Advanced Deployment Architectures for Oracle E-Business Suite
Steven Chan, Sr. Director, Applications Technology Integration
Ivo Dujmovic, Director, Applications Technology Integration
Architectural Goals
A. Ensure maximum security
B. Ensure maximum performance & scalability
C. Ensure business continuity
D. Provide extra services to end-users
E. Integrate with other systems
F. Provide dynamic capacity
September 2008
Architectural Goal A: Ensure maximum security
Demilitarized Zone (DMZ)
Diagram labels: Attack, DMZ, Protected Zone
- Perimeter network: the portions of a corporate network that sit between the corporate intranet and external networks
- Single or multi-segment
- DMZ-based servers have restricted responsibilities
- Security breaches remain contained within the DMZ
References: Note 287176.1
Configuration A.1
Diagram labels: Internal Users (staff.acme.com), Internal EBS App Server; External Users (partners.acme.com), Internet, External EBS App Server (DMZ); EBS Database
Risk: internal users can attack the database
References: Note 287176.1 (11i), 380490.1 (R12)
Configuration A.2
Diagram labels: DMZ 1, DMZ 2; Internal Users (staff.acme.com), Internal EBS App Server; External Users (partners.acme.com), Internet, External EBS App Server; EBS Database
References: Note 287176.1 (11i), 380490.1 (R12)
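The point of moving the database out of the intranet in Configuration A.2 is that every host able to open a connection to the listener must then be named in a firewall rule. The following added example (not Oracle's code and not part of the original deck) models A.1 and A.2 as hosts placed in segments with an allow-list of cross-segment flows, and asks which hosts can reach the database port. Host names, segment names and port numbers are constructed for the model.

```python
"""Segmentation check for the two DMZ layouts above (added example).

Models Configuration A.1 and A.2: traffic inside a segment is unfiltered,
crossing a segment boundary needs an explicit firewall rule.  Host names,
segment names and port numbers are constructed for the model.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

DB_PORT = 1521    # assumed database listener port
HTTPS = 443


@dataclass
class Topology:
    segment_of: Dict[str, str]                                          # host -> segment
    firewall: Set[Tuple[str, str, int]] = field(default_factory=set)    # allowed (src, dst, port) across segments

    def can_reach(self, src: str, dst: str, port: int) -> bool:
        # Same segment: no filtering.  Different segments: rule required.
        if self.segment_of[src] == self.segment_of[dst]:
            return True
        return (src, dst, port) in self.firewall

    def exposure(self, dst: str, port: int) -> List[str]:
        """Every host that can open a connection to dst:port."""
        return sorted(h for h in self.segment_of
                      if h != dst and self.can_reach(h, dst, port))


# Configuration A.1: the database shares the intranet with the internal app
# server and the staff workstations; only the external app server is firewalled.
A1 = Topology(
    segment_of={"external-user": "internet", "external-app": "dmz",
                "staff-workstation": "intranet", "internal-app": "intranet",
                "ebs-db": "intranet"},
    firewall={("external-user", "external-app", HTTPS),
              ("external-app", "ebs-db", DB_PORT)},
)

# Configuration A.2: the database moves into its own segment (DMZ 2), so the
# internal app server now needs a rule too, and workstations get none.
A2 = Topology(
    segment_of={"external-user": "internet", "external-app": "dmz1",
                "staff-workstation": "intranet", "internal-app": "intranet",
                "ebs-db": "dmz2"},
    firewall={("external-user", "external-app", HTTPS),
              ("external-app", "ebs-db", DB_PORT),
              ("internal-app", "ebs-db", DB_PORT)},
)

ALLOWED_DB_CLIENTS = {"external-app", "internal-app"}   # the application tiers


def unexpected_db_clients(topo: Topology) -> List[str]:
    """Hosts that can reach the listener but are not application tiers."""
    return [h for h in topo.exposure("ebs-db", DB_PORT) if h not in ALLOWED_DB_CLIENTS]


if __name__ == "__main__":
    for name, topo in (("A.1", A1), ("A.2", A2)):
        print(name, "listener reachable from:", topo.exposure("ebs-db", DB_PORT),
              "unexpected:", unexpected_db_clients(topo))
```

Running the check reports the staff workstation as an unexpected database client in A.1 and nothing in A.2. The same reachability function can be reused as a regression test whenever a firewall rule is added, which is how a segmentation decision made on a slide stays true in operation.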
Reverse Proxy Server
Diagram labels: External Users, Reverse Proxy, EBS App Server
- An intermediate server between a client and a web server
- Makes requests to the web server on behalf of the client
- Allows use of standard ports (80, 443) on the external side and higher ports internally
- Filters requests to the web server via rules
- Optionally allows for content caching
- Oracle HTTP Server, WebCache, Apache, other reverse proxy products
References: Note 287176.1 (11i), 380490.1 (R12)
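The two jobs the slide gives the reverse proxy, port mapping and rule-based filtering, are shown in the following added example. It is not Oracle HTTP Server's or Apache's code but a small rule engine in Python; partners.acme.com is the external name used on the deck, while the upstream address and port, the path prefixes and the header handling are assumptions for illustration. The part worth noticing is that the path is decoded and normalized before any rule is consulted.

```python
"""Request filtering and port mapping at the reverse proxy (added example).

Not a vendor's code.  partners.acme.com is from the deck; the upstream
address/port, the path rules and the sample requests are assumptions.
"""
import posixpath
import re
from typing import Dict
from urllib.parse import unquote

EXTERNAL_HOST = "partners.acme.com"                      # from the deck
INTERNAL_UPSTREAM = "http://ebs-ext-app.internal:8000"   # assumed: high port inside, 443 outside

# Ordered rules, first match wins; anything unmatched is denied.
# The prefixes are constructed for the example.
RULES = [
    ("deny",  re.compile(r"^/admin(/|$)")),    # administrative UIs stay on the intranet
    ("allow", re.compile(r"^/portal(/|$)")),   # partner self-service pages
    ("allow", re.compile(r"^/static(/|$)")),   # images, stylesheets
]

# Hop-by-hop headers (RFC 7230 section 6.1) describe the client<->proxy hop and
# are not forwarded; X-Forwarded-* values from the client are discarded because
# the proxy sets its own.
DROP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
        "te", "trailers", "transfer-encoding", "upgrade",
        "x-forwarded-for", "x-forwarded-proto", "x-forwarded-host"}


def normalize(path: str) -> str:
    """Decode percent-encoding and collapse '.'/'..' segments before matching,
    so /portal/../admin or /portal/%2e%2e/admin cannot slip past a prefix rule."""
    decoded = re.sub(r"/{2,}", "/", unquote(path))
    return posixpath.normpath("/" + decoded.lstrip("/"))


def decide(path: str) -> str:
    for action, pattern in RULES:
        if pattern.search(path):
            return action
    return "deny"


def route(request_target: str, headers: Dict[str, str], client_ip: str):
    """Return (upstream_url, forwarded_headers), or (None, reason) when blocked."""
    raw_path, _, query = request_target.partition("?")
    path = normalize(raw_path)
    if decide(path) != "allow":
        return None, f"blocked by rule: {path}"
    upstream = INTERNAL_UPSTREAM + path + (f"?{query}" if query else "")
    forwarded = {k: v for k, v in headers.items() if k.lower() not in DROP}
    forwarded["Host"] = EXTERNAL_HOST
    forwarded["X-Forwarded-For"] = client_ip     # set by the proxy, never copied from the client
    forwarded["X-Forwarded-Proto"] = "https"
    return upstream, forwarded


if __name__ == "__main__":
    for target in ("/portal/home?lang=en", "/portal/%2e%2e/admin/console", "//admin/", "/reports/x"):
        print(target, "->", route(target, {"Connection": "keep-alive"}, "203.0.113.7"))
```

Default-deny means a request the rules do not recognise, including one whose traversal survives decoding (such as a doubly encoded `%252e`), is simply never forwarded; the allow-list is the contract between the DMZ proxy and the application tier behind it.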
Configuration A.3
Diagram labels: DMZ 1, DMZ 2, DMZ 3; Internal Users, Internal EBS App Server; External Users, Internet, Reverse Proxy, External EBS App Server; Release 11i Database
References: Note 287176.1 (11i), 380490.1 (R12)
Enabling Single Sign-On for EBS
Diagram labels: Single Sign-On & Oracle Internet Directory Server; OracleAS 10g Infrastructure Database; OracleAS 10g Components
- By default, E-Business Suite has its own login (AppsLocalLogin) and its own user directory (FND_USER)
- E-Business Suite may optionally be integrated with OracleAS 10g:
  - Login is delegated to Single Sign-On 10g
  - User management is delegated to Oracle Internet Directory 10g
References: Note 233436.1, 261914.1 (11i); 376811.1 (R12)
Configuration A.4
Diagram labels: External Users (via VPN); Oracle Application Server 10g: Portal, Single Sign-On, Oracle Internet Directory, Discoverer, Other Fusion Middleware Components; E-Business Suite Application Server; Intranet; E-Business Suite Database; Internal Users
References: Note 233436.1, 261914.1 (11i); 376811.1 (R12)
E-Business Suite Integration with OracleAS 10g
Release 11i:
- Runs Oracle9i Application Server 1.0.2.2.2 on the mid-tier
- Runs Release 11i application-tier services such as Forms, Jserv
- Integrated with an external stand-alone Oracle Application Server 10g instance for optional services (e.g. Single Sign-On)
Release 12:
- Runs Oracle Application Server 10g on the mid-tier
- Runs Release 12 application-tier services such as Forms, OC4J
- Integrated with an external stand-alone Oracle Application Server 10g instance for optional services (e.g. Single Sign-On)
References: Note 233436.1, 261914.1 (11i); 376811.1 (R12)
Configuration A.5
Diagram labels: Internal Users, Internal EBS App Server; External Users, Internet, Reverse Proxy, External EBS App Server; Single Sign-On 10g, Oracle Internet Directory Server 10g, OracleAS 10g Infrastructure Database; EBS Database
References: Note 233436.1, 261914.1 (11i); 376811.1 (R12)
Tips
- Monitor the Oracle Security Technology Center: www.oracle.com/technology/deploy/security
- Apply quarterly Critical Patch Updates
- Read Best Practices for Securing Oracle E-Business Suite (11i: Note 189367.1; R12: Note 403537.1)
- Work with stakeholders and executive sponsors to prioritize security objectives
Architectural Goal B: Ensure maximum performance & scalability
Load-Balancers
Diagram labels: User1, User2, User3; Node1, Node2, Node3
- Distributes requests from clients to multiple nodes
- Types discussed here: DNS-based, HTTP layer
- Supported but not discussed here: Apache Jserv layer, Forms Metric Server, Concurrent Processing layer, Database layer
References: Note 217368.1 (11i), 380489.1 (R12)
High Availability Terminology
Diagram labels: Client Requests; Node 1 (Active), Node 2 (Active); Client Requests On Failover; Node 1 (Active), Node 2 (Passive)
- Active-Active: used for balancing load & improving scalability
- Active-Passive: used for business continuity
References: Note 217368.1 (11i), 380489.1 (R12)
DNS-Based Load Balancing
Diagram labels: User; DNS LBR; Q: IP for ebs.acme.com? A: 10.10.10.10; nodes 10.10.10.10, 10.10.10.20, 10.10.10.30
- Users query the DNS LBR for the IP address of the URL, then cache that address for future queries
- The DNS LBR supplies different IP addresses to different users depending on the load of a given node
- Vendor-dependent: may use heartbeat checks against nodes and sophisticated algorithms for load balancing
References: Note 217368.1 (11i), 380489.1 (R12)
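The caching step on this slide is what limits DNS-based balancing as a failover mechanism: a client keeps the address it was given until the record's TTL runs out, even if the node behind it has since failed its heartbeat. The following added example (not a vendor's code, not part of the deck) models the DNS LBR and two caching clients to make that visible. The host name and node addresses are from the slide; the loads, the TTL and the heartbeat outcome are constructed.

```python
"""DNS-based load balancing with client-side caching (added example).

The LBR answers a query for ebs.acme.com with the least-loaded node that
passed its last heartbeat; clients cache the answer for TTL seconds.
Loads, TTL and the failure are constructed; addresses are from the slide.
"""
from typing import Dict, Optional, Tuple

SERVICE = "ebs.acme.com"
TTL = 60   # seconds a client may cache the answer (constructed)


class DnsLbr:
    def __init__(self, nodes: Dict[str, float]):
        self.load = dict(nodes)                        # address -> current load, 0..1
        self.healthy = {addr: True for addr in nodes}  # last heartbeat result

    def heartbeat(self, addr: str, ok: bool) -> None:
        self.healthy[addr] = ok

    def resolve(self, name: str) -> Optional[Tuple[str, int]]:
        """Answer with (address, ttl) for the least-loaded healthy node."""
        if name != SERVICE:
            return None
        candidates = [(self.load[a], a) for a in self.load if self.healthy[a]]
        if not candidates:
            return None
        return min(candidates)[1], TTL


class CachingResolver:
    """A client (or its site resolver) that honours the TTL."""

    def __init__(self, lbr: DnsLbr):
        self.lbr = lbr
        self.cache: Dict[str, Tuple[str, float]] = {}   # name -> (address, expires_at)

    def lookup(self, name: str, now: float) -> Optional[str]:
        hit = self.cache.get(name)
        if hit and now < hit[1]:
            return hit[0]                 # still fresh: the LBR is not consulted at all
        answer = self.lbr.resolve(name)
        if answer is None:
            return None
        addr, ttl = answer
        self.cache[name] = (addr, now + ttl)
        return addr


def scenario() -> Tuple[Optional[str], ...]:
    """Node .10 fails at t=30.  A client that resolved at t=0 keeps using .10
    until its record expires; a client resolving afterwards is steered away."""
    lbr = DnsLbr({"10.10.10.10": 0.2, "10.10.10.20": 0.5, "10.10.10.30": 0.9})
    alice, bob = CachingResolver(lbr), CachingResolver(lbr)
    first = alice.lookup(SERVICE, now=0)
    lbr.heartbeat("10.10.10.10", False)
    stale = alice.lookup(SERVICE, now=30)
    fresh_client = bob.lookup(SERVICE, now=30)
    after_expiry = alice.lookup(SERVICE, now=61)
    return first, stale, fresh_client, after_expiry


if __name__ == "__main__":
    print(scenario())
```

The scenario returns the failed node twice for the first client before it finally moves, which is why the HTTP-layer balancer on the next slides, not DNS, is the place to put per-request node death detection.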
Configuration B.1
Diagram labels: User; DNS LBR; EBS App Server 1, EBS App Server 2; EBS Database
References: Note 217368.1 (11i), 380489.1 (R12)
HTTP Layer Load-Balancing
Diagram labels: User; HTTP Layer LBR; Web Node 1, Web Node 2, Web Node 3
- Users navigate to the Web Entry Point
- The HTTP Layer LBR routes all subsequent traffic for a specific user to a specific Web Node
- The LBR must support persistent session connections (cookie-based or IP-based stickiness)
- LBRs may use heartbeat checks for node death detection & restart, and sophisticated algorithms for load balancing
References: Note 217368.1 (11i), 380489.1 (R12)
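The following added example (not a vendor's product code and not from the deck) models the cookie-based stickiness and node death detection described on this slide. A user's first request is assigned round-robin (a simple stand-in for the vendor's algorithms) and a cookie pins later requests to that node; when a heartbeat marks the node dead, the user is re-pinned to a live one. The cookie value is an opaque token rather than the node name, so the client learns nothing about the web tier and cannot steer itself to a node of its choosing. Node names, the cookie name and the secret are constructed.

```python
"""HTTP-layer load balancing with cookie-based stickiness (added example).

Node names, the cookie name and the secret are constructed.
"""
import hashlib
import itertools
from typing import Dict, List, Optional, Tuple

COOKIE = "EBSLB"   # constructed cookie name


class StickyBalancer:
    def __init__(self, nodes: List[str], secret: bytes):
        self.nodes = list(nodes)
        self.healthy = {n: True for n in self.nodes}
        self._ring = itertools.cycle(self.nodes)          # round-robin for new users
        # Opaque cookie values: derived from a secret, so internal node names
        # stay hidden and a guessed value does not map to any node.
        self._token_of = {n: hashlib.sha256(secret + n.encode()).hexdigest()[:16]
                          for n in self.nodes}
        self._node_of = {t: n for n, t in self._token_of.items()}

    def heartbeat(self, node: str, ok: bool) -> None:
        self.healthy[node] = ok

    def _next_live_node(self) -> str:
        for _ in self.nodes:
            n = next(self._ring)
            if self.healthy[n]:
                return n
        raise RuntimeError("no healthy web nodes")

    def route(self, cookies: Dict[str, str]) -> Tuple[str, Optional[Tuple[str, str]]]:
        """Return (node, cookie_to_set); cookie_to_set is None when the
        client's existing cookie was honoured."""
        pinned = self._node_of.get(cookies.get(COOKIE, ""))
        if pinned and self.healthy[pinned]:
            return pinned, None
        node = self._next_live_node()    # new user, unknown cookie, or pinned node is dead
        return node, (COOKIE, self._token_of[node])


def scenario():
    lb = StickyBalancer(["web1", "web2", "web3"], secret=b"constructed-secret")
    n1, c1 = lb.route({})                     # first visit: assigned and pinned
    again = lb.route({COOKIE: c1[1]})         # same user stays on the same node
    n2, _ = lb.route({})                      # another user, next node in the ring
    guessed = lb.route({COOKIE: "web3"})      # a plain node name is not a valid token
    lb.heartbeat("web1", False)               # web1 fails its heartbeat
    n3, _ = lb.route({COOKIE: c1[1]})         # first user re-pinned to a live node
    return n1, again, n2, guessed[0], n3


if __name__ == "__main__":
    print(scenario())
```

Re-pinning is transparent at the HTTP layer but not at the application layer: a user's server-side session state on the dead node is gone unless the web nodes replicate it, which is the other half of what "persistent session connections" on this slide implies.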
Configuration B.2
Diagram labels: User; ebs.acme.com; HTTP Layer LBR; EBS App Server 1, EBS App Server 2; EBS Database
References: Note 217368.1 (11i), 380489.1 (R12)
Configuration B.3
Diagram labels: DMZ 1, DMZ 2, DMZ 3; Internal Users, HTTP LBR2, Web Node 3, Web Node 4; External Users, Internet, Reverse Proxy, HTTP LBR1, Web Node 1, Web Node 2; EBS Database
References: 11i: Note 217368.1, 287176.1; R12: 380489.1, 380490.1
Configuration B.4
Diagram labels: Internal Users, HTTP LBR2, Web Node 3, Web Node 4; External Users, Internet, Reverse Proxy, HTTP LBR1, Web Node 1, Web Node 2; Single Sign-On 10g, Oracle Internet Directory Server 10g, OracleAS 10g Infrastructure Database; EBS Database
References: 11i: Note 233436.1, 261914.1, 217368.1, 287176.1; R12: 376811.1, 380489.1, 380490.1
Real Application Clusters (RAC)
Diagram labels: Application Server; RAC Instance 1, Private Interconnect, RAC Instance 2; Shared Filesystem
- Allows multiple database servers to access the same data in parallel
- Improves scalability & fault-tolerance
- Supported with 9i, 10gR1, 10gR2, 11gR1 databases
- Supports Automatic Storage Management (ASM), Cluster Ready Services (CRS), Parallel Concurrent Processing (PCP)
References: Note 312731.1 (11i), 388577.1 (R12)
RAC Configuration Options
- General pooling: all RAC nodes handle all transactions
- Functional specialization: specific RAC nodes handle transactions for specific Applications modules, e.g. RAC node 1 dedicated to Order Management, RAC node 2 dedicated to Payroll
References: Note 312731.1 (11i), 388577.1 (R12)
Configuration B.5
Diagram labels: DMZ 1, DMZ 2, DMZ 3; Internal Users, Internal EBS App Server; External Users, Internet, Reverse Proxy, External EBS App Server; RAC 1, RAC 2, Shared EBS DB Filesystem
References: 11i: Note 287176.1, 312731.1; R12: 380490.1, 388577.1
Configuration B.6
Diagram labels: DMZ 1, DMZ 2, DMZ 3; Internal Users, HTTP LBR2, Web Node 3, Web Node 4; External Users, Internet, Reverse Proxy, HTTP LBR1, Web Node 1, Web Node 2; RAC 1, RAC 2, Shared EBS DB Filesystem
References: 11i: Note 217368.1, 287176.1, 312731.1; R12: 380490.1, 388577.1, 389489.1
Configuration B.8
Diagram labels: Internal Users, HTTP LBR2, Web Node 3, Web Node 4; External Users, Internet, Reverse Proxy, HTTP LBR1, Web Node 1, Web Node 2; LBR1, SSO Node 1, SSO Node 2, OID 1, OID 2, OracleAS 10g Infrastructure DB; RAC 1, RAC 2, Shared EBS DB Filesystem
References: 11i: Note 233436.1, 217368.1, 287176.1, 312731.1; R12: 380490.1, 388577.1, 389489.1; OracleAS HA Guide
OracleAS Web Cache
Diagram labels: User; OracleAS Web Cache; Web Node 1, Web Node 2, Web Node 3
- Content-aware server accelerator
- Can act as a reverse-proxy server, a web cache, and a load-balancer with failover detection
- Fully certified with the E-Business Suite for web (HTML) traffic
- Caches static & dynamic content, but not user-specific secure content
References: OracleAS Web Cache Administrator's Guide (10.1.2.0.2), Note 306653.1
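The last bullet is the security-relevant one: a shared cache in front of a logged-in application must never hand one user's page to another. The following added example (not Oracle Web Cache's rule engine, not part of the deck) shows how that distinction is enforced with standard HTTP headers: static and explicitly public responses are stored, while anything generated inside a login session, marked private, or carrying a Set-Cookie is passed through. The session cookie name and the sample requests are constructed.

```python
"""Cacheability rule for a shared cache in front of EBS web nodes (added example).

Static and dynamic content may be shared between users; user-specific secure
content may not.  Session cookie name and samples are constructed.
"""
from typing import Dict, Tuple

SESSION_COOKIES = ("JSESSIONID",)   # assumed name of the login session cookie
STATIC_TYPES = ("image/", "text/css", "application/javascript", "font/")


def lower_keys(headers: Dict[str, str]) -> Dict[str, str]:
    return {k.lower(): v for k, v in headers.items()}


def cache_control(value: str) -> Dict[str, str]:
    """Parse 'public, max-age=60' into {'public': '', 'max-age': '60'}."""
    out: Dict[str, str] = {}
    for token in value.split(","):
        name, _, arg = token.strip().partition("=")
        if name:
            out[name.lower()] = arg.strip().strip('"')
    return out


def has_session_cookie(req: Dict[str, str]) -> bool:
    names = {c.strip().partition("=")[0] for c in req.get("cookie", "").split(";") if c.strip()}
    return any(n in names for n in SESSION_COOKIES)


def cacheable(method: str, req_headers: Dict[str, str],
              status: int, resp_headers: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether this response may be stored and served to other users."""
    req, resp = lower_keys(req_headers), lower_keys(resp_headers)
    cc = cache_control(resp.get("cache-control", ""))
    if method != "GET" or status != 200:
        return False, "only successful GET responses are cached"
    if "authorization" in req:
        return False, "authenticated request"
    if "no-store" in cc or "private" in cc:
        return False, "origin marked the response no-store/private"
    if "set-cookie" in resp:
        return False, "response establishes a session"
    vary = [v.strip().lower() for v in resp.get("vary", "").split(",")]
    if "*" in vary or "cookie" in vary:
        return False, "response varies per user"
    is_static = resp.get("content-type", "").startswith(STATIC_TYPES)
    # Dynamic content produced inside a login session is user-specific unless
    # the origin says otherwise with an explicit 'public'.
    if has_session_cookie(req) and not is_static and "public" not in cc:
        return False, "dynamic content inside a user session"
    ttl = cc.get("s-maxage", cc.get("max-age"))
    if ttl is not None and ttl.isdigit():
        return int(ttl) > 0, f"explicit freshness lifetime {ttl}s"
    if is_static:
        return True, "static asset with no explicit lifetime (heuristic)"
    return False, "no freshness information"


if __name__ == "__main__":
    print(cacheable("GET", {"Cookie": "JSESSIONID=abc"}, 200,
                    {"Content-Type": "text/html", "Cache-Control": "max-age=60"}))
```

The rule errs on the side of not caching: a missing header never makes dynamic content shareable, and the application has to opt a page in with `public` before a logged-in user's copy is served to anyone else.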
OracleAS Clusters
Diagram labels: User; Web Cache 1, Web Cache 2; Web Node 1, Web Node 2, Web Node 3
- Clusters of multiple Web Cache instances form a single logical cache
- Cluster members communicate with each other
- Coordinated & distributed content caching
- Coordinated node death detection & failure management
References: OracleAS Web Cache Administrator's Guide (10.1.2.0.2), Note 306653.1 (11i), 380486.1 (R12)
Tips
- Examine the cost-effectiveness of SMP vs Linux-based commodity servers on the middle tier
- Minimize 11i administration overhead via: Oracle Applications Manager, Oracle Applications Management Pack, Oracle Enterprise Manager Grid Control, AutoConfig, shared application file systems
Architectural Goal C: Ensure business continuity
Business Continuity
- A.k.a. Disaster Recovery
- Planning for catastrophic site failures
- Not just tape backups: operational failover
- Can also be used for managing planned outages
- Requires decisions about operational priorities (e.g. should all E-Business Suite services be fully operational after a disaster, or just a subset?)
- Potentially expensive, but what are the costs of total system failure?
References: http://www.oracle.com/technology/deploy/availability/htdocs/maa.htm
Active-Passive Architectures
Diagram labels: Production (San Francisco): AppServer, Database; Standby (Austin, TX): AppServer, Database; Data & Configuration Synchronization
- Completely standalone, self-contained sites
- Data and configurations synchronized constantly between sites via Oracle DataGuard and physical standby
References: Note 216212.1 (11i), 452056.1 (R12)
Configuration C.1
Diagram labels: User; DNS LBR; Production: HTTP LBR 1, AS Node 1, AS Node 2, EBS DB; Standby: HTTP LBR 2, AS Node 3, AS Node 4, EBS DB
- Traffic is rerouted to the offsite HTTP Layer LBR in the event of a disaster
References: Note 217368.1 (11i), 380489.1 (R12)
Supported Architectures
- All standard architectures are supported via failover (e.g. RAC, DMZs, load-balancers, OracleAS 10g integration)
- Failover site architectures may be:
  - Exact duplicates of production sites
  - Reduced in scale (e.g. fewer web nodes)
  - Reduced in scope (e.g. support internal employees but not external users)
Not a Weekend Project
1. Work closely with users, stakeholders, executive sponsors
2. Prioritize disaster recovery needs carefully
3. Research options, check references
4. Work with platform hardware vendors, experienced consultants and partners
5. Deploy proof-of-concept testbeds
6. Test thoroughly
Architectural Goal D: Provide extra services to end-users
OracleAS 10g Integration Options
1. Access Apps via Oracle Single Sign-On
2. Access Apps via Oracle Access Manager
3. Manage users with Oracle Internet Directory
4. Design custom portals with Oracle Web Center
5. Design custom portals with Oracle Portal
6. Analyse data with Discoverer
7. Analyse data with Business Intelligence Applications
Configuration D.1
Diagram labels: Internal Users, HTTP LBR4, Web Node 3, Web Node 4; External Users, Internet, Reverse Proxy, HTTP LBR1, Web Node 1, Web Node 2; LBR2, LBR3, LBR5; SSO Node 1, SSO Node 2; Portal Node 1, Portal Node 2; Disc. Node 1, Disc. Node 2; Oracle Internet Directory Server 10g, OracleAS 10g Infrastructure Database; RAC 1, RAC 2, Shared EBS DB Filesystem
References: 11i: Note 233436.1, 217368.1, 287176.1, 312731.1, 305918.1; R12: 376811.1, 380491.1, 380489.1, 380484.1, 388577.1
Architectural Goal E: Integrate with other systems
Integration With Other Applications
The E-Business Suite supports integration with:
1. Other applications via Oracle Integration
2. PeopleSoft and Oracle Collaboration Suite, using a common enterprise OracleAS 10g instance for Single Sign-On & Oracle Internet Directory 10g and Portal 10g
3. Other authentication systems & LDAP directories via OracleAS 10g Identity Management
Integrate EBS with Third-Party Apps
Diagram labels: Legacy Application, Oracle Integration, E-Business Suite
- Build integrations via Service Oriented Architecture (SOA) technologies
- Over 250 adapters for Enterprise Application Integration
- J2EE and open standards-based integration, including:
  - E-Business Suite, third-party applications, database sources
  - XML, JMS, JCA
  - Web Services: SOAP, WSDL, UDDI
  - B2B Protocols: RosettaNet, HIPAA, EDI
Configuration E.1
Diagram labels: Users; LBR1, LBR2, LBR3; E-Business App Server, EBS DB, RAC 1, RAC 2; OracleAS 10g Infrastructure: SSO Node 1, SSO Node 2, OID 10g Node 1, OID 10g Node 2; OBIEE Node 1, OBIEE Node 2; PeopleSoft App Server, PSFT DB; Siebel App Server, Siebel DB
Third-Party Single Sign-On Integration
The EBS Application Server delegates user authentication to Oracle Single Sign-On 10g, which in turn delegates user authentication to the third-party SSO.
Supported Third-Party SSO Integrations
- Integrate Oracle Single Sign-On with:
  - Windows Native Authentication via Kerberos
  - CA Entrust, CA Netegrity, IBM Tivoli, RSA
  - PKI X.509v3 digital certificates
  - Biometric and smartcard systems
  - Other SSO systems via custom adapters
- Oracle Identity Federation (formerly Oblix COREid Federation): SAML, WS-Federation, Liberty Alliance
- Oracle Access Manager (formerly Oblix COREid Access & Identity)
If you already have a third-party LDAP
Oracle Internet Directory 10g synchronizes user attributes with the third-party LDAP, and in turn synchronizes user attributes with the E-Business Suite DB (FND_USER).
Available Oracle Internet Directory Connectors
- Microsoft Active Directory 2000/2003
- Microsoft Exchange 2000/2003
- Sun Java System Directory (Sun ONE / iPlanet) 5.2
- Novell eDirectory 8.6 / 8.7
- OpenLDAP 2.2
- Any LDAP directory via LDIF files
- Any other directory via a custom DIP agent
- Oracle Identity Manager (formerly Thor Xellerate Identity Provisioning): also integrates directly with E-Business Suite FND_USER & HRMS
- Oracle Virtual Directory (formerly OctetString Virtual Directory Engine)
Configuration E.2
Diagram labels: End User; Third-Party SSO, Third-Party LDAP; Single Sign-On 10g, Oracle Internet Directory 10g; EBS Application Server, EBS Database (FND_USER)
References: Note 261914.1 (11i), R12 System Administrator's Guide - Security
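The attribute synchronization chain in Configuration E.2 and on the "third-party LDAP" slide above ends in the application's own user table, so whatever arrives from the directory decides who can log in. The following added example (not Oracle Internet Directory's or DIP's code, and not part of the deck) models that last hop as a plan-then-apply reconciliation against an FND_USER-style table. Two design choices matter for a defender: accounts the directory drops or disables are end-dated rather than deleted, so audit history survives, and a run that would end-date more than a threshold of users is refused, because an empty or broken feed must not lock everyone out. The user records, the dates and the threshold are constructed.

```python
"""Reconciling a third-party directory into an FND_USER-style table (added example).

Plan first, apply second, so the change set can be reviewed.  Records,
dates and the safety threshold are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

TODAY = date(2008, 9, 1)          # constructed run date
MAX_END_DATE_FRACTION = 0.5       # constructed safety threshold


@dataclass
class DirectoryUser:              # one entry from the third-party LDAP
    uid: str
    mail: str
    enabled: bool


@dataclass
class FndUser:                    # one row of the application's user table
    user_name: str
    email_address: str
    end_date: Optional[date] = None

    def active(self, today: date) -> bool:
        return self.end_date is None or self.end_date > today


Action = Tuple   # ("create", name, mail) | ("update_email", name, mail) | ("end_date", name) | ("reactivate", name)


def plan_sync(ldap_users: List[DirectoryUser], fnd_users: List[FndUser], today: date) -> List[Action]:
    """Compute the changes that make the user table agree with the directory."""
    by_uid = {u.uid: u for u in ldap_users}
    by_name = {f.user_name: f for f in fnd_users}
    actions: List[Action] = []
    for name, entry in by_uid.items():
        row = by_name.get(name)
        if row is None:
            if entry.enabled:
                actions.append(("create", name, entry.mail))
            continue
        if not entry.enabled:                       # disabled upstream: end-date, never delete
            if row.active(today):
                actions.append(("end_date", name))
            continue
        if not row.active(today):
            actions.append(("reactivate", name))
        if row.email_address != entry.mail:
            actions.append(("update_email", name, entry.mail))
    for name, row in by_name.items():               # accounts the directory no longer knows
        if name not in by_uid and row.active(today):
            actions.append(("end_date", name))
    ending = sum(1 for a in actions if a[0] == "end_date")
    if fnd_users and ending / len(fnd_users) > MAX_END_DATE_FRACTION:
        raise RuntimeError(f"refusing to end-date {ending} of {len(fnd_users)} users in one run")
    return actions


def apply_sync(actions: List[Action], fnd_users: List[FndUser], today: date) -> None:
    by_name = {f.user_name: f for f in fnd_users}
    for action in actions:
        kind, name = action[0], action[1]
        if kind == "create":
            fnd_users.append(FndUser(name, action[2]))
        elif kind == "update_email":
            by_name[name].email_address = action[2]
        elif kind == "end_date":
            by_name[name].end_date = today
        elif kind == "reactivate":
            by_name[name].end_date = None


def sample_data():
    """Constructed directory feed and user table covering each action type."""
    ldap = [DirectoryUser("alice", "alice@acme.com", True),
            DirectoryUser("bob", "bob@acme.com", True),          # address changed
            DirectoryUser("carol", "carol@acme.com", False),     # disabled upstream
            DirectoryUser("erin", "erin@acme.com", True)]        # re-enabled upstream
    fnd = [FndUser("alice", "alice@acme.com"),
           FndUser("bob", "bob@old.acme.com"),
           FndUser("carol", "carol@acme.com"),
           FndUser("dave", "dave@acme.com"),                     # gone from the directory
           FndUser("erin", "erin@acme.com", end_date=date(2008, 1, 31))]
    return ldap, fnd


if __name__ == "__main__":
    ldap, fnd = sample_data()
    actions = plan_sync(ldap, fnd, TODAY)
    print(actions)
    apply_sync(actions, fnd, TODAY)
    print("second run:", plan_sync(ldap, fnd, TODAY))
```

Running the plan a second time after applying it yields no actions, which is the idempotence property a scheduled synchronization job needs; the refusal path is what turns a directory outage into a paged operator rather than a mass lockout.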
Architectural Goal F: Provide dynamic capacity
Dynamic Capacity Provisioning, a.k.a. Cloud Computing -- Direction
EBS deployment spectrum:
- Owned: full EBS + eco-system on-premise
- Hosted: full EBS + eco-system in the cloud
- Web 2.0: on-premise EBS + cloud-hosted eco-system
- Web 2.0+: on-premise core EBS + partial eco-system; the cloud provides overflow/peak capacity for EBS + select additional external services
- Other permutations
Direction: further enhance cloud-enabling of EBS
Cloud Delivered EBS Capacity -- Direction
- A rigid capacity provisioning feature set forced either sizing hardware for peak requirements, or hosted solutions by vendors with their own provisioning solutions
- Goal: better managing resource underutilization (versus the historical focus on high utilization)
  - Buy the hardware you need for 80% of the time
  - Peak load services could supplement existing resources
  - Lower cost hurdles to new functionality adoption
Cloud Delivered EBS Capacity
Potential future EBS functionality direction includes:
- EBS instance fingerprint extraction
- Transport
- Alteration
- Stamping
EBS Instance Dimension Fingerprinting
- Appsprint: EBS Appl_Top code level
- Techprint: code level for technology Oracle_Homes
- Configprint: technology configurations (AutoConfig)
- Ecoprint: ecosystem integration points (AutoConfig, MetaLink)
- Database dbf's: transactional data, functional configuration data (iSetup)
Dynamic Provisioning = Extract * Alter * Stamp
OracleAS + E-Business Suite Resources
- Application Server + 11i FAQ: Note 186981.1
- 11i Documentation Roadmap: Note 207159.1
- Application Server + R12 FAQ: Note 415007.1
- R12 Documentation Roadmap: Note 380482.1
Oracle E-Business Suite Technology Stack Blog
http://blogs.oracle.com/schan
- Latest Apps techstack news
- Primers & FAQs
- Certification & desupport announcements
- Advanced architectures
- Early Adopter Programs
- Statements of Direction
- Discussions with Oracle Development
Subscribe via email & RSS