why i don't use weblogic jms topics (article)
TRANSCRIPT
Winter 2014
Content-Enabling YourInsurance Business
Using Oracle BPM andWebCenter Content
ASM Metrics
Enforcing Principle ofLeast Privilege
Maturity of ServiceOriented Architectures
Future is now, ODI 12c
And more:18 authors, 17 articles,
4 ACE's, 6 ACEDirectors, ...
OTech Magazine: Bigger & BetterWhen in September the first issue of OTech Magazine cameout, I could not have dreamed about the things that wereabout to happen. I had set an initial target for myself of onethousand readers. And how conservative that turned out tobe. This initial goal was met within a matter of hours.
The first issue of OTech Magazine was released on TuesdaySeptember 24 2013. During the heat of Oracle OpenWorldthe magazine created a rush. The initial goal of 1 thousandhits on the magazine was reached within hours. In the firstweek the magazine was viewed over 16 thousand times.After a month we had 21 thousand hits on the magazine andcounting. The total views after initial release of the magazineis over 25 thousand. The peak of the hits on the magazinewas during the first week after release, creating a massive13542 hits on the Thursday after publication.
With these numbers it was time to start looking at this – nolonger an innocent hobby – as a more and more professionalventure.
So here we are. With the help from dozens of friends,relatives, pals and some of the finest Oracle-folks in theworld we created an even bigger (and I really do think) betterissue of the magazine. And it’s an issue that we all (yes youtoo as a reader of this) can be very proud of. Every singleperson who helped with this magazine did it in his or herown valuable time. And look at the result:
- 136 pages of pure Oracle technology knowledge- 18 hard working authors, the best in their field- 4 Oracle ACE’s, 6 ACE Directors
This magazine – that started off as just a way to have somefun – is turning into something magical: it might even turnout to become the Oracle-glossy. Not some fancy-schmancything that’s all nice pictures and only marketing, butsomething real. Something that you and I would like to readwhen we have a spare moment. Just to put you feet on thetable and read a bit about real insight knowledge about ourfield of work.
Enjoy. I know I did.Cheers!
Douwe Pieter van den Bos
Foreword
SOA Made Simple: choosing the right SOA and BPM Suitecomponent based on classificationRonald van Luttikhuizen – Vennster
Tips and tricks for installing and maintaining FMWproductsPeter Lorenzen – CGI
Enforcing Principle of Least PrivilegeBiju Thomas – OneNeck IT Solutions
An Introduction to Design Considerations for a HighlyAvailable Oracle Access Manager DeploymentRobert Honeyman - Honeyman IT Consulting
Oracle WebCenter Experts Complete the IT PuzzleTroy Allen – TekStream
Maturity of Service Oriented ArchitecturesDouwe Pieter van den Bos - Ome-B.nl Creative Software Solutions
The World According to Oracle: Oracle OpenWorld 2013and beyondLucas Jellema – AMIS
From Requirements to Tool ChoiceSten Vesterli - Scott/Tiger
NoSQL and OracleJames Anthony - e-DBA
Case Management or Business Process Management?Lonneke Dikmans – Vennster
OTech Contents
Enterprise Deployment of Oracle Fusion MiddlewareProducts, Part 1Simon Haslam - Veriton Ltd
Data Security in Case ManagementMarcel van de Glind & Aldo Schaap – AMIS
Oracle Business Intelligence and Essbase Together: Youdon’t know what you don’t know…Neil Sellers - Qubix International Ltd
Why I Don’t Use WebLogic JMS TopicsAhmed Aboulnaga – Raastech
ASM MetricsBertrand Drouvot
Future is now, ODI 12cGurcan Orhan, Global Maksimum
Content-Enabling Your Insurance Business using OracleBPM and WebCenter ContentRaoul Miller – TEAM informatics
Information page
OTech Contents
SOA Made Simple: choosing the right SOAand BPM Suite component based onclassificationRonald van Luttikhuizen - Vennster
Organizations that have just started their SOA effort usuallyonly have a couple of services in place. Services arediscovered in a process that is called “service identification”.Services are either identified ‘top down’ based on thebusiness processes and the to-be architecture or top-downby projects based on the services needed at that moment.Service identification is usually an iterativeapproach, so after a number of iterations you’llhave dozens of services.
Is it hard for clients to find the services they need?Does it take too long to answer specific questionsfrom stakeholders such as security officers and IToperations about the services in your organization?Is it difficult to make consistent choices on thedesign and implementation of services? If so, youmight benefit from creating a service classification.
What is a service classification and why use it?Different stakeholders need different informationabout the services in your organization, such as:
• The functionality that is offered by the service (serviceconsumers);• Channels through which the service can be accessed(service consumers, security officer);• Contract and interface of the service (service consumers,service providers);
• Technology used to implement the service (serviceproviders: software architects, developers, operations);• Security constraints and measures such as authentication(service consumers, service providers, security officer);• Visibility of the service to the outside world (serviceproviders, security officer).
At some point it will become unmanageable to list allmetadata in big documents. We need to be able to focus oncertain aspects of a service, and leave other criteria out.Basically, we create a certain viewpoint or filter on ourservices. This is called a classification.
Figure 1: Criteria to use for your classification
Service Oriented Architecture
Classification for service producersThere is no one, true service classification. Differentstakeholders have different requirements and need to knowdifferent things about the services. It is very well possiblethat you need to create and maintain several classifications.
Arguably, (future) consumers of your services are the mostimportant stakeholders to consider. Without use, we can justas well discard a service. Consumers need to know whatfunctionality services offer, if they are allowed to use aservice and under what conditions, and should be able toeasily search for services. An example of a serviceclassification for consumers would be a matrix with thefunctional domains of your organization (HR, CRM, Finance,etc.) on one hand and the accessibility of the service (private,internal use, external use) on the other hand. Such aclassification is often used in a Service Registry in whichconsumers can search for existing services to use.
Although valid for service consumers, classification is alsovery useful when you are designing, building, andmaintaining services. The following classification that isbased on granularity and the ability of services to becombined into larger services is proposed for thesestakeholders. This article shows you how this classificationcan be used to pick the right SOA and BPM Suite componentwhen building services.
Figuur 2: Service Classification based on Granularity and Composition
Service Oriented Architecture
Elementary services are the smallest possible building blocksthat still provide value on their own. They are typically shortrunning. Examples are a ClaimDataService used by aninsurance company for storing claim metadata and aDocumentService used to store and retrieve documents.Composite services are created when a particularcombination of services is reoccurring. Theseservices combine several associated actionsin one transaction. An example is aClaimService used by an insurance companyto both register the claim metadata usingthe ClaimDataService and to store theassociated documents using theDocumentService as one operation. Processservices are longer running services that arecreated by combining elementary andcomposite services and often have a humanstep associated with them to handleexceptions or certain specific tasks. Anexample is a ClaimToPaymentService thathandles a claim from start to end; this bothinvolves human and automated steps.
This classification appeals to designers anddevelopers since combining components inlarger objects is a natural way of thinking fordesigners and developers and guidelinesand implementation choices differ betweenthese service types.
Figure 3: Examples of elementary, composite, and process services
Service Oriented Architecture
Classifying to know what OracleFusion Middleware product to useOracle Fusion Middleware is acomprehensive stack and consists ofvarious products and suites. Thefollowing products are especiallyinteresting from a SOA point-of-view:
• Oracle Service Bus (OSB): Oracle’sstrategic Enterprise Service Bus thatcan be used for protocoltransformation (e.g. RMI to SOAP),data transformation, securing ofservices based on policies,virtualization of the underlyingservice implementation, integrationvarious components into services,and so on.• Oracle SOA Suite: a platform thatlets you combine building blocks suchas Business Rules, BPEL components,Human Workflow, and so on intocomposite applications that are calledSOA composites. The SOA Suite usesthe SCA standard to create SOAcomposites.• Oracle BPM Suite: an extension to SOA Suite that providesBPMN and Adaptive Case Management capabilities toorchestrate activities in to processes.
The big question is: what product to use in what scenario?This choice can have a big impact on the overall quality of thesolution you’re building with it. The following diagram showshow the classification is mapped to the various products.
Figure 4: Oracle Fusion Middleware
Service Oriented Architecture
Figure 5: Mapping of Fusion Middleware onto Service Classification
A service is a capability; in SOA everything isconsidered a service. A service consists of threecomponents: an interface (how the service can beused and accessed), an implementation (how theservice is realized) and a contract (what consumerscan expect from a service and under whatconditions they can use the service). In case of theDocumentService that we discussed earlier, theimplementation could be an off-the-shelf DocumentManagement System, the interface a SOAP WebService described by a WSDL and XSDs, and thecontract an SLA defining the cost of usage,availability, owner, response time, and so on. The remainderof the article will discuss what product to choose for theimplementation of services, and what product to use foraccessing the service; or exposing its interface.
Implementation of Elementary ServicesIn IT, the implementation can be anything: whether it is apackaged application such as Oracle EBS and Oracle FusionApplications, or custom-built software using Java, PL/SQL,Oracle SOA Suite, or OSB.
Figure 6: Example of a simple calculation Web Service implemented in Java (J-WS)
Service Oriented Architecture
Important considerations when choosing Oracle SOA Suite orOSB as implementation platform for elementary services:
• Don’t use Oracle BPEL or OSB as general purposeprogramming language for elementary services. Programlogic such as calculations or a high degree of conditionalstatements are better suited for imperative programminglanguages such as Java or PL/SQL. SOA Suite offers you thecapability to include Java logic in SOA Composites as Springcomponents.
• You can expose any component of SOA Suite as a service bywrapping it in a SOA Composite of its own. For example,Business Rules and Human Workflow are components thatare often used from other components such as BPEL, BPMN,and Case Management and packaged together with thesecomponents into SOA Composites. However, on their ownthey can also provide added value and be exposed andpackaged independently as SOA Composite using SOA Suite.
Figure 7: Example of a service that is implemented using SOA Suite (BPEL,Mediator, and Business Rule)
This article is basedon SOA Made Simplebook by LonnekeDikmans and Ronaldvan Luttikhuizen:
http://www.packtpub.com/service-oriented-architecture-made-simple/book.
Service Oriented Architecture
Implementation of Composite ServicesComposition is the combination of several smaller servicesinto a larger service that offers more added value. When wecombine only a few services in a straight-forward fashion(e.g. sequentially invoke service operation A followed by theinvocation of service operation B) we call this aggregation.When the composition is more complex and involves moreconditional logic, we use the term orchestration.
• Use BPEL, which is part of SOA Suite, for orchestration.• Use OSB for simple aggregation flows only. Transformationand routing logic in OSB flows becomes cluttered and hardto maintain if it gets to wieldy .
Figure 8: Putting too much (complex) composition logic into OSB results incluttered flows
Figure 9: Implementation of a Composite Service operation in BPEL
SOA Suite has more components available than OSB thatcan be used to implement the composition logic. Forexample the use of Domain-Value Maps (DVM) to mapvarious data elements onto each other, and the use ofBusiness Rules to encapsulate fast changing logic. BusinessRules as well as DVMs can be changed at runtime withoutthe need for software modifications which provides greaterflexibility. While SOA Suite offers more functionality, OSB ismore light-weight and performs better for simple servicesthat process large amounts of messages.
Service Oriented Architecture
By default the operations of a service are implemented inone message flow diagram in OSB (Proxy Service). Thatmeans that if a composite service has several operations,each containing a complex composition, the message flowbecomes very cluttered. You could create a separate ProxyService for every operation but that results in overhead. InSOA Suite you can easily use a Mediator component thatredirects every service operation invocation to its own BPELcomponent. The BPEL editor only shows the flow for oneoperation as opposed to showing the flows for everyoperation. Implementation of Process Services.
For the implementation of longer running services FusionMiddleware offers several choices:
• Use Adaptive Case Management when there are manydifferent variations in the process flow. This is the case withknowledge-driven processes in which users determine thenext action in the process as it progresses. Adaptive CaseManagement was added to the BPM Suite in 11g PS 6.• For deterministic processes such as invoice processing inwhich efficiency is important, you can either choose BPMN(BPM Suite) or BPEL. BPEL is a more technical and rigidnotation, while BPMN is better suited for process modellingby business analysts on a higher level and provides moreflexibility.
Figure 10: Difference between BPMN (upper) notation and BPEL (lower)
A best-practice for services, independent of their type, is tohave guidelines in place for the size of messages you allow inOSB or SOA Suite. Small messages can be inline, largermessages should be sent as an attachment, and bigmessages should be handled with a claim check pattern. Theactual handling of such large file is best left to tools that arebetter suited for this like FTP servers, ODI, or the upcomingOracle Managed File Transfer product.
Publishing the interfacesSo far you have seen what product to use for theimplementation of different types of services. Besides thetechnology to build services, we also need to know howservice consumers will access the capabilities of the services.
Service Oriented Architecture
There are several choices toexpose services to the outsideworld:• Expose serviceimplementations by using theirproprietary interface. This isoften the product or technologyin which the service was build.For example, you can expose aPL/SQL package and use that asthe interface or use RMI toexpose Java components.• Expose the service implementations by using a standardinterface such as a SOAP Web Service or REST service. Youcan for example use JAX-WS to expose Java components asSOAP or REST services or use Oracle JCA adapters totransform a (proprietary) technology to a standard interface.Note that Oracle offers various JCA adapters for RelationalDatabases, JMS, File, FTP, AQ, MQ, and so on that are built onthe Java JCA standard and expose those technologies asSOAP Web Services. These JCA adapters are deployed onOracle WebLogic Server and can be invoked from both OSBand SOA Suite.• Use an Enterprise Service Bus like OSB as a central platformto expose your services to the outside world.The latter approach increases the flexibility of your services.Changes in the service implementations can be mediated inthe OSB. You can use it as a platform for versioning ofservices, content-based routing to the appropriate serviceimplementation, transformation from a canonical dataformat to a local data format, protocol transformation,applying security measures that are defined in your servicecontracts, and so on.
Figure 11: Exposing a service using Oracle ServiceBus
SummaryOracle offers a number of componentsthat are part of the SOA and BPMSuite. A technical service classificationhelps you decide which of thesecomponent to use for theimplementation and interfaces of yourservices in what scenario. It is a goodpractice to create service classifications
as part of your SOA governance. Create classifications basedon the needs of your stakeholders.
Ronald van LuttikhuizenVennster
Service Oriented Architecture
Tips and tricks for installing andmaintaining FMW productsPeter Lorenzen - CGI
IntroductionThe purpose of this article is to provide an overview ofinformation that I feel is important to know when you installand maintain Oracle Fusion Middleware (FMW) products.
DocumentationOracle has lots of FMW documentation and locating the rightone can be a challenge.
Getting startedThe best place to start is with the “FMW Download,Installation, and Configuration Readme Files“(http://goo.gl/GygKSP). There is a readme file for each FMWrelease.
The readme file will lead you to the rest of thedocumentation. It will help you locate the right software aswell as install and configure FMW.
It is highly recommended to read the following manuals:• Fusion Middleware System Requirements andSpecifications (http://goo.gl/gOcMpS)• FMW Installation Planning Guide (11g)(http://goo.gl/QR7dZJ)• Installing and Configuring the FMW Infrastructure (12c)(http://goo.gl/J4xnZq)
Product installation guidesEach FMW product has its own installation guide. Make sureyou read these in detail, since some of them have uniqueinformation. There are for example, important differencesbetween Java Components and System Components(http://goo.gl/NaEW5n). By the way, please note that themanagement of System Components has changedsignificantly between FWM 11g and 12c, as OPMN has beenreplaced with Node Manager (http://goo.gl/xPUZBz).
Release NotesAll products have Release Notes. They contain informationabout what to do when the software is not working, asexpected. The Release Notes are part of the documentationlibrary for the product. The Release Notes are updatedperiodically, so it is a good idea to check them regu-larly.
There is also a Known Issues list, for some products. This isnot part of the documentation li-brary and can sometimes bereferred to as Release Notes. An example is the “KnownIssues for Oracle SOA Products and Oracle AIA FoundationPack” (http://goo.gl/E1jBHL). It lists known issues for BAM,BPEL, OSB, SOA, BPM Suite etc.
I assume that the reason for the two “Release Notes” is thatthere are many known issues and it is easier to maintain thislist than the documentation library.
The Release Notes can sometimes list patches that should beinstalled. An example is the OSB 11.1.1.7 that lists fourrequired WebLogic Server patches.
Oracle Fusion Middleware
Repository Creation UtilityMany FMW products require a repository in a database. Youcannot just use any database or any Oracle database. Someof the products have very specific requirements for theconfigura-tion of the database. Sometimes the RepositoryCreation Utility (RCU) will complain about a missingrequirement, but this can be ignored for someproducts. It is therefore a good idea to read theRCU documentation:• Creating Schemas with the Repository CreationUtility (12c) (http://goo.gl/GFt89w)• FMW Repository Creation Utility User's Guide(11g) (http://goo.gl/rYS7SY)
Downloading softwareOracle has three different locations fordownloading software.
Oracle Technology Network (OTN)At the OTN site, you can download most OracleFMW software for free. Although you do nothave to pay to download the software, it is not free to use!You can use the software while doing a proof of concept ordeveloping a new application. As soon as you go intoproduction, how-ever, proper licensing is required for all thesoftware used, including environments used formaintenance and the development of new releases, etc. Thisis also true for software installed on developers laptops.
Make sure that you understand the OTN Developer License(http://goo.gl/He919f) before down-loading software formOTN.
There is another license model - the OTN Free DeveloperLicense (http://goo.gl/1CUW97). It only covers the WebLogicServer. It allows a single developer to use the WebLogicServer for free, also after going into production. This is nice,but the license only covers WebLogic, there is no OSB, SOASuite etc. Therefore, it is only for pure Java applications.
Oracle Software Delivery CloudThe http://edelivery.oracle.com sitehas existed for some time, and isnow not surprisingly a cloudservice.When you download software fromthe site, you acknowledge that youhave already obtained a validlicense or that the 30 day OracleSoftware Delivery Cloud TrialLicense is used.You are not required to use the siteand as long as you have yourlicenses in order, it does not matterfrom which site you get the
software. I normally use OTN for everything.
My Oracle Support (MOS)You need a valid support agreement to access the MOS site.From MOS you can download patches, updates and otherfixes.
OTN and Edelivery only contain the latest releases of aproduct. If you need an older release or legacy software fromone of Oracle’s acquisitions, it is necessary to create a MOSService Re-quest in order to obtain a download link.
Oracle Fusion Middleware
“Location, Location, Location”When you install FMW you should follow a strict standard ofdirectory naming.This is what I normally do:• Oracle Base/u01/app/oracle• Products /u01/app/oracle/products• Domains /u01/app/oracle/domains
The products directory contains the software installationsand the Oracle Homes. The domains directory contains thedomain homes, with all the configuration data.
For example:•MW_HOME /u01/app/oracle/products/wls1212• DOMAIN_HOME /u01/app/oracle/domains/myDomain
Whatever you do, make sure you do not keep your domainsunder the Middleware Home. It makes good sense to keepbinaries and configurations separate, as you can run intoproblems when you have to upgrade to a new major FMWversion in the future.
The only exception is Portal, Forms, Reports and Discoverer,where the domains must be under the Middleware Home.Otherwise the software will not work! For example:/u01/app/oracle/product/pfrd11.1/user_projects/myDomain
Hopefully this will be fixed in a coming release.
If you keep the domains separate from the software, you canharden your installation, by having a special OS user thatowns the software installation. Another user will own thedomain home and will only be granted read and execute
rights to the software.
In WebLogic 12.1.2 this works without any problems, but inprevious releases the Node Man-ager configuration and logfiles were located under the Middleware home. Therefore,you need to move the node manager configuration files andchange the configuration, so the log files are written to adifferent location.
Remember to check out Oracles recommendations forselecting directories:http://goo.gl/vxdy4x
Oracle Fusion Middleware
JavaThese days you have to reinstall Java at least every quarter,because of security patches and new releases. Here are twotips that can make life a bit easier.
Soft linksSince the Java installation is referenced in several files underthe Middleware home and the domain homes, you need tochange these references every time you install a newrelease. It is easy to create a script that does this, but I preferto create a soft link to the current Java installa-tion andreference this everywhere.
# Java Home/u01/app/oracle/product/jdk1.7.0_45
# Create soft linkcd /u01/app/oracle/productln -s jdk1.7.0_45 java_current
/u01/app/oracle/product/java_current now pointsto /u01/app/oracle/product/jdk1.7.0_45.
It is not a perfect solution, as some programs will use thereal location when they access the soft link, which can getyou into trouble now and then.
You can do the same on Windows with symlinks.
@REM Java HomeD:\oracle\product\jdk1.7.0_45
@REM Create symlinkcd D:\oracle\productmklink /d java_current jdk1.7.0_45
D:\oracle\product\java_current now points toD:\oracle\product\jdk1.7.0_45.
Whatever you do, please make sure you always remove theold Java installation. I have experi-enced situations wherecustomers were using an old Java installation because theyhad forgot-ten to change the references to the old.
cacertsWhen you install Java, it contains a default keystore calledcacerts. If you use this, you must remember to copy it to thenew Java installations every time you reinstall. This is boundto go wrong and you will have to spend time figuring outwhy. Never use cacerts, but instead use a custom keystore.
Oracle Fusion Middleware
“Less is more”You should always install as little aspossible. This goes for the OS, thedatabase, FMW etc. Maintenance iseasier and security is better. Do notinstall products, options,demos/examples etc. that you do notneed.
When you create a WebLogic domain,you should select as few products aspossible. If you select all possibleproducts, you might even end up in asituation where a domain does notwork. Some products conflict and thedomain wizard does not warn youabout this. For example, the SOASuite conflicts with the SIP Server (http://goo.gl/MFU0qA).
It can be a bit difficult to figure out which product to selectwhen creating a domain. The Domain Template Reference(http://goo.gl/2m3Xjy) will be of some help.
“Silence is golden”Installing everything manually is fine as long as you onlyhave a couple of environments, but as soon as you havemore, it will be difficult to ensure that the environments areidentical. If they are not identical, there is a good chance thatdevelopers, testers etc. will run into problems, because ofsmall discrepancies.
To maximize predictability in your environments, you canscript everything. Oracle has tools that will enable silent
installation, scripted domaincreation and deployment.
Here is an example of a silentinstallation and scripted domaincreation of the OSB 11.1.1.6 onRed Hat 6:http://theheat.dk/blog/?p=771
You can use the Oracle WebLogicScripting Tool (WLST) to createdata sources, JMS queues etc.This blog post contains a WLSTscript for creating a data source:http://theheat.dk/blog/?p=1467
You can deploy applications viaWLST both online and offline. For more information, checkthe documentation (http://goo.gl/2Ivt5G).
The WebLogic server, of course, also supports ant andmaven.
It is a good idea to use scripted deployment for allenvironments. Make sure scripts are continu-ously createdand maintained from the start of a project. It should be acontinuous process and not done at the last minute.
Oracle Fusion Middleware
Configuration File ArchivingYou can configure the WebLogic Server to make a backup ofthe configuration whenever you change it. The configurationfiles live in the DOMAIN_HOME/config directory and itssubdirecto-ries.
If you enable Configuration Archiving, all the configurationfiles will be stored in a jar file every time a change isactivated.
The jar files are placed in the DOMAIN_HOME/configArchivedirectory.
