EBS OCI architecture2.0 linkedin.pptx

Lift and Shifted 20TBOracle EBS to
Cloud (OCI)
Oracle E-Business Suite
RunningOracle E-BusinessSuite onOracleCloud Infrastructure
Ref:Oracle Lift andShift
RunningOracleE-BusinessSuiteonOracleCloudInfrastructure | Manjunath Narayanaiah
1

Oracle’s Investments for EBSCustomers
BuildingUpon theStrengths of EBS as an Integrated,GlobalSuite
RunningOracleE-BusinessSuiteonOracleCloudInfrastructure| Manjunath Narayanaiah
2

What isOracle E-BusinessSuite onOracleCloud
RunningOracleE-BusinessSuiteonOracleCloudInfrastructure| Manjunath Narayanaiah
3

EBS onOracleCloud Infrastructure -WorkloadUseCases
RunningOracle E-BusinessSuite on OracleCloudInfrastructure | Manjunath Narayanaiah
4

WhyCustomersSelectOracleCloud Infrastructure (OCI) for EBSWorkloads
5

Oracle E-BusinessSuite onOracleCloud
KeyManagement
6

Oracle E-BusinessSuiteCloud Manager
UI for EBS Provisioning, Lift & Shift, and Lifecycle Management
7
• Environment deployment
• One-Click provisioning
 Marketplace image for E85 12.2.x with Demo Database
• Advanced provisioning
 Compute
 VM DB Systems (single-node or RAC)
 Exadata DB Systems.
• Lift and Shift
 This capability enables you to migrate on-premise EBS environments
• Oracle Enterprise Command Center (ECC) Framework Marketplace image
• Lifecycle management
— Optimized backup and restore
— Snapshot-based cloning of EBS with Database in Compute
— Support for databases that have been upgraded to DB 19c in Compute
— Planned: Upgrade on DB Services, Elasticity, DR, Refresh and many more

Oracle E-BusinessSuiteCloudAutomationTools
RunningOracle E-BusinessSuite on OracleCloudInfrastructure | Manjunath Narayanaiah 8

Oracle E-BusinessSuiteCloud Manager Interfaces

Deployment - Separation of Duties

Example ofTenancyConfiguration performed byTenancyAdministrators

NetworkConfiguration by NetworkAdministrators

Cloud Manager Deployment and Network ProfileConfig by EBSCloud ManagerAdministrators

Cloud Manager Deployment and Network ProfileConfig by EBSCloud ManagerAdministrators
14

Defining Network Resources performed by NetworkAdministrators
15

Deployment
16

Oracle E-Business Suite Provisioning
One - Click and Advanced Provisioning from EBS Cloud Manager
17

Oracle E-Business Suite Provisioning
ProvisioningOptions
18

Oracle E-Business SuiteCloud Manager
One-Click andAdvanced Provisioning
19

Advanced Provisioning
20

Advanced Provisioning
21

Oracle E-Business Suite Migration toOCI
Lift andShift withOracle E-Business Suite automation tools
22

Lift andShift fromOn-Premises toOracleCloud
E-BusinessSuite Migration Flow
23

Lift andShift fromOn-Premises toOracleCloud
24

Oracle E-BusinessSuite Lift andShift
25

Oracle E-BusinessSuite Lift andShift
Select backup created fromOn-Premises environment using EBSCloud Backup Module
26

Provisioning from Backup
27

EBS OCI: HA Security Architecture with Single Availability Domain
28
HPHC - NTT Data |

Oracle E-Business Suite Security
Oracle E-Business Suite Security in OCI – Securing Data
RunningOracleE-BusinessSuiteonOracleCloudInfrastructure| ManjunathNarayanaiah 29

Securing Data
Oracle E-Business Security
• Encryption, keys, and HSM
• OCI vault and secrets
• OCI storage options
• Private endpoints
• Data Safe
Running Oracle E-Business Suite on Oracle Cloud Infrastructure | Manjunath Narayanaiah 30

Securing Data
E-BusinessSecurity: Encryption, keys, and HSM: Encryption
31
Encryption
• Encryption is used to transform plain text data into ciphertext.
• Decryption is used to transform ciphertext into plain text.
• Encryption key/key pair is generated for a specific algorithm that can be used for encryption or
digital signing.
• AES symmetric keys:
 Same key encrypts and decrypts data. cannot be used for digital signing
• RSA asymmetric keys:
 Public key encrypts and private key decrypts data. can be used for digital signing
• ECDSA keys:
 Can be used only for digital signing. not for encryption and decryption of data

