Oracle by Example branding Create a Non-JRF Instance Using Oracle WebLogic Server for OCI with an Existing VCN

section 0Before You Begin

This 45-minute tutorial shows you how to create a non-Java Required Files (JRF) instance for Oracle WebLogic Server using the Marketplace in the Oracle Cloud Infrastructure.


Oracle WebLogic Server for Oracle Cloud Infrastructure (Oracle WebLogic Server for OCI) can create a domain without JRF components. Oracle WebLogic Server for OCI is accessed as a collection of applications in the Oracle Cloud Infrastructure Marketplace.

Oracle Cloud Infrastructure Marketplace is an online store that's available in the Oracle Cloud Infrastructure Console. When you launch an Oracle WebLogic Server for OCI application from Marketplace, it prompts you for some basic information, and then directs you to Resource Manager to complete the configuration of your Oracle WebLogic Server domain and supporting cloud resources.

Oracle Cloud Infrastructure Vault (formerly known as Key Management) enables you to manage sensitive information using vaults, keys, and secrets when creating an Oracle WebLogic Server domain. A vault is a container for encryption keys and secrets. A standard vault is hosted on a hardware security module (HSM) partition with multiple tenants, and uses a more cost-efficient, key-based metric for billing purposes.

A virtual private vault provides greater isolation and performance by allocating a dedicated partition on an HSM. Secrets store credentials such as required passwords for a new domain. You use an encryption key in a vault to encrypt and import secret contents to the vault. Secret contents are based64-encoded. Oracle WebLogic Server for OCI uses the same key to retrieve and decrypt secrets when creating the domain.

This tutorial uses the Oracle WebLogic Suite BYOL application along with an existing VCN and an existing subnet, and an existing load balancer to provision a non-JRF domain in WLSDRCompartment. The compute instances, networks, and the other resources that are provisioned by Oracle WebLogic Server for OCI for your Oracle WebLogic Server domain are created in the WLSDRCompartment.

This tutorial creates a compartment-level Oracle Cloud Infrastructure policy that enables you to work with resources and create resources in WLSDRcompartment.

What Do You Need?

  • An Oracle Cloud Infrastructure cloud tenant.
  • An Oracle Cloud Infrastructure user name and password. You must belong to at least one group.

    You must be an Oracle Cloud Infrastructure administrator. If you are not an administrator, you must be able to create dynamic groups and policies, use secrets, and view tenancies in your tenancy.

  • A dynamic group that lists the OCID of the compartment in which users who are not administrators can create domains. The Oracle Cloud Infrastructure administrator creates this dynamic group.

    See Create Root Policies and Create Dynamic Groups and Policies.

section 1Create a Compartment

  1. Sign in to the Oracle Cloud Infrastructure Console.
  2. At the top of the Console, to switch the region, select a different region from the Region menu. The instance is created in the selected region.
  3. Click the navigation menu Menu icon, select Identity & Security. Under Identity, click Compartments.
  4. On the Compartments page, click Create Compartment.
  5. For Name, enter WLSDRCompartment.
  6. Enter the Description for the compartment.
  7. Select a compartment from the Parent Compartment drop-down list.

    You may also select the default root compartment of the tenancy as the Parent Compartment.

  8. Click Create Compartment.

section 2Create an Oracle Cloud Infrastructure Policy

If you do not have Administrator privileges, do the following to create an Oracle Cloud Infrastructure policy that enables you to work with or create resources in the WLSDRCompartment compartment:

  1. Sign in to the Oracle Cloud Infrastructure Console.
  2. Click the navigation menu Menu icon, select Identity & Security. Under Identity, click Policies.

    Note: Ensure that you create the policy within WLSDRCompartment compartment that you have created earlier for the non-JRF instance.

  3. Click Create Policy.
  4. Enter the policy Name and Description.
  5. From Policy Options, select the Policy Use Cases and Common Policy Templates.

    The policy builder displays the policy statements for the selected use case and policy template.

  6. Select the Groups and Location.

    Now, the policy statement is displayed for the selected groups and location. For example, if the groups is Adminstrators and the location is WLSDRCompartment, the policy statement is Allow Administrators to manage users in WLSDRCompartment.

    You can modify the policy statements using the Customize (Advanced) option. For a sample compartment policy, download the text file.

  7. Click Create.

section 3Create an SSH Key Pair

On a UNIX or UNIX-like platform, do the following:

  1. Run the following ssh-keygen command:

    ssh-keygen -b 2048 -t rsa

  2. In the prompt, enter the path to the file in which you want to save the key. If you wish to accept the default path and file name, press Enter.
  3. In the prompt, enter a passphrase.