When the Archive Configuration Count limit is reached, theoldest file is overwritten.
I consider it best practice to use Configuration File Archiving.The files do not take up much space and they can provideyou with valuable information about changes you might notbe aware of.
For more details read this blog post:http://theheat.dk/blog/?p=1385
Entropy problems on Linux serversI install WebLogic on many new servers and have frequentlyencountered problems because of low entropy. Thesymptom is that it takes a long time for a WebLogic server tostart. The CPU has no load and the log files do not reveal anyproblems. It can also happen when you start the NodeManager for the first time. I once waited 10 minutes for theNode Manager to start on a powerful blade server, withnothing else running. It happens both for physical and virtualservers.
It is one of the things that can be both puzzling andfrustrating until you find out what is going on.
The problem is with the way random numbers arecalculated. It is not a FMW problem, but a Linux problem. Ioften meet people who do not know about this, so if you useLinux you might want to have a look at the details and theworkarounds in this blog post:http://theheat.dk/blog/?p=1539
Error Correction Support PoliesIn my experience, most people know about Oracle LifetimeSupport. An Oracle product gener-ally moves through threedifferent support stages: Premier (5 years) > Extended (3years) > Sustaining (perpetual). Each stage has differentbenefits, and there are fewer and fewer bene-fits as youmove to Extended and Sustaining, and at the same time theprice goes up.
Oracle Fusion Middleware
What is not so well known, is that this is not the whole story.If we look at the WebLogic Server 11g aka. 10.3.x, it is inPremier Support until December 2018. The latest Patch Set is10.3.6, so if you use 10.3.6 you are OK for some years. Butwhat if you use 10.3.5? If you look in the Criti-cal PatchUpdate (CPU) from October 2013:“Patch Set Update and Critical Patch Update October 2013Availability Document (Doc ID 1571391.1)”
In the “Final Patch History” section you will see that July 2013was the final CPU for WebLogic Server 10.3.5. Even thoughWebLogic Server 11g is supported for years, CPUs etc. areonly available if you are running the latest Patch Set e.g.10.3.6. This is governed by the Oracles Error CorrectionSupport Policy (ECP). The ECP states that when a new PatchSet is released, Oracle will only deliver error corrections tothe previous Patch Set within a certain grace period.
The grace period is to provide the customer with time to planand apply the Patch Set:“Grace Period: up to 1 year for first patch set (minimum 3months), and up to 2 years for sec-ond and subsequentpatch sets.”
This means, that if you use WebLogic Server 10.3.5 you havesupport, but Oracle will not make any new patches, leavingyou in a vulnerable situation.
It is my experience that the ECP is often forgotten. Make surethat your customers are aware of the benefits of installingthe latest Patch Sets and understand the risks of not doingso.
You can find lists of the ECP grace periods on MOS.
For more information, check this blog post:http://theheat.dk/blog/?p=1753
PatchingA big part of installing and maintaining FMW is tocontinuously apply the right patches.To do this you need to know the terminology and thedifferent kind of patches Oracle supplies.
Security patchesEach quarter Oracle releases security updates. The patchprogram is called Critical Patch Up-date (CPU). It includes allOracle products including Java. Java was added with theOctober 2013 CPU.
In the beginning the patches released by the CPU programwere also called CPU patches, but from October 2012 thename was changed to Security Patch Updates (SPU). Theprogram is still called CPU, but the patches are called SPUpatches.
A SPU patch is a cumulative patch consisting of security fixes.
Oracle announces the release dates for the CPUs around ayear in advance.
Sometimes Oracle will release one-off security patches ifparticularly nasty bugs are found. It does not happen often,and as far as I can recall there have not been any in 2013.
Proactive patches
Oracle Fusion Middleware
Oracle releases proactive patches on the same quarterlyschedule as CPU patches. Proactive patches come in threeflavors.
Patch Set Updates (PSU)For some products the SPU patches have been replaced withPatch Set Updates (PSU). This is true for the database andthe WebLogic server. You can see the full product list in:“Patch Set Updates for Oracle Products (Doc ID 854428.1)”.
A PSU patch is a cumulative patch consisting of security fixesand other stabilizing changes. It is a SPU plus other non-security related changes. No enhancements are included.
Bundle Patches (BP)BPs are cumulative patches that are issued between patchsets. They usually only include bug fixes, but may containminor enhancements. For example, the OSB 11.1.1.6currently has two BPs and the SOA Suite 11.1.1.7 has one.
You can find a list of all FMW BPs and PSUs here:“Master Note on Fusion Middleware Proactive Patching –Patch Set Updates (PSUs) and Bun-dle Patches (BPs) (Doc ID1494151.1)”
Suite Bundle Patches (SBP)A SBP is a collection of product BPs for a suite. For example,an Oracle Identity Management SBP consists of OAM, OAAM,and OIM BPs.
Version numbersWhen you apply a proactive patch, the fifth number in theproduct version is incremented.
Here is a WebLogic server 10.3.6 with the October PSU:./u01/app/oracle/product/wls103/wlserver_10.3/server/bin/setWLSEnv.shjava weblogic.version
WebLogic Server 10.3.6.0.6 PSU Patch forBUG17071663 Tue OCT 02 13:01:30 IST 2013WebLogic Server 10.3.6.0 Tue Nov 15 08:52:36PST 2011 1441050
ConflictsSince SPU/PSU patches are cumulative, they will conflict witheach other, so you will need to remove older SPU/PSUpatches before applying new ones.
Oracle Fusion Middleware
Overlay patchesSometimes you need to install one-off patches that are notincluded in the proactive patches. These patches are nowcalled interim patches.
If a proactive patch makes changes to the same code as aninterim patch, they will conflict. If they do, you need a newversion of the interim patch that matches the versionnumber of the proactive patch. These are called overlaypatches.
If no overlay patch exists for an interim patch, you canrequest that Oracle creates one.
Conflict resolutionResolving conflicts can be difficult. The following MOS notehas a section called “PSUs and Patch Conflict Resolution” thatcan help you:“Announcing Oracle WebLogic Server PSUs (Patch SetUpdates) (Doc ID 1306505.1)”
Here is an example I recently encountered. The latest releaseof the WebLogic Portal is 10.3.6. Currently no security or
proactive patches exist for the Portal, but you can installWebLogic PSU patches. However, when you try to apply thelatest PSU you get an error:
Conflict condition details follow:Patch BYJ1 is mutually exclusive and cannotcoexist with patch(es): CYXN
CYXN is a fix for the 13000612 bug. If you check:“Oracle WebLogic Server Patch Set Update 10.3.6.0.6 FixedBugs List (Doc ID 1589769.1)”
You will see that the fix for this bug was included in the first10.3.6 PSU (10.3.6.0.1). This means you can remove the CYXNpatch as it was already included in the latest PSU.
MOS Recommended Patch AdvisorIt can be difficult to figure out which patches to install. Oraclehas tried to help with the Recom-mended Patch Advisor onMOS. It is a work-in-progress initiative. I have not used itmuch yet, but it seems to be working fine.
Oracle Fusion Middleware
Keep currentIt is not an easy job to keep an FMW installation updated andsecure. Things are moving fast and if you are not up-to-dateand proactive, you can run into problems.
A current example is the Java 7 update 51 that will bereleased in January 2014. If an Oracle Forms installation isnot patched before the update is installed on the clients, itwill break Forms.
For more details, check this blog post:http://theheat.dk/blog/?p=1681
Unfortunately, there is no silver bullet for staying current,but the list below will help you.
Critical Patch Update Alert E-mailsSign up for Oracles CPU Alert e-mails. Oracle will inform youwhen a new CPU has been re-leased. You will also get anemail if Oracle releases one-off security patches.
MOS information centersCheck the product specific information centers on MOS:• OSB (Doc ID 1293368.2)• SOA Suite 11g (Doc ID 1369339.2)• Weblogic Server Patching & Maintenance InformationCenter (Doc ID 1573509.2)• …
Master Note on FMW Proactive Patching – PSUs and BPs (DocID 1494151.1)Make sure you check this MOS note, it contains a list of allFMW PSUs and BPs.
Blogs, Twitter etc.I follow many blogs and read a lot of tweets to keep up.
Wrap upIn this article, I have collected an overview of various subjectsI believe you should be aware of as an FMW administrator.The subjects are broad and encompass various issues thatcan be hard to come by if you are new to FWMadministration.
If you have, questions or comments please feel free to dropby - http://theheat.dk or https://twitter.com/theheatDK.
Peter LorenzenCGI Denmark
Oracle Fusion Middleware
Enforcing Principle of Least PrivilegeBiju Thomas - OneNeck IT Solutions
One of the top features of Oracle Database 12c thatattracted me is the ability to enforce principle of leastprivilege with ease. Ever since database vendors startedtaking security seriously, the principle of least privilegetheory is in play. To identify the privileges required by anapplication or user in Oracle database versions prior 12c wasa tedious trial and error process. Many applications I havecome across run with DBA or DBA like privileges, this isbecause no privilege analysis done at application design anddevelopment time. For application design and developmentteam the focus is always on getting the development workcompleted and delivering the project. Security, especiallyleast privilege, is not a focus item where team wants tospend time. It is easy to grant system privileges (especiallyDBA or ANY privileges like INSERT ANY TABLE) to get theapplication working.
Oracle Database 12c brings the Privilege Analysis feature toclearly identify the privileges required by an application forits functioning and tells the DBA which privileges can berevoked, to enforce the principle of least privilege and makethe database and application more secure. Privilege analysisfeature is available only in Enterprise Edition and it requiresDatabase Vault license, which is an extra cost option. Thegood thing is that Database Vault need not be enabled to usePrivilege Analysis - one less thing to worry.
In a nutshell, privilege analysis works as below:- Define a capture - to identify what need to be analyzed- Enable the capture, to start capturing- Run the application or utility whose privilege need to beanalyzed- Disable the capture- Generate results from capture for review- Implement the results, from the findings
I will explain the steps using SQL command line as well asusing Enterprise Manager Cloud Control 12c. To do theprivilege analysis you need the CAPTURE_ADMIN role, thisrole is granted to DBA role, so if you have DBA privileges onthe 12c database, you can perform the analysis.
Figure 1: Privilege Analysis
Oracle Database Security
Demo EnvironmentFor demonstration purposes I am going to use the OEschema that comes with Oracle Database 12c examples - ithas 14 tables and several other objects. We want to analyzethe privileges of OE_ADM user who currently has thefollowing privileges.
- SELECT ANY TABLE- INSERT ANY TABLE- UPDATE ANY TABLE- DELETE ANY TABLE- ALTER ANY TRIGGER- CREATE PROCEDURE- CREATE TABLE- CREATE SYNONYM- CREATE ANY INDEX- ALL privs on ORDERS and ORDER_ITEMS tables- CONNECT and DBA Roles
SQL> select object_type, count(*) from dba_objectswhere owner = 'OE' group by object_type;
OBJECT_TYPE COUNT(*)----------------------- ----------SEQUENCE 1LOB 15TYPE BODY 3TRIGGER 4TABLE 14INDEX 48SYNONYM 6VIEW 13
FUNCTION 1TYPE 37
OE_ADM user connects using SQL*Developer to run thescripts and reports. Our objective is to remove the ANYprivileges from OE_ADM user and grant appropriateprivileges based on the tasks performed during the analysisperiod.
New package DBMS_PRIVILEGE_CAPTURE has thesubprograms to manage the privilege analysis. TheCAPTURE_ADMIN role has execute privilege on thispackage.
Define and Start CaptureThe very first step in privilege analysis is to create a capture,to define what actions need to be monitored. Four types ofanalysis can be defined in the capture:
- Database (G_DATABASE - 1): If no condition is defined,analyzes used privilege on all objects within the wholedatabase. No condition or roles parameter specified for thistype of capture.- Role (G_ROLE - 2): Analyses privileges exercised through arole. Specify the roles to analyze using the ROLES parameter.- Context (G_CONTEXT - 3): Use this to analyze privileges thatare used through an application module or specific context.Specify a CONDITION to analyze- Role and Context (G_ROLE_AND_CONTEXT - 4): Combinationof role and context.
Oracle Database Security
The CREATE_CAPTURE subprogram is used to define thecapture. For our demo, we want to use the Role and Context,because we want to know what privilege from the DBA role isbeing used as well as what other privileges granted toOE_ADM are used when the application used is “SQLDeveloper”.
Figure 2: OEM Screen to Create a Privilege Analysis Policy
Figure 2 shows the OEM screen to create a capture policy.With few clicks you can easily create the policy. Based on thecontext additional input is captured.
The SQL to define the policy as shown in Figure 2 is:
BEGINDBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(name => 'Analyze_OE_ADM' ,description => 'Review Privileges used by
OE_ADM through SQL Developer' ,type =>
DBMS_PRIVILEGE_CAPTURE.G_ROLE_AND_CONTEXT ,roles => ROLE_NAME_LIST('DBA','CONNECT') ,condition => 'SYS_CONTEXT(''USERENV'',
''MODULE'') = ''SQL Developer'' ANDSYS_CONTEXT(''USERENV'', ''SESSION_USER'') =''OE_ADM''');END;/
Oracle Database Security
Once the policy is defined, it shows up in the OEM PrivilegeAnalysis main screen, from where you can enable, disable,generate report and drop the policy. See figure 3.
Figure 3: Privilege Analysis screen of OEM
You can click on the start button to start capture, oruse the below SQL to start the capture.
EXECUTEDBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE (name =>'Analyze_OE_ADM');
Now run the application and for a period of time, so thatOracle can capture all the privileges used.
Stop Capture and Generate ReportsOk, now that OE_ADM user has performed their tasks usingSQL Developer, let us stop the capture and review theprivileges used.
EXECUTE DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE(name => 'Analyze_OE_ADM');
Using OEM you can click on the Stop Capture button asshown in Figure 3. Now click the Generate Report button.Using SQL you can accomplish this by :
EXECUTE DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT(name => 'Analyze_OE_ADM');
OEM shows the number of unused privileges in the summaryscreen as shown in figure 4.
Figure 4: unused privileges
Once you run the Generate Results procedure, all theDBA_USED_ views as well as DBA_UNUSED_ views arepopulated. You may query these views to generate revokescripts or to prepare reports. The DBA_USED_ views show theprivileges used by the user for the policy. The DBA_UNUSED_views show the privileges that are assigned to the user, butare not used. The _PATH views show the privilege path (howthe privileged was given to the user, through which role).
Oracle Database Security
Capture Privilege - DBA Views Populated with GenerateResults Procedure
DBA_USED_OBJPRIVSDBA_USED_OBJPRIVS_PATHDBA_USED_PRIVSDBA_USED_PUBPRIVSDBA_USED_SYSPRIVSDBA_USED_SYSPRIVS_PATHDBA_USED_USERPRIVSDBA_USED_USERPRIVS_PATHDBA_UNUSED_COL_TABSDBA_UNUSED_OBJPRIVSDBA_UNUSED_OBJPRIVS_PATHDBA_UNUSED_PRIVSDBA_UNUSED_SYSPRIVSDBA_UNUSED_SYSPRIVS_PATHDBA_UNUSED_USERPRIVSDBA_UNUSED_USERPRIVS_PATH
OEM makes it easier on you to see the reports and evengenerate a revoke script. Figure 5 shows the drop downmenu under Actions.
Figure 5: OEM Options under Actions
The Reports menu shows a summary, as well as used andunused privilege listing that you can export to an excel file.To be able to use the Revoke Scripts option, OEM needs tocomplete a setup as shown in figure 6.
Figure 6: OEM Setup for Revoke Scripts Generation
Oracle Database Security
The revoke script revokes all unused roles and privilegesfrom the role granted to the user, in this case this is notdesired, because we do not want to mess with the DBA role.Here the Create Role menu comes for help. Figure 7 showsthe OEM screen to create the role; you have option tocustomize the role creation as well.
Figure 7: Create Role screen of OEM
This creates a new role for you with only the used privileges -how sweet is that!
Biju ThomasOneNeck IT Solutions
Oracle Database Security
An Introduction to Design Considerationsfor a Highly Available Oracle AccessManager DeploymentRobert Honeyman - Honeyman IT Consulting
The use of Single-Sign-On (SSO) and Access Management isan often requested feature when implementing web andmiddleware applications to improve security and reduceadministration. The primary reason SSO is desirable as anEnterprise technology is the centralization of userinformation and a single login / access control point formany applications. However once a centralized SSOinfrastructure is implemented it becomes service critical forall applications using it. If SSO infrastructure becomesinoperable then all dependent applications are alsoinaccessible, so the SSO infrastructure is a potential “SinglePoint of Failure” for the Enterprise. This means there is aresponsibility to ensure resilience and High Availability for anSSO system beyond that of the individual dependentapplications.
This article provides an introduction to the considerationsrequired to build a High Availability SSO infrastructure tosupport Oracle Fusion Middleware deployments. An SSOsolution needs to ensure service continuity for allcomponents of the SSO and access control service andassociated data repositories.
The Oracle product offering for SSO and conventional accesscontrol is Oracle Access Manager 11g, subsequently referredto as “OAM”. In case you are not familiar with OAM I providea quick summary of the OAM product features and generaldeployment requirements.
OAM has capabilities beyond a conventional username andpassword SSO and can support more sophisticatedauthentication methods such as Security Token, Kerberos,Windows Logon integration and Identity Federation. In orderto impose authentication and access control to anapplication a resource definition is created in OAM. In thecase a web application the resource would store a URLdefinition to protect. An authentication scheme is thenattached to the protected resource using a policy definition.This would commonly impose a credential verification lookupto an LDAP directory when authenticating, and subsequentlyauthorizing access. A web SSO authenticated and authorizeduser receives OAM_ID and OAM_AuthnCookie_hostnamecookies from OAM to allow them ongoing access toprotected resources. OAM stores user session informationon the server-side so is able to ensure user session validity.
OAM supports multi-level authentication and has the abilityto create access control policies based on groupmemberships and user attribute values. These featuressupplement basic authentication allow a more fine-grainedaccess control to web and middleware application resources.OAM also provides full integration with Fusion Middlewareproducts through Oracle specific SSO features and supportsnative OAM and legacy Oracle Single Sign-On login agents forolder Oracle middleware deployments.
All these features aside OAM is fundamentally an OracleFusion Middleware application and is built in the typicalfashion. It is deployed to Weblogic and uses an OracleDatabase repository created with the Repository CreationUtility (RCU) to host access control policy data. The otherrequired component for an OAM SSO solution is an LDAPdirectory to store user identity data, the SSO credentials and
Oracle Access Manager
user attribute information.
To summarize from above when considering a HighAvailability OAM SSO configuration we need to consider thefollowing main components, and their back end data stores:
• LDAP User Identity Store• Oracle Access Manager
The main options for an OAM User Identity Store are shownin Table 1. The table outlines the differences between theoptions.
For the purposes of this article we specify configuration of aHigh Availability (HA) Oracle Internet Directory (OID)deployment. OID has adequate HA capabilities and hascomprehensive and proven integration options with FusionMiddleware products, including legacy products such asForms and Reports. The Weblogic Embedded LDAP optionenabled by default when OAM is installed is not suitable foran Enterprise HA solution due to its limited scalability. OracleUnified Directory is specified by Oracle in the latestEnterprise Configuration Guides however it is not fullycertified with all Oracle Fusion Middleware products at thetime of writing.To achieve High Availability all components need to be
configured with resilience. This means thinking aboutdatabases, middleware, web servers and connections to alltiers for the high-level components. Multiple targets must bedeployed for each tier of these high-level components andconnections routed in a resilient manner. This means loadbalancing and failover is required for all connections to alltargets. Some of the sub-components have integratedsoftware load balancing capabilities, others require externalor hardware load balancing.
Oracle Access Manager
Table 2 outlines the connections which use load balancingprovided by the Oracle Fusion Middleware and Databaseproducts. WebGate agents are configured to access multipleAccess Server Proxy targets through the OAM AdminConsole. Oracle HTTP Server (OHS) connections use astandard Weblogic reverse proxy approach usingWebLogicCluster directives. Database connection failover ishandled through standard methods appropriate to theconnection type.
Table 3 outlines services which require external loadbalancing. These services are the front-door access to OAM,OID and management services.
Oracle Access Manager
Figure 1 illustrates a simplified layout of an OAM SSOsolution integrated with OID and a single dependentapplication. This diagram omits the management servicesused to configure the “Live” services involved to reducecomplexity in the diagram.
The two Oracle Databases OIDDB and OAMDB shown shouldbe configured in Real Application Clusters (RAC)configurations. I will not elaborate on how to configure a RACcluster here, but will re-iterate the connections from theOAM Weblogic cluster use JDBC whereas OID databaseconnections use TNS. This means that OAM database
connections must implement Multi or GridLink Data Sourcesfor connection resilience whereas OID must use TransparentApplication Failover (TAF) for connection resilience. TAF canbe configured on the client side in tnsnames.ora or as is nowrecommended on the server-side as TAF policy attached to
the serving RAC cluster and database.
Once the database requirements have beensatisfied we must consider the OID LDAPservices to implement the User Identity Storefor OAM. Figure 1 shows OID implemented asan Identity Management Cluster denoted byIDM LDAP Cluster contained in IDMDomain.An OID Identity Management Cluster is not aWeblogic cluster. An OID Cluster shares statethrough the ODS schema held in the OIDdatabase, and the OID nodes do not replicatestate between nodes directly. As the OIDservices do not use Weblogic the IDMDomainis not strictly required, but typicallymanagement services are also deployedwhich do require Weblogic. In these typicalconfigurations an OID cluster is registered asan OPMN managed target to the IDMDomain.The management services are DirectoryServices Manager, Fusion Middleware Control
and Weblogic Administration.
Oracle Access Manager
The OID LDAP server targets must be load balanced in around-robin fashion without stickiness and presentedthrough a virtual server denoted by theldap.mycompany.com box in Figure 1.
The following further requirements should be givenconsideration when implementing a High Availability OIDcluster:• A time service such as NTP to ensure cluster node timesynchronization• Port translation to present the service on industryrecognized LDAP ports• Timeouts at the load balancer and OID level to preventuntimely connection drops• Disabling LDAP entry caching to preserve data integrityacross the cluster
The time service is critical for stable operation and is checkedduring OID cluster installation so must be configured inadvance. NTP deployment is straightforward to implementby a Systems Administrator and does not require furtherelaboration.
Port translation allows services to run on Oracle defaultunprivileged ports on OID hosts while still presenting theservice on standard registered ports through the LoadBalancer. The OID port translation mappings forldap.mycompany.com are shown in Table 3.
Load Balancer timeouts for the LDAP service may berequired by the Enterprise for compliance or operationalreasons. If this is the case the OID attributeorclldapconntimeout should be used to set the OID idletimeout to less than the external Load Balancer timeout. This
will prevent hard connection drops during quiet periodswhich could affect service from OID hangs.
OID entry caching is a performance enhancing feature toprevent unnecessary database round-trips. However as theentry cache is not synchronized across an OID cluster it mustbe disabled in an OID cluster configuration. To disable OIDentry caching set the OID attribute orclcacheisenabled=0.
