Background:
After creating a WebLogic 14c (14.1.1.0.0) domain and logging in to the Administration Console, a line of red text appears on the console home page:
Security warnings detected. Click here to view the report and recommended remedies.
Clicking the red link opens the security warnings report page, which lists the following four security-related warnings.
Let's deal with item 2 first. It simply means that the permissions on the security directory and on the boot.properties file are too permissive and need to be tightened to 750 and 640 respectively. The commands are:
-bash-4.2$ pwd
/app/domains/wls14cdomain/servers/AdminServer
-bash-4.2$ ls -l
总用量 0
drwxr-x--- 3 app app 25 6月 9 10:39 cache
drwxr-x--- 5 app app 46 6月 9 10:39 data
drwxr-x--- 3 app app 96 6月 9 10:39 logs
drwxrwxr-x 2 app app 29 6月 9 10:39 security
drwxr-x--- 4 app app 66 6月 9 10:39 tmp
-bash-4.2$ chmod 750 ./security/
-bash-4.2$ ll
总用量 0
drwxr-x--- 3 app app 25 6月 9 10:39 cache
drwxr-x--- 5 app app 46 6月 9 10:39 data
drwxr-x--- 3 app app 96 6月 9 10:39 logs
drwxr-x--- 2 app app 29 6月 9 10:39 security
drwxr-x--- 4 app app 66 6月 9 10:39 tmp
-bash-4.2$ cd security/
-bash-4.2$ chmod 640 boot.properties
-bash-4.2$ ls -l
总用量 4
-rw-r----- 1 app app 156 6月 9 10:39 boot.properties
Next we use a WLST script to make the configuration changes needed for warnings 1, 3 and 4. The script is as follows:
# Imports needed for the Java String array passed to set('ConnectionFilterRules', ...)
import jarray
from java.lang import String

print '|--------------------------------------------------------------------------------------------------------------------|'
print '| Function: This jython scripts is used for disable iiop protocol of wlserver instance in domain created by Wlserver|'
print '| Execute: /weblogic/Oracle/Middleware/Oracle_Home/oracle_common/common/bin/wlst.sh ./disable_iiop_t3_protocol.py |'
print '| Python: 2.7.5 |'
print '| Author: cnskylee@126.com |'
print '| Date: Jun,9th 2023 |'
print '|--------------------------------------------------------------------------------------------------------------------|'
# Console user, password and T3 URL of the AdminServer: adjust to your environment
connect('weblogic','weblogic!123','t3://192.168.223.199:9600')
edit()
startEdit()
print 'disable IIOP protocol of each wlserver.'
servers=cmo.getServers()
for server in servers:
    serverName = server.getName()
    cd('/Servers/'+serverName)
    # Turn IIOP off on every server (non-dynamic: needs a restart) and replace the
    # demo keystores with a custom identity keystore plus the JDK standard trust store
    cmo.setIIOPEnabled(false)
    cmo.setKeyStores('CustomIdentityAndJavaStandardTrust')
save()
print 'Config T3 protocol for current domain settings.'
domainConfig()
edit()
startEdit()
cd('/SecurityConfiguration/wls14cdomain')
# Install the built-in connection filter; rules are "target localAddr localPort action protocols",
# evaluated top down, so the last rule denies T3/T3S from every address not listed above it
cmo.setConnectionFilter('weblogic.security.net.ConnectionFilterImpl')
set('ConnectionFilterRules',jarray.array([String('127.0.0.1'+' * * allow t3 t3s'), String('192.168.223.199'+' * * allow t3 t3s'), String('0.0.0.0/0 * * deny t3 t3s')], String))
save()
print 'Forbid T3/IIOP protocol for anonymous RMI.'
domainConfig()
edit()
startEdit()
cd('/SecurityConfiguration/wls14cdomain')
# Reject anonymous (unauthenticated) remote RMI requests over IIOP and T3
cmo.setRemoteAnonymousRMIIIOPEnabled(false)
cmo.setRemoteAnonymousRMIT3Enabled(false)
save()
activate()
disconnect()
Change the console user name, password and T3 URL in the script above, and change the IP addresses in the T3 connection-filter rules to match your environment.
Then run the .py script with the command shown in the Execute line of the header (note: use the actual local path of wlst.sh!):
-bash-4.2$ /weblogic/Oracle/Middleware/Oracle_Home/oracle_common/common/bin/wlst.sh ./disable_iiop_t3_protocol.py
Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
|--------------------------------------------------------------------------------------------------------------------|
| Function: This jython scripts is used for disable iiop protocol of wlserver instance in domain created by Wlserver|
| Execute: /weblogic/Oracle/Middleware/Oracle_Home/oracle_common/common/bin/wlst.sh ./disable_iiop_t3_protocol.py |
| Python: 2.7.5 |
| Author: cnskylee@126.com |
| Date: May,19th 2023 |
|--------------------------------------------------------------------------------------------------------------------|
Connecting to t3://192.168.223.199:9600 with userid weblogic ...
Successfully connected to Admin Server "AdminServer" that belongs to domain "wls14cdomain".
Warning: An insecure protocol was used to connect to the server.
To ensure on-the-wire security, the SSL port or Admin port should be used instead.
Location changed to edit tree.
This is a writable tree with DomainMBean as the root.
To make changes you will need to start an edit session via startEdit().
For more help, use help('edit').
Starting an edit session ...
Started edit session, be sure to save and activate your changes once you are done.
disable IIOP protocol of each wlserver.
Saving all your changes ...
Saved all your changes successfully.
Config T3 protocol for current domain settings.
Location changed to domainConfig tree. This is a read-only tree
with DomainMBean as the root MBean.
For more help, use help('domainConfig')
You already have an edit session in progress and hence WLST will
continue with your edit session.
Starting an edit session ...
Started edit session, be sure to save and activate your changes once you are done.
Saving all your changes ...
Saved all your changes successfully.
Forbidden Ta/IIOP3 protocol for Anonymous RMI.
You already have an edit session in progress and hence WLST will
continue with your edit session.
Starting an edit session ...
Started edit session, be sure to save and activate your changes once you are done.
Saving all your changes ...
Saved all your changes successfully.
Activating all your changes, this may take a while ...
The edit lock associated with this edit session is released once the activation is completed.
The following non-dynamic attribute(s) have been changed on MBeans
that require server re-start:
MBean Changed : com.bea:Name=appServer1,Type=Server
Attributes changed : IIOPEnabled
MBean Changed : com.bea:Name=appServer2,Type=Server
Attributes changed : IIOPEnabled
MBean Changed : com.bea:Name=AdminServer,Type=Server
Attributes changed : IIOPEnabled
Activation completed
Disconnected from weblogic server: AdminServer
Then restart the AdminServer and log in to the console again: the four warnings are gone.
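To see exactly what the three connection-filter rules from the script permit and block, it helps to model how ConnectionFilterImpl evaluates them. The Python 3 code below is an added example, not part of the original post or of WebLogic itself: it implements the documented first-match, default-allow evaluation for IP and CIDR targets (host-name targets are not modelled) and runs it against the rule strings used in the script, showing that T3/T3S from any address other than the two listed is denied while HTTP is not restricted at all.

```python
import ipaddress

# Constructed sample: the three rules exactly as installed by the WLST script above.
# Syntax: target localAddress localPort action protocols...
RULES = [
    "127.0.0.1 * * allow t3 t3s",
    "192.168.223.199 * * allow t3 t3s",
    "0.0.0.0/0 * * deny t3 t3s",
]

def parse_rule(line):
    """Split one rule into its fields; an empty protocol list means all protocols."""
    fields = line.split()
    if len(fields) < 4 or fields[3] not in ("allow", "deny"):
        raise ValueError("malformed rule: %r" % line)
    target, local_addr, local_port, action = fields[:4]
    protocols = set(p.lower() for p in fields[4:])
    return target, local_addr, local_port, action, protocols

def target_matches(target, remote_ip):
    """Match an IP or CIDR target; a bare IP is treated as a /32 network."""
    net = ipaddress.ip_network(target, strict=False)
    return ipaddress.ip_address(remote_ip) in net

def evaluate(rules, remote_ip, local_addr, local_port, protocol):
    """First matching rule wins; with no match the connection is allowed (WebLogic default)."""
    for line in rules:
        target, l_addr, l_port, action, protocols = parse_rule(line)
        if not target_matches(target, remote_ip):
            continue
        if l_addr != "*" and l_addr != local_addr:
            continue
        if l_port != "*" and int(l_port) != local_port:
            continue
        if protocols and protocol.lower() not in protocols:
            continue
        return action
    return "allow"

def ends_with_catch_all_deny(rules, protocol):
    """Check that the rule set closes with a deny-everything rule for the given protocol."""
    target, _, _, action, protocols = parse_rule(rules[-1])
    return target == "0.0.0.0/0" and action == "deny" and (not protocols or protocol in protocols)

if __name__ == "__main__":
    for ip, proto in [("127.0.0.1", "t3"), ("10.0.0.5", "t3"), ("10.0.0.5", "http")]:
        print(ip, proto, "->", evaluate(RULES, ip, "192.168.223.199", 9600, proto))
```

Because the deny rule names only t3 and t3s, HTTP, HTTPS and the console itself are still reachable from everywhere; add further rules if those protocols should be restricted too.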