Performing WLST Administration via SSL

12.3 Performing WLST Administration via SSL

The following steps show how to perform WLST administration via SSL:

By default the SSL port is not enabled for the Administration Server or Oracle Identity Governance (OIG) managed servers. To configure the SSL port for the Administration Server and Managed Servers:
1. Login to WebLogic Remote Console.
2. Click Edit Tree and in the left-hand navigation menu, navigate to Environment > Servers > <server_name> and click on the General tab.
3. Check the SSL Listen Port Enabled button and provide the SSL Port ( For AdminServer: 7002 and for oim_server1): 14101
4. Click Save.
5. Click the Shopping Cart and select Commit Changes.
Note:
If configuring the OIG managed servers for SSL you must enable SSL on the same port for all servers (oim_server1 through oim_server5).

Create a myscripts directory as follows:

cd $WORKDIR/kubernetes

mkdir myscripts

cd myscripts

Create a sample yaml template file in the myscripts directory called <domain_uid>-adminserver-ssl.yaml to create a Kubernetes service for the Administration Server:

Note:

Update the domainName, domainUID and namespace based on your environment. For example:

apiVersion: v1
kind: Service
metadata:
  labels:
    serviceType: SERVER
    weblogic.domainName: governancedomain
    weblogic.domainUID: governancedomain
    weblogic.resourceVersion: domain-v2
    weblogic.serverName: AdminServer
  name: governancedomain-adminserver-ssl
  namespace: oigns
spec:
  clusterIP: None
  ports:
  - name: default
    port: 7002
    protocol: TCP
    targetPort: 7002
  selector:
    weblogic.createdByOperator: "true"
    weblogic.domainUID: governancedomain
    weblogic.serverName: AdminServer
  type: ClusterIP

Create a <domain_uid>-oimcluster-ssl.yaml for the OIG managed server:

apiVersion: v1
kind: Service
metadata:
  labels:
    serviceType: SERVER
    weblogic.domainName: governancedomain
    weblogic.domainUID: governancedomain
    weblogic.resourceVersion: domain-v2
  name: governancedomain-cluster-oim-cluster-ssl
  namespace: oigns
spec:
  clusterIP: None
  ports:
  - name: default
    port: 14101
    protocol: TCP
    targetPort: 14101
  selector:
    weblogic.clusterName: oim_cluster
    weblogic.createdByOperator: "true"
    weblogic.domainUID: governancedomain
  type: ClusterIP

Apply the template using the following command for the AdminServer:
```
kubectl apply -f <domain_uid>-adminserver-ssl.yaml
```
For example:
```
kubectl apply -f governancedomain-adminserver-ssl.yaml
```
The output will look similar to the following:
```
service/governancedomain-adminserverssl created
```
Apply the template using the following command for the OIG managed server:
```
kubectl apply -f governancedomain-oim-cluster-ssl.yaml
```
For example:
```
kubectl apply -f governancedomain-oimcluster-ssl.yaml
```
The output will look similar to the following:
```
service/governancedomain-oimcluster-ssl created
```

Validate that the Kubernetes services to access SSL ports are created successfully:

kubectl get svc -n <domain_namespace> |grep ssl

For example:

kubectl get svc -n oigns |grep ssl

The output will look similar to the following:

governancedomain-adminserver-ssl           ClusterIP   None             <none>        7002/TCP                     74s
governancedomain-cluster-oim-cluster-ssl   ClusterIP   None             <none>        14101/TCP                    21s

Inside the bash shell of the running helper pod, run the following:

export WLST_PROPERTIES="-Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.TrustKeyStore=DemoTrust"

cd /u01/oracle/oracle_common/common/bin

./wlst.sh

The output will look similar to the following:

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell
   
Type help() for help on available commands
wls:/offline>

To connect to the Administration Server t3s service:

connect('weblogic','<password>','t3s://governancedomain-adminserver-ssl:7002')

The output will look similar to the following:

Connecting to t3s://governancedomain-adminserver-ssl:7002 with userid weblogic ...
<DATE> <Info> <Security> <BEA-090905> <Disabling the CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true.>
<DATE> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG128 to HMACDRBG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true.>
<DATE> <Info> <Security> <BEA-090909> <Using the configured custom SSL Hostname Verifier implementation: weblogic.security.utils.SSLWLSHostnameVerifier$NullHostnameVerifier.>
Successfully connected to Admin Server "AdminServer" that belongs to domain "governancedomain".

wls:/governancedomain/serverConfig/>

To connect to the OIG Managed Server t3s service:

connect('weblogic','<password>','t3s://governancedomain-cluster-oim-cluster-ssl:14101')

The output will look similar to the following:

Connecting to t3s://governancedomain-cluster-oim-cluster-ssl:14101 with userid weblogic ...
<DATE> <Info> <Security> <BEA-090905> <Disabling the CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true.>
<DATE> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG128 to HMACDRBG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true.>
<DATE> <Info> <Security> <BEA-090909> <Using the configured custom SSL Hostname Verifier implementation: weblogic.security.utils.SSLWLSHostnameVerifier$NullHostnameVerifier.>
Successfully connected to managed Server "oim_server1" that belongs to domain "governancedomain".

wls:/governancedomain/serverConfig/>