WebLogic Scripting Tool

Automating WebLogic Server Administration Tasks

You can use the WebLogic Scripting Tool (WLST) to automate the creation and management of WebLogic Server domains, servers, and resources. WLST provides commands that create, get and set values for, invoke operations on, and delete instances of configuration MBeans and commands to get values and invoke operations on runtime MBeans. The following sections describe using WLST commands online to automate typical domain and server configuration tasks:

• Creating a Sample Domain: Main Steps
• Monitoring Domain Runtime Information
• Managing Security
• Configuring Logging

Alternatively, you can use one of the following techniques to automate the configuration of a WebLogic Server domain:

• Use WLST offline to create a new domain or update an existing domain without connecting to a running WebLogic Server. WLST offline supports the same functionality as the Configuration Wizard. See Creating and Configuring WebLogic Domains Using WLST Offline.
• Use the WebLogic Server Ant tasks. For almost all configuration needs, the Ant tasks and the weblogic.Server, weblogic.Admin (deprecated in this release of WebLogic Server), and weblogic.Deployer commands are functionally equivalent. See "Using Ant Tasks to Configure and Use a WebLogic Server Domain" in Developing Applications with WebLogic Server.

 

---

Creating a Sample Domain: Main Steps

The section Script to Create and Configure a Sample Domain provides a sample script for creating a modified MedRec domain. The script creates a new directory MedRecDomain under the current directory, and creates and starts an Administration Server. WLST connects to the server and builds a modified version of the MedRec domain.

The sample script does the following:

Creates a new directory, MedRecDomain, under the current directory.
Creates and starts an Administration Server. See Creating a Domain.
After the domain's Administration Server has completed its startup cycle, connects WLST to the server and configures resources for the domain. See:
• Creating JDBC Resources
• Creating JMS Resources
• Creating Mail Resources
Invokes multiple WLST deploy commands to deploy J2EE modules such as EJBs and Enterprise applications. See Deploying Applications.

Setting Up the Environment

All WebLogic Server commands require an SDK to be specified in the environment's PATH variable and a set of WebLogic Server classes to be specified in the CLASSPATH variable.

Use the following script to add an SDK to the PATH variable and the WebLogic Server classes to the CLASSPATH variable:

WL_HOME\server\bin\setWLSEnv.cmd (on Windows)
WL_HOME/server/bin/setWLSEnv.sh (on UNIX)

where WL_HOME refers to the top-level installation directory for WebLogic Server.

If you want to use JDBC resources to connect to a database, modify the environment as the database vendor requires. Usually this entails adding driver classes to the CLASSPATH variable and vendor-specific directories to the PATH variable. To set the environment that the sample PointBase database requires as well as add an SDK to PATH variable and the WebLogic Server classes to the CLASSPATH variable, invoke the following script:

WL_HOME\samples\domains\wl_server\setExamplesEnv.cmd (on Windows)
WL_HOME/samples/domains/wl_server/setExamplesEnv.sh (on UNIX)

Creating a Domain

The commands in Listing 6-1 create a domain named MedRecDomain with an Administration Server named medrec-adminServer that listens on port 8001, and connect WLST to the server instance.

Listing 6-1 Creating a Domain

from java.io import File
domainDir = File("MedRecDomain")
bool = domainDir.mkdir()
if bool==1:
  print 'Successfully created a new Directory'
else:
  if domainDir.delete()==1:
    domainDir.mkdir()
    print 'Successfully created a new Directory'
  else:
    print 'Could not create new directory, dir already exists'
    stopExecution("cannot create a new directory") 

debug()
dsname="myJDBCDataSource"
adminServerName="medrec-adminServer"
domainName="MedRecDomain"
_url="t3://localhost:8001"
uname="weblogic"
pwd="weblogic"
startNewServer(adminServerName,domainName,_url,domainDir=domainDir.getPath(),
block="true")
connect(uname, pwd, _url)
edit()
startEdit()

Note: The command specifies a listen port of 8001 because the sample MedRec domain that WebLogic Server installs listens on the default port 7011. If the sample MedRec domain is running, the 7011 listen port cannot be used by another server instance.

Creating JDBC Resources

The commands in Listing 6-2 create and configure a JDBC system resource for MedRecDomain.

