
Start WebLogic server with custom SSL config

Currently I'm experimenting a little bit with Oracle WebLogic Server 12c. I set up a new domain to experiment with SSL. I've already created a custom identity store, certificate and trust following the instructions here: https://helpx.adobe.com/uk/experience-manager/6-3/forms/using/admin-help/configuring-ssl-weblogic-server.html#creating_an_ssl_credential_for_use_on_weblogic_server

I've also set up my AdminServer to use these, which I could test by activating the domain-wide admin port and connecting to the admin console. I inspected the provided cert in the browser and could verify that it was my custom cert.

So far so good. But when I create a managed server, configure it to also use my custom identity, trust and certificate, and save the settings in the admin console, I'm not able to boot the server using the provided startManagedWebLogic.sh script. The reason for the failure is that the server tries to use the DemoCert and DemoTrust, as I can see in the logs. Consequently it fails to connect to the AdminServer and cannot load its configs.

Here is my problem: how should I start a managed server with custom SSL settings, if the default settings are always used to start it up in the first place? Is there any way to modify the startup scripts to use different defaults? Or is there a different "best practice"?

The errors for the server not starting up are:

<Apr 6, 2020 2:40:46,041 PM CEST> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: A MultiException has 6 exceptions.  They are:
1. weblogic.security.SecurityInitializationException: Authentication for user weblogic denied.
2. java.lang.IllegalStateException: Unable to perform operation: post construct on weblogic.security.SecurityService
3. java.lang.IllegalArgumentException: While attempting to resolve the dependencies of weblogic.jndi.internal.RemoteNamingService errors were found
4. java.lang.IllegalStateException: Unable to perform operation: resolve on weblogic.jndi.internal.RemoteNamingService
5. java.lang.IllegalArgumentException: While attempting to resolve the dependencies of weblogic.io.common.internal.FileService errors were found
6. java.lang.IllegalStateException: Unable to perform operation: resolve on weblogic.io.common.internal.FileService

A MultiException has 6 exceptions.  They are:
1. weblogic.security.SecurityInitializationException: Authentication for user weblogic denied.
2. java.lang.IllegalStateException: Unable to perform operation: post construct on weblogic.security.SecurityService
3. java.lang.IllegalArgumentException: While attempting to resolve the dependencies of weblogic.jndi.internal.RemoteNamingService errors were found
4. java.lang.IllegalStateException: Unable to perform operation: resolve on weblogic.jndi.internal.RemoteNamingService
5. java.lang.IllegalArgumentException: While attempting to resolve the dependencies of weblogic.io.common.internal.FileService errors were found
6. java.lang.IllegalStateException: Unable to perform operation: resolve on weblogic.io.common.internal.FileService

    at org.jvnet.hk2.internal.Collector.throwIfErrors(Collector.java:89)
    at org.jvnet.hk2.internal.ClazzCreator.resolveAllDependencies(ClazzCreator.java:250)
    at org.jvnet.hk2.internal.ClazzCreator.create(ClazzCreator.java:358)
    at org.jvnet.hk2.internal.SystemDescriptor.create(SystemDescriptor.java:487)
    at org.glassfish.hk2.runlevel.internal.AsyncRunLevelContext.findOrCreate(AsyncRunLevelContext.java:305)
    Truncated. see log file for complete stacktrace
Caused By: weblogic.security.SecurityInitializationException: Authentication for user weblogic denied.
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:1158)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.postInitialize(CommonSecurityServiceManagerDelegateImpl.java:1272)
    at weblogic.security.service.SecurityServiceManager.postInitialize(SecurityServiceManager.java:586)
    at weblogic.security.SecurityService.start(SecurityService.java:130)
    at weblogic.server.AbstractServerService.postConstruct(AbstractServerService.java:76)
    Truncated. see log file for complete stacktrace
Caused By: javax.security.auth.login.FailedLoginException: [Security:090938]Authentication failure: The specified user failed to log in. weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090295]caught unexpected exception, No such object
    at com.bea.common.security.utils.ExceptionHandler.throwFailedLoginException(ExceptionHandler.java:62)
    at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:369)
    at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:117)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:114)
    Truncated. see log file for complete stacktrace
>

I've checked username and password; they have been entered correctly.

EDIT: If I disable the admin port and start up the managed server with

startManagedWeblogic ms0 t3://localhost:7001 (1)

instead of

startManagedWeblogic ms0 t3s://localhost:9001 (2)

the server starts up as intended. Consecutive startups with the admin port ENABLED (2) do succeed, in spite of the persistent problems when trying to reach the admin server during startup.

EDIT 2: I've tried using NodeManager for that, thanks to the reply below. Unfortunately, I cannot access it from the admin console, due to an SSL exception:

javax.net.ssl.SSLHandshakeException

I found out that I have to configure the NodeManager to also use custom SSL settings in the nodemanager.properties file. I used the following settings:

## SSL ##
# Configure default SSL
KeyStores=CustomIdentityAndCustomTrust

# Identity keystore
CustomIdentityKeyStoreFileName=/home/iffuw/feck-credentials.jks
CustomIdentityKeyStoreType=jks
CustomIdentityKeyStorePassPhrase=whatever

# private key
CustomIdentityAlias=feck-credentials
CustomIdentityPrivateKeyPassPhrase=whatever

# Trust keystore
CustomTrustKeyStoreFileName=/home/iffuw/feck-ca.jks
CustomTrustKeyStoreType=jks
CustomTrustKeyPassPhrase=whatever
CustomTrustKeyStorePassPhrase=whatever

Please note that the passphrases are not all "whatever", but the passphrases for the two KeyStores (Id and Trust) are identical. When I start up NodeManager, the passphrases from the key and identity blocks are encrypted. The passphrase from the trust block turns out to be empty. Something might go wrong here, but I don't know what. Any ideas? The nodemanager.log says:

<Apr 6, 2020 4:30:40 PM CEST> <INFO> <Upgrade> <Removing NodeManager property: CustomTrustKeyStorePassPhrase>

Is that normal?

In the script startManagedWebLogic.sh you need to set the parameter:

-Djavax.net.ssl.trustStore=/YOUR_PATH/CustomTrust.jks 

More useful (example) SSL/JKS parameters:

-Djavax.net.debug=ssl
-Djavax.net.ssl.keyStoreType=pkcs12
-Djavax.net.ssl.keyStore=client.p12
-Djavax.net.ssl.keyStorePassword=whatever
-Djavax.net.ssl.trustStoreType=jks
-Djavax.net.ssl.trustStore=client-truststore.jks
-Djavax.net.ssl.trustStorePassword=whatever

On the other hand, this can be avoided if you start up the managed server through the admin console (actually it is Node Manager working underneath).
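An added example (not code from the original post or from Oracle) of applying the answer when starting ms0 against the admin port: a POSIX sh wrapper that checks the custom keystores from the question with keytool, then exports JAVA_OPTIONS (which startManagedWebLogic.sh picks up) carrying both the javax.net.ssl.trustStore property above and Oracle's documented weblogic.security.TrustKeyStore / CustomTrustKeyStore* boot-time trust properties. DOMAIN_HOME, the wrapper's file name and the WLS_TRUST_PASS / WLS_ID_PASS variables are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: wrapper around
# startManagedWebLogic.sh that hands the custom trust store to the JVM at boot,
# so the managed server does not fall back to DemoTrust before it has fetched
# its configuration from the AdminServer. Keystore paths and alias come from
# the question; DOMAIN_HOME, WLS_TRUST_PASS and WLS_ID_PASS are assumed names.

DOMAIN_HOME="${DOMAIN_HOME:-/home/iffuw/domains/ssl_domain}"   # assumed path
ID_KS=/home/iffuw/feck-credentials.jks
ID_ALIAS=feck-credentials
TRUST_KS=/home/iffuw/feck-ca.jks

# Build the -D options WebLogic evaluates before loading the domain config.
# The weblogic.security.*Trust* properties are Oracle's documented boot-time
# trust settings; javax.net.ssl.trustStore is the property the answer uses.
# $1 = trust keystore path, $2 = its passphrase. Output is a single line.
ssl_boot_opts() {
  printf '%s' "-Dweblogic.security.TrustKeyStore=CustomTrust \
-Dweblogic.security.CustomTrustKeyStoreFileName=$1 \
-Dweblogic.security.CustomTrustKeyStoreType=jks \
-Dweblogic.security.CustomTrustKeyStorePassPhrase=$2 \
-Djavax.net.ssl.trustStore=$1 \
-Djavax.net.ssl.trustStorePassword=$2"
}

# Pre-flight: keystore $1 opens with passphrase $2 and, if $3 is given, has that alias.
keystore_has() {
  if [ -n "${3:-}" ]; then
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
  else
    keytool -list -keystore "$1" -storepass "$2" >/dev/null 2>&1
  fi
}

main() {
  : "${WLS_TRUST_PASS:?set WLS_TRUST_PASS to the trust keystore passphrase}"
  if command -v keytool >/dev/null 2>&1; then
    keystore_has "$TRUST_KS" "$WLS_TRUST_PASS" \
      || { echo "cannot open trust store $TRUST_KS" >&2; return 1; }
    keystore_has "$ID_KS" "${WLS_ID_PASS:-$WLS_TRUST_PASS}" "$ID_ALIAS" \
      || { echo "alias $ID_ALIAS missing in $ID_KS" >&2; return 1; }
  fi
  # Passphrases passed as -D options are visible in the process list; Node
  # Manager, which encrypts them in nodemanager.properties, avoids that.
  JAVA_OPTIONS="${JAVA_OPTIONS:-} $(ssl_boot_opts "$TRUST_KS" "$WLS_TRUST_PASS")"
  export JAVA_OPTIONS
  exec "$DOMAIN_HOME/bin/startManagedWebLogic.sh" "$1" "$2"
}
# Usage: WLS_TRUST_PASS=... ./start-ms-ssl.sh ms0 t3s://localhost:9001
if [ "$#" -ge 2 ]; then main "$@"; fi
```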
