Friday Nov 07, 2014

Traditional datacenter capabilities needed from public and private PaaS

Cloud technology has become mainstream with its promise of infinitely expandable and low cost “pay as you go” services. Referring back to my prior blog highlighting the ComputerWorld cloud/PaaS survey report, almost 82% of the survey respondents said that they want the same mission-critical capabilities from cloud as they do from their existing in-house datacenters.


The top requirements for private PaaS environments include service-level guarantees, disaster recovery, and management tools, in addition to integration with applications still housed in the data center. In public PaaS environments, service-level guarantees and access control in the form of integrated identity management rank among the most important factors. If you would like to learn more about how your peers are approaching the adoption of public and private cloud PaaS environments, please read the ComputerWorld Survey Report.

Thursday Nov 06, 2014

WebLogic and Oracle Database Success Story: Russian Insurance Company Increases Application Scalability and Triples Data Volume

Announcement in Russian
Alfastrakhovanie PLC
Moscow, Russia
Insurance Industry

Alfastrakhovanie PLC offers more than 100 insurance products and services through partner channels across Russia. With 400 branch offices located in all nine Russian time zones, Alfastrakhovanie serves 20 million private clients and 440,000 companies. In 2013, Russian rating agency Expert RA listed Alfastrakhovanie as one of the five leading Russian insurance companies by premiums and reinsurance, and gave the company's financial reliability the highest possible A++ rating.

Alfastrakhovanie faced the multiple challenges of ensuring fast access to customer information across 400 branch locations, ensuring high availability of applications, and providing scalable services.

By utilizing Oracle Database, Oracle WebLogic & Oracle Hyperion Planning, they met their performance goals by processing data volumes at triple their prior rate and provided their insurance agents with reliable, fast access to decision-making tools.

"The fast pace of our development and expansion in the Russian insurance market left no room for compromise when choosing a database management platform and supporting technology. Oracle technology enabled us to deal with data volumes that were increasing twofold to threefold per year with no adverse effect... Our growth would be impossible without that performance."

Alfastrakhovanie specifically utilized WebLogic Server to rapidly develop and deploy Java EE applications to enhance the company's applications portfolio, ensure application scalability, and reduce operating costs.

Learn more on the official announcement in English or Russian.

Friday Oct 31, 2014

Portic Barcelona uses WebLogic for Private PaaS, Achieves 32x Performance Improvement

Portic Barcelona S.A. (Portic) is a service provider used by the logistics community of the Port of Barcelona. Portic’s mission is to improve the competitiveness of the Port of Barcelona Logistics Community through a technological platform that facilitates interaction between its members through its information services to logistics agents and other customers.

Portic's goal was to establish a hardware-independent, cost-effective, centralized platform support and maintenance with a single, strategic supplier to reduce complexity and enable the group to focus on core services instead of IT systems. It used Oracle WebLogic Suite as a foundation for building an on-premise cloud across web servers, application servers, and databases—deploying databases and applications 12x faster, within minutes instead of hours.

“Oracle SuperCluster combined with Oracle VM Server for SPARC and Oracle WebLogic Suite offered an integrated solution capable of consolidating and virtualizing the platform quickly and cost effectively—for a 5x better price/performance ratio than the other solutions we evaluated,” said Vinicio González, director de sistemas, Portic Barcelona.

Read the FULL STORY here.

Wednesday Oct 29, 2014

WebLogic Success Story in Brazil: Automated Project Workflow & Improved Monitoring of Trade Initiatives

Announcement in Portuguese
The Brazilian Trade and Investment Promotion Agency
(Agência Brasileira de Promoção de Exportações e Investimentos)

Brasilia, Brazil
Professional Services Industry

The Brazilian Trade and Investment Promotion Agency (Apex-Brasil) fosters the overseas competitiveness of Brazilian companies by promoting international trade-promotion initiatives, such as trade missions, targeted business-matching financing, as well as supporting Brazilian companies to participate in major international trade fairs.

They faced the multiple challenges of integrating their ERP system with Oracle Business Intelligence [BI], bringing automation and transparency to business projects, and making project statuses traceable to increase corporate efficiency.
By utilizing Oracle SOA Suite, Oracle ADF & Oracle WebLogic, they met their performance goals with availability now at 99.9%.

"Having the ability to analyze management and enterprise data allows us to check the impact and result of each project and corporate action, and this has guided us in decision-making, significantly improving our results."

Apex-Brasil specifically utilized WebLogic Server as part of their solution to manage the project-management application’s development environments and to integrate business systems. This reduced their IT environment complexity and ensured easy integration of all components. By choosing this robust solution, Apex-Brasil was able to successfully implement a scalable architecture that ensured business continuity and high availability.

Learn more on the official announcement in English or Portuguese.

Friday Oct 17, 2014

Customers Speak: Cloud Needs Guarantees, PaaS Growing Rapidly

Do you want to know what mission-critical capabilities the market is prioritizing for cloud platform as a service [PaaS]? Are you wondering what development language your peers are choosing for cloud?

A new survey of 300 IT executives conducted by ComputerWorld Strategic Marketing Services on Cloud adoption helps answer these questions and more. The report highlights:

  • The current state of cloud adoption in the marketplace
  • Key challenges to cloud PaaS adoption
  • The most critical cloud PaaS capabilities
  • User requirements the market prioritizes
Read this Computer World Survey Report to learn how your cloud plans stack against your peers’ and what your priorities should be.

Thursday Oct 16, 2014

What does a Telecom Services Provider have in common with a Travel Group?

Verizon Communications and TUI Travel are winners of the Oracle Excellence Awards for Fusion Middleware Innovation for the Cloud Application Foundation category at this year's OpenWorld. They were honored at the Oscar-like ceremony held on Tuesday, Sept 30th. [You can find an overview of the Fusion Middleware Innovation Awards Ceremony and the full list of winners across all 12 categories in the following blog post: And The Winners Are.... ].

Verizon's goal was to build a robust, high-availability solution that provides responses in less than 500 milliseconds while ensuring data integrity across multiple data centers. They wanted to create a common service layer and expose the in-memory grid as a service, which will allow other systems to leverage this platform and provide a better customer experience. The Verizon system now caches the entire customer base on Oracle Coherence grid (5 TB across multiple data centers) which reduces the load on the back-end Oracle Database by about 60 percent and improves the response time from 2.8 seconds to approx. 0.3 seconds. The Coherence grid-as-a-service enables customer information to be stored in one place and provides a 360-degree view of the customer from ordering to billing.


The use case for TUI Travel, as expected, is very different. TUI's new transfer redesign project included a complete new set of functionalities to ensure that transfers during travel could be sold door to door or from any place to any place. In order to achieve this, a point in polygon algorithm is loaded in the Coherence Grid. This can detect if a given GPS point is inside the subset of polygons loaded into each Coherence grid node. Instead of refreshing (polling) the data from the database to Coherence, TUI Travel uses Golden Gate HotCache to push the changes to Coherence as soon as they happen. WebLogic 12c helps TUI to do side by side deployments and enables horizontal scaling. WebLogic also enabled TUI to reduce risks in the deployment and minimize total time for deployment.

Congratulations to Verizon and TUI Travel for winning this year's Oracle Excellence Awards for Fusion Middleware Innovation in the Cloud Application Foundation category! 

Oracle Uses WebLogic, Database, Enterprise Manager to Strengthen Cloud Security and Optimize Performance

Oracle develops database and middleware software, application software, and hardware systems for its customers. But we also eat our own "dog food" when it comes to cloud, security and Big Data principles. As you learned at OpenWorld 2014, we're focused on driving transformation in the cloud and bringing a unified platform to the market that will allow maximum flexibility, availability and choice. We do that by using the same products we sell (like WebLogic) and leveraging their strengths in our own internal services.

For example, Oracle is enabling near-real-time analysis of its cloud systems’ behavior by various means, including Oracle WebLogic Server Diagnostic Framework, Oracle Enterprise Manager Monitoring Templates and corrective actions, and by collecting and analyzing hundreds of metrics and log files on a near-real-time basis.

Further, Oracle is using big data to improve cloud environment performance and ensure service-level-agreement compliance, which includes latency of less than one second. For example, it can now rapidly and effectively track and analyze how Java Virtual Machines in Oracle Public Cloud are using heap memory.

In these types of ways, by utilizing the products we already have, we're demonstrating a commitment to stability, ease of use, security and usefulness of the Oracle Cloud.

Maybe start out with a free trial of our WebLogic-in-the-cloud solution, Java Cloud Service. It's easy to try - Larry even gave a demo of it during one of his keynotes and noted how he was confident it would work in a live situation. And of course, it went off without a hitch.

More details on this topic can be found in a broader Oracle case study - on ourselves.

Friday Oct 10, 2014

Announcing WebLogic on Oracle Database Appliance 12.1.3.0.0

Oracle WebLogic Server on Oracle Database Appliance 12.1.3 offers a complete solution for building and deploying enterprise Java EE applications in a fully integrated system of software, servers, storage, and networking that delivers highly available database and WebLogic services. The world's most popular database, Oracle Database and the industry's best application server, WebLogic Server have been combined in this industry-unique appliance to provide high availability and the simplicity of One-Button deployment. And to top it all off, it reduces IT cost with a unique capacity-on-demand software licensing model.

Here you can download the new version of WebLogic on ODA 12.1.3, which offers WebLogic templates for 11g (10.3.6) and 12c (12.1.2 and 12.1.3).

http://www.oracle.com/technetwork/middleware/weblogic-oda/downloads/index.html

The following highlighted new features are included in this release:

  • Oracle Database 12c support on ODA integrated with WebLogic Server.
  • WebLogic on ODA provisioning tool now offers not only multi domain and multi cluster options in the wizard-driven templates, but also the single WebLogic instance provisioning.
  • Provides Coherence provisioning in the wizard-driven templates.
  • Much faster provisioning with new ‘snap’ feature
  • New licensing options include a 'pool' of WebLogic licenses with min/max range, that can be allocated to WebLogic, Oracle Traffic Director and other Oracle Cloud Application Foundation products.

Monday Sep 29, 2014

WebLogic Server 12.1.3 on JDK 8

WebLogic Server 12.1.3 is now certified on Java SE 8. We started working on this about two years ago. It required changes both in product code and various 3rd party tools like ASM for bytecode manipulation and Eclipse Java Development Tools for compiling Java Server Pages (JSP). It’s supported on Windows, Linux, and Solaris 64-bit platforms with HotSpot JDK8 Update 20 or later. Gone are the days when you need to get MaxPermSize set correctly on the command line (it’s ignored by JDK8). This certification is specifically for WebLogic Server and does not include other Oracle software unless specifically stated.

I won’t list all of the new Java SE 8 features here (see http://www.oracle.com/technetwork/java/javase/8-whats-new-2157071.html for a list) but you can now use the popular features like Lambda expressions and default methods in your application code, including JSPs. See the example below for a simple servlet that makes use of Lambda expressions.

Java SE 8 has new APIs for JDBC 4.2, which are supported for WebLogic Server 12.1.3 running on Java SE 8 with a JDBC driver that supports JDBC 4.2. The Derby 10.10 driver that is shipped with WebLogic Server 12.1.3 has been tested with JDBC 4.2 (see http://db.apache.org/derby/docs/10.10/ref/rrefjdbc4_2summary.html for more information). WLS data source uses dynamic proxies so that APIs in the vendor interfaces show through to the application. The combination of dynamic proxies along with the new JDK8 default methods meant that no changes were necessary for WLS to support JDBC 4.2; all of the work is done in the JVM and the vendor JDBC driver. I’ll write a separate blog with more information on JDBC 4.2.

One area that needs integration is the Java EE 7 Concurrency Features in JSR 236 and Java SE use of fork/join and the parallel streams features. At this time, WebLogic Server 12.1.3 does not support applications using fork/join and the parallel streams features so avoid using them when building WLS applications. The reason for this restriction is that the threads used by the fork/join thread pool will not be WebLogic Server managed threads. Any of the work performed in these threads may not be able to make use of WebLogic Server or Java EE facilities because the state of these threads, including security and transaction state, may not be created properly. Further, these threads will not be controlled by WebLogic Server Work Manager thread management facilities, possibly resulting in excessive thread usage.
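A check for this restriction, as an added example that is not part of the original post: a Python scanner that flags parallel-stream and fork/join usage in Java source while ignoring comments and string literals. The pattern list is a heuristic chosen here, and the Java sample is constructed for the illustration.

```python
import re

# Heuristic patterns (chosen for this example) for JDK 8 APIs that run work
# on fork/join pool threads rather than WebLogic-managed threads.
PATTERNS = [
    ("parallel stream", re.compile(r"\.\s*parallelStream\s*\(")),
    ("parallel stream", re.compile(r"\.\s*parallel\s*\(\s*\)")),
    ("fork/join API", re.compile(
        r"\b(ForkJoinPool|ForkJoinTask|RecursiveTask|RecursiveAction)\b")),
]


def blank_comments_and_literals(src):
    """Replace comments and string/char literals with spaces.

    Newlines are kept so that reported line numbers match the original file.
    """
    out = []
    i, n = 0, len(src)
    state = "code"  # code | line | block | '"' | "'"
    while i < n:
        ch = src[i]
        nxt = src[i + 1] if i + 1 < n else ""
        if state == "code":
            if ch == "/" and nxt in ("/", "*"):
                state = "line" if nxt == "/" else "block"
                out.append("  ")
                i += 2
                continue
            if ch in ('"', "'"):
                state = ch
                out.append(" ")
            else:
                out.append(ch)
        elif state == "line":
            if ch == "\n":
                state = "code"
            out.append("\n" if ch == "\n" else " ")
        elif state == "block":
            if ch == "*" and nxt == "/":
                state = "code"
                out.append("  ")
                i += 2
                continue
            out.append("\n" if ch == "\n" else " ")
        else:  # inside a literal; state holds the opening quote character
            if ch == "\\":  # skip the escaped character
                out.append(" " + ("\n" if nxt == "\n" else " "))
                i += 2
                continue
            if ch == state or ch == "\n":
                state = "code"
            out.append("\n" if ch == "\n" else " ")
        i += 1
    return "".join(out)


def scan_java(src):
    """Return [(line number, kind, source line)] for each flagged line."""
    cleaned = blank_comments_and_literals(src).split("\n")
    original = src.split("\n")
    findings = []
    for number, line in enumerate(cleaned, start=1):
        for kind, pattern in PATTERNS:
            if pattern.search(line):
                findings.append((number, kind, original[number - 1].strip()))
                break
    return findings


# Constructed sample: two real uses, plus a comment and a string literal
# that mention the APIs and must not be reported.
SAMPLE_JAVA = """\
package demo;
import java.util.List;
public class Report {
    // do not call items.parallelStream() here
    int total(List<Integer> items) {
        return items.parallelStream().mapToInt(Integer::intValue).sum();
    }
    int slow(List<Integer> items) {
        String note = "stream().parallel() is off";
        return items.stream().mapToInt(Integer::intValue).sum();
    }
    long count(List<String> names) {
        return names.stream().parallel().filter(s -> !s.isEmpty()).count();
    }
}
"""

if __name__ == "__main__":
    for number, kind, text in scan_java(SAMPLE_JAVA):
        print("line %d: %s: %s" % (number, kind, text))
```
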

There have been many enhancements in the area of security in JDK8. You might need to install the new Unlimited Strength Java(TM) Cryptography Extension Policy Files for the Java(TM) Platform, Standard Edition Runtime Environment 8. You can download the JCE Unlimited Strength Jurisdiction Policy Files for JDK8 at http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html.

It’s likely that you will want to upgrade to the latest version of your favorite IDE if you want to make use of JDK8 features in your development. In general, I have found that many tools have already been revised for JDK8 support. The only thing I have found that isn’t updated yet is jarjar (it has an embedded copy of ASM 4, which doesn’t work with JDK8). Java 8 is available as an update for Eclipse Kepler and built into Eclipse Luna (4.4). Oracle ships “Oracle Enterprise Pack for Eclipse (12.1.3.1.1)”, also known as OEPE, that runs on Luna and supports JDK 7 and 8 (see http://www.oracle.com/technetwork/developer-tools/eclipse/downloads/index.html). If you use Eclipse for development with Oracle products, you should give OEPE a try for “unparalleled development experience for Eclipse developers looking to leverage Oracle's Middleware, Mobile, Database and Cloud Platforms."

The “What’s New” document for WebLogic Server 12.1.3 has been updated with more information about JDK8 support (see http://docs.oracle.com/middleware/1213/wls/NOTES/index.html#NOTES193). So download the latest HotSpot SE 8 JVM and try out some new features.

Calculator.java servlet:

import java.io.IOException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet(
    name = "Calculator",
    urlPatterns = "/calculator"
)
public class Calculator extends HttpServlet implements Servlet {
    protected void doGet(HttpServletRequest request,
            HttpServletResponse response) throws ServletException, IOException {
        doPost(request, response);
    }

    protected void doPost(HttpServletRequest request,
            HttpServletResponse response) throws ServletException, IOException {
        Integer number1;
        Integer number2;
        try {
            // valueOf throws NumberFormatException for missing or non-numeric input
            number1 = Integer.valueOf(request.getParameter("number1"));
            number2 = Integer.valueOf(request.getParameter("number2"));
        } catch (NumberFormatException e) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "number1 and number2 must be integers");
            return;
        }
        // A missing operator would make the switch throw NullPointerException
        String operator = request.getParameter("operator");
        if (operator == null) {
            operator = "";
        }

        // Each operation is a lambda implementing the IntegerMath interface
        IntegerMath multiplication = (num1, num2) -> num1 * num2;
        IntegerMath division = (num1, num2) -> num1 / num2;
        IntegerMath addition = (num1, num2) -> num1 + num2;
        IntegerMath subtraction = (num1, num2) -> num1 - num2;

        Integer result = 0;
        switch (operator) {
            case "+":
                result = operatorBinary(number1, number2, addition);
                break;
            case "-":
                result = operatorBinary(number1, number2, subtraction);
                break;
            case "*":
                result = operatorBinary(number1, number2, multiplication);
                break;
            case "/":
                // Integer division by zero would throw ArithmeticException
                if (number2 == 0) {
                    response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                            "division by zero");
                    return;
                }
                result = operatorBinary(number1, number2, division);
                break;
            default:
                response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                        "operator must be one of + - * /");
                return;
        }
        request.setAttribute("result", result);
        request.getRequestDispatcher("calculator.jsp").forward(request, response);
    }

    // Functional interface, so it can be the target type of a lambda
    interface IntegerMath {
        int operation(int number1, int number2);
    }

    public int operatorBinary(int number1, int number2, IntegerMath op) {
        return op.operation(number1, number2);
    }
}

calculator.jsp

<form id="calculator" action="calculator" method="post">
  <p>
    First number <input name="number1" type="text"/>
    <select name="operator">
      <option value="*"> * </option>
      <option value="/"> / </option>
      <option value="+"> + </option>
      <option value="-"> - </option>
    </select>
    Second number <input name="number2" type="text"/>
    <button type="submit"> Calculate </button>
  </p>
  <p> Result: <span id="result">${result}</span></p>
</form>

P.S. There are patches available on My Oracle Support for two bugs that you might need to download.

  • Patch 18729264 - JAVA8 JDT GA MAY FAIL WITH JDK8 RUNTIME AND "-SOURCE" / "-TARGET" LESS THAN 1.8
  • Patch 18428696 - EJBGEN HAS REFERENCES TO SUN.MIRROR.APT, WHICH GOES AWAY IN JDK8

Tuesday Sep 16, 2014

JMS JDBC Store Performance on Oracle RAC

Much performance testing has been done in the area of JMS running on a JDBC store on an Oracle RAC Cluster. The goal of this article is to point to some existing documentation, point out a new, related feature in WLS 12.1.3, and summarize the various approaches.

First, let me point out suggestions in optimization of the Oracle database table that is used for the JMS backing store. The current JMS documentation proposes using a reverse index when enabling "I/O Multi-threading", which in turn is only recommended for heavy loads. If you have licensed the Oracle database partitioning option, you can use global hash partition indexes for the table. This cuts down the contention on the index, reduces waiting on the global cache buffer, and can significantly improve the response time of the application. Partitioning works well in all cases, some of which will not see significant improvements with a reverse index. See http://www.oracle.com/technetwork/database/availability/maa-fmw-soa-racanalysis-427647.pdf (this document also has some interesting comments about pool and cache size). A second recommendation is to use secure files to improve performance, make storage more efficient, and ease manageability. This is generally recommended to improve throughput with a JDBC store when message sizes are large and when network connections to the database are slow. See the details about secure files at http://www.oracle.com/technetwork/database/availability/oraclefmw-soa-11gr1-securefiles-1842740.pdf. Combining these together, the schema for the JMS backing store would look something like this:

CREATE TABLE JMS1.JMSWLSTORE (
        ID INT NOT NULL, 
        TYPE INT NOT NULL, 
        HANDLE INT NOT NULL, 
        RECORD BLOB NOT NULL,
        PRIMARY KEY (ID) USING INDEX GLOBAL PARTITION BY HASH (ID) PARTITIONS 8
        TABLESPACE JMSTS 
   )
   LOB (RECORD) STORE AS SECUREFILE (TABLESPACE JMSTS ENABLE STORAGE IN ROW); 

The number of partitions should be a power of two to get similar sizes in the partitions. The recommended number of partitions will vary depending on the expected table/index growth and should be analyzed over time by a DBA and adjusted accordingly. See the “Oracle Database VLDB and Partitioning Guide” for other relevant parameters. Look at the custom DDL feature to use a custom JMS JDBC store table (see http://docs.oracle.com/middleware/1213/wls/CNFGD/store.htm#i1160628).

These improvements work whether you are using Multi Data Source (MDS) or Active GridLink (AGL) running against a RAC Cluster.

A new trick was added to the performance arsenal in WLS JMS 12.1.3. As with any application that uses a database, there’s overhead in all round-trips from the application to the database. The JMS JDBC store code uses batching with databases that support it. Depending on the configured batch sizes (i.e., DeletesPerBatchMaximum and InsertsPerBatchMaximum) and the number of operations in the transaction, the transaction will consist of one or more round-trips for the batch execution(s) and a round-trip for the commit. The new configuration option OraclePiggybackCommitEnabled also piggybacks the commit on the batch operation (Oracle Thin driver only). For small transactions, a single round-trip executes the batch and does the commit, cutting in half the number of round-trips.

Much work has been done looking at the overall performance for both MDS and AGL. Starting with the connection affinity enhancements in WLS 12.1.2, the performance of MDS configured with failover (as opposed to round-robin) and AGL is roughly the same. The MDS failover algorithm reserves all connections on one instance until it fails so that there is affinity of connections. Prior to WLS 12.1.2, MDS with failover had better performance than AGL because AGL did not have affinity of connections to a single instance. The use of AGL over MDS is recommended because it provides superior RAC support in many areas including management and failover (see http://docs.oracle.com/middleware/1212/wls/JDBCA/gridlink_datasources.htm#BABHGDJH for more details). However, AGL is only licensed for use with WebLogic Suite or Exalogic Elastic Cloud Software (EECS). Finally, the key to performance is not only the number of work threads (as one might expect) but the number of concurrent producers and consumers. For fewer than ten producers and consumers, use normal services on multiple RAC instances with the hash partitioned index and secure files for the LOB, as described above. For higher concurrency (over nine producers and consumers), it is more efficient to use a singleton database service. It should be configured with a preferred instance and failover instance for High Availability.

Optimization of the use of a WLS data source for a JMS JDBC store can significantly improve the performance of JMS throughput and the corresponding application. As with all performance investigations, you will need to test this with your own application and data.

Wednesday Sep 03, 2014

Developing with Oracle WebLogic Server 12.1.3 - Whitepaper and Video

Accompanying the release of Oracle WebLogic Server 12.1.3 a whitepaper was published that describes the new developer oriented features that the product release contains. As this previous blog describes, it covers in some detail the new and updated Java EE APIs provided in the release:

  • Java API for WebSocket 1.0
  • Java API for JSON Processing 1.0
  • Java API for RESTful Web Services 2.0
  • Java Persistence API 2.1

It also discusses the general developer features of Oracle WebLogic Server, including the existing Java EE 6 support and some new additional capabilities such as the WebSocket Emulation library and a programming model for developing applications that use the Server-Sent Events feature of HTML5.

A video presentation covering all these new capabilities is also available on the YouTube/OracleWebLogic channel - describing the developer features of the product and how they offer support for building modern applications.

See it directly on YouTube @ Developing with Oracle WebLogic Server 12.1.3


Tuesday Sep 02, 2014

Oracle WebLogic Server 12.1.3 - Live WebCasts coming during September

Hello - 

The WebLogic Server Curriculum Development group is hosting a 3 part series of live webcasts to highlight three of the new manageability features in Oracle WebLogic Server 12.1.3:  whole server migration (including JMS) for dynamic clusters, REST-based management improvements, and Oracle Fusion Middleware Control improvements for managing Oracle WebLogic Server 12.1.3.   The schedule for topics is given below.  

Mark Lindros, who has many years of experience with Oracle WebLogic Server, as a user and courseware developer, will be delivering the webcasts.   For more details on content see Mark's blog.  All of the Events will also be recorded and posted to the Oracle Learning Library.  This is an excellent opportunity to learn about new features in Oracle WebLogic Server 12.1.3.   Hope to see you there.

Will 

Oracle WebLogic Server 12.1.3: Using Whole Server Migration with Dynamic Clusters

Date: Wednesday, September 3rd, 2014 Time: 9:00 am US/Pacific time


This webcast will demonstrate how to configure whole server migration for clusters that contain dynamically created servers. Watch as JMS messages are placed on a queue on one server, that server is automatically migrated to another machine, and the same JMS messages are accessible by the migrated server.

To access the content this event is based on, click here


Oracle WebLogic Server 12.1.3: Using REST Services to Manage WebLogic Server

Date: Wednesday, September 10th, 2014 Time: 9:00 am US/Pacific time


This webcast demonstrates how to use RESTful requests to manage a WebLogic Server domain. Learn how to format REST requests to start and stop servers and clusters, manage application deployments, and manage JDBC data sources... all from the command-line!

To access the content this event is based on, click here


Oracle WebLogic Server 12.1.3: Using Fusion Middleware Control to Manage WebLogic Server

Date: Wednesday, September 17th, 2014 Time: 9:00 am US/Pacific time


This webcast demonstrates how to use Fusion Middleware Control (FMWC) to manage a WebLogic Server domain. Learn how to use FMWC to view domain statistics, start and stop servers and clusters, manage application deployments, manage JDBC data sources, and manage users and groups without using the WebLogic administration console.

To access the content this event is based on, click here

Friday Aug 15, 2014

Coming to OpenWorld? A must attend session…

NTT Docomo, Inc. is the predominant mobile phone operator in Japan. The name is officially an abbreviation of the phrase, "do communications over the mobile network", and is also from a compound word dokomo, meaning "everywhere" in Japanese. 


One of the most important of NTT Docomo’s systems is ALADIN, which is a nationwide operating system shared with its eight regional subsidiaries. ALADIN has five primary functions: customer management, phone number management, information processing and storage, sales information management, and credit investigation. To enhance cost efficiency and help ensure stable operation of ALADIN, NTT Docomo has employed Oracle WebLogic Server as a new application platform. Further information on this can be found here.

Last year at OpenWorld, NTT Docomo was honored as an Innovation Award Winner for:

· Implementing a real-time sales and contract management system that enables all services requested by customers to be activated immediately, before the customer leaves the Docomo store

· A robust disaster recovery strategy, room to grow the business, and ability to move custom Java development to a platform with built in standards - WebLogic

· Better performance, better reliability, better stability, and smooth migration

Meet This Year's Most Impressive Innovators!

This year we continue to honor customers for their most innovative and cutting-edge solutions using Oracle Fusion Middleware. Join us in celebrating award recipients’ great achievements and commitment to innovation.  

Oracle Fusion Middleware: Meet This Year's Most Impressive Innovators

Session ID: CON7029

Tuesday September 30, 2014 @ 5-5:45 pm (PST)

Yerba Buena Center for the Arts 
YBCA Theater (next to Moscone North)

700 Howard St., San Francisco, CA, 94103


Sunday Aug 10, 2014

Data Source Encrypted Connection Properties and SSL

Encrypted properties are needed for information that needs to be secured instead of exposing it as clear text.  For data sources, that's generally for security credentials like passwords.  Since the first release, WLS data source has only supported a single encrypted property, the database password corresponding to the database user for all connections on the data source.  That was fine for simple security but adding features like SSL needed additional passwords for the key store and trust store.  We figured out a limited solution by using the Oracle auto-login wallet with store type SSO that did not require an additional password value.  That's documented at http://docs.oracle.com/middleware/1213/wls/JDBCA/ds_security.htm#CHDBBIJH .  

We explored options for supporting additional encrypted properties including encrypting all properties with the name "Password" but it didn't seem to be an elegant solution.  In 10.3.6, we made a simple extension to connection properties to support system properties.  In WLS 12.1.3, we made a similar extension to support encrypted properties.  A JDBC property now consists of a name and a choice of a value, a system property value, or an encrypted value.  Encrypted values would commonly be used for javax.net.ssl.trustStorePassword and/or javax.net.ssl.keyStorePassword when configuring SSL.

You can set the encrypted property in a WLST script using

setEncryptedValueEncrypted(encrypt('clear-text-value'))

The clear text value (literal or variable) is encrypted and then stored as an encrypted value in the descriptor.  This works for both on-line and off-line WLST.  If you have an on-line WLST script, you can also use

setEncryptedValue('clear-text-value')

In this case, the encryption is automatically done and the encrypted value is stored.

You can also use the WLS administration console to create encrypted properties.  It's not possible to specify the encrypted values when creating a data source.  That is, the creation assistant doesn't support encrypted properties.  When you create a data source, you might need to put in a clear-text password if you want to test the connection during the creation process. You can add encrypted values to the data source definition by editing the configuration. You need to go to the Configuration Connection Pool tab (the same tab as normal properties and system properties). If you used clear-text passwords during creation for testing, you will need to remove the clear text values first.   There are two approaches to add encrypted values.  One is to type the name and clear text value directly into the Encrypted Properties text box.  When you click on the Save button, the values are encrypted.  The advantage of this approach is that you can enter multiple values directly but the downside is that between the text entry and saving the values, the values are visible on the screen.  This approach is shown in the following figure.

There is a second approach that provides secure data entry.  Note in the picture above, there is an "Add Securely" button to the right of the Encrypted Properties text box.  Clicking on that button causes a new window to pop up as in the following figure. You can enter the property name and then the encrypted value twice.  The input for the encrypted values is obscured.  When done, click on the OK button to enter the name and encrypted value in the Encrypted Properties text box.  The advantage of this approach is that the clear text value is never displayed.
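The clean-up step described above (removing clear-text passwords left over from connection testing) can be checked mechanically. The following is an added example, not code from the original post or from Oracle: a Python check that parses a data source descriptor and reports sensitive-looking properties still stored in a plain <value>. The sample descriptor is constructed, the name heuristics are hypothetical, and the <encrypted-value-encrypted> element name is an assumption inferred from the EncryptedValueEncrypted attribute.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not from a real domain). <value> and
# <sys-prop-value> appear in the post; <encrypted-value-encrypted> is assumed.
SAMPLE = """<jdbc-data-source xmlns="http://xmlns.oracle.com/weblogic/jdbc-data-source">
 <jdbc-driver-params><properties>
  <property><name>user</name><value>scott</value></property>
  <property><name>javax.net.ssl.trustStorePassword</name>
    <value>constructed-clear-text</value></property>
  <property><name>javax.net.ssl.keyStorePassword</name>
    <encrypted-value-encrypted>{AES}constructed</encrypted-value-encrypted></property>
  <property><name>v$session.program</name>
    <sys-prop-value>weblogic.Name</sys-prop-value></property>
 </properties></jdbc-driver-params>
</jdbc-data-source>"""

# Hypothetical heuristics for property names that usually hold secrets.
SENSITIVE_HINTS = ("password", "passphrase", "secret")


def local(tag):
    """Strip any XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def audit_descriptor(xml_text):
    """Return (kinds, findings): how each property is stored, and the
    sensitive-looking property names whose value is stored in clear text."""
    kinds, findings = {}, []
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) != "property":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in elem}
        name = fields.get("name", "")
        if "encrypted-value-encrypted" in fields:
            kinds[name] = "encrypted"
        elif "sys-prop-value" in fields:
            kinds[name] = "system-property"
        else:
            kinds[name] = "clear-text"
        if kinds[name] == "clear-text" and any(h in name.lower() for h in SENSITIVE_HINTS):
            findings.append(name)
    return kinds, findings


if __name__ == "__main__":
    for prop in audit_descriptor(SAMPLE)[1]:
        print("clear-text secret property:", prop)
```

Run against the descriptor files under a domain's config directory, a non-empty findings list means a password property still needs to be re-entered as an encrypted property.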

You can see the product documentation for encrypted properties at http://docs.oracle.com/middleware/1213/wls/JDBCA/ds_security.htm#CHDGCDIB,  including some code examples.

The timing was good for this feature because a lot of testing was done on setting up one-way and two-way SSL configurations in the Server for WLS 12.1.3.  See http://docs.oracle.com/middleware/1213/core/ASADM/sslconfig.htm#CBDFGCAF  for a discussion of using SSL with the data tier.  This release also introduced FIPS 140 support in Oracle Fusion Middleware.  See http://docs.oracle.com/middleware/1213/core/ASADM/fips.htm  for more details. 

WLS 12.1.3 has a complete SSL security solution that is well tested and well documented.  Support for encrypted data source connection properties is one important piece in the solution.

P.S. Earlier versions of the documentation said "You must enable the Oracle PKI provider. This can either be done statically by updating the java.security file under the JRE or dynamically by setting it in a WLS startup class ...".  Updating the JRE java.security file was removed from the documentation in WLS 12.1.3 because testing found that it didn't work for two-way SSL. A bug was fixed in the oraclepki.jar file late in 12.1.3 and this approach now works. It may be the easier of the two approaches.

Monday Aug 04, 2014

Setting V$SESSION for a WLS Datasource

Every Oracle database connection runs in the context of a database process called a session. The v$session view contains a lot of information about the database sessions that are active. By default, when you use the Oracle Thin Driver, the value of v$session.program is set to "JDBC Thin Client". That separates the Java applications from sqlplus and the scores of database background programs, but it doesn't provide much additional information since all of the Java connections look the same. It's easy to set this and some other values on v$session using connection properties on the Oracle Thin driver. The following connection properties are supported: v$session.osuser, v$session.process, v$session.machine, v$session.terminal, and v$session.program. Setting these will set the corresponding value on the session on the database side. These values are then available from the v$session view.

The simple approach is to hard-code a value into a normal connection Property.  That's fine if you want to associate a fixed value with a data source.  It's more interesting if you dynamically set the value at runtime. For example, if there are multiple servers running within a domain and the information needs to be server specific, a normal cluster deployment with one fixed value is not useful, and the option of deploying the DataSource to every server individually and then hand-editing each one's descriptor with unique values for these properties is not manageable. You can easily handle this using a System Property.  The value that is specified is taken to be a Java system property that you set on the command line of the application server.  It is retrieved using System.getProperty() and set as the value of the connection property.    There's a new Encrypted Property in WLS 12.1.3; I'll write another article about that.

If you use bin/startWebLogic.sh to start the server, it will put -Dweblogic.Name=${SERVER_NAME} on the command line.  If you set the v$session.program System Property connection property to "weblogic.Name", your session program value will match the WLS server that is making the connection.

You can set connection properties by editing the data source configuration on the "Connection Pool" tab in the WebLogic administration console.  Properties are set in the Properties and System Properties text boxes.  Let's say that I set four of the values to test values and one to a system property, generating the descriptor fragment as follows.

<property>
  <name>v$session.osuser</name>
  <value>test1</value>
</property>
<property>
  <name>v$session.process</name>
  <value>test2</value>
</property>
<property>
  <name>v$session.machine</name>
  <value>test3</value>
</property>
<property>
  <name>v$session.terminal</name>
  <value>test4</value>
</property>
<property>
  <name>v$session.program</name>
  <sys-prop-value>weblogic.Name</sys-prop-value>
</property>

Alternatively, you could set these values using on-line or off-line WLST.

Here's a fragment of an off-line WLST script.

cd('/JDBCSystemResource/myds/JdbcResource/myds')
cd('JDBCDriverParams/NO_NAME_0')
cd('Properties/NO_NAME_0')
create('v$session.program','Property')
cd('Property')
cd('v$session.program')
set('SysPropValue', 'weblogic.Name')

If $SERVER_NAME is myserver and I then go to run a query, here is the resulting output.

SQL> select program, osuser, process, machine, terminal 
  from v$session where program = 'myserver';
myserver test1 test2 test3 test4

If the server names aren't obvious enough, you could set the program to "WebLogic Server $SERVER_NAME".  You could set -Djdbc.process=<PID> to tie connections to a specific WLS server process. You might want to add the WLS data source name to the program value.  You could set osuser to the Java value "user.name".

 Using system properties can make this a powerful feature for tracking information about the source of the connections, especially for large configurations.

