In a WebLogic server domain set as a Production domain, when we try to connect to the Node Manager with WLST we get the following error:
Cannot connect to Node Manager. : Access to domain ‘testcluster’ for user ‘weblogic’ denied

This blog explains how to resolve the issue.
First of all, we observe that the Node Manager is working fine because it is accessible with the WLS admin console and the managed servers can be started/stopped successfully.
The managed servers can also be started when we first connect to the AdminServer with WLST.

The reason is that, by default, the nmConnect command cannot be used in a production environment because the Node Manager credentials were set automatically when the domain was created. The AdminServer knows these credentials by default, which is confirmed by the fact that the managed servers can be started through the AdminServer using the administration console or WLST.

To use nmConnect we have to do the following steps:

A) Change the default Node Manager username and password

  • start up the Admin Server and access the administration console
  • click your domain’s name (e.g. testcluster) in the “Domain Structure” area
  • navigate to the “Security” tab and click on “Advanced”; the Node Manager credentials are shown there
  • click “Lock and Edit” and change the credentials

e.g.
NodeManager Username: nmuser
NodeManager Password: n0d3mgr

  • click “Save” and “Activate Changes”

No restarts are required.

B) With WLST, enroll the machine on each physical server and connect to the Node Manager

  • set the correct environment variables
cd  $WL_HOME/server/bin
source setWLSEnv.sh
  • launch WLST

java weblogic.WLST

  • connect to the AdminServer
wls:/offline> connect('weblogic','welcome1','t3://vmlinuxwl2:8001')
Connecting to t3://vmlinuxwl2:8001 with userid weblogic ...
Successfully connected to Admin Server 'AdminServer' that belongs to domain 'testcluster'.

Warning: An insecure protocol was used to connect to the
server. To ensure on-the-wire security, the SSL port or
Admin port should be used instead.

  • nmEnroll the server
wls:/testcluster/serverConfig> nmEnroll('/home/wladmin/WLSsecurity')
Enrolling this machine with the domain directory at /home/wladmin/WLSsecurity ...
Successfully enrolled this machine with the domain directory at /home/wladmin/WLSsecurity.
wls:/testcluster/serverConfig>
  • disconnect from AdminServer
wls:/testcluster/serverConfig> disconnect()
 Disconnected from weblogic server: AdminServer
 wls:/offline>
  • connect to the Node Manager using the Node Manager user name and password defined in the previous step
wls:/offline> nmConnect('nmuser','n0d3mgr','localhost','5556','testcluster','/app/Oracle/Middleware/user_projects/domains/testcluster','plain')
Connecting to Node Manager ...
Successfully Connected to Node Manager.
wls:/nm/testcluster>
  • start a managed server (optional)

wls:/nm/testcluster> nmStart('MS1')
Starting server MS1 ...
Successfully started server MS1 ...
wls:/nm/testcluster>
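
The nmConnect call above passes port '5556' and type 'plain', which have to match the ListenPort and SecureListener settings in the Node Manager's nodemanager.properties file. The following check is an added example, not part of the original post; the function names are hypothetical and the sample file content is constructed.

```python
# Added example: pre-flight check of nmConnect arguments against
# nodemanager.properties. Function names and SAMPLE are constructed.

# Node Manager defaults when a key is absent from the file.
DEFAULTS = {"ListenPort": "5556", "SecureListener": "true"}

def parse_properties(text):
    """Parse Java-style key=value lines, skipping blanks and # / ! comments."""
    props = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_nmconnect(props_text, port, nm_type):
    """Return a list of mismatches between the properties and nmConnect args."""
    props = parse_properties(props_text)
    problems = []
    if props["ListenPort"] != str(port):
        problems.append("port %s given, Node Manager listens on %s"
                        % (port, props["ListenPort"]))
    secure = props["SecureListener"].lower() == "true"
    if secure and nm_type == "plain":
        problems.append("SecureListener=true: use nmType 'ssl', not 'plain'")
    if not secure and nm_type == "ssl":
        problems.append("SecureListener=false: listener is plain, 'ssl' will fail")
    return problems

# Constructed sample content, matching the 'plain' connection shown above.
SAMPLE = """\
#Constructed sample nodemanager.properties
ListenAddress=localhost
ListenPort=5556
SecureListener=false
"""

if __name__ == "__main__":
    result = check_nmconnect(SAMPLE, "5556", "plain")
    for message in result or ["arguments match the listener"]:
        print(message)
```
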

NB: security aspects such as SSL, password files, etc. are not covered in this blog.