Having reviewed the requirements for the OAM User IdentityStore we must consider OAM itself. The OAM SSO and accesscontrol services run as a Java application and are deployed ina conventional Weblogic cluster denoted by WLS oamclustercontained in IAMDomain in Figure 1. The OAM Weblogicapplication runs the Access Service and Access Agent Proxiesand also serves standard content such as SSO login pages.The OAM cluster implements an Oracle Coherencedistributed object cache to replicate shared state across themanaged servers in the cluster. The OAM Coherencedeployment replicates both configuration and policy changesmade from the OAM Admin Console and session state foractive user login sessions. This means policy, configurationand session information is always synchronized and up todate across the whole cluster, so failover from one OAMnode to another is seamless. The use of Coherence forcluster replication dictates that clustered nodes should beconnected to each other by a high bandwidth and lowlatency network connection. This means co-location in thesame data centre on a Gigabit or better network or possiblya very good cross-site link. This being said there arealternatives for multi-site configurations which are usuallypreferable.
Oracle Access Manager
One exceptional data set that is not replicated by Coherenceis initial request data used by OAM prior to a logged on usersession being established. This includes original requests toprotected URLs to allow re-direction to protected resourcesafter login. By default the initial request data is stored in theOAM Server, but as it is not replicated by Coherence the pre-login session data could be lost in the event of an OAMWeblogic managed server failure. To cater for thiseventuality an OAM_REQ cookie can be used to store thepre-login session information. If a managed server fails, datais still available in the user’s browser session. The OAM_REQcookie is enabled by setting the RequestCacheType toCOOKIE in the OAM Admin Console.
As shown in Table 2 load balancing of the Oracle AccessServers is achieved through software, however an EnterpriseHA configuration requires a separate Oracle HTTP ServerWeb Tier. The Web Tier hosts must be externally loadbalanced. The following further considerations apply to theOAM high-level component.
• A time service such as NTP to ensure cluster node timesynchronization• Port translation for web tiers to present the service on theindustry HTTPS port• Shared storage for OAM Admin Server domain directories• OAM Integration with OID as a User Identity Store• Timeouts to from OAM to the User Identity Store•WebGate to Access Server connection resilience• Timeouts from WebGates to OAM
The time service requirement is the same as for OID and allmulti-node HA configurations.
The port translation requirement applies to OAM Web Tierhosts only. Port mappings for OAM Web Tiers onsso.mycompany.com are provided in Table 3.
Resilient shared storage must be used for the OAM AdminServer domain directories for two reasons.1. The Admin Server needs to be able to start up on anyserver in the cluster in case of a failure this is not possible ifthe storage is hosted locally.2. The Admin Server domain directory is the master copy, sowe do not want to lose access to these files due to a hostfailure.
OAM Integration with OID is achieved by first configuring OIDto operate as an Identity Store using an Oracle suppliedscript idmConfigTool.sh for UNIX derivative operatingsystems. This script loads OID schema objects required byOAM and sets up user accounts to manage the OAM Adminconsole and provide OAM access account to connect to OID.The OAM access account to OID is privileged but not a super-user for security reasons. After OID has been prepared as anIdentity Store it needs to be created as an Identity Store inthe Data Sources section of the OAM Admin Console. Theload balanced ldap.mycompany.com OID cluster VIP and theOAM access account cn=oamLDAP,dc=mydomain,dc=comshould be used to connect to OID. At this point the OID UserIdentity Store should be set as the Default Store and SystemStore for administrator credentials. Finally to set OID to beused for user credential searches the LDAP AuthenticationModule must be changed to use OID as the Identity Storeinstead of the Weblogic embedded LDAP server.
Oracle Access Manager
The Identity Store definition page in the OAM Admin Consoleprovides configurable timeout settings for OAM’s connectionto the OID User Identity Store. In the single-site examplepresented here there is no secondary Identity Store and HighAvailability is provided through the OID cluster and OracleRAC. Nevertheless it may be worthwhile setting some of thetimeouts as waiting indefinitely for a response may not bedesirable as it may increase the load on a stressed or failingservice. The following settings allow control over IdentityStore wait times and operations:
• Wait Timeout: places a time limit on obtaining a connection• Results Time Limit: limits the length of time for an IdentityStore operation
The diagram in Figure 1 shows an integrated web applicationwith a WebGate Policy Enforcement Point module installedon the web server. The WebGate in this example must beregistered with OAM either through the OAM Admin Consoleor using another Oracle supplied tool called RREG. The RREGtool uses XML configuration files to configure WebGates andassociated protected resources from the command line. Thepoint to note here is that to achieve High Availabilty aWebGate must be configured to load balance and failoverrequests to multiple Access Servers in oamcluster. This isachieved through specifying multiple OAM servers in theWebGate configuration using a combination of primary andsecondary servers in the WebGate configuration. Typicallyservers in the same oamcluster should be specified asprimary servers to the WebGate. Secondary servers are onlyinvoked on failover as a result of the Failover Thresholdbeing reached.
The amount of time a WebGate waits for a response from anAccess Server is also configurable in the AAA TimeoutThreshold setting. In some situations it may be worth settingthis timeout to avoid long pauses with a WebGate waiting fora TCP timeout where an Access Server has failed.
This article has explored some of the considerations andrequirements for a Highly Available Oracle Access ManagerSSO solution, using Oracle Internet Directory as the UserIdentity Store. Oracle Access Manager is a product with manyapplications and configuration possibilities, and HighAvailability configurations are inherently complex. As a resultthere are many more options, aspects of OAM configurationsand related topics which I hope to cover in future.
Robert HoneymanHoneyman IT Consulting
Oracle Access Manager
Oracle WebCenter Experts Complete the ITPuzzleTroy Allen - TekStream
Remember those rainydays when we were kids,nothing to do, can’t playoutside unless you wantto get drenched andmuddy (I’ll admit, therewere plenty of rainy daysthat that was just theticket)? Puzzles werealways a great alternativeto having to wash themud out from behindyour ears, and I lovedthem. The only problem Ihad with puzzles wasfinding the right piece tostart with. I’d look at thepicture on the box, try toorganize all the pieces
out, grouping them by putting all the ones with an edgetogether, all the ones that looked like they clouds togetherand so forth. The bigger the puzzle, the more planning I hadto do. Now days, my puzzles don’t include cardboardcutouts but computers and software that have to beorganized and connected in just the right way to make thepicture of an IT director’s vision come to life.
Designing the infrastructure for Oracle’s WebCenterproducts can be a daunting task for IT organizations new tothe technology, or even to experienced 10G administratorswishing to deploy Oracle WebCenter 11g. Even those whoare familiar with WebCenter 11g must discover the hiddensurprises brought about by the latest Dot 8 release of theproduct set. It is a puzzle, figuring out what parts fittogether, how they work to communicate, and it can bedifficult to find that one piece to start out with. While thereare many products under the WebCenter banner, this articlewill focus on the latest release ofWebCenter Content withsome highlights onWebCenter Portal.
Oracle has written hundredsof pages on how toimplement the OracleWebCenter product set, andI’m not going to dig into allthe details that they havealready disclosed. Instead, Ithink it’s more valuable tofocus on overviewing theelements of theinfrastructure, key decisionsthat need to be made,exploring some of thehidden gotchas that comewith the product set, andproviding some ideas thatcan help to make yourimplementation moresmoothly.
Oracle WebCenter
Puzzle ElementsThe basic elements of the WebCenter puzzle can be brokendown into hardware, network, security, and software.
They are all dependentupon each other, but partof putting the puzzletogether is looking at eachone separately as well ashow they fit into the largerpicture.
WebCenter Content andWebCenter Portal bothrequire, at a minimum,
database, file store system, security application (unless usingwhat comes with WebLogic Server), application server, webtier, and the WebCenter application. While some of theseapplications and software elements can run together on thesame servers, it is generally best-practice to have themseparated out. The following is a standard WebCenterreference architecture provided by Oracle.
The reference architecture calls out several elements, but atits basic level, it notates database, network, security, andsoftware.
WebCenter supports several varieties of database. Youshould check out the supported type and version for thespecific versions of WebLogic Server and WebCenterContent/WebCenter Portal you will be deploying.
Specs for WebCenter Content can be found here:http://www.oracle.com/technetwork/middleware/webcenter/content/oracle-ecm-11gr1.xls.
Oracle WebCenter
Specs for WebCenter Portal and WebLogic Server can befound here:http://www.oracle.com/technetwork/middleware/downloads/fmw-11gr1certmatrix.xls
WebCenter also supports several different operating servicesand versions. Ensure that the operating system of choicematches those listed in the above certification matrixesprovided by Oracle.
Determining the hardwarerequirements for all the softwareelements can be tricky. Fordatabase, keep in mind thatunless you are planning to storefiles as blobs within the database,most of the data transactions willbe for metadata storage, system
detail and logging, and for searching. Storing content outsideof the database usually represents a smaller databasefootprint. Sizing against WebCenter Content/Portal, in thiscase, should be based on the expected searches that userswill be performing. Database should also be configured forRAC or GRID.
Sizing hardware for WebCenter Content and WebCenterPortal is usually based on the number of transactionsexpected at any given time. Understanding the uses cases ofyour systems and the volumes of user interactions will becritical. As a general rule, 40 to 50 transactions per secondper CPU per GHz is a good rule-of-thumb for sizingWebCenter applications.
Network and inter-applicationcommunication plays a largerole in constructing theWebCenter puzzle. WebCenterrelies on communication tosecurity applications,application server(s), otherWebCenter products, and useraccess. In most cases, SSLencryption is supported and can be configured for outsideserver access as well as inter-application access.Communication ports are also configurable (even thoughmost installations utilize out-of-the-box ports). One of thelargest gotchas in the overall network for WebCenter is filesystem access rights and permissions. There are manyinteractions between the WebCenter products that requirefile system access and this should be planned out in advanceof any installations.
Both WebCenter Content andPortal allow administrators toeither use the built-in securitythat comes with WebLogicServer, or to utilize a third-partysecurity application like Oracle’sIdentity Management orMicrosoft’s LDAP services.
When deploying WebCenter Content and WebCenter Portalto create a single user application, it is best to deploy withOracle Identity Management or Microsoft LDAP. Single Sign-On (SSO) is also a key factor to make the user experience ofthe application as smooth as possible. While there are manyoptions for SSO, WebCenter is an Oracle product andrequires less “configuration” when using SSO provided by
Oracle WebCenter
Oracle products. Configuring Kerberos and SAML can be achallenge at times.
WebCenter Content hasseveral elements that makeup the overall applicationincluding refinery services forcontent conversion, imagingfor document capture fromfax and scanners, andmultiple components that canbe turned on includingRecords Management.WebCenter Portal provides
two primary options for operation, Spaces and Portal.Understanding the overall use cases of the system you arepiecing together will help to determine what portions of theproducts should be enabled. For some features, likeenabling PDFConverter on WebCenter Content, require thatthe Inbound Refinery (also referred to as the ConversionServer) runs on Windows to support cVista’sPDFCompressor. Reviewing the Installation andConfiguration guides for the WebCenter products (foundhere http://docs.oracle.com/cd/E29542_01/index.htm) canhelp determine the appropriate operating systems of thehardware it will be installed on.
WebCenter Content Dot 8 (11.1.1.8) provides some newfeatures that will impact the servers, security, and networkaspects of the overall puzzle. Dot 8 introduces a newWebCenter UI based on ADF (Application DevelopmentFramework) that makes it a necessity to utilize a securityapplication outside of WebLogic Server.
Oracle WebCenter
"Even those who are familiar withWebCenter 11g must discover the hiddensurprises. It is a puzzle, figuring out what
parts fit together.."
Key DecisionsThe following decisions,among many that need to bemade, will help in determiningwhat puzzle pieces are neededand how they will ultimately fittogether.
• Decide on the ProductsBased on established BusinessRequirements and Use Cases,align the appropriateWebCenter products andfeatures to ensure needs arebeing met• Decide on the HardwareBased on the selectedWebCenter products andfeatures and how the systemwill be utilized, first determinethe types of environmentsthat will need to be configured(Development, QA/Testing,Production, DisasterRecovery). It will be importantto determine whatenvironments (if any) will beconfigured for clustering to support Highly Available andHighly Reliable access to the application. The WebCenterproducts and features may dictate what operating systemswill be required and this should be included in the decisiontree.
• Decide on the DatabaseSome companies rely heavily on Microsoftdatabase applications and are not comfortablewith Oracle database products. While WebCenterdoes support Microsoft as a database platform,there are some considerations that need to bemade. Using Microsoft database with WebCenterContent means that you will be limited to usingDatabase Full Text for searching. While this is avalid search option, it does require that the indexbe completely rebuilt whenever new metadatafields are introduced; this can take considerabletime to complete if there are a large number ofdocuments in the repository. Otherconsiderations include some of the features thatOracle database provides, and have been testedagainst WebCenter, such as encryption at rest formetadata and content, database clustering (RACand GRID), and de-duplication (removing multiplecopies of the same file).• Decide on a Security ApplicationIn most cases, it is best to utilize an externalsecurity application to support single usermanagement across multiple instances of theWebCenter products as well as making it easierfor SSO configuration. While third-party
applications can be utilized successfully, Oracle tends toprovide the greatest amount of support for Oracle on Oracleapplications.
Oracle WebCenter
Final Thoughts – Completing the PuzzleThe only way to really make sure that you get all the pieces intogether, get them sorted, line them up, and put themtogether to finish the WebCenter puzzle is to Analyze,Investigate, and Document, Document, and Document.
Analyze your requirements fully. Understand what the endgame of the application is meant to be and ensure that youhave all the details available.
Investigate all the options that are available to you from aninfrastructure and software perspective to ensure that youhave a configuration that will enable the outcome of youranalysis.
Document your findings. Document every step of the wayand utilize revision controls so that you can look back onwhere you came from and where you wound up at. Makenotes along the way as to why certain decisions were made(this will help you down the road especially when you expandor upgrade your systems). Document your final solutionBEFORE you implement it. This will give you a dry run onpaper (with logical and technical diagrams, process flowcharts, and requirement matrix). It is more cost effective towalk through the process and catch the obvious issues thanto perform a full install only to find major issues whileperforming the beginning steps of the solution’s deployment.
One additional note that can make a huge difference: Get anextra set of eyes and hands on the project. Even if you havealready deployed WebCenter and are just doing an upgrade,this isn’t something that most people do day-in and day-out.Find resources that only focus on WebCenter applicationsand understand all the “undocumented features and
gotcha’s” that come with enterprise level applications. Thecost upfront will same you big money in the maintenanceand support of your solution in the years to come.
Troy AllenTekStream
Oracle WebCenter
Maturity of Service Oriented ArchitecturesDouwe Pieter van den Bos, Ome-B.nl Creative Software Solutions
IntroductionService Oriented Architecture, SOA, help organizationsbecome more agile, flexible and can reduce the cost ofownership of the landscape. SOA certainly can help middle-and large organizations to get more control over theirarchitecture, while creating opportunities in the businessfield.
However, there are some big challenges that are to be made.Because SOA is not only a way of working in the IT domain,the whole organization needs to be on track. Like allarchitectures, Service Oriented architecture has maturity.Some organizations are very SOA-aware and the entireorganization is built on the principles of the architecture,other organizations are just starting out and have onlyimplemented a Service Bus.
Knowing what steps to take in the future can providevaluable insights for both technology and business sponsorsin the organization. In short: SOA-Maturity is a keen way toscope the next steps in further development (maturing) ofthe entire organization in becoming more and more agileand flexible.
SOA-Maturity: Why?Knowing where you stand and where you’re heading canhelp in a lot of ways. All organizations are very busy workingon IT-programs, business enhancement initiatives andalignment projects. But where do we stand? And what
investment is the best effort to make?
Using SOA Maturity Models we answer a few essential‘Why?’s for any organization.
Complexity. Service Oriented Architectures are complex. Toget insight in the complexity of an organization we need toknow its ambitions and vision. This helps us to define wherewe’re heading and how complex (and therefore costly) theroad ahead is.
Future-proof. For members of the board there is nodisappointment larger than realizing that large investmentswhere invalid. When we know the maturity and road aheadof the organizations’ architecture, we can define what stepsare to be taken. And how future-proof they are. Taking inaccount the age and agility of all dimensions of SOA (from ITinfrastructure to maintenance organization structures) wecreate a clear view of the sustainability of the environment.
Roadmap. Using the SOA-Maturity approach we create aclear and feasible roadmap of further development. Thishelps us to define the necessary next steps in furthergrowing up of the organization. The roadmap, as a finalproduct in the maturity assessment, shows where to invest,and where not.
$’s and €’s. Eventually, it all comes down to numbers.Knowing the roadmap of further maturing the organizationsarchitecture gives insight in what investments arenecessities, and what are mere wishes. In other words: wenow know how to put our money where it’s worth.
Service Oriented Architecture
SOA-Maturity ModelsThere are various models available to measure SOA-Maturity. Two of them are used widely and have their ownpro’s and con’s. There’s an extensive model that is publishedand maintained by The Open Group (the same organizationof TOGAF) and there’s a model that Oracle uses itself. In thetable below the differences of the models are explained.
This said, although the differences, both models are quitesimilar. And for both models it’s important to use the partnecessary for the task at hand. The Open Group model(OSIMM) is very comprehensive but if you use the parts thatyou need it offers a lot of flexibility and maturity as a modelitself. The Oracle model on the other hand is fairlyunderstandable, but might be a bit too simple for verycomplex environment. And, of course, both models can becombined, just what you want.
The Open Group Service Integration Maturity Model (OSIMM) ©The Open Group
Although we discussed two different models, both work thesame. They both use various measurements:
Dimensions of SOA: technology and organization. Thesedimensions – like IT-infrastructure, information, governance,project management, etcetera – ensures that themeasurement is not only done on the technology side ofthings.
Indicators: level of SOA-maturity. All models work withvarious indicators to know on what level of SOA-Maturity anorganization is. These indicators give insight in the maturitylevel – like no SOA, Ad Hoc, opportunistic, systematic,managed and optimized – the organization is on or the levelit wants to be.
Service Oriented Architecture
Level of adoption. The level of adoption of SOA-principlestells a lot about the maturity and is a very importantindicator of the level of SOA-maturity. These levels – such asonly adoption on project level or organization wide adoptionof the most important principles – offer insight in how theprinciples are embraced by the organization.
The Oracle SOA Maturity Model ©Oracle
But most important: SOA-Maturity Measurement is anassessment. It’s a process that needs to be done with theright people, with the right will. It’s not something you can doon your own, without backup from the organization(although you will know that the level of adoption is quitelow).
SOA-Maturity MeasurementSOA-Maturity Measurement is an assessment. This meansthat it is a process that involves various stakeholders,multiple actors, different dimensions and – especially – loadsand loads of questions.
The process of SOA-Maturity Measurement is as follows:
The SOA-Maturity Measurement process
First we need to know how the surroundings look like.Therefore we need to identify the dimensions and to identifythe stakeholders.
Looking at Identify the Dimensions, we have a fairlycomprehensive model to take into account. In the OracleSOA-Maturity Model we see 8 dimensions, in The OpenGroup OSIMMmodel we can identify 7 layers / dimensions.These are all fairly similar although Oracle recognizesprojects and portfolios as a separate dimension. This isactually pretty smart, since we have to take into account thatit is possible that the environment is changing as we speak.Plus the way projects are governed is of interest to us in thisstage.
Service Oriented Architecture
The 8 dimensions in the Oracle SOA-Maturity Model ©Oracle
When we are identifying the stakeholders we have a fewhelpful models in place. The RACI-table is the most importantone here. Using the ‘Responsible, Accountable, Consulted,Informed’method we can quickly identify – per dimension –who the main stakeholders are. This can help with theworkshop that will give understanding of the current stateand the future vision of the organization architecture.
During the Assess Current State phase we have to getinvestigate what the current state of the architecture is.Beware of some ‘nice-weather’ answers you might getbecause some of the stakeholders might not benefit fromthe (cold) truth. But that said: per dimension there arequestions in place that can be asked. Especially in the OpenGroup OSIMMmodel there are extensive questionnaires
available to assess this state.
With the answers being provided – either during a workshopor during various interviews – we can use indicators todetermine what the current state is. In the OSIMMmodel wesee a comprehensive list of what indicator and whatattributes combined give a certain maturity level.
Example of maturity indicators in the OSIMM model ©The Open Group
Of course, the most fun part is to Define the Future Visionon Service Oriented Architecture. But this is also the trickiestpart. It happens more than once that an organization forgetsessential stakeholders, or that organizations define a futurevision that is not realistic.
So there’s a nice challenge. Because we don’t want tooambitious, but we also do not want to be too laid back aboutthe things we want to do in the future. This because we reallywant to work and need things to do. When we’re looking atthe future vision take into account where the organization as
Service Oriented Architecture
a whole wants to stand in relation to Service OrientedArchitecture. Especially the OSIMMmodel works very good inthis case since the relation to TOGAF is a very natural one.
Defining the future vision is ongoing work for anorganization itself. However, it is possible to create enoughinsight in the matter within one intensive workshop as longas the most relevant stakeholders are participating andwilling.
When we have a clear view on where we stand (AssessCurrent State) and know where we want to go (Define FutureVision) we can learn what the gap between those places is.During the GAP Analysis we create the view on where themost of the work is to be done. This is the first step in whichwe learn where we should put our money.
Example of a GAP Analysis in a graph.
Using the insights we got during the GAP Analysis we canIdentify Activities we need to do in order to fit the gap.These activities need to be addressed to stakeholders andhave a clear goal, purpose and date. All activities shouldfollow SMART (Specific, Measurable, Assignable, Realistic andTime-bound).
Another method that is used a lot in the Scrum Developmentmethod is also practical to use: INVEST. This stands for:Independent, Negotiable, Valuable, Estimable, Sized andTestable. Especially within an Agile developmentenvironment this might help. In this article I will not gofurther into this method, since it is very Scrum specific.
Create RoadmapWhen we have done our SOA-Maturity Measurement wehave enough ammo to create a roadmap. The Roadmaphelps us make the right decisions and offers us insight in theprojects that needs to be done in order to grow as anorganization. During this phase there are a few things tobear in mind.
- Steps in a roadmap always follow a certain order. Beware ofthis when you are shuffling the steps to take.- Always have in mind which activities are adding actualvalue, which offer nothing but constraints and which can beseen as mere wishes from one or two stakeholders.- Order the activities. Not by random but by the value theyadd to the organization as a whole.- Prioritize. Therefore you will need to add numbers to theactivities. Think about the entire sum of things: this meansboth the necessary effort and the value it brings.
Service Oriented Architecture
ConclusionSOA-Maturity Measurement is an effective way to keep ontrack and to see what needs to be done. It offersorganizations a complete view and insight in the way theorganization is developing itself. Using various tools, theright stakeholders and smart questions it is possible to giveanswer to the further development of your Service OrientedArchitecture within the span of one day.
Douwe Pieter van den BosOme-B.nl
Service Oriented Architecture
The World According to Oracle –Oracle OpenWorld 2013 and beyondLucas Jellema - AMIS
What the short, mid and long term plans are of OracleCorporation is interesting for many stakeholders. Amongthese are industry analysts, Oracle’s customers, partners,competitors and of course the hundreds of thousands if notmillions of technical specialists whose daily livelihoodsdepend on Oracle. Communications about these plans ofOracle as well as living proof of the execution of those plansare ongoing. Every week brings press releases, productlaunches and roadmap updates. However, the best time ofthe year to get a complete overview of where Oracle standsand is going, is during the Oracle OpenWorld conference. Forclose to a week, Oracle staff from all ranks and across allproduct offerings present, outline, demonstrate, defend andlaunch statuses and plans, roadmaps and decisions, newacquisitions and classic products. One week in September toget up to speed with Oracle’s plans and actions.
