
WebLogic12c with t3s (SSL) secure protocol and the JMX client

Hi,

As part of this article we will see how to use the “t3s” SSL-based secure protocol to interact with WebLogic 12.2.1. We will develop a simple MBean client which accesses some of the MBeans present on WebLogic over SSL. We are going to implement one-way SSL for this demo. With one-way SSL, the server must present a certificate to the client, but the client is not required to present a certificate to the server. The client must authenticate the server, but the server accepts a connection from any client. One-way SSL is common on the Internet, where customers want to create secure connections before they share personal data. Often, clients will also use SSL to log on so that the server can authenticate them; our JMX client does exactly that, sending the WebLogic username and password only after the SSL session has been established.

Secure Sockets Layer (SSL) provides secure connections by allowing two applications connecting over a network to authenticate each other’s identity and by encrypting the data exchanged between the applications. Authentication allows a server and optionally a client to verify the identity of the application on the other end of a network connection. Encryption makes data transmitted over the network intelligible only to the intended recipient. What WebLogic 12.2.1 and JDK 8 actually negotiate is TLS (the client later prints “Handshake succeeded: TLSv1.2”); the name SSL survives in the configuration attributes and in the protocol prefix “t3s”.

What is this demo about?

As part of this demo we will see how to implement one-way SSL on WebLogic so that a client can interact with it over https/t3s in a secure manner.

1. How to configure “CustomIdentityAndJavaStandardTrust” on WebLogic in a completely automated way using WLST scripting.

2. How to configure the SSL port on WebLogic 12.2.1 using WLST.

3. How to create the server-side keystore and the client-side truststore.

4. Running a simple MBean Client which will use “t3s” protocol to access/query the MBeans which are present on WLS server.

5. Troubleshooting some very common issues which users might encounter while implementing SSL on WebLogic 12c.

Creating Keystores and Truststore.

Step-1). Let's create a simple keystore which will be deployed on the WLS side; we will then export the server's certificate (which carries its public key) from it and import that certificate into the client-side truststore. In order to simplify the keystore and truststore creation and the exporting/importing of the certificate, we will write a very simple shell script. Please change the store passwords and the keystore/truststore file names as you like. Two things to keep in mind: the CN you put into the certificate is what the client's hostname verifier compares with the host in the t3s URL, so for anything beyond a localhost demo use the server's real DNS name; and the passwords sit in clear text in the script, which is acceptable for a demo only.
Create a shell script “createKeyStore.sh” somewhere in your filesystem as follows:

#!/bin/bash
# Stop at the first failing keytool command instead of carrying on with a half-built store.
set -e
########################################
# Creating Server and Client KeyStores.
########################################
# NOTE: "keytool" is a utility that can be found inside "$JAVA_HOME/bin", so make sure the PATH includes the JDK's bin directory.
# NOTE: -genkey is the older spelling of -genkeypair; both work on JDK 8.

mkdir Keystores
cd Keystores/

echo ""
echo ""
echo "Creating WLS Server side Keystore. (wls12c.keystore)"
echo "----------------------------------------"
# The CN is what the client's hostname verifier compares with the host in the t3s URL; for a real server use its DNS name.
# 2048-bit RSA is the smallest size worth generating today; 1024-bit keys are considered weak.
keytool -genkey -v -alias wlsalias -keyalg RSA -keysize 2048 -keystore wls12c.keystore -validity 3650 -keypass middleware+magic -storepass middleware+magic -dname "CN=127.0.0.1, OU=MiddlewareMagic, O=Blog, L=Bangalore, S=Karnataka, C=IN"


echo ""
echo ""
echo "Exporting public key (wls12c_server.cer) from the  WLS ServerSide keystore."
echo "----------------------------------------"
# -export writes the certificate (which contains the public key); the private key never leaves wls12c.keystore.
keytool -export -keystore wls12c.keystore -alias wlsalias -file wls12c_server.cer -storepass middleware+magic


echo ""
echo ""
echo "Creating Client side Keystore/truststore. (clientTrustStore.keystore)"
echo "----------------------------------------"
# For one-way SSL the client needs no key pair of its own; this entry only creates the file.
# The -import below would create the file as well, so this step can be dropped.
keytool -genkey -v -alias clientalias -keyalg RSA -keysize 2048 -keystore clientTrustStore.keystore -validity 3650 -keypass middleware+magic+client -storepass middleware+magic+client -dname "CN=127.0.0.1, OU=MiddlewareMagic, O=Blog, L=Bangalore, S=Karnataka, C=IN"


echo ""
echo ""
echo "Importing the WLS Servers public key to the Client's truststore."
echo "----------------------------------------"
# Compare the SHA256 fingerprint printed here with "keytool -list -v -keystore wls12c.keystore" before answering "yes";
# add -noprompt once the script is meant to run unattended.
keytool -import -v -trustcacerts -alias wlsalias -file wls12c_server.cer -keystore clientTrustStore.keystore -storepass middleware+magic+client


echo "Certificates created Successfully !!!"

Step-2). Let's run the above shell script, which creates the needed keystore and truststore and imports the server's certificate into the client truststore. “keytool” is a utility that can be found inside “$JAVA_HOME/bin”, so make sure the PATH includes the JDK's bin directory. The import step prints the certificate's fingerprints and asks “Trust this certificate?”; compare them with the fingerprints of the entry in wls12c.keystore (keytool -list -v) before answering yes.

$ cd WLST_and_Keys
$ chmod 755 createKeyStore.sh
$ ./createKeyStore.sh 

--------
Output:
--------
$ ./createKeyStore.sh 


Creating WLS Server side Keystore. (wls12c.keystore)
----------------------------------------
Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 3,650 days
	for: CN=127.0.0.1, OU=MiddlewareMagic, O=Blog, L=Bangalore, ST=Karnataka, C=IN
[Storing wls12c.keystore]


Exporting public key (wls12c_server.cer) from the  WLS ServerSide keystore.
----------------------------------------
Certificate stored in file <wls12c_server.cer>


Creating Client side Keystore/truststore. (clientTrustStore.keystore)
----------------------------------------
Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 3,650 days
	for: CN=127.0.0.1, OU=MiddlewareMagic, O=Blog, L=Bangalore, ST=Karnataka, C=IN
[Storing clientTrustStore.keystore]


Importing the WLS Servers public key to the Client's truststore.
----------------------------------------
Owner: CN=127.0.0.1, OU=MiddlewareMagic, O=Blog, L=Bangalore, ST=Karnataka, C=IN
Issuer: CN=127.0.0.1, OU=MiddlewareMagic, O=Blog, L=Bangalore, ST=Karnataka, C=IN
Serial number: 66f456cb
Valid from: Sun Dec 27 19:27:29 IST 2015 until: Wed Dec 24 19:27:29 IST 2025
Certificate fingerprints:
	 MD5:  5A:C2:83:32:24:80:58:0D:A6:1F:68:88:5D:42:F8:C5
	 SHA1: 14:1A:32:08:25:C6:58:DA:37:35:50:FF:5C:D0:DD:F0:26:E5:2E:2E
	 SHA256: 6F:A3:4B:AA:37:D5:47:2C:21:F2:77:92:C6:B6:8C:A4:B2:D9:60:C2:5A:26:E2:A7:32:C5:5B:88:22:84:76:85
	 Signature algorithm name: SHA256withRSA
	 Version: 3

Extensions: 

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 34 6C E7 FE E7 15 B1 DC   99 A9 EB 22 B5 A8 C1 1D  4l........."....
0010: 98 E3 1D B8                                        ....
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore
[Storing clientTrustStore.keystore]
Certificates created Successfully !!! 
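Before touching the WebLogic configuration it is worth proving that the two files really fit together. The following Java program is an added example for this article (it is not part of the original script or of WebLogic); it uses only the JDK and assumes the file names, aliases and passwords from createKeyStore.sh above. It checks that wls12c.keystore holds a private key under wlsalias, that the certificate is inside its validity window and uses an RSA key of at least 2048 bits, and that clientTrustStore.keystore contains byte-for-byte the same certificate, which is the condition the client-side PKIX validation needs:

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;

// Added example for this article (not from the original post or from WebLogic).
// Paths, aliases and passwords are the ones createKeyStore.sh uses; change them if you did.
public class VerifyStores {

    // Loads a JKS file; a wrong path or a wrong store password fails here, not later in a handshake.
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Colon-separated SHA-256 fingerprint, the same form keytool prints during -import.
    static String sha256(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        String dir = args.length > 0 ? args[0] : "Keystores";
        KeyStore server = load(dir + "/wls12c.keystore", "middleware+magic".toCharArray());
        KeyStore trust  = load(dir + "/clientTrustStore.keystore", "middleware+magic+client".toCharArray());

        // 1. The identity WebLogic will present: the alias must exist and hold a private key.
        if (!server.isKeyEntry("wlsalias")) {
            throw new IllegalStateException("wlsalias is not a private-key entry in wls12c.keystore");
        }
        X509Certificate identity = (X509Certificate) server.getCertificate("wlsalias");
        System.out.println("Server identity : " + identity.getSubjectX500Principal());
        System.out.println("  SHA-256       : " + sha256(identity));
        System.out.println("  valid until   : " + identity.getNotAfter());
        identity.checkValidity(new Date());      // throws if expired or not yet valid
        RSAPublicKey pub = (RSAPublicKey) identity.getPublicKey();
        int bits = pub.getModulus().bitLength();
        System.out.println("  RSA key size  : " + bits);
        if (bits < 2048) System.out.println("  WARNING: key shorter than 2048 bits");

        // 2. The truststore must contain that exact certificate (same bytes, not merely the same DN);
        //    a different certificate with the same DN makes PKIX validation fail its signature check.
        boolean found = false;
        for (String alias : Collections.list(trust.aliases())) {
            if (trust.isKeyEntry(alias)) {
                System.out.println("NOTE: alias '" + alias + "' holds a private key; a truststore only needs certificates");
            }
            Certificate c = trust.getCertificate(alias);
            if (c != null && Arrays.equals(c.getEncoded(), identity.getEncoded())) {
                System.out.println("Trusted as alias : " + alias);
                found = true;
            }
        }
        if (!found) {
            throw new IllegalStateException("server certificate is NOT in clientTrustStore.keystore; re-run the import step");
        }
        System.out.println("OK: client truststore trusts the server identity");
    }
}
```

Compile with javac VerifyStores.java and run java VerifyStores WLST_and_Keys/Keystores (the argument is the directory the script created). The program also reports the clientalias entry as a private key sitting in a truststore; that is harmless for the demo but exactly the kind of thing that should not be shipped to clients.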

Configuring CustomIdentityAndJavaStandardTrust using WLST

Step-3). Now we will create a simple WLST script “configure_SSL_and_KeyStore.py” which configures the “CustomIdentityAndJavaStandardTrust” keystore mode on WebLogic 12c (the server presents our custom identity and trusts whatever the JDK's cacerts trusts) and opens the HTTPS/SSL port “7443”. Note that the script connects to the admin server over plain t3 and carries the admin and keystore passwords in clear text; WLST warns about the former, and a production version would connect over t3s and use the encrypted user-config file created by storeUserConfig() instead of a password literal.

adminURL="t3://localhost:7001"
adminUserName="weblogic"
adminPassword="weblogic1"      # demo only: prefer connect(userConfigFile=..., userKeyFile=...) in real domains

connect(adminUserName, adminPassword, adminURL)

# Identity keystore: server-level attributes (non-dynamic, a restart is needed)
edit()
startEdit()
cd('/Servers/AdminServer')
cmo.setKeyStores('CustomIdentityAndJavaStandardTrust')
cmo.setCustomIdentityKeyStoreFileName('/Users/jsensharma/NotBackedUp/Installed/wls1221/user_projects/domains/base_domain/Keystores/wls12c.keystore')   # CHANGE ME !!!
cmo.setCustomIdentityKeyStoreType('jks')
cmo.setCustomIdentityKeyStorePassPhrase('middleware+magic')
activate()

# SSL listener: which private key to present, and the secure port to open
startEdit()
cd('/Servers/AdminServer/SSL/AdminServer')
cmo.setServerPrivateKeyAlias('wlsalias')
cmo.setServerPrivateKeyPassPhrase('middleware+magic')
cmo.setEnabled(true)
cmo.setListenPort(7443)
activate()

disconnect()
exit()

Step-4). Now we will start the WebLogic 12.2.1 instance and then open a terminal to run the above WLST script. We run the “setWLSEnv.sh” script in the terminal first so that it sets the CLASSPATH with the required JARs (or simply use the “wls1221/wlserver/common/bin/wlst.sh” script to start WLST).

$ cd /Users/jsensharma/NotBackedUp/Installed/wls1221/wlserver/server/bin

$ . ./setWLSEnv.sh 
CLASSPATH=/Library/Java/JavaVirtualMachines/jdk1.8.0_60.jdk/Contents/Home/lib/tools.jar:/Users/jsensharma/NotBackedUp/Installed/wls1221/wlserver/modules/features/wlst.wls.classpath.jar:
PATH=/Users/jsensharma/NotBackedUp/Installed/wls1221/wlserver/server/bin:/Users/jsensharma/NotBackedUp/Installed/wls1221/wlserver/../oracle_common/modules/org.apache.ant_1.9.2/bin:/Library/Java/JavaVirtualMachines/jdk1.8.0_60.jdk/Contents/Home/jre/bin:/Library/Java/JavaVirtualMachines/jdk1.8.0_60.jdk/Contents/Home/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Users/jsensharma/NotBackedUp/Installed/wls1221/wlserver/../oracle_common/modules/org.apache.maven_3.2.5/bin
Your environment has been set.


$ cd WLST_and_Keys

$ java weblogic.WLST configure_SSL_and_KeyStore.py


-------
OUTPUT
-------
$ java weblogic.WLST configure_SSL_and_KeyStore.py 

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

Connecting to t3://localhost:7001 with userid weblogic ...
Successfully connected to Admin Server "AdminServer" that belongs to domain "two_ssl_domain".

Warning: An insecure protocol was used to connect to the server. 
To ensure on-the-wire security, the SSL port or Admin port should be used instead.

Location changed to edit tree. 	 
This is a writable tree with DomainMBean as the root. 	 
To make changes you will need to start an edit session via startEdit(). 
For more help, use help('edit').

Starting an edit session ...
Started edit session, be sure to save and activate your changes once you are done.
Activating all your changes, this may take a while ... 
The edit lock associated with this edit session is released once the activation is completed.

The following non-dynamic attribute(s) have been changed on MBeans 
that require server re-start:
MBean Changed : com.bea:Name=AdminServer,Type=Server
Attributes changed : CustomIdentityKeyStoreFileName, CustomIdentityKeyStorePassPhraseEncrypted, CustomIdentityKeyStoreType, KeyStores

Activation completed
Starting an edit session ...
Started edit session, be sure to save and activate your changes once you are done.
Starting an edit session ...
Started edit session, be sure to save and activate your changes once you are done.
Activating all your changes, this may take a while ... 
The edit lock associated with this edit session is released once the activation is completed.

The following non-dynamic attribute(s) have been changed on MBeans 
that require server re-start:
MBean Changed : com.bea:Name=AdminServer,Type=SSL,Server=AdminServer
Attributes changed : ServerPrivateKeyAlias, ServerPrivateKeyPassPhraseEncrypted

Activation completed

Step-5). Configuring SSL on WebLogic is a non-dynamic change, so we will need to restart the WebLogic 12c instance. We can verify this by looking at the WebLogic 12c console output:

<Dec 27, 2015 7:42:24 PM IST> <Warning> <Management> <BEA-141239> <The non-dynamic attribute CustomIdentityKeyStoreFileName on weblogic.management.configuration.ServerMBeanImpl@77977041([two_ssl_domain]/Servers[AdminServer]) has been changed. This may require redeploying or rebooting configured entities.> 
<Dec 27, 2015 7:42:24 PM IST> <Warning> <Management> <BEA-141238> <A non-dynamic change has been made which affects the server AdminServer. This server must be rebooted in order to consume this change.> 
<Dec 27, 2015 7:42:24 PM IST> <Warning> <Management> <BEA-141239> <The non-dynamic attribute CustomIdentityKeyStoreFileName on weblogic.management.configuration.ServerMBeanImpl@77977041([two_ssl_domain]/Servers[AdminServer]) has been changed. This may require redeploying or rebooting configured entities.> 
<Dec 27, 2015 7:42:24 PM IST> <Warning> <Management> <BEA-141239> <The non-dynamic attribute ServerPrivateKeyAlias on weblogic.management.configuration.SSLMBeanImpl@5bbd5356([two_ssl_domain]/Servers[AdminServer]/SSL[AdminServer]) has been changed. This may require redeploying or rebooting configured entities.> 
<Dec 27, 2015 7:42:24 PM IST> <Warning> <Management> <BEA-141238> <A non-dynamic change has been made which affects the server AdminServer. This server must be rebooted in order to consume this change.> 
<Dec 27, 2015 7:42:24 PM IST> <Warning> <Management> <BEA-141239> <The non-dynamic attribute ServerPrivateKeyAlias on weblogic.management.configuration.SSLMBeanImpl@5bbd5356([two_ssl_domain]/Servers[AdminServer]/SSL[AdminServer]) has been changed. This may require redeploying or rebooting configured entities.> 

So we will need to restart the WebLogic 12c instance (in our case the AdminServer). After the restart we will notice the following kind of output on the console, which indicates that the keystore is configured properly: BEA-090171 shows the identity being loaded from our keystore, BEA-090169 shows that trust comes from the JDK's cacerts (the “JavaStandardTrust” half of the setting), and the “DefaultSecure” channels show 7443 listening for iiops, t3s, ldaps and https.

<Dec 27, 2015 7:42:57 PM IST> <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias wlsalias from the jks keystore file /Users/jsensharma/NotBackedUp/Installed/wls1221/user_projects/domains/base_domain/Keystores/wls12c.keystore.> 

<Dec 27, 2015 7:42:57 PM IST> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file /Library/Java/JavaVirtualMachines/jdk1.8.0_60.jdk/Contents/Home/jre/lib/security/cacerts.> 
<Dec 27, 2015 7:42:57 PM IST> <Warning> <Server> <BEA-002611> <The hostname "localhost", maps to multiple IP addresses: 127.0.0.1, 0:0:0:0:0:0:0:1.> 
<Dec 27, 2015 7:42:57 PM IST> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure[3]" is now listening on 127.0.0.1:7443 for protocols iiops, t3s, ldaps, https.> 
<Dec 27, 2015 7:42:57 PM IST> <Notice> <Server> <BEA-002613> <Channel "Default[3]" is now listening on 127.0.0.1:7001 for protocols iiop, t3, ldap, snmp, http.> 
<Dec 27, 2015 7:42:57 PM IST> <Notice> <Server> <BEA-002613> <Channel "Default[1]" is now listening on 10.0.1.101:7001 for protocols iiop, t3, ldap, snmp, http.> 
<Dec 27, 2015 7:42:57 PM IST> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure[1]" is now listening on 10.0.1.101:7443 for protocols iiops, t3s, ldaps, https.> 
<Dec 27, 2015 7:42:57 PM IST> <Notice> <Server> <BEA-002613> <Channel "Default[2]" is now listening on 0:0:0:0:0:0:0:1:7001 for protocols iiop, t3, ldap, snmp, http.> 

<Dec 27, 2015 7:42:57 PM IST> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure[2]" is now listening on 0:0:0:0:0:0:0:1:7443 for protocols iiops, t3s, ldaps, https.> 

<Dec 27, 2015 7:42:57 PM IST> <Warning> <Server> <BEA-002611> <The hostname "jaysensharma.local", maps to multiple IP addresses: 168.253.130.227, fe80:0:0:0:9a5a:ebff:fecb:7e2e%12.> 
<Dec 27, 2015 7:42:57 PM IST> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 168.253.130.227:7001 for protocols iiop, t3, ldap, snmp, http.> 
<Dec 27, 2015 7:42:57 PM IST> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure" is now listening on 168.253.130.227:7443 for protocols iiops, t3s, ldaps, https.> 
<Dec 27, 2015 7:42:57 PM IST> <Notice> <WebLogicServer> <BEA-000331> <Started the WebLogic Server Administration Server "AdminServer" for domain "two_ssl_domain" running in development mode.> 
<Dec 27, 2015 7:42:57 PM IST> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure[3]" is now listening on 127.0.0.1:7443 for protocols iiops, t3s, ldaps, https.> 
<Dec 27, 2015 7:42:57 PM IST> <Notice> <Server> <BEA-002613> <Channel "Default[3]" is now listening on 127.0.0.1:7001 for protocols iiop, t3, ldap, snmp, http.> 
<Dec 27, 2015 7:42:57 PM IST> <Notice> <Server> <BEA-002613> <Channel "Default[1]" is now listening on 10.0.1.101:7001 for protocols iiop, t3, ldap, snmp, http.> 
<Dec 27, 2015 7:42:57 PM IST> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure[1]" is now listening on 10.0.1.101:7443 for protocols iiops, t3s, ldaps, https.> 
<Dec 27, 2015 7:42:57 PM IST> <Notice> <Server> <BEA-002613> <Channel "Default[2]" is now listening on 0:0:0:0:0:0:0:1:7001 for protocols iiop, t3, ldap, snmp, http.> 
<Dec 27, 2015 7:42:57 PM IST> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure[2]" is now listening on 0:0:0:0:0:0:0:1:7443 for protocols iiops, t3s, ldaps, https.> 
<Dec 27, 2015 7:42:57 PM IST> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 168.253.130.227:7001 for protocols iiop, t3, ldap, snmp, http.> 

<Dec 27, 2015 7:42:57 PM IST> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure" is now listening on 168.253.130.227:7443 for protocols iiops, t3s, ldaps, https.> 
<Dec 27, 2015 7:42:57 PM IST> <Notice> <WebLogicServer> <BEA-000360> <The server started in RUNNING mode.> 
<Dec 27, 2015 7:42:57 PM IST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING.> 
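Now that the DefaultSecure channel is listening on 7443, it pays to confirm from the client side that it presents the certificate we imported, before any t3s or JMX code is involved. The following Java program is an added example for this article, not part of the original post or of WebLogic: it uses only JSSE (no t3 client jars), loads the truststore explicitly, performs a TLS handshake against host:port and prints the negotiated protocol, cipher suite and the SHA-256 fingerprint of every certificate in the chain, so that trust problems can be told apart from t3s/JMX problems later on. Host, port, truststore path and password default to the values used on this page. With the optional fifth argument “strict” it also asks JSSE to verify the hostname against the certificate; that check fails for the demo certificate, whose CN is 127.0.0.1 and which carries no subject alternative name, which is why a real deployment must put the server's DNS name into the certificate.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// Added example for this article (not from the original post or from WebLogic):
// a plain JSSE handshake against the WebLogic SSL listener. Defaults assume the
// host, port, truststore file and password used elsewhere on this page.
public class TlsProbe {

    // Builds an SSLContext that trusts exactly what is in the given JKS truststore.
    // No KeyManager is installed: this is one-way SSL, the client has no identity of its own.
    static SSLContext contextFor(String trustStorePath, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {   // fails loudly on a wrong path
            ts.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Colon-separated SHA-256 fingerprint in the same form keytool prints.
    static String fingerprint(Certificate c) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(c.getEncoded())) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "localhost";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 7443;
        String trustStore = args.length > 2 ? args[2] : "WLST_and_Keys/Keystores/clientTrustStore.keystore";
        char[] trustPass = (args.length > 3 ? args[3] : "middleware+magic+client").toCharArray();
        boolean strict = args.length > 4 && args[4].equals("strict");

        SSLSocketFactory factory = contextFor(trustStore, trustPass).getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            if (strict) {
                // Ask JSSE to also match the certificate name against 'host'. The demo
                // certificate (CN=127.0.0.1, no SAN) does not pass this for "localhost".
                SSLParameters params = socket.getSSLParameters();
                params.setEndpointIdentificationAlgorithm("HTTPS");
                socket.setSSLParameters(params);
            }
            socket.startHandshake();     // this is where PKIX validation of the server chain happens

            SSLSession session = socket.getSession();
            System.out.println("Handshake OK  : " + session.getProtocol() + " / " + session.getCipherSuite());
            int i = 0;
            for (Certificate c : session.getPeerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("Chain[" + i++ + "] subject : " + x.getSubjectX500Principal());
                System.out.println("         issuer  : " + x.getIssuerX500Principal());
                System.out.println("         SHA-256 : " + fingerprint(x));
            }
        } catch (SSLHandshakeException e) {
            // The innermost cause carries the useful text, e.g. "unable to find valid
            // certification path to requested target" or "signature check failed".
            System.out.println("Handshake FAILED against " + host + ":" + port);
            for (Throwable t = e; t != null; t = t.getCause()) {
                System.out.println("  " + t.getClass().getName() + ": " + t.getMessage());
            }
            System.exit(1);
        }
    }
}
```

Run it as java TlsProbe localhost 7443 WLST_and_Keys/Keystores/clientTrustStore.keystore middleware+magic+client. The fingerprint printed for Chain[0] must equal the SHA256 value keytool showed during the import step; if it does not, the listener is presenting a different identity than the one in the truststore.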

Writing “t3s” based Secure WebLogic 12c JMX Client

Step-6). Now let's create a simple MBean client which interacts with WebLogic using the “t3s” secure protocol. We are going to use Maven to build and run our project, so let's first create the following directory structure somewhere in our filesystem. Here “SSL_JMX” is our project directory:

   $ mkdir  -p  SSL_JMX/src/main/java/client

Now let's create the following JMX code “SecureJMXClient.java” inside the “SSL_JMX/src/main/java/client” directory. Host, port and credentials are hard-coded for the demo (see the CHANGE ME markers). The truststore is not referenced in the code at all: it is supplied at run time through the standard “javax.net.ssl.trustStore” and “javax.net.ssl.trustStorePassword” system properties, and the only SSL-specific thing in the code is the protocol name “t3s”.

package client;

import java.io.IOException;
import java.util.Hashtable;
import javax.management.MBeanServerConnection;
import javax.management.MalformedObjectNameException;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.naming.Context;

/**
 * Minimal JMX client that talks to the WebLogic Domain Runtime MBean server over
 * the "t3s" (SSL) protocol. The server certificate is validated against the
 * truststore given at run time via -Djavax.net.ssl.trustStore and
 * -Djavax.net.ssl.trustStorePassword; the code itself contains no SSL handling.
 */
public class SecureJMXClient {

   private static MBeanServerConnection connection;
   private static JMXConnector connector;
   private static final ObjectName service;
   private static final String combea = "com.bea:Name=";
   private static final String service1 = "DomainRuntimeService,Type=weblogic.management.mbeanservers.domainruntime.DomainRuntimeServiceMBean";

   static {
        try {
               service = new ObjectName(combea + service1);
        } catch (MalformedObjectNameException e) {
               throw new AssertionError(e.getMessage());
        }
   }

   public static void initConnection(String hostname, String portString, String username, String password) throws IOException {
    String protocol = "t3s";                      // plain "t3" would send the credentials below in clear text
    int port = Integer.parseInt(portString);
    String jndiroot = "/jndi/";
    String mserver = "weblogic.management.mbeanservers.domainruntime";
    JMXServiceURL serviceURL = new JMXServiceURL(protocol, hostname, port, jndiroot + mserver);
    Hashtable<String, Object> h = new Hashtable<String, Object>();
    h.put(Context.SECURITY_PRINCIPAL, username);
    h.put(Context.SECURITY_CREDENTIALS, password);
    // JMXConnectorFactory looks up <package>.<protocol>.ClientProvider, i.e. WebLogic's t3s provider
    h.put(JMXConnectorFactory.PROTOCOL_PROVIDER_PACKAGES, "weblogic.management.remote");
    connector = JMXConnectorFactory.connect(serviceURL, h);
    connection = connector.getMBeanServerConnection();
   }

   public static ObjectName[] getServerRuntimes() throws Exception {
        return (ObjectName[]) connection.getAttribute(service, "ServerRuntimes");
   }

   public void printNameAndState() throws Exception {
    ObjectName arr[] = getServerRuntimes();
    for (ObjectName temp : arr)
        System.out.println("Servers: " + temp);

    ObjectName domain = (ObjectName) connection.getAttribute(service, "DomainConfiguration");
    System.out.println("Domain: " + domain.toString());
    ObjectName[] servers = (ObjectName[]) connection.getAttribute(domain, "Servers");
    for (ObjectName server : servers) {
        String serverState = "UNKNOWN";
        String aName = (String) connection.getAttribute(server, "Name");
        try {
            // A ServerRuntime MBean exists only while that server is up, so this lookup fails for a shut-down server
            ObjectName ser = new ObjectName("com.bea:Name=" + aName + ",Location=" + aName + ",Type=ServerRuntime");
            serverState = (String) connection.getAttribute(ser, "State");
            System.out.println("Server: " + aName + "\t State: " + serverState);
         } catch (Exception e) {
            System.out.println("Server: " + aName + "\t State: SHUTDOWN (or) In State : " + serverState);
         }
      }
    }

  public static void main(String[] args) throws Exception {
    String hostname   = "localhost";    // CHANGE ME !!!
    String portString = "7443";         // CHANGE ME !!!  (the SSL listen port, not 7001)
    String username   = "weblogic";     // CHANGE ME !!!
    String password   = "weblogic1";    // CHANGE ME !!!  (hard-coded for the demo only)

    SecureJMXClient s = new SecureJMXClient();
    initConnection(hostname, portString, username, password);
    try {
        s.printNameAndState();
    } finally {
        connector.close();              // always release the t3s connection
    }
   }
 }

Step-7). Now the most important part, in which we write the Maven “pom.xml” that compiles and builds the above Java code and packages it as a JAR file. We use the “exec-maven-plugin” in this pom so that we can easily run the project via “mvn clean install exec:exec”. Note that the WebLogic client jars are referenced with system scope from the local installation, and that the truststore password ends up on the java command line (visible to anyone who can list processes on the machine); that is fine for a demo but not for a shared host.

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>middleware.magic</groupId>
    <artifactId>JMX_Over_SSL</artifactId>
    <version>1.0</version>
    <packaging>jar</packaging>

    <properties>
        <java.version>1.7</java.version>
        <middleware.home>/Users/jsensharma/NotBackedUp/Installed/wls1221</middleware.home> <!-- CHANGE ME !!! -->
    </properties>
    
    <dependencies>
        <dependency>
        	<groupId>weblogic</groupId>
        	<artifactId>wlthint3client.needed.jars</artifactId>
        	<version>1.0</version>
            <scope>system</scope>   
            <systemPath>${middleware.home}/wlserver/server/lib/wlthint3client.jar</systemPath>     	
        </dependency>   
        <dependency>
        	<groupId>weblogic</groupId>
        	<artifactId>com.bea.core.management.jmx.jars</artifactId>
        	<version>1.0</version>
            <scope>system</scope>   
            <systemPath>${middleware.home}/wlserver/modules/com.bea.core.management.jmx.jar</systemPath>     	
        </dependency>   
        <dependency>
        	<groupId>weblogic</groupId>
        	<artifactId>wls-api.jars</artifactId>
        	<version>1.0</version>
            <scope>system</scope>   
            <systemPath>${middleware.home}/wlserver/server/lib/wls-api.jar</systemPath>     	
        </dependency>                       
    </dependencies>
    
    <build>
         <defaultGoal>install</defaultGoal>
         <finalName>${project.artifactId}</finalName>
         <plugins>
            <plugin>
               <groupId>org.apache.maven.plugins</groupId>
               <artifactId>maven-compiler-plugin</artifactId>
               <version>2.3.2</version>
               <configuration>
                  <source>1.7</source>
                  <target>1.7</target>
               </configuration>
            </plugin>

            <!-- Allows the example to be run via 'mvn compile exec:exec' -->
            <plugin>
                <groupId>org.codehaus.mojo</groupId>
                <artifactId>exec-maven-plugin</artifactId>
                <version>1.4.0</version>
                <configuration>
                    <executable>java</executable>
                       <arguments>
                           <argument>-Djavax.net.ssl.trustStorePassword=middleware+magic+client</argument>         <!-- CHANGE ME !!! -->
                           <argument>-Djavax.net.ssl.trustStore=${basedir}/WLST_and_Keys/Keystores/clientTrustStore.keystore</argument>   <!-- CHANGE ME !!! -->
                           <argument>-classpath</argument>
                           <!-- UNIX Based OS use the following classpath setting -->                             <!-- CHANGE ME !!! -->
                           <argument>${middleware.home}/wlserver/server/lib/wlthint3client.jar:${middleware.home}/wlserver/server/lib/wls-api.jar:${middleware.home}/wlserver/modules/com.bea.core.management.jmx.jar:target/${project.artifactId}.jar:.:</argument>

                           <!-- WINDOWS Based OS use the following classpath setting -->                          <!-- CHANGE ME !!! -->
                           <!-- <argument>${middleware.home}/wlserver/server/lib/wlthint3client.jar;${middleware.home}/wlserver/server/lib/wls-api.jar;${middleware.home}/wlserver/modules/com.bea.core.management.jmx.jar;target/${project.artifactId}.jar;.;</argument> -->
                           <argument>client.SecureJMXClient</argument>
                       </arguments>
                </configuration>
            </plugin>
         </plugins>
     </build>
     
</project>


<!--  ######   For those who want to run "client.SecureJMXClient" manually, do the following:
export MW_HOME=/Users/jsensharma/NotBackedUp/Installed/wls1221
export CLASSPATH=$MW_HOME/wlserver/server/lib/wlthint3client.jar:$MW_HOME/wlserver/server/lib/wls-api.jar:$MW_HOME/wlserver/modules/com.bea.core.management.jmx.jar:.:
java   -Djavax.net.ssl.trustStorePassword=middleware+magic+client   -Djavax.net.ssl.trustStore=/PATH/TO/SSL_JMX/WLST_and_Keys/Keystores/clientTrustStore.keystore  client.SecureJMXClient
-->

Running the t3s protocol based Secure JMX Client

Step-8). Now we are going to build and run the JMX client to interact with WebLogic 12.2.1 using the “t3s://” protocol. Make sure that in the “pom.xml” file you edit the “CHANGE ME !!!” sections to specify the correct path to the client truststore and the correct truststore password. If the certificate's CN does not match the host in the t3s URL, the WebLogic client's hostname verifier rejects the connection; fix the certificate rather than disabling the check with -Dweblogic.security.SSL.ignoreHostnameVerification=true, which is acceptable only for a throw-away test.

For Windows Based OS

$ set M2_HOME=C:\PATH\TO\apache_maven_3.2.3
$ set JAVA_HOME=C:\PATH\TO\jdk1.8.0_60
$ set PATH=%JAVA_HOME%\bin;C:\PATH\TO\apache_maven_3.2.3\bin;%PATH%

$ cd C:\SSL_JMX
$ mvn clean install exec:exec

For Unix Based OS

$ export M2_HOME=/PATH/TO/apache_maven_3.2.3
$ export JAVA_HOME=/PATH/TO/jdk1.8.0_60
$ export PATH=$JAVA_HOME/bin:/PATH/TO/apache_maven_3.2.3/bin:$PATH

$ cd /PATH/TO/SSL_JMX

$ mvn clean install exec:exec


---------
  OUTPUT
---------
$ mvn clean install exec:exec
[INFO] Scanning for projects...
[INFO]                                                                         
[INFO] ------------------------------------------------------------------------
[INFO] Building JMX_Over_SSL 1.0
[INFO] ------------------------------------------------------------------------
[INFO] 
[INFO] --- maven-clean-plugin:2.5:clean (default-clean) @ JMX_Over_SSL ---
[INFO] Deleting /Users/jsensharma/NotBackedUp/MM_Tests/WLS/SSL_JMX/target
[INFO] 
[INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ JMX_Over_SSL ---
[WARNING] Using platform encoding (UTF-8 actually) to copy filtered resources, i.e. build is platform dependent!
[INFO] skip non existing resourceDirectory /Users/jsensharma/NotBackedUp/MM_Tests/WLS/SSL_JMX/src/main/resources
[INFO] 
[INFO] --- maven-compiler-plugin:2.3.2:compile (default-compile) @ JMX_Over_SSL ---
[WARNING] File encoding has not been set, using platform encoding UTF-8, i.e. build is platform dependent!
[INFO] Compiling 1 source file to /Users/jsensharma/NotBackedUp/MM_Tests/WLS/SSL_JMX/target/classes
[INFO] 
[INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ JMX_Over_SSL ---
[WARNING] Using platform encoding (UTF-8 actually) to copy filtered resources, i.e. build is platform dependent!
[INFO] skip non existing resourceDirectory /Users/jsensharma/NotBackedUp/MM_Tests/WLS/SSL_JMX/src/test/resources
[INFO] 
[INFO] --- maven-compiler-plugin:2.3.2:testCompile (default-testCompile) @ JMX_Over_SSL ---
[INFO] No sources to compile
[INFO] 
[INFO] --- maven-surefire-plugin:2.12.4:test (default-test) @ JMX_Over_SSL ---
[INFO] No tests to run.
[INFO] 
[INFO] --- maven-jar-plugin:2.4:jar (default-jar) @ JMX_Over_SSL ---
[INFO] Building jar: /Users/jsensharma/NotBackedUp/MM_Tests/WLS/SSL_JMX/target/JMX_Over_SSL.jar
[INFO] 
[INFO] --- maven-install-plugin:2.4:install (default-install) @ JMX_Over_SSL ---
[INFO] Installing /Users/jsensharma/NotBackedUp/MM_Tests/WLS/SSL_JMX/target/JMX_Over_SSL.jar to /Users/jsensharma/.m2/repository/middleware/magic/JMX_Over_SSL/1.0/JMX_Over_SSL-1.0.jar
[INFO] Installing /Users/jsensharma/NotBackedUp/MM_Tests/WLS/SSL_JMX/pom.xml to /Users/jsensharma/.m2/repository/middleware/magic/JMX_Over_SSL/1.0/JMX_Over_SSL-1.0.pom
[INFO] 
[INFO] --- exec-maven-plugin:1.4.0:exec (default-cli) @ JMX_Over_SSL ---
Handshake succeeded: TLSv1.2
Servers: com.bea:Name=AdminServer,Location=AdminServer,Type=ServerRuntime
Domain: com.bea:Name=two_ssl_domain,Location=two_ssl_domain,Type=Domain
Server: AdminServer	 State: RUNNING
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 3.943 s
[INFO] Finished at: 2015-12-27T21:12:40+05:30
[INFO] Final Memory: 13M/245M
[INFO] ------------------------------------------------------------------------

For those who want to run the same code without Maven, just compile and run the “SecureJMXClient.java” code as follows:


 $ export MW_HOME=/Users/jsensharma/NotBackedUp/Installed/wls1221

 $ export CLASSPATH=$MW_HOME/wlserver/server/lib/wlthint3client.jar:$MW_HOME/wlserver/server/lib/wls-api.jar:$MW_HOME/wlserver/modules/com.bea.core.management.jmx.jar:.:

 $ javac -d . SecureJMXClient.java 
 
 $ java   -Djavax.net.ssl.trustStorePassword=middleware+magic+client   -Djavax.net.ssl.trustStore=/PATH/TO/SSL_JMX/WLST_and_Keys/Keystores/clientTrustStore.keystore    client.SecureJMXClient

---------
  OUTPUT
---------
Handshake succeeded: TLSv1.2
Servers: com.bea:Name=AdminServer,Location=AdminServer,Type=ServerRuntime
Domain: com.bea:Name=two_ssl_domain,Location=two_ssl_domain,Type=Domain
Server: AdminServer	 State: RUNNING
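The demo client above keeps the admin password in a String constant and trusts whatever -Djavax.net.ssl.trustStore happens to point at. Below is a variant written as an added example for this article (it is not part of the original client, and the class name SecureJMXConfigCheck is my own): it takes host, SSL port and user name from the command line, reads the password from the console, refuses to start if the truststore property does not point at an existing file (a wrong path is not reported when the JVM starts, the handshake simply fails later), and then reads back over t3s the SSL settings the WLST script applied, so the configuration can be verified from the client side. It needs the same WebLogic client jars on the classpath as SecureJMXClient.

```java
package client;

import java.io.Console;
import java.io.File;
import java.util.Arrays;
import java.util.Hashtable;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.naming.Context;

// Added example for this article (not from the original post or from WebLogic).
// Same MBean server and provider package as SecureJMXClient; only the handling
// of the secrets and the attributes read back differ.
public class SecureJMXConfigCheck {

    private static final ObjectName DOMAIN_RUNTIME_SERVICE = name(
        "com.bea:Name=DomainRuntimeService,Type=weblogic.management.mbeanservers.domainruntime.DomainRuntimeServiceMBean");

    private static ObjectName name(String n) {
        try { return new ObjectName(n); } catch (Exception e) { throw new AssertionError(e); }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: java client.SecureJMXConfigCheck <host> <ssl-port> <user>   (password is prompted)");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        String user = args[2];

        // Fail fast on a bad truststore path instead of discovering it inside the t3s handshake.
        String trustStore = System.getProperty("javax.net.ssl.trustStore");
        if (trustStore == null || !new File(trustStore).isFile()) {
            throw new IllegalStateException("javax.net.ssl.trustStore is unset or not a file: " + trustStore);
        }

        // Read the password from the terminal rather than from a constant or a command-line argument.
        Console console = System.console();
        if (console == null) throw new IllegalStateException("no console available to prompt for the password");
        char[] password = console.readPassword("Password for %s: ", user);

        JMXServiceURL url = new JMXServiceURL("t3s", host, port, "/jndi/weblogic.management.mbeanservers.domainruntime");
        Hashtable<String, Object> env = new Hashtable<String, Object>();
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));   // the API wants a String; that copy cannot be wiped
        env.put(JMXConnectorFactory.PROTOCOL_PROVIDER_PACKAGES, "weblogic.management.remote");

        JMXConnector connector = JMXConnectorFactory.connect(url, env);
        Arrays.fill(password, '\0');     // at least the char[] does not outlive the connect call
        try {
            MBeanServerConnection mbs = connector.getMBeanServerConnection();
            ObjectName domain = (ObjectName) mbs.getAttribute(DOMAIN_RUNTIME_SERVICE, "DomainConfiguration");
            for (ObjectName server : (ObjectName[]) mbs.getAttribute(domain, "Servers")) {
                // ServerMBean attributes set by the first WLST edit session ...
                System.out.println("Server " + mbs.getAttribute(server, "Name"));
                System.out.println("  KeyStores                  : " + mbs.getAttribute(server, "KeyStores"));
                System.out.println("  CustomIdentityKeyStoreFile : " + mbs.getAttribute(server, "CustomIdentityKeyStoreFileName"));
                // ... and SSLMBean attributes set by the second one (the SSL child MBean of the server)
                ObjectName ssl = (ObjectName) mbs.getAttribute(server, "SSL");
                System.out.println("  SSL enabled                : " + mbs.getAttribute(ssl, "Enabled"));
                System.out.println("  SSL listen port            : " + mbs.getAttribute(ssl, "ListenPort"));
                System.out.println("  ServerPrivateKeyAlias      : " + mbs.getAttribute(ssl, "ServerPrivateKeyAlias"));
            }
        } finally {
            connector.close();
        }
    }
}
```

Run it like the original client but with arguments, for example java -Djavax.net.ssl.trustStore=/PATH/TO/clientTrustStore.keystore -Djavax.net.ssl.trustStorePassword=middleware+magic+client client.SecureJMXConfigCheck localhost 7443 weblogic. For the domain configured above the output should show KeyStores as CustomIdentityAndJavaStandardTrust, SSL enabled true on port 7443 and wlsalias as the private key alias.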

Some Common Issues

Issue-1). If the client truststore does not contain the WebLogic server certificate we imported, but does contain another certificate with the same subject DN (which is exactly the state of clientTrustStore.keystore when the import step is skipped, because the script generated “clientalias” with the same DN as the server), the PKIX validator picks that entry as the trust anchor, the signature check of the server certificate against its public key fails, and we see the following kind of error. A wrong path in “-Djavax.net.ssl.trustStore” or a truststore with no matching entry at all typically shows up instead as “unable to find valid certification path to requested target”. In both cases check the path, confirm with keytool -list that the server certificate is present, and re-run the import if it is not:

Handshake failed: TLSv1.2, error = sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
Handshake failed: TLSv1.1, error = sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
Handshake failed: TLSv1, error = Received fatal alert: handshake_failure
Handshake failed: TLSv1.2, error = sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
Handshake failed: TLSv1.1, error = sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
Handshake failed: TLSv1, error = Received fatal alert: handshake_failure
Exception in thread "main" java.io.IOException: t3s://localhost:7443: [RJVM:000575]Destination 0:0:0:0:0:0:0:1, 7443 unreachable.; nested exception is: 
	javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure; [RJVM:000576]No available router to destination.; nested exception is: 
	java.rmi.ConnectException: [RJVM:000576]No available router to destination.
	at weblogic.management.remote.common.ClientProviderBase.makeConnection(ClientProviderBase.java:301)
	at weblogic.management.remote.common.ClientProviderBase.newJMXConnector(ClientProviderBase.java:135)
	at javax.management.remote.JMXConnectorFactory.newJMXConnector(JMXConnectorFactory.java:369)
	at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:267)
	at client.SecureJMXClient.initConnection(SecureJMXClient.java:47)
	at client.SecureJMXClient.main(SecureJMXClient.java:83)
Caused by: javax.naming.CommunicationException: t3s://localhost:7443: [RJVM:000575]Destination 0:0:0:0:0:0:0:1, 7443 unreachable.; nested exception is: 
	javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure; [RJVM:000576]No available router to destination.; nested exception is: 
	java.rmi.ConnectException: [RJVM:000576]No available router to destination. [Root exception is java.net.ConnectException: t3s://localhost:7443: [RJVM:000575]Destination 0:0:0:0:0:0:0:1, 7443 unreachable.; nested exception is: 
	javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure; [RJVM:000576]No available router to destination.; nested exception is: 
	java.rmi.ConnectException: [RJVM:000576]No available router to destination.]
	at weblogic.jndi.internal.ExceptionTranslator.toNamingException(ExceptionTranslator.java:44)
	at weblogic.jndi.WLInitialContextFactoryDelegate.toNamingException(WLInitialContextFactoryDelegate.java:889)
	at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:377)
	at weblogic.jndi.Environment.getContext(Environment.java:348)
	at weblogic.jndi.Environment.getContext(Environment.java:316)
	at weblogic.jndi.WLInitialContextFactory.getInitialContext(WLInitialContextFactory.java:119)
	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
	at javax.naming.InitialContext.init(InitialContext.java:242)
	at javax.naming.InitialContext.<init>(InitialContext.java:216)
	at weblogic.management.remote.common.ClientProviderBase.makeConnection(ClientProviderBase.java:278)
	... 5 more
Caused by: java.net.ConnectException: t3s://localhost:7443: [RJVM:000575]Destination 0:0:0:0:0:0:0:1, 7443 unreachable.; nested exception is: 
	javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure; [RJVM:000576]No available router to destination.; nested exception is: 
	java.rmi.ConnectException: [RJVM:000576]No available router to destination.
	at weblogic.rjvm.RJVMFinder.findOrCreateInternal(RJVMFinder.java:238)
	at weblogic.rjvm.RJVMFinder.findOrCreate(RJVMFinder.java:170)
	at weblogic.rjvm.ClientServerURL.findOrCreateRJVM(ClientServerURL.java:178)
	at weblogic.jndi.WLInitialContextFactoryDelegate$1.run(WLInitialContextFactoryDelegate.java:355)
	at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
	at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:143)
	at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:351)
	... 13 more
Caused by: java.rmi.ConnectException: [RJVM:000575]Destination 0:0:0:0:0:0:0:1, 7443 unreachable.; nested exception is: 
	javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure; [RJVM:000576]No available router to destination.; nested exception is: 
	java.rmi.ConnectException: [RJVM:000576]No available router to destination.
	at weblogic.rjvm.ConnectionManager.bootstrap(ConnectionManager.java:524)
	at weblogic.rjvm.ConnectionManager.bootstrap(ConnectionManager.java:339)
	at weblogic.rjvm.RJVMManager.findOrCreateRemoteInternal(RJVMManager.java:306)
	at weblogic.rjvm.RJVMManager.findOrCreate(RJVMManager.java:155)
	at weblogic.rjvm.RJVMFinder.findOrCreateRemoteServer(RJVMFinder.java:258)
	at weblogic.rjvm.RJVMFinder.findOrCreateRemoteCluster(RJVMFinder.java:329)
	at weblogic.rjvm.RJVMFinder.findOrCreateInternal(RJVMFinder.java:227)
	... 19 more
Caused by: java.rmi.ConnectException: [RJVM:000576]No available router to destination.
	at weblogic.rjvm.ConnectionManager.findOrCreateRouter(ConnectionManager.java:1643)
	at weblogic.rjvm.ConnectionManager.bootstrap(ConnectionManager.java:505)
	... 25 more
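The RJVM text (“No available router to destination”, “Destination ... unreachable”) wraps the real cause; the innermost “Caused by” and the per-protocol “Handshake failed” lines the client prints first are what matter. As an added troubleshooting aid, not part of the original demo or its GitHub repository, the following shell script classifies those lines the way the paragraph above does and, when a JDK keytool is on the PATH, compares the SHA-256 fingerprint of the server identity certificate with the entry in the client truststore. Keystore file names, aliases and store passwords are placeholders (overridable through the SERVER_KEYSTORE, SERVER_ALIAS, SERVER_STOREPASS, CLIENT_TRUSTSTORE, TRUST_ALIAS and TRUST_STOREPASS variables), not values taken from the article.

```shell
#!/bin/sh
# tls_triage.sh - added example; not from the original article or its GitHub demo.
# 1) classify_tls_failure / triage_log: map the client's error lines to a root cause.
# 2) check_trust_matches_identity: compare the server identity certificate with the
#    entry in the client truststore via keytool (needs a JDK 8+ keytool on PATH).
# Keystore names, aliases and store passwords are placeholders, not article values.

# Map one line of client output to a short root-cause code.
classify_tls_failure() {
  case "$1" in
    *"signature check failed"*)                   echo STALE_TRUST ;;   # same DN, different key
    *"unable to find valid certification path"*)  echo MISSING_TRUST ;; # store lacks the cert
    *"trustAnchors parameter must be non-empty"*) echo EMPTY_TRUST ;;   # empty store / bad path
    *"Received fatal alert: handshake_failure"*)  echo PEER_REFUSED ;;  # server aborted handshake
    *"No available router to destination"*|*"unreachable"*) echo RJVM_WRAPPER ;;
    *)                                            echo UNKNOWN ;;
  esac
}

# Remediation text for a code returned by classify_tls_failure.
explain_tls_failure() {
  case "$1" in
    STALE_TRUST)   echo "Truststore holds a certificate for this DN with a different public key: re-export the server certificate and re-import it." ;;
    MISSING_TRUST) echo "Server certificate is not in the truststore: import it, or point -Djavax.net.ssl.trustStore at the right file." ;;
    EMPTY_TRUST)   echo "Truststore is empty, usually because the -Djavax.net.ssl.trustStore path does not exist." ;;
    PEER_REFUSED)  echo "Server sent handshake_failure: no protocol version or cipher in common (check weblogic.security.SSL.minimumProtocolVersion)." ;;
    RJVM_WRAPPER)  echo "RJVM wrapper text only; read the innermost 'Caused by'." ;;
    *)             echo "Unrecognised line." ;;
  esac
}

# Print the first recognised non-wrapper cause in a captured client log.
# The client logs one 'Handshake failed' line per protocol attempt before the
# final exception, so the earliest meaningful line is the one to act on.
# Returns 1 when nothing recognisable was found.
triage_log() {  # logfile
  found=UNKNOWN
  while IFS= read -r line || [ -n "$line" ]; do
    code=$(classify_tls_failure "$line")
    case "$code" in
      UNKNOWN|RJVM_WRAPPER) ;;
      *) found=$code; break ;;
    esac
  done < "$1"
  echo "$found"
  [ "$found" != UNKNOWN ]
}

# SHA-256 fingerprint of the certificate stored under an alias.
cert_fingerprint() {  # keystore alias storepass
  keytool -list -v -keystore "$1" -alias "$2" -storepass "$3" 2>/dev/null \
    | sed -n 's/^[[:space:]]*SHA256: *//p' | head -n 1
}

# Compare the server identity certificate with what the client trusts.
check_trust_matches_identity() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found on PATH" >&2; return 2; }
  srv=$(cert_fingerprint "${SERVER_KEYSTORE:-server_identity.jks}" \
                         "${SERVER_ALIAS:-wls_identity}" "${SERVER_STOREPASS:-changeit}")
  cli=$(cert_fingerprint "${CLIENT_TRUSTSTORE:-client_trust.jks}" \
                         "${TRUST_ALIAS:-wls_identity}" "${TRUST_STOREPASS:-changeit}")
  if [ -n "$srv" ] && [ "$srv" = "$cli" ]; then
    echo "truststore matches server identity: $srv"; return 0
  fi
  echo "MISMATCH: server=${srv:-<unreadable>} truststore=${cli:-<absent>}" >&2
  return 1
}

# Usage: sh tls_triage.sh client.log  (then run check_trust_matches_identity after fixing the store)
if [ $# -eq 1 ] && [ -f "$1" ]; then
  code=$(triage_log "$1") || true
  echo "$code: $(explain_tls_failure "$code")"
fi
```

Run it against the saved client output; a STALE_TRUST verdict together with a MISMATCH from check_trust_matches_identity confirms the truststore was populated from an older server keystore, and re-running the export/import step from the keystore script fixes it.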

The Source Code for this demo can be found at:
https://github.com/jaysensharma/MiddlewareMagicDemos/tree/master/WebLogic/Security/SSL_JMX_WLS12c

Regards
Jay SenSharma


How to get the Users List from Security Realm using WLST

Ravish Mody

Today one of our subscribers, Sai, asked in a comment how to list only the users held in the DefaultAuthenticator. The script below does exactly that, and it will also list the users of every other authentication provider in the realm if you set one flag (show.all.authenticator.userlist=true) in your “details.properties” file.

As usual the script reads its inputs from a properties file, so you only need to fill in details.properties and run it.

Jay’s article WebLogic SQLAuthenticator Demo With FormBased Authentication helped a lot in testing this script against a second (SQL) authenticator, so others can take advantage of it too.

Steps to get the Users List from Security Realm using WLST

Step1). Create a directory somewhere on your file system, for example “C:\WLST_log”.

Step2). In that directory, write a properties file “details.properties” like the following (the admin password sits here in cleartext; the article on encrypted credentials further down this page shows how to replace it with storeUserConfig files):

admin.url=t3://localhost:7001
admin.userName=weblogic
admin.password=weblogic

########## User name pattern to list (* = all users) ################
user.name.wildcard=*

########## Maximum number of users to return (0 = no limit) ###############
maximum.to.return=0

########## "true" lists the users of every authentication provider, "false" only those of the DefaultAuthenticator ################
show.all.authenticator.userlist=false

Step3). Now, in the same directory, write the following WLST script “usersList.py”:

#############################################################################
#
# @author Copyright (c) 2010 - 2011 by Middleware Magic, All Rights Reserved.
#
#############################################################################

from java.io import FileInputStream
from java.util import Properties
from weblogic.management.security.authentication import UserReaderMBean

# Read connection details and filters from details.properties, which is
# looked up relative to the directory WLST is started from.
propInputStream = FileInputStream("details.properties")
configProps = Properties()
configProps.load(propInputStream)
propInputStream.close()

adminURL = configProps.getProperty("admin.url")
adminUserName = configProps.getProperty("admin.userName")
adminPassword = configProps.getProperty("admin.password")
userNameWildcard = configProps.getProperty("user.name.wildcard", "*")
maximumToReturn = int(configProps.getProperty("maximum.to.return", "0"))
showAllAuthenticatorUserList = configProps.getProperty("show.all.authenticator.userlist", "false").strip().lower() == 'true'

def printUsers(provider):
    # listUsers() returns a cursor; walk it with haveCurrent()/advance()
    # and always close it so the provider can release the result set.
    authName = provider.getName()
    userList = provider.listUsers(userNameWildcard, maximumToReturn)
    print '======================================================================'
    print 'Below are the List of USERS which are in the: "' + authName + '"'
    print '======================================================================'
    try:
        num = 1
        while provider.haveCurrent(userList):
            print num, '- ' + provider.getCurrentName(userList)
            provider.advance(userList)
            num = num + 1
    finally:
        provider.close(userList)
    print '======================================================================'

connect(adminUserName, adminPassword, adminURL)

realm = cmo.getSecurityConfiguration().getDefaultRealm()

# Only providers implementing UserReaderMBean (DefaultAuthenticator,
# SQLAuthenticator, ...) can enumerate users; any other provider is skipped.
for provider in realm.getAuthenticationProviders():
    if not isinstance(provider, UserReaderMBean):
        continue
    if showAllAuthenticatorUserList or provider.getName() == 'DefaultAuthenticator':
        printUsers(provider)

disconnect()
exit()

Step4). Open a command/shell prompt, cd into <BEA_HOME>/wlserver_10.3/server/bin and source “setWLSEnv.sh” so that CLASSPATH and PATH are set in the current shell, i.e. two DOTs separated by a single space before the script name:
. ./setWLSEnv.sh

Note: the first DOT means “run the script in the current shell” (so the variables survive after it finishes), and “./” means “the script in the current directory”.

Step5). Run the WLST script from the directory holding usersList.py and details.properties:

java weblogic.WLST usersList.py

The “insecure protocol” warning in the output below is WLST noting that the connection uses plain t3; point admin.url at the SSL port (t3s, as configured in the first article on this page) or the administration port to get rid of it.

Output when show.all.authenticator.userlist=true:

java weblogic.WLST usersList.py

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

Connecting to t3://localhost:7001 with userid weblogic ...
Successfully connected to Admin Server 'AdminServer' that belongs to domain 'Domain_7001'.

Warning: An insecure protocol was used to connect to the
server. To ensure on-the-wire security, the SSL port or
Admin port should be used instead.

======================================================================
Below are the List of USERS which are in the: "DefaultAuthenticator"
======================================================================
1 - weblogic
2 - TestUserOne
3 - TestUserTwo
4 - TestUserThree
5 - TestUserFour
6 - TestUserFive
======================================================================
======================================================================
Below are the List of USERS which are in the: "RavishAuth"
======================================================================
1 - DB-weblogic-1
2 - DB-weblogic-2
3 - DB-weblogic-3
4 - weblogic
======================================================================

Output when show.all.authenticator.userlist=false:

java weblogic.WLST usersList.py

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

Connecting to t3://localhost:7001 with userid weblogic ...
Successfully connected to Admin Server 'AdminServer' that belongs to domain 'Domain_7001'.

Warning: An insecure protocol was used to connect to the
server. To ensure on-the-wire security, the SSL port or
Admin port should be used instead.

======================================================================
Below are the List of USERS which are in the: "DefaultAuthenticator"
======================================================================
1 - weblogic
2 - TestUserOne
3 - TestUserTwo
4 - TestUserThree
5 - TestUserFour
6 - TestUserFive
======================================================================

Regards,
Ravish Mody


Secured Access Using Encrypted Credentials with WLST

Ravish Mody

We have been getting a lot of questions about how to avoid putting the cleartext username and password in WLST scripts or in their properties files. Hence I thought of writing a new article on it so that the answer is easier to find. A month back I wrote a post, Deploy Applications Using Encrypted Password With ANT — Security Alert, and the same technique works just fine with WLST.

I will be using storeUserConfig to create a user-configuration file, which holds the encrypted username and password, and an associated key file, which holds the secret key used to encrypt and decrypt them. Once these files exist they can be used from any WLST script or properties file. Note what this buys you: the credentials are no longer readable in the script, but whoever can read both files can still connect as that user, so the key file has to be protected as carefully as the password itself.

Steps to create the user-configuration file and the key file:

There are two ways to create them.

1. weblogic.Admin command:

Option-1). Using the weblogic.Admin utility (deprecated since WebLogic Server 9.0 in favour of WLST, but still usable where present) with the STOREUSERCONFIG command:

java weblogic.Admin -url t3://localhost:7001 -username weblogic -password weblogic -userconfigfile C:\Security_Files_Dir\domain_A_userConfig.file -userkeyfile C:\Security_Files_Dir\domain_A_key.file STOREUSERCONFIG

2. WLST Commands:

Option-2). Create the user-configuration file and the key file with the WLST storeUserConfig() command:

Step-1) Start WLST after running setWLSEnv.sh in the command prompt.

java weblogic.WLST

Step-2) Connect to the WebLogic Admin Server.

connect('weblogic','weblogic','t3://localhost:7001')

Step-3) Store the user configuration. WLST asks for confirmation before it writes a new key file.

storeUserConfig('/someDirectory/MyUserConfigFile','/someDirectory/MyUserKeyFile')

Here:
someDirectory = path where the two files are created
MyUserConfigFile = the user-configuration file (encrypted username and password)
MyUserKeyFile = the key file (the secret that decrypts the configuration file)

Steps to use the user configuration file and key file in any WLST

Now we can use these files in any WLST scripts or in properties file, so lets look into it one by one

1. WLST script:

Normally we pass the cleartext username and password to connect() together with the URL, as shown below:

connect('weblogic','weblogic','t3://localhost:7001')

With the user-configuration and key files created, the command becomes:

connect(userConfigFile='/someDirectory/MyUserConfigFile',userKeyFile='/someDirectory/MyUserKeyFile',url='t3://localhost:7001')

Where:
userConfigFile = path of the user-configuration file.
userKeyFile = path of the key file.
url = URL of the server to connect to.

2. Properties file

A properties file lets you change connection values in one place without touching the WLST script that holds the business logic. Here are the changes, before and after:

# Before (When you are NOT using user-configuration and the key files)

In *.properties files

admin.url=t3://localhost:7001
admin.username=weblogic
admin.password=weblogic

In WLST script

adminUrl = configProps.get("admin.url")
adminUser = configProps.get("admin.username")
adminPassword = configProps.get("admin.password")

connect(adminUser,adminPassword,adminUrl)

# After (When using user-configuration and the key files)

In *.properties files

admin.url=t3://localhost:7001
admin.username=/home/rmody/JBoss_Data/Samples/WLS/secure/myuserconfigfile.secure
admin.password=/home/rmody/JBoss_Data/Samples/WLS/secure/myuserkeyfile.secure

In WLST script

adminUrl = configProps.get("admin.url")
adminUser = configProps.get("admin.username")
adminPassword = configProps.get("admin.password")

connect(userConfigFile=adminUser,userKeyFile=adminPassword,url=adminUrl)

The property names admin.username and admin.password are kept so the rest of the script stays unchanged, but they now carry the paths of the user-configuration file and the key file; the keyword arguments mean the same as in the WLST-script case above.

This way you can use your user-configuration and key files instead of cleartext credentials. Keep the two files outside the script’s source tree, readable only by the account that runs WLST, and never check them into version control together.
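The checks below are an added example, not part of the original article: they verify that a properties file in the “After” layout above no longer carries a cleartext admin.password, and that the two files it points at (as produced by storeUserConfig()) are owned by the current user and have no group/other permission bits. The file names in the usage line are placeholders.

```shell
#!/bin/sh
# wlst_creds_audit.sh - added example; not part of the original article.
# Checks (a) that a WLST properties file no longer carries a cleartext
# admin.password and (b) that the user-configuration and key files it points
# at are owned by the current user and readable by nobody else. Anyone who
# can read both files can connect() as that user, so the key file needs the
# same protection the password had. File names in the usage are placeholders.

# Value of a key in a Java .properties file (first occurrence; key is a regex).
prop_value() {  # file key-regex
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Does the value look like a path (POSIX absolute or Windows drive letter)?
looks_like_path() {
  case "$1" in
    /*|[A-Za-z]:*) return 0 ;;
    *)             return 1 ;;
  esac
}

# 0: admin.password is a path to a key file; 1: cleartext secret; 2: not set.
check_properties() {  # properties-file
  val=$(prop_value "$1" 'admin\.password')
  if [ -z "$val" ]; then echo "$1: admin.password not set" >&2; return 2; fi
  if looks_like_path "$val"; then
    echo "$1: admin.password points at a key file ($val)"; return 0
  fi
  echo "$1: admin.password is a cleartext secret" >&2
  return 1
}

# 0 if the file exists, belongs to the current uid and has no group/other
# permission bits (mode 600 or stricter); 1 otherwise.
check_secret_file() {  # file
  if [ ! -f "$1" ]; then echo "$1: missing" >&2; return 1; fi
  perms=$(ls -ldn "$1" | cut -c5-10)        # group+other part of the mode string
  owner=$(ls -ldn "$1" | awk '{print $3}')  # numeric uid of the owner
  if [ "$perms" != "------" ]; then
    echo "$1: group/other access ($perms); chmod 600 it" >&2; return 1
  fi
  if [ "$owner" != "$(id -u)" ]; then
    echo "$1: owned by uid $owner, not $(id -u)" >&2; return 1
  fi
  echo "$1: ok (owner-only)"
  return 0
}

# Audit a properties file in the "After" layout plus the two files it names.
audit_wlst_credentials() {  # properties-file
  rc=0
  check_properties "$1" || return $?
  check_secret_file "$(prop_value "$1" 'admin\.username')" || rc=1
  check_secret_file "$(prop_value "$1" 'admin\.password')" || rc=1
  return $rc
}

# Usage: sh wlst_creds_audit.sh details.properties
if [ $# -eq 1 ]; then audit_wlst_credentials "$1"; fi
```

A non-zero exit means either a cleartext password is still in the properties file or one of the secret files is missing, world/group readable, or owned by somebody else; run it from the same account that runs the WLST scripts, since the owner check compares against that uid.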


Regards,

Ravish Mody


Copyright © 2010-2012 Middleware Magic. All rights reserved.