Easy, well you’d think.
There is a bit of a caveat: we are creating a key file and a credential file. The credential file is encrypted with the key file, so anyone who gets hold of both can run nm commands as that user without ever knowing the username and password. You need to keep these files secure and secret: owned by the account that runs the start scripts, readable by nobody else (mode 600), and kept out of world-readable backups and source control. chmod is your friend.
Firstly, let's explain the problem.
In a shell script, you run the following to start a server:
/u01/oracle/Oracle/Middleware/Oracle_Home/oracle_common/common/bin/wlst.sh /u01/startscripts/nmStartServer.py
import sys
print 'Starting with :', str(sys.argv)
# WLST puts the script path in sys.argv[0], so one argument means two entries
if len(sys.argv) != 2:
    print 'Usage nmstartsvr.py servername'
    sys.exit(2)
serverName = sys.argv[1]
try:
    print 'Connecting to nodemanager'
    # The problem: the Node Manager password sits in plain text in the script
    nmConnect('weblogic', 'mySecurityHole', domainName='e1_apps', port='5556', nmType='ssl')
    nmStart(serverName)
except:
    print 'Could not connect to nodemanager or start', serverName
    sys.exit(2)
exit()
So that is great, but we need to stop using mySecurityHole. We therefore create a new, run-once script, nmEncryptPassword.py. It connects with the plain-text password one last time and then stores the credentials as an encrypted user-config file plus the key file that encrypts it:
import sys
print 'Starting with :', str(sys.argv)
# This script takes no arguments; sys.argv[0] is the script path
if len(sys.argv) != 1:
    print 'Usage nmEncryptPassword.py'
    sys.exit(2)
try:
    print 'Connecting to nodemanager and creating encrypted credentials'
    # Last time the plain-text password is used; remove it once the files exist
    nmConnect('weblogic', 'mySecurityHole', domainName='e1_apps', port='5556', nmType='ssl')
    # nm='true' stores the Node Manager credentials (not WebLogic Server ones)
    storeUserConfig(userConfigFile='/u01/startscripts/userconfig.secure', userKeyFile='/u01/startscripts/userkey.secure', nm='true')
except:
    print 'Could not change the password or store it to nodemanager'
    sys.exit(2)
exit()
The script creates the two files '/u01/startscripts/userconfig.secure' and '/u01/startscripts/userkey.secure' for you.
You only run it once, which is nice; once the files exist, delete the script or at least strip the plain-text password out of it. The next thing you do is change the nmConnect line in the start script like below:
import sys
print 'Starting with :', str(sys.argv)
# WLST puts the script path in sys.argv[0], so one argument means two entries
if len(sys.argv) != 2:
    print 'Usage nmstartsvr.py servername'
    sys.exit(2)
serverName = sys.argv[1]
try:
    print 'Connecting to nodemanager'
    # Credentials now come from the encrypted config file plus its key file
    nmConnect(userConfigFile='/u01/startscripts/userconfig.secure', userKeyFile='/u01/startscripts/userkey.secure', domainName='e1_apps', port='5556', nmType='ssl')
    nmStart(serverName)
except:
    print 'Could not connect to nodemanager or start', serverName
    sys.exit(2)
exit()
Voilà! You are now using a key file and an encrypted credential file to connect to Node Manager, not plain-text credentials in the script.
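The caveat at the top is that the two files are only as safe as their permissions. The following is an added example, not part of the original post: a plain Python (stdlib only, not WLST) pre-check that the wrapper shell script can run before wlst.sh, or that you can run by hand, to refuse to start when either file is missing, a symlink, owned by someone else, or readable by group or others. The file paths are the ones used above; the function names and the lock_down helper are my own.

```python
"""Sanity-check the WLST userconfig/userkey files before handing them to nmConnect.

Added example (not from the original post). Works with the stock os/stat
modules on Linux/Unix; run it from the wrapper script before wlst.sh.
"""
import os
import stat
import sys

# Paths from the post; adjust to your own layout.
USER_CONFIG = '/u01/startscripts/userconfig.secure'
USER_KEY = '/u01/startscripts/userkey.secure'


def file_problems(path, owner_uid=None):
    """Return a list of human-readable problems with one credential file.

    An empty list means: the path exists, is a regular file (not a symlink),
    is owned by owner_uid (default: the current user), is non-empty and has
    no group/other permission bits set, i.e. mode 0600 or stricter.
    """
    if owner_uid is None:
        owner_uid = os.getuid()
    problems = []
    try:
        st = os.lstat(path)          # lstat: do not follow symlinks
    except OSError as e:
        return ['%s: cannot stat (%s)' % (path, e.strerror)]
    if stat.S_ISLNK(st.st_mode):
        # A symlink could point the start script at an attacker-chosen file
        return ['%s: is a symlink; refusing to follow it' % path]
    if not stat.S_ISREG(st.st_mode):
        problems.append('%s: not a regular file' % path)
    if st.st_uid != owner_uid:
        problems.append('%s: owned by uid %d, expected uid %d'
                        % (path, st.st_uid, owner_uid))
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append('%s: mode %04o is accessible to group/others; run chmod 600'
                        % (path, mode))
    if st.st_size == 0:
        problems.append('%s: empty file (storeUserConfig did not run?)' % path)
    return problems


def credentials_ok(config_path=USER_CONFIG, key_path=USER_KEY, owner_uid=None):
    """True when both files pass every check; problems are written to stderr."""
    problems = file_problems(config_path, owner_uid) + file_problems(key_path, owner_uid)
    for p in problems:
        sys.stderr.write(p + '\n')
    return not problems


def lock_down(path):
    """Apply the fix the post recommends: chmod 600 (owner read/write only)."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


if __name__ == '__main__':
    # Exit non-zero so a wrapper like "python check.py && wlst.sh ..." stops here
    if not credentials_ok():
        sys.exit(2)
    print('credential files look sane; safe to call nmConnect(userConfigFile=..., userKeyFile=...)')
```

The check deliberately uses lstat and refuses symlinks: the start script typically runs as the oracle user, and a writable directory plus a symlink is the classic way to make a privileged script read (or, after storeUserConfig, write) somewhere it should not.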
Note that in between, I started to get:
Connecting to nodemanager
Connecting to Node Manager ...
This Exception occurred at Thu Sep 15 14:09:14 AEST 2016.
java.io.IOException: Get a TLS/SSL Alert. Connection is rejected. Probably caused by attempting to connect to a SSL server (SecureListener==true in nodemanager.properties) with a Plain client.
Could not connect to nodemanager
I noticed that I'd cut and pasted wrong: nmConnect(userConfigFile='/u01/startscripts/userconfig.secure', userKeyFile='/u01/startscripts/userkey.secure', domainName='e1_apps', port='5556', nmType='plain'). The Node Manager listener is SSL (SecureListener=true in nodemanager.properties), so a plain client is rejected, exactly as the message says.
Once this was back to ssl, all was good in the WLST world.