Friday, April 8, 2022
Implications of latest Oracle WebLogic Server connection filters for Oracle EBS r12.2 customers
The screenshot above may look familiar to many Apps DBAs who have recently applied:
1. April 2019 CPU Patch
2. Upgraded to Latest AD and TXK level (C.11)
Recently I applied Oracle E-Business Suite Technology Stack Delta 11 on an EBS r12.2.7 implementation.
After applying the patch we went through sanity checks, and when trying to open the WebLogic Server console I got this:
The Server is not able to service this request: [Socket:000445]Connection rejected, filter blocked Socket, weblogic.security.net.FilterException: [Security:090220]rule 2
Below are the Metalink IDs that Apps DBAs should ideally refer to for resolving this:
Alternative Methods to Allow Access to Oracle WebLogic Server Administration Console from Trusted Hosts for Oracle E-Business Suite Release 12.2 (Doc ID 2542826.1)
ORA-12547 While Client Connecting Via SSH Tunnel (Doc ID 454252.1)
Oracle Community also has a few tips for this:
https://community.oracle.com/message/15413970#15413970
Troubleshooting Part -
cd $FMW_HOME/user_projects/domains/EBS_domain_/config/
cat config.xml | grep connection-filte
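<connection-filter>oracle.apps.ad.tools.configuration.wls.filter.EBSConnectionFilterImpl</connection-filter>
<connection-filter-rule>appsnode * * allow</connection-filter-rule>
<connection-filter-rule>0.0.0.0/0 * * deny</connection-filter-rule>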
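Why the console request was rejected with "rule 2", as an added example (not from the original post and not Oracle's code): the sketch assumes EBSConnectionFilterImpl applies the in-order, first-match evaluation documented for WebLogic's default connection filter. The `HOSTS` map, the client addresses and the `WITH_RANGE` rule set are constructed for illustration.

```python
import ipaddress

# Constructed name-to-address map standing in for DNS so the example runs offline.
HOSTS = {"appsnode": ["10.0.0.5"]}

def parse_rule(line):
    """Split a rule of the form 'target localAddress localPort action'."""
    target, local_addr, local_port, action = line.split()[:4]
    return {"target": target, "local_addr": local_addr,
            "local_port": local_port, "action": action.lower()}

def target_matches(target, client_ip, hosts=HOSTS):
    """True if client_ip falls under the rule target (IP, CIDR block or hostname)."""
    ip = ipaddress.ip_address(client_ip)
    try:
        return ip in ipaddress.ip_network(target, strict=False)
    except ValueError:
        # Not an address or CIDR block: treat the target as a hostname.
        return any(ip == ipaddress.ip_address(a) for a in hosts.get(target, []))

def evaluate(rules, client_ip):
    """Return (rule_number, action) for the first matching rule.

    Local address and port are '*' in every rule on the page, so they are
    parsed but not matched. With no matching rule the connection is allowed
    (assumption: same behaviour as WebLogic's default filter).
    """
    for number, line in enumerate(rules, start=1):
        rule = parse_rule(line)
        if target_matches(rule["target"], client_ip):
            return number, rule["action"]
    return None, "allow"

# The two rules shown in config.xml above.
PAGE_RULES = ["appsnode * * allow", "0.0.0.0/0 * * deny"]

# Constructed rule set: a trusted range placed before the catch-all deny.
WITH_RANGE = ["appsnode * * allow",
              "195.168.1.32/30 * * allow",
              "0.0.0.0/0 * * deny"]

if __name__ == "__main__":
    # An administrator workstation (constructed address) hits the catch-all deny.
    print(evaluate(PAGE_RULES, "192.0.2.10"))
    print(evaluate(WITH_RANGE, "195.168.1.33"))
```

Any client that is not the apps node falls through to the second rule, which is the rule number reported in the FilterException.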
We will explore all 3 scenarios with real-time use cases.
Option 1: Adding Specific Trusted Hosts
1. This is done using the context variable s_wls_admin_console_access_nodes.
A comma-separated list of IPs or hostnames (FQDNs) can be used as follows to allow a set of system administrators/WebLogic administrators
to access the console:
host1.domain.com,host2.domain.com
2. Execute autoconfig on run filesystem.
3. Stop and start Oracle Weblogic admin server
adadminsrvctl.sh stop
adadminsrvctl.sh start
4. Perform fs_clone to synchronize the file systems
adop phase=fs_clone
Option 2: Allowing an IP Range
This option will be available after applying Patch 29781255:R12.TXK.C.
There will be requirements where you need to provide an IP range, and it is important to
first understand how CIDR works.
According to the CIDR rule, you can have a factor set to 4^n.
This implies we can have IP ranges of
4, 16, 64, 256
Example of narrowing down an IP range:
195.168.1.32/24 ---> 256 IP Hosts
195.168.1.32/26 ---> 64 IP Hosts
195.168.1.32/28 ---> 16 IP Hosts
195.168.1.32/30 ---> 04 IP Hosts
As standard practice, I first checked whether the patch was already applied.
Query 1-
set lines 1000
col APPLIED_FILE_SYSTEM_BASE for a40
SELECT b.bug_number, asp.adop_session_id, asp.bug_number patch#,
asp.session_type, asp.applied_file_system_base,
asp.start_date, asp.end_date
FROM ad_bugs b, ad_patch_run_bugs prb, ad_patch_runs pr,
ad_patch_drivers pd, ad_adop_session_patches asp
WHERE b.bug_id = prb.bug_id
AND prb.patch_run_id = pr.patch_run_id
AND pr.patch_driver_id = pd.patch_driver_id
AND pr.patch_run_id = asp.patchrun_id
AND prb.applied_flag = 'Y'
AND b.bug_number = '&bug_num';
Enter value for bug_num: 29781255
old 11: AND b.bug_number = '&bug_num'
new 11: AND b.bug_number = '29781255'
no rows selected
Query 2-
SELECT adb.bug_number,ad_patch.is_patch_applied('122', 1045, adb.bug_number)
FROM ad_bugs adb
WHERE adb.bug_number in (29781255);
Query 3-
select ad_patch.is_patch_applied('R12',-1,29781255) from dual;
Once the patch was applied, we updated the CONTEXT file on the run fs as follows -
cat $CONTEXT_FILE | grep wls | grep nodes
195.168.1.32/30
This can be the below set of 4 IPs:
195.168.1.32 to 195.168.1.35
Note: An easy way to calculate a range of IPs is to use an online calculator:
https://www.ipaddressguide.com/cidr
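An offline alternative to the online calculator, added here as an example (not from the original post or from Oracle): it expands each entry of a trusted-hosts value with standard CIDR arithmetic, where a /p block holds 2^(32-p) addresses (the 4, 16, 64 and 256 sizes above are the /30, /28, /26 and /24 cases), and warns when the written address is not the start of its block. The function names and the `max_addresses` threshold are assumptions for illustration.

```python
import ipaddress

def audit_access_nodes(value, max_addresses=16):
    """Audit a comma-separated trusted-hosts value (hostnames, IPs, CIDR blocks).

    Hostnames are reported but not resolved. max_addresses is a hypothetical
    local policy limit, not an Oracle setting.
    """
    findings = []
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        try:
            # strict=False accepts an address with host bits set, e.g. x.x.x.32/24
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append({"entry": entry, "kind": "hostname", "warnings": []})
            continue
        warnings = []
        written = ipaddress.ip_address(entry.split("/")[0])
        if written != net.network_address:
            warnings.append(f"host bits set: block starts at {net.network_address}")
        if net.num_addresses > max_addresses:
            warnings.append(f"{net.num_addresses} addresses exceeds {max_addresses}")
        findings.append({"entry": entry, "kind": "network", "network": net,
                         "first": str(net.network_address),
                         "last": str(net.broadcast_address),
                         "count": net.num_addresses, "warnings": warnings})
    return findings

def is_allowed(client_ip, value):
    """True if client_ip falls inside any IP or CIDR entry of the value."""
    ip = ipaddress.ip_address(client_ip)
    return any(f["kind"] == "network" and ip in f["network"]
               for f in audit_access_nodes(value))

if __name__ == "__main__":
    # Constructed value mixing a hostname with two of the page's sample blocks.
    sample = "host1.domain.com,195.168.1.32/30,195.168.1.32/24"
    for f in audit_access_nodes(sample):
        print(f["entry"], f.get("first"), f.get("last"), f.get("count"), f["warnings"])
```

Note that 195.168.1.32/24 covers 195.168.1.0 through 195.168.1.255, so the address written before the slash does not by itself bound the range.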
Executed autoconfig and started admin server to reflect changes.
Option 3: Adding Specific Trusted Hosts
SSH tunneling is a prerequisite here, and I achieved it using PuTTY.
For a lab environment using static IPs, this can be achieved simply as follows:
1. Ssh -> Logging
Provide Destination IP address and keep port for ssh as 22.
Save it with some name so it can be loaded later for future reference.
2. Connection -> SSH -> Tunnels
Provide the source port: a port on the client machine that is open and not blocked or used by any other application.
In my case it was 81.
Provide Destination Hostname:Port and click on 'Add'
3. Go back to session and save it.
4. If you do not intend to log on to the server, you can use the option under 'Ssh' -
5. Log in to the saved session and monitor the Event Log for the PuTTY session -
6. A few more settings are required in your web browser; I used Firefox here -
127.0.0.1 is for Localhost.
Clear browser cache and try console again -
https://maazdba.blogspot.com/2019/09/implications-of-latest-oracle-weblogic.html