About Creating a Domain
Learn about the options you have when creating a domain with Oracle WebLogic Server for OCI.
You have several options to choose from when you create a domain:
- Billing Type
With Universal Credits (also called UCM), you are billed for the cost of the Oracle WebLogic Server license (based on OCPUs per hour) in addition to the cost of the compute resources. This option is not available for Oracle WebLogic Server Standard Edition.
With Bring Your Own License (BYOL), you reuse your existing on-premises Oracle WebLogic Server licenses in Oracle Cloud. You are billed only for the cost of the compute resources.
- Domain Type and Database
A basic domain does not require an existing database. See Create a Basic Domain.
A JRF-enabled domain requires access to an existing Oracle Autonomous Database or Oracle Cloud Infrastructure Database (DB System). A JRF-enabled domain includes the Java Required Files (JRF) components, and the database is used to contain the JRF schema.
See Create a Domain and Create a Database.
- OS Management Hub
When you create a domain, Oracle WebLogic Server for OCI can create an OS Management Hub Profile and register that profile with the OCI Compute instances created for the domain. You can also select an existing OS Management Hub Profile and have that profile registered with the OCI Compute instances created for the domain. See Listing Profiles in the Oracle Cloud Infrastructure documentation to find an existing profile.
Note:
To prevent a proliferation of new profiles, Oracle strongly recommends that you use an existing profile. Once you have created one stack with a new profile, you can reuse that profile in other stacks. See Listing Profiles in the Oracle Cloud Infrastructure documentation to find the profile created by a stack and get its OCID.
- Secured Production Mode
When you create a domain, Oracle WebLogic Server for OCI can also set up that domain according to the lockdown guide by selecting Enable Secured Production Mode. Oracle WebLogic Server for OCI creates a WebLogic domain that differs from a domain created without this feature in the following ways:
- Secured Production Mode is enabled. In secured production mode, your production domain is highly secure because the security configuration defaults are more secure, insecure configuration items are logged as warnings, and default authorization and role mapping policies are more restrictive.
- An administrative port is set. An administration port limits all administrative traffic between server instances in a WebLogic Server domain to a single port.
- TLS (SSL) is configured end to end:
- All t3 and http access points are disabled.
- A custom identity keystore and a custom trust keystore are created on each node:
- A new wildcard certificate is generated using the OCI Certificate Service and added to the custom identity keystore on each node.
- A certificate chain is retrieved from the OCI Certificate Service for the wildcard certificate and populated in the custom trust keystore on each node.
- The WebLogic Administration Server and all WebLogic Managed Servers have TLS (SSL) configured with Custom Identity and Custom Trust referencing the contents in these keystores.
- Node Manager TLS (SSL) is configured to use the custom identity store with the wildcard certificate.
- The load balancer uses the certificate chain to access the TLS external channel.
- If Authentication Using Identity Domains (also known as Identity Cloud Service) is also enabled, it uses the same identity and trust keystore contents as the domain.
- Hostname verification is enabled for all TLS communication.
- TLS version is set to a minimum of version 1.2.
- Obvious names such as system, admin, administrator, or weblogic are disallowed for users with the Admin role.
- Two administrative users are created.
- Password requirements for new users are set as follows:
- Reject if Password Contains the User Name
- Reject if Password Contains the User Name Reversed
- Minimum Length: 8 characters
- Maximum Length: 30 characters
- Maximum Instances of any Character: 4
- Maximum Consecutive Characters: 3
- Minimum Number of Alphabetic Characters: 1
- Minimum Number of Numeric Characters: 1
- Minimum Number of Lower Case: 1
- Minimum Number of Upper Case: 1
- Minimum Number of Non-Alphabetic Characters: 1
- Minimum Number of Non-Alphanumeric Characters: 1
- An Auditing Provider is created for the Default Authentication Provider.
- The thread pool limit in the Overload configuration is set.
- By default, boot.properties with encrypted credentials is not created.
Note:
This is an optional setting due to the implications of removing these files. Without a boot.properties:
- Node manager will not be able to restart servers that shut down unexpectedly.
- Restarting a Compute instance will not automatically start the WebLogic servers, because node manager is what revives them. Servers should be restarted by executing the /opt/scripts/restart_domain.sh script and then entering the administration user password.
Note:
JRF domains are not supported in secured production mode on WebLogic Server release 12c (12.2.1.4).
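As an added illustration (not code from the Oracle documentation or from the product), the following Python functions apply the Admin-role user name restriction and the new-user password rules listed above to a candidate account. Two interpretations are assumed: the name checks are case-insensitive, and "Maximum Consecutive Characters" limits the same character repeated back to back.

```python
# Constructed example: checks a candidate Admin user name and password against the
# Secured Production Mode rules on this page (interpretations noted in the lead-in).
DISALLOWED_ADMIN_NAMES = {"system", "admin", "administrator", "weblogic"}


def check_admin_user_name(name):
    # Assumed case-insensitive match; returns [] when the name is acceptable.
    if name.strip().lower() in DISALLOWED_ADMIN_NAMES:
        return ["obvious administrative user name is disallowed"]
    return []


def _longest_run(s):
    """Length of the longest run of one character repeated consecutively."""
    best = run = 1 if s else 0
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def check_password(user_name, password):
    """Return the list of violated rules; an empty list means the password passes."""
    p, lp, lu = password, password.lower(), user_name.lower()
    problems = []
    if lu and lu in lp:
        problems.append("contains the user name")
    if lu and lu[::-1] in lp:
        problems.append("contains the user name reversed")
    if len(p) < 8:
        problems.append("shorter than 8 characters")
    if len(p) > 30:
        problems.append("longer than 30 characters")
    if p and max(p.count(c) for c in set(p)) > 4:
        problems.append("a character appears more than 4 times")
    if _longest_run(p) > 3:
        problems.append("more than 3 consecutive identical characters")
    minimums = {  # each character class must appear at least once
        "alphabetic": sum(c.isalpha() for c in p),
        "numeric": sum(c.isdigit() for c in p),
        "lower case": sum(c.islower() for c in p),
        "upper case": sum(c.isupper() for c in p),
        "non-alphabetic": sum(not c.isalpha() for c in p),
        "non-alphanumeric": sum(not c.isalnum() for c in p),
    }
    for kind, count in minimums.items():
        if count < 1:
            problems.append("needs at least 1 %s character" % kind)
    return problems
```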
- Virtual Cloud Network (VCN)
Oracle WebLogic Server for OCI can create a VCN for you when you create a domain, or you can create a VCN before you create the domain. If you create a new VCN, you must specify a contiguous CIDR block of your choice.
If you create a JRF-enabled domain and select an Oracle Cloud Infrastructure Database (DB System) in a different VCN, then Oracle WebLogic Server for OCI configures local peering between the two VCNs.
- Subnet
Oracle WebLogic Server for OCI can create a new subnet for the WebLogic Server compute instances, or you can specify a subnet that you have already created. You must specify a CIDR if you create a new subnet.
If you create a new VCN, you can only create a new regional subnet that spans the entire region.
- Network Access
The subnet for the WebLogic domain can be public or private. If the subnet is private, the nodes cannot be accessed directly from outside of Oracle Cloud. When you create a domain on a private subnet, you can specify a public subnet for the bastion host. Oracle WebLogic Server for OCI creates this compute instance to enable you to administer the WebLogic nodes.
If you already have an existing bastion to provide public access to the compute instances, or if you already have a VPN connection to your on-premises network, then you can delete the bastion created by Oracle WebLogic Server for OCI.
See Create a Basic Domain in a Private Subnet.
Note:
- Configuring a bastion is optional. If you do not configure a bastion, no status is returned for provisioning. See Configure a Bastion.
- It is recommended to not configure a bastion (that is, to deselect the Provision Bastion Node on Public Subnet option) only in a network with a FastConnect setup.
- Load Balancer
When you create a domain, Oracle WebLogic Server for OCI can also create a load balancer to distribute application traffic to the WebLogic cluster. A load balancer consists of primary and standby nodes but it is accessible from a single IP address. If the primary node fails, traffic is automatically routed to the standby node.
If you use a regional subnet for the WebLogic Server compute instances, use a regional subnet for the load balancer. The regional subnet is shared between both load balancer nodes.
By default, the load balancer is public. You can also provision a public load balancer with a reserved public IP. If you create a domain in a private subnet, then you can provision a public or private load balancer. A private load balancer does not have a public IP address and cannot be accessed from outside of Oracle Cloud.
Oracle WebLogic Server for OCI configures the load balancer to use Secure Sockets Layer (SSL). A demonstration self-signed certificate is attached to the HTTPS listener. Oracle recommends that you add your own SSL certificate to the load balancer after creating the domain. All traffic between the load balancer and the compute instances uses HTTP.
- Oracle Cloud Infrastructure Root Policies and Dynamic Group
When you create a domain, by default Oracle WebLogic Server for OCI creates a dynamic group and one or more root-level (tenancy) policies that allow the compute instances in the domain to access:
- Keys and secrets in Oracle Cloud Infrastructure Vault
- Load balancer resources
- The database wallet if you're using Oracle Autonomous Database to contain the required infrastructure schemas for a JRF-enabled domain
- The database network resources if you're using Oracle Cloud Infrastructure Database (DB System) to contain the required infrastructure schemas for a JRF-enabled domain
- Authentication
By default, the domain is configured to use the local WebLogic Server identity store to maintain users, groups, and roles. Alternatively, a domain running WebLogic Server can use Oracle Identity Cloud Service to authenticate users.
In order to use Oracle Identity Cloud Service, you must create a domain that includes a load balancer.
- Security List for DB System
When you create a JRF-enabled domain and use Oracle Cloud Infrastructure Database (DB System) to contain the JRF components, by default Oracle WebLogic Server for OCI creates a security list on the database's VCN that allows the WebLogic Server subnet to access the database.