Oracle MVA

Tales from a Jack of all trades

WLST: setup ssl for servers


Since everyone seems to be posting these cool WLST snippets nowadays, I figured I should share some of my stuff 🙂 Here’s a little script that I wrote to enable SSL for servers. For those of you that don’t know much about SSL for WebLogic yet, Simon Haslam has a great post about it.

Please keep in mind that certain Fusion Middleware products need additional configuration. Also keep in mind that NodeManager needs to be configured for SSL too.

I stole part of the code from David M. Karr, all credits for the parameter parsing should be his. Also I made some assumptions about the keystore name (you can deduce that from the script).

I’m no full-time Jython coder, so please don’t kill me over stupid constructs. Also WordPress should be severely punished for having these broken code tags. Copying the script to vi (or your editor of choice) is easiest.

Finally: please don’t run this script on your production environment without testing it thoroughly first!

#!/bin/python
#
# setup_ssl_for_servers.py - enable SSL on every server in a WebLogic domain.
# Run it through WLST (e.g. wlst.sh setup_ssl_for_servers.py ...); cd(), cmo,
# set(), create(), connect(), ls(), redirect(), edit() and true are WLST built-ins.

import os, sys, re, getopt
import java.net   # used for the local hostname fallback in setSSLSettings()

# Usage function
def usage():
    print "Usage: setup_ssl_for_servers.py -u adminuser -c password -t protocol -a adminserver -p port -k path_to_keys -x identityKeyPass -y trustStoreKeyPass -z privateKeyPass"

# Function that sets the keystore and key passphrases
# if SSL is not enabled, it will enable it now
# Also the SSL port is set
def setSSLSettings(serverObj, keypath, identitykey, truststorekey, privatekey):
    cd('/Servers/' + serverObj)
    # Get the relevant information (listen address, port and name)
    strListenAddress = cmo.getListenAddress()
    if strListenAddress == "":
        # No explicit listen address: fall back to the local hostname, which then
        # also determines the identity keystore name and the private key alias
        strListenAddress = java.net.InetAddress.getLocalHost().getHostName()
        print "the listen address of the server is empty, set it to " + str(strListenAddress)
    else:
        print "listen address of the server is : " + strListenAddress
    intListenPort = cmo.getListenPort()
    svrName = cmo.getName()
    # Set the Keystore Information
    # Assumption: identity keystore is <keypath>/<listenaddress>.jks and the
    # trust store is <keypath>/truststore.jks, both of type JKS
    cmo.setKeyStores('CustomIdentityAndCustomTrust')
    cmo.setCustomIdentityKeyStoreFileName(keypath + "/" + str(strListenAddress) + '.jks')
    cmo.setCustomIdentityKeyStoreType('JKS')
    # Passphrases are encrypted attributes, so they are written with set() rather than a setter
    set('CustomIdentityKeyStorePassPhrase', identitykey)
    cmo.setCustomTrustKeyStoreFileName(keypath + '/truststore.jks')
    cmo.setCustomTrustKeyStoreType('JKS')
    set('CustomTrustKeyStorePassPhrase', truststorekey)
    # Create SSL Port (create the SSL MBean first if the server does not have one yet)
    try:
        create(svrName, 'SSL')
        cd('SSL/' + svrName)
    except:
        cd('SSL/' + svrName)
    # SSL port is the plain listen port plus 100
    sslPort = intListenPort + 100
    cmo.setListenPort(sslPort)
    print "SSL port was set to " + str(sslPort)
    cmo.setEnabled(true)
    # Set private key settings (the alias in the identity keystore must match the listen address)
    cmo.setServerPrivateKeyAlias(strListenAddress)
    set('ServerPrivateKeyPassPhrase', privatekey)

# Process parameters
try:
    opts, args = getopt.getopt(sys.argv[1:], "u:c:t:a:p:k:x:y:z:", ["adminuser=", "credential=", "adminProtocol=", "adminServer=", "adminserverPort=", "keyPath=", "identityKeyPass=", "trustStoreKeyPass=", "privateKeyPass="])
except getopt.GetoptError:
    print "unknown argument passed"
    usage()
    sys.exit(2)

# Initialize variables
adminuser = ""
credential = ""
adminProtocol = ""
adminServer = ""
adminserverPort = ""
identityKeyPass = ""
trustStoreKeyPass = ""
privateKeyPass = ""
keyPath = ""

# Get the parameters (short and long form are both declared above, so accept both)
for opt, arg in opts:
    if opt in ("-u", "--adminuser"):
        adminuser = arg
    elif opt in ("-c", "--credential"):
        credential = arg
    elif opt in ("-t", "--adminProtocol"):
        adminProtocol = arg
    elif opt in ("-a", "--adminServer"):
        adminServer = arg
    elif opt in ("-p", "--adminserverPort"):
        adminserverPort = arg
    elif opt in ("-k", "--keyPath"):
        keyPath = arg
    elif opt in ("-x", "--identityKeyPass"):
        identityKeyPass = arg
    elif opt in ("-y", "--trustStoreKeyPass"):
        trustStoreKeyPass = arg
    elif opt in ("-z", "--privateKeyPass"):
        privateKeyPass = arg

# Do some checking on the parameters
if adminuser == "":
    print "Missing \"-u adminuser\" parameter."
    usage()
    sys.exit(2)
elif credential == "":
    print "Missing \"-c password\" parameter."
    usage()
    sys.exit(2)
elif adminProtocol == "":
    print "Missing \"-t adminProtocol\" parameter."
    usage()
    sys.exit(2)
elif adminServer == "":
    print "Missing \"-a adminServer\" parameter."
    usage()
    sys.exit(2)
elif adminserverPort == "":
    print "Missing \"-p adminserverPort\" parameter."
    usage()
    sys.exit(2)
elif keyPath == "":
    print "Missing \"-k keyPath\" parameter."
    usage()
    sys.exit(2)
elif identityKeyPass == "":
    print "Missing \"-x identityKeyPass\" parameter."
    usage()
    sys.exit(2)
elif trustStoreKeyPass == "":
    print "Missing \"-y trustStoreKeyPass\" parameter."
    usage()
    sys.exit(2)
elif privateKeyPass == "":
    print "Missing \"-z privateKeyPass\" parameter."
    usage()
    sys.exit(2)

print "Got all the required parameters"

# Connect
connectString = str(adminProtocol) + "://" + str(adminServer) + ":" + str(adminserverPort)
connect(adminuser, credential, connectString)

# Start Edit
edit()
startEdit()

# Loop through servers
cd('/Servers')
# Silence the ls() listing, collect the server names as a map, then send output back to stdout
redirect('/dev/null', 'false')
servers = ls(returnMap='true')
redirect('/dev/null', 'true')

for svr in servers:
    # Do some SSL magic
    setSSLSettings(svr, keyPath, identityKeyPass, trustStoreKeyPass, privateKeyPass)

cd('/Clusters')
redirect('/dev/null', 'false')
clusters = ls(returnMap='true')
redirect('/dev/null', 'true')

for cls in clusters:
    cd('/Clusters/' + cls)
    # Set replication to secure (session replication between cluster members over SSL)
    cmo.setSecureReplicationEnabled(true)

# Activate
save()
activate()
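The script bakes in three conventions that silently break the domain when they do not hold: the identity keystore must be named after the server's listen address (falling back to the local hostname when the address is empty), the private key alias must equal that address, and the SSL port is the plain listen port plus 100, which can land on another server's listen port on the same host. As an added pre-flight check that is not part of the original post, the plain-Python helper below (it runs outside WLST, so the server inventory is passed in as a list rather than read through cmo) builds the same plan the script would apply and reports missing keystores and port collisions before any edit session is started. `plan_ssl_config`, `demo` and the sample inventory with empty placeholder `.jks` files are constructed for this illustration; a real check would additionally confirm that the alias exists in the keystore (e.g. with keytool).

```python
import os
import socket
import tempfile

# Mirrors the assumptions of the WLST script above (hypothetical helper, not from the post):
#   identity keystore = <keypath>/<listenAddress>.jks, private key alias = listenAddress
#   trust keystore    = <keypath>/truststore.jks
#   SSL listen port   = plain listen port + 100
SSL_PORT_OFFSET = 100


def plan_ssl_config(servers, keypath, hostname=None):
    """Build the per-server SSL plan the script would apply and collect problems.

    servers  : list of dicts with 'name', 'listenAddress' and 'listenPort'
               (what ls() on /Servers plus getListenAddress()/getListenPort() yield)
    keypath  : directory expected to hold the keystores
    hostname : fallback for an empty listen address (the script uses InetAddress.getLocalHost())
    Returns (plans, problems); an empty problems list means the conventions hold.
    """
    if hostname is None:
        hostname = socket.gethostname()
    plans, problems = [], []
    truststore = os.path.join(keypath, "truststore.jks")
    if not os.path.isfile(truststore):
        problems.append("missing trust store: %s" % truststore)
    used_ports = {}  # (address, port) -> "<server> <role>", to detect collisions
    for srv in servers:
        addr = srv["listenAddress"] or hostname
        identity = os.path.join(keypath, addr + ".jks")
        ssl_port = srv["listenPort"] + SSL_PORT_OFFSET
        plans.append({
            "name": srv["name"],
            "address": addr,
            "identityKeyStore": identity,
            "privateKeyAlias": addr,
            "sslPort": ssl_port,
        })
        if not os.path.isfile(identity):
            problems.append("%s: missing identity keystore %s" % (srv["name"], identity))
        # Both the plain and the SSL port must be unique per listen address
        for port, role in ((srv["listenPort"], "listen"), (ssl_port, "ssl")):
            owner = used_ports.get((addr, port))
            if owner:
                problems.append("%s: %s port %d on %s collides with %s"
                                % (srv["name"], role, port, addr, owner))
            else:
                used_ports[(addr, port)] = "%s %s" % (srv["name"], role)
    return plans, problems


def demo():
    """Constructed inventory; empty placeholder .jks files stand in for real keystores."""
    keypath = tempfile.mkdtemp()
    for fname in ("truststore.jks", "host1.jks"):
        open(os.path.join(keypath, fname), "wb").close()
    servers = [
        {"name": "AdminServer", "listenAddress": "host1", "listenPort": 7001},
        {"name": "ms1", "listenAddress": "host1", "listenPort": 7101},  # 7001 + 100 lands here
        {"name": "ms2", "listenAddress": "host2", "listenPort": 8001},  # no host2.jks prepared
        {"name": "ms3", "listenAddress": "", "listenPort": 9001},      # empty address -> hostname
    ]
    return plan_ssl_config(servers, keypath, hostname="host1")


if __name__ == "__main__":
    plans, problems = demo()
    for p in plans:
        print("%-12s %-6s ssl=%d alias=%s keystore=%s"
              % (p["name"], p["address"], p["sslPort"], p["privateKeyAlias"], p["identityKeyStore"]))
    for msg in problems:
        print("PROBLEM: " + msg)
```

Running the demo reports two problems: ms1's plain listen port 7101 collides with the SSL port the script would assign to AdminServer, and host2.jks is absent for ms2; ms3 resolves to host1 and reuses that keystore and alias, exactly as the hostname fallback in setSSLSettings() would do.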

Hope this helps.


Written by Jacco H. Landlust

July 2, 2012 at 11:20 pm

Posted in security, Weblogic
