Application Servers AWS

Oracle WebLogic Server on AWS User Guide

| Product: Oracle WebLogic Server on AWS

Overview

This image runs Oracle WebLogic Server 15c, the industry-leading enterprise Java application server. WebLogic is installed to /u01/app/oracle/product/wlserver under a dedicated oracle system account. The base_domain domain is configured with an Administration Server listening on port 7001 (HTTP) and port 7002 (HTTPS), and a Node Manager on port 5556. All processes run as the unprivileged oracle system user under systemd.

The WebLogic admin password is generated on the first boot of every deployed instance. Two instances launched from the same Amazon Machine Image never share a password. On first boot, the cloudimg-weblogic-firstboot.service starts the Admin Server with a build-time placeholder, connects via WLST, and rotates the credential to a fresh per-instance random password. The password is written to /root/weblogic-credentials.txt with mode 0600 so that only the root user can read it.

The WebLogic Administration Console at /console is served on port 7001. Port 7001 should be restricted to trusted networks in your security group. You reach the console from your workstation over an SSH tunnel, which arrives at the instance as a loopback connection.

Prerequisites

Before you deploy this image you need:

  • An Amazon Web Services account where you can launch EC2 instances
  • IAM permissions to launch instances, create security groups, and subscribe to AWS Marketplace products
  • An EC2 key pair in the target Region for SSH access to the instance
  • A VPC and subnet in the target Region, with a security group allowing inbound port 22 from your management network and inbound port 7001 restricted to your trusted networks
  • The AWS CLI (version 2) installed locally if you plan to deploy from the command line

Step 1: Launch the Instance from the AWS Marketplace

Sign in to the AWS Management Console, open the EC2 service, and select Launch instance. Under Application and OS Images choose AWS Marketplace AMIs and search for Oracle WebLogic. Select the cloudimg listing and choose Select, then Continue on the subscription summary.

Pick an instance type of m5.large or larger (WebLogic requires adequate memory for the JVM and domain startup). Choose your EC2 key pair under Key pair (login). Under Network settings select your VPC and subnet, and either create or select a security group that allows inbound port 22 from your management network and inbound port 7001 restricted to your trusted networks. Leave the root volume at the default size or larger.

Select Launch instance. First boot initialisation takes approximately two to three minutes after the instance state becomes Running and the status checks pass (the WLST password rotation is the longest part).

Step 2: Launch the Instance from the AWS CLI

The following block launches an instance from the cloudimg Oracle WebLogic Marketplace AMI. Replace the placeholder values with your own.

aws ec2 run-instances \
  --image-id <ami-id> \
  --instance-type m5.large \
  --key-name <key-name> \
  --subnet-id <subnet-id> \
  --security-group-ids <security-group-id> \
  --block-device-mappings '[{"DeviceName":"/dev/xvda","Ebs":{"VolumeSize":40,"VolumeType":"gp3"}}]' \
  --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=weblogic-01}]'

The command prints a JSON document on success. Retrieve the public address once the instance is running with aws ec2 describe-instances --instance-ids <instance-id> --query "Reservations[].Instances[].PublicIpAddress" --output text.

Step 3: Connect and Retrieve the WebLogic Admin Password

Connect over SSH with the key pair you selected and the public IP address. The SSH login user depends on the operating system of the AMI variant you launched:

AMI variant SSH login user
Oracle WebLogic 15c on AlmaLinux 9 ec2-user

The first boot service completes before the SSH daemon becomes available for the first login, so the credentials file is always in place when you first connect.

ssh ec2-user@<public-ip>
sudo cat /root/weblogic-credentials.txt

You will see output similar to the following:

# Oracle WebLogic Server 15c -- Per-Instance Credentials
# Generated: Wed May 27 22:00:00 UTC 2026
#
# Admin Console: http://3.87.218.167:7001/console
WEBLOGIC_USER=weblogic
WEBLOGIC_PASSWORD=WlsA1b2c3d4e5f6g7h8iAa1
DOMAIN_HOME=/u01/app/oracle/product/user_projects/domains/base_domain

Copy the password to a secure location. From the same SSH session you can check the service and the Java runtime:

sudo systemctl status weblogic-adminserver.service
/u01/java/jdk-21/bin/java -version

Expected output:

weblogic-adminserver.service - Oracle WebLogic Server 15c Admin Server
   Loaded: loaded (/etc/systemd/system/weblogic-adminserver.service; enabled)
   Active: active (running)

java version "21.0.10" 2026-01-20 LTS
Java(TM) SE Runtime Environment (build 21.0.10+8-LTS-217)
Java HotSpot(TM) 64-Bit Server VM (build 21.0.10+8-LTS-217, mixed mode, sharing)

WebLogic service status and Java version

Step 4: Access the Administration Console Sign-in Page

Port 7001 should be restricted to trusted networks in your security group. To reach the console from your workstation, open an SSH tunnel that forwards a local port to the instance's port 7001.

In a terminal on your workstation, run the following and leave it open:

ssh -L 17001:127.0.0.1:7001 ec2-user@<public-ip>

With the tunnel open, navigate to http://127.0.0.1:17001/console/login/LoginForm.jsp in your browser. The WebLogic Server Sign In page appears.

WebLogic Server Sign In page

Sign in with the username weblogic and the password from /root/weblogic-credentials.txt.

Step 5: WebLogic Remote Console

WebLogic Server 15c (15.1.1.0.0) ships the WebLogic Remote Console instead of the traditional browser-based Administration Console. The original HTML administration console is no longer supported and has been removed in this release. After signing in you are redirected to the welcome page that provides the Remote Console download link.

