Only the three CustomTrust arguments fix the trust error. The -Dweblogic.security.SSL.ignoreHostnameVerification=true flag is needed only when the certificate's subject does not match the host name in the URL; it switches off the check that ties the certificate to the host you think you are talking to, so leave it out in production and use a certificate whose CN or subject alternative name matches the host name instead.

wls:/offline> connect('weblogic','weblogic','t3s://myserver.local.rubix.nl:7003')

Successfully connected to Admin Server 'myDomain_admin' that belongs to domain 'myDomain'.

wls:/myDomain/serverConfig> disconnect()

Disconnected from weblogic server: myDomain_admin

Now let's try to connect to the Node Manager as well (the last argument selects the SSL listener of the Node Manager):

wls:/offline> nmConnect('weblogic','weblogic','myserver.local.rubix.nl','5556','myDomain','d:/myDomain','ssl')

Connecting to Node Manager …

Successfully Connected to Node Manager.

wls:/nm/myDomain>

 

Posted by on 08-04-2010 in Oracle, Weblogic, WLST

 
