Tuesday, December 2, 2014

I will Protect WebLogic Environments : storeUserConfig

Many monitoring scripts require a secure connection to the admin server. The storeUserConfig command encrypts the username and password and stores them in a file, the user config file (UserConfigFile), which you can name as per your domain requirements. The encryption is done with a private secure key that is stored in another file, the user key file (UserKeyFile).

Prerequisites

To run the storeUserConfig command you must be in online mode, so connect to the admin server before you execute it. You can create secure files for the admin user or the Node Manager user. nm: Optional. Boolean value specifying whether to store the username and password for Node Manager or WebLogic Server. If set to true, the Node Manager username and password are stored. This argument defaults to false.

WLST storeUserConfig usage

Execution of storeUserConfig command on WLST

You can execute it without any parameters; it will then store the user secure files under the operating system username, and they will be stored in the domain path.
storeUserConfig()
You are also allowed to specify the path where the secure files are stored.
wls:/demodomain/serverConfig>  storeUserConfig('/home/wldomains/demodomain/demodomain.config', '/home/wldomains/demodomain/demodomain.key')

Once you have created the storeUserConfig files, you can use them in two scenarios where the connect command takes WLST from offline to online:

  • Interactive WLST mode
  • Script mode
  • Useful for weblogic.Admin utility
  • Useful for weblogic.Deployer utility

Once you have created these secure config files for a new domain, you can use them for the following:

  • Reconfiguration of new system resources such as datasources and JMS
  • Application deployments, undeployments, and redeployments
  • Monitoring WebLogic runtime MBeans.


Note: Creating the key file can reduce the security of your system if it is not kept in a secured location after it is created.
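
The note above comes down to file ownership and permissions. As an added example (not part of the original post), this shell check fails when a file written by storeUserConfig, or the directory holding it, is accessible to group or other users; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: audit the user config file and user key file from storeUserConfig.

# Print one finding per problem; return 0 only when the file passes every check.
audit_secret_file() {
    f=$1
    rc=0
    # A symlink could point the script at a file controlled by someone else.
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "FAIL $f: missing, a symlink, or not a regular file"
        return 1
    fi
    [ -O "$f" ] || { echo "FAIL $f: not owned by the user running this check"; rc=1; }
    # ls -ld mode string: char 1 = type, 2-4 = owner, 5-7 = group, 8-10 = other
    mode=$(ls -ld -- "$f" | cut -c1-10)
    case $(printf '%s' "$mode" | cut -c5-10) in
        ------) ;;
        *) echo "FAIL $f: mode $mode grants group/other access"; rc=1 ;;
    esac
    # A writable parent directory lets another user swap the file out.
    dir=$(dirname -- "$f")
    dmode=$(ls -ld -- "$dir" | cut -c1-10)
    case $(printf '%s' "$dmode" | cut -c6,9) in
        --) ;;
        *) echo "FAIL $dir: mode $dmode lets group/other replace files"; rc=1 ;;
    esac
    return $rc
}

# Audit the pair together: the key file decrypts the config file, so both must pass.
audit_user_config() {
    status=0
    audit_secret_file "$1" || status=1
    audit_secret_file "$2" || status=1
    return $status
}

# Stand-alone use: sh audit.sh <userConfigFile> <userKeyFile>
if [ "$#" -eq 2 ]; then
    audit_user_config "$1" "$2"
fi
```

Run it before any script that connects with the files, and stop on a non-zero exit status.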

Generic script to protect your domain scripts

The following generic script is ready to use. It interacts with you to connect to a domain and generates the user config file and key file in the specified location. It also validates that the newly created secure files work as expected.
"""
Description :  This script will create user config file, key file
Author   :   Manish Khatwani
Date   :  2/12/2014
"""

def getConnect(user, password, AdminURL):
    # First connection uses the clear-text credentials typed at the prompt
    connect(user, password, AdminURL)

def testValues(userconf, keyconf, AdminURL):
    # Reconnect using only the encrypted config file and its key file
    print "Connecting to Admin with userConfigFiles"
    connect(userConfigFile=userconf, userKeyFile=keyconf, url=AdminURL)

def createUCFUKF():
    user = raw_input("Enter user Name: ")
    # Note: raw_input echoes the password on the terminal as it is typed
    password = raw_input("Enter Password: ")
    AdminURL = raw_input("Admin URL: ")
    configPath = raw_input("Enter Path for storing config files : ")
    # Replace YOURDOMAIN with your domain name
    userPath = configPath + '/YOURDOMAIN.ucf'
    keyPath = configPath + '/YOURDOMAIN.ukf'
    print "Connecting to Admin"
    getConnect(user, password, AdminURL)
    # Writes the encrypted credentials and the key used to encrypt them
    storeUserConfig(userPath, keyPath)
    disconnect()
    # Reconnecting with newly created secure files
    print "disconnected from Admin, Lets Validate..."
    testValues(userPath, keyPath, AdminURL)
    ls()
    disconnect()

# =================== MAIN PROGRAM ================================
# WLST sets __name__ to 'main' when it runs a script
if __name__=='main':
    redirect('/dev/null','false')
    createUCFUKF()
    redirect('/dev/null','true')
exit()

Execution Procedure
A sample execution looks like this:
java weblogic.WLST createUCFUKF.py
enter user name: weblogic
enter password: Webl0gic
enter url: t3://192.168.1.105:7001
Enter Path for stroring config files : /home/wldomains/demodomain
Connecting to Admin
Connecting to t3://192.168.1.105:7001 with userid weblogic ...
Successfully connected to Admin Server 'AdminServer' that belongs to domain 'demodomain'.
 
Warning: An insecure protocol was used to connect to the
server. To ensure on-the-wire security, the SSL port or
Admin port should be used instead.
 
Creating the key file can reduce the security of your system if it is not kept in a secured location after it is created. Do you want to create the key file? y or ny
...

Applicability to WLST
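UCF='/home/wlsadmin/wldomains/demodomain/demodomain.ucf'
UKF='/home/wlsadmin/wldomains/demodomain/demodomain.ukf'
admurl='t3://192.168.1.105:7001'
# Pass the files as keyword arguments; positionally they would be read as username and password
connect(userConfigFile=UCF, userKeyFile=UKF, url=admurl)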

Applicability for Deployer tool

java weblogic.Deployer -userConfigFile /home/wlsadmin/wldomains/demodomain/demodomain.ucf -userKeyFile /home/wlsadmin/wldomains/demodomain/demodomain.ukf -deploy benefits.war -targets democlstr

Applicability of Admin utility

To monitor server state you can use the weblogic.Admin utility with GETSTATE.
#######################################################
# FileName         :           serverstate.sh
# Date             :           03/12/2014
#######################################################
clear
ucf=/home/wlsadmin/wldomains/demodomain/demodomain.ucf
ukf=/home/wlsadmin/wldomains/demodomain/demodomain.ukf
admurl=t3://192.168.1.105:7001

java weblogic.Admin -url $admurl -userconfigfile $ucf -userkeyfile $ukf GETSTATE demoMan1
java weblogic.Admin -url $admurl -userconfigfile $ucf -userkeyfile $ukf GETSTATE demoMan2

GetState using weblogic.Admin utility

Current state of "demoMan1" : RUNNING


Current state of "demoMan2" : RUNNING

Note that this output comes from multiple executions, each of which creates its own JVM. A better way is to use WLST :)
That's all for now...
Cheers guys,

