SOA Infrastructure

Sizing Oracle Coherence Applications

2010-08-24T12:10:00.000-07:00

The following is the last of the five posts which will list the best practices and performance suggestions for tuning one’s Oracle Coherence environment. This is a general guide that will evolve as new product features are added to Oracle Coherence.

Sizing Oracle Coherence

Remember there are 4 types of virtual machines in Coherence:

JVMs that are used for data storage (“storage JVMs”)
JVMs that run client applications and do not store data (“client JVMs”)
JVMs that run client applications and connect to the cluster via Coherence*Extend (TCP/IP)
.NET applications that run client applications and connect to the cluster via Coherence*Extend (TCP/IP)

The protocol for storage and client JVMs (type 1 and 2 above) is TCMP (“Tangosol Cluster Management Protocol”, based on UDP unicast).

Tips for Sizing Oracle Coherence

Allow extra space for overhead

Every object has one full backup on another JVM on another machine

If a JVM fails, Oracle Coherence automatically fails over AND creates new backups on other JVMs

This means that if a JVM fails, other JVMs will need to accommodate the backups of the objects

Rule-of-thumb: each 1 GB JVM can store 350 MB of actual object data

That means a 16 GB machine will support about 4.5 GB of raw object data. 13 JVMs * 350 MB = 4.55 GB

Question #1: How many 1 GB JVMs can you run on a box with 16 GB of RAM?

Answer: At most 13
Start with 16 GB of RAM
Subtract RAM required for OS and other apps
/ divide by 1.2 (remember, 1 GB of heap uses 1.2 GB of RAM)
(16 GB – 400 MB ) / 1.2 GB = ~ 13

Question #2: How many 16 GB machines will be required to support 20 GB of data in the grid?

Answer: At least five (six for HA)
* Each JVM handles 350 MB
* You have 13 JVMs per machine
* You have 4.5 GB per machine (13 * 350 MB)
* 20 GB / 4.5 GB per box = 4.44
* Round up to 5

I hope these series of five posts on Oracle Coherence have been helpful to you!

Tuning Oracle Coherence*Web Applications

2010-08-17T12:04:00.000-07:00

The following is the fourth of five posts which will list the best practices and performance suggestions for tuning one’s Oracle Coherence environment. This is a general guide that will evolve as new product features are added to Oracle Coherence.

Oracle Coherence*Web

Oracle Coherence*Web is an HTTP session management module and a drop-in replacement for application server container session management. It basically “wraps” existing web applications, no runtime byte code manipulation is done and any requests to use sessions (from servlets, JSPs, filters, etc) are intercepted by Oracle Coherence*Web wrappers. For more details you can look at:

Coherence*Web Session Management Module
Coherence*Web and WebLogic Server
Coherence*Web and Other Application Server Containers

High-Level Steps to enable Oracle Coherence*Web

Run the inspector on the existing WAR/EAR file (This generates a coherence-web.xml configuration file. This file wraps all servlets, filters, etc with Coherence implementations. It also contains configuration settings for Coherence*Web)

Inspect and (if any changes are required) modify the coherence-web.xml file

Run the installer process on the existing WAR/EAR which generates a new WAR/EAR and backs up the original WAR/EAR.

You now deploy the new WAR/EAR to the Application Server Container

The complete steps for the Oracle WebLogic Server are listed here.

Troubleshooting Oracle Coherence*Web

Obtain a baseline for the application without Coherence to properly determine how sessions are being used and replicated. This will make it easier to compare with Coherence and further troubleshoot.
Network throughput can be an issue as well. Run a datagram test to determine how much one can push between machines. This will help tune the network between the web application tier and the data grid. Review the first post in this series and specifically in the networking section.
The session model will be a factor in the performance; the split session model is default and will keep small session attributes in the near cache while large ones will be accessed from the grid. If the application regularly uses lots of large attributes, another model may be more appropriate. Review the Session Models at this link.
Review their cache configuration file. From a web application caching perspective, Coherence*Web in a web-app really gets a big benefit from a near caching scheme, where objects of a size less than 1K are kept in the local JVM, avoiding the network hop and marshalling/deserialization.
If one is deploying multiple web applications, sometimes it's desirable to share session attributes and sometimes it is not. There is configuration for scoping link on this page.
For sizing it depends on the web-application and how the web-application uses the session to determine the proper size of the grid. Some testing with some average test cases should be used to arrive at a metric such as “1 user takes X MB in the grid”.

Tuning/Troubleshooting Oracle Coherence Applications

2010-08-10T12:01:00.000-07:00

The following is the third of five posts which will list the best practices and performance suggestions for tuning one’s Oracle Coherence environment. This is a general guide that will evolve as new product features are added to Oracle Coherence.

Troubleshooting Multicast Issues

If you have Oracle Coherence installed on the hosts between which you're testing multicasting, you can use its multicast connectivity test
In addition you can use its datagram test to measure network throughput. The practical max on a well-tuned gigabit Ethernet link is ~115MB/sec.
Finally make sure to use: -Djava.net.preferIPv4Stack=true
Optionally one can use Well-Known-Addresses (WKA or Unicast) to eliminate any multicast issue.
If one is on Windows 2003, 2008, Vista, or Windows 7 and are experiencing problems with sharing ports for multicast check the registry for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Afd\Parameters\DisableAddressSharing and see if it is set to “1”. If so change this to “0”, reboot the machine, and retest. From Microsoft: "Enhanced socket security was added with the release of Windows Server 2003. In previous Microsoft server operating system releases, the default socket security easily allowed processes to hijack ports from unsuspecting applications. In Windows Server 2003, sockets are not in a sharable state by default. Therefore, if an application wants to allow other processes to reuse a port on which a socket is already bound, it must specifically enable it. "
If one is on Windows, run the following command to generate some further information on the machine’s networking:

netsh firewall show state verbose=enable

Log Messages Explanation

Review the following link for causes and actions to common TCMP (Tangosol Cluster Management Protocol, based on UDP unicast) log messages from Coherence.

Troubleshooting Checklist for Oracle Coherence Applications

2010-08-03T11:50:00.000-07:00

The following is the second of five posts which will list the best practices and performance suggestions for tuning one’s Oracle Coherence environment. This is a general guide that will evolve as new product features are added to Oracle Coherence.

General Oracle Coherence Performance Questions

The following is a general list of questions to review when troubleshooting performance issues with Coherence.

What application server is being used in conjunction with Oracle Coherence?
Is Oracle Coherence being run within the same JVM as the app-server container or is the data grid setup outside of the app-server container? (i.e. is storage disabled here with –Dtangosol.coherence.distributed.localstorage=false )
How many storage nodes are being used for Oracle Coherence? (Is there adequate storage for all the data?)
What size is the java heaps for these storage nodes?
Are the out-of-the-box Oracle Coherence configuration files being used from within coherence.jar? (i.e. Coherence itself has not been tuned to the environment/application?) See Sample Cache Configuration Files for details.
Are configuration files specified via a –D flag to the Oracle Coherence Cache Servers or within a jar file? i.e. -Dtangosol.coherence.override=<file> and -Dtangosol.coherence.cacheconfig=<file> being used?
What is the Thread-count set for Oracle Coherence?
What type of partitioning is being used? Is a near-cache being used or replicated? “Partitioned/Distributed cache gives a real linear scalability and should be used in pretty much all scenarios. With Replicated cache the same data are copied over to all the nodes and is very performance taxing if data are changed.” Information on the near-cache, partitioned cache and replicated cache.
Multicast or Unicast? (Review the Multicast Troubleshooting section below.)
Is this a 32 bit JVM or a 64 bit JVM? JRockit or Sun JVM?
What garbage collection algorithm is being used?
Review the Platform-Specific Deployment Considerations section of the documentation.

