Copyright © 2017, eProseed UK Ltd
TIPS & TRICKS FOR JAVA & SOA CS
Simon Haslam
Technical Director
eProseed
INTRODUCTION
Simon Haslam
• Platform / Infrastructure Architect with a focus on HA, DR, automation etc
• Using Oracle products since 1994 (Oracle7)
• Formerly UKOUG App Server & Middleware SIG Chair
About eProseed
• Multi award-winning Oracle Platinum Partner
• HQ in Luxembourg with 9 subsidiaries across the world including UK, NL, PT, KSA, USA & now Australia!
• A highly technical Oracle practice with 7 active ACEDs
3 Membership Tiers:
• Oracle ACE Director
• Oracle ACE
• Oracle ACE Associate
bit.ly/OracleACEProgram
500+ Technical Experts
Helping Peers Globally
Connect:
Nominate yourself or someone you know: acenomination.oracle.com
@oracleace
Facebook.com/oracleaces
oracle-ace_ww@oracle.com
INSPIRATION FOR THIS PRESENTATION
I have a note where I keep “tips & tricks” I find as I work…
– This is my current list but is work in progress (I haven’t done everything possible in PaaS ☺)
– Some are opinions, mainly with an Ops/Admin focus – YMMV!
– I have perfectionist tendencies (but am in therapy!) and want to improve each batch of environments I provision
– Oracle Cloud changes all the time (monthly releases) – in future they may change/become irrelevant
– Even if you are not using SOA CS or JCS today hopefully they may be a useful reference for later
THERE’S NO MAGIC HERE, FOLKS!
• Setup and Identity
• VMs: SSH and internal access
• SSL & Certificates
• Networking & VPN
• Provisioning
TIP 1: PRACTICE ON A TRIAL ACCOUNT
• There’s a lot to learn:
– User management
– How consoles look, what names fit
– Auto-generated names
– You usually (pre-OIC) have one identity domain for both live and test – consider that for organisation
– You will probably end up with things in the wrong place – usually it’s easier/quicker to start fresh
– Makes you less nervous about creating stuff that might cost £££!
• If you get to choose, name your domain very carefully!
– Depends on how cloud was purchased and type – may get choice or maybe just a123456
– Oracle added a feature to rename but that is superficial
TIP 2: CHOOSE YOUR IDENTITY DOMAIN CAREFULLY
• Name is used a lot in URLs and references
– Since IDCS + PaaS the name is in the log-in URL too, e.g. https://myservices-eproseeduk.console.oraclecloud.com
• You may or may not get to choose
– Depends on how cloud was purchased and type – may get choice or maybe just a123456
– Oracle added a feature to rename but that is superficial
• Domains can’t be re-used later AFAIK so think about it carefully, especially if you are a multi-national
– E.g. I recently created “eproseeduk” in case we want to use “eproseed” globally
– Are there annoying domain squatters out there…?
• This is probably vanity/perfectionism led! Most corporates may be happy with a123456 ☺
TIP 3: CREATE A PROVISIONING USER
• The username of the user who creates instances & other artefacts ends up in URIs. Default usernames are email addresses.
• Create a provisioning user
• Create the provisioning user as a name, not an email address
– I like something short, typically just the organisation name
TIP 4: CREATE A STORAGE USER
• The domain name is in the storage container name BUT the storage user is what the PaaS instances use for backup/restore.
• OPC user passwords expire after ~4 months – you can’t prevent this
– If you let them expire your backups will break
– If your database backups break you start using more Recovery Area
– If your Recovery Area fills up the database archiver can’t archive the redo log
– If the archiver can’t archive the redo log the db can’t do a log switch
– BANG!
• OPC “password change dance” was possible but probably won’t be for long
• Create a separate storage user to limit the scope of a password change
Practise change of OPC storage user password before user expiry!!!
TIP 5: CREATE SSH USERS FOR VM ADMINS
• Have a central OPC SSH key-pair
• I typically have one for production and one for dev-test
– You may choose to have a super-user keypair per instance (if you have good key management)
• Don’t give out the OPC private key for admin use
TIP 6: CREATE UNIX USERS ONLY USING SCRIPTS
• Only specific users are allowed to SSH in (hard-coded list in sshd_config)
• SSH is used for ALL low-level access to the VM
– Your admins
– The OPC admin account
– Oracle Cloud tooling
• If you break the SSH login configuration you will not be able to log in!
– The VM boot attempts to make sure oracle and opc keys are correct
– Oracle SM can try to push in a new OPC key only if cloud tooling access is working
• JCS built-in opc user setup/repair scripts are different to DBaaS!
• You only really find out for sure after an instance restart
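
The warning above in practice, as an added example that is not from the original deck: a shell function that appends a login to the sshd_config allow-list but refuses to install the result unless the built-in accounts are still listed and sshd accepts the file. It assumes the hard-coded list is an `AllowUsers` directive and that `opc` and `oracle` are the accounts to protect; `allow_user`, `sample_config`, `REQUIRED_USERS` and `SSHD_TEST_CMD` are names made up for this example.

```shell
#!/bin/sh
# Added example (not from the slides): add a login to sshd_config's allow-list
# safely. Assumes the "hard-coded list" is an AllowUsers directive and that
# opc and oracle (the accounts the slide names) must always stay on it.

REQUIRED_USERS="opc oracle"
# Command used to syntax-check the candidate file; "sshd -t -f FILE" is sshd's
# own test mode. Override (e.g. SSHD_TEST_CMD=true) when rehearsing off-VM.
SSHD_TEST_CMD=${SSHD_TEST_CMD:-"sshd -t -f"}

# Constructed sample config, for rehearsing on a scratch file.
sample_config() {
    printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' \
        'AllowUsers opc oracle'
}

# allow_user CONFIG USER: returns 0 on success; on any failure the original
# file is left unchanged and the temporary copy is removed.
allow_user() {
    cfg=$1
    new_user=$2

    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }

    # Accept only plain lower-case login names (no spaces, globs or @host).
    case $new_user in
        ''|-*|*[!a-z0-9_-]*) echo "rejected user name: '$new_user'" >&2; return 2 ;;
    esac

    # Expect exactly one AllowUsers line; anything else needs a human.
    count=$(grep -c '^[[:space:]]*AllowUsers[[:space:]]' "$cfg") || true
    [ "$count" = 1 ] || { echo "expected 1 AllowUsers line, found $count" >&2; return 3; }

    # Work on a copy in the same directory so the final mv is atomic;
    # cp -p carries over the original's mode and ownership.
    tmp=$(mktemp "$cfg.XXXXXX") || return 4
    cp -p "$cfg" "$tmp" || { rm -f "$tmp"; return 4; }

    awk -v u="$new_user" '
        /^[[:space:]]*AllowUsers[[:space:]]/ {
            seen = 0
            for (i = 2; i <= NF; i++) if ($i == u) seen = 1
            if (!seen) $0 = $0 " " u      # append only; existing names stay
        }
        { print }
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 4; }

    # Guard 1: the built-in accounts must still be on the list.
    allowed=" $(awk '/^[[:space:]]*AllowUsers[[:space:]]/ { $1 = ""; print }' "$tmp" \
        | tr -s '[:space:]' ' ') "
    for req in $REQUIRED_USERS; do
        case $allowed in
            *" $req "*) ;;
            *) echo "$req missing from AllowUsers; aborting" >&2
               rm -f "$tmp"; return 5 ;;
        esac
    done

    # Guard 2: sshd itself must accept the candidate file.
    $SSHD_TEST_CMD "$tmp" >/dev/null 2>&1 || {
        echo "sshd rejected the new config; original kept" >&2
        rm -f "$tmp"; return 6
    }

    mv "$tmp" "$cfg"
}

# Stand-alone use: ./allow_user.sh /etc/ssh/sshd_config alice
if [ "$#" -eq 2 ]; then allow_user "$1" "$2"; fi
```

sshd only picks up the new list after a reload, so keep the current session open and confirm a fresh login works before closing it.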
TIP 7: CREATE AT LEAST 3 VM UNIX USER GROUPS
• It’s pretty rare for admins to need SSH access to PaaS VMs:
– Non-privileged user is not too much use (possibly for tunnelling SQL*net if you don’t have VPN)
– User allowed to sudo to oracle <= most common
– User allowed to sudo to root
• Needed to fix backup issues, even though they are often just writing to an Oracle owned filesystem or calling RMAN
TIP 8: PUT ASIDE TIME FOR TLS CONFIGURATION
• Oracle doesn’t do much for you on TLS (SSL)
– JCS/SOACS use demo certificates with Cert Gen CA (i.e. easy to forge)
– Uses Key Store Service in database (new with 12.1.2)
• You can re-use all your old WLST etc for TLS config though ☺
– But if you have an internal CA some of the Cloud Monitoring (if you use that) breaks
With any luck Oracle will build (or buy) its own Certificate Authority – then it could set up TLS automatically
TIP 9: USE IP NETWORKS
• “IP Networks” on Oracle Cloud Infrastructure Classic allow you to choose your own network numbering, and VMs to talk directly to one another
• “Shared Network” is the original network where every VM is allocated to a 4-IP subnet… adds all sorts of complexity
• Going forward: IP Networks (and OIC equivalent) will dominate
– No migration path – you have to re-provision
– If you have any choice then set up IP Networks from the start!
TIP 10: CREATE 1 STORAGE CONTAINER PER INSTANCE
• When you create service instances that are fully managed by Oracle Cloud (i.e. not Virtual Image service types) you need to supply a Storage Cloud container
• It’s tempting to have one big bucket but don’t…
– remember in the future you may have 20 instances but want to delete one including its backups – a storage container makes this much easier to track
• You now have an option in console and REST API to create a new container at provisioning time
– I’m not really sure why this isn’t the default
TIP 11: PROVISIONING USER IS ONLY USED BY SCRIPTS
• We’ve got a special provisioning user – make sure it is only used by scripts, and not for administration functions
Cloud Ops/Admins should have their own OPC users with appropriate privs (easy to revoke etc – remember OPC console is available outside the corporate firewall)
SUMMARY
• Oracle PaaS experience is very similar to what you’re used to for on-prem systems ☺
• You still need to plan your environments
• Support is about the same as before
• Follow my tips ☺
• Mostly “it just works”
MY PRESENTATION TOMORROW!
Connecting Oracle Cloud to Your Data Centre:
A Detailed Walk-through
Tomorrow (Monday 4th Dec.)
16:55 – 17:40
Hall 6B
18th April 2018
Park Plaza Leeds
Last chance to submit your papers on:
• APEX
• Database
• Development
• RAC Cloud infrastructure & Availability
• Systems
Call for papers closes 12th December 17:00
Where?
Hall 4 Tech17
Community drinks
When?
Monday 18:45 – 19:45