Change Nodemanager Password And Username in Weblogic

Oracle Weblogic Server

Before we change username and password, we shall know how to get the current username and password of nodemanager:

 

To check the Node Manager username?

There are three ways of doing this:
–Via the WLS config.xml
–Via the WLS Admin Console.
–Via the WLST commands

 

— Via the WLS config.xml

$ vi MW_HOME/user_projects/domains/<domain_name>/config/config.xml

...
<node-manager-username>guruadmin</node-manager-username>
<node-manager-password-encrypted>{AES}1ABC2def3GHI4jkl5MNO6pqr7STU8vwx9YZ0=</node-manager-password-encrypted>
...

— Via the WLS Admin Console

Login on the WLS Admin Console: http://hostname:7001/console 1. Click the <domain_name> link within the Navigator (left hand side) 2. Click the Security tab (right hand side) 3. You should be placed in the General subtab 4. Scroll down and expand the Advanced Options from that page 5. See the NodeManager Username field to get the username.

— Via the wlst scripting tool

$ cd MW_HOME/$ORACLE_HOME/common/bin $ ./wlst.sh 1. connect() 2. print get(‘/SecurityConfiguration/<DOMAIN>/NodeManagerUsername’) 3. disconnect() 4. exit() Example:

wls:/offline> connect('weblogic','welcome','t3://techpaste.com:7001')
Connecting to t3://techpaste.com:7001 with userid weblogic ...
Successfully connected to Admin Server 'AdminServer' that belongs to domain 'tp_domain'.

wls:/tp_domain/serverConfig> print get('/SecurityConfiguration/tp_domain/NodeManagerUsername')
guruadmin
wls:/tp_domain/edit/SecurityConfiguration/tp_domain> disconnect()
Disconnected from weblogic server: AdminServer
wls:/offline> exit()

How to check the Node Manager password?

WLST command to check the current password: $ cd MW_HOME/$ORACLE_HOME/common/bin $ wlst.sh 1. connect() 2. print get(‘/SecurityConfiguration/<DOMAIN>/NodeManagerPassword’) 3. disconnect() 4. exit() Example:

wls:/offline> connect('weblogic','welcome1','t3://techpaste.com:7001')
Connecting to t3://techpaste.com:7001 with userid weblogic ...
Successfully connected to Admin Server 'AdminServer' that belongs to domain 'tp_domain'.

wls:/tp_domain/serverConfig> print get('/SecurityConfiguration/tp_domain/NodeManagerPassword')
X322VT32jCt
wls:/tp_domain/edit/SecurityConfiguration/tp_domain> disconnect()
Disconnected from weblogic server: AdminServer
wls:/offline> exit()

Exiting WebLogic Scripting Tool.

Above password was encrypted password so to get clear text password we shall enable cleartext password display using wlst.

 

To do so please check below wlst commands:

$ cd MW_HOME/$ORACLE_HOME/common/bin

$ ./wlst.sh

1. connect() — To connect to online mode

2. edit() — To enter edit mode
3. startEdit() — To start the edit
4. cd(‘SecurityConfiguration/<DOMAIN>’) — To navigate to domain home
5. ls() — To check ClearTextCredentialAccessEnabled is true or false
6. cmo.setClearTextCredentialAccessEnabled(true) — To set the param to true
7. ls() — To check ClearTextCredentialAccessEnabled is set true
8. validate()
9. save()
10. activate()
11. print get(‘/SecurityConfiguration/<DOMAIN>/NodeManagerPassword’)
12. disconnect()
13. exit()

Example (Weblogic server in Production mode):

wls:/offline> connect('weblogic','welcome','t3://techpaste.com:7001')
Connecting to t3://techpaste.com:7001 with userid weblogic ...
Successfully connected to Admin Server 'AdminServer' that belongs to domain 'tp_domain'.

wls:/tp_domain/serverConfig> edit()
Location changed to edit tree. This is a writable tree with
DomainMBean as the root. To make changes you will need to start
an edit session via startEdit().

