7 Monitoring WebLogic Domains
When using Enterprise Manager version 12.1 and a Secure Socket Layer (SSL) protocol or Transport Layer Security (TLS) protocol to discover and monitor WebLogic servers, the Management Agent must be able to trust the server before it can establish a secure communication link. The Agent maintains a Java Keystore (JKS) truststore containing certificates of Certification Authorities (CAs) that it can trust when establishing a secure connection. The Agent comes with nine well-known CA certificates.
It is recommended that customers using WebLogic t3s in a production environment use certificates signed by a well-known Certification Authority (CA), such as VeriSign or Thawte, on their WebLogic servers. A few popular Root CA certificates are available out-of-box in the Agent's JKS-based truststore and do not require any action by the customer. However, if self-signed certificates or the default (out-of-box) demo certificate are being used on the WebLogic servers, then the following step is needed to explicitly import the Root CA certificate for these server certificates to the Agent's truststore.
The JKS Agent truststore is located at the following location:
$ORACLE_HOME/sysman/config/montrust/AgentTrust.jks
Note: ORACLE_HOME is the Management Agent's instance home.
Updating the Agent truststore is required on ALL Enterprise Manager Agents involved in the discovery and monitoring of the WebLogic domain using any secure protocol.
Updating the Agent Truststore
To update the Agent truststore (AgentTrust.jks), you use EMCTL. If the default demo certificate, or a self-signed certificate is being used on the WebLogic servers for t3s/iiops, then the Root CA certificate for this must be added to AgentTrust.jks in order for the Agent to be able to discover and monitor these WebLogic servers and J2EE applications using t3s. An EMCTL command is provided for this purpose.
emctl secure add_trust_cert_to_jks [-password <password> -trust_certs_loc <loc> -alias <alias>]
Where:
- password = password to the AgentTrust.jks (if not specified, you will be prompted for the password at the command line)
- trust_certs_loc = location of the certificate file to import
- alias = alias for the certificate to import
Importing a Demo WebLogic Server Root CA Certificate
To import the Root CA certificate for a Demo WebLogic server into the Agent's truststore, the EMCTL secure command needs to be executed from the host on which the Agent is located.
<ORACLE_HOME>/bin/emctl secure add_trust_cert_to_jks -password "welcome"
Note: ORACLE_HOME is the Management Agent's instance home.
The following example demonstrates a typical session using the secure command with the add_trust_cert_to_jks option.
The default out-of-box password for the AgentTrust.jks is "welcome" and it is recommended that this be changed using the JDK keytool utility. If no password is specified along with the EMCTL command, the system will prompt you for the password.
Example 7-1 Sample Session
./emctl secure add_trust_cert_to_jks -password welcome
Oracle Enterprise Manager 12c Release 1 Cloud Control 12.1.0.2.0
Copyright (c) 1996, 2012 Oracle Corporation. All rights reserved.
Message : Certificate was added to keystore
ExitStatus: SUCCESS
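The recommendation above to change the default AgentTrust.jks password can be checked offline. The following added example (not part of the Oracle documentation or tooling) verifies a JKS file's integrity digest against the default password and lists its trusted-certificate aliases; the function names and the sample aliases wlsdemoca and corp-root are assumptions, and the sample keystore is constructed with placeholder certificate bytes.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
JKS_SALT = b"Mighty Aphrodite"  # constant mixed into every JKS integrity digest

def jks_digest(password, body):
    """JKS trailer: SHA-1 over UTF-16BE password + constant + keystore body."""
    return hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + body).digest()

def password_matches(jks, password):
    """True if `password` reproduces the 20-byte digest that ends the file."""
    return jks_digest(password, jks[:-20]) == jks[-20:]

def _utf(buf, pos):
    """Read a Java writeUTF string (2-byte length, then bytes); ASCII aliases assumed."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def trusted_aliases(jks):
    """List the aliases of the trusted-certificate entries (tag 2) in a JKS file."""
    magic, version, count = struct.unpack_from(">III", jks, 0)
    if magic != JKS_MAGIC:
        raise ValueError("not a JKS keystore")
    pos, aliases = 12, []
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", jks, pos)
        alias, pos = _utf(jks, pos + 4)
        pos += 8                                  # creation timestamp
        if tag != 2:
            raise ValueError("private-key entry found; expected a truststore")
        if version == 2:
            _, pos = _utf(jks, pos)               # certificate type, e.g. X.509
        (size,) = struct.unpack_from(">I", jks, pos)
        pos += 4 + size                           # skip the DER certificate
        aliases.append(alias)
    return aliases

def build_sample(password, entries):
    """Constructed input: a version-2 JKS holding placeholder certificate bytes."""
    body = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    for alias, cert in entries:
        name = alias.encode("utf-8")
        body += struct.pack(">IH", 2, len(name)) + name + struct.pack(">Q", 0)
        body += struct.pack(">H", 5) + b"X.509" + struct.pack(">I", len(cert)) + cert
    return body + jks_digest(password, body)

def audit(jks, default="welcome"):
    return {"default_password": password_matches(jks, default), "aliases": trusted_aliases(jks)}
```

To check a real Agent, pass the bytes read from $ORACLE_HOME/sysman/config/montrust/AgentTrust.jks to audit(); a result with default_password set to True means the password has not been changed.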
Importing a Custom Root CA Certificate
If the WebLogic servers are secured with another certificate, such as a self-signed certificate, then that Root CA certificate must be imported into the Agent's truststore as follows:
<ORACLE_HOME>/bin/emctl secure add_trust_cert_to_jks -password "welcome" -trust_certs_loc <location of certificate> -alias <certificate-alias>
Note: ORACLE_HOME is the Management Agent's instance home.
Prerequisites for Domain Discovery When in TLS Mode
If the Oracle Management Service is running in TLS mode only, set the following parameters on the Management Agent of the target. This is the Management Agent which is going to run the discovery of the WebLogic Server Domain.
emctl secure agent -protocol TLS
emctl setproperty agent -name allowTLSOnly -value true
Collecting JVM Performance Metrics for WebLogic Servers
In order to collect JVM performance metrics from platform MBeans, the MBeans must be made accessible via the runtime MBeanServer. To do this, from the WebLogic console, set PlatformMBeanServerEnabled=true under Domain->Advanced.
Note:
This only applies to WebLogic server installations where Java Required Files (JRF) are not installed.
Setting the PlatformMBeanServerUsed Attribute
If you are using WebLogic server versions 9.2.0.40, 10.0.2.0, 10.3.1 and 10.3.2 and certain patch releases of 9.x, you must explicitly set the PlatformMBeanServerUsed attribute to TRUE in addition to setting the PlatformMBeanServerEnabled (shown in the previous section). You set the PlatformMBeanServerUsed attribute using the WebLogic Scripting Tool (WLST), as shown in the next section.
Note:
From WebLogic server versions 10.3.3 onwards, the default out-of-box behavior enables platform MBeans to be accessible via runtime MBeanServers. Hence, this section can be skipped.
Activating Platform MBeans on WebLogic Server 9.x to 10.3.2 versions
The WebLogic Scripting Tool session shown in Example 7-2 demonstrates how to use, check, and set the PlatformMBeanServerUsed attribute.
User actions are shown in bold.
Example 7-2 Setting PlatformMBeanServerUsed
cd common/bin/
ade:[ adminsw_easvr ] [adminsw@mymachine bin]$ ./wlst.sh
CLASSPATH=/net/mymachine/scratch/shiphomes/wl/wl10/patch wls1002/profiles/default/sys_manifest_classpath/weblogic patch.jar:/net/mymachine/scratch/shiphomes/wl/wl10/patch cie640/profiles/default/sys_manifest_classpath/weblogic patch.jar:/net/mymachine/scratch/shiphomes/wl/wl10/jrockit_150 15/lib/tools.jar:/net/mymachine/scratch/shiphomes/wl/wl10/wlserver 10.0/server/lib/weblogic_sp.jar:/net/mymachine/scratch/shiphomes/wl/wl10/wlserver 10.0/server/lib/weblogic.jar:/net/mymachine/scratch/shiphomes/wl/wl10/modules/fea ures/weblogic.server.modules 10.0.2.0.jar:/net/mymachine/scratch/shiphomes/wl/wl10/modules/features/com.bea.ci .common-plugin.launch 2.1.2.0.jar:/net/mymachine/scratch/shiphomes/wl/wl10/wlserver 10.0/server/lib/webservices.jar:/net/mymachine/scratch/shiphomes/wl/wl10/modules/ rg.apache.ant 1.6.5/lib/ant-all.jar:/net/mymachine/scratch/shiphomes/wl/wl10/modules/net.sf.ant ontrib_1.0b2.0/lib/ant-contrib.jar:
PATH=/net/mymachine/scratch/shiphomes/wl/wl10/wlserver 10.0/server/bin:/net/mymachine/scratch/shiphomes/wl/wl10/modules/org.apache.ant 1.6.5/bin:/net/mymachine/scratch/shiphomes/wl/wl10/jrockit_150 15/jre/bin:/net/mymachine/scratch/shiphomes/wl/wl10/jrockit_150 15/bin:/home/adminsw/products/valgrind/bin:/ade/adminsw easvr/oracle/jdk/bin:/ade/adminsw easvr/oracle/work/middleware/oms/perl/bin:/bin:/usr/local/bin:/usr/local/remote/p ckages/firefox-1.5.0.3:/ade/adminsw_easvr/oratst/bin:/ade/adminsw easvr/oracle/buildtools/bin:/ade/adminsw_easvr/oracle/emdev/merge:/ade/adminsw easvr/oracle/emdev/utl:/ade/adminsw_easvr/oracle/utl:/pdp/pds/utl:/ade/adminsw easvr/oracle/work/middleware/oms/bin:/ade/adminsw easvr/oracle/nlsrtl3/bin:/opt/SUNWspro/bin:/usr/ccs/bin:/usr/bin:/usr/sbin:/ade/a minsw easvr/oracle/opmn/bin:/usr/X11R6/bin:/home/adminsw/products/valgrind/bin:/home/ad insw/products/valgrind/bin:/usr/kerberos/bin:/home/adminsw/products/valgrind/bin:
bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin:/usr/local/ade/bin:/bin:/usr/local/bin
Your environment has been set.
CLASSPATH=/net/mymachine/scratch/shiphomes/wl/wl10/patch wls1002/profiles/default/sys_manifest_classpath/weblogic patch.jar:/net/mymachine/scratch/shiphomes/wl/wl10/patch cie640/profiles/default/sys_manifest_classpath/weblogic patch.jar:/net/mymachine/scratch/shiphomes/wl/wl10/jrockit_150 15/lib/tools.jar:/net/mymachine/scratch/shiphomes/wl/wl10/wlserver 10.0/server/lib/weblogic_sp.jar:/net/mymachine/scratch/shiphomes/wl/wl10/wlserver 10.0/server/lib/weblogic.jar:/net/mymachine/scratch/shiphomes/wl/wl10/modules/fea ures/weblogic.server.modules 10.0.2.0.jar:/net/mymachine/scratch/shiphomes/wl/wl10/modules/features/com.bea.ci .common-plugin.launch 2.1.2.0.jar:/net/mymachine/scratch/shiphomes/wl/wl10/wlserver 10.0/server/lib/webservices.jar:/net/mymachine/scratch/shiphomes/wl/wl10/modules/ rg.apache.ant 1.6.5/lib/ant-all.jar:/net/mymachine/scratch/shiphomes/wl/wl10/modules/net.sf.ant ontrib 1.0b2.0/lib/ant-contrib.jar::/net/mymachine/scratch/shiphomes/wl/wl10/wlserver 10.0/common/eval/pointbase/lib/pbembedded51.jar:/net/mymachine/scratch/shiphomes/ l/wl10/wlserver 10.0/common/eval/pointbase/lib/pbtools51.jar:/net/mymachine/scratch/shiphomes/wl/ l10/wlserver_10.0/common/eval/pointbase/lib/pbclient51.jar
Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
wls:/offline>
wls:/offline> connect('weblogic','welcome1','mymachine:7501')
Connecting to t3://mymachine:7501 with userid weblogic ...
Successfully connected to Admin Server 'AdminServer' that belongs to domain 'base domain'.
Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port or Admin port should be used instead.
wls:/base_domain/serverConfig> edit()
Location changed to edit tree. This is a writable tree with DomainMBean as the root.
To make changes you will need to start an edit session via startEdit().
For more help, use help(edit)
wls:/base_domain/edit> startEdit()
Starting an edit session ...
Started edit session, please be sure to save and activate your changes once you are done.
wls:/base_domain/edit !> cd('JMX')
wls:/base_domain/edit/JMX !> ls()
drw- base_domain
wls:/base_domain/edit/JMX !> cd ('base_domain')
wls:/base_domain/edit/JMX/base_domain !> ls()
-rw- CompatibilityMBeanServerEnabled true
-rw- DomainMBeanServerEnabled true
-rw- EditMBeanServerEnabled true
-rw- InvocationTimeoutSeconds 0
-rw- ManagementEJBEnabled true
-rw- Name base_domain
-rw- Notes null
-rw- PlatformMBeanServerEnabled true
-rw- PlatformMBeanServerUsed false **
-rw- RuntimeMBeanServerEnabled true
-r-- Type JMX
-r-x freezeCurrentValue Void : String(attributeName)
-r-x isSet Boolean : String(propertyName )
-r-x restoreDefaultValue Void : String(attributeName)
-r-x unSet Void : String(propertyName)
wls:/base_domain/edit/JMX/base_domain !> set('PlatformMBeanServerUsed','true')
wls:/base_domain/edit/JMX/base_domain !> ls()
-rw- CompatibilityMBeanServerEnabled true
-rw- DomainMBeanServerEnabled true
-rw- EditMBeanServerEnabled true
-rw- InvocationTimeoutSeconds 0
-rw- ManagementEJBEnabled true
-rw- Name base_domain
-rw- Notes null
-rw- PlatformMBeanServerEnabled true
-rw- PlatformMBeanServerUsed true **
-rw- RuntimeMBeanServerEnabled true
-r-- Type JMX
-r-x freezeCurrentValue Void : String(attributeName)
-r-x isSet Boolean : String(propertyName )
-r-x restoreDefaultValue Void : String(attributeName)
-r-x unSet Void : String(propertyName)
wls:/base_domain/edit/JMX/base_domain !> activate()
Activating all your changes, this may take a while ...
The edit lock associated with this edit session is released once the activation is completed.
The following non-dynamic attribute(s) have been changed on MBeans that require server re-start:
** MBean Changed : com.bea:Name=base_domain,Type=JMX
Attributes changed : PlatformMBeanServerUsed
Activation completed
wls:/base_domain/edit/JMX/base_domain>
ade:[ adminsw_easvr ] [adminsw@mymachine bin]$
ade:[ adminsw_easvr ] [adminsw@mymachine bin]$
**NOTE: The PlatformMBeanServerUsed attribute is present in WebLogic releases 10.3.1.0 and 10.3.2.0 and also in certain patch releases of prior versions. If the PlatformMBeanServerUsed attribute above is NOT present, or if it is present and already set to true, then running the commands is not necessary.