Oracle MVA

Tales from a Jack of all trades

storeUserConfig caveats

with 5 comments

While creating a small startup script for nodemanager on my test setup (to prevent me from having to start nodemanager manually all the time) I figured storing the clear text password in the script was a bad practice. Therefore I wanted to use the storeUserConfig command in WLST to store the username and password in a user configuration file and an associated key file.

You would expect that to be not too exciting, but some caveats arose. First you have to connect nodemanager

wls:/offline> nmConnect('nodemanager','Welkom01','wls1.area51.local',5556,'hs_test');
Successfully Connected to Node Manager.

Then you can store the configuration:

wls:/nm/hs_test> storeUserConfig(userConfigFile='/u01/app/oracle/admin/nodemanager/nodemanager.config', userKeyFile='/u01/app/oracle/admin/nodemanager/nodemanager.keyfile');
Currently connected to Node Manager to monitor the domain hs_test.
You will need to be connected to a running WLS or Node Manager to execute this command

mmmm… that was unexpected. Seems you have to pass an extra argument to mention that you are only connected to the nodemanager

storeUserConfig(userConfigFile='/u01/app/oracle/admin/nodemanager/nodemanager.config', userKeyFile='/u01/app/oracle/admin/nodemanager/nodemanager.keyfile',nm='true');
Currently connected to Node Manager to monitor the domain hs_test.
Creating the key file can reduce the security of your system if it is not kept in a secured location after it is created. Do you want to create the key file? y or ny
The username and password that were used for this WebLogic NodeManager connection are stored in /u01/app/oracle/admin/nodemanager/nodemanager.config and /u01/app/oracle/admin/nodemanager/nodemanager.keyfile .

Now that is all cool, next if you should be able to connect to nodemanager without specifying a username and password:

wls:/offline> nmConnect(userConfigFile='/u01/app/oracle/admin/nodemanager/nodemanager.config', userKeyFile='/u01/app/oracle/admin/nodemanager/nodemanager.keyfile', host='wls1.area51.local', port=5556, domainName='hs_test');
Connecting to Node Manager ...
Traceback (innermost last):
File "", line 1, in ?
File "", line 123, in nmConnect
File "", line 648, in raiseWLSTException
WLSTException: Error occured while performing nmConnect : Cannot connect to Node Manager. : Access to domain 'hs_test' for user 'weblogic' denied
Use dumpStack() to view the full stacktrace

Ehhrmm… that sort of sucks. Seems that the username is defaulted to weblogic all of the sudden. Well that sucks, that implies that you cannot use the stored configuration if your username is not weblogic (like in my case). Bummer… (I just hope I am wrong)

Hope this helps.

And thanks to Peter van Nes to learn me how to use the sourcecode setting in wordpress.

Advertisements

Written by Jacco H. Landlust

January 9, 2013 at 1:16 pm

Posted in security, Weblogic

5 Responses

Subscribe to comments with RSS.

  1. Hi Jacco,

    As far as I can see you can connect with the encrypted credentials to the NodeManager that are different than the one used for connecting to the WebLogic domain. I tested this in my environment and connecting to the NodeManager with a different username and password than for the domain works.

    I was also capable of reproducing your error in my environment, I’m not sure if you had the same issue but let’s see.

    First of all I did a fresh start of my wlst session and then executed the nmConnect command like you did with the stored credentials. Connecting to the NodeManager was successfully.

    wls:/offline> nmConnect(userConfigFile=’/u02/user_projects/keys/nm_domain.configFile’,userKeyFile=’/u02/user_projects/keys/nm_domain.keyFile’,domainName=’nm_domain’,host=’wls01′)
    Connecting to Node Manager …
    Successfully Connected to Node Manager.

    Now for the reproduction of your error, in the userConfigFile property I made a type nm_domain1.configFile instead of nm_domain.configFile:

    wls:/nm/nm_domain> nmDisconnect()
    Successfully disconnected from Node Manager.
    wls:/offline> nmConnect(userConfigFile='/u02/user_projects/keys/nm_domain1.configFile',userKeyFile='/u02/user_projects/keys/nm_domain.keyFile',domainName='nm_domain',host='wls01')
    User configuration file was not found.  Check location of the file.
    Defaulting username to weblogic
    Defaulting password to welcome1
    Connecting to Node Manager ...
    Traceback (innermost last):
      File "", line 1, in ?
      File "", line 123, in nmConnect
      File "", line 648, in raiseWLSTException
    WLSTException: Error occured while performing nmConnect : Cannot connect to Node Manager. : Access to domain 'nm_domain' for user 'weblogic' denied 
    Use dumpStack() to view the full stacktrace
    wls:/offline> nmConnect(userConfigFile='/u02/user_projects/keys/nm_domain.configFile',userKeyFile='/u02/user_projects/keys/nm_domain.keyFile',domainName='nm_domain',host='wls01')
    Connecting to Node Manager ...
    Traceback (innermost last):
      File "", line 1, in ?
      File "", line 123, in nmConnect
      File "", line 648, in raiseWLSTException
    WLSTException: Error occured while performing nmConnect : Cannot connect to Node Manager. : Access to domain 'nm_domain' for user 'weblogic' denied 
    Use dumpStack() to view the full stacktrace
    

    As you can see I made a mistake in the location of the userConfigFile. When I correct my mistake with the correct nmConnect command, which proved correct in my earlier session, the nmConnect still fails. In my opinion the nmConnect command doesn’t read the userConfigFile again but still keeps the originally used user from the last command to connect to the NodeManager.

    With a new session the correct nmConnect still shows that a connection to the NodeManager is possible without errors.

    If you have the error I had, the one with the type and before doing the nmConnect again you execute nmDisconnect() a new nmConnect without typos execute correct. So in my opinion a nmDisconnect releases the earlier userName.

    I’m note sure if you had a similar scenario as I had but I expect that Nodemanager is not releasing its username in a failure situation which gives the errors you had.

    B.t.w., if you have doubts about the contents of the encrypted file you can retrieve the contents with some java code.

    Kind regards,

    Oscar

    Oscar Bell

    January 11, 2013 at 8:24 pm

    • Hi Oscar,

      Thanks for your extensive reply. I might have had a typo in my first attempt to connect to the nodemanager with the keys (and not restart the session). Your scenario is reproducible for me.

      Thanks!

      Jacco H. Landlust

      January 12, 2013 at 2:18 pm

      • It will work if you create a user called weblogic as your nodemanager user

        David Rice

        March 13, 2013 at 2:35 pm

  2. Hi Jacco
    A workaround is to set AuthenticationEnabled to false in your nodemanager.properties.
    But of course, it’s a workaround, not a solution

    Kind regards

    Michel

    mnemonic01

    April 16, 2013 at 3:52 pm

  3. Interestingly enough, the nmConnect() string seems to have a 256 char limit. If you exceed this limit, you won’t be able to use nmConnect.

    Btw, the solution above worked, with a non-weblogic NM admin user. Thanks, it’s not even funny how I keep stumbling across this blog and people commenting on it 🙂

    Sandeep S

    April 30, 2014 at 11:54 pm


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: