Expose T3/T3S for Managed Servers

To create a custom T3/T3S channel for all Managed Servers, with a listen port listen_port and a paired public port public_port:

  1. Create t3_ms_config.py with the following content:
    admin_pod_name = sys.argv[1]
    admin_port = sys.argv[2]
    user_name = sys.argv[3]
    password = sys.argv[4]
    listen_port = sys.argv[5]
    public_port = sys.argv[6]
    public_address = sys.argv[7]
    managedNameBase = sys.argv[8]
    ms_count = sys.argv[9]
    channelType = sys.argv[10]
    print('custom host : [%s]' % admin_pod_name);
    print('custom port : [%s]' % admin_port);
    print('custom user_name : [%s]' % user_name);
    print('custom password : ********');
    print('public address : [%s]' % public_address);
    print('channel listen port : [%s]' % listen_port);
    print('channel public listen port : [%s]' % public_port);
    
    connect(user_name, password, 't3://' + admin_pod_name + ':' + admin_port)
    
    edit()
    startEdit()
    for index in range(0, int(ms_count)):
      cd('/')
      msIndex = index+1
      cd('/')
      name = '%s%s' % (managedNameBase, msIndex)
      cd('Servers/%s/' % name )
      if channelType == 't3':
        create('T3Channel_MS','NetworkAccessPoint')
        cd('NetworkAccessPoints/T3Channel_MS')
        set('Protocol','t3')
        set('ListenPort',int(listen_port))
        set('PublicPort',int(public_port))
        set('PublicAddress', public_address)
        print('Channel T3Channel_MS added ...for ' + name)
      elif channelType == 't3s':	  
        create('T3SChannel_MS','NetworkAccessPoint')
        cd('NetworkAccessPoints/T3SChannel_MS')
        set('Protocol','t3s')
        set('ListenPort',int(listen_port))
        set('PublicPort',int(public_port))
        set('PublicAddress', public_address)
        set('HttpEnabledForThisProtocol', true)
        set('OutboundEnabled', false)
        set('Enabled', true)
        set('TwoWaySSLEnabled', true)
        set('ClientCertificateEnforced', false)
        print('Channel T3SChannel_MS added ...for ' + name)
      else:
        print('Protocol [%s] not supported' % channelType)  	
    activate()
    disconnect()
    
  2. Copy t3_ms_config.py into the domain home (for example, /u01/oracle/user_projects/domains/soainfra) of the Administration Server pod (for example, soainfra-adminserver in soans namespace).
    kubectl cp t3_ms_config.py soans/soainfra-adminserver:/u01/oracle/user_projects/domains/soainfra
    
  3. Run wlst.sh t3_ms_config.py by exec into the Administration Server pod with the following parameters:
    • admin_pod_name: soainfra-adminserver # Administration Server pod
    • admin_port: 7001
    • user_name: weblogic
    • password: Welcome1 # weblogic password
    • listen_port: 30016 # New port for T3 Managed Servers
    • public_port: 30016 # Kubernetes NodePort which will be used to expose T3 port externally
    • public_address:
    • managedNameBase: soa_server # Give Managed Server base name. For osb_cluster this will be osb_server
    • ms_count: 5 # Number of configured Managed Servers
    • channelType: t3 # channelType is t3 or t3s
    admin_pod_name: soainfra-adminserver # Administration Server pod admin_port:  7001 user_name: weblogic password: Welcome1 # weblogic password listen_port: 30016 # New port for T3 Managed Serverspublic_port: 30016 # Kubernetes NodePort which will be used to expose T3 port
              externallypublic_address: managedNameBase: soa_server # Give Managed Server base name. For osb_cluster this will
              be osb_serverms_count: 5 # Number of configured Managed ServerschannelType: t3 # channelType is t3 or t3s

    For example:

    kubectl exec -it soainfra-adminserver -n soans -- /u01/oracle/oracle_common/common/bin/wlst.sh /u01/oracle/user_projects/domains/soainfra/t3_ms_config.py soainfra-adminserver  7001 weblogic Welcome1 30016 30016 xxx.xxx.xxx.xxx soa_server 5 t3
    
  4. Create t3_ms_svc.yaml with the following contents to expose T3 at Managed Server port 30016 for domainName, domainUID as soainfra, and clusterName as soa_cluster for the SOA cluster. Similarly, you can create the Kubernetes service with clusterName as osb_cluster for an Oracle Service Bus cluster:

    Note:

    For T3S, replace NodePort 30016 with the appropriate value used with public_port while creating the T3S channel using wlst.sh in the previous step.
    apiVersion: v1
    kind: Service
    metadata:
       name: soainfra-soa-cluster-t3-external
       namespace: soans
       labels:
         weblogic.clusterName: soa_cluster
         weblogic.domainName: soainfra
         weblogic.domainUID: soainfra
    spec:
      type: NodePort
      selector:
        weblogic.domainName: soainfra
        weblogic.domainUID: soainfra
        weblogic.clusterName: soa_cluster
      ports:
      - name: t3soaport
        protocol: TCP
        port: 30016
        targetPort: 30016
        nodePort: 30016
    
  5. Create the NodePort service for port 30016:
    kubectl create -f t3_ms_svc.yaml
    
  6. Verify that you can access T3 for the Managed Server with the following URL:
    t3://<master_ip>:30016
    
  7. Similarly, you can access T3S as follows:
    1. First get the certificates from the Administration Server to be used for secured (t3s) connection from client. You can export the certificate from the Administration Server with wlst commands. Sample commands to export the default demoidentity:

      Note:

      In case you are using the custom SSL certificate, replaces the steps accordingly
      kubectl exec -it soainfra-adminserver -n soans -- bash
      /u01/oracle/oracle_common/common/bin/wlst.sh
      connect('weblogic','Welcome1','t3://soainfra-adminserver:7001')
      svc = getOpssService(name='KeyStoreService')
      svc.exportKeyStoreCertificate(appStripe='system', name='demoidentity', password='DemoIdentityKeyStorePassPhrase', alias='DemoIdentity', type='Certificate', filepath='/tmp/cert.txt/')
      

      The above steps download the certificate at /tmp/cert.txt.

    2. Use the same certificates from the client side and connect using t3s. For example:
      export JAVA_HOME=/u01/jdk
      keytool -import -v -trustcacerts -alias soadomain -file cert.txt -keystore $JAVA_HOME/lib/security/cacerts -keypass changeit -storepass changeit
      export WLST_PROPERTIES="-Dweblogic.security.SSL.ignoreHostnameVerification=true"
      cd $ORACLE_HOME/oracle_common/common/bin
      ./wlst.sh
        Initializing WebLogic Scripting Tool (WLST) ...
        Welcome to WebLogic Server Administration Scripting Shell
        Type help() for help on available commands
      wls:/offline> connect('weblogic','Welcome1','t3s://<Master IP address>:30016')