Oracle EBS R12 Weblogic
issue After CPU patch
Faced Issue Of WebLogic
screen after applying Security CPU patch where we couldn't able to access the
console.
Oracle EBS Suite
Weblogic Server connection filtering
After you apply either the April 2019 Critical Patch Update (CPU)
or the Oracle E-Business Suite Technology Stack Delta 11 release update pack
(R12.TXK.C.Delta.11) to Oracle E-Business Suite Release 12.2,
AutoConfig will secure
access to the Oracle WebLogic Server ports using Oracle WebLogic Server
connection filters.
All the existing application tier nodes of the Oracle E-Business
Suite instance are allowed unrestricted access to Oracle WebLogic Server ports.
However, by default, there are no trusted hosts defined for the Oracle WebLogic
Server Administration ports, which are used by the Oracle WebLogic Server
Administration Console and Fusion Middleware Control
This security enhancement reflects our
secure-by-default initiative in Oracle E-Business Suite and is intended to
reduce the attack surface. Controlling access to the Oracle WebLogic Server
ports, and particularly the administration ports, is very important to the
security posture of the Oracle E-Business Suite infrastructure, and this new
feature has been put in place to automate the use of the Oracle WebLogic Server
connection filters.
Note: As of the January 2020 CPU,
the IP address or address range for client workstations used by administrators
can be configured using either IPv4 or IPv6.
Configuring Access for Administrators
Option 1:
Adding Specific Trusted Hosts
Known Issue: You may encounter an issue in which the AdminServer cannot
be started if any of the trusted hosts specified in the s_wls_admin_console_access_nodes context variable are
unavailable. To resolve this issue, apply the October 2019 CPU or a later
cumulative CPU.
If you cannot list the specific host names or IP addresses for all
your trusted hosts, then you can use one of the alternative methods in the
following sections to allow access to the Oracle WebLogic Server Administration
ports.
Option 2:
Allowing an IP Range
Apply Patch 29781255:R12.TXK.C on top of either the April
2019 Critical Patch Update (CPU) or the Oracle E-Business Suite Technology
Stack Delta 11 release update pack (R12.TXK.C.Delta.11). This patch allows you
to specify resolvable hosts as well as a range of IP addresses such as a
Classless Inter-Domain Routing (CIDR) range in the context variable s_wls_admin_console_access_nodes.
For example, for the CIDR range 192.0.2.0/24, set the context variable
as follows:
<s_wls_admin_console_access_nodes
oa_var="s_wls_admin_console_access_nodes">192.0.2.0/24</s_wls_admin_console_access_nodes>
Note: Patch 29781255:R12.TXK.C is included in the October 2019
Critical Patch Update (CPU). If you have applied the October 2019 CPU, or a
later cumulative CPU, then you do not need to apply Patch 29781255:R12.TXK.C
separately.
ISSUE – Example
The Server is not able to service
this request: [Socket:000445]Connection rejected, filter blocked Socket,
weblogic.security.net.FilterException: [Security:090220]rule 2
- Log in to the primary node of the Oracle E-Business Suite
instance.
- Start the Oracle WebLogic Admin Server from the run file system,
if it is not already running.
- Take a backup of the run file system context file.
- Edit the run file system context file to set the value for
the s_wls_admin_console_access_nodes context variable to the list of trusted hosts that are allowed
to access the Admin Server. For each host, specify either the fully qualified
domain name or the IP address. Use commas to separate the hosts in the list.
For example:
- <s_wls_admin_console_access_nodes
oa_var="s_wls_admin_console_access_nodes">admin-ws1.example.com,admin-ws2.example.com</s_wls_admin_console_access_nodes>
- Note: When you add the
fully qualified domain name or the IP address for a host to the list in thes_wls_admin_console_access_nodes context
variable, ensure that the host name is resolvable from all application tier
nodes of the Oracle E-Business Suite instance.
- Run AutoConfig.
- Stop and restart the Oracle WebLogic Admin Server.Note:
- You will be able to
access the Oracle WebLogic Server Administration Console after restarting the
Oracle WebLogic Admin Server.
- Run the fs_clone operation (adop phase=fs_clone) to synchronize the changes in this
setting to the patch file system.
- After you save this configuration, which allows access only to
trusted hosts, you will be able to access the Oracle WebLogic Server
Administration Console and Fusion Middleware Control only from client browsers
executed from the hosts specified in the preceding steps.
Note: If you need to make changes without having
access to the Oracle WebLogic Server Administration Console, you can update or
remove the connection filter rules by editing the $DOMAIN_HOME/config/config.xml file. However, changes added this way
will be overwritten by the next AutoConfig run.
<connection-filter>oracle.apps.ad.tools.configuration.wls.filter.EBSConnectionFilterImpl</connection-filter>
<connection-filter-rule><host>.<domain>
* * allow</connection-filter-rule>
<connection-filter-rule>0.0.0.0/0
* * deny</connection-filter-rule>
<connection-logger-enabled>true</connection-logger-enabled>
Once done,
save and restart the services.
REFERENCE -
(Doc ID 2542826.1)
