Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle WebCenter
11g Release 1 (11.1.1)

Part Number E12037-04

7 Setting Up Node Manager

This chapter describes how to configure Node Manager according to Enterprise Deployment recommendations. Oracle recommends enabling host name verification for communication between Node Manager and the Administration Server. Host name verification requires a certificate for each address that communicates with the Administration Server, issued to the name the peer connects to. This chapter provides the steps for creating and configuring those certificates on SOAHOST1 and SOAHOST2. The same steps, with the host names changed accordingly, apply to WCHOST1 and WCHOST2; the procedure and syntax are otherwise identical.

This chapter includes the following sections:

    Section 7.1, "About the Node Manager"
    Section 7.2, "Enabling Host Name Verification Certificates for Node Manager in SOAHOST1"
    Section 7.3, "Starting the Node Manager on SOAHOST1"
    Section 7.4, "Enabling Host Name Verification Certificates for the Node Manager in SOAHOST2"
    Section 7.5, "Starting the Node Manager on SOAHOST2"
    Section 7.6, "Enabling Host Name Verification Certificates for Node Manager in WCHOST1 and WCHOST2"
    Section 7.7, "Configuring WebLogic Servers to Use the Custom Keystores"

7.1 About the Node Manager

The Node Manager enables you to start and stop the Administration Server and the managed servers.

About Passwords

The passwords used in this guide, such as welcome1, are examples only. Use strong passwords in a production environment, for example passwords that combine uppercase and lowercase letters with numbers.

7.2 Enabling Host Name Verification Certificates for Node Manager in SOAHOST1

Perform these steps to set up host name verification certificates for communication between the Node Manager and the Administration Server.

7.2.1 Generating Self-Signed Certificates Using the utils.CertGen Utility

Follow these steps to create self-signed certificates on SOAHOST1.mycompany.com. These certificates must be created using the network name/alias that peers connect to, because host name verification compares that name against the certificate. For information on using trust CA certificates instead, see "Configuring Identity and Trust" in Oracle Fusion Middleware Securing Oracle WebLogic Server.

  1. Set up your environment by running the WL_HOME/server/bin/setWLSEnv.sh script:

    In the Bourne shell, run the following command from the WL_HOME/server/bin directory:

    SOAHOST1> . setWLSEnv.sh
    

    Verify that the CLASSPATH environment variable is set:

    SOAHOST1> echo $CLASSPATH
    
  2. Create a user-defined directory for the certificates. For example, create a directory called certs under the ORACLE_BASE/admin/<domain_name>/aserver/<domain_name> directory. Note that certificates can be shared across WLS domains.

    SOAHOST1> cd ORACLE_BASE/admin/<domain_name>/aserver/<domain_name>
    SOAHOST1> mkdir certs
    
  3. Change directory to the user-defined directory.

    SOAHOST1> cd certs
    
  4. Run the utils.CertGen tool from the user-defined directory to create the certificates for both SOAHOST1 and ADMINVHN.

    Syntax:

    java utils.CertGen <key_passphrase> <cert_file_name> <key_file_name> [export | domestic] [hostname]

    Examples:

    SOAHOST1> java utils.CertGen welcome1 SOAHOST1_cert SOAHOST1_key
                 domestic SOAHOST1.mycompany.com
    
    SOAHOST1> java utils.CertGen welcome1 VIPHOST1_cert VIPHOST1_key
                 domestic ADMINVHN.mycompany.com
    

7.2.2 Creating an Identity Keystore Using the utils.ImportPrivateKey Utility

Follow these steps to create an Identity Keystore on SOAHOST1.mycompany.com.

  1. Create a new identity keystore called appIdentityKeyStore using the utils.ImportPrivateKey utility.

    Create this keystore under the same directory as the certificates (that is, ORACLE_BASE/admin/<domain_name>/aserver/<domain_name>/certs).

    Note:

    The Identity Store is created (if none exists) when you import a certificate and the corresponding key into the Identity Store using the utils.ImportPrivateKey utility.

    Import the certificate and private key for both SOAHOST1 and VIPHOST1 into the Identity Store. Make sure that you use a different alias for each certificate/key pair you import.

    Syntax:

    java utils.ImportPrivateKey <keystore_file> <keystore_password> <certificate_alias_to_use> <private_key_passphrase> <certificate_file> <private_key_file> [<keystore_type>]

    Examples:

    SOAHOST1> java utils.ImportPrivateKey appIdentityKeyStore.jks welcome1
                appIdentity1 welcome1
                ORACLE_BASE/admin/<domain_name>/aserver/<domain_name>/certs/SOAHOST1_cert.pem
                ORACLE_BASE/admin/<domain_name>/aserver/<domain_name>/certs/SOAHOST1_key.pem
    
    SOAHOST1> java utils.ImportPrivateKey appIdentityKeyStore.jks welcome1
                appIdentity2 welcome1
                ORACLE_BASE/admin/<domain_name>/aserver/<domain_name>/certs/VIPHOST1_cert.pem
                ORACLE_BASE/admin/<domain_name>/aserver/<domain_name>/certs/VIPHOST1_key.pem
    

7.2.3 Creating a Trust Keystore Using the Keytool Utility

Follow these steps to create the Trust Keystore on SOAHOST1.mycompany.com.

  1. Create the new trust keystore by copying the standard Java keystore, which already contains most of the root CA certificates you need. Oracle does not recommend modifying the standard Java trust keystore directly, so copy the cacerts file from the WL_HOME/server/lib directory into the same directory as the certificates. For example:

    cp WL_HOME/server/lib/cacerts
    ORACLE_BASE/admin/<domain_name>/aserver/<domain_name>/certs/appTrustKeyStore.jks
    
  2. The default password for the standard Java keystore is changeit. Oracle recommends always changing the default password. Use the keytool utility to do this. The syntax is:

    keytool -storepasswd -new <NewPassword> -keystore <TrustKeyStore> -storepass <Original Password>
    

    For example:

    keytool -storepasswd -new welcome1 -keystore appTrustKeyStore.jks -storepass changeit
    
  3. The CA certificate CertGenCA.der, located in the WL_HOME/server/lib directory, signs all certificates generated by the utils.CertGen tool. It must be imported into appTrustKeyStore.jks using the keytool utility. The syntax is:

    keytool -import -v -noprompt -trustcacerts -alias <AliasName>
     -file <CAFileLocation> -keystore <KeyStoreLocation> -storepass <KeyStore Password>
    

    For example:

    keytool -import -v -noprompt -trustcacerts -alias clientCACert -file
     $WL_HOME/server/lib/CertGenCA.der -keystore appTrustKeyStore.jks -storepass welcome1
    

7.2.4 Configuring Node Manager to Use the Custom Keystores

To configure the Node Manager to use the custom keystores, add the following lines to the end of the nodemanager.properties file located in the WL_HOME/common/nodemanager directory:

KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeyStoreFileName=<Identity KeyStore>
CustomIdentityKeyStorePassPhrase=<Identity KeyStore Passwd>
CustomIdentityAlias=<Identity Key Store Alias>
CustomIdentityPrivateKeyPassPhrase=<Private Key used when creating Certificate>

Make sure to use the correct value for CustomIdentityAlias on each node: it must name the certificate for the address that Node Manager listens on. For example, on SOAHOST1 use appIdentity1, the alias under which the SOAHOST1 certificate was imported in Section 7.2.2; appIdentity2 is the certificate for the ADMINVHN (VIPHOST1) address.

Example for Node 1:

KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeyStoreFileName=ORACLE_BASE/admin/<domain_name>/aserver/<domain_name>/certs/appIdentityKeyStore.jks
CustomIdentityKeyStorePassPhrase=welcome1
CustomIdentityAlias=appIdentity1
CustomIdentityPrivateKeyPassPhrase=welcome1

The passphrase entries in the nodemanager.properties file are encrypted when you start Node Manager, as described in Section 7.3, "Starting the Node Manager on SOAHOST1." Until then they are stored in clear text, so start Node Manager as soon as possible after editing the file to minimize the time the entries are left unencrypted.

When MW_HOME is installed on common/shared storage, Node Manager is started from different nodes using the same base configuration (nodemanager.properties). In that case, you must import the certificate and key for every node that shares the binaries into the appIdentityKeyStore.jks identity store: create the certificate for the new node and import it into appIdentityKeyStore.jks as described above, using a distinct alias for each node. Once the certificates are in the store, each Node Manager must point to its own identity alias so that it presents the correct certificate to the Administration Server. To do this, set the CustomIdentityAlias system property through JAVA_OPTIONS before starting Node Manager on each node:

SOAHOST1>cd WL_HOME/server/bin
SOAHOST1>export JAVA_OPTIONS=-DCustomIdentityAlias=appIdentitySOAHOST1

SOAHOSTn>cd WL_HOME/server/bin
SOAHOSTn>export JAVA_OPTIONS=-DCustomIdentityAlias=appIdentitySOAHOSTn
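
The Section 7.2 procedure, from certificate generation through the nodemanager.properties entries, collected into one shell script, with pre-start checks that the guide does not include. This is an added example, not code from the Oracle guide: it assumes setWLSEnv.sh has been sourced so that java, utils.CertGen and keytool are on the PATH and WL_HOME is set; the certs directory is passed in as an argument, the alias naming appIdentity<host> follows the shared-MW_HOME paragraph above, and the chmod 600 on nodemanager.properties is this example's hardening choice. The same functions serve the SOAHOST2 and WCHOSTn steps in Sections 7.4 and 7.6.

```sh
#!/bin/sh
# Added example, not from the Oracle guide: the Section 7.2 procedure for one
# node as shell functions, plus checks to run before starting Node Manager.
# Assumes setWLSEnv.sh has been sourced (java, utils.CertGen, keytool on the
# PATH, WL_HOME set). The certs directory is the shared one from Section 7.2.1.

# Alias convention from the shared-MW_HOME case: appIdentity<short host name>.
nm_alias_for_host() {
    echo "appIdentity${1%%.*}"
}

# Sections 7.2.1 and 7.2.2 for one address: generate a CertGen certificate
# whose CN is the FQDN and import it with its key into the identity keystore.
# $1 certs dir, $2 FQDN, $3 alias, $4 keystore password, $5 private key passphrase
create_host_identity() {
    dir=$1; fqdn=$2; alias=$3; kspass=$4; keypass=$5
    short=${fqdn%%.*}
    ( cd "$dir" && java utils.CertGen "$keypass" "${short}_cert" "${short}_key" domestic "$fqdn" ) || return 1
    java utils.ImportPrivateKey "$dir/appIdentityKeyStore.jks" "$kspass" "$alias" "$keypass" \
        "$dir/${short}_cert.pem" "$dir/${short}_key.pem"
}

# Section 7.2.3: copy the cacerts shipped under WL_HOME, replace the default
# password (changeit) and trust the CA that signs CertGen certificates.
# $1 certs dir, $2 new trust store password
create_trust_store() {
    dir=$1; pass=$2
    cp "$WL_HOME/server/lib/cacerts" "$dir/appTrustKeyStore.jks" || return 1
    keytool -storepasswd -new "$pass" -keystore "$dir/appTrustKeyStore.jks" -storepass changeit || return 1
    keytool -import -v -noprompt -trustcacerts -alias clientCACert \
        -file "$WL_HOME/server/lib/CertGenCA.der" \
        -keystore "$dir/appTrustKeyStore.jks" -storepass "$pass"
}

# Section 7.2.4: write the five KeyStores properties, replacing earlier copies
# of the same keys rather than appending duplicates.
# $1 nodemanager.properties, $2 identity keystore, $3 alias, $4 keystore password, $5 key passphrase
write_nm_keystore_props() {
    props=$1; ks=$2; alias=$3; kspass=$4; keypass=$5
    tmp="$props.tmp.$$"
    [ -f "$props" ] || : > "$props"
    grep -v -E '^(KeyStores|CustomIdentityKeyStoreFileName|CustomIdentityKeyStorePassPhrase|CustomIdentityAlias|CustomIdentityPrivateKeyPassPhrase)=' \
        "$props" > "$tmp" || true
    {
        cat "$tmp"
        echo "KeyStores=CustomIdentityAndCustomTrust"
        echo "CustomIdentityKeyStoreFileName=$ks"
        echo "CustomIdentityKeyStorePassPhrase=$kspass"
        echo "CustomIdentityAlias=$alias"
        echo "CustomIdentityPrivateKeyPassPhrase=$keypass"
    } > "$props"
    rm -f "$tmp"
    # The passphrases sit in clear text until Node Manager's first start encrypts
    # them, so the file is made readable by its owner only (this example's choice).
    chmod 600 "$props"
}

# Print the last value of property $2 in file $1 (empty if absent).
nm_prop() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Pre-start checks. Returns 0 only if all pass; reasons go to stderr.
check_nm_props() {
    props=$1; rc=0
    [ "$(nm_prop "$props" KeyStores)" = "CustomIdentityAndCustomTrust" ] \
        || { echo "KeyStores is not CustomIdentityAndCustomTrust" >&2; rc=1; }
    ks=$(nm_prop "$props" CustomIdentityKeyStoreFileName)
    [ -n "$ks" ] && [ -f "$ks" ] || { echo "identity keystore not found: '$ks'" >&2; rc=1; }
    [ -n "$(nm_prop "$props" CustomIdentityAlias)" ] || { echo "CustomIdentityAlias is empty" >&2; rc=1; }
    mode=$(stat -c %a "$props" 2>/dev/null || stat -f %Lp "$props")
    [ "$mode" = "600" ] || { echo "$props is mode $mode; it holds passphrases, expected 600" >&2; rc=1; }
    return $rc
}

# Optional, needs keytool: confirm the configured alias is really in the keystore.
check_nm_alias_in_keystore() {
    props=$1
    keytool -list -keystore "$(nm_prop "$props" CustomIdentityKeyStoreFileName)" \
        -storepass "$(nm_prop "$props" CustomIdentityKeyStorePassPhrase)" \
        -alias "$(nm_prop "$props" CustomIdentityAlias)" >/dev/null
}
```

On SOAHOST1 the sequence mirrors Sections 7.2.1 to 7.2.4: create_host_identity for SOAHOST1.mycompany.com (alias appIdentity1) and for ADMINVHN.mycompany.com (alias appIdentity2; this script names the files ADMINVHN_cert.pem and ADMINVHN_key.pem rather than VIPHOST1_*), create_trust_store, then write_nm_keystore_props against WL_HOME/common/nodemanager/nodemanager.properties with the SOAHOST1 alias. Run check_nm_props and check_nm_alias_in_keystore before ./startNodeManager.sh; a wrong alias is otherwise only discovered when the Administration Server rejects the connection.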

7.3 Starting the Node Manager on SOAHOST1

You must start Node Manager if it is not already running, and restart it if it is running.

To stop Node Manager, use the Unix kill command.

Run these commands to start Node Manager on SOAHOST1:

Note:

If you have not configured and started Node Manager for the first time yet, run the setNMProps.sh script as described in Section 4.6, "Starting Node Manager on SOAHOST1." This enables the use of the start script, which is required for SOA.

SOAHOST1> cd WL_HOME/server/bin
SOAHOST1> ./startNodeManager.sh

7.4 Enabling Host Name Verification Certificates for the Node Manager in SOAHOST2

Perform these steps to set up host name verification certificates for communication between the Node Manager and the Administration Server:

7.4.1 Generating Self-Signed Certificates Using the utils.CertGen Utility

Follow these steps to create self-signed certificates on SOAHOST2.mycompany.com. These certificates should be created using the network name/alias.

  1. Set up your environment by running the WL_HOME/server/bin/setWLSEnv.sh script:

    In the Bourne shell, run the following command:

    SOAHOST2> . setWLSEnv.sh
    

    Verify that the CLASSPATH environment variable is set:

    SOAHOST2> echo $CLASSPATH
    
  2. Create a user-defined directory for the certificates. For example, create a directory called certs under the ORACLE_BASE/admin/<domain_name>/aserver/<domain_name> directory. Note that certificates can be shared across WLS domains.

    SOAHOST2> cd ORACLE_BASE/admin/<domain_name>/aserver/<domain_name>
    SOAHOST2> mkdir certs
    

    Note:

    The directory where keystores and trust keystores are maintained must be on shared storage that is visible from all nodes, so that when the Administration Server fails over the certificates and keystores are also available.

  3. Change directory to the user-defined directory.

    SOAHOST2> cd certs
    
  4. Run the utils.CertGen tool from the user-defined directory to create the certificates for both SOAHOST2 and ADMINVHN.

    Syntax:

    java utils.CertGen <key_passphrase> <cert_file_name> <key_file_name> [export | domestic] [hostname]

    Examples:

    SOAHOST2> java utils.CertGen welcome1 SOAHOST2_cert SOAHOST2_key
                 domestic SOAHOST2.mycompany.com
    
    SOAHOST2> java utils.CertGen welcome1 VIPHOST1_cert VIPHOST1_key
                 domestic ADMINVHN.mycompany.com
    

7.4.2 Creating an Identity Keystore Using the utils.ImportPrivateKey Utility

Follow these steps to create an Identity Keystore on SOAHOST2.mycompany.com.

  1. Create a new identity keystore called appIdentityKeyStore using the utils.ImportPrivateKey utility.

    Create this keystore under the same directory as the certificates (that is, ORACLE_BASE/admin/<domain_name>/aserver/<domain_name>/certs).

    Note that the Identity Store is created (if none exists) when you import a certificate and the corresponding key into the Identity Store using the utils.ImportPrivateKey utility.

    Import the certificate and private key for both SOAHOST2 and VIPHOST1 into the Identity Store. Make sure that you use a different alias for each certificate/key pair you import.

    Syntax:

    java utils.ImportPrivateKey <keystore_file> <keystore_password> <certificate_alias_to_use> <private_key_passphrase> <certificate_file> <private_key_file> [<keystore_type>]

    Examples:

    SOAHOST2> java utils.ImportPrivateKey appIdentityKeyStore.jks welcome1
                appIdentity1 welcome1
                ORACLE_BASE/admin/<domain_name>/aserver/<domain_name>/certs/SOAHOST2_cert.pem
                ORACLE_BASE/admin/<domain_name>/aserver/<domain_name>/certs/SOAHOST2_key.pem
    
    SOAHOST2> java utils.ImportPrivateKey appIdentityKeyStore.jks welcome1
                appIdentity2 welcome1
                ORACLE_BASE/admin/<domain_name>/aserver/<domain_name>/certs/VIPHOST1_cert.pem
                ORACLE_BASE/admin/<domain_name>/aserver/<domain_name>/certs/VIPHOST1_key.pem
    

7.4.3 Creating a Trust Keystore Using the keytool Utility

Follow these steps to create the Trust Keystore on SOAHOST2.mycompany.com. The procedure is the same as for SOAHOST1 in Section 7.2.3, "Creating a Trust Keystore Using the Keytool Utility." If the certs directory is on shared storage and already holds the appTrustKeyStore.jks created there, that keystore already trusts the CertGen CA and can be reused as it is.

  1. Create the new trust keystore appTrustKeyStore.jks by copying the standard Java keystore (WL_HOME/server/lib/cacerts) into the certs directory, exactly as in step 1 of Section 7.2.3. Use a copy because the standard Java keystore already contains most of the root CA certificates you need; do not modify the standard Java trust keystore itself.

  2. Change the default password of the copied keystore (changeit) using the keytool utility. With the following syntax, keytool prompts for the current password and the new one:

    keytool -storepasswd -keystore <TrustKeyStore>

  3. Import the CA certificate CertGenCA.der into appTrustKeyStore.jks using the keytool utility. This certificate, located in the WL_HOME/server/lib directory, signs all certificates generated by the utils.CertGen tool. With the following syntax, keytool prompts for the keystore password:

    keytool -import -v -noprompt -trustcacerts -alias <AliasName> -file <CAFileLocation> -keystore <KeyStoreLocation>

7.4.4 Configuring Node Manager to Use the Custom Keystores

Follow these steps to configure the Node Manager to use the custom keystores.

  1. Add the following lines to the end of the nodemanager.properties file located in the WL_HOME/common/nodemanager directory.

    KeyStores=CustomIdentityAndCustomTrust
    CustomIdentityKeyStoreFileName=<Identity KeyStore>
    CustomIdentityKeyStorePassPhrase=<Identity KeyStore Passwd>
    CustomIdentityAlias=<Identity Key Store Alias>
    CustomIdentityPrivateKeyPassPhrase=<Private Key used when creating Certificate>

    Make sure to use the correct value for CustomIdentityAlias on each node: it must name the certificate for the address that Node Manager listens on. On SOAHOST2, use appIdentity1, the alias under which the SOAHOST2 certificate was imported in Section 7.4.2; appIdentity2 is the certificate for the ADMINVHN (VIPHOST1) address. If SOAHOST2 shares the identity keystore with SOAHOST1 (see the shared-storage note in Section 7.2.4), import each host's certificate under a distinct alias, for example appIdentitySOAHOST2, and set that alias here.

    Example for SOAHOST2:

    KeyStores=CustomIdentityAndCustomTrust
    CustomIdentityKeyStoreFileName=ORACLE_BASE/admin/<domain_name>/aserver/<domain_name>/certs/appIdentityKeyStore.jks
    CustomIdentityKeyStorePassPhrase=welcome1
    CustomIdentityAlias=appIdentity1
    CustomIdentityPrivateKeyPassPhrase=welcome1

    Note:

    The passphrase entries in the nodemanager.properties file get encrypted when you start Node Manager, as described in Section 7.5, "Starting the Node Manager on SOAHOST2."

    For security reasons, you want to minimize the time the entries in the nodemanager.properties file are left unencrypted. After you edit the file, you should start Node Manager as soon as possible so that the entries get encrypted.

7.5 Starting the Node Manager on SOAHOST2

You must start Node Manager if it is not already running, and restart it if it is running.

To stop Node Manager, use the Unix kill command.

Run these commands to start Node Manager on SOAHOST2:

Note:

If you have not configured and started Node Manager for the first time yet, run the setNMProps.sh script as described in Section 4.15, "Starting Node Manager on SOAHOST2." This enables the use of the start script, which is required for SOA.

SOAHOST2> cd WL_HOME/server/bin
SOAHOST2> ./startNodeManager.sh

7.6 Enabling Host Name Verification Certificates for Node Manager in WCHOST1 and WCHOST2

Repeat the steps in Section 7.4, "Enabling Host Name Verification Certificates for the Node Manager in SOAHOST2," and Section 7.5, "Starting the Node Manager on SOAHOST2," substituting WCHOST1 and WCHOST2 for SOAHOST2, to configure SSL for the node managers on these machines.

7.7 Configuring WebLogic Servers to Use the Custom Keystores

To configure the identity and trust keystores:

  1. Log in to the Administration Console, and click Lock & Edit.

  2. In the left pane, expand Environment, and select Servers.

  3. Click the name of the server for which you want to configure the identity and trust keystores.

  4. Select Configuration, and then Keystores.

  5. In the Keystores field, select the "Custom Identity and Custom Trust" method for storing and managing private keys/digital certificate pairs and trusted CA certificates.

  6. In the Identity section, define attributes for the identity keystore.

    1. Custom Identity Keystore: Enter the fully qualified path to the identity keystore:

      ORACLE_BASE/admin/domain_name/aserver/domain_name/certs/appIdentityKeyStore.jks 
      
    2. Custom Identity Keystore Type: Leave this field blank; it defaults to JKS.

    3. Custom Identity Keystore Passphrase: Enter the keystore password (<keystore_password>, welcome1 in the examples) that you used when creating the identity keystore in Section 7.2.2, "Creating an Identity Keystore Using the utils.ImportPrivateKey Utility."

      This attribute may be optional or required depending on the type of keystore. All keystores require the passphrase in order to write to the keystore. However, some keystores do not require the passphrase to read from the keystore. WebLogic Server reads only from the keystore, so whether or not you define this property depends on the requirements of the keystore.

  7. In the Trust section, define properties for the trust keystore:

    1. Custom Trust Keystore: Enter the fully qualified path to the trust keystore:

      ORACLE_BASE/admin/domain_name/aserver/domain_name/certs/appTrustKeyStore.jks 
      
    2. Custom Trust Keystore Type: Leave this field blank; it defaults to JKS.

    3. Custom Trust Keystore Passphrase: Enter the password you set as <NewPassword> (welcome1 in the examples) in Section 7.2.3, "Creating a Trust Keystore Using the Keytool Utility."

      This attribute may be optional or required depending on the type of keystore. All keystores require the passphrase in order to write to the keystore. However, some keystores do not require the passphrase to read from the keystore. WebLogic Server reads only from the keystore, so whether or not you define this property depends on the requirements of the keystore.

  8. Click Save.

  9. To activate these changes, in the Change Center of the Administration Console, click Activate Changes.

  10. Select Configuration, then SSL.

  11. In the Private Key Alias field, enter the alias of the certificate issued for the address the server listens on: appIdentity2 (the ADMINVHN certificate) for the Administration Server, and the alias of the host certificate (for example, appIdentity1 on SOAHOST1) for a managed server. Host name verification fails if the name in this certificate differs from the address that clients connect to.

    In the Private Key Passphrase and the Confirm Private Key Passphrase fields, enter the private key passphrase you used with utils.CertGen and utils.ImportPrivateKey in Section 7.2.2, "Creating an Identity Keystore Using the utils.ImportPrivateKey Utility" (welcome1 in the examples, where it is the same value as the keystore password).

  12. Click Save.

  13. Click Activate Changes in the Administration Console's Change Center to make the changes take effect.

  14. Restart the server for which the changes have been applied.

Execute these steps for the Administration Server, the WLS_WSMn and the WLS_SOAn servers.
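
Once the servers have been restarted, every SSL listener should present a certificate whose CN is exactly the name its peers connect to; that is the condition host name verification enforces, and a mismatch shows up only as a failed Node Manager or Administration Server connection. The following added example (not code from the Oracle guide) fetches the certificate a listener presents with openssl and applies that CN check. The use of openssl and the port numbers (7002 for the Administration Server's SSL listener, 5556 for Node Manager) are assumptions based on WebLogic defaults, not values from this guide; substitute your own.

```sh
#!/bin/sh
# Added example, not from the Oracle guide: check that each SSL listener
# presents a certificate whose CN equals the address it is reached on, the
# check host name verification performs. openssl and the ports are assumptions.

# Extract the CN from a subject DN such as
#   "subject=CN=ADMINVHN.mycompany.com,OU=FOR TESTING ONLY,O=MyOrganization"
# (RFC 2253 form as printed by: openssl x509 -noout -subject -nameopt RFC2253).
# Also tolerates the "CN = x, OU = y" spacing of the default openssl output.
cert_cn_from_subject() {
    printf '%s\n' "$1" \
        | sed 's/^subject= *//' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*CN[[:space:]]*=[[:space:]]*//p' \
        | head -n 1
}

# Exact, case-insensitive match of CN against the connected host name.
# An empty CN, a wildcard or any other host is a mismatch.
hostname_matches_cn() {
    cn=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ -n "$cn" ] && [ "$cn" = "$want" ] && return 0
    return 1
}

# Fetch the certificate a live listener presents and compare its CN with the
# address we connected to. $1 host, $2 port. Returns 2 if nothing answered.
check_listener_cert() {
    host=$1; port=$2
    subj=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
           | openssl x509 -noout -subject -nameopt RFC2253 2>/dev/null) || return 2
    cn=$(cert_cn_from_subject "$subj")
    if hostname_matches_cn "$cn" "$host"; then
        echo "OK   $host:$port presents CN=$cn"
        return 0
    fi
    echo "FAIL $host:$port presents CN='$cn', expected $host" >&2
    return 1
}

# Every listener that takes part in host name verification in this chapter:
# the Administration Server on ADMINVHN and Node Manager on each node.
# 7002 and 5556 are WebLogic defaults assumed here; use your domain's values.
check_all_listeners() {
    rc=0
    check_listener_cert ADMINVHN.mycompany.com 7002 || rc=1
    for h in SOAHOST1 SOAHOST2 WCHOST1 WCHOST2; do
        check_listener_cert "$h.mycompany.com" 5556 || rc=1
    done
    return $rc
}
```

Run check_all_listeners from any host that can reach the listeners. A FAIL for ADMINVHN typically means the Administration Server was given the host alias instead of appIdentity2 in step 11 of Section 7.7; a FAIL for a node means its Node Manager is presenting another node's certificate, which is the mistake the per-node CustomIdentityAlias setting in Section 7.2.4 exists to prevent.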