Thursday 15 September 2016

using nmConnect without specifying passwords in a text file

Easy, well you’d think.

There is a bit of a caveat: we are creating a key file and a credential file. If people can get hold of these, they can run nm commands as that user without needing to know the username and password, so you need to keep these files secure and secret. chmod is your friend.

Firstly, let's explain the problem.

In a shell script, you run the following to start a server:

/u01/oracle/Oracle/Middleware/Oracle_Home/oracle_common/common/bin/wlst.sh /u01/startscripts/nmStartServer.py

import sys
print 'Starting with :', str(sys.argv)
if len(sys.argv) != 1:
  print 'Usage nmstartsvr.py servername'
  sys.exit(2)
try:
  print 'Connecting to nodemanager'
  # plain-text password in the script: this is the problem
  nmConnect('weblogic', 'mySecurityHole', domainName='e1_apps', port='5556', nmType='ssl')
  # the rest of the start script (the nmStart call) is not shown in the post
except:
  print 'Could not connect to nodemanager'
  sys.exit(2)

So that is great, but we need to stop using mySecurityHole, so we now create a new script.

This has the same nmConnect plus a storeUserConfig line:

import sys
print 'Starting with :', str(sys.argv)
if len(sys.argv) != 1:
  print 'Usage nmEncryptPassword.py'
  sys.exit(2)
try:
  print 'Connecting to nodemanager and creating encrypted credentials'
  nmConnect('weblogic', 'mySecurityHole', domainName='e1_apps', port='5556', nmType='ssl')
  # writes the encrypted credential file and the key that decrypts it
  storeUserConfig(userConfigFile='/u01/startscripts/userconfig.secure', userKeyFile='/u01/startscripts/userkey.secure', nm='true')
except:
  print 'Could not change the password or store it to nodemanager'
  sys.exit(2)
exit()

So you can create the two files '/u01/startscripts/userconfig.secure' and '/u01/startscripts/userkey.secure' – the script will do this for you.

You only run the above once, which is nice. The next thing you do is change your nmConnect line, like below:

import sys
print 'Starting with :', str(sys.argv)
if len(sys.argv) != 1:
  print 'Usage nmstartsvr.py servername'
  sys.exit(2)
try:
  print 'Connecting to nodemanager'
  # credentials now come from the encrypted config/key pair, not the script
  nmConnect(userConfigFile='/u01/startscripts/userconfig.secure', userKeyFile='/u01/startscripts/userkey.secure', domainName='e1_apps', port='5556', nmType='ssl')
  # the rest of the start script (the nmStart call) is not shown in the post
except:
  print 'Could not connect to nodemanager'
  sys.exit(2)

Voilà! You are now using a key file to start the server, not the plain-text credentials.
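Since the whole point of the key/credential pair is that whoever can read it can talk to Node Manager as that user, the start wrapper below is an added example (not from the original post) that checks both files before handing off to wlst.sh: each must be a regular file, owned by the expected user, and mode 600 or 400. The wlst.sh, start-script and .secure paths are the ones used in the post; the expected owner 'oracle' is an assumption, as is the use of GNU stat (with a BSD stat fallback).

```shell
#!/bin/sh
# Added example, not from the original post: refuse to run wlst.sh unless the
# credential and key files that nmConnect will read are owned by the expected
# user and unreadable by group/other.

WLST=/u01/oracle/Oracle/Middleware/Oracle_Home/oracle_common/common/bin/wlst.sh
START_SCRIPT=/u01/startscripts/nmStartServer.py
USERCONFIG=/u01/startscripts/userconfig.secure
USERKEY=/u01/startscripts/userkey.secure
EXPECTED_OWNER=oracle   # assumption: the account that runs WLST

# file_owner_and_mode FILE -> prints "<owner> <octal mode>", e.g. "oracle 600".
# GNU stat (Linux) first, BSD/macOS stat as a fallback.
file_owner_and_mode() {
    stat -c '%U %a' "$1" 2>/dev/null || stat -f '%Su %Lp' "$1"
}

# check_secret_file FILE EXPECTED_OWNER
# Returns 0 only if FILE is a regular file, owned by EXPECTED_OWNER, and its
# mode is 600 or 400 (no group/other bits). Reports the problem on stderr.
check_secret_file() {
    f=$1
    want_owner=$2
    if [ ! -f "$f" ]; then
        echo "missing or not a regular file: $f" >&2
        return 1
    fi
    # deliberate word splitting: "$owner $mode"
    set -- $(file_owner_and_mode "$f")
    owner=$1
    mode=$2
    if [ "$owner" != "$want_owner" ]; then
        echo "wrong owner on $f: '$owner' (expected $want_owner)" >&2
        return 1
    fi
    case "$mode" in
        600|400) return 0 ;;
        *)
            echo "$f is mode $mode; run: chmod 600 $f" >&2
            return 1 ;;
    esac
}

# start_server: run the checks, then hand off to WLST exactly as the post does.
start_server() {
    check_secret_file "$USERCONFIG" "$EXPECTED_OWNER" || return 1
    check_secret_file "$USERKEY" "$EXPECTED_OWNER" || return 1
    "$WLST" "$START_SCRIPT"
}

# Only starts the server when invoked as: sh start_wrapper.sh start
case "${1:-}" in
    start) start_server ;;
esac
```

The check is strict on purpose: a file that is group-readable (640, as an `ls -l` will show after a careless copy) fails, because the WebLogic group on a shared box is usually wider than the set of people who should be able to drive Node Manager.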

Note that in between I started to get:

Connecting to nodemanager
Connecting to Node Manager ...
This Exception occurred at Thu Sep 15 14:09:14 AEST 2016.
java.io.IOException: Get a TLS/SSL Alert. Connection is rejected. Probably caused by attempting to connect to a SSL server (SecureListener==true in nodemanager.properties) with a Plain client.
Could not connect to nodemanager

I noticed that I'd cut and pasted wrong:

nmConnect(userConfigFile='/u01/startscripts/userconfig.secure', userKeyFile='/u01/startscripts/userkey.secure', domainName='e1_apps', port='5556', nmType='plain')

Once this was back to ssl, all was good in the WLST world.
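The rejection above is a configuration mismatch (SecureListener=true on the Node Manager side, nmType='plain' in the script), so it can be caught before WLST ever connects. The following is an added example, not from the original post: it reads SecureListener from nodemanager.properties, pulls the nmType value out of the start script, and fails if they disagree. The nodemanager.properties location is a placeholder (assumption); the start-script path is the post's. Treating a missing SecureListener key as "ssl" follows Node Manager's documented default, which is also an assumption to confirm against your version.

```shell
#!/bin/sh
# Added example, not from the original post: check that a WLST start script's
# nmType matches the Node Manager listener type, so the "TLS/SSL Alert ...
# SSL server ... with a Plain client" rejection is caught as a config error.

NM_PROPERTIES=/u01/PLACEHOLDER/nodemanager/nodemanager.properties   # assumption
START_SCRIPT=/u01/startscripts/nmStartServer.py

# listener_type PROPERTIES -> prints "ssl" or "plain" from SecureListener=.
# If the key is absent, "ssl" is assumed (secure listener is the default).
listener_type() {
    v=$(sed -n 's/^[[:space:]]*SecureListener[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 | tr -d '[:space:]' | tr 'A-Z' 'a-z')
    case "${v:-true}" in
        true)  echo ssl ;;
        false) echo plain ;;
        *)     echo "unrecognised SecureListener value: $v" >&2; return 1 ;;
    esac
}

# script_nm_type SCRIPT -> prints the nmType=... value of the last nmConnect
# call in the script with its quotes stripped, or nothing if there is none.
script_nm_type() {
    sed -n 's/.*nmType=[^a-zA-Z]*\([a-zA-Z]*\).*/\1/p' "$1" | tail -n 1 | tr 'A-Z' 'a-z'
}

# check_nm_type PROPERTIES SCRIPT -> 0 if they agree, 1 (with a message) if not.
check_nm_type() {
    want=$(listener_type "$1") || return 1
    have=$(script_nm_type "$2")
    if [ -z "$have" ]; then
        echo "no nmType= found in $2" >&2
        return 1
    fi
    if [ "$want" != "$have" ]; then
        echo "mismatch: $1 wants nmType='$want' but $2 uses nmType='$have'" >&2
        return 1
    fi
    return 0
}

# Run the check when invoked as: sh check_nm_type.sh check
case "${1:-}" in
    check) check_nm_type "$NM_PROPERTIES" "$START_SCRIPT" ;;
esac
```

Dropping this into the start wrapper (before calling wlst.sh) turns a Java stack trace at 2 a.m. into a one-line message naming the two files that disagree.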

nodemanager password problems

I'm using a copy of a copy of a copy of a web server to make another web server; this is the quickest way…

Why? I have patched it, tested it, installed Server Manager etc. This is easy when clients are using AWS, as I have pre-baked AMIs with my JD Edwards code already installed. It is very simple for me to share the AMI and get the server up and running very quickly. It just depends on how "baked" the AMI is.

I have a bit of an issue though (actually two).

The first issue is to ensure that the nodemanager password in nm_password.properties has the correct values. I use nmStart in all of my service start commands, and this password needs to be right to connect to the nodemanager automatically.

You cannot just enter a plain-text value into this file like you can with boot.properties. I think that you need to do nmEnroll or use the WLS console. So, it's easy to change the weblogic password and move on. Change the boot.properties in the /u01/oracle/Oracle/Middleware/Oracle_Home/user_projects/domains/e1_apps/servers/AdminServer/security/ dir:


Then you need to ensure that your Node Manager passwords are also updated; that is a different location in the console.

[console screenshots not reproduced]

So, now the nm_password.properties file in /u01/oracle/Oracle/Middleware/Oracle_Home/user_projects/domains/e1_apps/config/nodemanager/ will be updated (note the size change between the two listings):

[root@vawswls50 user_projects]# ls -l ./domains/e1_apps/config/nodemanager/nm_password.properties
-rw-r-----. 1 oracle oracle 79 Sep 13 12:16 ./domains/e1_apps/config/nodemanager/nm_password.properties
[root@vawswls50 user_projects]# ls -l ./domains/e1_apps/config/nodemanager/nm_password.properties
-rw-r-----. 1 oracle oracle 135 Sep 13 13:20 ./domains/e1_apps/config/nodemanager/nm_password.properties

After hitting save and activating the changes in the WLS console, you have the confirmed changes to the file above. Now the server is going to start using nmStart; let's test it out.