Since there were several users to provision on several systems, it would be convenient to have a script to create the users and the particular groups.
As for the Roles there we need to differentiate to WebLogic default roles and and groups, and Service Bus roles.
To be able to log on to the EM, WLS Console and/or Servicebus the user at least needs the WLS Monitor role, which is provided using the Monitors group. But to be able to start and stop servers (that the developers need/want on dev and at this customer also test) you need the Operators group. To be able to create WLS Artefacts, the user need to be in the Deployers group. More on that you can read in chapter '6 Users, Groups, And Security Roles' in the document 'Securing Resources Using Roles and Policies for Oracle WebLogic Server' (12.2.1).
The Servicebus Application Specific Roles are described in the paragraph '11.1.3 Roles' within chapter '11.1 Understanding Oracle Service Bus Application Security' of the document 'Administering Oracle Service Bus'. How to add those to weblogic users and groups is quite clearly described in paragraph '19.1.3.3 Adding a Product-Specific Administration Role to the Enterprise Deployment Administration Group' of the 'Enterprise Deployment Guide for Oracle SOA Suite' (12.2.1), so I'm not going to copy that.
In the following script first administrator-users are created and added to the administrators group.
For every user group that is created (Administrators, OSB Developers and OSB Testers), the property file (example is provided later) contains three comma seperated lists for the usernames, passwors and the user descriptions. So you can provide as many as you want, provided that the order in the passwords and description lists match the order in the user list. Of course if you have many users, you should consider implementing an LDAP Directory with WebLogic.
For each list of users the script loops over the list and fetches based on an incremented idx-variable the accompanying password and description. It creates the user and adds it as a member to the particular group.
After the administrator-users, the OSB Developers group is created, and for the Dev environment it is added to the WebLogic groups Operators and Deployers. It is done in a loop, based on a list of WebLogic groups this group should be a member of. In EM the group is added to the OSB Application Specific role 'Developer'. I haven't searched for a wls example to do that, but it is a environment specific small activity so I kept that manual.
After the OSB Developers group, the OSB Developer users are created.
Lastly in the same way the OSB Tester group and users are created. The Tester group is only added to the Weblogic Monitors group, and in EM added to the OSB Application Specific role 'Tester'.
So here's the createUsers.py script:
############################################################################# # Create WebLogic Users and groups # # @author Martien van den Akker, Darwin-IT Professionals # @version 1.1, 2016-07-06 # ############################################################################# # Modify these values as necessary import sys, traceback scriptName = sys.argv[0] # # lineSeperator='__________________________________________________________________________________' # # def usage(): print 'Call script as: ' print 'Windows: wlst.cmd '+scriptName+' -loadProperties localhost.properties' print 'Linux: wlst.sh '+scriptName+' -loadProperties environment.properties' print 'Property file should contain the following properties: ' print "adminUrl=localhost:7001" print "adminUser=weblogic" print "adminPwd=welcome1" # # def connectToadminServer(adminUrl, adminServerName): try: print(lineSeperator) print('Try to connect to the AdminServer') try: connect(userConfigFile=usrCfgFile, userKeyFile=usrKeyFile, url=adminUrl) except NameError, e: print('Apparently user config properties usrCfgFile and usrKeyFile not set.') print('Try to connect to the AdminServer adminUser and adminPwd properties') connect(adminUser, adminPwd, adminUrl) except WLSTException: message='Apparently AdminServer not Started!' print (message) raise Exception(message) # # def getRealm(name=None): cd('/') if name == None: realm = cmo.getSecurityConfiguration().getDefaultRealm() else: realm = cmo.getSecurityConfiguration().lookupRealm(name) return realm # # def getAuthenticator(realm, name=None): if name == None: authenticator = realm.lookupAuthenticationProvider('DefaultAuthenticator') else: authenticator = realm.lookupAuthenticationProvider(name) return authenticator # # def createUser(authenticator, userName, password, description): print ("Creating user " + userName) if authenticator.userExists(userName): print ("User "+userName+" already exists.") else: print ("User "+userName+" does not exist.") authenticator.createUser(userName, password, description) print("User "+userName+" created with password "+password+".") # # def createGroup(authenticator, groupName, description): print ("Creating group " + groupName) if authenticator.groupExists(groupName): print ("Group "+groupName+" already exists.") else: print ("Group "+groupName+" does not exist.") authenticator.createGroup(groupName, description) print("Group "+groupName+" created.") # # def addMember2Group(authenticator, groupName, memberName): print ("Adding member "+memberName+" to group " + groupName) if authenticator.isMember(groupName,memberName,true) == 0: print ("Member "+memberName+" not yet member of the group "+groupName+".") authenticator.addMemberToGroup(groupName, memberName) print ("Member "+memberName+" added to the group "+groupName+".") else: print ("Member "+memberName+" already member of the group "+groupName+".") # # def main(): try: print (lineSeperator) print ('Start Osb Cluster') print (lineSeperator) print('\nConnect to AdminServer ') connectToadminServer(adminUrl, adminServerName) # #Create Users # Get Realm and Authenticator realm = getRealm() authenticator = getAuthenticator(realm) # Administrators