Oracle® Application Server 10g Advanced Topologies for Enterprise Deployments 10g (9.0.4) Part No.
Oracle Application Server 10g Advanced Topologies for Enterprise Deployments, 10g (9.0.4) Part No. B12115-01 Copyright © 2003, Oracle. All rights reserved. Primary Author: Orlando Cordero The Programs (which include both the software and documentation) contain proprietary information; they are provided under a license agreement containing restrictions on use and disclosure and are also protected by copyright, patent, and other intellectual and industrial property laws.
Preface
The Oracle Application Server 10g Advanced Topologies for Enterprise Deployments covers requirements, new features in the installer, Oracle Application Server concepts that affect installation, compatibility with other products, and management information for an enterprise topology.
Related Documents
For more information, see the following guides:
■ Oracle Application Server 10g Administrator’s Guide
■ Oracle Application Server 10g Concepts

Conventions
This guide uses the following conventions:

Convention | Meaning
boldface text | Boldface type in text indicates objects (such as buttons and fields) on screens.
code | Text in the code font indicates filenames, commands, or contents of configuration files.
1 Enterprise Topology Overview
This chapter contains the following:
■ About Enterprise Topologies and Why Oracle Recommends Them
■ Recommended Topologies
■ Enterprise Data Center Topology: J2EE Applications
■ Departmental Topology
■ Development Life Cycle Topology

1.1 About Enterprise Topologies and Why Oracle Recommends Them
An enterprise topology is an advanced installation and configuration of Oracle Application Server, usually in a large setting such as a data center.
■ Introduce Oracle Enterprise Manager as a one-stop management tool for managing an enterprise.

To learn more about Oracle Application Server concepts, see Oracle Application Server 10g Concepts.
For requirements and installation information for each of the topologies, see Chapter 11 of the Oracle Application Server 10g Installation Guide.
1.
Figure 1–1 Enterprise Data Center Topology: J2EE Applications [diagram not reproduced; labels include External Clients, DMZ Firewall, HTTP / HTTPS, Web Server Tier DMZ, Load Balancer, Infrastructure Firewall, Infrastructure DMZ, Real Application Clusters or Cold Failover Cluster, Oracle Internet Directory, Web Cache, SQL*Net, Oracle HTTP Server including mod_oc4j]
computers in the J2EE Business Logic DMZ tier. To increase performance and availability, the mod_oc4j module in Oracle HTTP Server performs load balancing and failover.
■ Another set of computers runs Oracle Application Server Single Sign-On and Oracle Delegated Administration Services.
Figure 1–2 Enterprise Data Center Topology: J2EE Applications that need to access mod_plsql [diagram not reproduced; same labels as Figure 1–1, with mod_plsql added alongside mod_oc4j in Oracle HTTP Server]
Enterprise Data Center Topology: Portal, Wireless, and Business Intelligence Applications
The Oracle Internet Directory contains data for external and internal users. Oracle Application Server Single Sign-On authenticates users based on the data in Oracle Internet Directory. You can install the OracleAS Metadata Repository and the Oracle Internet Directory in a Real Application Clusters or Oracle Application Server Cold Failover Clusters environment.
Figure 1–3 Enterprise Data Center Topology: Portal, Wireless, and Business Intelligence Applications

1.5 Departmental Topology
A departmental configuration topology is a subset of considerations and requirements that overlap the enterprise data center configuration.

Target Users
This topology is a smaller scale version of the topology described in Section 1.3, "Enterprise Data Center Topology: J2EE Applications".
Description
This topology (Figure 1–4) consists of an OracleAS Infrastructure, plus several middle tiers, including at least one Portal and Wireless middle tier. This topology uses two metadata repositories:
■ one for product metadata (installed on computer 2). The Portal and Wireless middle tier uses this metadata repository.
■ one for Identity Management services (installed on computer 1). All the middle tiers use this metadata repository for Identity Management services.
1.5.1 Installation Sequence
Install the items in the following order. The computers are listed in Figure 1–4.
1. Computer 1: Install an OracleAS Infrastructure 10g with Identity Management services and OracleAS Metadata Repository. See Section 6.14, "Installing OracleAS Infrastructure 10g" in the Oracle Application Server 10g Installation Guide for specific steps. This creates a database to contain the OracleAS Metadata Repository.
1.6.1 Moving Applications from Test to Stage
To move applications from a test to a stage environment, you deploy them on middle tiers in the stage environment. The applications use the Identity Management and Oracle Application Server Metadata Repository of the stage environment. If an application uses custom data in a database, you need to move that data from that database to a database in the stage environment.
1.6.
2 Installation and Configuration Considerations for an Enterprise Topology
The following sections contain installation and configuration considerations for these topologies:
■ J2EE Applications Topology
■ Enterprise Topology: Portal, BI, Wireless, Forms and Reports Services Installation and Configuration
■ Departmental Topology: Departments Hosting Their Applications
■ Enterprise Topology: Development Life Cycle Topology Installation and Configuration
■ Enterprise Topology Post-Installation Tasks
■ J2
J2EE Applications Topology Table 2–1 (Cont.
Note: Do not select Oracle Application Server Single Sign-On or Oracle Delegated Administration Services in the Select Configuration Options screen. You will install these components in the next step.
2. Web Server Tier DMZ: Install Oracle Application Server Single Sign-On and Oracle Delegated Administration Services.
Table 2–2 Considerations when installing and configuring Portal, BI, Wireless, and Forms and Reports

Consideration | User Consideration
Overview | Web Server Tier: OHS stand alone installs on multiple machines
         | Application Server Tier: Middle tiers hosted on one big machine or multiple machines for multiple applications
         | Infrastructure: Dedicated or shared Product Metadata Services.
Table 2–2 (Cont.) Considerations when installing and configuring Portal, BI, Wireless, and Forms and Reports

Consideration | User Consideration
Distributed Install Topology | Web Server Tier: OHS in DMZ – 1, separate from application server.
                             | Application Server Tier: Application Server in DMZ – 2
                             | Product Metadata Services: In DMZ – 2 for most cases.
Table 2–3 (Cont.) Considerations for the Departmental Topology

Consideration | User Considerations
Third-Party Products | Depending on the load on the application, load balancers might be needed
2.
2.5.1 Infrastructure
OracleAS Portal needs post-installation steps with Oracle Internet Directory and OracleAS Web Cache at the Infrastructure level.

2.5.1.1 OracleAS Portal and Oracle Internet Directory
Every OracleAS Portal middle-tier installation drops and recreates the Portal users in Oracle Internet Directory (OID).
J2EE Applications Topology Post-Installation Tasks 2.
Site definitions enable Web Cache to apply different caching rules for different sites. Requests for different sites can also be routed to specific origin servers through Site-to-Server Mappings. Site definitions in Web Cache must match the externally visible host name. By default, Web Cache takes on the default name and port numbers of the host it is installed on.
Alias definitions enable the mapping of multiple host names to a single site.
2.6.6 Oracle Application Server Single Sign-On
If you are working with multiple Single Sign-On servers, you may need to perform additional configuration of the Oracle HTTP Server. See Chapter 3.3, "Multiple Single Sign-On Middle Tiers with One Oracle Internet Directory" for more information.

2.6.7 OracleAS Portal
Post-installation tasks for Oracle Portal include:
■ Chapter 4.3, "Load Balancing Considerations"
■ Chapter 4.
3 Configuring Single Sign-On in an Enterprise Deployment Topology
The following sections provide brief information and additional resources for OracleAS Single Sign-On in an enterprise deployment topology:
■ About High Availability
■ About Security
■ Multiple Single Sign-On Middle Tiers with One Oracle Internet Directory

3.1 About High Availability
The availability of a system or any component in that system is defined by the percentage of time that it works normally.
3.3 Multiple Single Sign-On Middle Tiers with One Oracle Internet Directory
The simplest high availability scenario involves failover within the single sign-on instance itself, at the middle tier. Adding middle tiers increases scalability and therefore makes the single sign-on server more available. In this configuration, a single HTTP load balancer is placed in front of two or more Oracle HTTP servers.
Figure 3–1 Two Single Sign-On Middle Tiers, One Oracle Internet Directory
3.3.
Metadata Repository." When presented with the component list for this installation type, choose Oracle Internet Directory only.
3. Install the Oracle Application Server infrastructure on the middle tiers sso1.mydomain.com and sso2.mydomain.com, again choosing the option "Identity Management and Oracle Application Server Metadata Repository."
4.
Configure the HTTP load balancer
The HTTP load balancer used can be hardware such as BigIP, Alteon, or Local Director, or software such as Oracle Application Server Web Cache.
■ Hardware Load Balancer
If you are using a hardware load balancer, configure one pool of real servers with the addresses 138.1.34.172 and 138.1.34.173. Configure one virtual server with the address 138.1.34.234.
2. Use the Administer Partner Applications page to delete the existing entry for the partner application sso1.mydomain.com.
3. Set the environment variable ORACLE_HOME to point to the Oracle home for sso1.mydomain.com. Include $ORACLE_HOME/jdk/bin in the PATH variable.
4. Run the registration script. For the URLs, be sure to substitute values appropriate for your installation. The script creates a partner application called sso.
5. Restart the Oracle HTTP Server:
   $ORACLE_HOME/opmn/bin/opmnctl restartproc type=ohs
6. Change the base URL for the Delegated Administration Service (DAS), using the oidadmin tool:
   a. Start the tool:
      $ORACLE_HOME/bin/oidadmin
   b. Log in to Oracle Directory Manager as cn=orcladmin.
   c. Navigate to the entry that contains the attribute orcldasurlbase:
      cn=OperationalURLs,cn=DAS,cn=Products,cn=OracleContext
   d.
4 Networking
The following sections contain networking considerations in an Oracle Application Server topology:
■ Oracle Application Server Networking Overview
■ Firewall Considerations: Opening the Right Ports
■ Load Balancing Considerations
■ Configuring Reverse Proxy Servers
4.
All configuration and topology data is stored in the Distributed Configuration Management metadata repository, which may be part of the Oracle Application Server Metadata Repository. For additional information on working with DCM, see the Distributed Configuration Management Reference Guide.
4.1.
network resources. It combines Lightweight Directory Access Protocol (LDAP) Version 3 with the high performance, scalability, robustness, and availability of Oracle9i. For more information on working with LDAP and Oracle Internet Directory, see Oracle Internet Directory Administrator’s Guide. Make sure your application developers read Oracle Internet Directory Application Developer’s Guide.
4.1.
to the default ports section of the Oracle Application Server 10g Administrator’s Guide. Firewall Stateful Inspection (FSI) is not used between DMZ, mid-tiers, and infrastructure, and Oracle recommends that FSI be used in the external internet interface. For information about configuring and managing firewalls, see your administrator or the documentation for your firewall implementation.
4.2.
4.3 Load Balancing Considerations
In a configuration where there is a pool of application servers (called a resource pool) and a pool of Single Sign-On servers, you need to add a virtual IP address to the load balancers (either software or hardware), then add pools to the virtual IP addresses. The application server pool needs to have persistence specified.
Table 4–1 Additional information About the Graphic

Machine | Details
Load balancing router | Machine Name: lbr.abc.com
                      | IP Address: L1.L1.L1.L1
                      | Listening Port: 80
                      | Invalidation Port: 4001 (accessible only from inside)
Oracle Application Server (Portal and Wireless middle-tier) 1 | Machine Name: m1.abc.com
                      | IP Address: M1.M1.M1.
You will notice that the infrastructure is behind the LBR. The infrastructure can be one host, or distributed over multiple hosts.
Figure 4–2 Internet Configuration with Reverse Proxy Server

For this example, let’s assume the following:
■ The published address is www.abc.com.
■ Internal to the firewall, the server name for the Oracle Application Server middle-tier is internal.company.com.
■ This Application Server middle-tier machine hosts both OracleAS Web Cache and the Oracle HTTP Server.
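As an added example (not part of the Oracle guide), the following Python check scans a response captured at the published address for places where the internal server name from the assumptions above still shows through the reverse proxy: redirect headers, cookie domains and absolute links in the body. The sample responses, port 7777 and the URL path are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

PUBLISHED_HOST = "www.abc.com"           # published address from the text
INTERNAL_HOST = "internal.company.com"   # middle-tier name behind the firewall

# Response headers in which a backend commonly writes its own host name.
URL_HEADERS = {"location", "content-location", "refresh", "link"}
ABS_URL = re.compile(r"https?://[^\s\"'<>]+", re.I)
COOKIE_DOMAIN = re.compile(r";\s*domain=([^;]+)", re.I)


def find_internal_leaks(raw, internal=INTERNAL_HOST, published=PUBLISHED_HOST):
    """Return (where, value) pairs that expose the internal host to clients."""
    head, _, body = raw.partition("\r\n\r\n")
    leaks = []
    for line in head.split("\r\n")[1:]:              # skip the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        if name in URL_HEADERS and internal in value.lower():
            leaks.append((name, value))
        elif name == "set-cookie":
            m = COOKIE_DOMAIN.search(value)
            if m:
                # A cookie domain the published host does not fall under is
                # rejected by browsers and reveals internal naming.
                domain = m.group(1).strip().lstrip(".").lower()
                if published != domain and not published.endswith("." + domain):
                    leaks.append((name, value))
    for url in ABS_URL.findall(body):                # absolute links in content
        if (urlsplit(url).hostname or "") == internal:
            leaks.append(("body", url))
    return leaks


# Constructed sample: backend answering with its own name (misconfigured).
LEAKY = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://internal.company.com:7777/pls/portal/home\r\n"
    "Set-Cookie: SESSION=x1; Domain=.company.com; Path=/\r\n"
    "Content-Type: text/html\r\n\r\n"
    '<a href="http://internal.company.com:7777/pls/portal/home">moved</a>'
)

# Constructed sample: the same response once only the published name is used.
CLEAN = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://www.abc.com/pls/portal/home\r\n"
    "Set-Cookie: SESSION=x1; Domain=.abc.com; Path=/\r\n"
    "Content-Type: text/html\r\n\r\n"
    '<a href="http://www.abc.com/pls/portal/home">moved</a>'
)

if __name__ == "__main__":
    for where, value in find_internal_leaks(LEAKY):
        print(f"{where}: {value}")
```

Run it against responses fetched through www.abc.com after the proxy, Web Cache site definition and Oracle HTTP Server settings are in place; an empty result means no internal name reached the client in the places checked.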
5 Managing an Enterprise Deployment Topology
This chapter provides information on managing an enterprise deployment:
■ General Management Considerations
■ Enterprise Data Center Topology: Multiple Departments Sharing the Same Data Center
■ Departmental Topology: Departments Hosting Their Applications
■ Development Life Cycle Topology
5.
One way of managing log files is by using a "waterfall" approach, i.e. working on one server or component at a time during non-peak load times. This approach allows a data center to maintain high availability when a server is taken off-line, or when it is not brought down properly. Then, when that server or component has restarted, you can bring down the next server for log file maintenance, for example, one hour later.
■ Keep static content on NFS partitions and mount it to a server or application as needed
■ Deploy static content quickly
■ Resync data across an enterprise topology quickly (sometimes minutes versus hours without NFS)

5.1.7 Port Management
Sometimes it can get difficult to track ports and port conflicts in a large enterprise topology, especially when specialized port configurations are implemented.
■ Management Considerations Checklist
■ Oracle Enterprise Manager Application Server Control Checklist
■ Backup and Recovery Consideration
■ Application Deployment and Performance Considerations

5.2.1 Management Considerations Checklist
■ Use the monitoring and alerting capabilities of Oracle Enterprise Manager to ensure you are notified of any potential performance problems in your system(s).
■ Business Intelligence (BI) applications are working against a data warehouse with tighter security
■ All applications are accessible by Portal and Wireless devices
■ Self Service Applications are using IP and Workflow
5.
■ J2EE applications deployed on Oracle Application Server clusters with or without Web Cache
■ Portal applications using Web Cache
■ Monitor application performance and availability using the Oracle Enterprise Manager Application Server Control.

5.4 Development Life Cycle Topology
Test Environment: For application server installation use Oracle Enterprise Manager Application Server Control. For standalone components use command line tools.
6 Performance and Tuning Considerations
The most important factor in optimizing the performance of your enterprise deployment topology is understanding how to monitor its behavior and resource usage. Oracle Application Server provides several tools to help. See Oracle Application Server 10g Performance Guide for more information on how to monitor your installation. In addition, most hardware vendors supply a number of tools to monitor hardware resource usage.
6.3 SSL
Remember that the use of SSL can add substantial performance overhead, so use it appropriately. The first request in an SSL session takes longer than subsequent requests. You should also understand how to configure session duration for SSL. See the Oracle Application Server 10g Performance Guide and Oracle Application Server Certificate Authority Administrator’s Guide for more information.

6.4 Oracle Internet Directory (OID)
When using OID, use LDAP caching.
information on tuning database connections and working with JDBC and PL/SQL metrics.

6.10 Portal
For portal installations with high usage, you can increase the concurrency of the Portal Parallel Page Engine. However, if your system(s) lack sufficient resources to handle the increased concurrency, this can have a negative impact on your overall performance.