Two interesting posts by Steven Chan
16 May 2007 at 20:08 CEST | In AppServer, Forms, Oracle, Patches and upgrades, SUN JPI/JVM | 6 Comments
I finally managed to read up on all the blogs and stumbled upon two very interesting articles by Steven Chan that are very relevant to us:
- OracleAS 10g Upgrade Paths which describes how Oracle eBusiness Suite handles the upgrade and co-existence of the later AppServer versions. As Steven describes there are a lot of Application Server releases and he is trying to shed some light on them.
- Will the Real JRE Please Stand Up?. This posting describes why you need a specially patched version of Sun 1.5.0_10. Very interesting read and very relevant to us as a technology customer who uses the same tech stack as eBusiness Suite.
Jaap Poot started blogging
1 March 2007 at 11:53 CET | In AppServer, Blogging, Database, Oracle, Other, Other, Personal | Leave the first comment
One of our DBAs, Jaap Poot, has started blogging actively. Jaap will describe the challenges he faces during his daily job as an Oracle Database and Application Server administrator at Eurotransplant.
Jaap has always been a pleasure to work with, both at Eurotransplant and at our former joint employer. He has a wide range of knowledge about all sorts of techniques and systems (Oracle database, application server, Unix/Linux, networking, Windows, hardware, etc). He’s one of the few people I know that have such a thorough knowledge of these diverse techniques. This makes him a crucial player in introducing new technology at Eurotransplant.
Webcache 10.1.2 does not support TLS1.0/SSL3.1 out-of-the-box
10 January 2007 at 20:12 CET | In AppServer, Oracle | 11 Comments
We run Oracle Webcache version 10.1.2.0.2 and had trouble connecting to applications behind the Webcache using the newly released Internet Explorer 7 and from a J2SE 6 Java Virtual Machine. It turns out that Oracle Webcache does not support the latest SSL protocol version, TLS1.0 (also known as SSL3.1), out-of-the-box.
The webcache.xml has a LISTEN element to configure the listening ports. When using SSL this has an SSLENABLED attribute. By default this is set to “SSLV3_V2H”. As it turns out this setting does not support the newer TLS1.0 protocol. Internet Explorer 6 did not use TLS1.0 with the default configuration. As it turns out J2SE 6 does use TLS1.0 by default and we had some installations of Internet Explorer 7 that were also configured to use TLS1.0. Some other installations of Internet Explorer 7 were configured differently. Perhaps this was a difference between the beta and final release.
The Webcache guide does not have anything on this parameter. The only related documentation I could find is Metalink Note 342626.1 and a PDF on securing Oracle Application Server. The Metalink Note just advises changing the SSLENABLED parameter from SSLV3_V2H to SSL without really explaining why. The PDF on hardening an application server advises the opposite: change from SSL to SSLV3_V2H for extra security. All I want to do is enable the more secure TLS1.0 protocol and the PDF suggests I’m opening a security hole with the workaround from the Metalink Note.
I’ve asked Oracle support to document the behavior of the different values I can use for the SSLENABLED parameter. Let’s hope they come up with a satisfactory answer. Until then, the choice is between running the risk of a potential security hole and configuring your clients not to use TLS1.0, which is also less secure.
Update 13-jan-2007: Oracle support replied with the possible settings for SSLENABLED and their meaning:
- NONE - No SSL support
- SSLV3 - NZ setting of nzos_Version_3_0 - SSL protocol version 3
- SSLV3_V2H - NZ setting of nzos_Version_3_0_With_2_0_Hello - SSL protocol version 3 with support of version-2 hello message
- SSLV2 - NZ setting of nzos_Version_2_0 - SSL protocol version 2
- SSL - NZ setting of nzos_Version_Undetermined - no specific version specified
The setting of SSL will accept SSLv2, SSLv3 and TLSv1 connections. This confirms my testing that SSL is the only setting that adds support for the latest TLS1.0 protocol. Unfortunately this also adds support for SSL version 2, which is not secure by today’s standards.
Since the newer browsers and clients will start using TLS1.0, Webcache administrators will want to enable TLS1.0 support. Currently this also means supporting SSLv3. I’ve asked Oracle support to file an enhancement request to get this fixed and add a setting that only supports SSLv3 and TLSv1.
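The trade-off described above can be checked mechanically against a webcache.xml. The following Python sketch is an added example, not Oracle tooling or code from this post; the LISTEN element and the SSLENABLED values come from the post, while the root element name, the PORT attribute and the sample file are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Protocol versions each SSLENABLED value accepts, per the Oracle support
# reply quoted above. SSLV3_V2H is SSLv3 that also tolerates a v2-format hello.
ACCEPTED = {
    "NONE": set(),
    "SSLV2": {"SSLv2"},
    "SSLV3": {"SSLv3"},
    "SSLV3_V2H": {"SSLv3"},
    "SSL": {"SSLv2", "SSLv3", "TLSv1"},
}

# Constructed sample. Only LISTEN and SSLENABLED are taken from the post;
# the CONFIG root element and the PORT attribute are assumptions.
SAMPLE_WEBCACHE_XML = """
<CONFIG>
  <LISTEN PORT="7777"/>
  <LISTEN PORT="4443" SSLENABLED="SSLV3_V2H"/>
  <LISTEN PORT="4444" SSLENABLED="SSL"/>
  <LISTEN PORT="4445" SSLENABLED="TLSONLY"/>
</CONFIG>
"""


def audit_listeners(xml_text):
    """Return (port, setting, finding) tuples for every SSL listener."""
    findings = []
    for listen in ET.fromstring(xml_text).iter("LISTEN"):
        port = listen.get("PORT", "?")
        setting = listen.get("SSLENABLED")
        if setting is None:
            continue  # no SSLENABLED attribute: not an SSL listener
        protocols = ACCEPTED.get(setting.upper())
        if protocols is None:
            findings.append((port, setting, "unknown SSLENABLED value"))
            continue
        if protocols and "TLSv1" not in protocols:
            findings.append((port, setting, "TLS1.0 clients cannot connect"))
        if "SSLv2" in protocols:
            findings.append((port, setting, "SSLv2 accepted"))
    return findings


def settings_with_tls_but_no_sslv2():
    """Values that would allow TLS1.0 without also allowing SSLv2."""
    return [name for name, protocols in ACCEPTED.items()
            if "TLSv1" in protocols and "SSLv2" not in protocols]


if __name__ == "__main__":
    for port, setting, finding in audit_listeners(SAMPLE_WEBCACHE_XML):
        print(f"port {port}: SSLENABLED={setting}: {finding}")
    print("clean settings:", settings_with_tls_but_no_sslv2())
```

Every SSL-enabled value produces a finding, and the list of clean settings is empty, which is exactly the gap the enhancement request is about.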
Single Sign On prevents Caching
18 December 2006 at 11:12 CET | In AppServer, Oracle | 4 Comments
Recently we found out that Oracle Single Sign On is preventing caching of all files served from a SSO protected resource. This caused performance issues since all supporting files like GIF images and JavaScripts were not cached in the client browser.
We use Oracle Single Sign On (SSO) to limit access to our web applications. For this we setup Security Constraints in the web.xml of our J2EE applications. On top of that, we also limit access to the entire virtual directory with a Location directive in the Apache config:
    OssoConfigFile /somewhere/osso-https.conf
    OssoIpCheck off
    OssoIdleTimeout off
    require valid-user
    AuthType Basic
This Location directive makes sure you need a valid SSO session before you are allowed to access anything in this virtual directory. This not only helps protect resources that the developer “forgot” to protect in the web.xml, but the main reason for this was a workaround for a SSO bug we encountered earlier this year.
But recently we investigated some performance issues with our web applications. As it turns out each page request also reloaded all supporting files like images, javascripts, etc. Somehow the browser did not cache these files in the local browser cache. HTTP Header tracing revealed that headers were sent with the HTTP Response that forbid the client to cache this information:
    Pragma: no-cache
    Cache-Control: no-store, Public
    Expires: Thu, 01 Jan 1970 12:00:00 GMT
Further investigation revealed this was caused by Oracle Single Sign On. The Web Cache Administrator’s Guide sheds some light on this. It states that by default mod_osso (single sign on) adds a Surrogate-Control:no-store header to the response. This instructs Web Cache not to cache this page. Testing revealed that mod_osso not only adds this Surrogate-Control header to instruct Oracle Web Cache, but it also adds the headers to instruct the client not to cache these pages (Pragma, Cache-Control and Expires).
The Web Cache Administrator’s Guide also explains how to disable this mod_osso behaviour with the OssoSendCacheHeaders directive in your Apache config. The example in the guide uses it in a Location directive, but testing revealed you can also use it with a Files directive. We used this to exempt certain non-confidential files from the no-proxy regime:
OssoSendCacheHeaders off
This allows us to still restrict access to all files requiring a valid SSO session, but allows the client to cache some non-confidential files in a local cache for performance reasons. Strangely enough I could not find any reference to the OssoSendCacheHeaders directive in the Single Sign-On Administrator’s Guide.
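Exempting files from the no-cache headers is easy to get wrong in either direction, so it is worth checking the headers each kind of resource actually returns. The following Python sketch is an added example, not part of the original post or of mod_osso; the file suffixes, the paths and the second sample response are constructed assumptions, and the first sample reuses the headers traced above.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumption: file types treated as non-confidential and exempted via Files.
STATIC_SUFFIXES = (".gif", ".js", ".css")

# Headers as traced above for an SSO-protected resource.
PROTECTED_PAGE = """\
Pragma: no-cache
Cache-Control: no-store, Public
Expires: Thu, 01 Jan 1970 12:00:00 GMT
"""

# Constructed sample: a response with OssoSendCacheHeaders off in effect.
EXEMPTED_IMAGE = """\
Last-Modified: Mon, 04 Dec 2006 09:00:00 GMT
Content-Type: image/gif
"""


def parse_headers(raw):
    """Turn 'Name: value' lines into a dict keyed by lower-case header name."""
    headers = {}
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def browser_may_cache(headers, now=None):
    """True if none of Cache-Control, Pragma or Expires forbids client caching."""
    now = now or datetime.now(timezone.utc)
    directives = [d.strip().lower()
                  for d in headers.get("cache-control", "").split(",")]
    if "no-store" in directives or "no-cache" in directives:
        return False
    if "no-cache" in headers.get("pragma", "").lower():
        return False
    for directive in directives:
        if directive.startswith("max-age="):
            # max-age takes precedence over Expires in HTTP/1.1
            value = directive.split("=", 1)[1]
            return value.isdigit() and int(value) > 0
    expires = headers.get("expires")
    if expires:
        try:
            if parsedate_to_datetime(expires) <= now:
                return False
        except (TypeError, ValueError):
            return False  # unparseable Expires is treated as already expired
    return True


def check(path, raw_headers, now=None):
    """Compare a response's cacheability with what its path should allow."""
    cacheable = browser_may_cache(parse_headers(raw_headers), now)
    static = path.split("?", 1)[0].lower().endswith(STATIC_SUFFIXES)
    if static and not cacheable:
        return "static file not cacheable (performance)"
    if not static and cacheable:
        return "protected page cacheable (exposure)"
    return "ok"


if __name__ == "__main__":
    print(check("/app/logo.gif", EXEMPTED_IMAGE))
    print(check("/app/report.jsp", PROTECTED_PAGE))
```

The "protected page cacheable" result is the one to watch for: it means the exemption was applied more broadly than the non-confidential files it was meant for.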
Developer Previews of SOA Suite and JDev 10.1.3.1
16 August 2006 at 08:10 CEST | In AppServer, JDeveloper, Oracle, Upgrades and versions | 2 Comments
I just noticed Oracle released a Developer Preview version of their SOA Suite 10.1.3.1. They also released a Developer Preview version of JDeveloper 10.1.3.1 to accompany the SOA Suite.
There’s a list of new features for the JDeveloper 10.1.3.1 release. I’ll download JDev and the SOA suite later today and have a look.
Oracle e-Business Suite will use Sun JPI
1 July 2006 at 11:20 CEST | In AppServer, Forms, Oracle, SUN JPI/JVM | 4 Comments
Pankaj Chandiramini reports Oracle e-Business Suite 12 will replace Oracle’s own JInitiator with the native Sun Java2 Standard Edition, also known as Sun’s Java Plug-In (JPI).
We’ve been running Sun JPI since summer 2005 and had some minor troubles in the beginning, when Sun JPI wasn’t officially supported by Oracle. Oracle eBS also making the switch to Sun JPI is good news for all of us. This means JPI will get even more attention as a platform for running Forms. Currently, most documentation and MetaLink notes still assume you’re running Oracle JInitiator. eBS making the switch might change this and will make life easier for me.
Pankaj also reports eBS 12 will make the switch to the latest platform, which is Application Server 10.1.2 for Forms/Reports and Application Server 10.1.3 for the Java stuff. I bet they would have liked a single platform based on 10.1.3, but Forms is skipping the 10.1.3 platform and will go from 10.1.2 to 11.x. That’s probably why they do this split configuration, since they do want to use the latest J2EE based stuff on 10.1.3.
My first day at ODTUG 2006
20 June 2006 at 18:09 CEST | In AppServer, JDeveloper, Oracle, Workshops & trainings, XML Publisher | Leave the first comment
I won’t bother you all with my sightseeing adventures of Washington D.C. I walked around for about 10 miles (16 kilometers) and my feet are aching.
I also cannot include any pictures of my sightseeing and the presentations, since I forgot the USB cable to connect my camera to my laptop.
I already met up with a lot of people. That’s one of the interesting things of these conferences. You get to meet up with a lot of people that you otherwise wouldn’t meet. This is where you hear all the really interesting stuff!
I attended my first session on Sunday afternoon, but that didn’t really teach me anything new. That’s the risk you run when choosing a presentation based on a very short abstract in the conference schedule.
The end of the Sunday afternoon was the kickoff for the Business Intelligence Summit. It was supposed to shed light on Oracle’s Business Intelligence strategy. But to be honest, it’s still not clear to me. It was well over an hour of marketing bla-bla about Oracle BI Enterprise Edition, the re-branded Siebel Analytics product. The session ended with a 15 minute demo by Mark Rittman, which was very insightful. He gave a short demo of two new features of Oracle Warehouse Builder 10gR2. It all looked very promising, although we are not a user (yet) of Warehouse Builder.
Monday morning we had a keynote by Marco Tilli from Oracle presenting their Fusion Middleware strategy. There were two interesting things I picked up in this session. The first is a (non official) release road map:
- version 10.1.2 is production (Q1-2006)
- version 10.1.3 is production (Q3-2006)
- version 10.1.3.1 is the addition of the SOA Suite available before the end of 2006
- version 10.1.3.2 is the addition of the Workspace Suite (not really sure what that is yet). No date was given for that release
- and finally we will have version 11, for which Marco didn’t give a release date. But from the Forms version 11 webcast I had I expect this to be summer 2007.
They also did two demos during Marco’s presentation. The first one was on BPEL and Oracle Business Rules. For people following all the Oracle news, this was nothing new. The other presentation featured some of the new JSF components. This has been called RIA (Rich Internet Application) components or ADF Faces.Next. Basically, it’s AJAX enabled ADF Faces components. I already saw some of them at Oracle OpenWorld last year.
Oracle doesn’t have a release date for these new components, but they hope to have some sort of early adopter release out by the end of this year. These components look very very promising and I can’t wait to get my hands on them. Frank Nimphius will also cover these components in a presentation on Wednesday, so I’ll certainly attend that one. I’ll see if I can get some more information there.
Oracle XML Publisher - What’s it all about? by Mark Rittman
The next session I had on Monday was by Mark Rittman on XML Publisher. This was by far the most useful session I went to so far. Mark explained what XML Publisher is and did a 45 minute demo. It all looked very interesting. He basically demoed the step-by-step he published on OTN. Take a look to get a good feeling of what XML Publisher can do.
For us, XML Publisher could be a great replacement for Oracle Reports. XML Publisher brings a clear separation between data and layout/presentation. The data can come from a SQL query over JDBC, a HTTP request feeding XML data or a call to a web service. You then apply a template to this data to build the presentation. The great thing is that you can build multiple templates for the same data-set and let the user decide which template to use. This enables things like summary reports and detail reports from the same data. The user can also select their own publishing format (HTML, PDF, XLS, etc).
The template design is done in Microsoft Word (or Adobe Acrobat). This is really great, since it is much more user friendly than the Oracle Reports builder. A small macro plug-in is installed in Microsoft Word. This gives you a wizard to create a first-cut report based on the previously defined data-set. This basically gives you a simple table in Word. Each table cell contains a Field that represents a data item from your data set. You can then use all the layout features in MS Word you like. Mark even told us you can do some (simple) scripting in the Field items. This lets you do things like conditional formatting or displaying, although it is not as powerful as the PL/SQL triggers in Oracle Reports.
The template is then uploaded to the XML Publisher server and is available for the users. As an XML Publisher admin you can set things like security, making certain reports available to only specific user(groups).
You also have two ways to deliver the data in a MS Excel (XLS) file. The most advanced one installs a .Net based plug-in to MS Excel and this allows for some fancy stuff. You can do all sorts of analysis in Excel, which goes back to the XML Publisher server to retrieve the data if necessary. You can also export to a “dumb” XLS file without any active components which might be more suitable for some users.
There’s even an online Analyzer in your browser. You can do things like cross-tabs, with summaries and filters right in your browser. Users can take this and analyze their data without even going to Excel. This is all right from your browser, with active AJAX style components.
XML Publisher comes in a number of flavours, targeted at the different Application suites within Oracle. There’s also a standalone version of XML Publisher. This is the one you should have if you’re not running Oracle Applications. You cannot get it (yet) from OTN, so you have to go to Oracle e-delivery to get your hands on it. Mark explained that the previous 5.5 version was still a bit complex to install and get running. It required quite some handwork, whereas the latest 5.6.2 version installs and runs out-of-the-box.
By-the-way: XML Publisher will be re-branded to BI Publisher later this year and will be included in the Oracle Business Intelligence Enterprise Suite priced for a whopping 225,000 dollar per processor. XML Publisher is (and will remain) available as a standalone product. This is still priced at 40,000 per processor or 30,000 as an Application Server add-on. It’s my personal opinion that this is way overpriced. Let’s hope Oracle will one day just include it in the Application Server Enterprise Edition. Perhaps I’ll do some asking around if they have any plans in that direction.
Oracle BI Roadmap by Christina Kolotouros
The next session I visited was advertised as explaining the roadmap for the Oracle Business Intelligence Suite. This one didn’t really give me the information I was hoping for. We’re not a heavy BI user, we just use some of the traditional tools within Oracle to do some reporting. This means mainly Oracle Reports and I’m trying to figure out where Oracle is heading with it and what we should be doing. This session didn’t really help me answer these questions.
It just gave me the impression that Oracle is really focusing on integrating their BI people with the former Siebel BI people and all the attention seems to go to the high end market with their BI Enterprise Edition products. This is way out of our league.
Web Application Security Part 2 by Duncan Mills
The last session for yesterday I visited was by Duncan Mills on locking down your ADF applications. This was another really interesting session. Duncan emphasised that although you’re using an (advanced) framework like ADF, security is your responsibility. He went on explaining about container managed security and some of the differences between JSP/Struts and JSF regarding this. Struts has some more built-in features for securing certain actions and flows. JSF does not, so you have to group your pages in directories in your web application. These directories can then easily be secured by container managed security specified in your web.xml.
He showed a very nice open source framework he’s working on, named JSF-Security. You can find it on sourceforge and it extends the JSF Expression language with securityScope. This enables you to check if security is enabled, the username of the logged on user, the authentication type or if the logged on user is in a role. This is all done by simple EL expressions that you can use anywhere in JSF. You can typically use this with the rendered property to hide items or you can make items read-only.
But do remember that this is only security by obscurity. You shouldn’t rely on this. It is just making things hidden or read-only in the user’s web browser, as it should. There’s nothing stopping a user (or hacker) from still sending this data, changed, in the next HTML form post. So be sure to really check for security elsewhere also. For example in your ADF Business Components, which is the second demo he showed.
Duncan also showed the use of SYS_CONTEXT to store additional metadata in your database session. Since most web applications use features like session pooling, they all use the same database user to connect to the database. This means you cannot use the USER pseudo-column to determine which user is logged in, in things like triggers. The same goes for things like role grants. Duncan showed how to override the prepareSession() method in your application module. You can use this method to pass the “real” end user to the database and store it in a SYS_CONTEXT.
We already do something very similar so this wasn’t really new to me. But I sat next to a guy who’s also on the customer advisory board of Development Tools whom I met at OpenWorld last year. He told me they’re also doing the same thing, but they also use role grants in the whole setup. Their big application user has all the necessary roles granted but they’re initially all disabled. During the prepareSession() stage only the roles appropriate for the current user are enabled. We didn’t think of that yet, but that’s adding an extra layer of security. I must make sure to put this in an RFC when I’m back in the office.
This completed my session for Monday. In the evening I went for dinner with the guys from Amis, who’re also here and run a couple of presentations. I’ve also agreed to meet up with Mark Rittman tomorrow for a couple of beers, and I’m looking forward to that. Socializing is one of the perks of attending these conferences and is where you get all the in-depth information. I’ll blog again with a summary of the sessions on Tuesday.
Our patch and upgrade policy
18 March 2006 at 10:45 CET | In AppServer, Database, Oracle, Patches and upgrades | 4 Comments
Eurotransplant allocates organs available for donation in 6 European countries. Whenever an organ donor is available in any of these six countries, Eurotransplant is notified. We collect data about that donor and start the matching to all recipients on the waiting list. This process relies heavily on IT. It’s also a very time critical process and has to be available 24×7, as you can imagine. It can be a matter of life and death for the recipients on the waiting list. That’s why we cannot take a lot of risks with installing new patches and upgrades to our (Oracle) software.
We release a new version of our system every 1.5 to 2 months. During that period, changes to the system are continuously tested. Developers finish the release at least one week before the release date. That last week is used for final testing of all critical components.
With this in mind, we defined our policy for patches and upgrades to the Oracle software. Let’s start with one-off patches. Upgrade and patch sets have to be installed on the test and development environments before the start of the next development cycle. If all goes well, the upgrade or patch set is installed on production at the end of the release cycle, when the new release goes live. So, all tests and the final critical test are done with the patch set or upgrade in place.
Larger upgrades might take even longer and will have separate test environments. A good example was our recent upgrade from database 8.1.7 to 10.2.0. Developing and testing this upgrade was so much work that it was done outside the normal development cycles.
We’re a bit more flexible with installing one-off patches. These patches are limited in scope and thus less risky than full upgrade or patch sets. Also, these tend to be more time critical since they target specific bugs we’re suffering from. A one-off patch also gets installed on test/development first. It doesn’t really matter when it’s installed as long as it is before the start of the final week of critical tests. That way the one-off patch can be installed on the production environment with the next release.
In very exceptional circumstances we can decide to install a one-off patch on production outside normal release dates. But we would only do that if we’re hitting a truly critical bug.
Eurotransplant Customer Snapshot online
31 August 2005 at 08:42 CEST | In AppServer, Forms, JDeveloper, JHeadstart, Oracle, Other, Other | 2 Comments
Oracle Netherlands has published a (Dutch) Customer Snapshot about Eurotransplant on their site. It’s a short story explaining what Eurotransplant is and how we used Oracle products/techniques to tackle some challenges. It’s primarily about our move from client-server Forms 6i to web-deployed Forms 10g and our adoption of JDeveloper, ADF, JHeadstart and Swing. We’ve created some JHeadstart/UIX based web applications and we’ve built a Swing client that can run disconnected on a user’s laptop. It will synch its data with the central database through some web services running on Application Server 10g once a (UMTS) connection is available.
Ever since I have this weblog, I’ve been in touch with a number of people within Oracle. I think that’s one of the perks of having this weblog. Our close relation to Oracle has given me more insights in what’s happening within Oracle and what to expect in the coming period. The weblog also gave me the contacts that approached me for this Customer Profile. I think this close cooperation with Oracle can prove to be beneficial to both of us.
Update: Oracle Global has also released a Customer Snapshot on Eurotransplant. It’s even mentioned in the News sections on the Forms site of OTN and the J2EE for Forms/Designer Developers site on OTN.
Licensing policy change for multi-core processors
19 July 2005 at 13:01 CEST | In AppServer, Database, Oracle, Other | 1 Comment
The IT-Eye weblog was just added to Orablogs. Unfortunately that was too late to pick up an entry about Oracle’s change of policy for multi-core processors. They refer to an interesting article in eWeek about this change.
I think it was about time that Oracle clarified/changed their policy on multi-core processors. The only thing that remains is a change in policy for grid computing. On the one hand Oracle is promoting use of multiple relatively small machines in a grid but on the other hand they keep charging by the processor. That forces us to minimize the number of CPUs and thus to not use grid.

