How to fix EBS weblogic admin console when not accessible after CPU patching


With the recent CPU patching on Oracle E-Business Suite R12.2, many customers have had trouble accessing the WebLogic admin console from a browser. This security enhancement started with the April 2019 CPU via Patch 29524595, which uses WebLogic connection filters. More details on connection filters can be found here.

By default, the above patch turns the WebLogic connection filters ON, so only localhost can access the URL and all other client hosts are denied. The following values in $EBS_DOMAIN_HOME/config/config.xml are responsible for these changes:

<connection-filter-rule>localhost * * allow</connection-filter-rule>
<connection-filter-rule> * * deny</connection-filter-rule>

Oracle suggested setting the new context file variable “s_wls_admin_console_access_nodes” to the list of trusted hosts that may access the console. Based on those values, the next autoconfig run populates $EBS_DOMAIN_HOME/config/config.xml with the corresponding allow rules.

However, this didn’t address one of our client’s requirements, which was to whitelist all the hosts in a subnet for development environments, so we ended up with the configuration below in $EBS_DOMAIN_HOME/config/config.xml. MOS 1508748.1 provides detailed steps for making these changes from the WebLogic console. Do remember that manual changes to this config file get overwritten by the next autoconfig run.

<connection-filter-rule>localhost * * allow</connection-filter-rule>
<connection-filter-rule>XX.XX.XX.XX/CIDR * wlsport allow http #AC</connection-filter-rule>
<connection-filter-rule> * * deny</connection-filter-rule>
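
The following Python is an added example (not from the original post or from Oracle's tooling) that reads the connection-filter rules out of a config.xml and evaluates them in file order, the first match deciding, to check which clients can reach the console after an autoconfig run. The subnet 10.20.30.0/24, port 7001 and the 0.0.0.0/0 catch-all target are constructed stand-ins for the placeholders above, and localhost is treated as loopback without name resolution.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: 10.20.30.0/24 and 7001 stand in for the page's
# XX.XX.XX.XX/CIDR and wlsport; the 0.0.0.0/0 catch-all target is an assumption.
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <security-configuration>
    <connection-filter-rule>localhost * * allow</connection-filter-rule>
    <connection-filter-rule>10.20.30.0/24 * 7001 allow http #AC</connection-filter-rule>
    <connection-filter-rule>0.0.0.0/0 * * deny</connection-filter-rule>
  </security-configuration>
</domain>"""

def load_rules(config_xml):
    rules = []  # kept in file order, because evaluation is first-match
    for el in ET.fromstring(config_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "connection-filter-rule":
            continue
        fields = (el.text or "").split("#", 1)[0].split()  # text after '#' is a comment
        if len(fields) < 4:
            raise ValueError(f"malformed rule: {el.text!r}")
        target, _local_addr, port, action = fields[:4]
        rules.append({"target": target, "port": port, "action": action.lower(),
                      "protocols": [p.lower() for p in fields[4:]]})
    return rules

def target_matches(target, client_ip):
    ip = ipaddress.ip_address(client_ip)
    if target == "localhost":
        return ip.is_loopback  # simplification: no name resolution is done here
    try:
        return ip in ipaddress.ip_network(target, strict=False)
    except ValueError:
        return False  # other hostname targets are not resolved in this offline example

def decide(rules, client_ip, port, protocol="http"):
    """First matching rule wins; if nothing matches, the connection is permitted."""
    for rule in rules:
        if (target_matches(rule["target"], client_ip)
                and rule["port"] in ("*", str(port))
                and (not rule["protocols"] or protocol.lower() in rule["protocols"])):
            return rule["action"]
    return "allow"

if __name__ == "__main__":
    rules = load_rules(SAMPLE_CONFIG)
    for ip, proto in [("127.0.0.1", "http"), ("10.20.30.44", "http"), ("10.20.30.44", "t3")]:
        print(ip, proto, decide(rules, ip, 7001, proto))
    print("final deny removed:", decide(rules[:-1], "203.0.113.9", 7001))
```

With the final deny rule dropped, every client falls through to the implicit allow, which is what the last line of output shows.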

While researching the recent CPU patches for E-Business Suite, I came upon a new patch from Oracle – 29781255 – that enables support for CIDR subnets in the context variable “s_wls_admin_console_access_nodes” as per MOS: 2542826.1. This functionality was achieved by providing a new version of & that gets invoked during autoconfig. The same MOS note, 2542826.1, also provides the option of using SSH tunneling to access the WebLogic console if you have access to an E-Business host.

So, I hope the above pointers let you configure and access weblogic admin consoles as per your requirement post-EBS security patching.




3 Comments

Thank you Pavan. I’ve been having to manually delete that “deny” from the config.xml after each adautocfg if I wanted to access weblogic console via my workstation. I’ll check out that MOS doc_id.


Did you find a solution for the “deny” in the config.xml file after autocfg? I am having the same issue as you describe here.


Thanks Benny for the update. Yes, this MOS helps with whitelisting irrespective of autoconfig execution.

