Wednesday, May 15, 2019

The Server is not able to service this request: [Socket:000445]Connection rejected, filter blocked Socket, weblogic.security.net.FilterException: [Security:090220]rule 2

Dear Folks,

We came across a WebLogic issue where we were not able to access the console, getting the following error.

The Server is not able to service this request: [Socket:000445]Connection rejected, filter blocked Socket, weblogic.security.net.FilterException: [Security:090220]rule 2 

This issue started after we applied the April 2019 CPU patches on one of our 12.2.8 EBS environments.

Starting with the April 2019 patches, Oracle allows only trusted hosts to access the WebLogic console. Refer to the document below for more details, in particular the section Configuring Oracle WebLogic Server Connection Filter.

https://docs.oracle.com/cd/E26401_01/doc.122/e22953/T174296T589913.htm#T672703

Fix
---

** Log in to the primary node of the Oracle E-Business Suite instance.

** Start the Oracle WebLogic Admin Server from the run file system.

** Take a backup of the run file system context file.

** Edit the run file system context file to set the value for the s_wls_admin_console_access_nodes context variable to the list of trusted hosts that are allowed to access the Admin Server. For each host,
    specify either the FQDN or the IP address. Use commas to separate the hosts in the list. For example:

<s_wls_admin_console_access_nodes oa_var="s_wls_admin_console_access_nodes">admin-ws1.example.com,admin-ws2.example.com</s_wls_admin_console_access_nodes>

Note: When you add the fully qualified domain name or the IP address for a host to the list in the s_wls_admin_console_access_nodes context variable, ensure that the host name is resolvable from all application tier nodes of the Oracle E-Business Suite instance.

** Run AutoConfig.

** Stop and restart the Oracle WebLogic Admin Server.

We followed the above fix and updated the hostnames (Application, DB) in the context files. However, the issue still remained.

The Admin Server log showed the IP address below, so we added that IP to the context file to resolve the issue.

                         10.70.200.201 (this IP address belongs to the NAT'd IP)

However, it seems to be specific to one VPN.

So we approached Oracle to get clarity about the issue. They finally came up with the alternative workaround below.

In order to fix this issue, please comment out or remove the following lines in the domain config.xml:

Go to $EBS_DOMAIN_HOME/config


 <connection-filter>oracle.apps.ad.tools.configuration.wls.filter.EBSConnectionFilterImpl</connection-filter>
 <connection-filter-rule><host>.<domain> * * allow</connection-filter-rule>
 <connection-filter-rule>0.0.0.0/0 * * deny</connection-filter-rule>
 <connection-logger-enabled>true</connection-logger-enabled>

 Once done, save the file and restart the Admin Server.

 Now access the console and set the filter rules as per the following document:

NOTE: Even in the July CPU, Oracle didn't fix this issue. We were following up with them, and they are going to raise a bug.

Fix for the above one
Alternative Methods to Allow Access to Oracle WebLogic Server Administration Console from Trusted Hosts for Oracle E-Business Suite Release 12.2 (Doc ID 2542826.1)

Please add the IP address of your internal node in the config.xml file

<s_wls_admin_console_access_nodes oa_var="s_wls_admin_console_access_nodes">192.0.2.0/24</s_wls_admin_console_access_nodes>
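
Why a NAT'd client ends up on "rule 2", as an added example (not code from this post or from Oracle): a simplified first-match evaluator for the connection-filter rule format shown in config.xml above. It assumes the WebLogic default-filter behaviour (rules checked in order, first match wins, no match means allow) also holds for the EBS filter class, and that the number in the error is the 1-based position of the matching rule; the host name, its address and all function names are constructed.

```python
import ipaddress

# Constructed sample data: the host name and its address are placeholders.
DNS = {"ebsapp01.example.com": ["192.0.2.10"]}
BEFORE = ["ebsapp01.example.com * * allow", "0.0.0.0/0 * * deny"]
# Same rules with the NAT'd address from the Admin Server log allowed first.
AFTER = ["ebsapp01.example.com * * allow", "10.70.200.201 * * allow",
         "0.0.0.0/0 * * deny"]


def parse_rule(line):
    """Split 'target localAddress localPort action [protocols]' into fields.

    Only target and action are used; local address/port are '*' on this page.
    """
    target, _local_addr, _local_port, action, *_protocols = line.split()
    if action.lower() not in ("allow", "deny"):
        raise ValueError(f"bad action in rule: {line!r}")
    return target, action.lower()


def target_matches(target, client_ip, resolve):
    """True if client_ip falls under target (IP, CIDR, '*', or host name)."""
    if target == "*":
        return True
    try:
        network = ipaddress.ip_network(target, strict=False)
    except ValueError:
        # Not an IP/CIDR: treat as a host name and compare resolved addresses.
        return client_ip in resolve(target)
    return ipaddress.ip_address(client_ip) in network


def evaluate(rules, client_ip, resolve=lambda host: DNS.get(host, [])):
    """Return (action, 1-based number) of the first rule that matches."""
    for number, line in enumerate(rules, start=1):
        target, action = parse_rule(line)
        if target_matches(target, client_ip, resolve):
            return action, number
    return "allow", None  # assumption: no matching rule permits the connection


if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        print(label, evaluate(rules, "10.70.200.201"))
```

The address to test is the one the Admin Server log reports for the rejected connection, which behind NAT or a VPN is not the workstation's own address.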




Thanks.
Sreeharsha