@Mahuwa-Barman Mahuwa-Barman commented Jun 28, 2024

Mahuwa-Barman and others added 30 commits February 6, 2024 11:10
https://jira.oraclecorp.com/jira/browse/JCS-14321
This PR contains policy-related changes required to access the OCI
certificate service API & other miscellaneous changes.
#240)

**Testing**

1. One node secured production mode Non-JRF provisioning is successful.
<img width="1414" alt="Screenshot 2024-02-29 at 9 33 39 PM"
src="https://github.com/oracle-quickstart/oci-weblogic-server/assets/148204723/512e249f-c23e-4f63-b5e4-45df3b0ca8bb">

2. Block obvious names for the WebLogic administrator user:
    - Changed the default value of the username to "wls_user".
<img width="940" alt="Screenshot 2024-02-29 at 9 12 32 PM"
src="https://github.com/oracle-quickstart/oci-weblogic-server/assets/148204723/2cf08291-5ade-43f1-b26f-d51521e2e199">
    - When the username is given as "weblogic", it is blocked.
<img width="940" alt="Screenshot 2024-02-29 at 9 12 47 PM"
src="https://github.com/oracle-quickstart/oci-weblogic-server/assets/148204723/c2877a21-e3ae-4f7e-a302-5fea059f6a36">
    - When the username is given as "weblogic1", it is accepted.
<img width="940" alt="Screenshot 2024-02-29 at 9 12 58 PM"
src="https://github.com/oracle-quickstart/oci-weblogic-server/assets/148204723/ffc425c8-4a7d-4823-93b5-84c331eb51d2">
    - An error is thrown when the username "weblogic" is given when running
through the CLI.
<img width="789" alt="Screenshot 2024-02-29 at 9 16 57 PM"
src="https://github.com/oracle-quickstart/oci-weblogic-server/assets/148204723/10d64269-4615-4856-b117-15373ac8b788">
<img width="1405" alt="Screenshot 2024-02-29 at 9 17 15 PM"
src="https://github.com/oracle-quickstart/oci-weblogic-server/assets/148204723/36a7b77e-fbd9-4a29-a994-7c3e808edd06">

3. Throttle the thread pool:
    - Thread pool throttling added to the UI with the default value of
65536.
<img width="701" alt="Screenshot 2024-02-29 at 9 14 04 PM"
src="https://github.com/oracle-quickstart/oci-weblogic-server/assets/148204723/249f0669-cf34-4d62-9b58-ecb5fab9b661">
    - Stack created with thread_pool_limit of 60000 assigned in the tfvars
file.
<img width="794" alt="Screenshot 2024-02-29 at 9 17 56 PM"
src="https://github.com/oracle-quickstart/oci-weblogic-server/assets/148204723/7ffc2227-6491-4b52-93e9-6d6ad9fcbbc5">
    - The same is visible in the admin console for the admin server and managed server.
<img width="1256" alt="Screenshot 2024-02-29 at 9 36 04 PM"
src="https://github.com/oracle-quickstart/oci-weblogic-server/assets/148204723/8e8969ba-2bc1-4144-b569-89e585fd5dc4">
<img width="1256" alt="Screenshot 2024-02-29 at 9 36 16 PM"
src="https://github.com/oracle-quickstart/oci-weblogic-server/assets/148204723/6c603c53-3224-475f-93b0-76a3fcb664f2">
**Testing**

1. Additional admin user added in the UI with the default username as
'wls_user_1'.
<img width="970" alt="Screenshot 2024-03-01 at 4 13 06 PM"
src="https://github.com/oracle-quickstart/oci-weblogic-server/assets/148204723/c5018d33-1523-4e07-8fea-410a370fd5de">
2. Usernames 'weblogic' and 'administrator' are blocked in UI, while
'weblogic1' works fine.
<img width="970" alt="Screenshot 2024-03-01 at 4 16 15 PM"
src="https://github.com/oracle-quickstart/oci-weblogic-server/assets/148204723/eae6e89b-5189-4f83-82f0-a12ee768a2c7">
<img width="970" alt="Screenshot 2024-03-01 at 4 16 35 PM"
src="https://github.com/oracle-quickstart/oci-weblogic-server/assets/148204723/926204d3-33d0-4af8-a327-aa6ca3047418">
<img width="970" alt="Screenshot 2024-03-01 at 4 18 30 PM"
src="https://github.com/oracle-quickstart/oci-weblogic-server/assets/148204723/dd1f31c6-955e-492d-96fb-b1ecc3a9a2e3">
3. Username 'weblogic' is blocked in Terraform.
<img width="970" alt="Screenshot 2024-03-01 at 7 46 56 PM"
src="https://github.com/oracle-quickstart/oci-weblogic-server/assets/148204723/ce5b04cf-beee-44d7-9b35-0ee03114d98f">
<img width="1414" alt="Screenshot 2024-03-01 at 7 48 31 PM"
src="https://github.com/oracle-quickstart/oci-weblogic-server/assets/148204723/79bc2626-b619-4e18-9be0-8dd3fd9b00f3">
This MR is to configure the OCI Load Balancer Backend Set to use SSL.

Testing results are uploaded to the associated Jira:
https://jira.oraclecorp.com/jira/browse/JCS-14325
…nistration port instead of all ports for wls subnet cidr in case of secured production mode
…wls_ingress_internal_security_rule_secure_mode
…G which opens all ports for wls subnet cidr. (#255)

Apply job succeeded for 2 node provisioning

![Screenshot 2024-05-08 at 5 45 17 PM](https://github.com/oracle-quickstart/oci-weblogic-server/assets/146092665/3ba06c7b-ed4d-4959-94c3-04156daded5a)


![Scr](https://github.com/oracle-quickstart/oci-weblogic-server/assets/146092665/4c386072-f635-4718-a301-89667a20a3f7)

Modified the secrule from the managed server NSG, which now opens the
administration port 9002 instead of all ports for the wls subnet CIDR in
case of secured production mode.



![image](https://github.com/oracle-quickstart/oci-weblogic-server/assets/146092665/d12346f7-b89f-4aeb-ab28-e51bb6981a7d)
https://jira.oraclecorp.com/jira/browse/JCS-14446

https://orahub.oci.oraclecorp.com/weblogic-cloud/wls-oci/-/merge_requests/1043

This MR includes the following fixes:
1. Removed variable wls_cluster_mc_port as it's not being used in the
code.
2. Fixed the certificate validity date.
3. Removed the SecuredExternAdmin channel, which opens port 7002, from
base-model-jrf-secure-mode.yaml & base-model-nonjrf-secure-mode.yaml.
4. Changed "secure production mode" to "secured production mode" in the code
at multiple places.
https://jira.oraclecorp.com/jira/browse/JCS-14450

https://orahub.oci.oraclecorp.com/weblogic-cloud/wls-oci/-/merge_requests/1046
This MR includes:
1. Adding the missing policy for wls_secondary_admin_password_id.
2. Changing the policy for the certificate authority from inspect -> read.
…de (#269)

This MR is to open port 9072 for the WebLogic subnet CIDR in the managed server
NSG in secure mode.
**Testing**

1. Errors shown when no rules are added for Security Lists.
<img width="1500" alt="Screenshot 2024-05-23 at 7 10 17 PM"
src="https://github.com/oracle-quickstart/oci-weblogic-server/assets/148204723/8dfa4598-36a7-48fd-932d-c4ecb0c7fec5">

2. No errors when all the required rules are added for Security Lists.
<img width="1500" alt="Screenshot 2024-05-23 at 7 16 41 PM"
src="https://github.com/oracle-quickstart/oci-weblogic-server/assets/148204723/3135e11a-0a69-4eb2-a5e0-668a44492170">
<img width="1500" alt="Screenshot 2024-05-23 at 7 16 51 PM"
src="https://github.com/oracle-quickstart/oci-weblogic-server/assets/148204723/b8b9f6ee-cf51-4509-bad7-10c32bd5424f">
<img width="1500" alt="Screenshot 2024-05-23 at 7 17 00 PM"
src="https://github.com/oracle-quickstart/oci-weblogic-server/assets/148204723/79e379e2-6321-48c5-b426-41c1b8b41999">
<img width="1500" alt="Screenshot 2024-05-23 at 10 58 56 PM"
src="https://github.com/oracle-quickstart/oci-weblogic-server/assets/148204723/f6a55d43-3283-4402-9e17-2b078829c314">

3. Errors shown when no rules are added for Network Security Groups.
<img width="1500" alt="Screenshot 2024-05-23 at 7 27 44 PM"
src="https://github.com/oracle-quickstart/oci-weblogic-server/assets/148204723/e4974b5a-41b7-4a9e-94be-81496b36ad17">

4. No errors when all the required rules are added for Network Security
Groups.
<img width="1500" alt="Screenshot 2024-05-23 at 8 00 16 PM"
src="https://github.com/oracle-quickstart/oci-weblogic-server/assets/148204723/33c5dab7-f29a-40df-8927-075371d8fd57">
<img width="1500" alt="Screenshot 2024-05-23 at 7 31 25 PM"
src="https://github.com/oracle-quickstart/oci-weblogic-server/assets/148204723/c9d4b1c0-0e95-4178-9c86-1290b4a06847">
<img width="1500" alt="Screenshot 2024-05-23 at 7 32 18 PM"
src="https://github.com/oracle-quickstart/oci-weblogic-server/assets/148204723/b2631154-8cbd-4299-a851-f9515b8dc1cd">
<img width="1500" alt="Screenshot 2024-05-23 at 7 33 04 PM"
src="https://github.com/oracle-quickstart/oci-weblogic-server/assets/148204723/d439f9f1-6fab-477c-90f5-7ec02ca5c19c">
<img width="1500" alt="Screenshot 2024-05-23 at 7 33 39 PM"
src="https://github.com/oracle-quickstart/oci-weblogic-server/assets/148204723/8e5cdcd8-a698-4507-8af6-6a92f59be93e">
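Two of the changes the commit messages above describe are input validation of the WebLogic administrator username (blocking "weblogic" and "administrator", accepting "weblogic1", defaulting to "wls_user", with a thread_pool_limit defaulting to 65536) and narrowing the managed server NSG ingress rule from all ports to the administration port 9002 for the WebLogic subnet CIDR. The Terraform below is an added example of how such a validation and such a rule can be written; it is not the project's own code. Only `thread_pool_limit` is a variable name taken from the page; `wls_admin_user`, `wls_subnet_cidr`, `wls_admin_port`, `managed_server_nsg_id` and the resource label are assumptions, and the OCI provider resource `oci_core_network_security_group_security_rule` is used with its documented arguments.

```hcl
# Added example, not code from the oci-weblogic-server project.
# Variable names other than thread_pool_limit are assumptions.

variable "wls_admin_user" {
  description = "WebLogic administrator username (assumed variable name)"
  type        = string
  default     = "wls_user"

  # Reject the well-known names. lower() makes the check case-insensitive,
  # so "WebLogic" is rejected as well; "weblogic1" still passes.
  validation {
    condition     = !contains(["weblogic", "administrator"], lower(var.wls_admin_user))
    error_message = "The WebLogic admin username must not be 'weblogic' or 'administrator'."
  }
}

variable "thread_pool_limit" {
  description = "Upper bound for the WebLogic self-tuning thread pool"
  type        = number
  default     = 65536

  # A non-positive limit would disable the pool; reject it at plan time.
  validation {
    condition     = var.thread_pool_limit > 0
    error_message = "thread_pool_limit must be a positive integer."
  }
}

variable "wls_subnet_cidr" {
  description = "CIDR block of the WebLogic subnet (assumed variable name)"
  type        = string
}

variable "wls_admin_port" {
  description = "Administration port used in secured production mode"
  type        = number
  default     = 9002
}

variable "managed_server_nsg_id" {
  description = "OCID of the managed server NSG (assumed variable name)"
  type        = string
}

# Ingress rule scoped to the administration port only, in place of a rule
# that opened every TCP port to the WebLogic subnet CIDR.
resource "oci_core_network_security_group_security_rule" "wls_ingress_admin_port" {
  network_security_group_id = var.managed_server_nsg_id
  direction                 = "INGRESS"
  protocol                  = "6" # TCP
  source                    = var.wls_subnet_cidr
  source_type               = "CIDR_BLOCK"
  description               = "Administration port from the WebLogic subnet only"

  tcp_options {
    destination_port_range {
      min = var.wls_admin_port
      max = var.wls_admin_port
    }
  }
}
```

With this in place, `terraform plan -var='wls_admin_user=weblogic'` fails at validation before any resource is touched, which is the same behaviour the CLI screenshots above show, and the NSG rule's port range makes the reduced exposure reviewable in the plan output rather than only in the console.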
@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Jun 28, 2024
@Mahuwa-Barman Mahuwa-Barman changed the title Merge topic-secure-production-mode into development Merge and validate secured production mode in WLS for OCI Jun 28, 2024
@Mahuwa-Barman Mahuwa-Barman requested a review from telake June 28, 2024 13:13

@telake telake left a comment


Approved without review since I've been reviewing the merges into the topic branch all along. We'll find any issues in testing before making release branch.

@skommala skommala assigned skommala and unassigned skommala Jun 28, 2024
@skommala skommala requested a review from telake June 28, 2024 17:30
@Mahuwa-Barman Mahuwa-Barman requested a review from skommala June 28, 2024 17:32

@skommala skommala left a comment


Tim has already approved it. I am approving because Mahuwa has to merge these changes.

@skommala skommala merged commit 220adca into development Jun 28, 2024
5 participants