Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition) 11g Release 7 (11.1.7) Part Number E21032-21 |
|
|
PDF · Mobi · ePub |
This chapter describes how to configure Node Manager in accordance with Oracle best practice recommendations.
This chapter contains the following sections:
Section 12.3, "Update Domain to Access Node Manager Using SSL"
Section 12.5, "Enabling Host Name Verification Certificates for Node Manager"
Node Manager enables you to start and stop the Administration Server and the Managed Servers.
Process
The procedures described in this chapter must be performed for various components of the enterprise deployment topologies outlined in Section 2.1.1, "Reference Topologies Documented in the Guide." The topologies and hosts are shown in Table 12-1.
Table 12-1 Hosts in Each Topology
Topology | Hosts |
---|---|
OAM11g/OIM11g |
IDMHOST1 IDMHOST2 |
OIF11g |
IDMHOST1 IDMHOST2 |
Note that the procedures in this chapter must be performed multiple times for each VIP-and-IP pair using the information provided in the component-specific chapters.
Recommendations
Oracle provides two main recommendations for Node Manager configuration in enterprise deployment topologies:
Oracle recommends placing the Node Manager log file in a location different from the default one (which is inside the Middleware Home where Node Manager resides).
Oracle also recommends using host name verification for the communication between Node Manager and the servers in the domain. This requires the use of certificates for the different addresses used in the domain. This chapter explains the steps for configuring certificates in the hosts for host name verification. See Section 12.5, "Enabling Host Name Verification Certificates for Node Manager" for further details.
Note:
The passwords used in this guide are used only as examples. Use secure passwords in a production environment. For example, use passwords that consist of random sequences of both uppercase and lowercase characters as well as numbers.
By default, provisioning does not configure Node Manager in SSL mode. You must configure each node manager in the topology to use SSL.
For each node manager that has its configuration in SHARED_CONFIG_DIR
/nodemanager/hostname
, perform the following steps:
Edit the file nodemanager.properties
.
Change the line SecureListener=false
to SecureListener=true
.
Save the file.
Restart Node Manager by killing the nodemanager
process, and restart as follows.
Execute the command:
startNodeManagerWrapper.sh
Repeat these steps for each node manager.
Log in to the WebLogic Administration console as the user weblogic_idm
. (Console URLs are provided in Section 16.2, "About Identity Management Console URLs.")
Select IDMDomain > Environment > Machines from the Domain Structure menu.
Click on Lock and Edit.
Click on one of the machines, for example idmhost1.mycompany.com.
Click on the Node Manager tab.
Change Type from Plain to SSL.
Click Save
Repeat Steps 4-7 for each machine
Click Activate Changes.
You must update the following files, which are generated by the provisioning tool. Each of these files is located in the directory SHARED_CONFIG_DIR
/scripts/basescripts
:
stop_nodemanager_template.py
stop_adminserver_template.py
start_adminserver_template.py
Proceed as follows for each of the files:
Edit the file.
Locate the line which starts with nmConnect
.
Change the last parameter from plain
to SSL
.
For example in start_adminserver_template.py
, change the line:
nmConnect('admin', nmpwd, 'localhost', '5556', 'IDMDomain' , '/u01/oracle/config/domains/IDMDomain' , 'Plain')
to
nmConnect('admin', nmpwd, 'localhost', '5556', 'IDMDomain' , '/u01/oracle/config/domains/IDMDomain' , 'SSL')
Save the file.
This section describes how to set up host name verification certificates for communication between Node Manager and the Administration Server. It consists of the following steps:
Section 12.5.1, "Generating Self-Signed Certificates Using the utils.CertGen Utility"
Section 12.5.2, "Creating an Identity Keystore Using the utils.ImportPrivateKey Utility"
Section 12.5.3, "Creating a Trust Keystore Using the Keytool Utility"
Section 12.5.4, "Configuring Node Manager to Use the Custom Keystores"
Section 12.5.5, "Configuring Managed WebLogic Servers to Use the Custom Keystores"
Section 12.5.6, "Changing the Host Name Verification Setting for the Managed Servers"
The certificates added in this chapter (as an example) address a configuration where Node Manager listens on a physical host name (HOST.mycompany.com) and a WebLogic Managed Server listens on a virtual host name (VIP.mycompany.com). Whenever a server is using a virtual host name, it is implied that the server can be migrated from one node to another. Consequently, the directory where keystores and trust keystores are maintained ideally must reside on a shared storage that is accessible from the failover. If additional host names are used in the same or different nodes, the steps in this example must be extended to:
Add the required host names to the certificate stores (if they are different from HOST.mycompany.com and VIP.mycompany.com).
