Sunday, January 19, 2020

Oracle EBS R12 Weblogic issue After CPU patch

Faced an issue with the WebLogic screen after applying the Security CPU patch, where we were unable to access the console.
Oracle EBS Suite Weblogic Server connection filtering
After you apply either the April 2019 Critical Patch Update (CPU) or the Oracle E-Business Suite Technology Stack Delta 11 release update pack (R12.TXK.C.Delta.11) to Oracle E-Business Suite Release 12.2, AutoConfig will secure access to the Oracle WebLogic Server ports using Oracle WebLogic Server connection filters.
All the existing application tier nodes of the Oracle E-Business Suite instance are allowed unrestricted access to Oracle WebLogic Server ports. However, by default, there are no trusted hosts defined for the Oracle WebLogic Server Administration ports, which are used by the Oracle WebLogic Server Administration Console and Fusion Middleware Control.

This security enhancement reflects our secure-by-default initiative in Oracle E-Business Suite and is intended to reduce the attack surface. Controlling access to the Oracle WebLogic Server ports, and particularly the administration ports, is very important to the security posture of the Oracle E-Business Suite infrastructure, and this new feature has been put in place to automate the use of the Oracle WebLogic Server connection filters.

Note: As of the January 2020 CPU, the IP address or address range for client workstations used by administrators can be configured using either IPv4 or IPv6.

Configuring Access for Administrators

Option 1: Adding Specific Trusted Hosts

You can use the context variable s_wls_admin_console_access_nodes to specify the trusted hosts used by administrators that require access to the consoles. In the value for this context variable, you must list the host name or IP address for each trusted host. For details, see "Only Allow Access to Oracle WebLogic Server Administration Console from Trusted Hosts," Oracle E-Business Suite Setup Guide.
Known Issue: You may encounter an issue in which the AdminServer cannot be started if any of the trusted hosts specified in the s_wls_admin_console_access_nodes context variable are unavailable. To resolve this issue, apply the October 2019 CPU or a later cumulative CPU.
If you cannot list the specific host names or IP addresses for all your trusted hosts, then you can use one of the alternative methods in the following sections to allow access to the Oracle WebLogic Server Administration ports.

Option 2: Allowing an IP Range

Apply Patch 29781255:R12.TXK.C on top of either the April 2019 Critical Patch Update (CPU) or the Oracle E-Business Suite Technology Stack Delta 11 release update pack (R12.TXK.C.Delta.11). This patch allows you to specify resolvable hosts as well as a range of IP addresses such as a Classless Inter-Domain Routing (CIDR) range in the context variable s_wls_admin_console_access_nodes.
For example, for the CIDR range 192.0.2.0/24, set the context variable as follows:
<s_wls_admin_console_access_nodes oa_var="s_wls_admin_console_access_nodes">192.0.2.0/24</s_wls_admin_console_access_nodes>
Note: Patch 29781255:R12.TXK.C is included in the October 2019 Critical Patch Update (CPU). If you have applied the October 2019 CPU, or a later cumulative CPU, then you do not need to apply Patch 29781255:R12.TXK.C separately.

ISSUE – Example
The Server is not able to service this request: [Socket:000445]Connection rejected, filter blocked Socket, weblogic.security.net.FilterException: [Security:090220]rule 2 

  • Log in to the primary node of the Oracle E-Business Suite instance.
  • Start the Oracle WebLogic Admin Server from the run file system, if it is not already running.
  • Take a backup of the run file system context file.
  • Edit the run file system context file to set the value for the s_wls_admin_console_access_nodes context variable to the list of trusted hosts that are allowed to access the Admin Server. For each host, specify either the fully qualified domain name or the IP address. Use commas to separate the hosts in the list. For example:
    <s_wls_admin_console_access_nodes oa_var="s_wls_admin_console_access_nodes">admin-ws1.example.com,admin-ws2.example.com</s_wls_admin_console_access_nodes>
    Note: When you add the fully qualified domain name or the IP address for a host to the list in the s_wls_admin_console_access_nodes context variable, ensure that the host name is resolvable from all application tier nodes of the Oracle E-Business Suite instance.
  • Run AutoConfig.
  • Stop and restart the Oracle WebLogic Admin Server.
    Note: You will be able to access the Oracle WebLogic Server Administration Console after restarting the Oracle WebLogic Admin Server.
  • Run the fs_clone operation (adop phase=fs_clone) to synchronize the changes in this setting to the patch file system.

After you save this configuration, which allows access only to trusted hosts, you will be able to access the Oracle WebLogic Server Administration Console and Fusion Middleware Control only from client browsers executed from the hosts specified in the preceding steps.


Note: If you need to make changes without having access to the Oracle WebLogic Server Administration Console, you can update or remove the connection filter rules by editing the $DOMAIN_HOME/config/config.xml file. However, changes added this way will be overwritten by the next AutoConfig run.


 <connection-filter>oracle.apps.ad.tools.configuration.wls.filter.EBSConnectionFilterImpl</connection-filter>
 <connection-filter-rule><host>.<domain> * * allow</connection-filter-rule>
 <connection-filter-rule>0.0.0.0/0 * * deny</connection-filter-rule>
 <connection-logger-enabled>true</connection-logger-enabled>


 Once done, save and restart the services.
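
An added example (not from the original post or from Oracle): a Python check that reads connection-filter-rule entries in the form shown above and reports which rule would decide a given client, so a rule set can be reviewed before the Admin Server is restarted. It assumes the standard WebLogic rule layout (target, local address, local port, action) and first-match-wins evaluation with allow when nothing matches; that EBSConnectionFilterImpl follows exactly these semantics is an assumption, and the sample rules, host name and port are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample modelled on the fragment on this page; host, CIDR and port are made up.
SAMPLE_CONFIG = """<security-configuration>
  <connection-filter-rule>apps1.example.com * * allow</connection-filter-rule>
  <connection-filter-rule>192.0.2.0/24 * 7001 allow</connection-filter-rule>
  <connection-filter-rule>0.0.0.0/0 * * deny</connection-filter-rule>
</security-configuration>"""


def load_rules(xml_text):
    """Return (target, local_addr, local_port, action) tuples in file order."""
    rules = []
    for elem in ET.fromstring(xml_text).iter():
        # Compare local names so a namespaced config.xml is handled too.
        if elem.tag.rsplit("}", 1)[-1] == "connection-filter-rule":
            target, local_addr, local_port, action = elem.text.split()[:4]
            rules.append((target, local_addr, local_port, action.lower()))
    return rules


def target_matches(target, client_ip, client_name):
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(target, strict=False)
    except ValueError:
        # Target is not an IP or CIDR: compare as a host name (no DNS lookup is done).
        return client_name is not None and target.lower() == client_name.lower()


def decide(rules, client_ip, port, client_name=None):
    """Assumed semantics: first matching rule wins, no match means allow."""
    for number, (target, _addr, local_port, action) in enumerate(rules, 1):
        if local_port in ("*", str(port)) and target_matches(target, client_ip, client_name):
            return action, number
    return "allow", None


def audit(rules):
    """Report a rule set that does not end in a catch-all deny."""
    last = rules[-1] if rules else None
    if not last or last[0] not in ("0.0.0.0/0", "::/0") or last[3] != "deny":
        return ["no trailing catch-all deny rule"]
    return []


if __name__ == "__main__":
    rules = load_rules(SAMPLE_CONFIG)
    for ip in ("192.0.2.15", "203.0.113.5"):
        print(ip, decide(rules, ip, 7001), audit(rules))
```

Host-name targets are compared against a name supplied by the caller, so the check runs offline; pass the name the application tier would resolve for that client.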

REFERENCE -  (Doc ID 2542826.1)
