Wednesday, June 20, 2007

What's the deal with SNMPv1, v2 and v3

Here are some of the questions I got from someone a few days ago. See my answers inline.

Q: The WLS SNMP agent supports 2 trap versions: V1, V2 and V3. What's the difference between these 3 versions?

[A] SNMPv1 and SNMPv2 (strictly, the community-based SNMPv2c) are the two versions of SNMP implemented up to WLS 9.x; SNMPv3 is implemented in WLS 10. Both SNMPv1 and SNMPv2c authenticate packets with a community string: SNMP runs over UDP, which is connectionless, so there is no session to log into and every request has to carry its own credential. The community string is sent in plain text in every SNMPv1 or SNMPv2c packet, and the agent uses it to decide whether to process or discard the packet. Anyone who can capture the traffic (or guess a default such as "public") can therefore read and replay requests, which is why v1/v2c agents should only be reachable from a trusted management network. The main functional difference between SNMPv1 and SNMPv2 is that SNMPv2 added a few more PDU types, such as GETBULK, which lets you request a large number of GET or GETNEXT operations in one packet.

SNMPv3 was designed to address the weak v1/v2 security. It is based on SNMPv2 (same PDU types), but it is a lot more secure: instead of community strings it uses named users with passwords, so SNMPv3 packets can be authenticated (a keyed hash over the message) and, optionally, encrypted, and the password itself never crosses the wire in plain text. For more information about SNMP security see Security for SNMP in our edocs.

Q: The SNMP architecture diagram demonstrates that you can poll MBean attribute values from Managed Servers. However, the SNMP commands such as SNMPWALK and SNMPGET don't allow you to specify the addresses and/or names of the Managed Servers that you'd like to poll. How can I tell which Managed Server(s) to poll?

[A] The SNMP architecture up to WLS 9.x doesn't allow you to create multiple agents in a WLS domain: the agent implementation is only available in the administration server. When an SNMP manager talks to the agent running on the administration server, the agent in turn contacts the managed servers on the manager's behalf. So you still point SNMPWALK and SNMPGET at the admin server's host and agent port, and you identify the managed server in the request itself rather than by address. If you are not sure of the complete OIDs of the managed objects on a WebLogic managed server, use snmpwalk to get the root OID of the managed object (or the attribute) by suffixing the managed server's name to the community prefix, in the form community_prefix@managed_server_name; the agent then answers with that server's MBean attribute values.

View Balamurali Kothandaraman's profile on LinkedIn

Friday, June 15, 2007

A common (and tricky) security question

One common question people always ask me is "If I forget my administrator password, how can I reset it?". It was simple in the WebLogic Server 6.1 days, when the password was stored in a plain text file. When version 7.0 of WebLogic Server (WLS) was released, the security architecture went through a complete overhaul: they introduced a file-based Embedded LDAP server for storing security-related information in the domain.

First, here are a few recommendations that I want to share with you:
  1. Create a backup admin user and keep its credentials in a safe place, so that you can use that admin user in such a disaster scenario.
  2. Take periodic backups of your domain's embedded LDAP directory on the admin server machine (/Servers/AdminServer/data/ldap/).
  3. Take periodic backups of the individual providers in your realm using the WebLogic Server security import/export feature. (For more info see Export data from a security provider in edocs.)

Following are some of the ways in which you can answer the above question:

  • If you are in development, one option is to recreate the domain from the existing one by creating a Domain Template with the Domain Template Builder. That way you don't lose any of the configuration you did in the original domain, but any security changes you made (users, groups, policies) will be lost.

  • If you have already created a User Config file set for the admin user, run a JMX script that uses that User Config file set to change the admin user's password. Obviously you will want to recreate the User Config file set after you change the password, since it still holds the old credentials. If you have no User Config file set for the admin user, follow one of the following steps.

  • Delete the ldap sub-directory under the AdminServer folder and restart the admin server (obviously, make a backup before you delete). The server automatically rebuilds the LDAP from the *.ldift files in the domain directory (created when the domain was created, e.g. DefaultAuthenticatorInit.ldift). This works if you changed the admin password after creating the domain, forgot or lost the new password, but still remember the original password you chose when you created the domain (strange use case, huh?). With this method you lose all the existing users and groups in the LDAP, so export them before you delete the LDAP and import them back later. That export, however, is only possible while you still have access to the console, or through pre-written backup scripts that use the encrypted username and password from a User Config file.

  • If you don't remember the administrator password at all (original or changed), and you are ready to lose all the users and groups in the existing LDAP (unless they were backed up with the export feature), delete the ldap sub-directory under the AdminServer folder (don't forget to create a backup). Then open DefaultAuthenticatorInit.ldift in a text editor (obviously, back it up before you edit) and locate the line 'dn: uid=adminusername,ou=people,ou=@realm@, dc=@domain@'. Set the value of the 'userpassword' attribute of that entry to a known plain text value. Restart the admin server using the new credentials; the domain recreates the LDAP with the new admin username and password. If you exported the old users and groups, import them back. Note that this leaves the new password in clear text in the ldift file, so change it again through the console afterwards and keep the file's permissions tight.

  • What if you haven't backed up any users or groups, you don't want to lose them, but you still want to recover the lost administration user password? In that scenario, provided the default Admin role has not been modified or removed, recover the administrator password in the WebLogic domain as follows:

    • At the command line, change directory to the domain and run the setEnv script to set the PATH and CLASSPATH.
    • Create a new DefaultAuthenticatorInit.ldift by running: java tempadminusername temppassword ./
    • Remove the initialized status file, DefaultAuthenticatormyrealmInit.initialized, from the Domain/AdminServer/ldap subdirectory.
    • Restart the server using the new user identity.
    • To change the old admin user's password, log into the admin console or use JMX scripts (optional).

  • Delete and recreate the domain (yuck!). I don't think you would ever end up doing this unless you changed the default Admin role or its permissions, which is a highly unlikely situation.
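The ldift edit and the LDAP backup from the "delete the ldap sub-directory" options above, as an added example (this is not code from the original post or from WebLogic Server): the script rewrites the userpassword attribute of exactly one uid in DefaultAuthenticatorInit.ldift, refuses to proceed if the user is not found or matches more than once, and moves the embedded LDAP directory aside with a timestamp instead of deleting it, so the old users and groups can still be exported from the backup later. The sample ldift content is constructed for the example (its dn lines follow the form quoted above); the ldift and ldap locations are passed in as parameters because they vary by WLS version, and the user names are illustrative.

```python
"""Set a known admin password in DefaultAuthenticatorInit.ldift and move the
embedded LDAP directory aside before the admin server rebuilds it.

Added example; not code from the original post or from WebLogic Server.
SAMPLE_LDIFT is constructed for this example and is not a real domain file.
"""
import re
import shutil
import time
from pathlib import Path

# Constructed sample, modelled on the dn form quoted in the post; hashes are fake.
SAMPLE_LDIFT = """\
dn: uid=weblogic,ou=people,ou=@realm@, dc=@domain@
objectclass: top
objectclass: person
cn: weblogic
sn: weblogic
uid: weblogic
userpassword: {ssha}oldhashvalueforweblogic==

dn: uid=operator1,ou=people,ou=@realm@, dc=@domain@
objectclass: top
objectclass: person
cn: operator1
sn: operator1
uid: operator1
userpassword: {ssha}oldhashvalueforoperator1==
"""


def set_ldift_password(text: str, username: str, new_password: str) -> str:
    """Return the ldift with the userpassword of exactly one uid replaced.

    Only the entry whose dn starts with uid=<username>,ou=people is touched;
    every other entry keeps its password. Raises unless exactly one
    userpassword line was rewritten, so a typo in the username cannot
    silently leave the file unchanged.
    """
    dn_re = re.compile(rf"^dn:\s*uid={re.escape(username)},\s*ou=people,", re.I)
    out, in_target, replaced = [], False, 0
    for line in text.splitlines(keepends=True):
        if line.lower().startswith("dn:"):
            in_target = dn_re.match(line) is not None
        elif in_target and line.lower().startswith("userpassword:"):
            line = f"userpassword: {new_password}\n"  # plain text, as the post describes
            replaced += 1
        out.append(line)
    if replaced != 1:
        raise ValueError(f"expected one userpassword line for uid={username}, found {replaced}")
    return "".join(out)


def reset_admin_password(ldift_path: Path, ldap_dir: Path,
                         username: str, new_password: str) -> Path:
    """Back up the ldift and the ldap directory, then write the edited ldift.

    The ldap directory is moved aside rather than deleted so that the old
    users and groups can still be exported from the backup. The edited
    ldift holds the new password in clear text, so it is made owner-only;
    change the password through the console once the server is back up.
    Returns the path the ldap directory was moved to.
    """
    stamp = time.strftime("%Y%m%d-%H%M%S")
    edited = set_ldift_password(ldift_path.read_text(), username, new_password)
    shutil.copy2(ldift_path, ldift_path.with_name(f"{ldift_path.name}.bak-{stamp}"))
    backup_dir = ldap_dir.with_name(f"{ldap_dir.name}.bak-{stamp}")
    if ldap_dir.exists():
        shutil.move(str(ldap_dir), str(backup_dir))
    ldift_path.write_text(edited)
    ldift_path.chmod(0o600)
    return backup_dir


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # stand-in for a domain directory
        domain = Path(tmp)
        ldift = domain / "DefaultAuthenticatorInit.ldift"
        ldift.write_text(SAMPLE_LDIFT)
        ldap = domain / "servers" / "AdminServer" / "data" / "ldap"
        ldap.mkdir(parents=True)
        moved = reset_admin_password(ldift, ldap, "weblogic", "NewPassw0rd")
        print("ldap moved to", moved)
        print(ldift.read_text())
```

Run it against a copy of the domain first; after the admin server has rebuilt the LDAP and you have logged in with the new credentials, change the password again from the console so the clear-text value in the ldift no longer matches anything.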


Thursday, June 7, 2007

To be or not to be technical

I had been thinking of starting a technical blog for a long time and kept deferring it. By the way, who am I and why am I starting this blog?

My name is Balamurali Kothandaraman and I go by the name "Bala". I am a Delivery Technologist Sr. working with BEA Education Services in the USA. My primary job function is to deliver training to our customers on various technologies and products. I see a lot of customers every week in my trainings, and many times I receive a follow-up question from someone who took a training with me. The question may be about the course material we use for the training or about the product and technology in general. Either way I see a lot of repeating questions. So I decided to start this blog, where not only customers who attend our trainings but also others who are interested can participate and collaborate regarding WebLogic Server and related technologies.

I also have an opportunity to do blogging @ which is a pretty good technical website from BEA. But I want to keep my blog more unofficial, so here I am.

Feel free to collaborate or ask your questions regarding BEA products or technologies. I shall address them to the best of my knowledge; if I can't address a question directly, I shall get help from my co-workers, who are an excellent team.
