Restrict access to Oracle EBS 12.2 WebLogic Admin Console only from Trusted Hosts

Oct 30, 2020


Starting with the April 2019 CPU (Critical Patch Update), Oracle provides a security feature that restricts WebLogic Admin Console access to specific hosts/nodes/machines, referred to as “Trusted Hosts”.

The key component for setting up this security feature is the Oracle EBS 12.2 context variable s_wls_admin_console_access_nodes in the context file. The restriction can be enforced through one of the following options.

    • Restrict WebLogic Admin Console access from single trusted host (static IP).
    • Restrict WebLogic Admin Console access from multiple trusted hosts (static IP).
    • Restrict WebLogic Admin Console access from independent multiple trusted hosts (static IP).
    • Restrict WebLogic Admin Console access from trusted hosts (dynamic IP).

    • Restrict WebLogic Admin Console access from single trusted host (static IP).

Accessing the WebLogic Admin Console from a single trusted host with a static IP address, using the “s_wls_admin_console_access_nodes” context variable.

Set the context variable s_wls_admin_console_access_nodes as follows.

Example with Host Name

<s_wls_admin_console_access_nodes oa_var="s_wls_admin_console_access_nodes">admin-ws1.example.com,admin-ws2.example.com</s_wls_admin_console_access_nodes>

Example with IP Address

<s_wls_admin_console_access_nodes oa_var="s_wls_admin_console_access_nodes">192.0.2.0</s_wls_admin_console_access_nodes>

    • Restrict WebLogic Admin Console access from multiple trusted hosts (static IP) for a specific range of IP addresses.

Accessing the WebLogic Admin Console from multiple trusted hosts with static IP addresses, using the “s_wls_admin_console_access_nodes” context variable for a range of IP addresses, for example IP addresses 192.0.2.0 to 192.0.2.24.

Set the context variable s_wls_admin_console_access_nodes as follows.

<s_wls_admin_console_access_nodes oa_var="s_wls_admin_console_access_nodes">192.0.2.0/24</s_wls_admin_console_access_nodes>

    • Restrict WebLogic Admin Console access from independent multiple trusted hosts (static IP).

Accessing the WebLogic Admin Console from multiple trusted hosts with static IP addresses, using the “s_wls_admin_console_access_nodes” context variable for individual IP addresses, for example 192.0.2.5 and 192.0.2.77.

Set the context variable s_wls_admin_console_access_nodes as follows.

Example with Host Name

<s_wls_admin_console_access_nodes oa_var="s_wls_admin_console_access_nodes">admin-ws1.example.com,admin-ws2.example.com</s_wls_admin_console_access_nodes>

Example with IP Address

<s_wls_admin_console_access_nodes oa_var="s_wls_admin_console_access_nodes">192.0.2.5,192.0.2.77</s_wls_admin_console_access_nodes>
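A pre-change check for the value formats shown in the static-IP options above, as an added example that is not part of the original post or of Oracle's tooling: it splits a candidate s_wls_admin_console_access_nodes value into entries, classifies each as host name, single IP or range, and reports the first and last address each range admits. It assumes a "/NN" suffix is read as a CIDR prefix length; the function name audit_access_nodes and the 256-address warning threshold are choices made for this example.

```python
import ipaddress
import re

# Assumption: a "/NN" suffix is a CIDR prefix length, as in 192.0.2.0/24.
MAX_RANGE = 256  # illustrative threshold for flagging wide ranges
HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def audit_access_nodes(value):
    """Return one dict per comma-separated entry of the context variable value."""
    report = []
    seen = set()
    for raw in value.split(","):
        entry = raw.strip()
        item = {"entry": entry, "kind": None, "first": None, "last": None,
                "count": 0, "warnings": []}
        if raw != entry:
            item["warnings"].append("surrounding whitespace")
        if entry in seen:
            item["warnings"].append("duplicate entry")
        seen.add(entry)
        try:
            if "/" in entry:
                net = ipaddress.ip_network(entry, strict=False)
                item.update(kind="range", first=str(net[0]), last=str(net[-1]),
                            count=net.num_addresses)
                if str(net.network_address) != entry.split("/")[0]:
                    item["warnings"].append("host bits set; range starts at %s" % net[0])
                if net.num_addresses > MAX_RANGE:
                    item["warnings"].append("range wider than %d addresses" % MAX_RANGE)
            else:
                ip = ipaddress.ip_address(entry)
                item.update(kind="ip", first=str(ip), last=str(ip), count=1)
        except ValueError:
            if HOST_RE.match(entry) and not entry.replace(".", "").isdigit():
                item["kind"] = "hostname"  # resolved at runtime; not checked offline
            else:
                item["kind"] = "invalid"
                item["warnings"].append("not a host name, IP address or range")
        report.append(item)
    return report


if __name__ == "__main__":
    # Constructed sample values in the documentation address block the page uses.
    for v in ("admin-ws1.example.com,admin-ws2.example.com", "192.0.2.0/24",
              "192.0.2.0, 192.0.2.0", "192.0.2.5/24,0.0.0.0/0"):
        for row in audit_access_nodes(v):
            print(row)
```

Reviewing the first/last/count columns before changing the context file shows exactly which addresses a range entry would admit.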

    • Restrict WebLogic Admin Console access from trusted host with dynamic IP address.

Accessing the WebLogic Admin Console from trusted hosts with a dynamic IP address, using the SSH tunnelling method.

ssh <OS_user>@<remhost> -L localhost:<WLS_admin_port>:<remhost>:<WLS_admin_port>

Example

ssh ebapplprd@ebsprdapp1 -L localhost:7002:ebsprdapp1:7002