Overview
Patch management is an important process in software maintenance to ensure systems are protected against vulnerability, instability and reduced efficiency. Patching involves applying updates that may include feature enhancement, security and bug fixes.
Like any software, keeping WebLogic Server up dated with the latest patches is crucial to its security, stability and performance. It is recommended to implement a patching strategy to ensure a seamless upgrade process.
This article describes how the Oracle WebLogic Management Service can be used to apply WebLogic Server Patch Set Update (PSU) to managed WebLogic domains on Oracle Cloud Infrastructure (OCI).
Understanding Patch Management for Oracle WebLogic Server
Patch management is a complex and involved process. Understanding the patch management lifecycle can significantly reduce the operational overhead and increase the security and stability of WebLogic Server.
You must develop a patching strategy that aligns with your environments and business objectives. It is important to stay informed on the latest patches released by Oracle for WebLogic Server by subscribing to Oracle’s security alerts and patch release announcement.
Oracle regularly release patches on a quarterly schedule (January, April, July and October), known as Critical Patch Update (CPU) and Patch Set Update (PSU).
- Critical Patch Update (CPU) – collection of security fixes + PSU + SPU + BP
- Patch Set Update (PSU) – cumulative patch bundle for Oracle product, collection of security and priority fixes
It is important to assess its applicability to your environment when a patch is released. Not all patches are relevant as some may address components or features that are not in use. However, neglecting a patch can lead to detrimental impact on the system.
Applying patches to WebLogic domains using Oracle WebLogic Management Service
Patching should be carried out using Oracle’s recommended tools and procedures. Oracle Universal Installer (OUI) and OPatch Utility are typically used to apply patches in WebLogic Server.
It is recommended to automate the patch management process whenever possible to reduce human errors and ensure consistency across environments. Oracle Enterprise Manager offers a centralized and efficient solution for automating patching in on-premises environments.
For enterprises running WebLogic Server on Oracle Cloud Infrastructure (OCI), the Oracle WebLogic Management Service offers a centralized platform to manage WebLogic Server instances on OCI. It enables lifecycle management operations, including patching, starting, stopping, and restarting WebLogic domains on compute instances.
Oracle WebLogic Management Service can be used to apply patches to managed domains on OCI, applying updates to the entire domain simultaneously. This means every server in the domain gets patched instead of having to patch servers one at a time. Patch inventory is also maintained and kept up-to-date by the WebLogic Management Service.
Configuring Oracle WebLogic Management Service for Patching
The patching capability in WebLogic Management Service is disabled by default for all managed domains. Once enabled, you can apply recommended patches including PSU and CPU for Oracle WebLogic Server and Oracle Fusion Middleware Infrastructure.
For each WebLogic domain managed by the WebLogic Management Service, you would see a corresponding managed domain in Oracle WebLogic Management Service console. This is the top level where you can find the general domain information on its product type, WebLogic Server (WLS) or Fusion Middleware (FMW), product version, number of servers that have the recommended patches installed, whether patching is enabled and whether the servers are ready for patching.
The example domain below shows the WebLogic Server product running version 12.2.1.4.
Select the domain you wish to patch to see more details. On the Domain details page, you can view detailed information for each managed server, including the server name, restart order, compute instance hosting the server, JDK version, and the last update timestamp.
It also indicates that the servers are not running on the recommended patches, as they are marked False under the On recommended patches column.
Let’s walkthrough the steps in applying the latest Patch Set Update (PSU) and recommended patches.
Enable Patching
By default, patching is disabled in all managed domains. This feature is enabled after you accept the terms of use for each domain. Once accepted, you can apply and remove the latest patches. You will only be prompted to accept the terms of use the first time you enable patching.
To enable patching, navigate to the Domain details page and select Edit Domain Settings. Check the boxes under the Patching section to Enable patching and Enable rollback when patching fails.
Rollback operates at the domain level, meaning if any server fails during patching, all servers will be rolled back.
Save changes.
Changing the Restart Order (Optional)
The servers within the domain will be patched based on the sequence defined by their Restart order. By default, the Admin Server is patched first, as it has a restart order of 0, followed by Managed Servers in ascending order.
If multiple servers are running on the same compute instance and are using the same WebLogic Server installation, then all servers will be patched simultaneously.
In the example below, both the Admin Server and Server 1 are running on the same compute instance, meaning they will be patched and restarted together, even though Server 1 has a restart order of 1.
You can manage the restart order by prioritizing specific servers. However, modifying the restart sequence may affect system availability, dependency resolution and application performance.
To modify the restart order, select the checkbox for your server and click Set restart order, then enter a numerical value for the restart order.
Save changes.
For this this example, we will leave the restart order to default.
Configure Credentials for Server Restart
When patches are applied, the WebLogic Management Service must restart the servers according to the defined restart order. It can restart servers configured to use either the Node manager or custom scripts. In either case, the WebLogic and Node Manager administrative credentials may be required. These can be supplied using encrypted WebLogic boot properties or by specifying OCI Secrets that store the credentials.
From the More actions dropdown menu, choose Edit WebLogic credentials or Edit Node Manager credentials to select your credential option.
Select the checkboxes to enable Domain configuration for both WebLogic and Node Manager credentials. This uses the WebLogic domain administrative credentials stored in the boot properties.
Save changes.
Check Server Readiness for Patching
You can verify if your WebLogic Server domain is ready for patching using Oracle WebLogic Management Service. Patch Readiness in WebLogic Management Service is a pre-patching evaluation process designed to ensures a smooth, secure, and efficient patch deployment.
On the Domain details page, you can see the patch readiness status for each server under the Patch readiness column. For a more detailed view, including state, restart order, and patch status, access the View patch readiness details panel from the Action menu.
You can review the evaluations in the Patch readiness details panel. Any checks marked as Warning or Failed will display the issue details, allowing you take corrective action.
Applying Patches
Once all servers pass the patch readiness check, the WebLogic domain is ready for patching, you can apply the latest patches shown on the Apply recommended patches page.
The Apply Recommended Patches page displays a list of recommended patches to be applied. At the bottom of Page 2, the latest quarterly Patch Set Update (PSU) from January 2025 is included. There is no option to select individual patches for installation, all patches in the list will be installed when applied.
To install the patches, click Apply.
The patching process will start, and its progress can be monitored on the Work requests page.
The servers in the domain will be patched according to the restart order assigned to each server. As a result, the Admin Server and Server 1 will be patched first since they share the same instance and have a patching order of 0.
As shown below, midway through the update progress, the Admin Server and Server 1 have been updated first, marked as True under the On recommended patches column.
After patching is complete, the work request status will show Succeeded, and all the servers running the recommended patches will be marked True under the On recommended patches column.
Your domain is now updated to the latest recommended patches including the latest PSU.
Uninstalling Patches (Optional)
In you need to uninstall previously installed patches, you can select Remove recommended patches on the Domain details page. This will bring up the Remove recommended patches page, where you can review the patches for removal.
Select Remove to begin removal.
The patch removal process will start, and its progress can be tracked in the Work requests page.
Summary
This article showed how Oracle WebLogic Management Service is used to apply WebLogic Server Patch Set Update (PSU) and recommended patches to managed WebLogic domains on Oracle Cloud Infrastructure (OCI).
Utilizing Oracle WebLogic Management Service for patching improves automation, security and centralized control, while reducing downtime and ensuring compliance with security standard. It provides an efficient and reliable solution for managing WebLogic Server updates on Oracle Cloud Infrastructure.