Change the identity and trust store location information for Node Manager (if the additional host names are used by Node Manager) or for the servers (if the additional host names are used by Managed Servers).
Follow these steps to create self-signed certificates on HOST. These certificates should be created using the network name or alias. For information on using trust CA certificates instead, see "Configuring Identity and Trust" in Oracle Fusion Middleware Securing Oracle WebLogic Server. The following examples configure certificates for HOST.mycompany.com and VIP.mycompany.com; that is, it is assumed that both a physical host name (HOST) and a virtual host name (VIP) are used in HOST. It is also assumed that HOST.mycompany.com is the address used by Node Manager and VIP.mycompany.com is the address used by a Managed Server or the Administration Server. This is the common situation for nodes hosting an Administration Server and a Fusion Middleware component, or for nodes where two Managed Servers coexist with one server listening on the physical host name and one server using a virtual host name (which is the case for servers that use migration servers).
Set up your environment by running the WL_HOME
/server/bin/setWLSEnv.sh script. In the Bourne shell, run the following commands:
cd WL_HOME/server/bin
. ./setWLSEnv.sh
Verify that the CLASSPATH
environment variable is set:
echo $CLASSPATH
Create a user-defined directory for the certificates. For example, create a directory called 'keystores' under the ASERVER_HOME
directory. Note that certificates can be shared across WebLogic domains.
cd ASERVER_HOME
mkdir keystores
Note:
The directory where keystores and trust keystores are maintained must be on shared storage that is accessible from all nodes so that when the servers fail over (manually or with server migration), the appropriate certificates can be accessed from the failover node. Oracle recommends using central or shared stores for the certificates used for different purposes (like SSL set up for HTTP invocations, for example).
Change directory to the directory that you just created:
cd keystores
Run the utils.CertGen tool from the user-defined directory to create the certificates for both HOST. mycompany.com and VIP. mycompany.com.
Syntax (all on a single line):
java utils.CertGen Key_Passphrase Cert_File_Name Key_File_Name [export | domestic] [Host_Name]
Examples:
java utils.CertGen Key_Passphrase IDMHOST1.mycompany.com_cert IDMHOST1.mycompany.com_key domestic IDMHOST1.mycompany.com java utils.CertGen Key_Passphrase IDMHOST2.mycompany.com_cert IDMHOST2.mycompany.com_key domestic IDMHOST2.mycompany.com
Also create a certificate for the Admin Server virtual host.
java utils.CertGen Key_Passphrase ADMINVHN.mycompany.com_cert ADMINVHN.mycompany.com_key domestic ADMINVHN.mycompany.com
Follow these steps to create an identity keystore on IDMHOST1:
Create a new identity keystore called appIdentityKeyStore
using the utils.ImportPrivateKey
utility. Create this keystore under the same directory as the certificates (that is, ASERVER_HOME
/keystores
).
Note:
The Identity Store is created (if none exists) when you import a certificate and the corresponding key into the Identity Store using the utils.ImportPrivateKey
utility.
Import the certificate and private key for IDMHOST1.mycompany.com
, IDMHOST2.mycompany.com
into the Identity Store. Ensure that you use a different alias for each of the certificate/key pairs imported.