print('\nCreate Administrator users') administratorList=administrators.split(',') administratorDescrList=administratorsDesc.split(',') administratorPasswordList=administratorPasswords.split(',') # idx=0 for administrator in administratorList: administratorDesc=administratorDescrList[idx] administratorPassword=administratorPasswordList[idx] print(str(idx)+': Process administrator user '+administrator+' with description '+administratorDesc) createUser(authenticator, administrator, administratorPassword, administratorDesc) addMember2Group(authenticator, 'administrators', administrator) idx=idx+1 # # OSB Developers print('\nCreate group '+grpOsbDevName) createGroup(authenticator, grpOsbDevName, grpOsbDevDesc) grpOsbDevWlsGrpList=grpOsbDevWlsGrps.split(',') idx=0 for wlsGroup in grpOsbDevWlsGrpList: print(str(idx)+': Add '+grpOsbDevName+' to '+wlsGroup) addMember2Group(authenticator, wlsGroup, grpOsbDevName) idx=idx+1 # osbDeveloperList=osbDevelopers.split(',') osbDeveloperDescrList=osbDeveloperDescriptions.split(',') osbDeveloperPasswordList=osbDeveloperPasswords.split(',') # print('Create OSB Developer users') idx=0 for osbDeveloper in osbDeveloperList: osbDeveloperDesc=osbDeveloperDescrList[idx] osbDeveloperPassword=osbDeveloperPasswordList[idx] print(str(idx)+': Process OSB Developer user '+osbDeveloper+' with description '+osbDeveloperDesc) createUser(authenticator, osbDeveloper, osbDeveloperPassword, osbDeveloperDesc) addMember2Group(authenticator, grpOsbDevName, osbDeveloper) idx=idx+1 # # OSB Testers print('\nCreate group '+grpOsbTestName) createGroup(authenticator, grpOsbTestName, grpOsbTestDesc) grpOsbTestWlsGrpList=grpOsbTestWlsGrps.split(',') idx=0 for wlsGroup in grpOsbTestWlsGrpList: print(str(idx)+': Add '+grpOsbTestName+' to '+wlsGroup) addMember2Group(authenticator, wlsGroup, grpOsbTestName) idx=idx+1 # osbTesterList=osbTesters.split(',') osbTesterDescrList=osbTesterDescriptions.split(',') osbTesterPasswordList=osbTesterPasswords.split(',') # print('Create OSB Tester users') idx=0 for osbTester in osbTesterList: osbTesterDesc=osbTesterDescrList[idx] osbTesterPassword=osbTesterPasswordList[idx] print(str(idx)+': Process OSB Tester user '+osbTester+' with description '+osbTesterDesc) createUser(authenticator, osbTester, osbTesterPassword, osbTesterDesc) addMember2Group(authenticator, grpOsbTestName, osbTester) idx=idx+1 # print('\nExiting...') exit() except NameError, e: print('Apparently properties not set.') print "Please check the property: ", sys.exc_info()[0], sys.exc_info()[1] usage() except: apply(traceback.print_exception, sys.exc_info()) exit(exitcode=1) #call main() main() exit()
And here an example of the property file:
############################################################################# # Properties for Creating WLS Users # # @author Martien van den Akker, Darwin-IT Professionals # @version 1.0, 2016-07-06 # ############################################################################# # # Properties for AdminServer adminServerName=Adminserver adminUrl=lxoosb301:7001 # AdminUser adminUser=weblogic adminPwd=wlsadmin_O3 # defaultPassword=welkom123 # grpOsbDevName=OSBDevelopers grpOsbDevDesc=OSB Developers grpOsbDevWlsGrps=Deployers,Operators # osbDevelopers=sjaak,maarten osbDeveloperDescriptions=Sjaak with a Lastname - OSB Developer,Maarten from another father - OSB Developer osbDeveloperPasswords=sjaak123,maarten456 # grpOsbTestName=OSBTesters grpOsbTestDesc=OSB Testers grpOsbTestWlsGrps=Monitors # osbTesters=wim osbTesterDescriptions=Wim You know - OSBTester osbTesterPasswords=wimrt789 # administrators=hans,martien administratorsDesc=Hans the Admin,Martien van den Akker (extern) administratorPasswords=hans123,martien456
As you can see the descriptions may have spaces and dashes and other characters in it. But certainly no comma's (','), since that breaks the list. Often the description is used to provide a full name.
Also it contains a references to the admin server and the admin username/passsword. So you need to adapt this part of the property file for each environment.
In a later past I'll show how to create user key files to use encrypted administrator passwords. So after creating the users, remove this file from your system.
To start it you can use the following shell script, or get the running wlst command from:
#!/bin/bash ############################################################################# # Create users # # @author Martien van den Akker, Darwin-IT Professionals # @version 2.1, 2016-07-06 # ############################################################################# # . fmw12c_env.sh echo echo Create Users wlst.sh ./createUsers.py -loadProperties fmw.properties
Rename the fmw.properties reference to the file you named the property file created based on the property file example above.
That (as my other scripts) needs a fmw12c_env.sh script like:
#!/bin/bash echo set Fusion MiddleWare 12cR2 environment export FMW_HOME=/ontw/u01/app/oracle/product/fmw12c2 # echo call setWLSEnv.sh . $FMW_HOME/wlserver/server/bin/setWLSEnv.sh export PATH=$FMW_HOME/oracle_common/common/bin:$WL_HOME/common/bin/:$WL_HOME/server/bin:$PATH
Hi, I need help to create JNDI Providers in SERVICEBUS console using WLST. Could you please help me with this? Thanks in advanced.
ReplyDeleteHi,
ReplyDeleteCould you please ask that question on community.oracle.com?
Regards,
Martien
Thanks for the immediate response. I went through the official documentation but didn't find the correct approach. I will ask the question in Oracle Community now. But in mean time, if possible could you please point me to where to check for the scripts or please provide me the above asked script? Thanks and sorry for my bad English.
ReplyDeleteHi,
ReplyDeleteI think this article could be a start: https://blog.darwin-it.nl/2014/03/osb-remove-artefacts-with-wlst.html
It finds a resource, in this case a project, and deletes it. But you could use that to try to find a jndi provider and if not existing, create it.