Expose T3/T3S for Managed Servers
To create a custom T3/T3S channel for all Managed Servers, with a listen port listen_port and a paired public port public_port:
- Create t3_ms_config.py with the following content:

    # Positional arguments passed on the wlst.sh command line
    admin_pod_name = sys.argv[1]
    admin_port = sys.argv[2]
    user_name = sys.argv[3]
    password = sys.argv[4]
    listen_port = sys.argv[5]
    public_port = sys.argv[6]
    public_address = sys.argv[7]
    managedNameBase = sys.argv[8]
    ms_count = sys.argv[9]
    channelType = sys.argv[10]

    print('custom host : [%s]' % admin_pod_name)
    print('custom port : [%s]' % admin_port)
    print('custom user_name : [%s]' % user_name)
    print('custom password : ********')
    print('public address : [%s]' % public_address)
    print('channel listen port : [%s]' % listen_port)
    print('channel public listen port : [%s]' % public_port)

    # Connect to the Administration Server and start an edit session
    connect(user_name, password, 't3://' + admin_pod_name + ':' + admin_port)
    edit()
    startEdit()

    # Add the channel to each Managed Server: <managedNameBase>1 .. <managedNameBase><ms_count>
    for index in range(0, int(ms_count)):
        cd('/')
        msIndex = index+1
        name = '%s%s' % (managedNameBase, msIndex)
        cd('Servers/%s/' % name)
        if channelType == 't3':
            create('T3Channel_MS','NetworkAccessPoint')
            cd('NetworkAccessPoints/T3Channel_MS')
            set('Protocol','t3')
            set('ListenPort',int(listen_port))
            set('PublicPort',int(public_port))
            set('PublicAddress', public_address)
            print('Channel T3Channel_MS added ...for ' + name)
        elif channelType == 't3s':
            create('T3SChannel_MS','NetworkAccessPoint')
            cd('NetworkAccessPoints/T3SChannel_MS')
            set('Protocol','t3s')
            set('ListenPort',int(listen_port))
            set('PublicPort',int(public_port))
            set('PublicAddress', public_address)
            set('HttpEnabledForThisProtocol', true)
            set('OutboundEnabled', false)
            set('Enabled', true)
            set('TwoWaySSLEnabled', true)
            set('ClientCertificateEnforced', false)
            print('Channel T3SChannel_MS added ...for ' + name)
        else:
            print('Protocol [%s] not supported' % channelType)

    # Activate the changes and close the session
    activate()
    disconnect()
- Copy t3_ms_config.py into the domain home (for example, /u01/oracle/user_projects/domains/soainfra) of the Administration Server pod (for example, soainfra-adminserver in the soans namespace):

    kubectl cp t3_ms_config.py soans/soainfra-adminserver:/u01/oracle/user_projects/domains/soainfra
- Run wlst.sh t3_ms_config.py inside the Administration Server pod (using kubectl exec) with the following parameters:
  - admin_pod_name: soainfra-adminserver # Administration Server pod
  - admin_port: 7001
  - user_name: weblogic
  - password: Welcome1 # weblogic password
  - listen_port: 30016 # New port for T3 Managed Servers
  - public_port: 30016 # Kubernetes NodePort which will be used to expose T3 port externally
  - public_address:
  - managedNameBase: soa_server # Give Managed Server base name. For osb_cluster this will be osb_server
  - ms_count: 5 # Number of configured Managed Servers
  - channelType: t3 # channelType is t3 or t3s

  For example:

    kubectl exec -it soainfra-adminserver -n soans -- /u01/oracle/oracle_common/common/bin/wlst.sh /u01/oracle/user_projects/domains/soainfra/t3_ms_config.py soainfra-adminserver 7001 weblogic Welcome1 30016 30016 xxx.xxx.xxx.xxx soa_server 5 t3
- Create t3_ms_svc.yaml with the following contents to expose T3 at Managed Server port 30016 for domainName, domainUID as soainfra, and clusterName as soa_cluster for the SOA cluster. Similarly, you can create the Kubernetes service with clusterName as osb_cluster for an Oracle Service Bus cluster:

  Note: For T3S, replace NodePort 30016 with the appropriate value used with public_port while creating the T3S channel using wlst.sh in the previous step.

    apiVersion: v1
    kind: Service
    metadata:
      name: soainfra-soa-cluster-t3-external
      namespace: soans
      labels:
        weblogic.clusterName: soa_cluster
        weblogic.domainName: soainfra
        weblogic.domainUID: soainfra
    spec:
      type: NodePort
      selector:
        weblogic.domainName: soainfra
        weblogic.domainUID: soainfra
        weblogic.clusterName: soa_cluster
      ports:
        - name: t3soaport
          protocol: TCP
          port: 30016
          targetPort: 30016
          nodePort: 30016
- Create the NodePort service for port 30016:

    kubectl create -f t3_ms_svc.yaml

- Verify that you can access T3 for the Managed Server with the following URL:

    t3://<master_ip>:30016
- Similarly, you can access T3S as follows:
  - First, get the certificates from the Administration Server to be used for the secured (t3s) connection from the client. You can export the certificate from the Administration Server with WLST commands. Sample commands to export the default demoidentity:

    Note: If you are using a custom SSL certificate, adjust the steps accordingly.

        kubectl exec -it soainfra-adminserver -n soans -- bash
        /u01/oracle/oracle_common/common/bin/wlst.sh
        connect('weblogic','Welcome1','t3://soainfra-adminserver:7001')
        svc = getOpssService(name='KeyStoreService')
        svc.exportKeyStoreCertificate(appStripe='system', name='demoidentity', password='DemoIdentityKeyStorePassPhrase', alias='DemoIdentity', type='Certificate', filepath='/tmp/cert.txt/')

    The above steps export the certificate to /tmp/cert.txt.
  - Use the same certificates from the client side and connect using t3s. For example:

        export JAVA_HOME=/u01/jdk
        keytool -import -v -trustcacerts -alias soadomain -file cert.txt -keystore $JAVA_HOME/lib/security/cacerts -keypass changeit -storepass changeit
        export WLST_PROPERTIES="-Dweblogic.security.SSL.ignoreHostnameVerification=true"
        cd $ORACLE_HOME/oracle_common/common/bin
        ./wlst.sh
        Initializing WebLogic Scripting Tool (WLST) ...
        Welcome to WebLogic Server Administration Scripting Shell
        Type help() for help on available commands
        wls:/offline> connect('weblogic','Welcome1','t3s://<Master IP address>:30016')
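
The ten positional arguments of the wlst.sh step and the ports in t3_ms_svc.yaml have to agree, and the parameter list above leaves public_address blank. The following Python sketch is an added example, not part of the Oracle procedure: it validates named settings, then returns the arguments in the order t3_ms_config.py reads sys.argv together with a matching Service definition (kubectl also accepts JSON manifests). The build_plan function, the SAMPLE values, the generated Service and port names, and the assumption that domainName equals domainUID are illustrative.

```python
import json

# Order in which t3_ms_config.py (from this page) reads sys.argv[1..10].
ARG_ORDER = ["admin_pod_name", "admin_port", "user_name", "password",
             "listen_port", "public_port", "public_address",
             "managedNameBase", "ms_count", "channelType"]
NODEPORT_RANGE = range(30000, 32768)  # Kubernetes default NodePort range
# Constructed sample; password and address are placeholders, not real values.
SAMPLE = {"admin_pod_name": "soainfra-adminserver", "admin_port": "7001",
          "user_name": "weblogic", "password": "<weblogic-password>",
          "listen_port": "30016", "public_port": "30016",
          "public_address": "192.0.2.10", "managedNameBase": "soa_server",
          "ms_count": "5", "channelType": "t3"}

def build_plan(cfg, domain_uid, cluster_name, namespace):
    """Return (wlst_args, service); raise ValueError listing every problem."""
    errors = ["missing or empty: " + k for k in ARG_ORDER
              if not str(cfg.get(k, "")).strip()]
    if cfg.get("channelType") not in ("t3", "t3s"):
        errors.append("channelType must be t3 or t3s")
    nums = {}
    for key in ("admin_port", "listen_port", "public_port", "ms_count"):
        try:
            nums[key] = int(cfg.get(key, ""))
        except (TypeError, ValueError):
            errors.append(key + " is not an integer")
    if nums.get("public_port", 30000) not in NODEPORT_RANGE:
        errors.append("public_port is outside the default NodePort range")
    if nums.get("ms_count", 1) < 1:
        errors.append("ms_count must be at least 1")
    if errors:
        raise ValueError("; ".join(errors))
    # Assumption: domainName equals domainUID, as in the page's example.
    labels = {"weblogic.clusterName": cluster_name,
              "weblogic.domainName": domain_uid,
              "weblogic.domainUID": domain_uid}
    port = {"name": cfg["channelType"] + "port", "protocol": "TCP",
            "port": nums["public_port"],        # Service port
            "targetPort": nums["listen_port"],  # channel ListenPort in the pod
            "nodePort": nums["public_port"]}    # channel PublicPort
    name = "-".join([domain_uid, cluster_name.replace("_", "-"), cfg["channelType"], "external"])
    service = {"apiVersion": "v1", "kind": "Service",
               "metadata": {"name": name, "namespace": namespace, "labels": labels},
               "spec": {"type": "NodePort", "selector": dict(labels), "ports": [port]}}
    return [str(cfg[k]) for k in ARG_ORDER], service

if __name__ == "__main__":
    args, svc = build_plan(SAMPLE, "soainfra", "soa_cluster", "soans")
    print(json.dumps(svc, indent=2))
```
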