UPGRADING WEBLOGIC FROM 12.1.2.0 TO 12.2.1 IN DISTRIBUTED SETUP (WEBLOGIC 12c)

THIS IS THE LOOK OF MY CURRENT ENVIRONMENT BEFORE THE UPGRADE.

screen1

ANOTHER LOOK OF MY ENVIRONMENT BEFORE UPGRADE.

  • Admin server and server1 are running on host01
  • server2 is running on host02
  • Both servers are members of cluster1
  • Node Manager is configured on both machines to start/stop managed servers

old_environment_weblogic_before_upgrade

  1. LET’S START THE UPGRADE PROCESS. I HAVE DOWNLOADED AND PLACED THE JAVA 8 AND WEBLOGIC BINARIES UNDER THE /u01/software FOLDER. JAVA 8 IS REQUIRED FOR WEBLOGIC 12.2.

software_folder

  2. LET’S INSTALL JAVA 8 ON BOTH MACHINES. THE NEWLY INSTALLED JAVA IS MARKED IN RED.

java_installation_screen_shot

  3. NOW UPDATE THE NEW JAVA PATH WITH CORRECT VALUE:

export_java

4. NEXT, INSTALL THE WEBLOGIC 12.2 BINARIES IN A NEW MIDDLEWARE HOME. I HAVE CREATED A NEW DIRECTORY STRUCTURE FOR MW_HOME AS FOLLOWS: /u01/app/fmw12.2. PLEASE PICK A DIRECTORY STRUCTURE AS PER YOUR ENVIRONMENT.

new_middleware_home

5. NOW START INSTALLING THE BINARIES IN THE NEW MW_HOME. MAKE SURE X WINDOWS IS CONFIGURED ON BOTH BOXES UNLESS YOU KNOW HOW TO DO A SILENT INSTALL. I HAVE X WINDOWS CONFIGURED, SO THAT IS WHAT I WILL BE USING.

CLICK NEXT HERE

screen1

TAKE DEFAULT AND CLICK NEXT

SCREEN2

 

GIVE THE NEW MW_HOME THAT WAS CREATED AND CLICK NEXT

SCREEN3

LEAVE DEFAULT VALUE AND CLICK NEXT

screen4

I HAVE AN OLD VERSION OF LINUX, SO THE INSTALLER IS WARNING ME THAT “ORACLE SOFTWARE IS CERTIFIED WITH CURRENT OS VERSION.” I WILL IGNORE IT AND CLICK NEXT

screen5

I WILL UNCHECK “I WISH TO RECEIVE SECURITY UPDATE VIA MY ORACLE SUPPORT” AND CLICK NEXT AND THEN CLICK YES

SCREEN6

CLICK INSTALL

SCREEN7

INSTALLATION STARTED

SCREEN8

BINARY INSTALLATION COMPLETED. CLICK FINISH

SCREEN9

NOW GO TO host01, WHERE YOUR DOMAIN AND ADMIN SERVER RESIDE, AND INITIATE THE UPGRADE PROCESS FROM THE NEW HOME THAT WAS JUST CREATED. RUN THE reconfigure.sh SCRIPT FROM MW_HOME/oracle_common/common/bin AS FOLLOWS AND CLICK NEXT

screen10

CLICK NEXT HERE

screen11

CLICK NEXT HERE. PLEASE NOTE THAT THE NEW JAVA VERSION 8 IS SHOWN AS SELECTED

screen12

WE DON’T NEED TO MODIFY ANYTHING.  CLICK NEXT

screen13

THE NEXT PAGE WILL PROVIDE YOU A SUMMARY OF COMPONENTS.  CLICK ON RECONFIGURE

screen15

RECONFIGURATION WIZARD STARTED

screen16

UPGRADE ON host01 COMPLETED.  CLICK NEXT

screen17

YOU WILL SEE THE “END Of Configuration” SCREEN. CLICK FINISH

screen18

NOW, THE CONFIGURATION CHANGES I MADE TO UPGRADE host02 HAVE WORKED FOR ME, SO HERE ARE THE STEPS.

ON THE host02 MACHINE, GO TO DOMAIN_HOME AND MAKE A COPY OF THE EXISTING DOMAIN FOLDER. I HAVE MADE A COPY AND NAMED IT WITH THE OLD DOMAIN VERSION, AS SHOWN BELOW MARKED IN RED: “wlsadmin_12.1.2.0”

screen20

NOW MOVE THE ENTIRE DOMAIN FOLDER FROM THE host01 MACHINE TO host02 AS SHOWN BELOW

moving_domain

ONCE THE WHOLE DIRECTORY HAS BEEN COPIED TO THE host02 MACHINE, GO TO THE DOMAIN_HOME/NODEMANAGER FOLDER, EDIT THE nodemanager.properties FILE AND CHANGE THE HOST NAME ENTRY FROM host01 TO host02.

screen21

SAVE THE CHANGES TO THE nodemanager.properties FILE AND START THE SERVICES. ONCE THE SERVER COMES UP, YOU SHOULD SEE THE NEW VERSION OF WEBLOGIC STATED IN THE ADMIN CONSOLE AS SHOWN BELOW.

AFTER_UPGRADE_SCREEN_SHOT

UPGRADE COMPLETED.

How to view active database connections in Tomcat

  1. Configure remote JMX connectivity for Tomcat by adding these Java options:

-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9999 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false

  2. Start jconsole and connect to the remote Tomcat process.

jconsole connection

3. Go to MBeans -> Datasource -> Application Name -> Your Datasource -> numActive

active database connection
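
The options in step 1 turn off both authentication and TLS for the JMX port, so anyone who can reach port 9999 can connect to the Tomcat JVM's management interface. The script below is an added example, not part of the original post: it flags those settings in an options string and shows a constructed hardened variant; the finding labels, file paths and bind address are assumptions.

```shell
#!/bin/sh
# Added example: audit a JVM options string for risky remote-JMX settings.

# jmx_findings OPTS -> one finding per line; no output when nothing is flagged.
jmx_findings() {
    opts=" $1 "
    # The agent only listens remotely when a port is configured.
    case "$opts" in
        *" -Dcom.sun.management.jmxremote.port="*) ;;
        *) return 0 ;;
    esac
    # Both settings default to true; only an explicit "false" disables them.
    case "$opts" in
        *" -Dcom.sun.management.jmxremote.authenticate=false "*) echo NO_AUTH ;;
    esac
    case "$opts" in
        *" -Dcom.sun.management.jmxremote.ssl=false "*) echo NO_TLS ;;
    esac
    # Without a bind address the agent listens on every interface
    # (assumes a JDK that supports the jmxremote.host property).
    case "$opts" in
        *" -Dcom.sun.management.jmxremote.host="*) ;;
        *) echo ALL_INTERFACES ;;
    esac
}

# The options exactly as given in step 1.
PAGE_OPTS="-Dcom.sun.management.jmxremote \
-Dcom.sun.management.jmxremote.port=9999 \
-Dcom.sun.management.jmxremote.authenticate=false \
-Dcom.sun.management.jmxremote.ssl=false"

# Constructed hardened variant; paths and bind address are placeholders.
# ssl=true also needs a keystore (javax.net.ssl.keyStore and its password).
HARDENED_OPTS="-Dcom.sun.management.jmxremote \
-Dcom.sun.management.jmxremote.port=9999 \
-Dcom.sun.management.jmxremote.host=127.0.0.1 \
-Dcom.sun.management.jmxremote.authenticate=true \
-Dcom.sun.management.jmxremote.password.file=/path/to/jmxremote.password \
-Dcom.sun.management.jmxremote.access.file=/path/to/jmxremote.access \
-Dcom.sun.management.jmxremote.ssl=true"

echo "page options:";     jmx_findings "$PAGE_OPTS"
echo "hardened options:"; jmx_findings "$HARDENED_OPTS"
```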

Cannot create PoolableConnectionFactory (IO Error: Connection reset)

Issue while connecting to Database from JAVA program.

Cannot create PoolableConnectionFactory (IO Error: Connection reset)

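This is sometimes an intermittent issue, but it can be easily reproduced by draining the kernel entropy pool on the server. The first command below monitors the available entropy; the second consumes it by reading from /dev/random.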

watch -n 1 cat /proc/sys/kernel/random/entropy_avail

cat /dev/random > random_bits.bin

Once the issue is consistently reproduced, we can add the following JVM option and start the program.

-Djava.security.egd=file:///dev/urandom

This should solve the problem.

If it doesn’t, please feel free to comment here.

Security Vulnerability in your WebApplication (CVE-2017-9805)

Researchers have identified a major security flaw (CVE-2017-9805) in the Apache Struts framework (the Apache Struts REST Plugin) that could allow attackers to inject malicious code, either to steal critical customer data or to cause service disruption, on any server running an application built with the Struts framework and using the popular REST communication plugin.

This vulnerability is designated CVE-2017-9805.

Versions affected:  Versions released since 2008.

Fix:  Upgrade Apache Struts to 2.3.34 or 2.5.13.

https://struts.apache.org/announce.html

Further reading:

https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement

Eliminating Security Vulnerabilities at PORT 22

Issue : There are findings related to security at PORT 22 after Vulnerability Assessment and Penetration Testing (VAPT).

The vulnerabilities are listed below:

1. SSH Weak Algorithms Supported.
2. SSH Server CBC Mode Ciphers Enabled.
3. SSH Weak MAC Algorithms Enabled.
4. SSH Server CBC Mode Ciphers Enabled.

Solution : To address the vulnerabilities, log in as root and follow the steps below.

Step 1 : Go to the directory as below (/etc/ssh).

etcSSH

Step 2 : Edit the sshd_config file as below.

sshdConf1

Remove the weak ciphers arcfour256 and arcfour128 and save the file.

sshdConf2

Step 3 : Re-scan the port for vulnerability and you will find the errors are eliminated now.
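
A check that can be run before and after the edit in step 2, as an added example that is not from the original post: it lists the Ciphers and MACs entries that correspond to the scan findings above (arcfour, CBC mode, MD5 and 96-bit MACs). The sample file and the matching rules are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list weak Ciphers/MACs entries in an sshd_config file.

# weak_ssh_algos FILE -> "directive:algorithm" per weak entry. A directive that
# is absent is reported too, because sshd then uses its built-in defaults.
weak_ssh_algos() {
    awk '
        /^[ \t]*#/ { next }
        {
            key = tolower($1)              # keywords are case-insensitive
            if (key != "ciphers" && key != "macs") next
            seen[key] = 1
            list = $2
            if (list ~ /^-/) next          # "-list" only removes algorithms
            sub(/^[+^]/, "", list)         # "+list" and "^list" add to defaults
            n = split(list, algs, ",")
            for (i = 1; i <= n; i++) {
                a = algs[i]; weak = 0
                if (key == "ciphers" && (a ~ /^arcfour/ || a ~ /-cbc$/ || a ~ /-cbc@/)) weak = 1
                if (key == "macs" && (a ~ /md5/ || a ~ /-96$/ || a ~ /-96-etm@/)) weak = 1
                if (weak) print key ":" a
            }
        }
        END {
            if (!("ciphers" in seen)) print "ciphers:defaults-in-effect"
            if (!("macs" in seen)) print "macs:defaults-in-effect"
        }
    ' "$1"
}

# Constructed sample, not the file from the post.
write_sample_sshd() {
    cat > "$1" <<'EOF'
Port 22
# Ciphers 3des-cbc
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc
MACs hmac-sha2-256,hmac-md5,hmac-sha1-96
EOF
}

sample=$(mktemp)
write_sample_sshd "$sample"
weak_ssh_algos "$sample"
rm -f "$sample"
```

On a live host, sshd -T prints the effective configuration including defaults, and an edited sshd_config only takes effect once sshd is reloaded.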

Cheers..!

Configuring Strong Ciphers on Linux OS

Security Vulnerabilities at IP

Environment Description:

OS – Oracle V 6.6
Weblogic Version – 12.2.1.0

Application Server IP : 192.168.0.132
Port : 8001

Soon after a Nessus scan, the security vulnerabilities below were detected for the above-mentioned IP and port.

1. SSL RC4 Cipher Suites Supported (Bar Mitzvah)
2. SSL 64-bit Block Size Cipher Suites Supported (SWEET32)
3. SSL Medium Strength Cipher Suites Supported
4. SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)

This means that the cipher suites in use rely on weak ciphers, and the server needs to be reconfigured with stronger ciphers.

Check the java version and validate the ciphers list.

Java version can be checked as below in terminal :

JavaVersion

Next, check whether the ciphers we will add to the application server configuration are supported by the Java version. The link below contains more details on cipher suites.

http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider

Now to add the ciphers in Oracle WebLogic Application Server follow the below steps.

Step 1 : Go to the config folder (the directory structure may be different for different environments, but the configuration remains the same). For example, my directory structure is as below :

DirectoryWBL

Step 2 : Take a backup of the config.xml file first; it is a very important file that holds all of the application server configuration.

ConfigXMLBackup

Step 3 : Edit config.xml file as below

CiphersConfigXML

Step 4 : Save the config.xml file and restart the server.

Step 5 : Rescan the IP with either nmap or Nessus and you will find the vulnerabilities are eliminated now.

Note : I have added Advanced Encryption Standard (AES) cipher suites with 128-bit and 256-bit encryption; you can add stronger ciphers as per your security requirements.
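
To review which configured suites map to the scan findings listed above, the added example below (not part of the original post) extracts the ciphersuite entries from a config.xml and labels each one by its name. The sample config.xml fragment is constructed, and the labels are assumptions of this example.

```shell
#!/bin/sh
# Added example: label JSSE cipher suite names against the scan findings.

# suite_findings NAME -> space-separated labels for one suite, or "ok".
suite_findings() {
    f=""
    case "$1" in *_RC4_*) f="$f RC4" ;; esac                        # Bar Mitzvah
    # 64-bit block ciphers; 3DES is also commonly reported as medium strength.
    case "$1" in *_3DES_*|*_DES_*|*_DES40_*) f="$f SWEET32" ;; esac
    case "$1" in *_EXPORT_*|*_NULL_*|*_anon_*) f="$f WEAK" ;; esac
    # The DH modulus size is not part of the name; it is decided by the JVM
    # (jdk.tls.ephemeralDHKeySize on Java 8 and later), so flag it for review.
    case "$1" in *_DHE_*) f="$f CHECK_DH_SIZE" ;; esac
    [ -n "$f" ] || f=" ok"
    echo "${f# }"
}

# config_suites FILE -> one suite name per <ciphersuite> element.
config_suites() {
    sed -n 's:.*<ciphersuite>\([^<]*\)</ciphersuite>.*:\1:p' "$1"
}

# audit_config FILE -> "SUITE: labels" for every configured suite.
audit_config() {
    config_suites "$1" | while read -r s; do
        echo "$s: $(suite_findings "$s")"
    done
}

# Constructed fragment, not the config.xml from the post.
write_sample_ssl() {
    cat > "$1" <<'EOF'
<ssl>
  <enabled>true</enabled>
  <ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
  <ciphersuite>TLS_RSA_WITH_AES_256_CBC_SHA</ciphersuite>
  <ciphersuite>SSL_RSA_WITH_RC4_128_SHA</ciphersuite>
  <ciphersuite>SSL_RSA_WITH_3DES_EDE_CBC_SHA</ciphersuite>
  <ciphersuite>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
</ssl>
EOF
}

sample=$(mktemp)
write_sample_ssl "$sample"
audit_config "$sample"
rm -f "$sample"
```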

Cheers..!