Arun Reddy, Technical Director, Raastech. Oracle Fusion Middleware Infrastructure Best Practices. Schoolcraft College, Vistatech Center, Room VT460. November 13, 2013, 2:05pm to 2:50pm.
Transcript
  • Slide 1 of 34

    Arun Reddy, Technical Director, Raastech

    Oracle Fusion Middleware Infrastructure Best Practices

    Schoolcraft College, Vistatech Center, Room VT460

    November 13, 2013, 2:05pm to 2:50pm

  • Raastech, Inc. 2013 | All rights reserved. Slide 2 of 34 raastech.com

    About Raastech

    Systems integrator founded in 2009

    Headquartered in the Washington DC area

    Specializes in Oracle Fusion Middleware

    Oracle Gold Partner & Reseller

    Oracle SOA Specialized

    Certified staff in multiple disciplines

    OCE, OCA, OCP, ITIL, CISSP, PMP, etc.

    Continued contributions to the technology community

    Sponsor and volunteer of numerous users groups

    Ongoing publishing of books, articles, whitepapers, and blogs

    Regular presenters at major conferences

  • Slide 3 of 34

    About Arun

    14+ years of Infrastructure Administration

    Focus on Oracle Fusion Middleware infrastructure implementation, Security, High Availability, and Disaster Recovery

    OCA, ITIL, PMP Certified

    Active WMOUG member/presenter

  • Slide 4 of 34

    What is this presentation about?

    For Oracle Fusion Middleware administrators

    Covers common infrastructure best practices for:

    Installations

    Patching

    Administration

    Deployments

    Security

  • Slide 5 of 34

    Why do I need it?

    I want to reduce OFMW infrastructure maintenance because I'm tired of opening change requests/change controls

    To know what I can do differently for my OFMW infrastructure to make it more stable and highly available

    Is there anything that I'm not doing right with my installations, patching or deployment?

    I don't want my phone to ring when I'm watching the Lions game or Breaking Bad

    I think the presenter is cool. My n

  • Slide 6 of 34

    Overview

  • Slide 7 of 34

    Understanding Oracle Fusion Middleware

    Oracle Fusion Middleware is a misleading term

    Used to describe middleware products such as:

    Business Intelligence (e.g., OBIEE, Discoverer)

    Integration (e.g., SOA Suite, OSB)

    Identity Management (e.g., Oracle Access Manager)

    Monitoring (e.g., OEM Grid Control)

    But usually used to describe a single product:

    WebLogic Server

  • Slide 8 of 34

    WebLogic Server: Foundation for Fusion Middleware

    WebLogic Server is the core foundation of all Oracle Fusion Middleware products

    [Diagram: OEM Grid Control, OBIEE, Access Manager, SOA Suite, WebCenter Portal and Data Integrator sit on top of Oracle WebLogic Server, which provides Clustering, JNDI, Resource Adapters, JDBC, Security and Self Tuning]

  • Slide 9 of 34

    Oracle WebLogic Server

    At a glance:

    Java application server

    Acquired from BEA

    Replaces Oracle Application Server 9i/10g

    Required for almost all Oracle Fusion Middleware products

    Current releases:

    Oracle WebLogic Server 11g (10.3.6)

    Oracle WebLogic Server 12c (12.1.2)

    The majority of OFM products are not yet available for 12c

  • Slide 10 of 34

    WebLogic Server Architectural Considerations

    Typically fronted by WebTier/OHS/Apache

    Requires JDK (Sun JDK, JRockit, or new JDK7)

    Requires shared filesystem for cluster (in 11g) for tlogs

    Single AdminServer to administer the entire cluster

    Node Manager runs on every server

    Hardware load balancer

    [Diagram: a hardware load balancer in front of three WebTier nodes, each fronting a WebLogic Server; the WebLogic Servers share a file system]

  • Slide 11 of 34

    WebLogic Server 12c New Features

    Certified with JDK7

    Zip distribution is only 164 MB

    Supports Java EE 6

    T-Logs can now be database persisted (no shared file system needed)

    Improved high availability, performance, and disaster recovery

    200+ new features

  • Slide 12 of 34

    Installations

  • Slide 13 of 34

    Operating System Tuning Parameters

    Proper OS tuning improves system performance by preventing the occurrence of error conditions.

    Below are some key parameters to consider

    O/S parameters (default / proposed):

    Linux - tcp_fin_timeout: by reducing the value, TCP/IP releases closed connections faster, providing more resources for new connections. Default 60, proposed 30.

    Linux - backlog connections queue (tcp_max_syn_backlog): when the server is loaded or has many clients with bad connections, it can result in an increase in half-open connections. Default 1024, proposed 4096.

    Linux - file descriptors (open files): default 1024, proposed 4096 (32-bit) or 8192 (64-bit).

    WIN2008 - MaxUserPort: under heavy loads it may be necessary to adjust MaxUserPort. This parameter determines the availability of user ports requested by applications. Default 16383, proposed 65532.

    WIN2008 - power option setting: with the High Performance power scheme, processors are always locked at the highest performance state. Default Balanced, proposed High Performance.
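    The following script is an added example, not part of the presentation: it reads the live Linux values for the two sysctl rows of the table, reports which ones still differ from the proposed values, and prints the drop-in configuration to apply. The proposed numbers are the slide's; the /proc/sys paths are the standard Linux locations, and the OS user name "oracle" and the 64-bit open-files value are assumptions.

```sh
#!/bin/sh
# Added example, not from the slides: audit the Linux values the table
# proposes and print drop-in configuration for any that still differ.
# Proposed values are the slide's. The /proc/sys paths are the standard Linux
# sysctl locations; the OS user "oracle" and a 64-bit host are assumptions.

# Constructed table: sysctl key | proposed value | live /proc/sys path
PROPOSED='net.ipv4.tcp_fin_timeout|30|/proc/sys/net/ipv4/tcp_fin_timeout
net.ipv4.tcp_max_syn_backlog|4096|/proc/sys/net/ipv4/tcp_max_syn_backlog'

# current_value PATH -> the live value, or "unknown" when PATH is not readable
# (non-Linux host, a container without /proc/sys, or a unit test)
current_value() {
    if [ -r "$1" ]; then cat "$1"; else echo unknown; fi
}

# needs_change CURRENT PROPOSED -> exit 0 when CURRENT differs from PROPOSED
needs_change() {
    [ "$1" != "$2" ]
}

# sysctl_dropin -> /etc/sysctl.d lines for every key whose live value differs
# from the proposal; prints nothing when the host is already tuned
sysctl_dropin() {
    printf '%s\n' "$PROPOSED" | while IFS='|' read -r key want path; do
        have=$(current_value "$path")
        if needs_change "$have" "$want"; then
            printf '# current value: %s\n%s = %s\n' "$have" "$key" "$want"
        fi
    done
}

# limits_dropin NOFILE -> /etc/security/limits.d lines raising the open-files
# limit for the OFMW user (file descriptors are a per-process limit, not a sysctl)
limits_dropin() {
    printf 'oracle soft nofile %s\noracle hard nofile %s\n' "$1" "$1"
}

# count_pending -> number of sysctl keys that still need a change
count_pending() {
    sysctl_dropin | grep -c '^net' || true
}

main() {
    echo "# /etc/sysctl.d/90-ofmw.conf  (apply with: sysctl --system)"
    sysctl_dropin
    echo "# /etc/security/limits.d/90-ofmw.conf  (takes effect at next login)"
    limits_dropin 8192
}

main "$@"
```

    Run it on the target host before and after the change: an empty sysctl section means the kernel already matches the table, and the generated limits lines need a fresh login of the OFMW user before `ulimit -n` reflects them.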

  • Slide 14 of 34

    Separation of Binaries and Config

    Dedicated user and shared group for Installations

    Separate binaries in the Fusion Middleware Home and Configuration directories

    The binaries include the Oracle WebLogic Home, Oracle JDK, Coherence binaries and any required Fusion Middleware binaries (Files/Directories are mostly read)

    The Configuration directories include all Domain homes, application files and nodemanager configuration (Files/Directories are both read and written at runtime)

    Advantages

    Less chance of binary corruption

    Easy Patching
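    As an added example (not the presenter's script), the following lays out the binaries/config split described on this slide beneath one base directory and then checks the invariant that makes the split worth having: nothing under the binary homes is writable by the shared runtime group or by others, while the configuration homes are. The $ORACLE_BASE convention comes from the deck; the subdirectory names, the user "oracle" and the group "oinstall" are assumptions.

```sh
#!/bin/sh
# Added example, not the presenter's script: create the binaries/config split
# the slide recommends and verify the permission invariant behind it.
# The subdirectory names, user "oracle" and group "oinstall" are assumptions.

# create_layout BASE -> read-mostly binary homes (750) and read/write config
# homes (770). Ownership would be oracle:oinstall on a real host; chown needs
# root, so it is left to the installer here.
create_layout() {
    base=$1
    for d in product/fmw/wlserver product/fmw/jdk product/fmw/coherence; do
        mkdir -p "$base/$d" && chmod 750 "$base/$d"
    done
    chmod 750 "$base/product" "$base/product/fmw"   # parents too, whatever the umask
    for d in admin/domains admin/applications admin/nodemanager admin/shared/deploy; do
        mkdir -p "$base/$d" && chmod 770 "$base/$d"
    done
}

# writable_by_group_or_other DIR -> every path under DIR that the group or
# anyone else may write to (for a binary tree this list should be empty)
writable_by_group_or_other() {
    find "$1" \( -perm -020 -o -perm -002 \) -print
}

# count_writable DIR -> number of such paths
count_writable() {
    writable_by_group_or_other "$1" | wc -l | tr -d ' '
}

# binaries_ok BASE -> exit 0 when the binary tree under BASE/product is clean
binaries_ok() {
    [ "$(count_writable "$1/product")" -eq 0 ]
}

# config_ok BASE -> exit 0 when every config home is group writable, which is
# what the managed servers and Node Manager need at runtime
config_ok() {
    for d in admin/domains admin/applications admin/nodemanager admin/shared/deploy; do
        [ -n "$(find "$1/$d" -prune -perm -020 -print)" ] || return 1
    done
}

main() {
    base=${1:-$(mktemp -d)}
    create_layout "$base"
    if binaries_ok "$base" && config_ok "$base"; then
        echo "layout under $base OK"
    else
        echo "permission drift under $base:"
        writable_by_group_or_other "$base/product"
    fi
}

main "$@"
```

    The check is the useful part: run `binaries_ok $ORACLE_BASE` after every patch cycle, since a patch applied as the wrong user or with a loose umask is exactly how a binary home silently becomes writable by the runtime group.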

  • Slide 15 of 34

    Shared File Systems

    Use shared file systems for

    Admin Server

    JMS Persistent Stores

    Application Deployments

    Configuration Plans

    Tlogs

    Advantages are

    Easy Recovery of the admin server

    Easy Recovery of the XA and JMS transactions

    Required for Server Migration

  • Slide 16 of 34

    Deployments

  • Slide 17 of 34

    Deployment Guidelines

    Do not use Autodeploy for production environments

    Always deploy to a cluster even if you have a single managed server (MS)

    Use deployment/configuration plans

    Simple approaches that work are:

    WLST or java weblogic.Deployer (my preference)

    Ant scripts

    Maven

    Restrict Admin/EM console deployments to:

    Test / lower environments

    Ad hoc support requests

  • Slide 18 of 34

    Custom Application Deployments

    Deploy custom applications from shared storage

    Applications are deployed as EAR files to servers or read as exploded directories. Place the archives in a shared directory such as $ORACLE_BASE/admin/shared/deploy

    In a shared services environment, applications should all be deployed as NOSTAGE

    Admin server default is STAGE

    Managed server default is NOSTAGE

    In NOSTAGE, the application files reside in a location from which all cluster members can initiate a deployment (Good for large or exploded applications)
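    The wrapper below is an added example, not the presenter's script, and ties slides 17 and 18 together: it builds a weblogic.Deployer command that targets a cluster, deploys NOSTAGE from the shared deploy directory with a deployment plan, refuses archives that live anywhere else, and reads the administrator credentials from encrypted user-config/key files instead of putting a password on the command line. weblogic.Deployer and its -adminurl, -userconfigfile, -userkeyfile, -deploy, -name, -source, -targets, -nostage, -plan and -undeploy options are WebLogic's; the host, cluster and path values are assumptions.

```sh
#!/bin/sh
# Added example, not the presenter's script: a scripted deployment wrapper
# following slides 17 and 18 (cluster target, NOSTAGE from shared storage,
# deployment plan, no password on the command line). Host, cluster and
# path values are assumptions.

ORACLE_BASE=${ORACLE_BASE:-/u01/app/oracle}
SHARED_DEPLOY=$ORACLE_BASE/admin/shared/deploy
ADMIN_URL=${ADMIN_URL:-t3://adminhost.example.internal:7001}
# Encrypted credential files created once with WLST storeUserConfig(); they keep
# the admin password out of ps output and shell history.
USER_CONFIG=$ORACLE_BASE/admin/.wlsconfig/deployer.config
USER_KEY=$ORACLE_BASE/admin/.wlsconfig/deployer.key

# under_shared_deploy PATH -> exit 0 when PATH lies inside SHARED_DEPLOY, so
# every cluster member can read the archive in NOSTAGE mode
under_shared_deploy() {
    case $1 in
        "$SHARED_DEPLOY"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# deploy_cmd APP ARCHIVE CLUSTER [PLAN] -> prints the Deployer command line,
# or fails when the archive is outside the shared deploy directory
deploy_cmd() {
    app=$1 archive=$2 cluster=$3 plan=$4
    if ! under_shared_deploy "$archive"; then
        echo "refusing: $archive is not under $SHARED_DEPLOY" >&2
        return 1
    fi
    cmd="java weblogic.Deployer -adminurl $ADMIN_URL -userconfigfile $USER_CONFIG -userkeyfile $USER_KEY"
    cmd="$cmd -deploy -name $app -source $archive -targets $cluster -nostage"
    if [ -n "$plan" ]; then cmd="$cmd -plan $plan"; fi
    printf '%s\n' "$cmd"
}

# undeploy_cmd APP -> the matching undeploy command, same credential handling
undeploy_cmd() {
    printf 'java weblogic.Deployer -adminurl %s -userconfigfile %s -userkeyfile %s -undeploy -name %s\n' \
        "$ADMIN_URL" "$USER_CONFIG" "$USER_KEY" "$1"
}

main() {
    # Constructed values: the application name, archive and plan are examples.
    cmd=$(deploy_cmd OrderService "$SHARED_DEPLOY/OrderService.ear" soa_cluster \
                     "$SHARED_DEPLOY/plans/OrderService-plan.xml") || return 1
    echo "$cmd"
    echo "# to execute: source \$WL_HOME/server/bin/setWLSEnv.sh, then: eval \"\$cmd\""
}

main "$@"
```

    Keeping the whole invocation in a script is what makes the "no console deployments in production" rule enforceable: the same command runs in every environment and the console is left for lower environments and ad hoc support, as the previous slide recommends.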

  • Slide 19 of 34

    Backups

  • Slide 20 of 34

    Environment backup: how often do we need it?

    The following lists some of the common scenarios in a typical deployment that require performing a backup

    After WLS is installed and a domain is created

    Before and after making configuration changes to a component or cluster

    Prior to deploying a custom pure Java EE application

    After any major architectural changes to deployment architecture

    Before and after product binary files are patched or upgraded

    Important - Backup Embedded LDAP (Set it up through console)

    Scheduled backups on a nightly basis or as needed, or both

  • Slide 21 of 34

    Typical Backup Schedule

    Component / backup schedule / backup type / comments:

    Oracle system files: monthly, online

    JDK: monthly, online

    Middleware Home: monthly, online

    JMS file store: never (recreate if recovery is needed; data loss or inconsistency may occur)

    Transaction logs: never (recreate if recovery is needed)

    SOA domain: daily, online (online backups are good as long as no changes to the domain have been made)

    Database: daily, online
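    As an added example (not the presenter's script), the following implements the "SOA domain: daily, online" row: it archives one domain home while leaving out the JMS file stores and transaction logs that the table says should be recreated rather than restored, and then verifies the archive. The default store location servers/<name>/data/store is WebLogic's layout; the "tlogs" and "tmp" directory names, BACKUP_ROOT and the archive naming are assumptions.

```sh
#!/bin/sh
# Added example, not the presenter's script: online backup of one domain home
# following the schedule table (domain daily; JMS file stores and transaction
# logs excluded). BACKUP_ROOT, "tlogs", "tmp" and the naming are assumptions.
# The embedded LDAP under servers/AdminServer/data/ldap is inside the domain
# home, so it is included automatically.

BACKUP_ROOT=${BACKUP_ROOT:-/u01/backups/domains}

# archive_path DOMAIN_HOME STAMP -> where this run's archive is written
archive_path() {
    printf '%s/%s-%s.tar.gz\n' "$BACKUP_ROOT" "$(basename "$1")" "$2"
}

# backup_domain DOMAIN_HOME [STAMP] -> writes the archive and prints its path.
# Take it while the domain is quiet: the table notes an online backup is only
# good if no configuration changes are made meanwhile.
backup_domain() {
    home=$1
    stamp=${2:-$(date +%Y%m%d-%H%M%S)}
    out=$(archive_path "$home" "$stamp")
    mkdir -p "$BACKUP_ROOT"
    # Options before operands so the same line works with GNU tar and bsdtar;
    # -C makes members relative to the domain's parent directory.
    tar --exclude='*/data/store' --exclude='*/tlogs' --exclude='*/tmp' \
        -czf "$out" -C "$(dirname "$home")" "$(basename "$home")"
    printf '%s\n' "$out"
}

# archive_contains ARCHIVE PATTERN -> exit 0 when some member path matches
archive_contains() {
    tar -tzf "$1" | grep -q -- "$2"
}

# verify_backup ARCHIVE -> exit 0 when the archive holds the domain config and
# the embedded LDAP data but none of the excluded runtime stores
verify_backup() {
    archive_contains "$1" 'config/config.xml' || return 1
    archive_contains "$1" 'data/ldap/' || return 1
    if archive_contains "$1" 'data/store'; then return 1; fi
    if archive_contains "$1" '/tlogs/'; then return 1; fi
    return 0
}

# Usage: backup_domain.sh /path/to/domain_home
if [ $# -gt 0 ]; then
    out=$(backup_domain "$1") && verify_backup "$out" && echo "verified: $out"
fi
```

    Schedule it nightly as the slide suggests, and keep the verification step: a backup that silently includes the file stores will, on restore, reintroduce the stale JMS messages and transaction records the table warns about.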

  • Slide 22 of 34

    Configuration File Backup

  • Slide 23 of 34

    Configuration File Backup (cont'd)

  • Slide 24 of 34

    Administration

  • Slide 25 of 34

    BAU activities

    Starting and stopping a managed server

    Don't use both the command line and the console for an operation. Use one or the other so that the console reflects the accurate server state

    User management

    Prefer Enterprise AD or LDAP

    Patching/upgrading

    Don't install a patch just because it was released and recommended by Oracle

    Node Manager facts

    Not a must for every environment

    Uses only default values unless server startup properties are defined

    If the domain is not SSL enabled, there is no point having Node Manager (NM) encryption enabled

    Use nmEnroll() to enroll new servers for Node Manager

  • Slide 26 of 34

    Security

  • Slide 27 of 34

    Enterprise Security Requirements

    Secure Servers

    Prevent Direct access to

    o Web Tier

    o App Tier

    o DB Tier

    Limit Services Exposed

    Isolate Tiers

    Secure Services

    Authorized users only

    Achieved by

    Network Port restrictions

    Access Management

  • Slide 28 of 34

    Security Best Practices

    Control Access to OFMW Resources

    Create a separate OS user for OFMW and limit access to $MW_HOME

    Avoid running the server under a privileged account

    If OHS needs to run on port 80, use sudo privileges to start

    Enable security auditing

    Use connection filters

    Security roles and security policies protect WebLogic resources at the domain, application, and application-component level. Connection filters let you deny access at the network level.

    Prevent Denial of Service attacks

    Configure the message timeout to less than the default of 60 seconds

    Restrict the size of the message (default is 10MB)

    Limit the maximum open sockets (if necessary)
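    The audit below is an added example, not the presenter's script: it reads a domain's config.xml and reports whether a connection filter is configured and, per server, whether the complete message timeout and maximum message size are still at or above the WebLogic defaults this slide says to tighten. The element names complete-message-timeout, max-message-size, connection-filter and connection-filter-rule are assumed from WebLogic's config.xml naming of the CompleteMessageTimeout, MaxMessageSize and ConnectionFilter attributes (check them against your own config.xml); the sample document is constructed for the example.

```sh
#!/bin/sh
# Added example, not the presenter's script: audit config.xml for the
# connection filter and the per-server DoS settings on this slide. Element
# names are assumed from WebLogic's config.xml conventions; the sample
# document below is constructed.

SAMPLE_CONFIG='<domain>
  <name>soa_domain</name>
  <security-configuration>
    <connection-filter>weblogic.security.net.ConnectionFilterImpl</connection-filter>
    <connection-filter-rule>10.20.0.0/16 * * allow t3 t3s http https</connection-filter-rule>
    <connection-filter-rule>0.0.0.0/0 * * deny</connection-filter-rule>
  </security-configuration>
  <server>
    <name>AdminServer</name>
    <complete-message-timeout>30</complete-message-timeout>
    <max-message-size>2000000</max-message-size>
  </server>
  <server>
    <name>soa_server1</name>
    <ssl><name>soa_server1</name></ssl>
    <complete-message-timeout>120</complete-message-timeout>
  </server>
</domain>'

# write_sample FILE -> saves the constructed config.xml to FILE
write_sample() { printf '%s\n' "$SAMPLE_CONFIG" > "$1"; }

# server_names FILE -> one line per <server> (its first <name>)
server_names() {
    awk '/<server>/ { inside = 1 }
         /<\/server>/ { inside = 0 }
         inside && match($0, "<name>[^<]*</name>") {
             print substr($0, RSTART + 6, RLENGTH - 13); inside = 0 }' "$1"
}

# server_setting FILE SERVER ELEMENT -> configured value, or "default" when the
# element is absent and WebLogic falls back to its built-in default
server_setting() {
    awk -v srv="$2" -v el="$3" '
        /<server>/ { inside = 1; cur = "" }
        /<\/server>/ { inside = 0 }
        inside && cur == "" && match($0, "<name>[^<]*</name>") {
            cur = substr($0, RSTART + 6, RLENGTH - 13) }
        inside && cur == srv && match($0, "<" el ">[^<]*</" el ">") {
            print substr($0, RSTART + length(el) + 2, RLENGTH - 2 * length(el) - 5)
            found = 1 }
        END { if (!found) print "default" }' "$1"
}

# connection_filter_configured FILE -> exit 0 when a filter class and at least
# one rule are present (the slide's network-level deny)
connection_filter_configured() {
    grep -q '<connection-filter>' "$1" && grep -q '<connection-filter-rule>' "$1"
}

# dos_findings FILE -> one line per server setting still at or above the
# WebLogic default (60 s timeout, 10 MB message size)
dos_findings() {
    for s in $(server_names "$1"); do
        t=$(server_setting "$1" "$s" complete-message-timeout)
        m=$(server_setting "$1" "$s" max-message-size)
        [ "$t" = default ] && t=60
        [ "$m" = default ] && m=10000000
        [ "$t" -ge 60 ] && echo "$s: complete-message-timeout $t (slide: below 60 s)"
        [ "$m" -ge 10000000 ] && echo "$s: max-message-size $m (slide: below the 10 MB default)"
    done
    return 0
}

# count_findings FILE -> number of findings
count_findings() { dos_findings "$1" | wc -l | tr -d ' '; }

main() {
    f=$(mktemp); write_sample "$f"
    if connection_filter_configured "$f"; then echo "connection filter: configured"
    else echo "connection filter: MISSING"; fi
    dos_findings "$f"
    rm -f "$f"
}

main "$@"
```

    Point it at the real $DOMAIN_HOME/config/config.xml of each environment; servers that never had the value set are the easy ones to miss, because the defaults are not written to the file, which is why the audit reports "default" as a finding rather than skipping it.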

  • Slide 29 of 34

    Security Best Practices

    Use Virtual Server names

    Separate Internal and external traffic

    Ex: blogint.raastech.com vs blog.raastech.com

    Separate admin and application traffic

    Keep the DNS/VIP names application/function specific

    Use separate Internal/External DNS entries

    Use Firewalls/Load balancers

    SSL Termination

    Expose Virtual Servers/Hosts

  • Slide 30 of 34

    Console and EM Access through LB (Ex. F5 BIG IP)

    Create a filtering iRule on the BIG IP Load Balancer to disallow access to WL Console and EM. If you are using any other Load balancer devices, create a custom ACL accordingly.

    For example, to create the filtering iRule

    On the Main tab, expand Local Traffic, then click iRules. The iRules screen opens

    In the upper right portion of the screen, click the Create button. The new iRule screen opens

    In the Name box, enter a name for your iRule, e.g. oracle-soa-filter

    In the Definition section, copy and paste the following iRule:

    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/console" } { HTTP::respond 403 content "HTTP Error 403 - Forbidden" }
        if { [HTTP::uri] starts_with "/em" } { HTTP::respond 403 content "HTTP Error 403 - Forbidden" }
    }
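    As an added example (not the presenter's script), the following checks from outside that the load-balancer rule really answers 403 for the administration paths, and that its prefix matching does not also block application paths: starts_with "/em" matches any URI beginning with "/em", so an application context such as "/employees" would be blocked too. Probe through the virtual server, since the rule lives on the load balancer and a request sent straight to a managed server proves nothing. The paths /console and /em and the 403 response are from the slide; the host names, the constructed public paths and the curl-based probe are assumptions.

```sh
#!/bin/sh
# Added example, not the presenter's script: verify the load-balancer rule
# from outside. /console, /em and 403 are from the slide; the host names,
# PUBLIC_PATHS and the curl probe are assumptions. FETCH names the
# "URL -> status code" function so another probe can be substituted.

ADMIN_PATHS='/console /console/ /em /em/'
PUBLIC_PATHS='/ /employees/'          # constructed: an app context starting with "/em"
FETCH=${FETCH:-curl_status}

# curl_status URL -> HTTP status code; curl prints 000 when no response arrived
curl_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1" 2>/dev/null || true
}

# status_of BASE PATH -> status code for BASE+PATH via the configured probe
status_of() { "$FETCH" "$1$2"; }

# audit_admin_paths BASE -> prints a line per path and returns how many admin
# paths were NOT answered with 403 (0 = the rule is effective)
audit_admin_paths() {
    failures=0
    for p in $ADMIN_PATHS; do
        code=$(status_of "$1" "$p")
        if [ "$code" = 403 ]; then echo "blocked     $code $1$p"
        else echo "REACHABLE   $code $1$p"; failures=$((failures + 1)); fi
    done
    return $failures
}

# audit_public_paths BASE -> returns how many application paths the rule
# blocked by accident through its prefix match
audit_public_paths() {
    failures=0
    for p in $PUBLIC_PATHS; do
        code=$(status_of "$1" "$p")
        if [ "$code" = 403 ]; then echo "OVERBLOCKED $code $1$p"; failures=$((failures + 1))
        else echo "open        $code $1$p"; fi
    done
    return $failures
}

main() {
    base=${1:?usage: $0 https://external-virtual-server}
    audit_admin_paths "$base"; a=$?
    audit_public_paths "$base"; b=$?
    echo "admin paths reachable: $a, application paths over-blocked: $b"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

    Run it against the external virtual server name after the iRule is saved, and again after any load-balancer change; if the application-path check reports an over-block, tighten the iRule prefix (for example "/em/" instead of "/em") rather than removing the rule.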

  • Slide 31 of 34

    Summary

  • Slide 32 of 34

    Summary

    Plan your environment based on the key business factors

    Functionality

    Availability

    Throughput

    Future Growth / Easy Scaling

    Implement the best practices starting with lower environments

    Automate every task that can be automated

    Secure environments to avoid non-functional and human breaches

    All environments need to have a backup and Recovery plan

  • Slide 33 of 34

    Q/A

  • Slide 34 of 34

    Contact Information

    Arun Reddy

    Technical Director

    [email protected]