Monday Jul 27, 2015

Restricted View

Restricted View is Not So Bad!

You are going on vacation and have booked a hotel with beautiful views, but when you arrive you discover that your room can only see the beautiful beach if you crane your neck out of the window and look at an angle.  That is pretty frustrating for a vacation but often that is exactly what we want to achieve with SOA Suite.  For example we may want the finance department composites to not be visible to the HR department and vice-versa.

The Problem

You often want to restrict the visibility of composites, for example keeping departments separated from each other.  This separation of concerns is a hallmark of good governance and many SOA Suite customers have this requirement, controlling who can see which composites.

Early Solution

In 11g the only fully supported way to do this was to run a separate domain for each department, and many customers did this.  Alternatively other customers created a custom admin application that enforced departmental segmentation on a single domain.  The first solution is heavy on machine resources and administrative overhead, the second requires custom coding and adds a maintenance overhead.

12.1.3 to the Rescue

In 12.1.3 the partitions support custom application roles that grant access only to the given partition.  Users granted the role on the Finance partition will be able to see only information related to that partition; other partitions will not be visible to them.  This allows the Finance and HR departments to share the same domain but still not be able to see each other's composites.  This is documented in section 7.3 Securing Access to Partitions of the document Oracle® Fusion Middleware Administering Oracle SOA Suite and Oracle Business Process Management Suite.

Making it Work

The following steps enable you to set up partition level access.

1. Create a Partition

From the EM console right click soa-infra and select manage partitions.  This will take you to the partition management page.


From here click the Create button to bring up the Create New SOA Partition dialog which will allow you to choose a name for the partition (which cannot be changed) and a work manager to associate with the partition.


2. Create User

Using EM or WebLogic consoles create a new user such as FinanceMonitor that will have restricted access to the domain.  This user should be assigned to the Monitor group.


3. Grant Role to User

Using the EM console right click soa-infra and select Security->Application Roles.  This will take you to the Application Roles page.


From this page scroll down to find the role you want to assign and then click edit which will take you to the Edit Application Role page.


Here you can click Add to add a user, group or another role to this role.


Your user now has restricted access to the domain, being limited to his role on the given partition.

4. Test Access

We can test that the access is working as expected by logging on to the EM console as our new restricted partition user.

Note that our new user can only see the partition to which he has been assigned a role.


Roles Available

There are several roles available, each partition has the same set of roles prefixed with the partition name.  The following roles are available and described in Table 7-2 Partition Roles.

  • Composer
  • Deployer
  • Tester
  • Monitor
  • ApplicationOperator

So the HR partition would have the roles HR_Composer, HR_Deployer etc.

Note that these roles are each quite restrictive.  For example our FinanceMonitor user cannot use the Test button because he lacks the Finance_Tester role.  A Finance_Tester cannot see the flow trace.  To enable our FinanceMonitor to run tests we would have to grant him the Finance_Tester role as well.

As an alternative to assigning multiple roles to a user or group you could create a role and grant it the multiple roles you required.

 If you see a blank screen when logging in it is likely that you forgot to assign the monitor role to your user.
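An added example (not from the original post or Oracle's documentation): a Python check over a role-membership listing that resolves roles granted to other roles, then reports users whose effective roles span more than one partition or who hold Tester without Monitor. The input format, the custom role names and every user name other than FinanceMonitor are constructed assumptions.

```python
from collections import defaultdict

# Role suffixes listed on the page (Table 7-2 Partition Roles).
PARTITION_ROLE_SUFFIXES = {
    "Composer", "Deployer", "Tester", "Monitor", "ApplicationOperator",
}

# Constructed sample: application role -> members. A member is ("user", name)
# or ("role", name); the latter means that role has been granted this role.
# FinanceSupport and SharedOps are hypothetical custom grouping roles.
SAMPLE_GRANTS = {
    "Finance_Monitor": [("user", "FinanceMonitor"), ("role", "FinanceSupport")],
    "Finance_Tester": [("role", "FinanceSupport"), ("user", "fin_qa")],
    "Finance_Deployer": [("role", "SharedOps")],
    "HR_Monitor": [("user", "hr_ops"), ("role", "SharedOps")],
    "HR_Deployer": [("role", "SharedOps")],
    "FinanceSupport": [("user", "fin_support")],
    "SharedOps": [("user", "ops_admin")],
}


def split_partition_role(role_name):
    """Return (partition, suffix) for names like 'HR_Deployer', else None."""
    partition, sep, suffix = role_name.rpartition("_")
    if sep and partition and suffix in PARTITION_ROLE_SUFFIXES:
        return partition, suffix
    return None


def users_in_role(role, grants, _seen=None):
    """All users holding `role`, following nested role membership."""
    seen = _seen if _seen is not None else set()
    if role in seen:  # guard against cyclic role nesting
        return set()
    seen.add(role)
    users = set()
    for kind, name in grants.get(role, []):
        if kind == "user":
            users.add(name)
        elif kind == "role":
            users |= users_in_role(name, grants, seen)
    return users


def effective_access(grants):
    """Map user -> {partition: {role suffixes}} after resolving nesting."""
    access = defaultdict(lambda: defaultdict(set))
    for role in grants:
        parsed = split_partition_role(role)
        if parsed is None:
            continue  # custom grouping role: only matters as a member
        partition, suffix = parsed
        for user in users_in_role(role, grants):
            access[user][partition].add(suffix)
    return {u: {p: set(s) for p, s in parts.items()} for u, parts in access.items()}


def audit(grants):
    """Return findings as (user, kind, partitions) tuples, sorted by user."""
    findings = []
    for user, parts in sorted(effective_access(grants).items()):
        if len(parts) > 1:
            # The user can see composites of more than one department.
            findings.append((user, "cross-partition", sorted(parts)))
        for partition, suffixes in sorted(parts.items()):
            # Per the page, a Tester on its own cannot see the flow trace.
            if "Tester" in suffixes and "Monitor" not in suffixes:
                findings.append((user, "tester-without-monitor", [partition]))
    return findings


if __name__ == "__main__":
    for user, kind, partitions in audit(SAMPLE_GRANTS):
        print(f"{user}: {kind} ({', '.join(partitions)})")
```

In the constructed data, SharedOps is the kind of convenience role that quietly undoes the separation: it bundles roles from both partitions, so its one member ends up with access to Finance and HR.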


The partitions in SOA Suite 12.1.3 are much more useful than those in 11g and allow separation of roles to control visibility and functionality available to EM users.  This is very easy to set up and manage.

Wednesday Mar 19, 2014

Zero to SOA in Minutes! Announcing the SOA/BPM 11g Virtual Machine appliance

I am pleased to announce the availability of Oracle's SOA/BPM/OSB 11g Virtual Machine appliance. This VirtualBox virtual machine is meant for testing and evaluation purposes only. It is not certified, nor licensed for any production use. It is our most comprehensive virtual machine to date, with the following Oracle products installed, configured and functionally integrated within the appliance:
  •     Oracle Linux 6 Update 4 (64-bit)
  •     Oracle Database Express Edition 11g Release 2
  •     Oracle SOA Suite (includes Service Bus)
  •     Oracle Event Processing
  •     Oracle BPM Suite
  •     Oracle Webcenter Content (Enterprise Content Management)
  •     Oracle Webcenter Suite
  •     Oracle Webcenter Portal
  •     Oracle JDeveloper
  •     Oracle JRockit
  •     Java SE Development Kit

Refer to the README document for full details on the appliance features, installation guide, memory configurations, URLs, credentials and other recommended software.


Why do we need a SOA Developer Virtual Machine?

Virtual Machines (VM) play an important role in increasing developer productivity; saving hours, if not days, of provisioning effort in standing up a fully functional, configured Fusion Middleware platform for testing and evaluation. Think of it as your very own Platform as a Service (PaaS) on your laptop/desktop!

What can I use the VM for?

A developer VM can prove useful for a variety of reasons: quick internal demos, proof of concepts, testing etc. For those new to Oracle SOA or BPM Suite, it can serve as a powerful tool to learn these technologies, which is why it is very popular for developer learning and training sessions. In fact, the VM includes pre-configured lab artifacts - "PO Processing" and "Sales Quote" - that are used in Oracle instructor-led training sessions and in the "Getting Started" books on Oracle SOA Suite and Oracle BPM Suite.  

What benefits does the VM provide beyond simply installing the Oracle SOA Suite?

For enterprise development, installation of Oracle SOA Suite (or any single piece of software for that matter) is only a fraction of the overall effort needed to build an end-to-end configured development environment. Typical effort in standing up an integrated software stack on a "bare-metal" would involve the following provisioning tasks:

  • Create base image: Install supported version of the Linux OS e.g. Oracle Linux, Ubuntu, EC2 AMIs etc.
  • Setup base image: Security policies, firewalls, port forwarding rules, hard drive partitions on block storage
  • Install pre-requisite software: Java, Database
  • Install Fusion Middleware: SOA Suite, BPM Suite, Web Center and any other modules, run RCU with correct schema names and passwords
  • Setup Fusion Middleware: WLS domain with correct templates needed for SOA+BPM+BAM+Service Bus+WebCenter
  • Configure Modules: Association between BPM and WebCenter Content/Portal with the correct security setup 
  • Install additional tools/software: JDeveloper IDE, extensions
  • Optimize the environment: WLS console properties, front-end host, external listen address etc. for your network topology
  • Create accounts: Seed demo user accounts with email addresses (or other user accounts)

While you can always automate the above-mentioned steps, having a pre-provisioned DevOps style machine image can help you reduce development costs. It can get you from zero to a fully working SOA environment in minutes, on any developer's laptop. The benefits go beyond simply time to provision, it allows you to do more with less resources. For example, the VM allows developers to quickly switch between multiple running instances, each testing a new feature or version without the need for additional hardware.

We sincerely hope you enjoy using this VM and would love to hear your feedback!

Thursday Dec 19, 2013

Oracle SOA Black Belt Cheat Sheets (Free Download of the Year!)

'Tis the season of giving, so for this last post of the year, I am pleased to make available some of our most requested cheat sheets used internally and by various implementation partners world wide. These cheat sheets were created as part of the Oracle SOA Black Belt training sessions - advanced hands-on workshops that are available only to experienced Oracle SOA practitioners to gain deeper insight into the workings of the engine, enabling them to architect scalable solutions. If you have gone through this workshop, or have been working with the BPEL engine, I hope you will find this as a handy resource.

In case you are curious about this "black belt" workshop, here is a day-by-day blog written by one of our attendees.

And if you are wondering, yes, in some locations, we actually do hand out physical black belts - thanks to Jürgen Kress' SOA Community. Follow the tweets for more pictures.

Click on the link to download each. In case of any errors or if you would like to see more such collateral, please do provide feedback.

Weblogic Server Essentials Cheat Sheet (pdf)

SOA Essentials Cheat Sheet (pdf)

BPEL Service Engine Internals Cheat Sheet (pdf)

SOA Diagnostics Cheat Sheet (pdf) -- Thanks to Shawn Bailey for this one!

Happy Holidays and see you in the next year!

Wednesday Nov 13, 2013

Cloud to On-Premise Connectivity Patterns

Do you have a requirement to convert an Opportunity in to an Order/Quote in Oracle E-Business Suite? Or maybe you want the creation of an Oracle RightNow Incident to trigger an on-premise Oracle E-Business Suite Service Request creation for RMA and Field Scheduling? If so, read on.

In a previous blog post, I discussed integrating TO cloud applications, however the use cases above are the reverse i.e. receiving data FROM cloud applications (SaaS) TO on-premise applications/databases that sit behind a firewall. Oracle SOA Suite is assumed to be on-premise with Oracle Service Bus as the mediation and virtualization layer. The main considerations for the patterns are security i.e. shielding enterprise resources; and scalability i.e. minimizing firewall latency. Let me use an analogy to help visualize the patterns: the on-premise system is your home - with your most valuable possessions - and the SaaS app is your favorite on-line store which regularly ships (inbound calls) various types of parcels/items (message types/service operations). You need the items at home (on-premise) but want to safeguard against misguided elements of society (internet threats) who may masquerade as postal workers and vandalize property (denial of service?). Let's look at the patterns.

Pattern: Pull from Cloud

The on-premise system polls from the SaaS apps and picks up the message instead of having it delivered. This may be done using Oracle RightNow Object Query Language or SOAP APIs. This is particularly suited for certain integration approaches wherein messages are trickling in, can be centralized and batched e.g. retrieving event notifications on an hourly schedule from the Oracle Messaging Service.

To compare this pattern with the home analogy, you are avoiding any deliveries to your home and instead go to the post office/UPS/Fedex store to pick up your parcel. Every time.

Pros: On-premise assets not exposed to the Internet, firewall issues avoided by only initiating outbound connections

Cons: Polling mechanisms may affect performance, may not satisfy near real-time requirements

Pattern: Open Firewall Ports

The on-premise system exposes the web services that need to be invoked by the cloud application. This requires opening up firewall ports and routing calls to the appropriate internal services behind the firewall. Fusion Applications uses this pattern, and auto-provisions the services on the various virtual hosts to secure the topology. This works well for service integration, but may not suffice for large volume data integration.

Using the home analogy, you have now decided to receive parcels instead of going to the post office every time. A door mail slot cut out allows the postman to drop small parcels, but there is still concern about cutting new holes for larger packages.

Pros: optimal pattern for near real-time needs, simpler administration once the service is provisioned

Cons: Needs firewall ports to be opened up for new services, may not suffice for batch integration requiring direct database access

Pattern: Virtual Private Networking

The on-premise network is "extended" to the cloud (or an intermediary on-demand / managed service offering) using Virtual Private Networking (VPN) so that messages are delivered to the on-premise system in a trusted channel.

Using the home analogy, you entrust a set of keys to a neighbor or property manager who receives the packages, and then drops them inside your home.

Pros: Individual firewall ports don't need to be opened, more suited for high scalability needs, can support large volume data integration, easier management of one connection vs a multitude of open ports

Cons: VPN setup, specific hardware support, requires cloud provider to support virtual private computing

Pattern: Reverse Proxy / API Gateway

The on-premise system uses a reverse proxy "API gateway" software on the DMZ to receive messages. The reverse proxy can be implemented using various mechanisms e.g. Oracle API Gateway provides firewall and proxy services along with comprehensive security, auditing, throttling benefits. If a firewall already exists, then Oracle Service Bus or Oracle HTTP Server virtual hosts can provide reverse proxy implementations on the DMZ. Custom built implementations are also possible if specific functionality (such as message store-n-forward) is needed.

In the home analogy, this pattern sits in between cutting mail slots and handing over keys. Instead, you install (and maintain) a mailbox in your home premises outside your door. The post office delivers the parcels in your mailbox, from where you can securely retrieve it.

Pros: Very secure, very flexible

Cons: Introduces a new software component, needs DMZ deployment and management

Pattern: On-Premise Agent (Tunneling)

A light weight "agent" software sits behind the firewall and initiates the communication with the cloud, thereby avoiding firewall issues. It then maintains a bi-directional connection either with pull or push based approaches using (or abusing, depending on your viewpoint) the HTTP protocol. Programming protocols such as Comet, WebSockets, HTTP CONNECT, HTTP SSH Tunneling etc. are possible implementation options.

In the home analogy, a resident receives the parcel from the postal worker by opening the door, however you still take precautions with chain locks and package inspections.

Pros: Light weight software, IT doesn't need to setup anything

Cons: May bypass critical firewall checks e.g. virus scans, separate software download, proliferation of non-IT managed software


The patterns above are some of the most commonly encountered ones for cloud to on-premise integration. Selecting the right pattern for your project involves looking at your scalability needs, security restrictions, sync vs asynchronous implementation, near real-time vs batch expectations, cloud provider capabilities, budget, and more. In some cases, the basic "Pull from Cloud" may be acceptable, whereas in others, an extensive VPN topology may be well justified.

For more details on the Oracle cloud integration strategy, download this white paper.

Monday Aug 19, 2013

Integrating with - Video Demo and Whitepaper

A few months ago, I posted a video demo showing how easy it is to integrate with cloud applications such as Oracle RightNow using Oracle SOA Suite 11g. The post got a tremendous response, and I got quite a few requests to show the same ease of integration with non-Oracle SaaS vendors e.g. Check out the following videos and whitepaper developed by one of our close partners, Bristlecone, to demonstrate this integration.

The first video shows the runtime Opportunity record synchronization between and a custom application, a common integration use case with to avoid errors and inefficiencies associated with dual-data entry. The second video demonstrates the design-time for this solution and shows nuances you need to be aware of in the SaaS world e.g. handling polymorphic operations in BPEL. The accompanying white paper goes into the technical details and provides step-by-step instructions to use these patterns in your projects. All the videos are also available in this YouTube playlist.

Video 1: Runtime synchronization

Video 2: Design-time experience

Whitepaper: Integrating with with Oracle SOA Suite 11g (Bristlecone)

For more information on Oracle's solution to simplifying hybrid cloud integration complexity, download the white paper "Cloud Integration - A Comprehensive Solution"

Wednesday Apr 10, 2013

Video Demo: Hybrid Cloud Integrations using Oracle SOA Suite

The blog post "Cloud Integration in Minutes" - True or False? highlighted the challenges faced by integration projects, beyond just simple web service connectivity. However, as stated in that article, it is possible to implement SaaS API "connectivity" in minutes, and this post is going to show you how! We will go through a step-by-step approach using Oracle SOA Suite 11g, and integrate with the Oracle RightNow CX Cloud Service as an example, demonstrating the ease with which you can incorporate cloud applications in your overall enterprise integration architecture, today.

You may be hearing a lot about cloud connectivity, with "adapters" sprouting up everywhere and wondering - what's the big deal with cloud APIs? Isn't a SaaS API simply a REST/SOAP based web service call?

Yes and No! Web services standards are one of the key characteristics of cloud connectivity, however the implementations differ vastly. To use an analogy, the term "democracy" is broadly considered as a form of government wherein citizens have an equal say in decisions that affect their daily lives, however, its implementation varies vastly across countries from "direct democracy" to "representative democracy" (see Wikipedia).

Similarly, SaaS APIs are built on some key characteristics at the technical level, however the functional implementations vary drastically across vendors. As seen in the diagram below, even if every SaaS API only ever used established technical standards (on the left), the combination and configuration of those standards can result in functional API implementations (on the right) that don't seem to have anything in common.


For example, one vendor may choose to implement their SaaS APIs using REST/JSON and OAuth, whereas another may use SOAP/XML and WS-Security - an example of combination choices. Even if both used SOAP/XML, the object schemas can be different - both syntactically and semantically, for example, the definition of a "Customer" will differ in B2B and B2C scenarios. In addition, the vendors may use different WSDL types (strong vs loose typed), different customization approaches (generated vs flex fields), or how authentication credentials are sent (SOAP header vs body), or message interaction patterns (synchronous vs delayed asynchronous response), or API styles (Java code or SQL syntax), or how the ETL patterns are implemented (one file per object vs multiple zipped files).

In short, the software industry has good technical standards (and a lot of them!), but lacks functional standards for semantic interoperability across vendor APIs. Multiply this by the number of technical protocols and clients, and you can see why functional standards are the real source of complexity in ANY integration project - SaaS or on-premise; and is the reason I consider claims of "integration in minutes" as being naive at best.

The 23 minute video below walks you step-by-step in integrating with a SaaS API, showing how Oracle SOA Suite 11g is flexible enough to adapt to any combination of the technical standards above, making it an ideal choice for hybrid cloud integrations. For more examples of hybrid cloud integrations, download this white paper.

If you are familiar with Oracle WebLogic Server certificate setups, skip the video above in the future and go to this abridged 11 minute version. If you like this video and would like to see more tips like this or have any questions, we would like to hear from you in the comments below. Special thanks to the Oracle SOA Suite integration architecture team, especially Ravindran Sankaran and Narayana Pedapudi, for help with the demo implementation.

Monday Dec 10, 2012

“Cloud Integration in Minutes” – True or False?

The short answer is “yes”. Connecting on-premise and cloud applications “in minutes” is true…provided you only consider the connectivity subset of integration and have a small number of cloud integration touch points.

At the recent Gartner AADI conference, 230 attendees filled up the Oracle session to get a more comprehensive answer to this question. During the session, titled “Simplifying Integration – The Cloud & Mobile Pre-requisite”, Oracle’s Tim Hall described cloud connectivity and then, equally importantly, the other essential and sometimes overlooked aspects of integration required to ensure a long term application and service integration strategy. To understand the challenges and opportunities faced by cloud integration, the session started off with a slide that describes how connectivity can quickly transition from simplicity to complexity as the number of applications and service vendor instances grows:

Reasons for Cloud Integration Complexity

Increased complexity puts increased demand on the integration platform

As companies expand from on-premise applications into a hybrid on-premise/cloud infrastructure with support for mobile, cloud, and social, there is a new sense of urgency to implement a unified and comprehensive service integration platform. Without getting this unified platform in place, companies face increased complexity and cost managing a growing patchwork of niche integration toolsets as well as the disparate standards mandated by each SaaS vendor as shown in the image below:

Niche integration toolsets with overlapping and incomplete functionality

Incomplete and overlapping offerings from a patchwork of niche vendors

Also at Gartner AADI, Oracle SOA Suite customer Geeta Pyne, Director of Middleware at BMC, presented their successful strategy on how BMC efficiently manages their cloud integration despite disparate requirements from each vendor. From one of Geeta’s slides:

  • Interfaces are dictated by SaaS vendors; wide variety (SOAP, REST, Socket, HTTP/POX, SFTP); Flexibility of Oracle Service Bus/SOA Suite helps to support
  • Every vendor has their way to handle Security; WS-Security, Custom Header; Support in Oracle Service Bus helps to adhere to disparate requirements

At BMC, the flexibility of Oracle Service Bus and Oracle SOA Suite allowed them to support the wide variation in the functional requirements as mandated by their SaaS vendors.

In contrast to the patchwork platform approach of escalating complexity from overlapping SaaS toolkits, Oracle’s strategy is to provide a unified platform to support disparate requirements from your SaaS vendors, on-premise apps, legacy apps, and more. Furthermore, Oracle SOA Suite includes the many aspects of comprehensive integration beyond basic connectivity including orchestration, analytics (BAM, events…), service virtualization and more in a single unified interface.

Oracle SOA Suite

Oracle SOA Suite – Unified and comprehensive

To summarize, yes you can achieve “cloud integration in minutes” when considering the connectivity subset of integration but be sure to look for ways to simplify as you consider a more comprehensive view of integration beyond basic connectivity such as service virtualization, management, event processing and more. And finally, be sure your integration platform has the deep flexibility to handle the requirements of all your future SaaS applications…many of which are unknown to you now.

Wednesday Oct 03, 2012

Oracle Service Bus Customer Panel - Choice Hotel's Deployment Description at OpenWorld

Choice Hotels shared their Oracle Service Bus deployment during the recent Customer Panel on Oracle Service Bus.  Charlie Taylor of Choice provides an excellent in-depth description of architectural guidelines including project naming and project structure.  Below is a screenshot from the session highlighting the flow from proxy service to business service, transformation, orchestration and more:

Choice Hotels Service Bus Image

For more information about Oracle OpenWorld SOA & BPM Session, please see the Focus on SOA and BPM document 

Oracle SOA Suite customer panel: Successful Application Integration & SOA Projects

At the recent SOA Suite customer panel, Roger Brown from UNS Energy, Fabio Ravagni from Cencosud and Paras Jain from Cisco discussed their recent SOA Suite implementations, business drivers and challenges, architecture and lessons learned.

Roger started by describing how UNS redesigned their internet portal to improve their customer experience and reduce manual steps in their business processes.

Through the use of Oracle Service Bus, Oracle BPEL Process Manager and Oracle Business Activity Monitoring, they provided more self-service functionality, automated their business processes and increased the use of their web site by 12.98% for number of visits and 33.58% for average visit duration.

The screenshot below shows the UNS architecture:

UNS SOA architecture

Next Fabio described the challenges Cencosud faced through continuous expansion of their business, different standards and levels of expertise and large volumes of information.

By introducing Oracle SOA Suite, Oracle Data Integrator and Oracle Enterprise Repository, and with the help of Oracle Consulting, they significantly simplified their integration model, reduced their maintenance effort and increased their integration governance.

The picture below shows the implemented solution with so far more than 400 services in production and more than 20 ongoing projects, which will make use of the new integration platform.

Cencosud implemented solution

Last, but not least, Paras discussed the challenges the Webex division of Cisco faced with a highly manual service fulfillment process, multiple data sources and the resulting large room for error and delay in customer time-to-service.

Through a redesign of their order fulfillment process and the introduction of Oracle SOA Suite (see below), they significantly improved their SLAs, eliminated duplicate orders, provided higher visibility into the order process and aligned business and IT.

Cisco's system flow

For more information about Oracle OpenWorld SOA & BPM Session, please see the Focus on SOA and BPM document

Monday Mar 19, 2012

Integrating with Oracle Fusion Applications: Discovering Integration Artifacts

Rajesh Raheja, software architect at Oracle, has recently posted the first of a series of blogs on the topic of integrating with Oracle Fusion Applications, which is the next generation of enterprise applications built on top of Oracle Fusion Middleware. His goal is to share the ease with which integrations are now possible using standards-based technologies with enterprise applications. You can find his full blog post here.

Friday May 27, 2011

Purging Strategies in Oracle SOA Suite 11gR1 PS3

UPDATE: the detailed whitepaper on "SOA 11g Database Growth Management Strategy" is now available.

Just a quick post before taking off for the long Memorial Day weekend in the US (we are off on Monday).

Since shipping Oracle SOA Suite 11g we’ve seen an explosion of the amount of data being processed by the product across the world. The net result of this is a corresponding growth in audit data and increasingly more complex needs on the purging side: oftentimes purges need to happen on a running system and that means with the least possible impact on operations. We have added several improvements in PS3 to the purge scripts. Here is a set of slides describing the various purging strategies now available in Oracle SOA Suite: from the graphical tools in Enterprise Manager, to PL/SQL scripts (looped purge and parallel purge) and database partitioning.

This slide deck is a work in progress so please leave your questions on purging in comments and I will try to address them in the next version (and if I don’t, Deepak will in the more substantial whitepaper that he is preparing on this very topic).


SOA PM team
Welcome to the Oracle SOA Suite team blog. We'll use this site for news and information that did not make it into our official documentation for one reason or another.