Listing 6-2 Creating a JDBC System Resource

dsname="myJDBCDataSource"

# Creating and Configuring a JDBC System Resource
print 'Creating JDBCSystemResource with name '+dsname
jdbcSR = create(dsname,"JDBCSystemResource")
theJDBCResource = jdbcSR.getJDBCResource()
theJDBCResource.setName("myJDBCDataSource")

connectionPoolParams = theJDBCResource.getJDBCConnectionPoolParams()
connectionPoolParams.setConnectionReserveTimeoutSeconds(25)
connectionPoolParams.setMaxCapacity(100)
connectionPoolParams.setTestTableName("SYSTABLES")

dsParams = theJDBCResource.getJDBCDataSourceParams()
dsParams.addJNDIName("ds.myJDBCDataSource")

driverParams = theJDBCResource.getJDBCDriverParams()
driverParams.setUrl("jdbc:pointbase:server://localhost/demo")
driverParams.setDriverName("com.pointbase.xa.xaDataSource")
#driverParams.setUrl("jdbc:oracle:thin:@my-oracle-server:my-oracle-server-port:my-oracle-sid")
#driverParams.setDriverName("oracle.jdbc.driver.OracleDriver")

driverParams.setPassword("examples")
#driverParams.setLoginDelaySeconds(60)
driverProperties = driverParams.getProperties()

proper = driverProperties.createProperty("user")
#proper.setName("user")
proper.setValue("examples")

proper1 = driverProperties.createProperty("DatabaseName")
#proper1.setName("DatabaseName")
proper1.setValue("jdbc:pointbase:server://localhost/demo")

Creating JMS Resources

The commands in Listing 6-3 create a JMS system resource in MedRecDomain.

Listing 6-3 Creating a JMS System Resource

# Creating a JMS System Resource
jmsSystemResource = create("medrec-jms-resource","JMSSystemResource")
theJMSResource = jmsSystemResource.getJMSResource()

# Creating a JMS Connection Factory
mrqFactory = theJMSResource.createConnectionFactory("MedRecQueueFactory")
mrqFactory.setJNDIName("jms/MedRecQueueConnectionFactory")

# Creating and Configuring a JMS JDBC Store
mrjStore = create("MedRecJMSJDBCStore","JDBCStore")
mrjStore.setDataSource(jdbcSR)
mrjStore.setPrefixName("MedRec")

# Creating and Configuring a JMS Server
mrJMSServer = create("MedRecJMSServer","JMSServer")
mrJMSServer.setStore(mrjStore)

# Creating and Configuring a Queue
regQueue = theJMSResource.createQueue("RegistrationQueue")
regQueue.setJNDIName("jms/REGISTRATION_MDB_QUEUE")

# Creating and Configuring an Additional Queue
mailQueue = theJMSResource.createQueue("MailQueue")
mailQueue.setJNDIName("jms/MAIL_MDB_QUEUE")

See "Using the WebLogic Scripting Tool to Manage JMS Servers and JMS System Resources" in Configuring and Managing WebLogic JMS.

Creating Mail Resources

The commands in Listing 6-4 add E-mail capabilities to the sample applications in MedRecDomain by creating and configuring a MailSessionMBean.

Listing 6-4 Creating Mail Resources

# Creating Mail Resources
mrMailSession = create("MedicalRecordsMailSession","MailSession")
mrMailSession.setJNDIName("mail/MedRecMailSession")
mrMailSession.setProperties(makePropertiesObject("mail.user=joe;mail.host=mail.mycompany.com"))

To see all attributes and legal values of the MailSessionMBean, see MailSessionMBean in the WebLogic Server MBean Reference. For more information about the WebLogic Server mail service, see "Configure Access to JavaMail" in the Administration Console Online Help.

Deploying Applications

The commands in Listing 6-5 deploy sample applications in MedRecDomain.

Listing 6-5 Deploying Applications

# Deploying Applications

deploy("PhysicianEAR","C:/bea/weblogic90/samples/server/medrec/src/physicianEar","medrec-adminServer",securityModel="Advanced",block="true")
deploy("StartupEAR","C:/bea/weblogic90/samples/server/medrec/src/startupEar","medrec-adminServer",securityModel="Advanced",block="true")
deploy("MedRecEAR","C:/bea/weblogic90/samples/server/medrec/src/medrecEAR","medrec-adminServer",securityModel="Advanced",block="true")

Notes:

• You must invoke these commands on the computer that hosts the Administration Server for MedRecDomain.
• Because the sample applications use JDBC connection pools, you must specify the JDBC driver in the CLASSPATH environment variable. See Setting Up the Environment.
• To use JDBC resources in MedRecDomain, you must start the database before running the script.
• In the sample commands, the application files are located in the WL_HOME\samples\server\medrec\src directory.

