In December, we talked quite a bit about patching Java and WebLogic on the blog and podcast. There was a WebLogic CVE, and then a patch, to apply. If you want a recap on the CVE and patching process, here are the posts:
While applying the patches, I wanted to script the process so patching would be consistent across all our servers. I pulled the scripts into a GitHub project for sharing and reuse. If you haven’t scripted a WebLogic patch, this would be a place to start. The scripts use PowerShell and built for WebLogic 10.3.6. So, they use SmartUpdate instead of OPatch. I also added in a Java patch to the process too. You could pull out the Java patch script to use by itself. One more note: all the patches, Java, and scripts were set to run from the folder e:\installers\weblogic1036-2015-CVE-Patches
. If you use these for your environment, or just use them as a template, you’ll want to update those paths for your specific configuration.
There is nothing ground-breaking about these scripts 🙂 I can write scripts, but I’m not the best script developer out there. If you see places where the scripts need improvement, file an issue with the project or submit a pull request! The main goal with this project and post is to get others started with scripting. Scripting, even if the scripts are basic, can benefit administrators. I hope that this quick overview might help someone get started.
Scripts Overview
These scripts are writtin in PowerShell. If PowerShell scripts are not enabled on the server, run this command to allow PowerShell scripts to run:
set-executionpolicy unrestricted
-
Install new SmartUpdate version (3.3.0)
installSmartUpdate.ps1
The
silent.xml
file is used for a silent install (no prompts). The installation directory is set toe:\oracle
. If you want a different directory, change the value for “BEAHOME”. 1. Stop all web servers running on the server .stopPIAServices.ps1 The script looks for any Windows service that containts “*-PIA” in the name. If you have any WebLogic domains were not created by theinstallNTService
script, you may need to shut them down by hand. -
Prepare and copy files from the
weblogic1036-2015-CVE-Patches
folderprepareFiles.ps1
This script performs tasks to prepare different files for patching: On our servers, two files needed updates to run the Smart Update utility.
registry.xml
needed to remove a reference to Tuxedo;bsu.cmd
needed an increase in memory to the Java Heap. Theregistry.xml
file also contains a reference to the server where it was installed. The script will change that value based on the new server’s name. The original files are backed up first and a.bkp
extension is added to the file name. The script also copiesjdk-1.7.0_79
to oure:\java
folder. If you want the new java version in a different location, you can change the path in the file. -
Apply both WebLogic patches The patches we are applying resolve the December 2015 CVE with WebLogic. If you are using these scripts for future patches, you’ll want to update the patch ID’s in the script.
applyWebLogicPatches.ps1
Both patches are applied to WebLogic using the
bsu
command. The script assumes your patches are in the foldere:\patches\cve-2015-4852
. NOTE: On one of our servers, the second patch stalled during the “Checking for Conflicts” step. If the script stalls for more than a few minutes, hitCntl-C
. -
Update the JAVA_HOME values
updateJavaVersion.ps1
The
JAVA_HOME
value in thesetEnv.cmd
script will be updated to the new path. You must update this script for each server. The paths in the script are hard-coded. (The hard coding is an obvious candidate to fix next. Should be able to use the Get-ChildItem cmdlet to find all thesetEnv.cmd
files.) -
Update Registry value for JAVA_HOME
updateRegistryJavaVersion.ps1
The
JAVA_HOME
value in the Registry for each web service will be updated. You must update this script for each server. The paths in the script are hard-coded. (Again, another place for improvement. Need to find a search cmdlet for the Registry. Could look for-PIA
in the service name.) -
Start all web servers running on the server.
startPIAServices.ps1
Again, this looks for all Windows services that have
*-PIA
in the name and starts them. That’s it.
The scripts are pretty simple, and you can write a wrapper script to run all the sub-scripts. That way you’d have one script to kick off. Or, you could add these into a tool like Rundeck to execute from a centralized place. Once you start down the path of scripting, many opportunities open up to speed up everyday tasks.
Hi, is there a way to do Weblogic patching or Java upgrade using unix scripts, as its taking us days to deal with patching 500+ servers every month.
thanks
Sid
Hi Sid, yes, it is possible. You can use the code here as an example (since this is Windows code). You can also use the DPK to apply patches to Java, WebLogic and Tuxedo. That would be a great way to help you automate applying patches to that many servers.