Thursday, September 5, 2019

Alternative Methods to Allow Access to Oracle WebLogic Server Administration Console from Trusted Hosts for Oracle E-Business Suite Release 12.2 (Doc ID 2542826.1)

Alternative Methods to Allow Access to Oracle WebLogic Server Administration Ports from Trusted Hosts for Oracle E-Business Suite Release 12.2

This knowledge document describes alternative methods to allow access to the Oracle WebLogic Server Administration Console and Fusion Middleware Control if you cannot individually specify all the trusted hosts from which an Oracle E-Business Suite administrator will access these consoles.
The most current version of this document can be obtained in My Oracle Support Knowledge Document 2542826.1.
There is a change log at the end of this document.

Section 1: Overview

After you apply either the April 2019 Critical Patch Update (CPU) or the Oracle E-Business Suite Technology Stack Delta 11 release update pack (R12.TXK.C.Delta.11) to Oracle E-Business Suite Release 12.2, AutoConfig will secure access to the Oracle WebLogic Server ports using Oracle WebLogic Server connection filters. All the existing application tier nodes of the Oracle E-Business Suite instance are allowed unrestricted access to Oracle WebLogic Server ports. However, by default, there are no trusted hosts defined for the Oracle WebLogic Server Administration ports, which are used by the Oracle WebLogic Server Administration Console and Fusion Middleware Control. You have three options to allow your administrators access to the consoles. These options are described in Section 2.
This security enhancement reflects our secure-by-default initiative in Oracle E-Business Suite and is intended to reduce the attack surface. Controlling access to the Oracle WebLogic Server ports, and particularly the administration ports, is very important to the security posture of the Oracle E-Business Suite infrastructure, and this new feature has been put in place to automate the use of the Oracle WebLogic Server connection filters.

Section 2: Configuring Access for Administrators

Option 1: Adding Specific Trusted Hosts

You can use the context variable s_wls_admin_console_access_nodes to specify the trusted hosts used by administrators that require access to the consoles. In the value for this context variable, you must list the host name or IP address for each trusted host. For details, see Only Allow Access to Oracle WebLogic Server Administration Console from Trusted Hosts, Oracle E-Business Suite Setup Guide.
If you cannot list the specific host names or IP addresses for all your trusted hosts, then you can use one of the alternative methods in the following sections to allow access to the Oracle WebLogic Server Administration ports.

Option 2: Allowing an IP Range

Apply Patch 29781255:R12.TXK.C on top of either the April 2019 Critical Patch Update (CPU) or the Oracle E-Business Suite Technology Stack Delta 11 release update pack (R12.TXK.C.Delta.11). This patch allows you to specify resolvable hosts as well as a range of IP addresses such as a Classless Inter-Domain Routing (CIDR) range in the context variable s_wls_admin_console_access_nodes.
For example, for the CIDR range 192.0.2.0/24, set the context variable as follows:
<s_wls_admin_console_access_nodes oa_var="s_wls_admin_console_access_nodes">192.0.2.0/24</s_wls_admin_console_access_nodes>
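The following check is an added example, not part of the Oracle document or of AutoConfig. It parses the context-file element shown above, reports whether a given administrator client address is covered by the listed addresses and ranges, and flags ranges wider than a site policy allows. The comma separator between entries, the extra sample entries and the MIN_PREFIX policy value are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the element from the example above, extended with a
# single address, a host name and a wide range. The comma separator between
# entries is an assumption of this example.
SAMPLE_ELEMENT = (
    '<s_wls_admin_console_access_nodes oa_var="s_wls_admin_console_access_nodes">'
    '192.0.2.0/24, 198.51.100.17, adminhost.example.com, 10.0.0.0/8'
    '</s_wls_admin_console_access_nodes>'
)

MIN_PREFIX = 24  # hypothetical site policy for IPv4: flag anything wider than /24


def parse_access_nodes(element_xml):
    """Split the variable's value into IP networks and host names."""
    elem = ET.fromstring(element_xml)
    if elem.get("oa_var") != "s_wls_admin_console_access_nodes":
        raise ValueError("not the s_wls_admin_console_access_nodes element")
    networks, hostnames = [], []
    for entry in (elem.text or "").split(","):
        entry = entry.strip()
        if not entry:
            continue
        try:
            # A bare address becomes a /32 (or /128) network.
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            # Anything that is not an address or CIDR range is kept as a host name.
            hostnames.append(entry)
    return networks, hostnames


def is_trusted(client_ip, networks):
    """True if client_ip falls inside any listed address or range."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks if net.version == addr.version)


def overly_broad(networks, min_prefix=MIN_PREFIX):
    """Return ranges wider than the policy allows (shorter prefix length)."""
    return [net for net in networks if net.prefixlen < min_prefix]


if __name__ == "__main__":
    nets, hosts = parse_access_nodes(SAMPLE_ELEMENT)
    for ip in ("192.0.2.44", "203.0.113.9"):
        print(ip, "trusted" if is_trusted(ip, nets) else "not listed")
    print("review:", [str(n) for n in overly_broad(nets)], "host names:", hosts)
```

Host-name entries are only collected here; resolving them is left to the application tier, so the result for a client covered solely by a host name must be checked separately.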

Option 3: Using SSH Tunneling

Administrators who already have operating system access to the primary application tier node can use SSH tunneling to access the Oracle WebLogic Server Administration Console and Fusion Middleware Control through the Oracle WebLogic Server Administration ports. 
Establish the tunnel as follows:
ssh <OS_user>@<remhost> -L localhost:<WLS_admin_port>:<remhost>:<WLS_admin_port>
where <remhost> is the host name of your primary application tier node.
On a Windows client, you can use either one of the following executables:
  • Windows 10: OpenSSH ssh from Microsoft
    If you use ssh, follow the syntax for ssh shown in the preceding example.
  • Windows 7: plink from PuTTY
    If you use plink, use the following command:
    C:\> plink.exe -N -Llocalhost:<WLS_admin_port>:<primary-apptier>:<WLS_admin_port> <OS_user>@<primary-apptier>
    For example, if the Oracle WebLogic Server Administration port is 7001 and the OS user is oracle, use the following command:
    C:\> plink.exe -N -Llocalhost:7001:<primary-apptier>:7001 oracle@<primary-apptier>
After setting up SSH tunneling from your UNIX or Windows client, you can securely access the Oracle WebLogic Server Administration Console and Fusion Middleware Control. Launch a browser from your client and connect to the following administrative URLs as required.
  • Oracle WebLogic Server Administration Console - http://localhost:<WLS_admin_port>/console
  • Fusion Middleware Control - http://localhost:<WLS_admin_port>/em
Note: You must reestablish the SSH tunnel each time the client tier is disconnected from the network, each time the client tier is rebooted, or if you log off of the client.
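A client-side check to run after opening the tunnel, given as an added example that is not part of the Oracle document. It parses `ss -ltn` output and reports any forwarded administration port that is listening on a non-loopback address, which can happen if the localhost bind address in the commands above is dropped while ssh's -g option or GatewayPorts is in effect. The sample output and the 7002 listener are constructed.

```python
import ipaddress

# Constructed sample of `ss -ltn` output on a client with tunnels open.
# 7001 is the example admin port used above; the 7002 row shows a forward
# that was opened without a loopback bind address.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128        127.0.0.1:7001      0.0.0.0:*
LISTEN 0      128            [::1]:7001         [::]:*
LISTEN 0      128          0.0.0.0:7002      0.0.0.0:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
"""


def listeners(ss_output):
    """Yield (address, port) for every LISTEN row."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        # Drop IPv6 brackets and any %interface suffix ss may print.
        yield addr.strip("[]").split("%")[0], int(port)


def exposed_forwards(ss_output, ports):
    """Return listeners on the given ports that are not loopback-only."""
    exposed = []
    for addr, port in listeners(ss_output):
        if port not in ports:
            continue
        # "*" is how ss prints a wildcard bind on some systems.
        if addr == "*" or not ipaddress.ip_address(addr).is_loopback:
            exposed.append((addr, port))
    return exposed


if __name__ == "__main__":
    for addr, port in exposed_forwards(SAMPLE_SS, {7001, 7002}):
        print(f"forward on port {port} is reachable via {addr}, not loopback only")
```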

Change Log

Date        Description
2019-08-09  Added information on Patch 29781255:R12.TXK.C in Section 2 Option 2 and information on Windows clients in Section 2 Option 3.
2019-07-01  Added link to Administration Console Online Help in Section 2 Option 2.
2019-06-19  Expanded overview in Section 1.
2019-05-31  Updates to clarify terminology.
2019-05-21  Initial publication.
My Oracle Support Knowledge Document 2542826.1 by Oracle E-Business Suite Developmen
