The installed version is WebLogic Server 12.2.1.3.0. During a security vulnerability remediation task I needed to disable the business port, that is, stop exposing the business listen port externally.
The procedure is as follows:
Log in to the console, find the server instance, click "Lock & Edit", tick "Enable Administration Port" (the administration port defaults to 9002; I changed it to 9001 here).
Then save and activate the changes.
But after doing this, the server log showed a startup error. The log output was:
]. The system is vulnerable to security attacks, since it trusts certificates signed by the demo trusted CA.>
<2019-5-14 上午09時38分54,400秒 CST> <Alert> <Security> <BEA-090165> <Cannot find identity keystore file /picclife/weblogic/user_projects/domains/domain7100/security/DemoIdentity.jks on server AdminServer>
<2019-5-14 上午09時38分54,401秒 CST> <Error> <WebLogicServer> <BEA-000297> <Inconsistent security configuration, weblogic.management.configuration.ConfigurationException: Cannot find identity keystore file /picclife/weblogic/user_projects/domains/domain7100/security/DemoIdentity.jks on server AdminServer>
<2019-5-14 上午09時38分54,401秒 CST> <Emergency> <Security> <BEA-090034> <Not listening for SSL, weblogic.management.configuration.ConfigurationException: Cannot find identity keystore file /picclife/weblogic/user_projects/domains/domain7100/security/DemoIdentity.jks on server AdminServer.>
<2019-5-14 上午09時38分54,403秒 CST> <Error> <Server> <BEA-002625> <An attempt to configure channel "DefaultAdministration[admin]" failed because of weblogic.server.ServiceFailureException:
There are 1 nested errors:
java.io.IOException: [Server:002664]Failed to start Admin Channel DefaultAdministration[admin].
    at weblogic.server.channels.ServerSocketManager.createAndBindServerSockets(ServerSocketManager.java:132)
    at weblogic.server.channels.ServerSocketManager.createAndBindAllServerSockets(ServerSocketManager.java:89)
    at weblogic.server.channels.AdminPortService.createAndBindServerSockets(AdminPortService.java:108)
    at weblogic.server.channels.EnableAdminListenersService.start(EnableAdminListenersService.java:60)
    at weblogic.server.channels.ChannelService.startDefaultAdminChannel(ChannelService.java:1513)
    at weblogic.server.channels.ChannelService.activateUpdate(ChannelService.java:1939)
    at weblogic.descriptor.internal.DescriptorImpl$Update.activate(DescriptorImpl.java:688)
    at weblogic.descriptor.internal.DescriptorImpl.activateUpdate(DescriptorImpl.java:346)
    at weblogic.management.provider.internal.RuntimeAccessDeploymentReceiverService.activateUpdate(RuntimeAccessDeploymentReceiverService.java:2132)
    at weblogic.management.provider.internal.RuntimeAccessDeploymentReceiverService.commitCurrentTreeAndSaveRevertDiffs(RuntimeAccessDeploymentReceiverService.java:2051)
    at weblogic.management.provider.internal.RuntimeAccessDeploymentReceiverService.processChanges(RuntimeAccessDeploymentReceiverService.java:639)
    at weblogic.management.provider.internal.RuntimeAccessDeploymentReceiverService.access$000(RuntimeAccessDeploymentReceiverService.java:82)
    at weblogic.management.provider.internal.RuntimeAccessDeploymentReceiverService$2.run(RuntimeAccessDeploymentReceiverService.java:537)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:326)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:137)
    at weblogic.management.provider.internal.RuntimeAccessDeploymentReceiverService.doCommit(RuntimeAccessDeploymentReceiverService.java:532)
    at weblogic.management.provider.internal.RuntimeAccessDeploymentReceiverService.commit(RuntimeAccessDeploymentReceiverService.java:444)
    at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.doCommitCallback(DeploymentReceiverCallbackDeliverer.java:217)
    at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.commit(DeploymentReceiverCallbackDeliverer.java:65)
    at weblogic.deploy.service.internal.statemachines.targetserver.AwaitingCommit.callDeploymentReceivers(AwaitingCommit.java:267)
    at weblogic.deploy.service.internal.statemachines.targetserver.AwaitingCommit.handleCommit(AwaitingCommit.java:121)
    at weblogic.deploy.service.internal.statemachines.targetserver.AwaitingCommit.receivedCommit(AwaitingCommit.java:44)
    at weblogic.deploy.service.internal.transport.CommonMessageReceiver.receiveRequestCommitMsg(CommonMessageReceiver.java:674)
    at weblogic.deploy.service.internal.transport.CommonMessageReceiver$3.run(CommonMessageReceiver.java:1015)
    at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:670)
    at weblogic.invocation.ComponentInvocationContextManager._runAs(ComponentInvocationContextManager.java:352)
    at weblogic.invocation.ComponentInvocationContextManager.runAs(ComponentInvocationContextManager.java:337)
    at weblogic.work.LivePartitionUtility.doRunWorkUnderContext(LivePartitionUtility.java:57)
    at weblogic.work.PartitionUtility.runWorkUnderContext(PartitionUtility.java:41)
    at weblogic.work.SelfTuningWorkManagerImpl.runWorkUnderContext(SelfTuningWorkManagerImpl.java:644)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:415)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:355)
Caused by: java.io.IOException: Cannot find identity keystore file /picclife/weblogic/user_projects/domains/domain7100/security/DemoIdentity.jks on server AdminServer
    at weblogic.server.channels.ServerSocketWrapperJSSE.<init>(ServerSocketWrapperJSSE.java:75)
    at weblogic.server.channels.ServerSocketManager.createServerSocketWrapper(ServerSocketManager.java:184)
    at weblogic.server.channels.ServerSocketManager.createBindAndEnableServerSocket(ServerSocketManager.java:158)
    at weblogic.server.channels.ServerSocketManager.createAndBindServerSockets(ServerSocketManager.java:126)
    ... 31 more
Caused by: weblogic.management.configuration.ConfigurationException: Cannot find identity keystore file /picclife/weblogic/user_projects/domains/domain7100/security/DemoIdentity.jks on server AdminServer
    at weblogic.security.utils.SSLContextManager.fail(SSLContextManager.java:818)
    at weblogic.security.utils.SSLContextManager.getServerSSLIdentity(SSLContextManager.java:743)
    at weblogic.security.utils.SSLContextManager.createSSLContext(SSLContextManager.java:509)
    at weblogic.security.utils.SSLContextManager.getChannelSSLContext(SSLContextManager.java:447)
    at weblogic.security.utils.SSLContextManager.getChannelSSLContext(SSLContextManager.java:433)
    at weblogic.security.utils.SSLContextManager.getSSLEngineFactory(SSLContextManager.java:382)
    at weblogic.server.channels.ServerSocketWrapperJSSE.<init>(ServerSocketWrapperJSSE.java:69)
    ... 34 more
The key error message is this one:
<2019-5-14 上午09時38分54,401秒 CST> <Error> <WebLogicServer> <BEA-000297> <Inconsistent security configuration, weblogic.management.configuration.ConfigurationException: Cannot find identity keystore file /picclife/weblogic/user_projects/domains/domain7100/security/DemoIdentity.jks on server AdminServer>
It says the keystore file DemoIdentity.jks cannot be found. I checked, and it really is not there. On lower WebLogic versions this procedure works without problems.
This time the target was WebLogic Server 12.2.1.3.0, a fairly recent version, and the method no longer works as-is.
At this point the console cannot be reached either. Don't panic, the change can be rolled back: find the instance's configuration file
/picclife/wlserver122/user_projects/domains/domain8001/config/config.xml
delete the following two lines from it, and restart the instance.
<administration-port-enabled>false</administration-port-enabled>
<administration-port>9001</administration-port>
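The administration channel is always SSL, so the activation above can only succeed if the server has a usable identity keystore. The script below is an added example, not part of the original post and not WebLogic's own tooling: it reads a domain config.xml before the change is activated and reports exactly the condition the log shows (default demo keystores with no DemoIdentity.jks on disk), and rollback_admin_port() performs the same two-line removal described above. It assumes the config.xml element names <key-stores> and <custom-identity-key-store-file-name> under <server> in the http://xmlns.oracle.com/weblogic/domain namespace, with a missing <key-stores> meaning the default DemoIdentityAndDemoTrust; the two config.xml fragments are constructed for the example.

```python
"""Pre-flight check and rollback for 'Enable Administration Port' on a WebLogic domain.

Added example, not from the original post. Assumption: element names follow the
WebLogic config.xml schema (<key-stores>, <custom-identity-key-store-file-name>
under <server>; <administration-port-enabled>, <administration-port> under <domain>).
"""
import os
import re
import xml.etree.ElementTree as ET

NS = {"d": "http://xmlns.oracle.com/weblogic/domain"}
DEMO_MODE = "DemoIdentityAndDemoTrust"                       # default when <key-stores> is absent
DEMO_IDENTITY = os.path.join("security", "DemoIdentity.jks")  # relative to the domain directory

# The two lines the console writes when the administration port is enabled
ADMIN_PORT_LINE = re.compile(
    r"^\s*<administration-port(-enabled)?>[^<]*</administration-port(-enabled)?>\s*$")

# Constructed config.xml fragments modelled on the post's domain8001 (not real files)
SAMPLE_DEMO = """<?xml version="1.0" encoding="UTF-8"?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>domain8001</name>
  <administration-port-enabled>true</administration-port-enabled>
  <administration-port>9001</administration-port>
  <server>
    <name>AdminServer</name>
    <listen-port>8001</listen-port>
  </server>
</domain>
"""
SAMPLE_CUSTOM = SAMPLE_DEMO.replace(
    "<listen-port>8001</listen-port>",
    "<listen-port>8001</listen-port>\n"
    "    <key-stores>CustomIdentityAndCustomTrust</key-stores>\n"
    "    <custom-identity-key-store-file-name>sslcert/keystore.jks"
    "</custom-identity-key-store-file-name>\n"
    "    <custom-identity-key-store-type>JKS</custom-identity-key-store-type>")


def identity_keystore(config_text, server_name):
    """Return (key_stores_mode, identity_keystore_path) for one <server> element."""
    root = ET.fromstring(config_text)
    for server in root.findall("d:server", NS):
        if server.findtext("d:name", namespaces=NS) == server_name:
            mode = server.findtext("d:key-stores", default=DEMO_MODE, namespaces=NS)
            path = server.findtext("d:custom-identity-key-store-file-name", namespaces=NS)
            return mode.strip(), path
    raise ValueError(f"server {server_name!r} not found in config.xml")


def admin_port_enabled(config_text):
    """Whether the domain currently has the administration port switched on."""
    root = ET.fromstring(config_text)
    value = root.findtext("d:administration-port-enabled", default="false", namespaces=NS)
    return value.strip() == "true"


def preflight(config_text, domain_dir, server_name, exists=os.path.exists):
    """Problems that would make activation fail, or leave the admin channel on demo certs.

    `exists` is injectable so the check can run against a config.xml copied off the host."""
    problems = []
    mode, path = identity_keystore(config_text, server_name)
    if mode == DEMO_MODE:
        path = DEMO_IDENTITY
        problems.append("key-stores is DemoIdentityAndDemoTrust: the admin channel would trust "
                        "the demo CA; configure custom identity and trust keystores first")
    elif not path:
        problems.append(f"key-stores is {mode} but no custom identity keystore file is set")
        return problems
    full = path if os.path.isabs(path) else os.path.join(domain_dir, path)
    if not exists(full):
        problems.append(f"identity keystore not found: {full}")
    return problems


def rollback_admin_port(config_text):
    """Undo the change by dropping the two elements, as the post does with an editor."""
    lines = config_text.splitlines(keepends=True)
    return "".join(line for line in lines if not ADMIN_PORT_LINE.match(line))


if __name__ == "__main__":
    domain = "/picclife/wlserver122/user_projects/domains/domain8001"
    for problem in preflight(SAMPLE_DEMO, domain, "AdminServer"):
        print("BLOCK:", problem)
```

Run preflight() against the real config.xml and domain directory before clicking "Activate Changes"; an empty list means the identity keystore the server will use actually exists. The rollback helper only removes the two administration-port elements and leaves everything else in the file byte-for-byte intact, which is what you want when editing a live domain configuration.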
-----------------------------------------------------------------------------------
After a lot of tinkering I found that a CA key pair has to be configured first. The method is as follows:
1. First log in to the host running our application instance. My instance path is
[weblogic@zhanglw-a domain8001]$ pwd
/picclife/wlserver122/user_projects/domains/domain8001
Under this path, create a folder to hold the key files we are about to generate.
[weblogic@zhanglw-a domain8001]$ mkdir sslcert
Once created, enter that directory
[weblogic@zhanglw-a domain8001]$ cd sslcert/
[weblogic@zhanglw-a sslcert]$
2. Generate the keys
---First run
keytool -genkey -alias group_jianyishu -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "CN=`hostname`,OU=Picclife,O=IT,L=chuanjing,S=beijinghaidian,C=China" -keypass zhanglw1986 -keystore keystore.jks -storepass zhanglw1986 -validity 3600
You may get this warning:
Warning:
JKS 密鑰庫使用專用格式。建議使用 "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12" 遷移到行業標準格式 PKCS12。
Delete the keystore.jks that was just generated,
then use the form below instead
keytool -genkey -alias my_test -keyalg RSA -storetype PKCS12 -keysize 2048 -sigalg SHA256withRSA -dname "CN=`hostname`,OU=Picclife,O=IT,L=haidian,S=beijing,C=China" -keypass 112233 -keystore keystore.jks -storepass 112233 -validity 3600
Parameter explanation:
my_test: the alias; best to choose something meaningful
112233: the password; pick your own and make it reasonably complex
CN=commonName: common name
OU=organizationUnit: organizational unit
O=organizationName: organization name
L=localityName: locality
S=stateName: state or province
C=country: country
---Then run
keytool -selfcert -v -alias my_test -keypass 112233 -keystore keystore.jks -storepass 112233 -storetype jks -validity 3600
---Then run
keytool -export -v -alias my_test -file "`hostname`-rootCA.der" -keystore keystore.jks -storepass 112233
---Then run
keytool -import -v -trustcacerts -alias my_test -file "`hostname`-rootCA.der" -keystore trust.jks -storepass 112233
Enter Y and press Enter.
Key generation is now complete. List the generated files:
[weblogic@zhanglw-a sslcert]$ ll
總用量 12
-rw-r--r--. 1 weblogic bea 2243 5月 14 19:27 keystore.jks
-rw-r--r--. 1 weblogic bea 955 5月 14 19:29 trust.jks
-rw-r--r--. 1 weblogic bea 887 5月 14 19:28 zhanglw-a-rootCA.der
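The four keytool steps above, collected into one script. This is an added example, not the post's own commands, and it differs from the hand-typed sequence in three deliberate ways: the password reaches keytool through the environment (keytool's -storepass:env modifier) rather than on the command line, so it does not land in shell history or in ps output; the store type is PKCS12 throughout and the files are named .p12, so the type entered in the console later matches the file (the sequence above creates the store as PKCS12 but addresses it as jks in the -selfcert step, which recent JDKs tolerate but which is easy to get wrong); and the -selfcert step is dropped because -genkeypair already writes a self-signed certificate. It assumes a JDK keytool on PATH; the alias, DN fields, validity and password are placeholders.

```python
"""Generate the identity and trust keystores for the WebLogic admin channel.

Added example (not the post's commands). Passwords go to keytool through the
environment (-storepass:env), the store type is PKCS12 throughout, and the
redundant -selfcert step is omitted. Assumes a JDK keytool on PATH.
"""
import getpass
import os
import shutil
import socket
import subprocess
import tempfile


def build_dn(host, ou="Picclife", o="IT", l="haidian", st="beijing", c="CN"):
    """Subject DN for the server certificate; OU/O/L/S/C values are placeholders."""
    return f"CN={host},OU={ou},O={o},L={l},S={st},C={c}"


def keytool_available():
    """True when a JDK keytool is on PATH."""
    return shutil.which("keytool") is not None


def make_workdir():
    """Scratch directory for a trial run, playing the role of the post's sslcert folder."""
    return tempfile.mkdtemp(prefix="sslcert-")


def keytool_commands(out_dir, alias, host, validity_days=3600):
    """The keytool invocations as argv lists.

    No password appears in argv: keytool reads it from the STOREPASS environment
    variable. validity_days keeps the post's 3600 (about ten years); a shorter
    lifetime with a rotation schedule is the better default."""
    identity = os.path.join(out_dir, "keystore.p12")
    trust = os.path.join(out_dir, "trust.p12")
    cert = os.path.join(out_dir, f"{host}-rootCA.der")
    return [
        # 1. key pair plus self-signed certificate in a PKCS12 identity store
        ["keytool", "-genkeypair", "-alias", alias, "-keyalg", "RSA", "-keysize", "2048",
         "-sigalg", "SHA256withRSA", "-dname", build_dn(host), "-validity", str(validity_days),
         "-storetype", "PKCS12", "-keystore", identity, "-storepass:env", "STOREPASS"],
        # 2. export the certificate (DER) ...
        ["keytool", "-exportcert", "-alias", alias, "-file", cert,
         "-keystore", identity, "-storepass:env", "STOREPASS"],
        # 3. ... and import it into a separate trust store; -noprompt replaces the post's "Y"
        ["keytool", "-importcert", "-noprompt", "-alias", alias, "-file", cert,
         "-storetype", "PKCS12", "-keystore", trust, "-storepass:env", "STOREPASS"],
    ]


def gen_keystores(out_dir, alias, host, storepass):
    """Create keystore.p12, <host>-rootCA.der and trust.p12 in out_dir.

    Returns the number of PrivateKeyEntry rows 'keytool -list' reports for the
    identity store; it must be 1 for the console's Private Key Alias to resolve."""
    if not keytool_available():
        raise RuntimeError("keytool not found on PATH")
    if len(storepass) < 12:
        raise ValueError("store password too short; use at least 12 characters")
    os.makedirs(out_dir, exist_ok=True)
    env = dict(os.environ, STOREPASS=storepass)
    for argv in keytool_commands(out_dir, alias, host):
        subprocess.run(argv, env=env, check=True, stdout=subprocess.DEVNULL)
    listing = subprocess.run(
        ["keytool", "-list", "-keystore", os.path.join(out_dir, "keystore.p12"),
         "-storetype", "PKCS12", "-storepass:env", "STOREPASS"],
        env=env, check=True, capture_output=True, text=True,
    ).stdout
    return listing.count("PrivateKeyEntry")


if __name__ == "__main__":
    pw = getpass.getpass("keystore password: ")
    entries = gen_keystores("sslcert", "my_test", socket.gethostname(), pw)
    print(f"identity store holds {entries} private key entry/entries")
```

With the files produced this way, the console values in step 3 become Custom Identity Keystore sslcert/keystore.p12 with type PKCS12, Custom Trust Keystore sslcert/trust.p12 with type PKCS12, and Private Key Alias my_test; keep the store and private-key passphrases identical, since PKCS12 stores do not support different ones.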
3. Log in to the WebLogic console
3.1> First configure the keystores
Click "Environment - Servers - AdminServer(admin) - Configuration - Keystores", then click "Lock & Edit". The items to change are shown below.
The values are:
Keystore configuration
Keystores: Custom Identity and Custom Trust
----Identity
Custom Identity Keystore: /picclife/wlserver122/user_projects/domains/domain8001/sslcert/keystore.jks
Custom Identity Keystore Type: JKS
Custom Identity Keystore Passphrase: 112233
Confirm Custom Identity Keystore Passphrase: 112233
----Trust
Custom Trust Keystore: /picclife/wlserver122/user_projects/domains/domain8001/sslcert/trust.jks
Custom Trust Keystore Type: JKS
Custom Trust Keystore Passphrase: 112233
Confirm Custom Trust Keystore Passphrase: 112233
3.2> After finishing the changes on the Keystores tab, click "Save", then open the "SSL" tab and edit the following:
The values are:
Private Key Alias: my_test
Private Key Passphrase: 112233
Confirm Private Key Passphrase: 112233
Click "Save", and finally click "Activate Changes" in the top-left corner of the console. The console configuration is now complete.
4. Try again: enable the administration port
Log in to the console, find the server instance, click "Lock & Edit", tick "Enable Administration Port" (the administration port defaults to 9002; I changed it to 9001 here).
Then save and activate the changes.
Verification:
http://192.168.129.136:8001/console/login/LoginForm.jsp
This address can no longer be reached.
The console now has to be accessed through the administration address https://192.168.129.136:9001/console/login/LoginForm.jsp