How to install Oracle VirtualBox and create a CentOS 7 VM

Hi,

Jyoti Sensharma

For testing new components, services or products we frequently need VMs, especially when trying out open source components, so it helps to have a local VirtualBox setup in which they can be spun up quickly. Oracle VirtualBox is a general-purpose full virtualiser for x86 hardware, targeted at server, desktop and embedded use.

In this article we will see how quickly we can configure Oracle VirtualBox and create a CentOS 7 VM. The same steps can be followed to create a VM for any other OS, such as RHEL 6/7, Fedora or SUSE.

 

Download Oracle VirtualBox from the link below and install it:
https://www.virtualbox.org/wiki/Downloads

Download the CentOS 7 minimal ISO from the link below:
http://isoredirect.centos.org/centos/7/isos/x86_64/CentOS-7-x86_64-Minimal-1708.iso

Global VirtualBox Network Settings

In the steps below we add a new NAT Network and a new Host-Only Network. Together they give our VMs IP addresses, let them reach the outside network through NAT, and make them reachable from the host on the host-only interface.

Step1: Navigate to VirtualBox >> Preferences >> Network

Step2: Add a new NAT Network.

Step3: Navigate to File >> Host Network Manager

Step4: Add a new Host-Only Network.

VM creation and its network settings

Step5: Create a new VM in VirtualBox with Type Linux for installing CentOS 7.

Step6: Set 4GB of RAM for this VM so that we can run some servers on it and test multiple things at a time.

Step7: At this stage we fix the size of the VM's virtual hard disk file by selecting Fixed Size, so that it cannot grow beyond the space allocated to it.

Step8: Allocate 20GB of disk space for the virtual hard disk of this VM.

Step9:  Configure the network settings for this CentOS 7 Node1 vm as follows:

Step10: Start this node1 and install CentOS 7 in this vm.

Step11: If you want to give node1 the static IP address “192.168.56.101” and disable IPv6, edit the interface file for enp0s8 as follows:

vi /etc/sysconfig/network-scripts/ifcfg-enp0s8

TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
IPV6_AUTOCONF=no
IPV6_DEFROUTE=no
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=enp0s8
UUID=58c59ff3-31fa-4fa4-8259-430e5e122d52
DEVICE=enp0s8
ONBOOT=yes
IPADDR=192.168.56.101

Step12: Restart the network services:

service network restart

Step13: Repeat the above steps of “VM creation and its network setting” to create Node2.

Configure both hosts to recognise each other by their hostnames:

Edit the “/etc/hosts” file on each node:

vi /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.56.101	node1.example.com
192.168.56.102	node2.example.com

To configure passwordless SSH between these nodes, refer to the article below:

How to configure passwordless ssh between linux hosts


How to configure passwordless ssh between linux hosts

Jyoti Sensharma

Hi,
Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. The best known application of SSH is remote login to computer systems. It is also used by SCP to transfer files from one host to another over the network.

SSH provides a secure channel over an unsecured network in a client-server architecture, connecting an SSH client application with an SSH server. Common applications include remote command-line login and remote command execution, but any network service can be secured with SSH.

In this article we are going to learn how to set up passwordless SSH from one Linux host to another. By default, when we SSH to a remote Linux host it asks for a password, but entering a password every time you SSH becomes time consuming. Instead we can generate an SSH key pair and configure the other Linux hosts to accept its public key.

Default ssh command to connect a linux host and its output

[root@node1 ~]# ssh root@node2.example.com
The authenticity of host 'node2.example.com (192.xx.xx.102)' can't be established.
ECDSA key fingerprint is SHA256:PMG2xSYmdcdkzdgXV7Nw3Jtzd0NzbLmBmXlaQEzHEQ.
ECDSA key fingerprint is MD5:aa:d5:b9:33:7e:a6:32:as:xx:0c:20:1f:55:f3:00:1e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'node3.example.com,192.xx.xx.102' (ECDSA) to the list of known hosts.
root@node2.example.com's password: 
Last login: Thu Jan  4 11:23:09 2018 from 192.xx.xx.102
[root@node2 ~]# 

Steps to configure passwordless ssh to a linux host

Step1: Generate an SSH key pair on node1 using the “ssh-keygen” utility.

[root@node1 ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:eb691XAY0MVxsswolHv7xhGwbr2uX7e8vZ0uOwhisrwA root@node1.example.com
The key's randomart image is:
+---[RSA 2048]----+
|            oox++|
|             =.oo|
|            . + .|
|         .   . =x|
|   E    S . . @ o|
|    .    =   o +.|
|     .  . = o =.=|
|      .. . * +=O=|
|       .o.. +o*@X|
+----[SHA256]-----+

Step2: Copy the public SSH key of node1 to node2 using the “ssh-copy-id” utility.

[root@node1 ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@node2.example.com
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@node2.example.com's password: 
Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@node2.example.com'"
and check to make sure that only the key(s) you wanted were added.

Step3: Verify the key entry on node2 in the file ~/.ssh/authorized_keys

[root@node2 ~]# less ~/.ssh/authorized_keys

ssh-rsa AAAAB3NzaC1c2EAAAADAQABAAABAQDUnkqPN1LVvyJkiIXnabmoN4hmL3WfuDcrWwURCqVAkwG0+00DEiiUXuwUL3gGDXaKpJxxJKsP1RthFtxw1Fl9OJ1QKB6m0S2CgyP5RkmFq2PwEUxyFvAXXOaHAfvISadv55mRP3iTGAUEfnQGz0wQXXLruBC4NbF27R8h1Wqx+AwS+X+qLXDjLjR3pRXQtaWDGYsLGCXN4zOovdaYN1SjqSkg23oxI/rQl9z/4nf8CZZyKM+9lYN+2wBe99PPjHf83ZVtPVfi+BN9VjUPOUm9tbUoS8RU+dEx5sEJbf1cqmZ61afaQSIs/+/m4lbX1/BvERF95vjrxOMf1 jyotisensharma@Jyotis-MBP

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDoOXbrVXXWzdO0sjiDJYvPEPEAYJHS4eYS+iSTAagYlTwqXjuRYZ5PJn2LlJvGqkd+Sxbwn4GDbeGjMTzvOuTUYb7t795S0P2Y+pzKc9a03hGxC4tU8meGPLOWnJB55cMHREXT4t5qvnqCSoY0MAsY37sIRKCmK5WSXcecfRBkAalAr7LqjzlK/ujo+F09Cc+mB1VILyfszkJ2CHaf9Hznwg08MK/kZakXF3lXUC7LuVCauEnEemU6MXM5dsA25CavyM4qGYfH4d60GVlMwWWjDs4uylFLDvFxyMcfMQjaeJ+oc5GqxV2aPuDU17xrUpN6ldJXwCGKypeKGXZ root@node1.example.com

Now you can SSH from node1 to node2 without providing a password:

[root@node1 ~]# ssh root@node2.example.com
Last login: Thu Jan  4 11:12:06 2018 from 192.xx.xx.102

[root@node2 ~]#
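The ssh-copy-id output above asks you to check that only the keys you wanted were added, and the authorized_keys listing on node2 in fact carries a second key (the laptop key) besides node1's. As an added example, not part of the original article, the following Python script parses authorized_keys lines (including lines with a leading options field), computes the same SHA256 fingerprint that ssh-keygen -lf prints for a public key, and reports every key that is not on an allow-list of expected fingerprints. The key lines it uses are constructed stand-ins built from tiny numbers, not real RSA keys, and the allow-list is an assumption.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob: bytes, offset: int):
    """Decode one SSH wire-format string at offset; returns (payload, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def make_key_line(key_type: str, fields, comment: str) -> str:
    """Build an OpenSSH public-key line. CONSTRUCTED test data: the fields are
    tiny stand-ins for the RSA exponent and modulus, not a usable key."""
    blob = _ssh_string(key_type.encode()) + b"".join(_ssh_string(f) for f in fields)
    return "%s %s %s" % (key_type, base64.b64encode(blob).decode(), comment)


def parse_key_line(line: str) -> dict:
    """Parse one authorized_keys or id_rsa.pub line into type, fingerprint and comment.

    A line may start with an options field (e.g. from="192.168.56.101"), so the
    key-type token is the one whose following blob embeds that same type name."""
    tokens = line.strip().split()
    for idx in (0, 1):
        if idx + 1 >= len(tokens):
            break
        key_type, b64 = tokens[idx], tokens[idx + 1]
        try:
            blob = base64.b64decode(b64, validate=True)
            embedded, _ = _read_ssh_string(blob, 0)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if embedded == key_type.encode():
            # ssh-keygen -lf prints SHA256 of the raw blob, base64 without padding.
            digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
            return {
                "type": key_type,
                "fingerprint": "SHA256:" + digest,
                "comment": " ".join(tokens[idx + 2:]),
                "options": tokens[0] if idx == 1 else "",
            }
    raise ValueError("no valid OpenSSH key blob in line: %r" % line[:40])


def audit_authorized_keys(text: str, expected_fingerprints) -> dict:
    """Sort every key in an authorized_keys file into expected / unexpected /
    malformed, so an operator can confirm that only the intended keys were added."""
    report = {"expected": [], "unexpected": [], "malformed": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            key = parse_key_line(line)
        except ValueError:
            report["malformed"].append(lineno)
            continue
        bucket = "expected" if key["fingerprint"] in expected_fingerprints else "unexpected"
        report[bucket].append((lineno, key["fingerprint"], key["comment"]))
    return report


# Constructed sample file: a laptop key that should not be there, node1's key
# restricted to node1's address with a from= option, and a corrupted line.
NODE1_KEY = make_key_line("ssh-rsa", [b"\x01\x00\x01", b"\x00\xc3\x55"], "root@node1.example.com")
LAPTOP_KEY = make_key_line("ssh-rsa", [b"\x01\x00\x01", b"\x00\xd9\x21"], "jyotisensharma@Jyotis-MBP")
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    LAPTOP_KEY,
    'from="192.168.56.101" ' + NODE1_KEY,
    "ssh-rsa not-base64!!! broken",
])

if __name__ == "__main__":
    # Assumed policy: only node1's key is allowed on node2.
    allowed = {parse_key_line(NODE1_KEY)["fingerprint"]}
    for bucket, entries in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, allowed).items():
        print(bucket, entries)
```

On a real node the allow-list would be built from parse_key_line() applied to the contents of /root/.ssh/id_rsa.pub on node1, and the text passed to audit_authorized_keys() would be read from ~/.ssh/authorized_keys on node2; the fingerprint it computes is the same value ssh-keygen -lf prints, so the two can be compared by eye as well.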



WebLogic12c with t3s (SSL) secure protocol and the JMX client

Hi,

As part of this article we will see how to use the “t3s” SSL-based secure protocol to interact with WebLogic 12.2.1. We will develop a simple MBean client which accesses some of the MBeans present on WebLogic over SSL. We are going to implement one-way SSL for this demo. With one-way SSL, the server must present a certificate to the client, but the client is not required to present a certificate to the server. The client must authenticate the server, but the server accepts a connection from any client. One-way SSL is common on the Internet where customers want to create secure connections before they share personal data. Often, clients will also use SSL to log on so that the server can authenticate them.

Secure Sockets Layer (SSL) provides secure connections by allowing two applications connecting over a network to authenticate each other’s identity and by encrypting the data exchanged between the applications. Authentication allows a server and optionally a client to verify the identity of the application on the other end of a network connection. Encryption makes data transmitted over the network intelligible only to the intended recipient.

What is this demo about?

As part of this demo we will see how to implement one-way SSL on WebLogic so that a client can interact with it over https/t3s in a secure manner.

1. How to configure the “CustomIdentityAndJavaStandardTrust” on WebLogic in a completely automated way using WLST scripting.

2. How to configure the SSL port on WebLogic 12.2.1 using WLST.

3. How to create Server side Keystore and Client side truststore.

4. Running a simple MBean Client which will use “t3s” protocol to access/query the MBeans which are present on WLS server.

5. Troubleshooting some very common issues which users might encounter while implementing SSL on WebLogic 12c.

Creating Keystores and Truststore.

Step-1). Let's create a simple keystore which will be deployed on the WLS side; we will then export the public certificate from it and import that into the client-side truststore. To simplify creating the keystore and truststore and importing / exporting the certificate, we will write a very simple shell script. Please change the store passwords and the keystore/truststore file names to your own choice.
Create a shell script “createKeyStore.sh” somewhere in your filesystem as follows:

#!/bin/bash
# Stop at the first failing keytool command instead of continuing with a half-built store.
set -e
########################################
# Creating Server and Client KeyStores.
########################################
# NOTE: "keytool" is a utility that can be found inside "$JAVA_HOME/bin", so make sure the PATH includes the JDK's bin directory.

mkdir -p Keystores
cd Keystores/

echo ""
echo ""
echo "Creating WLS Server side Keystore. (wls12c.keystore)"
echo "----------------------------------------"
keytool -genkey -v -alias wlsalias -keyalg RSA -keysize 1024 -keystore wls12c.keystore -validity 3650 -keypass middleware+magic -storepass middleware+magic -dname "CN=127.0.0.1, OU=MiddlewareMagic, O=Blog, L=Bangalore, S=Karnataka, C=IN"


echo ""
echo ""
echo "Exporting public key (wls12c_server.cer) from the  WLS ServerSide keystore."
echo "----------------------------------------"
keytool -export -keystore wls12c.keystore -alias wlsalias -file wls12c_server.cer -keypass middleware+magic -storepass middleware+magic


echo ""
echo ""
echo "Creating Client side Keystore/truststore. (clientTrustStore.keystore)"
echo "----------------------------------------"
keytool -genkey -v -alias clientalias -keyalg RSA -keysize 1024 -keystore clientTrustStore.keystore -validity 3650 -keypass middleware+magic+client -storepass middleware+magic+client -dname "CN=127.0.0.1, OU=MiddlewareMagic, O=Blog, L=Bangalore, S=Karnataka, C=IN"


echo ""
echo ""
echo "Importing the WLS Servers public key to the Client's truststore."
echo "----------------------------------------"
keytool -import -v -trustcacerts -alias wlsalias -file wls12c_server.cer -keystore clientTrustStore.keystore -keypass middleware+magic+client -storepass middleware+magic+client


echo "Certificates created Successfully !!!"

Step-2). Let's run the above shell script, which creates the needed keystore and truststore and also imports the server's public certificate into the client truststore. “keytool” is a utility found inside “$JAVA_HOME/bin”, so make sure the PATH includes the JDK’s bin directory.

$ cd WLST_and_Keys
$ chmod 755 createKeyStore.sh
$ ./createKeyStore.sh 

--------
Output:
--------
$ ./createKeyStore.sh 


Creating WLS Server side Keystore. (wls12c.keystore)
----------------------------------------
Generating 1,024 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 3,650 days
	for: CN=127.0.0.1, OU=MiddlewareMagic, O=Blog, L=Bangalore, ST=Karnataka, C=IN
[Storing wls12c.keystore]


Exporting public key (wls12c_server.cer) from the  WLS ServerSide keystore.
----------------------------------------
Certificate stored in file <wls12c_server.cer>


Creating Client side Keystore/truststore. (clientTrustStore.keystore)
----------------------------------------
Generating 1,024 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 3,650 days
	for: CN=127.0.0.1, OU=MiddlewareMagic, O=Blog, L=Bangalore, ST=Karnataka, C=IN
[Storing clientTrustStore.keystore]


Importing the WLS Servers public key to the Client's truststore.
----------------------------------------
Owner: CN=127.0.0.1, OU=MiddlewareMagic, O=Blog, L=Bangalore, ST=Karnataka, C=IN
Issuer: CN=127.0.0.1, OU=MiddlewareMagic, O=Blog, L=Bangalore, ST=Karnataka, C=IN
Serial number: 66f456cb
Valid from: Sun Dec 27 19:27:29 IST 2015 until: Wed Dec 24 19:27:29 IST 2025
Certificate fingerprints:
	 MD5:  5A:C2:83:32:24:80:58:0D:A6:1F:68:88:5D:42:F8:C5
	 SHA1: 14:1A:32:08:25:C6:58:DA:37:35:50:FF:5C:D0:DD:F0:26:E5:2E:2E
	 SHA256: 6F:A3:4B:AA:37:D5:47:2C:21:F2:77:92:C6:B6:8C:A4:B2:D9:60:C2:5A:26:E2:A7:32:C5:5B:88:22:84:76:85
	 Signature algorithm name: SHA256withRSA
	 Version: 3

Extensions: 

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 34 6C E7 FE E7 15 B1 DC   99 A9 EB 22 B5 A8 C1 1D  4l........."....
0010: 98 E3 1D B8                                        ....
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore
[Storing clientTrustStore.keystore]
Certificates created Successfully !!! 
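When keytool shows the “Trust this certificate? [no]:” prompt above, the MD5/SHA1/SHA256 fingerprints it prints are the only thing that ties the exported wls12c_server.cer file to the server, because the certificate is self-signed; the value to compare against should come from the server's administrator out of band rather than from the same file. As an added example, not part of the original article or of the createKeyStore.sh script, the following Python reproduces keytool's fingerprint layout for a .cer file in either DER (the keytool -export default) or PEM (keytool -export -rfc) form and compares it against an expected fingerprint in constant time. SAMPLE_DER is a constructed stand-in for a certificate, not a real one, and the expected value used in the demo is an assumption.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for the DER bytes of an exported certificate: a bare
# ASN.1 SEQUENCE containing INTEGER 1. A real certificate is far longer, but the
# fingerprint procedure hashes the raw DER bytes in exactly the same way.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)


def load_certificate_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate given either DER or PEM input."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----(BEGIN|END) [A-Z ]+-----", b"", data)
        der = base64.b64decode(b"".join(body.split()), validate=True)
    else:
        der = data
    # Every X.509 certificate is a DER SEQUENCE, whose tag byte is 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("input is neither PEM nor a DER SEQUENCE")
    return der


def keytool_fingerprints(der: bytes) -> dict:
    """Fingerprints in the colon-separated upper-case hex layout keytool prints."""
    out = {}
    for name in ("md5", "sha1", "sha256"):
        digest = hashlib.new(name, der).hexdigest().upper()
        out[name.upper()] = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return out


def normalize_fingerprint(text: str) -> str:
    """Accept 'SHA256: 6F:A3:...', '6fa3...' or 'SHA256:6F:A3...' and return
    bare lower-case hex so two renderings of the same digest compare equal."""
    value = re.sub(r"(?i)^(md5|sha1|sha256)\s*:\s*", "", text.strip())
    return value.replace(":", "").lower()


def fingerprint_matches(data: bytes, expected: str, algo: str = "SHA256") -> bool:
    """Decide whether the certificate file matches the fingerprint obtained out
    of band; the constant-time compare avoids leaking how many bytes matched."""
    actual = keytool_fingerprints(load_certificate_der(data))[algo]
    return hmac.compare_digest(normalize_fingerprint(actual), normalize_fingerprint(expected))


if __name__ == "__main__":
    # Assumed placeholder for the out-of-band value: the sample's own SHA256, so
    # the demo prints True; on a real host this would be typed in from a separate channel.
    expected = "SHA256: " + keytool_fingerprints(SAMPLE_DER)["SHA256"]
    print(keytool_fingerprints(SAMPLE_DER))
    print("matches:", fingerprint_matches(SAMPLE_PEM.encode(), expected))
```

To use it on the real file, read wls12c_server.cer in binary mode and pass its bytes together with the SHA256 value the server administrator gave you; only answer yes to keytool's prompt when fingerprint_matches() returns True. SHA256 is the value to rely on, since MD5 and SHA1 are printed by keytool for compatibility rather than as a trust decision.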

Configuring CustomIdentityAndJavaStandardTrust using WLST

Step-3). Now we will create a simple WLST script “configure_SSL_and_KeyStore.py” which configures the “CustomIdentityAndJavaStandardTrust” on WebLogic 12c and opens the HTTPS/SSL port “7443”.

adminURL="t3://localhost:7001"
adminUserName="weblogic"
adminPassword="weblogic1"

connect(adminUserName, adminPassword, adminURL)

edit()
startEdit()
cd('/Servers/AdminServer')
cmo.setKeyStores('CustomIdentityAndJavaStandardTrust')
cmo.setCustomIdentityKeyStoreFileName('/Users/jsensharma/NotBackedUp/Installed/wls1221/user_projects/domains/base_domain/Keystores/wls12c.keystore')
cmo.setCustomIdentityKeyStoreType('jks')
cmo.setCustomIdentityKeyStorePassPhrase('middleware+magic')
activate()

startEdit()
cd('/Servers/AdminServer/SSL/AdminServer')
cmo.setServerPrivateKeyAlias('wlsalias')
cmo.setServerPrivateKeyPassPhrase('middleware+magic')
cmo.setEnabled(true)
cmo.setListenPort(7443)
activate()

Step-4). Now we will start the WebLogic 12.2.1 instance and then we will open a terminal to run the above mentioned WLST script. We will run the “setWLSEnv.sh” script in the terminal first so that it will set the CLASSPATH properly with the required JARs. (or simply use the “wls1221/wlserver/common/bin/wlst.sh” script to start the WLST)

$ cd /Users/jsensharma/NotBackedUp/Installed/wls1221/wlserver/server/bin

$ . ./setWLSEnv.sh 
CLASSPATH=/Library/Java/JavaVirtualMachines/jdk1.8.0_60.jdk/Contents/Home/lib/tools.jar:/Users/jsensharma/NotBackedUp/Installed/wls1221/wlserver/modules/features/wlst.wls.classpath.jar:
PATH=/Users/jsensharma/NotBackedUp/Installed/wls1221/wlserver/server/bin:/Users/jsensharma/NotBackedUp/Installed/wls1221/wlserver/../oracle_common/modules/org.apache.ant_1.9.2/bin:/Library/Java/JavaVirtualMachines/jdk1.8.0_60.jdk/Contents/Home/jre/bin:/Library/Java/JavaVirtualMachines/jdk1.8.0_60.jdk/Contents/Home/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Users/jsensharma/NotBackedUp/Installed/wls1221/wlserver/../oracle_common/modules/org.apache.maven_3.2.5/bin
Your environment has been set.


$ cd WLST_and_Keys

$ java weblogic.WLST configure_SSL_and_KeyStore.py


-------
OUTPUT
-------
$ java weblogic.WLST configure_SSL_and_KeyStore.py 

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

Connecting to t3://localhost:7001 with userid weblogic ...
Successfully connected to Admin Server "AdminServer" that belongs to domain "two_ssl_domain".

Warning: An insecure protocol was used to connect to the server. 
To ensure on-the-wire security, the SSL port or Admin port should be used instead.

Location changed to edit tree. 	 
This is a writable tree with DomainMBean as the root. 	 
To make changes you will need to start an edit session via startEdit(). 
For more help, use help('edit').

Starting an edit session ...
Started edit session, be sure to save and activate your changes once you are done.
Activating all your changes, this may take a while ... 
The edit lock associated with this edit session is released once the activation is completed.

The following non-dynamic attribute(s) have been changed on MBeans 
that require server re-start:
MBean Changed : com.bea:Name=AdminServer,Type=Server
Attributes changed : CustomIdentityKeyStoreFileName, CustomIdentityKeyStorePassPhraseEncrypted, CustomIdentityKeyStoreType, KeyStores

Activation completed
Starting an edit session ...
Started edit session, be sure to save and activate your changes once you are done.
Starting an edit session ...
Started edit session, be sure to save and activate your changes once you are done.
Activating all your changes, this may take a while ... 
The edit lock associated with this edit session is released once the activation is completed.

The following non-dynamic attribute(s) have been changed on MBeans 
that require server re-start:
MBean Changed : com.bea:Name=AdminServer,Type=SSL,Server=AdminServer
Attributes changed : ServerPrivateKeyAlias, ServerPrivateKeyPassPhraseEncrypted

Activation completed

Step-5). Because configuring SSL on WebLogic is a non-dynamic change, we will need to restart the WebLogic 12c instance. We can verify this by looking at the WebLogic 12c console output, which reads as follows:

<Dec 27, 2015 7:42:24 PM IST> <Warning> <Management> <BEA-141239> <The non-dynamic attribute CustomIdentityKeyStoreFileName on weblogic.management.configuration.ServerMBeanImpl@77977041([two_ssl_domain]/Servers[AdminServer]) has been changed. This may require redeploying or rebooting configured entities.> 
<Dec 27, 2015 7:42:24 PM IST> <Warning> <Management> <BEA-141238> <A non-dynamic change has been made which affects the server AdminServer. This server must be rebooted in order to consume this change.> 
<Dec 27, 2015 7:42:24 PM IST> <Warning> <Management> <BEA-141239> <The non-dynamic attribute CustomIdentityKeyStoreFileName on weblogic.management.configuration.ServerMBeanImpl@77977041([two_ssl_domain]/Servers[AdminServer]) has been changed. This may require redeploying or rebooting configured entities.> 
<Dec 27, 2015 7:42:24 PM IST> <Warning> <Management> <BEA-141239> <The non-dynamic attribute ServerPrivateKeyAlias on weblogic.management.configuration.SSLMBeanImpl@5bbd5356([two_ssl_domain]/Servers[AdminServer]/SSL[AdminServer]) has been changed. This may require redeploying or rebooting configured entities.> 
<Dec 27, 2015 7:42:24 PM IST> <Warning> <Management> <BEA-141238> <A non-dynamic change has been made which affects the server AdminServer. This server must be rebooted in order to consume this change.> 
<Dec 27, 2015 7:42:24 PM IST> <Warning> <Management> <BEA-141239> <The non-dynamic attribute ServerPrivateKeyAlias on weblogic.management.configuration.SSLMBeanImpl@5bbd5356([two_ssl_domain]/Servers[AdminServer]/SSL[AdminServer]) has been changed. This may require redeploying or rebooting configured entities.> 

So we will need to restart the WebLogic 12c instance (in our case AdminServer). After restarting the WebLogic Server we will notice the following kind of output on the Console which indicates that the KeyStore is configured properly.

<Dec 27, 2015 7:42:57 PM IST> <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias wlsalias from the jks keystore file /Users/jsensharma/NotBackedUp/Installed/wls1221/user_projects/domains/base_domain/Keystores/wls12c.keystore.> 

<Dec 27, 2015 7:42:57 PM IST> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file /Library/Java/JavaVirtualMachines/jdk1.8.0_60.jdk/Contents/Home/jre/lib/security/cacerts.> 
<Dec 27, 2015 7:42:57 PM IST> <Warning> <Server> <BEA-002611> <The hostname "localhost", maps to multiple IP addresses: 127.0.0.1, 0:0:0:0:0:0:0:1.> 
<Dec 27, 2015 7:42:57 PM IST> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure[3]" is now listening on 127.0.0.1:7443 for protocols iiops, t3s, ldaps, https.> 
<Dec 27, 2015 7:42:57 PM IST> <Notice> <Server> <BEA-002613> <Channel "Default[3]" is now listening on 127.0.0.1:7001 for protocols iiop, t3, ldap, snmp, http.> 
<Dec 27, 2015 7:42:57 PM IST> <Notice> <Server> <BEA-002613> <Channel "Default[1]" is now listening on 10.0.1.101:7001 for protocols iiop, t3, ldap, snmp, http.> 
<Dec 27, 2015 7:42:57 PM IST> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure[1]" is now listening on 10.0.1.101:7443 for protocols iiops, t3s, ldaps, https.> 
<Dec 27, 2015 7:42:57 PM IST> <Notice> <Server> <BEA-002613> <Channel "Default[2]" is now listening on 0:0:0:0:0:0:0:1:7001 for protocols iiop, t3, ldap, snmp, http.> 

<Dec 27, 2015 7:42:57 PM IST> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure[2]" is now listening on 0:0:0:0:0:0:0:1:7443 for protocols iiops, t3s, ldaps, https.> 

<Dec 27, 2015 7:42:57 PM IST> <Warning> <Server> <BEA-002611> <The hostname "jaysensharma.local", maps to multiple IP addresses: 168.253.130.227, fe80:0:0:0:9a5a:ebff:fecb:7e2e%12.> 
<Dec 27, 2015 7:42:57 PM IST> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 168.253.130.227:7001 for protocols iiop, t3, ldap, snmp, http.> 
<Dec 27, 2015 7:42:57 PM IST> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure" is now listening on 168.253.130.227:7443 for protocols iiops, t3s, ldaps, https.> 
<Dec 27, 2015 7:42:57 PM IST> <Notice> <WebLogicServer> <BEA-000331> <Started the WebLogic Server Administration Server "AdminServer" for domain "two_ssl_domain" running in development mode.> 
<Dec 27, 2015 7:42:57 PM IST> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure[3]" is now listening on 127.0.0.1:7443 for protocols iiops, t3s, ldaps, https.> 
<Dec 27, 2015 7:42:57 PM IST> <Notice> <Server> <BEA-002613> <Channel "Default[3]" is now listening on 127.0.0.1:7001 for protocols iiop, t3, ldap, snmp, http.> 
<Dec 27, 2015 7:42:57 PM IST> <Notice> <Server> <BEA-002613> <Channel "Default[1]" is now listening on 10.0.1.101:7001 for protocols iiop, t3, ldap, snmp, http.> 
<Dec 27, 2015 7:42:57 PM IST> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure[1]" is now listening on 10.0.1.101:7443 for protocols iiops, t3s, ldaps, https.> 
<Dec 27, 2015 7:42:57 PM IST> <Notice> <Server> <BEA-002613> <Channel "Default[2]" is now listening on 0:0:0:0:0:0:0:1:7001 for protocols iiop, t3, ldap, snmp, http.> 
<Dec 27, 2015 7:42:57 PM IST> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure[2]" is now listening on 0:0:0:0:0:0:0:1:7443 for protocols iiops, t3s, ldaps, https.> 
<Dec 27, 2015 7:42:57 PM IST> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 168.253.130.227:7001 for protocols iiop, t3, ldap, snmp, http.> 

<Dec 27, 2015 7:42:57 PM IST> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure" is now listening on 168.253.130.227:7443 for protocols iiops, t3s, ldaps, https.> 
<Dec 27, 2015 7:42:57 PM IST> <Notice> <WebLogicServer> <BEA-000360> <The server started in RUNNING mode.> 
<Dec 27, 2015 7:42:57 PM IST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING.> 

Writing “t3s” based Secure WebLogic 12c JMX Client

Step-6). Now let's create a simple MBean client which interacts with WebLogic using the “t3s” secure protocol. We are going to use Maven to build and run our project, so let's first create the following directory structure somewhere in our filesystem. Here “SSL_JMX” is our project directory:

   $ mkdir  -p  SSL_JMX/src/main/java/client

Now let's create the following JMX client code “SecureJMXClient.java” inside the “SSL_JMX/src/main/java/client” directory.

package client;
import weblogic.management.mbeanservers.domainruntime.DomainRuntimeServiceMBean;
import weblogic.management.runtime.ServerRuntimeMBean;
import javax.management.MBeanServerConnection;
import javax.management.MalformedObjectNameException;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.naming.Context;
import weblogic.management.jmx.MBeanServerInvocationHandler;
import java.util.Hashtable;
import java.io.IOException;
import java.net.MalformedURLException;
import weblogic.management.runtime.JDBCDataSourceRuntimeMBean;
import javax.management.*;
import javax.naming.*;
 
public class SecureJMXClient {
 
   private static MBeanServerConnection connection;
   private static JMXConnector connector;
   private static final ObjectName service;
   private static String combea = "com.bea:Name=";
   private static String service1 = "DomainRuntimeService,Type=weblogic.management.mbeanservers.domainruntime.DomainRuntimeServiceMBean";
   private static String service2 = "RuntimeService,Type=weblogic.management.mbeanservers.runtime.RuntimeServiceMBean";
 
   static {
        try {
               service =new ObjectName(combea + service1);
        } catch (MalformedObjectNameException e) {
               throw new AssertionError(e.getMessage());
        }
   }
 
   public static void initConnection(String hostname, String portString, String username, String password) throws IOException,MalformedURLException {
    String protocol = "t3s";
    Integer portInteger = Integer.valueOf(portString);
    int port = portInteger.intValue();
    String jndiroot = "/jndi/";
    String mserver = "weblogic.management.mbeanservers.domainruntime";
    JMXServiceURL serviceURL = new JMXServiceURL(protocol, hostname, port, jndiroot + mserver);
    Hashtable h = new Hashtable();
    h.put(Context.SECURITY_PRINCIPAL, username);
    h.put(Context.SECURITY_CREDENTIALS, password);
    h.put(JMXConnectorFactory.PROTOCOL_PROVIDER_PACKAGES,"weblogic.management.remote");
    connector = JMXConnectorFactory.connect(serviceURL, h);
    connection = connector.getMBeanServerConnection();
   }
 
   public static ObjectName[] getServerRuntimes() throws Exception {
        return (ObjectName[]) connection.getAttribute(service,"ServerRuntimes");
    }
 
   public void printNameAndState() throws Exception {
    ObjectName arr[]=getServerRuntimes();       
    for(ObjectName temp : arr)
        System.out.println("Servers: "+temp);
 
    ObjectName domain = (ObjectName) connection.getAttribute(service,"DomainConfiguration");
    System.out.println("Domain: " + domain.toString());
    ObjectName[] servers = (ObjectName[]) connection.getAttribute(domain,"Servers");
    for (ObjectName server : servers) {
        String serverState="UNKNOWN";
        String aName = (String) connection.getAttribute(server,"Name");
        try {
            ObjectName ser= new ObjectName("com.bea:Name="+aName+",Location="+aName+",Type=ServerRuntime");
            serverState=(String) connection.getAttribute(ser,"State");
            System.out.println("Server: "+aName+"\t State: "+serverState);
         } catch(Exception e) {
            System.out.println("Server: "+aName+"\t State: SHUTDOWN (or) In State : "+ serverState);
         }
      }
    }
 
  public static void main(String[] args) throws Exception {
    String hostname   = "localhost";    // CHANGE ME !!!
    String portString = "7443";         // CHANGE ME !!!
    String username   = "weblogic";     // CHANGE ME !!!
    String password   = "weblogic1";    // CHANGE ME !!!
    
    SecureJMXClient s = new SecureJMXClient();
    initConnection(hostname, portString, username, password);
    s.printNameAndState();
    connector.close();
   }
 }

Step-7). Now the most important part, in which we write the Maven “pom.xml” that compiles and builds the above Java code and packages it as a JAR file. We use the “exec-maven-plugin” in this pom so that we can easily run the project via “mvn clean install exec:exec”.

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>middleware.magic</groupId>
    <artifactId>JMX_Over_SSL</artifactId>
    <version>1.0</version>
    <packaging>jar</packaging>

    <properties>
        <java.version>1.7</java.version>
        <middleware.home>/Users/jsensharma/NotBackedUp/Installed/wls1221</middleware.home> <!-- CHANGE ME !!! -->
    </properties>
    
    <dependencies>
        <dependency>
        	<groupId>weblogic</groupId>
        	<artifactId>wlthint3client.needed.jars</artifactId>
        	<version>1.0</version>
            <scope>system</scope>   
            <systemPath>${middleware.home}/wlserver/server/lib/wlthint3client.jar</systemPath>     	
        </dependency>   
        <dependency>
        	<groupId>weblogic</groupId>
        	<artifactId>com.bea.core.management.jmx.jars</artifactId>
        	<version>1.0</version>
            <scope>system</scope>   
            <systemPath>${middleware.home}/wlserver/modules/com.bea.core.management.jmx.jar</systemPath>     	
        </dependency>   
        <dependency>
        	<groupId>weblogic</groupId>
        	<artifactId>wls-api.jars</artifactId>
        	<version>1.0</version>
            <scope>system</scope>   
            <systemPath>${middleware.home}/wlserver/server/lib/wls-api.jar</systemPath>     	
        </dependency>                       
    </dependencies>
    
    <build>
         <defaultGoal>install</defaultGoal>
         <finalName>${project.artifactId}</finalName>
         <plugins>
            <plugin>
               <groupId>org.apache.maven.plugins</groupId>
               <artifactId>maven-compiler-plugin</artifactId>
               <version>2.3.2</version>
               <configuration>
                  <source>1.7</source>
                  <target>1.7</target>
               </configuration>
            </plugin>

            <!-- Allows the example to be run via 'mvn compile exec:exec' -->
            <plugin>
                <groupId>org.codehaus.mojo</groupId>
                <artifactId>exec-maven-plugin</artifactId>
                <version>1.4.0</version>
                <configuration>
                    <executable>java</executable>
                       <arguments>
                           <argument>-Djavax.net.ssl.trustStorePassword=middleware+magic+client</argument>        <!-- CHANGE ME !!! -->
                           <argument>-Djavax.net.ssl.trustStore=${basedir}/ClientKey/client.keystore</argument>   <!-- CHANGE ME !!! -->
                           <argument>-classpath</argument>
                           <!-- UNIX Based OS use the following classpath setting -->                             <!-- CHANGE ME !!! -->
                           <argument>${middleware.home}/wlserver/server/lib/wlthint3client.jar:${middleware.home}/wlserver/server/lib/wls-api.jar:${middleware.home}/wlserver/modules/com.bea.core.management.jmx.jar:target/${project.artifactId}.jar:.:</argument>

                           <!-- WINDOWS Based OS use the following classpath setting -->                          <!-- CHANGE ME !!! -->
                           <!-- <argument>${middleware.home}/wlserver/server/lib/wlthint3client.jar;${middleware.home}/wlserver/server/lib/wls-api.jar;${middleware.home}/wlserver/modules/com.bea.core.management.jmx.jar;target/${project.artifactId}.jar;.;</argument> -->
                           <argument>client.SecureJMXClient</argument>
                       </arguments>
                </configuration>
            </plugin>
         </plugins>
     </build>
     
</project>


<!--  ######   For those who wants to run the "client.SecureJMXClient" manually do the following:
export MW_HOME=/Users/jsensharma/NotBackedUp/Installed/wls1221
export CLASSPATH=$MW_HOME/wlserver/server/lib/wlthint3client.jar:$MW_HOME/wlserver/server/lib/wls-api.jar:$MW_HOME/wlserver/modules/com.bea.core.management.jmx.jar:.:
java   -Djavax.net.ssl.trustStorePassword=middleware+magic+client   -Djavax.net.ssl.trustStore=${basedir}/ClientKey/client.keystore  client.SecureJMXClient
-->

Running the t3s protocol based Secure JMX Client

Step-8). Now we are going to build and run the JMX Client to interact with WebLogic 12.2.1 using the “t3s://” protocol. Users need to make sure that in the “pom.xml” file they edit the “CHANGE ME !!!” sections to specify the correct path for the client truststore and the correct truststore password.

For Windows Based OS

$ set M2_HOME=C:\PATH\TO\apache_maven_3.2.3
$ set JAVA_HOME=C:\PATH\TO\jdk1.8.0_60
$ set PATH=%JAVA_HOME%\bin;C:\PATH\TO\apache_maven_3.2.3\bin;%PATH%

$ cd C:\SSL_JMX
$ mvn clean install exec:exec

For Unix Based OS

$ export M2_HOME=/PATH/TO/apache_maven_3.2.3
$ export JAVA_HOME=/PATH/TO/jdk1.8.0_60
$ export PATH=$JAVA_HOME/bin:/PATH/TO/apache_maven_3.2.3/bin:$PATH

$ cd /PATH/TO/SSL_JMX

$ mvn clean install exec:exec


---------
  OUTPUT
---------
$ mvn clean install exec:exec
[INFO] Scanning for projects...
[INFO]                                                                         
[INFO] ------------------------------------------------------------------------
[INFO] Building JMX_Over_SSL 1.0
[INFO] ------------------------------------------------------------------------
[INFO] 
[INFO] --- maven-clean-plugin:2.5:clean (default-clean) @ JMX_Over_SSL ---
[INFO] Deleting /Users/jsensharma/NotBackedUp/MM_Tests/WLS/SSL_JMX/target
[INFO] 
[INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ JMX_Over_SSL ---
[WARNING] Using platform encoding (UTF-8 actually) to copy filtered resources, i.e. build is platform dependent!
[INFO] skip non existing resourceDirectory /Users/jsensharma/NotBackedUp/MM_Tests/WLS/SSL_JMX/src/main/resources
[INFO] 
[INFO] --- maven-compiler-plugin:2.3.2:compile (default-compile) @ JMX_Over_SSL ---
[WARNING] File encoding has not been set, using platform encoding UTF-8, i.e. build is platform dependent!
[INFO] Compiling 1 source file to /Users/jsensharma/NotBackedUp/MM_Tests/WLS/SSL_JMX/target/classes
[INFO] 
[INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ JMX_Over_SSL ---
[WARNING] Using platform encoding (UTF-8 actually) to copy filtered resources, i.e. build is platform dependent!
[INFO] skip non existing resourceDirectory /Users/jsensharma/NotBackedUp/MM_Tests/WLS/SSL_JMX/src/test/resources
[INFO] 
[INFO] --- maven-compiler-plugin:2.3.2:testCompile (default-testCompile) @ JMX_Over_SSL ---
[INFO] No sources to compile
[INFO] 
[INFO] --- maven-surefire-plugin:2.12.4:test (default-test) @ JMX_Over_SSL ---
[INFO] No tests to run.
[INFO] 
[INFO] --- maven-jar-plugin:2.4:jar (default-jar) @ JMX_Over_SSL ---
[INFO] Building jar: /Users/jsensharma/NotBackedUp/MM_Tests/WLS/SSL_JMX/target/JMX_Over_SSL.jar
[INFO] 
[INFO] --- maven-install-plugin:2.4:install (default-install) @ JMX_Over_SSL ---
[INFO] Installing /Users/jsensharma/NotBackedUp/MM_Tests/WLS/SSL_JMX/target/JMX_Over_SSL.jar to /Users/jsensharma/.m2/repository/middleware/magic/JMX_Over_SSL/1.0/JMX_Over_SSL-1.0.jar
[INFO] Installing /Users/jsensharma/NotBackedUp/MM_Tests/WLS/SSL_JMX/pom.xml to /Users/jsensharma/.m2/repository/middleware/magic/JMX_Over_SSL/1.0/JMX_Over_SSL-1.0.pom
[INFO] 
[INFO] --- exec-maven-plugin:1.4.0:exec (default-cli) @ JMX_Over_SSL ---
Handshake succeeded: TLSv1.2
Servers: com.bea:Name=AdminServer,Location=AdminServer,Type=ServerRuntime
Domain: com.bea:Name=two_ssl_domain,Location=two_ssl_domain,Type=Domain
Server: AdminServert State: RUNNING
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 3.943 s
[INFO] Finished at: 2015-12-27T21:12:40+05:30
[INFO] Final Memory: 13M/245M
[INFO] ------------------------------------------------------------------------

For those who want to run the same code without using Maven, just compile and run the “SecureJMXClient.java” code as follows:


 $ export MW_HOME=/Users/jsensharma/NotBackedUp/Installed/wls1221

 $ export CLASSPATH=$MW_HOME/wlserver/server/lib/wlthint3client.jar:$MW_HOME/wlserver/server/lib/wls-api.jar:$MW_HOME/wlserver/modules/com.bea.core.management.jmx.jar:.:

 $ javac -d . SecureJMXClient.java 
 
 $ java   -Djavax.net.ssl.trustStorePassword=middleware+magic+client   -Djavax.net.ssl.trustStore=/PATH/TO/SSL_JMX/WLST_and_Keys/Keystores/clientTrustStore.keystore    client.SecureJMXClient

---------
  OUTPUT
---------
Handshake succeeded: TLSv1.2
Servers: com.bea:Name=AdminServer,Location=AdminServer,Type=ServerRuntime
Domain: com.bea:Name=two_ssl_domain,Location=two_ssl_domain,Type=Domain
Server: AdminServert State: RUNNING

Some Common Issues

Issue-1). If the client keystore/truststore path is not valid (check the path specified in “-Djavax.net.ssl.trustStore”), or if the client truststore does not have the WebLogic server certificate imported into it, then we may see the following kind of error:

Handshake failed: TLSv1.2, error = sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
Handshake failed: TLSv1.1, error = sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
Handshake failed: TLSv1, error = Received fatal alert: handshake_failure
Handshake failed: TLSv1.2, error = sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
Handshake failed: TLSv1.1, error = sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
Handshake failed: TLSv1, error = Received fatal alert: handshake_failure
Exception in thread "main" java.io.IOException: t3s://localhost:7443: [RJVM:000575]Destination 0:0:0:0:0:0:0:1, 7443 unreachable.; nested exception is: 
	javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure; [RJVM:000576]No available router to destination.; nested exception is: 
	java.rmi.ConnectException: [RJVM:000576]No available router to destination.
	at weblogic.management.remote.common.ClientProviderBase.makeConnection(ClientProviderBase.java:301)
	at weblogic.management.remote.common.ClientProviderBase.newJMXConnector(ClientProviderBase.java:135)
	at javax.management.remote.JMXConnectorFactory.newJMXConnector(JMXConnectorFactory.java:369)
	at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:267)
	at client.SecureJMXClient.initConnection(SecureJMXClient.java:47)
	at client.SecureJMXClient.main(SecureJMXClient.java:83)
Caused by: javax.naming.CommunicationException: t3s://localhost:7443: [RJVM:000575]Destination 0:0:0:0:0:0:0:1, 7443 unreachable.; nested exception is: 
	javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure; [RJVM:000576]No available router to destination.; nested exception is: 
	java.rmi.ConnectException: [RJVM:000576]No available router to destination. [Root exception is java.net.ConnectException: t3s://localhost:7443: [RJVM:000575]Destination 0:0:0:0:0:0:0:1, 7443 unreachable.; nested exception is: 
	javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure; [RJVM:000576]No available router to destination.; nested exception is: 
	java.rmi.ConnectException: [RJVM:000576]No available router to destination.]
	at weblogic.jndi.internal.ExceptionTranslator.toNamingException(ExceptionTranslator.java:44)
	at weblogic.jndi.WLInitialContextFactoryDelegate.toNamingException(WLInitialContextFactoryDelegate.java:889)
	at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:377)
	at weblogic.jndi.Environment.getContext(Environment.java:348)
	at weblogic.jndi.Environment.getContext(Environment.java:316)
	at weblogic.jndi.WLInitialContextFactory.getInitialContext(WLInitialContextFactory.java:119)
	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
	at javax.naming.InitialContext.init(InitialContext.java:242)
	at javax.naming.InitialContext.<init>(InitialContext.java:216)
	at weblogic.management.remote.common.ClientProviderBase.makeConnection(ClientProviderBase.java:278)
	... 5 more
Caused by: java.net.ConnectException: t3s://localhost:7443: [RJVM:000575]Destination 0:0:0:0:0:0:0:1, 7443 unreachable.; nested exception is: 
	javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure; [RJVM:000576]No available router to destination.; nested exception is: 
	java.rmi.ConnectException: [RJVM:000576]No available router to destination.
	at weblogic.rjvm.RJVMFinder.findOrCreateInternal(RJVMFinder.java:238)
	at weblogic.rjvm.RJVMFinder.findOrCreate(RJVMFinder.java:170)
	at weblogic.rjvm.ClientServerURL.findOrCreateRJVM(ClientServerURL.java:178)
	at weblogic.jndi.WLInitialContextFactoryDelegate$1.run(WLInitialContextFactoryDelegate.java:355)
	at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
	at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:143)
	at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:351)
	... 13 more
Caused by: java.rmi.ConnectException: [RJVM:000575]Destination 0:0:0:0:0:0:0:1, 7443 unreachable.; nested exception is: 
	javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure; [RJVM:000576]No available router to destination.; nested exception is: 
	java.rmi.ConnectException: [RJVM:000576]No available router to destination.
	at weblogic.rjvm.ConnectionManager.bootstrap(ConnectionManager.java:524)
	at weblogic.rjvm.ConnectionManager.bootstrap(ConnectionManager.java:339)
	at weblogic.rjvm.RJVMManager.findOrCreateRemoteInternal(RJVMManager.java:306)
	at weblogic.rjvm.RJVMManager.findOrCreate(RJVMManager.java:155)
	at weblogic.rjvm.RJVMFinder.findOrCreateRemoteServer(RJVMFinder.java:258)
	at weblogic.rjvm.RJVMFinder.findOrCreateRemoteCluster(RJVMFinder.java:329)
	at weblogic.rjvm.RJVMFinder.findOrCreateInternal(RJVMFinder.java:227)
	... 19 more
Caused by: java.rmi.ConnectException: [RJVM:000576]No available router to destination.
	at weblogic.rjvm.ConnectionManager.findOrCreateRouter(ConnectionManager.java:1643)
	at weblogic.rjvm.ConnectionManager.bootstrap(ConnectionManager.java:505)
	... 25 more
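Both causes of Issue-1 are easier to spot before the t3s/RJVM layer wraps the SSLHandshakeException in several nested ConnectExceptions. The following pre-flight check is an added example written for this article; it is not part of the SSL_JMX demo project. It reads the same two system properties the client uses, refuses to proceed if the truststore path does not exist, opens the store (a wrong password fails at this point with a clear "password was incorrect" message), lists the trusted certificate entries, and then performs a plain TLS handshake against the admin server using only that store. The class name TrustStoreCheck and the host/port arguments (defaulting to localhost:7443, the endpoint in the trace above) are assumptions of this example.

```java
package client;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Hypothetical pre-flight check (not part of the SSL_JMX demo) for the truststore
 * handed to the client via -Djavax.net.ssl.trustStore / -Djavax.net.ssl.trustStorePassword.
 * It validates the path, opens the store, lists trusted entries and handshakes with the
 * admin server trusting only that store, so a PKIX failure is reported in plain form.
 */
public class TrustStoreCheck {

    /** Open the store at 'path'; a null password skips the JKS integrity check. */
    static KeyStore loadTrustStore(String path, String password) throws Exception {
        File f = new File(path);
        if (!f.isFile()) {
            throw new IOException("truststore not found: " + f.getAbsolutePath());
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(f)) {
            // A wrong password fails here: "Keystore was tampered with, or password was incorrect"
            ks.load(in, password == null ? null : password.toCharArray());
        }
        return ks;
    }

    /** Handshake with host:port trusting only the certificates in 'ks'; returns a summary line. */
    static String handshake(KeyStore ks, String host, int port) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
            X509Certificate leaf = (X509Certificate) s.getSession().getPeerCertificates()[0];
            return s.getSession().getProtocol() + ", server cert: " + leaf.getSubjectX500Principal();
        }
    }

    public static void main(String[] args) throws Exception {
        String path = System.getProperty("javax.net.ssl.trustStore");
        String password = System.getProperty("javax.net.ssl.trustStorePassword");
        String host = args.length > 0 ? args[0] : "localhost";          // assumed default
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 7443;  // assumed default

        if (path == null) {
            System.err.println("-Djavax.net.ssl.trustStore is not set (check the property name for typos)");
            System.exit(1);
        }
        if (password == null) {
            System.err.println("warning: -Djavax.net.ssl.trustStorePassword not set; store integrity is not verified");
        }

        KeyStore ks = loadTrustStore(path, password);
        int trusted = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                Certificate c = ks.getCertificate(alias);
                if (c instanceof X509Certificate) {
                    System.out.println("trusted: " + alias + " -> " + ((X509Certificate) c).getSubjectX500Principal());
                    trusted++;
                }
            }
        }
        if (trusted == 0) {
            System.err.println("truststore has no trusted certificate entries; import the WebLogic server certificate");
            System.exit(2);
        }

        try {
            System.out.println("Handshake succeeded: " + handshake(ks, host, port));
        } catch (SSLHandshakeException e) {
            // Typical cause: the server certificate (or its issuer) is not in this store
            System.err.println("Handshake failed: " + e.getMessage());
            System.exit(3);
        }
    }
}
```

Compile it next to the client (`javac -d . TrustStoreCheck.java`) and run it with exactly the `-Djavax.net.ssl.trustStore` and `-Djavax.net.ssl.trustStorePassword` values you pass to `client.SecureJMXClient`, for example `java -Djavax.net.ssl.trustStore=/PATH/TO/clientTrustStore.keystore -Djavax.net.ssl.trustStorePassword=... client.TrustStoreCheck localhost 7443`. It needs no WebLogic jars on the classpath, so a failure here is purely a truststore or certificate problem rather than a t3s configuration one. If it reports "Handshake failed" with a PKIX message, the fix is to import the server certificate (or its issuing CA) into the truststore, not to relax certificate validation in the client.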

The Source Code for this demo can be found at:
https://github.com/jaysensharma/MiddlewareMagicDemos/tree/master/WebLogic/Security/SSL_JMX_WLS12c

Regards
Jay SenSharma


Copyright © 2010-2012 Middleware Magic. All rights reserved.