
Oracle Fusion Middleware Infrastructure Best Practices


MOUS 13

Published in: Technology


  1. Oracle Fusion Middleware Infrastructure Best Practices
     Arun Reddy, Technical Director, Raastech
     Schoolcraft College – Vistatech Center, Room Vt460
     November 13, 2013, 2:05pm – 2:50pm
  2. About Raastech
     • Systems integrator founded in 2009
     • Headquartered in the Washington DC area
     • Specializes in Oracle Fusion Middleware
     • Oracle Gold Partner & Reseller
     • Oracle SOA Specialized
     • Certified staff in multiple disciplines
        • OCE, OCA, OCP, ITIL, CISSP, PMP, etc.
     • Continued contributions to the technology community
        • Sponsor and volunteer of numerous users groups
        • Ongoing publishing of books, articles, whitepapers, and blogs
        • Regular presenters at major conferences
     © Raastech, Inc. 2013 | All rights reserved. Slide 2 of 34. raastech.com
  3. About Arun
     • 14+ years of Infrastructure Administration
     • Focus on Oracle Fusion Middleware infrastructure implementation, Security, High Availability, and Disaster Recovery
     • OCA, ITIL, PMP Certified
     • Active WMOUG member/presenter
  4. What is this presentation about?
     • For Oracle Fusion Middleware administrators
     • Covers common infrastructure best practices for:
        • Installations
        • Patching
        • Administration
        • Deployments
        • Security
  5. Why do I need it?
     • I want to reduce the OWFM infrastructure maintenance because I’m tired of opening change requests/change controls
     • To know what I can do differently for my OWFM infrastructure to make it more stable and highly available
     • Is there anything that I’m not doing right with my installations, patching or deployment?
     • I don’t want my phone to ring when I’m watching the Lions game or Breaking Bad
     • “I think the presenter is cool.” My n
  6. Overview
  7. Understanding Oracle Fusion Middleware
     • “Oracle Fusion Middleware” is a misleading term
     • Used to describe middleware products such as:
        • Business Intelligence (e.g., OBIEE, Discoverer)
        • Integration (e.g., SOA Suite, OSB)
        • Identity Management (e.g., Oracle Access Manager)
        • Monitoring (e.g., OEM Grid Control)
     • But usually used to describe a single product:
        • WebLogic Server
  8. WebLogic Server: Foundation for Fusion Middleware
     • WebLogic Server is the core foundation of all Oracle Fusion Middleware products
     [Diagram: OEM Grid Control, OBIEE, Access Manager, SOA Suite, WebCenter Portal and Data Integrator sit on top of Oracle WebLogic Server (Clustering – JNDI – Resource Adapters – JDBC – Security – Self Tuning)]
  9. Oracle WebLogic Server
     • At a glance:
        • Java application server
        • Acquired from BEA
        • Replaces Oracle Application Server 9i/10g
        • Required for almost all Oracle Fusion Middleware products
     • Current releases:
        • Oracle WebLogic Server 11g (10.3.6)
        • Oracle WebLogic Server 12c (12.1.2)
     Note: Majority of OFM products are not yet available for 12c
  10. WebLogic Server Architectural Considerations
     • Typically fronted by WebTier/OHS/Apache
     • Requires JDK (Sun JDK, JRockit, or new JDK7)
     • Requires shared filesystem for cluster (in 11g) for tlogs
     [Diagram: hardware load balancer, three WebTier instances, three WebLogic Server instances, shared file system. Callouts: Single AdminServer to administer entire cluster; Node Manager runs on every server]
  11. WebLogic Server 12c New Features
     • Certified with JDK7
     • Zip distribution is only 164 MB
     • Supports Java EE 6
     • T-Logs can now be database persisted (no shared file system needed)
     • Improved high availability, performance, and disaster recovery
     • 200+ new features
  12. Installations
  13. Operating System Tuning Parameters
     • Proper OS tuning improves system performance by preventing the occurrence of error conditions.
     • Below are some key parameters to consider

     | O/S | Parameter | Description | Default | Proposed |
     |---|---|---|---|---|
     | Linux | tcp_fin_timeout | By reducing the value, TCP/IP releases closed connections faster, providing more resources for new connections. | 60 | 30 |
     | Linux | Backlog connections queue (tcp_max_syn_backlog) | When the server is loaded or has many clients with bad connections, it can result in an increase in half-open connections | 1024 | 4096 |
     | Linux | File Descriptors (open files) | | 1024 | 4096 (32bit), 8192 (64bit) |
     | WIN2008 | MaxUserPort | Under heavy loads it may be necessary to adjust the MaxUserPort. This parameter determines the availability of user ports requested by application | 16383 | 65532 |
     | WIN2008 | Set the power option setting to “High performance” | With High Performance power scheme, processors are always locked at the highest performance state | Balanced | High Performance |
  14. Separation of Binaries and Config
     • Dedicated user and shared group for installations
     • Separate binaries in the Fusion Middleware Home and Configuration directories
        • The binaries include the Oracle WebLogic Home, Oracle JDK, Coherence binaries and any required Fusion Middleware binaries (files/directories are mostly read)
        • The Configuration directories include all Domain homes, application files and nodemanager configuration (files/directories are both read and written at runtime)
     • Advantages
        • Less chance of binary corruption
        • Easy patching
  15. Shared File Systems
     • Use shared file systems for
        • Admin Server
        • JMS Persistent Stores
        • Application Deployments
        • Configuration Plans
        • Tlogs
     • Advantages are
        • Easy Recovery of the admin server
        • Easy Recovery of the XA and JMS transactions
        • Required for Server Migration
  16. Deployments
  17. Deployment Guidelines
     • Do not use Autodeploy for production environments
     • Always deploy to a cluster even if you have a single MS
     • Use deployment/configuration plans
     • Simple approaches that work:
        • WLST (java weblogic.Deployer)
           • My preference
        • Ant Scripts
        • Maven
     • Restrict Admin/EM console for
        • Test / Lower environments
        • Adhoc support requests
  18. Custom Application Deployments
     • Deploy Custom Application deployments on a shared storage
        • Applications are deployed as EAR files to servers or read as exploded directories. Place the archives in a shared directory such as $ORACLE_BASE/admin/shared/deploy
     • In a shared services environment, applications should all be deployed as NOSTAGE
        • Admin server default is STAGE
        • Managed server default is NOSTAGE
        • In NOSTAGE, the application files reside in a location from which all cluster members can initiate a deployment (Good for large or exploded applications)
  19. Backups
  20. Environment Backup – how often do we need it?
     • The following lists some of the common scenarios in a typical deployment that require performing a backup
        • After WLS is installed and a domain is created
        • Before and after making configuration changes to a component or cluster
        • Prior to deploying a custom pure Java EE application
        • After any major architectural changes to deployment architecture
        • Before and after product binary files are patched or upgraded
     • Important: back up the Embedded LDAP (set it up through the console)
     • Scheduled backups on a nightly basis or as needed, or both
  21. Typical Backup Schedule

     | Component | Backup Schedule | Backup Type | Comments |
     |---|---|---|---|
     | Oracle system files | Monthly | Online | |
     | JDK | Monthly | Online | |
     | Middleware Home | Monthly | Online | |
     | JMS file store | Never | - | Recreate if recovery needed. Data loss or inconsistency may occur |
     | Transaction logs | Never | - | Recreate if recovery needed |
     | SOA domain | Daily | Online | Online backups are good as long as no changes to the domain have been made. |
     | Database | Daily | Online | |
  22. Configuration File Backup
  23. Configuration File Backup (contd)
  24. Administration
  25. BAU activities
     • Starting and stopping a managed server
        • Don’t use both command line and console for an operation. Use one or the other for the console to reflect accurate server state
     • User management
        • Prefer Enterprise AD or LDAP
     • Patching/upgrading
        • Don’t install just because it was released and recommended by Oracle
     • Node Manager facts
        • Not a must for every environment
        • Uses only default values unless server startup properties are defined
        • If domain is not SSL enabled, no use having the NM encryption enabled
        • Use nmEnroll() to enroll new servers for Node Manager
  26. Security
  27. Enterprise Security Requirements
     • Secure Servers
        • Prevent Direct access to
           • Web Tier
           • App Tier
           • DB Tier
        • Limit Services Exposed
        • Isolate Tiers
     • Secure Services
        • Authorized users only
     • Achieved by
        • Network Port restrictions
        • Access Management
  28. Security Best Practices
     • Control Access to OFMW Resources
        • Create a separate OS user for OFMW and limit access to $MW_HOME
        • Avoid running the server under a privileged account
        • If OHS needs to run on port 80, use sudo privileges to start
     • Enable security auditing
     • Use connection filters
        • Security roles and security policies protect WebLogic resources at the domain, application, and application-component level. Connection filters let you deny access at the network level.
     • Prevent Denial of Service attacks
        • Configure “Message Timeout” less than default 60 seconds
        • Restrict the size of the message (default is 10MB)
        • Limit the maximum open sockets (if necessary)
  29. Security Best Practices
     • Use Virtual Server names
        • Separate Internal and external traffic
           • Ex: blogint.raastech.com vs blog.raastech.com
        • Separate admin and application traffic
        • Keep the DNS/VIP names application/function specific
        • Use separate Internal/External DNS entries
     • Use Firewalls/Load balancers
        • SSL Termination
        • Expose Virtual Servers/Hosts
  30. Console and EM Access through LB (Ex. F5 BIG IP)
     • Create a filtering iRule on the BIG IP Load Balancer to disallow access to WL Console and EM. If you are using any other load balancer device, create a custom ACL accordingly.
     • For example, to create the filtering iRule
        • On the Main tab, expand Local Traffic, then click iRules. The iRule screen opens
        • In the upper right portion of the screen, click the Create button. The new iRule screen opens
        • In the Name box, enter a name for your iRule. Ex: we can use oracle-soa-filter.
        • In the Definition section, copy and paste the following iRule:

            when HTTP_REQUEST {
                # Refuse the WebLogic Administration Console.
                if { [HTTP::uri] starts_with "/console" } {
                    HTTP::respond 403 content "<html><body><b>HTTP Error 403 - Forbidden</b></body></html>"
                }
                # Refuse Enterprise Manager. starts_with is a prefix match,
                # so any other URI beginning with /em is refused as well.
                if { [HTTP::uri] starts_with "/em" } {
                    HTTP::respond 403 content "<html><body><b>HTTP Error 403 - Forbidden</b></body></html>"
                }
            }
  31. Summary
  32. Summary
     • Plan your environment based on the key business factors
        • Functionality
        • Availability
        • Throughput
        • Future Growth / Easy Scaling
     • Implement the best practices starting with lower environments
     • Automate every task that can be automated
     • Secure environments to avoid non-functional and human breaches
     • All environments need to have a backup and Recovery plan
  33. Q/A
  34. Contact Information
     • Arun Reddy, Technical Director, arun.reddy@raastech.com
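
The Linux rows of the slide 13 table can be checked on a host with a short script. This is an added example, not part of the original deck; the thresholds are the slide's Proposed column, and the optional arguments (an alternate /proc root, an open-files value and a word size) are conveniences of the example.

```bash
#!/usr/bin/env bash
# Added example: audit a Linux host against the "Proposed" column of slide 13.

# read_param FILE -> prints the value, or "unknown" if the file is unreadable
read_param() {
    if [ -r "$1" ]; then cat "$1"; else echo unknown; fi
}

# verdict NAME CURRENT OP WANTED -> OP is -le or -ge; returns 0 when satisfied
verdict() {
    if [ "$2" = unlimited ] && [ "$3" = -ge ]; then
        echo "OK    $1 = $2"; return 0
    fi
    # A non-numeric CURRENT makes the test fail, so it is reported as TUNE.
    if [ "$2" "$3" "$4" ] 2>/dev/null; then
        echo "OK    $1 = $2"; return 0
    fi
    echo "TUNE  $1 = $2 (slide 13 proposes $4)"; return 1
}

# audit_os_tuning [PROC_ROOT] [NOFILE] [BITS]
# Arguments are assumptions of this example; defaults describe the live host.
audit_os_tuning() {
    local root="${1:-/proc}"
    local nofile="${2:-$(ulimit -n)}"
    local bits="${3:-$(getconf LONG_BIT 2>/dev/null)}"
    local want_nofile=4096 rc=0
    if [ "$bits" = 64 ]; then want_nofile=8192; fi

    # Lower is better for tcp_fin_timeout, higher for the other two.
    verdict tcp_fin_timeout \
        "$(read_param "$root/sys/net/ipv4/tcp_fin_timeout")" -le 30 || rc=1
    verdict tcp_max_syn_backlog \
        "$(read_param "$root/sys/net/ipv4/tcp_max_syn_backlog")" -ge 4096 || rc=1
    verdict "open files (${bits}-bit)" "$nofile" -ge "$want_nofile" || rc=1
    return "$rc"
}

# Run against the live host; a non-zero result only means "review these values".
audit_os_tuning "$@" || echo "One or more values differ from the slide's proposals."
```

Run it as the OS user that starts WebLogic, since the open-files limit is per user and per shell.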
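
Once the slide 30 iRule is attached to the virtual server, its effect can be confirmed from a client outside the load balancer. This is an added example, not part of the original deck; lb.example.com is a placeholder host, and the 10-second timeout and the default application path / are assumptions.

```bash
#!/usr/bin/env bash
# Added example: check that the slide 30 filter answers 403 for the admin
# consoles while ordinary application traffic still gets through.
# Usage: ./verify_lb_filter.sh https://lb.example.com [/app/path]

BLOCKED_PATHS="/console /em"   # the two prefixes named in the iRule

# http_status URL -> prints the HTTP status code, or 000 if no response arrived
http_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1" || true
}

# verify_lb_filter BASE_URL [APP_PATH]
# Returns 0 only if every blocked path yields 403 and APP_PATH does not.
verify_lb_filter() {
    local base="${1%/}" app="${2:-/}" rc=0 path code
    for path in $BLOCKED_PATHS; do
        code=$(http_status "$base$path")
        if [ "$code" = 403 ]; then
            echo "PASS  $path -> $code"
        else
            echo "FAIL  $path -> $code (expected 403 from the load balancer)"
            rc=1
        fi
    done
    # A filter that also refuses the application, or an unreachable VIP,
    # is a failure too.
    code=$(http_status "$base$app")
    if [ "$code" = 403 ] || [ "$code" = 000 ]; then
        echo "FAIL  $app -> $code (application traffic should still pass)"
        rc=1
    else
        echo "PASS  $app -> $code"
    fi
    return "$rc"
}

# Only contact a host when one is given on the command line.
if [ "$#" -gt 0 ]; then
    verify_lb_filter "$@"
fi
```

Run it against the external virtual server name rather than an internal one, because the iRule applies only to the virtual server it is attached to.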
