Proactive insights, news and tips from Oracle WebLogic Server Support. Learn Oracle from Oracle.

  • November 5, 2015

Create WebLogic Server Domain with Partitions using WLST in 12.2.1

Oracle WebLogic Server 12.2.1 added support for multitenancy (WLS MT). In WLS MT, WLS can be configured with a domain, as well as one or more partitions. A partition contains new elements introduced in WLS MT, like resource groups, resource group templates, virtual targets, etc. Setting up a domain with partitions requires additional steps compared to a traditional WLS domain. For more detailed information about these new WLS MT related concepts, please see Oracle Docs listed in the "References" section. 

Oracle recommends using Fusion Middleware Control (FMWC) to create WebLogic domains via the Restricted JRF template. Oracle also supports creating WebLogic Server domains using WLST. In this article, I will demonstrate how to create a WLS domain with 2 partitions using WLST. This includes:

  • Displaying domain topology
  • Creating a domain with 2 partitions using WLST
  • Displaying domain config file sample

These tasks are described in the subsequent sections.

1. Domain Topology

In this article, I will create a domain that is configured with:

  • One AdminServer named "admin", one partition named "coke", one partition named "pepsi".
  • The "coke" partition contains one resource group named "coke-rg1", targeting to a virtual target named "coke-vt". 
  • The "pepsi" partition contains one resource group named "pepsi-rg1", targeting to a virtual target named "pepsi-vt". 
  • An application "helloTenant.ear" is deployed to the domain, the "coke-rg1" in the "coke" partition and the "pepsi-rg1" in the "pepsi" partition.

The following picture shows what the domain topology looks like:

Note this domain topology does not contain other MT related concepts, like a resource group template. They are not covered in this article. To see more information about other MT related concepts, please check the "References" section for details.

2. Create a domain with partitions

To create a domain with the topology shown in the picture above, several steps are required:

  • Create a traditional WLS domain
  • Start the domain
  • Create a partition in the domain
    • Create a security realm for the partition
    • Create a user for the partition
    • Add the user to the groups in the security realm
    • Create a virtual target
    • Create a partition
      • Create a resource group
      • Set a virtual target as a default target
      • Setup security IDD for the partition
  • Restart the server
  • Start the partition

Each step is illustrated in detail below.

2.1 Create a traditional WLS domain

A traditional WLS domain can be created by using the Config Wizard. Start the Config Wizard via a command script:

sh $MW_Home/oracle_common/common/bin/config.sh

Create a domain using all the defaults, and specify the following:

  • Domain name = base_domain
  • User name = weblogic
  • User password = welcome1

2.2 Start the domain

cd $MW_Home/user_projects/domains/base_domain/

sh startWebLogic.sh

2.3 Create a partition: coke in a domain

The steps below require WLST to be started. Use the following command to start WLST:

sh $MW_Home/oracle_common/common/bin/wlst.sh

Note, all of the WLST commands shown below are run after connecting to the Admin server "admin" with the admin user "weblogic" credentials, e.g.,

connect("weblogic", "welcome1", "t3://localhost:7001")

Now, WLST is ready to run commands to setup the partition for coke. The partition for coke has the following values:

  • Partition name = coke
  • Partition user name = mtadmin1
  • Partition password = welcome1

To do that, a security realm and a user are created for the partition as shown below. We explain it step-by-step.

2.3.1 Create a security realm for the partition 

The security realm is created using the standard WLS APIs.


edit()

startEdit()

realmName = 'coke_realm'

security = cmo.getSecurityConfiguration()

print 'realm name is ' + realmName

realm = security.createRealm(realmName)

# ATN

atnp = realm.createAuthenticationProvider(
  'ATNPartition','weblogic.security.providers.authentication.DefaultAuthenticator')

atna = realm.createAuthenticationProvider(
  'ATNAdmin','weblogic.security.providers.authentication.DefaultAuthenticator')

# IA

ia = realm.createAuthenticationProvider(
  'IA','weblogic.security.providers.authentication.DefaultIdentityAsserter')

ia.setActiveTypes(['AuthenticatedUser'])

# ATZ/Role

realm.createRoleMapper(
  'Role','weblogic.security.providers.xacml.authorization.XACMLRoleMapper')

realm.createAuthorizer(
  'ATZ','weblogic.security.providers.xacml.authorization.XACMLAuthorizer')

# Adjudicator

realm.createAdjudicator(
  'ADJ','weblogic.security.providers.authorization.DefaultAdjudicator')

# Auditor

realm.createAuditor(
  'AUD','weblogic.security.providers.audit.DefaultAuditor')


# Cred Mapper

realm.createCredentialMapper(
  'CM','weblogic.security.providers.credentials.DefaultCredentialMapper')

# Cert Path

realm.setCertPathBuilder(realm.createCertPathProvider(
  'CP','weblogic.security.providers.pk.WebLogicCertPathProvider'))

# Password Validator

pv = realm.createPasswordValidator('PV',
  'com.bea.security.providers.authentication.passwordvalidator.SystemPasswordValidator')

pv.setMinPasswordLength(8)

pv.setMinNumericOrSpecialCharacters(1)

save()

activate()

2.3.2 Add a user and group to the security realm for the partition

Create a user and add the user to a security group Administrators in the realm. In this use case, the username and the password for the coke partition are mtadmin1 and welcome1. There is no need to start an edit session when looking up the Authentication Provider to create a user/group.

realmName = 'coke_realm'

userName = 'mtadmin1'

groupName = 'Administrators'

print 'add user: realmName ' + realmName

if realmName == 'DEFAULT_REALM':

  realm = cmo.getSecurityConfiguration().getDefaultRealm()

else:

  realm = cmo.getSecurityConfiguration().lookupRealm(realmName)

print "Creating user " + userName + " in realm: " + realm.getName()

atn = realm.lookupAuthenticationProvider('ATNPartition')

if atn.userExists(userName):

  print "User already exists."

else:

  atn.createUser(userName, '${password}', realmName + ' Realm User')

print "Done creating user."

print "Creating group " + groupName + " in realm: " + realm.getName()

if atn.groupExists(groupName):

  print "Group already exists."

else:

  atn.createGroup(groupName, realmName + ' Realm Group')

if atn.isMember(groupName,userName,true) == 0:

  atn.addMemberToGroup(groupName, userName)

else:

  print "User is already member of the group."

2.3.3 Create a virtual target for the partition

This virtual target is targeted to the admin server. The URI prefix is /coke. This is the URL prefix used for making JMX connections to the WebLogic Server MBeanServer.

edit()

startEdit()

vt = cmo.createVirtualTarget("coke-vt")

vt.setHostNames(array(["localhost"],java.lang.String))

vt.setUriPrefix("/coke")

adminServer = cmo.lookupServer("admin")

vt.addTarget(adminServer)

save()

activate()

2.3.4 Create the partition: coke

The partition name is coke and it is targeted to the coke-vt virtual target.

edit()

startEdit()

vt = cmo.lookupVirtualTarget("coke-vt")

p = cmo.createPartition('coke')

p.addAvailableTarget(vt)

p.addDefaultTarget(vt)

rg=p.createResourceGroup('coke-rg1')

rg.addTarget(vt)

realm = cmo.getSecurityConfiguration().lookupRealm("coke_realm")

p.setRealm(realm)

save()

activate()

2.3.5 Setup IDD for the partition

Set up primary identity domain (IDD) for the partition.

edit()

startEdit()

sec = cmo.getSecurityConfiguration()

sec.setAdministrativeIdentityDomain("AdminIDD")

realmName = 'coke_realm'

realm = cmo.getSecurityConfiguration().lookupRealm(realmName)

# ATN

defAtnP = realm.lookupAuthenticationProvider('ATNPartition')

defAtnP.setIdentityDomain('cokeIDD')

defAtnA = realm.lookupAuthenticationProvider('ATNAdmin')

defAtnA.setIdentityDomain("AdminIDD")

# Partition

pcoke= cmo.lookupPartition('coke')

pcoke.setPrimaryIdentityDomain('cokeIDD')

# Default realm

realm = sec.getDefaultRealm()

defAtn = realm.lookupAuthenticationProvider('DefaultAuthenticator')

defAtn.setIdentityDomain("AdminIDD")

save()

activate()

2.3.6 Restart the Server

Restart WebLogic Server because of the security setting changes.

2.3.7 Start the partition

This is required for a partition to receive requests.

edit()

startEdit()

partitionBean=cmo.lookupPartition('coke')

# start the partition (required)

startPartitionWait(partitionBean)

save()

activate()

2.4 Create another partition: pepsi in a domain

Repeat the same steps in 2.3 to create another partition: pepsi, but with different values:

  • Partition name = pepsi
  • User name = mtadmin2
  • Password = welcome2
  • Security realm = pepsi_realm
  • IDD name = pepsiIDD
  • Virtual target name = pepsi-vt
  • Resource group name = pepsi-rg1

2.5 Deploy User Application

Now the domain is ready to use. Let's deploy an application ear file. The application, e.g., helloTenant.ear, is deployed to the WebLogic Server domain, the coke partition, and the pepsi partition.

edit()

startEdit()

deploy(appName='helloTenant',target='admin',path='${path-to-the-ear-file}/helloTenant.ear')

deploy(appName='helloTenant-coke',partition='coke',resourceGroup='coke-rg1',path='${path-to-the-ear-file}/helloTenant.ear')

deploy(appName='helloTenant-pepsi',partition='pepsi',resourceGroup='pepsi-rg1',path='${path-to-the-ear-file}/helloTenant.ear')

save()

activate()

2.6 Domain config file sample

When all of the steps are finished, the domain config file in $DOMAIN_HOME/config/config.xml will contain all of the info needed for the domain and the partitions. Here is a sample snippet related to the coke partition in the config.xml:

<server>

  <name>admin</name>

  <listen-address>localhost</listen-address>

</server>

<configuration-version>12.2.1.0.0</configuration-version>

<app-deployment>

  <name>helloTenant</name>

  <target>admin</target>

  <module-type>ear</module-type>

  <source-path>${path-to-the-ear-file}/helloTenant.ear</source-path>

  <security-dd-model>DDOnly</security-dd-model>

  <staging-mode xsi:nil="true"></staging-mode>

   <plan-staging-mode xsi:nil="true"></plan-staging-mode>

  <cache-in-app-directory>false</cache-in-app-directory>

</app-deployment>

<virtual-target>

  <name>coke-vt</name>

  <target>admin</target>

  <host-name>localhost</host-name>

  <uri-prefix>/coke</uri-prefix>

  <web-server>

    <web-server-log>

      <number-of-files-limited>false</number-of-files-limited>

    </web-server-log>

  </web-server>

</virtual-target>

<admin-server-name>admin</admin-server-name>

<partition>

  <name>coke</name>

  <resource-group>

    <name>coke-rg1</name>

    <app-deployment>

      <name>helloTenant-coke</name>

      <module-type>ear</module-type>

      <source-path>${path-to-the-ear-file}/helloTenant.ear</source-path>

      <security-dd-model>DDOnly</security-dd-model>

      <staging-mode xsi:nil="true"></staging-mode>

      <plan-staging-mode xsi:nil="true"></plan-staging-mode>

      <cache-in-app-directory>false</cache-in-app-directory>

    </app-deployment>

    <target>coke-vt</target>

    <use-default-target>false</use-default-target>

  </resource-group>

  <default-target>coke-vt</default-target>

  <available-target>coke-vt</available-target>

  <realm>coke_realm</realm>

  <partition-id>2d044835-3ca9-4928-915f-6bd1d158f490</partition-id>

  <primary-identity-domain>cokeIDD</primary-identity-domain>

</partition>

For the pepsi partition, there is a similar <virtual-target> element and the <partition> element for pepsi added in the config.xml.
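As an added example (not part of the original article or of WebLogic itself), the following Python script audits a config.xml like the one above for tenant-isolation gaps: a partition that uses the default realm or names a realm that is not defined, a partition without its own primary identity domain, and two virtual targets that share a host name and URI prefix. The element names come from the snippet above; the <security-configuration> layout, the pepsi sample values and the finding labels are assumptions made for this example, and ports on virtual targets are ignored.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Element names follow the config.xml snippet in section 2.6;
# the <security-configuration> block and the pepsi entries are assumptions.
SAMPLE = """<domain><security-configuration>
  <realm><name>myrealm</name></realm><realm><name>coke_realm</name></realm>
  <default-realm>myrealm</default-realm></security-configuration>
 <virtual-target><name>coke-vt</name><host-name>localhost</host-name>
  <uri-prefix>/coke</uri-prefix></virtual-target>
 <virtual-target><name>pepsi-vt</name><host-name>localhost</host-name>
  <uri-prefix>/coke</uri-prefix></virtual-target>
 <partition><name>coke</name><realm>coke_realm</realm>
  <primary-identity-domain>cokeIDD</primary-identity-domain></partition>
 <partition><name>pepsi</name><realm>pepsi-realm</realm></partition>
</domain>"""

def audit_partitions(xml_text):
    """Return (object name, issue) pairs for partition isolation gaps."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                      # ignore any XML namespace
        el.tag = el.tag.split('}', 1)[-1]
    sec = root.find('security-configuration')
    realms = set(r.findtext('name') for r in sec.findall('realm')) if sec is not None else set()
    default_realm = sec.findtext('default-realm') if sec is not None else None
    findings, routes, idds = [], {}, {}
    # Two virtual targets with the same host + URI prefix route to the same place.
    for vt in root.findall('virtual-target'):
        name = vt.findtext('name')
        for host in [h.text for h in vt.findall('host-name')] or ['*']:
            route = (host, vt.findtext('uri-prefix', '/'))
            if route in routes:
                findings.append((name, 'duplicate-route'))
            routes.setdefault(route, name)
    for part in root.findall('partition'):
        name = part.findtext('name')
        realm = part.findtext('realm')
        idd = part.findtext('primary-identity-domain')
        if realm is None or realm == default_realm:
            findings.append((name, 'shares-default-realm'))
        elif realm not in realms:               # e.g. hyphen/underscore typo in the name
            findings.append((name, 'undefined-realm'))
        if not idd:
            findings.append((name, 'no-identity-domain'))
        elif idd in idds:
            findings.append((name, 'shared-identity-domain'))
        idds.setdefault(idd, name)
    return findings

if __name__ == '__main__':
    for finding in audit_partitions(SAMPLE):
        print(finding)
```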

The domain with 2 partitions is now created and ready to serve requests. Users can access their applications deployed onto this domain. Check this blog Application MBean Visibility in Oracle WebLogic Server 12.2.1 regarding how to access the application MBeans registered on WebLogic Server MBeanServers in MT in 12.2.1.

3. Debug Flags

In case of errors during domain creation, there are debug flags which can be used to triage the errors:

  • If the error is related to security realm setup, restart the WLS server with these debug flags:
    • -Dweblogic.debug.DebugSecurityAtn=true -Dweblogic.debug.DebugSecurity=true -Dweblogic.debug.DebugSecurityRealm=true
  • If the error is related to a bean config error in a domain, restart the WLS server with these debug flags:
    • -Dweblogic.debug.DebugJMXCore=true -Dweblogic.debug.DebugJMXDomain=true
  • If the error is related to an edit session issue, restart the WLS server with these debug flags:
    • -Dweblogic.debug.DebugConfigurationEdit=true -Dweblogic.debug.DebugDeploymentService=true -Dweblogic.debug.DebugDeploymentServiceInternal=true -Dweblogic.debug.DebugDeploymentServiceTransportHttp=true 

4. Conclusion

An Oracle WebLogic Server domain in 12.2.1 can contain partitions. Creating a domain with partitions needs additional steps compared to creating a traditional WLS domain. This article shows the domain creation using WLST. There are other ways to create domains with partitions, e.g., FMW Control.  For more information on how to create a domain with partitions, please check the "References" section.

5. References

WebLogic Server domain

Domain partitions for multi tenancy

Enterprise Manager Fusion Middleware Control (FMWC)

Config Wizard

Creating WebLogic domains using WLST offline

Restricted JRF template

WebLogic Server Security

WebLogic Server Deployment

WebLogic Server Debug Flags
