Configure Node Manager SSL on the Target Instance
If you configured your source Oracle Java Cloud Service instance to use custom identity or trust keystores, then you must manually configure the Node Manager on each node in the target instance to use the custom keystores.
- Use a Secure Shell (SSH) client to connect to the Administration Server node on the target instance as the opc user.
    ssh -i <privatekey> opc@<target_admin_IP>
  If you are using a private subnet, use the following command to connect to the Administration Server node in your target instance:
    ssh -i <path_to_privatekey> -o ProxyCommand="ssh -W %h:%p -i <path_to_privatekey> opc@<Public_IP>" opc@<target_admin_IP>
- Switch to the oracle user.
    sudo su - oracle
- Using the model file and properties file, identify the SSL configuration for the servers on this node:
  - The identity keystore file, path, and password
  - The trust keystore file, path, and password
  - The key alias and password
  Example:
    Server:
        ...
        MyInstan_server_1:
            ...
            CustomIdentityKeyStoreFileName: wlsdeploy/servers/MyInstan_server_1/identity.jks
            CustomTrustKeyStoreFileName: wlsdeploy/servers/MyInstan_server_1/trust.jks
            CustomIdentityKeyStorePassPhraseEncrypted: '@@PROP:keystore1.password@@'
            CustomTrustKeyStorePassPhraseEncrypted: '@@PROP:trustkeystore1.password@@'
            ...
            SSL:
                ServerPrivateKeyAlias: server_cert
                ServerPrivateKeyPassPhraseEncrypted: '@@PROP:privatekey1.password@@'
- Edit the nodemanager.properties file located under the DOMAIN_HOME directory.
    vi $DOMAIN_HOME/nodemanager/nodemanager.properties
- Add the following lines to the end of the file. Specify the full path to the keystore files.
    KeyStores=CustomIdentityAndCustomTrust
    CustomIdentityKeystoreType=jks
    CustomIdentityKeyStoreFileName=/u01/data/domains/<target_domain>/wlsdeploy/servers/<target_server_name>/<identity_keystore_file>
    CustomIdentityKeyStorePassPhrase=<identity_keystore_password>
    CustomIdentityPrivateKeyPassPhrase=<key_password>
    CustomIdentityAlias=<key_alias>
    CustomTrustKeystoreType=jks
    CustomTrustKeyStoreFileName=/u01/data/domains/<target_domain>/wlsdeploy/servers/<target_server_name>/<trust_keystore_file>
    CustomTrustKeyStorePassPhrase=<trust_keystore_password>
  Example:
    KeyStores=CustomIdentityAndCustomTrust
    CustomIdentityKeystoreType=jks
    CustomIdentityKeyStoreFileName=/u01/data/domains/MyInstan/wlsdeploy/servers/MyInstan_adminserver/myidentity.jks
    CustomIdentityKeyStorePassPhrase=<identity_keystore_password>
    CustomIdentityPrivateKeyPassPhrase=<key_password>
    CustomIdentityAlias=server_cert
    CustomTrustKeystoreType=jks
    CustomTrustKeyStoreFileName=/u01/data/domains/MyInstan/wlsdeploy/servers/MyInstan_adminserver/mytrust.jks
    CustomTrustKeyStorePassPhrase=<trust_keystore_password>
- Edit the setDomainEnv.sh file located under the DOMAIN_HOME directory.
    vi $DOMAIN_HOME/bin/setDomainEnv.sh
- Add the following line to the end of the file.
    export WLST_PROPERTIES="${WLST_PROPERTIES} -Dweblogic.ssl.JSSEEnabled=true -Dweblogic.security.SSL.enableJSSE=true -Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.TrustKeyStore=CustomTrust -Dweblogic.security.CustomTrustKeyStoreFileName=/u01/data/domains/<target_domain>/wlsdeploy/servers/<target_server_name>/<trust_keystore_file> -Dweblogic.security.CustomTrustKeyStoreType=JKS"
  Example:
    export WLST_PROPERTIES="${WLST_PROPERTIES} -Dweblogic.ssl.JSSEEnabled=true -Dweblogic.security.SSL.enableJSSE=true -Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.TrustKeyStore=CustomTrust -Dweblogic.security.CustomTrustKeyStoreFileName=/u01/data/domains/MyInstan/wlsdeploy/servers/MyInstan_adminserver/mytrust.jks -Dweblogic.security.CustomTrustKeyStoreType=JKS"
- Connect to all Managed Server nodes in the target instance that use custom keystores, and then repeat Steps 4 to 7.
  Example:
    ssh myinstance-wls-2
    vi $DOMAIN_HOME/nodemanager/nodemanager.properties
    vi $DOMAIN_HOME/bin/setDomainEnv.sh
    exit
- Disconnect from the Administration Server node.
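A check to run on each node after editing nodemanager.properties in the steps above, given here as an added example that is not part of Oracle's documentation or tooling. The function names `nm_prop` and `check_nm_ssl`, and the choice of checks (placeholders left in place, domain-relative keystore paths copied from the model file, file readable by other users), are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Oracle's tooling): check the SSL block that the steps
# above append to nodemanager.properties. Prints one line per finding and
# returns 0 only when every check passes.

# nm_prop FILE KEY -> value of the last "KEY=value" line, since a later
# duplicate overrides an earlier one when Java loads a properties file.
nm_prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

check_nm_ssl() {
    props=$1
    rc=0
    [ -r "$props" ] || { echo "FAIL cannot read $props"; return 1; }

    if [ "$(nm_prop "$props" KeyStores)" != "CustomIdentityAndCustomTrust" ]; then
        echo "FAIL KeyStores is not CustomIdentityAndCustomTrust"; rc=1
    fi
    # Secrets and alias must be real values, not the template's <placeholders>.
    for key in CustomIdentityKeyStorePassPhrase CustomIdentityPrivateKeyPassPhrase \
               CustomIdentityAlias CustomTrustKeyStorePassPhrase; do
        case $(nm_prop "$props" "$key") in
            ''|'<'*'>') echo "FAIL $key is empty or still a <placeholder>"; rc=1 ;;
        esac
    done
    # The model file uses domain-relative paths (wlsdeploy/servers/...);
    # this file needs the full path, and the keystore must exist on this node.
    for key in CustomIdentityKeyStoreFileName CustomTrustKeyStoreFileName; do
        ks=$(nm_prop "$props" "$key")
        case $ks in
            /*) [ -f "$ks" ] || { echo "FAIL $key: no such file: $ks"; rc=1; } ;;
            *)  echo "FAIL $key must be a full path, got '$ks'"; rc=1 ;;
        esac
    done
    # The file carries keystore passphrases: flag any permission bit for "other".
    if [ "$(ls -ld "$props" | cut -c8-10)" != "---" ]; then
        echo "FAIL $props is accessible by other users"; rc=1
    fi
    return $rc
}

# Stand-alone use: sh check_nm_ssl.sh $DOMAIN_HOME/nodemanager/nodemanager.properties
if [ $# -gt 0 ]; then check_nm_ssl "$1"; fi
```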