This article summarizes status and future for many parts ofthe Oracle technology stack, based on the official andinformal news, gathered during Oracle OpenWorld 2013.What was said, what was intended, what was carefullyomitted and what could be read between the lines has beenassembled into this one overview.
The article however opens with a discussion about threemajor transitions – substantial course changes for that redsuper tanker called Oracle. These transitions dictate much ofwhat is going on in Redwood Shores – that will impact manydifferent products, Oracle’s position in various markets and
the overall customers do business with Oracle. The threetransitions discussed here are not specific to Oracle –mostof the IT industry and its customers face or will face similarchallenges. Nor is Oracle necessarily the first to handle thesechallenges. In fact - as may be expected from super tankers –Oracle cannot rapidly react to quickly emerging trends.
When we look at the curve of technology (innovation)adoption, Oracle hardly can be considered an innovator. Itmay sometimes be an early adopter on the left side of thechasm, frequently it will be on right side of that chasm. Interms of spending your investment dollar wisely, that is notnecessarily a bad place to be. However, it usually means thatyou are a little late in each new game and have to try to catchup with the other players [or simply catch one of them].
Figure: Oracle is not well positioned to be a true innovator; it frequently does wellas early adopter
Oracle OpenWorld
Of course when Oracle starts to play in a certain area, itusually means business. The tanker may not react quickly,but its momentum is huge.
Oracle states that it wants not only to provide the full stackand mutually integrated platform components but alsoproducts that are best in class – a phrase that seems toreplace best of breed. This means that when a selection ismade for a specific product – be it an RDBMS, a service bus,an enterprise content management system or an Identity &Access Management solution – the Oracle product should beone of the top options, even without the added benefits ofthe complete stack. Oracle products have to be leaders,firmly positioned in the Gartner Magic Quadrant – shownbelow.
Figure – Oracle’s products should be best in class, firmly positioned in the leaderquadrant
Oracle’s ability to execute is usually high – based on thebreadth of the company portfolio and the size of its R&Dbudgets. Development of a vision – that both does justice tothe specific product or technology trend at hand and fits inwith Oracle’s over-all strategy and stack can sometimes takea little longer. More an Early Adopter or Early Majority thanan Innovator.
Sometimes however, Oracle does act on the cutting edge. Forexample by setting up a group that is relatively independentof the organization hierarchy and traditional lines of budgetand control, such as is the case with the Oracle ApplicationUser Experience team. Or by having the innovation takeplace outside of Oracle and then acquiring the innovator.This phenomenon occurred dozens of times over the lastdecade (to name just a few: KSplice, Collaxa, Oblix,Moniforce, Nimbula, Xsigo Systems). Of course in some coreproduct lines, Oracle drives the innovation itself – such as inrelational database technology.
Three transitions at Oracle drive many of the productroadmaps, providing the undercurrent for basically anythingbeing planned, developed and rolled out. Three transitionsthat Oracle has embraced, made part of its strategy andshould ensure the continued cornering of the magicquadrant.
1. Desktop => MobileAn increasing number of enterprise users has an increasingpercentage of its interaction with enterprise systems notthrough a connected desktop PC or laptop with full screenbrowser but instead through a variety of different “any-timeany-place” devices including but not limited to smartphonesand tablets. This has huge implications for the user
Oracle OpenWorld
experience, software delivery, security, data synchronization,back-end infrastructure and many more aspects.
Oracle focuses on the enterprise market; it will not targetconsumers directly. However, we see a blurring of thetraditional line between pure internal corporate users andexternal agents. The internal users may be part of theenterprise, however when they use their own device on alocation of their choosing, they are not all that internalanymore. Additionally, many organizations invite businesspartners, temporary workers, customers or citizens tointeract with their enterprise systems through web sites andother channels – tracking their orders, self-servicing theiraccount and even participating in business processes. Theseoutsiders are hard to tell apart from employees that roamabout.
Oracle has made mobility – or multi-channel interaction -even more prominent in its directions forward. Not just thetools to create user interfaces that run in on-device browsersbut also the back-end infrastructure required runningscalable mobile (multi-channel) applications. Part of thelatter is the Oracle Mobile Cloud Service that wasannounced.
The Oracle Mobile Cloud Service provides a proxy – whichcan be cloud based or on-premises – that all mobile devicesconnect to. This proxy provides various services such ascaching, enrichment, authentication and authorization,format and protocol adaption, that are typically required tosupport enterprise grade mobile apps and that are largelystateless. The Oracle Mobile Cloud Service proxy mediatesbetween all the mobile devices out there in the world andthe internal enterprise systems. Mobile devices do not
directly access the enterprise systems.
Security is a major component of the mobile revolution.Authentication and single sign on from external devices byusers with varying clearance levels in much larger numbersthan just the employee head count is an interestingchallenge. Security of data on devices outside the securityperimeter of the enterprise is another consideration. Oracleannounced support in its Identity and Access ManagementSuite for both these challenges, including management ofsecure containers on bring-your-own-devices that hold theenterprise assets and have a form of remote managementthat is compliant with privacy laws.
Oracle does not want to get into platform specific, nativemobile apps. However, it has a need for cross-platformmobile applications that can also run in off-line conditions.Such apps are provided with middleware products like BIFoundation, BPM and WebCenter Content and for manyelements of the Applications portfolio. The technology Oracleuses for the development of these mobile applications iscurrently called ADF Mobile, based on Apache Cordova (akaPhoneGap). This technology may shortly be rebranded toOracle Mobile Development Framework – or something ofthat nature – perhaps in conjunction with the Mobile Cloudplatform that was mentioned before.
RESTAn important part in the support for the variety of channelsand devices Oracle strives for is broad REST(Representational State Transfer) & JSON (JavaScript ObjectNotation) support. RESTful services have become the defacto standard for the interaction between modern userinterfaces running either as HTML5 in browsers or as native
Oracle OpenWorld
apps and their enterprise back end. These services areinvoked over HTTP using relatively simple messages and thebasic verbs available in HTTP (GET, POST, PUT, DELETEproviding CRUD on resources) – usually with JSON as thedata format structure, as the compact and native browseralternative to XML.
Support for REST and JSON has become a common themeacross many components of the Oracle technology stack.Some examples: the Mobile Cloud Service and other cloudservices from Oracle expose RESTful APIs that can beconsumed by mobile devices. Oracle’s SOA Suite is currentlybeing enhanced with support for RESTful Web Services thatspeak JSON. The Oracle Database is being extended tosupport JSON in a way that is similar to the support forXML(Type). ADF can consume RESTful/JSON based services asof 12.1.2 (July 2013). The next release of ADF (12.1.3,sometime in the first half of 2014), is expected to also alloweasy publication of RESTful/JSON services from the ADF BCframework. Coherence 12c exposes RESTful APIs forretrieving and manipulating data. Products such asWebCenter Content have had support for RESTful APIs forsome time and other products follow that lead. Shortly, mostadministration actions we can perform on WebLogic throughWLST will also be available through RESTful APIs.
User Experience – simplicity, mobility and extensibilityDifferent channels, devices and user groups require diversityin the user experience. The enterprise user of the lastdecade typically accessed user interfaces from a browserrunning on a desktop using a keyboard and a mouse. Mostapplications were designed with power users in mind,focusing on a wide scope of functionality. The userinteracting with the enterprise systems of today and
tomorrow do that in a variety of ways, including touchdevices without a keyboard such as tablets and smartphones. Most of them will typically require only a smallpercentage of the full functional breadth of the application.
Oracle has made a bold statement: it wants to lead in thearea of User Experience. It has put together a strong teamthat explores user experience in an out-of-the-box manner,embracing new technologies such as voice capture, GoogleGlasses and modern media traits such as info graphics andeBooks including multi media. This UX team will lead the wayfor all Oracle products in terms of how their user experienceshould be designed and implemented. Note that anyone canbenefit from their ideas and processes using resources ontheir public website: usableapps.oracle.com.
One important statement coming out of the UX team is thatOracle’s Applications should keep the 90:90:10 ratio in mind:10% of functionality that 90% of the users need for 90% oftheir interaction. This can be translated for example to a veryattractive, very accessible, largely read only layer that iswrapped around the core power user parts of theapplications. This layer exposes key information in anintuitive way, allowing for very easy navigation and providingthe starting point for drilling down into core areas wheremore complex data manipulations are available. Self Serviceis an important topic supported in this layer: opening upapplication functionality for new user communities that onlyneed access to specific parts, information and actions. Theseusers should not require training to use the application,should have an intuitive experience such as they get on aniPad and other tablets. This approach is implemented (underthe name Fuse) in the Release 7 implementation of FusionApplications HCM – heavily using the ADF components Spring
Oracle OpenWorld
Board, PanelDrawer and Vertical Tabs.
The mantra simplicity, mobility, extensibility very conciselysummarizes the philosophy of the User Experience team.Mobility in this case states that the user interfaces aredesigned to support various channels and devices (mobile –smart phone, small tablet, large tablet - and desktop browserfor the power user. Design of the user experience will startfrom the tablet – screen size, form factor, touch and gesture– to create the UI taking centre stage in the 90:90:10approach. HTML5 is an important factor in the actualimplementation of the tablet user interface.
Extensibility refers to the ability for end users to change theappearance and the behavior of applications and even of
business logic and -processes. This functionality available inthe browser mimics to a certain degree the behavior of thedesign time IDEs. Examples are the Page Composer, ReportComposer and Data Composer used in Fusion Applications,WebCenter Portal as a whole and the BPM ProcessComposer through which business processes can bedesigned and modified.
2. On Premises => CloudOrganizations will rapidly be using IT assets that they do notcompletely control themselves. The times of on-site datacentres where all enterprise data and applications reside aregone. Not before long, the vast majority of enterprises willhave a mix of on-premises and public cloud-basedapplications and infrastructures. Drivers include elasticscalability, reduced upfront investment, quick deployment,outsourced administration and reduced around-the-worldnetwork latency. Supporting efficient and secureadministration, migration and integration are among thegreatest challenges
Oracle OpenWorld
All software from Oracle should run both on-premises aswell as in the cloud. The capabilities of the Oracleinfrastructure components should also be made availablethrough cloud services. Oracle wants to provide a completecloud stack – including IaaS, PaaS and SaaS offerings – aswell as enable enterprise to run their own private cloudinfrastructure. The essence of the cloud is multi-tenancy andelastic scalability, quick start up time and pay for real usage.Through efficient usage of machine and human resources,the cost of cloud services can be very competitive asopposed to dedicated, decentralized alternatives.
Moving components from on-premises to cloud or vice versashould be painless: the infrastructure and the platform in thecloud should be the same (so far as possible) as on-premise.That is the strategy that Oracle is currently working on.New in Oracle’s view on the Cloud is the acknowledgementof the third party public cloud. The collaboration withMicrosoft that offers images with Oracle Database andWebLogic Server on the Microsoft Azure Cloud (on Windowsor on Linux) is an example of this. Customers and eitherbring their own license or acquire a pay-as-you-go license.
SaaSIn the SaaS space, Oracle’s cloud offerings are the mosttangible. Fusion Applications were published as cloud servicefairly early on and Oracle acquired a number of establishedSaaS providers to further boost its SaaS portfolio and marketshare. These include Taleo, Eloqua, RightNow, Compendiumand BigMachines.
In the spring of 2013, Fusion Applications ERP offerings in theOracle Cloud were extended with Oracle Financials Cloud,Oracle Procurement Cloud, Oracle Project Portfolio
Management Cloud and Oracle Supply Chain ManagementCloud. These ERP services along with the HCM services willbe integrated with SalesForce – as was announced in June.
Figure: overview of Oracle’s (intended) cloud portfolio
PaaSPlatform as a Service offerings make elastically scalabledatabase and application server capacity available fromproviders to remote consumers. Oracle’s PaaS servicesexpose the Oracle Database, WebLogic Server and otherFusion Middleware facilities to consumers. Until OracleOpenWorld 2013, only the Java and Database Service werelive. These offer limited access to a WebLogic ManagedServer and an Oracle Database schema. During OracleOpenWorld 2013, Oracle announced new PaaS services:Database Instance as a Service and Web Logic Server as aninstance.
Oracle OpenWorld
With this DB instance as a Service, consumers have accessover any protocol including SQL*Net and JDBC to your owndatabase instance (11g or 12c). Customers have root accessto the Virtual Machine’s Operating System. SQL*Net access isavailable for example for loading/exporting large datavolumes. The database instance runs inside a Nimbula‘environment’ that you cannot break out of. Three flavorswith different levels of service management and uptime areavailable. The highest level includes a two-node RAC cluster.
The WebLogic Instance as a Service is similar to the OracleDatabase Cloud Service. It offers the same WLS that you useon-premise. Oracle manages it, or you make use of your rootlevel access. It is the full fledge Java EE container with ADFruntime – not the somewhat restricted edition offered in theJava Cloud.
Other PaaS Services that were announced in the roadmapare database backup and recovery, Java, Developer, Mobile,Documents, BI and the Cloud Marketplace where partnersand developers can publish and monetize their ownapplications and extensions to the Oracle applications.
IaaSOracle announced two new IaaS services: Elastic Computeand Elastic Storage as a Service (similar to what Amazonoffers with EC2 and S3). These services complement the SaaSand PaaS offerings from Oracle by ensuring customers of theSaaS and PaaS offerings that they can stay within the OracleCloud if they want to simply store files or deploy a custom or3rd party application. Oracle does not necessarily wants tocompete with other cloud vendors at the IaaS level – itcannot do so on price and there really is no other way forthat type of low level service - but it does want to make sure
its customers can do all they want in terms of cloud in theOracle Cloud
Oracle will start offering a Storage service (late 2013) and aCompute service (probably early 2014). The pricing will bevery similar to AWS and Google.
Identity as a Service is a service on the horizon – withsupport for authentication, access management andusers/roles/permissions - to eventually allow you to replaceon-premises IdM. Other planned IaaS services areMessaging, Naming, Elastic Load balancing, Elastic IPaddresses. Messaging is currently the closed to go live: itprovides messaging through queuing with publish/subscribeover http. Messaging can play an important role in cloud on-premises integration.
The Oracle Cloud is hosted across the globe, in regional datacenters in the USA and Canada, UK and The Netherlands,Singapore, Japan and Australia– with new data centers beingconsidered in for example Germany, China and India.
3. Database managed, structured data => BigData &HadoopNever did the world revolve around structured, relationaldata. However, enterprises have focused for decades onautomating their own structured data without paying muchattention to non-structured data and data outside their ownsystems. With technology advances in both hardware andsoftware and the increasing availability of digital assets, itbecomes attractive for many organizations to try to extractvalue from unstructured data from both within and beyondthe enterprise boundaries. Additionally, near real timeresponses to events in social media or in the execution of
Oracle OpenWorld
business processes has become an option: continuousevaluation of data – structured and unstructured – is startingto become feasible, also at enterprise business scale.
Oracle used to be on top of data management for nearly alldata relevant to enterprises. With the advent of big data andthe new ways in which that data is acquired, managed andprocessed, Oracle has to radically re-establish itself toachieve a similar position.
Internet of ThingsThe major theme of Oracle OpenWorld 2013 was Internet ofThings. This refers to the quickly growing number of devicesthat are directly or indirectly connected to the Internet:devices such as sensors, cameras, microphones and alsoprinters, refrigerators, cars and other equipment.
At the present, the number of these connected devices isestimated at around 6 billion. This is expected to grow to 50billion in 2020. Many of these devices are fairly simple – lowpower, simple I/O ports, low end CPU’s. However, what weconsider simple today usually has the computing power of astandard desktop PC a decade ago. This means that thedevices can easily run a Java Virtual Machine with quitesophisticated logic.
The ability to run Java on embedded devices has beenavailable for a long time, but with the increased capabilitiesof the devices and the easy application of common Javaprogramming skills in that environment as well as the quickgrowing connectivity (either local Bluetooth or other nearfield communication or the true internet connectivity and thecheap availability of for example the Raspberry PI, the stageseems set for rapid growth.
These devices produce data – by measuring, sensing,recording and otherwise registering values. The signals fromthe edge devices are typically processed in local gatewaysthat turn raw data into more meaningful messages throughpattern matching, aggregation, filtering and other eventprocessing strategies. Often, local gateways will send theiroutput to enterprise backend services where all thesemessages together represent big data or even huge data.The combination of volume, variety and velocity presents aserious challenge, especially when information must bederived in real time and immediate action is required.
In addition to all the data streaming in from the Internet ofThings, there is of course quite a bit of data from the Internetof People. Data from various social media constitutes animportant part of Big Data, and this constituent is typicallyunstructured. Oracle by the way offers a range of products tocollect social data, interpret this data and respond in nearreal time to, for example, complaints or questions on socialmedia; these products together make up the Social Servicesoffering apparently called SRM for Social RelationshipManagement.
A fairly common approach to handling Big Data is arising:data is gathered in NoSQL databases, processed using MapReduce in an Hadoop distribution and then stored on theHadoop File System (HDFS). The thus produced outcomesare then frequently transferred to relational database suchas the data warehouse.
New trends around Big Data seem to render this last stepless common. One of these is Big SQL, which is the ability touse SQL to access the data on HDFS. Oracle intends to makeit possible to call out from the database to HFDS in order to
Oracle OpenWorld
query the processed Big Data directly from within thedatabase and even allow joins between relational tables anddata sitting on the Hadoop File System. Similarly, Oracle willenable Enterprise R to combine analysis of relational datawith Big Data. Another development is the ability to reachout to data on Hadoop directly from Endeca – Oracle’sproduct for Information Discovery. Something similar is onthe roadmap for BI Foundation (formerly known as OBI EE):the BI Server will generate Native HiveQL and will be able toquery data directly from Hadoop through Hive.
All in all it seems like the thresholds for gathering Big Dataand integrating information extracted from Big Data withtraditional data sources and infrastructures are loweringrapidly. This will help many more organizations to leveragevalue from data that currently goes to waste.
Platform Product AnnouncementsIn addition to the three trends and their ramifications acrossthe product portfolio, there were a number of very specificproduct announcements that captured the eyes of thecrowds. The In Memory Database option was arguably thebiggest single announcement from the Oracle OpenWorld2013 conference. Oracle Database 12c will be extended –sometime in 2014 – with the in memory option that helps tospeed up queries with up to a factor of 100 by keepingselected tables and partitions in memory, in a parallelaccessible read format. The secret sauce of this featurecompared to the competition (SAP Hana among others) isthe fact that Oracle uses a dual format (columnar for fastread and row format for fast update to disk) which in turnmeans that all applications and most administration toolsare completely unaware of whether some data is held inmemory in columnar format.
The M6-32 “Big Memory Machine” that was also announcedis very suited to run the in memory database option. Itcomes with up to 32 TB of DRAM, a brand new processor –the SPARC M6 that doubles the cores of the M5 that itreplaced – and offers 96 threads per processor. The M6 isavailable as a general purpose computer and in super-clusterform.
This year’s most striking new hardware announcement wasthe Oracle Database Backup and Recovery Appliance. Thisappliance is meant to be able to create reliable copies ofhundreds or thousands of databases in an enterprise.Instead of using a long backup window, often in the middleof the night with minimal database activity, the appliance isgeared to take time-stamped snapshots of a databasesystem. Once a full copy has been created, updates occurthrough snapshots that capture only the changes since thelast snapshot. The appliance makes use of the existingRecovery Manager (RMAN) feature in Oracle databasesystems. By telling RMAN to run "in an incremental-forever"configuration, the database system will send quick, periodicsnapshots to the storage-equipped appliance, where theywill be saved. If a restore is required, data loss is minimized.In addition to this appliance, the same functionality isavailable as cloud service.
Rising stars in the Oracle product catalogue are Endeca(Information Discovery) and GoldenGate (near real time datachange capture and transfer). These products’ features wereshowcased across the Oracle stack.
Oracle OpenWorld
ConclusionThe Oracle product evolution is moving forward along themantras of its corporate strategy: complete, open,integrated, best in class and provided from the cloud. Theevolution is heavily influenced by the three transitionsmobile, cloud and big data.At Oracle OpenWorld, one can get a fairly good impression ofwhat is going to happen. It is quite another story to discoverwhen that is going to take place. Release dates for upcomingproducts are only given in very vague and approximateterms. The figure below indicates what seems to be the bestguess overview of imminent releases.
Currently slated for Spring 2014 are Fusion Middleware12.1.3 and Java 8. The database update that ships the in-memory option is harder to forecast; somewhere mid 2014is our current guess. Cloud services have been announced indroves, yet they have had some difficulty in the past tomaterialize. Based on Oracle’s statements, the Storage andCompute service as well as the Database and WebLogic as aninstance services should become available around the timeof publishing this article: late 2013. The Developer Cloudcould be available in that same timeframe. APEX 5.0 seemsmid-to-late 2014 material, but this is based on very littlefactual information.
Oracle OpenWorld
Lucas JellemaAMIS
From Requirements to Tool ChoiceSten Vesterli, Scott/Tiger
To the man who has only a hammer, everything looks like a nail.And to an Oracle developer, every set of applicationrequirements used to look like a job for Oracle Forms.
Fortunately, we now have a full toolbox available. Butapplication requirements do not lead as clearly to the tool choiceas nails, screws and bolts. We will have to stop and think a bit inorder to identify the right tool for the job. This article covers themain areas you need to consider.
Why do I need a tool?An application at its simplest needs to accept data from theuser, store them, optionally perform some calculation, anddisplay results to the user. In this article, we will considertraditional systems where the storage is handled by an Oraclerelational database.
The purpose of the development tool is to help you get datafrom the database onto a screen for the user to see andmanipulate, and to move data from the screen back into thedatabase. Ideally, the application developer will spend all of hisor her time on implementing business logic and nothing on the“plumbing” code that performs this simple data transportation.
What are my choices?You have three tools available from Oracle:• Oracle Forms• Oracle Application Express (APEX)• Oracle Application Development Framework (ADF)
Oracle Forms has been around for a long time, and there is avery large number of existing applications built in Oracle Forms.As the following graph from Google Trends show, it is also stillvery much a searched-for topic.
NoSQL
The NoSQL movement is attempting to provide an alternative that isfaster for simple inserts (because there is no indexing). On the otherhand, NoSQL uses longer time to retrieve data (because there is noindexing). This is useful for systems that receive massive amounts ofdata very quickly, but not for the normal administrative systems weconsider here
Oracle Forms, ADF or APEX
Another way to look at the actual developer interest for thesetools is to look at the number of new discussion threads on theOracle Technology Network. For November 2013, APEX wasmost popular, followed by ADF.
Programming language choiceThe framework you choose should take care of the fundamentaltask of transporting data between the screen and the databaseand preferably also handling more sophisticated features like listof values and master-detail navigation. A good framework alsoallows you to declaratively specify data validation without havingto write actual program code.
But at some point, the capability of the framework ends and thedeveloper has to start writing code. At that point, it becomesimportant, which programming language the tool uses.Oracle Forms and Oracle APEX both use the PL/SQL languagebeloved of Oracle developers. That means that thesedevelopers will immediately be able to transfer their database
programming skills to implementing business logic. However,PL/SQL skills are actually quite rare among the generaldeveloper population, and do not seem to be growing.