    The passphrase is not mandatory. However, it is recommended that you specify a passphrase to protect your private key against unauthorized use.

  4. When prompted, enter the passphrase again to confirm it.

    The command generates an SSH key pair consisting of a public key and a private key. When you create a domain using Oracle WebLogic Server for OCI, you specify the public key. You then access the compute instances from an SSH client using the private key.

On a Windows platform, you can use the PuTTY Key Generator utility. See Creating a Key Pair in the Oracle Cloud Infrastructure documentation.

section 4Create a Vault and Key

  1. Sign in to the Oracle Cloud Infrastructure Console.
  2. Click the navigation menu Menu icon. select Identity & Security, and then click Vault.
  3. Click Create Vault.

    Note: Ensure that you create the vault in the WLSDRCompartment compartment.

  4. For Name, enter WebLogicOCIVault.
  5. Select the Make it a virtual private vault check box if you want to create the vault as a dedicated partition on the HSM, sets pricing based on the maximum usage against key limits, and accommodates greater performance needs.
  6. Click Create Vault.

    Wait for the vault to be created.

  7. Click the new vault.
  8. Click Master Encryption Keys, and then click Create Key.
  9. For Name, enter WebLogicOCIKey.
  10. Click Create Key.

    Wait for the key to be created and enabled before you create a secret.

section 5Create a Secret for Your WebLogic Password

  1. In the vault, click Secrets, and then click Create Secret.
  2. For Name, enter WebLogicAdminSecret.
  3. Select the key WebLogicOCIKey that you created.
  4. For Secret Contents, enter the password you want to use for the WebLogic Server administrator.

    The password must start with a letter, is between 8 and 30 characters long, contain at least one number, and, optionally, any number of the special characters ($ # _).

  5. Click Create Secret.

    Wait for the secret to be created.

  6. Click the secret name.
  7. Copy the OCID for the secret.

section 6Validate the Existing Network Setup

  1. In Cloud Shell, create a validation script named See Script File To Validate Network Setup.
  2. Set execute permission to the file.

    chmod +x

  3. Run the following command:

    ./ -w <WLS Subnet OCID>

  4. If you configure a load balancer, run the following command for the load balancer subnet to access port 443 and load balancer CIDR in WebLogic Server subnet to access port 7003.
    ./ -w <WLS_Subnet_OCID> -l <LB_Subnet_OCID>

    If you configure file system storage, run the following command for the file system storage subnet to access the ports 111 (both TCP and UDP), 2048-2050 (TCP), and 2048 (UDP).
    ./ -w <WLS_Subnet_OCID> -l <FSS_Subnet_OCID>

    An example message if the existing network setup does not comply with the requirements should look similar to:

    ERROR: Port 22 is not open for access by WLS Subnet CIDR [] in WLS Subnet [<WLS Subnet OCID>]
    ERROR: Port 9071 is not open for access by WLS Subnet CIDR [] in WLS Subnet [<WLS Subnet OCID>]

section 7Launch a Stack

  1. Sign in to the Oracle Cloud Infrastructure Console.
  2. Click the navigation menu Menu icon, select Marketplace, and then select All Applications.
  3. Locate and select the Oracle WebLogic Suite BYOL application.

    The following details of Oracle WebLogic Suite BYOL are displayed:

    • Application Type - Stack.
    • The latest 12c version of the application.
    • The type of billing it uses - BYOL (Bring Your Own License).
  4. Select the WLSDRCompartment compartment.
  5. Select the Oracle Standard Terms and Restrictions check box, and then click Launch Stack.

    The Create Stack page opens.

section 8Create the Stack

  1. On the Stack Information page of the Create Stack wizard, the name of the stack is displayed (application name appended with the time stamp).
  2. Enter a description for the stack. However, this information is optional.

    The following additional details are also displayed:

    • Create in Compartment - The name of the (WLSDRCompartment)compartment you selected earlier, upon launching the stack.
    • Terraform Version - 0.12x
  3. Click Next.

    The Configure Variables page opens.

  4. For Resource Name Prefix, type MyWLS.

    You can use a maximum of 16 characters to define the prefix. This prefix will be used by all the resources that are created when you create the stack.

  5. For WebLogic Server Shape, select VM.Standard2.1. This shape will be used by all compute instances.
  6. For SSH Public Key, upload the SSH public key file or paste the contents of the file.

    After creating the stack, you can connect to the WebLogic Server compute instances by using an SSH client and the corresponding private key.

