Forum Discussion
rsj8466
Jan 31, 2025 (Copper Contributor)
Open Port Issue Exists after implementing Entra Id containers
Hi All,
We are currently on PeopleSoft 8.61.07 (FSCM) and recently implemented Entra ID containers for SSO. We see that ports sometimes remain open between the Entra ID container and WebLogic.
Are there any recommendations to fix the open port issue?
Currently, we are bouncing the container when the open port count goes high (when the TCP count goes above 1000).
Looking for recommendations to fix the open port issue, as it creates more manual work to monitor the count and bounce the container periodically.
Please do let me know if you need any further information.
Thank you!
Ramya Sivasubramanian
- rsj8466 (Copper Contributor)
My team is interested to understand whether anyone else who has used Apache with the WebLogic plugin has any tips for us. We have built a Podman container based on RHEL 9 that runs Apache as a reverse proxy leveraging the Oracle WebLogic plugin and mod_auth_openidc for OpenID Connect authentication with Microsoft Entra ID.
- luchete (Steel Contributor)
Hi rsj8466,
When using Apache as a reverse proxy with the WebLogic plugin and mod_auth_openidc for OpenID Connect authentication with Microsoft Entra ID, it's important to ensure that the Apache proxy settings, like timeout and connection management, are optimized for your environment. You’ll also want to verify that the OpenID Connect authentication flow is configured correctly, including making sure that the necessary claims and scopes are passed to Apache.
For the WebLogic plugin, double-check that it’s properly forwarding requests and handling authentication as expected. On the security side, ensure that SSL/TLS is enabled for communication between Apache, WebLogic, and Entra ID, and that the token validation and key management practices are up-to-date.
Also, it’s a good idea to monitor logs in both Apache and WebLogic to catch any issues early and make sure everything scales properly as your environment grows.
Regards!
- Alikoc (Iron Contributor)
Hello
The issue you are describing seems to involve open TCP ports between the Entra ID container and WebLogic, which can potentially lead to resource management problems and requires you to bounce the container when the port count exceeds a threshold.
Can you first check the following steps?
Check for Unclosed Connections: Investigate why ports are not being closed. It could be due to:
- Long-lived or idle sessions.
- Improper connection handling in WebLogic or the Entra ID container.
Review Application Logs: Analyze logs from WebLogic and Entra ID for errors or unusual behaviors related to connection handling.
Configure Timeouts:
- Adjust timeout settings in WebLogic for idle connections.
- Set appropriate timeouts for the Entra ID container.
TCP Keep-Alives:
- Ensure that TCP keep-alive settings are properly configured to detect and close stale connections
Connection Limits:
- Define connection limits in WebLogic and the container to prevent excessive open connections.
Monitoring Tools: (Monitor and Automate Port Management)
- Use tools like Prometheus, Nagios, or Dynatrace to monitor open connections in real time.
Automate Container Restarts:
- Implement scripts or container orchestration (e.g., Kubernetes) to automatically restart the container when TCP port usage reaches a critical threshold.
Connection Pools: (WebLogic Tuning)
- Ensure that WebLogic connection pools are optimized to reuse existing connections and release unused ones promptly.
Thread Management:
- Review and adjust thread pool configurations to handle requests efficiently.
Idle Connection Timeout at Network Level: (Networking and Firewall Settings)
- Configure firewalls or load balancers to terminate idle connections after a certain period.
And lastly,
Ensure that both PeopleSoft (8.61.07) and WebLogic are running the latest supported versions with all relevant patches applied. Sometimes issues like this are addressed in newer updates.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Best Regards,
Ali Koc
- Mks_1973 (Iron Contributor)
Increase the Ephemeral Port Range:
This helps if your application is creating many outbound connections. For example, add or adjust in /etc/sysctl.conf:
net.ipv4.ip_local_port_range = 1024 65000
Then reload with sysctl -p
Reduce TCP FIN Timeout:
Lowering the timeout can free up ports sooner:
net.ipv4.tcp_fin_timeout = 30
For outgoing connections, you might enable reuse of sockets in TIME_WAIT state:
net.ipv4.tcp_tw_reuse = 1
(Ensure that this setting is appropriate for your network topology and workload; in some environments, it can cause unexpected behavior.)
Implement Connection Pooling and Keep-Alives
Review Timeout and Retry Settings
Increase File Descriptor Limits
Monitor and Automate as a Temporary Workaround
Monitor Connection States: Use tools like netstat, ss, or even custom scripts to monitor the TCP connection states (e.g., TIME_WAIT, ESTABLISHED). Understanding whether the ports are lingering in TIME_WAIT or if connections remain unexpectedly open will help narrow down the issue.
Automate Container Restarts: While not a permanent fix, if connection leaks are unavoidable until a patch or configuration change is applied, consider automating the container restart process when the open port count exceeds a threshold. This can reduce manual intervention.
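A script for the connection-state check and threshold restart that Alikoc and Mks_1973 both describe, added here as an example and not code posted in this thread. It assumes a Podman container named entra-proxy and WebLogic listening on port 7001 (both assumptions, overridable through environment variables), and exercises the parsing on a constructed `ss -tan` sample so it runs offline; live_check is only defined, for an operator or cron job to call.

```shell
#!/bin/sh
# Assumed names (not from the thread): container "entra-proxy", WebLogic port 7001, limit 1000.
CONTAINER="${CONTAINER:-entra-proxy}"
WL_PORT="${WL_PORT:-7001}"
THRESHOLD="${THRESHOLD:-1000}"
# Constructed sample of `ss -tan` output so the parsing can be exercised offline.
SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      10.0.0.5:43210       10.0.0.9:7001
ESTAB      0      0      10.0.0.5:43211       10.0.0.9:7001
TIME-WAIT  0      0      10.0.0.5:43212       10.0.0.9:7001
CLOSE-WAIT 0      0      10.0.0.5:43213       10.0.0.9:7001
ESTAB      0      0      10.0.0.5:44000       10.0.0.20:443
LISTEN     0      128    0.0.0.0:8080         0.0.0.0:*'

# count_to_port STATE PORT: sockets in STATE whose peer is :PORT (ss output on stdin).
count_to_port() {
  awk -v st="$1" -v port="$2" \
    'NR > 1 && $1 == st && $5 ~ (":" port "$") { n++ } END { print n + 0 }'
}
# total_to_port PORT: every non-listening socket whose peer is :PORT.
total_to_port() {
  awk -v port="$1" \
    'NR > 1 && $1 != "LISTEN" && $5 ~ (":" port "$") { n++ } END { print n + 0 }'
}
# state_summary PORT: "STATE count" per state, sorted. Many CLOSE-WAIT entries mean the
# proxy side never called close() (an application-level leak); TIME-WAIT is the kernel's
# normal post-close hold and clears by itself after the FIN timeout.
state_summary() {
  awk -v port="$1" \
    'NR > 1 && $5 ~ (":" port "$") { c[$1]++ } END { for (s in c) print s, c[s] }' | sort
}
# over_threshold COUNT LIMIT: true (exit 0) when COUNT exceeds LIMIT.
over_threshold() { [ "$1" -gt "$2" ]; }
# live_check: read the real socket table, log the breakdown, restart only when needed.
live_check() {
  n=$(ss -tan | total_to_port "$WL_PORT")
  echo "$(date -Is) sockets to :$WL_PORT = $n"
  ss -tan | state_summary "$WL_PORT"
  if over_threshold "$n" "$THRESHOLD"; then
    echo "threshold $THRESHOLD exceeded; restarting $CONTAINER"
    podman restart "$CONTAINER"
  fi
}
# Offline demonstration on the constructed sample (no container is touched).
printf '%s\n' "$SAMPLE_SS" | state_summary "$WL_PORT"
```

Run `live_check` from cron or a systemd timer to replace the manual count-and-bounce; the per-state breakdown it logs is what tells you whether the leak is CLOSE-WAIT (fix the proxy or plugin) or TIME-WAIT (tune the kernel, as above).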
- luchete (Steel Contributor)
Hi rsj8466!
Seems like there could be a connection leak or session handling issue between Entra ID and WebLogic. One thing to check is whether the connection pooling settings are properly configured to close idle connections. You could also try increasing the TCP timeout settings to ensure connections are cleaned up more effectively. It may help to monitor and fine-tune the settings in both Entra ID and WebLogic to avoid the need for manual intervention.
Hope it helps!