For more information using WLST for deploying applications, see "Overview of Deployment Tools" in Deploying Applications to WebLogic Server.

Script to Create and Configure a Sample Domain

Listing 6-6 provides a sample script for creating a modified MedRec domain. You can use the script as a template for creating and configuring a typical WebLogic Server domain.

Note: This sample script uses the demonstration PointBase Server that is installed with WebLogic Server. Before running the script, you should start the PointBase Server by issuing one of the following commands:

Windows: WL_HOME\common\eval\pointbase\tools\startPointBase.cmd

UNIX: WL_HOME/common/eval/pointbase/tools/startPointBase.sh

To create and configure a domain such as the MedRec sample domain:

Copy and save the commands in Listing 6-6 in a text file with a .py file extension; for example, cloneDomain.py.
Set the required environment variables. See Setting Up the Environment.

Use WL_HOME\samples\domains\wl_server\setExamplesEnv.cmd to set the variables required for running this script.

Invoke WLST and run the sample script by entering the following command:

java weblogic.WLST <filepath>/cloneDomain.py

For more information on how to run this script, see Running Scripts.

Listing 6-6 cloneDomain.py

from java.io import File
domainDir = File("MedRecDomain")
bool = domainDir.mkdir()
if bool==1:
  print 'Successfully created a new Directory'
else:
  if domainDir.delete()==1:
    domainDir.mkdir()
    print 'Successfully created a new Directory'
  else:
    print 'Could not create new directory, dir already exists'
    stopExecution("cannot create a new directory") 

debug()
dsname="myJDBCDataSource"
adminServerName="medrec-adminServer"
domainName="MedRecDomain"
_url="t3://localhost:8001"
uname="weblogic"
pwd="weblogic"
startNewServer(adminServerName,domainName,_url,domainDir=domainDir.getPath(),
block="true")
connect(uname, pwd, _url)
edit()
startEdit()

# Creating and Configuring a JDBC System Resource
print 'Creating JDBCSystemResource with name '+dsname
jdbcSR = create(dsname,"JDBCSystemResource")
theJDBCResource = jdbcSR.getJDBCResource()
theJDBCResource.setName("myJDBCDataSource")

connectionPoolParams = theJDBCResource.getJDBCConnectionPoolParams()
connectionPoolParams.setConnectionReserveTimeoutSeconds(25)
connectionPoolParams.setMaxCapacity(100)
connectionPoolParams.setTestTableName("SYSTABLES")

dsParams = theJDBCResource.getJDBCDataSourceParams()
dsParams.addJNDIName("ds.myJDBCDataSource")

driverParams = theJDBCResource.getJDBCDriverParams()
driverParams.setUrl("jdbc:pointbase:server://localhost/demo")
driverParams.setDriverName("com.pointbase.xa.xaDataSource")
#driverParams.setUrl("jdbc:oracle:thin:@my-oracle-server:my-oracle-server-port:my-oracle-sid")
#driverParams.setDriverName("oracle.jdbc.driver.OracleDriver")

driverParams.setPassword("examples")
#driverParams.setLoginDelaySeconds(60)
driverProperties = driverParams.getProperties()

proper = driverProperties.createProperty("user")
#proper.setName("user")
proper.setValue("examples")

proper1 = driverProperties.createProperty("DatabaseName")
#proper1.setName("DatabaseName")
proper1.setValue("jdbc:pointbase:server://localhost/demo")

# Creating a JMS System Resource
jmsSystemResource = create("medrec-jms-resource","JMSSystemResource")
theJMSResource = jmsSystemResource.getJMSResource()

# Creating a JMS Connection Factory
mrqFactory = theJMSResource.createConnectionFactory("MedRecQueueFactory")
mrqFactory.setJNDIName("jms/MedRecQueueConnectionFactory")

# Creating and Configuring a JMS JDBC Store
mrjStore = create("MedRecJMSJDBCStore","JDBCStore")
mrjStore.setDataSource(jdbcSR)
mrjStore.setPrefixName("MedRec")

