Deploy the Mobile Gateway

The Oracle Network Management System Mobile Gateway is delivered in the $NMS_BASE/dist/install directory and when the nms-install-config --java is run, the deployable Oracle Network Management System Mobile Gateway will reside in $NMS_BASE/java/deploy/nms-ws.ear.

There are many options for how the Oracle Network Management System Mobile Gateway is deployed to a WebLogic system and how they interact with the NMS WebLogic Managed Servers. Please refer to the "NMS Configuration Guidelines for Multiple WebLogic Managed Servers" section in the User Authentication chapter of the Oracle Utilities Network Management System Configuration Guide.

The Oracle Network Management System Mobile Gateway nms-ws.ear is deployed to the target WebLogic server. The nms-ws.ear expects a proxy user to connect between the nmw-ws.ear and the cesejb.ear, the default is mobile-proxy and it needs to be included in the Role NmsMobile. If you are configuring multiple authentication providers, please mark them as Control Flag = OPTIONAL.

The following changes should be done on the main NMS domain, as well as the mobile gateway domain (if you are using separate domains).

1. Uncomment the following line in $NMS_CONFIG/jconfig/build.properties, modifying the user if necessary:

config.ws_runas_user = mobile-proxy

2. In the WebLogic console, do the following:

• In the Domain Structure, click the Summary of Security Realms link.

• On the Summary of Security Realms page, click myrealm.

• On the Settings for myrealm page, click the Users and Groups tab.

• In the Users tab, click New and create the username matching the proxy username you are using.

• On the Settings for myrealm page, click the Roles and Policies tab.

• In the Roles table, expand Global Roles

• Click Roles.

• On the Global Roles page, click New.

• On the Create a New Role for this Realm page, enter NmsMobile in the Name field. The role will be listed in the Global Roles table.

• Click the NmsMobile role name link to edit the role.

• On the Edit Global Role page, under Role Conditions, add the user mobile-proxy (or whatever proxy user name you are using). The proxy user should not be a member of any group.)

3. Locate the script $NMS_BASE/dist/install/wls/scripts/oma-jms.py. Transfer this to your WebLogic installation. Then locate the wlst.sh command so that you can provide the full path to it. Typically, this is in the $WL_HOME/common/bin directory. Then on the server that is running nms-ws.ear, run:

<path to>/wlst.sh oma-jms.py

The script will prompt you for login credentials for the nms-ws WebLogic admin server, the server name, and a suffix to add to each of the elements being created. When deploying to a cluster, deploy to a server within the cluster (not the cluster itself).The script will create the following:

• A JMS Server called JMSServer-oma

• A JMS system module called SystemModule-oma

The SystemModule-oma defines a connection factory called MobileConnectionFactory, with the following changes from the default:

• The JNDI name is jms/MobileConnectionFactory

• The Default delivery mode is Non-Persistent

• The default time to live is 300000

• The client acknowledge policy is Previous

• The Flow Control Enabled is checked

• The One Way Send Mode is “Queue or Topic”

• The security is set to only allow access from a user with the NmsMobile role

It will also create the oma-to-nms queue with the JNDI name jms/oma-to-nms, and the nms-to-oma queue with the name jms/nms-to-oma.

The factory and the queues are deployed to a subdeployment to the JMSServer‑oma.

If this WebLogic instance is only to provide support for OMA and/or Flex, then disable measurement updating on that server. To do this, add the following WebLogic startup parameters:

-DscadaMeasureAnalogUpdates=0

-DscadaMeasureDigitalUpdates=0

4. Run nms-install-config --java, which will rebuild the ear files with the configured username and install the nms-ws.ear.

The server running nms-ws.ear needs to have a SSL certificate configured. Follow the steps in the Oracle Utilities Network Management System Installation Guide “Configure Keystores” section.

If the nms-ws.ear file is deployed on the same WebLogic managed server as the Oracle Network Management System cesejb.ear file, there is no additional configuration required; however, if the nms-ws.ear file is deployed on a different WebLogic managed server than the cesejb.ear in the same domain or a different domain, you will need to do the remaining steps in this section.

5. Do the following on the WebLogic domain where nms-ws will be deployed:

• Define a proxy user and role as you did for the main NMS server.

Note: For the best security, use a different password than you used for the proxy user on the main NMS server.

• Set the domain Trust Credential

• Select the domain name at the top of the Domain Structure panel.

• On the Settings page for the domain, click the Security tab and its General sub-tab.

• At the bottom of the panel, expand the Advanced settings and enter the Credential and Confirm Credential value you plan to establish domain trust.

• Settings for the managed server:

Note: If deploying in a WebLogic cluster, repeat these steps for each managed server in the cluster.

• Configuration tab/General sub-tab Listening Port Enabled not checked and SSL Listening Port Enabled checked with a valid SSL Listen Port specified.

• Protocols tab/General sub‑tab Enable Tunneling checked.

• Protocols tab/Channels sub‑tab. Create a new channel for JMS queue communications for the NMS WebLogic server. Click New and enter:

• Name: enter a name (OMA-JMS-Channel)

• Protocol: Select t3s or https.

