1. Deploying and Managing Oracle Access Management on Kubernetes
  2. Administering Oracle Access Management on Kubernetes
  3. WLST Administration Operations
  4. Performing WLST Administration via SSL

13.3 Performing WLST Administration via SSL

The following steps show how to perform WLST administration via SSL:

  1. By default the SSL port is not enabled for the Administration Server or Oracle Access Management (OAM) managed servers. To configure the SSL port for the Administration Server and managed servers:
    1. Login to WebLogic Remote Console.
    2. Click Edit Tree and in the left-hand navigation menu navigate to Environment > Servers > <server_name> and click on the General tab.
    3. Check the SSL Listen Port Enabled button and provide the SSL Port ( For AdminServer: 7002 and for oam_server1): 14101
    4. Click Save.
    5. Click the Shopping Cart and select Commit Changes.

    Note:

    If configuring the OAM managed servers for SSL you must enable SSL on the same port for all servers (oam_server1 through oam_server5).
  2. Create a myscripts directory as follows:
    cd $WORKDIR/kubernetes
    mkdir myscripts
    cd myscripts
  3. Create a <domain_uid>-adminserver-ssl.yaml file in the myscripts directory for the OAM administration server:

    Note:

    Update the domainName, domainUID and namespace based on your environment. For example: 
    apiVersion: v1
kind: Service
metadata:
  labels:
    serviceType: SERVER
    weblogic.domainName: accessdomain
    weblogic.domainUID: accessdomain
    weblogic.resourceVersion: domain-v2
    weblogic.serverName: AdminServer
  name: accessdomain-adminserverssl
  namespace: oamns
spec:
  clusterIP: None
  ports:
  - name: default
    port: 7002
    protocol: TCP
    targetPort: 7002
  selector:
    weblogic.createdByOperator: "true"
    weblogic.domainUID: accessdomain
    weblogic.serverName: AdminServer
  type: ClusterIP
  4. Create a <domain_uid>-oamcluster-ssl.yaml for the OAM managed server:
    apiVersion: v1
kind: Service
metadata:
  labels:
    serviceType: SERVER
    weblogic.domainName: accessdomain
    weblogic.domainUID: accessdomain
    weblogic.resourceVersion: domain-v2
  name: accessdomain-oamcluster-ssl
  namespace: oamns
spec:
  clusterIP: None
  ports:
  - name: default
    port: 14101
    protocol: TCP
    targetPort: 14101
  selector:
    weblogic.clusterName: oam_cluster
    weblogic.createdByOperator: "true"
    weblogic.domainUID: accessdomain
  type: ClusterIP
  5. Apply the template using the following command for the administration server:
    kubectl apply -f <domain_uid>-adminserver-ssl.yaml
    For example:
    kubectl apply -f accessdomain-adminserver-ssl.yaml
    The output will look similar to the following:
    service/accessdomain-adminserverssl created
  6. Apply the template using the following command for the OAM managed server:
    kubectl apply -f <domain_uid>-oamcluster-ssl.yaml
    For example:
    kubectl apply -f accessdomain-oamcluster-ssl.yaml
    The output will look similar to the following:
    service/accessdomain-oamcluster-ssl created
  7. Validate that the Kubernetes services to access SSL ports are created successfully:
    kubectl get svc -n <domain_namespace> |grep ssl
    For example:
    kubectl get svc -n oamns |grep ssl
    The output will look similar to the following:
    accessdomain-adminserverssl           ClusterIP   None             <none>        7002/TCP                     102s
accessdomain-oamcluster-ssl           ClusterIP   None             <none>        14101/TCP                    35s
  8. Inside the bash shell of the running helper pod, run the following:
    export WLST_PROPERTIES="-Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.TrustKeyStore=DemoTrust"

    cd /u01/oracle/oracle_common/common/bin

    ./wlst.sh
    The output will look similar to the following:
    Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell
   
Type help() for help on available commands
wls:/offline>
    To connect to the Administration Server t3s service:
    connect('weblogic','<password>','t3s://accessdomain-adminserverssl:7002')
    The output will look similar to the following:
    Connecting to t3s://accessdomain-adminserverssl:7002 with userid weblogic ...
<<DATE>> <Info> <Security> <BEA-090905> <Disabling the CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true.>
<<DATE>> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG128 to HMACDRBG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true.>
<<DATE>> <Info> <Security> <BEA-090909> <Using the configured custom SSL Hostname Verifier implementation: weblogic.security.utils.SSLWLSHostnameVerifier$NullHostnameVerifier.>
Successfully connected to Admin Server "AdminServer" that belongs to domain "accessdomain".

wls:/accessdomain/serverConfig/>
    To connect to the OAM Managed Server t3s service:
    connect('weblogic','<password>','t3s://accessdomain-oamcluster-ssl:14101')
    The output will look similar to the following:
    Connecting to t3s://accessdomain-oamcluster-ssl:14101 with userid weblogic ...
<<DATE>> <Info> <Security> <BEA-090905> <Disabling the CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true.>
<<DATE>> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG128 to HMACDRBG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true.>
<<DATE>> <Info> <Security> <BEA-090909> <Using the configured custom SSL Hostname Verifier implementation: weblogic.security.utils.SSLWLSHostnameVerifier$NullHostnameVerifier.>
Successfully connected to managed Server "oam_server1" that belongs to domain "accessdomain".