Merge branch 'enable-cert-mgmt' into 'main'

Enable certificate management before writing domain with servers

See merge request weblogic-cloud/weblogic-deploy-tooling!1823

Author: robertpatrick

core/src/main/python/update.py

@@ -184,6 +184,8 @@ def __update_online(model_deployer, model, model_context, aliases):
 
     topology_updater = TopologyUpdater(model, model_context, aliases, wlst_mode=WlstModes.ONLINE)
     try:
+        topology_updater.update_certificate_management_enabled()
+
         jdbc_names = topology_updater.update_machines_clusters_and_servers(delete_now=False)
         topology_updater.warn_set_server_groups()
 
@@ -248,6 +250,9 @@ def __update_offline(model_deployer, model, model_context, aliases):
     # this needs to be before first updateDomain for NativeVersionEnabled=true to update correctly
     topology_updater.update_nm_properties()
 
+    # this needs to be done before updateDomain in case server has KeyStores: DomainKeystores
+    topology_updater.update_certificate_management_enabled()
+
     __update_offline_domain()
 
     topology_updater.set_server_groups()

core/src/main/python/wlsdeploy/tool/create/domain_creator.py

@@ -556,6 +556,8 @@ def __set_core_domain_params(self):
             self.wlst_helper.set_option_if_needed(USE_SAMPLE_DATABASE, use_sample_db)
 
         self.__set_secure_and_production_modes()
+        deployer_utils.set_certificate_management_enabled(self._topology, self._domain_name,
+                                                          self.wlst_helper, self.aliases)
 
         self.__set_domain_name()
         self.__set_admin_password()
@@ -870,6 +872,7 @@ def __set_domain_name(self):
         # Stash the default name since the SecurityConfiguration subfolder name does not change
         # to the new domain name until after the domain has been written to disk and re-read.
         #
+        self.wlst_helper.cd('/')
         self.__default_domain_name = self.wlst_helper.get(NAME)
         if self.__default_domain_name is None or len(self.__default_domain_name) == 0:
             self.__default_domain_name = DEFAULT_WLS_DOMAIN_NAME

core/src/main/python/wlsdeploy/tool/deploy/deployer_utils.py

@@ -1,5 +1,5 @@
 """
-Copyright (c) 2017, 2024, Oracle and/or its affiliates.
+Copyright (c) 2017, 2025, Oracle and/or its affiliates.
 Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 """
 import os
@@ -26,9 +26,11 @@
 from wlsdeploy.aliases.location_context import LocationContext
 from wlsdeploy.aliases.model_constants import APPLICATION
 from wlsdeploy.aliases.model_constants import APP_DEPLOYMENTS
+from wlsdeploy.aliases.model_constants import CERTIFICATE_MANAGEMENT
 from wlsdeploy.aliases.model_constants import CLUSTER
 from wlsdeploy.aliases.model_constants import DYNAMIC_CLUSTER_SIZE
 from wlsdeploy.aliases.model_constants import DYNAMIC_SERVERS
+from wlsdeploy.aliases.model_constants import ENABLED
 from wlsdeploy.aliases.model_constants import FILE_URI
 from wlsdeploy.aliases.model_constants import JDBC_RESOURCE
 from wlsdeploy.aliases.model_constants import JDBC_DATASOURCE_PARAMS
@@ -41,6 +43,7 @@
 from wlsdeploy.aliases.model_constants import LIBRARY
 from wlsdeploy.aliases.model_constants import MACHINE
 from wlsdeploy.aliases.model_constants import MAX_DYNAMIC_SERVER_COUNT
+from wlsdeploy.aliases.model_constants import SECURITY_CONFIGURATION
 from wlsdeploy.aliases.model_constants import SERVER
 from wlsdeploy.aliases.model_constants import SERVER_NAME_PREFIX
 from wlsdeploy.aliases.model_constants import SERVER_NAME_START_IDX
@@ -720,6 +723,33 @@ def check_if_dynamic_cluster(server_name, cluster_name, aliases):
                 return True
     return False
 
+def set_certificate_management_enabled(topology, domain_name, wlst_helper, aliases):
+    """
+    Certificate management must be enabled when Server / KeyStores is set to "DomainKeystores"
+    in order to pass validation at writeDomain or updateDomain.
+    """
+    security_config_folder = dictionary_utils.get_dictionary_element(topology, SECURITY_CONFIGURATION)
+    cert_mgmt_folder = dictionary_utils.get_dictionary_element(security_config_folder, CERTIFICATE_MANAGEMENT)
+    cert_mgmt_enabled = dictionary_utils.get_element(cert_mgmt_folder, ENABLED)
+    if cert_mgmt_enabled is not None:
+        location = LocationContext()
+        domain_name_token = aliases.get_name_token(location)
+        location.add_name_token(domain_name_token, domain_name)
+        location.append_location(SECURITY_CONFIGURATION)
+
+        # certificate management doesn't exist in older WLS versions
+        code, message = aliases.is_valid_model_folder_name(location, CERTIFICATE_MANAGEMENT)
+        if code == ValidationCodes.VALID:
+            existing_subfolder_names = get_existing_object_list(location, aliases)
+            create_and_cd(location, existing_subfolder_names, aliases)
+
+            location.append_location(CERTIFICATE_MANAGEMENT)
+            existing_subfolder_names = get_existing_object_list(location, aliases)
+            create_and_cd(location, existing_subfolder_names, aliases)
+
+            cert_mgmt_enabled = alias_utils.convert_boolean(cert_mgmt_enabled)
+            wlst_name = aliases.get_wlst_attribute_name(location, ENABLED)
+            wlst_helper.set(wlst_name, cert_mgmt_enabled)
 
 def delete_online_deployment_targets(model, aliases, wlst_mode):
     """

core/src/main/python/wlsdeploy/tool/deploy/topology_updater.py

@@ -1,5 +1,5 @@
 """
-Copyright (c) 2017, 2024, Oracle and/or its affiliates.
+Copyright (c) 2017, 2025, Oracle and/or its affiliates.
 Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 """
 from wlsdeploy.aliases.location_context import LocationContext
@@ -201,6 +201,14 @@ def update_nm_properties(self):
         location.add_name_token(domain_token, self.model_context.get_domain_name())
         self._process_section(self._topology, [], NM_PROPERTIES, location)
 
+    def update_certificate_management_enabled(self):
+        """
+        Certificate management has to be enabled when Server / KeyStores is set to "DomainKeystores"
+        in order to pass validation at writeDomain or updateDomain.
+        """
+        domain_name = self.model_context.get_domain_name()
+        deployer_utils.set_certificate_management_enabled(self._topology, domain_name, self.wlst_helper, self.aliases)
+
     def warn_set_server_groups(self):
         # For issue in setServerGroups in online mode (new configured clusters and stand-alone managed servers
         # will not have extension template resources targeted)