Oracle Fusion Middleware Infrastructure Best Practices

Arun Reddy
Technical Director
Raastech
Oracle Fusion Middleware
Infrastructure Best Practices
Schoolcraft College – Vistatech Center
Room Vt460
November 13, 2013
2:05pm – 2:50pm
© Raastech, Inc. 2013 | All rights reserved. Slide 2 of 34raastech.com
About Raastech
- Systems integrator founded in 2009
- Headquartered in the Washington DC area
- Specializes in Oracle Fusion Middleware
- Oracle Gold Partner & Reseller
- Oracle SOA Specialized
- Certified staff in multiple disciplines
  - OCE, OCA, OCP, ITIL, CISSP, PMP, etc.
- Continued contributions to the technology community
  - Sponsor and volunteer of numerous users groups
  - Ongoing publishing of books, articles, whitepapers, and blogs
  - Regular presenters at major conferences
About Arun
- 14+ years of Infrastructure Administration
- Focus on Oracle Fusion Middleware infrastructure implementation, Security, High Availability, and Disaster Recovery
- OCA, ITIL, PMP Certified
- Active WMOUG member/presenter
What is this presentation about?
- For Oracle Fusion Middleware administrators
- Covers common infrastructure best practices for:
  - Installations
  - Patching
  - Administration
  - Deployments
  - Security
Why do I need it?
- I want to reduce the OWFM infrastructure maintenance because I’m tired of opening change requests/change controls
- To know what I can do differently for my OWFM infrastructure to make it more stable and highly available
- Is there anything that I’m not doing right with my installations, patching or deployment?
- I don’t want my phone to ring when I’m watching the Lions game or Breaking Bad
- “I think the presenter is cool.” My n
Overview
Understanding Oracle Fusion Middleware
- “Oracle Fusion Middleware” is a misleading term
- Used to describe middleware products such as:
  - Business Intelligence (e.g., OBIEE, Discoverer)
  - Integration (e.g., SOA Suite, OSB)
  - Identity Management (e.g., Oracle Access Manager)
  - Monitoring (e.g., OEM Grid Control)
- But usually used to describe a single product:
  - WebLogic Server
WebLogic Server: Foundation for Fusion Middleware
- WebLogic Server is the core foundation of all Oracle Fusion Middleware products
[Diagram: OEM Grid Control, OBIEE, Access Manager, SOA Suite, WebCenter Portal, and Data Integrator stacked on top of Oracle WebLogic Server (Clustering – JNDI – Resource Adapters – JDBC – Security – Self Tuning)]
Oracle WebLogic Server
- At a glance:
  - Java application server
  - Acquired from BEA
  - Replaces Oracle Application Server 9i/10g
  - Required for almost all Oracle Fusion Middleware products
- Current releases:
  - Oracle WebLogic Server 11g (10.3.6)
  - Oracle WebLogic Server 12c (12.1.2)
Note: Majority of OFM products are not yet available for 12c
WebLogic Server Architectural Considerations
- Typically fronted by WebTier/OHS/Apache
- Requires JDK (Sun JDK, JRockit, or new JDK7)
- Requires shared filesystem for cluster (in 11g) for tlogs
[Diagram: a hardware load balancer in front of three WebTier instances, three WebLogic Server instances, and a shared file system. Callouts: single AdminServer to administer entire cluster; Node Manager runs on every server.]
WebLogic Server 12c New Features
- Certified with JDK7
- Zip distribution is only 164 MB
- Supports Java EE 6
- T-Logs can now be database persisted (no shared file system needed)
- Improved high availability, performance, and disaster recovery
- 200+ new features
Installations
Operating System Tuning Parameters
- Proper OS tuning improves system performance by preventing the occurrence of error conditions.
- Below are some key parameters to consider:

| O/S | Parameter | Default | Proposed |
|---|---|---|---|
| Linux | tcp_fin_timeout. By reducing the value, TCP/IP releases closed connections faster, providing more resources for new connections. | 60 | 30 |
| Linux | Backlog connections queue (tcp_max_syn_backlog). When the server is loaded or has many clients with bad connections, it can result in an increase in half-open connections. | 1024 | 4096 |
| Linux | File Descriptors (open files) | 1024 | 4096 (32bit), 8192 (64bit) |
| WIN2008 | MaxUserPort. Under heavy loads it may be necessary to adjust the MaxUserPort. This parameter determines the availability of user ports requested by application. | 16383 | 65532 |
| WIN2008 | Set the power option setting to “High performance”. With High Performance power scheme, processors are always locked at the highest performance state. | Balanced | High Performance |
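To compare a Linux host with the Proposed column, the following added example (not part of the original slides) reads the two TCP settings from /proc/sys and checks the open-files limit. PROC_ROOT, the script name and the function names are assumptions introduced here.

```shell
#!/bin/sh
# Added example: audit a Linux host against the "Proposed" column above.
# PROC_ROOT is an assumption of this sketch; it lets the check read a copy of
# /proc/sys (useful for testing) instead of the live kernel settings.
PROC_ROOT="${PROC_ROOT:-/proc/sys}"

# check_kernel NAME RELATIVE_PATH OP PROPOSED
#   OP is "le" (value should be at most PROPOSED) or "ge" (at least PROPOSED).
#   Returns 0 when compliant, 1 when not, 2 when the value cannot be read.
check_kernel() {
    ck_file="$PROC_ROOT/$2"
    if [ ! -r "$ck_file" ]; then
        echo "SKIP $1: $ck_file not readable"
        return 2
    fi
    ck_have=$(cat "$ck_file")
    if [ "$ck_have" "-$3" "$4" ]; then
        echo "OK   $1 = $ck_have"
        return 0
    fi
    echo "FAIL $1 = $ck_have (proposed: $3 $4)"
    return 1
}

# check_nofile LIMIT BITS
#   LIMIT is the open-files limit (ulimit -n) of the account that runs
#   WebLogic; BITS is 32 or 64. The table proposes 4096 and 8192 respectively.
check_nofile() {
    if [ "$2" = 64 ]; then nf_want=8192; else nf_want=4096; fi
    if [ "$1" = unlimited ] || [ "$1" -ge "$nf_want" ]; then
        echo "OK   open files = $1"
        return 0
    fi
    echo "FAIL open files = $1 (proposed: ge $nf_want)"
    return 1
}

# audit_kernel: run both TCP checks; the return code is the number of checks
# that did not pass (unreadable values count as not passed).
audit_kernel() {
    ak_bad=0
    check_kernel tcp_fin_timeout net/ipv4/tcp_fin_timeout le 30 || ak_bad=$((ak_bad + 1))
    check_kernel tcp_max_syn_backlog net/ipv4/tcp_max_syn_backlog ge 4096 || ak_bad=$((ak_bad + 1))
    return "$ak_bad"
}

# Run as the WebLogic OS user so that ulimit -n reflects that account:
#   sh os_tuning_audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    rc=0
    audit_kernel || rc=1
    check_nofile "$(ulimit -n)" "$(getconf LONG_BIT)" || rc=1
    exit "$rc"
fi
```

To make the proposed values persistent, set net.ipv4.tcp_fin_timeout and net.ipv4.tcp_max_syn_backlog in /etc/sysctl.conf and the nofile limit for the WebLogic account in /etc/security/limits.conf.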
Separation of Binaries and Config
- Dedicated user and shared group for installations
- Separate the binaries in the Fusion Middleware Home from the Configuration directories
  - The binaries include the Oracle WebLogic Home, Oracle JDK, Coherence binaries and any required Fusion Middleware binaries (files/directories are mostly read)
  - The Configuration directories include all Domain homes, application files and nodemanager configuration (files/directories are both read and written at runtime)
- Advantages
  - Less chance of binary corruption
  - Easy patching
Shared File Systems
- Use shared file systems for
  - Admin Server
  - JMS Persistent Stores
  - Application Deployments
  - Configuration Plans
  - Tlogs
- Advantages are
  - Easy Recovery of the admin server
  - Easy Recovery of the XA and JMS transactions
  - Required for Server Migration
Deployments
Deployment Guidelines
- Do not use Autodeploy for production environments
- Always deploy to a cluster even if you have a single MS
- Use deployment/configuration plans
- Simple approaches that work:
  - WLST (java weblogic.Deployer) (my preference)
  - Ant Scripts
  - Maven
- Restrict Admin/EM console for
  - Test / Lower environments
  - Adhoc support requests
Custom Application Deployments
- Deploy custom applications on shared storage
  - Applications are deployed as EAR files to servers or read as exploded directories. Place the archives in a shared directory such as $ORACLE_BASE/admin/shared/deploy
- In a shared services environment, applications should all be deployed as NOSTAGE
  - Admin server default is STAGE
  - Managed server default is NOSTAGE
  - In NOSTAGE, the application files reside in a location from which all cluster members can initiate a deployment (good for large or exploded applications)
Backups
Environment Backup – how often do we need it?
- The following lists some of the common scenarios in a typical deployment that require performing a backup
  - After WLS is installed and a domain is created
  - Before and after making configuration changes to a component or cluster
  - Prior to deploying a custom pure Java EE application
  - After any major architectural changes to deployment architecture
  - Before and after product binary files are patched or upgraded
- Important - Backup Embedded LDAP (Set it up through console)
- Scheduled backups on a nightly basis or as needed, or both
Typical Backup Schedule

| Component | Backup Schedule | Backup Type | Comments |
|---|---|---|---|
| Oracle system files | Monthly | Online | |
| JDK | Monthly | Online | |
| Middleware Home | Monthly | Online | |
| JMS file store | Never | - | Recreate if recovery needed. Data loss or inconsistency may occur |
| Transaction logs | Never | - | Recreate if recovery needed |
| SOA domain | Daily | Online | Online backups are good as long as no changes to the domain have been made. |
| Database | Daily | Online | |
Configuration File Backup
Configuration File Backup (contd)
Administration
BAU activities
- Starting and stopping a managed server
  - Don’t use both command line and console for an operation. Use one or the other so that the console reflects accurate server state
- User management
  - Prefer Enterprise AD or LDAP
- Patching/upgrading
  - Don’t install just because it was released and recommended by Oracle
- Node Manager facts
  - Not a must for every environment
  - Uses only default values unless server startup properties are defined
  - If the domain is not SSL enabled, there is no use having the NM encryption enabled
  - Use nmEnroll() to enroll new servers for Node Manager
Security
Enterprise Security Requirements
- Secure Servers
  - Prevent Direct access to
    - Web Tier
    - App Tier
    - DB Tier
  - Limit Services Exposed
  - Isolate Tiers
- Secure Services
  - Authorized users only
- Achieved by
  - Network Port restrictions
  - Access Management
Security Best Practices
- Control Access to OFMW Resources
  - Create a separate OS user for OFMW and limit access to $MW_HOME
  - Avoid running the server under a privileged account
  - If OHS needs to run on port 80, use sudo privileges to start
- Enable security auditing
- Use connection filters
  - Security roles and security policies protect WebLogic resources at the domain, application, and application-component level. Connection filters let you deny access at the network level.
- Prevent Denial of Service attacks
  - Configure “Message Timeout” less than default 60 seconds
  - Restrict the size of the message (default is 10MB)
  - Limit the maximum open sockets (if necessary)
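One way to check the "Control Access to OFMW Resources" items on a running host, as an added example that is not part of the original slides: it lists files under the middleware home that the dedicated account does not own or that grant any permission to "other", and flags WebLogic JVMs running as root. The function names, the script name and the sample process list are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the "separate OS user / limit access to $MW_HOME /
# no privileged account" items above. Function names are introduced here.

# not_owned_by DIR UID: list entries under DIR not owned by the dedicated account.
not_owned_by() {
    find "$1" ! -user "$2" -print
}

# open_to_others DIR: list entries that grant read, write or execute to "other".
# Symbolic links are skipped because their own mode bits are always open.
open_to_others() {
    find "$1" ! -type l \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -print
}

# close_to_others DIR: remove every permission bit for "other". Group bits are
# left alone, which keeps the shared installation group working.
close_to_others() {
    chmod -R o-rwx "$1"
}

# root_java_servers: reads `ps -eo user=,args=` output on stdin and prints the
# WebLogic server and Node Manager JVMs that run as root.
root_java_servers() {
    awk '$1 == "root" && /weblogic\.(Server|NodeManager)( |$)/'
}

# audit_home DIR UID: print findings; return 0 only when there are none.
audit_home() {
    ah_found=$(
        not_owned_by "$1" "$2" | sed 's/^/OWNER /'
        open_to_others "$1" | sed 's/^/OTHER /'
    )
    [ -z "$ah_found" ] && return 0
    printf '%s\n' "$ah_found"
    return 1
}

# Constructed sample of `ps -eo user=,args=` output (not captured from a real host).
SAMPLE_PS='oracle java -Dweblogic.Name=soa_server1 weblogic.Server
root java -Dweblogic.Name=AdminServer weblogic.Server
root /usr/sbin/sshd -D
oracle java weblogic.NodeManager -v'

# Usage: sh mw_home_audit.sh --audit "$MW_HOME" "$(id -u oracle)"
# ("oracle" stands for whatever dedicated account owns the installation)
if [ "${1:-}" = "--audit" ]; then
    rc=0
    audit_home "$2" "$3" || rc=1
    if ps -eo user=,args= | root_java_servers | grep -q .; then
        echo "ROOT  a WebLogic JVM is running as root"
        rc=1
    fi
    exit "$rc"
fi
```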
Security Best Practices
- Use Virtual Server names
  - Separate Internal and external traffic
    - Ex: blogint.raastech.com vs blog.raastech.com
  - Separate admin and application traffic
- Keep the DNS/VIP names application/function specific
  - Use separate Internal/External DNS entries
- Use Firewalls/Load balancers
  - SSL Termination
  - Expose Virtual Servers/Hosts
Console and EM Access through LB (Ex. F5 BIG IP)
- Create a filtering iRule on the BIG IP load balancer to disallow access to the WL Console and EM. If you are using any other load balancer device, create a custom ACL accordingly.
- For example, to create the filtering iRule:
  - On the Main tab, expand Local Traffic, then click iRules. The iRule screen opens.
  - In the upper right portion of the screen, click the Create button. The new iRule screen opens.
  - In the Name box, enter a name for your iRule. Ex: we can use oracle-soa-filter.
  - In the Definition section, copy and paste the following iRule:

    # Answer 403 for the WebLogic console and EM paths arriving at this virtual server
    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/console" } { HTTP::respond 403 content "<html><body><b>HTTP Error 403 - Forbidden</b></body></html>" }
        if { [HTTP::uri] starts_with "/em" } { HTTP::respond 403 content "<html><body><b>HTTP Error 403 - Forbidden</b></body></html>" }
    }
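A post-change check for the rule above, as an added example that is not part of the original slides: it requests the console and EM paths through the virtual server and expects 403, then requests one application path to confirm the rule does not block too much. The host name, the application path, the script name and the function names are placeholders chosen here.

```shell
#!/bin/sh
# Added example: confirm from the client side that the filtering iRule is in
# effect on a load-balancer virtual server.

# http_status URL: print the HTTP status code the URL answers with
# (curl prints 000 when no response arrives within 10 seconds).
http_status() {
    curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$1"
}

# verify_filter VIP_URL APP_PATH
#   VIP_URL   base URL of the virtual server, without a trailing slash
#   APP_PATH  a path that must stay reachable. The rule matches by prefix, so
#             an application whose context root begins with /em or /console
#             would also receive 403; this check surfaces that.
# The return code is the number of checks that failed.
verify_filter() {
    vf_failed=0
    for vf_path in /console /console/login/LoginForm.jsp /em /em/; do
        vf_code=$(http_status "$1$vf_path")
        if [ "$vf_code" = 403 ]; then
            echo "OK   $vf_path -> 403"
        else
            echo "FAIL $vf_path -> $vf_code (expected 403)"
            vf_failed=$((vf_failed + 1))
        fi
    done
    vf_code=$(http_status "$1$2")
    case "$vf_code" in
        403|000)
            echo "FAIL $2 -> $vf_code (application traffic is not getting through)"
            vf_failed=$((vf_failed + 1))
            ;;
        *)
            echo "OK   $2 -> $vf_code"
            ;;
    esac
    return "$vf_failed"
}

# Usage: sh lb_filter_check.sh --verify https://soa.example.com /soa-infra
# (host name and application path are placeholders)
if [ "${1:-}" = "--verify" ]; then
    verify_filter "$2" "$3"
    exit $?
fi
```

Run it against the external virtual server after every iRule or virtual-server change.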
Summary
Summary
- Plan your environment based on the key business factors
  - Functionality
  - Availability
  - Throughput
  - Future Growth / Easy Scaling
- Implement the best practices starting with lower environments
- Automate every task that can be automated
- Secure environments to avoid non-functional and human breaches
- All environments need to have a backup and Recovery plan
Q/A
Contact Information
- Arun Reddy
  Technical Director
  arun.reddy@raastech.com