Saturday, 19 September 2020

All about WebLogic t3 and t3s Protocol

WebLogic's implementation of the RMI specification uses a proprietary protocol known as T3. You can think of T3 (and secure T3S) as a layer to expose/allow JNDI calls by clients.

Normally the T3 protocol is used to interact with the WebLogic console.

T3 is the protocol used to transport information between WebLogic servers and other types of Java programs. WebLogic keeps track of every Java virtual machine connected to the application. To carry traffic to the Java virtual machine, WebLogic creates a single T3 connection. 

This type of connection maximizes efficiency by eliminating multiple protocols used to communicate between networks, thereby using fewer operating system resources. The protocol used for the T3 connection also enhances efficiency and minimizes packet sizes, increasing the speed of the delivery method.

For example, if a Java client accesses an enterprise bean and a JDBC connection pool on WebLogic Server, a single network connection is established between the WebLogic Server JVM and the client JVM. The EJB and JDBC services can be written as if they had sole use of a dedicated network connection because the T3 protocol invisibly multiplexes packets on the single connection.

SSL (t3s) connection to WebLogic AdminServer – WLST (example)

Suppose we have a WebLogic AdminServer and want to connect to it using the t3s (secure) protocol.
We can make the SSL connection using any of the following truststores:
  1. JavaStandardTrust (default truststore for SSL communication)
  2. DemoTrust
  3. CustomTrust
We will use the default truststore to make the SSL (t3s) connection to AdminServer.
To initiate the SSL connection, JavaStandardTrust must contain the public certificate(s) of AdminServer.
If the public certificate(s) of AdminServer are not in JavaStandardTrust, then:
  1. Export the public certificate(s) of AdminServer using the keytool utility.
  2. Suppose we have saved the public certificate as MyServerCertificate.cer.
  3. Now we need to import the public certificate into the JavaStandardTrust store:
    • The JavaStandardTrust path on Windows is %JAVA_HOME%\jre\lib\security\cacerts and on Linux it is $JAVA_HOME/jre/lib/security/cacerts.
    • Import the certificate into the Windows JavaStandardTrust using keytool (the certificate can be imported into the Linux truststore in the same way).

keytool -import -alias "<Any Unique Alias Name>" -keystore <path of JavaStandardTrust> -file "<path of public certificate>"
keytool -import -alias "AnyAliasName" -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -trustcacerts -file "MyServerCertificate.cer"
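
Anything imported into cacerts is trusted by every Java program that uses that JRE's default truststore, so it is worth confirming that MyServerCertificate.cer really is the AdminServer's certificate before the import step. The following is an added example, not code from the original post: a Python check that compares the file's SHA-256 fingerprint with a value obtained out of band (for example from the server administrator); the function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def cert_to_der(data: bytes) -> bytes:
    """Accept both forms keytool can export: binary DER, or PEM (-rfc)."""
    match = PEM_RE.search(data)
    if match is None:
        return data  # no PEM armor: treat as binary DER
    return base64.b64decode(b"".join(match.group(1).split()))

def sha256_fingerprint(data: bytes) -> str:
    """Colon-separated uppercase hex, the layout keytool -printcert uses."""
    digest = hashlib.sha256(cert_to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def _hex_only(fingerprint: str) -> str:
    # Drop colons/spaces so "AA:BB", "aa bb" and "aabb" compare equal.
    return re.sub(r"[^0-9A-F]", "", fingerprint.upper())

def safe_to_import(data: bytes, expected_fingerprint: str) -> bool:
    """True only if the file hashes to the fingerprint obtained out of band."""
    expected = _hex_only(expected_fingerprint)
    if len(expected) != 64:  # truncated or non-SHA-256 value: refuse
        return False
    actual = _hex_only(sha256_fingerprint(data))
    return hmac.compare_digest(actual, expected)

if __name__ == "__main__":
    # Constructed sample bytes standing in for MyServerCertificate.cer;
    # in practice: data = open("MyServerCertificate.cer", "rb").read()
    der = b"constructed sample bytes, not a real certificate"
    pem = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
           + b"-----END CERTIFICATE-----\n")
    pin = sha256_fingerprint(der)  # would come from the server admin
    print(pin)
    print(safe_to_import(pem, pin.lower()))    # same certificate, PEM form
    print(safe_to_import(der + b"\x00", pin))  # a different file
```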

After we have imported the certificate into the JavaStandardTrust store, we can make a secure SSL connection to AdminServer using the t3s protocol.

# Ignore hostname verification: the client will not check that the
# server certificate matches the host name in the URL
from java.lang import System
System.setProperty("weblogic.security.SSL.ignoreHostnameVerification", "true")
 
# Make t3s connection with AdminServer, t3s://<host>:<port>
adminURL = "t3s://localhost:7002"
connect("weblogic","welcome2", adminURL)

Output: SSL connection to WebLogic admin server using t3s protocol:
c:\oracle_common\common\bin>java -Dweblogic.security.SSL.ignoreHostnameVerification=true weblogic.WLST
 
Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands
 
wls:/offline> adminURL = "t3s://myAdminServerHost:7002"
wls:/offline>
wls:/offline> connect("weblogic","welcome2", adminURL)
Connecting to t3s://myAdminServerHost:7002 with userid weblogic ...
       
Successfully connected to Admin Server "AdminServer" that belongs to domain "osb_domain".
 
wls:/osb_domain/serverConfig/>

Ref: https://makeinjava.com/ssl-t3s-connection-to-weblogic-adminserver-wlst-example/