For more help, use help(edit)

wls:/tp_domain/edit> startEdit()
Starting an edit session ...
Started edit session, please be sure to save and activate your
changes once you are done.
wls:/tp_domain/edit !> cd('SecurityConfiguration/tp_domain')
wls:/tp_domain/edit/SecurityConfiguration/tp_domain !> ls()
dr-- DefaultRealm
dr-- Realms

-rw- AnonymousAdminLookupEnabled false
-rw- ClearTextCredentialAccessEnabled false
-rw- CompatibilityConnectionFiltersEnabled false
-rw- ConnectionFilter null
-rw- ConnectionFilterRules null
-rw- ConnectionLoggerEnabled false
-rw- ConsoleFullDelegationEnabled false
-rw- Credential ******
-rw- CredentialEncrypted ******
-rw- CrossDomainSecurityEnabled false
-rw- DowngradeUntrustedPrincipals false
-rw- EnforceStrictURLPattern true
-rw- EnforceValidBasicAuthCredentials true
-rw- ExcludedDomainNames null
-rw- Name tp_domain
-rw- NodeManagerPassword ******
-rw- NodeManagerPasswordEncrypted ******
-rw- NodeManagerUsername guruadmin
-rw- Notes null
-rw- PrincipalEqualsCaseInsensitive false
-rw- PrincipalEqualsCompareDnAndGuid false
-r-- Type SecurityConfiguration
-rw- WebAppFilesCaseInsensitive false

-r-x findDefaultRealm WebLogicMBean :
-r-x findRealm WebLogicMBean : String(realmDisplayName)
-r-x findRealms WebLogicMBean[] :
-r-x freezeCurrentValue Void : String(attributeName)
-r-x generateCredential [B :
-r-x isSet Boolean : String(propertyName)
-r-x restoreDefaultValue Void : String(attributeName)
-r-x unSet Void : String(propertyName)

wls:/tp_domain/edit/SecurityConfiguration/tp_domain !> cmo.setClearTextCredentialAccessEnabled(true)
wls:/tp_domain/edit/SecurityConfiguration/tp_domain !> ls()
dr-- DefaultRealm
dr-- Realms

-rw- AnonymousAdminLookupEnabled false
-rw- ClearTextCredentialAccessEnabled true ---> See it's true. got changed.
-rw- CompatibilityConnectionFiltersEnabled false
-rw- ConnectionFilter null
-rw- ConnectionFilterRules null
-rw- ConnectionLoggerEnabled false
-rw- ConsoleFullDelegationEnabled false
-rw- Credential ******
-rw- CredentialEncrypted ******
-rw- CrossDomainSecurityEnabled false
-rw- DowngradeUntrustedPrincipals false
-rw- EnforceStrictURLPattern true
-rw- EnforceValidBasicAuthCredentials true
-rw- ExcludedDomainNames null
-rw- Name tp_domain
-rw- NodeManagerPassword ******
-rw- NodeManagerPasswordEncrypted ******
-rw- NodeManagerUsername guruadmin
-rw- Notes null
-rw- PrincipalEqualsCaseInsensitive false
-rw- PrincipalEqualsCompareDnAndGuid false
-r-- Type SecurityConfiguration
-rw- WebAppFilesCaseInsensitive false

-r-x findDefaultRealm WebLogicMBean :
-r-x findRealm WebLogicMBean : String(realmDisplayName)
-r-x findRealms WebLogicMBean[] :
-r-x freezeCurrentValue Void : String(attributeName)
-r-x generateCredential [B :
-r-x isSet Boolean : String(propertyName)
-r-x restoreDefaultValue Void : String(attributeName)
-r-x unSet Void : String(propertyName)

wls:/tp_domain/edit/SecurityConfiguration/tp_domain !> validate()
Validating changes ...
Validated the changes successfully
wls:/tp_domain/edit/SecurityConfiguration/tp_domain !> save()
Saving all your changes ...
Saved all your changes successfully.
wls:/tp_domain/edit/SecurityConfiguration/tp_domain !> activate()
Activating all your changes, this may take a while ...
The edit lock associated with this edit session is released
once the activation is completed.
Activation completed
wls:/tp_domain/edit/SecurityConfiguration/tp_domain> print get('/SecurityConfiguration/tp_domain/NodeManagerPassword')
welcome*12
wls:/tp_domain/edit/SecurityConfiguration/tp_domain> disconnect()
Disconnected from weblogic server: AdminServer
wls:/offline> exit()
Exiting WebLogic Scripting Tool.