Securing Data
E-BusinessSecurity: Encryption, keys, and HSM: HardwareSecurity Module (HSM)
32
• HSM is a physical computing device:
• A temper-evident hardware
• Used to manage digital keys
• Performs cryptographic functions
• OCI vault services uses HSMs that meet Federal Information Processing Standards (FIPS)
140-2 Security Level 3 security certification:
• Tamper-resistant
• Requires identity-based authentication
• Deletes keys from device when it detects tampering

Securing Data
E-BusinessSecurity:Types of Keys inVault
33
• Master encryption keys
 Create master encryption keys or import master encryption keys into vault.
 Master encryption keys are used to generate data encryption keys.
• Data encryption keys
 Generated by the master encryption key, used to encrypt data

Securing Data
E-BusinessSecurity:Types of Keys inOCIVault
34
• Wrapping keys
 Used to encrypt content that is imported content into the vault
 Provided part of the vault service free of cost

Securing Data
E-BusinessSecurity:Types of Keys inOCIVault : Master Encryption Key – Protection Modes
35
• Master encryption keys can have one of two protection modes.
• HSM
 Such keys are stored in an HSM, cannot be exported from HSM.
 All cryptographic operations happen inside the HSM.
• Software
 It's stored on a server, can be exported to perform cryptographic operations.
 It is software protected while at rest and is encrypted by a root key on HSM.

Securing Data
E-BusinessSecurity:Types of Keys inOCIVault : Master Encryption Key – Protection Modes
36
• Master encryption keys can have one of two protection modes.
• HSM
 Such keys are stored in an HSM, cannot be exported from HSM.
 All cryptographic operations happen inside the HSM.
• Software
 It's stored on a server, can be exported to perform cryptographic operations.
 It is software protected while at rest and is encrypted by a root key on HSM.

Securing Data
E-BusinessSecurity:OCIStorageOptions
37
• Local NVMe devices in Dense l/O Shapes:
 Provide high performance. but not protected by OCI
 Protect application data in dense l/O shapes from device failure, instance failure, and
availability domain failure using 0/5 raid tools
• Block storage volumes (boot and block) are highly available within an availability domain.
 Clone volumes within an availability domain.
 Create block storage backup custom policies to automatically take backups and also
replicate backups to another region for disaster recovery capabilities.
 Use volume groups to create point—instime and crash-consistent backups and clones.

Securing Data
E-BusinessSecurity:OCIStorageOptions
38
• File Storage
 File systems are highly available within an availability domain.
 Use snapshots (copy on write) available for file systems to protect from user actions.
 Use scripts / tools to copy the data to Object Storage or anotherAD.
• Object Storage
 Objects are highly available within a region (replicated to all availability domains in the
region).
 Set retention policies to avoid accidental deletion.
 Use replication policies or copy specific objects to another region to protect data from
region failures.

Securing Data
E-BusinessSecurity:OCIStorageOptions: BlockStorage
39

Securing Data
E-BusinessSecurity:OCIStorageOptions: FileStorage
40

Securing Data
E-BusinessSecurity:OCIStorageOptions:ObjectStorage
41

Securing Data
E-BusinessSecurity:OCIStorageOptions:ObjectStorage
42

Securing Data
E-BusinessSecurity:OCIServicesUseVault for Encryption
43

Securing Data
E-BusinessSecurity: Data Protection – Best Practices
44
• Encrypt Data
 Block storage volumes. file systems, Object Storage objects , Exadata Cloud Service , autonomous
container database, and streaming are by default encrypted by Oracle-managed keys.
 An Oracle-managed vault has a master encryption key. which provides a data encryption key to the
respective service to encrypt data
 Thus, any data in these services are encrypted by default.

Securing Data
E-BusinessSecurity: DataSafe
45
• Fully integrated Cloud Service focused on protecting sensitive and regulated data in Oracle databases
 Cloud databases &
 On-premises databases
• Includes features such as
 Security assessment
 User assessment
 Data discovery
 Data masking
 Activity auditing

Securing Data
E-BusinessSecurity: DataSafe :ArchitectureOptions
46
• Oracle Data Safe service is primarily a database and a web application.

