Open bradmcnaughton opened 9 years ago
Hi Brad,
Did you also set the keystores on every managed server (wls_server) like this https://github.com/biemond/biemond-orawls-vagrant/blob/master/puppet/hieradata/admin.example.com.yaml
and I think the parameters you set on the server arguments and started by the nodemanager should override this.
But I remember someone else also had this problem:
error while getting asynchronous call back
He said remove the DemoTrust.jks and add the -Djavax.net.ssl.trustStore=/usr/java/latest/jre/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=changeit into the setDomainEnv.sh file.
But maybe you can try to set the server arguments, or to do this you need to copy cacerts, rename it, add your own certs to it and use this as a trust keystore, and change the password of your cacerts truststore http://stackoverflow.com/questions/2889238/keystore-change-passwords
Hope this helps, else we need to use sed on domain.pp (can be tricky when you get a new patch).
Hi Edwin, Yep - the managed servers have their custom trust set correctly.
SOA product uses the javax.net.ssl args for security instead of Weblogic - it's a known "feature" - https://docs.oracle.com/cd/E16764_01/doc.1111/e13925/troubleshooting.htm#BABJGJBD
I hadn't thought of setting this value in the server args, good thinking! I'll try that and see if it overrides the value from the setDomainEnv script. Cheers, Brad
I had a chance to test setting javax.net.ssl.trustStore via the Console's args but no luck, the value in setDomainEnv script does not get overridden by the console value.
Sometime I'll modify domain.pp with an optional param to override this with the keystore specified by wls_trust_keystore_file. Can use this issue to track the enhancement if you like.
Cheers, Brad
@bradmcnaughton Hi! Did you ever come up with a patch to domain.pp? I've just hit this issue too.
Thanks
Hi @alexjfisher
It's been a while since I faced this one. I checked my profile and it looks like I just hacked in an exec statement to fix the problem after the install. I think it was enough to solve it:
# Replace Demo Trust reference and add Trust Password.
# $trust, $trust_pass and $domain_dir are set earlier in the profile;
# "unless" keeps the exec idempotent once trustStorePassword is present.
exec { "overrideDemoTrust":
  command => "/bin/sed -i -- 's@-Djavax.net.ssl.trustStore=\${WL_HOME}/server/lib/DemoTrust.jks@-Djavax.net.ssl.trustStore=${trust} -Djavax.net.ssl.trustStorePassword=${trust_pass}@g' ${domain_dir}/bin/setDomainEnv.sh",
  unless  => "/bin/grep trustStorePassword ${domain_dir}/bin/setDomainEnv.sh",
  user    => hiera('wls_os_user'),
  group   => hiera('wls_os_group'),
}
Maybe it can work for you too.
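The same setDomainEnv.sh substitution as a stand-alone shell function, added here as an example (not code from the biemond-orawls module or from Brad's profile). It assumes a POSIX sed; the sample file contents and the keystore path /opt/wls/keystores/trust.jks are constructed values.

```shell
#!/bin/sh
# Write a constructed one-line stand-in for a domain's setDomainEnv.sh,
# carrying the DemoTrust.jks reference exactly as the real script does.
sample_domain_env() {
  printf '%s\n' 'JAVA_PROPERTIES="${JAVA_PROPERTIES} -Djavax.net.ssl.trustStore=${WL_HOME}/server/lib/DemoTrust.jks"' > "$1"
}

# override_demo_trust <setDomainEnv.sh> <trust keystore path> <trust keystore password>
# Replaces the DemoTrust.jks argument with the custom trust keystore and adds
# the trustStorePassword argument, mirroring the Puppet exec above.
override_demo_trust() {
  env_file="$1"; trust="$2"; trust_pass="$3"
  # Idempotency guard, equivalent to the exec's "unless": nothing to do if the
  # password argument is already present.
  if grep -q 'javax.net.ssl.trustStorePassword' "$env_file"; then
    return 0
  fi
  # '@' is the sed delimiter, so neither value may contain it.
  case "$trust$trust_pass" in
    *@*) echo "keystore path or password contains '@'" >&2; return 2 ;;
  esac
  # ${WL_HOME} is literal text inside setDomainEnv.sh and is matched as such.
  tmp="${env_file}.tmp.$$"
  sed "s@-Djavax.net.ssl.trustStore=\${WL_HOME}/server/lib/DemoTrust.jks@-Djavax.net.ssl.trustStore=${trust} -Djavax.net.ssl.trustStorePassword=${trust_pass}@g" "$env_file" > "$tmp" \
    && mv "$tmp" "$env_file"
  # The script now holds the trust keystore password in clear text, so keep it
  # from users outside the WebLogic owner and group.
  chmod o-rwx "$env_file"
  # Verify: the demo store is gone and the custom store is referenced.
  ! grep -q 'DemoTrust.jks' "$env_file" && grep -q "trustStore=${trust}" "$env_file"
}
```

Running it a second time is a no-op, so a later patch that leaves the password argument in place will not be rewritten twice.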
Hi Edwin,
I've reviewed and followed the Identity and Trust settings (https://github.com/biemond/biemond-orawls#identity) and they work fine for admin server, nodemanager etc.
The only problem I see is that the setDomainEnv.sh script in the domain does not get updated to reflect the custom trust. It stays as -Djavax.net.ssl.trustStore=${WL_HOME}/server/lib/DemoTrust.jks
Of course, SOA/BPM Product uses the java args from the command line for its SSL settings, not the weblogic defined config! (At least for 11.1.1.6, not sure about later versions).
Do you expect the setDomainEnv.sh script to get updated as part of puppet's work configuring the domain identity, and I'm doing something wrong? Or does this need to be a manual step?
If it's still manual, let me know, I'll try updating the domain.pp manifest to do this.
Cheers, Brad