Tuning a Oracle Coherence Application

2010-07-27T11:38:00.001-07:00

The following is the first of five posts which will list the best practices and performance suggestions for tuning one’s Oracle Coherence environment. This is a general guide that will evolve as new product features are added to Oracle Coherence. In general the key performance killers for any data-grid are the: Network, Java Virtual Machine (JVM) configuration and grid configuration. Network is critical and running a multicast test will help validate the environment.

Tuning a Oracle Coherence Application

Network Topology:

Check the Network
Check the MTU size. Oracle Coherence uses a packet size based on the standard 1500 byte MTU. If one is on Windows, this operating system includes a fast I/O path for "small" packets, where small is defined as 1024 bytes. Increasing this limit to match the MTU can significantly improve network performance. FastSendDatagramThreshold is the registry value for this on Windows. To make these changes to your registry, run the included "optimize.reg" registry file in the Oracle Coherence product installation.
Run the Datagram test to measure network throughput and check the success rate. The practical max on a well-tuned gigabit Ethernet link is ~115MB/sec.
Make sure there is a 1 GB network between all servers (avoid mixed speed networks)
Network Switch tuning (avoid multiple switches)
Are Cisco switches involved? The solution is to make sure unicast is being used with WKA (Well-Known Addresses). See the following link with Cisco Switches around packet pauses (visible when coherence logging is turned up).
Check the JMX MBean for packet delivery/receiver success rates when running these basic tests.

Operating System:

Adjust UDP buffer size on the operating systems where the Oracle Coherence Servers are running.

JVM Tuning:

Start with a Java Heap of 1 GB (-Xms=1g -Xmx=1g) for each Oracle Coherence Server and tune from there based on performance tests, application profile, and the operating system (32 bit or 64 bit OS). A JVM with 1 GB heap uses 1.2 GB of physical RAM.
Do not configure your JVMs to exceed physical RAM since this will cause swapping and bad performance.

1. Run “swap –l”, “top”, or “vmstat” to verify the system is not swapping and RAM is available
2. Allow ~400 MB for the operating system
3. Take into account other software running on the system

If one is using Oracle HotSpot VM, make sure to use the “-server” argument. This is a link to all HotSpot VM Options.
If one is using Oracle JRockit RealTime VM, the following parameters are a good starting point

-Xms=1g -Xmx=1g -XgcPrio:deterministic -XpauseTarget=10ms -Xverbose:opt,memory,gc,gcpause,memdbg,compaction,starttime,load,cpuinfo,systemgc -Xverbosetimestamp –Xgcreport -Xverboselog:/full/path/logfile.log

If one is running into strange Network issues, make sure to first add the following flag to the Oracle Coherence Server nodes: -Djava.net.preferIPv4Stack=true

Oracle Coherence Application Tuning

Use getall() and putall() APIs which will result in a huge performance improvement
Serialization: Use either the ExternalizableLite interface or POF (Portable Object Framework) from Coherence. POF will result in the best performance gains (up to seven times (7x) compared to java.io.Serializable) however there is more initial code to with POF.
Entry Processors - can be used to update data instead of doing: lock(id), value=getID, setValue
Set once across the wire instead of multiple locks/etc in order to execute business rules where the data lives. Three times (3x) improvement from less network hops. Use invokeAll() API and look into setting the thread count in cache configuration to higher than one for this.
Use “lite” events such as event listeners which can be configured to receive or not receive old/new values.
Database integration – Caching Strategy

Coherence Behind - Use Oracle Coherence as L2 Cache for ORM (Oracle TopLink JPA)
Coherence to the side - Application manages Data Crud in Oracle Coherence next to OR/M
Coherence on Top - Coherence is the system of record, use cacheloaders and cache stores to integrate with Data Sources

Review the Production Checklist which contains information on the following topics:

Oracle Coherence Networking Links

Coherence TCMP Network Protocol Explanation TCMP stands for “Tangosol Cluster Management Protocol” which is based on UDP Unicast.

Oracle Coherence 3.5 Book Review Results

2010-05-26T08:30:00.000-07:00

Review of Oracle Coherence 3.5 Book

The following is my review of the Oracle Coherence 3.5 eBook from Packt Publishing.

High-Level Overview

I though this was an excellent book on Oracle Coherence!
Each chapter builds upon the previous like building blocks to build a solid foundation of knowledge and is an excellent reference book.
The core chapters (5,6,7,8) are very powerful, a great read and I highly recommend reading this book!

Detail:

Preface: Review/Refresh of "What Coherence is..." for everyone. More advanced users of Coherence can skip this part.
Chapter 1: A review and background of RASP, basic testing and foundations of applications/application testing. "Why/What Coherence is..." A good review for people of all levels.
Chapter 2: Getting started with Coherence from installation to the first application. Excellent starting part for Coherence users to get their hands on starting and troubleshooting a basic Coherence application and setup.
Chapter 3: Great information on the different types of caches and when to best make use of each one.

Chapter 4: This goes into the concept of Domain Models and Serialization choices (Portable Object Format - POF) for your application.
Chapters 5, 6, 7, 8: I really enjoyed these next several chapters since they get into the fun stuff of Coherence! Including:

Querying the data-grid with a variety of options in the most performant ways
Submitting work-requests to the Coherence Data Grid from your application where the power of the Data Grid is used to parallel process and aggregate your request
Data Grid Events where you can do multiple things like listen for data changes and take various actions.
Finally using Coherence and backing data stores (the database is the classic example here) to use the power of Coherence as the Data Grid layer and read/write changes to/from the backing data store. All-in-all, these core chapters are very powerful and a great read!

Chapter 9: This goes into good depth on what a Coherence*Extend client is to the data grid, when to use this, and the how-to's on setting it up.
Chapter 10 and 11: Integration from .NET and C++ clients into a Coherence Data Grid gives very good insight if this is a use-case for you. If not, it is a great read on the power and flexibility of Coherence to be accessed from multiple technologies outside of Java.

Suggestions:

I really liked how Chapter 2 included the hands-on part so more hands-on examples included per chapter (where appropriate) would have been very nice.
The Coherent Bank application contains *alot* of great code to review and make use of and ties all of the chapters together. I had one issue with the version of the code-sample I downloaded from the website when running the application so hopefully this is updated on the website in the future. My specific exception was when accessing the deployed web-application:

Problem accessing /bank/login. Reason:

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'testDataCreator' defined in ServletContext resource
[/WEB-INF/bank-servlet.xml]: Invocation of init method failed; nested exception is (Wrapped) java.io.NotSerializableException: com.seovic.samples.bank.domain.Customer

Coherence 3.5 Book Review

2010-04-19T07:21:00.000-07:00

I am currently reviewing the new Oracle Coherence 3.5 eBook out from Packt Publishing and hope to have some comments out soon. Looks to be a great book and I look forward to reading it!

Setting up Oracle Data Integrator (ODI) with Change Data Capture (CDC): DB Table to WebLogic Server JMS Queue

2010-02-15T14:12:00.000-08:00

Introduction:

The following shows detailed steps on how to setup ODI with Change Data Capture on a database table so that all changes to a database table are loaded into a target. In this case the target is a JMS Queue hosted on a WebLogic Server 10.3 container.

Pre-requisites

Download Oracle 10gR2 Database if it is not already installed
Download ODI 10.1.3.5
Install ODI 10.1.3.5
Review ODI Documentation
Download and install WebLogic Server 10.3
Understanding of JMS Queues

Setup ODI Repositories:

The following information makes assumptions that this will be setup on a Windows machine however the same concepts would apply to a UNIX/LINUX environment.

Create a Master Repository in an Oracle DB. In this case we will set this up under a user in our local Oracle 10gR2 Database. We will use the “system” user and connect to our local DB which was setup earlier (jdbc:oracle:thin:@localhost:1541:orcl). Goto Start –> All Programs -> <ORACLE_HOME> ->Oracle Data Integrator -> Repository Management -> Create Master Repository
This will take a couple of minutes to create the necessary ODI information within the database and schema one provided.
Startup the Topology Manager and create a Work repository. This is needed prior to starting up the Oracle Designer. Goto Start –> All Programs -> <ORACLE_HOME> -> Oracle Data Integrator -> Topology Manager.
Create a connection to the repository by clicking on the “New” icon and fill in the data like below: (SUPERVISOR/SUNOPSIS are the default user/password and need to be in capitals)

Goto the repositories tab (the 5^th one from the beginning) and create some named work repository. Right click and select “Insert new work repository”.

In the Topology Manager, create a Physical Architecture for the Database Schema where you will be connecting to (the 1^st tab at the bottom). (NOTE: It is assumed that there are some tables in this schema already.) Select the technology (in this case “Oracle”), then right click and select “Insert Data Server”. Before clicking “ok” to save, one will have to create the Logical Layer as well (see later steps). Fill in the user/password to the schema one will be connecting to and fill in the JDBC information in the JDBC tab.

Next right click this Data Server and select “Insert Physical Schema”. Select the schema one want and then on the “Context” tab is where one will select the Logical Schema. The Logical Schema will first need to be created in the next step before selecting it here and clicking “ok”. (You may get an error while saving this however first save it and then open it up so the Logical Schema can be created.)

In the Topology Manager, create a Logical Architecture for the Database Schema where you will be connecting to (the 3^rd tab at the bottom). This will be needed for the Physical Architecture layer you created. Select the technology (in this case “Oracle”), then right click and select “Insert Logical Schema”.

Setup ODI for use with WebLogic JMS Queues:

The following outlines the pre-work necessary to setup ODI to work with WebLogic JMS Queues.

Create the JMS queues on WebLogic Server

The following outlines the steps necessary to create a basic JMS queue for this example. If one already has a JMS queue defined on a WebLogic Server, this section can be skipped.
WLS Domain Creation

1. Create a default WLS 10.3 Domain. Run <BEA_HOME>\wlserver10.3\common\bin\config.cmd
2. Select the defaults (7001 as the port, weblogic/weblogic) into some named directory.
3. Start the newly created domain by running startWebLogic.cmd in the directory where the Domain was created.
4. Login to the WLS console: http://localhhost:7001/console as weblogic/weblogic

Create a JMS Server:

1. Services -> Messaging -> JMS Server -> Select New
2. Create a name, select Persistent Store (File Store).
3. Target this to the AdminServer

Create a JMS Module:

1. Services -> Messaging -> JMS Module -> Select New
2. At the end, select add resources to it.

Create a JMS Resource (Queue in this case):

1. Select "new" and click "Queue". In this example the JNDI Name is “TestQueueJNDI” and the Queue name is “weblogic.jms.poc.TestQueue”. The Queue name specified here will be the same string used in ODI when defining the Physical Architecture. Please make a note of it.
2. Click "Create a new Subdeployment"
3. Target the JMS Server which was just created.

Update ODI to work with WLS JMS

The following outlines the pre-work necessary to setup ODI to work/connect to WLS JMS Queues.

Within the WebLogic Server installation one will need to create a jar file which ODI will use for connecting to a WLS JMS Queue. Review the documentation
Build the wlfullclient5.jar file for use with ODI by doing the following:

First change the directory to the WL_HOME/server/lib directory
Run the command: java -jar wljarbuilder.jar -profile wlfullclient5
Copy the resulting wlfullclient5.jar file to the <ORACLE_HOME>\oracledi\drivers directory

Modify the <ORACLE_HOME>\oracledi\bin\odiparams.bat file to use JDK 1.5 instead of the default of JDK 1.4. This is the only ODI file which needs to be modified to use JDK 1.5. Specifically in this file add the following line right before the existing “if” statement:

set ODI_JAVA_HOME=C:\bea10x\jrockit_150_11
if "%ODI_JAVA_HOME%" == "" set ODI_JAVA_HOME=%JAVA_HOME%

If the ODI Designer is running, shut it down and restart it so the changes take effect. If not, then one will not be able to successfully test the JMS Connection from ODI to WLS.

Create JMS Architecture in ODI Topology Manager

After restarting ODI Designer, one can create and test the connections to WebLogic Server JMS Queues. The following outlines the steps required to setup JMS Queues in ODI.

In the Topology Manager, create a Physical Architecture for the WLS JMS Queue where you will be connecting to (the 1^st tab at the bottom).
Right click on JMS Queue in the Physical Architecture. Fill in the Definition and JNDI tabs to look like the following screenshots. Modify the host:port name and user/password to what is defined in the WebLogic Server Domain one is connecting to.

Clicking “ok” to save. (There may be a message about the Logical Layer however that is created in the next step.)
Create the Logical Layer for this JMS Queue.

Make sure the Physical Schema for the JMS Data Server has the Logical Layer defined in the “Context” tab.

Now one can test the connection to WLS JMS to make sure everything is setup correctly. Open up the Data Server defined for the WLS JMS Queue and click the “Test” button at the bottom.

ODI Designer:

Startup the ODI Designer: Goto Start -> All Programs -> <ORACLE_HOME> -> Oracle Data Integrator -> Designer
Create a new connection to this new Master Repository and Work Repository. Click the “New” icon next to the default “Login Name”
Connect with the SUPERVISOR/SUNOPSIS (user/password and all capitals), supply the Oracle Database information where the master repository was created, and the name of the Work Repository which was just created.

Back in the Oracle Designer we will now create a Model based on the Logical Schema we created in the Topology Manager.
Create a Project under the Projects tab.
Next import the Knowledge Modules. Right click the project, select Import, and then “Import Knowledge Modules”. Select the directory under <ORACLE_HOME>\oracledi\impexp, and then select each knowledge module individually. We will select:

· CKM SQL
· IKM SQL Incremental Update
· IKM SQL to JMS Append
· JKM Oracle 10g Consistent (LOGMINER)
· LKM SQL to SQL

Create a Model for the Database table

Right click and select “Insert Model”.
In the definition tab, select the technology and Logical Schema (created in the Topology Manager) and then click the “Reverse” button to get the tables for this schema into the model view. Click “ok”. NOTE: There are SQL statements to create the test table for the schema user in the APPENDIX section which one can use to test with.

Double click the Model name you created and select the Journalizing tab. Make sure that the tab is filled out and looks like the following. Because you want to capture changes to the tables in a consistent fashion, you select the Consistent option and the JKM Oracle 10g Consistent (LOGMINER) knowledge module. This knowledge module, shown in the figure below, will capture new and changed data, using the LogMiner feature of Oracle Database 10g. Read the notes section for additional details on the user accessing the tables.

Click “ok”.
Next right-click the tables in turn, and choose Changed Data Capture ->Add to CDC. Then edit the model again to select the Journalized Tables tab. If there are multiple tables use the up and down arrow keys to place the tables in the correct order.
Next add a subscriber to the journal by returning to the Designer application, right-clicking the Model, and choosing Changed Data Capture ->Subscriber->Subscribe. You add a new subscriber and execute the code locally to ensure that the code executes correctly. Once this step is complete, you have set up the changed-data capture process and you are ready to begin building your interfaces.
Now one is ready to create the journal that captures changed data from these two tables. To do this, right-click the model again and choose Changed Data Capture ->Start Journal. Click OK to execute the code locally, and then start up the Operator application to check the progress of the operation. If all has gone well, you will be presented with a list of completed steps similar to the following. In order to start the Operator goto Start -> All Programs –> <ORACLE_HOME> -> Oracle Data Integrator -> Operator and login to the repository when presented with the same login screen.

At this point if CDC is working properly the table should have a green icon instead of the yellow/orange icon. If this is not the case, then CDC is not properly setup.

Create a Model for JMS DataStore in ODI Designer

Right click and select “Insert Model”.
In the definition tab, select the technology and Logical Schema (created in the Topology Manager).

Next within this Model, right click and select “Insert Datastore”.
Create a Datastore making sure the Name and Resource name is the name of the JMS Queue which was created within WebLogic Server. Also note that the “Datastore Type” is set to “table”.

Within this Datastore, click on the “Files” tab and make sure the format of how the JMS Text Message will look like. This means that the JMS Text Message sent to the queue can have all of the columns of data from the DB table separated by “,” in this case. The delimiter can be anything one chooses.

Next define the columns of data which can be added to this JMS Text message. In this case we are adding all of the columns of data from the DB table into the resulting JMS Message. Right click on the Column name and select “Insert Column”. This will be used in the mapping part in the interface defined later on.

Create the Interface (DB to WLS JMS)

Now we can create a new interface which will take the data from SUPPORT_CASE table in an Oracle Database when CDC happens and load it to a JMS Queue hosted on a WebLogic Server container.
In the Project tab, right click the interface to create a new interface.
Make sure the checkbox for “Staging Area Different from Target” is selected. Select the Logical Schema for the staging area. In this case it is the Oracle DB.

Click on the Diagram tab and drag and drop the tables from the model for the target (“weblogic.jms.poc.testQueue” Datastore in this example) and the table for the source onto the respective locations on the Diagram Tab.
Join and map any columns to the target column in the Diagram tab.
Also on the diagram tab on the Interface, select the source, enable “Journalized Data Only”. Make sure the filter created has the correct subscriber name one wants. The resulting picture should look something like this:

Click on the Flow tab to see how the data will be combined. Here one will see two boxes. One for the Staging Area (which is on the Database) and one on the Target Area (the WLS JMS Queue). Click on the Target Area and in the IKM dropdown box select “IKM SQL to JMS Append’. Click “apply” and there should be no errors.

Next select the Controls tab to make sure the Control Knowledge Module was selected. This is used for handling constraint errors in the target table. Select the CKM SQL Knowledge Module, which will handle erroneous data for any ISO-92-compliant database. Click “OK”.
The interface is now successfully created to load journalized data from the DB table into a WLS JMS Queue. Next the Package and Scenario will be created to automate the flow of this at runtime.

Create the ODI Packages and Execute:

Now create an Oracle Data Integrator package to carry out the following steps:

Check the SUPPORT_CASE journalized data to see if new or changed data records have been added.
If journalized data is detected, extend the journal window.
Execute the interface to read from the journalized data and load the target data store which in this case will be a WebLogic Server JMS Queue.
Purge the journal window.
Start this package again. (This will be in a loop ready for new journal changes.) Creating this package and then deploying it as an Oracle Data Integrator scenario effectively creates a real-time, continuously running ETL process.

Create the Package and Scenario for setting up CDC

The purpose of this is to automate setting up CDC within one’s environment.

1. To create this package, navigate to the Projects tab in the Designer application, locate the folder containing the interfaces you defined earlier, find the Packages entry, right-click it, and select Insert Package. Give the package a name and then navigate to the Diagram tab in the package details dialog box.
2. The next step in this package will be to drag the Model just created onto the canvas. Within the General Tab of this step, select the Drop down under “Type” and select “Journalizing Mode”.
3. Select “Stop” under Journalizing to stop this if it was already running so it can be successfully rerun.

4. The next step in this package will be to drag the Model just created onto the canvas again. Within the General Tab of this step, select the Drop down under “Type” and select “Journalizing Mode”.
5. Under the “Journalizing” section of the General tab, select “Start” and “Add Subscribers”. Add the “SUBA” subscriber to the list.

6. Connect the first step to this step with a green “ok” arrow and a red “ko” arrow.
7. Right click on this package to create a Scenario.
8. This scenario can be executed either from the tool by right clicking and selecting “Execute” or by running this from the command line.
9. Execute this Scenario so that Journaling is initially started. The next section will explain how to create and setup the main CDC process in a loop so that changes are continuously consumed.

Create the Package and Scenario for the Main CDC process

1. To create this package, navigate to the Projects tab in the Designer application, locate the folder containing the interfaces you defined earlier, find the Packages entry, right-click it, and select Insert Package. Give the package a name and then navigate to the Diagram tab in the package details dialog box.
2. Using the toolbox on the right, go to the Event Detection folder and add the OdiWaitForLogData tool to the package canvas, as shown in the figure below. This tool will monitor the journalized data on a regular basis. In this case the step name has been changed to “Waiting for Changes”.
3. In this step update the following parameters:

a. Logical Schema: Change this to the Logical Schema being used in your interface
b. Subscriber: The subscriber name
c. CDC Set: Change this to your Model Name and the Logical Schema name. It is in the form of: <%=odiRef.getObjectName("L","model_code","logical_schema", "D")%>

Example: <%=odiRef.getObjectName("L","ORACLE_SPOZ2_MODEL","Oracle 10gR2 Logical Schema SPOZ2", "D")%>

4. The next step in this package will be to drag the Model just created containing the Database table onto the canvas. Within the General Tab of this step, select the Drop down under “Type” and select “Journalizing Mode”.
5. Under the “Consumption” section of the General tab, select “Extend Window” and “Lock Subscribers”. Add the “SUBA” subscriber to the list.

6. Connect the first step to this step with a green “ok” arrow.
7. Next Drag the Interface just created for Populating the WLS JMS Queue after the previous step.

8. Connect the second step to this step for the interface with a green “ok” arrow.
9. The next step in this package will be to drag the Model again onto the canvas after the interface. Within the General Tab of this step, select the Drop down under “Type” and select “Journalizing Mode”.
10. Under the “Consumption” section of the General tab, select “Purge Journal” and “Unlock Subscribers”. Add the “SUBA” subscriber to the list.

11. Connect the third step from the interface to this step with a green “ok” arrow.
12. Right click on this package to create a Scenario.

13. After creating this Scenario, open up the package just created.
14. In this package, drag and drop the scenario to the last step in the list after “Purge and Unlock”.
15. Connect the fourth step from the “Purge and UnLock” step to this final step (the scenario) with a green “ok” arrow.
16. Click on the named scenario which was just added to the package and make sure to select “Asynchronous” in the parameters listed under the General tab.

17. Click “ok” to save and close the package.
18. Right click the scenario created in step 12 and click “Regenerate”.

19. The reason for doing steps 13 through 17 is to avoid any issues around log files growing too quickly and too large in the work repository. Plus one would not be able to clean the log file here.
20. This scenario can be executed either from the tool by right clicking and selecting “Execute” or by running this from the command line.

Testing the Main CDC Scenario:

1. Make sure the Journal has been started by executing the scenario you created. Example: “SETTING_UP_CDC_SCEN”.
2. Make sure the main CDC scenario is executing by right clicking the named Scenario (for example “SUPPORT_CASE_TO_WLS_JMS_Q_SCEN”) and then starting the “Operator” utility. Here you should see something like this (notice the green icon that does not have a checkmark):

3. Goto the Model section, right click on the table with CDC setup on it and select “Data”.
4. In the window which comes up, change some data and hit enter. Click “ok” so the changes take effect. (Notice Changes were made to the name to add “7777” to it).

5. Go back to the Operator utility, click Refresh and you’ll notice that the Package ran and the interface to populate the JMS Queue executed. Double click on the “Pop. WLS JMS Queue” and select the “Execution” tab. There you will notice that the “Number of Inserts” shows a “1” meaning that one JMS message was sent to the target WLS JMS Queue.

6. Also notice that the scenario was stopped and restarted (by adding the scenario to the package to start again) as to avoid any log issues in the ODI Work Repository.
7. Login into the WebLogic Server Console, click on “Services”, “Messaging”, “JMS Modules”, the name of the JMS Module created, the name of the Queue created, click the Monitoring tab, select the box next to the Queue name and then click “Show Messages”.

8. Click on the Message ID to view the contents of the message in the JMS Queue.

9. Notice the change which was made to the “name” and that each field from the DB table is separated by a “,” (as was previously setup in the “Files” tab of the data store defined in the Model).
10. This scenario will continue to run (by design in the Package created) until one chooses to stop it.

APPENDIX:

SQL statements to create the sample SUPPORT_CASE and SUPPORT_CASE_TRG tables.

drop table support_case;
create table support_case
(
customerid varchar2(20),
name varchar2(50),
email varchar2(30),
address varchar2(50),
city varchar2(40),
state varchar2(20),
zip varchar2(15),
country varchar2(30),
phone varchar2(20),
orderid varchar2(20),
constraint supportcase_pk primary key(customerid)
);
INSERT INTO support_case VALUES('1','Scott King','sking@oracle.com', '200 Main Street', 'New York', 'NY', '10022', 'USA', '212-555-1212', '200');
INSERT INTO support_case VALUES('2','Steven Pozarycki', 'steve@oracle.com', '22 Pinckney Street', 'Morris Plains', 'NJ', '07950', 'USA', '617-863-4444', '500');
INSERT INTO support_case VALUES('3', 'Murali M', 'murali@oracle.com', '180 Patriots Road', 'Boston', 'MA', '02116', 'USA', '617-285-2222', '300');
INSERT INTO support_case VALUES('4','Lloyd Doe, 'lloyd@oracle.com', '56 Cambridge Street', 'Boston', 'MA', '02116', 'USA', '617-452-3333', '400');
commit;

drop table support_case_trg;
create table support_case_trg
(
customerid varchar2(20),
name varchar2(50),
email varchar2(30),
address varchar2(50),
city varchar2(40),
state varchar2(20),
zip varchar2(15),
country varchar2(30),
phone varchar2(20),
orderid varchar2(20),
constraint supportcase_trg_pk primary key(customerid)
);
commit;

Setting up Oracle Data Integrator (ODI) with Change Data Capture (CDC) between two Database Tables

2010-02-02T07:29:00.000-08:00

Introduction:

The following shows detailed steps on how to setup ODI with Change Data Capture on a database table so that all changes to a database table are loaded into a target. In this case a different database table is the target however the target could be anything.

Pre-requisites

1. Download Oracle 10gR2 Database if it is not already installed
2. Download ODI 10.1.3.5
3. Install ODI 10.1.3.5
4. Review ODI Documentation

Setup ODI:

The following information makes assumptions that this will be setup on a Windows machine however the same concepts would apply to a UNIX/LINUX environment.

Create a Master Repository in an Oracle DB. In this case we will set this up under a user in our local Oracle 10gR2 Database. We will use the “system” user and connect to our local DB which was setup earlier (jdbc:oracle:thin:@localhost:1541:orcl). Goto Start -> All Programs -> <ORACLE_HOME> –> Oracle Data Integrator -> Repository Management -> Create Master Repository
This will take a couple of minutes to create the necessary ODI information within the database and schema one provided.
Startup the Topology Manager and create a Work repository. This is needed prior to starting up the Oracle Designer. Goto Start -> All Programs -> <ORACLE_HOME> -> Oracle Data Integrator -> Topology Manager.
Create a connection to the repository by clicking on the “New” icon and fill in the data like below: (SUPERVISOR/SUNOPSIS are the default user/password and need to be in capitals)

Goto the repositories tab (the 5^th one from the beginning) and create some named work repository. Right click and select “Insert new work repository”.

In the Topology Manager, create a Physical Architecture for the Database Schema where you will be connecting to (the 1^st tab at the bottom). (NOTE: It is assumed that there are some tables in this schema already.) Select the technology (in this case “Oracle”), then right click and select “Insert Data Server”. Before clicking “ok” to save, one will have to create the Logical Layer as well (see later steps). Fill in the user/password to the schema one will be connecting to and fill in the JDBC information in the JDBC tab.

Next right click this Data Server and select “Insert Physical Schema”. Select the schema one want and then on the “Context” tab is where one will select the Logical Schema. The Logical Schema will first need to be created in the next step before selecting it here and clicking “ok”. (You may get an error while saving this however first save it and then open it up so the Logical Schema can be created.)

In the Topology Manager, create a Logical Architecture for the Database Schema where you will be connecting to (the 3^rd tab at the bottom). This will be needed for the Physical Architecture layer you created. Select the technology (in this case “Oracle”), then right click and select “Insert Logical Schema”.

Startup the ODI Designer: Goto Start -> All Programs -> <ORACLE_HOME> -> Oracle Data Integrator -> Designer
Create a new connection to this new Master Repository and Work Repository. Click the “New” icon next to the default “Login Name”
Connect with the SUPERVISOR/SUNOPSIS (user/password and all capitals), supply the Oracle Database information where the master repository was created, and the name of the Work Repository which was just created.

Back in the Oracle Designer we will now create a Model based on the Logical Schema we created in the Topology Manager.
Create a Project under the Projects tab.
Next import the Knowledge Modules. Right click the project, select Import, and then “Import Knowledge Modules”. Select the directory under <ORACLE_HOME>\oracledi\impexp, and then select each knowledge module individually. We will select:

· CKM SQL
· IKM SQL Incremental Update
· JKM Oracle 10g Consistent (LOGMINER)
· LKM SQL to SQL

Create a Model. Right click and select “Insert Model”.
In the definition tab, select the technology and Logical Schema (created in the Topology Manager) and then click the “Reverse” button to get the tables for this schema into the model view. Click “ok”. NOTE: There are SQL statements to create the test tables for the schema user in the APPENDIX section which one can use to test with.

Double click the Model name you created and select the Journalizing tab. Make sure that the tab is filled out and looks like the following. Because you want to capture changes to the tables in a consistent fashion, you select the Consistent option and the JKM Oracle 10g Consistent (LOGMINER) knowledge module. This knowledge module, shown in the figure below, will capture new and changed data, using the LogMiner feature of Oracle Database 10g. Read the notes section for additional details on the user accessing the tables.

Click “ok”.
Next right-click the tables in turn, and choose Changed Data Capture ->Add to CDC. Then edit the model again to select the Journalized Tables tab. If there are multiple tables use the up and down arrow keys to place the tables in the correct order.
Next add a subscriber to the journal by returning to the Designer application, right-clicking the Model, and choosing Changed Data Capture ->Subscriber->Subscribe. You add a new subscriber and execute the code locally to ensure that the code executes correctly. Once this step is complete, you have set up the changed-data capture process and you are ready to begin building your interfaces.
Now one is ready to create the journal that captures changed data from these two tables. To do this, right-click the model again and choose Changed Data Capture ->Start Journal. Click OK to execute the code locally, and then start up the Operator application to check the progress of the operation. If all has gone well, you will be presented with a list of completed steps similar to the following. In order to start the Operator goto Start à All Programs à <ORACLE_HOME> à Oracle Data Integrator à Operator and login to the repository when presented with the same login screen.

At this point if CDC is working properly the table should have a green icon instead of the yellow/orange icon. If this is not the case, then CDC is not properly setup.
Now we can create a new interface which will take the data from SUPPORT_CASE table in an Oracle Database when CDC happens and load it to a different table called SUPPORT_CASE_TRG in an Oracle Database.
In the Project tab, right click the interface to create a new interface. Drag and drop the tables from the model onto the respective target and source locations on the Diagram Tab.
Join and map any columns to the target column in the Diagram tab.
Click on the Flow tab to see how the data will be combined.
Next select the Controls tab to make sure the Control Knowledge Module was selected, used for handling constraint errors in the target table. Select the CKM SQL Knowledge Module, which will handle erroneous data for any ISO-92-compliant database. Click “apply”.
Next test the interface. To do this, click Execute at the bottom right corner of the interface dialog and then open to the Operator application to check the progress of the interface. Within the operator application it will show the execution of the interface loading the data into the SUPPORT_CASE_TRG table:

Now that we know the interface works, we can update the interface to load the changed data via the Journal tables were created earlier. You can verify that the four records were put into the SUPPORT_CASE_TRG table by right clicking on the table and selecting “View Data”.
Prepare the Data with Consistent Journaling only: On the model: right click -> Changed Data Capture -> Consumption -> Extend window
Then Lock the subscriber which will be consuming on the Model. On the model: right click -> Changed Data Capture -> Consumption -> Lock Subscribers
Go back into the Diagram tab on the Interface, select the source, enable “Journalized Data Only” and click “Apply”.

Click on the filter icon in the Diagram and make sure the subscriber is the one you locked earlier. In this case “SUBA”. The Implementation tab should look like this:

To test this updated interface, you update some records in the SUPPORT_CASE table (right click, select “Data”, modify a record and click “apply”). Right click the SUPPORT_CASE table: Changed Data Capture -> Journal Data and it should show changes in the Journal table.

Create the ODI Package and Execute:

Now create an Oracle Data Integrator package to carry out the following steps:

Check the SUPPORT_CASE journalized data to see if new or changed data records have been added.
If journalized data is detected, extend the journal window.
Execute the interface to read from the journalized data and load the target data store.
Purge the journal window.
Start this package again. (This will be in a loop ready for new journal changes.) Creating this package and then deploying it as an Oracle Data Integrator scenario effectively creates a real-time, continuously running ETL process.

Create the Package and Scenario for setting up CDC

The purpose of this is to automate setting up CDC within one’s environment.

1. To create this package, navigate to the Projects tab in the Designer application, locate the folder containing the interfaces you defined earlier, find the Packages entry, right-click it, and select Insert Package. Give the package a name and then navigate to the Diagram tab in the package details dialog box.
2. The next step in this package will be to drag the Model just created onto the canvas. Within the General Tab of this step, select the Drop down under “Type” and select “Journalizing Mode”.
3. Select “Stop” under Journalizing to stop this if it was already running so it can be successfully rerun.

4. The next step in this package will be to drag the Model just created onto the canvas again. Within the General Tab of this step, select the Drop down under “Type” and select “Journalizing Mode”.
5. Under the “Journalizing” section of the General tab, select “Start” and “Add Subscribers”. Add the “SUBA” subscriber to the list.

6. Connect the first step to this step with a green “ok” arrow and a red “ko” arrow.
7. Right click on this package to create a Scenario.
8. This scenario can be executed either from the tool by right clicking and selecting “Execute” or by running this from the command line.
9. Execute this Scenario so that Journaling is initially started. The next section will explain how to create and setup the main CDC process in a loop so that changes are continuously consumed.

Create the Package and Scenario for the Main CDC process

1. To create this package, navigate to the Projects tab in the Designer application, locate the folder containing the interfaces you defined earlier, find the Packages entry, right-click it, and select Insert Package. Give the package a name and then navigate to the Diagram tab in the package details dialog box.
2. Using the toolbox on the right, go to the Event Detection folder and add the OdiWaitForLogData tool to the package canvas, as shown in the figure below. This tool will monitor the journalized data on a regular basis. In this case the step name has been changed to “Waiting for Changes”.
3. In this step update the following parameters:

a. Logical Schema: Change this to the Logical Schema being used in your interface
b. Subscriber: The subscriber name
c. CDC Set: Change this to your Model Name and the Logical Schema name. It is in the form of: <%=odiRef.getObjectName("L","model_code","logical_schema", "D")%>

Example: <%=odiRef.getObjectName("L","ORACLE_SPOZ2_MODEL","Oracle 10gR2 Logical Schema SPOZ2", "D")%>

4. The next step in this package will be to drag the Model just created onto the canvas. Within the General Tab of this step, select the Drop down under “Type” and select “Journalizing Mode”.
5. Under the “Consumption” section of the General tab, select “Extend Window” and “Lock Subscribers”. Add the “SUBA” subscriber to the list.

6. Connect the first step to this step with a green “ok” arrow.
7. Next Drag the Interface just created after the previous step.
8. Connect the second step to this step for the interface with a green “ok” arrow.
9. The next step in this package will be to drag the Model again onto the canvas after the interface. Within the General Tab of this step, select the Drop down under “Type” and select “Journalizing Mode”.
10. Under the “Consumption” section of the General tab, select “Purge Journal” and “Unlock Subscribers”. Add the “SUBA” subscriber to the list.

11. Connect the third step from the interface to this step with a green “ok” arrow.
12. Right click on this package to create a Scenario.

13. After creating this Scenario, open up the package just created.
14. In this package, drag and drop the scenario to the last step in the list after “Purge and Unlock”.
15. Connect the fourth step from the “Purge and UnLock” step to this final step (the scenario) with a green “ok” arrow.
16. Click on the named scenario which was just added to the package and make sure to select “Asynchronous” in the parameters listed under the General tab.

17. Click “ok” to save and close the package.
18. Right click the scenario created in step 12 and click “Regenerate”.

19. The reason for doing steps 13 through 17 is to avoid any issues around log files growing too quickly and too large in the work repository. Plus one would not be able to clean the log file here.
20. This scenario can be executed either from the tool by right clicking and selecting “Execute” or by running this from the command line.

Testing the Main CDC Scenario:

1. Make sure the Journal has been started by executing the scenario you created. Example: “SETTING_UP_CDC_SCEN”.
2. Make sure the main CDC scenario is executing by right clicking the named Scenario and then starting the “Operator” utility. Here you should see something like this (notice the green icon that does not have a checkmark):

3. Goto the Model section, right click on the table with CDC setup on it and select “Data”.
4. In the window which comes up, change some data and hit enter. Click “ok” so the changes take effect. (Notice Changes were made to the name to add “7777” to it).

5. Go back to the Operator utility, click Refresh and you’ll notice that the Package ran.

6. Double click on the “CDC Changes Consumed” and select the “Execution” tab. There you will notice that the “Number of Updates” shows a “1” meaning that one row was updated in the target table.

7. Verify that changes were made to the target table in the database by right clicking on the target table and selecting “Data”.
8. This scenario will continue to run (by design in the Package created) until one chooses to stop it.

APPENDIX:

SQL statements to create the sample SUPPORT_CASE and SUPPORT_CASE_TRG tables.

drop table support_case;
create table support_case
(
customerid varchar2(20),
name varchar2(50),
email varchar2(30),
address varchar2(50),
city varchar2(40),
state varchar2(20),
zip varchar2(15),
country varchar2(30),
phone varchar2(20),
orderid varchar2(20),
constraint supportcase_pk primary key(customerid)
);
INSERT INTO support_case VALUES('1','Scott King','sking@oracle.com', '200 Main Street', 'New York', 'NY', '10022', 'USA', '212-555-1212', '200');
INSERT INTO support_case VALUES('2','Steven Pozarycki', 'steve@oracle.com', '22 Pinckney Street', 'Morris Plains', 'NJ', '07950', 'USA', '617-863-4444', '500');
INSERT INTO support_case VALUES('3', 'Murali M, 'murali@oracle.com', '180 Patriots Road', 'Boston', 'MA', '02116', 'USA', '617-285-2222', '300');
INSERT INTO support_case VALUES('4','Lloyd Smith', 'lloyd.e.smith@oracle.com', '56 Cambridge Street', 'Boston', 'MA', '02116', 'USA', '617-452-3333', '400');
commit;

drop table support_case_trg;
create table support_case_trg
(
customerid varchar2(20),
name varchar2(50),
email varchar2(30),
address varchar2(50),
city varchar2(40),
state varchar2(20),
zip varchar2(15),
country varchar2(30),
phone varchar2(20),
orderid varchar2(20),
constraint supportcase_trg_pk primary key(customerid)
);
commit;

Oracle Entitlements Server (OES) and Oracle Virtual Private Database (VPD) Integration

2009-11-20T13:55:00.000-08:00

The following guide centers around integration of Oracle Entitlements Server (OES) and Oracle Virtual Private Database (VPD). It is also known as Fine-Grained Access Control (FGAC), and some call it Row Level Security (RLS). The database package used for VPD is called DBMS_RLS. The main functionality of VPD is to automatically add extra where clauses to SQL statements. Depending on how you defined your VPD policies, it can be applied to select, update, insert, and/or delete statements of specific tables.
This document will include information on the manual steps on setting up this integration up for any table within a schema. The current documentation offers a specific example however that puts all of the SQL behind the scenes where a DB administrator may not allow one to run automated SQL scripts.

Prerequisites

Oracle 10g Release 2 (10.2.0.1.0) is installed and configured.
The OES Administration Server has already been installed on one system and is running successfully.
Web Service SSM is installed and on another system (or the same system), as described in Configuring SSMs Using ConfigTool. The Web Service SSM needs to be installed and configured properly before you install the Oracle SSM. If not, then this is covered in the first section.
The Oracle SSM and the Web Service SSM instance must be on the same system.
Typically one will have one WebService SSM per physical machine.
The currently logged on user must belong to the ora_dba group on Windows or dba group on UNIX. For instance, if the currently logged on user is 'joe' then 'joe' needs to be in the ora_dba or dba group, as appropriate. This is required in order to connect as "system" user with a DB administrator role.
The following steps in this document have been done on a Windows system only.

Architecture of the OES/VPD Integration

Steps to Configure the Oracle-SSM for VPD

The following steps are listed in the order required for this to properly work. The DB administrator will need to run their section of steps before the “DB USER” steps can be completed and so forth.

SSM Creation:

This is done by the user currently logged onto the Windows system where the OES SSM binaries have been installed. The following will create instances of the SSMs who do the work of enforcing the policies which are written in the OES Administration Server and distributed to these end-points.

Create the WebService SSM instance

Goto: OES_HOME\ales32-ssm\webservice-ssm\adm

Backup the myssm_config.properties and edit the file with settings for your environment. A sample myssm_config.properties is provided in the Appendix section.

Verify that the settings are “ok”: ConfigTool.bat -check myssm_config.properties

Process the settings: ConfigTool.bat -process myssm_config.properties

The following is the output from the tool if it successfully runs:

Is Admin in the same BEA-HOME as SSM: [default: Yes]:
Give the location of the Admin: c:\bea922\ales32-admin
Checking if default ARME port is free: 8000
Checking if default SSMWS port is free: 9000
Generating policy files based on templates...
Checking if SSM instance already present
Checking to see if SSM ARME port is free.
Checking JDBC parameters...
Checking to see if asipassword was run...
Check completed successfully.
Starting to make changes...
Creating SSM instance...
Done creating SSM instance.
Loading ALES Policy. Please wait ...
Number of Identities processed : 1, time is: Thu Oct 16 2008 11:01:45 EDT
Number of Resources processed : 15, time is: Thu Oct 16 2008 11:01:50 EDT
Number of ARME and SCM processed : 1, time is: Thu Oct 16 2008 11:01:52 EDT
Number of Resource Bindings processed : 2, time is: Thu Oct 16 2008 11:01:53 EDT

Number of Users and Groups processed : 1, time is: Thu Oct 16 2008 11:01:54 EDT
Number of Declarations processed : 55, time is: Thu Oct 16 2008 11:01:55 EDT
Number of Resource Attributes processed : 45, time is: Thu Oct 16 2008 11:01:57 EDT
Number of Authorization and Role Mapping Rules processed : 1, time is: Thu Oct 16 2008 11:01:59 EDT

Set password for user: admin
New password of user //user/WSDir/admin/ set.

Done loading ALES Policy.

