8
System Management

This chapter provides an overview of Oracle9i Application Server system management features and benefits. The topics include:

• System Management Overview

• System Management Architecture

• About Management

• Management Features

• About Security

• Security Features

System Management Overview

In today's Internet economy, where success is directly impacted by the availability and performance of your production Web sites and applications, you need to be able to rely on a highly secure, highly available, and finely tuned production deployment platform.

Oracle9i Application Server provides a set of industry standards-based management facilities to simplify all aspects of Web site administration. It includes a comprehensive deployment infrastructure designed to streamline application deployment by leveraging a single security and directory framework for all applications and by providing administrators with a single management tool to manage, monitor, tune, and troubleshoot across all Oracle9iAS instances.

Oracle9i Application Server uses Oracle Enterprise Manager to enable Web site administrators to configure Oracle9iAS instances, to monitor and optimize them for performance and scalability, and to respond proactively to problem conditions.

Oracle9i Application Server also provides an SSL/X.509V3 Certificate-based security architecture, which provides user authentication through SSL certificates, encrypted SSL communication, and single signon across applications.

Oracle Internet Directory, an LDAP directory, provides a single repository and administration for user accounts.

System Management Architecture

Oracle9i Application Server System Management architecture consists of the following sections:

• Middle Tier: All of Oracle9i Application Server applications, such as J2EE and Web Cache, Portal and Wireless, Business Intelligence and Forms, and Unified Messaging, exist and are executable on the middle tier.

• Infrastructure: Infrastructure installations provide a centralized location for managing data used by application servers. Most of this data is managed programmatically by application server instances and components and is invisible to users. An infrastructure contains the following components:
  • Metadata Repository is an Oracle9i Enterprise Edition database. It is pre-seeded with the schemas used by all Oracle9iAS components, including any schemas needed for components demos.

  • Oracle9iAS Single Sign-On enables users to access multiple accounts and applications with a single password. Oracle9iAS Single Sign-On retrieves user information from Oracle Internet Directory.

  • Oracle Internet Directory is Oracle's implementation of Lightweight Directory Access Protocol (LDAP), version 3. Application server instances, components, and infrastructures store security and management information in the directory.

An example of such an architecture is shown in Figure 8-1.

Figure 8-1 Oracle9i Application Server System Management Architecture

Text description of the illustration asins009.gif

See Also: Oracle9i Application Server Administrator's Guide Oracle9i Application Server Installation Guide

About Management

Oracle Enterprise Manager provides an integrated solution for centrally managing your Oracle environment. Combining a graphical console, common services, and administrative tools, Oracle Enterprise Manager provides a comprehensive system management platform for managing Oracle products.

As an Oracle9iAS administrator, you can use the Oracle Enterprise Manager Web site and the Oracle Enterprise Manager Console to manage your Oracle9iAS installations.

See Also: Oracle9i Application Server Administrator's Guide

Using the Oracle Enterprise Manager Web Site

For Oracle9iAS Release 2.0, Oracle introduces the Oracle Enterprise Manager Web site, which provides Web-based management tools designed specifically for Oracle9iAS. Using this Web site, you can monitor and configure the components of your Oracle9i Application Server installations. You can deploy applications, manage security, and create and manage Oracle9i Application Server clusters.

The Oracle Enterprise Manager Web site is installed on the middle tier as part of the Oracle9i Application Server installation option.

Depending on the type of Oracle9iAS installation you support, you can use the Enterprise Manager Web site independently to manage individual Oracle9iAS instances and clusters, or you can use it with the Oracle Enterprise Manager Console to manage your entire Oracle environment.

Using the Oracle Enterprise Manager Console

The Oracle Enterprise Manager console provides a wider view of your Oracle environment, beyond Oracle9iAS. Use the Console to automatically discover and manage databases, application servers, and Oracle applications across your entire network.

The Console and its related components are installed with the Oracle Management Server as part of the Oracle9iAS Infrstructure installation option. The Console is part of the Oracle Management Server component of the Oracle9iAS Infrastructure.