Securing Data
E-BusinessSecurity: DataSafe : Private Endpoints
47
• It is a network endpoint in aVCN.
• Created in the sameVCN where you have OCI databases provisioned:
 DB systems and autonomous databases
 Only one private endpoint can be created in aVCN.
 The private endpoint can be in any subnet of the sameVCN.
• The private endpoint needs access to the target database.
 Using rules in a network security group in theVCN

Securing Data
E-BusinessSecurity: DataSafe : Private Endpoints:Architecture
48
• Private endpoint is a network endpoint within theVCN, through which Data Safe can interact with the
databases in OCI.

Securing Data
E-BusinessSecurity: DataSafe : SecurityAssessment
49
• Initiate security assessment for a specific database from Data Safe.

Securing Data
E-BusinessSecurity: DataSafe : UserAssessment
50
• Initiate User Assessment for a specific database from Data Safe.

Securing Data
E-BusinessSecurity: DataSafe : Data Discovery
51
• Initiate Data Discovery for a specific database from Data Safe.

Securing Data
E-BusinessSecurity: DataSafe : Data Masking
52
• Initiate Data Masking for a specific database from Data Safe.

Securing Data
E-BusinessSecurity: DataSafe :ActivityAuditing
53
• Enable Activity Auditing andView reports for a specific database from Data Safe.

Oracle E-Business: Security Posture Management

Security Posture Management
E-BusinessSecurity
55
• Cloud Guard and Security Zones
• EnableCloud Guard
• Implement security controls and policy management
• Report on security

E-BusinessSecurity:What is Needed
56

E-BusinessSecurity : CloudGuard
57
An OCI service that helps identify and fix issues to achieve and maintain a strong
security posture across all your OCI global regions:
• Monitor (reactively)
• Identify
• Achieve and
• Maintain a strong security posture

E-BusinessSecurity : CloudGuard:SecurityZones
58
ComplementsCloud Guard:
• CloudGuard detects after some configuration or action happens (reactive).
• SecurityZones can prevent some insecure actions from ever happening (blocking).
Provides strong security policy sets as “recipes"
• Aligns with most compliance objectives and security requirements
Policies are enforced when insecure actions are attempted and blocked from happening.
• All attempts are logged.
• All blocked actions include information on what happened and how to correct the attempted
action.

E-BusinessSecurity : CloudGuard
59
• AnOCI service that helps customers to maintain a strong security posture.
• CoversOCI services:Compute. Networking, lAM.Object Storage. LBaaS. DBaaS. etc.

E-BusinessSecurity : CloudGuard: Reporting Region
60
• The reporting region for Cloud Guard is the default region of the tenancy.
 There is no effect of changing the region in the region drop-down list.
 Other regions that are monitored are called monitored regions.
• Targets in all regions can be monitored by Cloud Guard.
• Integration with Events and Notification services happen only in Reporting Region.

E-BusinessSecurity : CloudGuard:Terms
61

E-BusinessSecurity : CloudGuard:Concepts
62
• Target
 Defines the scope of a compartment (all resources in it) that Cloud Guard should check
• Detector
 Performs checks and identifies potential security problems based on their type and configuration
 Organized as detector recipes with rules
• Detector rules
 Provides a specific definition of a class of resources, with specific actions or configurations. that cause a detector to
report a problem.
• Detector recipes ( collection of Detector rules)
 Provides the baselines for examining the resources and activities in the target

E-BusinessSecurity : CloudGuard:Concepts
63
• Problem
 Any action or setting on a resource that could potentially cause a security problem
• Responder
 An action that Cloud Guard can take when a detector has identified a problem
• Responder Rules
 Define the specific actions to take. If any one responder rule is triggered. it triggers the responder.
• Responder recipes (Collection of Responder Rules)
 Define the action or set of actions to take in response to a problem that a detector has identified

E-BusinessSecurity : CloudGuard: Problem LifeCycle
64
• Problems can be: Database is not backed up aut
 Remediated - Fixed using Cloud Guard responder
 Resolved - Fixed by other process
 Dismissed - ignored/closed
• if Cloud Guard detects an issue again for an Open (unresolved) problem. it will update the problem history but
will not create a new problem.
• If Cloud Guard detects an issue for a previously resolved configuration problem, it will re-open the issue and
update the history.
• if Cloud Guard detects an issue for a previously dismissed configuration problem, it
• will update the history.
• If Cloud Guard detects an issue for a previously resolved/dismissed activityproblem, it will create a new
problem.
• Fix the problem or fix the baseline

E-BusinessSecurity : CloudGuard: EnableCloudGuard
65
• Enable Cloud Guard in the tenancy.
• lAM policies are required to allow Service Cloud Guard to read/use various resources in the tenancy.
• Configure OCI lAM groups who will have Cloud Guard related privileges.
 Make OCI lAM users who need these privileges members of respective OCI lAM groups.
 Configure OCI lAM policies to grant privileges to appropriate OCI lAM groups.
• In OCI Menu. go to Security -> Cloud Guard and enable Cloud Guard.
 You can enable across tenancy
 Or only specific compartments
• Choose detector recipe.
• Enable Cloud Guard.
• As an ongoing activity, customize the Cloud Guard configuration as required.

