Thursday, May 26, 2016

Hacking users in WebLogic

vi $DOMAIN_HOME/security/DefaultAuthenticatorInit.ldift
insert this:

dn: uid=PIPPO,ou=people,ou=@realm@,dc=@domain@
description: Test generated user
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
cn: S107077
sn: S107077
userpassword: {ssha}blablabla
uid: PIPPO
objectclass: wlsUser
wlsMemberOf: cn=Administrators,ou=groups,ou=@realm@,dc=@domain@



PIPPO should then become an administrative user (a member of the Administrators group).

{ssha} passwords (SSHA being a salted variant of SHA-1) can be generated with openssl, as described at http://www.openldap.org/faq/data/cache/347.html, or with Python/WLST.
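As an added example (not code from the post), here is how the value on the userpassword line can be produced and checked in Python, following the OpenLDAP {SSHA} layout the FAQ above describes: base64(sha1(password + salt) + salt). The function names are my own; the parser also lets you confirm that a value found in an existing LDIFT really carries a salt.

```python
import base64
import hashlib
import hmac
import os

DIGEST_LEN = hashlib.sha1().digest_size  # SHA-1 digest is 20 bytes; anything after it is the salt


def ssha_hash(password, salt=None):
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt).

    The salt is stored in clear after the digest so a verifier can recover it.
    A fresh random 8-byte salt is drawn unless one is supplied (useful for tests).
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_parts(stored):
    """Split a stored {SSHA} (or {ssha}) value into (digest, salt) bytes.

    Raises ValueError if the scheme tag is wrong or the payload is too short
    to contain a salt, i.e. the value is unsalted or truncated.
    """
    scheme, sep, payload = stored.partition("}")
    if not sep or scheme.upper() != "{SSHA":
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(payload)
    if len(raw) <= DIGEST_LEN:
        raise ValueError("payload holds no salt: unsalted or truncated value")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def ssha_verify(password, stored):
    """Return True if password matches the stored {SSHA} value (constant-time compare)."""
    digest, salt = ssha_parts(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample password; the printed line is what goes into the LDIFT entry.
    value = ssha_hash("change-me")
    print("userpassword: " + value)
    print("verify ok:", ssha_verify("change-me", value))
```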

Wednesday, May 25, 2016

WebLogic network-access-point

If you need to invoke operations (EJB, WS...) on a specific IP address different from the main listen address / port of WLS, you can create a network-access-point inside config.xml and give it a mnemonic name like "INT-Channel":
   <network-access-point>
      <name>INT-Channel</name>
      <protocol>t3s</protocol>
      <listen-address>1.2.3.4</listen-address>
      <enabled>true</enabled>
      <two-way-ssl-enabled>true</two-way-ssl-enabled>
      <client-certificate-enforced>true</client-certificate-enforced>
    </network-access-point>


and then bind your component to that channel in weblogic-ejb-jar.xml with the clause:
<weblogic-enterprise-bean>
     <network-access-point>INT-Channel</network-access-point>
</weblogic-enterprise-bean>

see https://docs.oracle.com/cd/E11035_01/wls100/ejb/DDreference-ejb-jar.html#network-access-point



Tuesday, May 24, 2016

Apache http-client, customizing SSLSocketFactory

Here is the general documentation on Apache HTTP client: https://hc.apache.org/httpcomponents-client-ga/

https://hc.apache.org/httpcomponents-client-ga/httpclient/apidocs/org/apache/http/conn/scheme/SchemeSocketFactory.html

    HttpContext context...
    // look up the socket factory registered for the target host's scheme (e.g. "https")
    SchemeRegistry registry = getSchemeRegistry(context);
    Scheme schm = registry.getScheme(target.getSchemeName());
    SchemeSocketFactory sf = schm.getSchemeSocketFactory();


This example https://hc.apache.org/httpcomponents-client-ga/httpclient/examples/org/apache/http/examples/client/ClientCustomSSL.java shows

Specifically, it's interesting to look at their default implementation of https://docs.oracle.com/javase/7/docs/api/javax/net/ssl/HostnameVerifier.html, which is org.apache.http.conn.ssl.BrowserCompatHostnameVerifier (it extends org.apache.http.conn.ssl.AbstractVerifier, which implements org.apache.http.conn.ssl.X509HostnameVerifier, which in turn extends javax.net.ssl.HostnameVerifier).

The extra methods added by org.apache.http.conn.ssl.X509HostnameVerifier are:

  public abstract void verify(String host, SSLSocket ssl)
    throws IOException;
  
  public abstract void verify(String host, X509Certificate cert)
    throws SSLException;
  
  public abstract void verify(String host, String[] cns, String[] subjectAlts)
    throws SSLException;

while the basic javax.net.ssl.HostnameVerifier contains only
  public boolean verify(String hostname, SSLSession session)


Remember! javax.net.ssl.SSLSocketFactory is an ABSTRACT class.

For use within WebLogic, see http://docs.oracle.com/cd/E12839_01/core.1111/e10043/ohttps.htm#JISEC2046, but the property HTTPClient.defaultHostnameVerifier doesn't seem to work with Apache HTTPClient.

Another interface also exists: weblogic.security.SSL.HostnameVerifier



No shared spaces configured


Heap
garbage-first heap   total 6291456K, used 1368757K [0x0000000640000000, 0x00000007c0000000, 0x00000007c0000000)
  region size 2048K, 97 young (198656K), 9 survivors (18432K)
compacting perm gen  total 1048576K, used 230859K [0x00000007c0000000, 0x0000000800000000, 0x0000000800000000)
   the space 1048576K,  22% used [0x00000007c0000000, 0x00000007ce172e10, 0x00000007ce173000, 0x0000000800000000)
No shared spaces configured.



This was seen in a JVM started with:
java/jdk170_91-64b/bin/java -XX:-UseBiasedLocking -XX:SurvivorRatio=10 -verbose:gc -XX:+PrintGCTimeStamps -Xms6144m -Xmx6144m -XX:NewSize=256m -XX:MaxNewSize=256m -XX:PermSize=1024m -XX:MaxPermSize=1024m  -XX:+UseG1GC -XX:InitiatingHeapOccupancyPercent=60 


I am not really sure what this "No shared spaces configured" would mean - I could not find any decent documentation on this message. And it doesn't seem to be really an error message, nor something related to G1GC...

Sunday, May 8, 2016

Singleton Timer in WebLogic

If you have a JEE EJB Timer in a Cluster, you may want only one instance to be active. In this case you should implement a Cluster-Aware Singleton Component:
https://blogs.oracle.com/muraliveligeti/entry/ejb_timer_ejb

- create the table WEBLOGIC_TIMERS

- configure a Datasource and set it in "cluster-Scheduling":