Tips and Tricks for hardening Oracle Fusion Middleware - Jacco Landlust & Simon Haslam
1. Tips and Tricks for hardening Oracle Fusion Middleware
a presentation by Jacco Landlust & Simon Haslam
Wednesday 3 October 2012
2. Introduction: Jacco H. Landlust
• 35 years old
• Deventer, the Netherlands
• Lives together with Margot, 2 daughters (Franka & Jules) and our cat
3. Jacco H. Landlust / iDBA
• Independent Red Stack Administrator
• Oracle since 2000
• Oracle ACE since 2006
• iDBA since 2010
• Architecture, Clustering, High Availability, Performance & Management
4. Simon Haslam
• Over 35 years old
• Sherborne, UK
5. Simon Haslam
• Oracle since 1996 (UNIX since 1989)
• Founded Veriton in 1996
• Oracle ACE Director since 2009
• Chair of the UKOUG Application Server & Middleware SIG
• Architecture, Design, Installation
• http://simonhaslam.co.uk
6. Why present together?
• Lone wolf pack
• We just like to talk, share ideas and discuss Oracle Fusion Middleware administrator topics
• Oracle Infrastructure Administrators Group
7. Prerequisites & Disclaimer
• This is a technical presentation
• Background knowledge about middleware is assumed
• Best practices from our (limited) experience
• We do not work for Oracle / represent Oracle
• We do not pretend this list is complete
• We are not ‘native’ American speakers
8. Tips and Tricks for hardening Oracle Fusion Middleware
9. Whatever you do
• Run on “current” versions
• Monitor for critical patches by Oracle
• Apply PSUs / CPUs (Patch Set Updates / Critical Patch Updates)
10. Architecture
• Decide upon definitions in your team
• Document your train of thought
• We love pictures
• Segregation of environments (DTAP: development, test, acceptance, production)
• Start with security measures in DEV
• Use SSL wherever you can
11. Architecture
• Separate system components from Java components
• Separate directories
• Separate binaries from configuration
• Separate AdminServer from Managed Servers
• Standardize & automate as much as possible
12. Architecture
• Tiered architecture
• Think about access to components:
  • from where?
  • to what?
  • by whom?
13. Architecture (diagram slide)
15. Separate binaries from configuration
• No chance of the runtime user altering binaries
• The runtime user’s secondary group is the primary group of the binary owner (read/execute via the group bits, never write)
• Need to fix privileges on some files / directories
• One nodemanager per runtime user
16. Caveats
• One nodemanager per runtime user
• The startup binary of the system (binary) owner needs to be owned by the runtime user
• Different layered products have different requirements
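The check a practitioner wants after splitting binaries from configuration is proof that the runtime user cannot write anything under the middleware home. The audit below is an added example, not code from the slides or from Oracle: it walks a directory tree and applies plain POSIX mode-bit logic for a given uid and set of gids, then strips group/world write bits (the "fix privileges" step). The tree, the install user standing in for the binary owner (the current user), the hypothetical runtime uid 65534 and the file names are all constructed for the demo.

```python
"""Audit a Middleware Home for files a runtime user could modify.

Added example, not from the slides. Binaries are owned by an install user
(here: whoever runs the script), the runtime user (hypothetical uid 65534)
only shares that user's primary group and must therefore get read/execute
through the group bits but never write.
"""
import os
import shutil
import stat
import tempfile


def can_write(st, uid, gids):
    """True if a process running as uid with groups gids may write the file
    described by os.stat_result st. Plain POSIX mode bits only; ACLs,
    immutable flags and root are out of scope."""
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def writable_by(root, uid, gids):
    """Sorted list of paths under root (relative) that uid could write."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if can_write(os.lstat(path), uid, gids):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def lock_down(root):
    """Strip group and world write bits from everything under root."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            os.chmod(path, stat.S_IMODE(st.st_mode) & ~(stat.S_IWGRP | stat.S_IWOTH))


def demo():
    """Build a constructed MW_HOME, audit it as the hypothetical runtime uid,
    lock it down, audit again. Returns (findings_before, findings_after)."""
    root = tempfile.mkdtemp(prefix="mw_home_")
    try:
        lib = os.path.join(root, "wlserver_10.3", "server", "lib")
        bin_ = os.path.join(root, "wlserver_10.3", "server", "bin")
        os.makedirs(lib)
        os.makedirs(bin_)
        for dirpath, _, _ in os.walk(root):   # pin directory modes, ignore umask
            os.chmod(dirpath, 0o755)
        jar = os.path.join(lib, "weblogic.jar")
        script = os.path.join(bin_, "startNodeManager.sh")
        for p in (jar, script):
            with open(p, "w") as fh:
                fh.write("placeholder\n")
        os.chmod(jar, 0o644)      # correct: owner rw, group/world read
        os.chmod(script, 0o775)   # wrong: group-writable startup script
        runtime_uid = 65534                     # hypothetical 'wlsrun' uid
        runtime_gids = {os.stat(root).st_gid}   # shares the install user's group
        before = writable_by(root, runtime_uid, runtime_gids)
        lock_down(root)
        after = writable_by(root, runtime_uid, runtime_gids)
        return before, after
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    b, a = demo()
    print("writable before lock-down:", b)
    print("writable after lock-down:", a)
```

Run it against a real middleware home with the real runtime uid and the gids from `id -G wlsrun`; anything it lists is a file the runtime user could trojan and the next restart would execute.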
18. Firewall
http://en.wikipedia.org/wiki/Firewall_(computing)
A firewall’s primary objective is to control the incoming and outgoing network traffic by analyzing the data packets and determining whether they should be allowed through or not, based on a predetermined rule set.
A network’s firewall builds a bridge between an internal network that is assumed to be secure and trusted, and another network, usually an external (inter)network, such as the Internet, that is not assumed to be secure and trusted.
19. Network Connection Filter
• Connection filters let you deny access at the network level
• Network connection filters are a type of firewall in that they can be configured to filter on protocols, IP addresses, and DNS node names
• Careful: rules are domain wide
20. Connection Filter Rules Syntax
• Each rule must be written on a single line.
• Tokens in a rule are separated by white space.
• A pound sign (#) is the comment character. Everything after a pound sign on a line is ignored.
• Whitespace before or after a rule is ignored.
• When entering the filter rules on the Administration Console, enter them in the following format:
  target localAddress localPort action protocols
• If no protocol is defined, all protocols will match a rule
• The rules are evaluated in the order in which they were written; the first rule that matches decides the action, so put the specific allow rules before the catch-all deny
21. Setup filter to block all non-http traffic
127.0.0.1 * 7001 allow
192.168.56.101 * 7001 allow
0.0.0.0/0 * 7001 allow http
0.0.0.0/0 * 7001 deny
22. Setup filter to block all non-http traffic (Administration Console screenshots)
Connection filter class entered in the console: weblogic.security.net.ConnectionFilterImpl
30. Setup filter to block all non-http traffic
Server log entry when a non-http connection is rejected by the filter:
<29-sep-2012 11:58:00 uur CEST> <Notice> <Socket> <BEA-000445> <Connection rejected, filter blocked Socket[addr=192.168.56.1,port=49182,localport=7001], weblogic.security.net.FilterException: [Security:090220]rule 4>
31. Setup filter to block all non-http traffic
127.0.0.1 * 7001 allow
192.168.56.101 * 7001 allow
0.0.0.0/0 * 7001 allow http
0.0.0.0/0 * 7001 deny
“rule 4” in the log message is the final deny: the connection from 192.168.56.1 to port 7001 was not http, so it fell through the first three rules.
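Because a connection filter applies domain wide and a wrong rule set locks out every channel at once, it pays to evaluate the rules offline before pasting them into the console. The evaluator below is an added example, not WebLogic's ConnectionFilterImpl and not code from the slides: it implements the documented `target localAddress localPort action protocols` syntax with first-match semantics over the four rules from slides 21 and 31 and reproduces the "rule 4" result from the slide 30 log entry. Assumptions: targets are IPs or CIDR blocks (DNS names are only compared as strings here), and a connection that matches no rule is allowed; the slides' rule set ends with an explicit deny so it never depends on that default.

```python
"""Evaluate WebLogic-style connection filter rules offline.

Added example, not WebLogic's own filter implementation. The constructed
connections in demo() include the t3 attempt from 192.168.56.1 that the
slide 30 log shows being rejected by rule 4.
"""
import ipaddress

RULES = """
# rules from the slides
127.0.0.1 * 7001 allow
192.168.56.101 * 7001 allow
0.0.0.0/0 * 7001 allow http
0.0.0.0/0 * 7001 deny
"""


def parse_rules(text):
    """Parse rule lines; '#' starts a comment, blank lines are ignored.
    An empty protocol set means 'all protocols'."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[3] not in ("allow", "deny"):
            raise ValueError("malformed rule: %r" % line)
        target, local_addr, local_port, action = parts[:4]
        rules.append({
            "target": target,
            "local_addr": local_addr,
            "local_port": local_port,
            "action": action,
            "protocols": set(p.lower() for p in parts[4:]),
        })
    return rules


def _target_matches(target, remote_ip):
    """IP or CIDR match; anything unparsable (a DNS name) is string-compared."""
    try:
        return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(target, strict=False)
    except ValueError:
        return target == remote_ip


def evaluate(rules, remote_ip, local_addr, local_port, protocol):
    """Return (action, rule_number) for the first matching rule, numbered
    from 1 as in the BEA-000445 message; ('allow', None) if none matched
    (assumed default)."""
    for n, r in enumerate(rules, 1):
        if not _target_matches(r["target"], remote_ip):
            continue
        if r["local_addr"] != "*" and r["local_addr"] != local_addr:
            continue
        if r["local_port"] != "*" and int(r["local_port"]) != local_port:
            continue
        if r["protocols"] and protocol.lower() not in r["protocols"]:
            continue
        return r["action"], n
    return "allow", None


def demo():
    """Constructed connections to the AdminServer listener on port 7001."""
    rules = parse_rules(RULES)
    cases = [("192.168.56.1", "t3"), ("192.168.56.1", "http"),
             ("192.168.56.101", "t3"), ("127.0.0.1", "t3"), ("10.0.0.5", "https")]
    return {c: evaluate(rules, c[0], "192.168.56.101", 7001, c[1]) for c in cases}


if __name__ == "__main__":
    for (ip, proto), (action, n) in demo().items():
        print("%-15s %-5s -> %-5s (rule %s)" % (ip, proto, action, n))
```

Note that `https` from 10.0.0.5 is denied too: rule 3 lists only `http`, so a console over SSL needs its own allow line before the deny.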
32. Personal Accounts
• Trace administrative actions to a human
• Authentication providers
• Identity assertion authentication provider
• JAAS control flags
• Order of providers matters
• Most FMW layered products only find group memberships (and groups) for the first provider
33. Role Based Privileges
• For WebLogic: configured in /console
• For most Fusion Middleware applications: configured in /em
• Policy store provider in OID or Database
34. SQL Based Authentication Provider
CREATE TABLE USERS (
  U_NAME VARCHAR(200) NOT NULL,
  U_PASSWORD VARCHAR(50) NOT NULL,
  U_DESCRIPTION VARCHAR(1000),
  CONSTRAINT PK_USERS PRIMARY KEY (U_NAME));
CREATE TABLE GROUPS (
  G_NAME VARCHAR(200) NOT NULL,
  G_DESCRIPTION VARCHAR(1000) NULL,
  CONSTRAINT PK_GROUPS PRIMARY KEY (G_NAME));
35. SQL Based Authentication Provider
CREATE TABLE GROUPMEMBERS (
  G_NAME VARCHAR(200) NOT NULL,
  G_MEMBER VARCHAR(200) NOT NULL,
  CONSTRAINT PK_GROUPMEMBERS
    PRIMARY KEY (G_NAME, G_MEMBER),
  CONSTRAINT FK1_GROUPMEMBERS
    FOREIGN KEY (G_NAME) REFERENCES GROUPS (G_NAME)
    ON DELETE CASCADE,
  CONSTRAINT FK2_GROUPMEMBERS
    FOREIGN KEY (G_MEMBER) REFERENCES USERS (U_NAME)
    ON DELETE CASCADE
);
36. SQL Based Authentication Provider
-- 'Welcome01' is a demo value stored in clear text; in production store a
-- hashed password and disable plain-text passwords on the provider
insert into USERS (U_NAME, U_PASSWORD, U_DESCRIPTION)
  values ('jacco', 'Welcome01', 'admin user');
insert into GROUPS (G_NAME, G_DESCRIPTION)
  values ('Administrators', 'Administrators');
insert into GROUPMEMBERS (G_NAME, G_MEMBER)
  values ('Administrators', 'jacco');
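The schema on slides 34 to 36 is what makes "trace administrative actions to a human" work: one row per person, membership in Administrators rather than a shared weblogic account. The script below is an added example, not from the slides and not Oracle's provider code: it loads the same DDL into an in-memory SQLite database, stores a salted hash instead of the clear-text Welcome01, and exercises the two things an administrator relies on, the group lookup by user and the ON DELETE CASCADE that drops group membership when an account is removed. The hash layout (salt$sha256) is illustrative only; the SQL Authenticator has to be configured to match whatever format is actually stored, and U_PASSWORD VARCHAR(50) from the slides is too narrow for it (SQLite does not enforce the length, a real database would).

```python
"""Exercise the SQL Authenticator schema from the slides with sqlite3.

Added example, not from the slides. The hash format is illustrative, not
the WebLogic provider's own; widen U_PASSWORD before using hashes for real.
"""
import hashlib
import hmac
import os
import sqlite3

DDL = """
CREATE TABLE USERS (
  U_NAME VARCHAR(200) NOT NULL,
  U_PASSWORD VARCHAR(50) NOT NULL,
  U_DESCRIPTION VARCHAR(1000),
  CONSTRAINT PK_USERS PRIMARY KEY (U_NAME));
CREATE TABLE GROUPS (
  G_NAME VARCHAR(200) NOT NULL,
  G_DESCRIPTION VARCHAR(1000) NULL,
  CONSTRAINT PK_GROUPS PRIMARY KEY (G_NAME));
CREATE TABLE GROUPMEMBERS (
  G_NAME VARCHAR(200) NOT NULL,
  G_MEMBER VARCHAR(200) NOT NULL,
  CONSTRAINT PK_GROUPMEMBERS PRIMARY KEY (G_NAME, G_MEMBER),
  CONSTRAINT FK1_GROUPMEMBERS FOREIGN KEY (G_NAME) REFERENCES GROUPS (G_NAME) ON DELETE CASCADE,
  CONSTRAINT FK2_GROUPMEMBERS FOREIGN KEY (G_MEMBER) REFERENCES USERS (U_NAME) ON DELETE CASCADE);
"""


def hash_password(password, salt=None):
    """salt$sha256(salt+password); illustrative format, see lead-in."""
    salt = salt or os.urandom(8).hex()
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return salt + "$" + digest


def verify_password(stored, password):
    salt, _ = stored.split("$", 1)
    return hmac.compare_digest(stored, hash_password(password, salt))


def open_store():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite needs this for CASCADE
    conn.executescript(DDL)
    return conn


def add_admin(conn, name, password, description):
    """Create a personal account and put it in Administrators."""
    conn.execute("INSERT INTO USERS VALUES (?, ?, ?)",
                 (name, hash_password(password), description))
    conn.execute("INSERT OR IGNORE INTO GROUPS VALUES ('Administrators', 'Administrators')")
    conn.execute("INSERT INTO GROUPMEMBERS VALUES ('Administrators', ?)", (name,))


def groups_of(conn, name):
    """Group lookup by member, the query the provider needs for authorization."""
    rows = conn.execute("SELECT G_NAME FROM GROUPMEMBERS WHERE G_MEMBER = ? ORDER BY G_NAME", (name,))
    return [r[0] for r in rows]


def check_login(conn, name, password):
    row = conn.execute("SELECT U_PASSWORD FROM USERS WHERE U_NAME = ?", (name,)).fetchone()
    return row is not None and verify_password(row[0], password)


def demo():
    conn = open_store()
    add_admin(conn, "jacco", "Welcome01", "admin user")
    result = {
        "login_ok": check_login(conn, "jacco", "Welcome01"),
        "login_bad": check_login(conn, "jacco", "welcome01"),
        "groups_before": groups_of(conn, "jacco"),
    }
    conn.execute("DELETE FROM USERS WHERE U_NAME = 'jacco'")   # offboarding
    result["groups_after"] = groups_of(conn, "jacco")
    result["members_left"] = conn.execute("SELECT COUNT(*) FROM GROUPMEMBERS").fetchone()[0]
    conn.close()
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-14s %s" % (k, v))
```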
37-70. SQL Based Authentication Provider (Administration Console screenshots, no text on these slides)
71. Nodemanager
• Always use SecureListener=true
• Set up Node Manager credentials for a custom user
• Store and protect credentials in key files
• Never use demo certificates (in production)
72. Secure Sockets Layer / Transport Layer Security
• TLS and its predecessor SSL are cryptographic protocols
• The TLS protocol allows client-server applications to communicate across a network in a way designed to prevent eavesdropping and tampering.
73. How does it work?
1. The client sends the server the client's SSL version number, cipher settings, session-specific data, and other information that the server needs to communicate with the client using SSL.
2. The server sends the client the server's SSL version number, cipher settings, session-specific data, and other information that the client needs to communicate with the server over SSL. The server also sends its own certificate, and if the client is requesting a server resource that requires client authentication, the server requests the client's certificate.
3. The client uses the information sent by the server to authenticate the server (see Server Authentication for details). If the server cannot be authenticated, the user is warned of the problem and informed that an encrypted and authenticated connection cannot be established. If the server can be successfully authenticated, the client proceeds to step 4.
4. Using all data generated in the handshake thus far, the client (with the cooperation of the server, depending on the cipher being used) creates the pre-master secret for the session, encrypts it with the server's public key (obtained from the server's certificate, sent in step 2), and then sends the encrypted pre-master secret to the server.
5. If the server has requested client authentication (an optional step in the handshake), the client also signs another piece of data that is unique to this handshake and known by both the client and server. In this case, the client sends both the signed data and the client's own certificate to the server along with the encrypted pre-master secret.
74. How does it work?
6. If the server has requested client authentication, the server attempts to authenticate the client (see Client Authentication for details). If the client cannot be authenticated, the session ends. If the client can be successfully authenticated, the server uses its private key to decrypt the pre-master secret, and then performs a series of steps (which the client also performs, starting from the same pre-master secret) to generate the master secret.
7. Both the client and the server use the master secret to generate the session keys, which are symmetric keys used to encrypt and decrypt information exchanged during the SSL session and to verify its integrity (that is, to detect any changes in the data between the time it was sent and the time it is received over the SSL connection).
8. The client sends a message to the server informing it that future messages from the client will be encrypted with the session key. It then sends a separate (encrypted) message indicating that the client portion of the handshake is finished.
9. The server sends a message to the client informing it that future messages from the server will be encrypted with the session key. It then sends a separate (encrypted) message indicating that the server portion of the handshake is finished.
source: http://en.wikipedia.org/wiki/Secure_Sockets_Layer
75. Key Information
• Identity store: information to uniquely and securely identify yourself
• Truststore: knowledge of whom to trust
76. Different Components, Different Keystores
• All Java components use Java keystores (by default)
• All system components use Oracle Wallets
• Most system components need auto-login wallets
• Default CAs are stored with the JRE
77. When using WLST
• -Dweblogic.security.SSL.trustedCAKeyStore=/path/to/truststore.jks
• Set up WLST_PROPERTIES in ${MW_HOME}/wlserver_10.3/common/bin/wlst.sh
• Preferably create a wrapper script outside of your middleware home (so patches and upgrades do not overwrite it)
78. Nodemanager
• Set up in nodemanager.properties:
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeyStoreFileName=identity.jks
CustomIdentityKeyStorePassPhrase=Welcome01
CustomIdentityAlias=oow12demo.area51.local
CustomIdentityPrivateKeyPassPhrase=Welcome01
CustomTrustKeyStoreFileName=truststore.jks
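Slides 71 and 78 together give a short checklist for nodemanager.properties: a secure listener, no demo certificates, a custom identity with a matching custom trust store, and pass phrases that are not left lying around in clear text. The linter below is an added example, not an Oracle tool and not code from the slides: it parses the Java .properties syntax and reports against that checklist. The sample files are constructed; the KeyStores values DemoIdentityAndDemoTrust and CustomIdentityAndCustomTrust are the documented ones, while treating a `{AES}` or `{3DES}` prefix as the marker of a value Node Manager has already encrypted is an assumption made for the demo.

```python
"""Lint nodemanager.properties for the settings called out on slides 71 and 78.

Added example, not from the slides. Key comparison is case-insensitive so
that 'secureListener' and 'SecureListener' are both recognised.
"""

# Assumption for the demo: values Node Manager has already encrypted start
# with one of these prefixes; anything else is treated as clear text.
ENCRYPTED_PREFIXES = ("{AES}", "{3DES}")

WEAK = """
# constructed: a fresh install
SecureListener=false
KeyStores=DemoIdentityAndDemoTrust
"""

SLIDE = """
# constructed: the slide 78 settings plus a secure listener
SecureListener=true
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeyStoreFileName=identity.jks
CustomIdentityKeyStorePassPhrase=Welcome01
CustomIdentityAlias=oow12demo.area51.local
CustomIdentityPrivateKeyPassPhrase=Welcome01
CustomTrustKeyStoreFileName=truststore.jks
"""

ENCRYPTED = """
# constructed: same file after the pass phrases have been encrypted (assumed format)
SecureListener=true
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeyStoreFileName=identity.jks
CustomIdentityKeyStorePassPhrase={AES}c29tZS1vcGFxdWUtdmFsdWU=
CustomIdentityAlias=oow12demo.area51.local
CustomIdentityPrivateKeyPassPhrase={AES}YW5vdGhlci1vcGFxdWUtdmFsdWU=
CustomTrustKeyStoreFileName=truststore.jks
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def lint(props):
    """Return a list of findings (empty list = nothing to report)."""
    findings = []
    lower = {k.lower(): v for k, v in props.items()}
    if lower.get("securelistener", "").lower() != "true":
        findings.append("SecureListener is not true: Node Manager listens in plain text")
    keystores = lower.get("keystores", "DemoIdentityAndDemoTrust")
    if "Demo" in keystores:
        findings.append("KeyStores=%s uses demo certificates" % keystores)
    elif keystores.startswith("CustomIdentity"):
        if not keystores.endswith("CustomTrust"):
            findings.append("KeyStores=%s: identity is custom but trust is the JRE default" % keystores)
        for key in ("customidentitykeystorefilename", "customidentityalias"):
            if not lower.get(key):
                findings.append("%s is missing" % key)
    for key, value in props.items():   # insertion order keeps findings deterministic
        if key.lower().endswith("passphrase") and value and not value.startswith(ENCRYPTED_PREFIXES):
            findings.append("%s is in clear text; restrict file permissions" % key)
    return findings


def demo():
    return {name: lint(parse_properties(text))
            for name, text in (("weak", WEAK), ("slide", SLIDE), ("encrypted", ENCRYPTED))}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "ok")
```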
79. WebLogic Servers
• Change the keystore type to Custom Identity (and Custom Trust)
• Configure the Identity Keystore
• Configure the Trust Keystore (if custom)
• Configure the private key (the alias that says “who am I”)
• No disabling of hostname verification
• 2-way SSL
80. Layered Products
• Most can be configured from Enterprise Manager (you must have the administrator role!)
• Credential maps are all stored in an Oracle Wallet
• Set up SSL in mod_wl_ohs.conf to encrypt traffic between OHS and WLS
81. Domain Wide Administration Port
• You can separate administration traffic from application traffic in your domain
• Administrative actions run on separate threads from application threads
• You can start a server in standby state
• Since communication uses SSL, administration traffic (which includes such things as administrator passwords) is more secure
82. Caveats
• All servers in your domain must be configured with support for the SSL protocol
• Port conflicts: override the administration port per managed server
• Inter-layered product communication usually runs as user weblogic / a user with the administrator role
• Registering system components can be difficult / you cannot use the standard config.sh GUIs
83-86. Domain Wide Administration Port (Administration Console screenshots, no text on these slides)
87. Domain Wide Administration Port
Console/Management requests or requests with <require-admin-traffic> specified to 'true' can only be made through an administration channel
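The two caveats on slide 82 (every server needs SSL, and servers that share a machine need a per-server administration port override) can both be read straight out of the domain's config.xml before the port is switched on. The checker below is an added example, not an Oracle tool and not code from the slides: it parses a constructed config.xml in the WebLogic domain namespace (http://xmlns.oracle.com/weblogic/domain) and reports servers whose SSL listener is not enabled and servers that would collide on the domain-wide administration port. The element names administration-port-enabled, administration-port and ssl/enabled follow the DomainMBean and ServerMBean attribute names, and 9002 is the documented default administration port; treat the element names as an assumption and compare them with your own config.xml before relying on the script.

```python
"""Check config.xml for the domain-wide administration port caveats on slide 82.

Added example, not from the slides. The domain below is constructed:
WLS_1 has a per-server override, WLS_2 has neither SSL nor an override.
"""
import xml.etree.ElementTree as ET

NS = {"d": "http://xmlns.oracle.com/weblogic/domain"}
DEFAULT_ADMIN_PORT = 9002   # WebLogic default administration port

CONFIG_XML = """
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>oow12demo</name>
  <administration-port-enabled>true</administration-port-enabled>
  <administration-port>9002</administration-port>
  <server>
    <name>AdminServer</name>
    <ssl><enabled>true</enabled><listen-port>7002</listen-port></ssl>
    <machine>host1</machine>
    <listen-port>7001</listen-port>
  </server>
  <server>
    <name>WLS_1</name>
    <ssl><enabled>true</enabled><listen-port>8002</listen-port></ssl>
    <machine>host1</machine>
    <listen-port>8001</listen-port>
    <administration-port>9003</administration-port>
  </server>
  <server>
    <name>WLS_2</name>
    <ssl><enabled>false</enabled></ssl>
    <machine>host1</machine>
    <listen-port>8011</listen-port>
  </server>
</domain>
"""


def _text(el, path, default=None):
    found = el.find(path, NS)
    return found.text.strip() if found is not None and found.text else default


def check_admin_port(xml_text):
    """Return a list of findings for a domain that uses the administration port."""
    root = ET.fromstring(xml_text)
    if _text(root, "d:administration-port-enabled", "false") != "true":
        return ["administration port is not enabled for the domain"]
    domain_port = int(_text(root, "d:administration-port", DEFAULT_ADMIN_PORT))
    findings = []
    seen = {}   # (machine, admin port) -> first server that claimed it
    for srv in root.findall("d:server", NS):
        name = _text(srv, "d:name", "?")
        # caveat 1: the admin channel is SSL only, so every server needs SSL on
        if _text(srv, "d:ssl/d:enabled", "false") != "true":
            findings.append("%s: SSL not enabled; the administration channel requires SSL" % name)
        # caveat 2: the domain-wide port collides when servers share a machine
        port = int(_text(srv, "d:administration-port", domain_port))
        key = (_text(srv, "d:machine", name), port)
        if key in seen:
            findings.append("%s: administration port %d conflicts with %s on %s; "
                            "override it per server" % (name, port, seen[key], key[0]))
        else:
            seen[key] = name
    return findings


if __name__ == "__main__":
    for f in check_admin_port(CONFIG_XML) or ["ok"]:
        print(f)
```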