Pages

Wednesday, March 7, 2012

Tidy Up WebLogic Server After EPM System Installation

Here are two recommended tasks for WebLogic Server you can perform to make your fresh EPM installation more production-ready:
  • Remove the Demo CA certificate that is installed with WebLogic for development and testing purposes
  • Specify the Listen Address so WebLogic will only bind to the production network interface (instead of all interfaces including backup and management networks which is the default behavior) 
Read on to see how to carry out these changes.


WebLogic Demo CA Certificate

After installing and configuring EPM 11.1.2.x you start the services and check that everything is working correctly. But when inspecting the web application logs (for example HyS9FoundationServices-sysout.log) you will find worrying messages like this:

<Mar 7, 2012 9:04:37 AM EET> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file D:\Oracle\Middleware\jrockit_160_20\jre\lib\security\cacerts.>
<
Mar 7, 2012 9:04:38 AM EET> <Alert> <Security> <BEA-090152> <Demo trusted CA certificate is being used in production mode: [
[...etc...]
] The system is vulnerable to security attacks, since it trusts certificates signed by the demo trusted CA.>

The reason for the message is simple: the Demo Certificate Authority certificate is provided with WebLogic Server for SSL testing purposes but it should not be used on production servers. If you plan to use SSL for server-to-server connections you will need to create a new WebLogic keystore, import the required certificates and configure the server to use the store. But if the EPM web applications will only use HTTP internally it is easiest to get rid of this message just by disabling SSL for all WebLogic servers.

The steps to disable SSL for a given WebLogic Server (and get rid of the certificate warnings):

1. Start the WebLogic Admin Server on the first server where you configured Foundation Services: (example from a Windows box)



2. Log in to the Admin Server using the URL http://servername:7001/console/ and the credentials you specified during Foundation Services configuration.
3. From the left-hand Domain Structure menu select EPMSystem > Environment > Servers:



4. Click the server you want to modify (for example FoundationServices0) and click Lock&Edit to enable changes to be done.
5. Remove the check mark from "SSL Listen Port Enabled":


6. Repeat the same setting for all WebLogic servers listed in the Admin Server (FinancialReporting0, RaFramework0 etc).
7. Save the settings by clicking Activate Changes. The SSL port will be disabled (and the warning message gone) the next time you start the web applications.


WebLogic Listen Address

By default WebLogic will listen to any IP address available on the server. This can clearly be seen from the following log file snippet:

<Mar 7, 2012 9:04:38 AM EET> <Notice> <Server> <BEA-002613> <Channel "Default[3]" is now listening on 0:0:0:0:0:0:0:1:28080 for protocols iiop, t3, CLUSTER-BROADCAST, ldap, snmp, http.>
<
Mar 7, 2012 9:04:38 AM EET> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 172.31.100.11:28080 for protocols iiop, t3, CLUSTER-BROADCAST, ldap, snmp, http.>
<
Mar 7, 2012 9:04:38 AM EET> <Notice> <Server> <BEA-002613> <Channel "Default[1]" is now listening on 10.129.122.39:28080 for protocols iiop, t3, CLUSTER-BROADCAST, ldap, snmp, http.>
<
Mar 7, 2012 9:04:38 AM EET> <Notice> <Server> <BEA-002613> <Channel "Default[2]" is now listening on 127.0.0.1:28080 for protocols iiop, t3, CLUSTER-BROADCAST, ldap, snmp, http.>

WebLogic has picked up all available IP addresses on the server: the primary IP address (172.31.100.11), backup network address (10.129.122.39), localhost (127.0.0.1) and localhost/IPv6 (0:0:0:0:0:0:0:1). In the spirit of Keeping It Simple and also for security purposes it is recommended to restrict WebLogic into listening only to the primary or "production" interface.

Listen Address can be changed on the same Admin Server settings page with the SSL Listen Port described in the first section of this post. In the case of the server from which the log file shown above was taken we would set Listen Address to 172.31.100.11, after which WebLogic Server would only bind to the production network interface which accepts connections from the office network.

Update March 15, 2012: Note that forcing WebLogic Server to use an IPv4 address may introduce problems in case IPv6 is enabled on the server. One potentionally problematic component is the WebLogic module used by OHS (mod_wl) as it seems to default to using IPv6 addresses whenever they are available. So to avoid problems you could either use an IPv6-based Listen Address or use an IPv4 address and make sure that the IPv6 protocol is disabled on the server(s).

No comments :

Post a Comment