Oracle® Fusion Middleware WebLogic Server on JRockit Virtual Edition Installation and Configuration Guide 11g Release 1 (10.3.4) Part Number E15219-03
This section includes post-installation tasks that can be run with configured WebLogic Server VMs.
Section 6.1, "Using the MedRec Sample Domain With Oracle Database"
Section 6.2, "Starting a WebLogic Server VM Domain With the boot.properties File"
The WebLogic Server on JRockit VE package includes instructions that are necessary to reconfigure the MedRec application to work with Oracle Database. Please follow the steps in Using the Oracle WebLogic Server on JRockit Virtual Edition MedRec Domain With Oracle DB (wlsve_medrec_domain_with_odb.pdf).
You can start a WebLogic Server VM domain using a boot.properties file, which removes the need to specify a username and password in the java-arguments section of the wlsve.xml file. This matters because anything passed as a JVM argument is visible to anyone who can list processes on the VM, whereas WebLogic encrypts the values in boot.properties on first boot. However, additional steps are required to use the boot.properties file in some cases.
Changing the Username and Password In boot.properties
When changing the username and password in the boot.properties file, the new username and password values must match an existing user account in the Authentication provider for the default security realm and must belong to a role that has permission to start a server.
Configuring boot.properties When Creating a New Domain
When creating a new domain, you must pass weblogic.management.username and weblogic.management.password in the Java arguments in the wlsve.xml configuration file for the VM image.
After creating the domain, stop the server instance and remove weblogic.management.username and weblogic.management.password from the Java arguments in the wlsve.xml file.
When you restart the server instance, it will automatically take the username and password from the server's boot.properties file.
Creating boot.properties for Managed Servers
For Managed Servers, if you haven't specified the username and password in the wlsve.xml configuration file, you have to create a new boot.properties file and inject it into the Managed Server's VM at the security directory of the Managed Server's root directory.
For more information, see "Provide User Credentials to Start and Stop Servers" in Managing Server Startup and Shutdown for Oracle WebLogic Server.
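As an added example (not part of the Oracle guide), the following POSIX shell script does the two checks a practitioner wants around this procedure: it reports whether a wlsve.xml still carries weblogic.management.username or weblogic.management.password in its Java arguments, and it writes a Managed Server's boot.properties with owner-only permissions. The <domain>/servers/<name>/security location is the standard WebLogic layout and the wlsve.xml fragments are constructed for this example; both are assumptions, not text from this guide.

```shell
#!/bin/sh
# Added example, not from the Oracle guide. Assumptions: the WebLogic layout
# <domain>/servers/<server>/security/boot.properties, and wlsve.xml fragments
# that look like the constructed samples below.

# Print 1 if the file still passes weblogic.management.username or
# weblogic.management.password as JVM arguments, 0 otherwise. Such arguments
# show up in process listings on the VM, which is why the guide removes them
# once boot.properties exists.
creds_in_java_args() {
    if grep -E -q 'weblogic\.management\.(username|password)=' "$1"; then
        echo 1
    else
        echo 0
    fi
}

# Write boot.properties for one server, readable only by the owner.
# WebLogic encrypts the values on first boot; until then they are plaintext,
# so the file mode matters. Prints the path written.
write_boot_properties() {
    domain_root=$1; server=$2; user=$3; pass=$4
    dir="$domain_root/servers/$server/security"
    mkdir -p "$dir" || return 1
    ( umask 077
      printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$dir/boot.properties" ) || return 1
    echo "$dir/boot.properties"
}

# Constructed sample <java-arguments> values (not real Oracle files): the first
# is how the guide has you create the domain, the second is the cleaned form.
SAMPLE_BEFORE='<java-arguments>-Dweblogic.management.username=weblogic -Dweblogic.management.password=welcome1 -Dweblogic.Name=WlsveAdmin</java-arguments>'
SAMPLE_AFTER='<java-arguments>-Dweblogic.Name=WlsveAdmin</java-arguments>'

# Usage: WLSVE_XML=/path/to/wlsve.xml sh this_script.sh
if [ -n "${WLSVE_XML:-}" ]; then
    if [ "$(creds_in_java_args "$WLSVE_XML")" = 1 ]; then
        echo "$WLSVE_XML still passes credentials on the JVM command line" >&2
        exit 1
    fi
    echo "$WLSVE_XML carries no WebLogic credentials in java-arguments"
fi
```

Run the check after you have removed the credentials from wlsve.xml and before restarting the server; an exit status of 1 means the cleanup step was missed.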
Because a physical Oracle WebLogic Server installation captures the installation host name in the DemoIdentity.jks certificate, WebLogic Server on JRockit VE does not include the standard installation demo certificates, even though WebLogic Server is configured by default to use them. Therefore, to use SSL with WebLogic Server VMs you must generate and install your own demo certificates. As the certificate subjects (OU=FOR TESTING ONLY) state, certificates issued by the WebLogic demo CA are for test environments; a production server needs an identity certificate from a CA that its clients already trust.
For more information about SSL for WebLogic Server, refer to "Configuring Identity and Trust" and "Configuring SSL" in Securing Oracle WebLogic Server.
Section 6.3.1, "Use CertGen to Generate a Certificate Signed By the WebLogic Demo CA"
Section 6.3.2, "Store the Certificate In the DemoIdentity Keystore"
Section 6.3.3, "Accessing WebLogic Server VMs With SSL Using a Browser"
Section 6.3.5, "Accessing the VMM Node Manager Client Using WLST"
Section 6.3.6, "Configuring WebLogic Server to Securely Connect to VMM Node Manager Clients"
Note: The instructions in this section refer to the files in the WebLogic Server directories as if they were on a local file system. However, the files need to be updated in the WebLogic Server image, either by using the Image Tool to get/put them in a non-running image, or by using SCP (secure copy) or SFTP (secure FTP) to get/put the files on a running WebLogic Server VM.
The following steps assume that you have a physical WebLogic Server installation or used the Image Tool to extract a server configuration from a WebLogic Server VM to a local /application directory.
Set your environment so you have access to the WebLogic Server utilities. The script must be sourced (note the dot and space) so that the CLASSPATH and PATH it sets remain in your current shell for the java utils.* commands that follow:
. /application/wlserver_10.3/server/bin/setWLSEnv.sh
If you get the message "The JDK wasn't found in directory. Please edit the startWebLogic.sh script so that the JAVA_HOME variable points to the location of your JDK.", edit /application/wlserver_10.3/common/bin/commEnv.sh to set JAVA_HOME.
Use this command to create a new certificate and key files for your WebLogic Server VM host, using the fully qualified hostname:
java utils.CertGen -keyfile privatekeyfile -keyfilepass DemoIdentityPassPhrase -certfile certfile -cn hostname
This creates the following files:
certfile.der - public certificate in DER (Distinguished Encoding Rules) format.
certfile.pem - public certificate in PEM (Privacy Enhanced Mail) format.
privatekeyfile.der - the private key in DER format, protected with password 'DemoIdentityPassPhrase'.
privatekeyfile.pem - the private key in PEM format, protected with password 'DemoIdentityPassPhrase'.
The two privatekeyfile.* files hold the server's private key under a published demo password; delete them once the key has been imported into DemoIdentity.jks.
Important! You must use the DNS name when creating certificates. The -cn hostname must match the hostname in the URL you use; otherwise, hostname verification fails and connection attempts to the server fail. Some certificates contain the long (fully qualified) name and some the short name, so use the form that clients will actually put in the URL.
CertGen signs the new certificate with the WebLogic demo CA, whose certificate CertGenCA.der and private key CertGenCAKey.der are in the server/lib directory (/application/wlserver_10.3/server/lib here).
Convert CertGenCA.der to CertGenCA.pem, running from the server/lib directory where CertGenCA.der is:
java utils.der2pem CertGenCA.der
This command creates the file /application/wlserver_10.3/server/lib/CertGenCA.pem
In general, it is best to create two keystores: one for identity and one for trust. That way the trust keystore can be distributed over the network and the identity keystore containing the private key/digital certificate pairs can be isolated and not distributed, and therefore be better protected from unauthorized use or modification. You are going to reuse the DemoTrust.jks (unchanged) and create a new and valid DemoIdentity.jks and put it in the image's /application/wlserver_10.3/server/lib directory.
Since you have created a certificate with CertGen, you can use the WebLogic Server ImportPrivateKey utility to import the certificate into a keystore. (If Sun's keytool had been used, it could have added the private keys and certificates to a keystore, but it cannot be used to take existing files and add them to a keystore, which is why ImportPrivateKey is being used.)
Trust keystores only need certificates
Identity keystores need certificates and private keys
Combine the generated certfile with the supplied CertGenCA.
cat certfile.pem CertGenCA.pem > newcerts.pem
Create a new DemoIdentity.jks keystore containing newcerts.pem and privatekeyfile.pem. (An identity keystore holds the private key together with its certificate and the chain back to the issuing CA.)
java utils.ImportPrivateKey -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase -keyfile privatekeyfile.pem -keyfilepass DemoIdentityPassPhrase -certfile newcerts.pem -alias DemoIdentity
No password was specified for the key entry
Key file password will be used
Imported private key privatekeyfile.pem and certificate newcerts.pem into a new keystore DemoIdentity.jks of type jks under alias DemoIdentity
You can verify that you have properly created a new DemoIdentity.jks by using Sun's keytool. If all has gone well, DemoIdentity.jks will contain one PrivateKeyEntry whose certificate chain has two certificates: one for your host and one for the issuing CA, CertGenCAB. Note that both are signed with MD5withRSA; current JDKs and browsers reject or warn about MD5 signatures, which is one more reason the demo CA is only for testing.
keytool -list -v -keystore DemoIdentity.jks
Enter keystore password: DemoIdentityKeyStorePassPhrase

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: demoidentity
Creation date: Mar 19, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=some-WLS-host, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
Issuer: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
Serial number: 1eedee30d98d58ff424373a7ce8bc486
Valid from: Thu Mar 18 13:31:23 EDT 2010 until: Wed Mar 19 13:31:23 EDT 2025
Certificate fingerprints:
  MD5: 6F:BB:98:E1:3F:1E:F7:03:56:53:D7:F3:9A:13:41:CD
  SHA1: 4E:EE:E9:56:22:E1:E7:07:ED:A1:95:91:31:12:2A:AE:98:D9:C9:51
Signature algorithm name: MD5withRSA
Version: 1
Certificate[2]:
Owner: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
Issuer: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
Serial number: 234b5559d1fa0f3ff5c82bdfed032a87
Valid from: Thu Oct 24 11:54:45 EDT 2002 until: Tue Oct 25 11:54:45 EDT 2022
Certificate fingerprints:
  MD5: A2:18:4C:E0:1C:AB:82:A7:65:86:86:03:D0:B3:D8:FE
  SHA1: F8:5D:49:A4:12:54:78:C7:BA:42:A7:14:3E:06:F5:1E:A0:D4:C6:59
Signature algorithm name: MD5withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
]
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:1
]

*******************************************
*******************************************
Copy your keystore to your WebLogic Server image (using SCP or SFTP for a running server, or the Image Tool for a non-running server).
By default, WebLogic Server is configured to use DemoIdentity.jks and DemoTrust.jks, so your updated keystore will be picked up.
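As an added example, not from the Oracle guide, this shell script wraps the four commands of Sections 6.3.1 and 6.3.2 (CertGen, der2pem, concatenation, ImportPrivateKey) into one build step and adds the check a practitioner wants before copying DemoIdentity.jks to the image: that the certificate's CN is exactly the hostname clients will use in their URLs, and that its issuer is CertGenCAB. Keystore name, alias and passwords are the guide's demo defaults; the function names, the use of keytool output as the thing to parse, and the constructed listing used to exercise the parser are this example's own.

```shell
#!/bin/sh
# Added example, not from the Oracle guide. Assumes setWLSEnv.sh has been
# sourced and the working directory is server/lib (where CertGenCA.der is).
# Passwords, keystore name and alias are the guide's demo defaults.

# CN of the first "Owner:" line in `keytool -list -v` output read from stdin.
owner_cn() {
    sed -n 's/^ *Owner: CN=\([^,]*\),.*/\1/p' | head -n 1
}

# CN of the first "Issuer:" line in the same output.
issuer_cn() {
    sed -n 's/^ *Issuer: CN=\([^,]*\),.*/\1/p' | head -n 1
}

# Compare the certificate CN (stdin: keytool output) with the hostname that
# will appear in URLs. Returns 0 on an exact match, 1 otherwise. A short CN
# against a fully qualified URL host, or vice versa, is exactly the mismatch
# that makes WebLogic's hostname verifier refuse the connection.
check_cn_matches() {
    want=$1
    got=$(owner_cn)
    if [ "$got" = "$want" ]; then
        return 0
    fi
    echo "certificate CN '$got' does not match URL hostname '$want'" >&2
    return 1
}

# The guide's four commands for one host, then removal of the loose key files.
build_identity() {
    host=$1
    java utils.CertGen -keyfile privatekeyfile -keyfilepass DemoIdentityPassPhrase \
        -certfile certfile -cn "$host" || return 1
    java utils.der2pem CertGenCA.der || return 1
    cat certfile.pem CertGenCA.pem > newcerts.pem || return 1
    java utils.ImportPrivateKey -keystore DemoIdentity.jks \
        -storepass DemoIdentityKeyStorePassPhrase -keyfile privatekeyfile.pem \
        -keyfilepass DemoIdentityPassPhrase -certfile newcerts.pem -alias DemoIdentity || return 1
    # The private key now lives in the keystore; do not leave copies behind.
    rm -f privatekeyfile.der privatekeyfile.pem
}

# Verify the resulting keystore: CN matches the host, issuer is the demo CA.
verify_identity() {
    host=$1
    out=$(keytool -list -v -keystore DemoIdentity.jks \
          -storepass DemoIdentityKeyStorePassPhrase -alias DemoIdentity) || return 1
    printf '%s\n' "$out" | check_cn_matches "$host" || return 1
    issuer=$(printf '%s\n' "$out" | issuer_cn)
    if [ "$issuer" != CertGenCAB ]; then
        echo "unexpected issuer '$issuer' (expected CertGenCAB)" >&2
        return 1
    fi
}

# Constructed keytool listing (shaped like the guide's output) for offline use.
SAMPLE_KEYTOOL_LISTING='Alias name: demoidentity
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=some-WLS-host, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
Issuer: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
Certificate[2]:
Owner: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
Issuer: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US'

# Usage: WLS_HOST=some-WLS-host.example.com sh this_script.sh
if [ -n "${WLS_HOST:-}" ]; then
    build_identity "$WLS_HOST" && verify_identity "$WLS_HOST"
fi
```

Run it with WLS_HOST set to the exact name users will type after https:// or t3s://; if verify_identity fails on the CN, regenerate with the other form of the name rather than disabling hostname verification on the clients.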
After enabling port 7002 for https, if you attempt to access WebLogic Server with a browser, you will get a security exception because the CA used to generate the demo certificate is untrusted. The CertGenCA is used for demo purposes. In a test environment, accept the certificate as trusted and the browser will successfully access WebLogic Server; do not train production users to click through this warning, because a production server should present a certificate from a CA the browser already trusts.
If you attempt to connect to the server configured above with WLST simply by invoking:
java weblogic.WLST
connect('weblogic','welcome1','t3s://some-WLS-host:7002')
Then you may get the following error:
Connecting to t3s://some-WLS-host:7002 with userid weblogic ...
<Mar 19, 2010 2:51:12 PM EDT> <Warning> <Security> <BEA-090542> <Certificate chain received from some-WLS-host - 10.137.144.13 was not trusted causing SSL handshake failure. Check the certificate chain to determine if it should be trusted or not. If it should be trusted, then update the client trusted CA configuration to trust the CA certificate that signed the peer certificate chain. If you are connecting to a WLS server that is using demo certificates (the default WLS server behavior), and you want this client to trust demo certificates, then specify -Dweblogic.security.TrustKeyStore=DemoTrust on the command line for this client.>
To correct this problem, follow the error message's suggestion (assuming you are running out of the /application/wlserver_10.3/server/lib/ directory):
java -Dweblogic.security.TrustKeyStore=DemoTrust weblogic.WLST
connect('weblogic','welcome1','t3s://some-WLS-host:7002')
Connecting to t3s://some-WLS-host:7002 with userid weblogic ...
Successfully connected to Admin Server 'WlsveAdmin' that belongs to domain 'wlsve_domain'.
Next comes the process of accessing a VMM Node Manager client from WLST using an nmConnect() call. If you connect with nmConnect using the secure port, as follows, it might initially say "Successfully Connected to Node Manager."
nmConnect('admin', 'oracle', 'some-OVM-host', '4443', 'wlsve_domain', '/application/user_projects/domains/wlsve_domain', 'VMMS-OracleVM_2.2')
However, on your first attempt to execute an nm command, you may end up with an error like this:
java.io.IOException: java.io.IOException: HTTP transport error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The problem is that the trust store does not have the certificate in it for the Oracle VM server at some-OVM-host. Proceeding with the approach of using the DemoTrust, you first have to obtain the certificate from the Oracle VM host. There are a number of ways to do this, but one is to point a browser at the secure port using https and view and save the certificate to a file.
Using Firefox, for example, if you haven't already viewed and stored an exception for the Oracle VM host's certificate, when you browse to https://ovmhost:4443 you will get the message "This Connection is Untrusted." Click I Understand the Risks and Add Exception, view the certificate, and under the Details tab click Export to export the file to /application/wlserver_10.3/server/lib/ovmhost.crt.
Next, update your DemoTrust.jks with the certificate you just retrieved from the Oracle VM host machine. keytool prints the certificate's subject and fingerprints before asking whether to trust it; compare the SHA1 fingerprint with one obtained from the Oracle VM host by another channel before answering yes, because whatever you import here is what the VMM Node Manager client will trust from now on. (In the listing below the Oracle VM host was named locbox-ovmm-22, so the exported file is locbox-ovmm-22.crt rather than ovmhost.crt.)
keytool -importcert -file locbox-ovmm-22.crt -keystore DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase
Owner: CN=locbox-ovmm-22, OU=Linux, O=Oracle, L=Beijing, ST=Beijing, C=CN
Issuer: CN=locbox-ovmm-22, OU=Linux, O=Oracle, L=Beijing, ST=Beijing, C=CN
Serial number: 4af6d0e1
Valid from: Sun Nov 08 09:08:33 EST 2009 until: Sat Feb 06 09:08:33 EST 2010
Certificate fingerprints:
  MD5: 14:63:65:A1:DB:46:08:43:C8:49:3F:3A:C0:FC:3F:9B
  SHA1: 2E:55:B0:CC:49:F7:3C:E1:1D:DC:E4:F5:36:3C:1E:AB:D4:29:9D:88
Signature algorithm name: SHA1withRSA
Version: 1
Trust this certificate? [no]: yes
Certificate was added to keystore
Now invoke WLST so that the VMM Node Manager client uses the updated keystore by running java weblogic.WLST; it will use the DemoTrust by default. Then, when you issue nmConnect using the secure port version of VMM, VMMS, and follow it with nm commands, they will work.
wls:/offline> nmConnect('admin', 'oracle', 'some-OVM-host', '4443', 'wlsve_domain', '/application/user_projects/domains/wlsve_domain', 'VMMS-OracleVM_2.2')
Connecting to Node Manager ...
Successfully Connected to Node Manager.
wls:/nm/wlsve_domain> nmServerStatus('wlsve_domain_WlsveAdmin')
RUNNING
wls:/nm/wlsve_domain>
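As an added example, not from the Oracle guide, the following shell script replaces the interactive "Trust this certificate? yes" step of Section 6.3.5 with a verified import: it fetches the Oracle VM host's certificate with openssl, compares its SHA1 fingerprint against a value obtained out of band (for example read from the certificate file on the Oracle VM server itself), and only on a match imports it into DemoTrust.jks non-interactively. The use of openssl, the fingerprint helpers and the function names are this example's additions; the host, port 4443, keystore name and password follow the text above.

```shell
#!/bin/sh
# Added example, not from the Oracle guide. Requires openssl and keytool on the
# machine where DemoTrust.jks is being updated. Host, port and the expected
# fingerprint are placeholders supplied by the operator.

# Normalise a fingerprint so "2e:55:b0..." and "2E55B0..." compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F'
}

# 0 when both arguments are the same digest, 1 otherwise.
fingerprints_match() {
    [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# Save the leaf certificate presented on host:port as PEM in $3.
fetch_cert() {
    host=$1; port=$2; out=$3
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$out"
    [ -s "$out" ]
}

# SHA1 fingerprint of a PEM certificate, colon-separated as keytool prints it.
cert_sha1() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# Import into the trust store only when the fetched certificate's fingerprint
# equals the one the operator obtained out of band. -noprompt skips the
# interactive question because the decision has already been made here.
verify_and_import() {
    host=$1; port=$2; expected=$3; keystore=$4; storepass=$5
    tmp=$(mktemp) || return 1
    if ! fetch_cert "$host" "$port" "$tmp"; then
        echo "no certificate received from $host:$port" >&2
        rm -f "$tmp"; return 1
    fi
    actual=$(cert_sha1 "$tmp")
    if ! fingerprints_match "$actual" "$expected"; then
        echo "fingerprint mismatch for $host: got $actual, expected $expected; not importing" >&2
        rm -f "$tmp"; return 1
    fi
    keytool -importcert -noprompt -file "$tmp" -alias "$host" \
        -keystore "$keystore" -storepass "$storepass"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: OVM_HOST=some-OVM-host OVM_FP='2E:55:B0:...' sh this_script.sh
if [ -n "${OVM_HOST:-}" ] && [ -n "${OVM_FP:-}" ]; then
    verify_and_import "$OVM_HOST" 4443 "$OVM_FP" DemoTrust.jks DemoTrustKeyStorePassPhrase
fi
```

Run it from the server/lib directory that holds DemoTrust.jks, then copy the keystore to the image as Section 6.3.6 describes. A mismatch means either the wrong fingerprint was supplied or something other than the expected Oracle VM host answered on port 4443; in both cases nothing is imported.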
No additional configuration is required. Simply verify that the DemoTrust.jks is updated as explained in Section 6.3.5, "Accessing the VMM Node Manager Client Using WLST" with the Oracle VM host's certificate and is copied to the server/lib directory on the WebLogic Server image.
You can set the desired locale using the Image Tool. Here's an example of setting a Japanese locale:
java -jar wlsveimagetool.jar -r vm.cfg set locale ja Asia/Tokyo eucJP