# Creating and Configuring a JMS Server
mrJMSServer = create("MedRecJMSServer","JMSServer")
mrJMSServer.setPersistentStore(mrjStore)

# Creating and Configuring a Queue
regQueue = theJMSResource.createQueue("RegistrationQueue")
regQueue.setJNDIName("jms/REGISTRATION_MDB_QUEUE")

# Creating and Configuring an Additional Queue
mailQueue = theJMSResource.createQueue("MailQueue")
mailQueue.setJNDIName("jms/MAIL_MDB_QUEUE")

# Creating Mail Resources
mrMailSession = create("MedicalRecordsMailSession","MailSession")
mrMailSession.setJNDIName("mail/MedRecMailSession")
mrMailSession.setProperties(makePropertiesObject("mail.user=joe;mail.host=mail.mycompany.com"))

# Getting and configuring the server target
tgt = getMBean("/Servers/medrec-adminServer")
tgt.setJavaCompiler("javac")
tgt.setListenAddress("localhost")
tgt.setListenPort(8001)
#tgt.setIIOPEnabled(0)
tgt.setInstrumentStackTraceEnabled(1)

ssl = tgt.getSSL()
ssl.setEnabled(1)
ssl.setIdentityAndTrustLocations("KeyStores")
ssl.setListenPort(9992)

# Targeting Resources to the medrec admin server
jdbcSR.addTarget(tgt)
jmsSystemResource.addTarget(tgt)
mrjStore.addTarget(tgt)
mrJMSServer.addTarget(tgt)
mrMailSession.addTarget(tgt)

save()
activate(block="true")
shutdown(force="true",block="true")
print 'end of the script ... '

 

---

Monitoring Domain Runtime Information

WebLogic Server includes a large number of MBeans which provide information about the runtime state of its resources. Each server instance in a domain hosts only the MBeans that configure and monitor its own set of resources. However, within the Administration Server, MBeans for domain-wide services are in a single hierarchy whose root is DomainRuntimeMBean. The domain runtime MBean hierarchy provides access to any runtime MBean on any server in the domain as well as MBeans for domain-wide services such as application deployment, JMS servers, and JDBC connection pools.

Accessing Domain Runtime Information: Main Steps

Accessing the runtime information for a domain includes the following main steps:

Invoke WLST and connect to a running Administration Server instance. See Invoking WLST.
Navigate to the domain runtime MBean hierarchy by entering the domainRuntime command.

wls:/mydomain/serverConfig>domainRuntime()

The domainRuntime command places WLST at the root of the domain-wide runtime management objects, DomainRuntimeMBean.

Navigate to ServerRuntimes and then to the server instance which you are interested in monitoring.

wls:/mydomain/domainRuntime>cd('ServerRuntimes/myserver')

At the server instance, navigate to and interrogate runtime MBeans.

wls:/mydomain/domainRuntime/ServerRuntimes/myserver>cd('JVMRuntime/myserver')>
wls:/mydomain/domainRuntime/ServerRuntimes/myserver/JVMRuntime/myserver>ls()

-r--   AllProcessorsAverageLoad                     0.0
-r--   Concurrent                                   true
-r--   FreeHeap                                     15050064
-r--   FreePhysicalMemory                           900702208
-r--   GCHandlesCompaction                          true
-r--   GcAlgorithm                                  Dynamic GC currently running
strategy: Nursery, parallel mark, parallel sweep
-r--   Generational                                 true
-r--   HeapFreeCurrent                              14742864
-r--   HeapFreePercent                              5
-r--   HeapSizeCurrent                              268435456
-r--   HeapSizeMax                                  268435456
-r--   Incremental                                  false
-r--   JVMDescription                               BEA JRockit Java Virtual Machine
-r--   JavaVMVendor                                 BEA Systems, Inc.
-r--   JavaVendor                                   BEA Systems, Inc.
-r--   JavaVersion                                  1.5.0
...

The following sections provide example scripts for retrieving runtime information about WebLogic Server server instances and domain resources.

Script for Monitoring Server State

The WLST online script in Listing 6-7 checks the status of a Managed Server every 5 seconds and restarts the server if the server state changes from RUNNING to any other status.

For information on how to run this script, see Running Scripts.

