How do I migrate Weblogic's config.xml to multiple machines?
Our development team develops a J2EE application that runs on Weblogic 10.3. Each development machine runs its own copy of Weblogic 10.3 application server. The development environment's Weblogic domain was initially created on one machine and then copied onto all the machines using Weblogic's configuration tool (bea10/wlserver_10.3/common/bin/config.cmd).
Each development machine has its own copy of config.xml. All the passphrases (those for JDBC datasources etc.) in this file are encrypted and the encryption apparently uses a different seed on each machine since the same password has different encrypted forms on different machines.
The problem is that every once in a while config.xml needs to be updated (for example when a new EJB is added) and the updates need to be applied on all the machines. How should we go about doing this? If we just put the file in CVS and update the other machines from there, the encrypted passwords on each machine would get overwritten. This results in ugly padding exceptions when the server tries to decrypt the passphrases originally encrypted on another machine.
Is there an ant task (I couldn't find one) or a similar mechanism that would take care of correctly merging the changes in config.xml without overwriting the encrypted passwords? Or is it possible to somehow specify the passphrases in plaintext and encrypt them on the first start (I have a faint recollection that this was possible in previous versions but not in 10.3).
How do development teams working on Weblogic handle this?
BR,
Marko
Comments (4)
Yes, WebLogic Server encrypts all the plain text passwords stored in its domain configuration XML file(s). This is to prevent access to sensitive information. When passwords are entered using the administration console or scripting tools, they automatically get encrypted before they are stored in the configuration XML file(s).
About the encrypt utility (from the Oracle WebLogic Server Java Utilities), the documentation says:
This is not mentioned in the documentation but, AFAIK, Weblogic uses the domain's password salt file (SerializedSystemIni.dat) for encrypting the clear text string.
You could choose to use clear text passwords in the config.xml stored in your VCS (if this is not an issue). Actually, prior to WebLogic Server 9.0, the passwords would get encrypted during the subsequent restart. Starting from WebLogic Server 9.0, using clear text passwords in the configuration files is "fully" supported only for Development domain and Weblogic will not re-encrypt the passwords. In both cases, this would allow people to check out the config file without troubles.
I'm not sure this answers directly your question but Oracle WebLogic Server provides Ant tasks for most of (if not all) its Java Utilities. Maybe you'll find something useful there (check out Configuring a WebLogic Server Domain Using the wlconfig Ant Task).
As I wrote above, this was the "default" behavior prior to Weblogic Server 9.0. I don't know if you can force this behavior for later versions. Of course, you could always use ant and encrypt to do it but, honestly, if you allow people to see clear text passwords once, I don't really see the point of encrypting them after the fact.
I would use something like mercurial or git, and use the export/import functionality, so that the changes are moved in diffs, not in complete files.
Short instructions
Well, if you are stuck with CVS (I'm sorry, I share your pain to some extent), you might consider creating a CVS repo of diffs. E.g. when a new version of the config file is made, the new file is diffed to the old file and the diff file is added to the repo, other hosts checkout from cvs and patch the config file.
It's a hack, but should work.
Personally I'd look into WLST to do mass domain updates. It's really simple even if you have no experience with python or WLST.
Currently the company I work for does a similar thing to what you describe - hack around with weblogic domain files and then deploy the same files with small tweaks to all our environments. Over the years we've ended up with an absolute mess. It's just not the way to go.
We did it using WLST. We use some kind of simple declarative "domain model" in python which is rather abstract (i.e. it doesn't specify the configuration of different servers in a cluster, in our environments all the nodes must be identical). This model is quite short (2-3 pages for biggest applications that have 30+ connection pools, a bunch of JMS stuff and some foreign JMS providers). After that, we have 2 scripts: the first creates an empty domain in the target environment, the 2nd applies the domain model. To collect the changes that developers do in the "master" environment we have a script that goes through the domain configuration and outputs the model file. Using a diff on those model files we can see what has been changed.
This looks like a heavyweight framework, but it really saves a lot of time when we have to manage development, testing, staging and production environments for 100+ applications.
For smaller cases just copying the files and using the same SerializedSystemIni.dat should do. Just make sure that your domain name stays the same, adjust the addresses/ports.
If you want to use a different SerializedSystemIni.dat, it is rather easy to do that as well: based on this code (http://gustlik.wordpress.com/2008/08/06/decryption-of-configuration-passwords-in-weblogic/), it's quite easy to write a utility that will decode the password with the original SerializedSystemIni.dat and encode with a new one. This should do the trick.
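The merge the question asks for (taking config.xml from version control without overwriting this machine's encrypted values), as an added example that is not part of the original thread or of any WebLogic tool. It assumes encrypted values sit in elements whose names end in -encrypted and that elements can be matched by their <name> child; the sample files and {3DES} placeholder values are constructed.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """Element name without its XML namespace."""
    return tag.rsplit('}', 1)[-1]

def encrypted_elements(root):
    """Map a path of element[<name> child] steps to each *-encrypted element.
    Assumption: encrypted values live in elements whose name ends in '-encrypted'."""
    found = {}
    def walk(elem, path):
        name = next((c.text for c in elem if _local(c.tag) == 'name'), '')
        here = path + ('%s[%s]' % (_local(elem.tag), name),)
        if _local(elem.tag).endswith('-encrypted'):
            found['/'.join(here)] = elem
        for child in elem:
            walk(child, here)
    walk(root, ())
    return found

def merge_keep_local_secrets(shared_xml, local_xml):
    """Take the structure from the shared (VCS) file, but keep this machine's
    encrypted values. Returns (merged root, paths that have no local value)."""
    merged = ET.fromstring(shared_xml)
    local = encrypted_elements(ET.fromstring(local_xml))
    unresolved = []
    for path, elem in encrypted_elements(merged).items():
        if path in local:
            elem.text = local[path].text   # ciphertext this machine can decrypt
        else:
            unresolved.append(path)        # new secret: has to be set locally
    return merged, sorted(unresolved)

# Constructed sample files; the {3DES} values are placeholders, not real ciphertext.
SHARED = """<domain><name>dev</name>
  <security-configuration><name>dev</name>
    <credential-encrypted>{3DES}FROM-MACHINE-A</credential-encrypted>
    <node-manager-password-encrypted>{3DES}NM-MACHINE-A</node-manager-password-encrypted>
  </security-configuration>
  <server><name>AdminServer</name></server>
  <app-deployment><name>new-ejb</name></app-deployment>
</domain>"""
LOCAL = """<domain><name>dev</name>
  <security-configuration><name>dev</name>
    <credential-encrypted>{3DES}FROM-MACHINE-B</credential-encrypted>
  </security-configuration>
  <server><name>AdminServer</name></server>
</domain>"""

if __name__ == '__main__':
    merged, unresolved = merge_keep_local_secrets(SHARED, LOCAL)
    print(ET.tostring(merged, encoding='unicode'))
    print('set on this machine before starting the server:', unresolved)
```

Paths reported as unresolved still carry another machine's ciphertext and need to be re-entered on this machine (through the console or a scripting tool) so they are encrypted with the local SerializedSystemIni.dat.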