Arun Reddy Technical Director Raastech
Oracle Fusion Middleware Infrastructure Best Practices
Schoolcraft College Vistatech Center Room Vt460
November 13, 2013 2:05pm 2:50pm
Raastech, Inc. 2013 | All rights reserved. Slide 2 of 34 raastech.com
About Raastech
Systems integrator founded in 2009
Headquartered in the Washington DC area
Specializes in Oracle Fusion Middleware
Oracle Gold Partner & Reseller
Oracle SOA Specialized
Certified staff in multiple disciplines
OCE, OCA, OCP, ITIL, CISSP, PMP, etc.
Continued contributions to the technology community
Sponsor and volunteer of numerous users groups
Ongoing publishing of books, articles, whitepapers, and blogs
Regular presenters at major conferences
About Arun
14+ years of Infrastructure Administration
Focus on Oracle Fusion Middleware infrastructure implementation, Security, High Availability, and
Disaster Recovery
OCA, ITIL, PMP Certified
Active WMOUG member/presenter
What is this presentation about?
For Oracle Fusion Middleware administrators
Covers common infrastructure best practices for:
Installations
Patching
Administration
Deployments
Security
Why do I need it?
I want to reduce OFMW infrastructure maintenance because I'm tired of opening change requests/change controls
To know what I can do differently for my OFMW infrastructure to make it more stable and highly available
Is there anything that I'm not doing right with my installations, patching or deployments?
I don't want my phone to ring when I'm watching the Lions game or Breaking Bad
I think the presenter is cool. My n
Overview
Understanding Oracle Fusion Middleware
Oracle Fusion Middleware is a misleading term
Used to describe middleware products such as:
Business Intelligence (e.g., OBIEE, Discoverer)
Integration (e.g., SOA Suite, OSB)
Identity Management (e.g., Oracle Access Manager)
Monitoring (e.g., OEM Grid Control)
But usually used to describe a single product:
WebLogic Server
WebLogic Server: Foundation for Fusion Middleware
WebLogic Server is the core foundation of all Oracle Fusion Middleware products
Diagram: OEM Grid Control, OBIEE, Access Manager, SOA Suite, WebCenter Portal and Data Integrator all sit on top of Oracle WebLogic Server, which provides Clustering, JNDI, Resource Adapters, JDBC, Security and Self Tuning.
Oracle WebLogic Server
At a glance:
Java application server
Acquired from BEA
Replaces Oracle Application Server 9i/10g
Required for almost all Oracle Fusion Middleware products
Current releases:
Oracle WebLogic Server 11g (10.3.6)
Oracle WebLogic Server 12c (12.1.2)
The majority of OFM products are not yet available for 12c
WebLogic Server Architectural Considerations
Typically fronted by WebTier/OHS/Apache
Requires JDK (Sun JDK, JRockit, or new JDK7)
Requires shared filesystem for cluster (in 11g) for tlogs
Diagram: a hardware load balancer in front of three WebTier nodes, each fronting a WebLogic Server node; the WebLogic Server nodes share a file system.
Single AdminServer to administer the entire cluster
Node Manager runs on every server
Hardware load balancer
WebLogic Server 12c New Features
Certified with JDK7
Zip distribution is only 164 MB
Supports Java EE 6
T-Logs can now be database persisted (no shared file system needed)
Improved high availability, performance, and disaster recovery
200+ new features
Installations
Operating System Tuning Parameters
Proper OS tuning improves system performance by preventing the occurrence of error conditions.
Below are some key parameters to consider (O/S, parameter, default, proposed):
Linux, tcp_fin_timeout (default 60, proposed 30): by reducing the value, TCP/IP releases closed connections faster, providing more resources for new connections.
Linux, backlog connections queue tcp_max_syn_backlog (default 1024, proposed 4096): when the server is loaded or has many clients with bad connections, it can result in an increase in half-open connections.
Linux, file descriptors / open files (default 1024, proposed 4096 on 32-bit and 8192 on 64-bit).
WIN2008, MaxUserPort (default 16383, proposed 65532): under heavy loads it may be necessary to adjust MaxUserPort. This parameter determines the availability of user ports requested by applications.
WIN2008, power option (default Balanced, proposed High Performance): with the High Performance power scheme, processors are always locked at the highest performance state.
Separation of Binaries and Config
Dedicated user and shared group for Installations
Separate binaries in the Fusion Middleware Home and Configuration directories
The binaries include the Oracle WebLogic Home, Oracle JDK, Coherence binaries and any required Fusion Middleware binaries (Files/Directories are mostly read)
The Configuration directories include all Domain homes, application files and nodemanager configuration (Files/Directories are both read and written at runtime)
Advantages
Less chance of binary corruption
Easier patching
Shared File Systems
Use shared file systems for
Admin Server
JMS Persistent Stores
Application Deployments
Configuration Plans
Tlogs
Advantages are
Easy Recovery of the admin server
Easy Recovery of the XA and JMS transactions
Required for Server Migration
Deployments
Deployment Guidelines
Do not use Autodeploy for production environments
Always deploy to a cluster even if you have a single MS
Use deployment/configuration plans
Simple approaches that work:
WLST or java weblogic.Deployer (my preference)
Ant scripts
Maven
Restrict Admin/EM console use to:
Test / lower environments
Ad hoc support requests
Custom Application Deployments
Deploy custom applications from shared storage
Applications are deployed as EAR files to servers or read as exploded directories. Place the archives in a shared directory such as $ORACLE_BASE/admin/shared/deploy
In a shared services environment, applications should all be deployed as NOSTAGE
Admin server default is STAGE
Managed server default is NOSTAGE
In NOSTAGE, the application files reside in a location from which all cluster members can initiate a deployment (Good for large or exploded applications)
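The deployment guidelines above (script-based deployment, always targeting a cluster, NOSTAGE from the shared deploy directory, with a deployment plan) as an added WLST (Jython) example; this is not code from the slides. The admin URL, cluster name, application name, paths and the user/key file locations are assumptions.

```jython
# Added example: WLST script deploying an EAR to a cluster in NOSTAGE mode from the
# shared deploy directory, applying a deployment plan. Run with:
#   $MW_HOME/oracle_common/common/bin/wlst.sh deploy_app.py
# All names below are assumptions/placeholders, not values from the slides.
import sys

ADMIN_URL  = 't3://adminhost.example.com:7001'       # assumption
CLUSTER    = 'soa_cluster'                            # assumption: always a cluster, never a single MS
APP_NAME   = 'OrderService'                           # assumption
SHARED_DIR = '/u01/app/oracle/admin/shared/deploy'    # assumption: the $ORACLE_BASE/admin/shared/deploy location
EAR_PATH   = SHARED_DIR + '/OrderService.ear'
PLAN_PATH  = SHARED_DIR + '/plans/OrderService-plan.xml'
USER_FILE  = '/u01/app/oracle/admin/.wlsuser'         # assumption: created earlier with storeUserConfig()
KEY_FILE   = '/u01/app/oracle/admin/.wlskey'

# Credentials come from the encrypted user/key files, never from the command line
connect(userConfigFile=USER_FILE, userKeyFile=KEY_FILE, url=ADMIN_URL)

# Look the application up in the domain configuration to decide deploy vs. redeploy
domainConfig()
existing = getMBean('/AppDeployments/' + APP_NAME)

if existing is None:
    # First deployment: target the cluster, NOSTAGE so every member reads the EAR
    # from the shared directory instead of receiving a copy from the admin server
    progress = deploy(APP_NAME, EAR_PATH, targets=CLUSTER,
                      stageMode='nostage', planPath=PLAN_PATH)
else:
    # Already deployed: redeploy in place with the (possibly updated) plan
    progress = redeploy(APP_NAME, planPath=PLAN_PATH)

progress.printStatus()
if progress.isFailed():
    print 'Deployment of ' + APP_NAME + ' failed: ' + progress.getMessage()
    disconnect()
    sys.exit(1)

disconnect()
```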
Backups
Environment backup: how often do we need it?
The following lists some common scenarios in a typical deployment that require a backup:
After WLS is installed and a domain is created
Before and after making configuration changes to a component or cluster
Prior to deploying a custom pure Java EE application
After any major architectural changes to deployment architecture
Before and after product binary files are patched or upgraded
Important - Backup Embedded LDAP (Set it up through console)
Scheduled backups on a nightly basis or as needed, or both
Typical Backup Schedule
Component, backup schedule, backup type, comments:
Oracle system files: monthly, online
JDK: monthly, online
Middleware Home: monthly, online
JMS file store: never; recreate if recovery is needed (data loss or inconsistency may occur)
Transaction logs: never; recreate if recovery is needed
SOA domain: daily, online (online backups are good as long as no changes to the domain have been made)
Database: daily, online
Configuration File Backup
Configuration File Backup (cont'd)
Administration
BAU activities
Starting and stopping a managed server
Don't use both the command line and the console for the same operation; use one or the other so that the console reflects accurate server state
User management
Prefer Enterprise AD or LDAP
Patching/upgrading
Don't install just because it was released and recommended by Oracle
Node Manager facts
Not a must for every environment
Uses only default values unless server startup properties are defined
If the domain is not SSL enabled, there is no use having NM encryption enabled
Use nmEnroll() to enroll new servers for Node Manager
Security
Enterprise Security Requirements
Secure Servers
Prevent direct access to:
o Web Tier
o App Tier
o DB Tier
Limit Services Exposed
Isolate Tiers
Secure Services
Authorized users only
Achieved by:
Network Port restrictions
Access Management
Security Best Practices
Control Access to OFMW Resources
Create a separate OS user for OFMW and limit access to $MW_HOME
Avoid running the server under a privileged account
If OHS needs to run on port 80, use sudo privileges to start
Enable security auditing
Use connection filters
Security roles and security policies protect WebLogic resources at the domain, application, and application-component level. Connection filters let you deny access at the network level.
Prevent Denial of Service attacks
Configure the complete message timeout to less than the default 60 seconds
Restrict the size of messages (default is 10 MB)
Limit the maximum number of open sockets (if necessary)
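The connection-filter and denial-of-service items above as an added WLST (Jython) hardening script; this is not code from the slides. The admin URL, domain name, subnets, socket ceiling and user/key file locations are assumptions, and the connection filter uses WebLogic's built-in ConnectionFilterImpl with rules in its "target localAddress localPort action [protocols]" form.

```jython
# Added example: WLST script applying the DoS limits and a network-level connection
# filter to every server in the domain. Run with:
#   $MW_HOME/oracle_common/common/bin/wlst.sh harden_domain.py
# Names and addresses below are assumptions/placeholders, not values from the slides.
import jarray
from java.lang import String

ADMIN_URL  = 't3://adminhost.example.com:7001'   # assumption
DOMAIN     = 'soa_domain'                          # assumption
WEB_TIER   = '10.10.20.0/24'                       # assumption: subnet of the WebTier/OHS hosts
ADMIN_HOST = '10.10.5.10'                          # assumption: the only host allowed full (t3/admin) access
USER_FILE  = '/u01/app/oracle/admin/.wlsuser'      # assumption: created earlier with storeUserConfig()
KEY_FILE   = '/u01/app/oracle/admin/.wlskey'

connect(userConfigFile=USER_FILE, userKeyFile=KEY_FILE, url=ADMIN_URL)
edit()
startEdit()

# 1. DoS limits on every server: complete-message timeout below the 60 s default,
#    an explicit message size cap, and a ceiling on open sockets.
for server in cmo.getServers():
    cd('/Servers/' + server.getName())
    cmo.setCompleteMessageTimeout(30)     # seconds; default is 60
    cmo.setMaxMessageSize(10000000)       # bytes; the 10 MB default, lower it if the apps allow
    cmo.setMaxOpenSockCount(2048)         # assumption: size this to the expected connection load

# 2. Connection filter: first matching rule wins. The web tier may only speak HTTP(S),
#    the admin host may use everything (t3 for WLST/console), all else is denied.
cd('/SecurityConfiguration/' + DOMAIN)
cmo.setConnectionFilter('weblogic.security.net.ConnectionFilterImpl')
rules = [
    ADMIN_HOST + ' * * allow',
    WEB_TIER   + ' * * allow http https',
    '0.0.0.0/0 * * deny',
]
cmo.setConnectionFilterRules(jarray.array(rules, String))
cmo.setConnectionLoggerEnabled(true)     # log rejected connections so the SOC can see probes

save()
activate(block='true')
disconnect()
```

Test the rule set from a lower environment first: an incorrect first rule can lock the admin host itself out of t3 and force a config.xml rollback from backup.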
Security Best Practices
Use virtual server names
Separate internal and external traffic
Ex: blogint.raastech.com vs blog.raastech.com
Separate admin and application traffic
Keep the DNS/VIP names application/function specific
Use separate Internal/External DNS entries
Use Firewalls/Load balancers
SSL Termination
Expose Virtual Servers/Hosts
Console and EM Access through LB (Ex. F5 BIG IP)
Create a filtering iRule on the BIG-IP load balancer to disallow access to the WL Console and EM. If you are using any other load balancer device, create a custom ACL accordingly.
For example, to create the filtering iRule:
On the Main tab, expand Local Traffic, then click iRules. The iRule screen opens.
In the upper right portion of the screen, click the Create button. The new iRule screen opens.
In the Name box, enter a name for your iRule, e.g. oracle-soa-filter.
In the Definition section, copy and paste the following iRule (it returns 403 for any request whose URI begins with /console or /em):
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/console" } { HTTP::respond 403 content "HTTP Error 403 - Forbidden" }
    if { [HTTP::uri] starts_with "/em" } { HTTP::respond 403 content "HTTP Error 403 - Forbidden" }
}
Summary
Summary
Plan your environment based on the key business factors
Functionality
Availability
Throughput
Future Growth / Easy Scaling
Implement the best practices starting with lower environments
Automate every task that can be automated
Secure environments to avoid non-functional and human breaches
All environments need to have a backup and recovery plan
Q/A
Contact Information
Arun Reddy
Technical Director