Listing 6-7 Monitoring Server State

# Node Manager needs to be running to run this script.

import thread
import time

def checkHealth(serverName):
  while 1:
    slBean = getSLCRT(serverName)
    status = slBean.getState()
    print 'Status of Managed Server is '+status
    if status != "RUNNING":
      print 'Starting server '+serverName
      start(serverName, block="true")
    time.sleep(5) 

def getSLCRT(svrName):
    domainRuntime()
    slrBean = cmo.lookupServerLifecycleRuntime(svrName)
    return slcBean

Script for Monitoring the JVM

The WLST online script in Listing 6-8 monitors the HJVMHeapSize for all running servers in a domain; it checks the heap size every 3 minutes and prints a warning if the heap size is greater than a specified threshold.

For information on how to run this script, see Running Scripts.

Listing 6-8 Monitoring the JVM Heap Size

waitTime=300000
THRESHOLD=100000000
uname = "weblogic"
pwd = "weblogic"
url = "t3://localhost:7001"
def monitorJVMHeapSize():
    connect(uname, pwd, url)
    while 1:
        serverNames = getRunningServerNames()
        domainRuntime()
        for name in serverNames:
            print 'Now checking '+name.getName()
            try:
           cd("/ServerRuntimes/"+name.getName()+"/JVMRuntime/"+name.getName())
            except WLSTException,e:
                # this typically means the server is not active, just ignore
                pass
            heapSize = cmo.getHeapSizeCurrent()
            if heapSize > THRESHOLD:
            # do whatever is neccessary, send alerts, send email etc
                print 'WARNING: The HEAPSIZE is Greater than the Threshold'
            else:
                print heapSize
        java.lang.Thread.sleep(1800000)

def getRunningServerNames():
    domainConfig()
    return cmo.getServers()

if __name__== "main":
    monitorJVMHeapSize()

 

---

Managing Security

In the WebLogic Security Service, an Authentication provider is the software component that proves the identity of users or system processes. An Authentication provider also remembers, transports, and makes that identity information available to various components of a system when needed. A security realm can use different types of Authentication providers to manage different sets of users and groups. See "Authentication Providers" in Developing Security Providers for WebLogic Server.

You can use WLST to invoke operations on the following types of Authentication providers:

• The default WebLogic Server Authentication provider, weblogic.management.security.authentication.AuthenticatorMBean. By default, all security realms use this Authentication provider to manage users and groups.
• Custom Authentication providers that extend weblogic.security.spi.AuthenticationProvider and extend the optional
  Authentication SSPI MBeans. See "SSPI MBean Quick Reference" in Developing Security Providers for WebLogic Server.

Note: Use the Edit MBean Server to modify security MBean attributes; use a Runtime MBean Server or the Domain Runtime MBean Server to invoke security provider MBean operations. You cannot invoke these operations if an edit is in process or if you need to reboot the server because you've modified a security MBean attribute.

For more information, see "Choosing an MBean Server to Manage Security Realms" in Developing Custom Management Utilities with JMX.

The following sections describe basic tasks for managing users and groups using WLST:

• Creating a User
• Adding a User to a Group
• Verifying Whether a User Is a Member of a Group
• Listing Groups to Which a User Belongs
• Listing Users and Groups in a Security Realm
• Changing a Password
• Protecting User Accounts in a Security Realm

For information about additional tasks that the AuthenticationProvider and the optional MBeans support, refer to weblogic.management.security.authentication package in the WebLogic Server MBean Reference.

Note: WebLogic Server 6.0 style security MBeans are accessible using WLST but are not displayed using the ls command. For example, if you enter the following commands, WLST lists the domain MBeans, but not excluded attributes, such as FileRealms:

java weblogic.WLST
connect()
ls()

However, if you enter the following commands, WLST displays the DomainMBean's file realms:

java weblogic.WLST
connect()
cmo.getFileRealms()

Creating a User

To create a user, invoke the UserEditorMBean.createUser method, which is extended by the security realm's AuthenticationProvider MBean. For more information, see the createUser method in the WebLogic Server MBean Reference.

The method requires three input parameters:

username password user-description

The following WLST online script invokes createUser on the default Authentication Provider. For information on how to run this script, see Running Scripts.

Listing 6-9 Creating a User

from weblogic.management.security.authentication import UserEditorMBean

print "Creating a user ..."
atnr=cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider("DefaultAuthenticator")
atnr.createUser('my_user','my_password','new_admin')
print "Created user successfully"

Adding a User to a Group

To add a user to a group, invoke the GroupEditorMBean.addMemberToGroup method, which is extended by the security realm's AuthenticationProvider MBean. For more information, see the addMemberToGroup method in the WebLogic Server MBean Reference.

