Node Manager Administrator’s Guide

     Previous  Next    Open TOC in new window    View as PDF - New Window  Get Adobe Reader - New Window
Content starts here

Configuring Script Node Manager

The following sections describe how to configure script-based Node Manager:



The SSH Node Manager is a shell script,, located in {WL_HOME}/common/bin/. must exist on each machine that hosts server instances that you want to control with Node Manager. This script can be customized to meet site-specific requirements.

You must have an SSH client executable on each machine where Node Manager or a Node Manager client runs. This script must also be in the path of the user id running it. Typically, an SSH client is a standard part of a Unix or Linux installation.


Creating a Node Manager User

Before running Node Manager, you should create a dedicated UNIX user account for performing Node Manager functions. This user should be added to all machines that will host the SSH Node Manager and to all machines that will host a Node Manager client, including the Administration Server.


Configuring Node Manager as an xinetd Service

When configuring Node Manager to run as an inetd or xinetd service, the following considerations apply:

The following example shows how Node Manager can be configured within xinetd:

# default: off
# description:nodemanager as a service
service nodemgrsvc
   type = UNLISTED
   disable = no
   socket_type = stream
   protocol = tcp
   wait = yes
   user = <username>
   port = 5556
   flags = NOLIBWRAP
   log_on_success += DURATION HOST USERID
   server = <path-to-jave>/java
   env = CLASSPATH=<cp> LD_LIBRARY_PATH=<ldpath>
   server_args = -client -DNodeManagerHome=<NMHome> <java options>
   <nodemanager options> weblogic.NodeManager -v


Overriding the Default SSH Port

The default SSH port used by Node Manager is 22. You can override that setting in the following ways:


Configuring Script-based Node Manager Security

The Node Manager SSH shell script relies on SSH user-based security to provide a secure trust relationship between users on different machines. Authentication is not required. You create a UNIX user account—typically one per domain—for running Node Manager commands and scripts. A user logged in as this user can issue Node Manager commands without providing a username and password.

Note: You must also ensure that the Node Manager and WebLogic Server commands are available in the path of the UNIX user ID used to run them.

Security for WebLogic Server Scripts

To perform Server migration and other tasks, the user ID executing scripts such as must have enough sufficient security permissions. This includes being able to bring an IP address online or take an IP address offline via a network interface.

Server migration is performed by the cluster master when it detects that a server has failed. It then uses SSH to launch a script on the target machine to begin the migration. The script on the target machine runs as the same user ID running the server on the cluster master.

The commands required to perform server migration are ifconfig and arping. Since these scripts require elevated OS privileges, it is important to note that this can prevent a potential security hole.

Using sudo, you can configure your SSH to only allow ifconfig and arping to be run using elevated privileges.

Remote Server Start Security for Script-based Node Manager

A remote start user name and password is required to start a server instance with Node Manager. These credentials are provided differently for Administration Servers and Managed Servers.

Any server instance started by Node Manager encrypts and saves the credentials with which it started in a server-specific file, for use in automatic restarts.

Generating and Distributing Key Value Pairs

The script-based Node Manager uses two types of key value pairs. This section contains instructions for distributing key value pairs to the machines that will host a Node Manager client or server.

Shared Key Value Pair

This option distributes the same key value pair to all machines that will host a Node Manager client or server.

The simplest way to accomplish this is to set up your LAN to mount the Node Manager user home directory on each of the machines. This makes the key value pair available to the machines. Otherwise

  1. Generate an RSA key value pair for the user with the ssh-keygen command provided with your SSH installation.
  2. The default location for the private and public keys are ~/.ssh/id_rsa and ~/.ssh/ respectively.

    If these keys are stored in a different location, modify the ShellCommand template, adding an option to the ssh command to specify the location of the keys.

  3. Append the public key to the ~/.ssh/authorized_keys file on the Node Manager machine. For example:
  4. command="/home/bea/server90/common/nodemanager/" 1024 33 23...2323

    in which the you substitute the public key that you generated, as stored in, for the string shown in the example as

    1024 33 23...2323

    Note: The prefix command=<command> ensures that a user that establishes a session with the machine using the public key can only run the command specified— This ensures that the user can only perform Node Manager functions, and prevents unauthorized access to data, system utilities, or other resources on the machine.
  5. Manually distribute the key value pair to each machine that will host a Node Manager server instance or client.
  6. Execute the following command on the client machine to check that the Node Manager client can access the Node Manager:
  7. /home/bea$ ssh montgomery VERSION

    This response indicates that the client accessed Node Manager successfully:

    +OK NodeManager v9.1.0

Individual Key Value Pairs

On each machine that will host a Node Manager client:

  1. Generate a separate RSA key value pair for the Node Manager user as described in step one in the previous section.

Append the public key to the machine's ~/.ssh/authorized_keys file user as described in step two in the previous section.

  Back to Top       Previous  Next