The Management Server, the Console, and Oracle Agent are installed on the Oracle9iAS Infrastructure host, along with the other infrastructure components.

See Also: Oracle9i Application Server Installation Guide

Management Features

Oracle Enterprise Manager includes the following features that enable you to manage your Oracle9iAS framework:

• Single Point for Distributed Configuration and Management

• Performance Monitoring

• Dynamic Monitoring Service

• J2EE Deployment and Administration

Single Point for Distributed Configuration and Management

Oracle Enterprise Manager Web site provides a complete management solution for administering and configuring the application server and its components. It allows you to effectively manage the Oracle9iAS environment remotely by enabling tasks such as:

• Automatically detecting all Oracle9iAS instances and their associated components on a target node for management by the Oracle9iAS administrative tools.

• Providing the ability to start and stop all Oracle9iAS components.

• Providing a single point to create and manage Oracle9iAS farms and clusters. Clusters provide a central point for managing multiple Oracle9iAS instances that host a common set of J2EE applications.

• Performing common administrative operations for all Oracle9iAS components, including configuring ports and log files.

Oracle Enterprise Manager Web site and the infrastructure repository simplifies configuration and administration of the Oracle9iAS infrastructure and provides you with all the tools you need to focus on monitoring key day and day usage and performance patters.

Performance Monitoring

Accurate, timely, and relevant performance and troubleshooting data is absolutely essential in maintaining and monitoring the state of your production Web sites and applications. Oracle9iAS provides a host of critical performance data that are essential to tune your application server, identify resource availability issues, or help tune your application server to achieve maximum throughput and the minimum response time possible.

Oracle Enterprise Manager Web site provides a comprehensive aggregate view of the current and historical status of your Oracle9iAS environment. It allows you to monitor status, usage, and performance data for your entire Oracle9iAS environment including:

• Instance and component availability and uptime statistics

• Resource utilization including CPU and memory

• Server load and responsiveness including user volumes, active requests, request throughput and process time, error rates

Dynamic Monitoring Service

Oracle Enterprise Manager leverages an underlying service, the Dynamic Monitoring Service (DMS), to collect the performance data discussed above. Oracle9iAS has been fully instrumented with DMS to provides comprehensive set of built-in performance metrics to automatically measure runtime performance statics, which allows you to monitor the duration of important phases of request processing as well as status information such as the number of requests being handled at any given moment.

In addition, you can easily add monitoring to your own applications through the DMS library and API. The performance metrics are measured automatically and continuously using efficient performance instrumentation hooks, no extra configuration is required. You can view your DMS metrics through a browser as well as through the OEM console.

J2EE Deployment and Administration

Oracle9iAS enables you to easily administer OC4J and your J2EE applications. This interface supports:

• Configuring OC4J through declarative property sheets, as an alternative to manually editing XML files.

• Configuring application services and resources including Web sites (IP and URL paths for Web modules), JDBC data sources and security settings including user groups and roles.

• Deploying J2EE applications through a wizard that allows deployment to a single OC4J container or cluster and automates mapping URL paths, data sources, selecting a user manager and mapping security roles

• Browsing and maintaining applications including installing application updates or patches, and modifying application configuration.

• Monitoring the availability, usage, and performance of all applications to determine request volume, longest response time, and additionally, for Servlets and JSPs load time, service time and overhead.

About Security

Oracle9i Application Server provides a comprehensive integrated security framework supporting all its components, as well as third party and custom application deployed on Oracle9iAS. The framework is based on Oracle9iAS Single Sign-On for authentication, the Java Authentication and Authorization Service (JAAS) for security services in J2EE, and Oracle Internet Directory for authorization and user provisioning.

See Also: Oracle9i Application Server Security Guide

Figure 8-2, illustrates how the elements of Oracle9i Application Server function together. Following is the functionality of the various components:

• Oracle9iAS Web Cache is positioned in front, where it provides efficiency.

