You can access the WebLogic Server Administration Console external to the Kubernetes cluster using the following approaches:
NOTES:
For production use cases, Oracle recommends using a load balancer with ingress path routing rules and an SSL port to access the WebLogic Server Administration Console.
To verify that your load balancer, NodePort, or kubectl port-forward
setup is working as expected, see Test.
Do not use the WebLogic Server Administration Console to start or stop servers, or for scaling clusters. See Starting and stopping servers and Scaling.
If your domain home type is either Domain in Image or Model in Image, then do not use the Administration Console to make changes to the WebLogic domain configuration because these changes are ephemeral and will be lost when servers restart. See Choose a domain home source type.
Externally exposing administrative, RMI, or T3 capable WebLogic channels
using a Kubernetes NodePort
, load balancer,
port forwarding, or a similar method can create an insecure configuration.
For more information, see External network access security.
To access the WebLogic Server Administration Console through a load balancer, first set up an Ingress. This, in combination with SSL, is the best practice approach for production use cases.
The following path-routing
ingress instructions do not apply when you need to concurrently access multiple domains in the same Kubernetes cluster through the same external load balancer port. For the multiple domain use case, see the Host-based routing sample and make sure that the host names are resolvable by your DNS server (for example, domain1.org
and domain2.org
in the sample).
The following example sets up an ingress path routing rule to access a WebLogic Server Administration Console through a non-SSL port.
Set up a path-routing
YAML file for a Traefik load balancer:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
annotations:
kubernetes.io/ingress.class: traefik
name: traefik-pathrouting-1
namespace: weblogic-domain
spec:
routes:
- kind: Rule
match: PathPrefix(`/console`)
services:
- kind: Service
name: domain1-adminserver
namespace: weblogic-domain
port: 7001
To access the WebLogic Server Administration Console, open the following URL from your browser:
http://${HOSTNAME}:${LB_PORT}/console
Where:
${HOSTNAME}
is where the ingress load balancer is running.
To determine the ${LB_PORT}
when using a Traefik load balancer:
$ export LB_PORT=$(kubectl -n traefik get service traefik-operator -o jsonpath='{.spec.ports[?(@.name=="web")].nodePort}')
If you have an FMW Infrastructure domain, then you can add an ingress path routing rule for the PathPrefix /em
and access Fusion Middleware Control (Enterprise Manager) using the following URL:
http://${HOSTNAME}:${LB_PORT}/em
WebLogic Plugin Enabled
The following example sets up load balancer routing for access to the WebLogic Server Administration Console through an SSL port.
Enable the WebLogic Plugin Enabled
setting in the WebLogic configuration:
The WebLogic configuration setting WebLogic Plugin Enabled
, when set to true
, informs WebLogic Server about the presence of a load balancer proxy. Failure to have this setting enabled causes unexpected results in cases where the client IP address is required or when SSL terminates at the load balancer.
When using WDT to configure a WebLogic domain, use the resource section at the domain level in a model YAML file:
resources:
WebAppContainer:
WeblogicPluginEnabled: true
When using a WLST
script to configure a WebLogic domain, use these commands:
# Configure the Administration Server
cd('/Servers/AdminServer')
set('WeblogicPluginEnabled',true)
...
cd('/Clusters/%s' % cluster_name)
set('WeblogicPluginEnabled',true)
Configure an ingress path routing rule and update the ingress resource with a customRequestHeaders
value:
For example, see the following path-routing
YAML file for a Traefik load balancer. In the case of SSL termination, Traefik must pass a custom header WL-Proxy-SSL:true
to the WebLogic Server endpoints.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
annotations:
kubernetes.io/ingress.class: traefik
name: traefik-console-tls
namespace: weblogic-domain
spec:
entryPoints:
- websecure
routes:
- kind: Rule
match: PathPrefix(`/console`)
middlewares:
- name: tls-console-middleware
namespace: weblogic-domain
services:
- kind: Service
name: domain1-adminserver
namespace: weblogic-domain
port: 7002
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: tls-console-middleware
namespace: weblogic-domain
spec:
headers:
customRequestHeaders:
WL-Proxy-SSL: "true"
sslRedirect: true
Access the WebLogic Server Administration Console using the HTTPS port:
Get the SSL port from the Kubernetes service:
# Get the ingress controller secure web port
$ SSLPORT=$(kubectl -n traefik get service traefik-operator -o jsonpath='{.spec.ports[?(@.name=="websecure")].nodePort}')
From your browser, use the following URL to access the WebLogic Server Administration Console:
https://${HOSTNAME}:${SSLPORT}/console
If you have an FMW Infrastructure domain, then you can add an ingress path routing rule for the PathPrefix /em
and access Fusion Middleware Control (Enterprise Manager) using the following URL:
https://${HOSTNAME}:${SSLPORT}/em
NodePort
Use the following steps to configure a NodePort
to access the WebLogic Server Administration Console:
Update the WebLogic Administration Server configuration to add a Network Access Point (custom channel) with the HTTP protocol, and expose this channel on a NodePort service using the domain.spec.adminServer.adminService.channels
attribute.
For an example of setting up the NodePort
on an Administration Server, see Use a NodePort
. For information about the NodePort
Service on an Administration Server, see the Domain resource document.
From your browser, use the following URL to access the WebLogic Server Administration Console:
http://hostname:adminserver-NodePort/console
The adminserver-NodePort
is the port number of the Administration Server outside the Kubernetes cluster.
If you have an FMW Infrastructure domain, then you can also access Fusion Middleware Control (Enterprise Manager) using the following URL:
http://hostname:adminserver-NodePort/em
kubectl port-forward
connectionA Kubernetes port forward command is convenient for development use cases but is not recommended for production use cases. It creates a local process external to a Kubernetes cluster that accepts external traffic on a dedicated local port and forwards this traffic to a specific pod and port in the Kubernetes cluster. If you have multiple domains, then each domain will require its own dedicated port forward command and a separate local port.
Forward a local port (that is external to Kubernetes) to the administration port of the Administration Server Pod according to these instructions.
NOTE: If you plan to access the WebLogic Server Administration Console from a browser
on a different machine than the port forwarding command,
then the port forwarding command needs to specify an --address
parameter
with an externally accessible IP address for the machine that is running the command.
In the browser, use the following URL:
http://${HOSTNAME}:${LOCAL_PORT}/console
Where:
${HOSTNAME}
is the DNS address or the IP address of the machine
where the kubectl port-forward
command is running. This is
customizable using the --address
parameter
and is localhost
or 127.0.0.1
, by default.
${LOCAL_PORT}
is the local port specified on the kubectl port-forward
command line.
If you have an FMW Infrastructure domain, then you can also access Fusion Middleware Control (Enterprise Manager) using the following URL:
http://${HOSTNAME}:${LOCAL_PORT}/em
To verify that your WebLogic Server Administration Server URL is correct, and to verify that that your load balancer,
NodePort
, or kubectl port-forward
are working as expected, run the following curl command at the same location as your browser:
$ curl http://${HOSTNAME}:${LB_PORT}/console > /dev/null && echo "Connection succeeded."
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 271 100 271 0 0 90333 0 --:--:-- --:--:-- --:--:-- 90333
Connection succeeded.
If successful, then you will see the Connection succeeded
message in the output from the command.