A Few Notes on WebLogic 12c
Published: 2019-06-28


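A note up front: building on the work of those who came before, I went through the whole procedure again myself. Some parts are excerpted summaries and some are copied as-is; for the original articles, see the blue hyperlinks.

  • Installation

About installing WebLogic: previously I installed it with the graphical installer, and after deploying a WebService, visiting the WebService path without the WSDL address showed a TEST option. (Screenshot to be added later.) Later, the project's production environment had no graphical interface, so the only option was a silent installation, and as a result the TEST option was not there. I don't know why, and I had no idea how to even search for this problem.

The same INSTALL_TYPE was selected for both the graphical and the silent installation, so why does this problem occur? I can't figure it out.

Configuration file for the silent installation (

Graphical installation

Since silent installation has come up, a few more words on it. After a silent installation, the following situation may occur when creating Domains.

This is resolved by completing the path in full, using a command like the following: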

java -cp /app/Oracle/Middleware/wlserver/modules/features/*:/app/Oracle/Middleware/wlserver/modules/* weblogic.Server

 

 

 

 

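20161116: I slacked off for a few more days and don't know whether I can finish the update today. I noticed the screenshots were captured too wide, so some of them are not fully displayed; it turns out templates need to keep up with the times too.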

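  • SSL certificates

  • Generating the certificates

The project is about to go live, and a round of third-party testing came along requiring that WebLogic logins use SSL and that the console's default login path be changed. Management was certainly not going to spend money on this, since it is not strictly necessary and only needed to pass the test, so: self-made certificates...

Since I have already tried this on Linux and HP-UX, Ubuntu is used as the example here.

Contents of the openssl.cnf file (the same as in the original article; I only changed some of the prompt text)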

#
# OpenSSL configuration file
#
# Working directory
dir = .

[ ca ]
default_ca = CA_default

[ CA_default ]
serial                          = $dir/serial
database                        = $dir/certindex.txt
new_certs_dir                   = $dir/certs
certificate                     = $dir/cacert.pem
private_key                     = $dir/private/cakey.pem
default_days                    = 365
default_md                      = sha1
preserve                        = no
email_in_dn                     = no
nameopt                         = default_ca
certopt                         = default_ca
policy                          = policy_match

[ policy_match ]
countryName                     = match
stateOrProvinceName             = match
organizationName                = match
organizationalUnitName          = optional
commonName                      = supplied
emailAddress                    = optional

[ req ]
default_bits                    = 2048      # Size of keys
default_keyfile                 = key.pem   # name of generated keys
default_md                      = sha1      # message digest algorithm
string_mask                     = nombstr   # permitted characters
distinguished_name              = req_distinguished_name
req_extensions                  = v3_req

[ req_distinguished_name ]
# Variable name Prompt string
#------------------------- ----------------------------------
0.organizationName              = Organization Name (company)
organizationalUnitName          = Organizational Unit Name (department, division)
emailAddress                    = Email Address
emailAddress_max                = 40
localityName                    = Locality Name (city, district)
stateOrProvinceName             = State or Province Name (full name)
countryName                     = Country Name (2 letter code)
countryName_min                 = 2
countryName_max                 = 2
commonName                      = Common Name (hostname, IP, or your name)
commonName_max                  = 64

# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------ ------------------------------
0.organizationName_default      = ENDLESS
organizationalUnitName_default  = EBILL
emailAddress_default            = admin@endless.com
localityName_default            = Shanghai
stateOrProvinceName_default     = Shanghai
countryName_default             = CN

[ v3_ca ]
basicConstraints                = CA:TRUE
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid:always,issuer:always

[ v3_req ]
basicConstraints                = CA:FALSE
subjectKeyIdentifier            = hash

[ my_v3_ext ]
basicConstraints                = CA:true

[ policy_anything ]
countryName                     = optional
stateOrProvinceName             = optional
localityName                    = optional
organizationName                = optional
organizationalUnitName          = optional
commonName                      = supplied
emailAddress                    = optional

  

openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.cnf

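The prompts here (the part in the red box) are related to the settings in the openssl.cnf file above; those interested can look into it themselves. Remember the password, as it will be needed later.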

 

openssl req -new -nodes -out GCSLevel2CA-req.pem -keyout private/GCSLevel2CA-key.pem -pubkey -days 3650 -config ./openssl.cnf

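Similar to the previous figure, except that the final Common Name must differ from the earlier one; this is the second-level certificate. (endless2CA)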

 

openssl ca -extensions my_v3_ext -out GCSLevel2CA-cert.pem -days 3650 -config ./openssl.cnf -infiles GCSLevel2CA-req.pem

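Confirm the information entered earlier.

Usually the local machine's IP is entered; the original article used a domain name (untested, but it should work). The password (shown as 密码 in the commands below) is the one from the first step. The file name and key can be customized; previously I always copied the original author's, and this time I tried custom file names, but make sure they correspond throughout.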

keytool -genkey -dname "cn=127.0.0.1, ou=WB, o=Endless, c=CN" -keyalg RSA -keysize 2048 -alias wbkey -keypass 密码 -keystore wbkeystore.jks -storepass 密码 -validity 3650
keytool -certreq -alias wbkey -file wbkey-req.pem -keypass 密码 -storetype JKS -keystore wbkeystore.jks -storepass 密码

 

openssl ca -policy policy_anything -keyfile private/GCSLevel2CA-key.pem -cert GCSLevel2CA-cert.pem -days 3650 -config ./openssl.cnf -out wbkey.pem -infiles wbkey-req.pem

 

openssl crl2pkcs7 -nocrl -certfile wbkey.pem -certfile GCSLevel2CA-cert.pem -certfile cacert.pem -outform PEM -out wbkey.p7b
keytool -import -alias wbkey -file wbkey.p7b -keystore wbkeystore.jks

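A small interlude: the mishap after customizing the key

At this point the self-made certificates are done. Check the information entered earlier: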

keytool -list -keystore wbkeystore.jks -storepass 密码 -v
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: wbkey
Creation date: Nov 16, 2016
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=127.0.0.1, OU=WB, O=Endless, C=CN
Issuer: CN=endless2CA, OU=WB, O=Endless, ST=Shanghai, C=CN
Serial number: 100002
Valid from: Wed Nov 16 22:37:32 CST 2016 until: Sat Nov 14 22:37:32 CST 2026
Certificate fingerprints:
     MD5:  70:DB:F8:08:6B:23:B4:56:17:64:EF:04:D4:FF:29:13
     SHA1: 27:12:91:C6:FD:8C:AC:9A:C1:27:8C:25:75:7D:09:8F:19:E9:CD:F4
     SHA256: 03:4C:83:57:58:DF:0B:AF:C7:DC:0E:ED:66:37:83:E9:17:C0:C5:7C:D9:0F:5A:3F:0D:B7:B7:92:FC:F6:58:41
     Signature algorithm name: SHA1withRSA
     Version: 1
Certificate[2]:
Owner: CN=endless2CA, OU=WB, O=Endless, ST=Shanghai, C=CN
Issuer: CN=endlessCA, C=CN, ST=Shanghai, L=Shanghai, EMAILADDRESS=admin@dxinfor.com, OU=WB, O=Endless
Serial number: 100001
Valid from: Wed Nov 16 22:07:05 CST 2016 until: Sat Nov 14 22:07:05 CST 2026
Certificate fingerprints:
     MD5:  9D:39:81:C4:32:31:F0:24:84:E8:58:E5:5D:1A:AF:5F
     SHA1: F8:46:21:A7:69:1C:D6:59:CF:29:FF:1E:BC:89:B8:CF:BD:5E:FC:91
     SHA256: 86:AB:F6:26:D5:B0:06:59:19:BD:C5:CA:49:39:BB:41:E6:32:D2:E4:0D:06:C6:E3:43:5F:17:97:8C:E1:5F:2A
     Signature algorithm name: SHA1withRSA
     Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

Certificate[3]:
Owner: CN=endlessCA, C=CN, ST=Shanghai, L=Shanghai, EMAILADDRESS=admin@dxinfor.com, OU=WB, O=Endless
Issuer: CN=endlessCA, C=CN, ST=Shanghai, L=Shanghai, EMAILADDRESS=admin@dxinfor.com, OU=WB, O=Endless
Serial number: b41ed39f6d4777df
Valid from: Wed Nov 16 21:48:22 CST 2016 until: Sat Nov 14 21:48:22 CST 2026
Certificate fingerprints:
     MD5:  5D:F4:AB:97:C5:88:F9:0B:E1:EE:C7:18:78:2A:2D:46
     SHA1: 8D:C6:8C:4B:13:D6:D3:56:13:A1:C0:5F:37:C8:CE:24:D9:B0:DD:D2
     SHA256: 7C:29:42:17:98:C4:A5:A9:69:C6:9D:04:DD:B8:35:13:1A:EA:4C:45:E0:4C:91:89:D7:7E:A3:2D:92:48:DB:93
     Signature algorithm name: SHA1withRSA
     Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: F9 A4 DE 92 1E CE 4E BD   4D DB 87 E0 C1 EE 54 5E  ......N.M.....T^
0010: FE 0A E5 48                                        ...H
]
[CN=endlessCA, C=CN, ST=Shanghai, L=Shanghai, EMAILADDRESS=admin@dxinfor.com, OU=WB, O=Endless]
SerialNumber: [    b41ed39f 6d4777df]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F9 A4 DE 92 1E CE 4E BD   4D DB 87 E0 C1 EE 54 5E  ......N.M.....T^
0010: FE 0A E5 48                                        ...H
]
]

*******************************************
*******************************************
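As an added example (not part of the original post), the script below reads the text of a keytool -list -v listing and flags chain properties that TLS clients commonly reject: SHA-1 or MD5 signatures on non-root certificates, an X.509 v1 leaf, and issuer/owner mismatches between links. The function names and the embedded sample, abbreviated from the listing above with fingerprints omitted, are assumptions of this example, and it assumes a keystore with a single entry.

```shell
#!/bin/sh
# Added example (not from the original post): audit `keytool -list -v` text.
# Assumes a keystore with a single entry, as in the listing above.

# Constructed sample: the chain from the listing above, fingerprints omitted.
sample_listing() {
cat <<'EOF'
Certificate chain length: 3
Certificate[1]:
Owner: CN=127.0.0.1, OU=WB, O=Endless, C=CN
Issuer: CN=endless2CA, OU=WB, O=Endless, ST=Shanghai, C=CN
     Signature algorithm name: SHA1withRSA
     Version: 1
Certificate[2]:
Owner: CN=endless2CA, OU=WB, O=Endless, ST=Shanghai, C=CN
Issuer: CN=endlessCA, C=CN, ST=Shanghai, L=Shanghai, EMAILADDRESS=admin@dxinfor.com, OU=WB, O=Endless
     Signature algorithm name: SHA1withRSA
     Version: 3
Certificate[3]:
Owner: CN=endlessCA, C=CN, ST=Shanghai, L=Shanghai, EMAILADDRESS=admin@dxinfor.com, OU=WB, O=Endless
Issuer: CN=endlessCA, C=CN, ST=Shanghai, L=Shanghai, EMAILADDRESS=admin@dxinfor.com, OU=WB, O=Endless
     Signature algorithm name: SHA1withRSA
     Version: 3
EOF
}

# Reads a listing on stdin and prints one finding per line (nothing if clean).
audit_keytool_listing() {
  awk '
    /^Certificate\[[0-9]+\]:/   { n++; next }
    /^Owner: /                  { owner[n]  = substr($0, 8) }
    /^Issuer: /                 { issuer[n] = substr($0, 9) }
    /Signature algorithm name:/ { sig[n] = $4 }
    /^[ \t]*Version:/           { ver[n] = $2 }
    END {
      for (i = 1; i <= n; i++) {
        # A self-signed root is a trust anchor; its own signature is not relied on.
        if (issuer[i] != owner[i] && sig[i] ~ /^(SHA1|MD5|MD2)with/)
          printf "cert %d: weak signature %s\n", i, sig[i]
        # X.509 v1 cannot carry extensions, so the leaf has no subjectAltName.
        if (i == 1 && ver[i] + 0 < 3)
          printf "cert 1: X.509 v%s leaf has no extensions (no subjectAltName)\n", ver[i]
        if (i < n && issuer[i] != owner[i + 1])
          printf "cert %d: issuer is not the owner of cert %d\n", i, i + 1
      }
      if (n > 0 && issuer[n] != owner[n]) print "chain does not end in a self-signed root"
    }'
}

sample_listing | audit_keytool_listing
```

Against a real keystore, pipe the output of the keytool -list command shown above into audit_keytool_listing instead of the sample.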

 

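  • Installing the certificate

Log in to WebLogic and select Environment->Servers->myserver.

Select the Keystores tab.

Select 'Custom Identity and Java Standard Trust', click Save, fill in the corresponding information, and click Save again.

Select the SSL tab.

Select the General tab, tick the option to enable the SSL listen port, specify the port, and click Save.

Test in a browser (with IE's default settings access appears to be impossible and a risk warning is shown; SSL and TLS need to be enabled in the advanced settings).

  • Changing the default console access path

Back up your config.xml before making changes (located at ../WebLogic_HOME/user_projects/domains/domain/config/config.xml).

First enable the administrator entry point, then change the console's default access path.

After saving, restart WebLogic and check that the path has changed.

Attached is the freshly generated config.xml.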


 

Reposted from: https://www.cnblogs.com/gossipgirl/p/6063751.html
