By default, when you start a domain component, such as an Oracle HTTP Server instance, the script prompts you for the NodeManager password. That is good for security, but not so great for automation.

When I figured out that our script wrapper starts OHS with the plain-text password in the code, I started looking for a more secure solution.

echo "plain-text-password" | $DOMAIN_HOME/bin/startComponent.sh ohs1

As always happens, I found the answer in the documentation. The startComponent.sh script has an additional parameter, storeUserConfig. It allows you to store NodeManager credentials under the ~/.wlst folder.

And because I use Ansible for automation, let's take a look at the instance configuration and start tasks.

Configure instance credentials:

- name: Configure {{ instance_name }} credentials
  no_log: yes
  shell:
    cmd: |
      export WLST_PROPERTIES="-Dweblogic.MaxMessageSize=3000000 -Djavax.net.ssl.trustStore={{ jks_home }}/trust.jks"
      echo "{{ node_password }}" | {{ domain_home }}/bin/startComponent.sh {{ instance_name }} storeUserConfig

The quick explanation of the code above:

  • name: Name for the task
  • no_log: Do not log the command and its output, to protect sensitive information
  • shell: Ansible module, executes shell commands on the target machine
  • cmd: Module argument with the commands to execute. The initial "|" indicates a multi-line value that will be passed "as-is" to the module.

Start instance task:

- name: Start {{ instance_name }}
  shell:
    cmd: |
      export WLST_PROPERTIES="-Dweblogic.MaxMessageSize=3000000 -Djavax.net.ssl.trustStore={{ jks_home }}/trust.jks"
      {{ domain_home }}/bin/startComponent.sh {{ instance_name }}

Small hint: if you use custom identity and custom trust certificates for NodeManager, don't forget to specify the trust certificate store, so you don't run into issues with the secured connection.
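
Because storeUserConfig moves the NodeManager credentials out of the wrapper script and into the ~/.wlst folder, that folder becomes the thing to protect. The following is an added example, not part of the original post or of Oracle's tooling: a small shell audit that reports and removes group/other access on the credential store. The function names are hypothetical, and the only path assumed is the ~/.wlst default mentioned above.

```shell
#!/bin/sh
# Added example: audit the folder where "startComponent.sh ... storeUserConfig"
# keeps the NodeManager credentials. The ~/.wlst default comes from the article;
# the function names are hypothetical.

# Print every entry under DIR that grants any permission to group or others.
wlst_store_findings() {
    dir=${1:-"$HOME/.wlst"}
    [ -d "$dir" ] || return 0
    # Symlink mode bits are meaningless, so skip links to avoid false positives.
    find "$dir" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
                          -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Return 0 if DIR exists and nothing in it is accessible to group or others,
# 1 if something is exposed, 2 if the store does not exist yet.
wlst_store_is_private() {
    dir=${1:-"$HOME/.wlst"}
    if [ ! -d "$dir" ]; then
        echo "missing: $dir (storeUserConfig has not been run for this user)" >&2
        return 2
    fi
    findings=$(wlst_store_findings "$dir")
    if [ -n "$findings" ]; then
        echo "group/other access on stored credentials:" >&2
        echo "$findings" >&2
        return 1
    fi
    return 0
}

# Remove group/other access: 0700 on directories, 0600 on regular files.
wlst_store_lock_down() {
    dir=${1:-"$HOME/.wlst"}
    find "$dir" -type d -exec chmod 700 {} +
    find "$dir" -type f -exec chmod 600 {} +
}
```

Source the file as the OS user that runs startComponent.sh and call wlst_store_is_private right after the credentials task; a return code of 1 means the store needs wlst_store_lock_down.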

