Best Practices from Oracle Development's A‑Team

  • April 22, 2015

JCS (Java Cloud Service) - An Alternative to the SSH Tunnel

The recommended way to use WLST with JCS is to use an SSH Tunnel. While this isn't that difficult to setup and use, it is an extra step that some may feel as unnecessary.  It also changes the way you have been accustomed to using WLST against your on-premise WebLogic instances. This blog will attempt to provide a few configuration steps that will negate the need for using an SSH tunnel so that you can deploy to JCS the same way you have been accustomed to with your on-premise WebLogic domains. There are 3 main actions that need to be performed to set this up properly:

  1. 1. Create a New Network Channel
  2. 2. Open up Port in the Compute Console
  3. 3. SSL Setup

Step 1: Create a New Network Channel in the WebLogic Server Console for Your Admin Server

  1. a. Navigate to Servers->AdminServer->Protocols->Channels
  2. b. Click Lock & Edit
  3. c. Click New
  4. d. Create a T3 channel with the name of ExternalChannelT3 and click Next

    [caption id="attachment_31538" align="alignleft" width="875"]newt3channel1 External T3 Channel[/caption]

  5. e. Here we are choosing a new Listen Port to use.  As you can see, I have set both the Listen Port and External Listen Port to be the same.  The most important part here is the External Listen Address.  This MUST be the EXTERNAL IP Address/Host Name that you are accessing the WLS Console over.  It should be the same as what you currently see in your Address Bar. Click Next to continue.newt3channel2
  6. f. Enable HTTP Tunneling.
  7. g. Ensure HTTP is also enabled for this channel.
  8. h. Finally, click Finish and Activate Changes.newt3channel3


Step 2: Open a new network port in the Compute Console

See http://docs.oracle.com/cloud/latest/dbcs_dbaas/CSDBI/GUID-95C7A0BD-208C-4D8E-A1DF-BBC1EDBA7755.htm

While the link above describes opening a port for SQL*Net, the instructions are the same. Just change port 2484 for 7003.

  1. a. Sign into the My Services application by clicking the link in your Welcome e-mail or by going to http://cloud.oracle.com, clicking Sign In, and selecting Public Cloud Services as your My Services Data Center.The Platform Services Dashboard is displayed.
  2. b. In the entry for Oracle Compute Cloud Service, click Open Service Console.The Oracle Compute Cloud Service console's Overview page is displayed with the Instances tile selected.
  3. c. Click Network button.The Oracle Compute Cloud Service console's Network page is displayed.
  4. d. Click the Protocols tile on the left of the page, and then click Create Protocol. In the Create Protocol dialog, enter the following information.
    • Name: Any name to identify the new port, for example, ExternalT3Port
    • Port Type: tcp
    • Port Range Start: 7003
    • Port Range End: 7003
    • Description: Any description of your choice.
  5. e. Click Create.
  6. f. Click the Access Rules tile on the left side of the page, and then click Create Access Rule. In the Create Access Rule dialog, enter the following information.
    • Name: Any name to identify the access rule.
    • Status: Enabled
    • Protocol: Select the name of the protocol you created in the steps above, for example ExternalT3Port.
    • Source: Select IP Lists, and then select public-internet from the list.
    • Destination: Select the name of the network group to use as the target for this access rule. Since we are connecting to the Admin Server, we need to choose the associated network group. By default, this is ora_admin
    • Description: Any description of your choice.
  7. g. Click Create.

Step 3: SSL Setup

If you want to use SSL as well, follow the same steps above except create a T3S channel instead of a T3 channel. Choose a different port such as 7004.

Now this where you must pay attention since your typical SSL client will not work out of the box. JCS has set a default minimum protocol to be TLS version 1.2. If you take a look at the start-up arguments for your WebLogic Server, you will see the following system property:


This sets the minimum protocol version to accept as TLS 1.2. The reason this causes problems is JSSE does not enable TLS 1.2 by default. WebLogic provides the means to enable this via a system property. Please see the following documentation:


The solution seems simple enough right? Let's just add the following system property to your client:


That enables all TLS1.x. But, there is a gotcha! That only works if you are NOT using the Thin T3 client. There is an open bug (20758863) to enable the protocolVersion system property for the Thin T3 Client as well. But for now you will need to use the full client or weblogic.jar.

Thanks for reading!

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.Captcha