How to migrate Weblogic's config.xml to multiple machines?

Posted on 2024-08-07 06:07:34

Our development team develops a J2EE application that runs on Weblogic 10.3. Each development machine runs its own copy of Weblogic 10.3 application server. The development environment's Weblogic domain was initially created on one machine and then copied onto all the machines using Weblogic's configuration tool (bea10/wlserver_10.3/common/bin/config.cmd).

Each development machine has its own copy of config.xml. All the passphrases (those for JDBC datasources etc.) in this file are encrypted and the encryption apparently uses a different seed on each machine since the same password has different encrypted forms on different machines.

The problem is that every once in a while config.xml needs to be updated (for example when a new EJB is added) and the updates need to be applied on all the machines. How should we go about doing this? If we just put the file in CVS and update the other machines from there the encrypted passwords on each machine would get overwritten. This results in ugly paddingexceptions when the server tries to decrypt the passphrases originally encrypted on another machine.

Is there an ant task (I couldn't find one) or a similar mechanism that would take care of correctly merging the changes in config.xml without overwriting the encrypted passwords? Or is it possible to somehow specify the passphrases in plaintext and encrypt them on the first start (I have a faint recollection that this was possible in previous versions but not in 10.3).

How do development teams working on Weblogic handle this?

BR,

Marko

Comments (4)

夜清冷一曲。 2024-08-14 06:07:34

> [...] Each development machine has its own copy of config.xml. All the passphrases (those for JDBC datasources etc.) in this file are encrypted ...

Yes, WebLogic Server encrypts all the plain text passwords stored in its domain configuration XML file(s). This is to prevent access to sensitive information. When passwords are entered using administration console or scripting tools, they will automatically get encrypted before they are stored in the configuration XML file(s).

> ... and the encryption apparently uses a different seed on each machine since the same password has different encrypted forms on different machines.

About the encrypt utility (from the Oracle WebLogic Server Java Utilities), the documentation says:

> The weblogic.security.Encrypt encrypts cleartext strings for use with WebLogic Server. The utility uses the encryption service of the current directory, or the encryption service for a specified WebLogic Server domain root directory.
>
> Note: An encrypted string must have been encrypted by the encryption service in the WebLogic Server domain where it will be used. If not, the server will not be able to decrypt the string.

This is not mentioned in the documentation but, AFAIK, Weblogic uses the domain's password salt file (SerializedSystemIni.dat) for encrypting the clear text string.

> [...] If we just put the file in CVS and update the other machines from there the encrypted passwords on each machine would get overwritten.

You could choose to use clear text passwords in the config.xml stored in your VCS (if this is not an issue). Actually, prior to WebLogic Server 9.0, the passwords would get encrypted during the subsequent restart. Starting from WebLogic Server 9.0, using clear text passwords in the configuration files is "fully" supported only for Development domain and Weblogic will not re-encrypt the passwords. In both cases, this would allow people to check out the config file without troubles.

> Is there an ant task (I couldn't find one) or a similar mechanism that would take care of correctly merging the changes in config.xml without overwriting the encrypted passwords?...

I'm not sure this directly answers your question, but Oracle WebLogic Server provides Ant tasks for most of (if not all) its Java Utilities. Maybe you'll find something useful there (check out Configuring a WebLogic Server Domain Using the wlconfig Ant Task).

> Or is it possible to somehow specify the passphrases in plaintext and encrypt them on the first start (I have a faint recollection that this was possible in previous versions but not in 10.3).

As I wrote above, this was the "default" behavior prior to Weblogic Server 9.0. I don't know if you can force this behavior for later versions. Of course, you could always use ant and encrypt to do it but, honestly, if you allow people to see clear text passwords once, I don't really see the point of encrypting them after the fact.

知你几分 2024-08-14 06:07:34

I would use something like mercurial or git, and use the export/import functionality, so that the changes are moved in diffs, not in complete files.

Short instructions

Well, if you are stuck with CVS (I'm sorry, I share your pain to some extent), you might consider creating a CVS repo of diffs. E.g. when a new version of the config file is made, the new file is diffed to the old file and the diff file is added to the repo, other hosts checkout from cvs and patch the config file.

It's a hack, but should work.

内心荒芜 2024-08-14 06:07:34

Personally I'd look into WLST to do mass domain updates. It's really simple even if you have no experience with python or WLST:

  1. turn on recording for a domain (admin web interface)
  2. do your changes on one domain (admin web interface)
  3. activate changes (admin web interface)
  4. you should get a python script in your default domain folder
  5. for each environment
    1. connect to the admin server with WLST
    2. apply your script
    3. restart domain or managed servers if required

Currently the company I work for does a similar thing to what you describe - hack around with weblogic domain files and then deploy the same files with small tweaks to all our environments. Over the years we've ended up with an absolute mess. It's just not the way to go.

雨夜星沙 2024-08-14 06:07:34

We did it using WLST. We use some kind of simple declarative "domain model" in python which is rather abstract (i.e. it doesn't specify the configuration of different servers in a cluster, in our environments all the nodes must be identical). This model is quite short (2-3 pages for biggest applications that have 30+ connection pools, a bunch of JMS stuff and some foreign JMS providers). After that, we have 2 scripts: first creates an empty domain in the target environment, the 2nd applies the domain model. To collect the changes that developers do in the "master" environment we have a script that goes through the domain configuration and outputs the model file. Using a diff on those model files we can see what has been changed.

This looks like a heavyweight framework, but it really saves a lot of time when we have to manage development, testing, staging and production environments for 100+ applications.

For smaller cases just copying the files and using the same SerializedSystemIni.dat should do. Just make sure that your domain name stays the same, adjust the addresses/ports.
If you want to use a different SerializedSystemIni.dat, that is rather easy to do as well: based on this code (http://gustlik.wordpress.com/2008/08/06/decryption-of-configuration-passwords-in-weblogic/), it's quite easy to write a utility that will decode the password with the original SerializedSystemIni.dat and encode it with a new one. This should do the trick.
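
One way to do the merge the question asks for, as an added example (not code from any of the posts or from WebLogic): take the shared config.xml from version control and carry over this machine's own encrypted values, so no ciphertext produced with another domain's SerializedSystemIni.dat ends up in the local file. It assumes secrets sit in elements whose names end in `-encrypted`; the function names and the sample files are made up for illustration.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """Tag name without its '{namespace}' prefix."""
    return tag.rsplit("}", 1)[-1]

def _encrypted(root):
    """Map structural path -> element for every '*-encrypted' element."""
    found = {}
    def walk(el, path):
        # Siblings such as <server> are told apart by their <name> child.
        name = next((c.text for c in el if _local(c.tag) == "name"), "")
        here = path + ("%s[%s]" % (_local(el.tag), name),)
        if _local(el.tag).endswith("-encrypted"):
            found["/".join(here)] = el
        for child in el:
            walk(child, here)
    walk(root, ())
    return found

def merge_keep_local_secrets(shared_xml, local_xml):
    """Return (merged_xml, paths_needing_local_encryption)."""
    shared = ET.fromstring(shared_xml)
    if shared.tag.startswith("{"):  # keep the default namespace unprefixed
        ET.register_namespace("", shared.tag[1:].split("}")[0])
    local = _encrypted(ET.fromstring(local_xml))
    todo = []
    for path, el in _encrypted(shared).items():
        if path in local:
            el.text = local[path].text  # ciphertext this domain can decrypt
        else:
            todo.append(path)           # new secret: encrypt it on this machine
    return ET.tostring(shared, encoding="unicode"), todo

# Constructed sample files; the {3DES} values are placeholders, not real ciphertext.
SHARED = """<domain><name>dev</name>
  <security-configuration><name>dev</name>
    <credential-encrypted>{3DES}FROM-MACHINE-A</credential-encrypted>
    <node-manager-password-encrypted>{3DES}NEW-ON-A</node-manager-password-encrypted>
  </security-configuration>
  <app-deployment><name>new-ejb</name><target>AdminServer</target></app-deployment>
</domain>"""
LOCAL = """<domain><name>dev</name>
  <security-configuration><name>dev</name>
    <credential-encrypted>{3DES}FROM-MACHINE-B</credential-encrypted>
  </security-configuration>
</domain>"""

if __name__ == "__main__":
    merged, todo = merge_keep_local_secrets(SHARED, LOCAL)
    print(merged)
    print("encrypt locally:", todo)
```

Any path returned in the second value is a secret this machine has never encrypted; it still holds the other machine's ciphertext and has to be replaced with the output of weblogic.security.Encrypt run against the local domain.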
