This document is for:
Invicti Enterprise on-demand, Invicti Enterprise on-premises

Configure Invicti Shark on Oracle WebLogic server (Windows)

Integrating Invicti Shark with Oracle WebLogic Server enhances your application security by enabling advanced runtime analysis and vulnerability detection directly within your deployed applications. Invicti Shark, part of our Interactive Application Security Testing (IAST) technology, provides precise insights by monitoring application behavior during scans, helping to reduce false positives and uncover complex vulnerabilities that traditional testing methods might miss.

Prerequisites

Before configuring Invicti Shark on WebLogic, ensure you meet these prerequisites:

Required software

  • Oracle WebLogic server 15.1.1.0.0 or a compatible version: 12.2.1.4, 14.1.1.0, 14.1.2.0
  • Java JDK 21 or a compatible JDK version for your WebLogic version
  • Windows server or Windows 10/11 with Administrator access
  • Invicti Shark JAR file - Shark (IAST and SCA).jar

WebLogic domain configuration

  • A WebLogic domain must be created and configured
  • Admin credentials for the WebLogic domain
  • WebLogic Server must be running for WLST configuration steps

Invicti IAST Bridge

Important

The Invicti IAST Bridge must be installed and running before configuring Invicti Shark. The bridge facilitates communication between the Invicti scanner and the Shark agent.

For instructions on installing and configuring the IAST Bridge, see: Configure Invicti IAST Bridge

Configuration overview

Configuring Invicti Shark on Windows WebLogic requires two essential steps:

  1. Environment Configuration - Modifying setDomainEnv.cmd to load the Shark Java agent
  2. WLST Configuration - Using WebLogic Scripting Tool (WLST) to configure WebAppContainer settings

Both steps are required for proper Invicti Shark operation. The WLST configuration enables Shark to access deployed application files, which is critical for vulnerability detection.

Step 1: Prepare Invicti Shark JAR File

1.1 Create lib directory

Create a directory to store the Invicti Shark JAR file:

mkdir C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\lib

note

Replace base_domain with your actual domain name if different.

1.2 Copy Invicti Shark JAR

Copy your Invicti Shark JAR file to the lib directory:

copy "C:\path\to\Shark (IAST and SCA).jar" "C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\lib\"

note

Replace C:\path\to\ with the actual path where you downloaded the Shark JAR file.

1.3 Verify JAR location

Confirm the JAR file is in the correct location:

dir "C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\lib\Shark (IAST and SCA).jar"

Step 2: Configure environment (setDomainEnv.cmd)

2.1 Open setDomainEnv.cmd

Open the domain environment configuration file in a text editor:

notepad C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\bin\setDomainEnv.cmd

2.2 Add Invicti Shark configuration

  1. Press Ctrl+End to navigate to the end of the file
  2. Locate the last lines of the file (typically related to WLS_POLICY_FILE)
  3. Add the following two lines at the very end of the file:
@REM Configure Invicti Shark IAST Agent

set JAVA_OPTIONS=%JAVA_OPTIONS% -javaagent:"%DOMAIN_HOME%\lib\Shark (IAST and SCA).jar" -Dacusensor.debug.log=ON -DUseSunHttpHandler=true

2.3 Save the file

Save the file (Ctrl+S) and close the text editor.

Step 3: Configure WebLogic via WLST (Critical step)

This step configures WebLogic to allow Invicti Shark to access deployed application files. This configuration is essential for proper vulnerability detection.

3.1 Create WLST configuration script

Create a new file named configure-shark.py in a convenient location (e.g., C:\configure-shark.py):

notepad C:\configure-shark.py

3.2 Add Configuration Script

Copy and paste the following script into the file:


# Invicti Shark Configuration for Windows WebLogic
# Update the variables below to match your environment

ADMIN_USERNAME = 'weblogic'
ADMIN_PASSWORD = 'your_password' # CHANGE THIS to your WebLogic admin password (stored in plaintext; delete this script after use)
ADMIN_URL = 't3://localhost:7001'
DOMAIN_NAME = 'base_domain' # CHANGE THIS if your domain name is different
SERVER_NAME = 'AdminServer' # CHANGE THIS if your server name is different
SHARK_JAR_PATH = 'C:/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/lib/Shark (IAST and SCA).jar'

print('Configuring Invicti Shark for WebLogic...')

# Connect to WebLogic
connect(ADMIN_USERNAME, ADMIN_PASSWORD, ADMIN_URL)

# Configure WebAppContainer - CRITICAL for Shark to access WAR files
edit()
startEdit()
cd('/WebAppContainer/' + DOMAIN_NAME)
cmo.setShowArchivedRealPathEnabled(true)
save()
activate()
print('WebAppContainer configured successfully!')

# Configure ServerStart for Shark agent
edit()
startEdit()
cd('/Servers/' + SERVER_NAME)

# Enter the ServerStart MBean, creating it first if it does not exist yet
try:
    cd('ServerStart/' + SERVER_NAME)
except:
    cmo.createServerStart()
    cd('ServerStart/' + SERVER_NAME)

shark_args = '-javaagent:' + SHARK_JAR_PATH + ' -Dacusensor.debug.log=ON -DUseSunHttpHandler=true'
set('Arguments', shark_args)
save()
activate()
print('Shark agent configured successfully!')

disconnect()
print('Configuration complete! Restart WebLogic for changes to take effect.')
exit()

3.3 Update configuration variables

Before running the script, update the following variables to match your environment:

  • ADMIN_PASSWORD - Your WebLogic administrator password
  • DOMAIN_NAME - Your domain name (if different from base_domain)
  • SERVER_NAME - Your server name (if different from AdminServer)
  • SHARK_JAR_PATH - Path to your Shark JAR file (if different)

3.4 Save the script

Save the file (Ctrl+S) and close the text editor.

Step 4: Start WebLogic Server

4.1 Start WebLogic

Start your WebLogic server:

cd C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain
startWebLogic.cmd

4.2 Wait for Server Startup

Wait for the server to fully start. Look for the message:

<Notice> <WebLogicServer> <BEA-000360> <The server started in RUNNING mode.>

Step 5: Apply WLST configuration

5.1 Run WLST script

Important

Keep WebLogic running. Open a new Command Prompt and run the WLST configuration script:

cd C:\Oracle\Middleware\Oracle_Home\oracle_common\common\bin
wlst.cmd C:\configure-shark.py

5.2 Verify Success

The script should display:


Configuring Invicti Shark for WebLogic...
WebAppContainer configured successfully!
Shark agent configured successfully!
Configuration complete! Restart WebLogic for changes to take effect.

Step 6: Restart WebLogic server

6.1 Stop WebLogic

Return to the Command Prompt where WebLogic is running:

  1. Press Ctrl+C
  2. Type Y and press Enter to confirm shutdown

6.2 Start WebLogic

Start WebLogic again:


cd C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain
startWebLogic.cmd

Step 7: Verify Invicti Shark Installation

7.1 Check Startup Logs

Monitor the WebLogic startup logs for the following messages:

Success Indicator 1: Java Agent Loaded

Look for the -javaagent parameter in the startup command line:

-javaagent:C:\Oracle\...\Shark (IAST and SCA).jar -Dacusensor.debug.log=ON -DUseSunHttpHandler=true

Success Indicator 2: Shark Agent Started

Look for the Invicti Shark initialization message:

[invicti.debug] INFO Invicti Java Sensor Starting ... com.invicti.iast.agent.Agent premain

Success Indicator 3: Hook Setup Success

Confirm the agent hooks are installed:

[invicti.debug] FINE com.invicti.iast.agent.AgentLoader loadAgent Hook Setup - Success
[invicti.debug] FINE com.invicti.iast.agent.AgentLoader loadAgent premain complete

Success Indicator 4: Bridge Connection

Verify the bridge is configured:

[invicti.debug] FINE com.invicti.iast.agent.AgentLoader loadProperties Bridge configured at localhost & port 7880
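
The four indicators above can also be checked mechanically. The following Python script is an added example, not part of Invicti's documentation or tooling; the function names and sample log lines are constructed here, with patterns taken from the messages shown in Step 7.1 and the NullPointerException symptom listed under Troubleshooting.

```python
import re

# Startup indicators from Step 7.1; patterns mirror the log lines shown there.
INDICATORS = {
    "java_agent_loaded": re.compile(r'-javaagent:"?.*Shark \(IAST and SCA\)\.jar'),
    "agent_started": re.compile(r"\[invicti\.debug\].*Invicti Java Sensor Starting"),
    "hook_setup": re.compile(r"\[invicti\.debug\].*Hook Setup - Success"),
    "bridge_configured": re.compile(r"\[invicti\.debug\].*Bridge configured at (\S+) & port (\d+)"),
}
# Symptom from the Troubleshooting section (WLST step not applied).
NPE, NPE_FRAME = "java.lang.NullPointerException", "java.io.File.<init>"

def check_startup_log(lines):
    """Report which indicators appear, the bridge endpoint, and the NPE symptom."""
    result = dict.fromkeys(INDICATORS, False)
    result.update(bridge=None, file_npe=False)
    for i, line in enumerate(lines):
        for name, pattern in INDICATORS.items():
            match = pattern.search(line)
            if match:
                result[name] = True
                if name == "bridge_configured":
                    result["bridge"] = (match.group(1), int(match.group(2)))
        # The File.<init> frame may share the exception's line or sit on one
        # of the stack-trace lines directly below it.
        if NPE in line and any(NPE_FRAME in nxt for nxt in lines[i:i + 4]):
            result["file_npe"] = True
    return result

def missing_indicators(result):
    """Indicator names that were not seen, in Step 7.1 order."""
    return [name for name in INDICATORS if not result[name]]

# Constructed sample logs (assumed layout, not captured from a real server).
GOOD_LOG = [
    r"-javaagent:C:\Oracle\Middleware\Oracle_Home\user_projects\domains"
    r"\base_domain\lib\Shark (IAST and SCA).jar -Dacusensor.debug.log=ON",
    "[invicti.debug] INFO Invicti Java Sensor Starting ... com.invicti.iast.agent.Agent premain",
    "[invicti.debug] FINE com.invicti.iast.agent.AgentLoader loadAgent Hook Setup - Success",
    "[invicti.debug] FINE com.invicti.iast.agent.AgentLoader loadProperties "
    "Bridge configured at localhost & port 7880",
]
# Same start-up, but the bridge line is absent and the File NPE appears.
BROKEN_LOG = GOOD_LOG[:3] + [NPE, "\tat java.io.File.<init>(File.java)"]

if __name__ == "__main__":
    for label, log in (("good", GOOD_LOG), ("broken", BROKEN_LOG)):
        res = check_startup_log(log)
        print(label, "missing:", missing_indicators(res), "file NPE:", res["file_npe"])
```

To check a real server, pass the lines of the captured WebLogic console output to check_startup_log in place of the sample lists.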

7.2 Verify Configuration Persistence

You can verify the configuration was saved correctly by running this WLST script:

Create a file verify-shark.py:


connect('weblogic', 'your_password', 't3://localhost:7001')
serverConfig()
cd('/Servers/AdminServer/ServerStart/AdminServer')
args = get('Arguments')
print('Current Arguments: ' + str(args))
# Report whether the Shark agent is present in the saved ServerStart arguments
if 'Shark (IAST and SCA).jar' in str(args):
    print('[OK] Invicti Shark is configured!')
else:
    print('[ERROR] Invicti Shark is NOT configured')
disconnect()
exit()

Run it:

cd C:\Oracle\Middleware\Oracle_Home\oracle_common\common\bin
wlst.cmd C:\verify-shark.py

Troubleshooting

Invicti Shark not loading

Symptom: No [invicti.debug] messages in WebLogic logs

Solutions:

  1. Verify the Shark JAR file is in the correct location:
     dir "C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\lib\Shark (IAST and SCA).jar"
  2. Check that setDomainEnv.cmd was modified correctly:
     findstr "Shark" C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\bin\setDomainEnv.cmd
  3. Verify WLST configuration was applied:
       • Run the verification script from Step 7.2

NullPointerException errors

Symptom: Errors like java.lang.NullPointerException at java.io.File.<init>

Solution: This indicates the WLST configuration (Step 3) was not applied correctly. The setShowArchivedRealPathEnabled(true) setting is critical for Shark to access WAR file contents.

Re-run the WLST configuration script:

cd C:\Oracle\Middleware\Oracle_Home\oracle_common\common\bin
wlst.cmd C:\configure-shark.py

Then restart WebLogic.

Bridge connection issues

Symptom: Scanner cannot connect to Shark agent

Solutions:

  1. Verify the IAST Bridge is running and configured correctly
  2. Check firewall settings allow communication on port 7880
  3. Verify the bridge configuration matches your WebLogic server address
  4. Check WebLogic logs for bridge connection messages

Configuration lost after restart

Symptom: Invicti Shark works initially but stops after WebLogic restart

Solution: Ensure both configuration steps were completed:

  1. setDomainEnv.cmd modification (Step 2)
  2. WLST configuration (Step 3)

Both configurations are required for persistence across restarts.

Summary

Required configuration steps

  1. ✅ Place Shark JAR in domain lib folder
  2. ✅ Modify setDomainEnv.cmd to load Java agent
  3. ✅ Run WLST script to configure WebAppContainer and ServerStart
  4. ✅ Restart WebLogic Server
  5. ✅ Verify Shark is loaded and running
  6. ✅ Ensure IAST Bridge is running
  7. ✅ Configure and run Invicti scan

Key configuration files

Component | Location
Shark JAR | C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\lib\Shark (IAST and SCA).jar
setDomainEnv.cmd | C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\bin\setDomainEnv.cmd
WLST Script | C:\configure-shark.py (temporary, can be deleted after configuration)

Important notes

  • Both setDomainEnv.cmd and WLST configurations are required
  • The WLST step configures ShowArchivedRealPathEnabled, which is critical for Shark to access application files
  • Configuration persists across WebLogic restarts
  • The IAST Bridge must be running for scanner-to-agent communication

Supported WebLogic versions

This configuration has been tested on the following WebLogic version:

  • Oracle WebLogic Server 15.1.1.0

For information on all supported application servers and frameworks, refer to the Invicti documentation.
