Merge pull request #4 from gnsuryan/julypatchsecurityfix-1

gnsuryan · web-flow · commit 36a6f0b1c474 · 2021-12-20T17:33:46.000+05:30
July 2021 Patch security fix - 1
diff --git a/weblogic-azure-vm/arm-oraclelinux-wls-admin/src/main/scripts/setupAdminDomain.sh b/weblogic-azure-vm/arm-oraclelinux-wls-admin/src/main/scripts/setupAdminDomain.sh
@@ -474,6 +474,60 @@ function mountFileShare()
   fi
 }
 
+#this function set the umask 027 (chmod 740) as required by WebLogic security checks
+function setUMaskForSecurityDir()
+{
+   echo "setting umask 027 (chmod 740) for domain/admin security directory"
+
+   if [ -f "$DOMAIN_PATH/$wlsDomainName/servers/$wlsServerName/security/boot.properties" ];
+   then
+      runuser -l oracle -c "chmod 740 $DOMAIN_PATH/$wlsDomainName/servers/$wlsServerName/security/boot.properties"
+   fi
+
+   if [ -d "$DOMAIN_PATH/$wlsDomainName/servers/$wlsServerName/security" ];
+   then
+       runuser -l oracle -c "chmod 740 $DOMAIN_PATH/$wlsDomainName/servers/$wlsServerName/security"
+   fi
+
+}
+
+#this function disables remote anonymous requests as required by Weblogic security checks
+function disableRemoteAnonymousRequests()
+{
+    echo "DisableRemoteAnonymousRequests for domain  $wlsDomainName"
+    cat <<EOF >$DOMAIN_PATH/disableAnonymousRequests.py
+connect('$wlsUserName','$wlsPassword','t3://$wlsAdminURL')
+try:
+    edit("$wlsServerName")
+    startEdit()
+    cd("SecurityConfiguration/$wlsDomainName")
+
+    if hasattr(cmo,'setRemoteAnonymousRMIIIOPEnabled'):
+      cmo.setRemoteAnonymousRMIIIOPEnabled(false)
+    else:
+       print 'no attribute: SecurityConfiguration/$wlsDomainName: cmo.setRemoteAnonymousRMIIIOPEnabled'
+
+    if hasattr(cmo,'setRemoteAnonymousRMIT3Enabled'):
+      cmo.setRemoteAnonymousRMIT3Enabled(false)
+    else:
+      print 'no attribute: SecurityConfiguration/$wlsDomainName: setRemoteAnonymousRMIT3Enabled'
+
+    save()
+    activate()
+except Exception,e:
+    print e
+    print "Failed to DisableRemoteAnonymousRequests for domain  $wlsDomainName"
+    dumpStack()
+disconnect()
+EOF
+sudo chown -R $username:$groupname $DOMAIN_PATH
+runuser -l oracle -c ". $oracleHome/oracle_common/common/bin/setWlstEnv.sh; java $WLST_ARGS weblogic.WLST $DOMAIN_PATH/disableAnonymousRequests.py"
+if [[ $? != 0 ]]; then
+  echo "Error : Failed to DisableRemoteAnonymousRequests for domain  $wlsDomainName"
+  exit 1
+fi
+
+}
 
 #main script starts here
 
@@ -483,6 +537,7 @@ BASE_DIR="$(readlink -f ${CURR_DIR})"
 #read arguments from stdin
 read wlsDomainName wlsUserName wlsPassword wlsAdminHost oracleHome storageAccountName storageAccountKey mountpointPath isHTTPAdminListenPortEnabled adminPublicHostName isCustomSSLEnabled customIdentityKeyStoreData customIdentityKeyStorePassPhrase customIdentityKeyStoreType customTrustKeyStoreData customTrustKeyStorePassPhrase customTrustKeyStoreType serverPrivateKeyAlias serverPrivateKeyPassPhrase
 