  7. For WebLogic Server Node Count, select 2.

    This value indicates the number of Managed servers you want to create.

  8. For WebLogic Server Admin User Name, weblogic is the default name.

    Use the default name.

  9. For Validated Secrets OCID for WebLogic Server Admin Password, enter the Oracle Cloud Infrastructure Domain (OCID) of the secret. This secret stores the password for the WebLogic Server administrator.

    Note: Creating the secrets for passwords is one of the prerequisite tasks you should complete before starting this tutorial.

  10. For Network Compartment, select WLSDRCompartment.

    All the network resources and the domain compute instances will be created in this stack compartment.

  11. For Virtual Cloud Network Strategy, retain the default value of Use Existing VCN.
  12. For Existing Network, select the name of an existing VCN.
  13. For Subnet Strategy, retain the default value of Use Existing Subnet.
  14. For Validated Existing Network, enter YES.
  15. For Subnet Compartment, select the compartment to use for this existing subnet.
  16. For Subnet Type, select Use Private Subnet and Regional Subnet for the subnet span.
  17. For Existing Subnet for WebLogic Server, select the name of an existing regional subnet from the list of regional and availability domain-specific subnets. See Create a Virtual Cloud Network.
  18. By default, Provision Bastion node on Public Subnet is checked when you select Use Private Subnet as the Subnet Type. Keep the default value.

    Provision a bastion compute instance on a public subnet to provide access to the WebLogic Server compute instances that you create on a private subnet.

  19. For the Existing Subnet for Bastion Host, select the name of an existing regional subnet from the list of regional and availability domain-specific subnets.
  20. For Bastion Host Shape, select VM.Standard2.1.
  21. Click Add Load Balancer.
  22. For Create or Use Existing Load Balancer, select Use Existing Load Balancer to distribute application traffic to the WebLogic Managed servers.
  23. For Existing Load Balancer, enter the OCID for the existing load balancer.
  24. For Existing Load Balancer Backend Set Name, enter the name of the backend set for the existing load balancer that has a routing policy associated with the backend set.

    The backend set should not have any have any backends. See Configure a Load Balancer.

  25. Select Add File System Storage.
  26. For File Storage Availability Domain, select the availability domain in which you want to create the file system and mount target.
  27. For Existing Mount Target Compartment, select the compartment where you have subnet for existing mount target.
  28. For Existing Subnet for mount Target, select the existing subnet to use for mount target.

    Note: This subnet must be available in the selected VCN.

  29. Ensure that the OCI Policies check box is selected.
  30. Click Next to verify the details you've entered.
  31. On the Review page of the wizard, review the information you've provided, and then click Create.

    The Job Details page of the stack in Resource Manager opens. The job name has the ormjobyyyymmddnnnnnn format.

  32. Monitor the progress of the job periodically until it is finished.

    If an email address is associated with your user profile, you will receive an email notification.

You can now access and manage your new domain.

section 9Test Weblogic Server

  1. From the Job Details page, click Application Information.
  2. For Web Logic Instances, click Show, and note the Private IP Address for the compute instance, MyWLS-wls-0.
  3. For Bastion Instance, click Show, and note the Public IP Address for the compute instance, MyWLS-bastion-instance.
  4. From your computer, open an SSH tunnel to use dynamic port forwarding to an unused port on the bastion compute instance. Connect as the opc user and provide the path to the private key that corresponds to the public key that you specified when you created the stack.

    The SSH command format is:

    ssh -C -D port_for_socks_proxy -i path_to_private_key opc@bastion_public_ip

    The following example uses port 1088 for SOCKS proxy:

    ssh -C -D 1088 -i ~/.ssh/mykey.openssh opc@

  5. In your browser settings, set up the SOCKS (version 5) proxy configuration. Specify your local computer and the same SOCKS port that you used in your SSH command.
  6. Under Application Information, click the Web Logic Server Administration Console URL.


    The WebLogic Server Administration Console is displayed.

  7. Enter the administrator credentials for the domain.
  8. From the Domain Structure panel on the left, click Deployments.
  9. Locate the sample-app application.
  10. Return to the Oracle Cloud Infrastructure Console.
  11. Click the navigation menu Menu icon, select Networking, and then click Load Balancers.
  12. Click MyWLS-lb.
  13. Identify the IP Address for this load balancer.
  14. Browse to the following URL:


    The sample application is displayed.

  15. Return to the load balancer in the Oracle Cloud Infrastructure Console.
  16. Click the Virtual Cloud Network link, MyWLS-MyWLStackNetwork.
  17. Identify the subnets that were created for your stack.

more informationWant to Learn More?