Oracle WebLogic Server Dynamic Cluster deployment failed
majguo opened this issue · 1 comments
Problem description
When deploying an Oracle WebLogic Server Dynamic Cluster with "Oracle HTTP Server Load Balancer" enabled and uploading an existing pkcs12 key store, the deployment failed with the following error message:
{
"code": "DeploymentFailed",
"message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
"details": [
{
"code": "VMExtensionProvisioningError",
"message": "VM has reported a failure when processing extension 'newuserscript'. Error message: "Enable failed: failed to execute command: command terminated with exit status=1\n[stdout]\ncreating OHS domain configuration file ...\nSetting up OHS standalone domain at /u01/domains/ohsStandaloneDomain\n\nInitializing WebLogic Scripting Tool (WLST) ...\n\nJython scans all the jar files it can find at first startup. Depending on the system, this process may take a few minutes to complete, and WLST may not return a prompt right away.\n\nWelcome to WebLogic Server Administration Scripting Shell\n\nType help() for help on available commands\n\n \n\n\nExiting WebLogic Scripting Tool.\n\nOHS standalone domain is configured successfully\nSetting CrashRecoveryEnabled true at /u01/domains/ohsStandaloneDomain/nodemanager/nodemanager.properties\nCreating NodeManager service\nCreating ohs component service\ncurl http://10.0.0.7:8002/weblogic/ready\n10.0.0.7:8002 is reachable\ncurl http://10.0.0.6:8004/weblogic/ready\n10.0.0.6:8004 is reachable\ncurl http://10.0.0.5:8003/weblogic/ready\n10.0.0.5:8003 is reachable\nCreating backup file for existing mod_wl_ohs.conf file\nCreating mod_wl_ohs.conf file as per 10.0.0.7:8002,10.0.0.6:8004,10.0.0.5:8003\nOracle PKI Tool : Version 12.2.1.4.0\nCopyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.\n\nOperation is successfully completed.\nSuccessfully oracle vault is created\ntotal 8\n-rw-------. 1 oracle oracle 194 Apr 1 15:10 cwallet.sso\n-rw-------. 1 oracle oracle 0 Apr 1 15:10 cwallet.sso.lck\n-rw-------. 1 oracle oracle 149 Apr 1 15:10 ewallet.p12\n-rw-------. 1 oracle oracle 0 Apr 1 15:10 ewallet.p12.lck\nOracle PKI Tool : Version 12.2.1.4.0\nCopyright (c) 2004, 2019, Oracle and/or its affiliates. 
All rights reserved.\n\noracle.security.crypto.core.CipherException: oracle.security.crypto.core.InvalidKeyException: oracle.security.crypto.core.AlgorithmIdentifierException: No class found for OBJECT IDENTIFIER {1 2 840 113549 2 9}\n\n[stderr]\n % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* About to connect() to adminVM port 7001 (#0)\n* Trying 10.0.0.4...\n\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Connected to adminVM (10.0.0.4) port 7001 (#0)\n* Server auth using Basic with user 'weblogic'\n> GET /management/weblogic/latest/domainRuntime/serverRuntimes?fields=defaultURL HTTP/1.1\r\n> Authorization: Basic d2VibG9naWM6V2ViTG9naWMxMjM0NTY=\r\n> User-Agent: curl/7.29.0\r\n> Host: adminVM:7001\r\n> X-Requested-By:MyClient\r\n> Accept:application/json\r\n> Content-Type:application/json\r\n> \r\n\r 0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0< HTTP/1.1 200 OK\r\n< Date: Fri, 01 Apr 2022 15:10:30 GMT\r\n< Content-Length: 2472\r\n< Content-Type: application/json\r\n< X-ORACLE-DMS-ECID: 513416ee-d799-4af7-b409-016e5cf03d92-00000057\r\n< X-ORACLE-DMS-RID: 0\r\n< Set-Cookie: JSESSIONID=jJHlrY3OTfD3t70eu3vuD36cdu3sKf3__C2BLi8SciNe3_53FQCP!-1625228959; path=/; HttpOnly\r\n< Vary: Accept-Encoding\r\n< \r\n{ [data not shown]\n\r100 2472 100 2472 0 0 1823 0 0:00:01 0:00:01 --:--:-- 1823\n* Connection #0 to host adminVM left intact\n % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0\n % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0\n % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- 
--:--:-- 0\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0\nUnable to add PKCS12 certificate to Oracle Wallet\n"\r\n\r\nMore information on troubleshooting is available at https://aka.ms/VMExtensionCSELinuxTroubleshoot "
}
]
}
How to reproduce
Follow steps below to reproduce the issue:
- Open Oracle WebLogic Server Dynamic Cluster offer
- In "Basics" page: Fill in value for the required field(s). Click "Next".
- In "TLS/SSL Configuration" page: Click "Next".
- In "Oracle HTTP Server Load Balancer" page:
  - Select "Yes" for "Connect to Oracle HTTP Server?"
  - Use defaults and fill in value for the required field(s) except "TLS/SSL Configuration Settings".
  - Generate a pkcs12 key store which includes a private key by referencing Create Identity and Trust Keystores for Self-Signed Certificates
    keytool -genkey -alias servercert -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 -keystore identity.p12 -keypass identityKeyPassword -storepass identityStorePassword
    Note: In my local env, openjdk 11 is installed, so the default type of the generated key store is pkcs12, details pls see here
  - Upload "identity.p12" for "TLS/SSL certificate Data file(.jks,.p12)"
  - Set identityStorePassword for "Password" and "Confirm password"
  - Select PKCS12 for "type of certificate format(JKS,PKCS12)"
- Click "Review + Create"
- Click "Create"
- Wait until the deployment fails with the error mentioned above.
Workaround
I also tested that the deployment works with another pkcs12 key store (mycert.p12) generated with the following commands:
openssl genrsa -passout pass:<your-password> -out privkey.pem 3072
openssl req -x509 -new -key privkey.pem -out privkey.pub -subj "/C=US"
openssl pkcs12 -passout pass:<your-password> -export -in privkey.pub -inkey privkey.pem -out mycert.p12
Recommended fix
As a result, the recommended fix is to add the necessary tips to the UI and update the doc as well, so that users know how to prepare a valid keystore for configuring TLS/SSL of Oracle HTTP Server.
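A pre-upload check for the keystore, as an added example that is not part of the original issue or the project's scripts: it scans a PKCS#12 file's bytes for the DER encoding of OID 1.2.840.113549.2.9, the identifier the Oracle PKI Tool reported having no class for, alongside other common password-based encryption OIDs. The OID names (standard PKCS#5/PKCS#12 assignments), the function names and the two constructed sample fragments are assumptions of the example, not data from the failing keystore.

```python
# Added example: list password-based-encryption OIDs visible in a PKCS#12 file.
import sys

# OID -> name (standard PKCS#5 / PKCS#12 assignments, not taken from the issue)
KNOWN_OIDS = {
    "1.2.840.113549.2.9": "hmacWithSHA256",  # the OID in the reported error
    "1.2.840.113549.1.5.13": "PBES2",
    "1.2.840.113549.1.5.12": "PBKDF2",
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.6": "pbeWithSHAAnd40BitRC2-CBC",
}
ERROR_OID = "1.2.840.113549.2.9"

def encode_oid(dotted):
    """DER-encode a dotted OID: tag 0x06, short-form length, base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append((arc & 0x7F) | 0x80)
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)

def oids_present(der):
    """Names of KNOWN_OIDS found in the file bytes (cleartext parts only)."""
    return sorted(n for o, n in KNOWN_OIDS.items() if encode_oid(o) in der)

def has_error_oid(der):
    return encode_oid(ERROR_OID) in der

def tlv(tag, content=b""):
    """Minimal DER tag-length-value builder for the constructed samples."""
    return bytes([tag, len(content)]) + content

# Constructed AlgorithmIdentifier fragments (zero salt/IV), not real keystores.
SAMPLE_PBES2 = tlv(0x30, encode_oid("1.2.840.113549.1.5.13") + tlv(0x30,
    tlv(0x30, encode_oid("1.2.840.113549.1.5.12") + tlv(0x30,
        tlv(0x04, bytes(8)) + tlv(0x02, b"\x27\x10")
        + tlv(0x30, encode_oid(ERROR_OID) + tlv(0x05))))
    + tlv(0x30, encode_oid("2.16.840.1.101.3.4.1.42") + tlv(0x04, bytes(16)))))
SAMPLE_LEGACY = tlv(0x30, encode_oid("1.2.840.113549.1.12.1.3")
    + tlv(0x30, tlv(0x04, bytes(8)) + tlv(0x02, b"\x08\x00")))

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PBES2
    print("OIDs found:", oids_present(data))
    print("contains OID from the error:", has_error_oid(data))
```

Run it with the keystore path as the only argument; algorithm identifiers inside encrypted bags are not visible to a byte scan, so an empty result does not prove the OID is absent.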
We believe this issue is resolved and the root cause was an expired .jks file. When you created a fresh one, it did not suffer from this problem. Please close this.