“When was the last time you saw a young PL/SQLprogrammer?”
Oracle ADF, on the other hand, uses Java to implementbusiness logic. This skill is widely available among developersbut can be rare inside organizations that have been using theOracle database and traditional Oracle development tools likeOracle Forms.
For many developers, this choice of language is an importantcriterion for selecting a tool. However, that is quite misguided. Aprogrammer who knows one of these two programminglanguages can easily learn enough of the other to be able toimplement the business logic functionality necessary. What ismuch more important is what kind of application you are tryingto build.
Data-driven applicationsTraditionally, a database application has had a user interfacethat reflected the underlying data structure. If your system workswith invoices, there will be an INVOICES table, and becausethere is an invoice table, there will be an INVOICE.FMB OracleForms screen.
What happens if the user has a workflow where invoices have tobe mapped to project lines in the project module? Well, becausethere is a PROJECTS table, there is a PROJECT.FMB screen.And if the user needs to place invoice information on the projectscreen, he will have to open the invoice screen, copy the invoicenumber to Windows Notepad, open the project screen and
Oracle Forms, ADF or APEX
paste in the invoice number. The user interface is tied to thedata model.
The Oracle E-Business Suite, built with Oracle Forms, is anexample of a data-driven application.
This is a simpler approach for the tool builder, because thedeveloper will simply point to a database table and the tool canthen read the data dictionary to determine which columns areavailable and create matching fields on the screen. It is alsosimpler for the developer, because the architecture of theapplication is defined in advance by the data modeler.
However, this is not necessarily simpler for the end user as theabove example shows.
User interface driven applicationsThe other way of building applications is by starting with theuser. This is the approach that Oracle took when they weredesigning Oracle Fusion Applications – actually investigating thespecific workflow needs of real users. In this approach, youcreate the screens first – as paper prototypes or mockups – andthen test them with the users in several iterations until you havecreated an application that makes sense to the user andsupports her workflow.
Some development approaches then go directly from thescreens to the data model. This leads to what data modelerswould consider a very poor data model. This type of model willoften perform very poorly when you want to query data acrossentities, and it becomes brittle and hard to maintain as theapplication changes.
So what do you do if you have screens that match the user’sreality and requirements, and a good relational data model inthird normal form and need to put them together? You need tocreate a business object layer between your database and theuser interface.
Because Oracle faced this challenge in building Oracle FusionApplications, they had to develop a tool that supported thisapproach. And that tool is Oracle ADF, which uses ADFBusiness Components in the middle and ADF Faces and ADFTask Flows for the user interface.
This is a more complex approach for the tool builder, who has toprovide tools for handling this mapping. It is also more complexfor the application developer who now has to create an explicitmapping between three layers and not just between the screensand the database.
However, it allows you to implement exactly the screens yourusers need.
Decision SupportThe difference between the different programming languages isvery minor compared to the difference between data-driven anduser interface driven applications. Any experienced developerthat knows one language can learn the other. Therefore, theprogramming language should not seriously affect your choiceof tool.
Oracle Forms, ADF or APEX
The really serious consideration that you have to make iswhether your application needs are so complex that you requirea business object layer between your user interface and yourdata model. Your process should look like this:
You need to start with a good data model that represents themajor entities that the application needs, as well as therelationship between them. This requires classic data modelingskills like it has for as long as there have been relationaldatabases.
“No good application was ever built on a bad datamodel”
When you have the data model, you should figure out whetherscreens built on these tables are good enough for your needs.Create screen designs on paper or mockups and perform testswith actual end users to see if this first design will meet theirneeds.
• If data-driven screens meet the needs of your users,develop the application with a data-driven tool like Oracle APEXto get the benefit of faster development time• If data-driven screens do not meet the needs of yourusers, develop the application with a business component layerusing Oracle ADF to get the benefit of freely connecting yourscreens with the data model
We used to have only a hammer – now we have different tools.Use the right tool in order to meet the needs of your users withthe least development effort.
Sten VesterliScott/Tiger
Oracle Forms, ADF or APEX
NoSQL and OracleJames Anthony - e-DBA
The NoSQL bandwagon is really rolling right now, but italways strikes me that there is a lot of confusion (mostlyunderstandable) in exactly what NoSQL is, where it’s usedand how it replaces (or otherwise) the traditional RDBMS.A lot of the press and reporting of NoSQL databases seemsto focus on the threat they pose to the RDBMS, indeed I thinkit’s fair to say a few obituaries have already been written…allof which i think will come back to haunt the authors just likethose who predicated the death of the mainframe in the 90s,00s etc.
This article sets out to the be the first in a series that explainswhat NoSQL is, and how we see it as a technology. Hopefullywe’ll unpick some myths and set a few records straight, butdon’t take this as gospel either, do your own research, createyour own use cases and see how NoSQL can benefit you(and I’m pretty sure it will).
So first let’s get a few things straight, and first off:
So that’s that stated very clearly! NoSQL databases (perhapsbetter called Data Stores in many cases) are often linked toBigData processing - perhaps as the store for MapReducedata, or perhaps as the store of BigData but they aren’talways the same thing. Indeed one of our own use cases forNoSQL is definitively small data (in the range of a few 10s ofGB) the technology just suited our use case down to theground - but more of that later. But the “what’s thedifference between NoSQL and BigData?” question is the oneI’m asked the most at places like Oracle OpenWorld and theOUG.
The second thing I’d like to clear up : NoSQL isn’t a singlething!
Now this is going to be more confusing, and even as I writethis I suspect someone, somewhere, is adding to the list; butright now I’ll generalise NoSQL data stores into 4 categories:
1) Key Value2) Column family3) Document4) Graph
In the first of these articles we’ll discuss (briefly) each ofthese types to give you the grounding. Then in the nextarticle we’ll discuss Oracle’s NoSQL database (imaginativelytitled “Oracle NoSQL Database”), but this grounding in thedifferent types will allow you to see how Oracle’s offeringdiffers from some of the other databases out there. Finallybefore we start just a quick note; I will discuss a few NoSQLproducts in here, this shouldn’t be considered an exhaustivelist, nor does it indicate any preference on my part, it’s simplyperhaps showing you the most common ones we come
Oracle NoSQL Database
across in our work. If you come from one of the otherproducts don’t shoot me on this one, and it certainly doesn’tmean I’ve forgotten about you!
In this first article at least I’m not going to cover theunderlying technical architecture, that’s for another time.Forgive me if you want to dive straight into ring spaces,compaction, avro, sharing etc. we will get there I promise!But I think it’s important at this stage to recognise that mostNoSQL databases were created to address a perceivedinability of the RDBMS to provide certain capabilities, be thatmulti-geography active-active configurations, very large datavolumes or horizontal scale out. Whether the perception ofthese weaknesses was more based around open-source asopposed to commercial RDBMS’ (most notably MySQL) I’llleave for another later article, but do note that most of ouruse cases for NoSQL deployments have been to addressspecific technical challenges with a specialised tool. One ofthe things we will explore in depth in the next article is howNoSQL databases often relax the CAP (Consistency,Availability, Partition Tolerance) and ACID (Atomic,Consistency, Isolation, Durability) mechanisms of a “normal”RDBMS. Anyway, for now lets get back to the different typesof NoSQL database/datastore.
Key Value Data StoresKey Value (KV) NoSQL databases (of which the Oracle NoSQLdatabase is one) are in some ways the easiest to discuss, sowe can start with this type. KV is exactly what it says… youhave a key and a value. You store “stuff” by key and youretrieve stuff by key… as simple as that! Let’s look at somecode (bear with me!)
Putting Data into the NoSQL Database :NoSQLDataAccess.getDB().put(myKey, value);
Getting data out of the NoSQL Database :ValueVersion vv =NoSQLDataAccess.getDB().get(myKey);
So ignore the bits that aren’t in bold, for now that’s not asrelevant, and just focus on the bits in bold. See how simplethat is? You store stuff with a key and you get stuff with akey! Ok, it’s got to be more complex than that? Wellobviously, otherwise I could teach my 5 year old to do it, solet’s deal with the obvious questions first:
Question 1: What does the key look like? For those of us fromthe RDBMS background the key isn’t like a primary key, it’sprobably not a single value. A key is much more likely to be amultipart string, perhaps with both a primary and secondarycomponent, and we refer to this as the Key Path. Let’s take asimple example first as we’ll explore this type specificallywhen we are looking at the Oracle NoSQL Database.
/stocktick/symbol/time
So the key is firstly a string, and contains multiple parts. Thefirst part identifies the Key as a stock tick, this isn’t actuallyanything other than an identifier- it allows us to identify thedata type we want when we’re using the Datastore formultiple different types of data, so if I stored session data inthere my key path might look like /sessiondata/sessionid.The next two entries denote the stock symbol (ORCL forinstance) and the time at which that tick occurred.
Oracle NoSQL Database
Question 2: What’s the value? This might sound like anobvious question, but actually it’s very relevant. The value iswhatever you want it to be, and as simple or as complex asyou care to make it. It could be a simple String, but morelikely it’s going to be an object of some type, perhaps theserialisation of internet session data (a really great use casefor NoSQL - and I’ll come back to this in the next article), or aJSON document containing a lot more information in astructured format. Taking my previous example of a stocktick, the value might look like
Value: {“name" : “TickData","namespace" :
"com.companyX.stockticker.avro","type" : "record",
"fields": [{"name": “currBid", "type":
“double", "default": ""},{"name": “currAsk", "type":
“double", "default": ""},{"name": “currVolume",
"type": “long", "default": ""}]
}
Again ignore the stuff that’s not in bold. We have a valuedefined that is called TickData and contains a record withthree fields in, bid, ask and volume. We will come back tonotation, JSON and AVRO in the next article so for now justnotice how the value isn’t just a simple string but allows forcomplexity.
Column family DataStoresPerhaps the most “famous” type of NoSQL database(although MongoDB has to be up there from our nextcategory) is in the form of HBase, Google BigTable andCassandra, and certainly the most synonymous with BigData.Column family data stores (not to be confused with columnarstore databases!) are formally defined as “sparse,distributed, persistent, multi-dimensional sorted map”… andI’m pretty sure that makes that entirely clear for everyoneand I can leave it at that? No? Alright then let’s try andexplain….
I generally find when trying to explain this type of datastorewithin e-DBA it’s best to use an example, so let’s for onemoment imagine we are a newly formed company looking toindex web pages and provide a brand new web searchfacility at blazing speed, let’s just call ourselves Goggle!What we need to do is index data in rows and columns butwe also want to add an extra dimension in time (becauseweb pages and their embedded links change over time)
So now we have the following:Index : (row, column, time)
And we’ve also crossed off the first part of that fairly longwinded formal definition "sparse, distributed, persistent,multi-dimensional sorted map”, as we now know where ourmulti-dimensional comes from.
Oracle NoSQL Database
Let’s look at what a row might look like.. and this time I’ll usean example.
For now ignore the way the URL has been represented; I’llexplain that shortly. Notice how we allow for multipleversions of a search of the URL to be stored (multi-dimensional), think also how for each URL we’re going tohave a totally different number of links embedded within thepage that we want to store in columns so each row can havean arbitrary number of columns, and this forms the sparsepart of our definition.
What next? Well we can deal with the distributed andpersistent part in a single explanation. Databases such asHBase use an underlying datastore, HDFS ( HadoopDistributed File System) to persist the data, and they actuallypersist to an immutable file in this case (changes are dealtwith by creating new copies). These file systems are designednot just to persist the data but also to distribute it acrossmultiple locations, both for data protection but also to allowprocessing to be moved to the locality of the data andparallelised across many nodes. Ok, so at this point we’re upto..."sparse, distributed, persistent, multi-dimensionalsorted map”, well hopefully from the above image you cansee the map portion too, and I promised to come back to theway the URL was portrayed. This is a good example of why
sorting and locality work, and the reason I left this until afterthe discussion of distribution.
Let me illustrate… let’s say I’m indexing www.e-dba.com as inthe example above. The e-DBA domain has a bunch of subdomains hanging off it, not just www perhaps something likethis
blogs.e-dba.comdemos.e-dba.commobile.e-dba.comwww.e-dba.com
etc…
Now add into the mix the millions (billions?) of otherdomains out there and you can see that if I don’t reverse thesort order and I just work of the lexicographical order if Iwant to re-index the whole of e-dba.com and all it’ssubdomains I’ve got a lot of places to store this in. I’ve alsogot a lot of places (and by places Imean disk locations ordifferent servers) to hit to service a search on all of the e-dba.com domains. Reversing the order;
com.e-dba.blogscom.e-dba.demoscom.e-dba.mobilecom.e-dba.www
This means that my key values will all be stored in the samelocation providing greater locality of data and allowing me torecord and retrieve results much faster. So there we have anexample of sorting and we’ve finally covered the definition!Phew!
Oracle NoSQL Database
Finally before we leave Column family data stores a couple ofpoints, firstly lots of other stuff happens inside thesedatabase such as compression (allowing faster scanning),MapReduce integration etc. but in general this form ofdatabase has limited queries with no joins etc (althoughmechanisms exist to work around this). If you expect to justfire up one of these and have the same sort of analytics asyour Oracle RDBMS you’ll probably be disappointed. Asalways though that’s not to say things aren’t changingrapidly, and that it doesn’t fit your needs.
Asking for your inputAs a quick note and suggestion, I tend to find this is thesingle hardest family of data stores to understand, but thereis some really, really clever technology involved (again, notsuggesting that other NoSQL databases don’t, they are justperhaps easier to understand) so I’d be interested to know ifyou’d like me to drill into more detail on this type ofdatabase, in particular HBase which is included within theOracle BigData appliance.
Document DatastoresRecently we’ve seen a huge rise in the number of peopleexploring Document data stores, and in particular MongoDB.Much of this is fuelled by developers, with them seeing theproduct as a very attractive, developer led solution.Document database such as MongoDB and CouchDB areactually one of the easiest to explain, in that they are similarto KeyValue stores but the value is always a document - mostoften in the JSON or BSON format.
JSON document storage is a huge benefit for manydevelopers in that it offers a “schema-less” design. This isn’tto say there is no structure to the data, quite the opposite,but rather than the schema is flexible and can be modifiedby the developer. Again, perhaps a small example illustratesbest. Let’s start with a simple JSON document for storingcustomer information.
{"firstName": "James","lastName" : ”Anthony","age" : 38,"address" :{
"streetAddress": ”Farr House","city" : ”Chelmsford",”county" : ”Essex","postCode" : ”CM1 1QS"
},}
The first thing you’ll probably realise from this if you’re froma RDBMS background is that it’s very much denormalised,and that’s a key thing to remember, document stores aretypically denormalised, with the document providing all ofthe data about the entity you’re interested in. Clearly this hasadvantages and disadvantages, and we’ll talk about some ofthese shortly.
Oracle NoSQL Database
Now let’s say the developer has stored this information, butthen the application scope changes and we also want tocapture phone number information, in JSON baseddevelopment that’s easy, we just change the document.. nounderlying “fixed” tables/columns to deal with...
{"firstName": "James","lastName" : ”Anthony","age" : 38,"address" :{
"streetAddress": ”Farr House","city" : ”Chelmsford",”county" : ”Essex","postCode" : ”CM1 1QS"
},"phoneNumber":[
{"type" : ”work","number": ”01245200510"
},]
}
Extending this further, one of our other customers providestwo phone numbers, and we allocate these to different fieldswithin the record type...
{"firstName": “Alex","lastName" : ”Louth","age" : 37,"address" :{
"streetAddress": ”Farr House","city" : ”Chelmsford",”county" : ”Essex","postCode" : ”CM1 1QS"
},"phoneNumber":[
{"type" : ”work","number": ”01245200510"
},{
"type" : ”mobile","number": ”0777 111 222"
}]
}
Oracle NoSQL Database
Hopefully you can see how this flexibility is somethingdevelopers love, no need to keep going back to the designphase, no need to get DBAs to modify the structure and noORM layers to deal with. Indeed so popular is this model thatat OOW2013 I attended a great session showing theupcoming JSON storage facilities within the Oracle 12cdatabase that will provide exactly this sort of functionalitybut with all the benefits of the RDBMS behind it and accessto the data through both SQL and Restful services, personallyI think this will change the game somewhat and the“flexibility” and developer led drive for document databaseswill be more of a level playing field between the OracleRDBMS and NoSQL with Oracle offering all of thefunctionality, plus arguably more.
So what are some of the drawbacks of the JSON model? Welldenormalisation clearly increases the storage requirements,and you don’t get the ability (easily) to do other functionssuch as scan for all customers with a given record type (andclearly you’d have to retrieve a LOT of data). MongoDB andothers are also now providing secondary indexing to addresssome of these issues but it doesn’t take much to realise thatthis denormalised, read everything about an entity, modelsare somewhat contradictory when other databases such ascolumnar storage databases (and the Oracle InMemorydatabase coming in 12c) show how reading individualcolumns when performing analytics provide massiveperformance gains.
For now I’m going to leave this topic as in a future edition I’llbe writing an article all about JSON document storage anddatabases with specific reference to those upcoming 12c(12.1.0.2) features.
Graph DatastoresGraph databases are the final type of NoSQL database I’llcover, and probably the most niche. Having said that theseare niche, they are becoming more prevalent with peoplenow using Facebook Graph search and the release of theRDF Graph for Oracle NoSQL Database! So what is a Graphdata model and how does it differ?
Graph databases are all about the relationships betweenentities rather than the entities themselves, and schemasevolve by adding new relationships. At this point you’reprobably thinking “but my RDBMS does this with ForeignKeys”. Well sort of yes, but it is much more about the type ofquestions you ask of the database.Graph databases support query and discovery using Graphpatterns and traversals, meaning we ask questions aboutreachability, connectivity, “same as” and proximity. A classicexample of this might be “Who is part of this group”, andextending this out “Who is a friend of all the people withinthis group”
Oracle NoSQL Database
The basic structure of graph storage is the triple
With triplesconnected toform theGraph. Just likeJSON, KeyValueand Columnfamilydatabases theschema doesn’thave to bedefined upfront and isflexible in its
implementation, with new triples being added and therelationships between entities defined as we go. In Graphdatabases it is the “edges” (the connections) betweenVertices (theentities/nodes) weare interested inusing for traversal.
Personally I can see Graph databases becoming morepopular over time, as we move toward modellingrelationships between entities but we’ll leave this subject fornow and perhaps ask the question to you if you’d like to seesomething more in-depth on the Graph capabilities of theOracle NoSQL Database?
James Anthonye-DBA
Oracle NoSQL Database
1
Case Management or Business ProcessManagement?Lonneke Dikmans - Vennster
Oracle recently released a new component in the OracleBusiness Process Management Suite: the case. This is animportant step forward in supporting business processes inyour organization. In this article you will learn how and whento use BPMN 2.0 as a way to support the business and whenand how to use case management.
Not all processes are the sameThere are different reasons why organizations want a systemto support their business process:
• To automate the process or part of the process and make itmore efficient;• To trace the steps for future reference or legal reasons, aso called audit trail;• To help employees make decisions about actions they cantake to increase the quality.
Example: Procure-to-PayThe procurement process is a typical example of a processthat is predictable. The number of possible steps is limitednumber and the order of the steps is predictable as well.
1. The process starts when somebody in the organizationneeds to order an item (say pencils)2. The purchasing department checks the order to ensure itcomplies with company policies and a supplier is selected.3. The goods are ordered with the supplier.4. The goods are delivered at the organization and the
supplier sends an invoice.5. The invoice is made payable in the ERP system and theinvoice is paid in the next payment batch.
Of course there are exceptions to this process: theorganization might have decided to go paperless and not payfor pencils anymore, the pencils could be out of stock, thepencils could not be delivered or the invoice could beincorrect. But these are exceptions, not part of the ‘regular’process or ‘happy flow’.
This process is a typical example of a business process theorganization wants to run as efficiently as possible, both interms of time and in terms of cost.
A number of steps can be automated:1. Selecting a supplier could be automated, if the purchasingdepartment keeps a list of preferred suppliers;2. The invoice could be made payable automatically in theERP system without human interference if the goods arereceived as ordered and all supplier data are correct;
Systems that support these types of business processes aretraditionally called BPMS: Business Process ManagementSystems. These systems typically are transaction centric andfocus on the automation of steps. The order and steps areknown design time.
Example: Court casesAn example of a very different process is a court case. Thepredictability of the outcome varies greatly. Some courtcases are very predictable, for example undefended moneyclaims, or family cases where the parties propose anagreement and the courts only examine them marginally.
Oracle BPM Suite
2
Other cases have very unpredictable outcomes. The matrixbelow shows how many of the civil court cases in theNetherlands fall within the different categories. Even thoughthe minority of the cases is unpredictable, these cases takethe most judicial time. There is a large amount ofinformation. Judges spend time on understanding the factsand interpreting norms. To do this, they have a number ofactivities that they can perform, ranging from reading files,hearing witnesses to visiting the location (Source: technologyfor justice, Dory Reiling, 2009)
Illustration 1. Matrix of Judicial Roles and Caseloads (source: technology forjustice, Dory Reiling, 2009)
The goal of a system that supports court cases is three-fold:•Make the process more efficient. Not so much byautomating steps, but by using self-service and digital meansto structure the information.
• To trace the steps for future reference or legal reasons, a socalled audit trail;• To help employees make decisions about actions they cantake to increase the quality and efficiency.
Systems that support these types of (unpredictable)processes are traditionally supported by Adaptive CaseManagement Systems. These systems typically are documentcentric or ‘unstructured-data-centric’ because it concernsenterprise content including video and pictures as well. Thefocus is on the knowledge worker and the order and stepsare determined runtime based on the characteristics of thecase and the decisions of the knowledge worker.
BPM versus ACMTo summarize the differences, you can check the tablebelow. BPM stands for Business Process Management. ACMis the acronym that is used for Adaptive Case Management.Note that in real life a lot of processes are a combination ofpredictable (sub) processes and adaptive case management.
Oracle BPM Suite
3
Supporting business processes and casesIn the previous paragraph you have read that organizationswant to improve or manage the way the business is run. Theimprovement can be either in terms of efficiency (BPM) orquality (ACM) or both. To accomplish this organizations stepthrough a number of phases:•Modeling. In this phase you design and model the businessprocess that needs to be supported by the BPM or ACMplatform.• Simulation. Simulate the designed processes to see ifrequirements are met, given the predicted load andresources (people and IT).
Illustration 2. Phases in BPM and ACM
• Implementation. Build the business process in the toolingthat the BPM or ACM platform offers.• Execution. Deploy the process to the BPM or ACM platformand run it.•Monitoring. Monitor the processes and instances at
runtime by collecting metrics and other information. (BAM).• Optimization. Based on runtime metrics, you can improvethe design of your process thereby starting another iterationof the BPM or ACM lifecycle.
The cycle is the same for BPM and for ACM. The type ofprocess you model, simulate, implement, execute andmonitor is different though, as you have seen in the firstparagraph.
BPMmodeling: BPMN 2.0There are several standards for process modeling available.In the past there were tools that modeled processes in onelanguage, and then executed them in another. For exampleone would model the process in BPMN 1.1 and then executeit in XPDL or BPEL. Since the arrival of BPMN 2.0 this is nolonger necessary. Apart from being a modeling notation, thestandard also prescribes a file format (XML). This makes itpossible for process engines to execute the process model.
