AIMSTAR Blog

Securing WebLogic Servers Part 3 – Configuring a Managed Server and Node Manager

Posted by Theodore Williams on Aug 23, 2017 10:00:00 AM

Configuring a Managed Server and Node Manager


This article is the third in a three-part series that details how to secure a WebLogic server.   

In general, the WebLogic Admin Server is used for administrative duties and the managed servers are used to deploy applications on WebLogic.  Managed servers can be configured to use keystores and run on a secure port in a manner similar to that used to secure Admin Servers. 

 

The WebLogic Node Manager can be used to start and stop WebLogic managed servers.  This article details how to configure a WebLogic managed server to run on a secure port and allow WebLogic Node Manager to start and stop the managed server.


Relevant Topics: Oracle DBA,  Oracle WebLogic, Managed Server, Node Manager, Keystores, WebLogic Security,  NIST SP 800-53

The following variables are used in this article.

 Environment Variables

 MW_HOME: This variable refers to the location where Oracle Fusion Middleware resides.

For this example, MW_HOME is:

 /u01/app/weblogic/wls12130

 WL_HOME: This variable refers to the location which contains installed files necessary to host a WebLogic Server.  For this example, WL_HOME is:

/u01/app/weblogic/wls/wlserver

 

DOMAIN_HOME: This is the home for our current WebLogic domain.  For this example, DOMAIN_HOME is:

/u01/app/weblogic/wls12130/user_projects/domains/base_domain

 


 

Secure Managed Servers and Configure Node Manager

The previous post detailed the steps involved in securing an Admin Server.  Securing a WebLogic Managed Server is similar. 

  1. The Managed Server should be shut down.

 

  1. From the WebLogic home page, click on Servers. Click on the Managed Server. The Managed Server settings screen displays.


 

 Check the box next to SSL Listen Port enabled.  Enter a port number for SSL Listen Port:

 

Select the Configuration --> Keystores tab.

 

  1. The Managed Server Settings, Configuration --> Keystores screen displays.

 


 

Enter the following:

 

Click on the Keystores Change button. 

Choose Custom Identity and Custom Trust.

Click Save.

 

Identity

Custom Identity Keystore: <directory containing the keystores>/identity_keystore.jks

See our previous post on configuring keystores.

Custom Identity Keystore Type:  JKS

Custom Identity Keystore Passphrase: 

<password for identity_keystore.jks that was specified when it was created>

Confirm Custom Identity Keystore Passphrase:

<password for identity_keystore.jks that was specified when it was created>

 

Trust

Custom Trust Keystore: <directory containing the keystores>/trust_keystore.jks

Custom Trust Keystore Type:  JKS

Custom Trust Keystore Passphrase: 

<password for trust_keystore.jks that was specified when it was created>

Confirm Custom Trust Keystore Passphrase:

<password for trust_keystore.jks that was specified when it was created>

 

Click Save

 

Click the SSL tab.

 

  1. The Managed Server Settings General --> SSL screen displays.


 

Identity and Trust Locations:   Make sure this is set to Keystores

 

Identity

 

Private Key Location:    from Custom Identity Keystore

Private Key Alias:       the alias of the private key that we defined in the identity keystore, for example forge_private_key

Private Key Passphrase:  <The password defined when the private key was created in the keystore>

Confirm Private Key Passphrase:  <The password defined when the private key was created in the keystore>

Certificate Location:            from Custom Identity Keystore

 

Trust

Trusted Certificate Authorities:   from Custom Trust Keystore

 

Click Save

 

  1. The screen displays indicating that the changes have been made.


 

  1. Click Servers. Click Activate Changes.


 

The changes have been activated.

 

  1. Node Manager must be configured to use the secure port to start and stop the managed server. On the server, stop Node Manager if it is running.  This can be done with the command:

 

$MW_HOME/user_projects/domains/base_domain/bin/stopNodeManager.sh &

 

For example:

 

$ pwd

/u01/app/weblogic/wls12130/user_projects/domains/base_domain/bin

$ ./stopNodeManager.sh &

 

  1. On the server, edit the nodemanager.properties file to allow Node Manager to run securely. For the per-domain Node Manager configuration, the nodemanager.properties file can be found in:

$MW_HOME/user_projects/domains/<domain_name>/nodemanager/nodemanager.properties

Enter the keystore and passphrase parameters at the end of the file.  For example:

 

CustomIdentityAlias=forge_private_key

CustomIdentityKeyStoreFileName=/u01/app/weblogic/wls12130/keystores/identity_keystore.jks

CustomIdentityKeyStorePassPhrase=<Keystore password>

CustomIdentityKeyStoreType=JKS

CustomIdentityPrivateKeyPassPhrase=<Private key password>

CustomTrustKeyStoreFileName=/u01/app/weblogic/wls12130/keystores/trust_keystore.jks

CustomTrustKeyStoreType=JKS

JavaStandardTrustKeyStorePassPhrase=

KeyStores=CustomIdentityAndCustomTrust

NodeManagerHome=/u01/app/weblogic/wls12130/user_projects/domains/base_domain/nodemanager

WebLogicHome=/u01/app/weblogic/wls12130/wlserver

 

Note that the passwords in the nodemanager.properties file will be encrypted when Node Manager is restarted.

 

  1. Restart Node Manager. This can be done with the command:

 

$MW_HOME/user_projects/domains/base_domain/bin/startNodeManager.sh &

 

For example:

 

$ pwd

/u01/app/weblogic/wls12130/user_projects/domains/base_domain/bin

$ ./startNodeManager.sh &

 

 

  1. In the Admin Console Summary of Servers screen, Click Servers.  Click the Control tab.


 

Select the box next to the Managed Server and click Start.

 

  1. A confirmation page displays.

 

Click Yes.

 

  1. A screen displays showing that the request to start the managed server has been sent to the Node Manager and is in progress.


 

  1. After a minute or so, the managed server is started.


 

At this point the managed server is ready to use securely.  It can be accessed through the SSL Listen port entered earlier.  For security, for example to satisfy NIST SP 800-53 security controls, the non-secure Listen Port for the managed server can be disabled.
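
The nodemanager.properties edits made above can be checked once Node Manager has been restarted: the keystore settings should be present, the passphrases should no longer be in clear text, and the file should not be readable by other users. The script below is an added example, not part of the original post; the function names are illustrative, and it assumes that encrypted values carry a {AES...} or {3DES} prefix.

```sh
#!/bin/sh
# Added example: audit nodemanager.properties after Node Manager is restarted.
# Prints one finding per line; returns 0 when clean, 1 on findings, 2 if unreadable.

# Value of KEY in FILE (last occurrence wins, as in a Java properties file).
nm_prop() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

nm_report() { printf '%s\n' "$1"; nm_findings=$((nm_findings + 1)); }

audit_nm_properties() {
  nm_file=$1; nm_findings=0
  [ -r "$nm_file" ] || { echo "cannot read $nm_file"; return 2; }

  # Keystore mode must match the choice made in the Admin Console.
  [ "$(nm_prop "$nm_file" KeyStores)" = "CustomIdentityAndCustomTrust" ] ||
    nm_report "KeyStores is not CustomIdentityAndCustomTrust"
  [ -n "$(nm_prop "$nm_file" CustomIdentityAlias)" ] ||
    nm_report "CustomIdentityAlias is not set"

  # Both keystore files must exist and be readable by the Node Manager user.
  for nm_key in CustomIdentityKeyStoreFileName CustomTrustKeyStoreFileName; do
    nm_val=$(nm_prop "$nm_file" "$nm_key")
    { [ -n "$nm_val" ] && [ -r "$nm_val" ]; } ||
      nm_report "$nm_key missing or unreadable: ${nm_val:-<unset>}"
  done

  # Assumption: encrypted values start with {AES...} or {3DES}. A non-empty value
  # without that prefix is still clear text (Node Manager not yet restarted).
  for nm_key in CustomIdentityKeyStorePassPhrase CustomIdentityPrivateKeyPassPhrase; do
    nm_val=$(nm_prop "$nm_file" "$nm_key")
    case $nm_val in
      '') nm_report "$nm_key is not set" ;;
      '{AES'*'}'* | '{3DES}'*) ;;
      *) nm_report "$nm_key is stored in clear text" ;;
    esac
  done

  # Encrypted or not, the file should not be accessible to group or others.
  nm_mode=$(stat -c '%a' "$nm_file" 2>/dev/null || stat -f '%Lp' "$nm_file")
  case $nm_mode in *00) ;; *) nm_report "file mode $nm_mode allows group/other access" ;; esac

  [ "$nm_findings" -eq 0 ]
}

# Stand-alone use: sh audit_nm.sh "$DOMAIN_HOME/nodemanager/nodemanager.properties"
if [ "$#" -gt 0 ]; then audit_nm_properties "$1"; fi
```

A "stored in clear text" finding after the restart means Node Manager did not rewrite the file, which usually points at the wrong nodemanager.properties being edited or at a Node Manager that did not start.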


 
