
Why I Don't Use WebLogic JMS Topics (article)

OTech Magazine - Issue 6, Winter 2014


  1. 1. Winter 2014 Content-Enabling Your Insurance Business Using Oracle BPM and WebCenter Content ASM Metrics Enforcing Principle of Least Privilege Maturity of Service Oriented Architectures Future is now, ODI 12c And more: 18 authors, 17 articles, 4 ACE's, 6 ACE Directors, ...
  2. 2. OTech Magazine: Bigger & Better

     When in September the first issue of OTech Magazine came out, I could not have dreamed about the things that were about to happen. I had set an initial target for myself of one thousand readers. And how conservative that turned out to be. This initial goal was met within a matter of hours.

     The first issue of OTech Magazine was released on Tuesday September 24 2013. During the heat of Oracle OpenWorld the magazine created a rush. The initial goal of 1 thousand hits on the magazine was reached within hours. In the first week the magazine was viewed over 16 thousand times. After a month we had 21 thousand hits on the magazine and counting. The total views after initial release of the magazine is over 25 thousand. The peak of the hits on the magazine was during the first week after release, creating a massive 13542 hits on the Thursday after publication.

     With these numbers it was time to start looking at this – no longer an innocent hobby – as a more and more professional venture. So here we are.

     With the help from dozens of friends, relatives, pals and some of the finest Oracle-folks in the world we created an even bigger (and I really do think) better issue of the magazine. And it’s an issue that we all (yes you too as a reader of this) can be very proud of. Every single person who helped with this magazine did it in his or her own valuable time. And look at the result:

     - 136 pages of pure Oracle technology knowledge
     - 18 hard working authors, the best in their field
     - 4 Oracle ACE’s, 6 ACE Directors

     This magazine – that started off as just a way to have some fun – is turning into something magical: it might even turn out to become the Oracle-glossy. Not some fancy-schmancy thing that’s all nice pictures and only marketing, but something real. Something that you and I would like to read when we have a spare moment. Just to put your feet on the table and read a bit about real insight knowledge about our field of work.

     Enjoy. I know I did.

     Cheers!
     Douwe Pieter van den Bos

     Foreword
  3. 3. OTech Contents

     • SOA Made Simple: choosing the right SOA and BPM Suite component based on classification (Ronald van Luttikhuizen – Vennster)
     • Tips and tricks for installing and maintaining FMW products (Peter Lorenzen – CGI)
     • Enforcing Principle of Least Privilege (Biju Thomas – OneNeck IT Solutions)
     • An Introduction to Design Considerations for a Highly Available Oracle Access Manager Deployment (Robert Honeyman - Honeyman IT Consulting)
     • Oracle WebCenter Experts Complete the IT Puzzle (Troy Allen – TekStream)
     • Maturity of Service Oriented Architectures (Douwe Pieter van den Bos - Ome-B.nl Creative Software Solutions)
     • The World According to Oracle: Oracle OpenWorld 2013 and beyond (Lucas Jellema – AMIS)
     • From Requirements to Tool Choice (Sten Vesterli - Scott/Tiger)
     • NoSQL and Oracle (James Anthony - e-DBA)
     • Case Management or Business Process Management? (Lonneke Dikmans – Vennster)
  4. 4. • Enterprise Deployment of Oracle Fusion Middleware Products, Part 1 (Simon Haslam - Veriton Ltd)
     • Data Security in Case Management (Marcel van de Glind & Aldo Schaap – AMIS)
     • Oracle Business Intelligence and Essbase Together: You don’t know what you don’t know… (Neil Sellers - Qubix International Ltd)
     • Why I Don’t Use WebLogic JMS Topics (Ahmed Aboulnaga – Raastech)
     • ASM Metrics (Bertrand Drouvot)
     • Future is now, ODI 12c (Gurcan Orhan, Global Maksimum)
     • Content-Enabling Your Insurance Business using Oracle BPM and WebCenter Content (Raoul Miller – TEAM informatics)
     • Information page
  5. 5. SOA Made Simple: choosing the right SOA and BPM Suite component based on classification
     Ronald van Luttikhuizen - Vennster

     Organizations that have just started their SOA effort usually only have a couple of services in place. Services are discovered in a process that is called “service identification”. Services are either identified ‘top down’ based on the business processes and the to-be architecture or top-down by projects based on the services needed at that moment. Service identification is usually an iterative approach, so after a number of iterations you’ll have dozens of services.

     Is it hard for clients to find the services they need? Does it take too long to answer specific questions from stakeholders such as security officers and IT operations about the services in your organization? Is it difficult to make consistent choices on the design and implementation of services? If so, you might benefit from creating a service classification.

     What is a service classification and why use it?

     Different stakeholders need different information about the services in your organization, such as:

     • The functionality that is offered by the service (service consumers);
     • Channels through which the service can be accessed (service consumers, security officer);
     • Contract and interface of the service (service consumers, service providers);
     • Technology used to implement the service (service providers: software architects, developers, operations);
     • Security constraints and measures such as authentication (service consumers, service providers, security officer);
     • Visibility of the service to the outside world (service providers, security officer).

     At some point it will become unmanageable to list all metadata in big documents. We need to be able to focus on certain aspects of a service, and leave other criteria out. Basically, we create a certain viewpoint or filter on our services. This is called a classification.

     Figure 1: Criteria to use for your classification

     Service Oriented Architecture
  6. 6. Classification for service producers

     There is no one, true service classification. Different stakeholders have different requirements and need to know different things about the services. It is very well possible that you need to create and maintain several classifications.

     Arguably, (future) consumers of your services are the most important stakeholders to consider. Without use, we can just as well discard a service. Consumers need to know what functionality services offer, if they are allowed to use a service and under what conditions, and should be able to easily search for services. An example of a service classification for consumers would be a matrix with the functional domains of your organization (HR, CRM, Finance, etc.) on one hand and the accessibility of the service (private, internal use, external use) on the other hand. Such a classification is often used in a Service Registry in which consumers can search for existing services to use.

     Although valid for service consumers, classification is also very useful when you are designing, building, and maintaining services. The following classification that is based on granularity and the ability of services to be combined into larger services is proposed for these stakeholders. This article shows you how this classification can be used to pick the right SOA and BPM Suite component when building services.

     Figure 2: Service Classification based on Granularity and Composition
  7. 7. Elementary services are the smallest possible building blocks that still provide value on their own. They are typically short running. Examples are a ClaimDataService used by an insurance company for storing claim metadata and a DocumentService used to store and retrieve documents.

     Composite services are created when a particular combination of services is reoccurring. These services combine several associated actions in one transaction. An example is a ClaimService used by an insurance company to both register the claim metadata using the ClaimDataService and to store the associated documents using the DocumentService as one operation.

     Process services are longer running services that are created by combining elementary and composite services and often have a human step associated with them to handle exceptions or certain specific tasks. An example is a ClaimToPaymentService that handles a claim from start to end; this both involves human and automated steps.

     This classification appeals to designers and developers since combining components in larger objects is a natural way of thinking for designers and developers and guidelines and implementation choices differ between these service types.

     Figure 3: Examples of elementary, composite, and process services
  8. 8. Classifying to know what Oracle Fusion Middleware product to use

     Oracle Fusion Middleware is a comprehensive stack and consists of various products and suites. The following products are especially interesting from a SOA point-of-view:

     • Oracle Service Bus (OSB): Oracle’s strategic Enterprise Service Bus that can be used for protocol transformation (e.g. RMI to SOAP), data transformation, securing of services based on policies, virtualization of the underlying service implementation, integrating various components into services, and so on.
     • Oracle SOA Suite: a platform that lets you combine building blocks such as Business Rules, BPEL components, Human Workflow, and so on into composite applications that are called SOA composites. The SOA Suite uses the SCA standard to create SOA composites.
     • Oracle BPM Suite: an extension to SOA Suite that provides BPMN and Adaptive Case Management capabilities to orchestrate activities into processes.

     The big question is: what product to use in what scenario? This choice can have a big impact on the overall quality of the solution you’re building with it. The following diagram shows how the classification is mapped to the various products.

     Figure 4: Oracle Fusion Middleware
  9. 9. Figure 5: Mapping of Fusion Middleware onto Service Classification

     A service is a capability; in SOA everything is considered a service. A service consists of three components: an interface (how the service can be used and accessed), an implementation (how the service is realized) and a contract (what consumers can expect from a service and under what conditions they can use the service). In case of the DocumentService that we discussed earlier, the implementation could be an off-the-shelf Document Management System, the interface a SOAP Web Service described by a WSDL and XSDs, and the contract an SLA defining the cost of usage, availability, owner, response time, and so on.

     The remainder of the article will discuss what product to choose for the implementation of services, and what product to use for accessing the service; or exposing its interface.

     Implementation of Elementary Services

     In IT, the implementation can be anything: whether it is a packaged application such as Oracle EBS and Oracle Fusion Applications, or custom-built software using Java, PL/SQL, Oracle SOA Suite, or OSB.

     Figure 6: Example of a simple calculation Web Service implemented in Java (J-WS)
  10. 10. Important considerations when choosing Oracle SOA Suite or OSB as implementation platform for elementary services:

      • Don’t use Oracle BPEL or OSB as general purpose programming language for elementary services. Program logic such as calculations or a high degree of conditional statements are better suited for imperative programming languages such as Java or PL/SQL. SOA Suite offers you the capability to include Java logic in SOA Composites as Spring components.
      • You can expose any component of SOA Suite as a service by wrapping it in a SOA Composite of its own. For example, Business Rules and Human Workflow are components that are often used from other components such as BPEL, BPMN, and Case Management and packaged together with these components into SOA Composites. However, on their own they can also provide added value and be exposed and packaged independently as SOA Composite using SOA Suite.

      Figure 7: Example of a service that is implemented using SOA Suite (BPEL, Mediator, and Business Rule)

      This article is based on SOA Made Simple book by Lonneke Dikmans and Ronald van Luttikhuizen: http://www.packtpub.com/service-oriented-architecture-made-simple/book.
  11. 11. Implementation of Composite Services

      Composition is the combination of several smaller services into a larger service that offers more added value. When we combine only a few services in a straight-forward fashion (e.g. sequentially invoke service operation A followed by the invocation of service operation B) we call this aggregation. When the composition is more complex and involves more conditional logic, we use the term orchestration.

      • Use BPEL, which is part of SOA Suite, for orchestration.
      • Use OSB for simple aggregation flows only. Transformation and routing logic in OSB flows becomes cluttered and hard to maintain if it gets too unwieldy.

      Figure 8: Putting too much (complex) composition logic into OSB results in cluttered flows

      Figure 9: Implementation of a Composite Service operation in BPEL

      SOA Suite has more components available than OSB that can be used to implement the composition logic. For example the use of Domain-Value Maps (DVM) to map various data elements onto each other, and the use of Business Rules to encapsulate fast changing logic. Business Rules as well as DVMs can be changed at runtime without the need for software modifications which provides greater flexibility. While SOA Suite offers more functionality, OSB is more light-weight and performs better for simple services that process large amounts of messages.
  12. 12. By default the operations of a service are implemented in one message flow diagram in OSB (Proxy Service). That means that if a composite service has several operations, each containing a complex composition, the message flow becomes very cluttered. You could create a separate Proxy Service for every operation but that results in overhead. In SOA Suite you can easily use a Mediator component that redirects every service operation invocation to its own BPEL component. The BPEL editor only shows the flow for one operation as opposed to showing the flows for every operation.

      Implementation of Process Services

      For the implementation of longer running services Fusion Middleware offers several choices:

      • Use Adaptive Case Management when there are many different variations in the process flow. This is the case with knowledge-driven processes in which users determine the next action in the process as it progresses. Adaptive Case Management was added to the BPM Suite in 11g PS 6.
      • For deterministic processes such as invoice processing in which efficiency is important, you can either choose BPMN (BPM Suite) or BPEL. BPEL is a more technical and rigid notation, while BPMN is better suited for process modelling by business analysts on a higher level and provides more flexibility.

      Figure 10: Difference between BPMN (upper) notation and BPEL (lower)

      A best-practice for services, independent of their type, is to have guidelines in place for the size of messages you allow in OSB or SOA Suite. Small messages can be inline, larger messages should be sent as an attachment, and big messages should be handled with a claim check pattern. The actual handling of such large files is best left to tools that are better suited for this like FTP servers, ODI, or the upcoming Oracle Managed File Transfer product.

      Publishing the interfaces

      So far you have seen what product to use for the implementation of different types of services. Besides the technology to build services, we also need to know how service consumers will access the capabilities of the services.
  13. 13. There are several choices to expose services to the outside world:

      • Expose service implementations by using their proprietary interface. This is often the product or technology in which the service was built. For example, you can expose a PL/SQL package and use that as the interface or use RMI to expose Java components.
      • Expose the service implementations by using a standard interface such as a SOAP Web Service or REST service. You can for example use JAX-WS to expose Java components as SOAP or REST services or use Oracle JCA adapters to transform a (proprietary) technology to a standard interface. Note that Oracle offers various JCA adapters for Relational Databases, JMS, File, FTP, AQ, MQ, and so on that are built on the Java JCA standard and expose those technologies as SOAP Web Services. These JCA adapters are deployed on Oracle WebLogic Server and can be invoked from both OSB and SOA Suite.
      • Use an Enterprise Service Bus like OSB as a central platform to expose your services to the outside world.

      The latter approach increases the flexibility of your services. Changes in the service implementations can be mediated in the OSB. You can use it as a platform for versioning of services, content-based routing to the appropriate service implementation, transformation from a canonical data format to a local data format, protocol transformation, applying security measures that are defined in your service contracts, and so on.

      Figure 11: Exposing a service using Oracle Service Bus

      Summary

      Oracle offers a number of components that are part of the SOA and BPM Suite. A technical service classification helps you decide which of these components to use for the implementation and interfaces of your services in what scenario. It is a good practice to create service classifications as part of your SOA governance. Create classifications based on the needs of your stakeholders.

      Ronald van Luttikhuizen
      Vennster
  14. 14. Tips and tricks for installing and maintaining FMW products
      Peter Lorenzen - CGI

      Introduction

      The purpose of this article is to provide an overview of information that I feel is important to know when you install and maintain Oracle Fusion Middleware (FMW) products.

      Documentation

      Oracle has lots of FMW documentation and locating the right one can be a challenge.

      Getting started

      The best place to start is with the “FMW Download, Installation, and Configuration Readme Files“ (http://goo.gl/GygKSP). There is a readme file for each FMW release. The readme file will lead you to the rest of the documentation. It will help you locate the right software as well as install and configure FMW. It is highly recommended to read the following manuals:

      • Fusion Middleware System Requirements and Specifications (http://goo.gl/gOcMpS)
      • FMW Installation Planning Guide (11g) (http://goo.gl/QR7dZJ)
      • Installing and Configuring the FMW Infrastructure (12c) (http://goo.gl/J4xnZq)

      Product installation guides

      Each FMW product has its own installation guide. Make sure you read these in detail, since some of them have unique information. There are for example, important differences between Java Components and System Components (http://goo.gl/NaEW5n). By the way, please note that the management of System Components has changed significantly between FMW 11g and 12c, as OPMN has been replaced with Node Manager (http://goo.gl/xPUZBz).

      Release Notes

      All products have Release Notes. They contain information about what to do when the software is not working as expected. The Release Notes are part of the documentation library for the product. The Release Notes are updated periodically, so it is a good idea to check them regularly.

      There is also a Known Issues list, for some products. This is not part of the documentation library and can sometimes be referred to as Release Notes. An example is the “Known Issues for Oracle SOA Products and Oracle AIA Foundation Pack” (http://goo.gl/E1jBHL). It lists known issues for BAM, BPEL, OSB, SOA, BPM Suite etc. I assume that the reason for the two “Release Notes” is that there are many known issues and it is easier to maintain this list than the documentation library.

      The Release Notes can sometimes list patches that should be installed. An example is the OSB 11.1.1.7 that lists four required WebLogic Server patches.

      Oracle Fusion Middleware
  15. 15. Repository Creation Utility

      Many FMW products require a repository in a database. You cannot just use any database or any Oracle database. Some of the products have very specific requirements for the configuration of the database. Sometimes the Repository Creation Utility (RCU) will complain about a missing requirement, but this can be ignored for some products. It is therefore a good idea to read the RCU documentation:

      • Creating Schemas with the Repository Creation Utility (12c) (http://goo.gl/GFt89w)
      • FMW Repository Creation Utility User's Guide (11g) (http://goo.gl/rYS7SY)

      Downloading software

      Oracle has three different locations for downloading software.

      Oracle Technology Network (OTN)

      At the OTN site, you can download most Oracle FMW software for free. Although you do not have to pay to download the software, it is not free to use! You can use the software while doing a proof of concept or developing a new application. As soon as you go into production, however, proper licensing is required for all the software used, including environments used for maintenance and the development of new releases, etc. This is also true for software installed on developers' laptops. Make sure that you understand the OTN Developer License (http://goo.gl/He919f) before downloading software from OTN.

      There is another license model - the OTN Free Developer License (http://goo.gl/1CUW97). It only covers the WebLogic Server. It allows a single developer to use the WebLogic Server for free, also after going into production. This is nice, but the license only covers WebLogic, there is no OSB, SOA Suite etc. Therefore, it is only for pure Java applications.

      Oracle Software Delivery Cloud

      The http://edelivery.oracle.com site has existed for some time, and is now not surprisingly a cloud service. When you download software from the site, you acknowledge that you have already obtained a valid license or that the 30 day Oracle Software Delivery Cloud Trial License is used. You are not required to use the site and as long as you have your licenses in order, it does not matter from which site you get the software. I normally use OTN for everything.

      My Oracle Support (MOS)

      You need a valid support agreement to access the MOS site. From MOS you can download patches, updates and other fixes. OTN and Edelivery only contain the latest releases of a product. If you need an older release or legacy software from one of Oracle’s acquisitions, it is necessary to create a MOS Service Request in order to obtain a download link.
  16. 16. “Location, Location, Location”

      When you install FMW you should follow a strict standard of directory naming. This is what I normally do:

      • Oracle Base /u01/app/oracle
      • Products /u01/app/oracle/products
      • Domains /u01/app/oracle/domains

      The products directory contains the software installations and the Oracle Homes. The domains directory contains the domain homes, with all the configuration data. For example:

      • MW_HOME /u01/app/oracle/products/wls1212
      • DOMAIN_HOME /u01/app/oracle/domains/myDomain

      Whatever you do, make sure you do not keep your domains under the Middleware Home. It makes good sense to keep binaries and configurations separate, as you can run into problems when you have to upgrade to a new major FMW version in the future.

      The only exception is Portal, Forms, Reports and Discoverer, where the domains must be under the Middleware Home. Otherwise the software will not work! For example: /u01/app/oracle/product/pfrd11.1/user_projects/myDomain

      Hopefully this will be fixed in a coming release.

      If you keep the domains separate from the software, you can harden your installation, by having a special OS user that owns the software installation. Another user will own the domain home and will only be granted read and execute rights to the software. In WebLogic 12.1.2 this works without any problems, but in previous releases the Node Manager configuration and log files were located under the Middleware home. Therefore, you need to move the node manager configuration files and change the configuration, so the log files are written to a different location.

      Remember to check out Oracle's recommendations for selecting directories: http://goo.gl/vxdy4x
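The separation described above (domain outside the Middleware Home, a different OS owner, software not writable by the domain user) can be checked mechanically. The script below is an added example, not code from the article; the finding labels and the sample tree it builds in a temporary directory are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article: audit the split between the software
# installation (MW_HOME) and the domain configuration (DOMAIN_HOME).
# Finding labels and the sample tree below are constructed for illustration.

# owner_of PATH: print the owning user of PATH (portable, no GNU stat).
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# audit_layout MW_HOME DOMAIN_HOME
# Prints one finding per line; prints nothing when the layout is clean.
audit_layout() (
    mw=$(cd "$1" && pwd -P) || exit 2
    dom=$(cd "$2" && pwd -P) || exit 2

    # 1. The domain must not live below the Middleware Home (the article
    #    notes Portal, Forms, Reports and Discoverer as the forced exception).
    case "$dom/" in
        "$mw"/*) echo "DOMAIN_UNDER_MW_HOME $dom" ;;
    esac

    # 2. Software and domain should belong to different OS users.
    if [ "$(owner_of "$mw")" = "$(owner_of "$dom")" ]; then
        echo "SAME_OWNER $(owner_of "$mw")"
    fi

    # 3. The domain user only needs read and execute on the software, so
    #    nothing under MW_HOME should be writable by group or others.
    find "$mw" ! -type l \( -perm -020 -o -perm -002 \) -print |
        sed 's/^/MW_HOME_WRITABLE /'
)

# make_sample_layout: build a constructed tree in a temp dir, print its root.
make_sample_layout() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/products/wls1212/bin" "$base/domains/myDomain" \
             "$base/products/pfrd11.1/user_projects/myDomain"
    echo '# constructed file' > "$base/products/wls1212/bin/commEnv.sh"
    chmod -R go-w "$base/products" "$base/domains"
    chmod 664 "$base/products/wls1212/bin/commEnv.sh"   # deliberate weakness
    echo "$base"
}

root=$(make_sample_layout)
echo "== separate domain home =="
audit_layout "$root/products/wls1212" "$root/domains/myDomain"
echo "== domain below the Middleware Home =="
audit_layout "$root/products/pfrd11.1" \
             "$root/products/pfrd11.1/user_projects/myDomain"
rm -rf "$root"
```

In the sample run both directories belong to the user running the script, so `SAME_OWNER` is reported; on a hardened host that finding disappears once the domain home is owned by its own account.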
  17. 17. Java

      These days you have to reinstall Java at least every quarter, because of security patches and new releases. Here are two tips that can make life a bit easier.

      Soft links

      Since the Java installation is referenced in several files under the Middleware home and the domain homes, you need to change these references every time you install a new release. It is easy to create a script that does this, but I prefer to create a soft link to the current Java installation and reference this everywhere.

          # Java Home: /u01/app/oracle/product/jdk1.7.0_45

          # Create soft link
          cd /u01/app/oracle/product
          ln -s jdk1.7.0_45 java_current

      /u01/app/oracle/product/java_current now points to /u01/app/oracle/product/jdk1.7.0_45.

      It is not a perfect solution, as some programs will use the real location when they access the soft link, which can get you into trouble now and then.

      You can do the same on Windows with symlinks.

          @REM Java Home: D:\oracle\product\jdk1.7.0_45

          @REM Create symlink
          cd D:\oracle\product
          mklink /d java_current jdk1.7.0_45

      D:\oracle\product\java_current now points to D:\oracle\product\jdk1.7.0_45.

      Whatever you do, please make sure you always remove the old Java installation. I have experienced situations where customers were using an old Java installation because they had forgotten to change the references to the old installation.

      cacerts

      When you install Java, it contains a default keystore called cacerts. If you use this, you must remember to copy it to the new Java installations every time you reinstall. This is bound to go wrong and you will have to spend time figuring out why. Never use cacerts, but instead use a custom keystore.
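After a Java upgrade, two things are worth verifying: that no configuration file still hard-codes a versioned JDK directory, and that no superseded JDK is left on disk. The script below is an added example, not code from the article; the sample tree, the file contents and the JDK directory `jdk1.7.0_40` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article. The sample tree, its file contents and
# the directory jdk1.7.0_40 are constructed for illustration.

# hardcoded_jdk_refs DIR
# Print file:line:text for every line under DIR that names a versioned JDK
# directory (for example .../jdk1.7.0_40) instead of the soft link.
hardcoded_jdk_refs() {
    grep -rnE '/jdk[0-9][0-9._]*' "$1" 2>/dev/null || true
}

# unused_jdks PRODUCT_DIR LINK
# Print the jdk* directories in PRODUCT_DIR that the soft link LINK does not
# point to: old installations that should be removed.
unused_jdks() (
    product_dir=$1
    link=$2
    [ -L "$link" ] || { echo "not a soft link: $link" >&2; exit 2; }
    current=$(basename "$(readlink "$link")")
    for d in "$product_dir"/jdk*; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        [ "$name" = "$current" ] || printf '%s\n' "$name"
    done
)

# make_sample_tree: build a constructed installation in a temp dir and print
# its root. One file still points at the old JDK, one uses the soft link.
make_sample_tree() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/product/jdk1.7.0_40" "$base/product/jdk1.7.0_45" \
             "$base/domains/myDomain/bin" "$base/domains/myDomain/nodemanager"
    ( cd "$base/product" && ln -s jdk1.7.0_45 java_current )
    printf 'JAVA_HOME="/u01/app/oracle/product/jdk1.7.0_40"\n' \
        > "$base/domains/myDomain/bin/setDomainEnv.sh"
    printf 'JavaHome=/u01/app/oracle/product/java_current\n' \
        > "$base/domains/myDomain/nodemanager/nodemanager.properties"
    printf '%s\n' "$base"
}

tree=$(make_sample_tree)
echo "Hard-coded JDK references:"
hardcoded_jdk_refs "$tree/domains"
echo "JDK directories no longer in use:"
unused_jdks "$tree/product" "$tree/product/java_current"
rm -rf "$tree"
```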
  18. 18. “Less is more”

      You should always install as little as possible. This goes for the OS, the database, FMW etc. Maintenance is easier and security is better. Do not install products, options, demos/examples etc. that you do not need.

      When you create a WebLogic domain, you should select as few products as possible. If you select all possible products, you might even end up in a situation where a domain does not work. Some products conflict and the domain wizard does not warn you about this. For example, the SOA Suite conflicts with the SIP Server (http://goo.gl/MFU0qA). It can be a bit difficult to figure out which product to select when creating a domain. The Domain Template Reference (http://goo.gl/2m3Xjy) will be of some help.

      “Silence is golden”

      Installing everything manually is fine as long as you only have a couple of environments, but as soon as you have more, it will be difficult to ensure that the environments are identical. If they are not identical, there is a good chance that developers, testers etc. will run into problems, because of small discrepancies.

      To maximize predictability in your environments, you can script everything. Oracle has tools that will enable silent installation, scripted domain creation and deployment. Here is an example of a silent installation and scripted domain creation of the OSB 11.1.1.6 on Red Hat 6: http://theheat.dk/blog/?p=771

      You can use the Oracle WebLogic Scripting Tool (WLST) to create data sources, JMS queues etc. This blog post contains a WLST script for creating a data source: http://theheat.dk/blog/?p=1467

      You can deploy applications via WLST both online and offline. For more information, check the documentation (http://goo.gl/2Ivt5G). The WebLogic server, of course, also supports ant and maven.

      It is a good idea to use scripted deployment for all environments. Make sure scripts are continuously created and maintained from the start of a project. It should be a continuous process and not done at the last minute.
  19. 19. Configuration File Archiving

      You can configure the WebLogic Server to make a backup of the configuration whenever you change it. The configuration files live in the DOMAIN_HOME/config directory and its subdirectories. If you enable Configuration Archiving, all the configuration files will be stored in a jar file every time a change is activated. The jar files are placed in the DOMAIN_HOME/configArchive directory. When the Archive Configuration Count limit is reached, the oldest file is overwritten.

      I consider it best practice to use Configuration File Archiving. The files do not take up much space and they can provide you with valuable information about changes you might not be aware of. For more details read this blog post: http://theheat.dk/blog/?p=1385

      Entropy problems on Linux servers

      I install WebLogic on many new servers and have frequently encountered problems because of low entropy. The symptom is that it takes a long time for a WebLogic server to start. The CPU has no load and the log files do not reveal any problems. It can also happen when you start the Node Manager for the first time. I once waited 10 minutes for the Node Manager to start on a powerful blade server, with nothing else running. It happens both for physical and virtual servers.

      It is one of the things that can be both puzzling and frustrating until you find out what is going on. The problem is with the way random numbers are calculated. It is not a FMW problem, but a Linux problem. I often meet people who do not know about this, so if you use Linux you might want to have a look at the details and the workarounds in this blog post: http://theheat.dk/blog/?p=1539

      Error Correction Support Policies

      In my experience, most people know about Oracle Lifetime Support. An Oracle product generally moves through three different support stages: Premier (5 years) > Extended (3 years) > Sustaining (perpetual). Each stage has different benefits, and there are fewer and fewer benefits as you move to Extended and Sustaining, and at the same time the price goes up.
  20. 20. What is not so well known, is that this is not the whole story. If we look at the WebLogic Server 11g aka. 10.3.x, it is in Premier Support until December 2018. The latest Patch Set is 10.3.6, so if you use 10.3.6 you are OK for some years. But what if you use 10.3.5? If you look in the Critical Patch Update (CPU) from October 2013:

      “Patch Set Update and Critical Patch Update October 2013 Availability Document (Doc ID 1571391.1)”

      In the “Final Patch History” section you will see that July 2013 was the final CPU for WebLogic Server 10.3.5. Even though WebLogic Server 11g is supported for years, CPUs etc. are only available if you are running the latest Patch Set e.g. 10.3.6.

      This is governed by Oracle's Error Correction Support Policy (ECP). The ECP states that when a new Patch Set is released, Oracle will only deliver error corrections to the previous Patch Set within a certain grace period. The grace period is to provide the customer with time to plan and apply the Patch Set:

      “Grace Period: up to 1 year for first patch set (minimum 3 months), and up to 2 years for second and subsequent patch sets.”

      This means, that if you use WebLogic Server 10.3.5 you have support, but Oracle will not make any new patches, leaving you in a vulnerable situation.

      It is my experience that the ECP is often forgotten. Make sure that your customers are aware of the benefits of installing the latest Patch Sets and understand the risks of not doing so. You can find lists of the ECP grace periods on MOS. For more information, check this blog post: http://theheat.dk/blog/?p=1753

      Patching

      A big part of installing and maintaining FMW is to continuously apply the right patches. To do this you need to know the terminology and the different kind of patches Oracle supplies.

      Security patches

      Each quarter Oracle releases security updates. The patch program is called Critical Patch Update (CPU). It includes all Oracle products including Java. Java was added with the October 2013 CPU.

      In the beginning the patches released by the CPU program were also called CPU patches, but from October 2012 the name was changed to Security Patch Updates (SPU). The program is still called CPU, but the patches are called SPU patches. A SPU patch is a cumulative patch consisting of security fixes. Oracle announces the release dates for the CPUs around a year in advance.

      Sometimes Oracle will release one-off security patches if particularly nasty bugs are found. It does not happen often, and as far as I can recall there have not been any in 2013.

      Proactive patches
Oracle releases proactive patches on the same quarterly schedule as CPU patches. Proactive patches come in three flavors.

Patch Set Updates (PSU)

For some products the SPU patches have been replaced with Patch Set Updates (PSU). This is true for the database and the WebLogic server. You can see the full product list in:

“Patch Set Updates for Oracle Products (Doc ID 854428.1)”

A PSU patch is a cumulative patch consisting of security fixes and other stabilizing changes. It is a SPU plus other non-security related changes. No enhancements are included.

Bundle Patches (BP)

BPs are cumulative patches that are issued between patch sets. They usually only include bug fixes, but may contain minor enhancements. For example, the OSB 11.1.1.6 currently has two BPs and the SOA Suite 11.1.1.7 has one. You can find a list of all FMW BPs and PSUs here:

“Master Note on Fusion Middleware Proactive Patching – Patch Set Updates (PSUs) and Bundle Patches (BPs) (Doc ID 1494151.1)”

Suite Bundle Patches (SBP)

A SBP is a collection of product BPs for a suite. For example, an Oracle Identity Management SBP consists of OAM, OAAM, and OIM BPs.

Version numbers

When you apply a proactive patch, the fifth number in the product version is incremented. Here is a WebLogic server 10.3.6 with the October PSU:

    . /u01/app/oracle/product/wls103/wlserver_10.3/server/bin/setWLSEnv.sh
    java weblogic.version

    WebLogic Server 10.3.6.0.6 PSU Patch for BUG17071663 Tue OCT 02 13:01:30 IST 2013
    WebLogic Server 10.3.6.0 Tue Nov 15 08:52:36 PST 2011 1441050

Conflicts

Since SPU/PSU patches are cumulative, they will conflict with each other, so you will need to remove older SPU/PSU patches before applying new ones.
Overlay patches

Sometimes you need to install one-off patches that are not included in the proactive patches. These patches are now called interim patches. If a proactive patch makes changes to the same code as an interim patch, they will conflict. If they do, you need a new version of the interim patch that matches the version number of the proactive patch. These are called overlay patches. If no overlay patch exists for an interim patch, you can request that Oracle creates one.

Conflict resolution

Resolving conflicts can be difficult. The following MOS note has a section called “PSUs and Patch Conflict Resolution” that can help you:

“Announcing Oracle WebLogic Server PSUs (Patch Set Updates) (Doc ID 1306505.1)”

Here is an example I recently encountered. The latest release of the WebLogic Portal is 10.3.6. Currently no security or proactive patches exist for the Portal, but you can install WebLogic PSU patches. However, when you try to apply the latest PSU you get an error:

    Conflict condition details follow:
    Patch BYJ1 is mutually exclusive and cannot coexist with patch(es): CYXN

CYXN is a fix for the 13000612 bug. If you check:

“Oracle WebLogic Server Patch Set Update 10.3.6.0.6 Fixed Bugs List (Doc ID 1589769.1)”

You will see that the fix for this bug was included in the first 10.3.6 PSU (10.3.6.0.1). This means you can remove the CYXN patch as it was already included in the latest PSU.

MOS Recommended Patch Advisor

It can be difficult to figure out which patches to install. Oracle has tried to help with the Recommended Patch Advisor on MOS. It is a work-in-progress initiative. I have not used it much yet, but it seems to be working fine.
Keep current

It is not an easy job to keep an FMW installation updated and secure. Things are moving fast and if you are not up-to-date and proactive, you can run into problems. A current example is the Java 7 update 51 that will be released in January 2014. If an Oracle Forms installation is not patched before the update is installed on the clients, it will break Forms. For more details, check this blog post: http://theheat.dk/blog/?p=1681

Unfortunately, there is no silver bullet for staying current, but the list below will help you.

Critical Patch Update Alert E-mails

Sign up for Oracle’s CPU Alert e-mails. Oracle will inform you when a new CPU has been released. You will also get an email if Oracle releases one-off security patches.

MOS information centers

Check the product specific information centers on MOS:

• OSB (Doc ID 1293368.2)
• SOA Suite 11g (Doc ID 1369339.2)
• Weblogic Server Patching & Maintenance Information Center (Doc ID 1573509.2)
• …

Master Note on FMW Proactive Patching – PSUs and BPs (Doc ID 1494151.1)

Make sure you check this MOS note; it contains a list of all FMW PSUs and BPs.

Blogs, Twitter etc.

I follow many blogs and read a lot of tweets to keep up.

Wrap up

In this article, I have collected an overview of various subjects I believe you should be aware of as an FMW administrator. The subjects are broad and encompass various issues that can be hard to come by if you are new to FMW administration. If you have questions or comments, please feel free to drop by http://theheat.dk or https://twitter.com/theheatDK.

Peter Lorenzen
CGI Denmark
Enforcing Principle of Least Privilege

Biju Thomas - OneNeck IT Solutions

One of the top features of Oracle Database 12c that attracted me is the ability to enforce the principle of least privilege with ease. Ever since database vendors started taking security seriously, the principle of least privilege has been in play. Identifying the privileges required by an application or user in Oracle database versions prior to 12c was a tedious trial and error process. Many applications I have come across run with DBA or DBA-like privileges, because no privilege analysis was done at application design and development time. For the application design and development team the focus is always on getting the development work completed and delivering the project. Security, especially least privilege, is not a focus item where the team wants to spend time. It is easy to grant system privileges (especially DBA or ANY privileges like INSERT ANY TABLE) to get the application working.

Oracle Database 12c brings the Privilege Analysis feature to clearly identify the privileges required by an application for its functioning, and tells the DBA which privileges can be revoked, to enforce the principle of least privilege and make the database and application more secure. The Privilege Analysis feature is available only in Enterprise Edition and it requires a Database Vault license, which is an extra cost option. The good thing is that Database Vault need not be enabled to use Privilege Analysis - one less thing to worry about.

In a nutshell, privilege analysis works as below:

- Define a capture, to identify what needs to be analyzed
- Enable the capture, to start capturing
- Run the application or utility whose privileges need to be analyzed
- Disable the capture
- Generate results from the capture for review
- Implement the results, from the findings

I will explain the steps using the SQL command line as well as using Enterprise Manager Cloud Control 12c. To do the privilege analysis you need the CAPTURE_ADMIN role. This role is granted to the DBA role, so if you have DBA privileges on the 12c database, you can perform the analysis.

Figure 1: Privilege Analysis

Oracle Database Security
Demo Environment

For demonstration purposes I am going to use the OE schema that comes with Oracle Database 12c examples - it has 14 tables and several other objects. We want to analyze the privileges of the OE_ADM user, who currently has the following privileges:

- SELECT ANY TABLE
- INSERT ANY TABLE
- UPDATE ANY TABLE
- DELETE ANY TABLE
- ALTER ANY TRIGGER
- CREATE PROCEDURE
- CREATE TABLE
- CREATE SYNONYM
- CREATE ANY INDEX
- ALL privs on ORDERS and ORDER_ITEMS tables
- CONNECT and DBA Roles

    SQL> select object_type, count(*) from dba_objects where owner = 'OE' group by object_type;

    OBJECT_TYPE               COUNT(*)
    ----------------------- ----------
    SEQUENCE                         1
    LOB                             15
    TYPE BODY                        3
    TRIGGER                          4
    TABLE                           14
    INDEX                           48
    SYNONYM                          6
    VIEW                            13
    FUNCTION                         1
    TYPE                            37

The OE_ADM user connects using SQL*Developer to run the scripts and reports. Our objective is to remove the ANY privileges from the OE_ADM user and grant appropriate privileges based on the tasks performed during the analysis period.

The new package DBMS_PRIVILEGE_CAPTURE has the subprograms to manage the privilege analysis. The CAPTURE_ADMIN role has execute privilege on this package.

Define and Start Capture

The very first step in privilege analysis is to create a capture, to define what actions need to be monitored. Four types of analysis can be defined in the capture:

- Database (G_DATABASE - 1): If no condition is defined, analyzes used privileges on all objects within the whole database. No condition or roles parameter is specified for this type of capture.
- Role (G_ROLE - 2): Analyzes privileges exercised through a role. Specify the roles to analyze using the ROLES parameter.
- Context (G_CONTEXT - 3): Use this to analyze privileges that are used through an application module or specific context. Specify a CONDITION to analyze.
- Role and Context (G_ROLE_AND_CONTEXT - 4): Combination of role and context.
The CREATE_CAPTURE subprogram is used to define the capture. For our demo, we want to use the Role and Context type, because we want to know what privilege from the DBA role is being used as well as what other privileges granted to OE_ADM are used when the application used is “SQL Developer”.

Figure 2: OEM Screen to Create a Privilege Analysis Policy

Figure 2 shows the OEM screen to create a capture policy. With a few clicks you can easily create the policy. Based on the context, additional input is captured. The SQL to define the policy as shown in Figure 2 is:

    -- Capture privileges used by OE_ADM in SQL Developer sessions,
    -- including those exercised through the DBA and CONNECT roles.
    BEGIN
      DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
        name        => 'Analyze_OE_ADM',
        description => 'Review Privileges used by OE_ADM through SQL Developer',
        type        => DBMS_PRIVILEGE_CAPTURE.G_ROLE_AND_CONTEXT,
        roles       => ROLE_NAME_LIST('DBA','CONNECT'),
        condition   => 'SYS_CONTEXT(''USERENV'', ''MODULE'') = ''SQL Developer'' AND SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''OE_ADM''');
    END;
    /
Once the policy is defined, it shows up in the OEM Privilege Analysis main screen, from where you can enable, disable, generate a report and drop the policy. See Figure 3.

Figure 3: Privilege Analysis screen of OEM

You can click on the start button to start the capture, or use the SQL below:

    EXECUTE DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE (name => 'Analyze_OE_ADM');

Now run the application for a period of time, so that Oracle can capture all the privileges used.

Stop Capture and Generate Reports

Now that the OE_ADM user has performed their tasks using SQL Developer, let us stop the capture and review the privileges used.

    EXECUTE DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE (name => 'Analyze_OE_ADM');

Using OEM you can click on the Stop Capture button as shown in Figure 3. Now click the Generate Report button. Using SQL you can accomplish this by:

    EXECUTE DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT (name => 'Analyze_OE_ADM');

OEM shows the number of unused privileges in the summary screen as shown in Figure 4.

Figure 4: unused privileges

Once you run the Generate Results procedure, all the DBA_USED_ views as well as the DBA_UNUSED_ views are populated. You may query these views to generate revoke scripts or to prepare reports. The DBA_USED_ views show the privileges used by the user for the policy. The DBA_UNUSED_ views show the privileges that are assigned to the user, but are not used. The _PATH views show the privilege path (how the privilege was given to the user, through which role).
Capture Privilege - DBA Views Populated with Generate Results Procedure

- DBA_USED_OBJPRIVS
- DBA_USED_OBJPRIVS_PATH
- DBA_USED_PRIVS
- DBA_USED_PUBPRIVS
- DBA_USED_SYSPRIVS
- DBA_USED_SYSPRIVS_PATH
- DBA_USED_USERPRIVS
- DBA_USED_USERPRIVS_PATH
- DBA_UNUSED_COL_TABS
- DBA_UNUSED_OBJPRIVS
- DBA_UNUSED_OBJPRIVS_PATH
- DBA_UNUSED_PRIVS
- DBA_UNUSED_SYSPRIVS
- DBA_UNUSED_SYSPRIVS_PATH
- DBA_UNUSED_USERPRIVS
- DBA_UNUSED_USERPRIVS_PATH

OEM makes it easier for you to see the reports and even generate a revoke script. Figure 5 shows the drop down menu under Actions.

Figure 5: OEM Options under Actions

The Reports menu shows a summary, as well as used and unused privilege listings that you can export to an Excel file. To be able to use the Revoke Scripts option, OEM needs to complete a setup as shown in Figure 6.

Figure 6: OEM Setup for Revoke Scripts Generation
The revoke script revokes all unused roles and privileges from the role granted to the user. In this case this is not desired, because we do not want to mess with the DBA role. This is where the Create Role menu helps. Figure 7 shows the OEM screen to create the role; you have the option to customize the role creation as well.

Figure 7: Create Role screen of OEM

This creates a new role for you with only the used privileges - how sweet is that!

Biju Thomas
OneNeck IT Solutions
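The SQL*Plus script below is an added example, not part of the original article or of Oracle's tooling. It builds from the command line the kind of role the OEM Create Role option produces, by querying the DBA_USED_ views for the Analyze_OE_ADM capture, and it turns each recorded use of a DML ANY TABLE privilege into a grant on the object that was actually touched. The role name OE_ADM_APP and the spool file name are assumptions; the generated statements are meant to be reviewed before they are run.

```sql
-- Added example: generate a least-privilege role for OE_ADM from the results
-- of the 'Analyze_OE_ADM' capture (GENERATE_RESULT must already have been run).
-- Assumptions: role name OE_ADM_APP and the spool file name are hypothetical.
-- Column names are those of the 12c data dictionary; DESCRIBE the views on
-- your release before relying on them.
SET PAGESIZE 0 LINESIZE 250 FEEDBACK OFF HEADING OFF TRIMSPOOL ON
SPOOL oe_adm_least_priv.sql

SELECT 'CREATE ROLE oe_adm_app;' FROM dual;

-- 1. Each use of a DML "ANY TABLE" privilege becomes a grant on the single
--    object that was accessed. DBA_USED_PRIVS records that object next to
--    the system privilege that allowed the access.
SELECT DISTINCT 'GRANT ' || REPLACE(sys_priv, ' ANY TABLE')
       || ' ON "' || object_owner || '"."' || object_name
       || '" TO oe_adm_app;'
FROM   dba_used_privs
WHERE  capture  = 'Analyze_OE_ADM'
AND    username = 'OE_ADM'
AND    sys_priv IN ('SELECT ANY TABLE', 'INSERT ANY TABLE',
                    'UPDATE ANY TABLE', 'DELETE ANY TABLE')
AND    object_name IS NOT NULL;

-- 2. Object privileges that were exercised, whether granted directly or
--    received through a role.
SELECT DISTINCT 'GRANT ' || obj_priv
       || ' ON "' || object_owner || '"."' || object_name
       || '" TO oe_adm_app;'
FROM   dba_used_objprivs
WHERE  capture  = 'Analyze_OE_ADM'
AND    username = 'OE_ADM';

-- 3. Used system privileges that are not ANY privileges (CREATE TABLE,
--    CREATE SESSION, ...). Other ANY privileges are reported in step 5.
SELECT DISTINCT 'GRANT ' || sys_priv || ' TO oe_adm_app;'
FROM   dba_used_sysprivs
WHERE  capture  = 'Analyze_OE_ADM'
AND    username = 'OE_ADM'
AND    sys_priv NOT LIKE '% ANY %';

-- 4. Hand the new role to the user and withdraw the direct DML ANY grants
--    that step 1 replaced. Removing the DBA role is left as a commented
--    line so that it is a deliberate decision taken after testing.
SELECT 'GRANT oe_adm_app TO oe_adm;' FROM dual;

SELECT 'REVOKE ' || privilege || ' FROM oe_adm;'
FROM   dba_sys_privs
WHERE  grantee = 'OE_ADM'
AND    privilege IN ('SELECT ANY TABLE', 'INSERT ANY TABLE',
                     'UPDATE ANY TABLE', 'DELETE ANY TABLE');

SELECT '-- after testing: REVOKE dba FROM oe_adm;' FROM dual;

SPOOL OFF

-- 5. Report (not spooled): other ANY privileges that were really used, such
--    as ALTER ANY TRIGGER or CREATE ANY INDEX. These need a case-by-case
--    decision, so no statement is generated for them.
SET PAGESIZE 50 HEADING ON FEEDBACK ON
SELECT DISTINCT sys_priv, used_role, object_owner, object_name
FROM   dba_used_privs
WHERE  capture  = 'Analyze_OE_ADM'
AND    username = 'OE_ADM'
AND    sys_priv LIKE '% ANY %'
AND    sys_priv NOT IN ('SELECT ANY TABLE', 'INSERT ANY TABLE',
                        'UPDATE ANY TABLE', 'DELETE ANY TABLE')
ORDER  BY sys_priv, object_owner, object_name;
```

The capture only sees what ran while it was enabled, so period-end or rarely used jobs that were not exercised will be missing from the generated role.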
An Introduction to Design Considerations for a Highly Available Oracle Access Manager Deployment

Robert Honeyman - Honeyman IT Consulting

The use of Single-Sign-On (SSO) and Access Management is an often requested feature when implementing web and middleware applications to improve security and reduce administration. The primary reason SSO is desirable as an Enterprise technology is the centralization of user information and a single login / access control point for many applications. However, once a centralized SSO infrastructure is implemented it becomes service critical for all applications using it. If the SSO infrastructure becomes inoperable then all dependent applications are also inaccessible, so the SSO infrastructure is a potential “Single Point of Failure” for the Enterprise. This means there is a responsibility to ensure resilience and High Availability for an SSO system beyond that of the individual dependent applications.

This article provides an introduction to the considerations required to build a High Availability SSO infrastructure to support Oracle Fusion Middleware deployments. An SSO solution needs to ensure service continuity for all components of the SSO and access control service and associated data repositories. The Oracle product offering for SSO and conventional access control is Oracle Access Manager 11g, subsequently referred to as “OAM”. In case you are not familiar with OAM, I provide a quick summary of the OAM product features and general deployment requirements.

OAM has capabilities beyond a conventional username and password SSO and can support more sophisticated authentication methods such as Security Token, Kerberos, Windows Logon integration and Identity Federation. In order to impose authentication and access control on an application, a resource definition is created in OAM. In the case of a web application the resource would store a URL definition to protect. An authentication scheme is then attached to the protected resource using a policy definition. This would commonly impose a credential verification lookup to an LDAP directory when authenticating, and subsequently authorizing access. A web SSO authenticated and authorized user receives OAM_ID and OAM_AuthnCookie_hostname cookies from OAM to allow them ongoing access to protected resources. OAM stores user session information on the server side, so it is able to ensure user session validity.

OAM supports multi-level authentication and has the ability to create access control policies based on group memberships and user attribute values. These features supplement basic authentication and allow more fine-grained access control to web and middleware application resources. OAM also provides full integration with Fusion Middleware products through Oracle specific SSO features and supports native OAM and legacy Oracle Single Sign-On login agents for older Oracle middleware deployments.

All these features aside, OAM is fundamentally an Oracle Fusion Middleware application and is built in the typical fashion. It is deployed to Weblogic and uses an Oracle Database repository created with the Repository Creation Utility (RCU) to host access control policy data. The other required component for an OAM SSO solution is an LDAP directory to store user identity data, the SSO credentials and user attribute information.

To summarize from above, when considering a High Availability OAM SSO configuration we need to consider the following main components, and their back end data stores:

• LDAP User Identity Store
• Oracle Access Manager

The main options for an OAM User Identity Store are shown in Table 1. The table outlines the differences between the options. For the purposes of this article we specify configuration of a High Availability (HA) Oracle Internet Directory (OID) deployment. OID has adequate HA capabilities and has comprehensive and proven integration options with Fusion Middleware products, including legacy products such as Forms and Reports. The Weblogic Embedded LDAP option enabled by default when OAM is installed is not suitable for an Enterprise HA solution due to its limited scalability. Oracle Unified Directory is specified by Oracle in the latest Enterprise Configuration Guides; however, it is not fully certified with all Oracle Fusion Middleware products at the time of writing.

To achieve High Availability all components need to be configured with resilience. This means thinking about databases, middleware, web servers and connections to all tiers for the high-level components. Multiple targets must be deployed for each tier of these high-level components and connections routed in a resilient manner. This means load balancing and failover is required for all connections to all targets. Some of the sub-components have integrated software load balancing capabilities, others require external or hardware load balancing.

Oracle Access Manager
Table 2 outlines the connections which use load balancing provided by the Oracle Fusion Middleware and Database products. WebGate agents are configured to access multiple Access Server Proxy targets through the OAM Admin Console. Oracle HTTP Server (OHS) connections use a standard Weblogic reverse proxy approach using WebLogicCluster directives. Database connection failover is handled through standard methods appropriate to the connection type.

Table 3 outlines services which require external load balancing. These services are the front-door access to OAM, OID and management services.
Figure 1 illustrates a simplified layout of an OAM SSO solution integrated with OID and a single dependent application. This diagram omits the management services used to configure the “Live” services involved to reduce complexity in the diagram.

The two Oracle Databases OIDDB and OAMDB shown should be configured in Real Application Clusters (RAC) configurations. I will not elaborate on how to configure a RAC cluster here, but will re-iterate the connections from the OAM Weblogic cluster use JDBC whereas OID database connections use TNS. This means that OAM database connections must implement Multi or GridLink Data Sources for connection resilience whereas OID must use Transparent Application Failover (TAF) for connection resilience. TAF can be configured on the client side in tnsnames.ora or, as is now recommended, on the server side as a TAF policy attached to the serving RAC cluster and database.

Once the database requirements have been satisfied we must consider the OID LDAP services to implement the User Identity Store for OAM. Figure 1 shows OID implemented as an Identity Management Cluster denoted by IDM LDAP Cluster contained in IDMDomain. An OID Identity Management Cluster is not a Weblogic cluster. An OID Cluster shares state through the ODS schema held in the OID database, and the OID nodes do not replicate state between nodes directly. As the OID services do not use Weblogic the IDMDomain is not strictly required, but typically management services are also deployed which do require Weblogic. In these typical configurations an OID cluster is registered as an OPMN managed target to the IDMDomain. The management services are Directory Services Manager, Fusion Middleware Control and Weblogic Administration.
The OID LDAP server targets must be load balanced in a round-robin fashion without stickiness and presented through a virtual server denoted by the ldap.mycompany.com box in Figure 1. The following further requirements should be given consideration when implementing a High Availability OID cluster:

• A time service such as NTP to ensure cluster node time synchronization
• Port translation to present the service on industry recognized LDAP ports
• Timeouts at the load balancer and OID level to prevent untimely connection drops
• Disabling LDAP entry caching to preserve data integrity across the cluster

The time service is critical for stable operation and is checked during OID cluster installation so must be configured in advance. NTP deployment is straightforward to implement by a Systems Administrator and does not require further elaboration.

Port translation allows services to run on Oracle default unprivileged ports on OID hosts while still presenting the service on standard registered ports through the Load Balancer. The OID port translation mappings for ldap.mycompany.com are shown in Table 3.

Load Balancer timeouts for the LDAP service may be required by the Enterprise for compliance or operational reasons. If this is the case the OID attribute orclldapconntimeout should be used to set the OID idle timeout to less than the external Load Balancer timeout. This will prevent hard connection drops during quiet periods which could affect service from OID hangs.

OID entry caching is a performance enhancing feature to prevent unnecessary database round-trips. However, as the entry cache is not synchronized across an OID cluster it must be disabled in an OID cluster configuration. To disable OID entry caching set the OID attribute orclcacheisenabled=0.

Having reviewed the requirements for the OAM User Identity Store we must consider OAM itself. The OAM SSO and access control services run as a Java application and are deployed in a conventional Weblogic cluster denoted by WLS oamcluster contained in IAMDomain in Figure 1. The OAM Weblogic application runs the Access Service and Access Agent Proxies and also serves standard content such as SSO login pages.

The OAM cluster implements an Oracle Coherence distributed object cache to replicate shared state across the managed servers in the cluster. The OAM Coherence deployment replicates both configuration and policy changes made from the OAM Admin Console and session state for active user login sessions. This means policy, configuration and session information is always synchronized and up to date across the whole cluster, so failover from one OAM node to another is seamless.

The use of Coherence for cluster replication dictates that clustered nodes should be connected to each other by a high bandwidth and low latency network connection. This means co-location in the same data centre on a Gigabit or better network or possibly a very good cross-site link. This being said there are alternatives for multi-site configurations which are usually preferable.
One exceptional data set that is not replicated by Coherence is initial request data used by OAM prior to a logged on user session being established. This includes original requests to protected URLs to allow re-direction to protected resources after login. By default the initial request data is stored in the OAM Server, but as it is not replicated by Coherence the pre-login session data could be lost in the event of an OAM Weblogic managed server failure. To cater for this eventuality an OAM_REQ cookie can be used to store the pre-login session information. If a managed server fails, data is still available in the user’s browser session. The OAM_REQ cookie is enabled by setting the RequestCacheType to COOKIE in the OAM Admin Console.

As shown in Table 2, load balancing of the Oracle Access Servers is achieved through software; however, an Enterprise HA configuration requires a separate Oracle HTTP Server Web Tier. The Web Tier hosts must be externally load balanced. The following further considerations apply to the OAM high-level component:

• A time service such as NTP to ensure cluster node time synchronization
• Port translation for web tiers to present the service on the industry HTTPS port
• Shared storage for OAM Admin Server domain directories
• OAM Integration with OID as a User Identity Store
• Timeouts from OAM to the User Identity Store
• WebGate to Access Server connection resilience
• Timeouts from WebGates to OAM

The time service requirement is the same as for OID and all multi-node HA configurations. The port translation requirement applies to OAM Web Tier hosts only. Port mappings for OAM Web Tiers on sso.mycompany.com are provided in Table 3.

Resilient shared storage must be used for the OAM Admin Server domain directories for two reasons:

1. The Admin Server needs to be able to start up on any server in the cluster in case of a failure; this is not possible if the storage is hosted locally.
2. The Admin Server domain directory is the master copy, so we do not want to lose access to these files due to a host failure.

OAM Integration with OID is achieved by first configuring OID to operate as an Identity Store using an Oracle supplied script, idmConfigTool.sh for UNIX derivative operating systems. This script loads OID schema objects required by OAM and sets up user accounts to manage the OAM Admin console and provide an OAM access account to connect to OID. The OAM access account to OID is privileged but not a super-user for security reasons.

After OID has been prepared as an Identity Store it needs to be created as an Identity Store in the Data Sources section of the OAM Admin Console. The load balanced ldap.mycompany.com OID cluster VIP and the OAM access account cn=oamLDAP,dc=mydomain,dc=com should be used to connect to OID. At this point the OID User Identity Store should be set as the Default Store and System Store for administrator credentials. Finally, to set OID to be used for user credential searches, the LDAP Authentication Module must be changed to use OID as the Identity Store instead of the Weblogic embedded LDAP server.
The Identity Store definition page in the OAM Admin Console provides configurable timeout settings for OAM’s connection to the OID User Identity Store. In the single-site example presented here there is no secondary Identity Store and High Availability is provided through the OID cluster and Oracle RAC. Nevertheless it may be worthwhile setting some of the timeouts, as waiting indefinitely for a response may not be desirable as it may increase the load on a stressed or failing service. The following settings allow control over Identity Store wait times and operations:

• Wait Timeout: places a time limit on obtaining a connection
• Results Time Limit: limits the length of time for an Identity Store operation

The diagram in Figure 1 shows an integrated web application with a WebGate Policy Enforcement Point module installed on the web server. The WebGate in this example must be registered with OAM either through the OAM Admin Console or using another Oracle supplied tool called RREG. The RREG tool uses XML configuration files to configure WebGates and associated protected resources from the command line.

The point to note here is that to achieve High Availability a WebGate must be configured to load balance and failover requests to multiple Access Servers in oamcluster. This is achieved through specifying multiple OAM servers in the WebGate configuration using a combination of primary and secondary servers. Typically servers in the same oamcluster should be specified as primary servers to the WebGate. Secondary servers are only invoked on failover as a result of the Failover Threshold being reached.

The amount of time a WebGate waits for a response from an Access Server is also configurable in the AAA Timeout Threshold setting. In some situations it may be worth setting this timeout to avoid long pauses with a WebGate waiting for a TCP timeout where an Access Server has failed.

This article has explored some of the considerations and requirements for a Highly Available Oracle Access Manager SSO solution, using Oracle Internet Directory as the User Identity Store. Oracle Access Manager is a product with many applications and configuration possibilities, and High Availability configurations are inherently complex. As a result there are many more options, aspects of OAM configurations and related topics which I hope to cover in future.

Robert Honeyman
Honeyman IT Consulting
Oracle WebCenter Experts Complete the IT Puzzle

Troy Allen - TekStream

Remember those rainy days when we were kids, nothing to do, can’t play outside unless you want to get drenched and muddy (I’ll admit, there were plenty of rainy days when that was just the ticket)? Puzzles were always a great alternative to having to wash the mud out from behind your ears, and I loved them. The only problem I had with puzzles was finding the right piece to start with. I’d look at the picture on the box, try to organize all the pieces, grouping them by putting all the ones with an edge together, all the ones that looked like clouds together and so forth. The bigger the puzzle, the more planning I had to do. Nowadays, my puzzles don’t include cardboard cutouts but computers and software that have to be organized and connected in just the right way to make the picture of an IT director’s vision come to life.

Designing the infrastructure for Oracle’s WebCenter products can be a daunting task for IT organizations new to the technology, or even to experienced 10G administrators wishing to deploy Oracle WebCenter 11g. Even those who are familiar with WebCenter 11g must discover the hidden surprises brought about by the latest Dot 8 release of the product set. It is a puzzle, figuring out what parts fit together and how they work to communicate, and it can be difficult to find that one piece to start out with.

While there are many products under the WebCenter banner, this article will focus on the latest release of WebCenter Content with some highlights on WebCenter Portal. Oracle has written hundreds of pages on how to implement the Oracle WebCenter product set, and I’m not going to dig into all the details that they have already disclosed. Instead, I think it’s more valuable to focus on overviewing the elements of the infrastructure, key decisions that need to be made, exploring some of the hidden gotchas that come with the product set, and providing some ideas that can help to make your implementation go more smoothly.

Oracle WebCenter
Puzzle Elements

The basic elements of the WebCenter puzzle can be broken down into hardware, network, security, and software. They are all dependent upon each other, but part of putting the puzzle together is looking at each one separately as well as how they fit into the larger picture. WebCenter Content and WebCenter Portal both require, at a minimum, database, file store system, security application (unless using what comes with WebLogic Server), application server, web tier, and the WebCenter application. While some of these applications and software elements can run together on the same servers, it is generally best-practice to have them separated out. The following is a standard WebCenter reference architecture provided by Oracle.

The reference architecture calls out several elements, but at its basic level, it notates database, network, security, and software.

WebCenter supports several varieties of database. You should check out the supported type and version for the specific versions of WebLogic Server and WebCenter Content/WebCenter Portal you will be deploying. Specs for WebCenter Content can be found here: http://www.oracle.com/technetwork/middleware/webcenter/content/oracle-ecm-11gr1.xls.
  39. 39. Specs for WebCenter Portal and WebLogic Server can be found here: http://www.oracle.com/technetwork/middleware/downloads/fmw-11gr1certmatrix.xls WebCenter also supports several different operating systems and versions. Ensure that the operating system of choice matches those listed in the above certification matrices provided by Oracle. Determining the hardware requirements for all the software elements can be tricky. For the database, keep in mind that unless you are planning to store files as blobs within the database, most of the data transactions will be for metadata storage, system detail and logging, and for searching. Storing content outside of the database usually represents a smaller database footprint. Sizing against WebCenter Content/Portal, in this case, should be based on the expected searches that users will be performing. The database should also be configured for RAC or GRID. Sizing hardware for WebCenter Content and WebCenter Portal is usually based on the number of transactions expected at any given time. Understanding the use cases of your systems and the volumes of user interactions will be critical. As a general rule, 40 to 50 transactions per second per CPU per GHz is a good rule-of-thumb for sizing WebCenter applications. Network and inter-application communication plays a large role in constructing the WebCenter puzzle. WebCenter relies on communication to security applications, application server(s), other WebCenter products, and user access. In most cases, SSL encryption is supported and can be configured for outside server access as well as inter-application access. Communication ports are also configurable (even though most installations utilize out-of-the-box ports). One of the largest gotchas in the overall network for WebCenter is file system access rights and permissions. There are many interactions between the WebCenter products that require file system access and this should be planned out in advance of any installations. 
Both WebCenter Content and Portal allow administrators to either use the built-in security that comes with WebLogic Server, or to utilize a third-party security application like Oracle’s Identity Management or Microsoft’s LDAP services. When deploying WebCenter Content and WebCenter Portal to create a single user application, it is best to deploy with Oracle Identity Management or Microsoft LDAP. Single Sign-On (SSO) is also a key factor to make the user experience of the application as smooth as possible. While there are many options for SSO, WebCenter is an Oracle product and requires less “configuration” when using SSO provided by
  40. 40. Oracle products. Configuring Kerberos and SAML can be a challenge at times. WebCenter Content has several elements that make up the overall application including refinery services for content conversion, imaging for document capture from fax and scanners, and multiple components that can be turned on including Records Management. WebCenter Portal provides two primary options for operation, Spaces and Portal. Understanding the overall use cases of the system you are piecing together will help to determine what portions of the products should be enabled. Some features, like enabling PDFConverter on WebCenter Content, require that the Inbound Refinery (also referred to as the Conversion Server) runs on Windows to support cVista’s PDFCompressor. Reviewing the Installation and Configuration guides for the WebCenter products (found here http://docs.oracle.com/cd/E29542_01/index.htm) can help determine the appropriate operating systems of the hardware it will be installed on. WebCenter Content Dot 8 (11.1.1.8) provides some new features that will impact the servers, security, and network aspects of the overall puzzle. Dot 8 introduces a new WebCenter UI based on ADF (Application Development Framework) that makes it a necessity to utilize a security application outside of WebLogic Server.
  41. 41. Key Decisions The following decisions, among many that need to be made, will help in determining what puzzle pieces are needed and how they will ultimately fit together. • Decide on the Products: Based on established Business Requirements and Use Cases, align the appropriate WebCenter products and features to ensure needs are being met. • Decide on the Hardware: Based on the selected WebCenter products and features and how the system will be utilized, first determine the types of environments that will need to be configured (Development, QA/Testing, Production, Disaster Recovery). It will be important to determine what environments (if any) will be configured for clustering to support Highly Available and Highly Reliable access to the application. The WebCenter products and features may dictate what operating systems will be required and this should be included in the decision tree. • Decide on the Database: Some companies rely heavily on Microsoft database applications and are not comfortable with Oracle database products. While WebCenter does support Microsoft as a database platform, there are some considerations that need to be made. Using Microsoft database with WebCenter Content means that you will be limited to using Database Full Text for searching. While this is a valid search option, it does require that the index be completely rebuilt whenever new metadata fields are introduced; this can take considerable time to complete if there are a large number of documents in the repository. Other considerations include some of the features that Oracle database provides, and have been tested against WebCenter, such as encryption at rest for metadata and content, database clustering (RAC and GRID), and de-duplication (removing multiple copies of the same file). 
• Decide on a Security Application: In most cases, it is best to utilize an external security application to support single user management across multiple instances of the WebCenter products as well as making it easier for SSO configuration. While third-party applications can be utilized successfully, Oracle tends to provide the greatest amount of support for Oracle-on-Oracle applications.
  42. 42. Final Thoughts – Completing the Puzzle The only way to really make sure that you get all the pieces together, get them sorted, line them up, and put them together to finish the WebCenter puzzle is to Analyze, Investigate, and Document, Document, and Document. Analyze your requirements fully. Understand what the end game of the application is meant to be and ensure that you have all the details available. Investigate all the options that are available to you from an infrastructure and software perspective to ensure that you have a configuration that will enable the outcome of your analysis. Document your findings. Document every step of the way and utilize revision controls so that you can look back on where you came from and where you wound up. Make notes along the way as to why certain decisions were made (this will help you down the road especially when you expand or upgrade your systems). Document your final solution BEFORE you implement it. This will give you a dry run on paper (with logical and technical diagrams, process flow charts, and requirement matrix). It is more cost effective to walk through the process and catch the obvious issues than to perform a full install only to find major issues while performing the beginning steps of the solution’s deployment. One additional note that can make a huge difference: Get an extra set of eyes and hands on the project. Even if you have already deployed WebCenter and are just doing an upgrade, this isn’t something that most people do day-in and day-out. Find resources that only focus on WebCenter applications and understand all the “undocumented features and gotchas” that come with enterprise level applications. The cost upfront will save you big money in the maintenance and support of your solution in the years to come. Troy Allen TekStream
  43. 43. Maturity of Service Oriented Architectures Douwe Pieter van den Bos, Ome-B.nl Creative Software Solutions Introduction Service Oriented Architecture, SOA, helps organizations become more agile and flexible and can reduce the cost of ownership of the landscape. SOA certainly can help mid-sized and large organizations to get more control over their architecture, while creating opportunities in the business field. However, there are some big challenges that are to be met. Because SOA is not only a way of working in the IT domain, the whole organization needs to be on track. Like all architectures, Service Oriented Architecture has a maturity. Some organizations are very SOA-aware and the entire organization is built on the principles of the architecture, other organizations are just starting out and have only implemented a Service Bus. Knowing what steps to take in the future can provide valuable insights for both technology and business sponsors in the organization. In short: SOA-Maturity is a keen way to scope the next steps in further development (maturing) of the entire organization in becoming more and more agile and flexible. SOA-Maturity: Why? Knowing where you stand and where you’re heading can help in a lot of ways. All organizations are very busy working on IT-programs, business enhancement initiatives and alignment projects. But where do we stand? And what investment is the best effort to make? Using SOA Maturity Models we answer a few essential ‘Why?’s for any organization. Complexity. Service Oriented Architectures are complex. To get insight into the complexity of an organization we need to know its ambitions and vision. This helps us to define where we’re heading and how complex (and therefore costly) the road ahead is. Future-proof. For members of the board there is no disappointment larger than realizing that large investments were invalid. 
When we know the maturity and road ahead of the organization’s architecture, we can define what steps are to be taken, and how future-proof they are. Taking into account the age and agility of all dimensions of SOA (from IT infrastructure to maintenance organization structures) we create a clear view of the sustainability of the environment. Roadmap. Using the SOA-Maturity approach we create a clear and feasible roadmap of further development. This helps us to define the necessary next steps in the further growing up of the organization. The roadmap, as a final product in the maturity assessment, shows where to invest, and where not. $’s and €’s. Eventually, it all comes down to numbers. Knowing the roadmap for further maturing the organization’s architecture gives insight into what investments are necessities, and what are mere wishes. In other words: we now know how to put our money where it’s worth. Service Oriented Architecture
  44. 44. SOA-Maturity Models There are various models available to measure SOA-Maturity. Two of them are used widely and have their own pros and cons. There’s an extensive model that is published and maintained by The Open Group (the same organization behind TOGAF) and there’s a model that Oracle uses itself. In the table below the differences of the models are explained. That said, despite the differences, both models are quite similar. And for both models it’s important to use the part necessary for the task at hand. The Open Group model (OSIMM) is very comprehensive but if you use the parts that you need it offers a lot of flexibility and maturity as a model itself. The Oracle model on the other hand is fairly understandable, but might be a bit too simple for very complex environments. And, of course, both models can be combined, just as you want. Figure: The Open Group Service Integration Maturity Model (OSIMM) ©The Open Group. Although we discussed two different models, both work the same. They both use various measurements: Dimensions of SOA: technology and organization. These dimensions – like IT-infrastructure, information, governance, project management, etcetera – ensure that the measurement is not only done on the technology side of things. Indicators: level of SOA-maturity. All models work with various indicators to know on what level of SOA-Maturity an organization is. These indicators give insight into the maturity level – like no SOA, Ad Hoc, opportunistic, systematic, managed and optimized – the organization is on or the level it wants to be.
  45. 45. Level of adoption. The level of adoption of SOA-principles tells a lot about the maturity and is a very important indicator of the level of SOA-maturity. These levels – such as only adoption on project level or organization wide adoption of the most important principles – offer insight into how the principles are embraced by the organization. Figure: The Oracle SOA Maturity Model ©Oracle. But most important: SOA-Maturity Measurement is an assessment. It’s a process that needs to be done with the right people, with the right will. It’s not something you can do on your own, without backup from the organization (although you will know that the level of adoption is quite low). SOA-Maturity Measurement SOA-Maturity Measurement is an assessment. This means that it is a process that involves various stakeholders, multiple actors, different dimensions and – especially – loads and loads of questions. The process of SOA-Maturity Measurement is as follows. Figure: The SOA-Maturity Measurement process. First we need to know what the surroundings look like. Therefore we need to identify the dimensions and to identify the stakeholders. Looking at Identify the Dimensions, we have a fairly comprehensive model to take into account. In the Oracle SOA-Maturity Model we see 8 dimensions, in The Open Group OSIMM model we can identify 7 layers / dimensions. These are all fairly similar although Oracle recognizes projects and portfolios as a separate dimension. This is actually pretty smart, since we have to take into account that it is possible that the environment is changing as we speak. Plus the way projects are governed is of interest to us in this stage.
  46. 46. Figure: The 8 dimensions in the Oracle SOA-Maturity Model ©Oracle. When we are identifying the stakeholders we have a few helpful models in place. The RACI-table is the most important one here. Using the ‘Responsible, Accountable, Consulted, Informed’ method we can quickly identify – per dimension – who the main stakeholders are. This can help with the workshop that will give understanding of the current state and the future vision of the organization architecture. During the Assess Current State phase we have to investigate what the current state of the architecture is. Beware of some ‘nice-weather’ answers you might get because some of the stakeholders might not benefit from the (cold) truth. But that said: per dimension there are questions in place that can be asked. Especially in the Open Group OSIMM model there are extensive questionnaires available to assess this state. With the answers being provided – either during a workshop or during various interviews – we can use indicators to determine what the current state is. In the OSIMM model we see a comprehensive list of what indicator and what attributes combined give a certain maturity level. Figure: Example of maturity indicators in the OSIMM model ©The Open Group. Of course, the most fun part is to Define the Future Vision on Service Oriented Architecture. But this is also the trickiest part. It happens more than once that an organization forgets essential stakeholders, or that organizations define a future vision that is not realistic. So there’s a nice challenge. Because we don’t want to be too ambitious, but we also do not want to be too laid back about the things we want to do in the future. This because we really want to work and need things to do. When we’re looking at the future vision take into account where the organization as
  47. 47. a whole wants to stand in relation to Service Oriented Architecture. Especially the OSIMM model works very well in this case since the relation to TOGAF is a very natural one. Defining the future vision is ongoing work for an organization itself. However, it is possible to create enough insight into the matter within one intensive workshop as long as the most relevant stakeholders are participating and willing. When we have a clear view on where we stand (Assess Current State) and know where we want to go (Define Future Vision) we can learn what the gap between those places is. During the GAP Analysis we create the view on where most of the work is to be done. This is the first step in which we learn where we should put our money. Figure: Example of a GAP Analysis in a graph. Using the insights we got during the GAP Analysis we can Identify Activities we need to do in order to fill the gap. These activities need to be addressed to stakeholders and have a clear goal, purpose and date. All activities should follow SMART (Specific, Measurable, Assignable, Realistic and Time-bound). Another method that is used a lot in the Scrum Development method is also practical to use: INVEST. This stands for: Independent, Negotiable, Valuable, Estimable, Sized and Testable. Especially within an Agile development environment this might help. In this article I will not go further into this method, since it is very Scrum specific. Create Roadmap When we have done our SOA-Maturity Measurement we have enough ammo to create a roadmap. The Roadmap helps us make the right decisions and offers us insight into the projects that need to be done in order to grow as an organization. During this phase there are a few things to bear in mind. - Steps in a roadmap always follow a certain order. Beware of this when you are shuffling the steps to take. 
- Always have in mind which activities are adding actual value, which offer nothing but constraints and which can be seen as mere wishes from one or two stakeholders. - Order the activities. Not at random but by the value they add to the organization as a whole. - Prioritize. Therefore you will need to add numbers to the activities. Think about the entire sum of things: this means both the necessary effort and the value it brings.
  48. 48. Conclusion SOA-Maturity Measurement is an effective way to keep on track and to see what needs to be done. It offers organizations a complete view of and insight into the way the organization is developing itself. Using various tools, the right stakeholders and smart questions it is possible to answer questions about the further development of your Service Oriented Architecture within the span of one day. Douwe Pieter van den Bos Ome-B.nl
  49. 49. The World According to Oracle – Oracle OpenWorld 2013 and beyond Lucas Jellema - AMIS What the short, mid and long term plans of Oracle Corporation are is interesting for many stakeholders. Among these are industry analysts, Oracle’s customers, partners, competitors and of course the hundreds of thousands if not millions of technical specialists whose daily livelihoods depend on Oracle. Communications about these plans of Oracle as well as living proof of the execution of those plans are ongoing. Every week brings press releases, product launches and roadmap updates. However, the best time of the year to get a complete overview of where Oracle stands and is going, is during the Oracle OpenWorld conference. For close to a week, Oracle staff from all ranks and across all product offerings present, outline, demonstrate, defend and launch statuses and plans, roadmaps and decisions, new acquisitions and classic products. One week in September to get up to speed with Oracle’s plans and actions. This article summarizes status and future for many parts of the Oracle technology stack, based on the official and informal news, gathered during Oracle OpenWorld 2013. What was said, what was intended, what was carefully omitted and what could be read between the lines has been assembled into this one overview. The article however opens with a discussion about three major transitions – substantial course changes for that red super tanker called Oracle. These transitions dictate much of what is going on in Redwood Shores – that will impact many different products, Oracle’s position in various markets and the overall way customers do business with Oracle. The three transitions discussed here are not specific to Oracle – most of the IT industry and its customers face or will face similar challenges. Nor is Oracle necessarily the first to handle these challenges. In fact - as may be expected from super tankers – Oracle cannot rapidly react to quickly emerging trends. 
When we look at the curve of technology (innovation) adoption, Oracle hardly can be considered an innovator. It may sometimes be an early adopter on the left side of the chasm, frequently it will be on the right side of that chasm. In terms of spending your investment dollar wisely, that is not necessarily a bad place to be. However, it usually means that you are a little late in each new game and have to try to catch up with the other players [or simply catch one of them]. Figure: Oracle is not well positioned to be a true innovator; it frequently does well as early adopter Oracle OpenWorld
  50. 50. Of course when Oracle starts to play in a certain area, it usually means business. The tanker may not react quickly, but its momentum is huge. Oracle states that it wants not only to provide the full stack and mutually integrated platform components but also products that are best in class – a phrase that seems to replace best of breed. This means that when a selection is made for a specific product – be it an RDBMS, a service bus, an enterprise content management system or an Identity & Access Management solution – the Oracle product should be one of the top options, even without the added benefits of the complete stack. Oracle products have to be leaders, firmly positioned in the Gartner Magic Quadrant – shown below. Figure – Oracle’s products should be best in class, firmly positioned in the leader quadrant. Oracle’s ability to execute is usually high – based on the breadth of the company portfolio and the size of its R&D budgets. Development of a vision – that both does justice to the specific product or technology trend at hand and fits in with Oracle’s overall strategy and stack – can sometimes take a little longer. More an Early Adopter or Early Majority than an Innovator. Sometimes however, Oracle does act on the cutting edge. For example by setting up a group that is relatively independent of the organization hierarchy and traditional lines of budget and control, such as is the case with the Oracle Application User Experience team. Or by having the innovation take place outside of Oracle and then acquiring the innovator. This phenomenon occurred dozens of times over the last decade (to name just a few: KSplice, Collaxa, Oblix, Moniforce, Nimbula, Xsigo Systems). Of course in some core product lines, Oracle drives the innovation itself – such as in relational database technology. Three transitions at Oracle drive many of the product roadmaps, providing the undercurrent for basically anything being planned, developed and rolled out. 
Three transitions that Oracle has embraced, made part of its strategy and should ensure the continued cornering of the magic quadrant. 1. Desktop => Mobile An increasing number of enterprise users has an increasing percentage of its interaction with enterprise systems not through a connected desktop PC or laptop with full screen browser but instead through a variety of different “any-time any-place” devices including but not limited to smartphones and tablets. This has huge implications for the user
  51. 51. experience, software delivery, security, data synchronization, back-end infrastructure and many more aspects. Oracle focuses on the enterprise market; it will not target consumers directly. However, we see a blurring of the traditional line between pure internal corporate users and external agents. The internal users may be part of the enterprise, however when they use their own device on a location of their choosing, they are not all that internal anymore. Additionally, many organizations invite business partners, temporary workers, customers or citizens to interact with their enterprise systems through web sites and other channels – tracking their orders, self-servicing their account and even participating in business processes. These outsiders are hard to tell apart from employees that roam about. Oracle has made mobility – or multi-channel interaction - even more prominent in its directions forward. Not just the tools to create user interfaces that run in on-device browsers but also the back-end infrastructure required to run scalable mobile (multi-channel) applications. Part of the latter is the Oracle Mobile Cloud Service that was announced. The Oracle Mobile Cloud Service provides a proxy – which can be cloud based or on-premises – that all mobile devices connect to. This proxy provides various services such as caching, enrichment, authentication and authorization, format and protocol adaptation, that are typically required to support enterprise grade mobile apps and that are largely stateless. The Oracle Mobile Cloud Service proxy mediates between all the mobile devices out there in the world and the internal enterprise systems. Mobile devices do not directly access the enterprise systems. Security is a major component of the mobile revolution. Authentication and single sign on from external devices by users with varying clearance levels in much larger numbers than just the employee head count is an interesting challenge. 
Security of data on devices outside the security perimeter of the enterprise is another consideration. Oracle announced support in its Identity and Access Management Suite for both these challenges, including management of secure containers on bring-your-own-devices that hold the enterprise assets and have a form of remote management that is compliant with privacy laws. Oracle does not want to get into platform specific, native mobile apps. However, it has a need for cross-platform mobile applications that can also run in off-line conditions. Such apps are provided with middleware products like BI Foundation, BPM and WebCenter Content and for many elements of the Applications portfolio. The technology Oracle uses for the development of these mobile applications is currently called ADF Mobile, based on Apache Cordova (aka PhoneGap). This technology may shortly be rebranded to Oracle Mobile Development Framework – or something of that nature – perhaps in conjunction with the Mobile Cloud platform that was mentioned before. REST An important part in the support for the variety of channels and devices Oracle strives for is broad REST (Representational State Transfer) & JSON (JavaScript Object Notation) support. RESTful services have become the de facto standard for the interaction between modern user interfaces running either as HTML5 in browsers or as native
  52. 52. apps and their enterprise back end. These services are invoked over HTTP using relatively simple messages and the basic verbs available in HTTP (GET, POST, PUT, DELETE providing CRUD on resources) – usually with JSON as the data format structure, as the compact and native browser alternative to XML. Support for REST and JSON has become a common theme across many components of the Oracle technology stack. Some examples: the Mobile Cloud Service and other cloud services from Oracle expose RESTful APIs that can be consumed by mobile devices. Oracle’s SOA Suite is currently being enhanced with support for RESTful Web Services that speak JSON. The Oracle Database is being extended to support JSON in a way that is similar to the support for XML(Type). ADF can consume RESTful/JSON based services as of 12.1.2 (July 2013). The next release of ADF (12.1.3, sometime in the first half of 2014), is expected to also allow easy publication of RESTful/JSON services from the ADF BC framework. Coherence 12c exposes RESTful APIs for retrieving and manipulating data. Products such as WebCenter Content have had support for RESTful APIs for some time and other products follow that lead. Shortly, most administration actions we can perform on WebLogic through WLST will also be available through RESTful APIs. User Experience – simplicity, mobility and extensibility Different channels, devices and user groups require diversity in the user experience. The enterprise user of the last decade typically accessed user interfaces from a browser running on a desktop using a keyboard and a mouse. Most applications were designed with power users in mind, focusing on a wide scope of functionality. The users interacting with the enterprise systems of today and tomorrow do that in a variety of ways, including touch devices without a keyboard such as tablets and smart phones. Most of them will typically require only a small percentage of the full functional breadth of the application. 
Oracle has made a bold statement: it wants to lead in the area of User Experience. It has put together a strong team that explores user experience in an out-of-the-box manner, embracing new technologies such as voice capture, Google Glasses and modern media traits such as info graphics and eBooks including multimedia. This UX team will lead the way for all Oracle products in terms of how their user experience should be designed and implemented. Note that anyone can benefit from their ideas and processes using resources on their public website: usableapps.oracle.com. One important statement coming out of the UX team is that Oracle’s Applications should keep the 90:90:10 ratio in mind: 10% of functionality that 90% of the users need for 90% of their interaction. This can be translated for example to a very attractive, very accessible, largely read only layer that is wrapped around the core power user parts of the applications. This layer exposes key information in an intuitive way, allowing for very easy navigation and providing the starting point for drilling down into core areas where more complex data manipulations are available. Self Service is an important topic supported in this layer: opening up application functionality for new user communities that only need access to specific parts, information and actions. These users should not require training to use the application and should have an intuitive experience such as they get on an iPad and other tablets. This approach is implemented (under the name Fuse) in the Release 7 implementation of Fusion Applications HCM – heavily using the ADF components Spring
  53. 53. Board, PanelDrawer and Vertical Tabs. The mantra simplicity, mobility, extensibility very concisely summarizes the philosophy of the User Experience team. Mobility in this case states that the user interfaces are designed to support various channels and devices (mobile – smart phone, small tablet, large tablet - and desktop browser for the power user). Design of the user experience will start from the tablet – screen size, form factor, touch and gesture – to create the UI taking centre stage in the 90:90:10 approach. HTML5 is an important factor in the actual implementation of the tablet user interface. Extensibility refers to the ability for end users to change the appearance and the behavior of applications and even of business logic and -processes. This functionality available in the browser mimics to a certain degree the behavior of the design time IDEs. Examples are the Page Composer, Report Composer and Data Composer used in Fusion Applications, WebCenter Portal as a whole and the BPM Process Composer through which business processes can be designed and modified. 2. On Premises => Cloud Organizations will rapidly be using IT assets that they do not completely control themselves. The times of on-site data centres where all enterprise data and applications reside are gone. Before long, the vast majority of enterprises will have a mix of on-premises and public cloud-based applications and infrastructures. Drivers include elastic scalability, reduced upfront investment, quick deployment, outsourced administration and reduced around-the-world network latency. Supporting efficient and secure administration, migration and integration are among the greatest challenges.
  54. 54. All software from Oracle should run both on-premises and in the cloud. The capabilities of the Oracle infrastructure components should also be made available through cloud services. Oracle wants to provide a complete cloud stack – including IaaS, PaaS and SaaS offerings – as well as enable enterprises to run their own private cloud infrastructure. The essence of the cloud is multi-tenancy and elastic scalability, quick start-up time and pay for real usage. Through efficient usage of machine and human resources, the cost of cloud services can be very competitive as opposed to dedicated, decentralized alternatives. Moving components from on-premises to cloud or vice versa should be painless: the infrastructure and the platform in the cloud should be the same (so far as possible) as on-premises. That is the strategy that Oracle is currently working on. New in Oracle’s view on the Cloud is the acknowledgement of the third party public cloud. The collaboration with Microsoft that offers images with Oracle Database and WebLogic Server on the Microsoft Azure Cloud (on Windows or on Linux) is an example of this. Customers can either bring their own license or acquire a pay-as-you-go license. SaaS In the SaaS space, Oracle’s cloud offerings are the most tangible. Fusion Applications were published as cloud service fairly early on and Oracle acquired a number of established SaaS providers to further boost its SaaS portfolio and market share. These include Taleo, Eloqua, RightNow, Compendium and BigMachines. In the spring of 2013, Fusion Applications ERP offerings in the Oracle Cloud were extended with Oracle Financials Cloud, Oracle Procurement Cloud, Oracle Project Portfolio Management Cloud and Oracle Supply Chain Management Cloud. These ERP services along with the HCM services will be integrated with Salesforce – as was announced in June.
Figure: overview of Oracle’s (intended) cloud portfolio PaaS Platform as a Service offerings make elastically scalable database and application server capacity available from providers to remote consumers. Oracle’s PaaS services expose the Oracle Database, WebLogic Server and other Fusion Middleware facilities to consumers. Until Oracle OpenWorld 2013, only the Java and Database Service were live. These offer limited access to a WebLogic Managed Server and an Oracle Database schema. During Oracle OpenWorld 2013, Oracle announced new PaaS services: Database Instance as a Service and WebLogic Server as an instance.