Our purchase-to-pay process would look as follows in BPMN2.0:
Illustration 3. BPMN 2.0 model for Purchase-to-Pay
Oracle BPM Suite
4
This can be modeled using the process modeler (Browserbased) that is part of the BPM Suite or using the BPM Suiteplugin of JDeveloper.
Case management modeling: CMMNOMG, the group that has defined the BPMN standard, is inthe process of defining a standard for case management:Case Management Modeling and Notation. It currently is inbeta.
A court case about a labor dispute would look something likethis:
Illustration 4. Labor Dispute modeled in CMMN
In addition to the CMMN model, you need to describe theexit and entry criteria for the different tasks, stages andmilestones and the stakeholders (or case roles) that are
allowed to execute the tasks in order to develop the case.
At this moment there is only one tool available that supportsCMMN:https://www.businessprocessincubator.com/cmmnwebmodeler.
Oracle BPM Suite
5
AlternativesInstead of creating a case model with CMMN, you can alsouse other means: BPMN 2.0 or amind map. The advantage ofBPMN 2.0 is that it shows a‘natural flow’ of the process, orthe progress. It has the concept of‘ad hoc processes’ to support thenon-deterministic nature of aprocess. See Case managementPart I for a comparison of theBPMN and CMMN:http://blog.vennster.nl/2013/09/case-management-part-1.html.
The other option is to use a mindmap to model the differentelements of a case. You can see amind map of a labor dispute case.
Illustration 5. Labor dispute in a mind map
Oracle BPM Suite
6
The biggest advantage of mind maps is that business usersare familiar with them, the disadvantage is that by its natureit is hard to enforce modeling standards.
In addition to all these models you need an excel documentor other means to model the rules that are associated withthe different activities, stages and case roles or stakeholders.
Building business processes and casesAfter the business process has been modeled (as a case oras a deterministic business process), it needs to beimplemented. This is done using JDeveloper.
BPM: using the BPMN 2.0 engineIn JDeveloper, every activity in your business process isassociated with an implementation.
Illustration 6. Implementing an activity in JDeveloper
The implementation is done using SCA, service compositearchitecture. The BPMN process is a component in yourcomposite application, just like a BPEL process is. Thedifferent activities are implemented calling externalreferences (services) or components (human tasks, businessrules) in the composite application.
Illustration 7. Composite with a BPMN process
ACM: Case componentThe case is implemented in a similar way; it is a componentin the composite application. Activities are implementedusing the human task engine, or calling a business process(BPMN). Rules that determine the availability of activities areimplemented using the business rule engine. Last but notleast, custom case activities can be defined, by implementinga Java class. Below is a picture of the composite with a case.The case has a rule dictionary associated with it, and twoactivities: a human task and a BPMN process.
Oracle BPM Suite
7
Illustration 8. Composite with Case component
When you double click the case component, theproperty editor is opened. You can definemilestones here, data and documents,stakeholders and translations.
Illustration 9. Case editor in JDeveloper
Running business processes and casesSince both BPMN processes and cases areimplemented in SCA, the processes are visible inEnterprise manager, for debugging and technicalmonitoring purposes.
For the end user, both cases and BPMN processesoffer audit trails, milestones and task lists, to keeptrack of the process. This can be viewed in theProcess workspace that is part of BPM Suite, or usinga custom application that calls the APIs for BPM andCase management. In my experience, organizationsusually prefer the latter. Components from theProcess workspace can be used in the customapplication, since these are realized as ADF regions.
For business monitoring, BAM can be used.
Oracle BPM Suite
8
ConclusionThe case component is a natural addition to the BPM Suite.Because it builds on the existing SCA infrastructure andcomponents like the BPMN engine, the human task serviceand the rules engine, it is easy to learn for developers. Forthe business it adds the flexibility that is needed to beadequately support the different types of processes in anorganization.
The table below summarizes the different phases in BPMand the corresponding tools that are used in the OracleFusion Middleware stack.
Lonneke DikmansVennster
Oracle BPM Suite
Enterprise Deployment of Oracle FusionMiddleware Products – Part 1Simon Haslam - Veriton Ltd
For quite a few years now Oracle has been producing what itcalls the “Enterprise Deployment Guides” (EDGs) for most ofthe Fusion Middleware layered products.
This is the first article in a series that will cover what theEnterprise Deployment Guides are, why you would want touse them, and what areas you might choose to deviate fromthem and why.
Firstly, what are the EDGs?The best way to think of an EDG is as a recipe for building aproduction-ready, highly available and secure FusionMiddleware platform for one specific product set, such asSOA. The recipe doesn’t justify why certain items are added,or give you any alternatives, but does provide step-by-stepinstructions. However, just like baking a chocolate cake, youmight change the recipe to suit your own desires –depending on your skill, experience, or perhaps just whetheryou’ve got all the right ingredients. No one recipe is ‘right’ or‘wrong’ just some of them will be more successful thanothers.
So, back to Fusion Middleware… Oracle have written EDGsfor the following product sets:• Oracle Business Intelligence• Oracle Identity Management• Oracle SOA Suite• Oracle WebCenter Content• Oracle WebCenter Portal
Oracle’s Exalogic engineered system, as you might haveguessed coming from Oracle’s middleware team, has someEDGs too – the current release includes Exalogic-specificWebLogic, Identity Management and SOA ones. For the braveOracle has also written a Fusion Applications EDG and thefull documentation set contains a smorgasbord of all of theabove!
An EDG gives you the suggested steps to follow but theassumption is that you will read it in conjunction with otherrelevant manuals, such as the Installation Planning Guideand the Installation Guide for your product set, the weightyHigh Availability Guide (1140 pages for 11.1.1.7) and the,comparably pamphlet-like, 188 page Disaster Recovery Guide(though admittedly the EDG doesn’t address this topic). Bythis point you’re just hoping you don’t have to dip into theAdministrator’s Guide (770 pages) or the Administrator’sGuide for your product (966 pages for SOA/BPM)…
Why would you choose to follow an EDG?I’m assuming that you are installing Oracle products formission critical, enterprise-wide systems (or at least a pilotfor such) so they will have to be both highly available andsecure.
The first reason for using an EDG is if you don’t yet feelconfident enough to build such a platform on your own. Asmany readers will know it’s relatively easy to install FusionMiddleware in a non-clustered manner – usually this issomething along the lines of: create the database and runRCU, install the software for the JDK, WebLogic and layeredproduct (such as WebCenter), then create and configure adomain. Where it gets much more complicated is when yourconfidentiality, integrity and availability requirements dictate
Oracle Fusion Middleware
the need for encryption of important traffic using properlygenerated SSL certificates (not just “demo” ones), and driveredundancy for every component to guarantee uptime.Furthermore even when you do get such a multi-component,multi-layered system installed you then need to test that thesecurity and high availability features work as you expectand that you haven’t misunderstood the purpose of someconfiguration or made any mistakes. From some recentproduct development work I now thinkthere are well over a dozen failureconditions you need to test to be confidentthat a typical Fusion Middleware HAplatform is as robust as you hope. So onceagain having the EDG as a recipe of thesteps you need to carry out to build such asystem is a great help.
Secondly, having met some of the EDGauthors now, I know that these documents,blueprints if you will, are put together byhighly skilled individuals and with broadinput from engineering. Sometimes it iseasy to look at a design decision taken in anEDG, think it is wrong and ignore it, only to later find outthere was a subtle reason for it but you hadn’t understoodthe product well enough (I’m certainly guilty of this myself!).
Why should your boss want you to follow an EDG?Those coming from an Oracle Database background, andwith a long memory, will remember OFA, or the OptimalFlexible Architecture, that Cary Millsap co-designed duringhis tenure at Oracle during the early 1990s. One keyadvantage of OFA is that is gave the DBA some directorynaming conventions that didn’t need further consideration –
if any of you have wondered why, even today, Oraclesoftware is most often installed under/u01/app/oracle/product – this is the reason. This alsomeans that other experienced DBAs naturally know where tolook and what, say, the redo log files will be called.
Likewise if you build your important middleware platformfollowing an EDG then other experienced middleware
administrators, especially those hired on ashort-term basis, will more easily be able tofind their way round your system. During aserious incident, or perhaps for a changetaking place in middle of the night whenyour body would much prefer to be tuckedup in bed, the more consistent and easierthe components are to navigate, the better.
Finally let’s consider Oracle Support. Atvarious points, whether during installation,patching, application upgrades or justfollowing unexpected errors, you may haveto call upon Oracle for assistance. OracleSupport teams must have the same
challenge as the rest of us when it comes to buildingcomplex, multi-tier test environments. Therefore they toouse EDG as a basis, so if you are both following the sameinstructions it is more likely that Oracle Support will have amore representative environment to reproduce problemsagainst. In fact last year Oracle Support ran a series ofwebcasts describing the EDGs (using SOA as an example)which I would encourage readers to view (See My OracleSupport Doc ID 1456204.1).
Oracle Fusion Middleware
So, is that all I need to know about EDGs?No, not exactly. Modern middleware platforms, such asFusion Middleware, are highly sophisticated layered suites ofsoftware that have many difference use cases. Whilst all thisglowing praise is being heaped on the EDGs pleaseremember that they are just one suggested approach andmay not suit all architectural circumstances or all sizes oforganisation – in fact in my project experience I’ve neveractually implemented what might be called a “100% EDG”build. There are many drivers which might make you chooseto deviate from the EDGs, such as licence optimisation,administration roles, special security requirements, networkdesign and so on… this will be the subject of my next article.
Simon HaslamVeriton Ltd
Oracle Fusion Middleware
Let's doBusinesstogether
OTech Magazine reaches over 25 thousandOracle professionals around the globe.Advertising in OTech Magazine is valuableand competetively prized.
For more information contact us [email protected] or +31 6 149 143 43
Data Security in Case ManagementMarcel van de Glind - AMISAldo Schaap - AMIS
Most of the data within organizations is not meant for theoutside world. It might even cause economic or politicalproblems if specific information comes out on the street.Organizations need to take precautions to protect theirvaluable data for the outside world.
But also within organizations not all data, for all kind ofreasons, should be available to everyone. For exampleemployee files should only be available to the employee him-or herself and a selected group of others within theorganizations.
This article describes how the fictive company 4Security isimplementing a method to protect their valuable data for theinside world.
The ChallengeHow to separate data access between the differentstakeholders? E.g. a Customer Contact Center employee isnot allowed to see the ‘work’ of the Analysis & Evaluationemployee. On the other hand, the A&Eemployee is allowed to see the work of the CCCemployee but is not allowed to change it.Another example is the Operational Manager(OM). He has access to all data appended to thecase. It depends on the case status whether theOM is allowed to change anything in the case.
With this in mind, how can we offer our employees a searchfacility to find specific cases. This search facility should onlysearch through the data the employee is allowed to see. Fora CCC employee this means that it should only search in thecases of his own department (the products they areauthorized for), and for these cases only in the data that hasbeen appended by his own department.
For maintainability and security reasons we want to do thisat a central place and only ones for every piece of data. Howcan this be done?
4Security the fictive company4Security is a company in the insurance branch. They exploitseveral insurance products like life insurances and healthcare insurances. Every insurances request is handledaccording to a case oriented approach. To support auniform method to handle the cases, the company isimplementing one Standard Business Process for allproducts supported by Oracle BPM. This standard businessprocess is divided into 4 phases, as illustrated in thefollowing picture. The human tasks are implemented withOracle ADF and the structured data is stored in an Oracledatabase.
Data Security
New insurance requests are handled by an employee of theCustomer Contact Center department responsible for therequested insurance product. The employee adds casedetails and information about the related companies andpeople, performs a number of default checks and optionallyadds a note.
In the next phase a number of automated informationcollection requests is performed. The outcome of theserequests is added as observations to the case file.After the collection phase the Analysis & Evaluationdepartment of the product performs an analysis andevaluation on the case. The employee can performadditional information requests, add received documents tothe case and put his findings into notes.
Finally the actual insurance is implemented. In our fictivecompany this will be an automated phase. Part of this phaseis adding the created certificate to the case file.Besides the mentioned operational force, there are alsoother stakeholder involved. The role of one of them, theoperational manager, is taken along in this article.
Problem Analysis
Data objectsExcept the documents, all case data is stored in a relationaldatabase. The documents are stored in a documentmanagement system. The database contains some metadata and references to these documents. The relational datais divided into eight different objects, namely:
• Cases• Relations• Information requests• Observations• Documents• Notes• Reference data• Logging
On a database level each object consist of multiple tables.E.g. in the picture below you will see the observation objectdata model. For simplicity we will ignore the tables in thisarticle and pretend that the objects are the actual tables.
Data Security
User accessA Customer Contact Center employee is responsible forregistering insurance request. This is done during the socalled ‘Intake’ phase. During the intake phase the CCCemployee needs write access to the case, relation, documentand note objects and read access to the reference dataobject to create a new case. At the same time the systemalso needs write access to the logging object.
To search for specific cases the CCC employee also needsread access to the same objects of all the cases he or she isauthorized to. The search facility should search in all therelational data, including the logging to determine the casestatus. It should not search in the information requests,observations, documents and notes appended during one ofthe subsequent phases.
The Analysis & Evaluation employee performs an analysis onthe case data. Base on this analysis the employee decidewhether the request is accepted or rejected. The A&Eemployee needs write access to the relation, informationrequest, observation, document and note objects and readaccess to the reference data object to do their job. Like CCCemployees they are allowed to add additional relations butthey are not allowed to create new cases. Case searching ofthe A&E employee is much richer than it for the CCCemployee. Now the searching takes place in all relationaldata the employee is authorized for. All cases hisdepartment is responsible for.
The Operational Manager of the CCC and A&E employeesneeds the system to perform his managerial tasks likereporting, monitoring and intervene. He has access to all thecases for which he carries the responsibility. He is allowed to
update the case data, except for the information requestsand observations related data. This is exclusively allocated tothe A&E experts. The search facility for the OM is similar asfor the A&E employee.
Oracle Label SecurityIt is possible to separate access to data from an applicationlevel. This means that the BPM process and the ADF taskscreens are responsible to protect the data againstunauthorized usage. This approach is rather complex and itstill does not protect against direct access to the database.For this reason 4Security has chosen to protect the data atdatabase level. They will use Label Security to protect thedata in the relational database against unauthorized use.
Selective data access control based on a user's level ofsecurity clearance can ensure confidentiality withoutoverbroad limitations. This level of access control ensuresthat sensitive data will be unavailable to unauthorizedpersons even while authorized users have access to neededdata, sometimes in the same tables. Oracle Label Security(OLS) enables access control to reach specific (labeled) rowsof a database. With OLS in place, users with varying privilegelevels automatically have (or are excluded from) the right tosee or alter labeled rows of data.
Besides the following small summary, we will not get into thedetails of OLS and only describe the implementation of4Security. OLS is making use of policies. A policy containsamong other things the definition of the label components,the data labels and the user labels. User profiles identify auser’s labels and privileges. OLS controls access to thecontents of a row by comparing that row's label with a user'slabel and privileges.
Data Security
LabelsLabels enable sophisticated access control rules. When apolicy is applied, a new column is added to each data row.This column will store the label reflecting each row'ssensitivity within that policy. Level access is then determinedby comparing the user's identity and label with that of therow. Labels consist of three components, namely levels,compartments and groups.
The label implementation of 4Security.
Data Security
Data LabelsA data row label indicates the level and nature of the row'ssensitivity and specifies the additional criteria that a usermust meet to gain access to that row. All data labels mustcontain a level component, but the compartment and groupcomponents are optional.
The data label implementation of 4 Security.
User LabelsA user label specifies that user's sensitivity level plus anycompartments and groups that constrain the user's access tolabeled data. Each user is assigned a range of levels,compartments, and groups, and each session can operatewithin that authorized range to access labeled data withinthat range.
A subset of the user label implementation of 4 Security. Forexample as you can see in this table, the operationalmanager has read and write access to all the data in thecompartments REG and INV with a maximum level of‘Sensitive’.
Data Security
Label mappingThe following table brings all labelling of 4Security together.
As mentioned before, the Operation Manager has access toall the cases for which he carries the responsibility. He isallowed to update the case data, except for the informationrequests and observations related data. This all is reflectedin this table.
Apply the policyAfter defining the policy, thepolicy must be applied to theapplication tables. Once a policyis applied, no data will beaccessible unless specialprivileges have been granted tothe user or the legacy data isupdated with appropriate datalabels.
Applications need to have proxyaccounts connect as (andassume the identity of)application users, for purposesof accessing labeled data. With
the SET_ACCESS_PROFILE privilege, the proxy account can acton behalf of the application users. The SET_ACCESS_PROFILEprocedure sets the Oracle Label Security authorizations andprivileges of the database session to those of the specifieduser. This means that when the application (user) accessesthe database the correct access profile must be set beforeany read or write operation is performed. As an example:
-- Need to specify the applicable policy and user.
exec sa_session.set_access_profile('OLS_POLICY','CUSTOMER CONTACT EMP');-- Policy is applied to the employees table.select * from employees;
Data Security
Another example:
-- Need to specify the applicable policy and user.
exec sa_session.set_access_profile ('OLS_POLICY','Analysis and Evaluation Emp');-- Label is part of the insert statement.insert into employees (employee_id, last_name,email, hire_date, job_id, ols_column) values (1000,'van de glind', '[email protected]', sysdate,'IT_PROG',char_to_label('OLS_POLICY','S:INV:PRD1'));-- Label is not part of the insert statement. Thedefault label is used.insert into employees (employee_id, last_name,email, hire_date, job_id) values (1001, 'van deglind', '[email protected]', sysdate,'IT_PROG');
These examples shows how to use the policy from adatabase level. In the situation of 4Security the policy shouldbe used within the BPM processes and the ADF task screenstogether running on a Weblogic Server that uses aconnection pool. Question is: is label security usable in thissituation? The answer is yes. It is actually rather easy.
BPMFrom BPM, data is accessed through a database adapter. It isa best practice to access the database content throughwrapper functions and not directly on the table. Thesewrapper functions make it really easy to apply a policy. Whenaccessing a database label security enabled, the databaseneeds to know who’s accessing the database and whichpolicy to apply. This information should be sent with therequest as metadata. An example:
Data Security
ADFThe task screens build in ADF have interactions with thedatabase. At 4Security the application uses BusinessComponent (ADFBC) for this. In ADF is an Application Modulea logical container for coordinated objects related to aparticular task, with optional programming logic. ApplicationModules provide a simple runtime data connection model(one connection per Application Module) and a context fordefining and executing transactions. It defines a databasesession and a transaction boundary. By extending the baseclass of the application module with the required OLSfunctionality there is a central location from where all datasecurity can be arranged. By setting the required policy andthe involved user(role) at the beginning of a session in thismodule, and to be more specific in theApplicationModule.prepareSession method, Label Security isprepared for use.
Oracle Internet DirectoryTill now 4Security has implemented the policy in thedatabase. Managing Oracle Label Security metadata in acentralized LDAP repository provides many benefits. Policiesand user label authorizations can be easily provisioned anddistributed throughout the enterprise. Implementing thepolicy in OID is out of scope for this article. For now willsuffice to mention the data that is stored in the directory.
The following Oracle Label Security data is stored in thedirectory:
• Policy information, namely policy name, column name,policy enforcement options, and audit options• User profiles identifying their labels and privileges• Policy label components: levels, compartments, groups• Policy data labels
Data Security
ConclusionThis article describes how 4Security successfullyimplemented Oracle Label Security to protect their valuabledata for the inside world. OLS could be used during thedevelopment of new applications but could also be appliedeasily to existing applications running on a Oracle database.Because OLS is implemented at the database level, thetechnology of the application running above it does notreally matter, as long as it is possible to set the access profilebefore access the data. The application of 4Security runningin a Fusion Middleware environment where the applicationconsists of several products like BPM, ADF and OID perfectlyfits this patterns. OLS offers al the required flexibility, is easyto maintain and offers the right level of security to protectdata against unauthorized usage.
Aldo SchaapAMIS
Marcel van de GlindAMIS
Data Security
Oracle® Business Intelligence and EssbaseTogetherYou don’t know what you don’t know…Neil Sellers - Qubix International Ltd
Oracle’s latest release of OBIEE (Oracle BusinessIntelligence Enterprise Edition) v11.1.1.7 has a lot of userimprovements and more integration capabilities withEssbase and the Oracle EPM (Enterprise PerformanceManagement) application suite of tools. This article forOTech magazine will focus on the integration of OBI withEPM and Essbase, looking at tools like Hyperion SmartView, BI Publisher and Workspace and the integrationbetween them.
Why Together?Oracle have been marketing for a couple of years theBusiness Intelligence Foundation Suite (BIFS) and it hasbecome the default purchase for anyone considering alicense of either Essbase or OBIEE. The main reason for thisis that out the box of BI Foundation Suite comes
• OBIEE+ : The Business intelligence Platform deliveringabilities for reporting, ad hoc query, analysis and dashboards• Essbase : For online analytical processing (OLAP)• Scorecard and Strategy Management : Scorecards• Essbase Application Link for Hyperion FinancialManagement
So on this basis many people have a number of thesetechnologies in their license portfolio but perhaps are onlyusing one of them such as Essbase. There is clearly a lot tobe gained by leveraging the whole suite of products, not onlyincreasing the ROI but also taking advantage of the manyfeatures and benefits. This is what we are going to discuss.
When we talk about OBIEE and Essbase together it ofteninvolves discussions around Essbase as a data source forOBIEE, the Essbase targeted Aggregate Persistence Wizardfor relational reporting and the integration of Essbase withother relational sources of Data using Federated Queries.Whilst these are key features I am keen to come at this froma different angle with a focus on reporting from Essbase,building Essbase and fundamentally improving Essbase usingOBIEE and the associated tools.
Oracle Business Intelligence & Essbase
A shift towards Essbase and OBIEEEssbase Integration with OBIEE v10.1.3.3.1 was firstintroduced in 2007 as a hidden feature. A small tweak to theregistry on the server and with a quick restart, Essbase wasavailable as a data source in the physical layer of the BIServer. Functionality was limited and a flat list of measuresrather than an intuitive hierarchy together with MDXgeneration issues and performance concerns meant that itclearly was something that had been started and thenswitched off as it wasn’t ready. This was the first step inbringing together the technology acquisitions of Siebel andHyperion that Oracle had made.
Traditional Reporting from Essbase in the Hyperion worldincluded Microsoft Office integration in the form of eitherthe Excel Add-in or Smart View, Hyperion Financial Reportingfor XBRL and Pixel perfect report creation from Essbase andHyperion Web Analysis formally known as Analyzer for allyour dashboard reporting. Third Party tools such as IBM(Temtec) Executive Viewer also added a useful option toreport on data from Essbase.
OBIEE brings to the table a number of options whichenhance the reporting capability from Essbase. BI Publisherespecially allowing a native connection directly to Essbasewith a new MDX Query builder to aid the data extract. I willfocus more on this later in the article.
There are many methods of building an Essbase Cube fromsimple Load Rules created in Essbase Administration Servicesto the perhaps slightly dated but fully functional EssbaseIntegration Services with a GUI drag and drop environment.Additionally ETL tools such as Oracle Data Integrator (ODI)and Informatica PowerCenter (DIM) both have adapters builtin for Essbase.