The method requires two input parameters:

groupname username

The following WLST online script invokes addMemberToGroup on the default Authentication Provider. For information on how to run this script, see Running Scripts.

Listing 6-10 Adding a User to a Group

from weblogic.management.security.authentication import GroupEditorMBean

print "Adding a user ..."
atnr=cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider("DefaultAuthenticator")
atnr.addMemberToGroup('Administrators','my_user')
print "Done adding a user"

Verifying Whether a User Is a Member of a Group

To verify whether a user is a member of a group, invoke the GroupEditorMBean.isMember method, which is extended by the security realm's AuthenticationProvider MBean. For more information, see the isMember method in the WebLogic Server MBean Reference.

The method requires three input parameters:

groupname username boolean

where boolean specifies whether the command searches within child groups. If you specify true, the command returns true if the member belongs to the group that you specify or to any of the groups contained within that group.

The following WLST online script invokes isMember on the default Authentication Provider. For information on how to run this script, see Running Scripts.

Listing 6-11 Verifying Whether a User is a Member of a Group

from weblogic.management.security.authentication import GroupEditorMBean

print "Checking if isMember of a group ... "
atnr=cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider("DefaultAuthenticator")
if atnr.isMember('Administrators','my_user',true) == 0:
  print "my_user is not member of Administrators"
else:
  print "my_user is a member of Administrators"

Listing Groups to Which a User Belongs

To see a list of groups that contain a user or a group, invoke the MemberGroupListerMBean.listMemberGroups method, which is extended by the security realm's AuthenticationProvider MBean. For more information, see the listMemberGroups method in the WebLogic Server MBean Reference.

The method requires one input parameter:

memberUserOrGroupName

where memberUserOrGroupName specifies the name of an existing user or a group.

The following WLST online script invokes listMemberGroups on the default Authentication provider. For information on how to run this script, see Running Scripts.

Listing 6-12 Listing Groups to Which a User Belongs

from weblogic.management.security.authentication import MemberGroupListerMBean

print "Listing the member groups ..."
atnr=cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider("DefaultAuthenticator")
x = atnr.listMemberGroups('my_user')
print x

The method returns a cursor, which refers to a list of names. The weblogic.management.utils.NameLister.haveCurrent, getCurrentName, and advance methods iterate through the returned list and retrieve the name to which the current cursor position refers. See the weblogic.management.utils.NameLister interface in the WebLogic Server MBean Reference.

Listing Users and Groups in a Security Realm

To see a list of user or group names, you invoke a series of methods, all of which are available through the AuthenticationProvider interface:

• The GroupReaderMBean.listGroups and UserReaderMBean.listUsers methods take two input parameters: a pattern of user or group names to search for, and the maximum number of names that you want to retrieve.

Because a security realm can contain thousands (or more) of user and group names that match the pattern, the methods return a cursor, which refers to a list of names.

For more information, see the listGroups and listUsers methods in the WebLogic Server MBean Reference.

• The NameLister.haveCurrent, getCurrentName, and advance methods iterate through the returned list and retrieve the name to which the current cursor position refers. For more information, see the NameListerMBean interface in the WebLogic Server MBean Reference.
• The NameLister.close method releases any server-side resources that are held on behalf of the list.

The WLST online script in Listing 6-13 lists all the users in a realm and the groups to which they belong. For information on how to run this script, see Running Scripts.

Listing 6-13 Listing Users and Groups

from weblogic.management.security.authentication import UserReaderMBean
from weblogic.management.security.authentication import GroupReaderMBean

realm=cmo.getSecurityConfiguration().getDefaultRealm()
atns = realm.getAuthenticationProviders()
for i in atns:
  if isinstance(i,UserReaderMBean):
    userReader = i
    cursor = i.listUsers("*",0)
    print 'Users in realm '+realm.getName()+' are: '
    while userReader.haveCurrent(cursor):
      print userReader.getCurrentName(cursor)
      userReader.advance(cursor)
    userReader.close(cursor)

for i in atns:
  if isinstance(i,GroupReaderMBean):
    groupReader = i
    cursor = i.listGroups("*",0)
    print 'Groups in realm are: '
    while groupReader.haveCurrent(cursor):
      print groupReader.getCurrentName(cursor)
      groupReader.advance(cursor)
    groupReader.close(cursor)

Changing a Password

To change a user's password, invoke the UserPasswordEditorMBean.changeUserPassword method, which is extended by the security realm's AuthenticationProvider MBean. For more information, see the changeUserPassword method in the WebLogic Server MBean Reference.

