Before You Begin with Oracle WebLogic Server for Oracle Cloud Infrastructure

Before you create a domain with Oracle WebLogic Server for Oracle Cloud Infrastructure, you must complete one or more prerequisite tasks.

Some tasks are required for any type of Oracle WebLogic Server domain that you create with Oracle WebLogic Server for Oracle Cloud Infrastructure. Other tasks are optional or only applicable for specific domain configurations.

Understand Service Requirements

You require access to several services in order to use Oracle WebLogic Server for Oracle Cloud Infrastructure.

  • Identity and Access Management (IAM)
  • Compute, Network, Block Storage
  • Vault, Key, Secret
  • Resource Manager
  • Load Balancing (optional)
  • Database (optional)
  • Tagging (optional)

Check the service limits for these components in your Oracle Cloud Infrastructure tenancy and, if necessary, request a service limit increase.

In Oracle Cloud Infrastructure Vault (formerly known as Key Management), a standard vault is hosted on a hardware security module (HSM) partition with multiple tenants, and uses a more cost-efficient, key-based metric for billing purposes. A virtual private vault provides greater isolation and performance by allocating a dedicated partition on an HSM. Each type of vault has a separate service limit in your Oracle Cloud Infrastructure tenancy. The limit for secrets spans all vaults.

Create Root Policies

You must be an Oracle Cloud Infrastructure administrator, or be granted the following root-level permissions, in order to create domains with Oracle WebLogic Server for Oracle Cloud Infrastructure.

When you create a domain, Oracle WebLogic Server for Oracle Cloud Infrastructure creates a dynamic group and root-level policies that allow the compute instances in the domain to:

  • Access keys and secrets in Oracle Cloud Infrastructure Vault
  • Access the database wallet if you're using Oracle Autonomous Transaction Processing

Identity and Access Management (IAM) policies let you control what type of access a group of users has and to which specific resources. Most IAM policies are set at the compartment level, while some are at the tenancy (root) level:

  • Create dynamic groups
  • Create root level policies
  • Inspect tag namespaces and apply defined tags from those namespaces to cloud resources

The following sample root policy grants these permissions to a group of users who are not administrators:

Allow group MyGroup to manage dynamic-groups in tenancy
Allow group MyGroup to manage policies in tenancy
Allow group MyGroup to use tag-namespaces in tenancy

Create a Compartment

Create compartments for your Oracle WebLogic Server for Oracle Cloud Infrastructure resources, or use existing compartments.

This task is typically performed by an administrator.

When you create a domain with Oracle WebLogic Server for Oracle Cloud Infrastructure, by default the compute instances, networks, and load balancer are all created within a single compartment. You can, however, choose to use two compartments, one compartment just for the compute instances (WebLogic Server and bastion nodes), and another compartment for all the network resources that are created for the domain (including load balancer, virtual cloud network, subnets, security lists, route tables and gateways).

See Managing Compartments in the Oracle Cloud Infrastructure documentation.

Create Compartment Policies

If you are not an Oracle Cloud Infrastructure administrator, you must be given management access to resources in the compartment in which you want to create a domain.

Access to Oracle Cloud Infrastructure resources in a compartment is controlled through policies. Your Oracle Cloud Infrastructure user must have management access for Marketplace applications, Resource Manager stacks and jobs, compute instances, and block storage volumes. If you want Oracle WebLogic Server for Oracle Cloud Infrastructure to create resources for a domain like networks and load balancers, you must also have management access for these resources.

A sample policy is shown below:

Allow group MyGroup to manage instance-family in compartment MyCompartment
Allow group MyGroup to manage virtual-network-family in compartment MyCompartment
Allow group MyGroup to manage volume-family in compartment MyCompartment
Allow group MyGroup to manage load-balancers in compartment MyCompartment
Allow group MyGroup to manage orm-family in compartment MyCompartment
Allow group MyGroup to manage app-catalog-listing in compartment MyCompartment
Allow group MyGroup to manage vaults in compartment MyCompartment
Allow group MyGroup to manage keys in compartment MyCompartment
Allow group MyGroup to manage secret-family in compartment MyCompartment
Allow group MyGroup to read metrics in compartment MyCompartment

If you use a separate compartment for network resources, make sure you set up the appropriate policy for the network compartment. For example:

Allow group MyGroup to manage virtual-network-family in compartment MyNetworkCompartment
Allow group MyGroup to manage load-balancers in compartment MyNetworkCompartment

In addition, you must have database listing access in the compartment that contains your database, if you intend to create a domain that includes the Java Required Files (JRF) components. For example:

Allow group MyGroup to inspect autonomous-transaction-processing-family in compartment MyDBCompartment
Allow group MyGroup to inspect database-family in compartment MyDBCompartment

See Common Policies in the Oracle Cloud Infrastructure documentation.
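
The sample root and compartment policies above can be turned into a preflight check. The following Python is an added example, not part of the Oracle documentation: it parses statements of the form shown on this page and lists which of the page's grants a group still lacks. The function names, the sample policy and the compartment name `OtherCompartment` are constructed for illustration, and nested compartments are not modeled.

```python
import re

VERBS = ["inspect", "read", "use", "manage"]  # OCI verbs, weakest to strongest

# Grants this page lists, as (verb, resource-type).
ROOT_REQUIRED = [("manage", "dynamic-groups"), ("manage", "policies"),
                 ("use", "tag-namespaces")]
COMPARTMENT_REQUIRED = [
    ("manage", "instance-family"), ("manage", "virtual-network-family"),
    ("manage", "volume-family"), ("manage", "load-balancers"),
    ("manage", "orm-family"), ("manage", "app-catalog-listing"),
    ("manage", "vaults"), ("manage", "keys"),
    ("manage", "secret-family"), ("read", "metrics"),
]

# Only the statement form used on this page; no "where" clauses or dynamic groups.
STATEMENT = re.compile(
    r"allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>\w+)\s+(?P<rtype>[\w-]+)"
    r"\s+in\s+(?:(?P<tenancy>tenancy)|compartment\s+(?P<comp>\S+))", re.IGNORECASE)

def parse(statement):
    """Split one policy statement into (group, verb, resource_type, scope)."""
    m = STATEMENT.fullmatch(statement.strip())
    if not m or m["verb"].lower() not in VERBS:
        raise ValueError(f"unsupported policy statement: {statement!r}")
    scope = "tenancy" if m["tenancy"] else m["comp"]
    return m["group"], m["verb"].lower(), m["rtype"].lower(), scope

def missing_grants(statements, group, compartment):
    """List the (verb, resource_type, scope) grants from this page that are not covered."""
    granted = [p for p in map(parse, statements) if p[0] == group]
    required = ([(v, r, "tenancy") for v, r in ROOT_REQUIRED]
                + [(v, r, compartment) for v, r in COMPARTMENT_REQUIRED])

    def covered(verb, rtype, scope):
        # A stronger verb includes the weaker ones, and a tenancy-level
        # statement also applies to every compartment in the tenancy.
        return any(rt == rtype and VERBS.index(v) >= VERBS.index(verb)
                   and sc in ("tenancy", scope)
                   for _, v, rt, sc in granted)

    return [req for req in required if not covered(*req)]

# Constructed sample policy with three gaps (marked).
SAMPLE_POLICY = [
    "Allow group MyGroup to manage dynamic-groups in tenancy",
    "Allow group MyGroup to read policies in tenancy",              # verb too weak
    "Allow group MyGroup to manage tag-namespaces in tenancy",
    "Allow group MyGroup to manage instance-family in compartment MyCompartment",
    "Allow group MyGroup to manage virtual-network-family in tenancy",
    "Allow group MyGroup to manage volume-family in compartment MyCompartment",
    "Allow group MyGroup to manage load-balancers in compartment MyCompartment",
    "Allow group MyGroup to manage orm-family in compartment MyCompartment",
    "Allow group MyGroup to manage app-catalog-listing in compartment MyCompartment",
    "Allow group MyGroup to manage vaults in compartment MyCompartment",
    "Allow group MyGroup to manage keys in compartment OtherCompartment",  # wrong compartment
    "Allow group MyGroup to read metrics in compartment MyCompartment",
]                                                                   # secret-family absent

if __name__ == "__main__":
    for verb, rtype, scope in missing_grants(SAMPLE_POLICY, "MyGroup", "MyCompartment"):
        print(f"missing: {verb} {rtype} in {scope}")
```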

Create an Encryption Key

An encryption key allows you to encrypt the contents of secrets required for Oracle WebLogic Server for Oracle Cloud Infrastructure.

Oracle WebLogic Server for Oracle Cloud Infrastructure can use one or more keys in Oracle Cloud Infrastructure Vault to decrypt the secrets for a single domain.

Use Oracle Cloud Infrastructure Vault to create a vault and encryption key, or use an existing vault and key. Oracle WebLogic Server for Oracle Cloud Infrastructure supports keys in standard vaults and virtual private vaults. See Managing Keys in the Oracle Cloud Infrastructure documentation.

Create Secrets for Passwords

Use secrets in Oracle Cloud Infrastructure Vault to store the passwords that you need to create a domain with Oracle WebLogic Server for Oracle Cloud Infrastructure.

You must provide secrets for these passwords:

  • Administrator password for the new domain
  • Administrator password for an existing database, if you are creating a domain that includes the Java Required Files (JRF) components
  • Client secret for an existing confidential application, if you are creating a domain that uses Oracle Identity Cloud Service for authentication

You must use Oracle Cloud Infrastructure Vault to create your secrets. When you create a domain using Oracle WebLogic Server for Oracle Cloud Infrastructure, you'll be asked to provide the OCID values of the secrets.

To create a secret and copy the OCID:

  1. Access the Oracle Cloud Infrastructure console.
  2. Navigate to the vault that contains your encryption key.
  3. Click Secrets, and then click Create Secret.
  4. Enter a name to identify the secret.
  5. Select your encryption key.
    The key is used to encrypt the secret contents while they're imported to the vault.
  6. In Secret Contents, enter the password you want to store in this secret.
    Ensure the password meets the criteria for which it will be used (for example, WebLogic Server administrator password).

    Passwords entered in plain-text are base64-encoded before they are sent to Oracle WebLogic Server for Oracle Cloud Infrastructure.

  7. Click Create Secret.
  8. When the secret is created, click the name.
  9. Copy the OCID for the secret.
  10. Repeat steps 2 through 9 to create the remaining secrets you need.

See Managing Secrets in the Oracle Cloud Infrastructure documentation.

Create an SSH Key

Create a secure shell (SSH) key pair so that you can access the compute instances in your Oracle WebLogic Server domains.

A key pair consists of a public key and a corresponding private key. When you create a domain using Oracle WebLogic Server for Oracle Cloud Infrastructure, you specify the public key. You then access the compute instances from an SSH client using the private key.

On a UNIX or UNIX-like platform, use the ssh-keygen utility. For example:

ssh-keygen -b 2048 -t rsa -f mykey
cat mykey.pub

On a Windows platform, you can use the PuTTY Key Generator utility. See Creating a Key Pair in the Oracle Cloud Infrastructure documentation.

Create a Virtual Cloud Network

Oracle WebLogic Server for Oracle Cloud Infrastructure can create a Virtual Cloud Network (VCN) in Oracle Cloud Infrastructure for a new Oracle WebLogic Server domain, or you can create your own VCN before creating a domain.

A VCN includes one or more subnets, route tables, security lists, gateways, and DHCP options.

By default subnets are public. Any compute instances assigned to a private subnet cannot be directly accessed from outside of Oracle Cloud.

If you create a VCN before creating a domain, then the VCN must meet the following requirements:

  • The VCN must use DNS for hostnames.
  • The VCN must include an Internet gateway.
  • If you plan to create a public subnet in this VCN before creating a domain, then the VCN must include a route table that directs traffic to the Internet gateway.

If you plan to use a private subnet for the Oracle WebLogic Server compute instances, then the VCN must meet these additional requirements:

  • The VCN must include a service gateway or a Network Address Translation (NAT) gateway, to provide access to other cloud services. For a service gateway, select the option All <Region> Services In Oracle Services Network.
  • If you want to create the private subnet before creating a domain, then the VCN must also include a route table that directs traffic to the service gateway or the NAT gateway. For a service gateway route rule, select the option All <Region> Services In Oracle Services Network.

If you use an existing VCN for a domain, and also choose for Oracle WebLogic Server for Oracle Cloud Infrastructure to create new subnets for the domain, then Oracle WebLogic Server for Oracle Cloud Infrastructure will also create the required route tables in the VCN.

Create a Subnet for the Oracle WebLogic Server Nodes

Oracle WebLogic Server for Oracle Cloud Infrastructure can create a subnet in Oracle Cloud Infrastructure for a new Oracle WebLogic Server domain, or you can create your own subnet before creating a domain.

A subnet is a component of a Virtual Cloud Network (VCN). When you create a domain with Oracle WebLogic Server for Oracle Cloud Infrastructure, the Oracle WebLogic Server compute instances are assigned to a subnet.

By default subnets span an entire region in Oracle Cloud Infrastructure. Alternatively, you can create subnets that are specific to one availability domain (AD) in a region. Oracle WebLogic Server for Oracle Cloud Infrastructure supports both regional and AD-scoped subnets.

If you assign a private subnet to the domain, the nodes cannot be directly accessed from outside of Oracle Cloud. Oracle WebLogic Server for Oracle Cloud Infrastructure can create a bastion node on a public subnet, which you can use to administer the nodes that comprise your domain.

If you want to use an existing subnet for the Oracle WebLogic Server nodes when creating a domain, the subnet must meet the following requirements:

  • The subnet must use DNS for hostnames.
  • The subnet must have a security list that enables inbound access to the SSH port (22) and to the administration server ports (by default, 7001 and 7002).
  • The subnet must have a security list that enables inbound access to the managed server ports (by default, 7003 and 7004). If you are using a load balancer, the security list's source should be restricted to the subnets that you plan to use for the load balancer.
  • If you are creating a domain with the Java Required Files (JRF) components, the subnet must have a security list that enables outbound access to the database port (1521 by default) on the database subnet.
  • If you are creating a domain with the JRF components, and the database is on a different VCN, then the subnet must have a security list that enables outbound access to port 53 (both TCP and UDP) on the subnet that you plan to create for DNS. The subnet must also be associated with the default DHCP option for the VCN (Default DHCP Options for <vcn_name>). The subnet cannot use a custom DNS resolver.

The following table summarizes the security list requirements for an existing subnet.

| Rule Type | CIDR and Protocol | Destination Ports | Description |
|---|---|---|---|
| Stateful Ingress | Your admin network, TCP | 22 | SSH access |
| Stateful Ingress | Your admin network, TCP | 7001, 7002 | Admin server ports |
| Stateful Ingress | Your admin network, or your load balancer subnet, TCP | 7003, 7004 | Managed server ports |
| Stateful Ingress | Your database network, TCP | 1521 or custom database port | Database for JRF-enabled domain |
| Stateful Ingress | DNS subnet, TCP | 53 | JRF-enabled domain and database is on a different VCN |
| Stateful Ingress | DNS subnet, UDP | 53 | JRF-enabled domain and database is on a different VCN |

Network security groups are an alternative to security lists. After creating a domain with an existing subnet, you can update the compute instances and assign them to a security group that has the required rules (inbound access to port 22, and so on).
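
The ingress requirements above for the SSH, administration server and managed server ports can be checked before you hand an existing subnet to the stack. The following Python is an added example, not part of the Oracle documentation: it reports required ports that no rule opens, and ports opened to sources outside your admin network or load balancer subnet. The rule field names assume the kebab-case JSON printed by the OCI CLI for a security list and should be verified against your own output; the network labels `admin` and `lb` and all CIDRs are constructed.

```python
import ipaddress

TCP = "6"  # IANA protocol number, which OCI security rules use for TCP

# Default ports from the table above, with the networks allowed to reach them.
REQUIRED = {
    22: ("admin",),          # SSH access
    7001: ("admin",),        # admin server ports
    7002: ("admin",),
    7003: ("admin", "lb"),   # managed server ports
    7004: ("admin", "lb"),
}

def rule_covers(rule, port):
    """True if a stateful TCP ingress rule admits the destination port."""
    if rule.get("is-stateless") or rule["protocol"] not in (TCP, "all"):
        return False
    port_range = (rule.get("tcp-options") or {}).get("destination-port-range")
    if not port_range:  # no range given: the rule admits every port
        return True
    return port_range["min"] <= port <= port_range["max"]

def within(source, networks):
    """True if the source CIDR sits inside one of the expected networks."""
    return any(source.version == n.version and source.subnet_of(n) for n in networks)

def audit(rules, networks):
    """Return (missing_ports, exposed) for a WebLogic Server node subnet.

    missing_ports: required ports that no expected network can reach.
    exposed: (port, source) pairs admitted from outside the expected networks.
    """
    parsed = {k: [ipaddress.ip_network(c) for c in v] for k, v in networks.items()}
    missing, exposed = [], []
    for port, allowed in REQUIRED.items():
        expected = [n for name in allowed for n in parsed[name]]
        sources = [ipaddress.ip_network(r["source"]) for r in rules if rule_covers(r, port)]
        if not any(s.overlaps(n) for s in sources for n in expected):
            missing.append(port)
        exposed += [(port, str(s)) for s in sources if not within(s, expected)]
    return missing, exposed

def tcp_rule(source, low, high):
    """Build one stateful TCP ingress rule (helper for the constructed sample)."""
    return {"source": source, "protocol": TCP, "is-stateless": False,
            "tcp-options": {"destination-port-range": {"min": low, "max": high}}}

# Constructed sample, not taken from a real tenancy.
SAMPLE_RULES = [
    tcp_rule("192.0.2.0/24", 22, 22),
    tcp_rule("192.0.2.0/24", 7001, 7001),     # 7002 is not opened
    tcp_rule("0.0.0.0/0", 7003, 7004),        # any source, not just admin or LB
    {"source": "10.0.2.0/24", "protocol": "17", "is-stateless": False},  # UDP, ignored
]
NETWORKS = {"admin": ["192.0.2.0/24"], "lb": ["10.0.2.0/24"]}

if __name__ == "__main__":
    missing, exposed = audit(SAMPLE_RULES, NETWORKS)
    print("missing ports:", missing)
    print("sources broader than expected:", exposed)
```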

See VCNs and Subnets in the Oracle Cloud Infrastructure documentation.

Create a Subnet for the Load Balancer

Oracle WebLogic Server for Oracle Cloud Infrastructure can create subnets in Oracle Cloud Infrastructure for the load balancer that is used to access an Oracle WebLogic Server domain, or you can create your own subnets before creating a domain.

A subnet is a component of a Virtual Cloud Network (VCN). When you create a domain with a load balancer using Oracle WebLogic Server for Oracle Cloud Infrastructure, the load balancer is assigned a subnet.

By default subnets span an entire region in Oracle Cloud Infrastructure. Alternatively, you can create subnets that are specific to one availability domain (AD) in a region. To ensure high availability for a load balancer, you must assign it either one regional subnet, or two AD-scoped subnets.

If you want to use an existing subnet for the load balancer, the subnet must meet the following requirements:

  • The subnet must use DNS for hostnames.
  • The subnet must be public.
  • The subnet must have a security list that enables inbound access to ports 80 and 443.
  • The subnet must have a security list that enables outbound access to the managed server ports (by default, 7003 and 7004) on the subnet that you plan to use for Oracle WebLogic Server.

Network security groups are an alternative to security lists. After creating a domain with an existing subnet, you can update the load balancer and assign it to a security group that has the required rules (inbound access to port 80, and so on).

See VCNs and Subnets in the Oracle Cloud Infrastructure documentation.

Create a Subnet for the Bastion Node

Oracle WebLogic Server for Oracle Cloud Infrastructure can create a public subnet in Oracle Cloud Infrastructure for the bastion node that is used to access a private Oracle WebLogic Server domain, or you can create your own subnet before creating a domain.

A subnet is a component of a Virtual Cloud Network (VCN). When you create a domain in Oracle WebLogic Server for Oracle Cloud Infrastructure, you can assign the Oracle WebLogic Server compute instances to a public subnet or a private subnet. If you assign a private subnet, then the compute instances cannot be directly accessed from outside of Oracle Cloud. Oracle WebLogic Server for Oracle Cloud Infrastructure can create a bastion compute instance on a public subnet, and from this bastion you can administer the Oracle WebLogic Server compute instances.

By default subnets span an entire region in Oracle Cloud Infrastructure. Alternatively, you can create subnets that are specific to one availability domain (AD) in a region. Oracle WebLogic Server for Oracle Cloud Infrastructure supports both regional and AD-scoped subnets.

If you want to use an existing subnet for the bastion node when creating a domain, then the subnet must meet the following requirements:

  • The subnet must use DNS for hostnames.
  • The subnet must be public.
  • The subnet must have a security list that enables inbound access to the SSH port (22).
  • The subnet must have a security list that enables outbound access to the SSH port (22) on the subnet that you plan to use for Oracle WebLogic Server.

Network security groups are an alternative to security lists. After creating a domain with an existing subnet, you can update the bastion compute instance and assign it to a security group that has the required rules (inbound access to port 22, and so on).

See VCNs and Subnets in the Oracle Cloud Infrastructure documentation.

Create a Database

Before creating an Oracle WebLogic Server domain that includes the Java Required Files (JRF) components, you must create a database in Oracle Cloud Infrastructure.

A JRF-enabled domain supports the Oracle Application Development Framework (ADF). When you create a domain with Oracle WebLogic Server for Oracle Cloud Infrastructure and associate it with an existing database, Oracle WebLogic Server for Oracle Cloud Infrastructure does the following:

  • Provisions the schemas to support the JRF components in the selected database
  • Provisions data sources in the domain that provide connectivity to the selected database
  • Deploys the JRF components and libraries to the domain

Oracle WebLogic Server for Oracle Cloud Infrastructure also provides a tool to delete the JRF schemas for a specific domain from the database.

Choose one of these database options:

  • Oracle Autonomous Transaction Processing
    • Not supported with Oracle WebLogic Server 11g
    • Create an autonomous database using either the dedicated or shared infrastructure option.
    • See Creating an Autonomous Database in the Oracle Cloud Infrastructure documentation.
  • Oracle Cloud Infrastructure Database
    • Create bare metal, virtual machine (VM), and Exadata DB systems. For a 1-node VM DB system, note that you can use the fast provisioning option to create the database. Oracle WebLogic Server for Oracle Cloud Infrastructure supports using Logical Volume Manager as the storage management software for a 1-node VM DB system.
    • Oracle WebLogic Server 11g supports Oracle Database 11g and 12.1 only.
    • See Creating Bare Metal and Virtual Machine DB Systems or Managing Exadata DB Systems in the Oracle Cloud Infrastructure documentation.

The database must allow your domain to access its listen port (1521 by default):

  • Oracle Autonomous Transaction Processing - Update your access control list (ACL), if necessary.
  • Oracle Cloud Infrastructure Database - Update the network security group that is assigned to the database, or update the security lists for the subnet on which the database was created, if necessary.

To create a JRF-enabled domain with Oracle WebLogic Server for Oracle Cloud Infrastructure, you need the following information about the database:

  • Administrator credentials
  • Pluggable database (PDB) name (only for Oracle Cloud Infrastructure Database running Oracle Database 12c or later)

If your Oracle Cloud Infrastructure Database and domain are in different VCNs, then Oracle WebLogic Server for Oracle Cloud Infrastructure configures local peering between the two VCNs. To support VCN peering, you must meet the following additional requirements:

  • Multiple domains cannot use the same database.
  • The CIDRs for the VCNs must not overlap. For example, you cannot create a domain in VCN 10.0.0.0/16 that uses a database in VCN 10.0.0.1/24.
  • The database subnet must have a security list that enables outbound access to port 53 (both TCP and UDP) on the subnet that you plan to create for DNS.
  • The database subnet must be associated with the default DHCP option for the VCN (Default DHCP Options for <vcn_name>). The subnet cannot use a custom DNS resolver.
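
The CIDR requirement above can be checked before provisioning. The following Python is an added example, not part of the Oracle documentation: it compares every pair of VCNs and reports overlapping blocks, and it accepts CIDRs written with host bits set, such as the 10.0.0.1/24 in the example above, which Python's default strict parsing would reject. The VCN names are constructed, and the input shape (several CIDR blocks per VCN) is an assumption.

```python
import ipaddress
from itertools import combinations

def normalize(cidr):
    """Parse a CIDR, tolerating host bits (10.0.0.1/24 becomes 10.0.0.0/24)."""
    return ipaddress.ip_network(cidr, strict=False)

def peering_conflicts(vcns):
    """Return (vcn_a, cidr_a, vcn_b, cidr_b) for every overlapping pair of blocks.

    vcns maps a VCN name to the list of CIDR blocks assigned to it.
    Invalid CIDR strings raise ValueError.
    """
    conflicts = []
    for (name_a, cidrs_a), (name_b, cidrs_b) in combinations(vcns.items(), 2):
        for block_a in map(normalize, cidrs_a):
            for block_b in map(normalize, cidrs_b):
                # IPv4 and IPv6 blocks never overlap each other.
                if block_a.version == block_b.version and block_a.overlaps(block_b):
                    conflicts.append((name_a, str(block_a), name_b, str(block_b)))
    return conflicts

# The page's own example: a /24 that lies inside the domain VCN's /16.
PAGE_EXAMPLE = {"domain-vcn": ["10.0.0.0/16"], "db-vcn": ["10.0.0.1/24"]}
# Constructed layout that can be peered.
PEERABLE = {"domain-vcn": ["10.0.0.0/16"], "db-vcn": ["10.1.0.0/16", "172.16.0.0/24"]}

if __name__ == "__main__":
    for layout in (PAGE_EXAMPLE, PEERABLE):
        found = peering_conflicts(layout)
        print(layout, "->", found or "no overlap")
```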

The following table summarizes the security list requirements for an existing subnet that will use local VCN peering to communicate with the domain.

| Rule Type | CIDR and Protocol | Destination Ports | Description |
|---|---|---|---|
| Stateful Ingress | WebLogic Server subnet, TCP | 1521 or custom database port | Database access |
| Stateful Ingress | DNS subnet, TCP | 53 | Access to custom DNS resolver |
| Stateful Ingress | DNS subnet, UDP | 53 | Access to custom DNS resolver |

Oracle WebLogic Server for Oracle Cloud Infrastructure supports the same database versions and drivers as those for on-premise WebLogic Server installations. Refer to the following documents at Oracle Fusion Middleware Supported System Configurations:

  • System Requirements and Supported Platforms for Oracle Fusion Middleware 12c (12.2.1.4.0)
  • System Requirements and Supported Platforms for Oracle Fusion Middleware 12c (12.2.1.3.0)
  • System Requirements and Supported Platforms for Oracle WebLogic Server 10.3

Create a Confidential Application

Before creating an Oracle WebLogic Server domain that integrates with Oracle Identity Cloud Service, you must create a confidential application, and then identify its client ID and client secret.

This configuration is supported only for Oracle Cloud accounts that include Oracle Identity Cloud Service 19.2.1 or later.

When creating a new domain, Oracle WebLogic Server for Oracle Cloud Infrastructure provisions an App Gateway and other security components in Oracle Identity Cloud Service. In order for Oracle WebLogic Server for Oracle Cloud Infrastructure to perform these tasks, you must provide the following information:

  • Your Oracle Identity Cloud Service instance ID, which is also referred to as your tenant name. This ID is typically found in the URL you use to access the Oracle Identity Cloud Service console, and has the format idcs-<GUID>.
  • The client ID of a confidential application in Oracle Identity Cloud Service
  • The client secret of the confidential application. You must use Oracle Cloud Infrastructure Vault to create a secret to store the client secret. You will be asked to provide the OCID of the secret in the vault. See Create Secrets for Passwords.

Create a confidential application for Oracle WebLogic Server for Oracle Cloud Infrastructure, or use an existing one. You can use a single confidential application in Oracle Identity Cloud Service to create multiple domains.

  1. From the Oracle Identity Cloud Service Console, click the navigation menu, and then select Applications.
  2. Click Add.
  3. Select Confidential Application.
  4. Enter a Name, and then click Next.
  5. Click Configure this application as a client now.
  6. For Allowed Grant Types, select Client Credentials.
  7. Below Grant the client access to Identity Cloud Service Admin APIs, click Add.
  8. Select Identity Domain Administrator, and then click Add.
  9. Complete the Add Confidential Application wizard. Record the values of Client ID and Client Secret.
  10. Select the check box for your application, click Activate, and then click OK.
  11. In the Oracle Cloud Infrastructure console, create a secret in a vault to store the client secret of your confidential application.

See Add a Confidential Application in Administering Oracle Identity Cloud Service.