Syntax (all on a single line):
java utils.ImportPrivateKey Keystore_File Keystore_Password Certificate_Alias_to_Use Private_Key_Passphrase Certificate_File Private_Key_File [Keystore_Type]
Examples:
java utils.ImportPrivateKey appIdentityKeyStore.jks Key_Passphrase appIdentityIDMHOST1 Key_Passphrase ASERVER_HOME/keystores/IDMHOST1.mycompany.com_cert.pem ASERVER_HOME/keystores/IDMHOST1.mycompany.com_key.pem java utils.ImportPrivateKey appIdentityKeyStore.jks Key_Passphrase appIdentityIDMHOST2 Key_Passphrase ASERVER_HOME/keystores/IDMHOST2.mycompany.com_cert.pem ASERVER_HOME/keystores/IDMHOST2.mycompany.com_key.pem java utils.ImportPrivateKey appIdentityKeyStore.jks Key_Passphrase appIdentityADMVHN Key_Passphrase ASERVER_HOME/keystores/ADMINVNH.mycompany.com_cert.pem ASERVER_HOME/keystores/ADMINVNH.mycompany.com_key.pem
Follow these steps to create the trust keystore on each host, for example IDMHOST1 and IDMHOST2:
Copy the standard Java keystore to create the new trust keystore since it already contains most of the root CA certificates needed. Oracle does not recommend modifying the standard Java trust keystore directly. Copy the standard Java keystore CA certificates located under the WL_HOME
/server/lib directory to the same directory as the certificates. For example:
cp WL_HOME/server/lib/cacerts ASERVER_HOME/keystores/appTrustKeyStoreIDMHOST1.jks
The default password for the standard Java keystore is changeit
. Oracle recommends always changing the default password. Use the keytool
utility to do this. The syntax is:
keytool -storepasswd -new New_Password -keystore Trust_Keystore -storepass Original_Password
For example:
keytool -storepasswd -new Key_Passphrase -keystore appTrustKeyStoreIDMHOST1.jks -storepass changeit
The CA certificate CertGenCA.der is used to sign all certificates generated by the utils.CertGen tool. It is located in the WL_HOME
/server/lib
directory. This CA certificate must be imported into the appTrustKeyStore
using the keytool
utility. The syntax is:
keytool -import -v -noprompt -trustcacerts -alias Alias_Name -file CA_File_Location -keystore Keystore_Location -storepass Keystore_Password
For example:
keytool -import -v -noprompt -trustcacerts -alias clientCACert -file WL_HOME/server/lib/CertGenCA.der -keystore appTrustKeyStoreIDMHOST1.jks -storepass Key_Passphrase
To configure Node Manager to use the custom keystores, add the following lines to the end of the nodemanager.properties
file located in the SHARED_CONFIG_DIR
/nodemanager/
hostname
directory, where hostname
is the name of the host where nodemanager runs:
KeyStores=CustomIdentityAndCustomTrust CustomIdentityKeyStoreFileName=Identity_Keystore CustomIdentityKeyStorePassPhrase=Identity_Keystore_Password CustomIdentityAlias=Identity_Keystore_Alias CustomIdentityPrivateKeyPassPhrase=Private_Key_Used_When_Creating_Certificate
For example:
KeyStores=CustomIdentityAndCustomTrust CustomIdentityKeyStoreFileName=ASERVER_HOME/keystores/appIdentityKeyStore.jks CustomIdentityKeyStorePassPhrase=Key_Passphrase CustomIdentityAlias=appIdentityIDMHOST1 CustomIdentityPrivateKeyPassPhrase=Key_Passphrase
The passphrase entries in the nodemanager.properties
file get encrypted when you start Node Manager as described in Section 16.1, "Starting and Stopping Components." For security reasons, minimize the time the entries in the nodemanager.properties
file are left unencrypted. After you edit the file, start Node Manager as soon as possible so that the entries get encrypted.
Follow these steps to configure the identity and trust keystores for WLS_SERVER:
Log in to Oracle WebLogic Server Administration Console at: http://ADMIN.mycompany.com/console
Click Lock and Edit.
Expand the Environment node in the Domain Structure window.
Click Servers. The Summary of Servers page is displayed.
Click the name of the server for which you want to configure the identity and trust keystores (WLS_SERVER). The settings page for the selected server is displayed.
Select Configuration, then Keystores.
