Thursday, 7 July 2016

Create Weblogic users for ServiceBus

At one of my customers there was the question of creating users that needed to log on to EM (Fusion MiddleWare Control) and Service bus console to be able  to deploy SB en WLS Artefacts (queues, datasources etc.) on the Dev and Test environment. And to be able to do some monitoring on Acceptance. Further more they still used weblogic as the only, shared, administrator user. For the latter Oracle recommends to create at least one other user, to prevent you from an accidental admin-lockout. So I'd create named admin-users for each administrator.

Since there were several users to provision on several systems, it would be convenient to have a script to create the users and the particular groups.

As for the Roles there we need to differentiate to WebLogic default roles and and groups, and Service Bus roles.

To be able to log on to the EM, WLS Console and/or Servicebus the user at least needs the WLS Monitor role, which is provided using the Monitors group. But to be able to start and stop servers (that the developers need/want on dev and at this customer also test) you need the Operators group. To be able to create WLS Artefacts, the user need to be in the Deployers group. More on that you can read in chapter '6 Users, Groups, And Security Roles' in the document 'Securing Resources Using Roles and Policies for Oracle WebLogic Server' (12.2.1).

The Servicebus Application Specific Roles are described in the paragraph '11.1.3 Roles' within chapter '11.1 Understanding Oracle Service Bus Application Security' of the document 'Administering Oracle Service Bus'. How to add those to weblogic users and groups is quite clearly described in paragraph '19.1.3.3 Adding a Product-Specific Administration Role to the Enterprise Deployment Administration Group' of the 'Enterprise Deployment Guide for Oracle SOA Suite' (12.2.1), so I'm not going to copy that.

In the following script first administrator-users are created and added to the administrators group.
For every user group that is created (Administrators, OSB Developers  and OSB Testers), the property file (example is provided later) contains three comma seperated lists for the usernames, passwors and the user descriptions. So you can provide as many as you want, provided that the order in the passwords and description lists match the order in the user list. Of course if you have many users, you should consider implementing an LDAP Directory with WebLogic.
For each list of users the script loops over the list and fetches based on an incremented idx-variable the accompanying password and description. It creates the user and adds it as a member to the particular group.

After the administrator-users, the OSB Developers group is created, and for the Dev environment it is added to the WebLogic groups Operators and Deployers. It is done in a loop, based on a list of WebLogic groups this group should be a member of. In EM the group is added to the OSB Application Specific role 'Developer'. I haven't searched for a wls example to do that, but it is a environment specific small activity so I kept that manual.
After the OSB Developers group, the OSB Developer users are created.

Lastly in the same way the OSB Tester group and users are created. The Tester group is only added to the Weblogic Monitors group, and in EM added to the OSB Application Specific role 'Tester'.

