Friday, September 27, 2013

Secure Socket Layer

Internet traffic needs to be encrypted when we are passing confidential data across the network. Not everything on the internet needs to be encrypted, but when we are contacting an online bank to perform operations, we should encrypt data like the user name and password before sending them to the web site.

When you logon to your bank’s website, your traffic travels through your ISP’s network. If your bank is not a customer of the same ISP, your data will travel through at least one more ISP’s network, and often a few other networks. So there are many opportunities for criminals to “sniff” your traffic. If you are connected to the internet with a wireless connection, then your account info is literally floating around in the air where people nearby can receive it.

So, in layman's terms,

SSL, or Secure Sockets Layer, is a cryptographic protocol that provides data integrity and confidentiality for communications over TCP/IP networks.

SSL allows the application to communicate across a network in a way designed to prevent eavesdropping, tampering, and message forgery.

Encrypting and decrypting data takes additional computer power. So, most of the time as you surf the web, none of your traffic is encrypted until you go to a website where money is involved such as your bank, broker, or credit card company.

How Does the Encryption Work
The one big question is how the encryption works in the SSL case. We will look at asymmetric encryption and symmetric encryption and see how they work together to achieve it.

Asymmetric Encryption or Public-Key Cryptography
In this mode there are two keys:
public key
private key

Users normally take the public key made available by the server and use it to encrypt data. Once the encrypted data arrives at the destination, the private key is used to decrypt the message. In this way only the intended recipient is able to decrypt the message.

The most common asymmetric encryption algorithm is RSA.

Symmetric Encryption

Symmetric encryption uses a single key to both encrypt and decrypt data. Both the sender and the receiver need the same key to communicate.

Which Is Stronger
There are two important points we need to consider when using SSL:
computational overhead
ease of distribution

Asymmetric keys are typically 1024 or 2048 bits and symmetric keys are typically 128 or 256 bits. Since the key size is bigger, the asymmetric keys are generally stronger (the two lengths are not directly comparable, though, because the two kinds of key are attacked in different ways).

But since the key size is much smaller, the computation for symmetric keys is far cheaper. The main problem is that we use the same key for both encryption and decryption, so that one key has to be delivered to the other party without anyone else seeing it.

This is not the case with asymmetric keys. Two keys are used, and the public key can be distributed over the internet without any problem, as only the private key can decrypt what it encrypts.

Public Key Infrastructure (PKI)
This is the set of hardware, people, software and policies that are needed to create, manage, distribute, use, store, and revoke digital certificates. So a PKI is what binds keys to user identities by means of a Certificate Authority (CA).

The public key infrastructure provides for a digital certificate that can identify an individual or an organization and directory services that can store and, when necessary, revoke the certificates.

A public key infrastructure consists of:

A certificate authority (CA) that issues and verifies digital certificates. A certificate includes the public key or information about the public key

A registration authority (RA) that acts as the verifier for the certificate authority before a digital certificate is issued to a requestor

One or more directories where the certificates (with their public keys) are held

A certificate management system

So coming to the encryption, this is how it works when we contact a web site:

1. The server sends its asymmetric public key to the user.
2. The user takes the asymmetric public key, creates a symmetric key, encrypts the symmetric key with the asymmetric public key provided by the server, and sends the encrypted data to the server.
3. The server decrypts the encrypted data using the asymmetric private key available on the server and gets the symmetric key sent by the user.
4. From now on the client and server communicate using the symmetric key.

Asymmetric keys = RSA
Symmetric keys = Twofish, AES, or Blowfish, AES currently being the most popular

Certificate
All browsers are able to connect to servers over SSL. But in order for the communication to be encrypted we need something called a certificate.

What Is a Certificate
The certificate contains the server's public key (the matching private key stays on the server), and this key pair is what lets the data communication be encrypted.

The certificate also includes a SUBJECT element which tells us about the identity of the certificate/website owner.

How Do We Get This Certificate
In order to get a certificate we first need to create a Certificate Signing Request (CSR) on the server.

The CSR will contain encoded information specific to your company and domain name; this information is known as a Distinguished Name or DN. The DN for most servers contains the following fields: Country, State (or province), Locality (or city), Organization, Organizational Unit, and Common Name.

Generating the CSR creates the private key and a data file (the CSR itself), and we send the CSR to the Certificate Authority (CA). The CA uses the CSR data to issue a certificate for the public key that matches your private key.

Once you receive the SSL certificate, you install it on your server. You also install the intermediate certificates that establish the credibility of your SSL certificate by tying it to your CA's root certificate. This is called the certificate chain.

Anyone can create a certificate, but browsers only recognise certificates from known, trusted CAs. Browsers come with a pre-installed list of trusted CAs, known as the Trusted Root CA store.

Once the browser finds that the certificate chains to a trusted CA, it is good to connect to the server.

How Does the SSL Certificate Help in Securing the Connection

1. Browser connects to a web server (website) secured with SSL (https). Browser requests that the server identify itself.
2. Server sends a copy of its SSL certificate, including the server's public key.
3. Browser checks the certificate root against its list of trusted CAs, and that the certificate is unexpired, unrevoked, and that its common name is valid for the website it is connecting to. If the browser trusts the certificate, it creates, encrypts, and sends back a symmetric session key using the server's public key.
4. Server decrypts the symmetric session key using its private key and sends back an acknowledgement encrypted with the session key to start the encrypted session.
5. Server and browser now encrypt all transmitted data with the session key.
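As an added example (not part of the original post), here are the name and validity checks from step 3, written over a constructed certificate dict in the format that Python's ssl.SSLSocket.getpeercert() returns; the dict values are made up for illustration, and the trust-chain and revocation checks are left to the real TLS stack.

```python
import ssl
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns for a
# verified peer. It is not a real certificate; the names and dates are made up.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.net")),
    "notBefore": "Sep 27 00:00:00 2013 GMT",
    "notAfter": "Sep 27 23:59:59 2015 GMT",
}


def _dns_name_matches(pattern, hostname):
    """Match one DNS name from the certificate against the requested host.

    A wildcard is honoured only as the whole leftmost label and only for a
    single label (api.example.net matches *.example.net, a.b.example.net and
    example.net do not), which is how browsers apply RFC 6125."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Refuse wildcards that would cover a whole TLD such as *.com.
    if len(p_labels) != len(h_labels) or len(h_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """The browser's 'name is valid for this website' check.

    subjectAltName DNS entries take precedence; the commonName in the subject
    is only consulted when the certificate carries no SAN at all."""
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return any(_dns_name_matches(name, hostname) for name in names)


def is_within_validity(cert, now=None):
    """The 'unexpired' check, parsing notBefore/notAfter exactly as
    getpeercert() reports them (via ssl.cert_time_to_seconds)."""
    now = time.time() if now is None else now
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return start <= now <= end


def browser_checks(cert, hostname, now=None):
    """Return the list of reasons to reject the certificate for this host.

    An empty list means the certificate passes the name and validity checks
    of step 3; chain and revocation checks are done by the TLS library."""
    problems = []
    if not is_within_validity(cert, now):
        problems.append("certificate is expired or not yet valid")
    if not hostname_matches(cert, hostname):
        problems.append("certificate name does not match %s" % hostname)
    return problems


if __name__ == "__main__":
    # 1 March 2014 12:00 UTC, inside the sample certificate's validity window.
    print(browser_checks(SAMPLE_CERT, "www.example.com", now=1393675200))
    print(browser_checks(SAMPLE_CERT, "login.example.com", now=1393675200))
```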

In the next articles we will see how we can configure SSL on servers.

Web Logic Node Manager Issues

When I was trying to Configure a Node Manager I faced different kinds of exceptions. One of them is

WARNING: Uncaught exception in server handlerjavax.net.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert was received from 127.0.0.1 - 127.0.0.1. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.
javax.net.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert was received from 127.0.0.1 - 127.0.0.1. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.

Even though the Node Manager started successfully, I was unable to perform any operation on the managed nodes.

We face these kinds of errors while starting servers through the Node Manager. They occur when the certificates or the SSL configuration are not correct, so in this case we need to check whether the certificates are correct.

If the Admin Server and the Node Manager are using the demo certificates that ship with WebLogic by default, then we need to check whether the DNS name in the certificate is correct.

Since I was testing the Node Manager, I disabled the host name verification to check whether the issue was with an incorrect host name in the certificate.

For doing this, I just passed
-Dweblogic.security.SSL.ignoreHostnameVerification=true in JAVA_OPTS to the startServer.sh script.
Meanwhile, for the startNodeManager.sh script too, I added
-Dweblogic.nodemanager.sslHostNameVerificationEnabled=false

In order to confirm that the issue was with SSL, we can change the communication between the Admin Server and the Node Manager to plain text.

We can set
SecureListener=false in <WL_HOME>\common\nodemanager\nodemanager.properties

and also, under Machines, change the Listen Type from "SSL" to "Plain" in the Admin Console:
Machines -> Machine1 -> Node Manager -> Type (Plain)
Then the communication between the Admin Server and the Node Manager will not be over SSL.

Once the changes are done, the communication between the Node Manager and the Admin Server is successful.

Thursday, September 26, 2013

Java Issues : java.lang.OutOfMemoryError: GC overhead limit exceeded

In many cases we see Out Of Memory issues when working with Java applications on WebLogic or other servers.

"GC overhead limit exceeded" is thrown by the garbage collectors of the JVM, generally by the serial or parallel collectors.

The issue comes when too much time is spent doing garbage collection and less than 2% of the heap is recovered.

This may be due to applications that run for a very long time, or to threads that are stuck. Because of such threads, the objects that were loaded are not reclaimed and are held by the stuck threads for a long time.

The serial or parallel collectors throw this exception, and the feature is designed to prevent applications from running for an extended period of time while making little or no progress because the heap is too small. If necessary, this feature can be disabled by adding the option -XX:-UseGCOverheadLimit to the command line.

If the new generation size is explicitly defined with JVM options, decrease the size or remove the relevant JVM options entirely to un-constrain the JVM and provide more space in the old generation for long-lived objects.

If there is unintended object retention, we need to check the code for changes. If the retention looks normal and it is a load issue, the heap size would need to be increased.

Note
The New Generation Size is specified by -XX:NewSize=n

Set this value to a multiple of 1024 that is greater than 1MB. As a general rule, set -XX:NewSize to be one-fourth the size of the maximum heap size. Increase the value of this option for larger numbers of short-lived objects.

Be sure to increase the New generation as you increase the number of processors.

To find what values were given to the JVM, use jmap against the process id, like

$ jmap -heap 9977

Heap Configuration:
MinHeapFreeRatio = 40
MaxHeapFreeRatio = 70
MaxHeapSize = 268435456 (256.0MB)
NewSize = 1048576 (1.0MB)
MaxNewSize = 4294901760 (4095.9375MB)
OldSize = 4194304 (4.0MB)
NewRatio = 8
SurvivorRatio = 8
PermSize = 16777216 (16.0MB)
MaxPermSize = 134217728 (128.0MB)

More To Come , Happy learning :-)

Web logic : Node Manager

In production environments we always maintain several clusters that are spread over multiple physical machines. In the case of WebLogic, we create managed nodes for different clusters on different machines to provide high availability and also to eliminate single points of failure.

To allow remote WebLogic nodes to be started, stopped and recycled, WebLogic provides a utility called "Node Manager".

There are two types of Node Manager available:
Java based (runs under the JVM)
Script based (not available on Windows)

On Windows machines only the Java-based Node Manager is supported, whereas on Unix/Linux both the Java-based and the script-based Node Manager are supported.

The Java-based Node Manager (more secure) is secured using SSL, whereas security in the script-based Node Manager (less secure) is implemented more simply using ssh or rsh.

The Node Manager component is optional, but it is a good utility if you need to manage remote WebLogic nodes. The other way is to go to the remote machine and perform operations on those instances manually.

In this article we will see how we can configure the Node Manager on the local system and use it to perform operations on the nodes.

Node Manager is installed per physical machine and is not linked to any domain. If there are multiple domains on one machine, all domains can use the same Node Manager.

Let's configure a machine and a Node Manager and see how they work.

Configure a Machine
1. Login to the AdminServer console
  1. Navigate through Domain Structure to %DOMAIN_NAME% -> Environment -> Machines
  2. Create a new machine
    Name : localhost
    OS : Other
    In the next screen,
  3. Choose Type “SSL”
  4. Listen Address : localhost
  5. Keep The Port as 5556.
  6. Save
Assign Servers to Machines

Assign a managed node to the machine that hosts it.
Take Lock & Edit and navigate through
%DOMAIN_NAME% -> Environment -> Machines -> %MACHINE_NAME% -> Configuration tab -> Servers tab

Click Add to add a managed node that exists on the machine.
Save

Once we have added the servers to the machines, we can go to $BEA_HOME/wlserver_10.3/server/bin and run the
startNodeManager.sh script

[root@vx111a bin]# ./startNodeManager.sh
+ CLASSPATH=/root/Oracle/Middleware/patch_wls1036/profiles/default/sys_manifest_classpath/(Removed Since too Long)
+ '[' '!' -z '' ']'
+ '[' '!' -z '' ']'
+ export CLASSPATH
+ export PATH
+ cd /root/Oracle/Middleware/wlserver_10.3/common/nodemanager
+ set -x
+ '[' '' '!=' '' ']'
+ '[' '' '!=' '' ']'
+ /soa/jdk1.7.0_25/bin/java -client -Xms32m -Xmx200m -XX:MaxPermSize=128m -Dcoherence.home=/root/Oracle/Middleware/coherence_3.7 -Dbea.home=/root/Oracle/Middleware -Xverify:none -Djava.security.policy=/root/Oracle/Middleware/wlserver_10.3/server/lib/weblogic.policy -Dweblogic.nodemanager.javaHome=/soa/jdk1.7.0_25 weblogic.NodeManager -v
<Sep 26, 2013 7:02:46 AM> <INFO> <Loading domains file: /root/Oracle/Middleware/wlserver_10.3/common/nodemanager/nodemanager.domains>
Sep 26, 2013 7:02:46 AM weblogic.nodemanager.server.NMServerConfig initDomainsMap
INFO: Loading domains file: /root/Oracle/Middleware/wlserver_10.3/common/nodemanager/nodemanager.domains
<Sep 26, 2013 7:03:18 AM> <INFO> <Loading identity key store: FileName=/root/Oracle/Middleware/wlserver_10.3/server/lib/DemoIdentity.jks, Type=jks, PassPhraseUsed=true>
Sep 26, 2013 7:03:18 AM weblogic.nodemanager.server.SSLConfig loadKeyStoreConfig
INFO: Loading identity key store: FileName=/root/Oracle/Middleware/wlserver_10.3/server/lib/DemoIdentity.jks, Type=jks, PassPhraseUsed=true
<Sep 26, 2013 7:03:18 AM> <WARNING> <Node manager configuration properties file '/root/Oracle/Middleware/wlserver_10.3/common/nodemanager/nodemanager.properties' not found. Using default settings.>
Sep 26, 2013 7:03:18 AM weblogic.nodemanager.server.NMServer <init>
WARNING: Node manager configuration properties file '/root/Oracle/Middleware/wlserver_10.3/common/nodemanager/nodemanager.properties' not found. Using default settings.
<Sep 26, 2013 7:03:18 AM> <INFO> <Saving node manager configuration properties to '/root/Oracle/Middleware/wlserver_10.3/common/nodemanager/nodemanager.properties'>
Sep 26, 2013 7:03:18 AM weblogic.nodemanager.server.NMServer <init>
INFO: Saving node manager configuration properties to '/root/Oracle/Middleware/wlserver_10.3/common/nodemanager/nodemanager.properties'
Node manager v10.3

Configuration settings:

NodeManagerHome=/root/Oracle/Middleware/wlserver_10.3/common/nodemanager
ListenAddress=
ListenPort=5556
ListenBacklog=50
SecureListener=true
AuthenticationEnabled=true
NativeVersionEnabled=true
CrashRecoveryEnabled=false
JavaHome=/soa/jdk1.7.0_25/jre
StartScriptEnabled=false
StopScriptEnabled=false
StartScriptName=startWebLogic.sh
StopScriptName=
LogFile=/root/Oracle/Middleware/wlserver_10.3/common/nodemanager/nodemanager.log
LogLevel=INFO
LogLimit=0
LogCount=1
LogAppend=true
LogToStderr=true
LogFormatter=weblogic.nodemanager.server.LogFormatter
DomainsFile=/root/Oracle/Middleware/wlserver_10.3/common/nodemanager/nodemanager.domains
DomainsFileEnabled=true
StateCheckInterval=500
UseMACBroadcast=false
DomainRegistrationEnabled=false
DomainsDirRemoteSharingEnabled=false

Domain name mappings:
base_domain -> /root/Oracle/Middleware/user_projects/domains/managed_domain
admin_domain -> /root/Oracle/Middleware/user_projects/domains/admin_domain

<Sep 26, 2013 7:03:18 AM EDT> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true>
<Sep 26, 2013 7:03:19 AM EDT> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
<Sep 26, 2013 7:03:19 AM EDT> <Info> <Security> <BEA-090908> <Using default WebLogic SSL Hostname Verifier implementation.>
<Sep 26, 2013 7:03:19 AM> <INFO> <Secure socket listener started on port 5556>
Sep 26, 2013 7:03:19 AM weblogic.nodemanager.server.SSLListener run
INFO: Secure socket listener started on port 5556
The Node Manager is Successfully Started.

Test
To test whether the Node Manager is working fine, go to the Machine tab -> Servers and try to recycle a managed node.

We can see that the recycle of the server will be started.

Node Manager Domains
Once the Node Manager is started successfully, the domains that need to be managed are loaded from the nodemanager.domains file which exists in $BEA_HOME/wlserver_10.3/common/nodemanager/

[root@vx111a nodemanager]# cat nodemanager.domains
#Domains and directories created by Configuration Wizard
#Thu Sep 19 08:12:45 EDT 2013
base_domain=/root/Oracle/Middleware/user_projects/domains/managed_domain
admin_domain=/root/Oracle/Middleware/user_projects/domains/admin_domain

There is also a way to enroll a new domain with the Node Manager by using WLST.

Set up Node Manager to restore servers to their last known state after a reboot
Open nodemanager.properties in $BEA_HOME/wlserver_10.3/common/nodemanager/
1. Set the CrashRecoveryEnabled property value to true
CrashRecoveryEnabled=true
2. Set the StartScriptEnabled property value to true to invoke the startWebLogic script
StartScriptEnabled=true
3. Set the StopScriptEnabled property value to true to invoke the stopWebLogic script and get the managed servers to shut down cleanly
StopScriptEnabled=true
4. Restart the Node Manager service after each change to the nodemanager.properties file

NodeManager Domain Username and password
1. Login to the AdminServer console
  1. Click on Domain name in the Domain Structure and navigate through %DOMAIN_NAME% -> Security tab -> General tab -> Advanced link
  2. Take Lock & Edit and fill in the Node Manager username, password and confirm password fields; these can be different from your WebLogic console password.

More To Come

Happy learning :-)

Weblogic : Migrating a Web Logic Domain from a 32 to a 64 bit JVM/Architecture

When we have a 32-bit OS, we have an issue with the allocation of memory.

A 32-bit OS is limited to allocating no more than 3 GB to a process in a Linux environment, or 2 GB in a Windows environment.

When this limit is reached, a migration to a 64-bit architecture is recommended.

Here are the steps for migrating a WebLogic domain from 32-bit to 64-bit.

Req:
WebLogic Server Version: 10.3.4.0
OS: Linux vx181d 2.6.18-348.el5xen #1 SMP Wed Nov 28 21:31:28 EST 2012 x86_64 x86_64 x86_64 GNU/Linux
JVM:java version "1.6.0_22"
Java(TM) SE Runtime Environment (build 1.6.0_22-b04)
Oracle JRockit(R) (build R28.1.1-13-139783-1.6.0_22-20101206-0136-linux-x86_64, compiled mode)

To create the migration template:

1. Execute $<WLS_HOME>/wlserver_10.3/common/bin/config_builder.sh
2. Create Domain Template.
3. Select Domain to migrate.
4. Enter the name of template and other info. Click next.
5. Using the Add button, select the libraries you want to add under the lib folder. Copy the JDBC data sources you would like to have under the config/jdbc folder. If you want to have a log4j configuration, copy log4j.xml under the domain root folder.
6. Select data base for the domain and click next.
7. Enter Admin Server Name and port numbers. Click next.
8. Enter username and password. Click next. Select No if you don't want to add users/groups/roles.
9. Click next until reach button create.

This will create a jar file which we will use to create the domain on the 64-bit machine.

To install and migrate the domain to the 64-bit architecture:

1. Install JVM Jrockit R28.1.1.13 on environment
2. Go to JRockit_Home/bin and execute
           $ java -d64 -jar wls1034_generic.jar
3. When prompted, select the JRockit JVM in the browse menu, and complete the installation.
4. Go to <WLS_HOME>/wlserver_10.3/common/bin
           execute $ ./config.sh
5. Select Create a new Weblogic domain
6. Select Base this domain on an existing template and select browse.
7. Select jar file that was created previously
8. Select Name of domain.
9. Select user name and password.
10. Select Jrockit SDK 1.6.0_22 and click next.
11. Confirm all JMS/JDBC/security configuration.
12. On select Optional Configuration, reconfigure if necessary.
13. Check on Configuration summary for all domain configuration.
14. Click on create, to finish up domain import.
Note: When installing a 64-bit WLS, it is always necessary to install the 64-bit JVM first and then run the generic installer with the -d64 option. If this is not done, the installation will be the default 32-bit version.


More to Come , happy learning :-)

Tuesday, September 24, 2013

Web Logic Tips

Web logic Server Over Load Protection
A WebLogic server instance can be in any of several states while it runs. WebLogic allows us to tune how the server behaves when it goes into an overloaded state.

A running server instance can fail as a result of out-of-memory exceptions or stuck application threads, or if one or more critical services become dysfunctional. A server instance monitors its health, and upon detecting that one or more critical subsystems are unstable, it declares itself FAILED.

We can make WebLogic perform a specific action when the server state goes to FAILED or to an overloaded state.

To configure it, go to Servers -> choose a server -> choose Overload on the left pane.

We can configure various options for how the server responds to various issues.

Light Weight Container
Starting a lightweight container with WebLogic is very easy. Normally, when a WebLogic server is started, the server type is wls. This server type starts all the services, but when we start the WebLogic server with the wlx option the server starts in a lightweight mode.

The "wlx" option starts a server instance that excludes the following services, making for a lighter weight runtime footprint:

Enterprise JavaBeans (EJB)
Java EE Connector Architecture (JCA)
Java Message Service (JMS)

Just pass "-DserverType=wlx" to the startWebLogic.sh script.

Bind IP address to Web Logic Servers
There are cases where we need to run a WebLogic server bound to a specific IP address. This helps when we have multiple WebLogic server instances running on the same machine, which has multiple network interfaces.

WebLogic provides a system property for choosing the address the instance binds to.

Bind the address as follows:

java -msXXm -mxXXm … -Dweblogic.system.bindAddr=xxx.xxx.xxx.xxx weblogic.Server

Open Multiple admin consoles Of Web Logic in same browser
There are cases where we need to open multiple admin consoles in the same browser. When we open a second console in the same browser, the first one gets logged out.

If one console is opened in Firefox and another in IE, neither logs out.

This is due to a cookie used by the admin console, ADMINCONSOLESESSION. When two consoles in one browser share the same cookie name there is a conflict. This can be eliminated as follows:

Go to admin console -> domain -> Configuration -> General -> Advanced

Edit the Console Cookie Name from ADMINCONSOLESESSION to something else.
Save the changes and restart.

More Still To Come , Happy Learning

Monday, September 23, 2013

Tomcat : Password Encryption Policy

Passwords in Tomcat are defined in the tomcat-users.xml file, and by default they are stored in plain text. Normally a UserDatabaseRealm exists in Tomcat which reads the users from tomcat-users.xml to authenticate them.

The plain text passwords can be replaced by using a digest facility available in Tomcat. Plain text passwords are not good inside production environments; they can be encoded by a method called digesting the passwords, which is provided by Tomcat itself.

The realm authenticates by comparing the stored password with the one that the user submitted. We can configure the Realm element to use digested passwords. The value for this attribute must be one of the digest algorithms supported by the java.security.MessageDigest class (SHA, MD2, or MD5).

When the authenticate() method of the Realm is called, the (cleartext) password specified by the user is itself digested by the same algorithm, and the result is compared with the value stored by the Realm. An equal match implies that the cleartext version of the original password is the same as the one presented by the user, so this user should be authorized.

Now let's see how we can configure Tomcat to use digested passwords.

1.Modify the server.xml file Realm Elements like

<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->

<Realm className="org.apache.catalina.realm.MemoryRealm" digest="MD5" />
</Realm>

In the above snippet I added the MemoryRealm with the digest set to MD5.

2. Create an MD5 digest of the password: go to the tomcat/bin location and run

./digest.sh -a MD5 secret
secret:5ebe2294ecd0e0f08eab7690d2a6ee69

In the above snippet I have created an MD5 digest of the string "secret", which I will use as the password.

3. Now that we have the MD5 digest, we put it into the tomcat-users.xml file as

<role rolename="manager-gui"/>
<user username="tomcat" password="5ebe2294ecd0e0f08eab7690d2a6ee69" roles="manager-gui"/>

4. Restart and open the Tomcat manager console with the user name and the (cleartext) password.
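As an added example (not from the post and not Tomcat's own code), the digest-and-compare step that authenticate() performs, run against a constructed tomcat-users.xml containing the MD5 value from step 2; the mapping from Tomcat's digest names to hashlib constructors is my assumption and only covers MD5 and SHA.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml mirroring step 3. The password attribute is the
# MD5 hex digest of "secret" as printed by digest.sh -a MD5 secret.
TOMCAT_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="tomcat" password="5ebe2294ecd0e0f08eab7690d2a6ee69" roles="manager-gui"/>
</tomcat-users>
"""

# Value of the Realm's digest attribute in server.xml mapped onto hashlib.
# Assumption: "SHA" in java.security.MessageDigest means SHA-1; MD2 is left out
# because hashlib does not offer it.
DIGEST_ALGORITHMS = {"MD5": hashlib.md5, "SHA": hashlib.sha1}


def load_users(xml_text):
    """Return {username: (stored_password, [roles])} from tomcat-users.xml."""
    root = ET.fromstring(xml_text)
    users = {}
    for user in root.iter("user"):
        roles = [r.strip() for r in user.get("roles", "").split(",") if r.strip()]
        users[user.get("username")] = (user.get("password"), roles)
    return users


def digest(cleartext, algorithm):
    """Hex digest of the cleartext, the same value digest.sh -a <algorithm> prints."""
    ctor = DIGEST_ALGORITHMS.get(algorithm)
    if ctor is None:
        raise ValueError("unsupported digest algorithm: %s" % algorithm)
    return ctor(cleartext.encode("utf-8")).hexdigest()


def authenticate(users, username, cleartext, algorithm="MD5"):
    """Mirror of Realm.authenticate(): digest what the user typed with the
    configured algorithm and compare it with the stored value.

    Returns the user's roles on success and None on failure. The comparison is
    constant-time so the check does not leak how many leading characters
    matched. Note that a plain unsalted digest like this only hides the
    password from someone reading the file; it is not a slow password hash."""
    entry = users.get(username)
    if entry is None:
        return None
    stored, roles = entry
    candidate = digest(cleartext, algorithm)
    if hmac.compare_digest(candidate.lower(), stored.lower()):
        return roles
    return None


if __name__ == "__main__":
    users = load_users(TOMCAT_USERS_XML)
    print(digest("secret", "MD5"))
    print(authenticate(users, "tomcat", "secret"))
```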

More to Come , Happy learning :-)

Weblogic : Admin Password Reset

There are many cases where we need to reset the admin password for WebLogic. Here is the process for resetting the password of the WebLogic admin account.

1. Set up the environment for the WebLogic domain

$ cd $MIDDLEWARE_HOME/user_projects/domains/{your_domain}/bin/
where your_domain is the domain name of your WebLogic domain, for example

$ cd /root/Oracle/MiddleWare/user_projects/domains/base_domain/bin

Execute the setDomainEnv.sh script

. ./setDomainEnv.sh

2. Shut down the WebLogic domain

3. Now change the user name and password in boot.properties. It is available at
/root/Oracle/MiddleWare/user_projects/domains/base_admin/servers/AdminServer/security

Open boot.properties and replace the user name and password values with plain text values.

4. Now go to the domain security location, which is
/root/Oracle/MiddleWare/user_projects/domains/base_domain/security
and rename DefaultAuthenticatorInit.ldift to DefaultAuthenticatorInit.ldift.old
(This step seems to be optional; try without doing it, but make sure you take a copy of the file.)

5.Now create a New password like

java -cp /root/Oracle/Middleware/wlserver_10.3/server/lib/weblogic.jar:$CLASSPATH weblogic.security.utils.AdminAccount hello hello123 .

I am giving the user name as hello and the password as hello123.

Note: Don't forget the dot (".") at the end; it is the directory where the new DefaultAuthenticatorInit.ldift is written (the current directory, which is why we run it from the domain security location). Without it the tool throws an "Invalid Arguments" error.

6. Now restart the server and log in to the admin console using hello and hello123.

More to Come , Happy learning :-)

Thursday, September 19, 2013

SSL Configuration On Tomcat

This post is a walkthrough on how to configure SSL on Tomcat. It is divided into three parts:

Create a keystore file using Java
Configure Tomcat to use the keystore
Test it

1. Create a keystore file
To create the keystore file we use the keytool command that ships with the JDK. Use the tool as

C:\software\jboss\EWS\1.0>keytool -genkey -alias tomcat -keyalg RSA
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: teamJAG
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=teamJAG, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes

Enter key password for <tomcat>
(RETURN if same as keystore password):

The password that I used is "changeit".

The file is now created as .keystore in the home directory of the user.

2. Configure Tomcat to use the keystore
Once the keystore file is available, configure Tomcat port 8443 for SSL as

<Connector SSLEnabled="true" acceptCount="100" clientAuth="false" disableUploadTimeout="true" enableLookups="false" maxThreads="25"
port="8443" keystoreFile="C:\Users\jag\.keystore" keystorePass="changeit" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
secure="true" sslProtocol="TLS" />

For keystoreFile and keystorePass, provide the location of the file and the password that we used when creating the keystore.

3. Test it
In order to test the configuration, open a browser and type
https://localhost:8443/manager/html to open the Tomcat Manager application with SSL enabled.


More to Come , Happy learning

Weblogic : Migrating Web logic Managed Nodes from One Physical machine to another

There are couple of things that we need to manage when we are dealing with the Migration of Managed Nodes.

When Ever We migrate a Weblogic domain, the files that are available by default are

All files and directories in the source domain are included, leaving these:
Temporary files that are created when you start a server
The servers directory
Files in the security directory that are created automatically when you create the domain, such as DefaultAuthenticatorInit.ldift and XACMLRoleMapperInit.ldift

The most important thing is that if you configure any of the user,groups or roles using the Weblogic admin console , they are stored inside the ldap and are not available when migrating.
We first need to export the data and them import it for the new Domain on other Machine.

When We migrate a Managed Node , we have
  • All files in the root directory with the following extensions: .cmd, .sh, .xml, .properties, and.ini.
  • Any files with the.pem extension defined in the SSL configuration for your domain
  • bin directory
  • lib directory
  • All files and subdirectories in the config directory
  • The following files and directories are not included in a managed server template by default:
  • Applications and certain application initialization files
  • Temporary files that are created when you start a server
  • The servers directory
  • Files in the security directory that are created automatically when you create the domain, such as DefaultAuthenticatorInit.ldift and XACMLRoleMapperInit.ldift.

Now, to create a template for a managed node, we need to pass the -managed=true option, like this:
[root@vx111a bin]# ./pack.sh -domain=/root/Oracle/Middleware/user_projects/domains/base_domain -template=/root/Oracle/Middleware/user_projects/domains/managerd_domain.jar -template_name="my Domain Template" -log=/root/Oracle/Middleware/user_projects/domains/domain-pack.log -managed=true
<< read domain from "/root/Oracle/Middleware/user_projects/domains/base_domain"
>> succeed: read domain from "/root/Oracle/Middleware/user_projects/domains/base_domain"
<< set config option Managed to "true"
>> succeed: set config option Managed to "true"
<< write template to "/root/Oracle/Middleware/user_projects/domains/managerd_domain.jar"
....................................................................................................
>> succeed: write template to "/root/Oracle/Middleware/user_projects/domains/managerd_domain.jar"
<< close template
>> succeed: close template

and the unpack command runs like this:
[root@vx111a bin]# ./unpack.sh -template=/root/Oracle/Middleware/user_projects/domains/managerd_domain.jar -domain=/root/Oracle/Middleware/user_projects/domains/managed_domain -user_name="weblogic" -password="weblogic1" -server_start_mode="dev" -log=/root/Oracle/Middleware/user_projects/domains/domain-pack1.log
Warning: -server_start_mode for a managed template is ignored
Warning: -user_name for a managed template is ignored
Warning: -password for a managed template is ignored
<< read template from "/root/Oracle/Middleware/user_projects/domains/managerd_domain.jar"
>> succeed: read template from "/root/Oracle/Middleware/user_projects/domains/managerd_domain.jar"
<< set config option DomainName to "base_domain"
>> succeed: set config option DomainName to "base_domain"
<< write Domain to "/root/Oracle/Middleware/user_projects/domains/managed_domain"
...............................................................................................
>> succeed: write Domain to "/root/Oracle/Middleware/user_projects/domains/managed_domain"
<< close template
>> succeed: close template

Note: Be careful with the staged application location, since application files are not included by the pack command when we are creating a template for a managed node. This can cause issues when we are using an external_stage location: we need to make sure that the new domain and managed node we are creating have access permissions to the external stage location.

More To Come , Happy Learning

Weblogic : Migrating Web logic Domains from One Physical machine to another

The simplest way of migrating a WebLogic domain from one machine to another is the pack command provided by WebLogic.

The pack command creates a template (a .jar archive file) that contains a snapshot of either an entire domain or a subset of a domain. You can use a template that contains a subset of a domain to create a managed server domain directory hierarchy on a remote machine.

Using the pack command we can create a template file for the existing domain like this:

[root@vx111a bin]# ./pack.sh -domain=/root/Oracle/Middleware/user_projects/domains/base_domain -template=/root/Oracle/Middleware/user_projects/domains/base_domain.jar -template_name="my base Domain Template" -log=/root/Oracle/Middleware/user_projects/domains/domain-pack.log

<< read domain from "/root/Oracle/Middleware/user_projects/domains/base_domain"
>> succeed: read domain from "/root/Oracle/Middleware/user_projects/domains/base_domain"
<< write template to "/root/Oracle/Middleware/user_projects/domains/base_domain.jar"
....................................................................................................
>> succeed: write template to "/root/Oracle/Middleware/user_projects/domains/base_domain.jar"
<< close template
>> succeed: close template

These are the details that I used in the above pack command:
Domain = base_domain
Template Name = base_domain.jar

The pack and unpack commands are available at /root/Oracle/Middleware/wlserver_10.3/common/bin

Once the template is created, copy the template file to the new physical machine, which must already have the same version of the WebLogic software installed, go to “/root/Oracle/Middleware/wlserver_10.3/common/bin” and run the unpack command as follows.

When you use the unpack command with a domain template, it creates a domain containing all of the application and resource files defined in the template. It also creates necessary start scripts, and certain security and configuration files.

[root@vx111a bin]# ./unpack.sh -template=/root/Oracle/Middleware/user_projects/domains/base_domain.jar -domain=/root/Oracle/Middleware/user_projects/domains/admin_domain -user_name="weblogic" -password="weblogic1" -java_home="%JAVA_HOME%" -server_start_mode="dev" -log=/root/Oracle/Middleware/user_projects/domains/domain-pack1.log
Error: Full path required for "-java_home". Use "-help" to see details.
[root@vx111a bin]# ./unpack.sh -template=/root/Oracle/Middleware/user_projects/domains/base_domain.jar -domain=/root/Oracle/Middleware/user_projects/domains/admin_domain -user_name="weblogic" -password="weblogic1" -server_start_mode="dev" -log=/root/Oracle/Middleware/user_projects/domains/domain-pack1.log
<< read template from "/root/Oracle/Middleware/user_projects/domains/base_domain.jar"
>> succeed: read template from "/root/Oracle/Middleware/user_projects/domains/base_domain.jar"
<< set config option ServerStartMode to "dev"
>> succeed: set config option ServerStartMode to "dev"
<< find User "weblogic" as u1_CREATE_IF_NOT_EXIST
>> succeed: find User "weblogic" as u1_CREATE_IF_NOT_EXIST
<< set u1_CREATE_IF_NOT_EXIST attribute Password to "********"
>> succeed: set u1_CREATE_IF_NOT_EXIST attribute Password to "********"
<< write Domain to "/root/Oracle/Middleware/user_projects/domains/admin_domain"
...............................................................................................
>> succeed: write Domain to "/root/Oracle/Middleware/user_projects/domains/admin_domain"
<< close template
>> succeed: close template

In the above command, I am going to create
Domain = admin_domain

During the unpack command, I also passed 'username', 'password', 'server start mode', etc.
Once the unpack command is done, you can see a new domain with the name admin_domain.
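The managed-node template from the previous post and the full-domain template from this one are plain jar files, so they can be inspected before being copied to the other machine. The script below is an added example written for this page, not WebLogic's own tooling: it opens the jar, confirms the pieces the posts say must be there, flags anything pack.sh should have excluded, and points at the two gaps the posts warn about (embedded-LDAP users/groups/roles, applications and the external_stage location). Assumed: entry names follow the domain layout described above, the REQUIRED set is our own minimal choice, and the jar written by build_sample_template is constructed sample data.

```python
import tempfile
import zipfile
from pathlib import Path

# Left out of both full-domain and managed templates by default (lists above);
# if they show up, the jar is not a normal pack.sh output and needs a look.
EXCLUDED = ("servers/", "security/DefaultAuthenticatorInit.ldift",
            "security/XACMLRoleMapperInit.ldift")
REQUIRED = ("config/config.xml", "bin/", "lib/")  # minimal content we insist on (our choice)

def audit_template(jar_path, managed):
    """Inspect a pack.sh template jar; managed=True means it was built with -managed=true."""
    with zipfile.ZipFile(jar_path) as jar:
        names = jar.namelist()

    def has(prefix):
        return any(n == prefix or n.startswith(prefix) for n in names)

    has_apps = any(n.endswith((".war", ".ear")) for n in names)
    return {
        "missing_required": [r for r in REQUIRED if not has(r)],
        "unexpected": sorted(n for n in names if n.startswith(EXCLUDED)),
        "pem_files": sorted(n for n in names if n.endswith(".pem")),
        # managed template: apps are never packed, so the target host must be
        # able to read the external_stage location instead
        "check_external_stage": managed and not has_apps,
        # a full-domain template should carry the deployed applications
        "applications_missing": not managed and not has_apps,
        # users/groups/roles live in the embedded LDAP under servers/, which pack
        # drops: export them before migrating and import them on the target
        "ldap_export_needed": not has("servers/"),
    }

def build_sample_template(jar_path, managed):
    """Write a constructed jar shaped like pack.sh output (sample data, not real WebLogic output)."""
    entries = ["config/config.xml", "bin/startWebLogic.sh", "lib/readme.txt",
               "startWebLogic.sh", "security/server-cert.pem"]  # .pem name is made up
    if not managed:
        entries.append("applications/sample.war")
    with zipfile.ZipFile(jar_path, "w") as jar:
        for name in entries:
            jar.writestr(name, "constructed sample content\n")

def demo(managed=True):
    """Build a sample template in a temp dir and audit it."""
    path = Path(tempfile.mkdtemp()) / "sample_template.jar"
    build_sample_template(path, managed)
    return audit_template(path, managed)
```

Run audit_template against the real managerd_domain.jar or base_domain.jar with the matching managed flag; a non-empty unexpected list or missing_required list means the template should be rebuilt before it leaves the source machine.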


Happy Learning , More To Come.