In the Keystores field, select the Custom Identity and Custom Trust method for storing and managing private keys/digital certificate pairs and trusted CA certificates.
In the Identity section, define attributes for the identity keystore:
Custom Identity Keystore: The fully qualified path to the identity keystore:
ASERVER_HOME/keystores/appIdentityKeyStore.jks
Custom Identity Keystore Type: Leave blank; it defaults to JKS.
Custom Identity Keystore Passphrase: The password (Keystore_Password
) you provided in Section 12.5.3, "Creating a Trust Keystore Using the Keytool Utility." This attribute is optional or required depending on the type of keystore. All keystores require the passphrase to write to the keystore. However, some keystores do not require the passphrase to read from the keystore. WebLogic Server only reads from the keystore, so whether you define this property depends on the requirements of the keystore.
In the Trust section, define properties for the trust keystore:
Custom Trust Keystore: The fully qualified path to the trust keystore:
ASERVER_HOME/keystores/appTrustKeyStoreIDMHOST1.jks
Custom Trust Keystore Type: Leave blank; it defaults to JKS.
Custom Trust Keystore Passphrase: The password you provided as New_Password in Section 12.5.3, "Creating a Trust Keystore Using the Keytool Utility." This attribute is optional or required depending on the type of keystore. All keystores require the passphrase to write to the keystore. However, some keystores do not require the passphrase to read from the keystore. WebLogic Server only reads from the keystore, so whether you define this property depends on the requirements of the keystore.
Click Save.
Click Activate Changes in the Administration Console's Change Center to make the changes take effect.
Select Configuration, then SSL.
Click Lock and Edit.
In the Private Key Alias field, enter the alias you used for the host name the Managed Server listens on, for example:
For wls_ods1
, use appIdentityIDMHOST1
.
For wls_ods2
use appIdentityIDMHOST2
.
For ADMINSERVER
use appIdentityADMVHN
.
In the Private Key Passphrase and the Confirm Private Key Passphrase fields, enter the password for the keystore that you created in Section 12.5.2, "Creating an Identity Keystore Using the utils.ImportPrivateKey Utility."
Click Save.
Click Activate Changes in the Administration Console's Change Center to make the changes take effect.
Restart the server for which the changes have been applied, as described in Section 16.1, "Starting and Stopping Components."
Once the previous steps have been performed, set host name verification for the affected Managed Servers to Bea Hostname Verifier
. To do this, perform the following steps:
Log in to Oracle WebLogic Server Administration Console. (Console URLs are provided in Section 16.2, "About Identity Management Console URLs.")
Select Lock and Edit from the change center.
Expand the Environment node in the Domain Structure window.
Click Servers. The Summary of Servers page is displayed.
Select the Managed Server in the Names column of the table. The settings page for the server is displayed.
Open the SSL tab.
Expand the Advanced section of the page.
Set host name verification to Bea Hostname Verifier
.
Click Save.
Click Activate Changes.
Each managed server has a boot.properties
file which is created as part of the process described in previous sections. In order to start managed servers using the provisioning start script, you must update each of these files and comment out following line:
TrustKeyStore=DemoTrust
That is, when you have finished updating the file, the line should look like this:
#TrustKeyStore=DemoTrust
The files you must update are:
ASERVER_HOME
/servers/AdminServer/security/boot.properties
and each managed server boot.properties
file. These have path names of the form:
MSERVER_HOME
/servers/
servername
/security/boot.properties
and
ASERVER_HOME
/servers/AdminServer/data/nodemanager/boot.properties
Run the following commands to start Node Manager.
cd SHARED_CONFIG_DIR/nodemanager/hostname
./startNodeManagerWrapper.sh
Note:
Verify that Node Manager is using the appropriate stores and alias from the Node Manager output. You should see the following when Node Manager starts.:
<Loading identity key store:
FileName=ASERVER_HOME/keystores/appIdentityKeyStore.jks, Type=jks, PassPhraseUsed=true>
Host name verification works if you apply a test configuration change to the servers and it succeeds without Node Manager reporting any SSL errors.