Note: Make sure you revert back ClearTextCredentialAccessEnabled to false once you are done else that will be a big security breach as password will be in clear text.

To check whether the gathered username and password is correct or not you can do run following commands :

wls:/offline> nmConnect(domainName='tp_domain', username='guruadmin', password='welcome*12')
Connecting to Node Manager ...
Successfully Connected to Node Manager.
wls:/nm/wc_domain> nmDisconnect()
Successfully disconnected from Node Manager.
wls:/offline> exit()
Exiting WebLogic Scripting Tool.

Now we know how to retrieve and check nodemanager username and password. We can now proceed to know the steps to change/modify the Nodemanager username and password.

Steps to modify the Node Manager username & password?

modifying the Node Manager username ->

The best way of doing this is to change it solely within the WLS config.xml and make sure the Admin Server is restarted, along with the Node Manager.

To change the WLS config.xml, do the following:

$ vi MW_HOME/user_projects/domains/<domain_name>/config/config.xml

<node-manager-username>guruadmin</node-manager-username>
<node-manager-password-encrypted>{AES}1ABC2def3GHI4jkl5MNUUw7STU8vwx9YZ0=</node-manager-password-encrypted>

Note:
you can use the encrypted password found in previous sections or you can make it same as admin username and password(boot.properties file can get you the admin username and password details)

After changing the above, please do restart the Admin Server and the NodeManager.

Modifying the Node Manager password ->

The best way of doing this is to change it solely within the WLS Admin Console. There is no restart needed.

Login on the WLS Admin Console: http://hostname:7001/console

1. Click the <domain_name> link within the Navigator (left hand side)
2. Click the Security tab (right hand side)
3. You should be placed in the General subtab
4. Scroll down and expand the Advanced Options from that page
5. Change the password and activate the changes.

Changing password using wlst script:

def modifyNodeManager():
readDomain(DOMAIN_HOME) -- change the home location in DOMAIN_HOME
cd("/SecurityConfiguration/"+DOMAINNAME) -- Change the DOMAINNAME to your domain name
cmo.setNodeManagerUsername("nmUser") -- Fill the nmUser with your Node manager username
cmo.setNodeManagerPasswordEncrypted("nmPass") -- Fill the nmPass with your Node manager new password
updateDomain()

 

In case of any ┬ęCopyright or missing credits issue please check CopyRights page for faster resolutions.

3 Responses

  1. I am getting this error when trying to modify the node manager password:

    This command is not supported while connected to a running server

    Problem invoking WLST – Traceback (innermost last):
    File "/stage/provisioning/Scripts/fmw/ChangeNodeManagerPassword.py", line 39, in ?
    File "/stage/provisioning/Scripts/fmw/ChangeNodeManagerPassword.py", line 26, in changeNodeManagerPass
    at weblogic.management.jmx.ExceptionMapper.matchJMXException(ExceptionMapper.java:74)
    at weblogic.management.jmx.MBeanServerInvocationHandler.doInvoke(MBeanServerInvocationHandler.java:506)
    at weblogic.management.jmx.MBeanServerInvocationHandler.invoke(MBeanServerInvocationHandler.java:380)
    at com.sun.proxy.$Proxy15.setNodeManagerUsername(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)

    java.lang.RuntimeException: java.lang.RuntimeException: The requested attribute is not exposed through JMX: setNodeManagerUsername

    Any idea what could be the problem? Thanks ­čÖé

  2. Joanne says:

    I followed your advice to modify NodeManager password solely via WLS admin console. However, afterwards, I tried to start each server instance (01 & 02). I got the following errors.
    Messages
    Message icon – Warning For server adf_server1, the Node Manager associated with machine 01-wl.xxx.org is not reachable.
    Message icon – Warning For server adf_server2, the Node Manager associated with machine 02-wl.xxx.org is not reachable.
    Message icon – Warning All of the servers selected are currently in a state which is incompatible with this operation or are not associated with a running Node Manager or you are not authorized to perform the action requested. No action will be performed.

    my adf servers are configured as clustered. I’m wondering what else is missing if I choose to do it via admin console?

    If I vi nm_password.properties, I’d need to update this file for admin; node2 and node3 assuming admin is node1.

    Thanks,

    Joanne

Leave a Reply