+wlsServerName="admin"
 DOMAIN_PATH="/u01/domains"
 startWebLogicScript="${DOMAIN_PATH}/${wlsDomainName}/startWebLogic.sh"
 stopWebLogicScript="${DOMAIN_PATH}/${wlsDomainName}/bin/customStopWebLogic.sh"
@@ -526,8 +581,13 @@ create_adminserver_service
 
 admin_boot_setup
 
+setUMaskForSecurityDir
+
 enableAndStartAdminServerService
 
 echo "Waiting for admin server to be available"
 wait_for_admin
 echo "Weblogic admin server is up and running"
+
+disableRemoteAnonymousRequests
+
diff --git a/weblogic-azure-vm/arm-oraclelinux-wls-cluster/arm-oraclelinux-wls-cluster/src/main/scripts/setupClusterDomain.sh b/weblogic-azure-vm/arm-oraclelinux-wls-cluster/arm-oraclelinux-wls-cluster/src/main/scripts/setupClusterDomain.sh
@@ -745,6 +745,60 @@ sudo chmod -R 750 ${stopWebLogicScript}
 
 }
 
+#this function set the umask 027 (chmod 740) as required by WebLogic security checks
+function setUMaskForSecurityDir()
+{
+   echo "setting umask 027 (chmod 740) for domain/$wlsServerName security directory"
+
+   if [ -f "$DOMAIN_PATH/$wlsDomainName/servers/$wlsServerName/security/boot.properties" ];
+   then
+      runuser -l oracle -c "chmod 740 $DOMAIN_PATH/$wlsDomainName/servers/$wlsServerName/security/boot.properties"
+   fi
+
+   if [ -d "$DOMAIN_PATH/$wlsDomainName/servers/$wlsServerName/security" ];
+   then
+       runuser -l oracle -c "chmod 740 $DOMAIN_PATH/$wlsDomainName/servers/$wlsServerName/security"
+   fi
+}
+
+#this function disables remote anonymous requests as required by Weblogic security checks
+function disableRemoteAnonymousRequests()
+{
+    echo "DisableRemoteAnonymousRequests for domain  $wlsDomainName"
+    cat <<EOF >$DOMAIN_PATH/disableAnonymousRequests.py
+connect('$wlsUserName','$wlsPassword','t3://$wlsAdminURL')
+try:
+    edit("$wlsServerName")
+    startEdit()
+    cd("SecurityConfiguration/$wlsDomainName")
+
+    if hasattr(cmo,'setRemoteAnonymousRMIIIOPEnabled'):
+      cmo.setRemoteAnonymousRMIIIOPEnabled(false)
+    else:
+       print 'no attribute: SecurityConfiguration/$wlsDomainName: cmo.setRemoteAnonymousRMIIIOPEnabled'
+
+    if hasattr(cmo,'setRemoteAnonymousRMIT3Enabled'):
+      cmo.setRemoteAnonymousRMIT3Enabled(false)
+    else:
+      print 'no attribute: SecurityConfiguration/$wlsDomainName: setRemoteAnonymousRMIT3Enabled'
+
+    save()
+    activate()
+except Exception,e:
+    print e
+    print "Failed to DisableRemoteAnonymousRequests for domain  $wlsDomainName"
+    dumpStack()
+disconnect()
+EOF
+sudo chown -R $username:$groupname $DOMAIN_PATH
+runuser -l oracle -c ". $oracleHome/oracle_common/common/bin/setWlstEnv.sh; java $WLST_ARGS weblogic.WLST $DOMAIN_PATH/disableAnonymousRequests.py"
+if [[ $? != 0 ]]; then
+  echo "Error : Failed to DisableRemoteAnonymousRequests for domain  $wlsDomainName"
+  exit 1
+fi
+
+}
+
 #main script starts here
 
