Oracle

Onboarding WebLogic (Linux)

Prerequisites
  1. Ensure that the following packages are installed to facilitate device addition:
    1. dzdo (Optional, as per the access elevation selected)
    2. SFTP
  2. Ensure that the target IP is accessible from the cloud connector and that the port is open.
  4. Make sure that the language setting for the WebLogic Server is set to English. Ensure that the sudo/dzdo prompt string follows the standard Linux format, which is typically "[sudo] password for <your_username>:"
  4. SSH private keys cannot be used with password-enabled dzdo settings. Therefore, if an SSH key is used for authentication, ensure that dzdo is configured for passwordless operation.
  5. Certificates located in paths without the necessary user permissions cannot be identified, so either place the certificates in configuration files with accessible paths or adjust the file permissions for accessibility.
  6. Ensure that the commands requiring sudo/dzdo privileges are enabled on the server.
  7. Ensure that the WebLogic instance is properly configured with the necessary profiles, servers, and SSL certificates.
  8. Ensure that the config.xml file is present, the WebLogic server is running, and the user can log onto the wlst.sh script using the required WebLogic credentials.
  9. Ensure access to the wlst.sh script as it is used across multiple stages of device onboarding and CLM operations. Below are the key use cases:
    • Vendor Validation

      The wlst.sh script is run to verify the WebLogic installation. A successful launch without errors confirms the vendor setup.

    • Version Fetch

      The WebLogic version is retrieved by executing specific commands within the wlst.sh script.

    • Decrypting Domain Credentials

      To obtain the WebLogic domain username and password, values are decrypted using commands executed within wlst.sh.

    • Certificate Binding

      During the certificate binding process, a series of commands are executed through wlst.sh to bind the server certificate to the target WebLogic server.

  10. The OpenSSL toolkit is required for private key and CSR generation at the target device, so ensure that it is installed on the Linux machine.
  11. Minimum Permission Required
    • The SSH user or service account (if configured) must have the necessary permissions to access the path containing wlst.sh, with or without sudo privileges.
    • The user must have read (r) permission for the config.xml and boot.properties files, as well as their respective directories. Otherwise, elevated access is required.
    • Additionally, the user must have read and write (rw) permissions for the configured keystores and their directories. Otherwise, elevated access is required.
    • The user must have read and write (rw) permissions on the target location to push the keystore. Otherwise, elevated access is required.
    • An SFTP connection is set up for the current user, who might not have the necessary access to the service account's directory. It is recommended to choose a File Upload Temp Path in the UI that allows both the current user and the service account user to read and write.
  12. Recommended practices to use AppViewX efficiently:
    • Config.xml Guidelines:
      • If the configuration file (config.xml) lacks sufficient details to determine the protocol and port, AppViewX defaults to the T3 protocol and its standard port.

        To prevent misconfiguration, ensure the following entries are explicitly defined in config.xml:

        • Admin server port
        • Administration protocol enabled
        • Protocol type (for example, HTTP, HTTPS) - if applicable
        • Administration port - if applicable
        • Listen address - recommended for clarity and accuracy.
    • Java Truststore:
      • Do not customize the password for the default Java truststore, as WebLogic only recognizes the default password: changeit.
      • If a custom truststore path is used, ./wlst.sh must be run with specific arguments, which is not supported by WebLogic.
      • AppViewX supports pushing certificates only to the default Java truststore location: /java_path/lib/security/cacerts.
    • Server Certificate and Keystore Configuration:
      • For successful client-side authentication, WebLogic validates the SSLSocketFactory hostname verifier.
      • When using T3S or HTTPS protocols, the server certificate must include the WebLogic server's fully qualified domain name (FQDN) in either the Common Name (CN) or the Subject Alternative Name (SAN).
      • Store the server certificate, private key, and full certificate chain in a single keystore entry.
      • Maintain a separate truststore for root and intermediate certificates.
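A pre-flight check for the permission prerequisite (item 11) and the config.xml guidelines (item 12) above, written as an added example for this page and not AppViewX's own code: it parses a config.xml, reports which recommended entries are missing, and decides from ownership and mode bits whether the SSH user would need sudo/dzdo for config.xml (read) and for the declared keystores (read and write). The config.xml below is constructed after the page's sample; the domain-level administration-port-enabled element is an assumption, as is the file layout.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed config.xml modelled on the page's sample (not a real domain file).
# listen-address is deliberately left empty so that a guideline finding is produced.
SAMPLE_CONFIG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>base_domain</name>
  <admin-server-name>AdminServer</admin-server-name>
  <server>
    <name>AdminServer</name>
    <ssl>
      <enabled>true</enabled>
      <listen-port>7002</listen-port>
    </ssl>
    <listen-port>7001</listen-port>
    <listen-port-enabled>true</listen-port-enabled>
    <listen-address></listen-address>
    <key-stores>CustomIdentityAndCustomTrust</key-stores>
    <custom-identity-key-store-file-name>/tmp/keystore.jks</custom-identity-key-store-file-name>
    <custom-trust-key-store-file-name>/tmp/keystore.jks</custom-trust-key-store-file-name>
  </server>
</domain>
"""


def _text(parent, tag):
    """Stripped text of the first child named `tag` in any namespace, or None if absent."""
    el = parent.find("{*}" + tag)
    if el is None:
        return None
    return (el.text or "").strip()


def check_config(xml_text, server_name="AdminServer"):
    """Return the config.xml guideline findings for one server; an empty list means all explicit.

    Assumption: the domain-level <administration-port-enabled> element stands for the
    'Administration protocol enabled' entry named in the prerequisites.
    """
    root = ET.fromstring(xml_text)
    findings = []
    if _text(root, "administration-port-enabled") is None:
        findings.append("administration-port-enabled is not set (domain-level, assumed element)")
    server = None
    for candidate in root.iterfind("{*}server"):
        if _text(candidate, "name") == server_name:
            server = candidate
            break
    if server is None:
        findings.append("server %s not found" % server_name)
        return findings
    if not _text(server, "listen-port"):
        findings.append("listen-port is not set; the T3 default port would be assumed")
    if not _text(server, "listen-address"):
        findings.append("listen-address is empty; set it explicitly for clarity")
    ssl = server.find("{*}ssl")
    if ssl is None or _text(ssl, "enabled") != "true":
        findings.append("SSL is not enabled on the server")
    elif not _text(ssl, "listen-port"):
        findings.append("SSL listen-port is not set")
    if _text(server, "key-stores") != "CustomIdentityAndCustomTrust":
        findings.append("key-stores is not CustomIdentityAndCustomTrust")
    else:
        for tag in ("custom-identity-key-store-file-name", "custom-trust-key-store-file-name"):
            if not _text(server, tag):
                findings.append(tag + " is missing although custom keystores are configured")
    return findings


def keystore_paths(xml_text, server_name="AdminServer"):
    """Distinct keystore file names declared for the server, in document order."""
    root = ET.fromstring(xml_text)
    paths = []
    for server in root.iterfind("{*}server"):
        if _text(server, "name") != server_name:
            continue
        for tag in ("custom-identity-key-store-file-name", "custom-trust-key-store-file-name"):
            value = _text(server, tag)
            if value and value not in paths:
                paths.append(value)
    return paths


def needs_elevation(path, write=False):
    """True when the current user lacks read (and, if `write`, write) permission on `path`.

    This is the prerequisite's 'otherwise, elevated access is required' case. The verdict is
    taken from ownership and mode bits rather than os.access(), so it is the same whether
    this check itself runs as root or as the SSH user.
    """
    st = os.stat(path)
    if st.st_uid == os.geteuid():
        r_bit, w_bit = stat.S_IRUSR, stat.S_IWUSR
    elif st.st_gid == os.getegid() or st.st_gid in os.getgroups():
        r_bit, w_bit = stat.S_IRGRP, stat.S_IWGRP
    else:
        r_bit, w_bit = stat.S_IROTH, stat.S_IWOTH
    needed = r_bit | (w_bit if write else 0)
    return (st.st_mode & needed) != needed


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG_XML):
        print("config.xml:", finding)
    # Keystores need rw for the SSH user; otherwise plan for sudo/dzdo elevation.
    for ks in keystore_paths(SAMPLE_CONFIG_XML):
        if os.path.exists(ks):
            print(ks, "needs elevation" if needs_elevation(ks, write=True) else "accessible")
```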

To configure WebLogic (Linux) server:

  1. Go to (Menu) > CERT+ > ADMINISTRATION > Device Management.
    By default, the ADC tab opens.
  2. Click the Server tab.
  3. Click the (Add) icon.
  4. Select Oracle logo from the Vendors list.
    The Oracle server configuration screen is displayed.
  5. In the Server Details section, enter details as mentioned below.
    Table 1. Server Details - Field Description Table
    Fields Description
    *Server type Select WebLogic (Linux) from the dropdown field.
    *Server name Enter the name of the designated WebLogic (Linux) server.
    *IP address Enter the valid IP address of the server being onboarded.
    Data center Select the desired data center from the dropdown list.
    Onboarding Group Select the onboarding group to assign the device.
    Note: Devices without an assigned group are automatically mapped to the Default group during migration, onboarding, and when edited without existing group mappings.
    *SSH Port Enter the SSH port number. By default, 22 is the port used for the SSH communication mode.
    Cert sync Choose from any of the following:
    • Managed - AppViewX performs the config fetch operations and the certificates are discovered and managed in the inventory. CLM actions (push & bind, rollback etc.) can be performed on them.
    • Monitored - AppViewX performs the config fetch operations and the certificates are downloaded in the inventory in the read-only state. CLM actions cannot be performed on them.
    • Ignored - AppViewX only performs the config fetch operations for the devices. There is no certificate discovery performed.
    *: Mandatory fields
  6. In the Credentials section, enter the details as follows.
    Table 2. Credentials - Field Description Table
    Fields Description
    *Credential Type Select the credential type from the dropdown:
    • Manual entry (default)
    • Credential List - AppViewX
    • SSH
    • If external credential types such as Thycotic, BeyondTrust, CloudAccount, or AppViewX Vault are configured, then this credential type will be listed in the device addition screen. Choose the appropriate Credential List from the dropdown menu.
    Note:
    • If Credential list - AppViewX is selected, the *Credentials list dropdown field is displayed. Select any of the preconfigured credential values.
    • If SSH is selected, enter the *Username, *Upload key file, and enter the Passphrase for authentication.
    • If authentication relies on an external credential, ensure that the hostname, FQDN, or IP address used for device communication is configured in the corresponding external credential vault.
    *Username Enter the designated username for authentication. (field displayed for manual entry and SSH)
    *Password Enter the secure password. (field displayed for manual entry only)
    *: Mandatory fields
  7. In the Service account credentials section, enter the details as follows.
    Table 3. Service account credentials - Field Description Table
    Fields Description
    Username Enter the designated username for authentication.
    Password Enter the secure password.
  8. In the Vendor Specific Details section enter the details as follows.
    Table 4. Vendor Specific Details - Field Description Table
    Fields Description
    WebLogic Installation directory Enter the path where the WebLogic domain-registry.xml file is saved.

    Example:/WL_installation_directory/

    *Access Elevation Select the type of access elevation from the dropdown list. By default, it is None.
    File Upload Temp Path Enter the temporary file upload path. This field is applicable only for push operations and is enabled when access is elevated using sudo or dzdo.
    Note: This field is enabled only when Access Elevation is set to sudo or dzdo.
    *: Mandatory fields
  9. Click Add.
    The WebLogic Installation directory is added successfully in the table.
  10. (Optional) Click the (Delete) icon, if you want to delete the directory location from the table, or add more WebLogic Installation directories.
  11. In the Certificate details section (required to discover any additional non-profile certificate), enter the details as follows.
    Table 5. Certificate Details - Field Description Table
    Fields Description
    Key store location Enter the location of the jks keystore in Oracle Linux that contains the private key and an associated certificate.

    Example: /tmp/certs/sample.jks

    Key store password Enter the key store password to access the keystore location.
    Trust store location Enter the location of the jks trust store in Oracle Linux that contains the CA certificates.

    Example: /tmp/certs/sample.jks

    Trust store password Enter the trust store password to access the keystore location.
  12. Click Add.
    The keystore location is added successfully in the table.
  13. (Optional) Click the (Delete) icon, if you want to delete the certificate location from the list, or add more keystore locations.
  14. Click Save.
    The Oracle WebLogic (Linux) device is onboarded successfully.

WebLogic (Linux) Commands for CLM Operations

Operation Command Description Sudo/Dzdo Configuration Required? Executed in wlst Script
Session configuration commands (Executed post creation of ssh session for all use-cases)
bash
Used to set the prompt string for the logged-in user No -
bind 'set enable-bracketed-paste off'
Disable the bracketed-paste configuration for the current session No -
export SUDO_PROMPT='[sudo] password for %p: ' ; export LANG=en_US.UTF-8
Note: This command is executed only when access elevation is enabled.
Set the sudo password prompt to the standard value for the current session and update the session language as English US Yes -
whoami Executed to know the logged-in user No -
Pre-config fetch
ps -eaf|grep 'weblogic'|grep -v grep
This command is used to check if a WebLogic server process is running on the system. No -
find -name 'wlst.sh'
To find the location of the wlst.sh script Yes -
WLST_LOCATION/wlst.sh
The wlst.sh script is used to launch WebLogic Scripting Tool (WLST), which is a command-line utility for managing and automating WebLogic Server administration. Yes -
print version
This command is used to find the version of the WebLogic server. - Yes
exit()
This command is used to close the wlst.sh script. - Yes
Config fetch
cat 'domain-registry-xml_path/domain-registry.xml'
This command is used to read the contents of domain-registry.xml file. Yes -
cat 'config_xml_path/config.xml'
This command is used to read the contents of config.xml file - Yes
cat 'boot_properties_path/boot.properties'
This command is used to read the contents of the boot.properties file Yes -
service = weblogic.security.internal.SerializedSystemIni.getEncryptionService('<domainPath>')
This command is used in WebLogic Scripting Tool (WLST) to retrieve the encryption service for a WebLogic domain No Yes
encryption = weblogic.security.internal.encryption.ClearOrEncryptedService(service)
The ClearOrEncryptedService class in WebLogic allows you to handle encrypted values within WebLogic Server. This is typically used for encrypting and decrypting passwords stored in configuration file. No Yes
encryption.decrypt('encrypted_password')
In WebLogic Scripting Tool (WLST), the encryption.decrypt() function is used to decrypt an encrypted password stored in WebLogic. No Yes
encryption.decrypt('encrypted_username')
In WebLogic Scripting Tool (WLST), the encryption.decrypt() function is used to decrypt an encrypted username stored in WebLogic. No Yes
Temporary Directory Creation (Only for access elevated user)
<access-elevation> mkdir -p <temporary-directory>
A temporary folder is created to upload files into the end machine. Yes -
uname -a
To check if the OS is AIX. No -
<access-elevation> chmod 700  <temporary-directory> && <access-elevation> setfacl -m u:<username>:rwx  <temporary-directory>
Modify access for the current session user. Yes -
<access-elevation> chmod 700  <temporary-directory> && <access-elevation> setfacl -m u:<username>:rwx -m u:<SERVICEACCOUNT>:rwx <temporary-directory> 
sudo chmod 700 '/tmpfileloc//weblogicLinuxPush_1739432147548' && sudo setfacl -m u:appviewx:rwx '/tmpfileloc//weblogicLinuxPush_1739432147548'
Modify access for the current session user and service account user. Yes -
<access-elevation> chmod 777 <temporary-directory>
sudo chmod 777 '/tmpfileloc//weblogicLinuxPush_1739432147548'
Grant rwx access to every user on the temporary directory, only if the above access modification fails. Yes -
<access-elevation> rm  -rf <temporary-directory>
sudo rm -rf /tmpfileloc//weblogicLinuxPush_1739432147548
Remove the temporary folder after the CLM operation is finished. Yes -
Discovery
base64 '/home/appviewx/oracle_cert1.jks'
Read the contents of the keystore file as base64. Yes -
CSR Generation
<access-elevation> mkdir -p <target-file-directory>;  <access-elevation> touch <target-file-directory>
Test if the folder exists; else, create a folder (both for CSR and key files) Yes -
<access-elevation> chown $(id -un):$(id -gn) <csr-config-file>
Change ownership to the logged-in user Yes -
openssl req -nodes -newkey {keyType}:{bitLength} -{hashFunction} -days {validityInDays} -keyout {keyFileName}.key  -out {csrFileName}.csr -subj '/C={country}/ST={state}/L={location}/O={organisation}/OU={organisationUnit}/CN={commonName}/emailAddress={email}/' -config <location>/{csrConfFileName}
This command is used when the key type is:
  1. RSA - to generate the CSR and the key at the WebLogic endpoint.
  2. DSA - to generate the CSR at the WebLogic endpoint.
Yes -
openssl req -nodes -new -{hashFunction} -days {validityInDays} -key {keyFileName}.key -out {csrFileName}.csr -subj '/C={country}/ST={state}/L={location}/O={organisation}/OU={organisationUnit}/CN={commonName}/emailAddress={email}/' -config <location>/{csrConfFileName}
This command is used to generate CSR for EC or ECDSA as the key type. Yes -
openssl dsaparam -out {keyFileName}.key {bitLength}
This command is used to generate a key at the endpoint if the key type is DSA. Yes -
openssl ecparam -name {algorithm} -genkey -noout -out {keyFileName}.key
This command is used to generate a key at the endpoint if the key type is ec or ecdsa. Yes -
<access-elevation> base64 <csr-file-path>
sudo base64 /home/appviewx/test/testingweblogic.conf
Command executed to fetch CSR generated at end device. Yes -
<access-elevation> chmod 640 <target-key-file-path>
Update the key file access permission to 640. Yes -
<access-elevation> rm -rf <files>
Executed to remove the cnf(csr config) and csr files created at the endpoint. Yes -
Push
<access-elevation> stat -c %a <keystore-location>
To fetch the permission of the file if it exists in the server. Yes -
<access-elevation> stat -c %U:%G <keystore-location>
To fetch the ownership of the file if it exists in the server Yes -
<access-elevation> cp <temporary-file-path> <target-location>
Copy the file (keystore) from the temporary location to the target location. Yes -
<access-elevation> chmod <permission-received from stat command/600> <target-keystore-file-path>
Update the file access with existing permission or set it to 600 Yes -
<access-elevation> rm -f <temp-file>
Remove the temporary file (this command is executed only in case of enrollment of a key at the endpoint). Yes -
Bind
date +%s%3N
This command returns the current timestamp in milliseconds. Yes -
perl -MTime::HiRes -e 'printf(\"%.0f\\n\", Time::HiRes::time() *1000)'
This command returns the current timestamp in milliseconds. Yes -
WLST_LOCATION/wlst.sh
- Yes -
connect(USERNAME,PASSWORD,LISTENADDRESS)
This function in WebLogic Scripting Tool (WLST) is used to establish a connection to a WebLogic Server. No Yes
edit()
startEdit()
These commands are used when making configuration changes to the WebLogic domain. - Yes
cd(TARGET_SERVER_PATH)
The cd() command in WLST (WebLogic Scripting Tool) is used to navigate the hierarchical MBean tree of a WebLogic domain. This command moves into the AdminServer MBean, allowing you to view and modify its attributes. - Yes
cmo.setKeyStores('CustomIdentityAndCustomTrust')
cmo refers to the Current Management Object, which represents the MBean of the currently navigated configuration.

setKeyStores('CustomIdentityAndCustomTrust') sets the keystore type for SSL configuration.

- Yes
cmo.setCustomIdentityKeyStoreFileName(KEYSTORE_ABSOLUTE_PATH)
This command is used in WebLogic Scripting Tool (WLST) to set the absolute path of the custom identity keystore for a WebLogic Server instance. - Yes
cmo.setCustomIdentityKeyStorePassPhrase(PASSWORD) 
This command is used in WebLogic Scripting Tool (WLST) to set the password of the custom identity keystore for a WebLogic Server instance. - Yes
cmo.setCustomTrustKeyStoreType('jks')
This command sets the custom trust keystore type for the SSL configuration. - Yes
save()
This command is used to save the configuration changes to WebLogic. - Yes
cd(PATH_TO_SSL_SERVER)
This command moves into the AdminServer MBean, allowing you to view and modify its attributes. - Yes
cmo.setServerPrivateKeyAlias(PRIVATE_KEY_ALIAS_NAME)
This command is used in WebLogic Scripting Tool (WLST) to specify the alias of the private key inside the identity keystore for a WebLogic Server instance. - Yes
cmo.set('ServerPrivateKeyPassPhrase',PASSPHRASE)
This command is used in WebLogic Scripting Tool (WLST) to set the passphrase for the server’s private key stored in the custom identity keystore. - Yes
cmo.setEnabled(true)
This command is used in WebLogic Scripting Tool (WLST) to enable SSL for a WebLogic Server instance. - Yes
activate()
This command is used to commit and apply configuration changes made in the edit session. - Yes
disconnect()
This command closes the WLST session and disconnects from WebLogic Server. - Yes
cmo.getServerPrivateKeyAlias()
This is a getter method used to retrieve the alias of the private key for the server's SSL configuration. This alias refers to a private key entry in the server's keystore. - Yes
Note:
  • All commands referenced here are executed using the latest version. In legacy versions, some commands may differ or may have been introduced only in the most recent release.
  • Limitations
    • The P12 extension is not supported for certificate push.
    • Execute permission is required for the wlst.sh path as a cd operation is performed to access that directory.
    • Currently, the t3s protocol is not supported for server connections. Configure the WebLogic server to use the t3 protocol instead.

Onboarding WebLogic (Windows)

Prerequisites
  • The gateway must be installed within the same domain.
  • The WebLogic instance on Windows must be up and running.
  • Ensure config.xml is available in the domain directory and the user must have access to it.
  • To avoid misconfiguration, ensure that the following details are explicitly defined in the config.xml:
    • Admin server port
    • Administration protocol enabled
    • Listen address (recommended for clarity and accuracy)

    Access Requirements

    If the WebLogic Server instance is running under a service account that is not Local System or a member of the Administrators group:

    • For a Domain Service Account: Add the account to the Administrators group on the server.
    • For a Built-in Account (e.g., Network Service): If the service account user cannot be added to the admin group, then use the Default connector to push the certificate. You can then use the post-script execution to perform the bind operation.

    Best Practice Recommendation

    If the same issuer certificate is available in multiple paths, then the first find is considered. Hence, it is recommended to maintain the trust certificates in one common location.

To configure WebLogic (Windows) server:

  1. Go to (Menu) > CERT+ > ADMINISTRATION > Device Management.
    By default, the ADC tab opens.
  2. Click the Server tab.
  3. Click the (Add) icon.
  4. Select Oracle logo from the Vendors list.
    The Oracle server configuration screen is displayed.
  5. In the Server Details section, enter details as mentioned below.
    Table 6. Server Details - Field Description Table
    Fields Description
    *Server type Select WebLogic (Windows) from the dropdown field.
    *Server name Enter the name of the designated WebLogic (Windows) server.
    Communication Mode Select the Gateway or SSM protocol to be used for communication between the AppViewX node and the Oracle server. Gateway is the preferred communication mode.
    *Hostname Enter the hostname of the Oracle WebLogic (Windows) server that is to be onboarded.

    This field is not mandatory if Communication mode is SSM.

    Data center Select the desired data center from the dropdown list. It holds all the SSL certificates that are to be retrieved from the server.
    Cert sync Choose from any of the following:
    • Managed - AppViewX performs the config fetch operations and the certificates are discovered and managed in the inventory. CLM actions (push & bind, rollback etc.) can be performed on them.
    • Monitored - AppViewX performs the config fetch operations and the certificates are downloaded in the inventory in the read-only state. CLM actions cannot be performed on them.
    • Ignored - AppViewX only performs the config fetch operations for the devices. There is no certificate discovery performed.
    *: Mandatory fields
  6. In the Credentials section, enter the details as follows.
    If Communication mode = Gateway the fields are as follows:
    Table 7. Credentials - Field Description Table
    Fields Description
    *Credential Type Select the credential type from the dropdown:
    • Manual entry (default)
    • Credential List - AppViewX
    • If external credential types such as Thycotic, BeyondTrust, CloudAccount, or AppViewX Vault are configured, then this credential type will be listed in the device addition screen. Choose the appropriate Credential List from the dropdown menu.
    Note:
    • If Credential list - AppViewX is selected, the *Credentials list dropdown field is displayed. Select any of the preconfigured credential values.
    • If authentication relies on an external credential, ensure that the hostname, FQDN, or IP address used for device communication is configured in the corresponding external credential vault.
    *Username Enter the designated username for authentication. (field displayed for manual entry only)
    *Password Enter the secure password. (field displayed for manual entry only)
    *: Mandatory fields
    If Communication mode = SSM the fields are as follows:
    Table 8. Credentials - Field Description Table
    Fields Description
    *Credential Type Select the credential type from the dropdown:
    • Manual entry (default)
    • Credential List - cloudAccount
    • If external credential types such as Thycotic, BeyondTrust, CloudAccount, or AppViewX Vault are configured, then this credential type will be listed in the device addition screen. Choose the appropriate Credential List from the dropdown menu.
    Note:
    • If Credential list - cloudAccount is selected, the *Account name dropdown field is displayed. Select any of the preconfigured credential values.
    • If authentication relies on an external credential, ensure that the hostname, FQDN, or IP address used for device communication is configured in the corresponding external credential vault.
    *Access key Enter the access key to login to the EC2 instance of the AWS cloud machine. This field is displayed only when Communication mode is SSM.
    *Secret key Enter the secret key to login to the EC2 instance of the AWS cloud machine. This field is displayed only when Communication mode is SSM.
    *: Mandatory fields
  7. In the Windows gateway details section, enter the details as indicated below. (This section is not displayed if Communication mode = SSM)
    Table 9. Windows Gateway Details - Field Description Table
    Fields Description
    *Gateway type Select to use the PowerShell or WMI commands as the gateway communication mode.
    *Gateway location The value Remote is selected by default.
    *Select gateway Select the New or Existing gateway to be used. The below fields are enabled/disabled according to the selection.
    *Windows gateway name Enter the new gateway name. (Enabled when New is selected as gateway)
    *Windows gateway URL Enter the URL for the new gateway. (Enabled when New is selected as gateway)
    Client authentication certificate Click Browse and upload the client authentication certificate for the new gateway. (Enabled when New is selected as gateway)
    *Windows gateway Select any of the existing configured gateways from the dropdown list. (Enabled when Existing is selected as gateway)
    *: Mandatory fields
  8. In the Vendor Specific Details section enter the details as follows.
    If Communication mode = Gateway the fields are as follows:
    Table 10. Vendor Specific Details - Field Description Table
    Fields Description
    *WebLogic Installation directory Enter a directory where domain-registry file is located.

    Example:/WL_installation_directory/domain-registry.xml

    *: Mandatory fields
    If Communication mode = SSM the fields are as follows:
    Table 11. Vendor Specific Details - Field Description Table
    Fields Description
    *WebLogic Installation directory Enter a directory where domain-registry file is located.

    Example:/WL_installation_directory/domain-registry.xml

    *Region Enter the geographic region of the AWS instance.

    Example: us-east-2

    *Instance id Enter the unique identifier for an EC2 instance in AWS.

    It is required to perform actions or execute commands on a specific EC2 instance.

    Example: i-02573cafcftext

    *SSM document name Enter the name of the SSM document that contains the script or action to be executed on the EC2 instance.

    Example: AWS-RunShellScript is an SSM document that allows you to execute shell scripts on EC2 instances.

    *SSM document version Specify the version of the SSM document to be executed.

    Example: 1

    *S3 bucket name Enter the S3 bucket name used to store command output or logs executed in the EC2 instance.

    Example: avxdiscoverydocument-c2

    Proxy required Select the checkbox to enable the secure proxy service.
    *: Mandatory fields
  9. [Optional] In the Certificate details section, enter the details as indicated below.
    Note: You can skip this section as it will be deprecated in the next release.
    Table 12. Certificate Details - Field Description Table
    Fields Description
    Key store location Enter the location of the jks keystore in Oracle that contains the private key and an associated certificate.

    Example: C:\keystore\sample.jks

    Key store password Enter the key store password to access the keystore location.
    Trust store location Enter the location of the jks trust store in Oracle that contains the CA certificates.

    Example: C:\keystore\sample.jks

    Trust store password Enter the trust store password to access the keystore location.
  10. Click Add.
    The keystore location is added successfully in the table.
  11. [Optional] Click the Delete icon to delete the certificate location from the list, or add more keystore locations.
  12. Click Save.
    The Oracle WebLogic (Windows) device is onboarded successfully.
    Note:

    Limitations

    • The P12 extension is not supported for certificate push.
    • Currently, the t3s protocol is not supported for server connections. Configure the WebLogic server to use the t3 protocol instead.

Pushing Certificates

  1. There is an option to deliver the certificate to the WebLogic server in the following formats:
    • JKS
    • keystore
  2. When you choose the private key on the device, provide the absolute path of the server-generated private key on the UI screen.

Sample Configuration File

Following is a sample configuration file for config.xml:
  <server>
    <name>AdminServer</name>
    <ssl>
      <name>AdminServer</name>
      <enabled>true</enabled>
      <hostname-verifier xsi:nil="true"></hostname-verifier>
      <hostname-verification-ignored>true</hostname-verification-ignored>
      <export-key-lifespan>500</export-key-lifespan>
      <client-certificate-enforced>false</client-certificate-enforced>
      <listen-port>7002</listen-port>
      <two-way-ssl-enabled>false</two-way-ssl-enabled>
      <server-private-key-alias>ws</server-private-key-alias>
      <server-private-key-pass-phrase-encrypted>{AES256}Y6nGhqZXlUv+76dQt+w5uOqWrQMUxusqPV3kx4nzi7g=</server-private-key-pass-phrase-encrypted>
      <ssl-rejection-logging-enabled>true</ssl-rejection-logging-enabled>
      <inbound-certificate-validation>BuiltinSSLValidationOnly</inbound-certificate-validation>
      <outbound-certificate-validation>BuiltinSSLValidationOnly</outbound-certificate-validation>
      <allow-unencrypted-null-cipher>false</allow-unencrypted-null-cipher>
      <use-server-certs>false</use-server-certs>
    </ssl>
    <machine>machine_1</machine>
    <listen-port>7001</listen-port>
    <listen-port-enabled>true</listen-port-enabled>
    <listen-address></listen-address>
    <java-compiler>javac</java-compiler>
    <client-cert-proxy-enabled>false</client-cert-proxy-enabled>
    <key-stores>CustomIdentityAndCustomTrust</key-stores>
    <custom-identity-key-store-file-name>/tmp/keystore.jks</custom-identity-key-store-file-name>
    <custom-identity-key-store-type>JKS</custom-identity-key-store-type>
    <custom-identity-key-store-pass-phrase-encrypted>{AES256}uFlgx8fDT9ag2zGtvcOwjR9HUZRvkIGDdEdHGwpZnsQ=</custom-identity-key-store-pass-phrase-encrypted>
    <custom-trust-key-store-file-name>/tmp/keystore.jks</custom-trust-key-store-file-name>
    <custom-trust-key-store-type>JKS</custom-trust-key-store-type>
    <custom-trust-key-store-pass-phrase-encrypted>{AES256}45ySG867mJorWxBfHpKK0fWmJGT/07oxPKL8/lYBcF8=</custom-trust-key-store-pass-phrase-encrypted>
    <server-diagnostic-config>
      <wldf-diagnostic-volume>Low</wldf-diagnostic-volume>
    </server-diagnostic-config>
  </server>

Probable Error Messages and Causes for WebLogic CLM Use Case

Error message Description
Communication to <ip/fqdn> has failed.

Caused by: net.schmizz.sshj.userauth.UserAuthException: Exhausted available authentication methods

Authentication failure. Kindly check the credentials used for the authentication.
Beyond trust vault, response parsing failed::["Managed Account not found"] Kindly check whether the weblogic device hostname or IP address is configured for the user in the Beyond Trust.
Thycotic vault access token denied or not generated Check the Thycotic vault integration with AppViewX.
Password object matching query was not found. Please check that there is a password object that answers your query in the Vault and that both the Provider and the application user have the appropriate permissions needed to use the password Check the Thycotic vault integration with AppViewX.
CredentialStore(s) does not exist. Kindly check whether the weblogic device hostname or IP address is configured for the user in the Thycotic server.

Onboarding iPlanet

  1. Go to (Menu) > CERT+ > ADMINISTRATION > Device Management.
    By default, the ADC tab opens.
  2. Click the Server tab.
  3. Click the (Add) icon.
  4. Select the Oracle logo from the Vendors list.
    The Oracle server configuration screen is displayed.
  5. In the Server Details section, enter details as mentioned below.
    Table 13. Server Details section - Field Description Table
    Fields Description
    *Server type Select iPlanet from the dropdown field.
    *Server name Enter the name of the designated iPlanet server.
    *IP address Enter the valid IP address of the server being onboarded.
    Data center Select the desired data center from the dropdown list. It holds all the SSL certificates to be retrieved from the server.
    *SSH Port Enter the SSH port number. 22 is the default port used for the SSH communication mode.
    Cert sync Choose from any of the following:
    • Managed - AppViewX performs the config fetch operations and the certificates are discovered and managed in the inventory. CLM actions (push & bind, rollback etc.) can be performed on them.
    • Monitored - AppViewX performs the config fetch operations and the certificates are downloaded in the inventory in the read-only state. CLM actions cannot be performed on them.
    • Ignored - AppViewX only performs the config fetch operations for the devices. There is no certificate discovery performed.
    *: Mandatory fields
  6. In the Credentials section, enter the details as follows.
    Table 14. Credentials section - Field Description Table
    Fields Description
    *Credential Type Select the credential type from the dropdown:
    • Manual entry (default)
    • Credential List - AppViewX
    • If external credential types such as Thycotic, BeyondTrust, CloudAccount, or AppViewX Vault are configured, those credential types are also listed on the device addition screen. Choose the appropriate Credential List from the dropdown menu.
    Note:
    • If Credential list - cloudAccount is selected, the *Account name dropdown field is displayed. Select any of the preconfigured credential values.
    • If authentication relies on an external credential, ensure that the hostname, FQDN, or IP address used for device communication is configured in the corresponding external credential vault.
    *Username Enter the designated username for authentication. (field displayed for manual entry only)
    *Password Enter the secure password. (field displayed for manual entry only)
    *: Mandatory fields
  7. In the Vendor Specific Details section enter the details as follows.
    Table 15. Vendor Specific Details - Field Description Table
    Fields Description
    *WADM User name Enter the username for the WADM CLI (command line interface) utility. WADM defines all the commands that are supported for configuring and administering the server.
    *WADM Password Enter the password for the WADM CLI utility.
    *WADM directory path Enter the file location/directory path to where the WADM utility is stored.
    *: Mandatory fields
  8. In the Certificate Details section enter the details as follows.
    Table 16. Certificate Details- Field Description Table
    Fields Description
    Database path Enter the file location/directory path of the database where the certificates are stored.
    Password Enter the password for the certificates database.
  9. Click Add.
    The database path is added to the table.
  10. (optional step) Click the (Delete) icon to remove a database path from the list, or add more paths as needed.
  11. Click Save.
    The Oracle iPlanet device is onboarded successfully.

Validating the Device

After the device is onboarded successfully, follow these steps to validate the device communication with AppViewX:
  1. Go to ADMINISTRATION > Device Management.
    By default, the ADC tab opens.
  2. Click the Server tab.
    The Server Inventory page is displayed.
  3. Check that the device name appears in the inventory (Name column) with the expected value in the Status column.
    The Status column shows Managed/Monitored/Ignored if the connection is successful, or Failed/Unresolved in case of failure.
  4. In the Status column, click the Managed/Monitored/Ignored/Failed/Unresolved value.
    The Device Status Log pop-up is displayed.
  5. Expand each entry in the pop-up to view the Device Communication, Device Version, Instance Information, and Certificate Discovery From Device details.