
Tuesday, December 2, 2014

I will Protect WebLogic Environments : storeUserConfig

Many monitoring scripts require a secure connection to the admin server. storeUserConfig encrypts the username and password and stores them in a file, the user config file, which you can name according to your domain requirements. The encryption is done with a private secure key that is stored in another file, the user key file.

Prerequisites

To run the storeUserConfig command you must be in online mode, so connect to the admin server before you execute it. You can create secure files for the admin user or the Node Manager user. The nm argument is optional: it is a Boolean value specifying whether to store the username and password for Node Manager or WebLogic Server. If set to true, the Node Manager username and password are stored. This argument defaults to false.

WLST storeUserConfig usage

Execution of storeUserConfig command on WLST

You can execute it without any parameters; it will then store the user secure files with the operating system username, and they will be stored in the domain path.
storeUserConfig()
You are also allowed to specify the path where the secure files are stored.
wls:/demodomain/serverConfig>  storeUserConfig('/home/wldomains/demodomain/demodomain.config', '/home/wldomains/demodomain/demodomain.key')

Once you create these storeUserConfig files, you can use them in two scenarios where the connect command takes WLST from offline to online:

  • Interactive WLST mode
  • Script mode
  • Useful for weblogic.Admin utility
  • Useful for weblogic.Deployer utility

Once you have created these secure config files for a new domain, you can use them for the following:

  • Reconfiguration of new system resources like datasources, JMS
  • Application deployments, undeployment, and redeployments
  • Monitoring WebLogic runtime mbeans.


Note: Creating the key file can reduce the security of your system if it is not kept in a secured location after it is created.
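One way to check that the two files stay in a secured location, as an added example that is not part of the original post or of WebLogic's own tooling. The function names are hypothetical, and the paths are whichever ones you passed to storeUserConfig:

```shell
#!/bin/sh
# Added example: audit the two files written by storeUserConfig.
# Function names are hypothetical; paths are the ones you gave storeUserConfig.

# Print one FAIL line per problem; return 0 only if the file is private.
audit_cred_file() {
    f=$1
    rc=0
    if [ ! -f "$f" ] || [ -L "$f" ]; then
        echo "FAIL $f: missing, not a regular file, or a symlink"
        return 1
    fi
    # ls -ldn prints the mode string first and the numeric owner uid third
    mode=$(ls -ldn -- "$f" | awk '{print $1}')
    uid=$(ls -ldn -- "$f" | awk '{print $3}')
    # Characters 5-10 of the mode string are the group and other bits
    if [ "$(printf '%s' "$mode" | cut -c5-10)" != "------" ]; then
        echo "FAIL $f: mode $mode grants group/other access"
        rc=1
    fi
    if [ "$uid" != "$(id -u)" ]; then
        echo "FAIL $f: owned by uid $uid, not by the user running the script"
        rc=1
    fi
    # A directory writable by others lets them swap or delete the files
    dir=$(dirname "$f")
    case $(ls -ldn -- "$dir" | awk '{print $1}') in
        ?????w*|????????w*)
            echo "FAIL $dir: directory is writable by group/other"
            rc=1 ;;
    esac
    return "$rc"
}

# The key file decrypts the config file, so both must pass.
audit_cred_pair() {
    pair_rc=0
    audit_cred_file "$1" || pair_rc=1
    audit_cred_file "$2" || pair_rc=1
    if [ "$pair_rc" -eq 0 ]; then
        echo "OK $1 and $2 are private to uid $(id -u)"
    fi
    return "$pair_rc"
}

# Usage: sh audit_ucf.sh /path/demodomain.ucf /path/demodomain.ukf
if [ "$#" -eq 2 ]; then
    audit_cred_pair "$1" "$2"
fi
```

A file that fails can be tightened with chmod 600, and its directory with chmod 700, before any monitoring script is pointed at it.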

Generic script to protect your domain scripts

The following generic script is ready to use. It interacts with you to connect to a domain and generates the user config file and key file in the specified location. It also validates whether the newly created secure files work as expected.
"""
Description :  This script will create user config file, key file
Author   :   Manish Khatwani
Date   :  2/12/2014
"""

# Connect to the admin server with a plain username and password
def getConnect(user, password, AdminURL):
 connect(user, password, AdminURL)

# Reconnect using only the stored files to prove that they work
def testValues(userconf, keyconf, AdminURL):
 print "Connecting to Admin with userConfigFiles"
 connect(userConfigFile=userconf, userKeyFile=keyconf, url=AdminURL)

def createUCFUKF():
 user = raw_input("Enter user Name: ")
 # raw_input echoes the password to the terminal as it is typed
 password = raw_input("Enter Password: ")
 AdminURL = raw_input("Admin URL: ")
 configPath = raw_input("Enter Path for storing config files : ")
 userPath = configPath + '/YOURDOMAIN.ucf'
 keyPath = configPath + '/YOURDOMAIN.ukf'
 print "Connecting to Admin"
 getConnect(user, password, AdminURL)
 # Write the encrypted credentials and the key that decrypts them
 storeUserConfig( userPath, keyPath)
 disconnect()
 # Reconnecting with newly created secure files
 print "disconnected from Admin, Lets Validate..."
 testValues(userPath, keyPath, AdminURL)
 ls ()
 disconnect()

# =================== MAIN PROGRAM ================================
# WLST sets __name__ to 'main' when it runs a script
if __name__=='main':
 redirect('/dev/null','false')
 createUCFUKF()
 redirect('/dev/null','true')
exit()

Execution Procedure
A sample execution looks like this:
java weblogic.WLST createUCFUKF.py
enter user name: weblogic
enter password: Webl0gic
enter url: t3://192.168.1.105:7001
Enter Path for stroring config files : /home/wldomains/demodomain
Connecting to Admin
Connecting to t3://192.168.1.105:7001 with userid weblogic ...
Successfully connected to Admin Server 'AdminServer' that belongs to domain 'demodomain'.
 
Warning: An insecure protocol was used to connect to the
server. To ensure on-the-wire security, the SSL port or
Admin port should be used instead.
 
Creating the key file can reduce the security of your system if it is not kept in a secured location after it is created. Do you want to create the key file? y or ny
...

Applicability to WLST
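UCF='/home/wlsadmin/wldomains/demodomain/demodomain.ucf'
UKF='/home/wlsadmin/wldomains/demodomain/demodomain.ukf'
admurl='t3://192.168.1.105:7001'
# Keyword arguments are required: positionally, connect() expects username, password, url
connect(userConfigFile=UCF, userKeyFile=UKF, url=admurl)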

Applicability for Deployer tool

java weblogic.Deployer -userConfigFile /home/wlsadmin/wldomains/demodomain/demodomain.ucf -userKeyFile /home/wlsadmin/wldomains/demodomain/demodomain.ukf -deploy benefits.war -targets democlstr

Applicability of Admin utility

To monitor server state, you can use the weblogic.Admin utility with its GETSTATE command.
#######################################################
# FileName         :           serverstate.sh
# Date             :           03/12/2014
#######################################################
clear
ucf=/home/wlsadmin/wldomains/demodomain/demodomain.ucf
ukf=/home/wlsadmin/wldomains/demodomain/demodomain.ukf
admurl=t3://192.168.1.105:7001

java weblogic.Admin -url $admurl -userconfigfile $ucf -userkeyfile $ukf GETSTATE demoMan1
java weblogic.Admin -url $admurl -userconfigfile $ucf -userkeyfile $ukf GETSTATE demoMan2

GetState using weblogic.Admin utility

Current state of "demoMan1" : RUNNING


Current state of "demoMan2" : RUNNING

Note that this creates a new JVM for every invocation. A better way is to use WLST :)
That's all for now...
Cheers guys,


Share your thoughts on this post!!

Saturday, October 4, 2014

WLST Issues

NoClassDefFoundError: weblogic.WLST issue

While starting a WLST script you might encounter this issue:
Exception in thread "main" java.lang.NoClassDefFoundError: weblogic.WLST
   at gnu.java.lang.MainThread.run(libgcj.so.7rh)
Caused by: java.lang.ClassNotFoundException: weblogic.WLST not found in gnu.gcj.runtime.SystemClassLoader{urls=[file:./], parent=gnu.gcj.runtime.ExtensionClassLoader{urls=[], parent=null}}
   at java.net.URLClassLoader.findClass(libgcj.so.7rh)
   at java.lang.ClassLoader.loadClass(libgcj.so.7rh)
   at java.lang.ClassLoader.loadClass(libgcj.so.7rh)
   at gnu.java.lang.MainThread.run(libgcj.so.7rh)


What to do? What is the fix? I searched on Google, but every result said to run setWLSEnv.sh or setWLSEnv.cmd. My way is to set up two environment variables so that they are available to your shell.

  1. WL_HOME your weblogic installation path
  2. CLASSPATH with WL_HOME/server/lib/weblogic.jar
You can update these environment variables in your .bash_profile or .bashrc or .profile in the Home directory.

One more alternative is to use the wlst.sh script with its absolute path.


alias wlst='${MW_HOME}/oracle_common/common/bin/wlst.sh'

Now you can directly use wlst mypthon.py my.properties

Still have problem in invoking WLST?
$ java weblogic.WLST

Initializing WebLogic Scripting Tool (WLST) ...

Problem invoking WLST - java.lang.NoClassDefFoundError: weblogic.management.scripting.WLScriptContext
The solution for this issue is to set JAVA_HOME properly. That means don't use the Linux-provided Java; instead you have to use Oracle JDK or JRockit, as follows:

export JAVA_HOME=/apps/softwares/weblogic/jdk160_05
or 
export JAVA_HOME=/apps/softwares/weblogic/jrockit_160_05
export PATH=$JAVA_HOME/bin:$PATH

Update these lines in your .bash_profile or .profile, then check in a new window/terminal, or execute your .bash_profile in the current shell with a leading dot.
$ . .bash_profile

Permission Denied issue

Today when I tried to work on WLST it threw an error. It shocked me! It was working until yesterday, so why is it not working now? This is a common sentence for every issue :) We need to analyze the problem.
pavanbsd@ubuntu:~$ wlst

Initializing WebLogic Scripting Tool (WLST) ...

Jython scans all the jar files it can find at first startup. Depending on the system
, this process may take a few minutes to complete, and WLST may not return a prompt
right away.

*sys-package-mgr*: can't create package cache dir, '/tmpWLSTTemppavanbsd/packages'
java.io.IOException: Permission denied
        at java.io.UnixFileSystem.createFileExclusively(Native Method)
        at java.io.File.createNewFile(File.java:1006)
        at java.io.File.createTempFile(File.java:1989)
        at java.io.File.createTempFile(File.java:2040)
        at com.oracle.cie.domain.script.jython.WLST_offline.getWLSTOfflineInitFilePath(WLST_offline.java:239)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at weblogic.management.scripting.utils.WLSTUtil.getOfflineWLSTScriptPathInternal(WLSTUtil.java:104)
        at weblogic.management.scripting.utils.WLSTUtil.setupOfflineInternal(WLSTUtil.java:300)
        at weblogic.management.scripting.utils.WLSTUtil.setupOffline(WLSTUtil.java:277)
        at weblogic.management.scripting.utils.WLSTUtilWrapper.setupOffline(WLSTUtilWrapper.java:29)
        at weblogic.management.scripting.utils.WLSTInterpreter.<init>(WLSTInterpreter.java:168)
        at weblogic.management.scripting.WLST.main(WLST.java:130)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at weblogic.WLST.main(WLST.java:29)
Problem invoking WLST - java.lang.NullPointerException

The problem here is that the OS denied permission to create files in the /tmp path. I remembered that when I tried to re-install the WebLogic software I ran into not enough space in the /tmp path, so I had removed all the files forcefully as the root user. That made the /tmp path inaccessible for the weblogic user to write into.
Here is the solution:
sudo chmod 1777 /tmp


Issues in WLST 2:


Again, while starting the WLST shell, we were facing the issue below. Of course, this is common for first-time WLST users:

bash-3.00$ java weblogic.WLST
Initializing WebLogic Scripting Tool (WLST) ...
*sys-package-mgr*: can't write cache file for '/HomeServerInstancepath/bea/jdk150_10/jre/lib/rt.jar'
*sys-package-mgr*: can't write cache file for '/HomeServerInstancepath/bea/weblogic92/server/lib/weblogic.jar'
*sys-package-mgr*: can't write cache file for '/HomeServerInstancepath/bea/jdk150_10/jre/lib/rt.jar'
*sys-package-mgr*: can't write cache file for '/HomeServerInstancepath/bea/jdk150_10/jre/lib/jsse.jar'
*sys-package-mgr*: can't write cache file for '/HomeServerInstancepath/bea/jdk150_10/jre/lib/jce.jar'
*sys-package-mgr*: can't write cache file for '/HomeServerInstancepath/bea/jdk150_10/jre/lib/charsets.jar'
*sys-package-mgr*: can't write cache file for '/HomeServerInstancepath/bea/jdk150_10/jre/lib/ext/sunjce_provider.jar'
*sys-package-mgr*: can't write cache file for '/HomeServerInstancepath/bea/jdk150_10/jre/lib/ext/sunpkcs11.jar'
*sys-package-mgr*: can't write cache file for '/HomeServerInstancepath/bea/jdk150_10/jre/lib/ext/dnsns.jar'
*sys-package-mgr*: can't write cache file for '/HomeServerInstancepath/bea/jdk150_10/jre/lib/ext/localedata.jar'
*sys-package-mgr*: can't write index file
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
wls:/offline>


To fix the above issue, we have two options:

1) I encountered this problem on a Solaris machine. We need to change the permissions of the /var/tmp/wlstTemp directory so that its content can be accessed by all users, which means using "chmod 777"
or
2) We need to define the cache directory path as /tmp/wlstTemp, a path that is open to every user


bash-3.00$ java -Dpython.cachedir=/tmp/wlstTemp weblogic.WLST
Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands

wls:/offline>
I found a very good reference blog that always talks technically :) It is 'Techtalks':
http://www.prasannatech.net/2009/02/jython-sys-package-mgr-processing-jar.html

Now it is your turn to comment on this issue: how do you feel when you see this on your Solaris machine or Linux machine? :)
Keep posting your suggestions too...