 CURR_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
@@ -809,13 +863,16 @@ then
   createStopWebLogicScript
   create_nodemanager_service
   admin_boot_setup
+  setUMaskForSecurityDir
   create_adminserver_service
   enabledAndStartNodeManagerService
   enableAndStartAdminServerService
   wait_for_admin
+  disableRemoteAnonymousRequests
 else
   updateNetworkRules "managed"
   create_managedSetup
+  setUMaskForSecurityDir
   create_nodemanager_service
   enabledAndStartNodeManagerService
   wait_for_admin
diff --git a/weblogic-azure-vm/arm-oraclelinux-wls-dynamic-cluster/arm-oraclelinux-wls-dynamic-cluster/src/main/scripts/setupDynamicClusterDomain.sh b/weblogic-azure-vm/arm-oraclelinux-wls-dynamic-cluster/arm-oraclelinux-wls-dynamic-cluster/src/main/scripts/setupDynamicClusterDomain.sh
@@ -840,6 +840,61 @@ function storeCustomSSLCerts()
     fi
 }
 
+#this function set the umask 027 (chmod 740) as required by WebLogic security checks
+function setUMaskForSecurityDir()
+{
+   echo "setting umask 027 (chmod 740) for domain/$wlsServerName security directory"
+
+   if [ -f "$DOMAIN_PATH/$wlsDomainName/servers/$wlsServerName/security/boot.properties" ];
+   then
+      runuser -l oracle -c "chmod 740 $DOMAIN_PATH/$wlsDomainName/servers/$wlsServerName/security/boot.properties"
+   fi
+
+   if [ -d "$DOMAIN_PATH/$wlsDomainName/servers/$wlsServerName/security" ];
+   then
+       runuser -l oracle -c "chmod 740 $DOMAIN_PATH/$wlsDomainName/servers/$wlsServerName/security"
+   fi
+
+}
+
+#this function disables remote anonymous requests as required by Weblogic security checks
+function disableRemoteAnonymousRequests()
+{
+    echo "DisableRemoteAnonymousRequests for domain  $wlsDomainName"
+    cat <<EOF >$DOMAIN_PATH/disableAnonymousRequests.py
+connect('$wlsUserName','$wlsPassword','t3://$wlsAdminURL')
+try:
+    edit("$wlsServerName")
+    startEdit()
+    cd("SecurityConfiguration/$wlsDomainName")
+
+    if hasattr(cmo,'setRemoteAnonymousRMIIIOPEnabled'):
+      cmo.setRemoteAnonymousRMIIIOPEnabled(false)
+    else:
+       print 'no attribute: SecurityConfiguration/$wlsDomainName: cmo.setRemoteAnonymousRMIIIOPEnabled'
+
+    if hasattr(cmo,'setRemoteAnonymousRMIT3Enabled'):
+      cmo.setRemoteAnonymousRMIT3Enabled(false)
+    else:
+      print 'no attribute: SecurityConfiguration/$wlsDomainName: setRemoteAnonymousRMIT3Enabled'
+
+    save()
+    activate()
+except Exception,e:
+    print e
+    print "Failed to DisableRemoteAnonymousRequests for domain  $wlsDomainName"
+    dumpStack()
+disconnect()
+EOF
+sudo chown -R $username:$groupname $DOMAIN_PATH
+runuser -l oracle -c ". $oracleHome/oracle_common/common/bin/setWlstEnv.sh; java $WLST_ARGS weblogic.WLST $DOMAIN_PATH/disableAnonymousRequests.py"
+if [[ $? != 0 ]]; then
+  echo "Error : Failed to DisableRemoteAnonymousRequests for domain  $wlsDomainName"
+  exit 1
+fi
+
+}
+
 
 #main script starts here
 
@@ -923,14 +978,17 @@ then
   create_adminSetup
   createStopWebLogicScript
   admin_boot_setup
+  setUMaskForSecurityDir
   create_adminserver_service
   create_nodemanager_service
   enableAndStartAdminServerService
   enabledAndStartNodeManagerService
-  wait_for_admin  
+  wait_for_admin
+  disableRemoteAnonymousRequests
 else
   updateNetworkRules "managed"
   create_managedSetup
+  setUMaskForSecurityDir
   create_nodemanager_service
   enabledAndStartNodeManagerService
   start_cluster  
