Before You Begin with Oracle WebLogic Cloud

Before you create a domain with Oracle WebLogic Cloud, you must complete one or more prerequisite tasks.

Some tasks are required for any type of Oracle WebLogic Server domain that you create with Oracle WebLogic Cloud. Other tasks are optional or only applicable for specific domain configurations.

Understand Service Requirements

You require access to several Oracle Cloud Infrastructure components and services in order to use Oracle WebLogic Cloud.

  • Compute
  • Key Management
  • Resource Manager
  • Load Balancing (optional)
  • Database (optional)

Check the service limits for these components in your Oracle Cloud Infrastructure tenancy and, if necessary, request a service limit increase.

Key Management offers virtual vaults and virtual private vaults. A virtual private vault provides greater isolation and performance by allocating a dedicated partition on a hardware security module (HSM). A virtual vault is hosted on a partition with multiple tenants, and uses a more cost-efficient, key-based metric for billing purposes. Each type of vault has a separate service limit in your Oracle Cloud Infrastructure tenancy.

Oracle is offering customers the opportunity to try out virtual vaults in our limited availability release. When requesting a service limit increase, you can also indicate that you want to try virtual vaults.


Create a Compartment

Create compartments in Oracle Cloud Infrastructure for your Oracle WebLogic Cloud resources, or use existing compartments.

When you create a domain with Oracle WebLogic Cloud, by default the compute instances, networks, and load balancer are all created within a single compartment. You can, however, choose to use two compartments: one compartment just for the compute instances (WebLogic Server and bastion nodes), and another compartment for all the network resources that are created for the domain (including load balancer, virtual cloud network, subnets, security lists, route tables and gateways).

Access to Oracle Cloud Infrastructure resources in a compartment is controlled through policies. Your Oracle Cloud Infrastructure user must have management access for Marketplace applications, Resource Manager stacks and jobs, compute instances, and block storage volumes. If you want to use Oracle WebLogic Cloud to create resources for a domain like networks and load balancers, you must also have management access for these resources.

A sample policy is shown below:

Allow group MyGroup to manage instance-family in compartment MyCompartment
Allow group MyGroup to manage virtual-network-family in compartment MyCompartment
Allow group MyGroup to manage volume-family in compartment MyCompartment
Allow group MyGroup to manage load-balancers in compartment MyCompartment
Allow group MyGroup to manage orm-stacks in compartment MyCompartment
Allow group MyGroup to manage orm-jobs in compartment MyCompartment
Allow group MyGroup to manage app-catalog-listing in compartment MyCompartment
Allow group MyGroup to manage vaults in compartment MyCompartment
Allow group MyGroup to manage keys in compartment MyCompartment
Allow group MyGroup to read metrics in compartment MyCompartment

In addition, you must have database listing access if you intend to create a domain that includes the Java Required Files (JRF) components:

Allow group MyGroup to inspect autonomous-transaction-processing-family in compartment MyATPCompartment
Allow group MyGroup to inspect database-family in compartment MyCompartment

If you plan to create a JRF-enabled domain using an Oracle Cloud Infrastructure Database, then the database and the virtual cloud network (VCN) on which it's created must be in the same compartment as your Oracle WebLogic Server compute instances. If you plan to use an Oracle Autonomous Transaction Processing database, then the database can be in a different compartment than your compute instances.

See Managing Compartments and Common Policies in the Oracle Cloud Infrastructure documentation.

See also Create Policies for the Dynamic Group.

Create an Encryption Key

Create an encryption key in Oracle Cloud Infrastructure Key Management. This will allow you to encrypt the passwords required for Oracle WebLogic Cloud.

Oracle WebLogic Cloud uses a single key to decrypt all passwords for a single domain.

Create a vault and encryption key in Key Management, or use an existing vault and key. Oracle WebLogic Cloud supports keys in both virtual vaults and virtual private vaults. See Managing Keys in the Oracle Cloud Infrastructure documentation.

Encrypt Passwords

Use Oracle Cloud Infrastructure Key Management to encrypt the passwords that you need to create a domain with Oracle WebLogic Cloud.

You must provide these passwords in the encrypted format and not as plain text:

  • Administrator password for the new domain
  • Administrator password for an existing database, if you are creating a domain that includes the Java Required Files (JRF) components

You cannot use the console to encrypt or decrypt sensitive data in Key Management. You must use the Oracle Cloud Infrastructure command line interface (CLI) or API. See CLI Quickstart in the Oracle Cloud Infrastructure documentation.

Before encrypting passwords, you must do the following:

  • Identify the Cryptographic Endpoint of your vault in Key Management
  • Identify the OCID of your encryption key in Key Management
  • Encode the passwords in base64 format. For example, on Linux:

    echo -n 'Your_Password' | base64

Use the CLI or API to encrypt your passwords:

oci kms crypto encrypt --key-id Key_OCID --endpoint Crypto_Endpoint --plaintext Base64_Password

See Using Keys in the Oracle Cloud Infrastructure documentation.
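
The steps above combined into one script, added here as an example and not part of the Oracle documentation; the function names are hypothetical, and the key OCID and cryptographic endpoint are passed in as arguments. It reads the password without echoing it, so the plain text never enters shell history, and it removes the line wrapping that GNU base64 applies to long input.

```shell
#!/bin/sh
# Added example (not Oracle's code). Function names are hypothetical.
# KEY_OCID and CRYPTO_ENDPOINT stand for the values identified above.

# Base64-encode stdin exactly as given. GNU base64 wraps its output at
# 76 columns, so newlines are stripped to keep the value on one line.
encode_password() {
    base64 | tr -d '\n'
}

# Prompt on the terminal with echo disabled. Runs in a subshell so the
# trap restores echo even if the prompt is interrupted.
read_password() (
    trap 'stty echo' EXIT
    printf 'Password: ' >&2
    stty -echo
    IFS= read -r pw
    printf '\n' >&2
    printf '%s' "$pw"   # no trailing newline, same effect as echo -n
)

# Encrypt one password and print only the ciphertext.
# The CLI returns JSON; --query selects the data.ciphertext field.
# --plaintext is a command-line argument, so the base64 value is visible
# in the local process list while the command runs.
encrypt_password() {
    key_ocid=$1
    endpoint=$2
    b64=$(read_password | encode_password)
    oci kms crypto encrypt \
        --key-id "$key_ocid" \
        --endpoint "$endpoint" \
        --plaintext "$b64" \
        --query 'data.ciphertext' --raw-output
}

# Usage: encrypt_password "$KEY_OCID" "$CRYPTO_ENDPOINT"
```

Run it once for each password (domain administrator, and database administrator for a JRF-enabled domain), using the same key for both.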

Create a Dynamic Group

Create a group in Oracle Cloud Infrastructure whose members are the compute instances that you will create with Oracle WebLogic Cloud.

  1. Access the Oracle Cloud Infrastructure console.
  2. From the navigation menu, select Identity, and then click Compartments.
  3. Copy the OCID for the compartment that you plan to use for the Oracle WebLogic Server compute instances.
  4. Click Dynamic Groups.
  5. Click Create Dynamic Group.
  6. Enter a Name and Description.
  7. For Rule 1, create a rule that includes all instances in the selected compartment in this group.

    ALL {instance.compartment.id = 'WLS_Compartment_OCID'}

    Provide the OCID for the compartment.

  8. Click Create Dynamic Group.

Create Policies for the Dynamic Group

Create policies in Oracle Cloud Infrastructure so that the compute instances in Oracle WebLogic Cloud can access your encryption key.

Oracle WebLogic Server domains that use databases in Oracle Autonomous Transaction Processing require an additional policy so that the compute instances can access the database's wallet.

  1. Access the Oracle Cloud Infrastructure console.
  2. From the navigation menu, select Identity, and then click Policies.
  3. Select the Compartment in which you want to create the policies.
  4. Click Create Policy.
  5. Enter a Name and Description.
  6. For Statement, enter the following statement.

    Format:

    Allow dynamic-group Group_Name to use keys in compartment Vault_Compartment_Name

    Provide the name of the dynamic group and the name of the compartment where your encryption key is located. For example:

    Allow dynamic-group MyInstancesGroup to use keys in compartment MyCompartment
  7. If you plan to create domains that include the Java Required Files (JRF) components, and plan to associate the domains with a database in Oracle Autonomous Transaction Processing, then create an additional statement in this policy.
    1. Click the Add button.
    2. For Statement 2, enter the following statement.

      Format:

      Allow dynamic-group Group_Name to manage autonomous-transaction-processing-family in compartment DB_Compartment_Name

      Provide the name of the dynamic group, and the name of the compartment where your database is located. For example:

      Allow dynamic-group MyInstancesGroup to manage autonomous-transaction-processing-family in compartment MyCompartment
  8. Click Create.

Create an SSH Key

Create a secure shell (SSH) key pair so that you can access the compute instances in your Oracle WebLogic Server domains.

A key pair consists of a public key and a corresponding private key. When you create a domain using Oracle WebLogic Cloud, you specify the public key. You then access the compute instances from an SSH client using the private key.

On a UNIX or UNIX-like platform, use the ssh-keygen utility. For example:

ssh-keygen -b 2048 -t rsa -f mykey
cat mykey.pub

On a Windows platform, you can use the PuTTY Key Generator utility. See Creating a Key Pair in the Oracle Cloud Infrastructure documentation.

Create a Virtual Cloud Network

Oracle WebLogic Cloud can create a Virtual Cloud Network (VCN) in Oracle Cloud Infrastructure for a new Oracle WebLogic Server domain, or you can create your own VCN before creating a domain.

A VCN includes one or more subnets, route tables, security lists, gateways, and DHCP options.

By default subnets are public. Any compute instances assigned to a private subnet cannot be directly accessed from outside of Oracle Cloud.

If you create a VCN before creating a domain, then the VCN must meet the following requirements:

  • The VCN must use DNS for hostnames.
  • The VCN must include an Internet gateway.
  • If you plan to create a public subnet in this VCN before creating a domain, then the VCN must include a route table that directs traffic to the Internet gateway.
  • If you plan to use a private subnet for the Oracle WebLogic Server compute instances, then the VCN must include a Network Address Translation (NAT) gateway. If you want to create the private subnet before creating a domain, then the VCN must also include a route table that directs traffic to the NAT gateway.

If you use an existing VCN for a domain, and also choose for Oracle WebLogic Cloud to create new subnets for the domain, then Oracle WebLogic Cloud will also create the required route tables in the VCN.

See VCNs and Subnets in the Oracle Cloud Infrastructure documentation.

Create a Subnet for the Oracle WebLogic Server Nodes

Oracle WebLogic Cloud can create a subnet in Oracle Cloud Infrastructure for a new Oracle WebLogic Server domain, or you can create your own subnet before creating a domain.

A subnet is a component of a Virtual Cloud Network (VCN). When you create a domain with Oracle WebLogic Cloud, the Oracle WebLogic Server compute instances are assigned to a subnet.

By default subnets span an entire region in Oracle Cloud Infrastructure. Alternatively, you can create subnets that are specific to one availability domain (AD) in a region. Oracle WebLogic Cloud supports both regional and AD-scoped subnets.

If you assign a private subnet to the domain, the nodes cannot be directly accessed from outside of Oracle Cloud. Oracle WebLogic Cloud can create a bastion node on a public subnet, which you can use to administer the nodes that comprise your domain.

If you want to use an existing subnet for the Oracle WebLogic Server nodes when creating a domain, the subnet must meet the following requirements:

  • The subnet must use DNS for hostnames.
  • The subnet must have a security list that enables inbound access to the SSH port (22) and to the administration server ports (by default, 7001 and 7002).
  • The subnet must have a security list that enables inbound access to the managed server ports (by default, 7003 and 7004). If you are using a load balancer, the security list's source should be restricted to the subnets that you plan to use for the load balancer.
  • If you are creating a domain with the Java Required Files (JRF) components, the subnet must have a security list that enables outbound access to the database port (1521) on the database subnet.

Network security groups are an alternative to security lists. After creating a domain with an existing subnet, you can update the compute instances and assign them to a security group that has the required rules (inbound access to port 22, and so on).

See VCNs and Subnets in the Oracle Cloud Infrastructure documentation.

Create a Subnet for the Load Balancer

Oracle WebLogic Cloud can create subnets in Oracle Cloud Infrastructure for the load balancer that is used to access an Oracle WebLogic Server domain, or you can create your own subnets before creating a domain.

A subnet is a component of a Virtual Cloud Network (VCN). When you create a domain with a load balancer using Oracle WebLogic Cloud, the load balancer is assigned a subnet.

By default subnets span an entire region in Oracle Cloud Infrastructure. Alternatively, you can create subnets that are specific to one availability domain (AD) in a region. To ensure high availability for a load balancer, you must assign it either one regional subnet, or two AD-scoped subnets.

If you want to use an existing subnet for the load balancer, the subnet must meet the following requirements:

  • The subnet must use DNS for hostnames.
  • The subnet must be public.
  • The subnet must have a security list that enables inbound access to ports 80 and 443.
  • The subnet must have a security list that enables outbound access to the managed server ports (by default, 7001 and 7002) on the subnet that you plan to use for Oracle WebLogic Server.

Network security groups are an alternative to security lists. After creating a domain with an existing subnet, you can update the load balancer and assign it to a security group that has the required rules (inbound access to port 80, and so on).

See VCNs and Subnets in the Oracle Cloud Infrastructure documentation.

Create a Subnet for the Bastion Node

Oracle WebLogic Cloud can create a public subnet in Oracle Cloud Infrastructure for the bastion node that is used to access a private Oracle WebLogic Server domain, or you can create your own subnet before creating a domain.

A subnet is a component of a Virtual Cloud Network (VCN). When you create a domain in Oracle WebLogic Cloud, you can assign the Oracle WebLogic Server compute instances to a public subnet or a private subnet. If you assign a private subnet, then the compute instances cannot be directly accessed from outside of Oracle Cloud. Oracle WebLogic Cloud can create a bastion compute instance on a public subnet, and from this bastion you can administer the Oracle WebLogic Server compute instances.

By default subnets span an entire region in Oracle Cloud Infrastructure. Alternatively, you can create subnets that are specific to one availability domain (AD) in a region. Oracle WebLogic Cloud supports both regional and AD-scoped subnets.

If you want to use an existing subnet for the bastion node when creating a domain, then the subnet must meet the following requirements:

  • The subnet must use DNS for hostnames.
  • The subnet must be public.
  • The subnet must have a security list that enables inbound access to the SSH port (22).
  • The subnet must have a security list that enables outbound access to the SSH port (22) on the subnet that you plan to use for Oracle WebLogic Server.

Network security groups are an alternative to security lists. After creating a domain with an existing subnet, you can update the bastion compute instance and assign it to a security group that has the required rules (inbound access to port 22, and so on).

See VCNs and Subnets in the Oracle Cloud Infrastructure documentation.

Create a Database

Before creating an Oracle WebLogic Server domain that includes the Java Required Files (JRF) components, you must create a database in Oracle Cloud Infrastructure.

A JRF-enabled domain supports the Oracle Application Development Framework (ADF). When you create a domain with Oracle WebLogic Cloud and associate it with an existing database, Oracle WebLogic Cloud does the following:

  • Provisions the schemas to support the JRF components in the selected database
  • Provisions data sources in the domain that provide connectivity to the selected database
  • Deploys the JRF components and libraries to the domain

Oracle WebLogic Cloud also provides a tool to delete the JRF schemas for a specific domain from the database.

Choose one of these database options:

The Oracle Cloud Infrastructure Database and the virtual cloud network (VCN) on which it's created must be in the same compartment as your Oracle WebLogic Server domain. The Oracle Autonomous Transaction Processing database can be in a different compartment.

The database must allow your domain to access port 1521:

  • Oracle Autonomous Transaction Processing - Update your access control list (ACL), if necessary.
  • Oracle Cloud Infrastructure Database - Update the network security group that is assigned to the database, or update the security lists for the subnet on which the database was created, if necessary.

To create a JRF-enabled domain with Oracle WebLogic Cloud, you need the following information about the database:

  • Administrator credentials
  • Pluggable database (PDB) name (only for Oracle Cloud Infrastructure Database running Oracle Database 12c or later)