I was recently working with a client, to help them configure OTM to match up with a SOX audit. In particular, the audit found that the WebLogic "system" user's password was clearly identified within the process arguments. This is the super-user for WebLogic and can easily compromise OTM. For instance, if you ran "ps -ef", you'd see the following:
glog 1886 1328 0 Sep 26 - 435:35 /opt/gc3/jdk/bin/java -Xms2000m -Xmx2000m -verbose:gc -Xnoclassgc -Dglog.home=/opt/gc3/glog/config -Duser.home=/opt/gc3/glog/config -Djava.io.tmpdir=/opt/gc3/temp -Djava.awt.headless=true -Dlogin.configuration.provider=com.sun.security.auth.login.ConfigFile -Djava.security.auth.login.config=/opt/gc3/glog/config/gc3_jaas.config -Dweblogic.Name=gc3-app -Dbea.home=/opt/bea -Dweblogic.home=/opt/bea/weblogic81/server -Dweblogic.management.username=system -Dweblogic.management.password=changeme -Dweblogic.ProductionModeEnabled=true -Dweblogic.management.discover=false -Djava.security.policy=/opt/bea/weblogic81/server/lib/weblogic.policy -Dwrapper.key=Hi8VUDX3i -Dwrapper.port=32000 -Dwrapper.use_system_time=TRUE -Dwrapper.version=3.1.2 -Dwrapper.native_library=wrapper -Dwrapper.service=TRUE -Dwrapper.cpu.timeout=10 -Dwrapper.jvmid=1 org.tanukisoftware.wrapper.WrapperStartStopApp weblogic.Server 1 start weblogic.Admin true 7 -url t3://gc3.company.com:7001 -username system -password changeme shutdown
The passwords are identified above in the arguments "-Dweblogic.management.password=changeme" and "-password changeme".
In order to resolve this, we had to go through a 2 step process. First, edit the <otm_home>/weblogic/config/gc3domain/weblogic.conf file and append the following argument to the "Java Additional Parameters" section. This will store the WebLogic username and password into the boot.properties file, in an encrypted form. Note: Replace "XX" with the next consecutive number, based on your list of arguments.
Code:
wrapper.java.additional.XX=-Dweblogic.system.StoreBootIdentity=true
Now restart WebLogic and ensure that the boot.properties file is created in your <otm_home>/weblogic/config/gc3domain directory.
Next, edit your weblogic.conf file again and remove the following lines from the "Java Additional Parameters" section:
Note: Whenever removing or adding lines to these sections, ensure that you renumber the remaining lines, so that they are in consecutive numerical order. Without doing this, your WebLogic instance may not start up correctly.
Code:
wrapper.java.additional.20=-Dweblogic.management.username=system
wrapper.java.additional.21=-Dweblogic.management.password=%WL_PW%
Next, remove the following lines from the "Application Parameters..." section. Again, remember to renumber the remaining lines accordingly.
Code:
wrapper.app.parameter.9=-username
wrapper.app.parameter.10=system
wrapper.app.parameter.11=-password
wrapper.app.parameter.12=%WL_PW%
Finally, in the same section, update the value of the line below from "7" to "3":
Change:
Code:
wrapper.app.parameter.6=7
To:
Code:
wrapper.app.parameter.6=3
Finally, restart OTM one last time and make sure everything starts up. If it doesn't, for some reason, just restore the original weblogic.conf file and try again.
Now, if you run "ps -ef", you'll see the following:
glog 9886 4328 0 Sep 26 - 435:35 /opt/gc3/jdk/bin/java -Xms2000m -Xmx2000m -verbose:gc -Xnoclassgc -Dglog.home=/opt/gc3/glog/config -Duser.home=/opt/gc3/glog/config -Djava.io.tmpdir=/opt/gc3/temp -Djava.awt.headless=true -Dlogin.configuration.provider=com.sun.security.auth.login.ConfigFile -Djava.security.auth.login.config=/opt/gc3/glog/config/gc3_jaas.config -Dweblogic.Name=gc3-app -Dbea.home=/opt/bea -Dweblogic.home=/opt/bea/weblogic81/server -Dweblogic.ProductionModeEnabled=true -Dweblogic.management.discover=false -Djava.security.policy=/opt/bea/weblogic81/server/lib/weblogic.policy -Dwrapper.key=Hi8VUDX3i -Dwrapper.port=32000 -Dwrapper.use_system_time=TRUE -Dwrapper.version=3.1.2 -Dwrapper.native_library=wrapper -Dwrapper.service=TRUE -Dwrapper.cpu.timeout=10 -Dwrapper.jvmid=1 org.tanukisoftware.wrapper.WrapperStartStopApp weblogic.Server 1 start weblogic.Admin true 7 -url t3://gc3.company.com:7001 shutdown
As a reference, much of this info was pulled from BEA's Doc site at:
http://edocs.bea.com/wls/docs81/Cons...startstop.html
Thanks,
Chris
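As an added example (not code from Chris's post, OTM or BEA), here is a small Python helper that applies the two weblogic.conf edits described above and does the renumbering the post warns about, plus an audit check that scans "ps -ef" output for argument fragments that still carry the WebLogic identity. It assumes the Tanuki WrapperStartStopApp argument layout implied by the post's command line (start class, start-argument count, start arguments, stop class, wait flag, stop-argument count, stop arguments), which is why the count at app.parameter.6 drops from 7 to 3 once the four credential entries are gone. The conf excerpt and the ps rows are constructed sample data in the post's format.

```python
import re
from typing import Dict, List

JAVA, APP = "wrapper.java.additional", "wrapper.app.parameter"
STORE_FLAG = "-Dweblogic.system.StoreBootIdentity=true"
CRED_PROPS = ("-Dweblogic.management.username=", "-Dweblogic.management.password=")
CRED_SWITCHES = ("-username", "-password")
FAMILY_RE = re.compile(r"^(wrapper\.java\.additional|wrapper\.app\.parameter)\.(\d+)=(.*)$")

def parse_conf(text: str):
    """Split weblogic.conf into verbatim lines plus the two numbered families,
    each sorted by N, so the families can be edited and renumbered 1..k."""
    layout, numbered = [], {}          # layout holds ("raw", line) or ("fam", family)
    for line in text.splitlines():
        m = FAMILY_RE.match(line)
        if not m:
            layout.append(("raw", line))
            continue
        fam, n, value = m.group(1), int(m.group(2)), m.group(3)
        if fam not in numbered:
            numbered[fam] = []
            layout.append(("fam", fam))  # family is written back where it first appeared
        numbered[fam].append((n, value))
    return layout, {f: [v for _, v in sorted(e)] for f, e in numbered.items()}

def render_conf(layout, families) -> str:
    """Write the file back with every family numbered consecutively from 1."""
    out = []
    for kind, payload in layout:
        if kind == "raw":
            out.append(payload)
        else:
            out.extend(f"{payload}.{i}={v}" for i, v in enumerate(families[payload], 1))
    return "\n".join(out) + "\n"

def add_store_boot_identity(text: str) -> str:
    """Step 1: append StoreBootIdentity as the next java.additional.N (restart once after)."""
    layout, families = parse_conf(text)
    if STORE_FLAG not in families[JAVA]:
        families[JAVA].append(STORE_FLAG)
    return render_conf(layout, families)

def remove_credential_args(text: str) -> str:
    """Step 2: drop the credential properties and the -username/-password stop
    arguments, then correct the stop-argument count (app.parameter.6 in the post)."""
    layout, families = parse_conf(text)
    families[JAVA] = [v for v in families[JAVA] if not v.startswith(CRED_PROPS)]
    app = families[APP]
    # Assumed WrapperStartStopApp layout: start class, n, n start args, stop class,
    # wait flag, m, m stop args -> the count m sits at index 4 + n.
    count_idx = 4 + int(app[1]) if len(app) > 1 else len(app)
    if count_idx >= len(app):
        raise ValueError("unexpected Application Parameters layout")
    head, stop_args, kept, i = app[:count_idx], app[count_idx + 1:], [], 0
    while i < len(stop_args):
        if stop_args[i] in CRED_SWITCHES:
            i += 2                          # skip the switch and the value after it
        else:
            kept.append(stop_args[i])
            i += 1
    families[APP] = head + [str(len(kept))] + kept
    return render_conf(layout, families)

SENSITIVE_ARG_RES = [re.compile(r"-Dweblogic\.management\.(?:username|password)=\S*"),
                     re.compile(r"(?<=\s)-(?:username|password)\s+\S+")]

def exposed_credential_args(ps_output: str) -> Dict[str, List[str]]:
    """Audit check: PID -> credential-bearing argv fragments for each `ps -ef` row.
    Only the PID column is used, so a STIME containing a space is harmless."""
    findings: Dict[str, List[str]] = {}
    for line in ps_output.splitlines():
        cols = line.split()
        if len(cols) < 2 or not cols[1].isdigit():
            continue                        # header or malformed row
        hits = sorted((m.start(), m.group(0)) for rx in SENSITIVE_ARG_RES for m in rx.finditer(line))
        if hits:
            findings[cols[1]] = [frag for _, frag in hits]
    return findings

# Constructed excerpt in the shape of the post's weblogic.conf (not the real file).
SAMPLE_CONF = """\
wrapper.java.additional.1=-Dweblogic.Name=gc3-app
wrapper.java.additional.2=-Dweblogic.management.username=system
wrapper.java.additional.3=-Dweblogic.management.password=%WL_PW%
wrapper.app.parameter.1=weblogic.Server
wrapper.app.parameter.2=1
wrapper.app.parameter.3=start
wrapper.app.parameter.4=weblogic.Admin
wrapper.app.parameter.5=true
wrapper.app.parameter.6=7
wrapper.app.parameter.7=-url
wrapper.app.parameter.8=t3://gc3.company.com:7001
wrapper.app.parameter.9=-username
wrapper.app.parameter.10=system
wrapper.app.parameter.11=-password
wrapper.app.parameter.12=%WL_PW%
wrapper.app.parameter.13=shutdown
"""
# Constructed, shortened ps -ef rows in the post's format, before and after the fix.
PS_BEFORE = ("UID PID PPID C STIME TTY TIME CMD\n"
             "glog 1886 1328 0 Sep 26 - 435:35 /opt/gc3/jdk/bin/java -Dweblogic.management.username=system "
             "-Dweblogic.management.password=changeme org.tanukisoftware.wrapper.WrapperStartStopApp "
             "weblogic.Server 1 start weblogic.Admin true 7 -url t3://gc3.company.com:7001 "
             "-username system -password changeme shutdown\n")
PS_AFTER = ("glog 9886 4328 0 Sep 26 - 435:35 /opt/gc3/jdk/bin/java -Dweblogic.system.StoreBootIdentity=true "
            "org.tanukisoftware.wrapper.WrapperStartStopApp weblogic.Server 1 start weblogic.Admin true 3 "
            "-url t3://gc3.company.com:7001 shutdown\n")

if __name__ == "__main__":
    print(remove_credential_args(add_store_boot_identity(SAMPLE_CONF)))
    print("before:", exposed_credential_args(PS_BEFORE))
    print("after:", exposed_credential_args(PS_AFTER))
```

Run step 1, restart WebLogic so boot.properties is written while the credentials are still supplied, then run step 2 on the result; applying step 2 on its own would leave the server with no boot identity at all. The ps check is the thing to rerun after the final restart (and to keep in a periodic audit job), since it flags both the -D properties and the positional -username/-password pairs that the SOX finding was about.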