Configure Node Manager to Use the SSL Certificate

To ensure a successful SSL handshake among the Administration Server, Managed Servers, and Node Manager, you should configure Node Manager to use the custom keystores and the SSL certificate.

  1. Connect to the Administration Server node with a secure shell (SSH) client, and then switch to the oracle user.
    sudo su - oracle
  2. Edit the nodemanager.properties file located in the Domain Home directory.
    vi $DOMAIN_HOME/nodemanager/nodemanager.properties
  3. Add the following lines to the end of the file.
    KeyStores=CustomIdentityAndCustomTrust
    CustomIdentityKeystoreType=jks
    CustomIdentityKeyStoreFileName=path_to_identity_keystore
    CustomIdentityKeyStorePassPhrase=keystore_password
    CustomIdentityPrivateKeyPassPhrase=server_cert_password
    CustomIdentityAlias=server_cert
    CustomTrustKeyStoreType=jks
    CustomTrustKeyStoreFileName=path_to_trust_keystore
    CustomTrustKeyStorePassPhrase=keystore_password
    For example:
    KeyStores=CustomIdentityAndCustomTrust
    CustomIdentityKeystoreType=jks
    CustomIdentityKeyStoreFileName=/u01/data/keystores/identity.jks
    CustomIdentityKeyStorePassPhrase=keystore_password
    CustomIdentityPrivateKeyPassPhrase=server_cert_password
    CustomIdentityAlias=server_cert
    CustomTrustKeyStoreType=jks
    CustomTrustKeyStoreFileName=/u01/data/keystores/trust.jks
    CustomTrustKeyStorePassPhrase=keystore_password
  4. Regenerate the Node Manager startup files.
    1. Launch the WebLogic Scripting Tool (WLST).
      $MIDDLEWARE_HOME/oracle_common/common/bin/wlst.sh
    2. Connect to the Administration Server.
      connect('admin_user','password','t3://admin_server_host:9071')
      For example:
      connect('weblogic','password','t3://myinstance-wls-1:9071')
    3. Generate the boot.properties and startup.properties files for the server(s) on this node.
      nmGenBootStartupProps('server_name')
      Both the Administration Server and the first Managed Server run on the first node in the service instance. For example:
      nmGenBootStartupProps('myinstance_adminserver')
      nmGenBootStartupProps('myinstance_server_1')
    4. Exit WLST.
      exit()
  5. Run the restart script as the oracle user.
    /opt/scripts/restart_domain.sh

    Note:

    If your instance was created before 23.3.2 (end of August 2023), you should edit the setEnv.sh file located in /opt/scripts:
    vi /opt/scripts/setEnv.sh
    Add the following properties to the WLST_PROPERTIES variable set in the file:
    -Dweblogic.security.TrustKeyStore=CustomTrust -Dweblogic.security.CustomTrustKeyStoreFileName=path_to_trust_keystore -Dweblogic.security.CustomTrustKeyStoreType=JKS
    For example, after adding the properties, WLST_PROPERTIES would be:
    export WLST_PROPERTIES="${WLST_PROPERTIES} -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2 -Dpython.path=${PYTHONPATH} -Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.TrustKeyStore=DemoTrust -Djava.security.egd=file:///dev/urandom -Doracle.jdbc.fanEnabled=false -Dweblogic.ssl.JSSEEnabled=true -Dweblogic.security.SSL.enableJSSE=true -Dweblogic.security.TrustKeyStore=CustomTrust -Dweblogic.security.CustomTrustKeyStoreFileName=/u01/data/keystores/trust.jks -Dweblogic.security.CustomTrustKeyStoreType=JKS"
  6. Repeat from Step 1 for any other nodes in the service instance for which you want to configure SSL.
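
A check to run on nodemanager.properties after step 3 and before the restart in step 5, given here as an added example that is not part of Oracle's procedure or scripts. The property names are the ones listed in step 3; the function names and messages are hypothetical, and the world-readable test is an extra hygiene check because the file holds the keystore passphrases.

```shell
#!/bin/sh
# Added example (not Oracle's script): pre-restart check of nodemanager.properties.
# Property names are the ones on this page; function names are hypothetical.
REQUIRED_KEYS="KeyStores CustomIdentityKeystoreType CustomIdentityKeyStoreFileName
CustomIdentityKeyStorePassPhrase CustomIdentityPrivateKeyPassPhrase CustomIdentityAlias
CustomTrustKeyStoreType CustomTrustKeyStoreFileName CustomTrustKeyStorePassPhrase"

# Print the value of property $2 in file $1 (the last definition wins).
prop_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Report problems on stderr; return the number of problems found (0 = OK).
check_nm_props() {
    file=$1
    problems=0
    fail() { echo "FAIL: $*" >&2; problems=$((problems + 1)); }
    [ -r "$file" ] || { fail "cannot read $file"; return 1; }

    # Each property must start its own line. Properties pasted onto one line
    # collapse into a single key whose value swallows all the others.
    for key in $REQUIRED_KEYS; do
        count=$(grep -c "^[[:space:]]*$key[[:space:]]*=" "$file" || true)
        [ "$count" -eq 1 ] || fail "$key defined $count times (expected 1)"
    done

    [ "$(prop_value "$file" KeyStores)" = "CustomIdentityAndCustomTrust" ] ||
        fail "KeyStores is not exactly CustomIdentityAndCustomTrust"

    # Both keystore paths must point at files the current user can read.
    for key in CustomIdentityKeyStoreFileName CustomTrustKeyStoreFileName; do
        path=$(prop_value "$file" "$key")
        [ -f "$path" ] && [ -r "$path" ] || fail "$key: cannot read '$path'"
    done

    # Extra hygiene check (not from the page): the file holds passphrases,
    # so it should not be readable by "other" users.
    [ -z "$(find "$file" -perm -004)" ] ||
        fail "$file is world-readable"

    return "$problems"
}

# Usage: sh check_nm_props.sh "$DOMAIN_HOME/nodemanager/nodemanager.properties"
[ "$#" -eq 0 ] || check_nm_props "$1"
```

A non-zero exit status is the number of problems found; fix them before running the restart script.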