RSS

Oracle Nodemanager connection issue (BEA-300033)

19 Aug

This blogpost started with a simple BEA-error regarding NodeManager communication. So the first parts documents the solution for this. Later the error occured again and the Weblogic domain configuration was changed to what we expected it to be in the first place (see update 24-08-2011). Later on we tried to pinpoint where this non-expected configuration occured from, and this resulted in the last update (see update 25-08-2011).

This is where it all started (19-08-2011):

Strange situation in a multiple hosts Weblogic domain:

  • AdminServer is running
  • Managed Servers are all running (on remote hosts)
  • Network communication between Managed Servers and Admin works, because configuration changes (the config.xml file) is being replicated to the Managed Servers.

However the Managed Servers can not be restarted due to an unreachable remote Node Manager.

Remote NodeManager logfiles show normal behaviour:

<INFO> <Secure socket listener started on port 5556>

The AdminServer logging shows the following error:

<NodeManager> <BEA-300033> <Could not execute command "getVersion" on the node manager. Reason: "Access to domain 'myDomain' for user 'R040FFV7GI' denied".>

At first I was wondering where this username originated from since it was not part of the embedded LDAP. Then I discovered the credentials were generated during the domain creation and can be found in the Weblogic console at <domain> -> Security -> General -> Advanced -> Nodemanager Username

The first solution was found on the Oracle Forums where it is mentioned that we could nmEnroll the remote machines NodeManager again to the AdminServer. During the installation of the Domain we already did this, so apparently for some reason unknown the NodeManager user and password token got conflicted between the 2 entities.

So for each remote host we performed the following task using WLST:


connect('weblogic','welcome1','t3://myserver:7001')
nmEnroll('C:/myDomain','C:/myOraHome/wlserver_10.3/common/nodemanager')
Enrolling this machine with the domain directory at C:/myDomain ...
Successfully enrolled this machine with the domain directory at C:/myDomain.

Syntax for the nmEnroll command is: nmEnroll([domainDir], [nmHome])


Update 24-08-2011:

However the problem kept reoccuring in the domain so we needed to find a permanent solution.
Instead of the default Weblogic generated Nodemanager credentials we wanted to try to configure a fixed name/password in the Weblogic domain and on each host.

In Weblogic console:

  • Click on domainname in Domain Structure (left menu)
  • Select Security -> General -> Advanced
  • Configure the NodeManager Username with weblogic
  • Configure the NodeManager Password with welcome1 (2x)

On each remote host:

    • Navigate to the folder %DOMAINHOME%\config\nodemanager
    • Edit the file: nm_password.properties
    • Content should be set to:
      username=weblogic
      password=welcome1
    • Save
    • Restart the Weblogic Node Manager

Update 25-08-2011:

Discussing this behaviour with Jacco Landlust our conclusion was quickly that we seen different configuration results over time. After a few tests we came to the conclusion:

Case 01 – Creating Weblogic domain with WLST script in Development mode:


#=======================================================================================
# Open Weblogic 10.3 template.
#=======================================================================================

print('open template')
readTemplate('C:/Oracle/Middleware/wlserver_10.3/common/templates/domains/wls.jar')
cd('/')
cmo.setName('myDomainWlstDev')

#=======================================================================================
# Configure Admin settings
#=======================================================================================

print('Set default settings for admin')
cd('/Servers/AdminServer')
cmo.setName('myAdmin')
set('ListenAddress','localhost')
set('ListenPort', int(7001))

#=======================================================================================
# Configure User settings
#=======================================================================================

print('Set Weblogic User')
cd('/Security/myDomainWlstDev/User/weblogic')
cmo.setPassword('welcome1')

#=======================================================================================
# Write domain and finalize
#=======================================================================================

print ('Write domain')
setOption('OverwriteDomain', 'true')
writeDomain('C:/Oracle/Middleware/user_projects/domains/myDomainWlstDev')
closeTemplate()

result: The domain myDomainWlstDev uses the default Weblogic credentials

Case 02 – Creating Weblogic domain with WLST script in Production mode:


#=======================================================================================
# Open Weblogic 10.3 template.
#=======================================================================================

print('open template')
readTemplate('C:/Oracle/Middleware/wlserver_10.3/common/templates/domains/wls.jar')
cd('/')
cmo.setName('myDomainWlstPrd')

#=======================================================================================
# Configure Admin settings
#=======================================================================================

print('Set default settings for admin')
cd('/Servers/AdminServer')
cmo.setName('myAdmin')
set('ListenAddress','localhost')
set('ListenPort', int(7001))

#=======================================================================================
# Configure User settings
#=======================================================================================

print('Set Weblogic User')
cd('/Security/myDomainWlstPrd/User/weblogic')
cmo.setPassword('welcome1')

#=======================================================================================
# Set ProductionMode
#=======================================================================================

print('Configure domain to Production Mode')
cd('/')
cmo.setProductionModeEnabled(true)

#=======================================================================================
# Write domain and finalize
#=======================================================================================

print ('Write domain')
setOption('OverwriteDomain', 'true')
writeDomain('C:/Oracle/Middleware/user_projects/domains/myDomainWlstPrd')
closeTemplate()

result: The domain myDomainWlstPrd also uses the default Weblogic credentials

Case 03 – Creating Weblogic domain with Config Wizard Development mode:

Just the most basic Weblogic Config Wizard steps: Sun JDK + Development Mode + default settings (Admin  / MS / etc) so skipping these configuration steps.

result: The domain myDomainWizardDev also uses the default Weblogic credentials

Case 04 – Creating Weblogic domain with Config Wizard Production mode:

result: The domain myDomainWizardPrd is using generated credentials

Conclusion:

The Weblogic Config Wizard generates nodemanager credentials for your domain when you choose production mode. I can’t remember reading about this in the Weblogic documentation regarding DEV vs PRD differences. So I’m not sure at the moment if this is working-as-expected and if there is some specific security reason for it.

References:

About these ads
 
3 Comments

Posted by on 19-08-2011 in Oracle, Weblogic

 

Tags: ,

3 responses to “Oracle Nodemanager connection issue (BEA-300033)

  1. Anwar Hussain

    18-10-2012 at 15:21

    am facing the same error message . . kindly help me

     
  2. responsive wordpress

    04-12-2012 at 09:29

    Your style is really unique compared to other folks I have read
    stuff from. Many thanks for posting when you have the opportunity, Guess I will just book mark
    this blog.

     
  3. Pierluigi Vernetto (@publicpierre)

    05-06-2013 at 17:04

    you saved my life! I had the same problem, and editing the nm_password.properties file fixed it.

     

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
Follow

Get every new post delivered to your Inbox.

Join 323 other followers

%d bloggers like this: