Oracle® Composite Application Monitor and Modeler Installation and Configuration Guide
Release 10.2.0.5.1

Part Number E14147-03

4 Post-Installation Requirements

This chapter explains the following post-installation requirements:

4.1 IBM WebSphere Post-Deployment Requirements

The following post-deployment requirements are specific to CAMM deployments on IBM WebSphere Application Server.

4.1.1 Configuring CAMM for WebSphere Application Server 6.1 Secured Connections

The main goal is to add the signer certificate of each administration server to CAMM's truststore, which is needed by each resource to connect to the server. This allows CAMM to trust the server when making secured (SSL) connections to the server. Without this trust, the SSL handshake will fail.

When using the default CAMM truststore, the server's signer certificate would be added to AcseraManagerTrust.jks. This procedure assumes that the customer is using the default key.p12 and trust.p12 keystores for their security support. If a different trust store is being used, refer to that trust store instead.

  1. Export the administration server's signer certificate for the resource.

    If the administration server is the deployment manager in a WebSphere Application Server ND, export the signer certificate from the trust.p12 of the deployment manager, located on the following path:

    <WAS_HOME>\profiles\Dmgr01\config\cells\<CellName>\trust.p12

    If the administration server is a standalone server, export the signer certificate from trust.p12 of the standalone server located on the following path:

    <WAS_HOME>\profiles\AppSrv01\config\cells\<CellName>\nodes\<NodeName>\trust.p12

    To export, run the following command:

    JAVA_HOME/bin/keytool -export -keystore <trust path> -storepass WebAS -storetype PKCS12 -alias default_signer -file servercert

    Note: When exporting a PKCS12 store type, run keytool from an IBM JDK since it has support for this format type.

  2. Import the administration server's signer certificate into the CAMM truststore.

    Import the exported certificate according to the information in Section 4.4, "Importing a Certificate into the Manager's Keystore".

4.1.2 Configuring WebSphere 5.1 for Secure Connectivity

To run CAMM against WebSphere with enabled Global Security, perform the following steps:

  1. Identify the com.ibm.ssl.keyStore and com.ibm.ssl.trustStore files in soap.client.props and sas.client.props in [WAS_HOME]/properties as follows:

    1. Copy the indicated keystore and truststore files to the CAMM Manager.

    2. Import the files following the instructions in Section 4.4, "Importing a Certificate into the Manager's Keystore".

    Example 4-1 soap.client.props

    com.ibm.SOAP.securityEnabled=true
    com.ibm.SOAP.loginUserid=admin
    com.ibm.SOAP.loginPassword=test
     
    com.ibm.ssl.keyStore=
    com.ibm.ssl.keyStorePassword=acserajava
     
    com.ibm.ssl.trustStore=
    com.ibm.ssl.trustStorePassword=acserajava
    

    Example 4-2 sas.client.props

    com.ibm.CORBA.securityEnabled=true
     
    com.ibm.ssl.keyStoreType=JKS
    com.ibm.ssl.keyStore=
    com.ibm.ssl.keyStorePassword=acserajava
     
    com.ibm.ssl.trustStoreType=JKS
    com.ibm.ssl.trustStore=
    com.ibm.ssl.trustStorePassword=acserajava
    
    
  2. If you encounter security exceptions in the CAMM EJB when the application server starts, you may need to update the [WAS_HOME]/properties/server.policy file and append the configuration that follows.

    Example 4-3 server.policy

    // Allow the Acsera Agent all permissions
    grant codeBase "file:${was.install.root}/AcseraAgent/lib/-" {
    permission java.security.AllPermission;
    };
     
    // Allow the Acsera Deployer EJBs all permissions
    grant codeBase "file:${was.install.root}/installedApps/[node]/[Acsera app name].ear/-" {
    permission java.security.AllPermission;
    };
    

Normally, using the websphereDeployer command, the CAMM deployer EJBs would be deployed in the WebSphere server environment with the application name of the form:

Acsera_<node name>_<server name>

For example, the following is the application name of a deployer deployed on node a6-7 and server WebSphere_Portal:

Acsera_a6-7_WebSphere_Portal

4.2 Configuring Oracle SOA Suite for Secure Connectivity

The Oracle SOA Suite may be configured to support RMIS (RMI over SSL) connectivity. In this case, CAMM can be configured to use this secure connection. To configure CAMM to do this, perform the following steps:

  1. On the Oracle SOA Suite install, look at ORACLE_HOME/j2ee/<instance>/config/rmi.xml, locate the <ssl-config> element, and identify the path in the keystore attribute.

  2. Copy the keystore file indicated to CAMM manager's config directory (for example, em10/config)

  3. Import this keystore file following the instructions in Section 4.4, "Importing a Certificate into the Manager's Keystore".

4.3 Configuring Oracle WebLogic Server or Oracle WebLogic Portal (WLP) for Secure Connectivity

To configure Oracle WebLogic Server 10.0 to handle connectivity using t3s, the location of the keystore files needs to be updated through the console.

  1. Log in to the WebLogic Server console and, in the Environment Servers list that is displayed, select the servers that you plan to manage with CAMM.

  2. Select a server from the server list.

  3. Select the Keystores tab and click Load & Edit to update the keystore.

  4. Make the following changes. Identify the keystore and truststore file paths from the following properties:

    Identity

    Custom Identity Keystore

    Trust

    Custom Trust Keystore: location of the trust file

  5. Repeat steps 2 through 4 for additional server instances that will be managed.

  6. Copy the identified keystore and truststore files to the CAMM manager.

  7. Copy the BEA_HOME/license.bea to the CAMM manager's config directory (for example, em10g/config)

  8. Import the keystore and truststore files following the instructions in Section 4.4, "Importing a Certificate into the Manager's Keystore"

  9. Locate the following properties in the Acsera.properties file and set them as follows:

    weblogic.security.TrustKeyStore=CustomTrust
    weblogic.security.CustomTrustKeyStoreFileName=AcseraManagerTrust.jks
    weblogic.security.CustomTrustKeyStorePassPhrase=acseramanager
    

4.4 Importing a Certificate into the Manager's Keystore

To import entries from a keystore or truststore, perform the following steps, replacing ServerStoreFile.jks with the keystore or truststore from your application server. (Skip steps 1 and 2 if you are importing certificate files from WAS 6.1 as described in Section 4.1.1, "Configuring CAMM for WebSphere Application Server 6.1 Secured Connections".) You will generally need to complete these steps twice, once for the keystore and once for the truststore.

  1. List the key aliases in the keystore or truststore file from the server

    keytool -list -keystore ServerStoreFile.jks -storepass DemoIdentityKeyStorePassPhrase
    

    Output:

    Keystore type: jks
    Keystore provider: SUN
    
    Your keystore contains 1 entry:
    
    demoidentity, Wed Nov 19 13:34:56 PST 2008, keyEntry, Certificate fingerprint (MD5): 36:06:C2:44:31:0A:28:FC:06:19:F7:AB:C0:7D:27:6A
    
  2. Export a key entry to an intermediate file

    keytool -export -alias demoidentity -keystore ServerStoreFile.jks -storepass DemoIdentityKeyStorePassPhrase -file demo103
    

    Output:

    Certificate stored in file <demo103>
    
  3. Import the key into the CAMM store file (either AcseraManagerKey.jks or AcseraManagerTrust.jks in the CAMM manager's config directory)

    keytool -import -alias demoidentity1 -keystore AcseraManagerKey.jks -storepass acseramanager -file demo103
    

    Output:

    Owner: CN=b91, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
    Issuer: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
    Serial number: 510fb3d4b2872e3a093d436fcbe9b24b
    Valid from: Tue Nov 18 13:34:47 PST 2008 until: Sun Nov 19 13:34:47 PST 2023
    Certificate fingerprints:
            MD5:  36:06:C2:44:31:0A:28:FC:06:19:F7:AB:C0:7D:27:6A
            SHA1: BB:85:6D:4C:0B:4A:92:63:CA:5E:E9:A8:54:42:80:2D:0D:BE:7C:91
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
    
  4. Verify that the key was imported successfully

    keytool -list -keystore AcseraManagerKey.jks -storepass acseramanager
    

    Output:

    Keystore type: jks
    Keystore provider: SUN
     
    Your keystore contains 3 entries:
     
    demoidentity1, Wed Apr 01 13:03:21 PST 2009, trustedCertEntry,
    Certificate fingerprint (MD5): 36:06:C2:44:31:0A:28:FC:06:19:F7:AB:C0:7D:27:6A
    demoidentity, Fri Mar 13 15:15:06 PST 2009, trustedCertEntry,
    Certificate fingerprint (MD5): 0B:11:02:B5:44:0D:2A:CC:7F:C5:30:5C:1A:C9:A1:6C
    mykey, Thu May 19 16:57:36 PDT 2005, keyEntry,
    Certificate fingerprint (MD5): 5D:B0:EC:28:14:33:26:1F:44:F5:BE:DD:A8:50:15:9D
    
  5. Repeat steps 2 through 4 for each key entry listed in step 1.

At present, because CAMM runs with a bundled Sun HotSpot JDK, CAMM cannot be configured to use PKCS12-type key/trust stores for secured connections. The IBM JDK has built-in enhancements that allow it to work with PKCS12 key/trust stores, such as WebSphere 6.1's default key.p12 and trust.p12 stores. WebSphere 6.1 also has an automatic function, enabled with the property com.ibm.ssl.enableSignerExchangePrompt=true, that lets a client connecting to a secure WebSphere port automatically download the server's signer certificate and update the client's truststore. However, this automatic function is only available when CAMM is running with an IBM JDK, which is not the case at present. This is why the above procedure is needed to connect to a secured WebSphere 6.1.
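
The verification in step 4 of Section 4.4 can be done by comparing fingerprints rather than reading the two listings by eye. The following shell script is an added example, not part of the Oracle guide: it parses `keytool -list` text in both layouts shown in the sample output and reports server-store entries whose fingerprint is missing from the CAMM store. The function names and the `notimported` entry are constructed for illustration.

```sh
#!/bin/sh
# Added example: check step 4 of Section 4.4 by fingerprint, not by alias.

# Step 1 listing of the server store, as printed on the page.
SERVER_LISTING='Your keystore contains 1 entry:

demoidentity, Wed Nov 19 13:34:56 PST 2008, keyEntry, Certificate fingerprint (MD5): 36:06:C2:44:31:0A:28:FC:06:19:F7:AB:C0:7D:27:6A'

# Step 4 listing of the CAMM store, as printed on the page (wrapped layout).
CAMM_LISTING='Your keystore contains 3 entries:

demoidentity1, Wed Apr 01 13:03:21 PST 2009, trustedCertEntry,
Certificate fingerprint (MD5): 36:06:C2:44:31:0A:28:FC:06:19:F7:AB:C0:7D:27:6A
demoidentity, Fri Mar 13 15:15:06 PST 2009, trustedCertEntry,
Certificate fingerprint (MD5): 0B:11:02:B5:44:0D:2A:CC:7F:C5:30:5C:1A:C9:A1:6C
mykey, Thu May 19 16:57:36 PDT 2005, keyEntry,
Certificate fingerprint (MD5): 5D:B0:EC:28:14:33:26:1F:44:F5:BE:DD:A8:50:15:9D'

# Constructed listing (not from the page): an entry that was never imported.
CONSTRUCTED_LISTING='notimported, Mon Jan 05 10:00:00 PST 2009, keyEntry, Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'

# list_entries: keytool -list text on stdin -> "alias<TAB>type<TAB>fingerprint".
# Accepts the fingerprint on the alias line or wrapped onto the next line.
list_entries() {
  awk '
    { sub(/^[ \t]+/, "") }
    /, (keyEntry|trustedCertEntry),/ {
      split($0, f, ", "); alias = f[1]
      type = ($0 ~ /, keyEntry,/) ? "keyEntry" : "trustedCertEntry"
    }
    /Certificate fingerprint \([^)]*\): / {
      fp = $0
      sub(/^.*Certificate fingerprint \([^)]*\): /, "", fp)
      sub(/[ \t\r]+$/, "", fp)
      if (alias != "") print alias "\t" type "\t" fp
      alias = ""
    }'
}

# missing_in_camm_store SRC DST: print aliases from the server listing whose
# fingerprint does not appear anywhere in the CAMM store listing.
missing_in_camm_store() {
  dst_fps=$(printf '%s\n' "$2" | list_entries | cut -f3)
  printf '%s\n' "$1" | list_entries | while IFS="$(printf '\t')" read -r alias type fp; do
    printf '%s\n' "$dst_fps" | grep -qxF "$fp" || printf '%s\n' "$alias"
  done
}

missing_in_camm_store "$SERVER_LISTING" "$CAMM_LISTING"       # prints nothing
missing_in_camm_store "$CONSTRUCTED_LISTING" "$CAMM_LISTING"  # prints the alias
```

Matching on the fingerprint matters here because the CAMM store in the sample output already holds an alias named demoidentity with a different certificate (0B:11:...), so an alias-only check would pass even if the import had not happened. Both listings must use the same fingerprint algorithm for the comparison to be meaningful.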

4.5 Configuring the CAMM Agent When WebLogic Is Installed As a Windows Service

When the monitored WebLogic server is installed as a Windows Service, the automatic startup changes to deploy the CAMM Agent need to be manually applied to the registry entries that control WebLogic startup.

The parameters which need to be changed are in the Windows registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters

Users should then consult the file on the CAMM Manager:

deploy/agent/bea/bin/agentoptions.bat (for WebLogic 8.1.x)
deploy/agent/bea9/bin/agentoptions.bat (for WebLogic 9.x and higher)

Inspect this file and resolve the net results of its execution as Parameters in the registry.

Note that the beaaj.jar named in the %EXT_POST_CLASSPATH% variable needs to be placed on the server's classpath.