Oracle Business Intelligence & Essbase
All these methods are further enhanced by Essbase Studiowhich consolidates cube construction activities, unifiesmodelling of many sources and enables reuse of hierarchies,metrics, dimensions and elements at a very granular level.OBIEE brings more to the table with Essbase Studiosupporting the BI Server as a source allowing you to model inthe BI Server and then leverage this to build and Essbasecube.
Essbase Integration Capabilities in 11.1.1.7.1A number of beneficial features have been included in thelatest release of OBIEE which make the Essbase integrationseven more seamless. There are many to list out but I havetried to focus on, what I consider are the important ones andhave a bias towards Essbase. These can be broken down into4 categories
• OBI / Essbase Integrated InfrastructureThe Complete installation of Essbase including the Essbasetools is delivered with BI Install mitigating the need forcomplex installs and post-install configuration FinancialReporting, EAS, Essbase Studio and Calculation Manager alsoinstalled with BI. This also allows for all services to bemanaged through Oracle Enterprise Manager.
Oracle Business Intelligence & Essbase
• Support for BI security negating the need for Sharedservices in BI only use casesIntegrating Essbase into the BI Architecture platform allowsfor all services to be managed through Oracle EnterpriseManager providing a central place to manage Security anddiagnostics logs.
• BI Server and Essbase InteractionBI Server ODBC Procedures to create & execute EssbaseCalculations and MAXL scripts allows for a huge amount offlexibility when implementing with Essbase. You could forexample run a business process (Essbase calculation script)to update some data real-time if there was a requirement tosupport the need.
Additionally Logical SQL syntax for updating, deletinginserting single & multiple measures has been includedgiving a greater amount of control of Essbase from with theBI Server.
• Presentation Services Essbase oriented featuresAn Option is now available to show how hierarchies aredisplayed giving you a property that allows you to have yourtotals at the bottom or after the children, perhaps wherethey should be in a lot of cases. The option applies to all axisand impacts all applicable views.
A further option controls whether nulls in rows/columns aresuppressed in sparse data sets suppress #missing intraditional Essbase terminology. The default is suppress butyou can override at view-level and it applies to row, columnedges, it impacts all applicable views.
Oracle Business Intelligence & Essbase
Extended Essbase and EPM Integration CapabilitiesFurther to the above 4 Categories which I see as more ofplatform enhancements to OBIEE, I have summarised 3further capabilities that I think will help you maximise yourreturn on investment in the Business Intelligence FoundationSuite (BIF).
The 3 at the top of my list are:
• OBIEE Smart View ExtensionThe OBIEE Smart View Extension provides a very goodalternative to querying the OBI RPD, also giving you theoption to publish that query back to the BI server all within afamiliar MS Excel interface. For example if you were carryingout your Group Financial Budget or Forecast using OracleHyperion Planning through Smart View you could very easilyin real-time switch to another sheet in the work book toquery that Essbase database through the OBIEE extension orperhaps look at the same through MS Word or MSPowerPoint. This capability gives you a single user interfaceto carry out the end to end needs of the process you areworking through without the need to jump between systems.
• EPMWorkspace IntegrationOracle have tried to embed OBIEE functionality within theHyperion Workspace before but removed it when it didn’treally work. Their second attempt is much better and you arenow able to consume, create and edit BI content withinWorkspace with access to the BI Catalog, BI Home, BIInteractive Dashboards all SSO enabled able to pass andconsume HSS tokens. The result is a web portal giving youaccess to tools such as Hyperion Planning and FinancialManagement alongside reporting from BI all under a singleroof giving a great user experience.
Oracle Business Intelligence & Essbase
• BI Publisher EnhancementsThe last capability I want to talk about is probably the mostexciting in my eyes and represents a significant reportingstep forward for Essbase users out there in need of boostingthe look and feel of their reporting solution in a slick easy touse front end.
The latest release of BI Publisher includes a new Querybuilder GUI giving you the capability to drag and dropdimensions and members from an Essbase cube into aReporting layout. It also gives you a read out of the MDX asyou go which is very clever and perfect for giving you somepointers on writing MDX queries which I don’t mindadmitting are not my strongest point.
Further to this you can easily report against Essbase &Planning cubes without the need to introduce them into theRPD, meaning it is effectively plug and play. Allowing you tocombine data coming directly from Essbase on OBIdashboards, combine Essbase data with data from othersources in the same report and ultimately use BI Publisherfor production style reporting against Essbase.
Once you have a data model in place using the EssbaseQuery Builder you are then able to switch your attention tothe actual BI Publisher report and run through the step bystep wizard to create your desired report. This capabilitybrings the quick start reporting capability on top of Essbasethat we have been missing for a number of years.
Oracle Business Intelligence & Essbase
Closing NoteFrom the points raised in this article I hope you can see thata lot of work has gone into making the BI Foundation Suite atruly integrated suite of tools that’s talk to each otherseamlessly and work together. I have been working withEssbase for many years and this latest integration with BIgives users the most advance platform yet for reporting fromEssbase and indeed building Essbase.
Neil SellersQubix International Ltd
Oracle Business Intelligence & Essbase
Solution-Architecture-in-a-Day SOA-Maturity-in-a-Day Oracle-Design-in-a-Day
At Ome-B.nl, Creative Software Solutions weoffer various one-day workshops. Duringthese workshops – where you are in the lead– we set up a complete view of the challengeahead and how to make a the project asuccess. Within a week after the sessionyou’re offered an extensive report on howthe solution is designed. This report is theideal starter point for a project, tender, ITprogram or Enterprise Architecture.
The fixed fee for all sessions (includingmaterial, workshop, pre-session intake,report and evaluation) is 2.500 euro (ex.taxes, transportation). All the sessions will beorganized in-house at your location.
For more information please contact us atwww.ome-b.nlor call us at +31 6 149 143 43.
Why I Don’t Use WebLogic JMS TopicsAhmed Aboulnaga, Raastech
Lack of true high availability and the inability to createdurable subscribers on distributed topics are the twoprimary reasons to avoid using WebLogic JMS topics.
“WebLogic JMS is an enterprise-class messaging systemthat is tightly integrated into the WebLogic Serverplatform.” ~Oracle documentation
Oracle WebLogic Server 11g provides the ability to create JMSdestinations, namely JMS topics or JMS queues. JMSdestinations are used extensively for integrationdevelopment, particularly in point-to-point and publish-subscribe models. Topics are useful in the sense that theyallow a message to be published once and consumed bymultiple subscribers. The message stays in the topic until allsubscribers to the message consume the message. This isparticularly useful in a publish-subscribe model as shown inthe figure below.
Contrast this with queues, in which a message is producedinto the queue and consumed once (aka first-in-first-out).This is usually used in a point-to-point type of integration.
This article assumes testing in a 2-node middleware cluster.Some SOA (or Java) code is deployed to all nodes of thecluster and a JMS topic is defined in this cluster.
The expected behavior is as follows:1. If there is a single consumer to this topic, we expect thateven though this code is deployed to all 2 nodes of thecluster, that the message is consumed only once. (Note: Thecluster is merely to provide high availability to our existingcode.)2. The message is equally available to all 2 nodes of thecluster, so if any nodes fail, the message is still available andcan be consumed without manual intervention.3. If one of the consumers is down at any point in time, whenthe consumer is back up, it is able to consume the messagesfrom the topic.
In this article, I will attempt to describe the behavior of the“singleton” property as well as the forwarding policies withinJMS topics to highlight the high availability challenges.
The CodeThe screenshot below depicts a very simple SOA compositethat consists of a Mediator service and a BPEL project. Theseare 2 separate flows; the Mediator service (top) accepts arequest and dumps it into a WebLogic JMS topic, shown inthe External References swimlane. The BPEL process(bottom) consumes the message from the JMS topic.
Oracle Fusion Middleware
In this example, we have a single producer of the messageand a single consumer. This code will be deployed to a 2-node cluster.
The “singleton” propertyWithin composite.xml in the code, simply adding thesingleton property as shown in the figure below in the JMSJCA Adapter binding is all that is needed. This articledemonstrates testing this with and without this property.
Creating a Uniform Distributed TopicIn WebLogic Server, a Uniform Distributed Topic called“AhmedTopic” is created and targeted to 2 JMS Servers, sincethe current architecture assumes a 2-node cluster. Thus,though the topic is available on both nodes (i.e., distributed),it is seen by the code as a single entity.
Setting the JMS Forwarding Policy in TopicsJMS topics include a forwarding policy that can either be setto “Replicated” or “Partitioned”. Both will be demonstratedshortly.
Test #1: Replicated without SingletonRecall that our SOA code example had a single producer (theMediator service) and a single consumer (the BPEL process).Thus, every message enqueued to the JMS topic should bedequeued only once. It should make no difference whetherour code is deployed to a single-node, 2-node, or 8-nodecluster.
Oracle Fusion Middleware
Observing the instance flow in the screenshot above revealssome quite unusual behavior. Recall that we are using aforwarding policy of “Replicated” and are not using the“singleton” property in our code.
Though the message is produced only once, this resulted in 4consumer instances! Basically, this is what happens:1. Mediator produces a single message.2. Message is replicated across both JMS Servers on bothnodes (since the forwarding policy is “replicated”).3. Since the code physically resides on 2 SOA servers,each SOA server will create an instance, consuming themessage from each of the JMS Servers, resulting in 4instances and 4 messages consumed total.
Test #2: Replicated with SingletonUsing the same test, but simply adding the “singleton”property in the code. This resulted in 2 instances.
Basically, this is what happens:1. Mediator produces a single message.2. Message is replicated across both JMS Servers on bothnodes.3. Though the code physically resides on 2 SOA servers, thecode on only one of the servers will consume the message,yet it still consumes it off of both JMS Servers, resulting in 2instances and 2 messages consumed total.
Oracle Fusion Middleware
Test #3: Partitioned without SingletonThis test changes the forwarding policy to “partitioned”without the “singleton” property in the code. This resulted in2 instances.
This is what happens:1. Mediator produces a single message.2. Message resides on only a single JMS Server.3. Since the code physically resides on 2 SOA servers, eachSOA server will create an instance, finding and consumingthe message from the JMS Server which has the message,resulting in 2 instances and 2 messages consumed total.
Test #4: Partitioned with SingletonThe final test uses a JMS forwarding policy of “replicated”with the code using the “singleton” property. This resulted in1 instance, which is the behavior that we want!
Basically, this is what happens:1. Mediator produces a single message.2. Message resides on only a single JMS Server.3. Though the code physically resides on 2 SOA servers, onlyone of the JMS Servers will actually have the message andthe singleton property will enforce only a single instanceconsumption as shown, resulting in 1 instance and 1message consumed total.
Oracle Fusion Middleware
SummaryTest #4 appears to be the behavior we are looking for, butthat is partially true. By using a partitioned forwarding policyin the JMS topic in conjunction with the singleton property inthe code results in the behavior we expect, which is for eachsingle message produced in the topic, the message will beconsumed once by each consumer.
Our examples above demonstrated a single consumerscenario, but adding more consumers to the topic wouldappear to operate just fine.
There are two problems though:1. Using a partitioned forwarding policy means that if thephysical node on which the JMS server resides on is down,the messages are not available for consumption. This doesnot satisfy our high availability requirement.2. If you have 3 consumers, as shown in the first figure of thisarticle, and the first two have already consumed the 60messages, yet the last one has not yet completed; if theserver is restarted, these messages are lost. This is typicallyresolved by creating a “durable subscriber” on the topic foreach of the consumers. This is common practice andessentially tells the JMS topic that we have 3 consumers, andnot to clear the messages from the topic until all 3consumers have consumed the messages. WebLogic Serverdoes not allow you to create durable subscribers ondistributed topics.
In order to use WebLogic JMS topics, we would have tosacrifice availability of the topic and risk messages being lostif one of the consumers is down or the server is restarted.
Therefore, it is my recommendation to avoid using WebLogicServer 11g’s implementation of JMS topics until theselimitations are addressed.
Instead, utilize a multi-queue architecture as shown below.The burden is now on the producer to enqueue the messageto 3 separate queues.
Oracle Fusion Middleware
References• Singleton (Active/Passive) Inbound Endpoint LifecycleSupport Within Adaptershttp://docs.oracle.com/cd/E23943_01/integration.1111/e10231/life_cycle.htm#BABDAFBH• Uniform Distributed Topic: Configuration: Generalhttp://docs.oracle.com/cd/E15586_01/apirefs.1111/e13952/pagehelp/JMSjmsuniformdestinationsjmstopicconfiggeneraltitle.html• Using Replicated Distributed Topicshttp://docs.oracle.com/cd/E23943_01/web.1111/e13727/dds.htm#BABEAGDF• Using Partitioned Distributed Topicshttp://docs.oracle.com/cd/E23943_01/web.1111/e13727/dds.htm#autoId16• Tuning Topicshttp://docs.oracle.com/cd/E23943_01/web.1111/e13814/jmstuning.htm#PERFM294• Developing Advanced Pub/Sub Applicationshttp://docs.oracle.com/cd/E23943_01/web.1111/e13727/advpubsub.htm
Oracle Fusion Middleware
Ahmed AboulnagaRaastech
ASMMetricsBertrand Drouvot
ASMmetrics are a goldmine: Everything we need is wellinstrumented into the ASM cumulative views. We justneed to manipulate them efficiently.That’s why I created the asm_metrics.pl: A new utility toextract and to manipulate them in real-time. It helps meevery day when I am working with ASM and I hope it wouldhelp any DBA working with ASM too.
HistoryWhen I need to deal with the ASM I/O statistics, the toolsprovided by Oracle (asmcmd iostat and asmiostat.sh fromMOS [ID 437996.1]) do not suit my needs. The metricsprovided are not enough, the way we can extract and displaythem is not customizable enough, and we don’t see the I/Orepartitions within all the ASM or database instances into aRAC environment.
Then, I decided to create my own asmiostat utility(asm_metrics.pl) that is helpful for 4 main reasons:
1. It provides useful real-time metrics:
• Reads/s: Number of read per second.• KbyRead/s: Kbytes read per second.• Avg ms/Read: ms per read in average.• AvgBy/Read: Average Bytes per read.•Writes/s: Number of write per second.• KbyWrite/s: Kbytes write per second.• Avg ms/Write: ms per write in average.
• AvgBy/Write: Average Bytes per write.
I’ll explain how they are computed and extracted later on.
2. It is RAC aware: You can display the metrics for all the ASMand (or) database instances or just a subset.
3. You can aggregate the results following your needs in acustomizable way: Aggregate per ASM Instances, databaseinstances, Diskgroup, Failgroup or a combination of all ofthem.
4. It does not need any change to the source: Simplydownload it and use it.
How does it work?The script takes a snapshot each second (default interval)from the gv$asm_disk_iostat cumulative view as of 11GR1(example from 12.1.0.1.0)
Oracle Automated Storage Management
or gv$asm_disk_stat (example from 12.1.0.1.0)
And computes the delta with the previous snapshot.
The only difference with gv$asm_disk_stat is the information
available in memory while v$asm_disk access the disks to re-collect some information.
Extract from the oracle documentation:
Since the information required doesn’t require to “re-collect”it from the disks (as a discovery of new disks is not needed),gv$asm_disk_stat is more appropriated here.
In this article I will describe the utility. Another article will bewritten later on to describe use cases.
First let’s see the metrics reported by the tool (alreadyexplained above):
• The output is like the following:
Oracle Automated Storage Management
In this example we can see the metrics for the DATAdiskgroup per database instances (for all the ASM instances,failgroups and disks).
Important remarkThe blank value for one those fields (INST, DBINST, DG, FG,DSK) means that the values have been aggregated for thisparticular field.
For example on this screenshot
You can see the metrics aggregated by failgroups, disks,diskgroup per database instances, database instances andASM instances.
How are those metrics computed?The metrics are computed this way:
• Reads/s comes from the delta computation of the READScolumn divided by the snapshot wait interval.
• KbyRead/s comes from the delta computation of theBYTES_READ column divided by the snapshot wait interval.
• Avg ms/Read comes from the delta computation of theREAD_TIME / READS columns.
• AvgBy/Read comes from the deltacomputation of the BYTES_READ / READScolumns.
•Writes/s comes from the deltacomputation of the WRITES column
divided by the snapshot wait interval.
• KbyWrite/s comes from the delta computation of theBYTES_WRITTEN column divided by the snapshot waitinterval.
• Avg ms/Write comes from the delta computation of theWRITE_TIME / WRITES columns.
• AvgBy/Write comes from the delta computation of theBYTES_WRITTEN / WRITES columns
Oracle Automated Storage Management
What are the features of the utility?
To explain the features, let’s have a look to the help:
So:
1. You can choose the number of snapshots to display andthe time to wait between the snapshots. The purpose is tosee a limited number of snapshots of a specified amount ofwait time between snapshots.
2. You can choose on which ASM instance to collect themetrics thanks to the -INST= parameter. Useful in RACconfiguration to see the repartition of the ASM metrics perASM instances.
3. You can choose for which DB instance to collect the
metrics thanks to the -DBINST= parameter (wildcardallowed). In case you need to focus on a particular databaseor a subset of them.
4. You can choose on which Diskgroup tocollect the metrics thanks to the -DG=parameter (wildcard allowed). In case youneed to focus on a particular diskgroup or asubset of them.
5. You can choose on which Failgroup tocollect the metrics thanks to the -FG=parameter (wildcard allowed). In case youneed to focus on a particular failgroup or asubset of them.
6. You can choose on which Exadata Cells tocollect the metrics thanks to the -IP=parameter (wildcard allowed). In case you
need to focus on a particular cell or a subset of them.
7. You can aggregate the results on the ASM instances, DBinstances, Diskgroup, Failgroup (or Exadata cells IP) levelthanks to the -SHOW= parameter. Useful to get an overviewof what is going on per ASM Instances, per diskgroup orwhatever you want, as this is fully customizable.
8. You can display the metrics per snapshot, the averagemetrics value since the collection began (that is to say sincethe script has been launched) or both thanks to the-DISPLAY= parameter. So that you can get the metrics persnapshots, since the script has been launched or both.
Oracle Automated Storage Management
9. You can sort based on the number of reads, number ofwrites or number of IOPS (reads+writes) thanks to the-SORT_FIELD= parameter (so that you could for example findout which database is the top responsible for the I/O). Sothat you can find the ASM instances, the database Instances,or the diskgroup, or the failgroup or whatever you want thatis generating most of the I/O reads, most of the I/O writes ormost of the IOPS (reads+writes)
The main entry for the tool is located to this blog page:http://bdrouvot.wordpress.com/asm_metrics_script/ fromwhich you’ll be able to download the script or copy thesource code.
Feel free to download it and to provide any feedback.
The next article will focus on use cases: See the ASMpreferred read in action, find out the most physical IOconsumers through ASM in real time, some Flex ASM 12cfindings and so on.
Bertrand Drouvot
Oracle Automated Storage Management
We're looking for damn good content!
The call for content for the Spring-issue ofOTech magazine is now open!
Go to www.otechmag.com/call-for-contentand share your knowledge with over 25thousand readers worldwide.
FUTURE IS NOW, ODI 12C.Gurcan Orhan, Global Maksimum
In my first article of OTech Magazine, I would like to sharemy impressions about the latest release of Oracle DataIntegrator, which is ODI 12c. What Oracle say, what weshould expect, what ODI 12c gives to us, etc.
Initially let’s overview the major enhancements and changesfor ODI 12c regarding previous versions;
• Change of names of tools and properties• Installation• Complete change on UI• In enterprise• Integration with other Oracle products• Knowledge Module architecture
Change of Names of Tools and PropertiesNames of components are changed with ODI 12c. Here’swhat we will talk about from now on in order not to causecollusion.
InstallationWe now have 3 types of installation of ODI.• Standalone : SDK (Software Development Toolkit) andStandalone Agent.• Developer : SDK, ODI Studio and Standalone Agent.• Java EE : SDK and JEE components to deploy agent to WebLogic Server.
RCUIn prior versions of ODI, if you were using RCU (RepositoryCreation Utility) to create master and work repositories, yourmaster and work repositories of ODI was created undersame schema. This could not be a problem when you areworking in your own environment for laboratory purposes.But in real world, when sharing the repository with manycolleagues such as developers, application operators, adminsfor development, test and production environment, thisfeature won’t be so effective, because it is generally neededthat master and work repositories should be in differentschemas. Main reason for this is that, we need to deployeverything in the work repository from prod to test andmaybe to dev and let the master repository has eachenvironment’s own information.
Now new version of RCU supports different schemas forwork and master repositories.
Complete Change on UIUser Interface is completely changed in ODI 12c andarchitecture is switched from “declarative design” to“declarative flow-based design”. New UI shouldn’t mean to bea colorful make-up, but this new look brings, newarchitecture, new methodology and new logic. If you haveused OWB (Oracle Warehouse Builder) before, it won’t be
Oracle Data Integrator
much problem to be familiar with ODI 12c, because – to me -it is the mix of ODI 10G, ODI 11G and OWB 11G.Because of the flexibility and extensibility of the newapproach, it will be much more simpler to use and todevelop integration projects. So it is time to talk about thenew features that is hidden in the new UI.
New Operators (based on Developer’s Guide)10 operators are implemented in ODI 12c to boost up E-L-Tflows and reduce development effort.
1. Aggregate : A projector component to summarize data anduse major aggregation functions that most databasessupport. Group By statement can be left to ODI automaticallyor can be overridden with manual group by clause.
2. Dataset : A container component that allows us to groupmultiple data sources and join them through relationshipjoins and is logically implemented. A dataset can containdatastores, joins, lookups, filters and reusable mappings(with no input but one output signature is allowed). Datasetis a relationship-based component and exactly the same howwe develop in ODI 11G in logical design. Upgraded or
imported projects from ODI 11G willcontain datasets, which is developed inODI 11G.
3. Distinct : A projector componentwhich simply uses distinct SQLoperator and outputs the uniquevalues of obtained select statement.
4. Expression : A selector componentthat inherits attributes from apreceding component in the flow andadds additional reusable attributes. Anexpression can be used to define anumber of reusable expressions withina single mapping. Attributes can berenamed and transformed fromsource attributes using SQLexpressions.
Oracle Data Integrator
5. Filter : A selector component that can select a subset ofdata based on a filter condition. Can be located in a datasetor directly in the flow component of a mapping and cancontain any type of SQL statements (and, or, like, functions,etc.).
6. Join : A selector component that creates a join betweenmultiple flows. The attributes from upstream component arecombined as attributes of the Join component. Can belocated in a dataset or directly in the flow component of amapping and can contain any type of SQL statements (and,or, like, functions, etc.).
7. Lookup : A selector component that returns data from alookup flow being given a value from a driving flow. Theattributes of both flows are combined, similarly to a joincomponent. A lookup can be implemented in generated
code either through a left outer join or a nested selectstatement. Can be located in a dataset or directly in the flowcomponent of a mapping and can contain any type of SQLstatements (and, or, like, functions, etc.).
8. Set : A projector component that combines multiple inputflows into one using set operators like UNION, INTERSECT,EXCEPT, MINUS and others.
9. Sort : A projector component that will apply a sort order tothe rows of the processed dataset, using the SQL ORDER BYstatement.
10. Split : A projector component that divides a flow into twoor more flows based on specified conditions. Split conditionsare not necessarily mutually exclusive: a source row isevaluated against all split conditions and may be valid formultiple output flows.