The following WLST online script invokes changeUserPassword on the default Authentication Provider: For information on how to run this script, see Running Scripts.

Listing 6-14 Changing a Password

from weblogic.management.security.authentication import UserPasswordEditorMBean

print "Changing password ..."
atnr=cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider("DefaultAuthenticator")
  atnr.changeUserPassword('my_user','my_password','new_password')
print "Changed password successfully"

Protecting User Accounts in a Security Realm

WebLogic Server provides a set of attributes to protect user accounts from intruders. By default, these attributes are set for maximum protection. You can decrease the level of protection for user accounts. For example, you can increase the number of login attempts before a user account is locked, increase the time period in which invalid login attempts are made before locking the user account, or change the amount of time a user account is locked.

The AuthenticationProvider MBean does not extend methods that you use to protect user accounts. Instead, retrieve the UserLockoutManagerMBean and invoke its methods. For more information, see the UserLockoutManagerMBean interface in the WebLogic Server MBean Reference.

The following tasks provide examples for invoking UserLockoutManagerMBean methods:

• Set Consecutive Invalid Login Attempts
• Unlock a User Account

Set Consecutive Invalid Login Attempts

The following WLST online script sets the number of consecutive invalid login attempts before a user account is locked out. For information on how to run this script, see Running Scripts.

Listing 6-15 Setting Consecutive Invalid Login Attempts

from weblogic.management.security.authentication import UserLockoutManagerMBean

edit()
startEdit()

#You have two choices for getting a user lockout manager to configure
# 1 - to configure the default realm's UserLockoutManager:

ulm=cmo.getSecurityConfiguration().getDefaultRealm().getUserLockoutManager()

# 2 - to configure another realm's UserLockoutManager:
#ulm=cmo.getSecurityConfiguration().lookupRealm("anotherRealm").getUserLockoutManager()

ulm.setLockoutThreshold(3)
save()
activate()

Unlock a User Account

The following WLST online script unlocks a user account. For information on how to run this script, see Running Scripts.

Listing 6-16 Unlocking a User Account

from weblogic.management.security.authentication import UserLockoutManagerMBean

serverRuntime()
ulm=cmo.getServerSecurityRuntime().getDefaultRealmRuntime().getUserLockoutManagerRuntime()
#note1 : You can only manage user lockouts for the default realm starting from when the server was booted (versus other non-active realms).
#note2 : If the default realm's user lockout manager's LockoutEnabled attribute is false, then the user lockout manager's runtime MBean will be null.
#That is, you can only manage user lockouts in the default realm if its user lockout manager is enabled.

if ulm != None:
  ulm.clearLockout("myuser")

 

---

Configuring Logging

Using WLST, you can configure a server instance's logging and message output.

To determine which log attributes can be configured, see LogMBean and LogFileMBean in the WebLogic Server MBean Reference. The reference also indicates valid values for each attribute.

The WLST online script in Listing 6-17 get and set several LogMBean and LogFileMBean attributes. For information on how to run this script, see Running Scripts.

Listing 6-17 Configuring Logging

from java.lang import Boolean
from java.lang import System
from java.lang import Integer

username = System.getProperty("user","weblogic")
password = System.getProperty("password","weblogic")
adminHost = System.getProperty("adminHost","localhost")
adminPort = System.getProperty("adminPort","7001")
protocol = System.getProperty("protocol","t3")
url = protocol+"://"+adminHost+":"+adminPort

fileCount = Integer.getInteger("fileCount", 5)
fileMinSize = Integer.getInteger("fileMinSize", 400)
fileName = System.getProperty("fileName","config\\mydomain\\myserver\\myserver.log")
fileTimeSpan = Integer.getInteger("fileTimeSpan", 12)
log4jEnabled = System.getProperty("log4jEnabled", "true")
stdoutSeverity = System.getProperty("stdoutSeverity", "Info")
logBRSeverity = System.getProperty("logBRSeverity", "Info")
logFileSeverity = System.getProperty("logFileSeverity", "Info")
memBufferSeverity = System.getProperty("memBufferSeverity", "Info")
memBufferSize = Integer.getInteger("memBufferSize", 400)
numOfFilesLimited = System.getProperty("numOfFilesLimited", "true")
redirectStdout = System.getProperty("redirectStdout", "true")
redirectStdErr = System.getProperty("redirectStdErr", "true")
rotateOnStartup = System.getProperty("rotateOnStartup", "false")
rotateTime = System.getProperty("rotateTime", "00:10")
rotateType = System.getProperty("rotateType", "byTime")

print "Connecting to " + url + " as [" + \
  username + "," + password + "]"

