Start WebLogic server with custom SSL config

Question

Currently I'm experimenting a little bit with Oracle WebLogic Server 12c.
I set up a new domain to experiment with SSL.
I've already created a custom identity store, certificate and trust
following the instructions here: https://helpx.adobe.com/uk/experience-manager/6-3/forms/using/admin-help/configuring-ssl-weblogic-server.html#creating_an_ssl_credential_for_use_on_weblogic_server

I've also set up my AdminServer to use these, which I could test by activating the domain-wide admin port and connecting to the admin console. I inspected the provided cert in the browser and could verify that it was my custom cert.

So far so good. But when I create a managed server, and configure it to also use my custom identity, trust and the certificate and save the settings in the admin console, I'm not able to boot the server using the provided startManagedWebLogic.sh script.
The reason for the failure is that the server tries to use the DemoCert and DemoTrust, as I can see in the logs. Consequently it fails to connect to the AdminServer and cannot load its configs.

Here is my problem:
How should I start a managed server with custom SSL settings, if the default settings are always used to start it up in the first place? Is there any way to modify the startup scripts to use different defaults? Or is there a different "best practice"?

The errors for the server not starting up are:

<Apr 6, 2020 2:40:46,041 PM CEST> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: A MultiException has 6 exceptions.  They are:
1. weblogic.security.SecurityInitializationException: Authentication for user weblogic denied.
2. java.lang.IllegalStateException: Unable to perform operation: post construct on weblogic.security.SecurityService
3. java.lang.IllegalArgumentException: While attempting to resolve the dependencies of weblogic.jndi.internal.RemoteNamingService errors were found
4. java.lang.IllegalStateException: Unable to perform operation: resolve on weblogic.jndi.internal.RemoteNamingService
5. java.lang.IllegalArgumentException: While attempting to resolve the dependencies of weblogic.io.common.internal.FileService errors were found
6. java.lang.IllegalStateException: Unable to perform operation: resolve on weblogic.io.common.internal.FileService

A MultiException has 6 exceptions.  They are:
1. weblogic.security.SecurityInitializationException: Authentication for user weblogic denied.
2. java.lang.IllegalStateException: Unable to perform operation: post construct on weblogic.security.SecurityService
3. java.lang.IllegalArgumentException: While attempting to resolve the dependencies of weblogic.jndi.internal.RemoteNamingService errors were found
4. java.lang.IllegalStateException: Unable to perform operation: resolve on weblogic.jndi.internal.RemoteNamingService
5. java.lang.IllegalArgumentException: While attempting to resolve the dependencies of weblogic.io.common.internal.FileService errors were found
6. java.lang.IllegalStateException: Unable to perform operation: resolve on weblogic.io.common.internal.FileService

	at org.jvnet.hk2.internal.Collector.throwIfErrors(Collector.java:89)
	at org.jvnet.hk2.internal.ClazzCreator.resolveAllDependencies(ClazzCreator.java:250)
	at org.jvnet.hk2.internal.ClazzCreator.create(ClazzCreator.java:358)
	at org.jvnet.hk2.internal.SystemDescriptor.create(SystemDescriptor.java:487)
	at org.glassfish.hk2.runlevel.internal.AsyncRunLevelContext.findOrCreate(AsyncRunLevelContext.java:305)
	Truncated. see log file for complete stacktrace
Caused By: weblogic.security.SecurityInitializationException: Authentication for user weblogic denied.
	at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:1158)
	at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.postInitialize(CommonSecurityServiceManagerDelegateImpl.java:1272)
	at weblogic.security.service.SecurityServiceManager.postInitialize(SecurityServiceManager.java:586)
	at weblogic.security.SecurityService.start(SecurityService.java:130)
	at weblogic.server.AbstractServerService.postConstruct(AbstractServerService.java:76)
	Truncated. see log file for complete stacktrace
Caused By: javax.security.auth.login.FailedLoginException: [Security:090938]Authentication failure: The specified user failed to log in. weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090295]caught unexpected exception, No such object
	at com.bea.common.security.utils.ExceptionHandler.throwFailedLoginException(ExceptionHandler.java:62)
	at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:369)
	at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:117)
	at java.security.AccessController.doPrivileged(Native Method)
	at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:114)
	Truncated. see log file for complete stacktrace
>

I've checked username and password, they have been entered correctly.

EDIT: If I disable the admin port, and startup the managed server with

startManagedWeblogic ms0 t3://localhost:7001 (1)

instead of

startManagedWeblogic ms0 t3s://localhost:9001 (2)

the server starts up as intended. Consecutive startups with ENABLED admin port (2) do succeed in spite of the persistent problems when trying to reach the admin server during startup.

EDIT 2:
I've tried using NodeManager for that, thanks to the reply below. Unfortunately, I cannot access it from the admin console due to an SSL exception:

javax.net.ssl.SSLHandshakeException

I found out that I have to configure the NodeManager to also use custom SSL settings in the nodemanager.properties file.
I used the following settings:

## SSL ##
# Configure default SSL
KeyStores=CustomIdentityAndCustomTrust

# Identity keystore
CustomIdentityKeyStoreFileName=/home/iffuw/feck-credentials.jks
CustomIdentityKeyStoreType=jks
CustomIdentityKeyStorePassPhrase=whatever

# private key
CustomIdentityAlias=feck-credentials
CustomIdentityPrivateKeyPassPhrase=whatever

# Trust keystore
CustomTrustKeyStoreFileName=/home/iffuw/feck-ca.jks
CustomTrustKeyStoreType=jks
CustomTrustKeyPassPhrase=whatever
CustomTrustKeyStorePassPhrase=whatever

Please note that the passphrases are not all "whatever", but the passphrases for the two KeyStores (Id and Trust) are identical.
When I start up nodemanager, the passphrases from the key and identity blocks are encrypted. The passphrase from the trust block turns out to be empty.
Something might go wrong here, but I don't know what.
Any ideas? The nodemanager.log says:

<Apr 6, 2020 4:30:40 PM CEST> <INFO> <Upgrade> <Removing NodeManager property: CustomTrustKeyStorePassPhrase>

Is that normal?

Answer 1

Score: 0

In the script startManagedWebLogic.sh you need to set the parameter:

-Djavax.net.ssl.trustStore=/YOUR_PATH/CustomTrust.jks 

More useful (example) SSL/JKS parameters:

-Djavax.net.debug=ssl
-Djavax.net.ssl.keyStoreType=pkcs12
-Djavax.net.ssl.keyStore=client.p12
-Djavax.net.ssl.keyStorePassword=whatever
-Djavax.net.ssl.trustStoreType=jks
-Djavax.net.ssl.trustStore=client-truststore.jks
-Djavax.net.ssl.trustStorePassword=whatever

On the other hand, this can be avoided if you start up the managed server through the admin console (actually it is the Node Manager working underneath).
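An added example, not code from the original question or answer and not Oracle's own scripts. The `javax.net.ssl.*` properties in the answer configure the JDK's default JSSE trust; the managed server's boot connection to the AdminServer over t3s is made by WebLogic's own SSL stack, which takes its trust keystore from the `weblogic.security.*` properties that Oracle documents for specifying trust on the command line. The script below builds those options from the trust store named in the question, checks that the store actually contains a CA entry before a boot is attempted, and appends the options to the domain's `setUserOverrides.sh`, the hook that `setDomainEnv.sh` sources so the generated start scripts stay untouched. The trust store path `/home/iffuw/feck-ca.jks`, the passphrase, the server name `ms0` and the domain path are assumptions taken from the question.

```shell
#!/bin/sh
# Added example (not from the original post or from Oracle): pass WebLogic's
# own trust properties to the managed server so its boot connection to the
# AdminServer (t3s://localhost:9001 in the question) is verified against the
# custom trust store instead of the bundled DemoTrust.
#
# Assumptions (hypothetical, taken from the question): trust store
# /home/iffuw/feck-ca.jks, its store passphrase in $TRUST_PASS, server ms0.

TRUST_STORE="${TRUST_STORE:-/home/iffuw/feck-ca.jks}"
TRUST_PASS="${TRUST_PASS:-whatever}"

# Build the trust-related JVM options. Arguments: <truststore path> <passphrase>.
# These are the documented weblogic.security.* trust properties, not javax.net.ssl.*.
build_trust_opts() {
  printf '%s' "-Dweblogic.security.TrustKeyStore=CustomTrust" \
    " -Dweblogic.security.CustomTrustKeyStoreFileName=$1" \
    " -Dweblogic.security.CustomTrustKeyStoreType=jks" \
    " -Dweblogic.security.CustomTrustKeyStorePassPhrase=$2"
}

# Sanity check before booting: the trust store must be readable and hold at
# least one trustedCertEntry (the CA that signed the AdminServer certificate).
# Returns non-zero if the file is absent, keytool is missing, or no CA entry exists.
check_truststore() {
  [ -r "$1" ] || return 1
  keytool -list -keystore "$1" -storepass "$2" 2>/dev/null | grep -q 'trustedCertEntry'
}

# Append the options to <domain>/bin/setUserOverrides.sh, which setDomainEnv.sh
# sources on every start. The passphrase is a plain -D value, readable by anyone
# who can read the file or list the JVM's arguments with ps, so keep the file
# owner-only.
install_override() {
  override="$1/bin/setUserOverrides.sh"
  printf 'JAVA_OPTIONS="${JAVA_OPTIONS} %s"\nexport JAVA_OPTIONS\n' \
    "$(build_trust_opts "$TRUST_STORE" "$TRUST_PASS")" >> "$override"
  chmod 600 "$override"
}

# When run directly, print the line that would be appended to setUserOverrides.sh.
echo "JAVA_OPTIONS=\"\${JAVA_OPTIONS} $(build_trust_opts "$TRUST_STORE" "$TRUST_PASS")\""
# Full sequence for a real domain (paths assumed):
#   check_truststore "$TRUST_STORE" "$TRUST_PASS" \
#     && install_override /home/iffuw/domains/ssltest \
#     && /home/iffuw/domains/ssltest/bin/startManagedWebLogic.sh ms0 t3s://localhost:9001
```

If the boot still fails after trust is in place, check the AdminServer certificate's subject or SAN against the host in the t3s URL: WebLogic verifies the hostname by default, and the fix is to issue the certificate for the name actually used in the URL rather than to switch verification off.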

huangapple
  • Posted on 2020-04-06 20:13:20
  • Source (keep this link when reposting): https://go.coder-hub.com/61059594.html