Passwordless SSH from WebLogic

June 7, 2010 at 09:30:50
Specs: AIX v5 R2
(Firstly, I appreciate that the forum in which this question belongs is a moot point. I hope Unix is a reasonable choice, as the problems appear to centre on the use of SSH.)

This problem relates to an application that runs on a WebLogic cluster of 2 managed servers, with one admin server associated with them. The service needs to read from, and write to, flat files on an AIX box in the same internal secure zone as the WebLogic cluster. This J2EE application therefore builds strings for the SSH commands, makes a Runtime object and does a Runtime.exec(ssh command string).

The WebLogic servers are RHEL4 (64-bit) and the target box for the SSH is AIX.

The problem is that SSH is interactive - you can't pass a password to it in your command string. Public/private key pairs therefore need to be set up on the target platform and the platform running the SSH command.

So to run the SSH successfully from a WebLogic installation on a local PC, one simply loads the private key using the PuTTY Authentication Agent.

To successfully run the SSH from the WebLogic Admin server, we have got the following to work:
1) Target the deployment of the application only on to the WebLogic admin server - not the 2 managed servers.
2) Ensure the WebLogic Admin service is not running.
3) Load the key using a command such as: ssh-agent sh -c 'ssh-add < /dev/null && bash'
4) From the Bash shell spawned by the above command, start the WebLogic Admin service.
5) Our findings indicate that the WL Service has inherited the loaded key and can seamlessly connect to the target server.

This leaves the following problems remaining:
1) The correct final setup is that the application is targeted to the 2 managed servers, not the admin server. But when the admin server starts up WebLogic on the 2 managed servers, the problem is that the private key is not loaded for them, and the SSH command fails to log in.
2) When performing system testing, UAT etc., it is perfectly feasible to log on to the WL Admin server and load the key (step 3 above) and then start the service (step 4 above). However, when the service goes live, this is not feasible; if the servers went down (e.g. power cut), it would not be acceptable for the service to remain down until support staff were available to log in, load the SSH key, and start WebLogic.

Does anyone have any suggestions, or have involvement with systems which already have to automatically support passwordless logins coming from a WL Cluster?

June 8, 2010 at 09:41:19
The WL startup scripts on the managed servers have been updated to load the key before calling the usual commands to start WebLogic. The script changes use the 'expect' utility to respond to the password prompt. That is, expect is the ideal solution to this type of problem; I was just unaware of expect until today.

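An added example, not part of the original posts: a preflight that a WebLogic start script could run to confirm that the ssh-agent socket was inherited and holds a key before the server starts, so a missing key is reported at start-up rather than at the first Runtime.exec call. The function names and the TARGET placeholder are hypothetical.

```shell
#!/bin/sh
# Added example: preflight for a service start script that relies on an
# inherited ssh-agent. Function names and TARGET are hypothetical.

# agent_status: 0 = agent reachable with at least one key loaded,
#               1 = agent reachable but holds no keys,
#               2 = no usable agent in this process environment.
agent_status() {
    # ssh-agent exports SSH_AUTH_SOCK; a child process only sees the agent
    # if it inherits this variable and it points at a live socket.
    [ -n "${SSH_AUTH_SOCK:-}" ] || return 2
    [ -S "$SSH_AUTH_SOCK" ] || return 2
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) return 0 ;;   # identities listed
        1) return 1 ;;   # agent answered, no identities
        *) return 2 ;;   # could not contact the agent
    esac
}

# remote_login_ok USER@HOST: try one non-interactive login.
# BatchMode=yes makes ssh fail instead of prompting, so a command started
# through Runtime.exec never blocks on a password prompt.
remote_login_ok() {
    ssh -o BatchMode=yes -o ConnectTimeout=10 "$1" true >/dev/null 2>&1
}

# preflight USER@HOST: print a diagnosis, return non-zero if not ready.
preflight() {
    rc=0
    agent_status || rc=$?
    case $rc in
        1) echo "ssh-agent is running but has no key loaded" >&2; return 1 ;;
        2) echo "no ssh-agent inherited (SSH_AUTH_SOCK unset or stale)" >&2; return 1 ;;
    esac
    remote_login_ok "$1" || { echo "key loaded but login to $1 failed" >&2; return 1; }
    echo "ssh-agent ready for $1"
}

# Usage in a start script (TARGET is a placeholder for user@host):
#   preflight "$TARGET" || exit 1
```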