Tag: Security

WLST Script to Change Username and Password For All DataSources

Ravish Mody

Many times we have been asked whether there is a script that can change the password of all the data sources at one time. Production domains often have a large number of data sources, and changing each password by hand takes a lot of time and effort.

So Jay and I sat together to put this script together and make your life easier. With the WLST script below you can change the username and password of every data source in a WebLogic domain in no time.

Hope this helps all the WebLogic administrators and makes their lives easier.

– Create a file called ChangePassDs.py and copy the code below into it.

#############################################################################
#
# @author Copyright (c) 2010 - 2011 by Middleware Magic, All Rights Reserved.
#
#############################################################################

# Admin credentials and URL: change these for your environment. Hard-coding
# the admin password here is fine for a demo but leaves it readable on disk;
# for real use, store it once with storeUserConfig() and connect with
# userConfigFile/userKeyFile instead.
print '*** Trying to Connect.... *****'
connect('weblogic','weblogic','t3://localhost:7001')
print '*** Connected *****'

# Every data source below receives the same new credentials, so only run this
# when all data sources share one database account.
newUser = 'NEW_USERNAMEA'
newPassword = 'NEW_ENC_PASSWORDA'   # clear text; WLST encrypts it on set()

edit()
startEdit()
cd('JDBCSystemResources')
allDS = cmo.getJDBCSystemResources()

for tmpDS in allDS:
  dsName = tmpDS.getName()
  print 'Changing Password & UserName for DataSource', dsName
  driverParams = '/JDBCSystemResources/' + dsName + '/JDBCResource/' + dsName + '/JDBCDriverParams/' + dsName
  cd(driverParams)
  print driverParams
  set('PasswordEncrypted', newPassword)
  # The 'user' driver property holds the database user name
  cd(driverParams + '/Properties/' + dsName + '/Properties/user')
  set('Value', newUser)
  print '*** CONGRATES !!! Username & Password has been Changed for DataSource:', dsName
  print ''
  print ''

save()
activate()

A few things to keep in mind:

  1. Change the connect() call (admin user name, password and URL) and the two set() values (the new password in set('PasswordEncrypted', ...) and the new user name in set('Value', ...)) according to your environment.
  2. Keep the indentation of the lines inside the for loop exactly as shown, or Jython will report a syntax error.
  3. Make sure you follow the 5 Steps mentioned in the WLST page.

Advantages of this script:

  1. Your work gets automated.
  2. The user name and password of all data sources can be changed in one run.
  3. Removing the set('Value', ...) line for the user name makes the script change only the passwords.
  4. You can enhance this script to change other properties as well.

Two caveats: the script writes the same user name and password into every data source, so it is only appropriate when all of them connect with one database account, and it assumes every data source has a 'user' driver property. If one of them has none, the cd() into .../Properties/user throws a WLSTException and the script stops with the edit session still locked; run undo() followed by stopEdit() (or cancelEdit()) to release it before trying again.
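As an added check, not part of the original post or its script, here is a small Python 3 audit that reads the domain's JDBC module files from config/jdbc/*-jdbc.xml and settles what you want to know before running ChangePassDs.py: which data sources actually share a database user, which ones have no 'user' driver property (the script's cd() into .../Properties/user would fail on those), and whether any still carries a clear-text <password> element instead of <password-encrypted>. The sample module documents, the data source names, the db.example.com URL and the {AES} value are constructed for this example and are not real domain data.

```python
r"""Audit a WebLogic domain's JDBC module files before a bulk credential change.

Each data source lives in DOMAIN_HOME/config/jdbc/<name>-jdbc.xml. For every
module this reports the 'user' driver property and how the password is stored,
then flags data sources sharing one database user, data sources without a
'user' property, and data sources holding a clear-text <password> element.
"""
import glob
import os
import xml.etree.ElementTree as ET
from collections import defaultdict


def _local(tag):
    # Drop the namespace so one parser handles both the www.bea.com and the
    # xmlns.oracle.com jdbc-data-source schemas.
    return tag.rsplit('}', 1)[-1]


def _child(element, name):
    for child in element:
        if _local(child.tag) == name:
            return child
    return None


def parse_jdbc_module(xml_text):
    """Return {'name', 'user', 'password_storage'} for one *-jdbc.xml document."""
    root = ET.fromstring(xml_text)
    name_el = _child(root, 'name')
    result = {'name': (name_el.text or '').strip() if name_el is not None else '',
              'user': None, 'password_storage': 'none'}
    driver_params = _child(root, 'jdbc-driver-params')
    if driver_params is None:
        return result
    props = _child(driver_params, 'properties')
    for prop in (props if props is not None else []):
        key, value = _child(prop, 'name'), _child(prop, 'value')
        if key is not None and (key.text or '').strip() == 'user':
            result['user'] = (value.text or '').strip() if value is not None else ''
    # A clear-text <password> is the finding; <password-encrypted> is the norm.
    if _child(driver_params, 'password') is not None:
        result['password_storage'] = 'clear-text'
    elif _child(driver_params, 'password-encrypted') is not None:
        result['password_storage'] = 'encrypted'
    return result


def audit(modules):
    """modules: iterable of XML documents. Returns per-module rows plus the
    three finding lists described in the module docstring."""
    rows = [parse_jdbc_module(text) for text in modules]
    by_user = defaultdict(list)
    for row in rows:
        if row['user'] is not None:
            by_user[row['user']].append(row['name'])
    return {
        'rows': rows,
        'shared_users': {u: n for u, n in by_user.items() if len(n) > 1},
        'missing_user_property': [r['name'] for r in rows if r['user'] is None],
        'clear_text_password': [r['name'] for r in rows
                                if r['password_storage'] == 'clear-text'],
    }


def audit_domain(domain_home):
    """Audit a real domain directory (the path is yours to supply)."""
    texts = []
    pattern = os.path.join(domain_home, 'config', 'jdbc', '*-jdbc.xml')
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding='utf-8') as fh:
            texts.append(fh.read())
    return audit(texts)


def _sample_module(name, user=None, password_element='password-encrypted'):
    # Constructed stand-in for a config/jdbc/*-jdbc.xml file; the {AES} value
    # is a placeholder, not a real WebLogic ciphertext.
    user_xml = ('<properties><property><name>user</name><value>%s</value>'
                '</property></properties>' % user) if user else ''
    secret = '{AES}c2FtcGxl' if password_element == 'password-encrypted' else 'changeit'
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<jdbc-data-source xmlns="http://xmlns.oracle.com/weblogic/jdbc-data-source">'
            '<name>%s</name><jdbc-driver-params>'
            '<url>jdbc:oracle:thin:@db.example.com:1521:orcl</url>'
            '<driver-name>oracle.jdbc.OracleDriver</driver-name>%s'
            '<%s>%s</%s></jdbc-driver-params>'
            '<jdbc-data-source-params><jndi-name>jdbc/%s</jndi-name>'
            '</jdbc-data-source-params></jdbc-data-source>'
            % (name, user_xml, password_element, secret, password_element, name))


SAMPLE_MODULES = [
    _sample_module('SalesDS', user='app_user'),
    _sample_module('ReportsDS', user='app_user'),
    _sample_module('AuditDS', user='audit_ro'),
    _sample_module('LegacyDS', password_element='password'),
]

if __name__ == '__main__':
    report = audit(SAMPLE_MODULES)
    for row in report['rows']:
        print('%-10s user=%-10s password=%s' % (row['name'], row['user'], row['password_storage']))
    print('shared users        :', report['shared_users'])
    print('no user property    :', report['missing_user_property'])
    print('clear-text password :', report['clear_text_password'])
```

Run it as-is to see the report for the constructed samples, or call audit_domain('/path/to/your/domain') against a real domain directory. It runs in plain CPython outside WLST, since it only reads the XML that WebLogic writes; run it once before the rotation to confirm every data source really belongs to the account you are rotating, and once after to confirm no clear-text password was left behind.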

Do let us know if this WLST script helped you

Regards,

Ravish Mody


Common NodeManager Issues in WebLogic

Hi,

Jay SenSharma

Actual Post Location: http://middlewaremagic.com/weblogic/?page_id=241

Many times we face a very common issue while configuring a domain which has some remote Managed Servers assigned to a Machine. The issues we might face are “NodeManager is Inactive”, “SSLException”, “Hostname Verification failed”, “domain salt not found”, etc.

=========Issue-1).While Starting the Nodemanager if you see the following Exception …

<Fatal error in node manager server>
weblogic.nodemanager.common.ConfigException: Native version is enabled but node manager native library could not be loaded
at weblogic.nodemanager.server.NMServerConfig.initProcessControl(NMServerConfig.java:212)
at weblogic.nodemanager.server.NMServerConfig.<init>(NMServerConfig.java:172)
at weblogic.nodemanager.server.NMServer.init(NMServer.java:174)
at weblogic.nodemanager.server.NMServer.<init>(NMServer.java:139)
at weblogic.nodemanager.server.NMServer.main(NMServer.java:286)
at weblogic.NodeManager.main(NodeManager.java:31)
Caused by: java.lang.UnsatisfiedLinkError: no nodemanager in java.library.path
at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1682)


Debugging—->Then please make sure that the library path is set properly. The variable is “LD_LIBRARY_PATH” on UNIX (Solaris/Linux) and “SHLIB_PATH” on HP-UX, and it must include the directory that holds the Node Manager native library:
Example:
(For Solaris/Linux)
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$WL_HOME/server/lib/solaris:$WL_HOME/server/lib/solaris/ociXXX_X
(For HP-UX)
SHLIB_PATH=$SHLIB_PATH:$WL_HOME/server/lib/hpux11:$WL_HOME/server/lib/hpux11/ociXXX_X
If no native library exists for your platform at all, Node Manager can also run in pure-Java mode by setting NativeVersionEnabled=false in nodemanager.properties, which is exactly the “Native version is enabled” switch the exception refers to.

=========Issue-2).If you see the SSL issues in the NodeManager Logs:

javax.net.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert was received from aaa.bbb.com – 44.46.5.15. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.

Debugging—-> Usually we get this kind of error while starting the server if the certificates or the SSL configuration are not correct. In this case we need to check that the certificates used by the Admin Server and the Node Manager are correct and that each side trusts the CA that issued the other side's certificate.

Scenario-1). If the Admin Server and the Node Manager are using the demo certificates that come with WebLogic by default, then we need to check that the DNS name is correct: the demo identity certificate is issued for the host name of the machine WebLogic was installed on, and hostname verification fails when the peer is reached under a different name. Just for testing it is fine to disable hostname verification for a while, to see whether the issue is the host name in the certificate or not. Specify the following flags in the JAVA_OPTIONS of startWebLogic.sh:
-Dssl.debug=true -Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.SSL.enforceConstraints=off
If the servers are started through the Node Manager, the Node Manager has its own hostname verification switch, so the corresponding flags must also go into startNodeManager.sh:
-Dssl.debug=true -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false -Dweblogic.security.SSL.enforceConstraints=off

-Dssl.debug=true only adds the handshake details and the reason a certificate was rejected to the logs, which is why it is worth enabling whenever an SSLException shows up in the server logs. The other two flags switch checks off: with hostname verification ignored, any certificate the server trusts is accepted for any host name, and enforceConstraints=off stops WebLogic from enforcing the Basic Constraints extension on the CA certificates in the chain. Use them only long enough to confirm the diagnosis, then fix the host name or replace the demo certificate with one issued for the right name, and remove the flags again; they should never stay in a production start script.

Debugging—-> Just to confirm whether the actual issue is with SSL or not, disable the SSL communication between the Admin Server and the Node Manager first. Node Manager listens over SSL by default; to switch it to plain text, set
SecureListener=false (in <WL_HOME>\common\nodemanager\nodemanager.properties)
and also change the machine's Listen Type from “SSL” to “Plain” in the Admin Console:
Machines -> Machine1 -> Node Manager -> Type (Plain)
Then the communication between the Admin Server and the Node Manager will no longer be over SSL. Treat this strictly as a test: with a plain listener, the Node Manager user name and password sent by the Admin Server and every start/stop command cross the network unencrypted, so switch both sides back to SSL (with the certificate problem fixed) once the diagnosis is done.

=========Issue-3).When you go to the Admin Console Node Manager monitoring page you see the Node Manager as “Not Reachable/ Inactive”:

Machine->Machine1->Monitoring:
Status: Inactive
Version: (not available)
Debugging—-> Please make sure that the Node Manager process is running and listening on the address and port configured for the machine, and that you have run nmEnroll() from WLST: the Node Manager must be enrolled in the domain before the Admin Server can talk to it. Please follow steps 7 and 8 from the link below to enroll the Node Manager in the WLS domain.
http://middlewaremagic.com/weblogic/2010/04/28/weblogic-clustering-in-remote-boxes/

=========Issue-4).If you see the following Error While starting your Nodemanager:

<Warning> <I/O error while reading domain directory: java.io.FileNotFoundException: Domain directory ‘F:\bea\wlserver_10.3\common\nodemanager’ invalid (domain salt file not found)>
java.io.FileNotFoundException: Domain directory ‘F:\bea\wlserver_10.3\common\nodemanager’ invalid (domain salt file not found)
at weblogic.nodemanager.server.DomainManager.initialize(DomainManager.java:81)
at weblogic.nodemanager.server.DomainManager.<init>(DomainManager.java:53)
at weblogic.nodemanager.server.NMServer.getDomainManager(NMServer.java:252)
at weblogic.nodemanager.server.Handler.handleDomain(Handler.java:218)
at weblogic.nodemanager.server.Handler.handleCommand(Handler.java:109)
at weblogic.nodemanager.server.Handler.run(Handler.java:66)
at java.lang.Thread.run(Thread.java:619)

Debugging—->Whenever you use WLST, never use a backslash as the path separator in a plain string: WLST is Jython, and in a Python string literal “\b” is a backspace and “\n” a newline, so the path Node Manager receives is not the one you typed. Use the following instead (note that I changed the backslashes to forward slashes):
wls:/base_domain/serverConfig> nmEnroll('F:/bea/user_projects/domains/YOUR_DOMAIN_NAME','F:/bea/wlserver_10.3/common/nodemanager')

Debugging—->Alternatively, if you still want to use backslashes, do the following (note the ‘r’ prefix before each path, which makes it a raw string in which backslashes are taken literally):
wls:/base_domain/serverConfig> nmEnroll(r'F:\bea\user_projects\domains\YOUR_DOMAIN_NAME',r'F:\bea\wlserver_10.3\common\nodemanager')
The domain name was also missing from the original command; use your own domain name where the edited command above says “YOUR_DOMAIN_NAME”.

Debugging—->If you still face the issue, copy the “SerializedSystemIni.dat” file from the “F:/bea/user_projects/domains/base_domain/security” directory into “F:/bea/wlserver_10.3/common/nodemanager/security” and restart your Node Manager. Better still, enroll the Node Manager again with nmEnroll(), which copies that file (along with nm_password.properties) for you, and then restart it. Keep in mind that SerializedSystemIni.dat is the salt from which the domain's encryption key is derived: anyone holding it together with config.xml can recover the encrypted passwords, so copy it over a trusted channel and keep the nodemanager/security directory readable only by the account that runs Node Manager.
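Added example, not part of the original post: a plain Python 3 script that reproduces the escape problem behind Issue-4 and checks both fixes. It takes the Node Manager home from the post exactly as it would be typed, shows the string Jython actually hands to nmEnroll(), lists the control characters that ended up in it, and confirms that the forward-slash form and the r'' raw string name the same directory. The domain path from the first command is included only to show that under Python 3 it is rejected outright; nothing here talks to WebLogic.

```python
r"""Why nmEnroll('F:\bea\...') ends in "domain salt file not found".

WLST is Jython, so a path typed as a plain string literal goes through Python
escape processing first: \b turns into a backspace and \n into a newline, and
the directory Node Manager is finally asked to open does not exist. This shows
the corruption and checks the two fixes given above (forward slashes, or an
r'' raw string).
"""
import ast
import warnings
from pathlib import PureWindowsPath


def interpret_literal(source, raw=False):
    """Return the string the Python/Jython parser produces for `source` written
    as a quoted literal, i.e. what nmEnroll() really receives."""
    with warnings.catch_warnings():
        warnings.simplefilter('ignore')   # invalid escapes such as \w only warn
        return ast.literal_eval(('r' if raw else '') + "'" + source + "'")


def control_chars(path):
    """(index, repr) of every control character hiding in a path."""
    return [(i, repr(ch)) for i, ch in enumerate(path) if ord(ch) < 0x20]


def same_location(a, b):
    """True if two Windows paths name the same directory whatever separator
    style they use, which is why the forward-slash form works."""
    return PureWindowsPath(a) == PureWindowsPath(b)


# The Node Manager home from the post, exactly as a user would type it.
TYPED_NM_HOME = r'F:\bea\wlserver_10.3\common\nodemanager'

if __name__ == '__main__':
    received = interpret_literal(TYPED_NM_HOME)
    print('typed             :', TYPED_NM_HOME)
    print('received by WLST  :', repr(received))
    print('control characters:', control_chars(received))
    print("r'' raw string    :", repr(interpret_literal(TYPED_NM_HOME, raw=True)))
    print('same dir as F:/bea/wlserver_10.3/common/nodemanager:',
          same_location('F:/bea/wlserver_10.3/common/nodemanager', TYPED_NM_HOME))
    # The domain path is worse still: under Python 3 the \u of \user_projects is
    # a truncated \uXXXX escape and the literal does not even compile. (Jython
    # 2.x, which WLST runs on, lets \u through in a plain string, but the \b of
    # \bea still becomes a backspace there.)
    try:
        interpret_literal(r'F:\bea\user_projects\domains\YOUR_DOMAIN_NAME')
    except (SyntaxError, ValueError) as exc:
        print('domain path rejected:', exc)
```

The raw-string and forward-slash results are the same PureWindowsPath, which is the whole point of the two fixes; the backspace and newline in the plain-literal result are why Node Manager reports the directory as invalid even though it exists on disk.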

Practical Implementation Of Above Theory

http://forums.oracle.com/forums/thread.jspa?messageID=4497751

http://forums.oracle.com/forums/thread.jspa?messageID=4483537&tstart=0

http://forums.oracle.com/forums/thread.jspa?messageID=4466417

http://forums.oracle.com/forums/thread.jspa?threadID=1030788

http://forums.oracle.com/forums/thread.jspa?messageID=4272137

http://forums.oracle.com/forums/thread.jspa?messageID=4277611

http://forums.oracle.com/forums/thread.jspa?messageID=4526851

Thanks
Jay SenSharma


Changing UserLockoutDuration Using JMX 9.x and above

Hi,

Jay SenSharma

Here is a simple example of changing the UserLockoutDuration using JMX code. This sample uses the new style of MBeans, so you can use this JMX code for any WebLogic version from WLS 9.x onwards. Thanks to Mr. Alecomputacao for giving me the idea to write this very useful JMX code. http://middlewaremagic.com/weblogic/?p=2778#comment-1829

This JMX code illustrates that if we want to make any configuration-related change, we first of all need to get the “EditServiceMBean” object reference. This is a must because from WLS 9.x onwards WebLogic Server has the Change Management feature: until you press the “Lock & Edit” button in the Admin Console (or, from JMX, call startEdit() on the ConfigurationManager), you cannot make any changes.

Step1). Please create a directory somewhere in your filesystem, like “C:\UserLockout”.

Step2). Write the following JMX code into the file “UserLockoutTest.java” inside the above directory:


import java.io.IOException;
import java.net.MalformedURLException;
import java.util.Hashtable;
import javax.management.Attribute;
import javax.management.MBeanServerConnection;
import javax.management.MalformedObjectNameException;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.naming.Context;

public class UserLockoutTest {
    private static MBeanServerConnection connection;
    private static JMXConnector connector;
    // Entry point into the Edit MBean server; everything else is reached from it.
    private static final ObjectName service;
    static {
        try {
            service = new ObjectName("com.bea:Name=EditService,Type=weblogic.management.mbeanservers.edit.EditServiceMBean");
        } catch (MalformedObjectNameException e) {
            throw new AssertionError(e.getMessage());
        }
    }

    /** Connects to the Edit MBean server of the Admin Server over t3. */
    public static void initConnection(String hostname, String portString, String username, String password)
            throws IOException, MalformedURLException {
        String protocol = "t3";
        int port = Integer.parseInt(portString);
        String jndiroot = "/jndi/";
        String mserver = "weblogic.management.mbeanservers.edit";
        JMXServiceURL serviceURL = new JMXServiceURL(protocol, hostname, port, jndiroot + mserver);
        Hashtable<String, String> h = new Hashtable<String, String>();
        h.put(Context.SECURITY_PRINCIPAL, username);
        h.put(Context.SECURITY_CREDENTIALS, password);
        h.put(JMXConnectorFactory.PROTOCOL_PROVIDER_PACKAGES, "weblogic.management.remote");
        connector = JMXConnectorFactory.connect(serviceURL, h);
        connection = connector.getMBeanServerConnection();
    }

    private ObjectName configurationManager() throws Exception {
        return (ObjectName) connection.getAttribute(service, "ConfigurationManager");
    }

    /** Equivalent of "Lock & Edit": wait up to 60 s for the lock and hold it at most 120 s. */
    public ObjectName startEditSession() throws Exception {
        ObjectName domainConfigRoot = (ObjectName) connection.invoke(configurationManager(), "startEdit",
                new Object[] { new Integer(60000), new Integer(120000) },
                new String[] { "java.lang.Integer", "java.lang.Integer" });
        if (domainConfigRoot == null) {
            throw new Exception("Somebody else is editing already");
        }
        return domainConfigRoot;
    }

    /** Sets LockoutDuration (in minutes) on the given UserLockoutManager MBean. */
    public void editUserLockoutDuration(ObjectName lockoutManager, Integer duration) throws Exception {
        connection.setAttribute(lockoutManager, new Attribute("LockoutDuration", duration));
        System.out.println("Changed the UserLockoutDuration to " + duration);
    }

    public void save() throws Exception {
        connection.invoke(configurationManager(), "save", null, null);
    }

    public ObjectName activate() throws Exception {
        return (ObjectName) connection.invoke(configurationManager(), "activate",
                new Object[] { new Long(120000) }, new String[] { "java.lang.Long" });
    }

    /** Releases the edit lock and discards unsaved changes when something went wrong. */
    public void cancelEdit() {
        try {
            connection.invoke(configurationManager(), "cancelEdit", null, null);
        } catch (Exception ignored) {
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("Usage: java UserLockoutTest <hostname> <port> <username> <password>");
            System.exit(1);
        }
        UserLockoutTest ewb = new UserLockoutTest();
        initConnection(args[0], args[1], args[2], args[3]);
        boolean done = false;
        try {
            ewb.startEditSession();
            // Security provider MBeans are named in the "Security" JMX domain.
            ObjectName lockoutManager = new ObjectName("Security:Name=myrealmUserLockoutManager");
            ewb.editUserLockoutDuration(lockoutManager, new Integer(2222));
            ewb.save();
            ewb.activate();
            done = true;
        } finally {
            if (!done) {
                ewb.cancelEdit();
            }
            connector.close();
        }
    }
}

Step3). Start the WebLogic Server and note the LockoutDuration value you see in the Admin Console:

Home > Summary of Security Realms > myrealm > Configuration > User Lockout (Page)

Step4). Now open a command prompt and run the “setWLSEnv.cmd” script to set the environment (“CLASSPATH” and “PATH”) in that command prompt.

Step5). Compile and run the above program, passing the Admin Server host, port and an administrator's user name and password as arguments:

javac UserLockoutTest.java
java UserLockoutTest <hostname> <port> <username> <password>

Passing the password on the command line leaves it visible in the process list and in the shell history, so use a test account here, or read the password from a prompt if you adopt this code for real administration.

(Screenshot: UserLockout_JMX_Code)

Step6). Log in to the Admin Console again and double-check that the UserLockoutDuration has changed:

(Screenshot: UserLocaout_Changes_AdminConsole)

NOTE: A UserLockoutDuration change is not a dynamic change, so you will have to restart your server for it to take effect. As soon as you make the change you will see the following messages in the server STDOUT:


<Aug 28, 2010 6:02:11 PM IST> <Warning> <Management> <BEA-141239> <The non-dynamic attribute LockoutDuration on weblogic.management.security.authentication.UserLockoutManagerMBeanImpl@860bb40f ([7001_EJB_Domain]/SecurityConfiguration[7001_EJB_Domain]/Realms[myrealm]/ UserLockoutManager[UserLockoutManager]) has been changed. This may require redeploying or rebooting configured entities>

<Aug 28, 2010 6:02:11 PM IST> <Warning> <Management> <BEA-141238> <A non-dynamic change has been made which affects the server AdminServer. This server must be rebooted in order to consume this change.>


Thanks

Jay SenSharma


Copyright © 2010-2012 Middleware Magic. All rights reserved. |