biemond / biemond-orawls

Puppet 3/4 module for WebLogic provisioning module (Linux & Solaris)
Apache License 2.0
63 stars 104 forks

feature request: add extra trust parameter to WlsDaemon #351

Closed ltutar closed 8 years ago

ltutar commented 8 years ago

Hi, I need to add the -Dweblogic.security.SSL.protocolVersion=TLS1 parameter to AdminServer and the Managed servers. I can do this by using the arguments in server_instances.

server_instances:
  'AdminServer':
    ensure:                                'present'
    arguments:
      - '-Xms752m'
      - '-Xmx1024m'
      - '-Dweblogic.security.SSL.protocolVersion=TLS1'

This is because I want to use t3s. My question is: how can I add this parameter as a trust parameter in wlsdaemon.py? See https://github.com/biemond/biemond-orawls/blob/master/lib/utils/wls_daemon.rb#L51 There is a post classpath parameter but not one for trust_parameters.

ltutar commented 8 years ago

BTW, I see that AdminServer is ignoring the arguments: Xms is 1024 instead of 752m.

[root@wlsagent ~]# ps -ef | grep -i java
oracle    9618  9581  0 07:31 ?        00:00:06 /usr/java/latest/bin/java -client -Xms32m -Xmx200m -XX:MaxPermSize=128m -Dcoherence.home=/opt/wls/middleware11g/coherence_3.7 -Dbea.home=/opt/wls/middleware11g -Dweblogic.ssl.JSSEEnabled=true -Dweblogic.security.SSL.enableJSSE=true -Dweblogic.security.TrustKeyStore=CustomTrust -Dweblogic.security.CustomTrustKeyStoreFileName=/vagrant/salt/states/puppetmaster/files/base/jks/truststore.jks -Dweblogic.security.CustomTrustKeystorePassPhrase=welcome -Xverify:none -Djava.security.policy=/opt/wls/middleware11g/wlserver_10.3/server/lib/weblogic.policy -Dweblogic.nodemanager.javaHome=/usr/java/latest weblogic.NodeManager -v
oracle   10505 10459  0 07:32 ?        00:00:21 /usr/java/latest/bin/java -server -Xms256m -Xmx512m -XX:MaxPermSize=256m -Dweblogic.Name=AdminServer -Djava.security.policy=/opt/wls/middleware11g/wlserver_10.3/server/lib/weblogic.policy -Dweblogic.ProductionModeEnabled=true -Dweblogic.system.BootIdentityFile=/opt/wls/wlsdomains/domains/wls_domain/servers/AdminServer/security/boot.properties -Dweblogic.nodemanager.ServiceEnabled=true -XX:PermSize=256m -XX:MaxPermSize=512m -Xms1024m -Xmx1024m -Dweblogic.Stdout=/var/log/weblogic/AdminServer.out -Dweblogic.Stderr=/var/log/weblogic/AdminServer_err.out -da -Dplatform.home=/opt/wls/middleware11g/wlserver_10.3 -Dwls.home=/opt/wls/middleware11g/wlserver_10.3/server -Dweblogic.home=/opt/wls/middleware11g/wlserver_10.3/server -Dweblogic.management.discover=true -Dwlw.iterativeDev=false -Dwlw.testConsole=false -Dwlw.logErrorsToConsole=false -Dweblogic.ext.dirs=/opt/wls/middleware11g/patch_wls1036/profiles/default/sysext_manifest_classpath:/opt/wls/middleware11g/patch_ocp371/profiles/default/sysext_manifest_classpath weblogic.Server
root     11736  8188  0 08:25 pts/0    00:00:00 grep -i java
[root@wlsagent ~]# 
biemond commented 8 years ago

We can add a new one to wls_setting and pick it up in wls_daemon.

Did you do a subscribe restart of the adminserver? Otherwise, in the case of the adminserver, it will pick up the parameters from startup.properties in servers/adminserver/node something.

That is why I set it for the adminserver in domain.pp:

java_arguments              => { "ADM" => "..."},
ltutar commented 8 years ago

I'll have a look at it on Monday. Have a nice weekend.

ltutar commented 8 years ago

Hi Edwin, following your tip helped me:

# create a standard domain
domain_instances:
  "%{hiera('wls_domain_name')}":
    domain_template:                       "%{hiera('domain_template')}"
    development_mode:                      false
    adminserver_listen_on_all_interfaces:  true
    java_arguments:
      ADM:  "-XX:PermSize=256m -XX:MaxPermSize=512m -Xms1024m -Xmx1024m -Dweblogic.security.SSL.protocolVersion=TLS1"

I get:

oracle   10795 10749 40 19:22 ?        00:00:13 /usr/java/latest/bin/java -server -Xms256m -Xmx512m -XX:MaxPermSize=256m -Dweblogic.Name=AdminServer -Djava.security.policy=/opt/wls/middleware11g/wlserver_10.3/server/lib/weblogic.policy -Dweblogic.ProductionModeEnabled=true -Dweblogic.system.BootIdentityFile=/opt/wls/wlsdomains/domains/wls_domain/servers/AdminServer/security/boot.properties -Dweblogic.nodemanager.ServiceEnabled=true -XX:PermSize=256m -XX:MaxPermSize=512m -Xms1024m -Xmx1024m -Dweblogic.security.SSL.protocolVersion=TLS1 -da -Dplatform.home=/opt/wls/middleware11g/wlserver_10.3 -Dwls.home=/opt/wls/middleware11g/wlserver_10.3/server -Dweblogic.home=/opt/wls/middleware11g/wlserver_10.3/server -Dweblogic.management.discover=true -Dwlw.iterativeDev=false -Dwlw.testConsole=false -Dwlw.logErrorsToConsole=false -Dweblogic.ext.dirs=/opt/wls/middleware11g/patch_wls1036/profiles/default/sysext_manifest_classpath:/opt/wls/middleware11g/patch_ocp371/profiles/default/sysext_manifest_classpath weblogic.Server

1) As you can see above, I see Xms, Xmx and MaxPermSize two times in the java output. Something is going wrong.
2) If I have domain_template: "standard", what do I need to use instead of ADM for the managed servers? I can not see the template for it.

Thank you in advance

ltutar commented 8 years ago

Also, for the managed server I get Xms and Xmx twice.

oracle    6774  6728 24 20:21 ?        00:00:11 /usr/java/jdk1.7.0_80/bin/java -client -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=256m -Dweblogic.Name=wlsServer1 -Djava.security.policy=/opt/wls/middleware11g/wlserver_10.3/server/lib/weblogic.policy -Dweblogic.system.BootIdentityFile=/opt/wls/wlsdomains/domains/wls_domain/servers/wlsServer1/data/nodemanager/boot.properties -Dweblogic.nodemanager.ServiceEnabled=true -Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.ReverseDNSAllowed=false -Dweblogic.Stdout=/var/log/weblogic/wlsServer1.out -Dweblogic.Stderr=/var/log/weblogic/wlsServer1_err.out -Dweblogic.security.SSL.protocolVersion=TLS1 -Xms712m -Xmx1024m -Xverify:none -da -Dplatform.home=/opt/wls/middleware11g/wlserver_10.3 -Dwls.home=/opt/wls/middleware11g/wlserver_10.3/server -Dweblogic.home=/opt/wls/middleware11g/wlserver_10.3/server -Dweblogic.management.discover=false -Dweblogic.management.server=http://192.168.234.95:7001 -Dwlw.iterativeDev= -Dwlw.testConsole= -Dwlw.logErrorsToConsole= -Dweblogic.ext.dirs=/opt/wls/middleware11g/patch_wls1036/profiles/default/sysext_manifest_classpath:/opt/wls/middleware11g/patch_ocp371/profiles/default/sysext_manifest_classpath weblogic.Server

The yaml is:

server_instances:

...
  "%{hiera('wls_name_on_node1')}":
    ensure:                                'present'
    arguments:
      - "-Dweblogic.Stdout=/var/log/weblogic/%{hiera('wls_name_on_node1')}.out"
      - "-Dweblogic.Stderr=/var/log/weblogic/%{hiera('wls_name_on_node1')}_err.out"
      - '-Dweblogic.security.SSL.protocolVersion=TLS1'
      - '-Xms712m'
      - '-Xmx1024m'
biemond commented 8 years ago

No worries, the last one counts and those should be the correct ones. The first ones are from the setDomainEnv script because of StartScriptEnabled in nodemanager.properties.
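The "last one counts" rule is easy to check mechanically. The script below is an added example, not code from biemond-orawls: it takes a java command line such as the ps output quoted above, resolves the effective value of every repeated -Xms/-Xmx/-XX:/-D option under the HotSpot last-occurrence-wins rule (an assumption stated in the code), lists the duplicates so you can see which copy came from setDomainEnv and which from the arguments you configured, and flags -D options whose value is a credential, since anything on the command line is readable by every local user through ps. The two sample command lines are constructed from the AdminServer and NodeManager lines in this thread, cut down to the relevant options.

```python
"""Resolve the effective JVM options from a WebLogic process command line.

Added example, not code from biemond-orawls. It assumes the HotSpot rule that
for a repeated -Xms/-Xmx/-XX:/-D option the last occurrence wins, which is the
behaviour described in the thread ("the last one counts"). The sample command
lines are constructed from the ps output quoted in the thread.
"""
import re
import shlex
from collections import OrderedDict

# Constructed sample 1: the AdminServer command line from the thread, cut
# down to the options that matter for the duplicate-argument question.
ADMINSERVER_CMDLINE = (
    "/usr/java/latest/bin/java -server -Xms256m -Xmx512m -XX:MaxPermSize=256m "
    "-Dweblogic.Name=AdminServer -Dweblogic.ProductionModeEnabled=true "
    "-XX:PermSize=256m -XX:MaxPermSize=512m -Xms1024m -Xmx1024m "
    "-Dweblogic.security.SSL.protocolVersion=TLS1 -da weblogic.Server"
)

# Constructed sample 2: the NodeManager command line from the thread, cut
# down to its trust-store options.
NODEMANAGER_CMDLINE = (
    "/usr/java/latest/bin/java -client -Xms32m -Xmx200m "
    "-Dweblogic.security.TrustKeyStore=CustomTrust "
    "-Dweblogic.security.CustomTrustKeyStoreFileName="
    "/vagrant/salt/states/puppetmaster/files/base/jks/truststore.jks "
    "-Dweblogic.security.CustomTrustKeystorePassPhrase=welcome "
    "weblogic.NodeManager -v"
)

# One regex for the three option families we care about.
_OPTION_RE = re.compile(
    r"^-(?:"
    r"(?P<heap>Xms|Xmx|Xss)(?P<heapval>\S+)"                 # -Xms1024m
    r"|XX:(?P<xxkey>[+-]?[A-Za-z0-9_]+)(?:=(?P<xxval>.*))?"   # -XX:MaxPermSize=512m, -XX:+UseG1GC
    r"|D(?P<dkey>[^=]+)(?:=(?P<dval>.*))?"                    # -Dweblogic.Name=AdminServer
    r")$"
)


def parse_jvm_options(cmdline):
    """Return (effective, duplicates) for one java command line.

    effective:  OrderedDict option-name -> value of the LAST occurrence
    duplicates: dict option-name -> every value seen, only for names that
                occur more than once (these are the ones worth explaining)
    """
    seen = OrderedDict()
    for tok in shlex.split(cmdline):
        m = _OPTION_RE.match(tok)
        if not m:
            continue                      # -server, -da, main class, ...
        if m.group("heap"):
            key, val = m.group("heap"), m.group("heapval")
        elif m.group("xxkey"):
            key, val = "XX:" + m.group("xxkey"), m.group("xxval")
        else:
            key, val = m.group("dkey"), m.group("dval")
        seen.setdefault(key, []).append(val)
    effective = OrderedDict((k, v[-1]) for k, v in seen.items())
    duplicates = {k: v for k, v in seen.items() if len(v) > 1}
    return effective, duplicates


def secrets_on_command_line(effective):
    """Names of -D options whose name suggests a credential.

    Anything on the java command line is readable by every local user via
    ps, so a pass phrase passed this way is exposed to the whole host.
    """
    return [k for k in effective if re.search(r"pass", k, re.IGNORECASE)]


if __name__ == "__main__":
    for label, line in (("AdminServer", ADMINSERVER_CMDLINE),
                        ("NodeManager", NODEMANAGER_CMDLINE)):
        eff, dup = parse_jvm_options(line)
        print(label)
        for k, vals in dup.items():
            print("  %-20s repeated %s -> effective %s" % (k, vals, eff[k]))
        for k in secrets_on_command_line(eff):
            print("  credential visible in ps: -D%s" % k)
```

Run it against the real `ps -ef` line of a server to confirm that the value you configured is the one that survives; for the AdminServer sample it reports Xms, Xmx and XX:MaxPermSize as repeated with the later (configured) values winning, and for the NodeManager sample it reports the trust-store pass phrase as visible in the process list.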

ltutar commented 8 years ago

I can supply the TLS1 parameter to Admin Server and the Managed Servers. Only the nodemanager is left. Any idea when you have time to add this parameter to wls_setting as you described above?

The java processes on the wlsagent machine (Admin Server):

[root@wlsagent ~]# ps -ef | grep -i java
oracle    9749  9712  0 06:30 ?        00:00:12 /usr/java/latest/bin/java -client -Xms32m -Xmx200m -XX:MaxPermSize=128m -Dcoherence.home=/opt/wls/middleware11g/coherence_3.7 -Dbea.home=/opt/wls/middleware11g -Dweblogic.ssl.JSSEEnabled=true -Dweblogic.security.SSL.enableJSSE=true -Dweblogic.security.TrustKeyStore=CustomTrust -Dweblogic.security.CustomTrustKeyStoreFileName=/vagrant/salt/states/puppetmaster/files/base/jks/truststore.jks -Dweblogic.security.CustomTrustKeystorePassPhrase=welcome -Xverify:none -Djava.security.policy=/opt/wls/middleware11g/wlserver_10.3/server/lib/weblogic.policy -Dweblogic.nodemanager.javaHome=/usr/java/latest weblogic.NodeManager -v
oracle   10674 10628  0 06:31 ?        00:00:41 /usr/java/latest/bin/java -server -Xms256m -Xmx512m -XX:MaxPermSize=256m -Dweblogic.Name=AdminServer -Djava.security.policy=/opt/wls/middleware11g/wlserver_10.3/server/lib/weblogic.policy -Dweblogic.ProductionModeEnabled=true -Dweblogic.system.BootIdentityFile=/opt/wls/wlsdomains/domains/wls_domain/servers/AdminServer/security/boot.properties -Dweblogic.nodemanager.ServiceEnabled=true -XX:MaxPermSize=512m -Xms1024m -Xmx1024m -Dweblogic.security.SSL.protocolVersion=TLS1 -da -Dplatform.home=/opt/wls/middleware11g/wlserver_10.3 -Dwls.home=/opt/wls/middleware11g/wlserver_10.3/server -Dweblogic.home=/opt/wls/middleware11g/wlserver_10.3/server -Dweblogic.management.discover=true -Dwlw.iterativeDev=false -Dwlw.testConsole=false -Dwlw.logErrorsToConsole=false -Dweblogic.ext.dirs=/opt/wls/middleware11g/patch_wls1036/profiles/default/sysext_manifest_classpath:/opt/wls/middleware11g/patch_ocp371/profiles/default/sysext_manifest_classpath weblogic.Server
root     13151  8341  0 08:57 pts/0    00:00:00 grep -i java

The java processes on the wlsmachine1 machine (managed server 1):

[root@wlsagent1 ~]# ps -ef | grep -i java
oracle    5392  5355  0 07:02 ?        00:00:11 /usr/java/latest/bin/java -client -Xms32m -Xmx200m -XX:MaxPermSize=128m -Dcoherence.home=/opt/wls/middleware11g/coherence_3.7 -Dbea.home=/opt/wls/middleware11g -Dweblogic.ssl.JSSEEnabled=true -Dweblogic.security.SSL.enableJSSE=true -Dweblogic.security.TrustKeyStore=CustomTrust -Dweblogic.security.CustomTrustKeyStoreFileName=/vagrant/salt/states/puppetmaster/files/base/jks/truststore.jks -Dweblogic.security.CustomTrustKeystorePassPhrase=welcome -Xverify:none -Djava.security.policy=/opt/wls/middleware11g/wlserver_10.3/server/lib/weblogic.policy -Dweblogic.nodemanager.javaHome=/usr/java/latest weblogic.NodeManager -v
oracle    5703  5656  0 07:04 ?        00:00:23 /usr/java/jdk1.7.0_80/bin/java -client -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=256m -Dweblogic.Name=wlsServer1 -Djava.security.policy=/opt/wls/middleware11g/wlserver_10.3/server/lib/weblogic.policy -Dweblogic.system.BootIdentityFile=/opt/wls/wlsdomains/domains/wls_domain/servers/wlsServer1/data/nodemanager/boot.properties -Dweblogic.nodemanager.ServiceEnabled=true -Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.ReverseDNSAllowed=false -Dweblogic.Stdout=/var/log/weblogic/wlsServer1.out -Dweblogic.Stderr=/var/log/weblogic/wlsServer1_err.out -Dweblogic.security.SSL.protocolVersion=TLS1 -Xms712m -Xmx1024m -Xverify:none -da -Dplatform.home=/opt/wls/middleware11g/wlserver_10.3 -Dwls.home=/opt/wls/middleware11g/wlserver_10.3/server -Dweblogic.home=/opt/wls/middleware11g/wlserver_10.3/server -Dweblogic.management.discover=false -Dweblogic.management.server=http://192.168.234.95:7001 -Dwlw.iterativeDev= -Dwlw.testConsole= -Dwlw.logErrorsToConsole= -Dweblogic.ext.dirs=/opt/wls/middleware11g/patch_wls1036/profiles/default/sysext_manifest_classpath:/opt/wls/middleware11g/patch_ocp371/profiles/default/sysext_manifest_classpath weblogic.Server
biemond commented 8 years ago

Will do wls_setting in the next few days.

biemond commented 8 years ago

Fixed in 61af37a.

ltutar commented 8 years ago

One question. Shouldn't https://github.com/biemond/biemond-orawls/blob/master/templates/wlst/enrollDomain.py.erb#L16 be using adminserver_ssl_port if useT3s is true?

biemond commented 8 years ago

Basically it is a port, else I need to add an extra parameter. But instead of use_t3s I can replace this with the admin SSL port and check which one is defined.

ltutar commented 8 years ago

Not needed. Setting the port as shown below solves the problem.

copy_domain_instances:
  "%{hiera('wls_domain_name')}":
    use_ssh:                     false
    domain_pack_dir:             '/tmp'
    log_output:                  true
    use_t3s:                     true
    adminserver_port:            7002
ltutar commented 8 years ago

I am trying to solve the following problem. On the machine of managed server 1, I see the following error (the logging of the managed server machine). The setup works if I use the t3 protocol for copy_domain.

Notice: orawls::wlsdomain wls_domain /opt/wls/wlsdomains/domains/wls_domain 1036 does not exists
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Notify[orawls::wlsdomain wls_domain /opt/wls/wlsdomains/domains/wls_domain 1036 does not exists]/message: defined 'message' as 'orawls::wlsdomain wls_domain /opt/wls/wlsdomains/domains/wls_domain 1036 does not exists'
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[copy domain jar wls_domain]/returns: executed successfully
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[unpack wls_domain]/returns: << read template from "/opt/orainstall/domain_wls_domain.jar"
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[unpack wls_domain]/returns: >>  succeed: read template from "/opt/orainstall/domain_wls_domain.jar"
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[unpack wls_domain]/returns: << set config option AppDir to "/opt/wls/wlsdomains/applications/wls_domain"
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[unpack wls_domain]/returns: >>  succeed: set config option AppDir to "/opt/wls/wlsdomains/applications/wls_domain"
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[unpack wls_domain]/returns: << set config option ServerStartMode to "dev"
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[unpack wls_domain]/returns: >>  succeed: set config option ServerStartMode to "dev"
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[unpack wls_domain]/returns: << find User "weblogic" as u1_CREATE_IF_NOT_EXIST
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[unpack wls_domain]/returns: >>  succeed: find User "weblogic" as u1_CREATE_IF_NOT_EXIST
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[unpack wls_domain]/returns: << set u1_CREATE_IF_NOT_EXIST attribute Password to "********"
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[unpack wls_domain]/returns: >>  succeed: set u1_CREATE_IF_NOT_EXIST attribute Password to "********"
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[unpack wls_domain]/returns: << write Domain to "/opt/wls/wlsdomains/domains/wls_domain"
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[unpack wls_domain]/returns: ...............................................................................................
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[unpack wls_domain]/returns: >>  succeed: write Domain to "/opt/wls/wlsdomains/domains/wls_domain"
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[unpack wls_domain]/returns: << close template
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[unpack wls_domain]/returns: >>  succeed: close template
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[unpack wls_domain]/returns: executed successfully
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[execwlst wls_domain wls_domain]/returns: 
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[execwlst wls_domain wls_domain]/returns: CLASSPATH=/opt/wls/middleware11g/patch_wls1036/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/opt/wls/middleware11g/patch_ocp371/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/usr/java/jdk1.7.0_80/lib/tools.jar:/opt/wls/middleware11g/wlserver_10.3/server/lib/weblogic_sp.jar:/opt/wls/middleware11g/wlserver_10.3/server/lib/weblogic.jar:/opt/wls/middleware11g/modules/features/weblogic.server.modules_10.3.6.0.jar:/opt/wls/middleware11g/wlserver_10.3/server/lib/webservices.jar:/opt/wls/middleware11g/modules/org.apache.ant_1.7.1/lib/ant-all.jar:/opt/wls/middleware11g/modules/net.sf.antcontrib_1.1.0.0_1-0b2/lib/ant-contrib.jar::/opt/wls/middleware11g/utils/config/10.3/config-launch.jar::/opt/wls/middleware11g/wlserver_10.3/common/derby/lib/derbynet.jar:/opt/wls/middleware11g/wlserver_10.3/common/derby/lib/derbyclient.jar:/opt/wls/middleware11g/wlserver_10.3/common/derby/lib/derbytools.jar::
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[execwlst wls_domain wls_domain]/returns: 
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[execwlst wls_domain wls_domain]/returns: Initializing WebLogic Scripting Tool (WLST) ...
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[execwlst wls_domain wls_domain]/returns: 
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[execwlst wls_domain wls_domain]/returns: Jython scans all the jar files it can find at first startup. Depending on the system, this process may take a few minutes to complete, and WLST may not return a prompt right away.
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[execwlst wls_domain wls_domain]/returns: 
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[execwlst wls_domain wls_domain]/returns: Welcome to WebLogic Server Administration Scripting Shell
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[execwlst wls_domain wls_domain]/returns: 
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[execwlst wls_domain wls_domain]/returns: Type help() for help on available commands
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[execwlst wls_domain wls_domain]/returns: 
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[execwlst wls_domain wls_domain]/returns: Connecting to t3s://192.168.234.95:7002 with userid weblogic ...
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[execwlst wls_domain wls_domain]/returns: <Jul 7, 2016 8:47:20 PM CEST> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true> 
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[execwlst wls_domain wls_domain]/returns: <Jul 7, 2016 8:47:20 PM CEST> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true> 
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[execwlst wls_domain wls_domain]/returns: <Jul 7, 2016 8:47:20 PM CEST> <Info> <Security> <BEA-090908> <Using default WebLogic SSL Hostname Verifier implementation.> 
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[execwlst wls_domain wls_domain]/returns: This Exception occurred at Thu Jul 07 20:47:21 CEST 2016.
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[execwlst wls_domain wls_domain]/returns: javax.naming.CommunicationException [Root exception is java.net.ConnectException: t3s://192.168.234.95:7002: Destination unreachable; nested exception is: 
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[execwlst wls_domain wls_domain]/returns:    javax.net.ssl.SSLException: Received fatal alert: unexpected_message; No available router to destination]
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[execwlst wls_domain wls_domain]/returns: Problem invoking WLST - Traceback (innermost last):
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[execwlst wls_domain wls_domain]/returns:   File "/opt/orainstall/enroll_domain_wls_domain.py", line 16, in ?
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[execwlst wls_domain wls_domain]/returns:   File "<iostream>", line 22, in connect
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[execwlst wls_domain wls_domain]/returns:   File "<iostream>", line 653, in raiseWLSTException
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[execwlst wls_domain wls_domain]/returns: WLSTException: Error occured while performing connect : Error getting the initial context. There is no server running at t3s://192.168.234.95:7002 
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[execwlst wls_domain wls_domain]/returns: Use dumpStack() to view the full stacktrace
Error: /opt/wls/middleware11g/wlserver_10.3/common/bin/wlst.sh /opt/orainstall/enroll_domain_wls_domain.py weblogic1 returned 1 instead of one of [0]
Error: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[execwlst wls_domain wls_domain]/returns: change from notrun to 0 failed: /opt/wls/middleware11g/wlserver_10.3/common/bin/wlst.sh /opt/orainstall/enroll_domain_wls_domain.py weblogic1 returned 1 instead of one of [0]
Notice: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[domain.py wls_domain wls_domain]: Dependency Exec[execwlst wls_domain wls_domain] has failures: true
Warning: /Stage[main]/Profiles::Wls::Copy_domain/Orawls::Copydomain[wls_domain]/Exec[domain.py wls_domain wls_domain]: Skipping because of failed dependencies
Info: Orawls::Copydomain[wls_domain]: Unscheduling all events on Orawls::Copydomain[wls_domain]
Info: Stage[main]: Unscheduling all events on Stage[main]
Notice: Applied catalog in 61.12 seconds
[root@wlsagent1 ~]# 

But I know from the logging of the admin server that it is reachable. The logging of the Admin Server machine:

Info: index wls_user 
Info: Executing: wlstScript with action index
Info: domain found default
Info: Starting the wls daemon for domain default
Info: Executing wls-script /tmp/wlstCommonScript.py20160707-12925-5swr3w
Info: Executing wls-script /tmp/wlstScript20160707-12925-1i4sq8u.py with timeout = 120
Info: Connecting to wls on url t3s://192.168.234.95:7002
Info: index wls_group 
Info: Executing: wlstScript with action index
Info: domain found default
Info: Executing wls-script /tmp/wlstScript20160707-12925-ls06ps.py with timeout = 120
Info: Connecting to wls on url t3s://192.168.234.95:7002
Info: index wls_domain
Info: Executing: wlstScript with action index
Info: domain found default
Info: Executing wls-script /tmp/wlstScript20160707-12925-i884e2.py with timeout = 120
Info: Connecting to wls on url t3s://192.168.234.95:7002
Info: index wls_machine 
Info: Executing: wlstScript with action index
Info: domain found default
Info: Executing wls-script /tmp/wlstScript20160707-12925-7g9cu7.py with timeout = 120
Info: Connecting to wls on url t3s://192.168.234.95:7002
Info: index wls_server 
Info: Executing: wlstScript with action index
Info: domain found default
Info: Executing wls-script /tmp/wlstScript20160707-12925-7dxjs8.py with timeout = 120
Info: Connecting to wls on url t3s://192.168.234.95:7002
Info: index wls_cluster
Info: Executing: wlstScript with action index
Info: domain found default
Info: Executing wls-script /tmp/wlstScript20160707-12925-12j0lys.py with timeout = 120
Info: Connecting to wls on url t3s://192.168.234.95:7002
Notice: Applied catalog in 47.92 seconds
[root@wlsagent ~]# 
ltutar commented 8 years ago

[root@wlsagent1 weblogic]# cat /opt/orainstall/enroll_domain_wls_domain.py

wlsUser = 'weblogic'
password = sys.argv[1]
machine = '192.168.234.95'
portNumber = '7002'
domains_path = '/opt/wls/wlsdomains/domains'
domain = 'wls_domain'
nodeMgrHome = '/opt/wls/middleware11g/wlserver_10.3/common/nodemanager'
useT3s = 'true'

if useT3s == 'false':
  connectStr = 't3://'
else:
  connectStr = 't3s://'

connect(wlsUser, password, connectStr + machine + ':' + portNumber)
nmEnroll(domainDir=domains_path + '/' + domain, nmHome=nodeMgrHome)
[root@wlsagent1 weblogic]#

biemond commented 8 years ago

Maybe disable the firewall/iptables and check netstat -an.

ltutar commented 8 years ago

I can telnet to it.

[root@wlsagent1 weblogic]# telnet 192.168.234.95 7002
Trying 192.168.234.95...
Connected to 192.168.234.95.
Escape character is '^]'.
ltutar commented 8 years ago

I created my own certificates. I am not sure if I have to trust some certificates between the machines.

biemond commented 8 years ago

You need to set trust on copydomain.

ltutar commented 8 years ago

One more thing. The second puppet run will not rerun the script. If the first puppet run goes wrong, we will not be able to correct the machine.

[root@wlsagent1 weblogic]# puppet agent -t
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for wlsagent1.home
Info: Applying configuration version '1467917990'
Notice: /Stage[main]/Motd/File[/etc/motd]/content: 
--- /etc/motd   2016-07-07 20:46:20.978008001 +0200
+++ /tmp/puppet-file20160707-6077-1187ttu   2016-07-07 20:59:55.394008002 +0200
@@ -5,4 +5,4 @@
 #### OS: CentOS (6.8)
 #### Memory: 996.17 MiB Total
 #### Puppet Version: 4.4.1
-#### Uptime: 0:16 hours
+#### Uptime: 0:29 hours

Notice: /Stage[main]/Motd/File[/etc/motd]/content: content changed '{md5}6c41257aee55a4e2a9543890e033480e' to '{md5}878073352848074bd8e5e34654ae3dc5'
Notice: /Stage[main]/Orawls_deps::Install/Exec[Install_glibc-2.12-1.166.el6_7.7.i686.rpm]/returns: executed successfully
Notice: Applied catalog in 39.01 seconds
[root@wlsagent1 weblogic]# 
ltutar commented 8 years ago

I already have the following in my yaml.

wls_custom_trust:                  true
wls_trust_keystore_file:           '/opt/ssl/keystore/truststore.jks'
wls_trust_keystore_passphrase:     'welcome'
ltutar commented 8 years ago

One step closer. When I run the script enroll_domain_wls_domain.py manually, I get the following error:

<Jul 7, 2016 9:10:51 PM CEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=GeoTrust Primary Certification Authority - G2,OU=(c) 2007 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.10045.4.3.3.> 
<Jul 7, 2016 9:10:51 PM CEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=AffirmTrust Premium,O=AffirmTrust,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.12.> 
<Jul 7, 2016 9:10:51 PM CEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.> 
<Jul 7, 2016 9:10:51 PM CEST> <Warning> <Security> <BEA-090492> <UNEXPECTED_MESSAGE alert received from wlsagent.home - 192.168.234.95.> 
This Exception occurred at Thu Jul 07 21:10:51 CEST 2016.
javax.naming.CommunicationException [Root exception is java.net.ConnectException: t3s://192.168.234.95:7002: Destination unreachable; nested exception is: 
    javax.net.ssl.SSLProtocolException: [Security:090492]UNEXPECTED_MESSAGE alert received from wlsagent.home - 192.168.234.95.; No available router to destination]
Problem invoking WLST - Traceback (innermost last):
  File "enroll_domain_wls_domain.py", line 16, in ?
  File "<iostream>", line 22, in connect
  File "<iostream>", line 653, in raiseWLSTException
WLSTException: Error occured while performing connect : Error getting the initial context. There is no server running at t3s://192.168.234.95:7002 
Use dumpStack() to view the full stacktrace

[root@wlsagent1 orainstall]# 

I think I need to set some parameters for copy_domain, as in https://github.com/biemond/biemond-orawls/pull/348 and https://github.com/biemond/biemond-orawls-vagrant-12.2.1/issues/4

biemond commented 8 years ago

Probably your TLS parameter needs to be set. What if you set it yourself in the code on copydomain or from wlst?

ltutar commented 8 years ago

I added this in wlst.sh:

CONFIG_JVM_ARGS="-Dweblogic.ssl.JSSEEnabled=true -Dweblogic.security.SSL.enableJSSE=true -Dweblogic.security.TrustKeyStore=CustomTrust -Dweblogic.security.CustomTrustKeyStoreFileName=/opt/ssl/keystore/truststore.jks -Dweblogic.security.CustomTrustKeystorePassPhrase=welcome"

echo CONFIG_JVM_ARGS=${CONFIG_JVM_ARGS}

JVM_ARGS="-Dprod.props.file='${WL_HOME}'/.product.properties ${WLST_PROPERTIES} ${JVM_D64} ${MEM_ARGS} ${CONFIG_JVM_ARGS}"

But no luck.

biemond commented 8 years ago

I don't see the TLS parameter which you added to the adminserver, or something with the JVM.

Can you try SSLPoke (https://github.com/biemond/biemond-orawls-vagrant/blob/master/SSLPoke.class)?

java -Djavax.net.ssl.trustStore=/vagrant/truststore.jks -Djavax.net.ssl.trustStorePassword=welcome SSLPoke 10.10.10.10 5556

ltutar commented 8 years ago

[root@wlsagent1 orainstall]# java -Djavax.net.ssl.trustStore=/opt/ssl/keystore/truststore.jks -Djavax.net.ssl.trustStorePassword=welcome SSLPoke 192.168.234.96 5556
Successfully connected
[root@wlsagent1 orainstall]# java -Djavax.net.ssl.trustStore=/opt/ssl/keystore/truststore.jks -Djavax.net.ssl.trustStorePassword=welcome SSLPoke 192.168.234.95 5556
Successfully connected
[root@wlsagent1 orainstall]#

biemond commented 8 years ago

And port 7002?

ltutar commented 8 years ago

It is working. You are right. Adding -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1 to wlst.sh solved it.

[root@wlsagent1 orainstall]# /opt/wls/middleware11g/wlserver_10.3/common/bin/wlst.sh -i enroll_domain_wls_domain.py 

CLASSPATH=/opt/wls/middleware11g/patch_wls1036/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/opt/wls/middleware11g/patch_ocp371/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/usr/java/jdk1.7.0_80/lib/tools.jar:/opt/wls/middleware11g/wlserver_10.3/server/lib/weblogic_sp.jar:/opt/wls/middleware11g/wlserver_10.3/server/lib/weblogic.jar:/opt/wls/middleware11g/modules/features/weblogic.server.modules_10.3.6.0.jar:/opt/wls/middleware11g/wlserver_10.3/server/lib/webservices.jar:/opt/wls/middleware11g/modules/org.apache.ant_1.7.1/lib/ant-all.jar:/opt/wls/middleware11g/modules/net.sf.antcontrib_1.1.0.0_1-0b2/lib/ant-contrib.jar::/opt/wls/middleware11g/utils/config/10.3/config-launch.jar::/opt/wls/middleware11g/wlserver_10.3/common/derby/lib/derbynet.jar:/opt/wls/middleware11g/wlserver_10.3/common/derby/lib/derbyclient.jar:/opt/wls/middleware11g/wlserver_10.3/common/derby/lib/derbytools.jar::
CONFIG_JVM_ARGS=-Dweblogic.ssl.JSSEEnabled=true -Dweblogic.security.SSL.enableJSSE=true -Dweblogic.security.TrustKeyStore=CustomTrust -Dweblogic.security.CustomTrustKeyStoreFileName=/opt/ssl/keystore/truststore.jks -Dweblogic.security.CustomTrustKeystorePassPhrase=welcome -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

Connecting to t3s://192.168.234.95:7002 with userid weblogic ...
<Jul 7, 2016 11:20:54 PM CEST> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true> 
<Jul 7, 2016 11:20:54 PM CEST> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true> 
<Jul 7, 2016 11:20:54 PM CEST> <Info> <Security> <BEA-090908> <Using default WebLogic SSL Hostname Verifier implementation.> 
Successfully connected to Admin Server 'AdminServer' that belongs to domain 'wls_domain'.

Enrolling this machine with the domain directory at /opt/wls/wlsdomains/domains/wls_domain ...
Successfully enrolled this machine with the domain directory at /opt/wls/wlsdomains/domains/wls_domain.

The new CONFIG_JVM_ARGS:

CONFIG_JVM_ARGS="-Dweblogic.ssl.JSSEEnabled=true -Dweblogic.security.SSL.enableJSSE=true -Dweblogic.security.TrustKeyStore=CustomTrust -Dweblogic.security.CustomTrustKeyStoreFileName=/opt/ssl/keystore/truststore.jks -Dweblogic.security.CustomTrustKeystorePassPhrase=welcome -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1"

Question: how can I pass these parameters to copy_domain?
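The failure worked through above (SSLPoke connects to 5556 and 7002 with the right trust store, but the WLST connect to t3s://...:7002 dies with a fatal unexpected_message alert until the client's minimum protocol version is pinned) is the classic symptom of client and server negotiating different TLS versions rather than a trust problem. The probe below is an added example, not code from biemond-orawls or SSLPoke: it does what SSLPoke does from Python's ssl module, but with an explicit TLS floor and trust store, reports the negotiated version, cipher and peer subject on success, and on failure maps the error text to the first thing to check, using the error strings quoted in this thread. It assumes the trust store has been exported to PEM (Python does not read JKS), and the host, port and path in the main block are placeholders.

```python
"""Probe a WebLogic SSL listener (t3s port or NodeManager) with an explicit
TLS floor and trust store, and map a failed handshake to the first check.

Added example, not code from biemond-orawls or SSLPoke. Assumes the trust
store is available as a PEM bundle (Python's ssl module does not read JKS);
host, port and path below are placeholders for your own values. The hint
table is built from the error strings quoted in this thread.
"""
import socket
import ssl

# (substring of the error text, lower case; what to check first).
# Order matters: the first match wins.
FAILURE_HINTS = [
    ("unexpected_message",
     "protocol mismatch between client and server TLS versions; pin the client "
     "floor (for WLST: -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1 in "
     "CONFIG_JVM_ARGS)"),
    ("certificate verify failed",
     "server certificate is not trusted; check the trust store and hostname "
     "verification"),
    ("connection refused",
     "nothing is listening on that port; check the listener and its SSL port"),
    ("timed out",
     "no network path; check firewall/iptables and netstat -an on the server"),
]


def classify_failure(message):
    """Return the hint for the first FAILURE_HINTS entry found in message."""
    lowered = message.lower()
    for needle, hint in FAILURE_HINTS:
        if needle in lowered:
            return hint
    return ("unclassified; compare client and server TLS settings and capture "
            "the handshake")


def probe(host, port, cafile=None, minimum=ssl.TLSVersion.TLSv1_2, timeout=5.0):
    """Attempt one TLS handshake and report what was negotiated.

    Returns {"ok": True, "version", "cipher", "peer_subject"} on success or
    {"ok": False, "error", "hint"} on any socket or TLS failure.
    """
    ctx = ssl.create_default_context(cafile=cafile)   # cafile=None: system CAs
    ctx.minimum_version = minimum                     # refuse anything older
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {
                    "ok": True,
                    "version": tls.version(),
                    "cipher": tls.cipher()[0],
                    "peer_subject": cert.get("subject"),
                }
    except OSError as exc:            # ssl.SSLError is an OSError subclass
        text = str(exc)
        return {"ok": False, "error": text, "hint": classify_failure(text)}


if __name__ == "__main__":
    # Placeholders: replace with your admin server / NodeManager and PEM bundle.
    for port in (7002, 5556):
        result = probe("ADMIN_HOST_PLACEHOLDER", port,
                       cafile="/path/to/truststore.pem")
        print(port, result)
```

Run it once against the admin server's SSL port and once against the NodeManager port, as Edwin asked for with SSLPoke; a success on 5556 and an unexpected_message failure on 7002 points at the server's protocolVersion setting versus the client's floor, not at the trust store.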

biemond commented 8 years ago

Do it here https://github.com/biemond/biemond-orawls/blob/master/manifests/copydomain.pp#L218

You can also add a new param to copydomain called extra_arguments and add it to this https://github.com/biemond/biemond-orawls/blob/master/manifests/copydomain.pp#L218 and this https://github.com/biemond/biemond-orawls/blob/master/manifests/copydomain.pp#L221

ltutar commented 8 years ago

Thank you. I will add a new parameter and create a PR.

ltutar commented 8 years ago

362 solved the last issues. Thank you for your time.