Note: Some corporate firewalls will not allow t3s communication to the external system and will require https. However, if supported by the firewall, we recommend t3s.

• Click Next.

• Listen Address: use the same address as the main listen address for the managed server default listen address.

• Listen Port: use an unused port on the managed server.

• External Listen Address: use the public facing DNS known host name. If the host does not have a public facing DNS known hostname, use the public facing IP address.

• External Listen Port: Use the public facing port for this channel

• Click Next.

• Check all four options: Enabled, Tunneling Enabled, HTTP Enabled for This Protocol, and Outbound Enabled.

• Click Finished.

• If the managed server is on a cloud system with a network controlled front end, such as the Oracle Java Cloud Service, be sure to expose the default https port and the JMS queue channel port to the public internet.

6. To provide fault tolerance when connecting to a cluster or multiple servers, set up multiple oma gateways with each gateway pointing to a specific cesejb instance. Then have a load balancer in front of the oma gateways configured to fail over if a server goes unresponsive. The connection should be sticky so that if a client connects to a server, it should continue to use that server unless it becomes unavailable. To determine the health of an oma server, the load balancer can use this suggested call to this URL:

To verify an OMA server is up, periodically call this url:

https://host:port/nms-ws/mobile/version

That will return a json object similar to this:

{

"serverInfo": {

"codebase": "APPLICATION_SERVER",

"properties": {

"APPLICATION_SERVER_STATUS": "up",

"APPLICATION_SERVER_CVS_TAG": "REL_2_5_0_2",

"APPLICATION_SERVER_PROJECT_NAME": "OPAL",

"APPLICATION_SERVER_PROJECT_BUILD_DATE": "2022:09:26 23:40:20",

"APPLICATION_SERVER_PROJECT_TAG": "NO_TAG",

"APPLICATION_SERVER_BUILD_DATE": "2022:09:26 23:13:45",

"APPLICATION_SERVER_HOST_NAME": "nms-wls-host"

}

"mobileInfo": {

"codebase": "MOBILE_SERVER",

"properties": {

"MOBILE_SERVER_PROJECT_NAME": "OPAL",

"MOBILE_SERVER_BUILD_DATE": "2022:09:26 23:13:45",

"MOBILE_SERVER_PROJECT_BUILD_DATE": "2022:09:26 23:40:20",

"MOBILE_SERVER_HOST_NAME": "nms-wls-host",

"MOBILE_SERVER_PROJECT_TAG": "NO_TAG",

"MOBILE_SERVER_CVS_TAG": "REL_2_5_0_2"

}

Look at the APPLICATION_SERVER_STATUS. It should be up; if it is down or no answer, then it should fail over.

7. In the WebLogic console, under Work Managers, add a new work manager called nms‑ws‑work‑manager, and accept the defaults. Then edit the manager, and add a new "Maximum Thread Constraint", and choose as a default 125. (This may need to be adjusted but as a starting point use 8 times the number of CPU threads). If you see the managed server requiring too much memory, you can lower this value. If there is cpu and memory to spare, you can increase it up to 200 maximum. This should be configured for both the domain running cesejb.ear as well as nms-ws.ear (in the case when there are separate domains).

8. Do the following on the NMS Managed Server:

• Verify the managed servers running cesejb.ear have the following in their system startup parameters: -Djava.awt.headless=true

• Create a new System Module.

• In that new system module, create a New Foreign server named nms-ws and accept the defaults.

• Select the new system module and click the Security tab’s Policies sub-tab.

• Add Conditions, Role, and add NmsMobile.

• Click Finish.

• Select nms-ws and configure the following:

• JNDI Initial Context Factory: weblogic.jndi.WLInitialContextFactory

• JNDI Connection URL: The URL to the gateway server, where the server name and port match the hostname(s) and port(s) defined above when configuring OMA-JMS-Channel for each OMA managed server. The URL should be in the format t3s://somehost:port.

Notes:

• If the nms-ws managed server is not on a host with a known DNS name, use the public IP address for somehost.

• JNDI Properties Credentials: The password of the mobile-proxy user.

• JNDI Properties: java.naming.security.principal=mobile‑proxy (replace mobile-proxy with the name of the mobile-proxy user)

• Default Targeting Enabled should be checked.

• Click Save.

• Under the Destinations tab, create a new destination:

• Name: oma-to-nms

• Local JNDI Name: jms/oma-to-nms

• Remote JNDI Name: jms/oma-to-nms

• Under the Destinations tab, create another new destination:

• Name: nms-to-oma

• Local JNDI Name: jms/nms-to-oma

• Remote JNDI Name: jms/nms-to-oma

• Under Connection Factories, create a new factory:

• Name: MobileConnectionFactory

• Local JNDI Name: jms/MobileConnectionFactory

• RemoteJNDI Name: jms/MobileConnectionFactory

• Set the domain Trust Credential.

• Select the domain name at the top of the Domain Structure panel.

• On the Settings page for the domain, click the Security tab and its General sub-tab.

• At the bottom of the panel, expand the Advanced settings and enter the Credential and Confirm Credential value you plan to establish domain trust.