Generate HTTPS certificate and import into WLS

pass phrase for all above stores: changeit
alias for all above stores: my_cert

Q: How to generate a key pair:
keytool -genkeypair -keystore server_side_https_keystore.releng-china.org -alias my_cert -keyalg RSA

Q: How to generate cert/trust-store for a new test server by its hostname?
– first, generate cert for the new test server
$> keytool -selfcert -v -alias <alias> -keypass <keypass> -keystore <keystore> -storepass <storepass> -storetype <storetype> -validity 36000 -ext san=dns:<hostname>
For example,
$> keytool -selfcert -v -alias my_cert -keypass changeit -keystore server_side_https_keystore.releng-china.org -storepass changeit -storetype jks -validity 36000 -ext san=dns:releng-china.org

– second, export the cert just created into file say, server_side_https_keystore.cer.releng-china.org
$> keytool -exportcert -file server_side_https_keystore.cer.releng-china.org -keystore server_side_https_keystore.releng-china.org -storepass changeit -alias my_cert

– finally, import the cert into trust store trust.jks.releng-china.org (will be automatically created)
$> keytool -import -v -trustcacerts -alias my_cert -file server_side_https_keystore.cer.releng-china.org -keystore trust.jks.releng-china.org -storepass changeit

Import the cert to JRE (for example, C:/program files/Java/jre1.8.0_40/lib/security):
\keystore>keytool -importcert -keystore "C:/program files/Java/jre1.8.0_40/lib/security/cacerts" -file server_side_https_keystore.cer.releng-china.org -alias my_cert
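The keytool steps above folded into one script, as an added example that is not part of the original post. It also performs the checks a practitioner wants before touching WebLogic: the key really is RSA (the cause of the cipher-overlap errors discussed further down), the certificate carries the DNS SAN, and the trust store holds byte-for-byte the certificate that was exported. It goes one step beyond the post by passing -ext san=... to -genkeypair, which puts the SAN on the self-signed certificate directly, so the separate -selfcert step is not needed. It assumes a JDK keytool on PATH; the hostname argument, file names and work directory are placeholders, while the pass phrase (changeit) and alias (my_cert) follow the post.

```shell
#!/bin/bash
# Added example, not from the original post: build the server keystore and a
# separate trust store, then verify the result. Assumptions: keytool (JDK) is on
# PATH; the DNS name argument and the temp directory are placeholders.

STORE_PASS="changeit"   # pass phrase used throughout the post
ALIAS="my_cert"         # alias used throughout the post

# RSA key pair whose self-signed certificate already carries the SAN.
# -keyalg RSA matters: keytool on Java 7/8 defaults to DSA, and browsers offer
# no DSA cipher suites, which shows up as ssl_error_no_cypher_overlap.
gen_keystore() {            # $1 = keystore path, $2 = DNS name
  keytool -genkeypair -keyalg RSA -keysize 2048 -validity 36000 \
    -alias "$ALIAS" -keystore "$1" -storetype JKS \
    -storepass "$STORE_PASS" -keypass "$STORE_PASS" \
    -dname "CN=$2" -ext "san=dns:$2"
}

# Export the certificate only (never the private key) for distribution to clients.
export_cert() {             # $1 = keystore path, $2 = output .cer (PEM)
  keytool -exportcert -rfc -keystore "$1" -storepass "$STORE_PASS" \
    -alias "$ALIAS" -file "$2"
}

# Import into a trust store (created on first import). -noprompt answers the
# "Trust this certificate?" question for a self-signed cert non-interactively.
import_trust() {            # $1 = .cer, $2 = trust store path
  keytool -importcert -noprompt -trustcacerts -keystore "$2" -storetype JKS \
    -storepass "$STORE_PASS" -alias "$ALIAS" -file "$1"
}

# Checks: 1. the key is RSA, 2. the certificate has the expected DNS SAN (so
# hostname verification could stay enabled), 3. the trust store holds exactly
# the certificate that was exported.
verify_setup() {            # $1 = keystore, $2 = trust store, $3 = .cer, $4 = DNS name
  keytool -list -v -keystore "$1" -storepass "$STORE_PASS" -alias "$ALIAS" \
    | grep -q 'withRSA' || { echo "key is not RSA" >&2; return 1; }
  keytool -printcert -file "$3" | grep -q "DNSName: $4" \
    || { echo "SAN $4 missing from certificate" >&2; return 1; }
  keytool -exportcert -rfc -keystore "$2" -storepass "$STORE_PASS" \
    -alias "$ALIAS" -file "$3.from-trust" \
    || { echo "alias $ALIAS not found in trust store" >&2; return 1; }
  cmp -s "$3" "$3.from-trust" || { echo "trust store certificate differs" >&2; return 1; }
  return 0
}

# Runs the whole pipeline in a scratch directory; returns 0 when every check passes.
build_and_verify() {        # $1 = DNS name
  local dns="$1" work
  work="$(mktemp -d)" || return 1
  local ks="$work/server.jks" ts="$work/trust.jks" cer="$work/server.cer"
  gen_keystore "$ks" "$dns" >/dev/null 2>&1 &&
  export_cert "$ks" "$cer" >/dev/null 2>&1 &&
  import_trust "$cer" "$ts" >/dev/null 2>&1 &&
  verify_setup "$ks" "$ts" "$cer" "$dns"
  local rc=$?
  rm -rf "$work"
  return $rc
}

if command -v keytool >/dev/null 2>&1; then
  build_and_verify "${1:-releng-china.org}" && echo "keystore and trust store verified"
else
  echo "keytool not on PATH; nothing run" >&2
fi
```

Run it as bash wls-cert.sh your.host.name; the scratch stores are deleted afterwards, so in real use replace mktemp -d with the directory WebLogic will read the keystore from, and point "Custom Identity Keystore" at server.jks.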

WebLogic configuration
Log in to WLS admin console
Go to Environment -> Servers ->
Go to Configuration -> Keystore tab
Change “Keystores” to “Custom Identity and Java Standard Trust”
Set “Custom Identity Keystore” to the path to mystore.jks
Set “Custom Identity Keystore Type” to “JKS”
Set “Custom Identity Keystore Passphrase” to mystore.jks password
Save
Go to Configuration -> SSL tab
“Private Key Location” should be set to “from Custom Identity Keystore”
Set “Private Key Alias” to “key_localhost”
Set “Private Key Passphrase” to key_localhost password
Go to Configuration -> General tab
Check “SSL Listen Port Enabled” checkbox
Un-check “Listen Port Enabled” checkbox
Save
Go to Configuration -> SSL tab
Click on “Advanced” link to the bottom
Change “Hostname Verification” to “None”
Save
Important: if you have both administrative and managed servers, disable hostname verification on both
Restart WLS
Both administrative and managed instances should be restarted
Sometimes, graceful shutdown doesn’t work, so you need to use “Force Shutdown Now”
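The console steps above expressed as a WLST script, generated from shell the way the change_apps_pwd.sh script further down this page generates its own WLST. This is an added example, not code from the original post or from Oracle: the server name, keystore path, alias, SSL port and pass phrase are placeholders passed in as arguments, the admin password is read from the WLS_ADMIN_PWD environment variable, ADMIN_URL defaults to t3://localhost:7001, and WL_HOME is assumed to point at the WebLogic server home when the script is actually submitted.

```shell
#!/bin/bash
# Added example, not from the original post: write the keystore/SSL settings
# from the console walk-through as a WLST script and submit it.
# Assumptions: WLS_ADMIN_PWD and (for submission) WL_HOME are exported.

ADMIN_USER="weblogic"
ADMIN_URL="${ADMIN_URL:-t3://localhost:7001}"

# Writes the WLST script to $1 for server $2 using keystore $3, key alias $4,
# SSL listen port $5 and keystore/key pass phrase $6.
write_ssl_wlst() {
  local out="$1" server="$2" keystore="$3" alias="$4" sslport="$5" pass="$6"
  umask 077   # the file carries pass phrases: owner-readable only
  cat > "$out" <<EOF
connect('${ADMIN_USER}', '${WLS_ADMIN_PWD:-}', '${ADMIN_URL}')
edit()
startEdit()
cd('/Servers/${server}')
# Keystores tab: Custom Identity and Java Standard Trust
cmo.setKeyStores('CustomIdentityAndJavaStandardTrust')
cmo.setCustomIdentityKeyStoreFileName('${keystore}')
cmo.setCustomIdentityKeyStoreType('JKS')
cmo.setCustomIdentityKeyStorePassPhrase('${pass}')
# General tab: SSL listen port on, plain listen port off
cmo.setListenPortEnabled(false)
cd('/Servers/${server}/SSL/${server}')
cmo.setEnabled(true)
cmo.setListenPort(${sslport})
# SSL tab: private key from the custom identity keystore
cmo.setServerPrivateKeyAlias('${alias}')
cmo.setServerPrivateKeyPassPhrase('${pass}')
# SSL tab, Advanced: Hostname Verification = None, as in the walk-through.
# Only needed while the certificate SAN does not match the name clients use;
# with a matching SAN the verifier can stay on.
cmo.setHostnameVerificationIgnored(true)
cmo.setHostnameVerifier(None)
save()
activate()
EOF
}

# Sanity check before submitting: every attribute the walk-through touches is set.
verify_wlst_script() {      # $1 = script path
  local f="$1" call
  for call in "setKeyStores('CustomIdentityAndJavaStandardTrust')" \
              "setCustomIdentityKeyStoreType('JKS')" \
              "setListenPortEnabled(false)" \
              "setEnabled(true)" \
              "setHostnameVerificationIgnored(true)"; do
    grep -qF "cmo.${call}" "$f" || { echo "missing cmo.${call}" >&2; return 1; }
  done
  return 0
}

# Submits the script with the WLST shipped in weblogic.jar; returns 2 when no
# WebLogic installation is reachable through WL_HOME.
submit_wlst() {             # $1 = script path
  local jar="${WL_HOME:-}/server/lib/weblogic.jar"
  [ -n "${WL_HOME:-}" ] && [ -f "$jar" ] || return 2
  java -cp "$jar" weblogic.WLST "$1"
}

OUT="${1:-configure_ssl.py}"
write_ssl_wlst "$OUT" "${2:-AdminServer}" "${3:-/u01/keystores/mystore.jks}" \
               "${4:-my_cert}" "${5:-7002}" "${6:-changeit}"
verify_wlst_script "$OUT" && echo "WLST script written to $OUT"
submit_wlst "$OUT" || echo "WL_HOME not set or weblogic.jar not found; $OUT not submitted" >&2
```

Usage: export WLS_ADMIN_PWD and WL_HOME, then bash wls-ssl.sh configure_ssl.py AdminServer /path/to/mystore.jks my_cert 7002 changeit; repeat with the managed server name, since the walk-through applies the same settings to both administrative and managed servers. Delete the generated .py afterwards, it holds the pass phrases in clear text.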

Note: you have to use -keyalg RSA while generating the key (keytool on Java 7/8 otherwise defaults to a DSA key, for which browsers offer no cipher suites); without it you run into the following errors:

Firefox:

An error occurred during a connection to 127.0.0.1:7003.
Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)

Chrome:

A secure connection cannot be established because this site uses an unsupported protocol.
Error code: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

http://docs.oracle.com/javase/7/docs/technotes/tools/windows/keytool.html

Scripts to Update WLS DataSource for EBS 12.2.x

On EBS R12.2 the EBS datasource has to be reconfigured whenever the password of the APPS schema is changed. The sequence is:

1. Change system password,

2. Shutdown mid-tier services,

3. Change product schema password,

4. Change applsys password,

5. Startup WLS adadmin console only,

6. Logon WLS console UI to reconfigure its datasource,

7. Startup oacore managed server,

8. Startup all the mid-tier services.


With the help of a WebLogic WLST script, I wrote a shell script to automate this.


#!/bin/bash
# | DESCRIPTION
# | This .sh script will take care of the steps described on xxxx
# | Update the password parameters defined below to meet your requirements before running this script.
# |
# | USAGE
# | sh change_apps_pwd.sh
# |
# | PLATFORM
# | EBS R12.2.X
# |
# | CONTACT
# | luohua.HUANG@gmail.com

# ======================================================================
# Set Parameters
# ======================================================================
printf "Enter your ORACLE_SID (e.g: aux123db): "
read ORACLE_SID

# The passwords below are kept in clear text in this file and are written into
# the generated WLST scripts, so new files are made owner-readable only.
umask 077

APPS_OLD="apps"

APPS_NEW="newapps123"
SYSTEM_NEW="newmanager123"
PRODUCT_NEW="newebs123"

WEBLOGIC_PWD="welcome1"

RUN_FS="/u01/R122_EBS/fs1"
ORACLE_HOME="/u01/R122_EBS/11.2.0"

HOST_NAME=`hostname -a`          # short name used in the EBS env file names
FULL_HOST_NAME=`hostname -f`     # FQDN used in the WLS t3:// URL

WORKING_DIR=`pwd`
LOGFILE="${WORKING_DIR}/change_apps_pwd.log"

# ======================================================================
# Source db tier and update system password
# ======================================================================
source ${ORACLE_HOME}/${ORACLE_SID}_${HOST_NAME}.env
printf "********* Changing SYSTEM password ********* \n";
SYSTEM_OUT=`sqlplus '/as sysdba'<<!
 alter user SYSTEM identified by ${SYSTEM_NEW};
exit
!`
printf "%s\n" "$SYSTEM_OUT" >> $LOGFILE;

# ======================================================================
# Source Apps tier
# ======================================================================
source ${RUN_FS}/EBSapps/appl/APPS${ORACLE_SID}_${HOST_NAME}.env
# WLS admin port, taken from the s_wls_adminport element of the context file
PORT=`grep s_wls_adminport $CONTEXT_FILE | sed "s/.*\">//" | sed "s/<.*//"`

# ======================================================================
# Stop mid-tier services
# ======================================================================
printf "********* Running adstpall ********* \n";
# adstpall.sh prompts for: apps user, apps password, WebLogic admin password
{ echo apps; echo ${APPS_OLD}; echo ${WEBLOGIC_PWD}; } | sh adstpall.sh -nopromptmsg >> $LOGFILE;
while ps -ef | grep -i fndlib | grep -v "grep" > /dev/null
do
 sleep 30
 printf "********* Waiting for mid-tier services to come down ********* \n";
done

# ======================================================================
# Change Product Schema Password
# ======================================================================
printf "********* Changing Product Schema Password ********* \n";
FNDCPASS apps/${APPS_OLD} 0 Y system/${SYSTEM_NEW} ALLORACLE ${PRODUCT_NEW} >> $LOGFILE
STATUS=$?
if [ $STATUS -gt 0 ];then
 # the failing command line is not echoed: it carries the passwords
 printf "********* Failed to run FNDCPASS ALLORACLE, see ${LOGFILE} ********* \n";
 exit 1;
fi

# ======================================================================
# Change APPS Schema Password
# ======================================================================
printf "********* Changing APPS Schema Password ********* \n";
# changing APPLSYS changes the APPS password with it
FNDCPASS apps/${APPS_OLD} 0 Y system/${SYSTEM_NEW} SYSTEM APPLSYS ${APPS_NEW} >> $LOGFILE
STATUS=$?
if [ $STATUS -gt 0 ];then
 printf "********* Failed to run FNDCPASS SYSTEM APPLSYS, see ${LOGFILE} ********* \n";
 exit 1;
fi

# ======================================================================
# Start WLS adadmin console
# ======================================================================
printf "********* Starting WLS adadmin console only ********* \n";
# adadminsrvctl.sh prompts for: WebLogic admin password, then the new apps password
{ echo ${WEBLOGIC_PWD}; echo ${APPS_NEW}; } | sh adadminsrvctl.sh start -nopromptmsg >> $LOGFILE;
STATUS=$?
if [ $STATUS -gt 0 ];then
 printf "********* Failed to startup WLS adadmin console ********* \n";
 exit 1;
fi
sleep 30

# ======================================================================
# Change Datasource password on WLS adadmin console
# ======================================================================
printf "********* Changing Datasource password on WLS adadmin console ********* \n";
rm -f updateDSpwd.py
# WLST (Jython) script; the unquoted here-document expands the shell variables,
# everything else is written literally.
cat > updateDSpwd.py <<EOF
username = 'weblogic'
password = '${WEBLOGIC_PWD}'
URL = 't3://${FULL_HOST_NAME}:${PORT}'
connect(username, password, URL)
edit()
startEdit()
# encrypt the new APPS password with the domain key so it can be stored in config.xml
en = encrypt('${APPS_NEW}', '${FMW_HOME}/user_projects/domains/EBS_domain_${ORACLE_SID}')
dsName = 'EBSDataSource'
cd('/JDBCSystemResources/' + dsName + '/JDBCResource/' + dsName + '/JDBCDriverParams/' + dsName)
set('PasswordEncrypted', en)
save()
activate()
EOF
java -cp $FMW_HOME/wlserver_10.3/server/lib/weblogic.jar weblogic.WLST updateDSpwd.py >> $LOGFILE;
STATUS=$?
rm -f updateDSpwd.py     # holds the new APPS password in clear text
if [ $STATUS -gt 0 ];then
 printf "********* Failed to change Datasource password on WLS adadmin console ********* \n";
 exit 1;
fi

# ======================================================================
# Startup oacore_server1
# ======================================================================
printf "********* Startup-ing oacore_server1 ********* \n";
# admanagedsrvctl.sh prompts for the WebLogic admin password only
{ echo ${WEBLOGIC_PWD}; } | sh admanagedsrvctl.sh start oacore_server1 -nopromptmsg >> $LOGFILE;
STATUS=$?
if [ $STATUS -gt 0 ];then
 printf "********* Failed to startup oacore_server1 ********* \n";
 exit 1;
fi

# ======================================================================
# Startup ALL services
# ======================================================================
printf "********* Startup-ing ALL services ********* \n";
# adstrtal.sh prompts for: apps user, new apps password, WebLogic admin password
{ echo apps; echo ${APPS_NEW}; echo ${WEBLOGIC_PWD}; } | sh adstrtal.sh -nopromptmsg >> $LOGFILE;
STATUS=$?
if [ $STATUS -gt 0 ];then
 printf "********* Failed to startup ALL services ********* \n";
 exit 1;
fi

# ======================================================================
# Connect to WLS console to check the managed servers' status
# ======================================================================
rm -f serverStateAll.py
cat > serverStateAll.py <<EOF
username = 'weblogic'
password = '${WEBLOGIC_PWD}'
URL = 't3://${FULL_HOST_NAME}:${PORT}'

connect(username, password, URL)
domainConfig()
serverList = cmo.getServers()
domainRuntime()
cd('/ServerLifeCycleRuntimes/')

print 'Servers Status on ' + URL
for server in serverList:
    name = server.getName()
    cd(name)
    serverState = cmo.getState()
    if serverState != 'RUNNING':
        print '**** FoundBadServer ****'
        print '***Server: ' + name + '-' + serverState
        break
    print '***Server: ' + name + '-' + serverState
    cd('..')
EOF
wlsstatus=`java -cp $FMW_HOME/wlserver_10.3/server/lib/weblogic.jar weblogic.WLST serverStateAll.py`
rm -f serverStateAll.py
printf "%s\n" "$wlsstatus" >> $LOGFILE;
case "$wlsstatus" in
 *FoundBadServer*)
  printf "********* FOUND managed server(s) NOT in RUNNING status ********* \n";
  exit 1;;
esac
printf "********* ALL services are UP ********* \n";

printf "********* Done! ********* \n";

One sample log:

-bash-3.2$ sh change_apps_pwd.sh
Enter your ORACLE_SID (e.g: aux123db): yourdbid (Luohua: here you need to input sid)
********* Changing SYSTEM password *********
********* Running adstpall *********
********* Waiting for mid-tier services to come down *********
********* Waiting for mid-tier services to come down *********
********* Changing Product Schema Password *********
Log filename : L7595369.log
Report filename : O7595369.out
********* Changing APPS Schema Password *********
Log filename : L7595370.log
Report filename : O7595370.out
********* Starting WLS adadmin console only *********
********* Changing Datasource password on WLS adadmin console *********
********* Startup-ing oacore_server1 *********
*** ALL THE FOLLOWING FILES ARE REQUIRED FOR RESOLVING RUNTIME ERRORS
*** Log File = /u01/R122_EBS/fs1/inst/apps/yourdbid_yourhostname/logs/appl/rgf/TXK/txkChkEBSDependecies_Sat_Apr_5_17_33_44_2014/txkChkEBSDependecies_Sat_Apr_5_17_33_44_2014.log
********* Startup-ing ALL services *********
********* ALL services are UP *********
********* Done! *********
-bash-3.2$