How to fix EBS weblogic admin console when not accessible after CPU patching


With the recent CPU patching on Oracle E-Business suite R12.2, many customers faced issues accessing the weblogic admin console from a browser. This security enhancement started with the April 2019 CPU via Patch 29524595, using weblogic connection filters. More details on connection filters can be found here.

By default, the weblogic connection filters are turned ON with the above patch and let only localhost access the URL, denying all other client hosts. The following values in $EBS_DOMAIN_HOME/config/config.xml are responsible for these changes:

<connection-filter-rule>localhost * * allow</connection-filter-rule>
<connection-filter-rule>0.0.0.0/0 * * deny</connection-filter-rule>

Oracle suggested providing values to the new context file variable “s_wls_admin_console_access_nodes” with the list of trusted hosts for accessing the console. Based on these values, the next autoconfig run populates $EBS_DOMAIN_HOME/config/config.xml with the allow option.

However, it didn’t address one of our client requirements to whitelist all the hosts in a subnet for development environments, and we ended up with the configuration below in $EBS_DOMAIN_HOME/config/config.xml. MOS 1508748.1 provides detailed steps for making these changes from the weblogic console. Do remember that manual changes to this config file get overwritten by the next autoconfig run.

<connection-filter-rule>localhost * * allow</connection-filter-rule>
<connection-filter-rule>XX.XX.XX.XX/CIDR * wlsport allow http #AC</connection-filter-rule>
<connection-filter-rule>0.0.0.0/0 * * deny</connection-filter-rule>
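To see which clients a rule list like the one above actually admits, the following added example (not code from the post or from Oracle) parses the connection-filter-rule entries and evaluates them in order. It assumes the first-match-wins behaviour documented for WebLogic's default connection filter, ignores the local-address field, and uses a constructed subnet (10.20.30.0/24) and port (7001) in place of the post's XX.XX.XX.XX/CIDR and wlsport.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed fragment in the shape the post shows; subnet and port are sample values.
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <security-configuration>
    <connection-filter-rule>localhost * * allow</connection-filter-rule>
    <connection-filter-rule>10.20.30.0/24 * 7001 allow http #AC</connection-filter-rule>
    <connection-filter-rule>0.0.0.0/0 * * deny</connection-filter-rule>
  </security-configuration>
</domain>"""


def load_rules(config_xml):
    """Return the connection-filter-rule strings in document order."""
    root = ET.fromstring(config_xml)
    return [el.text.strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "connection-filter-rule" and el.text]


def target_matches(target, client_ip):
    """Match the rule's first field against the client address."""
    if target == "*":
        return True
    if target == "localhost":  # assumption: resolves to loopback on the admin host
        return client_ip.is_loopback
    try:
        return client_ip in ipaddress.ip_network(target, strict=False)
    except ValueError:
        return False  # other hostnames would need DNS; treated as no match here


def decide(rules, client, port, protocol):
    """First matching rule wins; with no match the connection is permitted."""
    ip = ipaddress.ip_address(client)
    for rule in rules:
        fields = rule.split("#", 1)[0].split()  # drop trailing comment such as #AC
        if len(fields) < 4:
            continue
        target, _local_addr, local_port, action, *protocols = fields
        if not target_matches(target, ip):
            continue
        if local_port != "*" and local_port != str(port):
            continue
        if protocols and protocol not in protocols:
            continue  # rule restricted to listed protocols, e.g. http only
        return action
    return "allow"
```

Because the subnet rule is limited to http, a t3 connection (for example WLST) from the same subnet falls through to the final deny, and placing the 0.0.0.0/0 deny ahead of the allow rules would lock out every client including localhost.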

While researching the recent CPU patches for E-Business suite, I came upon a new patch from Oracle – 29781255 – that enables support for CIDR subnets in the context variable “s_wls_admin_console_access_nodes” as per MOS: 2542826.1. This functionality was achieved by providing new versions of txkUpdateEBSDomain.pl and txkUpdateEBSDomain.py, which get invoked during autoconfig. The same MOS note, 2542826.1, also provides an option of using SSH tunneling to access the weblogic console if you have access to an E-Business host.

So, I hope the above pointers let you configure and access weblogic admin consoles as per your requirement post-EBS security patching.


Interested in working with Pavan? Schedule a tech call.