Reusable MappingsA reusable mapping can have generic input and outputsignatures to connect to an enclosing flow, and it can alsocontain sources and targets that are encapsulated inside thereusable mapping. This means to improve productivity ofdevelopment phase. Similar flows can be now based onreusable mappings and when it is needed to change low-level architecture, only change of reusable mapping wouldbe enough.
Multiple TargetsODI 12c now supports multiple targets in a single flow. Inprevious releases of ODI, we were developing manyinterfaces to load different target tables with the same orsimilar structure. With the help of split component, we now
Oracle Data Integrator
have ability to load different target datastores of differenttechnologies with different methods in one ODI 12cmapping. Since loading methods are applied on target, wecan optionally split into two or more targets of one is SlowlyChanging Dimension, the other Incremental Update and theother Append within the same mapping.
Executing Mapping in ParallelThis feature is not meant to be running mappings in parallelmode, since we can already do this in ODI 11G. Sincetemporary objects during a mapping has now have individualunique name customized by an option in the physical view ofa map and loading into staging area can be made in parallelmode, we now have ability to execute queries in parallelmode for the same mapping.
Step-by-Step DebuggerDebugging is the most important activity for a developerwhen writing code and developing something. In ODI 10G,we were using some workarounds like adding a 1=2 filter tothe interfaces or running the package in developmentenvironment, moving the original table and creating emptytables to see what the SQL statements look like. In ODI 11G,simulation of any execution implemented and we can nowsee what code is producing and sending to database oroperating system and check the statements.In ODI 12c, many steps further to this feature, we now havestep-by-step debugger. Mappings, packages, procedures andscenarios can be debugged in a step-by-step manner withadding breakpoints to interrupt execution at predefinedlocations. Variables’ values can be introspected and valuescan be seen in any step. Additionally, data of underlyingsources and targets can be queried, including content ofuncommitted transactions for better insight.
In EnterpriseIn ODI 10G, agents behave as background client applicationsand cannot be managed, controlled or monitored through amanagement utility. In ODI 11G, Java EE agents areimplemented and can be deployed to WebLogic Server andmonitored through Enterprise Manager 12c. In ODI 12c, bothstandalone agents and Java EE agents can be deployed toWebLogic Management Framework and can be managedwithin Oracle Enterprise Manager 12c.
Oracle Data Integrator
With this enhancement we now can have the ability to dofollowing;• User-interface driven configuration through theConfiguration Wizard.•Multiple configurations can be maintained in separatedomains.• Node Manager can be used to control and automaticallyrestart agent.• High-Availability (HA) and scalability is fully supported viaclustered deployments for Java EE agents. ODI 12ccomponents deployed in WebLogic Server benefits from thecapabilities of clustering for scalability, including JDBCconnection pooling and load balancing. In addition to thecluster-inherited HA capabilities, the run-time agent alsosupports a connection retry mechanism to transparentlyrecover sessions running in repositories that are stored inHA-capable database engines such as Oracle RAC.• ODI 12c simplifies complex data-centric deployments byimproving visibility and control for with a unified set ofmanagement interfaces.• ODI 12c console leverages the Oracle ApplicationDevelopment Framework (ADF) and Ajax Framework for arich user experience. Using this console, production users(mostly administrators) can set up an environment, exportand import the repositories, manage run-time operations,monitor the sessions, diagnose the errors, browse design-time artifacts and generate lineage reports.• In addition, this interface integrates seamlessly with theOracle Enterprise Manager Fusion Middleware ControlConsole and allows administrators to monitor from a singlescreen not only their data integration components but theirother Fusion Middleware components as well.
• To help maximize the value of ODI 12c, Oracle offers theManagement Pack for ODI 12c. This leverages OracleEnterprise Manager Cloud Control’s advanced managementcapabilities, to provide an integrated and top-down solutionfor your ODI 12c environments by providing a consolidatedview of your entire ODI 12c infrastructure enabling users tomonitor and manage all of their components centrally fromOracle Enterprise Manager Cloud Control. Additionally, youcan obtain real-time and historical in-depth performancestatistics for the ODI Standalone and JEE Agents.
There are new features not only in agent side, but also insecurity side. ODI 12c can further integrate with leadingIdentity Management solutions through its integration withthe Oracle Platform Security Services (OPSS), which providean authorization model and control access to resources.Enterprise roles can be mapped into Oracle Data Integratorroles to authorize enterprise users across different tools.
Oracle Data Integrator
Integration with other Oracle productsAs it is for sure, Oracle Warehouse Builder (OWB) is at theedge of its life. Last major release (11G R2) has beenreleased and only minor releases will be releasing in thefuture. Oracle 12c is the latest database version that willhave OWB bundled. As it is announced in Oracle Open World’13, next release of Oracle database will not contain OWB. Sowhat will your OWB projects’ future going to be?
ODI 12c is now supporting OWB mappings. You can nowexecute OWB jobs inside ODI 12c through theOdiStartOwbJob tool. OWB repository can now be configuredas a data server in Topology and users can examine OWB jobexecution details displayed in ODI 12c console, in operatorand in Enterprise Manager. Before migrating from OWB to
ODI, you can now create OWB packages in ODI 12c and startexecuting OWB jobs within ODI and get ready to prepare formigration.
On the other hand, integration with Oracle Golden Gate(OGG) has been enhanced. To reduce loading andtransformation time, you can easily configure and deployreal-time data warehousing solutions without impacting
source systems or batch window dependencies.
The integration of OGG as a source for the ChangeData Capture (CDC) framework inside of ODI 12c hasbeen improved in the following areas :
• OGG source and target systems are now configuredas data servers in ODI 12c’s Topology. Physical andlogical schemas represent capture and deliveryprocesses. This representation in topology allowsseparate physical configuration for multipleenvironments, following the overarching philosophyaround contexts.•Most OGG parameters can be added to capture anddelivery processes in the physical schemaconfiguration. The user interface provides supportfor selecting parameters from a library ofparameters. This minimizes the need for themodification of the OGG parameter files after
generation.• A single ODI 12c mapping can be used for journalizedChange Data Capture load and bulk load of a target. This isenabled through the use of the OGG Journalizing KnowledgeModules as well as the definition of multiple deploymentspecifications attached to a single mapping. This powerfulfeature allows a single mapping logical design to be reused in
Oracle Data Integrator
different physical configurations.• OGG parameter files can now be automatically deployed tosource and target OGG instances through the JAgenttechnology. In addition, OGG instances can now be started orstopped from ODI 12c.
Knowledge Module architectureODI 12c continues to support Knowledge Modulearchitecture, but now with some enhancements. KnowledgeModule architecture is power of ODI and set of library codesthat has ability to change SQL statements via options andother elements to provide us for flexible, modular andextensible processes.
ODI 12c has introduced a new style of Knowledge Module,called Component-Style Knowledge Modules, in addition toTemplate-Style Knowledge Modules available from ODI 11G.This new style of Knowledge Module provides an extensiblecomponent framework that improves the overall mappingdesign, where for example users are able to declare thetransformation order. These also improve reusability as theycan be plugged together; in addition to helping avoid codeand data duplication as well as providing improved Oracleconnectivity.
ConclusionNo matter if you are using ODI for data warehousing,application integration, OLTP reporting or other purposes, itis the unique tool that supports heterogeneous environmentin both source or target side, and has extensive features thatallows you fast developing cycles and quick responses withability of flexibility, high-performance, open and integrated E-L-T architecture and high productivity. With merging OWBfunctionality into new version of ODI, it became morepowerful without losing prior powerful features.
• Data Warehousing and Business Intelligence : Byexecuting high-volume, high- performance loading of datawarehouses, data marts, On Line Analytical Processing(OLAP) cubes, and analytical applications, ODI 12ctransparently handles incremental loads and slowly changingdimensions, manages data integrity and consistency, andanalyzes data lineage.• Big Data : By providing prebuilt integration with Big Datatechnologies, such as HDFS and Hive, businesses are able toleverage additional sources of data previously too large andunwieldy to gain benefits from. Oracle delivers integrationfor Big Data technologies leveraging a metadata drivenprocess while enabling data integration resources to easilymanage how Big Data is extracted, loaded, and transformed.• Service-Oriented Architecture (SOA) : By calling onexternal services for data integration and by deploying dataservices and transformation services that can be seamlesslyintegrated within an SOA infrastructure. ODI 12c’sarchitecture additionally provides support for high-volume,high-performance bulk data processing to an existingservice-oriented architecture.•Master Data Management (MDM) : By providing acomprehensive data synchronization infrastructure for
Oracle Data Integrator
customers who build their own data hubs, work withpackaged MDM solutions, or coordinate hybrid MDMsystems with integrated SOA process analytics and BusinessProcess Execution Language (BPEL) compositions.•Migration : By providing efficient bulk load of historicaldata (including complex transformations) from existingsystems to new ones. Oracle Golden Gate then seamlesslysynchronizes data for as long as the two systems coexist, andODI 12c continues to complement as needed fortransformations.
References;• ODI 12c New Featureshttp://docs.oracle.com/middleware/1212/odi/ODIDG/whatsnew.htm#ODIDG109• ODI 12c Developer’s Guidehttp://docs.oracle.com/middleware/1212/odi/docs.htm• ODI 12c Data Sheethttp://www.oracle.com/us/products/middleware/data-integration/odi-ee-ds-2030747.pdf
Gurcan OrhanGlobal Maksimum
Oracle Data Integrator
Content-Enabling Your Insurance BusinessUsing Oracle BPM and WebCenter ContentRaoul Miller – TEAM informatics
TEAM has worked with a number of insurance industrycompanies over the years and the advantages of content-enabling these enterprises are numerous. Many insuranceorganizations have grown through acquisition, with the endresult that they have parallel legacy systems in place withincreasingly evolving complexity in meeting the challenges ofintegrating them. This makes the insurance industry ideal fordeployment of SOA/BPM as an integration methodology andadding content and records management to this is a no-brainer (as the insurance industry is so document andrecord-driven).
Last year Oracle published a white paper (link) on how bestto use their BPM (business process management) tools in aninsurance industry setting. I won’t restate all their reasons asto why the Oracle solution is a good fit – but suffice to saythat the Oracle Insurance business unit has a lot ofexperience in the area and solutions to meet all your needs.However, what was missing from the white paper was thevalue and flexibility gained by adding WebCenter Content,Records, and Imaging to the mix.
We are currently working with a number of customers onexactly these integrations – allowing for secure upload offiles from agents’ offices, scanning and uploading of paperforms and documents (using capture and distributedcapture), migrating legacy images from mainframe systemsto modern Oracle WebCenter Content systems, and allowingusers (for the first time) to truly search and retrieve content
based on metadata and full text searches.
Case Study: Insurance Company AInsurance company A is a large organization in APACresponsible for workers compensation and accident claims.The organization required a very secure system (as it willcontain medical records and other potentially sensitiveinformation) with extremely granular security capabilitiesand a high level of audit capabilities. The system had to bescalable enough to meet the needs of every person in thecountry and visitors from overseas. Historic content wasmigrated from their existing legacy system and new contentsubmitted either electronically through an upload screen orscanned from paper. A final wrinkle was that bandwidth tomany of the organization’s remote branch offices was quitepoor, so the overhead of the application needed to be low.
TEAM worked with Oracle and FINEOS, a third-party software
WebCenter Content
vendor, which delivered the case management softwareused at the front end. This installation is a prime example of
“invisible ECM” or what I call CaI (Content as Infrastructure) inthat end users are unaware of the content / recordsmanagement system sitting behind their user interface andonly a few administrators have access to the OracleWebCenter Content user interface. The new systemleverages all the content management capabilities of Oracle
WebCenter Content (including the retention, conversion,indexing, security, and auditing functions) while integratingseamlessly with the industry-specific front-end. The ContentManagement version deployed at Insurance Company A isthe 10gR3 release, which is why the logical diagram belowshows the content servers with standalone web serversrather than deployed on the same application serverplatform as the Content Integration Suite in the middlewaretier. We would expect to make this change when the client
upgrades in the next 12-18 months.
The system has been successfullydeployed in production for over 7years and ingests 10-20 million recordsper year. The system was tested tomanage 200 million records on theexisting infrastructure; we have 2-3years to design the physicalinfrastructure for the next majorrelease.
Case Study: Insurance Company BInsurance Company B is a US-basedindividual and commercial insurancecompany that has acquired twoequally large competitors in the past 5years. Although the business is run asone organization, there are still threesets of back-end infrastructure in place(with three sets of IT staff to supportthem). The majority of their recordsare stored as TIFF or proprietary imageformats in legacy systems on failing(and unsupported) hardware.
WebCenter Content
This customer has a number of major challenges:• Volume of images needing to be imported andconverted is very high – approximately 600-700 million items.While we know that WebCenter Content can supportcollections this large, the storage systems have to becarefully designed to ensure reliability and performance.The best approach is to split the huge single instancecollection into a number of smaller functional collections andaccess them all via web services with intelligent routingrather than rely on close-coupling to a single unwieldyinstance.• The customer has chosen to procure scanning fromone vendor, BPM and SOA from a second, and contentmanagement from Oracle. While WebCenter’s standards-based architecture and integration methods ensure this ispossible, using products from a single vendor simplifies theintegration discussions, support considerations, andgenerally lowers overall cost (through license bundling).• The customer has a vacuum in architectural andtechnical leadership which complicates the design anddeployment process. In any complex environment,organizations require clear vision and firm leadership todeliver complex functionality to the business. In its absence,point solutions, short-term fixes and siloed applications willtend to proliferate causing more issues in the long term.
The solution we are proposing to Insurance Company B usescomponents from different vendors integrated via anEnterprise Service Bus (ESB) to migrate from their legacyplatforms to a more-modern SOA-enabled delivery process.Although their SOA and ESB vendor is not Oracle, theprocess of delivery would be identical if it were. Ingestion ofnew content is simple – although the business encourages
submission of content via secure email, web upload, or XMLdata transfer (over HTTPS), there is still a high volume ofpaper which is scanned, OCR’ed and indexed, then passed toWebCenter Content via a custom connector that packagesPDF images and associated security and metadata andpasses them on via HTTPS to the repository. Legacy contentwould be passed through a conversion and organizationprocess (by another TEAM partner) and packaged into bulkupload packages for ingestion using the standard bulk-loadtools.
Once the raw content is managed and indexed by theWebCenter Content systems, users will interact with itthrough their standard web-enabled applications. Newcontent is passed via web services to the BPM system andworkflow managed through these methods; updated contentis managed through a parallel track. Requests for new,archive or legacy imported content are passed to the ESB asweb service requests and routed to the correct WebCenterContent instances based on traffic rules defined within theESB. Because the overall collection is so large, full textindexing is not useful or required and all searches aremanaged via metadata. However, certain content instanceshave full text indexing enabled to support futurefunctionality for targeted searches.
Overall Best PracticesWorking with a number of insurance companies, we havebeen able to derive some best practices for these large (andoften) complex entities and processes:
• Metadata Management - Best Practices aroundmetadata fall into two broad categories - master datamanagement, or “ownership” of various metadata, and
WebCenter Content
development ofa scalableinformationarchitecture.The former is akey takeawayfor anycomplexsystem; everymetadata filedin anintegratedsystem musthave a singlesystem of
record and that environment is the only one that can updatethese values. Every other system will treat that metadatavalue as read-only. Updates may be initiated from otherenvironments, but they will trigger a web service requestthat is routed back to its “owner” and update the recordthere. All metadata need not be owned by a single systembut each field must be managed by only one system.
Although it is technically feasible to pass updates frommultiple systems and keep them in sync, in practice this isvery complex and almost always fails somewhere, leading todata corruption that needs to be fixed.
Development of scalable information architecture followsfrom master data management but is much harder to pindown into simple guidance. Simply stated, an organization’ssecurity and metadata model needs to reflect its currentbusiness needs while allowing scope to adapt as thebusiness evolves. Every business will require something
slightly different to reflect its unique history, processes,focus, and plans. The key consideration here for aninsurance client to have all aspects of the business reflectedin the workshops that are held to define the information andsecurity architecture.
• Security Integrations - As insurance companies dealwith a lot of personal and financial data about their clients,security is obviously an extremely important considerationwithin the design process. The organizations themselveshave usually worked out the requirements for auditing,restricting access to “need to know”, separation ofresponsibilities, etc. Translating these to business rules issometimes a challenge but the capabilities of identitymanagement, database advanced security, WebCenterRecords auditing and BPM have been able to deliver these atall the clients we have been engaged with.One particular challenge often seen in companies that havegrown by merger and acquisition (such as InsuranceCompany B above) is that they may have multiple userdirectories to store user and agent identities. AlthoughWebLogic Server (WLS) (which handles the authenticationand authorization duties for all WebCenter applications andBPM) can be configured to query multiple authentication and
WebCenter Content
Authorization providers, we have found that a more elegantand scalable approach is to use either Oracle VirtualDirectory (OVD) or Oracle Internet Directory (OID) as a singlesource of user and identity data and use the tools that comewith these to collect identity and user data from multipletargets. Integration of WLS and WebCenter applications withOVD and OID is straightforward and fully supported.
• Using SOA and ESB - As both of the examples aboveillustrated, integration of different applications andenvironments is most easily achieved through a service-oriented architecture brokered using an Enterprise ServiceBus. Because WebCenter Content was designed from thevery beginning as a service-oriented application running onJava, integration of all the application’s capabilities via webservice and ESB is straightforward and well-documented.However, content enablement of the enterprise will require afairly mature deployment of SOA within the organization aswell as clear leadership and understanding of best practicesand business goals for the outcome. Both of the examplesdescribed previously deployed solutions from differentvendors, illustrating the beauty of a standards-basedapproach. However, time to deployment and long-termsupport cost is usually lower when deploying all componentsfrom a single vendor as the integration steps are tested andsupported by the vendor.
• BPM integration - Associated with SOA and ESB,Business Process Management is an essential part of anyinsurance industry deployment of content management.While WebCenter Content has its own inbuilt workflowengine, this is optimized for approval and notification ofcontent and is not designed to integrate directly withexternal systems and data sources. Fortunately, there is a
standard BPM integration delivered with WebCenter Contentalong with a limited use license of the BPM suite. This allowsorganizations to develop complex workflows (or better, tointegrate with existing business processes) for new andupdated content as well as allowing for processes to requestcontent and metadata from the WCC system. Although thedelivered integration is for Oracle’s BPM suite, we havemodified this to work with third party BPM solutions formany clients – the beauty of Oracle embracing andsupporting the BPMN and BPEL standards for their BPMproducts.
• Search integration - Searching and optimizing users’search experiences could cover a whole additional article butis an important consideration for the insurance industry (andother complex deployments). One advantage of usingexisting tools to access the stored content managed withinWebCenter Content is that the queries made to therepository via web service or java integrations are almostalways structured queries using metadata and security. Itwould be extremely rare for an external system to pass anunstructured text query to the system. If that were requiredthough, the challenge would not be in the integration, thestandardization of the query language, or the format of thesearch results; it is the validity and usefulness of thoseresults without some kind of ranking or organization. Thisproblem is usually solved by adding a layer of searchmanagement such as Oracle’s Secure Enterprise Search orGoogle’s Search Appliance and relying on the rankingalgorithms within those applications.
Search is a vital component of any content solution (whatgood is content management if users cannot find thatcontent?) but any discussions of design and deployment of
WebCenter Content
that search must focus on shaping the user experience toprovide targeted and useful search results, which is almostalways delivered through metadata searches. Full textsearching is usually only useful when filtering the results ofthat initial structured search.
ConclusionThe insurance industry is one where content enablement canyield substantial returns in a short time period. Because theindustry is, by-and-large, still very paper-driven thepossibilities for improvement in process, service andhandling time are very real; however, the underlyingcomplexity of existing systems and legacy integrations canmake the initial design and deployment of a contentmanagement system challenging.
We have found that clear architectural and businessleadership is required to bring the various parties togetherand design a modern solution to content management,integrated with business processes and leveraging the powerof an enterprise service bus to share content, conversion,search and distribution services across multiple platforms.Metadata management and information architecture are keyto the process as well and require a combination of anexperienced implementation partner, a mature applicationvendor and champions within all areas of the business.
WebCenter Content
Raoul MillerTEAM informatics
OTech MagazineOTech Magazine is an independent magazine for Oracle professionals.OTech Magazine‘s goal is to offer a clear perspective on Oracle technologiesand the way they are put into action. OTech Magazine publishesnews stories, credible rumors and how-to’s covering a variety of topics.As a trusted technology magazine, OTech Magazine provides opinion andanalysis on the news in addition to the facts.
OTech Magazine is a trusted source for news, information and analysisabout Oracle and its products. Our readership is made up of professionalswho work with Oracle and Oracle related technologies on a daily basis, inaddition we cover topics relevant to niches like software architects, developers,designers and others.
OTech Magazine‘s writers are considered the top of the Oracle professionalsin the world. Only selected and high-quality articles will make themagazine. Our editors are trusted worldwide for their knowledge in theOracle field.
OTech Magazine will be published four times a year, every season once. Inthe fast, internet driven world it’s hard to keep track of what’s importantand what’s not. OTech Magazine will help the Oracle professional keepfocus.
OTech Magazine will always be available free of charge. Therefore thedigital edition of the magazine will be published on the web.OTech Magazine is an initiative of Oracle ACE Douwe Pieter van den Bos.Please note our terms and our privacy policy at www.otechmag.com.
IndependenceOTech Magazine is an independent magazine. We are not affiliated, associated,authorized, endorsed by, or in any way officially connected with TheOracle Corporation or any of its subsidiaries or its affiliates. The officialOracle web site is available at www.oracle.com. All Oracle software, logo’setc. are registered trademarks of the Oracle Corporation. All other companyand product names are trademarks or registered trademarks of theirrespective companies.In other words: we are not Oracle, Oracle is Oracle. We are OTech Magazine.
Intellectual PropertyOTech Magazine and otechmag.com are trademarks that you may not usewithout written permission of OTech Magazine.The contents of otechmag.com and each issue of OTech Magazine, includingall text and photography, are the intellectual property of OTech Magazine.You may retrieve and display content from this website on a computerscreen, print individual pages on paper (but not photocopy them), andstore such pages in electronic form on disk (but not on any server or otherstorage device connected to a network) for your own personal, non-commercialuse. You may not make commercial or other unauthorized use, bypublication, distribution, or performance without the permission of OTechMagazine. To do so without permission is a violation of copyright law.
All content is the sole responsibility of the authors. This includes all text andimages. Although OTech Magazine does it’s best to prevent copyright violations,we cannot be held responsible for infringement of any rights whatsoever. Theopinions stated by authors are their own and cannot be related in any way toOTech Magazine.
Programs and Code SamplesOTech Magazine and otechmag.com could contain technical inaccuraciesor typographical errors. Also, illustrations contained herein may show prototypeequipment. Your system configuration may differ slightly. The websiteand magazine contains small programs and code samples that arefurnished as simple examples to provide an illustration. These exampleshave not been thoroughly tested under all conditions. otechmag.com,therefore, cannot guarantee or imply reliability, serviceability or functionof these programs and code samples. All programs and code samplescontained herein are provided to you AS IS. IMPLIED WARRANTIES OFMERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULARPURPOSE ARE EXPRESSLY DISCLAIMED.
OTech Information
Winter 2014