WebWerks
Operations Guide
(Authorized User's Operations Guide)
9 November 2009
GM/EDS Confidential
Statement of Confidentiality
This document contains information that is confidential and proprietary to EDS. This information is made
available with the express understanding that it will be held in strict confidence and not disclosed,
duplicated, or used, in whole or in part, without written consent from the EDS Legal department.
Information can only be disclosed, duplicated, or otherwise used in accordance with the nondisclosure
agreement with EDS. Additionally, this information shall be limited to EDS and GM persons having a need
to know.
EDS is a registered mark, and the EDS logo is a trademark, of Electronic Data Systems Corporation. EDS
is an equal opportunity employer and values the diversity of its people. Copyright 2014 Electronic Data
Systems Corporation. All rights reserved.
Product names referred to herein are trademarks of their respective companies. Many of the designations
used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those
designations appear in this document, and the editorial staff was aware of a trademark claim, the
designations have been printed in initial capital letters.
Version 2.0
Change History
This document complies with the requirements of the Content Standard for Operations Guide,
version 2.05, effective 02 Sep 2008. The QMS Web site version of this document is controlled.
All other versions are uncontrolled.
The following Change History table contains a record of changes made to this document:
Published / Revised Date, Version #, Document Owner
05 October 2009, 1.0
09 November 2009, 2.0
SreeLatha Chalasani, HP HS, sreelatha.chalasani@hp.com, 248-364-5819
Same
Created Document
http://ustlsvugq001.amer.corp.eds.com/sites/Applications/PeerReview/Pages/Request.aspx?reqid=81430
04 January 2010, 2.0
19 January 2010, same
Same
Jessica Leja, HP ES HS, jessica.leja@hp.com, 248-754-7767
Contents
Introduction
Architecture Design
Logical Architecture
Related Manuals and Training
Support
Ongoing Support
Optional Configurations
WebLogic OpsWare Signature File
WebLogic Opsware MAPL
Manually Changing the System Password
Using an Automated Script with a Manual Step to Change the System ID Password
Adding a User ID to the Embedded LDAP
Deleting a User ID from the Embedded LDAP
Unlocking a User Account
Change or Remove Oracle Thin Driver from CLASSPATH
Configure Managed Server Instance Memory
Configure the Level of Messages Sent to Standard Out
Configure a Default Web Application
Deploy an Application
Create a Data Source
Update (Redeploy) an Application
Delete (Undeploy) an Application
Start/Stop an Application
Deploy the Sample Application
Using WLST (WebLogic Scripting Tool)
Troubleshooting
Troubleshooting Standards
Troubleshooting Performance
http://download.oracle.com/docs/cd/E13222_01/wls/docs92/perform/topten.html
Vendor recommendations for Resolving Performance Issues
Known Problems
Support
Contacts
Product-Specific Support
Event Monitoring
SiteScope Monitoring
Real Time Monitoring
Migration
Technical
Administrative / Back-End Access
Application Access
Application Testing
Availability and Load Balancing
Domain Administration Server
Clustering Managed Server Instances
JMS
JSP/Servlet Clustering
JDBC Clustering
Patching & Maintenance Pack General Information
Patching
Maintenance Pack Information
Introduction
The purpose of this document is to describe the design for the HP Hosting Services (HP HS) WebLogic Server (WLS) 9.2 build specifically for
HPUX 11.23 Itanium.
The intended audience for this document is system administrators, the Middleware team, engineers, security administrators, and help desk
personnel.
This document is supported by the WebLogic 9.2 Requirements Guide found at
http://admin.gweb.eds.com/gwh/doc/release/wls/wls92/hpux/guides/requirements/EDS_HS_WebLogic_Server_9.2_Requirements_Guidehpux.doc.
This document is supported by the WebLogic 9.2 Design Guide found at
http://admin.gweb.eds.com/gwh/doc/release/wls/wls92/hpux/guides/design/EDS_HS_WebLogic_Server_9.2_Requirements_Guide-hpux.doc
This document is intended for the HPUX 11.23 Itanium operating system. This design and operations guide provides details for installing and
configuring WLS 9.2 on HPUX as per GBD standards; however, if required, this build can also be installed into non-standard
directories that are not mentioned in the GBD. A single directory prefix to the standard installation directory is feasible. Many features, such as
integration with Sun Web Server using the WebLogic plugin, the control tool, migration, admin instance failover and Node Manager, are out of scope of
this build.
Throughout this document the references /<VENDORDIR>/<BEAHOME> and /usr/local/bea/wls92 are generally interchangeable as examples
of where WebLogic 9.2 binaries should be deployed. An installation directory with a single directory prefix is also feasible, for example
<PREFIX>/<VENDORDIR>/<BEAHOME>, i.e. /wls92pkg/usr/local/bea/wls92; this non-standard directory structure is accommodated by this build if
required. See the Install Binaries section of this document for information on naming conventions for directories where additional binaries
should be deployed.
This document refers to an <installid>. Wherever you see <installid>, replace it with the UNIX user ID that has sudo to root privileges on the HP HS
administration server and that can also ssh from the HP HS administration server to the remote application server and sudo to root there. To meet the GM
and HP security standards, <installid> should not be a generic ID; it should be an EDSNET ID. This <installid> will always be part of the gwlsins group. The
INSTALLGRP variable should not be changed in any of the server.conf files.
It is easier for the installer if this ID can sudo to root without entering a password. Also be sure to remove the sudo access
for the <installid> on the server where WLS 9.2 is deployed, and remove the SSH trust, after the installation is complete.
Architecture Design
The General Motors WebLogic Server 9.2 Gold Build Definition includes both Solaris 10 and HP-UX 11i v2.3 Enterprise Operating Environment (EOE). This guide
is for HPUX Itanium version 11.23 WebLogic 9.2 only. This template supports BEA WebLogic Server 9.2 deployments on HPUX Itanium version 11.23.
In general, WebLogic is the 3rd tier in a 4-tier architecture consisting of browser, web server, application server (WLS) and database. The General Motors Gold
Build integrates WebLogic Server 9.2 with the Sun Java Web Server and Oracle database server.
However, for the current scope of the project, integration with the web server by using the WebLogic plugin is not included.
Logical Architecture
1. End users will access the Sun Java System Web Server, which when configured will pass that traffic via HTTP or HTTPS to the backend
WebLogic Server Cluster. However, Web Server integration is out of scope of this project.
2.
3. If the transaction requires database connectivity, WebLogic will use connection pools and datasources to connect to the Oracle
Database using standard JDBC/SQL.
4. HP SMC Administrators, Application Owners and HP HS Engineers will be able to access the WLS Administration console via HTTPS.
Support
Ongoing Support
Optional Configurations
WebLogic OpsWare Signature File
As of the 3rd quarter 2009 block point any HP HS standard deployments of WebLogic at the most current version will contain a WebLogic Opsware Signature File.
This file is used by HP Opsware to identify whether the deployment is an HP HS standard deployment and whether the deployment is up-to-date with the most
current security patches and / or service pack releases. This file will contain version history information. This file will exist in /<VENDORDIR>/<BEAHOME> (in
most cases* this is /usr/local/bea/wls92) and is called eds-gm-wls92.txt. The following is the current signature file:
*****************************************************************************************
DO NOT MODIFY OR DELETE THIS FILE. Permissions on this file should be set to 444.
*****************************************************************************************
This is a signature file for the EDS Hosting Services binary build used on the GM account
(GSC36a). While Opsware MAPLs will exist to identify all deployments of this technology,
an additional MAPL will uniquely identify this as the EDS-GM standard / gold build. This
will enable us to leverage automated patching, and standardized upgrade procedures.
The file can also be manually viewed to determine binary version information.
*****************************************************************************************
Product:
WebLogic Server 9.2
Location:
$BEAHOME (normally /usr/local/bea/wls92.)
Version History:
---------------
11/2009
- New build including 2009q3 patches.
- 2LYV.jar - CVE-2009-1974
- TRY5.jar - CVE-2009-0217
* The following MAPL was created to determine if the eds-gm-wls92.txt file exists and what version or block point it is related to:
Action | Priority | File Name | Product Name | Product Version | Vendor Name | Min File Size | Max File Size | Min File Date | Max File Date | OS
Add | n/a | eds-gm-wls92.txt | WebLogic Server | 9.2MP3 | BEA Systems Inc. | 1022 | 1022 | n/a | n/a | HPUX 11.23

Action | Priority | File Name | Product Name | Product Version | Vendor Name | Min File Size | Max File Size | Min File Date | Max File Date | OS
Add | n/a | libwlenv.so | Weblogic Server | 9.2MP3 | BEA / Oracle | 14308 | 14308 | n/a | n/a | HPUX 11.23
Add | n/a | weblogic.jar | Weblogic Server | 9.2MP3 | BEA / Oracle | 53961499 | 53961499 | n/a | n/a | HPUX 11.23
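A local check of the signature file against the properties stated above (mode 444, the 1022-byte size from the MAPL row) that also lists the patch/CVE pairs in its Version History. This is an added example, not part of the original guide or of HP Opsware; the function names are hypothetical and the sample file written by make_sample is constructed and shortened.

```shell
#!/bin/sh
# Added example: local check of the gold-build signature file.
# Function names are hypothetical; only POSIX tools are used (no stat(1)).

EXPECTED_SIZE=1022   # Min/Max File Size from the MAPL row for eds-gm-wls92.txt

# file_mode FILE -> 9-character permission string, e.g. r--r--r--
file_mode() {
    ls -ld "$1" | awk '{ print substr($1, 2, 9) }'
}

# file_size FILE -> size in bytes
file_size() {
    wc -c < "$1" | tr -d ' '
}

# list_patches FILE -> one "JAR CVE" pair per Version History entry
list_patches() {
    awk '$1 == "-" && $2 ~ /\.jar$/ && $4 ~ /^CVE-[0-9]+-[0-9]+$/ { print $2, $4 }' "$1"
}

# check_signature FILE [SIZE] -> prints findings, returns 0 only when clean
check_signature() {
    sig=$1
    want=${2:-$EXPECTED_SIZE}
    rc=0
    if [ ! -f "$sig" ]; then
        echo "MISSING: $sig (not a gold build, or the file was deleted)"
        return 1
    fi
    mode=$(file_mode "$sig")
    if [ "$mode" != "r--r--r--" ]; then
        echo "MODE: $sig is $mode, expected r--r--r-- (444)"
        rc=1
    fi
    size=$(file_size "$sig")
    if [ "$size" != "$want" ]; then
        echo "SIZE: $sig is $size bytes, MAPL expects $want"
        rc=1
    fi
    if [ -z "$(list_patches "$sig")" ]; then
        echo "HISTORY: no patch entries found in $sig"
        rc=1
    fi
    return $rc
}

# make_sample FILE -> writes a constructed, shortened signature file (mode 444)
make_sample() {
    cat > "$1" <<'EOF'
Product:
WebLogic Server 9.2
Location:
$BEAHOME (normally /usr/local/bea/wls92.)
Version History:
---------------
11/2009
- New build including 2009q3 patches.
- 2LYV.jar - CVE-2009-1974
- TRY5.jar - CVE-2009-0217
EOF
    chmod 444 "$1"
}

# Demo: sh sigcheck.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d) && make_sample "$tmp/eds-gm-wls92.txt"
    # The sample is shorter than the real file, so pass its own size.
    check_signature "$tmp/eds-gm-wls92.txt" "$(file_size "$tmp/eds-gm-wls92.txt")" && echo "OK"
    list_patches "$tmp/eds-gm-wls92.txt"
    rm -rf "$tmp"
fi
```

On a real deployment, call check_signature with the path under /<VENDORDIR>/<BEAHOME> and no size argument so the 1022-byte value applies.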
deployer ID and system ID passwords before starting the additional instance installation to
keep all other potential users out of the administration console during this change as well.
1. Open a browser session to the administration console. Log in using the system user ID
and password. Leave this session open while you complete the following. That
way, in case the change does not go as planned, you will have a console open that you
can use to either reset the password or unlock the system user ID.
2. Use a second browser session to access the administration console for the domain.
Log in using the system user ID and password.
3.
4.
5.
6.
7. Enter the new system user's password in the New Password field.
8.
9. Click Save.
Variable / Definition / Sample Value
AS1_DNS: The fully qualified dns name for the server that hosts the sites WebLogic administration server. Sample Value: app-r-vs01.iweb.gm.com
ADMIN_PORT: 7503
VENDORDIR: Standard directory : /usr/local/bea
Non standard directory : /<PREFIX>/usr/local/bea
BEAHOME: wls92
SHORTNAME: test4
ORIGPASS: start123
JDKVER:
If there are no errors in $SHORTNAME.out and all instances restart properly then you can remove
the $SHORTNAME.out file.
Run this script against each site that requires the system ID password to be changed (one at a time only; please be careful, since this changes the
password of the system ID and of the cn=Admin LDAP owner ID for each WebLogic domain).
In order to encrypt the boot.properties file, each instance on each physical server that hosts the site should
be stopped and started after the script has completed successfully. All instances must be
stopped and started to verify that the changes were successful for all instances in a domain, to
avoid errors on startup because passwords of different JVMs in the same domain do not match, and
to make other ID / password changes.
Any SiteScope monitors that use the system id should also be updated with the new password.
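To confirm that the restart described above actually re-encrypted boot.properties on every instance, the following check flags any username or password value that is still in clear text. It is an added example, not part of the original guide; the function names are hypothetical, the sample files and their servers/<instance>/security layout are constructed, and it relies on WebLogic marking encrypted values with a {3DES} prefix ({AES} in later releases).

```shell
#!/bin/sh
# Added example: confirm boot.properties was re-encrypted after the restart.
# Function names are hypothetical. WebLogic marks encrypted values with a
# {3DES} prefix ({AES} in later releases); anything else is treated as clear text.

# is_encrypted VALUE -> 0 if VALUE carries an encryption prefix and a payload
is_encrypted() {
    case $1 in
        '{3DES}'?* | '{AES}'?*) return 0 ;;
        *) return 1 ;;
    esac
}

# prop_value FILE KEY -> value of the first KEY=VALUE line, empty if absent
prop_value() {
    awk -v k="$2=" 'index($0, k) == 1 { print substr($0, length(k) + 1); exit }' "$1"
}

# check_boot_properties FILE -> prints findings (never the values themselves)
check_boot_properties() {
    bp=$1
    rc=0
    if [ ! -f "$bp" ]; then
        echo "MISSING: $bp"
        return 1
    fi
    for key in username password; do
        val=$(prop_value "$bp" "$key")
        if [ -z "$val" ]; then
            echo "NOKEY: $key not set in $bp"
            rc=1
        elif ! is_encrypted "$val"; then
            echo "CLEARTEXT: $key in $bp (instance not restarted since the change?)"
            rc=1
        fi
    done
    return $rc
}

# check_domain DIR -> checks every boot.properties below DIR
check_domain() {
    find "$1" -type f -name boot.properties | (
        drc=0
        while IFS= read -r p; do
            check_boot_properties "$p" || drc=1
        done
        exit $drc
    )
}

# make_samples DIR -> two constructed instances: one encrypted, one not
make_samples() {
    mkdir -p "$1/servers/inst1/security" "$1/servers/inst2/security"
    cat > "$1/servers/inst1/security/boot.properties" <<'EOF'
username={3DES}Y29uc3RydWN0ZWQtdXNlcg
password={3DES}Y29uc3RydWN0ZWQtcGFzcw
EOF
    cat > "$1/servers/inst2/security/boot.properties" <<'EOF'
username=constructed-user
password=constructed-pass
EOF
}
```

Run check_domain against the domain root after all instances have been stopped and started; a CLEARTEXT finding points at an instance that was missed.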
1. Use a browser to access the administration console for the domain. Use an ID with
administration access to the WLS Administration console.
2.
3. Click on myrealm.
4.
5. Click New.
6.
7.
8.
9. Add the user to the appropriate group. (For example, if adding an ID for an engineer
who requires access only to view the configuration then assign them to the Monitors
group). Use the arrow to add the appropriate group(s) to the Chosen field.

3. Click on the Security Realms entry. Click on the myRealm entry in the Name column in the
right most frame.
4.
5. Place a check mark in the first column in front of the user ID to be deleted. This will enable the
Delete button. Click the Delete button.
6. When prompted "Are you sure you want to delete the following items?", click Yes.
7.
CLASSPATH="/usr/local/bea/wls92/weblogic92/server/ext/jdbc/oracle/11g/ojdbc5.jar:${CLASSPATH}"
To remove the Oracle Thin Driver from the CLASSPATH remove the following if 10g is configured:
/usr/local/bea/wls92/weblogic92/server/ext/jdbc/oracle/10g/ojdbc14.jar
To remove the Oracle Thin Driver from the CLASSPATH remove the following if 11g is configured:
/usr/local/bea/wls92/weblogic92/server/ext/jdbc/oracle/11g/ojdbc5.jar
To set the instance to use 10g make sure the only oracle thin driver entry in the CLASSPATH is set to
/usr/local/bea/wls92/weblogic92/server/ext/jdbc/oracle/10g/ojdbc14.jar
To set the instance to use 11g make sure the only oracle thin driver entry in the CLASSPATH is set to
/usr/local/bea/wls92/weblogic92/server/ext/jdbc/oracle/11g/ojdbc5.jar
1. Log in to the application server as the B<shortname> UNIX user ID. This should put
you in the domain root (something like /usr/local/bea/wls92/domains/shortname or, if
a non-standard directory structure is used, /<PREFIX>/usr/local/bea/wls92/domains/shortname).
2.
3. Make a backup of the startWebLogic_instance files that you are going to update the
memory allocation for.
4. Edit the startWebLogic_instance files by replacing the two 512 entries in the
MEM_ARGS value with the new memory allocation (such as 1024, etc.)
5.
6.
7.
MEM_ARGS="-Xms1024m -Xmx1024m"
NOTE: the following is taken from the General Motors Gold Build for WebLogic Server
9.2
Memory: The memory required varies by application. For capacity planning purposes, three sizes
(small, medium, large) have been defined. One may have bigger application server instances but this
would be the exception. For sizing the available memory capacity of a server, reserve 20% of the
memory for the OS, tools, and margin.
It is expected that in most cases the WebLogic administration server Instance will require 512 MB of
memory.
Memory Allocation
Size of
Application
Server
instance/JVM
Small
Medium
Large
1 GB RAM
typical
2GB RAM
Extra Large
More than
2GB RAM
Disk Space: 1.8 GB minimum plus application data and related files. Multiple instances require
slightly more disk space (minimum of 30 MB each instance).
Capacity Chart of 1) Single Instances per server; 2) Active-Active Instances
Memory Capacity
<weblogic-web-app>
<context-root>/</context-root>
</weblogic-web-app>
Deploy an Application
The Middleware team should rarely have to deploy applications. The following instructions are supplied to
assist in cases when the Middleware team needs to deploy an application.
1. Use a browser to login to the WebLogic Administration Console.
2. Click Lock & Edit
3. Click on Deployments
4. Click Install
5. Either browse to the ear or war file using the Location links or use the upload your
file(s) option to upload the ear or war file from your work station. Select the ear or
war file and click Next.
6. Select Install this deployment as an application and click Next.
7. Target the application to the appropriate instances or cluster and click Next.
8. To stage the application click Copy this application onto every target for me and
click Next. It is up to the application owner to tell you which option they want to
select, for example (Use the defaults defined by the deployments targets, Copy this
application onto every target for me or I will make the deployment accessible from the
following location).
9. Click Finish.
10. Click Activate Changes.
11. Test the application URL.
d. Click Save.
e. Expand the Advanced section at the bottom of the page
f.
g. Click Save
23. Click Activate Changes
24. Click the Monitoring tab
25. Click the Testing tab
26. Select the managed server instance to test the Data Source on and click Test Data
Source (you will need to test the Data Source on each managed server instance it is
targeted to one at a time)
27. You should receive a message at the top of the page Test of <DATA SOURCE> on
server <INSTANCE> was successful.
1. Use a browser to log in to the administration console using the ID required to deploy the application
(for example the sample application is deployed using the system ID but in general all other
applications are deployed using the deployer ID).
2. If you have not already done so, in the Change Center of the Administration Console, click Lock &
Edit.
3. In the left pane of the Administration Console, select Deployments. A table in the right pane
displays all deployed applications and modules.
4. In the right pane, locate the application you want to update (redeploy).
5. Select the check box next to the name of the application you want to update.
6.
7.
8.
9. To activate these changes, in the Change Center of the Administration Console, click Activate
Changes. Not all changes take effect immediately; some require a restart (see Use the Change
Center).
1. Use the WebLogic Administration Console to make sure the application is stopped (start/stop an
application).
2.
3. Click Deployments
4.
5. Click Targets
6. Uncheck or deselect the target to remove the application from and click Save
7.
To completely remove the application from being deployed to any managed server instances:
1. Use the WebLogic Administration Console to make sure the application is stopped (start/stop an
application).
2.
3. Click Deployments
4.
5. Click Delete
6.
7.
8.
This should remove the application from the staged directory if the application was deployed with
staging enabled. It should not remove the original EAR/WAR file from the upload directory.
Start/Stop an Application
The following is taken from
http://download.oracle.com/docs/cd/E13222_01/wls/docs92/ConsoleHelp/taskhelp/applications/StopDeployedEnterpriseApplications.html
Starting an Enterprise Application makes the application available to
WebLogic Server clients; stopping it makes it unavailable.
When you start an application, you can make it immediately available to clients, or you can start it in
administration mode to first ensure that it is working as you expect. Starting in administration mode allows
you to perform final ("sanity") checking of the distributed application directly in the production environment
without disrupting clients.
Similarly, you can stop an application so that no clients can use it, or you can stop it in administration mode
so that only administrative tasks can be performed.
Stopping an application does not remove its source files from the server; you can later redeploy (also called
update) a stopped application to make it available to WebLogic Server clients once again.
If stopping or starting an application for a customer (not the sample application for example) be sure to use
one of the deployer IDs and not any of the IDs with system administration privileges.
To stop an application:
1. Use a browser to login to the administration console using the ID required to deploy the
application (for example the sample application is deployed using the system ID but in general
all other applications are deployed using the deployer ID).
2. Click on Deployments
3.
4. Click the Stop arrow and select the appropriate option (When work completes, Force Stop
Now or Stop, but continue servicing administration requests)
5.
6. If there are SiteScope monitors configured for this application then you should expect
SiteScope to start reporting that the instance or application is down.
To start an application:
1. Use a browser to login to the administration console using the ID required to deploy the
application (for example the sample application is deployed using the system ID but in general
all other applications are deployed using the deployer ID).
2. Click on Deployments
3.
4. Click the Start arrow and select the appropriate option (Servicing all requests or Servicing only
administration requests)
5.
6. Validate that the application is now accessible either via SiteScope or manually.
Note, both war files should be available on the file system in the directory noted above
for every domain admin instance regardless of whether the domain currently only
hosts clustered or non-clustered instances.
2.
3. If you need to deploy the clustered version of the sample application then do the
following substituting InMemRepClient_clus.war for SAMPLEAPP. If you need to deploy
the unclustered version of the sample application then do the following substituting
InMemRepClient_scell.war for SAMPLEAPP.
4.
f.
Edit the weblogic.xml file by replacing SITE with the shortname for the site.
This is for the workingDir parameter.
j.
If you need to add a server to the sample application targets, skip to step 4 below. If
you need to deploy the application for the first time continue here. If the domain has
both clustered and non-clustered instances then you will need to do the following one
time using the InMemRepClient_clus.war file and targeting it to the cluster(s) and once
using the InMemRepClient_scell.war file and targeting it to the nonclustered instances.
a. Make sure all managed server instances in the domain (or cluster) are
running.
b. Use the admin console to redeploy the new war file to the cluster.
i.
ii.
Click Deployments
iii.
Click Install
iv. Navigate to
/<VENDORDIR>/<BEAHOME>/domains/SHORTNAME/servers/SHORTNAME_admin/upload
or if a non standard directory structure is used
/<PREFIX>/<VENDORDIR>/<BEAHOME>/domains/SHORTNAME/servers/SHORTNAME_admin/upload
v.
vi.
vii.
viii.
ix.
x.
xi.
xii.
xiii.
xiv.
xv.
6.
Click Yes
You should see that the State changed to Active
To add a managed server instance as a target for the sample application that is
already deployed to other instances in the domain complete the following:
Click on Deployments
g. Click Save
h. Click Activate Changes
/<PREFIX>/<VENDORDIR>/<BEAHOME>/domains/SHORTNAME/config/deployments/*
/<PREFIX>/<VENDORDIR>/<BEAHOME>/domains/SHORTNAME/servers/domain_bak/config_prev/config.xml
/<PREFIX>/<VENDORDIR>/<BEAHOME>/domains/SHORTNAME/servers/INSTANCE/cache
/<PREFIX>/<VENDORDIR>/<BEAHOME>/domains/SHORTNAME/servers/INSTANCE/data
/<PREFIX>/<VENDORDIR>/<BEAHOME>/domains/SHORTNAME/servers/INSTANCE/logs
/<PREFIX>/<VENDORDIR>/<BEAHOME>/domains/SHORTNAME/servers/INSTANCE/stage
/<PREFIX>/<VENDORDIR>/<BEAHOME>/domains/SHORTNAME/servers/INSTANCE/tmp
And any other files not specifically mentioned in this section or in the Files that Can Be Shared with
Application Development Teams section of this document.
Standard/Recommended JAVA_OPTIONS
The following JAVA_OPTIONS are required for the SSL configuration to work properly:
In the /<VENDORDIR>/<BEAHOME>/domains/SHORTNAME/INSTANCE/bin/startWebLogic_instance
and /<VENDORDIR>/<BEAHOME>/domains/SHORTNAME/INSTANCE/bin/stop files or if a non standard
directory structure is used then in
/<PREFIX>/<VENDORDIR>/<BEAHOME>/domains/SHORTNAME/INSTANCE/bin/startWebLogic_instance
and /<PREFIX>/<VENDORDIR>/<BEAHOME>/domains/SHORTNAME/INSTANCE/bin/stop the following
JAVA_OPTIONS should be set:
JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.nojce=true -Dweblogic.security.SSL.trustedCAKeyStore=/<VENDORDIR>/<BEAHOME>/domains/SHORTNAME/JKS/SHORTNAMEtrust.jks -Djavax.net.ssl.trustStore=/<VENDORDIR>/<BEAHOME>/domains/SHORTNAME/JKS/SHORTNAMEtrust.jks -Djavax.net.ssl.trustStorePassword=KEYPASS"
JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.nojce=true -Dweblogic.security.SSL.trustedCAKeyStore=/<PREFIX>/<VENDORDIR>/<BEAHOME>/domains/SHORTNAME/JKS/SHORTNAMEtrust.jks -Djavax.net.ssl.trustStore=/<PREFIX>/<VENDORDIR>/<BEAHOME>/domains/SHORTNAME/JKS/SHORTNAMEtrust.jks -Djavax.net.ssl.trustStorePassword=KEYPASS"
For example:
JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.nojce=true -Dweblogic.security.SSL.trustedCAKeyStore=/usr/local/bea/wls92/domains/test4/JKS/test4trust.jks -Djavax.net.ssl.trustStore=/usr/local/bea/wls92/domains/test4/JKS/test4trust.jks -Djavax.net.ssl.trustStorePassword=Test1234+"
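Because these settings place the trust store password in clear text inside the start and stop scripts, an audit of those scripts should check both that the four options are present and that the files are not readable by other users. The following is an added example, not part of the original guide; the function names are hypothetical, the sample script is constructed from the guide's test4 values, and the rule that both keystore options name the same file is an assumption taken from the settings shown above.

```shell
#!/bin/sh
# Added example: audit a start/stop script for the SSL JAVA_OPTIONS listed above.
# Function names are hypothetical. Findings never echo the password itself.

REQUIRED_OPTS="weblogic.security.SSL.nojce
weblogic.security.SSL.trustedCAKeyStore
javax.net.ssl.trustStore
javax.net.ssl.trustStorePassword"

# opt_value FILE NAME -> value of the first -DNAME=VALUE token, empty if absent.
# Quotes and newlines become spaces first, so wrapped assignments still parse.
opt_value() {
    tr '"\n' '  ' < "$1" | tr ' ' '\n' |
        awk -v k="-D$2=" 'index($0, k) == 1 { print substr($0, length(k) + 1); exit }'
}

# other_perms FILE -> the three "other" permission characters, e.g. r-x or ---
other_perms() {
    ls -ld "$1" | awk '{ print substr($1, 8, 3) }'
}

# audit_start_script FILE -> prints findings, returns 0 only when clean
audit_start_script() {
    f=$1
    rc=0
    for name in $REQUIRED_OPTS; do
        if [ -z "$(opt_value "$f" "$name")" ]; then
            echo "MISSING: -D$name in $f"
            rc=1
        fi
    done
    ca=$(opt_value "$f" weblogic.security.SSL.trustedCAKeyStore)
    ts=$(opt_value "$f" javax.net.ssl.trustStore)
    # Assumption taken from the guide's own settings: both name the same JKS file.
    if [ -n "$ca" ] && [ -n "$ts" ] && [ "$ca" != "$ts" ]; then
        echo "MISMATCH: trustedCAKeyStore and trustStore differ in $f"
        rc=1
    fi
    # The keystore password sits in this file in clear text (and in the JVM's
    # argument list), so the script should not be accessible to "other".
    if [ -n "$(opt_value "$f" javax.net.ssl.trustStorePassword)" ] &&
       [ "$(other_perms "$f")" != "---" ]; then
        echo "EXPOSED: $f holds trustStorePassword and is accessible to other users"
        rc=1
    fi
    return $rc
}

# make_sample_script FILE -> constructed start script using the guide's test4 paths
make_sample_script() {
    cat > "$1" <<'EOF'
#!/usr/bin/ksh
# constructed sample for the audit example
JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.nojce=true
-Dweblogic.security.SSL.trustedCAKeyStore=/usr/local/bea/wls92/domains/test4/JKS/test4trust.jks
-Djavax.net.ssl.trustStore=/usr/local/bea/wls92/domains/test4/JKS/test4trust.jks
-Djavax.net.ssl.trustStorePassword=KEYPASS"
EOF
    chmod 750 "$1"
}
```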
Script Name: start
Script Location:
Script Purpose: Calls the startWebLogic.sh to start the WLS 9.2 domain admin server Instance
Validation Instructions (include which processes should be running):
Standard location
/usr/local/bea/wls92/domains/<shortname>/bin/startWebLogic.sh
standard location
/PREFIX/usr/local/bea/wls92/domains/<shortname>/bin/startWebLogic.sh

Script Name: startWebLogic.sh
Script Location:
Script Purpose: Called by the start script to start the WLS 9.2 domain admin server Instance. In general this script should not be run directly unless during a troubleshooting session.
Validation Instructions (include which processes should be running):

Script Name: start_instance
Script Location:
Script Purpose:
Validation Instructions (include which processes should be running):

Script Name: startManaged_instance
Script Location:
Script Purpose:
Validation Instructions (include which processes should be running):
/usr/bin/ksh
Standard directory
/usr/local/bea/wls92/domains/<shortname>/bin/startWebLogic_<instance> node
Or Non Standard directory
/<PREFIX>/usr/local/bea/wls92/domains/<shortname>/bin/startWebLogic_<instance> node

Script Name: startWebLogic_instance
Script Location:
Script Purpose: Starts the WLS 9.2 domain managed server instance. In general this script should not be run directly unless during a troubleshooting session.
Validation Instructions (include which processes should be running):

Script Name: stop
Script Location:
Standard
/usr/local/bea/wls92/domains/SHORTNAME/bin
Or
Non Standard
/<PREFIX>/usr/local/bea/wls92/domains/SHORTNAME/bin
Script Purpose:
Validation Instructions (include which processes should be running):

Script Name: stop_instance
Script Location:
Standard
/usr/local/bea/wls92/domains/SHORTNAME/bin
Or
Non standard
/<PREFIX>/usr/local/bea/wls92/domains/SHORTNAME/bin
Script Purpose:
Validation Instructions (include which processes should be running):
Log Files
Log File: access.log
Log File Location:
Standard: /sites/<SHORTNAME>/site/common/logs/92_<INSTANCE>
Non Standard: /<PREFIX>/sites/<SHORTNAME>/site/common/logs/92_<INSTANCE>
Rotation Schedule: Nightly
Retention Period: Indefinitely
Log File: instance.log
Log File Location:
Standard: /sites/<SHORTNAME>/site/common/logs/92_<INSTANCE>
Or Non Standard: /<PREFIX>/sites/<SHORTNAME>/site/common/logs/92_<INSTANCE>
Rotation Schedule: Nightly
Retention Period: Indefinitely
Log File: start_instance.log
Log File Location:
Standard: /sites/<shortname>/site/common/logs/92_<instance>
Or Non Standard: /<PREFIX>/sites/<shortname>/site/common/logs/92_<instance>
Rotation Schedule: Nightly
Retention Period: Indefinitely
Log File: shortname.log
A domain log is automatically configured when the domain is installed. The domain log collects messages
from all server instances in the domain. The domain log does not contain HTTP requests (which are stored
in a separate access log for each server) or JDBC messages (which are stored in a separate JDBC log for
each server).
Log File Location:
Standard: /sites/<SHORTNAME>/site/common/logs/92_<SHORTNAME>_admin
Or Non Standard: /<PREFIX>/sites/<SHORTNAME>/site/common/logs/92_<SHORTNAME>_admin
Rotation Schedule: Nightly
Retention Period: Indefinitely
Log File: diagnostic_images
Directory where debugging output is written to when server debug is turned on.
Log File Location:
Standard: /sites/<shortname>/site/common/logs/92_<instance>
Or: /<PREFIX>/sites/<shortname>/site/common/logs/92_<instance>
Rotation Schedule: None at this time
Retention Period: Indefinitely
The following links are deployed when the domain or additional instance(s) are deployed:
Standard
/<VENDORDIR>/<BEAHOME>/domains/<SHORTNAME>/servers/<SHORTNAME>_admin/logs links to
/sites/<SHORTNAME>/site/common/logs/92_<SHORTNAME>_admin
/<VENDORDIR>/<BEAHOME>/domains/<SHORTNAME>/servers/<INSTANCE>/logs links to
/sites/<SHORTNAME>/site/common/logs/92_<INSTANCE>
Or
Non standard
/<PREFIX>/<VENDORDIR>/<BEAHOME>/domains/<SHORTNAME>/servers/<SHORTNAME>_admin/logs
links to /sites/<SHORTNAME>/site/common/logs/92_<SHORTNAME>_admin
/<PREFIX>/<VENDORDIR>/<BEAHOME>/domains/<SHORTNAME>/servers/<INSTANCE>/logs links to
/sites/<SHORTNAME>/site/common/logs/92_<INSTANCE>
The log files are rotated on a nightly basis via a cron job. The log file rotation tars and gzips the log files and
the embedded LDAP backups and, on the server/zone that hosts the WLS administration server instance, the
config.xml and SerializedSystemIni.dat files as well. The gzipped files are stored in
/sites/<SHORTNAME>/site/common/logs/92_dailybackups or, if a non standard directory structure is used,
in /<PREFIX>/sites/<SHORTNAME>/site/common/logs/92_dailybackups
Maintenance Window
Maintenance windows will be defined by the customer.
Troubleshooting
Troubleshooting Standards
Symptom / Possible Cause(s) / Action(s) to Take
Cannot release configuration on the admin console or unlock the admin console edit function.
An edit hung or someone else has started an edit and never finished it.
Application cannot revert deployment to an older version.
BEA WLS Known Issue
Validate/verify that the junction is configured correctly and the web site/weblogic site is responding to
non-junction based traffic if possible. Ensure the junction is created with the junction -b flag set to
filter instead of ignore.
The system may be locked by one of the managed server instances having a hold or lock on something that
was being changed via WLST or the admin console.
Stop the managed server instance(s) and then restart the managed server instance(s). In most cases as soon
as all the managed server instances are stopped the change will activate successfully.
If managed server instances are started in the absence of a RUNNING administration server instance when
the administration server instance is started, automatic managed server discovery does not work if the
domain wide administration port is enabled. The domain wide administration port has to be enabled for the
WLS deployment to be compliant with the General Motors WebLogic Technical Security Standards.
This is a known issue and hopefully will be resolved with a future patch or service pack upgrade. The
start_instance scripts contain a step that checks for a RUNNING admin instance for 10 minutes and then
starts up the managed server in MSI mode if necessary. This is mainly intended to be used during a
physical server/zone reboot to allow the admin instance(s) time to start up before the managed server
instances start.
When Entrust certificates are used, from the browser the certificates are not recognized to be an
authorized certificate.
Entrust issues a chain certificate and it needs to be installed.
Entrust certificates do not use 1024 RSA keys any further
Entrust is moving to 2048 RSA keys
Tool/Procedure Location:
Tool/Procedure Location:
Troubleshooting Performance
The following is based on input from BEA during troubleshooting the PRTS application slow
response issue. Please note that the PRTS troubleshooting effort was based on WebLogic
Server 8.1 although the recommendations should be the same for 9.2.
For general BEA performance tuning information see the following URL:
http://download.oracle.com/docs/cd/E13222_01/wls/docs92/perform/topten.html
Known Problems
When using one of the deployer IDs and clicking on the Testing tab for a deployment the user receives a
page full of errors. The Vendor is aware of this issue and has an open CR (change request) for this issue
but it has not been resolved yet. When the vendor provides a fix for this issue it will be tested in the release
environment and released to the environment if it works as expected.
Support
Any changes to a system should be part of an authorized work order which is documented at
installation time stating a change is occurring and be authorized via change control processes.
Contacts
Name
Jessica Leja
Sreelatha
Chalasani
Beth Van Egeren
Tony Mazur
Yona Shaposhnik
Role
Phone
Pager
HP HS WebLogic Engineer
HP HS WebLogic Engineer
248-754-7767
248-364-5819
EON
EON
248-364-4918
248-370-1402
248-364-5539
EON
EON
EON
Oracle Support
HP HS Architect
HP HS Oracle Engineer
HP HS Sun Java System Web
Server Engineer
Oracle Support
1-800-633-0738
Metalink
Oracle Support
Not available
Dale Deloy
Not available
Support Identifier
3238825
metalink.oracle.com Support Identifier 3238825
dale.deloy@oracle.com
Product-Specific Support
The following was taken from http://www.oracle.com/support/library/brochure/lifetime-support-middleware.pdf
and is the End-of-Life Support for WebLogic Server 9.2
Product: WebLogic Server/Express (WLS)
Version: 9.x
Status: Active
Order Availability: Available
GA Date: July, 2005
Retirement Date: See WL Platform 9.x
End of Extended Support: See WL Platform 9.x
Sustaining Support: Yes
Product: WL Platform (WLS+WLW+WLP+WLI)
Version: 9.x
Status: Active
Order Availability: Available
GA Date: November 28, 2006
Retirement Date: November 30, 2011
End of Extended Support: November 30, 2013
Sustaining Support: Yes
Technical
Event Monitoring
SiteScope Monitoring
A SiteScope monitor should be configured for the following:
Import EDS HS WLS 9.2 Root Certificate Authority into SiteScope To be performed by the
Tools Team
Before SiteScope monitors can be configured to monitor the WLS SSL ports the following
needs to be completed by the tools team:
Complete the following using the administration id on the Pre-Production and Production Intranet SiteScope
servers. Contact the engineer assigned to obtain the passwords noted in red text below before starting this
change.
1.
ca.cert.pem
If there is already a ca.cert.pem in that directory then be sure to make a backup copy of it first.
2.
3.
4. Type ..\..\bin\keytool -alias edshswls92 -trustcacerts -import -file ca.cert.pem -keystore cacerts -storepass password
5.
Valid from: Thu May 17 11:43:19 EDT 2007 until: Thu May 15 11:43:19 EDT 2014
Certificate fingerprints:
MD5: 04:58:21:C8:35:AA:FD:BE:FB:B6:15:48:B5:47:2A:D0
SHA1: D2:65:27:57:38:43:99:A1:45:E1:6E:BF:9C:FB:5D:B7:B1:1C:A5:02
Trust this certificate? [no]:
7.
Answer yes
8.
9.
10. To back out this change, move the cacerts to cacerts.watommoca, move the cacerts.b4wls92certimport
to cacerts, and restart SiteScope.
11. If for some reason a backup of the cacerts before the import was not made you can use the following
command to delete the newly trusted certificate authority from the cacerts and then restart SiteScope.
12. C:\SiteScope\java\lib\security>..\..\bin\keytool -keystore cacerts -storepass password -delete -alias edshswls92
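Before answering yes at the "Trust this certificate?" prompt, the fingerprint that keytool prints can be compared with the one recorded in this guide. The following is an added example, not part of the original procedure: it assumes a POSIX shell with a JDK keytool on the PATH (the steps above use the Windows prompt on the SiteScope server), the function names are hypothetical, and the two sample outputs are constructed.

```shell
#!/bin/sh
# Added example: refuse to import a CA certificate whose SHA1 fingerprint
# differs from the one printed in this guide.

# SHA1 fingerprint of the root CA as shown in the keytool output above.
EXPECTED_SHA1="D2:65:27:57:38:43:99:A1:45:E1:6E:BF:9C:FB:5D:B7:B1:1C:A5:02"

# Read keytool output on stdin and print the SHA1 fingerprint in upper case.
sha1_from_keytool() {
    sed -n 's/^[[:space:]]*SHA1:[[:space:]]*\([0-9A-Fa-f:]*\).*$/\1/p' |
        head -n 1 | tr 'abcdef' 'ABCDEF'
}

# Return 0 only if the fingerprint found on stdin equals $1 (case-insensitive).
fingerprint_matches() {   # $1 = expected SHA1, keytool output on stdin
    expected=$(printf '%s' "$1" | tr 'abcdef' 'ABCDEF')
    actual=$(sha1_from_keytool)
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Check the certificate, keep a backup of the keystore under the name the
# back-out step expects, then import without the interactive prompt.
import_ca_if_trusted() {  # $1 = certificate file, $2 = keystore, $3 = store password
    if ! keytool -printcert -file "$1" | fingerprint_matches "$EXPECTED_SHA1"; then
        echo "fingerprint of $1 does not match, not importing" >&2
        return 1
    fi
    cp -p "$2" "$2.b4wls92certimport" || return 1
    keytool -import -noprompt -trustcacerts -alias edshswls92 \
        -file "$1" -keystore "$2" -storepass "$3"
}

# Constructed sample of keytool -printcert output carrying the guide's fingerprints.
sample_genuine_output() {
    cat <<'EOF'
Owner: CN=constructed-sample-ca
Issuer: CN=constructed-sample-ca
Valid from: Thu May 17 11:43:19 EDT 2007 until: Thu May 15 11:43:19 EDT 2014
Certificate fingerprints:
         MD5:  04:58:21:C8:35:AA:FD:BE:FB:B6:15:48:B5:47:2A:D0
         SHA1: D2:65:27:57:38:43:99:A1:45:E1:6E:BF:9C:FB:5D:B7:B1:1C:A5:02
EOF
}

# Constructed sample of a substituted certificate (different fingerprints).
sample_substituted_output() {
    cat <<'EOF'
Owner: CN=constructed-sample-ca
Issuer: CN=constructed-sample-ca
Certificate fingerprints:
         MD5:  00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
         SHA1: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
EOF
}
```

On a real host the call is `import_ca_if_trusted ca.cert.pem cacerts <storepass>`, run from the directory that holds cacerts.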
Prerequisites
This section describes the other systems and resources that must be in place in order for
WebLogic 9.2 to function properly.
If WLS needs to be installed into a Service Guard package, then the Service Guard
cluster should be installed and a package should have been created. The package
name should be provided for the WLS install. This package name should be used as the
PREFIX parameter in server.conf files.
Only one directory structure PREFIX off of root is accommodated with this build into
which WLS can be installed. For example, the Service Guard package should be created
off of root, i.e. /wls92pkg. The WLS directory structure will then appear as
/wls92pkg/usr/local/bea, the sites directory will be /wls92pkg/sites, and the gwh directory,
where the start and stop scripts corresponding to WLS are stored, is under
/wls92pkg/usr/local/gwh.
WLS processes are not monitored by Service Guard. A Service Guard package can be
manually failed over, or it can fail over when a Service Guard cluster node fails.
System Parameters
HP-UX WebLogic Tuning Parameters
From http://download.oracle.com/docs/cd/E13222_01/wls/docs92/pdf/perform.pdf
WebLogic will function correctly without these changes, but performance may not be optimal for larger
applications. If any of these parameters have been set by another application, then the higher of the two
values must be used. Following are the values for WebLogic 9.2 (based on tuning information from
http://download.oracle.com/docs/cd/E13222_01/wls/docs92/pdf/perform.pdf and
http://docs.hp.com/hpux/onlinedocs/TKP-90203/TKP-90203.html
http://h21007.www2.hp.com/dspp/tech/tech_TechDocumentDetailPage_IDX/1,1701,1602,00.html). The
System Administrator should set the following based on the HP-UX 11.i v2.3 GBD.
Make a backup of the kernel before altering the kernel and network parameters below.
Value
Comment
tcp_conn_req_max 4096
tcp_xmit_hiwater_def 1048576
tcp_ip_abort_interval 60000
tcp_rexmit_interval_initial 4000
tcp_keepalive_interval 900000
For example, here are the lines for the shared application servers in pre-production
10.30.150.87 usplgmas002.iweb.gm.com
10.30.150.86 usplgmas001.iweb.gm.com
3
4
And as another example, here are the lines for the shared application servers in production
10.20.150.87 usahgmas002.iweb.gm.com
10.20.150.86 usahgmas001.iweb.gm.com
5
8
Installation
This section of the document describes how to install and configure WebLogic 9.2.
1. Ensure that all items documented in the Installation and De-Installation Prerequisites
section of this document have been met.
2. Create and install the Application Server SSL Certificates using the Create
Application Server SSL Certificate section of this document.
3. Install the WebLogic 9.2 Binaries using the Install Binaries section of this document.
4. Install a WebLogic 9.2 domain using the Install Domain section of this document.
5. Please note that at the time of the install, in any of the server.conf files the
installer should enter values for the parameters and should NOT use substitutions
(e.g. $variable). If there are variables already set in a value, for example in the
server.conf file corresponding to an additional instance, they should be left as is.
6. Please note that Hosting engineering has provided some variables in the server.conf
file for which values can be set in the server.conf file. There are additional variables
that need to be set at the prompt when running the install. For example, password
parameters need to be set on the fly; they are not provided in the server.conf file.
The installer should not add or remove parameters in the server.conf file.
7. Please note that in some HP hosting environments, if not all (for example GME), the
ids corresponding to SERVGID and SERVUID need to be obtained from the Unix Admin team
before they can be set at the time of the install. The Unix team provides specific
tracked numbers which should be used to set these parameters.
8. In some environments (for example GME) users and groups cannot be created by any
process (script); they can be created only by the Unix Administration, in which case the
install can work with pre-existing users and groups.
9. Please note the install file corresponding to binaries, wls-as (domain) and additional
instance contains a temporary location set to a prefix of /var/tmp/. If /var/tmp on
the target server (the server where WLS needs to be installed) does not have
enough space then this variable can be changed to /tmp if /tmp has enough space.
Following is how the variable looks currently:
"TMPDIR=/var/tmp/wls_install${DATE}" >> $CONFIGDIR/$CONFIGFILE \
If needed, depending on the space constraints, this can be changed to
"TMPDIR=/tmp/wls_install${DATE}" >> $CONFIGDIR/$CONFIGFILE \
10. If for any reason the install is unsuccessful, check the /var/tmp directory and clean
up any remnants of the install.
Permissions
Owner
/usr/local/gwh/scripts/tarballs/wls92 770 wlsins:gwlsins
/usr/local/gwh/scripts/common/sitesdir/hpux 755 phreak:ed
/usr/local/gwh/scripts/wls92/binaries/gwhsslcerts/wls92 770 root:other
/usr/local/gwh/scripts/wls92_hpux_11.23_itanium 770 wlsins:gwlsins
/usr/local/gwh/scripts/tarballs/java/hpux 755 phreak:ed
Preferably make sure the <installid> UNIX User ID on the new HP HS Administration Server is able to
ssh to <installid> on the servers where WLS 9.2 will be deployed and become root (sudo) without having to
supply a password during either the ssh or the sudo command. To meet the GM and HP security standards,
<installid> should not be a generic id; it should be an EDSNET id. This <installid> will always be part of
the gwlsins group. The INSTALLGRP variable should not be changed in any of the server.conf files.
The install id must have sudo in its default path on the server where WLS needs to be
installed. It is usually in the default path on the server, but in case it is not, this needs to be
requested before the installation. If it is known that in your environment (e.g. GME, GMAC) it is not
in the default path, it is suggested to request it while requesting the installid access privileges.
Please see Appendix 1 of this document for detailed information on how to configure SSH keys if necessary.
Also be sure to remove the sudo access for the <installid> on the server where WLS 9.2 is deployed and
remove the SSH trust after the installation is complete.
Copy the following files from the existing HP HS Administration Server to the new HP HS Administration
Server in the same location:
/usr/local/gwh/scripts/common/sitesdir/hpux/makesitesdir
/usr/local/gwh/scripts/common/sitesdir/hpux/sitesdir.tar
/usr/local/gwh/scripts/wls92_hpux_11.23_itanium
/usr/local/gwh/scripts/tarballs/wls92/<tarball name>
for example
/usr/local/gwh/scripts/tarballs/wls92/server923_generic_hpux_itanium_11.23.jar
/usr/local/gwh/scripts/tarballs/java/hpux/<tarball name>
for example
/usr/local/gwh/scripts/tarballs/java/hpux/jdk1.5.0_13.tar.gz
At some time the scripts and tarballs will be put into an OpsWare ISM and you will be able to use OpsWare
SAS to setup the HP HS Administration Server WebLogic scripts but they are not there at this time.
In general the contents of /usr/local/gwh/scripts/tarballs/wls92 will look similar to the following (note with
each block point these files/directories may be changed):
-rwxr-xr-x 1 phreak ed 292020417 server923_generic_hpux_itanium_11.23.jar
1 wlsins gwlsins   2978 Aug 13 2007 wls-logrollover.sh
1 wlsins gwlsins   2976 Aug 13 2007 wls-logrollover-admin.sh
1 wlsins gwlsins   5734 Aug 13 2007 stop_instance
1 wlsins gwlsins   3404 Aug 13 2007 startManaged_instance
1 wlsins gwlsins   1898 Aug 13 2007 start
1 wlsins gwlsins   7310 Aug 13 2007 makemeadmin
1 wlsins gwlsins    440 Aug 13 2007 deploysample_single921.py
1 wlsins gwlsins    452 Aug 13 2007 deploysample_ncha921.py
1 wlsins gwlsins    440 Aug 13 2007 deploysample_clus921.py
1 wlsins gwlsins   7705 Aug 13 2007 createnonhaclusdomain921.py
1 wlsins gwlsins    512 Aug 13 2007 admincopy_cron.sh
1 wlsins gwlsins   3723 Aug 13 2007 admincopy
1 wlsins gwlsins   1294 Aug 13 2007 ALPHABUILD.txt
1 wlsins gwlsins   6432 Aug 13 2007 createsinglecelldomain921.py
1 wlsins gwlsins   7121 Aug 13 2007 createnonclustereddomain921.py
1 wlsins gwlsins   7849 Aug 13 2007 createdomain921.py
1 wlsins gwlsins     55 Sep  4 2007 test.txt
1 wlsins gwlsins  10488 Dec  2 2007 setDomainEnv.sh
1 wlsins gwlsins   2719 Sep 15 2008 server.conf_09152008
1 wlsins gwlsins   3440 Oct 30 2008 stop
1 wlsins gwlsins   2241 Nov 21 2008 start_instance
1 wlsins gwlsins   1245 Nov 24 2008 install_users.ldif
1 wlsins gwlsins    968 Nov 26 2008 user_list.txt
1 wlsins gwlsins     51 Nov 26 2008 middleware_support_domain_info
1 wlsins gwlsins  12674 Nov 26 2008 middleware_support.ldif.0304091428
1 wlsins gwlsins   2439 Nov 26 2008 create_middleware_support_ldif.sh
1 wlsins gwlsins  50095 Dec  4 2008 InMemRepClient_scell.war.working
5 wlsins gwlsins    512 Dec  4 2008 jesstmp2
1 wlsins gwlsins  50107 Dec  4 2008 InMemRepClient.war
1 wlsins gwlsins  50096 Dec  4 2008 InMemRepClient_scell.war
1 wlsins gwlsins  27937 Dec  4 2008 InMemRepClient_clus.war
binaries:
[directory listing; file names not recoverable; entries owned by wlsins:gwlsins, three by root:other]
addl-instance:
total 486
1 wlsins gwlsins   7849 Aug 13 2007  createdomain921.py
1 wlsins gwlsins    921 Aug 13 2007  create_machine.py
1 wlsins gwlsins    960 Aug 13 2007  assign_instance_to_machine.py
1 wlsins gwlsins   4001 Aug 13 2007  assign_instance_2_machine
1 wlsins gwlsins   1294 Aug 13 2007  ALPHABUILD.txt
1 wlsins gwlsins   1362 Oct 26 2007  server.conf.b44q2007
1 wlsins gwlsins  10488 Dec  2 2007  setDomainEnv.sh
1 wlsins gwlsins   6452 Jan 27 08:24 startWebLogic_instance
1 wlsins gwlsins  57860 Apr  6 22:07 makeaddlinstance
1 wlsins gwlsins  20017 Apr  6 22:20 makeaddlinstance_admin
1 wlsins gwlsins   3899 Apr  6 22:21 configureaddlinstance921.py
1 wlsins gwlsins   4184 Apr  6 22:21 configureaddlinstance921_clus.py
2 wlsins gwlsins   1536 Apr 10 19:20 configs
1 wlsins gwlsins  28121 Jun  2 15:42 install_addl_instance.orig
1 wlsins gwlsins  28272 Jun  2 15:43 install_addl_instance
1 wlsins gwlsins  12675 Jun  2 17:28 install
1 wlsins gwlsins   1258 Jun  2 17:30 server.conf
6) When prompted to enter a pass phrase for the root certificate, enter b00gie5r (those are
zeros)
7) Create the directory
a) /usr/local/gwh/scripts/wls92_hpux_11.23_itanium/binaries/gwhsslcerts/wls92
on the pre-production administration server (for example usplgmad001) and copy these
files to that server/directory. Verify that the file ownership and privileges are set the same
on both administration servers. It is expected that all certificates will be created and
signed using the production administration server and the preproduction administration
server will only be used in cases where disaster recovery is necessary.
$APPSERVERHOSTNAME.key.pem
$APPSERVERHOSTNAME.cert.pem
$APPSERVERHOSTNAME.req.pem
Install Binaries
NOTE: do this once for each application server that will host WebLogic 9.2
Expected Time to Install Binaries is approximately 45 minutes depending on whether this is
your first time using these instructions, the speed of your application server host and the
speed of your network.
Complete the following for each physical application server that you need to install the
WebLogic 9.2 Binaries on:
1. If the application servers are deployed behind a load balancing device then verify that
a NAT exists for each of the application servers on the load balancing device that is in
front of them. This NAT will be used by the extranet web servers to access WebLogic
9.2 and also by the Application Owners, Web Masters and Engineers to access the
Administration Console for each domain. The engineer assigned to the project should
have submitted a work order for this NAT to be created.
2.
3.
4. Type
1. cd /usr/local/gwh/scripts/wls92_hpux_11.23_itanium/binaries
directory
5. If you want the installation information to be prepopulated edit the server.conf with
the BEAHOME and APPSERVER information before running the install script.
6. If more than one instance of the binaries are required on the same server then the
following directory structure can be followed
(a) In case of non standard directory structure or
/wls92pkg1/usr/local/bea/wls92a (for the first instance)
and /wls92pkg2/usr/local/bea/wls92b (for the second instance) and so on.
Please note that even though the PREFIX differs (wls92pkg1 vs
wls92pkg2) it is NOT possible to have the same BEAHOME. The BEAHOME (in
this example wls92a vs wls92b) should be different.
(b) Whenever WebLogic is installed into a non standard directory, create
a soft link wls92 to the BEAHOME. In the above examples,
i.e. /wls92pkg1/usr/local/bea/wls92a
and /wls92pkg2/usr/local/bea/wls92b, create the link as follows:
cd /wls92pkg1/usr/local/bea
ln -s wls92a wls92
cd /wls92pkg2/usr/local/bea
ln -s wls92b wls92
8) Note you can pre-configure the answers to the install script by editing the server.conf file.
In most cases the only items you need to change in this file would be the BEAHOME,
VENDORDIR, APPSERVER and APPSERVER DOMAIN, most other entries should be left at
their default values. If you change any other values then be sure to change them back to
their default values after the installation is complete.
9) This build gives the flexibility to install WLS binaries into the standard directory structure as well
as into a non standard directory structure. The non standard directory structure is limited to
one prefix directory off of root, which is prepended, making it /PREFIX/usr/local/bea. If
binaries are being installed into a non standard directory structure then the GWH dir also
reflects the non standard directory structure.
10) When the installation completes successfully, or even if it fails, manually
verify that there are no directories or files associated with this or a previous WebLogic install in
the install tmp directory (for example /var/tmp or /tmp) that have permissions of 777. If
they exist they need to be removed.
11) Type ./install
12) Enter values for the following variables:
Variable Name / Description of Variable
VENDORDIR: Standard: /usr/local/bea; Non Standard: /PREFIX/usr/local/bea, for e.g. /wls92pkg/usr/local/bea
BEAHOME: wls92
Standard directory structure: /usr/local/gwh; Non standard directory structure: /PREFIX/usr/local/gwh
APPSERVER: appserver name, triras001
APPSERVERDOMAIN: iweb.gm.com
5000
SERVUID
5000
13)NOTE: The following files are created on the administration server in For Solaris
/usr/local/gwh/scripts/wls92_hpux_11.23_itanium/binaries/configs in case you want to
review the output of the script after it has been run:
Log File Name
Wlsbin.cfg.<BEAHOME>.<APPSERVER>.out
wlsbin.cfg.<BEAHOME>
15) Create the following cron job for the root UNIX user id (note that /usr/local/bea/wls92
should be replaced with the BEAHOME for the binaries that you just installed):
30 1 * * * /usr/local/bea/wls92/admincopy_cron.sh > /dev/null 2>&1
Or for Non standard directory structure
30 1 * * * /PREFIX/usr/local/bea/wls92/admincopy_cron.sh > /dev/null 2>&1
16) Make sure that the UNIX user ID that owns the binaries (for example Bwls92) is set so
that its password is non-expiring.
17) Manually add the Bwls92 (or B$BEAHOME) ID to the cron.allow file.
a) Please note that the cron.allow file can be found on HPUX 11.23 OS under
18)For each set of binaries that hosts admin instances that are configured in an HA domain
that is deployed across multiple physical servers configure SiteScope admincopy monitor.
19) In order to be TSS compliant you must import the self-signed SSL Certificate Root
Authority Certificate into your browser. Below are instructions for importing into Internet
Explorer and Netscape browsers. If a customer requests a copy of the ca.cert.pem file you
can send it to them.
a) Internet Explorer
i)
Click "Next" at the "Welcome to the Certificate Import Wizard" dialog box
ix) Use the "Browse..." button to find the certificate file you saved to your file system
x) Make sure the "Files of type" drop down has "All files" selected
xi) Select the certificate file and click "Open"
xii) Click "Next"
xiii)
The "Place all certificates in the following store" is selected and the store
is set to "Trusted Root Certification Authorities"
xiv)
Click "Next"
xvii)
b) Netscape:
i)
ii) Click "Next" when prompted with the "New Site Certificate" dialog box
iii) Click "Next" at the next dialog box ("Certificate for: EDS, Signed by: EDS...")
iv) Select "Accept this certificate forever" if you do not want to be asked to accept
this certificate again.
v) Click "Next"
vi) Click "Next"
vii) Click "Finish"
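The check in step 10) of Install Binaries (no install remnants with permissions of 777 in the install tmp directory) can be run as follows. This is an added example, not part of the build scripts: it assumes the remnants carry the wls_install prefix from the TMPDIR setting shown in the Installation section, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list leftovers of a WebLogic install under the temp
# directories whose mode has all of rwxrwxrwx set (777, including 1777 etc.).

find_777_remnants() {   # args: temp directories to inspect, e.g. /var/tmp /tmp
    for dir in "$@"; do
        dir=${dir%/}                      # "/var/tmp/" and "/var/tmp" behave alike
        [ -d "$dir" ] || continue
        # -path limits the search to wls_install* and everything beneath it.
        # Symbolic links are skipped because their own mode always reads as 777.
        find "$dir" -path "$dir/wls_install*" ! -type l -perm -0777 -print 2>/dev/null
    done | sort
}

# Print the offending paths and return 1 if any exist, 0 if the area is clean.
check_install_tmp() {
    found=$(find_777_remnants "$@")
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Usage: check_install_tmp /var/tmp /tmp
```

The function only reports; removal is left to the installer so that each path can be reviewed first.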
129.124.60.82
Domain
Name
eabp
Managed
Instance
eabp001
USPLSONST797 1 cpu
129.124.60.83
eabp
eabp002
USPLSONST798 1 cpu
129.124.60.84
eaon
eaon001
USPLSONST799 1 cpu
129.124.60.86
eaon
eaon002
If you require assistance with your license keys, please contact by sending an email to
licensecodes_ww@oracle.com
See the Product Licensing, Warranty, and Upgrades section of the document for license
information.
2. Type hostname. This will return the name of the host, e.g. usplgmas001
3. Look up the IP address in /etc/hosts for the name returned by the hostname
command. This is the IP address that should be used to create the license.
The license that is originally installed with the binaries is an evaluation license. Please perform
the following on each application server that the binaries were installed on to update the
license to a production license:
1. Login to the application server as root.
2. Type cd <BEAHOME>, for example cd /usr/local/bea/wls92 or
/PREFIX/usr/local/bea/wls92
3. Type cp license.bea license.bea.orig
4. Make sure a copy of the valid/new license is located in this directory
5. Type cp license_update_file license.bea.
NOTE: license_update_file is the name of the valid/new license file.
6. This will overwrite the new license over the top of the original license.bea file.
7. Save a copy of your updated license.bea file in a safe place such as the
/home/<installid>/wls_license directory on the admin server outside the WebLogic
directories. Although no one else can use your license file, you should save it in a
place that is protected from both malicious and innocent tampering.
8. If there are WebLogic 9.2 domains installed that will use this license restart the
domains and ensure that they startup properly.
Install Domain
NOTE: complete the following once for each new WebLogic 9.2 site
The domain installation will check to ensure the WebLogic 9.2 binaries or BEAHOME exists on
the server(s) on which the domain is being installed. If the binaries or BEAHOME does not
exist, the domain installation will fail.
A typical WebLogic 9.2 site in HP HS consists of:
1) A WebLogic 9.2 domain (containing a WebLogic 9.2 admin server and 2 managed server
instances on 2 physically separate servers -- one managed server instance will reside on
the same physical server as the admin server.)
Expected Elapsed Time to Install an HA Clustered Domain is 45 minutes per server (this
includes the time it takes to gather information for the installation such as app server name.)
NOTE: If you are installing BEA WebLogic 9.2 on the same server as the web server, please
install the application server components first, and install the web server components later
with the -x option. This option was added to support the VSP project, which needed to install a
WebLogic Cluster on the same two machines as the Web Server instances. It is described in
the online help for the ws-site install script as (toggles CREATE_SITESDIR to no). After the
web server installation, check the /sites/<shortname>/site/common/logs directory and make
sure all the WLS log directories and the files/subdirectories in those directories are owned by
the B<shortname>:g<shortname> UNIX user ID and group. If they are not, change the
ownership of only the WLS log directories and the files/subdirectories in those directories to
the B<shortname>:g<shortname> UNIX user ID and group.
NOTE: You should not try to install the same site in preproduction and production
simultaneously unless you are installing from separate administration servers, otherwise, the
installations will fail as the configuration files created by the install scripts will only work for
one of the installs at a time.
Overview
Operations Guide Content
There are 4 different ways to install a WebLogic 9.2 domain using this templated build:
1. Install a domain using the DOHACLUS=true entry in server.conf. This will install an
admin instance on 1 physical application server and two managed server instances
clustered across 2 physical application servers. This assumes that the admin instance
will be installed on the same physical server as the 1st managed server instance and
that DONONHACLUS, DONOCLUSHA and DOSINGLECELL server.conf entries are set to
false.
2. Install a domain using the DONONHACLUS=true entry in server.conf. This will install
an admin instance and two managed server instances clustered on 1 physical
application server. This assumes that the DOHACLUS, DONOCLUSHA and
DOSINGLECELL server.conf entries are set to false.
3. Install a domain using the DONOCLUSHA=true entry in server.conf. This will install an
admin instance and one managed server instance on one physical application server
and a second managed server instance on a second physical application server. The
managed server instances will not be clustered together. This assumes that the
DOHACLUS, DONONHACLUS and DOSINGLECELL server.conf entries are set to false.
4. Install a domain using the SINGLECELL=true entry in server.conf. This will install an
admin instance and 1 managed server instance on 1 physical application server. This
installation option is meant for sites using the Advantage license which does not
support WebLogic clustering. Additional instances can be installed, either on the same
physical server or a new physical server to provide for some failover but session
failover will not work. This assumes that the DOHACLUS and DONONHACLUS and
DONOCLUSHA server.conf entries are set to false.
In addition to the above there is a variable named DEV in server.conf. If this domain is being
installed in the HP HS development environment then enter DEV=true, otherwise enter
DEV=false. This variable is mainly used to make sure the system password in the
development environment is different from that in the pre-production and production
environments.
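The four install modes are mutually exclusive and DEV must be set explicitly, so the flags can be checked before the install is run. The following is an added example, not part of the templated build scripts: it assumes server.conf holds plain KEY=value lines, uses the DOSINGLECELL spelling that items 1 to 3 use, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check of the install-mode flags in server.conf.
# Assumption: server.conf holds plain KEY=value lines.

MODES="DOHACLUS DONONHACLUS DONOCLUSHA DOSINGLECELL"

# conf_get FILE KEY -> value of the last uncommented KEY= line, or empty.
conf_get() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# check_install_mode FILE -> prints "<MODE> DEV=<value>" and succeeds only
# when exactly one mode flag is true, the other three are explicitly false
# and DEV is true or false. The body is a subshell so variables stay local.
check_install_mode() (
    count=0 rc=0 selected=""
    for key in $MODES; do
        val=$(conf_get "$1" "$key")
        case $val in
            true)  selected=$key; count=$((count + 1)) ;;
            false) ;;
            "")    echo "ERROR: $key is not set"; rc=1 ;;
            *)     echo "ERROR: $key=$val (expected true or false)"; rc=1 ;;
        esac
    done
    if [ "$count" -ne 1 ]; then
        echo "ERROR: $count install modes are true, expected exactly 1"
        rc=1
    fi
    dev=$(conf_get "$1" DEV)
    case $dev in
        true|false) ;;
        *) echo "ERROR: DEV='$dev' (expected true or false)"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "$selected DEV=$dev"
    exit "$rc"
)

# Constructed sample: HA cluster install outside the development environment.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# install mode: exactly one of the four may be true
DOHACLUS=true
DONONHACLUS=false
DONOCLUSHA=false
DOSINGLECELL=false
DEV=false
EOF
check_install_mode "$sample"
rm -f "$sample"
```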
Install Instructions
1. You will need to get the following from the Web Administration Team
2. 5 consecutive ports in the 7000 range (the Web Administration Team will only give you
the first port in this range, and you should assume the next 4 are dedicated for your
application):
a.
b. SSL WebLogic 9.2 domain administration port ("Non-SSL WebLogic 9.2 domain
administration port" + 1)
c. WebLogic 9.2 cluster port ("Non-SSL WebLogic 9.2 domain administration port" +
2)
d. WebLogic domain wide administration port (Non-SSL WebLogic 9.2 domain
administration port + 3)
e. Reserved for future use
10 consecutive ports in the 15000 range (the Web Administration Team will
only give you the first port in this range, and you should assume the next
9 are dedicated for your application):
i. Non-SSL 1st & 2nd managed server instance Port
ii. SSL 1st & 2nd managed server instance port ("Non-SSL 1st & 2nd
managed server instance Port" +1)
iii. Managed server instance administration port (local administration port
override ) (Non-SSL 1st & 2nd managed server instance port +2)
iv. 7 ports reserved for future expansion of the site (additional instances)
3. Note for custom installations: If you are installing a non-HA deployment with multiple
managed server instances you will need to ask for the following because your 1st and
2nd Managed Server Instances can not run on the same IP address and same port as
they do in an HA cluster:
a.
b.
cd /usr/local/gwh/scripts/wls92_hpux_11.23_itanium/wls-as
directory
The WEBADMINID entered in the install menu (below) should NOT exist in the
middleware_support.ldif or the ldif import will fail. Please double-check the contents of the
middleware_support.ldif to ensure the WEBADMINID (the EDSNET ID of the installer) is not in
the ldif file before the installation begins.
Description of Variable
SHORTNAME: test
APPSERVER1: triras001
APPSVRDNS: iweb.gm.com
ADMIN_PORT: 7000
15000
MCAST_ADDR: 239.1.0.1
50518
SERVUID: 50518
PREFIX: Standard value is /
VENDORDIR: Standard: /usr/local/bea. Non standard: /<PREFIX>/usr/local/bea, for e.g. /wls92pkg/usr/local/bea
Standard: /sites. Non standard: /<PREFIX>/sites, for example /wls92pkg/sites
GWHDIR: Standard directory structure: /usr/local/gwh. Non standard directory structure: /<PREFIX>/usr/local/gwh, for example /wls92pkg/sites
BEAHOME: wls92
Test123+
WEBADMINID: zzgm4j
WEBADMINIDPW
Numeric
Test123+
test1234
KEYKEYPASS: start1234
ORACLEVER: 11g
APPSERVER2: triras002
site.cfg.wls.<SHORTNAME>.as1
site.cfg.wls.<SHORTNAME>.as2
site.cfg.wls.<SHORTNAME>.as1.out
site.cfg.wls.<SHORTNAME>.as2.out
server.conf
The install script writes the total number of OK, WARNING and ERROR messages
that occurred during the install. If in doubt you should grep the *out files for your
installation for "ERROR", "WARNING", or "Failed" to see if there were any errors
during the installation.
To test that the domain was installed correctly, use the following URLs (replacing the
necessary server DNS names and ports based on the information you ran the
installation with):
https://triras003.iweb.gm.com:7023/console
If instances are clustered:
http://triras003.iweb.gm.com:15020/InMemRepClient_clus/Session.jsp
http://triras004.iweb.gm.com:15020/InMemRepClient_clus/Session.jsp
If instances are not clustered:
http://triras003.iweb.gm.com:15020/InMemRepClient_scell/Session.jsp
http://triras004.iweb.gm.com:15020/InMemRepClient_scell/Session.jsp
If the sample application is not deployed then please refer to the Deploy the Sample
Application section of this document for information on how to deploy the sample
application.
The wls_install_<shortname>_date/timestamp.out file will be created in the domain
root (/<VENDORDIR>/<BEAHOME>/domains/<SHORTNAME>) directory. This should
contain only INFO messages, with no WARN or ERROR messages.
15. Important TSS NOTES:
A. Using a web browser, access the admin console and deselect the Listen Port
Enabled entry for the administration server instance only. Restart the admin
instance to make the change take effect.
B. The automatically generated webadmin, gwheng and shortname_deployer IDs
should already be deleted from the embedded LDAP. A deployer ID tied to a
specific user ID (or multiple deployer IDs) needs to be created for each person
that is to deploy code. Please set the ID's password to something that is
specific to the site (not easily guessable) and notify the application owner of
the id/password combination. Verify a signed systems access and security
request form exists for each user on the system.
16. All B<shortname> ids should be non-expiring batch IDs. These IDs should never
expire their passwords or the nightly cronjob to rotate log files may not work properly.
17. Remove the middleware_support.ldif file
18. In the create_middleware_support_ldif.sh script replace the domain/shortname with SHORTNAME
in all caps so the next installer can use find and replace to update that value.
19. In the create_middleware_support_ldif.sh script replace the temporary password with TEMPPW in
all caps so the next installer can use find and replace to update that value.
20. Email global distribution for the local Middleware/COTS support teams (Operations team members
that require Administrative access to WebLogic) about the installation, including the
shortname/domain name, admin URL, admin server name, and temporary password in the email.
The GM GSO GLOBAL SOFTWARE distribution list should only be in the bcc field of the email to
hide the list of recipients. The email should also state that all temporary passwords are required to
be changed by the individual user immediately. (General Motors UNIX Security Checklist item
1.2.3)
21. Make a note to log in to the application servers the day after the domain was installed
and validate that the cron job to rotate log files and, if applicable, the admincopy
portion of the log file rotation is working. You should see a gz file in
/sites/<shortname>/site/common/logs/92_dailybackups for the previous night to
ensure the log file rotation worked. If you do not, then check /var/cron/log or the
/sites/<shortname>/site/common/logs/wlscron.log file to see what type of error/issue
was encountered. To ensure the admincopy
portion of the log file rotation worked you should review the first application server's
/sites/SHORTNAME/site/common/logs/92_wlscron.log for any errors from the previous
night's cron run, specifically the copy of the admin files from the first server to the
second server in the domain. As a second check point to ensure the admincopy
portion of the log file rotation worked you should log in to the 2nd server in the domain
and cd to the domain root/admin_bak directory. Check to ensure the admincopy.tar.gz
file exists in that directory, that it has a file size greater than 0 and has the
date/timestamp of the previous night.
22. Configure the Event Monitors for the new domain.
23. To allow Deployer IDs access to manage JDBC elements complete the following (the
following is in red text because at the current time this does not work. A ticket has
been opened with Oracle and the vendor has confirmed this is a bug and has
submitted a request to Oracle engineering to provide a patch. When a patch is
available HP HS engineering will evaluate and apply the patch as appropriate):
a.
b.
c.
d.
e.
f.
g.
h.
i.
j.
k.
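The day-after checks in step 21 above can be scripted as follows. This is an added example, not part of the build: it approximates "previous night" as the last 24 hours, assumes a failed cron run leaves a line containing "error" in the cron log, and its function names and demo tree are hypothetical.

```shell
#!/bin/sh
# Added example: day-after checks for log rotation and the admincopy step.
# Assumptions: "previous night" is approximated as the last 24 hours, and a
# failed cron run leaves a line containing "error" in the cron log.

# fresh_nonempty FILE -> true if FILE is larger than 0 bytes and was
# modified within the last 24 hours.
fresh_nonempty() {
    [ -s "$1" ] && [ -n "$(find "$1" -type f -mtime -1 2>/dev/null)" ]
}

# check_log_rotation LOGDIR -> true if LOGDIR/92_dailybackups holds at least
# one non-empty .gz archive written in the last 24 hours.
check_log_rotation() {
    if [ ! -d "$1/92_dailybackups" ]; then
        echo "FAIL: $1/92_dailybackups does not exist"
        return 1
    fi
    recent=$(find "$1/92_dailybackups" -type f -name '*.gz' -size +0 -mtime -1)
    if [ -z "$recent" ]; then
        echo "FAIL: no new .gz archive; check /var/cron/log and $1/wlscron.log"
        return 1
    fi
    echo "OK: $recent"
}

# check_admincopy DOMAIN_ROOT -> run on the 2nd server in the domain.
check_admincopy() {
    if fresh_nonempty "$1/admin_bak/admincopy.tar.gz"; then
        echo "OK: admincopy.tar.gz is current"
    else
        echo "FAIL: $1/admin_bak/admincopy.tar.gz is missing, empty or stale"
        return 1
    fi
}

# cron_log_errors FILE -> prints how many lines of the cron log mention
# "error" (case-insensitive); fails only if the log cannot be read.
cron_log_errors() {
    [ -r "$1" ] || { echo "FAIL: cannot read $1"; return 1; }
    grep -ci 'error' "$1" || true
}

# Constructed demo tree standing in for /sites/<shortname>/site/common/logs
# and the domain root on the second server.
demo=$(mktemp -d)
mkdir -p "$demo/logs/92_dailybackups" "$demo/domain/admin_bak"
echo "rotated" > "$demo/logs/92_dailybackups/test4_admin.log.gz"
echo "archive" > "$demo/domain/admin_bak/admincopy.tar.gz"
printf 'admincopy start\nadmincopy done\n' > "$demo/logs/92_wlscron.log"
check_log_rotation "$demo/logs"
check_admincopy "$demo/domain"
echo "cron log error lines: $(cron_log_errors "$demo/logs/92_wlscron.log")"
rm -rf "$demo"
```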
2.
3.
4.
5.
6.
7.
8.
Set the B<shortname> Unix User ID's password on both application servers. Set the
ID password to be non-expiring. NOTE: If you do not do this, the nightly cron that
runs to rollover the log files and to copy admin instance information to the second
server in the cluster will not work properly. This means that you will not be able
to fail over the administration server to the second application server.
2. Configure the B<shortname> Unix User IDs that the domain was installed with so that
their passwords do not expire.
3.
4. Type ssh B<shortname>@appserver2.appsvrdns and make sure that you are able
to login without getting prompted for a password. NOTE: make sure you use the full
dns name and not just the hostname when you do this.
5. All B<shortname> ids should never expire their passwords or the nightly cronjob to
copy admin server instance files to the 2nd server in the cluster for failover purposes
may not work properly.
It takes approximately 45 minutes to install each additional instance (15 minutes to prepare, 15 minutes to
run the script and 15 minutes to validate the installation was successful.)
Notes for deploying additional instances:
If there are any existing changes to be activated in the WLS domain (for
example, if you log in to the admin console and the activate changes button is
available to click), then those changes should be activated before continuing
with this deployment or this deployment will likely fail.
Please stay out of the administration console during this installation. Do not
open a browser and browse the admin console during these updates. If
necessary temporarily change the deployer ID and system ID passwords
before starting the additional instance installation to keep all other potential
users out of the administration console during this change as well.
This deployment will not target the sample application to the new instance if it
is not part of an existing cluster. That is a manual step you will need to
perform after the script has finished running.
It was discovered during the testing of this build that when installing a domain,
if port 7001 is used as the non-SSL admin server port then the additional instance
install will potentially fail while setting the listen address. This was
investigated and the reason for this issue is that WebLogic is possibly using
7001 as a default port for various configuration purposes. There are a couple of
alternatives. The first is to avoid using port 7001 while installing any
WebLogic domains. However, if you are forced to use this port for any reason,
then on the HP admin server under
/usr/local/gwh/scripts/wls92_hpux_11.23_itanium/addl-instance do the
following steps:
1.
2.
After completion of the install it is required to put the original file back
by renaming configureaddlinstance921.py.orig to
configureaddlinstance921.py
Next instance name (for example, if gmbla001 and gmbla002 managed server
instances are already installed, the next instance name for the domain would be
gmbla003. You can view the currently installed managed server instance names in
the WebLogic 9.2 Administration Console using a browser).
2. NOTE: Because of the updates made to the config.xml file in WLST offline mode
(when the admin instance is down), you should only install 1 additional instance to a
domain at a time.
3. If you are adding an instance to a WebLogic 9.2 domain that consists of one or more
managed server instances that is/are not already part of a cluster and you want to
cluster the existing instance(s) and the new instance, use the following instructions to
create the cluster and then continue with the rest of this section. You can view
whether a cluster is installed and what instances are a part of it in the WebLogic 9.2
Administration console using a browser:
a. Click on Lock & Edit
b. Click on Environment
c. Click on Clusters
d. Click on New
e. Enter shortname_cluster in the Name field, for example test4_cluster. If
shortname_cluster already exists then enter the new cluster name.
f. Enter the multicast address and port assigned to the cluster in the appropriate
fields. If multiple clusters are deployed to this domain they should each have their
own unique multicast address and port.
j.
k. Make sure the instances to be added to the cluster are stopped. Please remember
if this is the first time WLST is being used for an instance it will take a minute or
two to stop the instance.
l.
that are now clustered and instead deploy the InMemRepClient_clus sample app to
those instances. Both sample applications are in the
/<VENDORDIR>/<BEAHOME>/domains/SHORTNAME/servers/SHORTNAME_admin/upload
directory or a non standard directory such as
<PREFIXDIR>/<VENDORDIR>/<BEAHOME>/domains/SHORTNAME/servers/SHORTNAME_admin/upload
on the server that hosts the domain's admin server. You will need to
first stop and undeploy the InMemRepClient_scell application from the instance(s) and
then use the instructions starting with #3 of the Deploy the Sample Application
section of this document to deploy the InMemRepClient_clus application.
5. On the EDS HS administration server cd
A. For HPUX Solaris /usr/local/gwh/scripts/wls92_hpux_11.23_itanium/addl-instance
6. You can pre-configure the answers to the install script by editing the server.conf file.
Ensure that the <installid> is added to the gwlsins group on the HP HS Administration
server for installation and configuration purposes. In the server.conf file make sure the
INSTALLID and INSTALLGRP are set to the <install id> and gwlsins. In most cases the
only items you need to change in this file would be the SHORTNAME, ADMINSERVER,
ADMIN_PORT, ADMINSVRDNS, APPSERVER, APPSVRDNS, SERVGID, SERVUID,
MGD_SVR_PORT, INSTANCENUM, and NEWSVR. If you are installing using
DONONHACLUS or DOSINGLECELL then you do not need to enter anything for
APPSERVER2, or you can leave whatever entry is there alone; the script will ignore it.
7. Following are the examples to set standard VENDOR dir and PREFIX parameters in
server.conf
A. Standard directory structure is required the
o
VENDORDIR=/usr/local/bea
PREFIX=/
SITES=/sites
GWHDIR=/usr/local/gwh
VENDORDIR=/wls92pkg/usr/local/bea
PREFIX=/wls92pkg
SITES=/wls92pkg/sites
GWHDIR=/wls92pkg/usr/local/gwh
8. If you are installing this instance on a server that already hosts this WLS domain for
this WLS version then you will need to find out what the CERTKEYPASS (see the stop
files for any of the instances in that domain on that server) and KEYKEYPASS are for
the existing SHORTNAMEkeystore.jks which is where the public and private key portion
of the SSL certificate are stored respectively. The KEYKEYPASS can be tested
manually before running the install by using a command for example:
As the Bshortname ID in the ~BSHORTNAME/JKS directory type
keytool -list -keystore SHORTNAMEkeystore.jks -storepass password
replacing the SHORTNAME and password entries as appropriate for this site.
The KEYKEYPASS value is not stored in any files in a user readable format so
this is something that the Operations team will need to keep track of in order
to maintain the environment.
9. If the following directory exists on the server/zone where the additional instance is to
be deployed make sure the permissions of the directory recursively are set to 770 then
continue with the installation: /var/tmp/wlstTemp/packages
10. When the installation completes, whether it succeeds or fails, manually verify
that there are no directories or files associated with this or a previous
WebLogic install in the install tmp directory (for example /var/tmp or /tmp) that have
permissions of 777. If they exist they need to be removed.
11. Type ./install
12. Enter values for the following variables. Please make sure the ip/port combination you
assign to the new instance is not already being used; the script will not validate this
for you, it will just fail if this is not the case:
Variable Name / Description of Variable
SHORTNAME: test4
ADMINSERVER: triras001
ADMIN_PORT: 7003
ADMINSVRDNS: iweb.gm.com
APPSERVER: triras001
APPSVRDNS: iweb.gm.com
50518
SERVUID: 50518
BEAHOME: wls92
the /usr/local/bea/wls92 directory. If WLS needs to be installed into a non standard directory
then a <prefix>/<vendordir><beahome> could be used. This means that an example of a non
standard directory is set to /wls92pkg/usr/local/bea/wls92. If for some reason this domain was
installed into a second, third, etc. BEAHOME, then change this entry accordingly. The following
is taken from the WebLogic 9.2 Gold Build documentation. This build is for 9.2MP2 or later so
the 9.2SP1 reference below is out of date but is what the Gold Build actually states: If you plan
on running multiple versions of WebLogic Server on the targeted server, use the following Home
Directory naming convention /usr/local/bea/wls92a, /usr/local/bea/wls92b, etc. The WebLogic
9.2 SP1 version has to be installed in the directory /usr/local/bea/wls92. If needed a non
standard directory structure can be accommodated by prepending with a prefix directory
MGD_SVR_PORT: 15003
INSTANCENUM: 003
NEWSVR: false
manual steps to take to get the boot.properties configured for this instance. This manual step
is documented below, but is not supported at this time and has not been tested. This option is
included for future enhancement purposes only.
CLUSTERED: true
If CLUSTERED=true then provide the name of the cluster here. The default for this value is
SHORTNAME_cluster.
test4_cluster
ORACLEVER: 11g
CERTKEYPASS: test1234
KEYKEYPASS: start1234
maintain the environment.
PREFIX
SITES
Standard is /sites. Non standard is <PREFIX>/sites, for e.g. /wls92pkg/sites
13. NOTE: The following files are created on the administration server in
site.cfg.wlsaddl.<SHORTNAME>.<INSTANCENUM>
server.conf
site.cfg.wlsaddl.<SHORTNAME>.<INSTANCENUM>.out
14. If you installed with CLUSTERED=true then, the sample application will get deployed
to the new instance as soon as it becomes part of the cluster assuming the cluster had
the sample application deployed to all servers in the cluster without issue before this
instance was installed.
15. If you installed with CLUSTERED=false then you need to manually deploy the sample
application to the new instance(s):
A. Restart the entire domain including the administration server instance. This
restart can be done in HA mode if the application requires it. Do not continue
until all instances in the domain are in RUNNING mode.
B. Using the system ID login in to the administration console for the domain.
C. Make sure there are no changes to activate. If there are then activate those
changes before continuing.
D. If the InMemRepClient_scell has NOT been deployed in the domain before
then use the following instructions otherwise continue with step E:
1. In the WLS Administration Console click Lock & Edit
2. Click Deployments (in the left navigation pane)
3. Click Install
4. Navigate to
/<VENDORDIR>/<BEAHOME>/domains/SHORTNAME/servers/SHORTNAME_admin/upload
or for non standard directories
<PREFIX>/<VENDORDIR>/<BEAHOME>/domains/SHORTNAME/servers/SHORTNAME_admin/upload
5. Select the InMemRepClient_scell.war file and click Next
6. Select Install this deployment as an application and click Next
7. Select the appropriate target(s) and click Next
8. Select Copy this application onto every target for me and leave
all other default values
9. Click Next
10. Click Finish
11. Click Activate Changes
12. Click Deployments (in the left navigation pane)
13. Place a checkmark in the checkbox next to InMemRepClient_scell and
click Start servicing all Requests
14. Click Yes, you should see the InMemRepClient_scell application State
change to Active.
E. If the InMemRepClient_scell is already deployed to existing instances in the
domain and you need to add the new instance(s) as target(s) for the
application then:
1.
2. Click on Deployments
3. Place a checkmark in the checkbox next to InMemRepClient_scell and
click Stop Force Stop Now
4. Click Yes
5. Click on the InMemRepClient_scell application link
6. Click on the Targets tab
7. Select the new instance to be targeted and click Save
8. Click Activate Changes
9. Click Deployments
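Steps 9 and 10 of the additional-instance procedure above (mode 770 on /var/tmp/wlstTemp/packages, and nothing with mode 777 left in the install tmp directory) can be audited with find. This is an added example, not part of the addl-instance scripts: the function names are hypothetical, the demo tree is constructed, and deciding which 777 entries belong to a WebLogic install is left to the operator.

```shell
#!/bin/sh
# Added example: audit of the install tmp directories for steps 9 and 10.

# list_777 DIR... -> prints every file or directory under the given install
# tmp directories whose mode is exactly 777. Symbolic links are skipped
# because on most systems they report 777 regardless of their target, and a
# sticky /tmp (mode 1777) does not match an exact 777 test.
list_777() {
    find "$@" ! -type l -perm 777 2>/dev/null
}

# check_recursive_770 DIR -> step 9. Succeeds when DIR does not exist or when
# DIR and everything below it has mode 770; otherwise prints the offenders.
check_recursive_770() {
    [ -d "$1" ] || return 0
    offenders=$(find "$1" ! -type l ! -perm 770 2>/dev/null || true)
    [ -z "$offenders" ] && return 0
    echo "$offenders"
    return 1
}

# audit_install_tmp PACKAGES_DIR TMPDIR... -> runs both checks, prints what
# needs attention and returns 1 if anything was found.
audit_install_tmp() {
    pkg=$1
    shift
    rc=0
    if ! bad=$(check_recursive_770 "$pkg"); then
        echo "Not mode 770 (chmod -R 770 $pkg):"
        echo "$bad"
        rc=1
    fi
    open=$(list_777 "$@" || true)
    if [ -n "$open" ]; then
        echo "Mode 777, remove if left by a WebLogic install:"
        echo "$open"
        rc=1
    fi
    return "$rc"
}

# On a real server: audit_install_tmp /var/tmp/wlstTemp/packages /var/tmp /tmp
# Constructed demo tree so the example runs anywhere:
demo=$(mktemp -d)
mkdir -p "$demo/tmp/wlstTemp/packages"
chmod 755 "$demo/tmp"
chmod 770 "$demo/tmp/wlstTemp"
chmod 750 "$demo/tmp/wlstTemp/packages"     # wrong: step 9 requires 770
: > "$demo/tmp/wlst_module.py"
chmod 777 "$demo/tmp/wlst_module.py"        # leftover that step 10 targets
audit_install_tmp "$demo/tmp/wlstTemp/packages" "$demo/tmp" ||
    echo "audit reported findings"
rm -rf "$demo"
```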
Definition / Sample Value
SHORTNAME: test4
SERVUSER: Btest4
SECOND_SERVER: jess-app-r-vs02.iweb.gm.com
BEAHOME
The VENDORDIR/BEAHOME/domains/SHORTNAME for the directory structure where the domain is installed
/wls92pkg/usr/local/bea/wls92/test4
Definition / Sample Value
VENDORDIR: Standard directories: /usr/local/bea. Non standard directories: /<PREFIX>/usr/local/bea, for example /wls92pkg/usr/local/bea
BEAHOME: wls92
SHORTNAME: test4
SERVUSER: Btest4
AS1_DNS: jess-app-r-vs01.iweb.gm.com
AS2_DNS: jess-app-r-vs02.iweb.gm.com
AS1: jess-app-r-vs01
AS2: jess-app-r-vs02
De-installation
Operations Guide Content
De-Install Binaries
Operations Guide Content
NOTE: Repeat the following steps on all of the application servers where the binaries exist.
IMPORTANT: Before removing the binaries from an application, be sure to stop any domains running on
those binaries and remove them before removing the binaries.
NOTE: Replace <BEAHOME> below with the name of the binaries that are being removed. For example,
the standard HP HS BEAHOME is wls92, but in some cases there may be a 2nd or 3rd set of binaries
installed.
1.
2.
3.
4. If this is the last set of WebLogic binaries in the /usr/local/bea directory, then remove the entire
/usr/local/bea directory.
5. Remove the B<BEAHOME> UNIX user ID from /etc/passwd and /etc/shadow.
6.
7. As root type pwconv to make sure the edits to /etc/passwd and /etc/group are finished.
8. If the admincopy_cron.sh for the set of binaries you are removing is configured for the root id cron,
remove the cron entry. Please note that each set of binaries has its own cron entry for the root id,
so there could be multiple cron entries that look similar; please do not delete the wrong one. If this
is the only set of WebLogic 9.2 binaries on the server then remove the wlsmon Solaris id from the
server as well. If you do not perform this task then please open up a request with the security team
to remove this id.
9.
De-Install Domain
Operations Guide Content
NOTE: Repeat the following steps on all of the application servers where the domain components exist.
IMPORTANT NOTE: Before removing the domain from an application, be sure to stop any instances
running in that domain.
NOTE: Replace <BEAHOME> below with the name of the binaries that the domain is installed in. For
example, the standard HP HS BEAHOME is wls92, but in some cases there may be a 2nd or 3rd set of
binaries installed.
1.
2.
3.
4. Type rm -rf <DOMAIN_NAME> where DOMAIN_NAME is replaced with the shortname for the
domain/site you are removing.
5.
6.
<SITES>/live/wls92
<SITES>/backup/wls92
<SITES>/upload/wls92
<SITES>/common/wls92
Remove the following entries from the B<shortname> crontab if they exist:
9
10 00 * * * /<VENDORDIR>/<BEAHOME>/wls92/domains/<shortname>/wlslogrollover.sh >> /<SITES>/<shortname>/site/common/logs/wlscron.log
1. Make sure that the ids and groups are removed from /etc/passwd and /etc/group, again, assuming
no other software or applications are using the id(s) or group(s).
2.
3.
De-Install Miscellaneous
Operations Guide Content
If WebLogic is de-installed then remove any SiteScope or BMC Patrol monitors that relate to the WebLogic
deployment (its processes or log files, for example).
If WebLogic is de-installed and if Control Tool was used in conjunction with the de-installed WebLogic then
remove the wls.cfg file in the /<SITES>/control/site/common/control_configs/<SHORTNAME> directory
along with the entry to the wls.cfg in the
/<SITES>/control/site/common/control_configs/<SHORTNAME>/<SHORTNAME>.cfg file
Non-Standard Configurations
There are no non-standard configurations documented in this guide. This guide documents a
standard WebLogic 10.3 deployment in HP HS.
Migration
Migration is out of scope for this build
Technical
Administrative / Back-End Access
There is not expected to be any special or non-standard uses of the Administrative / Backend interface.
The Middleware team must have highly available Unix shell and WLS Administration Console network
access. If an engineered work around is designed it must be highly available and must not include any
single points of failure.
Backup/Restore access to the application servers will take place through the back-end network. No other
access is expected to take place over the back-end network connection to the application servers.
Application Access
As detailed in the Architecture section of this document and in the GM Gold Build for WLS 9.2, end
users will access the application via the Sun Java System Web Server, which will use the BEA Plug-in
to communicate with the backend BEA WebLogic Servers. However, integration with the web server
is out of scope for the current HPUX build.
The HP HS Operations Team on the GM or HP Network will have system level access to the WLS
Admin Console via a browser using https*.
The Application Owner on the GM or HP Network will have deployer level access to the WLS
Admin Console via a browser using https*.
This assumes no dedicated firewalls are in place to stop traffic. If this happens the application
team needs to either provide a workaround or engage engineering to provide a workaround.
Application Testing
The sample application deployed as part of the WLS standard build can be used to validate
that WebLogic Server was installed correctly. This application will also be used after block
point patches to validate that infrastructure is still working properly.
A test guide will be created as a part of this project. All test cases in the Test Guide will be
performed and results will be documented. The Test Guide will be stored in the CVS
repository.
Attribute
General Description
HP HS Description
Name
Shortname
ClusterAddress
Comma-separated list of
single-address host names or
IP addresses
MulticastPort
A sample config.xml entry specifying the cluster name, address, and multicast address
follows:
<cluster>
  <name>test11_cluster</name>
  <cluster-address>jess-app-r-vs01.iweb.gm.com:16570,jess-app-r-vs02.iweb.gm.com:16570</cluster-address>
  <multicast-address>239.3.28.95</multicast-address>
  <multicast-port>7587</multicast-port>
  <weblogic-plugin-enabled>true</weblogic-plugin-enabled>
</cluster>
IP sockets are used for peer-to-peer communication such as replicating HTTP session states
and stateful session EJB states between a primary and secondary server instance and
accessing clustered objects that reside on a remote server instance. Servers broadcast their
heartbeat messages every 10 seconds. If a server monitoring the multicast address misses
three heartbeats from a peer server (30 seconds), the monitoring server marks the peer
server as failed. It then updates its local JNDI tree, if necessary, to retract the services that
were hosted on the failed server.
The following sections detail how clustering of JSPs, servlets, EJBs and JDBC configurations
works.
JMS
Most JMS queues used by WLS applications are configured as distributed destinations across the WLS
cluster. The exceptional cases are JMS queues that are targeted to single managed servers. If failover is
required for the queues that are targeted to single managed server instances, failover
instructions/configuration should be provided by the application owner.
JSP/Servlet Clustering
WLS provides clustering support for JSPs and servlets by replicating the session state of clients
that access them. To enable automatic failover of servlets and JSPs, session state must
persist in memory. Session replication occurs only if the session state is persistent. A session
state can be persisted in the following ways:
File-based persistence -- not recommended for use in HP HS (not capable of this unless
using a shared file system, which is not part of the HP HS WLS standard build)
Through load-balancing hardware (this is not included in the GM WLS 9.2 GBD and is
included here for informational purposes only).
Through a group of web servers configured identically with WebLogic proxy plug-ins. The
plug-in provides the logic necessary to locate the replica of a client's HTTP session state if
a WLS instance should fail.
JDBC Clustering
WLS allows you to cluster JDBC objects, including datasources. Each JDBC object configured
for the cluster must be targeted to each managed server in the cluster.
Clustering JDBC objects does not enable failover of connections. In other words, if a WLS
instance dies, any JDBC connections that it managed will also die, and the database will roll
back any transactions that were under way.
A server-side datasource will not go to another cluster member for its JDBC connections. The
connection is pinned to the local server instance for the duration of the database transaction
and as long as the application code retains it.
If a non-standard directory structure is used, the regular automated patching cannot be
applied; custom engineering is required for that purpose. The instructions are provided
without taking a non-standard directory structure into consideration. They can be leveraged
as far as possible, depending on the support scope for any given application.
The following is for informational purposes only. In general, no patches or maintenance packs should be
deployed without HP HS Engineering instructions.
Patching
Patches should always be applied to binaries, not to specific instances. In rare cases, and only after
Engineering has been consulted, patches may be applied specifically to instances and not binaries in an
emergency situation.
WebLogic security patches are generally provided in jar file format. In the past the HP HS standard
placement for the jar files was the /<VENDORDIR>/<BEAHOME>/weblogic92/patches directory (for
example /<VENDORDIR>/wls92/weblogic92/patches). This is no longer the case. BEA recommends the
use of the Smart Update utility to apply patches to WLS 9.2. Please see Appendix 3 of this document for
information on how to use the Smart Update tool.
Gather the domain embedded LDAP backup zip file, config.xml, SerializedSystemIni.dat and
all log files in /<SITES>/SHORTNAME/site/common/logs/tmp/ with an extension of .log
Append the current date to the file names.
Tar and gzip the files.
Move the tar/gzipped file to the /<SITES>/SHORTNAME/site/common/logs/92_dailybackups
directory.
Batch Processes
Note that admin failover is not in the scope of this build and hence anything specific to admin
failover is not tested.
Batch Process Component:
admincopy_cron.sh
Location:
/<VENDORDIR>/<BEAHOME>/admincopy_cron.sh
Notifications:
/var/tmp/admincopy_<beahome>.out
Timing:
Dependencies:
wls-logrollover.sh
Location:
Notifications:
n/a
sites/<SHORTNAME>/site/common/logs/wlscron.log
Timing:
Dependencies:
Embedded LDAP
The Embedded LDAP will only be backed up on the administration server instance. According
to BEA, you do not need to back up the LDAP data on a managed server instance because the
master LDAP server replicates the LDAP on each managed server instance as updates are
made to the master server. If a domain's administration server instance is unavailable, the
WebLogic security providers cannot modify security data. (The LDAP repositories on managed
server instances are replicas and therefore cannot be modified.)
By default the master embedded LDAP is backed up to a zip file in
/usr/local/bea/wls92/domains/SHORTNAME/servers/SHORTNAME_admin/ldap/backup/EmbeddedLDAPBackup.zip
each night at 23:05. Each backup file is kept for 7 days, which is the BEA
WLS default. As part of the nightly log file rollover cron job, each night's LDAP backup will be
copied and stored with its daily log files.
Control Tool
The control tool is out of scope.
Disaster Recovery
It is intended that each application that uses the WebLogic template will have a production and
a preproduction site that are in sync. The preproduction site will be used as the disaster
recovery site for any applications using the WebLogic template. The preproduction site must
be at a physically different location to qualify as a disaster recovery site.
Network
Each project that uses this template will have specific information regarding network
bandwidth required in each segment of the network that will be used, network interface
information, nonstandard networks or network configurations that will be used, any WAN
requirements, etc.
All WLS instances in a cluster and domain must reside on the same network subnet.
To install or patch WLS 9.2 a centralized administration server is required. For more
information please see the Create an EDS HS Administration Server section of this document.
WebLogic Server 9.2 and higher passwords are masked and never displayed in clear
text on any GM computing and communication device.
WebLogic Server 9.2 and higher passwords are always stored in encrypted form on
any GM computing and communication device.
Remote Access
End users will access the application via the Web Server, which will use the BEA Plug-in to
communicate with the BEA WebLogic Servers. However, providing integration instructions for the Web
Server and plug-in is out of scope for this project.
The HP SMC on the GM or HP Network will have system level access to the WLS Admin Console via
a browser using https.
The Application Owner on the GM or HP Network will have deployer level access to the WLS Admin
Console via a browser using https.
The HP HS Engineers on the GM or HP Network will have view/monitor level access to the WLS
Admin Console via a browser using https.
| Type of Remote Access | Security Level of Remote Access Type | Purpose | Description |
|---|---|---|---|
| WLS Administration Console | Deployer ID | To allow application owners to deploy ear/war files and create connection pools and / or datasources. | WLS Embedded LDAP ID |
| WLS Administration Console | Administration ID | To start/stop WebLogic instances and perform maintenance when necessary | WLS Embedded LDAP ID |
| WLS Administration Console | Backup Administration ID Backup system ID | | WLS Embedded LDAP ID |
| WLS Administration Console | Backup Administration ID Backup system ID | | WLS Embedded LDAP ID |
| WLS Administration Console | Backup Administration ID Backup system ID | | WLS Embedded LDAP ID |
| WLS Administration Console | Web Administration Team ID | To allow WebLogic system administrators access to troubleshoot the environment and make any required configuration changes. | WLS Embedded LDAP ID |
| WLS Administration Console | Engineering/Monitoring ID | To allow HP HS Engineers access to troubleshoot the environment. | WLS Embedded LDAP ID |
Reporting
Even though it is possible to analyze the WLS managed server instance access logs using a
tool like Webalizer or WebTrends, this is not included in this project.
Standard availability reports as detailed in the HP HS contract will be provided to the customer
via the Global Visualization link at http://webwerks.gm.com.
OpsWare MAPL information can be found in this document in the following places:
WebLogic OpsWare Signature File
WebLogic OpsWare MAPL
Security
The Solaris and WebLogic software release builds either comply with the General Motors
Technical Security Standards and Information Security Practices and Policies or have submitted
the necessary deviations. If any customized changes to the Solaris or WebLogic software are
requested by non-EHS engineering teams or persons, the HP HS Operations Teams should validate
that Solaris (by the System Administrator) and the WebLogic software (by the WebLogic
Administrator) stay compliant with the General Motors Technical Security Standards and
Information Security Practices and Policies.
Verify a signed Systems Access and Security Request Form exists for each UNIX user on the
system (for example the Bshortname ID).
The following was taken from the GM ISP&P 2007: The recommended password
configuration should be a mix of the following combinations:
Upper case alpha (i.e., capital letter)
Lower case alpha
Numeric
1. Log in to the UNIX server where the WLS domain administration instance is running.
2. Become the B$SHORTNAME Unix user ID and type the following commands, substituting the
appropriate values for admininstanceurl, admininstanceport, and SITENAME:
java $JAVA_OPTIONS weblogic.WLST
connect(url='t3s://admininstanceurl:admininstanceport')
edit()        # switch to the edit tree; the default tree after connect() is read-only
startEdit()   # open the edit session that save() and activate() act on
cd('/SecurityConfiguration/SITENAME/Realms/myrealm/Auditors/')
delete('SITENAME_Auditor')
save()
activate()
exit()
3. Restart all instances in the domain including the administration server instance.
SSL
In the HP HS environment, the administration servers will be assigned a non-SSL and an SSL
port in the 7000 range but the non-SSL port will be disabled. All communications with the
administration server instance will be via SSL.
By default each managed server has both non-SSL and SSL mode enabled. The managed
server instances will be assigned a non-SSL and SSL port in the 15000 range.
The operations team may deem it necessary to use other ports for both administration and
managed server instances.
boot.properties
The boot.properties file located in
/<VENDORDIR>/<BEAHOME>/domains/SHORTNAME/servers/INSTANCE/security (for example
/usr/local/bea/wls92/domains/test4/servers/test4001/security/boot.properties) contains the
encrypted ID and password for the WebLogic server administration and managed server
instances in the domain. This file is used to pass the WLS_USER and WLS_PW values to the
start and stop scripts. This file will automatically be configured during the installation of the
domain in the HP HS environment. If the system password needs to change then the
encrypted portions of the boot.properties can be removed and replaced with plain text. When
the WLS admin server instance is restarted the new entries will be encrypted.
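A check that can follow such a password change, as an added example that is not part of the HP HS build: it walks a domain's servers/INSTANCE/security/boot.properties files and reports any username or password entry that is still plain text, without printing the values. It assumes the {3DES} or {AES} prefix that WebLogic puts on encrypted values; the function names and the sample domain tree are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not one of the HP HS scripts): find boot.properties entries
# that are still plain text, e.g. after a password change and before the
# admin server instance has been restarted.

# check_boot_properties FILE
# Prints "<key>: encrypted|PLAINTEXT|MISSING" for username and password.
# Values are never printed. Returns 0 only if both entries are encrypted.
# Assumption: encrypted values start with {3DES} (WLS 9.2) or {AES}.
check_boot_properties() {
    awk '
    /^[ \t]*[#!]/ || /^[ \t]*$/ { next }        # comments and blank lines
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
        val = substr($0, eq + 1);    sub(/^[ \t]+/, "", val)
        if (key != "username" && key != "password") next
        seen[key] = 1
        if (index(val, "{3DES}") == 1 || index(val, "{AES}") == 1) {
            state[key] = "encrypted"
        } else {
            state[key] = "PLAINTEXT"; bad = 1
        }
    }
    END {
        n = split("username password", keys, " ")
        for (i = 1; i <= n; i++) {
            k = keys[i]
            if (!(k in seen)) { state[k] = "MISSING"; bad = 1 }
            printf "%s: %s\n", k, state[k]
        }
        exit (bad + 0)
    }' "$1"
}

# scan_domain DOMAIN_DIR
# Checks servers/<INSTANCE>/security/boot.properties for every instance and
# prints "<instance> <key>: <state>". Returns 1 if any entry is not encrypted.
scan_domain() {
    rc=0
    for f in "$1"/servers/*/security/boot.properties; do
        [ -f "$f" ] || continue
        inst=$(basename "$(dirname "$(dirname "$f")")")
        out=$(check_boot_properties "$f") || rc=1
        printf '%s\n' "$out" | while IFS= read -r line; do
            printf '%s %s\n' "$inst" "$line"
        done
    done
    return $rc
}

# make_sample_domain DIR: constructed domain tree with two instances.
make_sample_domain() {
    mkdir -p "$1/servers/demo_admin/security" "$1/servers/demo001/security"
    # Restarted since the last change: both entries encrypted (constructed values).
    cat > "$1/servers/demo_admin/security/boot.properties" <<'EOF'
#Tue Jan 19 16:43:23 EST 2010
password={3DES}Y29uc3RydWN0ZWQtdmFsdWU\=
username={3DES}Y29uc3RydWN0ZWQ\=
EOF
    # Password replaced with plain text, instance not yet restarted.
    cat > "$1/servers/demo001/security/boot.properties" <<'EOF'
#Tue Jan 19 16:50:00 EST 2010
password=constructed-plain-text
username={3DES}Y29uc3RydWN0ZWQ\=
EOF
}

demo_dir=$(mktemp -d)
make_sample_domain "$demo_dir"
scan_domain "$demo_dir" || echo "plain-text credentials found"
rm -rf "$demo_dir"
```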
Embedded LDAP
When WLS is installed each site will have its own WLS embedded LDAP. The embedded LDAP
server is used as the security provider database for the WebLogic Authentication,
Authorization, Credential Mapping and Role Mapping providers. The embedded LDAP must be
the only repository for IDs used to access the WebLogic Administration Console.
The embedded LDAP server contains user, group, group membership, security role, security
policy, and credential map information. By default, each WebLogic Server domain has an
embedded LDAP server configured with the default values set for each attribute. The WebLogic
Authentication, Authorization, Credential Mapping, and Role Mapping providers use the
embedded LDAP server as their database.
Since the developers will use the Administration Console to deploy their application(s), the
embedded LDAP will contain the developers' IDs and passwords.
Each managed server instance contains a replica of the domain's embedded LDAP server. When
you use the embedded LDAP server in a WebLogic Server domain, updates are sent to a
master LDAP server. The master LDAP server maintains a log of all changes. The master LDAP
server also maintains a list of replicated servers and the current change status for each one. The
master LDAP server sends appropriate changes to each replicated server and updates the
change status for each server. This process occurs when an update is made to the master
LDAP server. However, depending on the number of updates, it may take several seconds or
more for the change to be replicated to the managed server. The master LDAP server is the
embedded LDAP server on the administration server. The replicated servers are all the
managed server instances in the WebLogic Server domain.
Caching of embedded LDAP entries will be configured by default. The cache size is set to 32
and the cache time to live is set to 60 seconds. These are both WLS default settings.
Each physical server that a WLS domain is installed on will be configured to keep a replica
copy of the embedded LDAP. One reason for this is to enable managed server independence;
another is to limit network traffic by configuring each managed server instance to use its own
copy of the embedded LDAP rather than the master embedded LDAP on the administration
server.
The managed server instances are not configured to refresh all embedded LDAP replicated
data at boot time because the expectation is that the embedded LDAP data will be fairly small
(about 10 user ID entries per domain) and because this data is not expected to change
often.
By default, the master LDAP server sends appropriate changes to each replicated server and
updates the change status for each server every 30 seconds.
The Master First option in the Embedded LDAP configuration page will not be selected. This
option specifies that connections to the master LDAP server should always be made instead of
connections to the local replicated LDAP server. Again, because the master LDAP is expected
to replicate with the managed servers' replica copies of the LDAP every 30 seconds and
because the data in the LDAP is not expected to be a large amount or to change very often,
this option will not be enabled.
User Lockout
Per the GM draft TSS for WebLogic, user lockout is enabled. The lockout threshold is set to 6.
This means a user's account (including the system user) will be locked for 30 minutes (lockout
duration) after 6 invalid login attempts. The Lockout Reset Duration is also set to 30.
When an ID is locked out of the environment a message like the following will occur in the
instance.log file:
####<Jan 19, 2010 4:43:23 PM EST> <Notice> <Security> <jess-app-rvs01.rel.gweb.eds.com> <test4_admin> <[ACTIVE] ExecuteThread: '3' for queue:
'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1263937403235>
<BEA-090078> <User system2 in security realm myrealm has had 6 invalid login
attempts, locking account for 30 minutes.>
When a user ID is locked out, the data owner must be notified to download or request log files
so the data owner can address the lockout.
Note: if the Middleware team account (system id) is locked out, no instances can be stopped
or started until the lockout timeout has occurred. In this case the system2, system3, system4
IDs can be used to unlock the system id.
Four additional system ids called system2, system3, and system4 are created as part of the
installation of each WLS domain (site). These ids are to be used in cases where it is
imperative to get access to an administration console when the system id has been locked out.
The boot.properties and stop files will have to be updated with this additional system id in
order to restart the system in these cases.
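Detection logic for the BEA-090078 message shown above, as an added example that is not part of the original guide: it extracts every lockout from an instance.log and marks a lockout of the system id as critical, since instances cannot be stopped or started while it is locked. The log lines are constructed in the format of the message above; the function names and the pipe-separated output are assumptions of the example.

```shell
#!/bin/sh
# Added example: report WebLogic account lockouts (message ID BEA-090078)
# found in an instance.log. All sample log lines below are constructed.

# find_lockouts FILE
# Prints one line per lockout:
#   user|realm|attempts|minutes|instance|timestamp|severity
# severity is CRITICAL for the "system" id, otherwise WARN.
find_lockouts() {
    awk '
    /<BEA-090078>/ {
        # A record is a sequence of <...> fields separated by "> <".
        n = split($0, f, "> <")
        if (n < 12 || f[11] != "BEA-090078") next     # incomplete record
        ts = f[1]; sub(/^####</, "", ts)
        msg = f[12]; sub(/>[ \t\r]*$/, "", msg)
        m = split(msg, w, " ")
        if (m < 17 || w[1] != "User" || w[5] != "realm") next
        user = w[2]; realm = w[6]; attempts = w[9]; minutes = w[16]
        sev = (user == "system") ? "CRITICAL" : "WARN"
        printf "%s|%s|%s|%s|%s|%s|%s\n", user, realm, attempts, minutes, f[5], ts, sev
    }' "$1"
}

# system_id_locked FILE: succeeds if the "system" id itself was locked out.
system_id_locked() {
    find_lockouts "$1" | grep -q '|CRITICAL$'
}

# write_sample_log FILE: constructed instance.log excerpt (hosts, instance
# names and the BEA-000000 message are made up for the example).
write_sample_log() {
    cat > "$1" <<'EOF'
####<Jan 19, 2010 4:40:02 PM EST> <Info> <Security> <app01.example.com> <demo_admin> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1263937202000> <BEA-000000> <Constructed message that is not a lockout.>
####<Jan 19, 2010 4:43:23 PM EST> <Notice> <Security> <app01.example.com> <demo_admin> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1263937403235> <BEA-090078> <User system2 in security realm myrealm has had 6 invalid login attempts, locking account for 30 minutes.>
####<Jan 19, 2010 5:02:10 PM EST> <Notice> <Security> <app01.example.com> <demo001> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1263938530000> <BEA-090078> <User system in security realm myrealm has had 6 invalid login attempts, locking account for 30 minutes.>
EOF
}

sample_log=$(mktemp)
write_sample_log "$sample_log"
find_lockouts "$sample_log"
system_id_locked "$sample_log" && echo "system id locked: use a backup system id"
rm -f "$sample_log"
```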
Users
As stated above, there is the main system user id (system) which is used to run the WLS
domain. A system2 id will be used in case the system id gets corrupted or locked out.
Developer id(s) will be created for the domain to be used by the application owner(s) or
developer(s) to deploy code.
WLS is installed with five default groups:
Group Name
Permissions
Administrators
AppTesters
Operators
group is empty. This group will not be used
in the HP HS design.
Deployers
Monitors
Steps for creating and removing groups from domain configurations will not be included in the
Operations Guide for this project. It is assumed that if groups are required to be created, they
will be created in an external LDAP.
The only users that will be defined in the WLS security realm are the Middleware team ids and
the developers' deployer ids. All user and group names will be unique per domain. Manual
steps for creating and removing user ids from WLS domains will be included in the Operations
Guide section of this document.
Because external LDAP or portal connectivity configured at the Sun Web Server layer is
expected to be used for any application level access restriction, WLS Roles (which dynamically
calculate access, for example, based on time of day) will not be defined in this design.
Firewall Rules
A firewall rule will need to be opened on the GM Firewall from the HP HS Extranet web servers
to the HP HS Intranet application servers using HTTP on ports in the 15000 range (or the
range that the WebLogic Server Managed Server Instances are configured to use).
If WebLogic Server is to be deployed to an environment that includes a dedicated network with
dedicated firewalls, the dedicated firewall should be opened to allow HP HS Engineering and the
HP HS Middleware teams access via the HP network or HP VPN to the WebLogic Admin Console via
HTTPS, WebLogic managed server instances via HTTPS and HTTP, and Unix shell access via
SCP and SSH. If this access cannot be granted then point solution custom engineering will be
required to provide a highly available workaround.
Software Discovery
OpsWare MAPL information can be found in this document in the following places:
WebLogic OpsWare Signature File
WebLogic OpsWare MAPL
Storage
The WLS installation will use the standard HP HS Storage Area Network.
The WLS installation scripts will not be written to install WLS on a network attached storage
file system shared with any other server/zone. This does not preclude the use of NAS by
individual applications for shared application data.
User Management
There should be no shared or group in accordance with site security policy.
Please see the following sections of this document for user management information:
Embedded LDAP
J. In the stop and stop_instance script(s), on all servers where the domain was
installed, comment out the URL=t3:// entry and uncomment the URL=t3s://
entry.
M. In the start_instance script(s), on all servers where the domain was installed,
comment out the two t3:// entries and uncomment the two t3s:// entries.
N. Stop all server instances, including the admin instance (you may have to kill
the processes) for this domain. (The managed server instance(s) should
already be stopped.)
O. If this domain was installed on more than one physical server then complete
the following, otherwise start the administration and managed server instances
for this domain:
1. On the first and second physical servers cd to the domain root (for
example, /<VENDORDIR>/wls92/domains/<shortname>).
2. Type mv JKS JKS.orig
3. Copy the first physical server's
/<VENDORDIR>/wls92/domains/<shortname>/JKS.orig directory to
the second physical server
/<VENDORDIR>/wls92/domains/<shortname>/JKS directory,
preserving file ownership and permissions.
4. Log in to the second physical server as the B<shortname> ID
5. Type cd JKS
6. Set the following variables as appropriate (comments are noted below
as examples):
VENDORDIR=/usr/local/bea or /<PREFIX>/usr/local/bea
BEAHOME=wls92
WLSJDKVER=jdk150_13
APPSERVER=          # triras001
APPSERVERDOMAIN=    # iweb.gm.com
KEYPASS=b00gie5r
LOCALE=             # locality; referenced as L=$LOCALE in the keytool -dname
STATE=              # Michigan
SHORTNAME=
7. Run the following commands (note each of the following 3 commands
should all be on one line):
a. $VENDORDIR/$BEAHOME/$WLSJDKVER/bin/keytool -genkey -keyalg RSA -dname "CN=$APPSERVER.$APPSERVERDOMAIN,OU=HS,O=EDS,L=$LOCALE,S=$STATE,C=US" -keystore $VENDORDIR/$BEAHOME/domains/$SHORTNAME/JKS/${SHORTNAME}keystore.jks -alias $APPSERVER.$APPSERVERDOMAIN -keysize 1024 -keypass $KEYPASS -storepass $KEYPASS -validity 2555
b. $VENDORDIR/$BEAHOME/$WLSJDKVER/bin/keytool -export -alias $APPSERVER.$APPSERVERDOMAIN -file $VENDORDIR/$BEAHOME/domains/${SHORTNAME}/JKS/$APPSERVER.$APPSERVERDOMAIN.pem -keystore $VENDORDIR/$BEAHOME/domains/${SHORTNAME}/JKS/${SHORTNAME}keystore.jks -storepass $KEYPASS -rfc
c. $VENDORDIR/$BEAHOME/$WLSJDKVER/bin/keytool -import -alias $APPSERVER.$APPSERVERDOMAIN -file $VENDORDIR/$BEAHOME/domains/${SHORTNAME}/JKS/$APPSERVER.$APPSERVERDOMAIN.pem -keystore $VENDORDIR/$BEAHOME/domains/${SHORTNAME}/JKS/${SHORTNAME}trust.jks -storepass $KEYPASS -noprompt
8. Copy the second physical server's
/<VENDORDIR>/wls92/domains/<shortname>/JKS directory back to
the first physical server
/<VENDORDIR>/wls92/domains/<shortname>/ directory, preserving
file ownership and permissions.
You will need to be running software that will allow you to export your Display to your local client
(for example Exceed).
2.
3.
4.
5. Type cd /<VENDORDIR>/wls92/utils/bsu
6. Type ./bsu.sh
7.
8. If this is a brand new deployment of the WLS 9.2 binaries then enter your Support ID and Password
and click Work Offline. Otherwise enter your Support ID and Password in the appropriate fields
and click Login.
9. If you clicked Work Offline then you will need to configure your proxy information by clicking
File-Preferences from the main menu, then click the Proxy tab. Select the checkbox next to Use HTTP
Proxy and Use Authentication. Enter the appropriate information in the Host, Port, Username
and Password fields and click Save. Then click File-Login and reenter your Support ID and
Password and click Login. If you logged in already you do not need to do this.
10. Once logged in make sure the BEA Home is the expected BEA Home, for example
/usr/local/bea/wls92 or /<PREFIX>/usr/local/bea/wls92. Make sure you are on the Get Patches tab.
11. Select the checkbox in the Select column for any patches required and then click Download
Selected.
12. When prompted "Do you want Smart Update to check each patch for conflicts before download?"
select Yes, check for conflicts now, and then click OK.
13. If there are no conflicts you should see a dialog box stating No conflicts detected. Click OK. If the
dialog box shows conflicts then you will need to open a ticket with the vendor to determine if there is a
combo patch available for the conflicting patches or if one of the patches takes precedence over
the other.
14. If there are any private patches to be downloaded click Patches-Retrieve Private from the main
menu. Enter the Patch identifier (for example E36T) and the Passcode (generally supplied via a
support ticket with the vendor) in the appropriate fields and click Download. If prompted, check for
conflicts again.
15. Once all patches are downloaded click the Manage Patches tab.
16. You should see all new patches that were just downloaded in the bottom section of the Smart
Update screen under Download Patches.
17. For each patch click the Apply button associated with that patch.
18. Again, the patches will be validated before being applied. If there are no conflicts you should see a
dialog box that states No conflicts detected. Click OK. If you see a dialog box that shows
conflicts then again you will need to open a ticket with the vendor to determine if there is a combo
patch available for the conflicting patches or if one of the patches takes precedence over the other.
Sometimes there are no conflicts but Smart Update will tell you that one of the patches needs to be
installed before one of the other patch(es). If this happens you need to remove the patch noted in
the dialog box, apply the patch that should be applied first and then re-apply the other patch.
19. Select File-Exit from the main menu.
20. Once you have applied the patch(es) via the Smart Update GUI in Release, provide the ABCD.jar (for
example E36T.jar) file(s) along with the patch-catalog.xml file (from the release application server in
/<VENDORDIR>/wls92/utils/bsu/cache_dir) to the operations team and ask them to put the files on
the app server that needs to be updated. If any of the files already exist on the application server
to be patched then Operations should make a backup of the existing files before copying in the
new files. All the files in the cache_dir should be owned by the UNIX user ID and group that own
the WLS 9.2 binary files (for example Bwls92:gwls92) and should have permissions set to 750.
21. Once the files are in place Operations should run the following commands as the UNIX user ID that
owns the WLS 9.2 binary files (for example Bwls92:gwls92) to install the patch(es):
a. cd /<VENDORDIR>/wls92/utils/bsu
b.
c. Replace the 81XN,EP13 values in the command above with the patch(es) being deployed.
The output should look similar to the following:
Checking for conflicts..
No conflict(s) detected
Installing Patch ID: 81XN.
Result: Success
Installing Patch ID: EP13.
Result: Success
Installing Patch ID: VSZL.
Result: Success
Installing Patch ID: KSMA.
Result: Success
Installing Patch ID: 2RWZ.
Result: Success
d.
e. To back out the patches deployed run the same command except instead of install use
remove, for example:
./bsu.sh -remove -patchlist=81XN,EP13,VSZL,KSMA,2RWZ -prod_dir=/<VENDORDIR>/wls92/weblogic92
f. Note: neither the install nor the backout of patches via Smart Update changes the
commEnv.sh file. The
${BEA_HOME}/patch_weblogic922/profiles/default/sys_manifest_classpath/weblogic_patch.jar
file is updated with the new patches. This jar file is what is called by the commEnv.sh
file.
g. Restart all instances in the binaries that had the patch(es) backed out.
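A check of the install output against the patch list, as an added example that is not part of the HP HS procedure: given the comma-separated list passed to -patchlist and the bsu.sh output captured to a file, it confirms that the conflict check passed and that every requested patch reports Result: Success. The function names are assumptions, and the failing sample output is constructed, so the real failure text may differ.

```shell
#!/bin/sh
# Added example: confirm from captured bsu.sh output that every patch named
# in -patchlist was installed. Treats any result other than "Success", and
# any requested patch that never appears in the output, as a failure.

# verify_bsu_install PATCHLIST OUTPUT_FILE
#   PATCHLIST    comma-separated patch IDs, as passed to -patchlist
#   OUTPUT_FILE  captured output of the bsu.sh install run
# Prints "<id> <result>" per requested patch; returns 0 only if all succeeded
# and "No conflict(s) detected" was reported.
verify_bsu_install() {
    awk -v list="$1" '
    /^Installing Patch ID:/ {
        id = $4; sub(/\.[ \t\r]*$/, "", id)        # "81XN." -> "81XN"
        next
    }
    /^Result:/ && id != "" {
        res = $0
        sub(/^Result:[ \t]*/, "", res); sub(/[ \t\r]+$/, "", res)
        result[id] = res; id = ""
        next
    }
    index($0, "No conflict(s) detected") == 1 { conflicts_ok = 1 }
    END {
        bad = conflicts_ok ? 0 : 1
        if (bad) print "conflict-check NOT-CONFIRMED"
        n = split(list, want, ",")
        for (i = 1; i <= n; i++) {
            p = want[i]
            r = (p in result) ? result[p] : "NOT-REPORTED"
            if (r != "Success") bad = 1
            print p, r
        }
        exit bad
    }' "$2"
}

# write_sample_ok FILE: output in the form shown in this guide.
write_sample_ok() {
    cat > "$1" <<'EOF'
Checking for conflicts..
No conflict(s) detected
Installing Patch ID: 81XN.
Result: Success
Installing Patch ID: EP13.
Result: Success
Installing Patch ID: VSZL.
Result: Success
Installing Patch ID: KSMA.
Result: Success
Installing Patch ID: 2RWZ.
Result: Success
EOF
}

# write_sample_failed FILE: constructed output with one failed patch; the
# "Failure" text is made up for the example.
write_sample_failed() {
    cat > "$1" <<'EOF'
Checking for conflicts..
No conflict(s) detected
Installing Patch ID: 81XN.
Result: Success
Installing Patch ID: EP13.
Result: Failure
EOF
}

bsu_out=$(mktemp)
write_sample_ok "$bsu_out"
verify_bsu_install "81XN,EP13,VSZL,KSMA,2RWZ" "$bsu_out" && echo "all requested patches installed"
rm -f "$bsu_out"
```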
1. HP HS Engineering will supply you with the patch jar file(s) along with a patch-catalog.xml file.
Copy the files to the app server that needs to be updated. If any of the files already exist on the
application server to be patched then Operations should make a backup of the existing files before
copying in the new files. The files should be copied to the /usr/local/bea/wls92/utils/bsu/cache_dir
directory. All the files in the /usr/local/bea/wls92/utils/bsu/cache_dir should be owned by the UNIX
user ID and group that own the WLS 9.2 binary files (for example Bwls92:gwls92) and should have
permissions set to 750.
2. Once the files are in place Operations should run the following type of command as the UNIX user
ID that owns the WLS 9.2 binary files to install the patch(es):
h. cd /usr/local/bea/wls92/utils/bsu or cd /PREFIX/usr/local/bea/wls92/utils/bsu
i.
j. Replace the 81XN,EP13, etc. values in the command above with the patch(es) being
deployed.
The output should look similar to the following:
k.
l.
m. Restart all instances in the binaries that had the patch(es) backed out.
To validate if an instance has the patch(es) applied you can either
1. Type cd /<SITES>/<shortname>/site/common/logs/92_shortname_admin
2.
# pvcreate /dev/rdsk/c1t0d0
Physical volume "/dev/rdsk/c1t0d0" has been successfully created.
/dev/vg92
VG Write Access
read/write
VG Status
available
Max LV
255
Cur LV
Open LV
Max PV
16
Cur PV
Act PV
Max PE per PV
VGDA
PE Size (Mbytes)
Total PE
17501
2
4
17499
Alloc PE
Free PE
17499
Total PVG
/dev/dsk/c1t0d0
PV Status
available
Total PE
17499
Free PE
17499
Autoswitch
On
Proactive Polling
On
#mkdir /wls92pkg
# bdf
Filesystem
kbytes
/dev/vg00/lvol3
/dev/vg00/lvol1
/dev/vg00/lvol7
/dev/vg00/lvol6
/dev/vg00/lvol9
/dev/vg00/lvol5
/dev/vg00/lvol4
/dev/vg92/sglvol1 122880
1754 113563
2% /wls92pkg
# vgchange -a y vg92
# mkdir /wls92pkg
# ls -al /wls92pkg     (verify that the same files exist that you copied on the first system)
# umount /wls92pkg
# vgchange -a n vg92
<wls92pkg>
PACKAGE_TYPE FAILOVER
NODE_NAME hprel36a
NODE_NAME hprel36b
AUTO_RUN NO
NODE_FAIL_FAST_ENABLED NO
RUN_SCRIPT /etc/cmcluster/<wls92pkg>/<wls92pkg>.cntl
HALT_SCRIPT /etc/cmcluster/<wls92pkg>/<wls92pkg>.cntl
RUN_SCRIPT_TIMEOUT NO_TIMEOUT
SUCCESSOR_HALT_TIMEOUT NO_TIMEOUT
FAILOVER_POLICY CONFIGURED_NODE
FAILBACK_POLICY MANUAL
PRIORITY NO_PRIORITY
LOCAL_LAN_FAILOVER_ALLOWED YES
MONITORED_SUBNET 192.85.89.0
# Default
# Default
FS_UMOUNT_COUNT=1
FS_MOUNT_RETRY_COUNT=0
CONCURRENT_VGCHANGE_OPERATIONS=1
CONCURRENT_FSCK_OPERATIONS=1
CONCURRENT_MOUNT_AND_UMOUNT_OPERATIONS=1
IP[0]="192.85.89.243"
SUBNET[0]="192.85.89.0"
IP[1]="192.85.89.245"
SUBNET[1]="192.85.89.0"
# START OF CUSTOMER DEFINED FUNCTIONS
# This function is a place holder for customer define functions.
# You should define all actions you want to happen here, before the service is
# started. You can create as many functions as you need.
function customer_defined_run_cmds
{
# ADD customer defined run commands.
: # do nothing instruction, because a function must contain some command.
/<wls92pkg>/usr/local/gwh/lib/startcommands
test_return 51
}
# This function is a place holder for customer define functions.
# You should define all actions you want to happen here, after the service is
# halted.
function customer_defined_halt_cmds
{
# ADD customer defined halt commands.
# do nothing instruction, because a function must contain some command.
/<wls92pkg>/usr/local/gwh/lib/stopcommands
test_return 52
}
# END OF CUSTOMER DEFINED FUNCTIONS
/dev/vg04
NODE_NAME hprel36b
NETWORK_INTERFACE lan1
HEARTBEAT_IP 172.0.1.1
NETWORK_INTERFACE lan4
FIRST_CLUSTER_LOCK_PV /dev/dsk/c1t0d3
NODE_NAME hprel36a
NETWORK_INTERFACE lan1
HEARTBEAT_IP 172.0.1.2
NETWORK_INTERFACE lan4
FIRST_CLUSTER_LOCK_PV /dev/dsk/c1t0d3
MAX_CONFIGURED_PACKAGES 10
VOLUME_GROUP VG04
When using WLST in offline mode, if changes are made to the config.xml file WLST will
automatically create files called backup_config.xml. As long as these files are not
causing space issues they can remain on the file system. If they are
causing space issues then make sure they have been backed up via the standard BUR
and then delete them.
Port information can be found in the Domain Installation section of this document.
Copy the Entrust Chain Certificate to your clipboard. You must include the "-----BEGIN CERTIFICATE-----"
and "-----END CERTIFICATE-----" lines.
Paste the Entrust Chain Certificate into the text box under Message Text ensuring that
it is all left aligned with no trailing white space.
Click OK.
Click Add Server Certificate
Click OK to the warning regarding the server having to be restarted.
You should now receive a "Success" message, click OK.
Now you must restart your web server for the changes to take effect.