|
|
The following sections describe how to configure script-based Node Manager:
The SSH Node Manager is a shell script, wlscontrol.sh, located in {WL_HOME}/common/bin/. wlscontrol.sh must exist on each machine that hosts server instances that you want to control with Node Manager. This script can be customized to meet site-specific requirements.
You must have an SSH client executable on each machine where Node Manager or a Node Manager client runs. This script must also be in the path of the user id running it. Typically, an SSH client is a standard part of a Unix or Linux installation.
Before running Node Manager, you should create a dedicated UNIX user account for performing Node Manager functions. This user should be added to all machines that will host the SSH Node Manager and to all machines that will host a Node Manager client, including the Administration Server.
When configuring Node Manager to run as an inetd or xinetd service, the following considerations apply:
The following example shows how Node Manager can be configured within xinetd:
# default: off
# description:nodemanager as a service
service nodemgrsvc
{
type = UNLISTED
disable = no
socket_type = stream
protocol = tcp
wait = yes
user = <username>
port = 5556
flags = NOLIBWRAP
log_on_success += DURATION HOST USERID
server = <path-to-jave>/java
env = CLASSPATH=<cp> LD_LIBRARY_PATH=<ldpath>
server_args = -client -DNodeManagerHome=<NMHome> <java options>
<nodemanager options> weblogic.NodeManager -v
}
The default SSH port used by Node Manager is 22. You can override that setting in the following ways:
Port= parameter in the ~/.ssh/config file to set the default port for an individual user.Port= parameter in the /etc/ssh_config file to set the default port across the entire system.-Dweblogic.nodemanager.ShellCommand="ssh -o PasswordAuthentication=no -p %P %H wlscontrol.sh -d %D -r %R -s %S %C"
After starting the server, you can edit the SSH port in the Administration Server’s configuration file.
The Node Manager SSH shell script relies on SSH user-based security to provide a secure trust relationship between users on different machines. Authentication is not required. You create a UNIX user account—typically one per domain—for running Node Manager commands and scripts. A user logged in as this user can issue Node Manager commands without providing a username and password.
| Note: | You must also ensure that the Node Manager and WebLogic Server commands are available in the path of the UNIX user ID used to run them. |
To perform Server migration and other tasks, the user ID executing scripts such as wlscontrol.sh must have enough sufficient security permissions. This includes being able to bring an IP address online or take an IP address offline via a network interface.
Server migration is performed by the cluster master when it detects that a server has failed. It then uses SSH to launch a script on the target machine to begin the migration. The script on the target machine runs as the same user ID running the server on the cluster master.
The commands required to perform server migration are ifconfig and arping. Since these scripts require elevated OS privileges, it is important to note that this can prevent a potential security hole.
Using sudo, you can configure your SSH to only allow ifconfig and arping to be run using elevated privileges.
A remote start user name and password is required to start a server instance with Node Manager. These credentials are provided differently for Administration Servers and Managed Servers.
boot.properties file. The Configuration Wizard initializes the boot.properties file and the startup.properties file for an Administration Server when you create the domain.
Any server instance started by Node Manager encrypts and saves the credentials with which it started in a server-specific boot.properties file, for use in automatic restarts.
The script-based Node Manager uses two types of key value pairs. This section contains instructions for distributing key value pairs to the machines that will host a Node Manager client or server.
This option distributes the same key value pair to all machines that will host a Node Manager client or server.
The simplest way to accomplish this is to set up your LAN to mount the Node Manager user home directory on each of the machines. This makes the key value pair available to the machines. Otherwise
ssh-keygen command provided with your SSH installation.
The default location for the private and public keys are ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub respectively.
If these keys are stored in a different location, modify the ShellCommand template, adding an option to the ssh command to specify the location of the keys.
~/.ssh/authorized_keys file on the Node Manager machine. For example:
command="/home/bea/server90/common/nodemanager/nodemanager.sh" 1024 33 23...2323
in which the you substitute the public key that you generated, as stored in id_rsa.pub, for the string shown in the example as
| Note: | The prefix command=<command> ensures that a user that establishes a session with the machine using the public key can only run the command specified—nodemanager.sh. This ensures that the user can only perform Node Manager functions, and prevents unauthorized access to data, system utilities, or other resources on the machine. |
/home/bea$ ssh montgomery VERSION
This response indicates that the client accessed Node Manager successfully:
On each machine that will host a Node Manager client:
Append the public key to the machine's ~/.ssh/authorized_keys file user as described in step two in the previous section.
|