Extending WLS Plugin to Support t3s Connections to Admin Server

| June 29, 2015 | 0 Comments

Recently, I had the opportunity to visit a client with a significant WebLogic installation.  This customer has specific security interests.  Part of their interest in security requires that all connections to the WebLogic server (including wlst command line tools) should use SSL.  By default WebLogic wlst does not use SSL.  In order to get wlst to work cleanly via T3S needs to have a keystore that trusts the certificate from the server.  Furthermore, the client did not want to modify anything in the WebLogic install.  WebLogic does provide for some customizations in wlst at start up by defining templates.  We need to make sure there is a keystore so that wlst can find the server certificate and to know if hostname verification should be used.  I have created a little customization that you can use to easily enable T3S communication in wlst to talk to your WebLogic servers.


We can override the default behavior of the WebLogic plugin for the wls.Domain CI by changing the hidden property for the customWlstTemplatePath.   This will create a custom wlst template where we can set some custom properties.  To set this up we first need to modify the synthetic.xml file in the ext directory by adding the following:

<type-modification type="wls.Domain">
	<property name="customWlstTemplatePath" required="false" hidden="true" 
	<property name="libraryScripts" kind="list_of_string" required="false" 
        <property name="wlstProperties" kind="list_of_string" inspectionProperty="true" 
                           weblogic.security.SSL.enforceConstraints=off" />

When we do discovery on a WebLogic domain, we will be offered a default list of properties that will help make the T3S connection.

Screen Shot 2015-06-01 at 4.32.09 PM

Notice at the bottom of the properties page we now have a list of wlst Properties.  These Java system properties will be loaded into wlst before it connects to the WebLogic server.  These properties are set in the synthetic.xml file and will be saved in the wls.Domain after the discovery.

We can create a template script for wlst in the ext directory wlst/templates/wlst.sh.ftl.  We have one freemarker script added here.  We can define a Unix shell script and an Windows batch script here.  In our example, we will add a Unix shell script wlst/templates/wlst.sh.ftl.

<#assign hostForUrl=container.host.address?string>
<#if container.hostname?has_content>
	<#assign hostForUrl=container.hostname>
<#assign adminUrl = container.protocol + "://" + hostForUrl + ":" + container.port>

<#list container.wlstProperties as prop>
    key=$(echo ${prop} | cut -f1 -d=)
    val=$(echo ${prop} | cut -f2 -d=)
    echo "${r"${key}"} = ${r"${val}"}" 
    echo "${r"${key}"}=${r"${val}"}" >> /tmp/wlst.properties
echo "======================================="

export DEPLOYIT_WLST_PASSWORD=${container.password}
${container.getWlstPath()} -i ${script} ${container.username} ${adminUrl}
if [ $res != 0 ] ; then
	exit $res
rm /tmp/wlst.properties

This little template script will create an property file from the properties that were set in the previous screen.  That property file can then be loaded up by one of the library scripts (i.e. wlst/runtime/connect.py).  The connect.py script is as follows:

import os
import java.lang.System as System
import java.io.FileInputStream as FileInputStream
import java.util.Properties as Properties


if( os.path.isfile( propFile ) ):
   propFile = FileInputStream("/tmp/wlst.properties")
   prop = System.getProperties()
   prop.load( propFile )
   System.setProperties( prop )
#End if

def connectToAdminServer():
    script = sys.argv.pop(0)
    user = sys.argv.pop(0)
    url = sys.argv.pop(0)
    password = os.getenv('DEPLOYIT_WLST_PASSWORD')
    print "Connecting to WebLogic %s as user %s" %(url, user)
    connect(user, password, url)

This library script will get loaded every time we start wlst from XL Deploy.  This library script picks up the properties that enable the SSL connection.

In addition to showing you how you can configure wlst to be able to connect using t3s, you could also use this blog as an example of how you can configure XL Deploy, to use meaningful default values when you are configuring new WebLogic containers.

Rick Broker

About the Author ()

Rick is a Sales Engineer for XebiaLabs based in Columbus, Ohio. He has worked as a software developer and as a system administrator for Unix systems and middleware components including Websphere and Weblogic.