9-2 Oracle Fusion Middleware Enterprise Deployment Guide for Oracle ECM Suite
2. Oracle also recommends using host name verification for the communication between Node Manager and the servers in the domain. This requires the use of certificates for the different addresses used in the domain. This chapter explains the steps for configuring certificates in the hosts for host name verification. See Section 9.3, "Enabling Host Name Verification Certificates for Node Manager" for further details.
9.2 Changing the Location of the Node Manager Log
Edit the Node Manager properties file located at MW_HOME/wlserver_10.3/common/nodemanager/nodemanager.properties. Add the new location for the log file using the following line:
LogFile=ORACLE_BASE/admin/nodemanager.log
Oracle recommends that this location is outside the MW_HOME directory and inside the admin directory for the EDG. Restart Node Manager for the change to take effect.
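The property edit above is easy to get wrong by hand (a second LogFile= line, or a log directory that Node Manager cannot write to). The following script is an added example, not part of the Oracle guide, that sets the property idempotently and checks the result. It assumes MW_HOME and ORACLE_BASE are set in the environment and that the file layout is the one the guide names; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): idempotently set the LogFile
# property in nodemanager.properties and verify the result.
# Assumed: MW_HOME and ORACLE_BASE are exported; the properties file lives at
# MW_HOME/wlserver_10.3/common/nodemanager/nodemanager.properties as the guide says.

# set_nm_property FILE KEY VALUE
# Replaces an existing KEY=... line in place or appends one, so re-running the
# script never leaves duplicate keys (the file order is otherwise preserved).
set_nm_property() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || touch "$file"
    tmp="$file.tmp.$$"
    if grep -q "^${key}=" "$file"; then
        awk -v k="$key" -v v="$value" '
            index($0, k "=") == 1 { print k "=" v; next }
            { print }' "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_nm_property FILE KEY -> prints the value of the last KEY= line (empty if absent)
get_nm_property() {
    grep "^${2}=" "$1" | tail -n 1 | cut -d= -f2-
}

# relocate_nm_log PROPS_FILE LOG_FILE
# Creates the log directory outside MW_HOME if needed, points Node Manager at
# it and confirms the directory is writable: an unwritable LogFile silently
# leaves you without Node Manager logs when you need them during an incident.
relocate_nm_log() {
    props=$1; logfile=$2
    logdir=$(dirname "$logfile")
    mkdir -p "$logdir" || return 1
    [ -w "$logdir" ] || { echo "log dir $logdir is not writable" >&2; return 1; }
    set_nm_property "$props" LogFile "$logfile"
    # read the property back so a failed edit is reported, not assumed
    [ "$(get_nm_property "$props" LogFile)" = "$logfile" ]
}

# Typical invocation against a real installation (uncomment to run), after which
# Node Manager must be restarted for the change to take effect:
# relocate_nm_log "$MW_HOME/wlserver_10.3/common/nodemanager/nodemanager.properties" \
#                 "$ORACLE_BASE/admin/nodemanager.log"
```

The read-back at the end of relocate_nm_log is the part worth keeping even if you script this differently: it turns a silent misconfiguration into a non-zero exit status that a deployment pipeline can act on.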
9.3 Enabling Host Name Verification Certificates for Node Manager
Perform these steps to set up SSL for communication between Node Manager and the Administration Server:
■ Step 1: Generating Self-Signed Certificates Using the utils.CertGen Utility
■ Step 2: Creating an Identity Keystore Using the utils.ImportPrivateKey Utility
■ Step 3: Creating a Trust Keystore Using the Keytool Utility
■ Step 4: Configuring Node Manager to Use the Custom Keystores
■ Step 5: Configuring Managed WLS Servers to Use the Custom Keystores
■ Step 6: Changing the Host Name Verification Setting for the Managed Servers
9.3.1 Generating Self-Signed Certificates Using the utils.CertGen Utility
The certificates added in this chapter as an example address a configuration where Node Manager listens on a physical host name HOST.mycompany.com and a WLS managed server listens on a virtual host name VIP.mycompany.com. Whenever a server is using a virtual host name, it is implied that the server can be migrated from one node to another. Consequently, the directory where keystores and trust keystores are maintained should reside on shared storage that is accessible from the failover node. If additional host names are used in the same or different nodes, the steps in this example will need to be extended to:
1. Add the required host names to the certificate stores if they are different from HOST.mycompany.com and VIP.mycompany.com.
2. Change the identity and trust store location information for Node Manager if the additional host names are used by Node Manager, or for the servers if the additional host names are used by managed servers.
Note: The passwords used in this guide are used only as examples. Use secure passwords in a production environment. For example, use passwords that consist of random sequences of both uppercase and lowercase characters as well as numbers.
Follow the steps below to create self-signed certificates on HOST. These certificates should be created using the network name or alias. For information on using trust CA certificates instead, see "Configuring Identity and Trust" in Oracle Fusion Middleware Securing Oracle WebLogic Server. The examples below configure certificates for HOST.mycompany.com and VIP.mycompany.com; that is, it is assumed that both a physical host name HOST and a virtual host name VIP are used in HOST. It is also assumed that HOST.mycompany.com is the address used by Node Manager and VIP.mycompany.com is the address used by a managed server or the administration server. This is the common situation for nodes hosting an administration server and a Fusion Middleware component, or for nodes where two managed servers coexist with one server listening on the physical host name and one server using a virtual host name, which is the case for servers that use server migration.
1. Set up your environment by running the WL_HOME/server/bin/setWLSEnv.sh script. In the Bourne shell, run the following commands:
HOST> cd WL_HOME/server/bin
HOST> . ./setWLSEnv.sh
Verify that the CLASSPATH environment variable is set:
HOST> echo $CLASSPATH
2. The directory where keystores and trust keystores are maintained must be on shared storage that is accessible from all nodes so that when the servers fail over, manually or with server migration, the appropriate certificates can be accessed from the failover node. Oracle recommends using central or shared stores for the certificates used for different purposes, such as SSL setup for HTTP invocations. In this case, SOAHOST2 uses the cert directory created for SOAHOST1 certificates. Create a user-defined directory for the certificates:
HOST> mkdir certs
3. Change directory to the directory that you just created:
HOST> cd certs
4. Run the utils.CertGen tool from the user-defined directory to create the certificates for both HOST.mycompany.com and VIP.mycompany.com.
Syntax (all on a single line):
java utils.CertGen Key_Passphrase Cert_File_Name Key_File_Name [export | domestic] [Host_Name]
Examples:
HOST> java utils.CertGen welcome1 HOST.mycompany.com_cert HOST.mycompany.com_key domestic HOST.mycompany.com
HOST> java utils.CertGen welcome1 VIP.mycompany.com_cert VIP.mycompany.com_key domestic VIP.mycompany.com
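Steps 1 through 4 above are typed once per listen address; the introduction to this section notes that nodes with more host names need the same treatment for each of them. The script below is an added example, not part of the Oracle guide, that generalizes the procedure to any list of host names, uses the guide's <host>_cert / <host>_key naming, and checks that every expected output file exists before moving on. It assumes setWLSEnv.sh has already been sourced so that java utils.CertGen resolves, that CERT_DIR is on shared storage, and that the passphrase is kept in a mode 0600 file; the CERTGEN_CMD hook, the function names, and the passphrase file are my own additions. The output file names (.der and .pem for both certificate and key) are taken from the WebLogic CertGen documentation rather than from this page.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): generate one self-signed
# certificate/key pair per listen address with utils.CertGen.
# Assumptions not on the page: setWLSEnv.sh has been sourced (CLASSPATH set);
# the cert directory is on shared storage reachable from the failover node;
# the passphrase is read from a mode 0600 file instead of being typed on the
# command line so it does not land in shell history. CertGen still receives it
# as an argument, so it is visible in the process list while the tool runs.
# CERTGEN_CMD is an assumed hook, defaulting to the real tool, so the surrounding
# logic can be exercised without a WebLogic installation.

CERTGEN_CMD=${CERTGEN_CMD:-"java utils.CertGen"}

# read_passphrase FILE -> prints the passphrase; refuses group/world-readable files
read_passphrase() {
    pf=$1
    [ -f "$pf" ] || { echo "passphrase file $pf missing" >&2; return 1; }
    # columns 5-10 of ls -l are the group and other permission bits
    case $(ls -l "$pf" | cut -c5-10) in
        ------) ;;
        *) echo "passphrase file $pf must be mode 0600" >&2; return 1 ;;
    esac
    cat "$pf"
}

# gen_cert DIR PASSPHRASE HOSTNAME
# Runs CertGen in DIR with the guide's naming (<host>_cert, <host>_key) and
# verifies the four output files. CertGen writes <name>.der and <name>.pem for
# both the certificate and the key (per the WebLogic CertGen documentation).
gen_cert() {
    dir=$1; pass=$2; host=$3
    ( cd "$dir" && $CERTGEN_CMD "$pass" "${host}_cert" "${host}_key" domestic "$host" ) || return 1
    for f in "${host}_cert.der" "${host}_cert.pem" "${host}_key.der" "${host}_key.pem"; do
        [ -s "$dir/$f" ] || { echo "CertGen did not produce $f" >&2; return 1; }
    done
    # private keys on shared storage must not be readable by other users
    chmod 600 "$dir/${host}_key.der" "$dir/${host}_key.pem"
}

# gen_all_certs DIR PASSPHRASE_FILE HOST...
# Generates certificates for every listen address of the node and stops at the
# first failure, so a half-populated certificate directory does not go unnoticed.
gen_all_certs() {
    dir=$1; pf=$2; shift 2
    [ -d "$dir" ] && [ -w "$dir" ] || { echo "cert dir $dir missing or not writable" >&2; return 1; }
    pass=$(read_passphrase "$pf") || return 1
    for h in "$@"; do
        gen_cert "$dir" "$pass" "$h" || return 1
    done
}

# count_certs DIR -> number of certificate PEM files present in DIR
count_certs() {
    ls "$1"/*_cert.pem 2>/dev/null | wc -l | tr -d ' '
}

# Typical invocation on HOST after sourcing setWLSEnv.sh (uncomment to run;
# paths are placeholders):
# gen_all_certs /path/to/shared/certs /path/to/shared/certs/.passphrase \
#     HOST.mycompany.com VIP.mycompany.com
```

Each generated pair is the input for the next two steps (importing the key into the identity keystore and building the trust keystore), so failing fast here is cheaper than discovering a missing host name when a migrated server refuses to start.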
9.3.2 Creating an Identity Keystore Using the utils.ImportPrivateKey Utility