• Oracle HTTP Server supplies the basic Web services which are provided by Apache.

• Oracle9iAS Portal provides the infrastructure, including the ability to create and manage Web pages. It lets you display multiple Web pages on each Web page, with links to content through Java applications.

• Java engine lies underneath Oracle9iAS Web Cache and Oracle HTTP Server, supporting their ability to link efficiently.

• Oracle9iAS Single Sign-On enables users to login to Oracle9iAS and gain access to those applications for which they are authorized, without requiring them to re-enter a user name and password for each application.

• Oracle Internet Directory serves the rest of the stack by providing authentication, and a centralized user model where by users can be created and managed on an enterprise scale.

Figure 8-2 Security Architecture of Oracle9i Application Server

Text description of the illustration sysmgse3.gif

Security Features

Oracle9iAS includes the following security features that enable you to secure your Oracle9iAS framework:

• Oracle9iAS Single Sign-On

• Java Authentication and Authorization Service (JAAS)

• Oracle Internet Directory

Oracle9iAS Single Sign-On

An important security feature of Oracle9iAS is support of single signon (SSO) to Web-based applications. Oracle9iAS Single Sign-On addresses the problem of "too many passwords". With the rapid growth of the Internet, this problem has been increasingly prevalent, causing users inconvenience that typically results in poor security practices, and increased administrative costs.

Oracle9iAS Single Sign-On resolves this problem by enabling users to login to Oracle9iAS and gain access to those applications for which they are authorized, without requiring them to re-enter a user name and password for each application.

It is fully integrated with Oracle Internet Directory, which stores user information. It supports LDAP-based user and password management through OID.

Figure 8-3 shows the architecture of Oracle9iAS Single Sign-On.

Figure 8-3 Oracle9iAS Single Sign-On Architecture

Text description of the illustration sso.gif

Oracle9iAS Single Sign-On provides the following functionality:

• Authenticates users and passes their identities securely to partner applications, such as Oracle9iAS Portal. It prompts users for a username and password when they access the system for the first time in a given time period, and verifies the password presented by the user.

• Uses cookies, which are formatted pieces of information stored on a browser client by a Web server. Cookies allow Web servers to store and retrieve information about the client user, effectively maintaining client state information in the otherwise stateless Web environment.

• Supports Public Key Interface (PKI) client authentication, which enables PKI authentication to a wide range of Web applications. By means of an API, Oracle9iAS Single Sign-On can integrate with third-party authentication mechanisms such as Netegrity Site Minder.

With Oracle9iAS Single Sign-On, users typically sign on to a centrally administered Single Sign On Server through a central Web portal. Once it authenticates the user, Single Sign On Server displays links to all the applications for that user.

Using a central Web portal with a centrally administered Single Sign On Server has these advantages:

• Convenience: The user enters the user name and password only once, at a central corporate Web portal, to access all the needed applications. From the user's perspective, authentication to each application happens transparently.

• Increased Security: Fewer user name and password combinations lowers the risk of unauthorized access to a user's restricted information.

• Ease of Administration: Oracle9iAS Single Sign-On provides centralized provisioning of user accounts, so that administrators can easily create new user accounts. Centralizing the authentication process also makes it possible to support additional authentication mechanism in a localized manner. For example, you can implement an LDAP-based authentication, or digital certificate-based authentication, and the change would be localized to the SSO Server.

Partner and External Applications

There are two kinds of applications to which Oracle9iAS Single Sign-On provides access:

• Partner Applications

• External Applications

Partner applications are integrated with the SSO Server. They contain an Oracle9iAS Single Sign-On API that enables them to accept a user's identity as validated by the SSO Server.

External applications are Web-based applications that retain their authentication logic. They do not delegate authentication to the SSO Server and, as such, require a user name and password to provide access. Currently, these applications are limited to those which employ an HTML form for accepting the user name and password. The user name may be different from the SSO user name, and the SSO Server provides the necessary mapping.