E-BusinessSecurity : CloudGuard:TypicalSecurity roles
66

E-BusinessSecurity : CloudGuard: ManagingTargets
67
• Add targets to expand or change the scope of what Cloud Guard monitors.
 Target can be entire tenancy or any combination of compartments.
• Change the detector and responder recipes added to a target.
• Change the settings for individual rules in the recipe.

E-BusinessSecurity : CloudGuard: Managing Detector Recipes
68
• View, clone, and modify detector recipes to fit the specific security needs of your environment.
 Oracle-Managed recipes - you cannot modify them
 User-Managed recipes - cloned fromOracle-Managed and can be modified by you
• Each detector recipe consists of a set of detector rules (which report a problem).
• Compartment Inheritance for recipes
 Apply detector recipes to compartments, also inherited to its child compartments.
• Inheritance for Detector Rules fields (lower-level rules override)
• Oracle. tenant. target. descendant compartments of a target

E-BusinessSecurity : CloudGuard: Managing Responder Recipes
69
• View, clone, and modify responder recipes to fit the specific security needs of your environment.
• Each responder recipe uses multiple responder rules. each of which defines the specific actions to
take.
• CloneOracle-Managed Responder recipes and createUser-Managed Responder recipes to fine-
tune the recipes.

E-BusinessSecurity : CloudGuard: Managing Lists
70
• A managed list is a reusable list of parameters that makes it easier to set the scope for detector
and responder rules.
• A managed list is a tool that can be used to apply certain configurations to detectors.
• A predefined "TrustedOracle lP address space" list contains all the Oracle lP addresses that you
want to regard as trusted when you define rules for detectors and responders.
• CloudGuard also lets you define your own managed lists as needed.

E-BusinessSecurity : CloudGuard: Processing Reported Problems
71
Processing problems. which is at the core of the functionality that CloudGuard provides. involves:
• Prioritizing problems to focus on highest risks
• Examining problem details to determine what's happening
• Resolving each problem to ensure that risks are countered and "false alarms” do not continue in
the future
• Examining problem details to determine what's happening.
 Problem page
• Resolving each problem to ensure that risks are countered and "false alarms" do not continue in
the future
 ResponderActivity page

E-BusinessSecurity : CloudGuard: Notifications
72
• Use OCI Events and Notifications services to send notifications, whenever Cloud Guard detects a problem for
which you want to be notified.
• Use the Notification Responder - Cloud Event that can emit problem details to Events Service.
• The Cloud Event responder rule is part of the Responder recipe, which needs to be attached to a
corresponding target or targets
• You must set up Events and Notifications from your Cloud Guard Reporting Region. which aggregates
problems from the monitored regions and send out the Cloud Event from the Reporting Region.
• Ensure that the Compartment selected for the Event rule is either the compartment where the resource
exists. or a parent of that compartment
• If you are processing problems entirely within Cloud Guard, you do not need to configure notifications.

E-BusinessSecurity : CloudGuard: Integration with Events and NotificationsServices
73

E-BusinessSecurity : SecurityZone
74
• An OCI service that supplements Cloud Guard
• Customers use predefined security zone policies (provided by Oracle).
• Enforce (proactively) those policies on OCI resources in a compartment.

E-BusinessSecurity : SecurityZone:Tenets
75
• Security Zones are special - they contain sensitive data and resources.
• Security Zones are restrictive by design.
• Public access is evil - sensitive data should be protected from the Internet as much as possible.
• Security Zones make it difficult to create weak security pastures and configurations.
• Compartments are associated with a security zone only when the compartment is created.
• For GA, any child compartments are part of the same security zone as the parent compartment.