So here's the createUsers.py script:
#############################################################################
# Create WebLogic Users and groups
#
# @author Martien van den Akker, Darwin-IT Professionals
# @version 1.1, 2016-07-06
#
#############################################################################
# Modify these values as necessary
import sys, traceback
scriptName = sys.argv[0]
#
#
lineSeperator='__________________________________________________________________________________'
#
#
def usage():
  print 'Call script as: '
  print 'Windows: wlst.cmd '+scriptName+' -loadProperties localhost.properties'
  print 'Linux: wlst.sh '+scriptName+' -loadProperties environment.properties'
  print 'Property file should contain the following properties: '
  print "adminUrl=localhost:7001"
  print "adminUser=weblogic"
  print "adminPwd=welcome1"
#
#
def connectToadminServer(adminUrl, adminServerName):
  try:
    print(lineSeperator)
    print('Try to connect to the AdminServer')
    try:
      connect(userConfigFile=usrCfgFile, userKeyFile=usrKeyFile, url=adminUrl)
    except NameError, e:
      print('Apparently user config properties usrCfgFile and usrKeyFile not set.')
      print('Try to connect to the AdminServer adminUser and adminPwd properties')
      connect(adminUser, adminPwd, adminUrl)
  except WLSTException:
    message='Apparently AdminServer not Started!'
    print (message)
    raise Exception(message)
#
#
def getRealm(name=None):
  cd('/')
  if name == None:
    realm = cmo.getSecurityConfiguration().getDefaultRealm()
  else:
    realm = cmo.getSecurityConfiguration().lookupRealm(name)
  return realm
#
#
def getAuthenticator(realm, name=None):
  if name == None:
    authenticator = realm.lookupAuthenticationProvider('DefaultAuthenticator')
  else:
    authenticator = realm.lookupAuthenticationProvider(name)
  return authenticator  
#
#
def createUser(authenticator, userName, password, description):
  print ("Creating user " + userName)
  if authenticator.userExists(userName):
    print ("User "+userName+" already exists.")
  else:
    print ("User "+userName+" does not exist.")
    authenticator.createUser(userName, password, description)
    print("User "+userName+" created with password "+password+".")
#
#
def createGroup(authenticator, groupName, description):
  print ("Creating group " + groupName)
  if authenticator.groupExists(groupName):
    print ("Group "+groupName+" already exists.")
  else:
    print ("Group "+groupName+" does not exist.")
    authenticator.createGroup(groupName, description)
    print("Group "+groupName+" created.")
#
#
def addMember2Group(authenticator, groupName, memberName):
  print ("Adding member "+memberName+" to group " + groupName)
  if authenticator.isMember(groupName,memberName,true) == 0:
    print ("Member "+memberName+" not yet member of the group "+groupName+".")
    authenticator.addMemberToGroup(groupName, memberName)
    print ("Member "+memberName+" added to the group "+groupName+".")
  else:
    print ("Member "+memberName+" already member of the group "+groupName+".")
#
#
def main():
  try:
    print (lineSeperator)
    print ('Start Osb Cluster')
    print (lineSeperator)
    print('\nConnect to AdminServer ')
    connectToadminServer(adminUrl, adminServerName)
    #
    #Create Users
    # Get Realm and Authenticator
    realm = getRealm()
    authenticator = getAuthenticator(realm)
    # Administrators
    print('\nCreate Administrator users')
    administratorList=administrators.split(',')
    administratorDescrList=administratorsDesc.split(',')
    administratorPasswordList=administratorPasswords.split(',')
    #
    idx=0
    for administrator in administratorList:
      administratorDesc=administratorDescrList[idx]
      administratorPassword=administratorPasswordList[idx]
      print(str(idx)+': Process administrator user '+administrator+' with description '+administratorDesc)
      createUser(authenticator, administrator, administratorPassword, administratorDesc)
      addMember2Group(authenticator, 'administrators', administrator)
      idx=idx+1
    #
    # OSB Developers
    print('\nCreate group '+grpOsbDevName)
    createGroup(authenticator, grpOsbDevName, grpOsbDevDesc)
    grpOsbDevWlsGrpList=grpOsbDevWlsGrps.split(',')
    idx=0
    for wlsGroup in grpOsbDevWlsGrpList:
      print(str(idx)+': Add '+grpOsbDevName+' to '+wlsGroup)
      addMember2Group(authenticator, wlsGroup, grpOsbDevName)
      idx=idx+1      
    #
    osbDeveloperList=osbDevelopers.split(',')
    osbDeveloperDescrList=osbDeveloperDescriptions.split(',')
    osbDeveloperPasswordList=osbDeveloperPasswords.split(',')
    #
    print('Create OSB Developer users')
    idx=0
    for osbDeveloper in osbDeveloperList:
      osbDeveloperDesc=osbDeveloperDescrList[idx]
      osbDeveloperPassword=osbDeveloperPasswordList[idx]
      print(str(idx)+': Process OSB Developer user '+osbDeveloper+' with description '+osbDeveloperDesc)
      createUser(authenticator, osbDeveloper, osbDeveloperPassword, osbDeveloperDesc)
      addMember2Group(authenticator, grpOsbDevName, osbDeveloper)
      idx=idx+1
    #
    # OSB Testers
    print('\nCreate group '+grpOsbTestName)
    createGroup(authenticator, grpOsbTestName, grpOsbTestDesc)
    grpOsbTestWlsGrpList=grpOsbTestWlsGrps.split(',')
    idx=0
    for wlsGroup in grpOsbTestWlsGrpList:
      print(str(idx)+': Add '+grpOsbTestName+' to '+wlsGroup)
      addMember2Group(authenticator, wlsGroup, grpOsbTestName)
      idx=idx+1
    #
    osbTesterList=osbTesters.split(',')
    osbTesterDescrList=osbTesterDescriptions.split(',')
    osbTesterPasswordList=osbTesterPasswords.split(',')
    #
    print('Create OSB Tester users')
    idx=0
    for osbTester in osbTesterList:
      osbTesterDesc=osbTesterDescrList[idx]
      osbTesterPassword=osbTesterPasswordList[idx]
      print(str(idx)+': Process OSB Tester user '+osbTester+' with description '+osbTesterDesc)
      createUser(authenticator, osbTester, osbTesterPassword, osbTesterDesc)
      addMember2Group(authenticator, grpOsbTestName, osbTester)
      idx=idx+1
    #
    print('\nExiting...')
    exit()
  except NameError, e:
    print('Apparently properties not set.')
    print "Please check the property: ", sys.exc_info()[0], sys.exc_info()[1]
    usage()
  except:
    apply(traceback.print_exception, sys.exc_info())
    exit(exitcode=1)
#call main()
main()
exit()