# Connect to the server
connect(username,password,url)
edit()
startEdit()

# set CMO to the server log config
cd("Servers/myserver/Log/myserver")
ls ()

# change the LogFileMBean and LogMBean attributes
print "Original FileCount is " + 'get("FileCount")'
print "Setting FileCount to be " + \QfileCount\Q
set("FileCount", fileCount)

print "Original FileMinSize is " + 'get("FileMinSize")'
print "Setting FileMinSize to be " + 'fileMinSize'
set("FileMinSize", fileMinSize)

print "Original FileName is " + 'get("FileName")'
print "Setting FileName to be " + 'fileName'
set("FileName", fileName)

print "Original FileTimeSpan is " + 'get("FileTimeSpan")'
print "Setting FileTimeSpan to be " + 'fileTimeSpan'
set("FileTimeSpan", fileTimeSpan)

print "Original Log4jEnabled is " + 'get("Log4jLoggingEnabled")'
print "Setting Log4jLoggingEnabled to be " + 'log4jEnabled'
set("Log4jLoggingEnabled", log4jEnabled)

print "Original StdoutSeverity is " + 'get("StdoutSeverity")'
print "Setting StdoutSeverity to be " + 'stdoutSeverity'
set("StdoutSeverity", stdoutSeverity)

print "Original DomainLogBroadcastSeverity is " + \Qget("DomainLogBroadcastSeverity")\Q
print "Setting DomainLogBroadcastSeverity to be " + 'logBRSeverity'
set("DomainLogBroadcastSeverity", logBRSeverity)

print "Original LogFileSeverity is " + 'get("LogFileSeverity")'
print "Setting LogFileSeverity to be " + 'logFileSeverity'
set("LogFileSeverity", logFileSeverity)

print "Original MemoryBufferSeverity is " + 'get("MemoryBufferSeverity")'
print "Setting MemoryBufferSeverity to be " + 'memBufferSeverity'
set("MemoryBufferSeverity", memBufferSeverity)

print "Original MemoryBufferSize is " + 'get("MemoryBufferSize")'
print "Setting MemoryBufferSize to be " + 'memBufferSize'
set("MemoryBufferSize", memBufferSize)

print "Original NumberOfFilesLimited is " + 'get("NumberOfFilesLimited")'
print "Setting NumberOfFilesLimited to be " + 'numOfFilesLimited'
set("NumberOfFilesLimited", numOfFilesLimited)

print "Original RedirectStdoutToServerLogEnabled is " + 'get("RedirectStdoutToServerLogEnabled")'
print "Setting RedirectStdoutToServerLogEnabled to be " + 'redirectStdout'
set("RedirectStdoutToServerLogEnabled", redirectStdout)

print "Original RedirectStderrToServerLogEnabled is " + 'get("RedirectStderrToServerLogEnabled")'
print "Setting RedirectStderrToServerLogEnabled to be " + 'redirectStdErr'
set("RedirectStderrToServerLogEnabled", redirectStdErr)

print "Original RotateLogOnStartup is " + 'get("RotateLogOnStartup")'
print "Setting RotateLogOnStartup to be " + 'rotateOnStartup'
set("RotateLogOnStartup", rotateOnStartup)

print "Original RotationTime is " + 'get("RotationTime")'
print "Setting RotationTime to be " + 'rotateTime'
set("RotationTime", rotateTime)

print "Original RotationType is " + 'get("RotationType")'
print "Setting RotationType to be " + 'rotateType'
set("RotationType", rotateType)

save()
activate()

print
ls ()

# all done...
exit()

For example scripts that demonstrate using WLST to configure the WebLogic Diagnostic Framework, see "WebLogic Scripting Tool Examples" in Configuring and Using the WebLogic Diagnostics Framework.