The SSO offering in Oracle9iAS is a critical differentiator for users seeking a robust, fully integrated SSO architecture. Oracle9iAS leverages JAAS and LDAP capabilities of Oracle Internet Directory, to deliver a comprehensive end-to-end security infrastructure across the entire Oracle9iAS product.

Java Authentication and Authorization Service (JAAS)

Oracle9i Application Server provides an implementation of Java Authentication and Authorization Service (JAAS) that integrates with the Oracle9iAS J2EE security infrastructure to enforce security constraints for Web (servlets and JSPs) and EJB components.

JAAS support provides the following benefits:

• Integrates Java-based applications with Oracle9iAS Single Sign-On, includes authentication, thereby giving you extensible security for Java-based applications.

• Manages access control policies centrally in Oracle Internet Directory, controls access by role, and partitions security policy by subscriber.

• Supports impersonation of a specific user, allows an enterprise bean, servlet, or JSP to run with the permissions associated with the current client or a specified user.

Oracle Internet Directory

Oracle Internet Directory (OID) is a critical component of Oracle9iAS management and security infrastructure. It ensures that user accounts and groups are managed centrally through the LDAP Version 3 standard. Oracle9iAS enables users to be created centrally in OID and shared across all components in Oracle9iAS. When users log in, they are authenticated once by Oracle9iAS Single Sign-On against their OID credentials, and can thereby access multiple applications seamlessly.

Self-Service Console

Oracle Internet Directory includes a Self-Service Console, an easy-to-use, Web-based interface which allows end-users and application administrators to search for and manage data in the directory. Combined with the new Delegated Administration Service, this console provides Oracle9iAS with means of provisioning end-users in the Oracle9iAS environment. OID also enables components of Oracle9iAS to synchronize data about users and group events, so that those components can update any user information stored in their local application instances.

Password Management

Oracle Internet Directory provides users with a very directory searches through sophisticated server-side caching capabilities. OID also provides two key features that ensure administrators can deliver seamless directory services to all users:

• Alias De-reference: When a user or an application searches on an alias, OID automatically de-references the alias and returns the entry to which it refers. This feature enables administrators to change the names of objects in ways that are transparent to users and applications.

• Enhanced Proxy Capabilities: Administrators can safely establish performant, auditable middle-tier application access to the directory on behalf of end user communities.

Synchronization with Third Party LDAP Servers

The Oracle Directory Integration Platform enables customers to synchronize data between various directories and Oracle Internet Directory. The Oracle Directory Integration Platform is a set of services and interfaces which make it possible to develop synchronization solutions with third party metadirectories and other enterprise repositories, such as iPlanet. With Oracle9iAS, Oracle Internet Directory includes an agent for out-of-the-box synchronization with Oracle Human Resources and an agent for synchronizing information with selected third party LDAP servers.

Oracle Internet Directory also provides a plug-in framework for applications that require customized functionality, such as referential integrity of data. The plug-in framework is delivered as a highly-flexible PL/SQL interface, allowing user-defined operations to be invoked by the directory server before or after LDAP commands.

Key Directory Features

Oracle Internet Directory provides the following key directory features:

• Native LDAP v3 server supporting all LDAP2000-compliant RFCs, including LDAP v2 and v3 RFCs

• Supports the X.500 information, naming, and storage model

• Extensible directory schema for online modifications with no downtime

• LDAP developers APIs in Java, C, and PL/SQL to assist with application development.

Using Oracle Internet Directory with Middle Tier Components

The middle tier components use Oracle Internet Directory in the following ways:

• Application server instances and infrastructures store security and management information in Oracle Internet Directory. Oracle Internet Directory stores users information, such as user names and privileges, required for internal operation of the application server.

• JAAS stores realms and JAAS policy in Oracle Internet Directory.

• Oracle9iAS Single Sign-On validates the user name and password against user and group profiles stored in Oracle Internet Directory.

  See Also: Oracle Internet Directory Administrator's Guide