Importance of Administration Port on WebLogic
This feature is very important for WebLogic domain management, but WebLogic admins usually don’t take advantage of the “WebLogic Administration Port” property.
I highly recommend enabling “Administration Port” for WebLogic domains which have high transaction traffic.
Why WebLogic Administration Port?
By enabling the Administration Port, you can separate administration traffic from application traffic in your domain. That alone is reason enough to switch your WebLogic management to the administration port.
Oracle Documentation: In production environments, separating the two forms of traffic ensures that critical administration operations (starting and stopping servers, changing a server’s configuration, and deploying applications) do not compete with high-volume application traffic on the same network connection.
How to do it?
- First, shut down all managed servers. On production systems this means you have to schedule planned maintenance work. If you don’t want any downtime, do the restart job one by one.
- Click the domain name in the Domain Structure menu. On the “$Domain_Name > Configuration > General” tab, check “Enabled Administration Port” as shown below (No: 1). Change the default port value to another one; I’ve set it to 9902 (No: 2).
Click the SAVE button.
- Click the “Activate Changes” button. If the WebLogic managed servers are in the RUNNING state, you’ll get the warning below. Just shut down ALL managed servers and try to activate again.
An error occurred during activation of changes, please see the log for details.[Management:141191]The prepare phase of the configuration update failed with an exception:Cannot dynamically enable adminstration port on Managed servers when they are running
After the activation, the Administration Port feature is active and you CANNOT use the old port to access the WebLogic console. You’ll see the screen below after the activation.
WARNING on previous WebLogic console PORT: Console/Management requests or requests with <require-admin-traffic> specified to ‘true’ can only be made through an administration channel
WebLogic: Previous Admin Console Port / URL
WebLogic Administration Port Log:
####<Aug 13, 2015 6:50:08 PM EEST> <Notice> <Server> <maya01> <AdminServer> <[ACTIVE] ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’> <weblogic> <> <> <1439481008557> <BEA-002613> <Channel “DefaultAdministration” is now listening on 172.17.42.1:9902 for protocols admin, ldaps, https.>
From now on you must USE the new administration port to access the WebLogic console. My new address is https://localhost:9902/console.
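One way to confirm from the server log which address and port the administration channel actually bound, as an added example that is not part of the original post. The second log record, the expected address and port passed in, and the function names are assumptions.

```python
import re

# Sample records: the first is the post's log line (typographic quotes made
# straight); the second is constructed for contrast.
SAMPLE_LOG = '''\
####<Aug 13, 2015 6:50:08 PM EEST> <Notice> <Server> <maya01> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <> <1439481008557> <BEA-002613> <Channel "DefaultAdministration" is now listening on 172.17.42.1:9902 for protocols admin, ldaps, https.>
####<Aug 13, 2015 6:50:08 PM EEST> <Notice> <Server> <maya01> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <> <1439481008561> <BEA-002613> <Channel "Default" is now listening on 172.17.42.1:7001 for protocols iiop, t3, ldap, snmp, http.>
'''

# "####" followed by eleven <field> headers, then the <message text>.
RECORD = re.compile(r"^####" + r"<([^<>]*)> " * 11 + r"<(.*)>\s*$")
CHANNEL = re.compile(
    r'Channel "([^"]+)" is now listening on (.+):(\d+) for protocols (.+)\.$')

def listening_channels(log_text):
    """Parse BEA-002613 records into one dict per listening channel."""
    channels = []
    for line in log_text.splitlines():
        rec = RECORD.match(line)
        if rec is None or rec.group(11) != "BEA-002613":
            continue
        hit = CHANNEL.match(rec.group(12))
        if hit:
            channels.append({"server": rec.group(5), "channel": hit.group(1),
                             "address": hit.group(2), "port": int(hit.group(3)),
                             "protocols": hit.group(4).split(", ")})
    return channels

def admin_channel_problems(channels, expected_addr, expected_port):
    """Compare the channel carrying the admin protocol with what was planned."""
    admin = [c for c in channels if "admin" in c["protocols"]]
    if not admin:
        return ["no channel carries the admin protocol; the port is not active"]
    return ["%(server)s: %(channel)s bound to %(address)s:%(port)d" % c
            for c in admin
            if (c["address"], c["port"]) != (expected_addr, expected_port)]

if __name__ == "__main__":
    found = listening_channels(SAMPLE_LOG)
    print(admin_channel_problems(found, "172.17.42.1", 9902)
          or "administration channel bound as planned")
```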
The administration port accepts only secure, SSL traffic, and all connections via the port require authentication by a server administrator. Because of these features, enabling the administration port imposes the following restrictions on your domain:
- The Administration Server and all Managed Servers in your domain must be configured with support for the SSL protocol.
- All servers in the domain, including the Administration Server, enable or disable the administration port at the same time.
Errors: When you try to reach the domain via the new https address, you may see the warnings below in your browser.
SSL server probably obsolete.
Server has a weak ephemeral Diffie-Hellman public key
Secure Connection Failed
An error occurred during a connection to 10.100.3.227:7002. The server certificate included a public key that was too weak. (Error code: ssl_error_weak_server_cert_key)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
There is a problem with this website’s security certificate.
The security certificate presented by this website is not secure.
Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
We recommend that you close this webpage and do not continue to this website.
* If you get the above errors while accessing the WebLogic https console, you must regenerate your default keystore and trust store with a 2048-bit key size.
* If you still cannot access the WebLogic administration port SSL console, make sure that your WebLogic Admin Server’s ListenAddress is set properly. Otherwise, kill the AdminServer process, then set your ListenAddress manually by editing config.xml.
If you still cannot log in to the Admin console, just roll back the Administration Port feature by editing config.xml as below. I am listing some administration port errors below for people who are facing these problems.
The following failures occurred: — [Security:090896] The SSL ListenPort attribute 9902 cannot be the same as the Administration Port for the server. Errors must be corrected before proceeding.
* If you want to access the WebLogic 11g (10.3.6) SSL console with the default JKS and trust, you can use the Opera browser. Opera still accepts the default WebLogic JKS certificate configuration when you accept the untrusted option.
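The SSL requirement for every server and the [Security:090896] port clash can both be checked against config.xml before activating the change. The following is an added example, not part of the original post: the sample config.xml, its names and ports, and the function names are constructed, and absent elements fall back to the WebLogic defaults (administration port 9002, listen port 7001, SSL listen port 7002, SSL disabled).

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed domain config.xml (names and ports are made up).
SAMPLE_CONFIG = """\
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>demo_domain</name>
  <server>
    <name>AdminServer</name>
    <ssl><enabled>true</enabled><listen-port>9902</listen-port></ssl>
    <listen-port>7001</listen-port>
  </server>
  <server>
    <name>ms1</name>
    <listen-port>8001</listen-port>
  </server>
  <administration-port>9902</administration-port>
</domain>"""

def _child(elem, name):
    """First child with this local name, ignoring the XML namespace."""
    if elem is None:
        return None
    return next((c for c in elem if c.tag.rsplit("}", 1)[-1] == name), None)

def _text(elem, name, default):
    """Text of the named child, or the default when the element is absent."""
    child = _child(elem, name)
    return child.text.strip() if child is not None and child.text else default

def preflight(config_xml, planned_port=None):
    """Return (server, code, detail) findings that would block the admin port."""
    root = ET.fromstring(config_xml)
    # 9002 / 7001 / 7002 are the WebLogic defaults used when an element is absent.
    admin_port = int(planned_port or _text(root, "administration-port", "9002"))
    findings = []
    for srv in root:
        if srv.tag.rsplit("}", 1)[-1] != "server":
            continue
        name, ssl = _text(srv, "name", "?"), _child(srv, "ssl")
        if _text(ssl, "enabled", "false") != "true":
            findings.append((name, "NO_SSL", "SSL must be enabled on every server"))
        for code, port in (("SSL_PORT_CLASH", _text(ssl, "listen-port", "7002")),
                           ("PORT_CLASH", _text(srv, "listen-port", "7001"))):
            if int(port) == admin_port:
                findings.append((name, code, "port %s equals the administration port" % port))
    return findings

if __name__ == "__main__":
    for finding in preflight(SAMPLE_CONFIG):
        print("%-12s %-15s %s" % finding)
```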
WebLogic Administration Port WLST Connection:
You cannot connect to the WLST console with the previous connection address; you must use the new administration port address. Otherwise, you’ll get the error below:
WLSTException: Error occured while performing connect : User ‘principals=[weblogic, Administrators]’ has administration role. All tasks by adminstrators must go through an Administration Port.
This Exception occurred at Wed Sep 11 10:08:37 VET 2015. javax.naming.CommunicationException [Root exception is java.net.ConnectException: t3s://localhost:7701: Destination unreachable; nested exception is: javax.net.ssl.SSLKeyException: [Security:090542]Certificate chain received from localhost – 0:0:0:0:0:0:0:1 was not trusted causing SSL handshake failure. Check the certificate chain to determine if it should be trusted or not. If it should be trusted, then update the client trusted CA configuration to trust the CA certificate that signed the peer certificate chain. If you are connecting to a WLS server that is using demo certificates (the default WLS server behavior), and you want this client to trust demo certificates, then specify -Dweblogic.security.TrustKeyStore=DemoTrust on the command line for this client.; No available router to destination] javax.naming.CommunicationException [Root exception is java.net.ConnectException: t3s://localhost:7701: Destination unreachable; nested exception is: javax.net.ssl.SSLKeyException: [Security:090542]Certificate chain received from localhost – 0:0:0:0:0:0:0:1 was not trusted causing SSL handshake failure. Check the certificate chain to determine if it should be trusted or not. If it should be trusted, then update the client trusted CA configuration to trust the CA certificate that signed the peer certificate chain. If you are connecting to a WLS server that is using demo certificates (the default WLS server behavior), and you want this client to trust demo certificates, then specify -Dweblogic.security.TrustKeyStore=DemoTrust on the command line for this client.; No available router to destination]
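As the exception message suggests, a client that should trust the demo certificates can be started with -Dweblogic.security.TrustKeyStore=DemoTrust. The command below does that for a domain still running on the demo certificates; note that it also disables hostname verification:
C:\Middleware1036\wlserver_10.3\common\bin>C:\Java\jrockit-jdk1.6.0_45-R28.2.7-4.1.0\bin\java -cp c:\Middleware1036\wlserver_10.3\server\lib\weblogic.jar -Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.TrustKeyStore=DemoTrust -DskipWLSModuleScanning weblogic.WLST connect_and_list.py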
Please comment and follow for new posts and problem solutions.
Have a good administration day 🙂