Sunday Apr 05, 2015

Securing Coherence unicast communications for FMW SOA by Peter van Nes

When confidentiality is required for an Oracle Fusion Middleware environment, the first thing you will probably do is configure SSL for the domain. You might think that this secures all connections in the domain, but various FMW applications use frameworks such as JGroups or Oracle Coherence whose connections are not secured by configuring SSL for the domain.

Various FMW applications, like Oracle Identity Manager, use FMW SOA, which in turn uses Oracle Coherence for unicast communications. As Oracle recommends unicast communication for SOA enterprise deployments in the Fusion Middleware Enterprise Deployment Guide for Oracle SOA Suite, you will probably have set up unicast communication in your production environments accordingly by adding the Java properties tangosol.coherence.wka[1-n] and tangosol.coherence.localhost.

Instead of adding the properties to the Server Start arguments of each server individually, you can add these settings to setDomainEnv.sh. This way you have a consolidated view of all the configuration settings for the Coherence cluster.

Securing Unicast communications

Unicast (TCMP) communications for Coherence can be secured by defining an SSL socket provider. [Coherence Security Guide; Using SSL to Secure TCMP Communication]

A pre-defined SSL socket provider named ‘ssl’ is defined in the tangosol-coherence.xml file inside the Java archive coherence.jar, which can be found in the lib directory of your Coherence installation under <MW_HOME>. This pre-defined socket provider expects a combined key- and truststore named keystore.jks to be present on the classpath. It is therefore less suitable for production environments, where the truststore and the keystore are kept in separate keystores. Best practice is not to replace tangosol-coherence.xml, but to override the operational and run-time settings with an operational override file. The property tangosol.coherence.override specifies the name of the override file to be used instead of the default. In this override file the cluster-config element should be defined to enable SSL for TCMP (unicast). The cluster-config element contains three sub-elements: member-identity, unicast-listener and socket-provider.

The member-identity element contains the cluster-name of the Coherence cluster. This is the same name as the cluster name set in the property tangosol.coherence.cluster when configuring unicast communications. The element unicast-listener defines the well-known-addresses, listen ports and other properties of all cluster nodes. These are the values you assigned to the properties tangosol.coherence.wka[1-n] and tangosol.coherence.localhost when setting up unicast communications. The element socket-provider should have the same value as the id attribute of the socket-provider element, which will be described next. Read the complete article here.
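As an added example (not taken from the article or from the Coherence distribution), the following operational override file puts the three parts described above together: the member-identity with the cluster name, the unicast-listener with the well-known addresses that replace the tangosol.coherence.wka[1-n] and tangosol.coherence.localhost properties, and a socket provider that uses a separate identity keystore and truststore instead of the single keystore.jks the built-in ‘ssl’ provider expects. The element layout follows the Coherence operational configuration schema as I understand it, with the socket-provider reference inside unicast-listener and the definition inside socket-providers. The cluster name, host names, ports, keystore paths and the soa.coherence.* password property names are placeholders of my own; the password elements read their values from JVM system properties through the system-property attribute, so no password has to be stored in the file itself.

```xml
<?xml version="1.0"?>
<!-- Added example of an operational override file; not from the article.
     Activate it on every node with -Dtangosol.coherence.override=tangosol-coherence-override.xml.
     Cluster name, hosts, ports, keystore paths and soa.coherence.* property names are placeholders. -->
<coherence xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns="http://xmlns.oracle.com/coherence/coherence-operational-config"
           xsi:schemaLocation="http://xmlns.oracle.com/coherence/coherence-operational-config coherence-operational-config.xsd">
  <cluster-config>

    <!-- Same value as previously passed with -Dtangosol.coherence.cluster -->
    <member-identity>
      <cluster-name system-property="tangosol.coherence.cluster">SOA_Cluster</cluster-name>
    </member-identity>

    <unicast-listener>
      <!-- Replaces -Dtangosol.coherence.wka1 ... -Dtangosol.coherence.wkaN -->
      <well-known-addresses>
        <socket-address id="1">
          <address>soahost1.example.com</address>
          <port>8088</port>
        </socket-address>
        <socket-address id="2">
          <address>soahost2.example.com</address>
          <port>8088</port>
        </socket-address>
      </well-known-addresses>
      <!-- This node's own address and port; still overridable per node with -Dtangosol.coherence.localhost -->
      <address system-property="tangosol.coherence.localhost">soahost1.example.com</address>
      <port system-property="tangosol.coherence.localport">8088</port>
      <!-- Must equal the id attribute of the socket-provider defined below -->
      <socket-provider system-property="tangosol.coherence.socketprovider">tcmp-ssl</socket-provider>
    </unicast-listener>

    <socket-providers>
      <socket-provider id="tcmp-ssl">
        <ssl>
          <protocol>TLS</protocol>
          <!-- Identity: this node's private key and certificate, in its own keystore -->
          <identity-manager>
            <key-store>
              <url>file:/u01/oracle/config/keystores/soa-identity.jks</url>
              <password system-property="soa.coherence.identity.storepass"/>
              <type>JKS</type>
            </key-store>
            <!-- Password of the private key entry, also supplied as a JVM property -->
            <password system-property="soa.coherence.identity.keypass"/>
          </identity-manager>
          <!-- Trust: a separate truststore; PeerX509 accepts only certificates present in it -->
          <trust-manager>
            <algorithm>PeerX509</algorithm>
            <key-store>
              <url>file:/u01/oracle/config/keystores/soa-trust.jks</url>
              <password system-property="soa.coherence.trust.storepass"/>
              <type>JKS</type>
            </key-store>
          </trust-manager>
        </ssl>
      </socket-provider>
    </socket-providers>

  </cluster-config>
</coherence>
```

Two things to check when rolling this out: every cluster member must point at the same override file and use the same socket provider, because a member still using plain TCMP cannot join an SSL-secured cluster; and with the PeerX509 trust algorithm each node's certificate has to be imported into the shared truststore, otherwise that node is rejected at handshake time. Passing the override file and the password properties through setDomainEnv.sh, as suggested above for the unicast properties, keeps the whole Coherence configuration in one place.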

WebLogic Partner Community

For regular information, become a member of the WebLogic Partner Community: please visit http://www.oracle.com/partners/goto/wls-emea (OPN account required). If you need support with your account, please contact the Oracle Partner Business Center.


Tuesday Feb 24, 2015

Full recovery of a corrupt WebLogic embedded LDAP server by Peter van Nes

Today one of the AdminServers failed to restart and was flooding the AdminServer.out with multiple EmbeddedLDAP java.lang.ArrayIndexOutOfBoundsException messages per second. I do admit this is not the first article about how to recover from this issue, and probably not the last. Although I was able to Google multiple articles and blogs on this exception, all of the suggested solutions left me with a seed embedded LDAP. The good news is that by default a backup of the embedded LDAP is made every day at 23:05 and the last 7 copies are retained. You can find these settings by selecting the domain in the Domain Structure of the WebLogic console and then opening the tab Security > Embedded LDAP.

So you can recover fully from a corrupt WebLogic embedded LDAP server; just follow these few steps.

· Shut down the admin server

· Move the current data directory aside so you can access it later:
mv <domain_home>/servers/AdminServer/data <domain_home>/servers/AdminServer/data.bkp

· Start the admin server

Read the complete article here.


Tuesday May 13, 2014

A Weblogic Admin Console with a dynamic look and feel by Peter van Nes

In my previous post I explained how to build a custom look and feel for the WebLogic Administration Console, which is the result of research into the possibility of distinguishing WebLogic Consoles in DTAP environments. My initial plan was to develop a separate look and feel for each specific environment, simply because I did not know what the possibilities were. I quickly abandoned this plan and developed one WebLogic Admin Console look and feel which adapts itself to the environment in which it is deployed.

At most sites there is a way to determine whether your host is running in a Development, Test, Acceptance or Production environment. The key data used to differentiate these environments depends on the infrastructure; it can be, for example, the IP address, the DNS name or the WebLogic domain name. One customer, for example, has standardized the WebLogic domain names so that the first character of the domain name corresponds to the environment: a WebLogic Development domain therefore always starts with a ‘D’, a Test domain with a ‘T’, etc. In this article I will show you how to make the WebLogic Console adapt its look and feel based on the WebLogic domain name.

The WebLogic Admin Console login page is defined in /login/LoginForm.jsp, which imports the MBeanUtils.class file. This class contains a lot of valuable methods. One of those methods, getDomainName(), returns, as its name says, the name of the WebLogic domain. Simply adding the following single line of Java as a JSP expression to LoginForm.jsp gives you the WebLogic domain name for which the Admin Console is opened. Read the complete article here.

