Oracle MVA

Tales from a Jack of all trades

Archive for July 2012

setting mBean attributes after securing OIM with SSL


When you set up SSL for Oracle Identity Manager, you have to click through a pretty complicated mBean path to point OIM at the SSL URLs. Since I am all about scripting deployments, I created a small WLST script that sets the appropriate mBean attributes for me. Creating this script was easier because of one of Edwin Biemond’s posts.

The specific attributes are:

  • OimFrontEndURL: the URL end users use to access the OIM application, usually a VIP on an HTTP load balancer
  • Rmiurl: the URL the OIM application uses to contact SOA over RMI. This is a comma-separated list of SOA servers available to OIM
  • Soapurl: the URL on which the OIM application can invoke services on SOA, usually a VIP on an HTTP load balancer

Please keep in mind that you might have to set up mod_wl_ohs on an HTTP server. Also keep in mind that you have to choose the correct ports: in my case the default https port for OIM and SOA SOAP (with mod_wl_ohs in place), plus 8002 for t3s for SOA RMI.

Anyway, here’s the script (and yet again: sorry for the fubar layout):

# Connect to the AdminServer over t3s; demo credentials from the post.
# If you would rather not keep the password in the script, connect() also
# takes userConfigFile/userKeyFile as created with storeUserConfig().
connect('weblogic','Welkom01','t3s://oim.area51.local:7002')

# The OIM configuration MBeans live in the domain runtime MBean server
domainRuntime()

from javax.management import ObjectName, Attribute

# ApplicationVersion must match the installed OIM release (11.1.1.3.0 here)
oimBean = ObjectName('oracle.iam:Location=oim_server1,name=Discovery,type=XMLConfig.DiscoveryConfig,XMLConfig=Config,Application=oim,ApplicationVersion=11.1.1.3.0')
# URL end users use to reach OIM: the https VIP on the load balancer
fUrl=Attribute('OimFrontEndURL','https://oim.area51.local')
mbs.setAttribute(oimBean,fUrl)

soaBean = ObjectName('oracle.iam:Location=oim_server1,name=SOAConfig,type=XMLConfig.SOAConfig,XMLConfig=Config,Application=oim,ApplicationVersion=11.1.1.3.0')

# RMI: t3s straight to each SOA managed server; SOAP: https via the load balancer
soaConfigRmiURL=Attribute('Rmiurl','t3s://oim1.area51.local:8002,t3s://oim2.area51.local:8002')
soaConfigSoapUrl=Attribute('Soapurl','https://oim.area51.local')

mbs.setAttribute(soaBean,soaConfigRmiURL)
mbs.setAttribute(soaBean,soaConfigSoapUrl)

disconnect()
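
Added sanity check, not part of the original post: the script above writes the three URLs but never verifies what it wrote, and a single entry that still says http or t3 silently reintroduces clear-text traffic. The plain-Python helper below (it runs standalone and under WLST's Jython) parses the values and reports a front-end or SOAP URL that is not https, and an Rmiurl entry that is not t3s, lacks an explicit port, or lists a host twice. The sample values are the ones from the script; under WLST you could instead feed it the live values read back with mbs.getAttribute(oimBean, 'OimFrontEndURL') and the SOA bean's 'Rmiurl' and 'Soapurl'.

```python
# Added example (not the original post's code): sanity-check the OIM URL
# attributes set above. Pure Python 2/3, so it runs standalone or inside WLST.
import re

# Sample values taken from the script above; hostnames are the post's.
OIM_FRONTEND_URL = 'https://oim.area51.local'
SOA_RMIURL = 't3s://oim1.area51.local:8002,t3s://oim2.area51.local:8002'
SOA_SOAPURL = 'https://oim.area51.local'

# scheme://host[:port][/path]; commas are excluded from the host so a
# comma-separated list that was not split first is rejected, not half-parsed.
_URL_RE = re.compile(r'^([a-z0-9+.-]+)://([^/:,\s]+)(?::(\d+))?(?:/.*)?$', re.IGNORECASE)

def split_url(url):
    """Return (scheme, host, port or None), or None if the URL does not parse."""
    m = _URL_RE.match(url.strip())
    if m is None:
        return None
    scheme, host, port = m.group(1).lower(), m.group(2).lower(), m.group(3)
    return scheme, host, (int(port) if port else None)

def check_oim_ssl_urls(frontend, rmiurl, soapurl):
    """Return a list of findings; an empty list means the three values are
    consistent with an SSL-only setup. Each finding names the attribute."""
    findings = []
    # The browser-facing and SOAP endpoints must both be https.
    for name, value in (('OimFrontEndURL', frontend), ('Soapurl', soapurl)):
        parts = split_url(value)
        if parts is None:
            findings.append('%s: cannot parse %r' % (name, value))
            continue
        scheme, host, port = parts
        if scheme != 'https':
            findings.append('%s: scheme is %s, expected https' % (name, scheme))
    # Rmiurl is a comma-separated list of SOA servers; each must be t3s with a port.
    seen_hosts = []
    for entry in rmiurl.split(','):
        parts = split_url(entry)
        if parts is None:
            findings.append('Rmiurl: cannot parse %r' % entry)
            continue
        scheme, host, port = parts
        if scheme != 't3s':
            findings.append('Rmiurl: %s uses %s, expected t3s' % (host, scheme))
        if port is None:
            findings.append('Rmiurl: %s has no explicit port' % host)
        if host in seen_hosts:
            findings.append('Rmiurl: %s listed more than once' % host)
        seen_hosts.append(host)
    return findings

if __name__ == '__main__':
    for f in check_oim_ssl_urls(OIM_FRONTEND_URL, SOA_RMIURL, SOA_SOAPURL) or ['no findings']:
        print(f)
```

The check is deliberately strict about the RMI port: WebLogic will happily accept a t3s URL without one, but it then falls back to the default port, which is rarely the SSL port you configured.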

After you have configured SSL correctly, I suggest you also enable the SSL port for OIM. How to do that I explained here.

P.S. If you set up OIM on a cluster, you need to set these attributes too.

Hope this helps.

Written by Jacco H. Landlust

July 5, 2012 at 9:05 pm

WLST: setup ssl for servers


Since everyone seems to be posting these cool WLST snippets nowadays, I figured I should share some of my stuff 🙂 Here’s a little script that I wrote to enable SSL for servers. For those of you that don’t know much about SSL for WebLogic yet, Simon Haslam has a great post about it.

Please keep in mind that certain Fusion Middleware products need additional configuration. Also keep in mind that NodeManager needs to be configured for SSL too. One more thing to be aware of: the script takes the admin password and the keystore passphrases as command-line arguments, so they end up in your shell history and are visible in the process list while it runs; on a shared machine that is worth avoiding.

I stole part of the code from David M. Karr; all credits for the parameter parsing should be his. Also I made some assumptions about the keystore name (you can deduce them from the script).

I’m no full-time Jython coder, so please don’t kill me over stupid constructs. Also WordPress should be severely punished for having these broken code tags. Copying the script to vi (or your editor of choice) is easiest.

Finally: please don’t run this script on your production environment without testing it thoroughly first!

#!/bin/python
#
# WLST script: enable SSL on every server in the domain, point each server at
# its custom identity and trust keystores and switch all clusters to secure
# replication. Run it through wlst.sh, not through plain Python.

import os, sys, re, getopt
import java.net

# Usage function
def usage():
     print "Usage: setup_ssl_for_servers.py -u adminuser -c password -t protocol -a adminserver -p port -k path_to_keys -x identityKeyPass -y trustStoreKeyPass -z privateKeyPass"

# Function that sets the keystore and key passphrases for one server.
# If SSL is not enabled yet, it is enabled now on listen port + 100.
# Assumptions baked in: the identity keystore is <keypath>/<listen address>.jks,
# the trust store is <keypath>/truststore.jks and the server's private key
# is stored under an alias equal to the listen address.
def setSSLSettings(serverObj, keypath, identitykey, truststorekey, privatekey):
     cd('/Servers/' + serverObj)
     # Get the relevant information (listen address, port and name)
     strListenAddress=cmo.getListenAddress()
     if strListenAddress is None or strListenAddress == "":
          # Caveat: this is the hostname of the machine running WLST, which is
          # only right when that is also the machine this server runs on
          strListenAddress = java.net.InetAddress.getLocalHost().getHostName()
          print "the listen address of the server is empty, set it to " + str(strListenAddress)
     else:
          print "listen address of the server is : " + strListenAddress
     intListenPort=cmo.getListenPort()
     svrName=cmo.getName()
     # Set the Keystore Information
     cmo.setKeyStores('CustomIdentityAndCustomTrust')
     cmo.setCustomIdentityKeyStoreFileName(keypath + "/" + str(strListenAddress) + '.jks')
     cmo.setCustomIdentityKeyStoreType('JKS')
     set('CustomIdentityKeyStorePassPhrase', identitykey)
     cmo.setCustomTrustKeyStoreFileName(keypath + '/truststore.jks')
     cmo.setCustomTrustKeyStoreType('JKS')
     set('CustomTrustKeyStorePassPhrase', truststorekey)
     # Create the SSL MBean if the server does not have one yet, then move into it
     try:
          create(svrName,'SSL')
     except:
          pass
     cd('SSL/' + svrName)
     # SSL port = plain listen port + 100
     intSSLPort = intListenPort + 100
     cmo.setListenPort(intSSLPort)
     print "SSL port was set to " + str(intSSLPort)
     cmo.setEnabled(true)
     # Set private key settings (alias = listen address, see above)
     cmo.setServerPrivateKeyAlias(strListenAddress)
     set('ServerPrivateKeyPassPhrase', privatekey)

# Process parameters
try:
     opts, args = getopt.getopt(sys.argv[1:], "u:c:t:a:p:k:x:y:z:",["adminuser=", "credential=", "adminProtocol=", "adminServer=","adminserverPort=", "keyPath=", "identityKeyPass=","trustStoreKeyPass=", "privateKeyPass="])
except:
     print "unknown argument passed"
     usage()
     sys.exit(2)

# Initialize variables
adminuser=""
credential=""
adminProtocol=""
adminServer=""
adminserverPort=""
identityKeyPass=""
trustStoreKeyPass=""
privateKeyPass=""
keyPath=""

# Get the parameters
for opt, arg in opts:
     if opt == "-u":
          adminuser = arg
     elif opt == "-c":
          credential = arg
     elif opt == "-t":
          adminProtocol = arg
     elif opt == "-a":
          adminServer = arg
     elif opt == "-p":
          adminserverPort = arg
     elif opt == "-k":
          keyPath = arg
     elif opt == "-x":
          identityKeyPass = arg
     elif opt == "-y":
          trustStoreKeyPass = arg
     elif opt == "-z":
          privateKeyPass = arg

# Do some checking on the parameters
if adminuser == "":
     print "Missing \"-u adminuser\" parameter."
     usage()
     sys.exit(2)
elif credential == "":
     print "Missing \"-c password\" parameter."
     usage()
     sys.exit(2)
elif adminProtocol == "":
     print "Missing \"-t adminProtocol\" parameter."
     usage()
     sys.exit(2)
elif adminServer == "":
     print "Missing \"-a adminServer\" parameter."
     usage()
     sys.exit(2)
elif adminserverPort == "":
     print "Missing \"-p adminserverPort\" paramerer."
     usage()
     sys.exit(2)
elif keyPath == "":
     print "Missing \"-k keyPath\" parameter."
     usage()
     sys.exit(2)
elif identityKeyPass == "":
     print "Missing \"-x identityKeyPass\" parameter."
     usage()
     sys.exit(2)
elif trustStoreKeyPass == "":
     print "Missing \"-y trustStoreKeyPass\" parameter."
     usage()
     sys.exit(2)
elif privateKeyPass == "":
     print "Missing \"-z privateKeyPass\" parameter."
     usage()
     sys.exit(2)

print "Got all the required parameters"

# Connect
# Pass t3s as the protocol: over plain t3 the admin credentials travel in clear text
connectString= str(adminProtocol) + "://" + str(adminServer) + ":" + str(adminserverPort)
connect(adminuser,credential,connectString)

# Start Edit
edit()
startEdit()

# Loop through servers
cd('/Servers')
# Send WLST output to /dev/null only while ls() collects the server names
# into a map, then back to stdout as well
redirect('/dev/null','false')
servers=ls(returnMap='true')
redirect('/dev/null','true')

for svr in servers:
     # Do some SSL magic
     setSSLSettings( svr, keyPath, identityKeyPass, trustStoreKeyPass, privateKeyPass )

cd('/Clusters')
redirect('/dev/null','false')
clusters=ls(returnMap='true')
redirect('/dev/null','true')

for cls in clusters:
     cd('/Clusters/' + cls)
     # Set replication to secure: session replication between cluster members
     # then uses the SSL ports configured above
     cmo.setSecureReplicationEnabled(true)

# Activate
save()
activate()
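
Added example, not part of the original post: a dry run of the conventions the script hard-codes (SSL port = listen port + 100, identity keystore <keypath>/<listen address>.jks, key alias = listen address) over a list of servers, done before anything is activated. It reports what would be configured and flags two things the script itself does not catch: an SSL port that collides with another server's listen or SSL port on the same address, and an empty listen address, for which the script falls back to the hostname of the machine running WLST. Plain Python; the server names, addresses and ports below are constructed, not read from a domain. Under WLST the same list can be built from cd('/Servers'), cmo.getListenAddress() and cmo.getListenPort().

```python
# Added example (not the original post's code): dry run of the port and
# keystore conventions of setup_ssl_for_servers.py, with collision checks.
# Pure Python 2/3; the server list is constructed for illustration.

SSL_PORT_OFFSET = 100   # the script uses listen port + 100

# (server name, listen address, listen port); constructed sample domain
SAMPLE_SERVERS = [
    ('AdminServer', 'oim.area51.local', 7001),
    ('oim_server1', 'oim1.area51.local', 14000),
    ('soa_server1', 'oim1.area51.local', 8001),
    ('ods_server1', 'oim1.area51.local', 8101),   # listens where soa_server1's SSL port would land
    ('test_server', '', 7003),                    # listen address left empty
]

def plan_ssl_settings(servers, keypath, offset=SSL_PORT_OFFSET):
    """Return (plan, problems). plan holds one dict per server with the values
    the script would set; problems lists port collisions and empty addresses."""
    plan = []
    problems = []
    in_use = {}  # (address, port) -> which server/port already claims it
    for name, address, listen_port in servers:
        if not address:
            problems.append('%s: listen address is empty; the script would use the '
                            'hostname of the machine running WLST instead' % name)
            address = '<wlst-host>'
        ssl_port = listen_port + offset
        plan.append({
            'name': name,
            'address': address,
            'listen_port': listen_port,
            'ssl_port': ssl_port,
            'identity_keystore': keypath + '/' + address + '.jks',
            'trust_keystore': keypath + '/truststore.jks',
            'key_alias': address,
        })
        # Both the plain and the SSL port must be free on that address.
        for kind, port in (('listen', listen_port), ('ssl', ssl_port)):
            key = (address, port)
            if key in in_use:
                problems.append('%s: %s port %d on %s is already the %s'
                                % (name, kind, port, address, in_use[key]))
            else:
                in_use[key] = '%s port of %s' % (kind, name)
    return plan, problems

if __name__ == '__main__':
    plan, problems = plan_ssl_settings(SAMPLE_SERVERS, '/u01/app/keys')
    for entry in plan:
        print('%(name)s: SSL %(address)s:%(ssl_port)d keystore=%(identity_keystore)s alias=%(key_alias)s' % entry)
    for p in problems:
        print('PROBLEM ' + p)
```

If the plan shows no problems, the remaining thing to verify by hand is that each identity keystore really contains a key under the listen-address alias, since the script sets ServerPrivateKeyAlias to that value without checking (keytool -list on the .jks file shows the aliases).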

Hope this helps.

Written by Jacco H. Landlust

July 2, 2012 at 11:20 pm

Posted in security, Weblogic