Access the Administration Consoles for Oracle Java Cloud Service

You can use various consoles to administer the software that an Oracle Java Cloud Service Software instance is running, and to also administer related Oracle Cloud services.

About the Security Checkup Tool

Oracle WebLogic Server Administration console includes a security checkup tool that displays security check warnings. These security check warnings are displayed for Oracle Java Cloud Service instances that are created using WebLogic Server versions 12.2.1.3 and 12.2.1.4.

For Oracle Java Cloud Service instances created after July 20, 2021, or instances on which the July 2021 PSUs are applied, the message "Security warnings detected. Click here to view the report and recommended remedies" is displayed at the top of the Oracle WebLogic Server Administration console. When you click the message, a list of security warnings is displayed, as listed in the following table.

The warning messages listed in the table are examples.

Security Warnings

Warning message: Tunneling is enabled on server channel channel-dep. Allowing T3 or IIOP to be tunneled on a server channel may allow deserialization of specially crafted, malicious serialized objects that can potentially cause denial of service.
Note: This warning is displayed only for existing Oracle Java Cloud Service instances created before release 22.1.1 (January 31, 2022) on which the October 2021 PSUs are applied.
Resolution: Disable tunneling on channel-dep server channel. See Disable Tunneling on Server Channel.

Warning message: Remote Anonymous RMI T3 or IIOP requests are enabled. Set the RemoteAnonymousRMIT3Enabled and RemoteAnonymousRMIIIOPEnabled attributes to false.
Resolution: Disable the anonymous RMI T3 and IIOP requests in the WebLogic Server Administration Console as soon as possible unless your deployment requires anonymous T3 or IIOP (not typical). See Disable Remote Anonymous RMI T3 and IIOP Requests.
Note: These attribute settings are also applicable to Oracle Traffic Director, but only for service instances running Oracle Traffic Director 12.2.1.4.

Note:

For existing Oracle Java Cloud Service instances created before release 21.3.2 (August 26, 2021), you see the SSL host name verification and the umask warnings. See Security Checkup Tool Warnings.

After you address the warnings, you must click Refresh Warnings to see the warnings removed in the console.

For Oracle Java Cloud Service instances created after July 20, 2021, the warnings still appear even though the Java properties that disable anonymous requests (to prevent anonymous RMI access) are configured. This is a known issue in Oracle WebLogic Server.

If you want to perform anonymous RMI requests, you must set the Java properties for anonymous RMI T3 and IIOP requests. See Set the Java Properties.

Configure the Wildcard Host Name Verifier

To address the SSL hostname verification warnings, you must configure the wildcard host name verifier in the Administration console.

  1. Locate the Change Center and click Lock & Edit to lock the editable configuration hierarchy for the domain.
  2. Under Domain structure, select Environment and then select Servers.
  3. In the Servers table, select the server instance you want to configure.
  4. On the Configuration tab, select SSL and then expand Advanced.
  5. Set the Hostname Verification field to Custom Hostname Verifier and enter weblogic.security.SSL.HostnameVerifier in the Custom Hostname Verifier field.
    After saving the changes, return to Change Center and click Activate Changes.
  6. Repeat steps 3 to 5 for all instances of administration server and managed server.

Update Administration Server Startup Properties

To address the SSL hostname verification warnings, you must update the startup.properties file for the administration server.

  1. From your computer, run the ssh command to create an SSH tunnel to the node as the opc user.

    Command format is:

    ssh -i path_to_private_key opc@<node_IP_address>
  2. Change to the oracle user.
    sudo su - oracle
  3. Navigate to the nodemanager directory and list the files in the directory.
    cd /u01/data/domains/domain_name/servers/admin_server_name/data/nodemanager
    ls

    Replace domain_name and admin_server_name with your domain name and the administration server name.

  4. Open the startup.properties file in vi editor.
  5. For SSL Arguments, remove -Dweblogic.security.SSL.ignoreHostnameVerification=false and save the file.

    Example of startup.properties file:

    RotateFileCount=7
    FileTimeSpanFactor=3600000
    RestartMax=2
    FileSizeKB=500
    AutoRestart=true
    NumberOfFilesLimited=true
    RestartDelaySeconds=0
    SSLArguments=-Dweblogic.ReverseDNSAllowed\=false
    RotationType=bySize
    RestartInterval=3600
    RotationTimeStart=00\:00
    FileTimeSpan=24
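
Steps 4 and 5 can also be scripted. The following is an added example, not part of Oracle's documentation: it backs up startup.properties and removes only the ignoreHostnameVerification flag from the SSLArguments line, matching both the plain and the \= escaped spelling. The function names and the constructed sample file are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not Oracle's script). Removes the ignoreHostnameVerification
# flag from the SSLArguments line of a Node Manager startup.properties file.
# Values in this file escape '=' as '\=', so both spellings are matched.
FLAG_RE='-Dweblogic\.security\.SSL\.ignoreHostnameVerification\\?=false'

# Exit 0 if the SSLArguments line of file $1 still carries the flag.
has_ignore_flag() {
  grep -E '^SSLArguments=' "$1" | grep -Eq -e "$FLAG_RE"
}

# Rewrite file $1 without the flag; the original is kept as $1.bak.
strip_ignore_flag() {
  local file=$1
  has_ignore_flag "$file" || return 0   # already clean: no rewrite, no backup
  cp -p "$file" "$file.bak" || return 1
  # Touch only the SSLArguments line and keep every other argument on it.
  sed -E -e "/^SSLArguments=/s/[[:space:]]*${FLAG_RE}//" \
         -e 's/^(SSLArguments=)[[:space:]]+/\1/' "$file.bak" > "$file"
}

# Constructed sample (not taken from a real node) with the flag present.
demo() {
  local dir
  dir=$(mktemp -d) || return 1
  printf '%s\n' 'AutoRestart=true' \
    'SSLArguments=-Dweblogic.security.SSL.ignoreHostnameVerification\=false -Dweblogic.ReverseDNSAllowed\=false' \
    'RestartMax=2' > "$dir/startup.properties"
  strip_ignore_flag "$dir/startup.properties" &&
    grep '^SSLArguments=' "$dir/startup.properties"
  rm -rf "$dir"
}

# With a path argument, clean that file; with no argument, run the demo.
if [ -n "${1:-}" ]; then strip_ignore_flag "$1"; else demo; fi
```

Run it as the oracle user with the path to startup.properties as the only argument; the untouched original remains next to it as startup.properties.bak.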

Restart Managed Server Using Node Manager

To address the SSL hostname verification warnings, you must restart the managed server using Node Manager.

  1. Locate the Change Center and click Lock & Edit to lock the editable configuration hierarchy for the domain.
  2. Under Domain structure, select Environment and then select Servers.
  3. Click Control, and in the Servers table, select a managed server.
  4. In the Shutdown drop-down list, select Force shutdown now.
  5. Click Yes to confirm.

    The server may take a while to shut down. You can click the Refresh icon to manually refresh the console page.

  6. Select the managed server that you shut down and click Start.
  7. Click Yes to confirm.
  8. Repeat steps 3 to 7 for all instances of managed server.
After saving the changes, return to Change Center and click Activate Changes.

Set the Java Properties

You can perform anonymous RMI requests by setting the Java properties for anonymous RMI T3 and IIOP requests.

To remove the Java properties that disable remote anonymous RMI T3 and IIOP requests in the WebLogic Server Administration console:

  1. Locate the Change Center and click Lock & Edit to lock the editable configuration hierarchy for the domain.
  2. Under Domain structure, select Environment and then select Servers.
  3. In the Servers table, select the server instance you want to configure.
  4. On the Configuration tab, select Server Start.
  5. Remove the following properties from Arguments:
    • -Dweblogic.security.remoteAnonymousRMIT3Enabled=false
    • -Dweblogic.security.remoteAnonymousRMIIIOPEnabled=false
After saving the changes, return to Change Center and click Activate Changes.

Disable Remote Anonymous RMI T3 and IIOP Requests

You can disable the anonymous requests from clients.

To disable the remote anonymous RMI T3 and IIOP requests in the WebLogic Server Administration console:

  1. Locate the Change Center and click Lock & Edit to lock the editable configuration hierarchy for the domain.
  2. Under Domain structure, select the domain name, and then select the Security tab.
  3. Expand Advanced and deselect Remote anonymous RMI access via IIOP and Remote anonymous RMI access via T3.
After saving the changes, return to Change Center and click Activate Changes.

Disable Tunneling on Server Channel

To disable tunneling on server channel channel-dep:

  1. Locate the Change Center and click Lock & Edit to lock the editable configuration hierarchy for the domain.
  2. Under Domain structure, select Environment and then select Servers.
  3. In the Servers table, select the administration server instance you want to configure.
  4. On the Protocols tab, select Channels.
  5. Select the channel-dep network channel and then expand Advanced.
  6. Clear the Tunneling Enabled check box.
    After saving the changes, return to Change Center and click Activate Changes.

Access an Administration Console for a Service Instance

From an Oracle Java Cloud Service instance, you can access the administration consoles for the software that the service instance is running.

You can access these consoles:

  • WebLogic Server Administration Console

  • Fusion Middleware Control Console

  • Load Balancer Console (Oracle Traffic Director only)

Note:

By default, if you created your service instance in an Oracle Cloud Infrastructure Classic region, external access to these administration consoles is disabled for security purposes. If you did not enable console access while provisioning your service instance, see Enabling Console Access in an Oracle Java Cloud Service Instance. If you created your service instance in an Oracle Cloud Infrastructure region, this procedure is not necessary. Access to the administration consoles is enabled by default in these regions.

Note:

If you created your service instance and chose not to assign public IP addresses, then these administration consoles are not directly accessible from the Internet. They are accessible only from within your private IP network, or from your on-premises data center over a VPN network.

Note:

Prior to modifying the default configuration of these software components, see Administration Best Practices. For example, if you disable a console or modify the default port number used to access it, the shortcuts described here may not work.

To access a console:
  1. Access the Oracle Java Cloud Service console.
  2. Click the Manage this instance menu icon for the desired service instance, and then open the console that you want to access:
    • To access the WebLogic Server Administration Console, click Open WebLogic Server Administration Console.
    • To access the Fusion Middleware Control Console, click Open Fusion Middleware Control Console.
    • To access the Load Balancer Console, click Open Load Balancer Console.

    A new browser opens and you are redirected to the selected console’s login page.

    If the server is protected with a self-signed certificate, you will be warned that this certificate is not trusted.

  3. Accept the certificate if prompted. These steps are browser-dependent.
    • If you are using Firefox, click Advanced, click Add Exception, and then click Confirm Security Exception.

    • If you are using Chrome, click Advanced and then click Proceed.

  4. When the console login page appears, enter the Oracle WebLogic Server user name and password you provided when you created the service instance.
    If you created this service instance from a QuickStart template, these credentials were generated for you and placed in an archive file that you downloaded to your local machine.

Access the Console of a Related Oracle Cloud Service

You can access the consoles for related Oracle Cloud services, such as Oracle Database Cloud Service, from the Oracle Java Cloud Service console.

  1. Access the Oracle Java Cloud Service console.
  2. Click the Navigation menu icon at the top left of the page, expand Services, and then choose the service that you want to access.
    For example, choose Database Classic to access the Oracle Database Cloud Service console.

Access the Administration Console for a Service Instance Attached to a Private Subnet

You can access the administration compute instance of an Oracle Java Cloud Service instance through a bastion host attached to a public subnet.

Note:

For this procedure to work, you must have created a bastion host and configured security rules in Oracle Cloud Infrastructure to allow SSH connections from the public internet to the bastion host, and to allow TCP traffic from the bastion host to the other compute nodes in the VCN.

  1. Sign in to the web console of Oracle Java Cloud Service.
  2. Locate the instance for which you want to access the administration consoles.
  3. Click the Manage this instance menu icon for the required instance, hover over (but don’t click) each console option in the menu (Open Fusion Middleware Control Console and Open WebLogic Server Administration Console), and then copy the URL shown in the browser’s status bar at the bottom of the window.
  4. On your local computer, open an SSH tunnel to the bastion host as the opc user.

    ssh -D <Localport> -fCqN -i key opc@<bastionPublicIPaddress>

    where bastionPublicIPaddress is the public IP address of the bastion host.

  5. In your browser settings, set up the SOCKS (version 5) proxy configuration. Specify your local computer and the same port that you used in your SSH command.
  6. In the browser, enter the URL of the administration console that you noted earlier.
    Alternatively, sign in to the Oracle Java Cloud Service web console from within the bastion host, locate your service instance, and select the required console menu option from the Manage this instance menu.