And here an example of the property file:
#############################################################################
# Properties for Creating WLS Users
#
# @author Martien van den Akker, Darwin-IT Professionals
# @version 1.0, 2016-07-06
#
#############################################################################
#
# Properties for AdminServer
adminServerName=Adminserver
adminUrl=lxoosb301:7001
# AdminUser
adminUser=weblogic
adminPwd=wlsadmin_O3
#
defaultPassword=welkom123
#
grpOsbDevName=OSBDevelopers
grpOsbDevDesc=OSB Developers
grpOsbDevWlsGrps=Deployers,Operators
#
osbDevelopers=sjaak,maarten
osbDeveloperDescriptions=Sjaak with a Lastname - OSB Developer,Maarten from another father - OSB Developer
osbDeveloperPasswords=sjaak123,maarten456
#
grpOsbTestName=OSBTesters
grpOsbTestDesc=OSB Testers
grpOsbTestWlsGrps=Monitors
#
osbTesters=wim
osbTesterDescriptions=Wim You know - OSBTester
osbTesterPasswords=wimrt789
#
administrators=hans,martien
administratorsDesc=Hans the Admin,Martien van den Akker (extern)
administratorPasswords=hans123,martien456

As you can see the descriptions may have spaces and dashes and other characters in it. But certainly no comma's (','), since that breaks the list. Often the description is used to provide a full name.
Also it contains a references to the admin server and the admin username/passsword. So you need to adapt this part of the property file for each environment.
In a later past I'll show how to create user key files to use encrypted administrator passwords. So after creating the users, remove this file from your system.
To start it you can use the following shell script, or get the running wlst command from:
#!/bin/bash
#############################################################################
# Create users
#
# @author Martien van den Akker, Darwin-IT Professionals
# @version 2.1, 2016-07-06
#
#############################################################################
#  
. fmw12c_env.sh
echo
echo Create Users
wlst.sh ./createUsers.py -loadProperties fmw.properties

Rename the fmw.properties reference to the file you named the property file created based on the property file example above.

That (as my other scripts) needs a fmw12c_env.sh script like:
#!/bin/bash
echo set Fusion MiddleWare 12cR2 environment
export FMW_HOME=/ontw/u01/app/oracle/product/fmw12c2
#
echo call setWLSEnv.sh
. $FMW_HOME/wlserver/server/bin/setWLSEnv.sh
export PATH=$FMW_HOME/oracle_common/common/bin:$WL_HOME/common/bin/:$WL_HOME/server/bin:$PATH


No comments :