HOME / DOCUMENTATION / Configure AcuSensor on WebLogic Server

Configure AcuSensor on Oracle WebLogic server

Integrating the AcuSensor with Oracle WebLogic Server enhances your application security by enabling advanced runtime analysis and vulnerability detection directly within your deployed applications. AcuSensor, part of our interactive application security testing (IAST) technology, provides precise insights by monitoring application behavior during scans—helping to reduce false positives and uncover complex vulnerabilities that traditional testing methods might miss.

This document outlines two supported methods for configuring AcuSensor on WebLogic, empowering development and security teams to strengthen their DevSecOps pipeline without significantly impacting performance or operations:

  • Method 1: Modifying the startWebLogic.sh startup script
  • Method 2: Using WLST (WebLogic Scripting Tool) to update server configuration

Method 1: Modify startWebLogic.sh

Step 1: Locate the startup script

  1. Navigate to your WebLogic domain’s bin directory. Example path: /u01/oracle/user_projects/domains/base_domain/bin

Step 2: Edit the script

  1. Open the startWebLogic.sh file in a text editor and locate the JAVA_OPTIONS configuration.
  2. Append the following line to include the AcuSensor agent:

export JAVA_OPTIONS="$JAVA_OPTIONS -javaagent:/u01/oracle/otherlibs/AcuSensor.jar -Dacusensor.debug.log=ON -DUseSunHttpHandler=true"

Replace /u01/oracle/otherlibs/AcuSensor.jar with the actual path to your AcuSensor JAR file.

Step 3: Save and restart

  1. Save the updated startWebLogic.sh file.
  2. Stop the WebLogic Server: ./stopWebLogic.sh
  3. Restart the WebLogic Server: ./startWebLogic.sh

Step 4: Verify AcuSensor activation

  1. Check the server logs for AcuSensor initialization messages. Look for log lines similar to:

[invicti.debug] INFO Invicti Java Sensor Starting ... com.invicti.iast.agent.Agent premain

  1. Logs are typically located under: /u01/oracle/user_projects/domains/base_domain/servers/your_server/logs

Method 2: Configure via WLST script

Step 1: Launch WLST and connect

  1. Open a terminal and navigate to your WebLogic domain directory.
  2. Launch WLST:

./wlst.sh

  1. Connect to the WebLogic Server:

connect('admin', 'password', 't3://weblogic_server_address:port')

🛠️

Replace admin, password, weblogic_server_address, and port with your actual credentials and host information.

Step 2: Navigate to ServerStart MBean

serverConfig()
cd('/Servers/your_server_name/ServerStart/your_server_name')

🛠️

Replace your_server_name with your actual WebLogic server name.

Step 3: Set Java options

set('Arguments', '-javaagent:/u01/oracle/otherlibs/AcuSensor.jar -Dacusensor.debug.log=ON -DUseSunHttpHandler=true')

🛠️

Update the JAR file path if necessary.

Step 4: Save and exit

save()
exit()

Step 5: Restart and verify

  1. Stop the WebLogic Server:

./stopWebLogic.sh

  1. Start the WebLogic Server:

./startWebLogic.sh

  1. Check the logs for successful AcuSensor startup:

[invicti.debug] INFO Invicti Java Sensor Starting ... com.invicti.iast.agent.Agent premain

Supported WebLogic versions

This configuration has been tested on the following WebLogic versions:

  • 12.2.1.4
  • 14.1.1.0
  • 14.1.2.0

Refer to this Java websites overview document for all supported servers and frameworks information.