E-BusinessSecurity : SecurityZoneConcepts
76
• Security Zone
 An association between a compartment and a security zone recipe
• Security Zone Recipe
 A collection of security zone policies
• Security Zone Policy
 A security requirement for resources in a security Zone

77
OracleSecurityZones
An association between a compartment and a security zone recipe. Resource operations in a security zone are
validated against all policies in the recipe.
Security zone recipe
A collection of security zone policies.Your tenancy has a predefined recipe named Maximum Security Recipe,
which includes all available security zone policies. Oracle manages this recipe, and you can’t modify it.

78
Security zone policy
A security requirement for resources in a security zone. In general. security zone policies align with these
security principles:
• Resources can't be moved from a security zone to a standard compartment because it might be less secure.
• Data in a security zone can't be copied to a standard compartment because it might be less secure
• All the required components for a resource in a security zone must also be located in a security zone.
Resources that are not in a security zone might be vulnerable. For example. a compute instance in a security
zone can't use a boot volume that is not in a security zone.
• Resources in a security zone must not be accessible from the public Internet.
• Resources in a security zone must be encrypted using customer-managed keys.
• Resources in a security zone must be regularly and automatically backed up.
• Resources in a security zone must use only configurations and templates approved by Oracle.

79
• Enforce (proactively) security policies on OCI resources in a compartment.

E-BusinessSecurity : SecurityZone Recipes
80
• A recipe is a collection of security zone policies.
• When you create/manage a OCI resource in a security zone. OCI automatically validates the policies within
the recipe that is assigned to the security zone.
• Oracle has a predefined recipe named Maximum Security recipe.
 You cannot edit/ manage this recipe.

E-BusinessSecurity : SecurityZone Policy Principles
81
• OCI validates resource management tasks with security policies.
 If a policy is violated. then the operation is denied.
• Each policy impacts one or more OCI resources and are categorized by security principles:
 Restrict resource movement
 Restrict resource association
 Deny public access
 Require encryption
 Ensure data durability
 Ensure data security
 Use only configurations approved by Oracle

E-BusinessSecurity : ManagementSecurityZones
82
• You can create and delete security zones.
 Each security zone is associated with a single compartment.
 The compartment name is the same as the security zone.
• Identify the policies to be enforced in security zones.
 Each security zone is assigned a security recipe.
• A security zone can have sub/children compartments that are also security zones.

E-BusinessSecurity : SecurityZones: Policy Principles
83
• Any resource created within a security zone will have to abide by the security policies.
Examples:

E-BusinessSecurity : SecurityZones: IAM Policy
84
• Within tenancy, create OCI lAM policies to control who has access to security zones and recipes.
• Specify who has what type of control.

Oracle E-Business Suite Lifecycle Management
Oracle E-Business Suite Lifecycle Management with EBS Cloud Manager

Oracle E-Business SuiteCloning onCompute
LaunchCloningActivity
86

FastClone EBS environmentCompute toCompute
87

Clone Details
88

Review andSubmitCloningActivity
89

Oracle E-Business Suite Backup and Restore
90

91

Create a Backup
92

Scheduling of Backups —Create Policy
93

Scheduling of Backups —Attaching Backup Policv to EBS Environment
94

Provisioning from Backup
95

Oracle E-Business
Multi-ZoneSupport - DMZ+
• iSupplier
• iStore

Oracle E-Business
Multi-ZoneSupport — DMZ+
97

Multi-ZoneSupport
DemilitarizedZone (DMZ)
98

Multi-ZoneSupport
Functional Redirection perZone — FunctionalAffinity
99

EBS Environment Elasticity
Adding and DeletingApplicationTier Nodes
100

AddingApplicationTier Nodes
101

DeletingApplicationTier Nodes
102

Extensibility Framework
Engine andTasks

Engine andTasks
104

Creating aCustomTask
105
RunningOracleE-BusinessSuiteonOracleCloudInfrastructure| ManjunathNarayanaiah

Extending anActivity Plan
106

Advanced Lift and Shift - Reduced down time
Provisioning andConfiguration Process

Advanced Lift andShift - Reduced down time
108

Advanced Lift andShift - Reduced down time
109

Advanced Lift andShift
Promote EBSStandby into Production
110

111

112

FeatureSummary - 20.2.1
113

Oracle E-BusinessSuite onOracleCloudAutomation
Roadmap
114

Questions
115

Appendix
116

EBS OCI architecture2.0 linkedin.pptx

Recommended

Recommended

More Related Content

Similar to EBS OCI architecture2.0 linkedin.pptx

Similar to EBS OCI architecture2.0 linkedin.pptx (20)

Recently uploaded

Recently uploaded (20)

EBS OCI architecture2.0 linkedin.pptx