Here I’m going to explain the alternative methods to allow access to the Oracle WebLogic Server Administration Console and Fusion Middleware Control if you cannot individually specify all the trusted hosts from which an Oracle E-Business Suite administrator will access these consoles.
After you apply either the April 2019 Critical Patch Update (CPU) or the Oracle E-Business Suite Technology Stack Delta 11 release update pack (R12.TXK.C.Delta.11) to Oracle E-Business Suite Release 12.2, AutoConfig will secure access to the Oracle WebLogic Server ports using Oracle WebLogic Server connection filters. All the existing application tier nodes of the Oracle E-Business Suite instance are allowed unrestricted access to Oracle WebLogic Server ports. However, by default, there are no trusted hosts defined for the Oracle WebLogic Server Administration ports, which are used by the Oracle WebLogic Server Administration Console and Fusion Middleware Control.
You have three options to allow your administrators access to the consoles:
- Option 1: Adding Specific Trusted Hosts
- Option 2: Allowing an IP Range
- Option 3: Using SSH Tunneling
Adding Specific Trusted Hosts:
You can use the context variable s_wls_admin_console_access_nodes to specify the trusted hosts used by administrators who require access to the consoles. In the value for this context variable, you must list the host name or IP address for each trusted host. For details, see "Only Allow Access to Oracle WebLogic Server Administration Console from Trusted Hosts" in the Oracle E-Business Suite Setup Guide.
Known Issue: You may encounter an issue in which the AdminServer cannot be started if any of the trusted hosts specified in the s_wls_admin_console_access_nodes context variable are unavailable. To resolve this issue, apply the October 2019 CPU or a later cumulative CPU.
If you cannot list the specific host names or IP addresses for all your trusted hosts, then you can use one of the alternative methods in the following sections to allow access to the Oracle WebLogic Server Administration ports.
Allowing an IP Range:
Apply Patch 29781255:R12.TXK.C on top of either the April 2019 Critical Patch Update (CPU) or the Oracle E-Business Suite Technology Stack Delta 11 release update pack (R12.TXK.C.Delta.11). This patch allows you to specify resolvable hosts as well as a range of IP addresses such as a Classless Inter-Domain Routing (CIDR) range in the context variable s_wls_admin_console_access_nodes.
For example, for the CIDR range 192.0.2.0/24, set the context variable as follows:
<s_wls_admin_console_access_nodes oa_var="s_wls_admin_console_access_nodes">192.0.2.0/24</s_wls_admin_console_access_nodes>
To specify multiple IP addresses or ranges in the s_wls_admin_console_access_nodes context variable, enter them as a list separated by commas.
Note: Patch 29781255:R12.TXK.C is included in the October 2019 Critical Patch Update (CPU). If you have applied the October 2019 CPU, or a later cumulative CPU, then you do not need to apply Patch 29781255:R12.TXK.C separately.
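A pre-check for the value of s_wls_admin_console_access_nodes before it goes into the context file, as an added example that is not from Oracle or the original post: it splits the comma-separated list, flags malformed addresses and overly broad CIDR ranges, and tests whether a given administrator workstation address is covered. The sample value, the /16 threshold and the function names are assumptions; host names are classified but not resolved, and the code does not reproduce WebLogic's own connection filter logic.

```python
import ipaddress

# Constructed sample value for s_wls_admin_console_access_nodes (not from a real system).
SAMPLE_VALUE = "192.0.2.0/24, 198.51.100.7, adminpc.example.com, 0.0.0.0/0, 10.0.0.300"

MIN_PREFIX = 16  # assumption: local policy treats anything broader than /16 as too wide


def parse_access_nodes(value):
    """Split the comma-separated value and classify each entry."""
    entries = []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            continue
        try:
            # strict=False also accepts entries with host bits set, e.g. 192.0.2.5/24
            net = ipaddress.ip_network(item, strict=False)
            entries.append((item, "cidr" if "/" in item else "ip", net))
        except ValueError:
            # Only digits, dots and slashes: a malformed address, not a host name
            digits_only = item.replace(".", "").replace("/", "").isdigit()
            entries.append((item, "invalid" if digits_only else "host", None))
    return entries


def review(value, min_prefix=MIN_PREFIX):
    """Return warnings for malformed entries and overly broad ranges."""
    warnings = []
    for item, kind, net in parse_access_nodes(value):
        if kind == "invalid":
            warnings.append(f"{item}: not a valid IP address or CIDR range")
        elif kind == "cidr" and net.prefixlen < min_prefix:
            warnings.append(f"{item}: range covers {net.num_addresses} addresses")
    return warnings


def is_covered(client_ip, value):
    """True if client_ip matches an IP or CIDR entry (host names are not resolved)."""
    addr = ipaddress.ip_address(client_ip)
    return any(net is not None and addr.version == net.version and addr in net
               for _, _, net in parse_access_nodes(value))


if __name__ == "__main__":
    for warning in review(SAMPLE_VALUE):
        print("WARNING:", warning)
    print("192.0.2.44 covered:", is_covered("192.0.2.44", "192.0.2.0/24, 198.51.100.7"))
```

A range such as 0.0.0.0/0 in this variable makes the trusted-host restriction on the administration ports meaningless, so a review like this is worth running before AutoConfig applies the value.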
Using SSH Tunneling:
Administrators who already have operating system access to the primary application tier node can use SSH tunneling to access the Oracle WebLogic Server Administration Console and Fusion Middleware Control through the Oracle WebLogic Server Administration ports.
Establish the tunnel as follows:
ssh <OS_user>@<remhost> -L localhost:<WLS_admin_port>:<remhost>:<WLS_admin_port>
where <remhost> is the host name of your primary application tier node.
On a Windows 10 client, you can use the OpenSSH ssh executable from Microsoft. Follow the same syntax for ssh shown in the preceding example.
After setting up SSH tunneling from your UNIX or Windows client, you can securely access the Oracle WebLogic Server Administration Console and Fusion Middleware Control. Launch a browser from your client and connect to the following administrative URLs as required.
- Oracle WebLogic Server Administration Console - http://localhost:<WLS_admin_port>/console
- Fusion Middleware Control - http://localhost:<WLS_admin_port>/em
Note: You must reestablish the SSH tunnel each time the client tier is disconnected from the network, each time the client tier is rebooted, or if you log off of the client.