Thursday 30 April 2015

Starting WLST Securely and Connecting to Node Manager

WLST provides a command-line interface to a running Node Manager, which is handy if the Admin Server is down and you still want to control your managed servers gracefully.

Usually, after setting your environment and starting the WLST command-line process, you can run nmConnect to connect to any running Node Manager:
nmConnect("weblogic","<password>","nodemanager-hostname.example.com",5556,"ofm-domain","/oracle/admin/ofm-domain","ssl")

However, if you have configured your WebLogic domain and Node Manager with custom identity and trust, you will have problems connecting to Node Manager via WLST. With JSSE enabled, you will see an error like this:

wls:/offline> nmConnect("weblogic","<password>","nodemanager-hostname.example.com",5556,"ofm-domain","/oracle/admin/ofm-domain","ssl")
Connecting to Node Manager ...
......
javax.net.ssl.SSLKeyException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.
Traceback (innermost last):
 File "<console>", line 1, in ?
 File "<iostream>", line 123, in nmConnect
 File "<iostream>", line 653, in raiseWLSTException
WLSTException: Error occured while performing nmConnect : Cannot connect to Node Manager. : FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.
Use dumpStack() to view the full stacktrace


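For WLST to use the custom trust configuration of the domain, start it by calling java directly with the weblogic.ssl and weblogic.security system properties shown below.
The JSSEEnabled and enableJSSE arguments can be left out if you are not using JSSE SSL.
The ignoreHostnameVerification=true argument turns off the check that the Node Manager certificate matches the hostname you connect to; omit it if the certificate carries the correct hostname.
Add the -skipWLSModuleScanning flag to speed up the startup.
You will find the CustomTrust values in your nodemanager.properties file.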


java -Dweblogic.ssl.JSSEEnabled=true \
  -Dweblogic.security.SSL.enableJSSE=true \
  -Dweblogic.security.SSL.ignoreHostnameVerification=true \
  -Dweblogic.security.CustomTrustKeyStoreType="JKS" \
  -Dweblogic.security.TrustKeyStore=CustomTrust \
  -Dweblogic.security.CustomTrustKeyStoreFileName="/oracle/admin/ofm-domain/ssl/trusts.jks" \
  weblogic.WLST \
  -skipWLSModuleScanning

This loads the WLST command line, and nmConnect will now connect to the Node Manager successfully so that you can execute commands.
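
Rather than copying the CustomTrust values out of nodemanager.properties by hand, a small shell helper can read them and print the JVM arguments. This is an added example, not part of the original post: the property names CustomTrustKeyStoreFileName and CustomTrustKeyStoreType, the function names and the placeholder path are assumptions, and hostname verification stays on unless "noverify" is passed.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: nodemanager.properties holds the keys CustomTrustKeyStoreFileName
# and CustomTrustKeyStoreType as simple KEY=value lines.

# prop FILE KEY: print the value of the last uncommented KEY=value line.
prop() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# wlst_trust_args FILE [verify|noverify]: print one JVM argument per line.
# Hostname verification stays on unless "noverify" is passed explicitly.
wlst_trust_args() {
    props=$1
    mode=${2:-verify}
    [ -r "$props" ] || { echo "cannot read $props" >&2; return 1; }

    store=$(prop "$props" CustomTrustKeyStoreFileName)
    ktype=$(prop "$props" CustomTrustKeyStoreType)
    [ -n "$store" ] || { echo "CustomTrustKeyStoreFileName not set in $props" >&2; return 2; }
    # Fail here rather than at nmConnect if the trust store path is stale.
    [ -r "$store" ] || { echo "trust store $store is not readable" >&2; return 3; }

    # The store type falls back to JKS, the type used in the post.
    printf '%s\n' \
        "-Dweblogic.ssl.JSSEEnabled=true" \
        "-Dweblogic.security.SSL.enableJSSE=true" \
        "-Dweblogic.security.TrustKeyStore=CustomTrust" \
        "-Dweblogic.security.CustomTrustKeyStoreType=${ktype:-JKS}" \
        "-Dweblogic.security.CustomTrustKeyStoreFileName=$store"
    if [ "$mode" = noverify ]; then
        printf '%s\n' "-Dweblogic.security.SSL.ignoreHostnameVerification=true"
    fi
    return 0
}

# Usage (placeholder path; assumes the trust store path contains no spaces):
#   java $(wlst_trust_args /path/to/nodemanager.properties) \
#       weblogic.WLST -skipWLSModuleScanning
```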