Implications of latest Oracle WebLogic Server connection filters for Oracle EBS r12.2 customers



Above screenshot might click many Apps DBAs who have recently applied -
1. April 2019 CPU Patch
2. Upgraded to Latest AD and TXK level (C.11)


Recently I applied Oracle E-Business Suite Technology Stack Delta 11 on an EBS r12.2.7 implementation.
After applying patch we went for sanity checks and when trying to open Weblogic Server console I got this -
The Server is not able to service this request: [Socket:000445]Connection rejected, filter blocked Socket, weblogic.security.net.FilterException: [Security:090220]rule 2

Below are metalink ids ideally Apps DBAs should refer to for resolving this-
Alternative Methods to Allow Access to Oracle WebLogic Server Administration Console from Trusted Hosts for Oracle E-Business Suite Release 12.2 (Doc ID 2542826.1)
ORA-12547 While Client Connecting Via SSH Tunnel (Doc ID 454252.1)

Oracle Community also has few tips for this-
https://community.oracle.com/message/15413970#15413970


Troubleshooting Part -



cd $FMW_HOME/user_projects/domains/EBS_domain_<CONTEXT_NAME>/config/
cat config.xml | grep connection-filte
    <connection-filter>oracle.apps.ad.tools.configuration.wls.filter.EBSConnectionFilterImpl< connection-filter>
    <connection-filter-rule>appsnode * * allow</connection-filter-rule>
    <connection-filter-rule>0.0.0.0/0 * * deny</connection-filter-rule>




We will be exploring all the 3 scenarios with real-time usecases.

Option 1: Adding Specific Trusted Hosts

1. This can be done by using context variable - s_wls_admin_console_access_nodes
A comma seperated set of ips/hostnames(fqdns) can be used like as follows to allow set of system administrators/weblogic administrators
to access console -

<s_wls_admin_console_access_nodes oa_var="s_wls_admin_console_access_nodes">host1.domain.com,host2.domain.com</s_wls_admin_console_access_nodes>

2. Execute autoconfig on run filesystem.
3. Stop and start Oracle Weblogic admin server
 adadminsrvctl.sh stop
 adadminsrvctl.sh start
4. perform fs_clone to synchronize filesystems
 adop phase=fs_clone




Option 2: Allowing an IP Range

This option will be available after applying  Patch 29781255:R12.TXK.C.
There will be requirements where you need to provide IP range and it is important to
first understandd how CIDR works.

According to CIDR ruling, you can have a factor set to 4^n
This implies we can have ip range as
4,16,64,256

Sample example to narrow down IP range -
195.168.1.32/24 ---> 256  IP Hosts
195.168.1.32/26 --->  64  IP Hosts
195.168.1.32/28 --->  16  IP Hosts
195.168.1.32/30 --->  04  IP Hosts


I first checked for patch if already applied as a standard practice.

Query 1-
set lines 1000
col APPLIED_FILE_SYSTEM_BASE for a40
SELECT b.bug_number, asp.adop_session_id, asp.bug_number patch#,
       asp.session_type, asp.applied_file_system_base,
       asp.start_date, asp.end_date
FROM ad_bugs b, ad_patch_run_bugs prb, ad_patch_runs pr,
     ad_patch_drivers pd, ad_adop_session_patches asp
WHERE b.bug_id = prb.bug_id
  AND prb.patch_run_id = pr.patch_run_id
AND pr.patch_driver_id = pd.patch_driver_id
  AND pr.patch_run_id = asp.patchrun_id
  AND prb.applied_flag = 'Y'
  AND b.bug_number = '&bug_num';
Enter value for bug_num: 29781255
old  11:   AND b.bug_number = '&bug_num'
new  11:   AND b.bug_number = '29781255'

no rows selected

Query 2-
SELECT adb.bug_number,ad_patch.is_patch_applied('122', 1045, adb.bug_number)
FROM ad_bugs adb
WHERE adb.bug_number in (29781255);
Query 3-
select ad_patch.is_patch_applied('R12',-1,29781255) from dual;


Once patch was applied, we update CONTEXT file on run fs as follows -

cat $CONTEXT_FILE | grep wls | grep nodes
<s_wls_admin_console_access_nodes oa_var="s_wls_admin_console_access_nodes">195.168.1.32/30</s_wls_admin_console_access_nodes>

This can me below set of 4 ips -
195.168.1.32-to-195.168.1.35

Note: Easy way to calculate range of Ips is using online calculator -
https://www.ipaddressguide.com/cidr

Executed autoconfig and started admin server to reflect changes.



Option 3: Adding Specific Trusted Hosts

SSH tunneling is pre-requisite here and I achieved it using putty.
For lab environment using static ips, this can be simply achieved using below -
1. Ssh -> Logging
Provide Destination IP address and keep port for ssh as 22.

Save it with some name to it can be loaded later for future reference.

2. Connection -> SSH -> Tunnels
Provide Source port, client machine's port which is open and not blocked or used by any other application.
In my case it was 81.

Provide Destination Hostname:Port and click on 'Add'

3. Go back to session and save it.

4. If you are not intending to logon to server, you can use option under 'Ssh' -

5. Login to saved session and monitor Event log for putty Session -

5. Few more settings are required on your web-browser, I used Firefox here -





127.0.0.1 is for Localhost.

Clear browser cache and try console again -


at No comments:

Query to Check AD and TXK code levels in your EBS environment


Below query can be very handy in finding out current AD and TXK code levels.


col ABBREVIATION for a10
set lines 1000
col NAME for a50
col CODELEVEL for a20
SELECT ABBREVIATION,NAME,codelevel FROM AD_TRACKABLE_ENTITIES WHERE abbreviation in ('txk','ad');


ABBREVIATI NAME                                               CODELEVEL
---------- -------------------------------------------------- ------------
ad         Oracle Applications DBA                            C.11
txk        Oracle Applications Technology Stack               C.11

at 1 comment:
Subscribe to: Posts (Atom)