WLST Error "General SSLEngine problem" after Nodemanager SSL Configuration

Posted by Dirk Nachbar on Thursday, December 15, 2016
If you have configured your WebLogic Nodemanager with SSL, you may run into the following error when calling nmConnect from WLST.


cd $ORACLE_HOME/oracle_common/common/bin
./wlst.sh

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

wls:/offline> nmConnect('nodemanager', 'welcome1', 'soaserver1', '5556', 'demo_domain' , '/u00/app/oracle/user_projects/domains/demo_domain' , 'ssl')
Connecting to Node Manager ...
<Dec 15, 2016 2:22:30 PM CET> <Info> <Security> <BEA-090905> <Disabling the CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true.> 
<Dec 15, 2016 2:22:30 PM CET> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG128 to HMACDRBG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true.> 
<Dec 15, 2016 2:22:30 PM CET> <Info> <Security> <BEA-090909> <Using the configured custom SSL Hostname Verifier implementation: weblogic.security.utils.SSLWLSHostnameVerifier$NullHostnameVerifier.> 
Traceback (innermost last):
  File "<console>", line 1, in ?
  File "<iostream>", line 111, in nmConnect
  File "<iostream>", line 553, in raiseWLSTException
WLSTException: Error occurred while performing nmConnect : Cannot connect to Node Manager. : General SSLEngine problem 
Use dumpStack() to view the full stacktrace :


My current nodemanager configuration is as follows:

#Node manager properties
#Fri Dec 09 12:04:54 CET 2016
DomainsFile=/u00/app/oracle/user_projects/domains/demo_domain/nodemanager/nodemanager.domains
LogLimit=0
PropertiesVersion=12.2.1.2.0
AuthenticationEnabled=true
NodeManagerHome=/u00/app/oracle/user_projects/domains/demo_domain/nodemanager
JavaHome=/u00/app/oracle/product/jdk1.8.0_101
LogLevel=INFO
DomainsFileEnabled=true
ListenAddress=soaserver1
NativeVersionEnabled=true
ListenPort=5556
LogToStderr=true
weblogic.StartScriptName=startWebLogic.sh
SecureListener=true
LogCount=1
QuitEnabled=false
LogAppend=true
weblogic.StopScriptEnabled=false
StateCheckInterval=500
CrashRecoveryEnabled=false
weblogic.StartScriptEnabled=true
LogFile=/u00/app/oracle/user_projects/domains/demo_domain/nodemanager/nodemanager.log
LogFormatter=weblogic.nodemanager.server.LogFormatter
ListenBacklog=50
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeystoreType=jks
CustomIdentityKeyStoreFileName=/home/soa/keystore/identity.jks
CustomIdentityKeyStorePassPhrase={AES}rQXxLXU2h6IBTrreiBVce3kGEfK8d4uUzsb+WKQqCu8=
CustomIdentityPrivateKeyPassPhrase={AES}M0Wl5V0kcCy27txsYyFzngS2jUoShI92PNlKUWb+JQo=
CustomIdentityAlias=selfsigned
CustomTrustKeystoreType=jks
CustomTrustKeyStoreFileName=/home/soa/keystore/trust.jks
CustomTrustKeyStorePassPhrase=


The solution for connecting to your Nodemanager via WLST is pretty simple: modify $ORACLE_HOME/oracle_common/common/bin/wlst.sh as follows:

#
# Search for the line
#    JVM_ARGS="${WLST_PROPERTIES} ${JVM_D64} ${UTILS_MEM_ARGS} ${CONFIG_JVM_ARGS}"
# and add the JAVA_OPTIONS lines shown below before it.
# Then replace the line
#    eval '"${JAVA_HOME}/bin/java"' ${JVM_ARGS} weblogic.WLST '"$@"'
# with
#    eval '"${JAVA_HOME}/bin/java"' ${JVM_ARGS} ${JAVA_OPTIONS} weblogic.WLST '"$@"'
# as shown below.
#
JAVA_OPTIONS="-Dweblogic.ssl.JSSEEnabled=true ${JAVA_OPTIONS}"
JAVA_OPTIONS="-Dweblogic.security.SSL.enableJSSE=true ${JAVA_OPTIONS}"
JAVA_OPTIONS="-Dweblogic.security.SSL.ignoreHostnameVerification=true ${JAVA_OPTIONS}"
JAVA_OPTIONS="-Dweblogic.security.TrustKeyStore=CustomTrust ${JAVA_OPTIONS}"
JAVA_OPTIONS="-Dweblogic.security.CustomTrustKeyStoreFileName=/home/soa/keystore/trust.jks ${JAVA_OPTIONS}"
JAVA_OPTIONS="-Dweblogic.security.CustomTrustKeyStorePassPhrase=welcome1 ${JAVA_OPTIONS}"
JAVA_OPTIONS="-Dweblogic.security.CustomTrustKeyStoreType=JKS ${JAVA_OPTIONS}"
export JAVA_OPTIONS

JVM_ARGS="${WLST_PROPERTIES} ${JVM_D64} ${UTILS_MEM_ARGS} ${CONFIG_JVM_ARGS}"
if [ -d "${JAVA_HOME}" ]; then
 # eval '"${JAVA_HOME}/bin/java"' ${JVM_ARGS} weblogic.WLST '"$@"'
 eval '"${JAVA_HOME}/bin/java"' ${JVM_ARGS} ${JAVA_OPTIONS} weblogic.WLST '"$@"'
else
 exit 1
fi


After the above modifications you can use WLST to connect to the Nodemanager with the nmConnect command.

cd $ORACLE_HOME/oracle_common/common/bin
./wlst.sh

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

wls:/offline> nmConnect('nodemanager', 'welcome1', 'soaserver1', '5556', 'demo_domain' , '/u00/app/oracle/user_projects/domains/demo_domain' , 'ssl')
Connecting to Node Manager ...
<Dec 15, 2016 2:38:15 PM CET> <Info> <Security> <BEA-090905> <Disabling the CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true.> 

<Dec 15, 2016 2:38:15 PM CET> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG128 to HMACDRBG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true.> 

<Dec 15, 2016 2:38:16 PM CET> <Info> <Security> <BEA-090909> <Using the configured custom SSL Hostname Verifier implementation: weblogic.security.utils.SSLWLSHostnameVerifier$NullHostnameVerifier.>

Successfully Connected to Node Manager.
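
The trust store flags can also be supplied without editing wlst.sh. The following is an added example, not part of the original post: it derives the flags from nodemanager.properties so the WLST client uses the same trust store as the Nodemanager. It assumes wlst.sh keeps an exported WLST_PROPERTIES, as the JVM_ARGS line above suggests; the function names and NM_PROPS are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Flags given as -D arguments show
# up in the process list, so the trust store passphrase is left to the caller.

# prop FILE KEY: print the value of KEY (the last occurrence wins).
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# wlst_trust_props FILE: print the -D flags that point a WLST client at the
# trust store named in the given nodemanager.properties.
wlst_trust_props() {
    mode=$(prop "$1" KeyStores)
    store=$(prop "$1" CustomTrustKeyStoreFileName)
    ktype=$(prop "$1" CustomTrustKeystoreType)
    case "$mode" in
        *CustomTrust) ;;
        *) echo "KeyStores=$mode: no custom trust store configured" >&2
           return 1 ;;
    esac
    case "$store" in
        "")    echo "CustomTrustKeyStoreFileName is not set" >&2; return 1 ;;
        *" "*) echo "path contains a space; wlst.sh word-splits it" >&2; return 1 ;;
    esac
    # The post passes the type in upper case; default to JKS when it is absent.
    ktype=$(printf '%s' "${ktype:-jks}" | tr '[:lower:]' '[:upper:]')
    printf '%s %s %s' \
        "-Dweblogic.security.TrustKeyStore=CustomTrust" \
        "-Dweblogic.security.CustomTrustKeyStoreFileName=$store" \
        "-Dweblogic.security.CustomTrustKeyStoreType=$ktype"
}

# Constructed sample input: the trust-related lines of the post's configuration.
sample_nm_props() {
    cat <<'EOF'
KeyStores=CustomIdentityAndCustomTrust
CustomTrustKeystoreType=jks
CustomTrustKeyStoreFileName=/home/soa/keystore/trust.jks
EOF
}

# Usage (NM_PROPS is a hypothetical variable holding the properties file path):
#   WLST_PROPERTIES="$(wlst_trust_props "$NM_PROPS") ${WLST_PROPERTIES}"
#   export WLST_PROPERTIES && ./wlst.sh
```

The remaining flags from the post (JSSE, hostname verification, passphrase) can be appended to WLST_PROPERTIES in the same way.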