WebLogic Remote Console welcome page

The WebLogic Remote Console is a standalone desktop application available for Windows, macOS and Linux. Download it from https://github.com/oracle/weblogic-remote-console/releases, install it on your workstation, and connect it to http://127.0.0.1:17001 (via the SSH tunnel) using the weblogic credentials. The Remote Console provides the full domain administration experience: Servers, Clusters, Deployments, JDBC Data Sources, JMS Resources and Security Realms.

For headless administration use WLST as described in Step 7 below.

Step 6: Deploy a Java EE Application

WebLogic accepts EAR and WAR archives. The simplest way to deploy from the console is through the Deployments page.

  1. In the left navigation under Domain Structure, select Deployments.
  2. Select Install and follow the wizard to locate and deploy your archive.
  3. Choose Install this deployment as an application, click Next, review the settings, and click Finish.

To deploy from the command line using the wldeploy utility:

sudo -u oracle /u01/app/oracle/product/wlserver/server/bin/wldeploy \
  -action deploy \
  -source /tmp/myapp.war \
  -name myapp \
  -user weblogic \
  -password <WEBLOGIC_PASSWORD> \
  -adminurl t3://127.0.0.1:7001

Replace <WEBLOGIC_PASSWORD> with the password from /root/weblogic-credentials.txt.

Step 7: Administer via WLST

The WebLogic Scripting Tool is available at /u01/app/oracle/product/wlserver/common/bin/wlst.sh. From an SSH session on the instance:

sudo -u oracle JAVA_HOME=/u01/java/jdk-21 \
  /u01/app/oracle/product/wlserver/common/bin/wlst.sh

Inside WLST, connect to the running Admin Server:

wls:/offline> connect('weblogic', '<WEBLOGIC_PASSWORD>', 't3://localhost:7001')
wls:/base_domain/serverConfig/> serverRuntime()
wls:/base_domain/serverRuntime> state()

The state() command returns RUNNING when the Admin Server is healthy. Type exit() to disconnect.

Step 8: Manage the Service

WebLogic runs as the systemd service weblogic-adminserver.service under the oracle account. The Node Manager runs as nodemanager.service. Use the standard systemctl commands:

sudo systemctl status weblogic-adminserver.service
sudo systemctl restart weblogic-adminserver.service
sudo journalctl -u weblogic-adminserver.service --since '10 minutes ago'

The WebLogic server log is written inside the domain:

sudo tail -f /u01/app/oracle/product/user_projects/domains/base_domain/servers/AdminServer/logs/AdminServer.log

Step 9: Rotate the Admin Password

The admin password was generated on first boot. To change it using WLST:

sudo -u oracle JAVA_HOME=/u01/java/jdk-21 \
  /u01/app/oracle/product/wlserver/common/bin/wlst.sh

Then inside WLST:

connect('weblogic', '<current-password>', 't3://localhost:7001')
cd('/SecurityConfiguration/base_domain/Realms/myrealm/AuthenticationProviders/DefaultAuthenticator')
cmo.resetUserPassword('weblogic', '<new-password>')
disconnect()

After rotation, update the boot.properties so WebLogic starts unattended:

sudo bash -c 'printf "username=weblogic\npassword=<new-password>\n" > /u01/app/oracle/product/user_projects/domains/base_domain/servers/AdminServer/security/boot.properties && chmod 600 /u01/app/oracle/product/user_projects/domains/base_domain/servers/AdminServer/security/boot.properties && chown oracle:oinstall /u01/app/oracle/product/user_projects/domains/base_domain/servers/AdminServer/security/boot.properties'

WebLogic encrypts the clear-text boot.properties on the next successful start.

Step 10: Enable HTTPS

For production workloads serve the Administration Console and your deployed applications over HTTPS. The recommended pattern on AWS is to terminate TLS in front of WebLogic with an Application Load Balancer and an AWS Certificate Manager certificate, and forward plain HTTP to port 7001 on the instance.

For a single instance with your own certificate, configure an SSL listen port in the Admin Server settings via the Administration Console (Server > SSL tab) and install your keystore.

Step 11: Backups and Maintenance

The domain configuration lives inside the base_domain tree. Back up the domain home and the Oracle inventory:

sudo tar --acls --xattrs -czf /var/backups/weblogic-domain-$(date +%F).tgz \
  -C /u01/app/oracle/product user_projects/domains/base_domain/config

Ship the archive to an Amazon S3 bucket.

For WebLogic patch updates, download and apply Oracle patch bundles using opatch from /u01/app/oracle/product/OPatch/.

Step 12: Scaling Beyond a Single Instance

For larger deployments:

  • Put the WebLogic tier behind an Application Load Balancer terminating TLS with AWS Certificate Manager
  • Add Managed Servers to the domain and distribute them across multiple instances in an Auto Scaling group
  • Use WebLogic Clusters for in-memory session replication and load distribution
  • Externalise JDBC connections to Amazon RDS so the application tier can scale independently of the database

The Oracle WebLogic documentation at https://docs.oracle.com/en/middleware/fusion-middleware/weblogic-server/ covers clustering, JDBC configuration, and production hardening in depth.

Screenshots

Java version and WebLogic service status

SSH session showing Java 21 version, WebLogic 15.1.1.0.0 build, and weblogic-adminserver.service active and running on first boot.

WebLogic Server Sign In page

The WebLogic Server 15.1.1 Sign In page, accessed via SSH tunnel on port 7001 with no manual configuration required.

WebLogic Remote Console welcome page

The WebLogic 15c welcome page directing administrators to download the WebLogic Remote Console for domain administration.

Support

cloudimg provides 24/7/365 expert technical support for this image. Guaranteed response within 24 hours, one hour average for critical issues. Contact support@cloudimg.co.uk.

For WebLogic administration questions consult the Oracle documentation at https://docs.oracle.com/en/middleware/fusion-middleware/weblogic-server/.