Based on the properties file (ssm.instance.name = ssmws) this will create an instance in the following directory: OES_HOME\ales32-ssm\webservice-ssm\instance\ssmws

It also does the following:
- Creates a resource in the tree: (ales.resource.root = //app/policy/ssmws)

Creates the user for this SSM (ssm.admin.name = admin) in the Identity directory configured (ales.identity.dir = WSDir)

Creates a SSM Configuration ID (ssm.conf.id = ssmws) in OES with the security providers configured.

Next, create another user in the “WSDir” Identity where the WebService SSM instance is bound to. In this case we will create a user called “spoz” which will be used later on.

Logon to the Administration Console for the OES Administration Server: https://localhost:7010/asi
Click on “Identity” in the left-hand pane.
Click on “WSDir” in the right-hand pane (which we just created)
Click the “Edit Users” button with the “WSDir” Name highlighted.
On the next window one should notice “WSDir->Users” at the top of the page.
Select “New” to add a new user called “spoz” and click “ok” so there is an “entry” for this subject here. This will use the password which is set in the database for authentication.

Start the WebService-SSM: OES_HOME\ales32-ssm\webservice-ssm\instance\ssmws\bin\WLESws.bat (“console” option or “start” option) to make sure this process starts successfully. If it is started successfully in “console” mode, one should see the following output. If not, then check the “OES_HOME\ales32-ssm\webservice-ssm\instance\ssmws\bin\system_console.log” file for this instance. Example output (the “Error” below will only happen on the initial start time since it is checking for the existence of a file):

OES_HOME\ales32-ssm\webservice-ssm\instance\ssmws\bin>WLESws.bat console

Starting "SSMWS.ssmws.SPOZ03" in console mode...
--> Wrapper Started as Console
Launching a JVM...
Wrapper (Version 3.0.5)

Phoenix 4.0.4

2008-10-16 11:27:20,183 [Phoenix-Monitor] ERROR com.bea.security.providers.autho
rization.asi.ARME.engine.UpdateManager - arme can not find state.chk file.
ARME is started now

Shutdown the WebService-SSM in order to configure the Oracle SSM instance in the next section. If this process is run in the foreground it can be stopped with Ctrl-C or if it is run in the background it can be stopped with OES_HOME\ales32-ssm\webservice-ssm\instance\ssmws\bin\WLESws.bat stop

Configure the WebService SSM instance with the following additional value in its configuration file. The configuration file in question will be located at the following directory where INSTANCE_HOME is the “ssmws” token one user earlier:

OES_HOME\ales32-ssm\webservice-ssm\instance\<INSTANCE_NAME>\config\WLESws.wrapper.conf

Verify that the content of the file has a line such as the following (the number reference below does not matter as long as it is not duplicated in the file). OES_HOME refers to the directory where the OES SSM product was installed and should be substituted here:

wrapper.java.classpath.66=OES_HOME/ales32-ssm/webservice-ssm/lib/CredentialHolder.jar

Update the WebService SSM Installation Directory:

NOTE: The following two steps only need to be done once per machine where the SSM binaries are installed.

Make sure the following text is added to the following file and the file is formatted correctly as an XML file:: OES_HOME\ales32-ssm\webservice-ssm\lib\com\bea\security\ssmws\soap\.castor.xml

<class name="com.bea.security.ssmws.credentials.ORACredentialHolderImpl">
<map-to cst:xml="simpletextidentityassertion" />

<field name="cookie" type="java.lang.String" >
<bind-xml node="text"/>
</field>
</class>

<class name="com.bea.security.ssmws.credentials.ORAEncodedCredentialHolderImpl">
<map-to cst:xml="encodedtextidentityassertion" />

<field name="cookie" type="java.lang.String" >
<bind-xml node="text"/>
</field>
</class>

Also make sure the following text is added to this additional file and the file is formatted correctly as an XML file: OES_HOME\ales32-ssm\webservice-ssm\lib\com\bea\security\credentials\.castor.xml

<class name="com.bea.security.ssmws.credentials.ORACredentialHolderImpl">
<map-to cst:xml="simpletextidentityassertion" cst:ns-uri="http://security.bea.com/ssmws/ssm-soap-types-1.0.xsd" />

<field name="cookie" type="java.lang.String" >
<bind-xml node="text"/>
</field>
</class>

<class name="com.bea.security.ssmws.credentials.ORAEncodedCredentialHolderImpl">
<map-to cst:xml="encodedtextidentityassertion" cst:ns-uri="http://security.bea.com/ssmws/ssm-soap-types-1.0.xsd" />

<field name="cookie" type="java.lang.String" >
<bind-xml node="text"/>
</field>
</class>

Create the Oracle SSM instance

First run the OES_HOME\ales32_SSM\oracle-ssm\adm\instancewizard.cmd command to create an Oracle SSM instance. During the install it will ask for three settings which are outlined below with sample values:

Instance name: oraclessm (The name which is used to create a directory structure on disk)
SM WS Port: 9000 (This is the WebService Port value used earlier when creating a WebService SSM instance.)
SM WS Config ID: ssmws (This is the WebService SSM instance configuration ID name used earlier.)

At completion of the utility the instance will be located at: OES_HOME\ales32-ssm\oracle-ssm\instance\oraclessm

Finally restart the WebService SSM instance you created earlier. OES_HOME\ales32-ssm\webservice-ssm\instance\ssmws\bin\WLESws.bat (“console” option or “start” option) to make sure this process starts successfully.

DB administrator Steps:

These are the steps that are required to be run by the DB administrator user to initially setup the database and schema for the DB user who will be accessing the tables within that schema later on. Please make sure that the proper “SQLPlus” executable is in one’s path so it is pointing to the correct TNSNAMES.ora file.
If one already has an existing schema, then step 1 can be ignored and the rest of the steps would need to be followed.

In the database instance directory of the ORACLE_HOME (ORACLE_DB_INSTALL_DIR\ORACLE_DB_NAME in this case), create an "ssm-properties" directory and create an oracle-ssm.properties file in that directory. See the Appendix for the sample oracle-ssm.properties file after updating with the correct values for your system.

If you are creating a new user, then the following SQL should be run as the DB administrator user. Example where ORCL is the SID:

SQLPLUS system/password@ORCL
CREATE TABLESPACE spoz_DATA DATAFILE 'C:\oracle\product\10.2.0\db1\oradata\spoz_DATA.dbf' size 384M autoextend on;
CREATE USER spoz IDENTIFIED BY password DEFAULT TABLESPACE spoz_DATA QUOTA UNLIMITED ON spoz_DATA;
GRANT JAVASYSPRIV TO spoz;
GRANT JAVA_ADMIN TO spoz;
GRANT DBA TO spoz;
ALTER USER spoz QUOTA UNLIMITED ON spoz_DATA;
COMMIT;
DISCONNECT;
EXIT;

Whichever schema you are using (the newly created one from step 1 or an existing one), the following SQL script should be run as the DB administrator user to set the database. Example where “SPOZ” is what was created in step 1:

SQLPLUS system/password@ORCL @setDataBase.sql SPOZ
-------------------------------------------------------------------
--setDataBase.sql Script to Grant the Privileges (executed by sys as sysdba user generally)
-------------------------------------------------------------------
-- If sys is granting privilege then he must login as sysdba
GRANT CREATE SESSION TO &&1;
GRANT CREATE ANY TABLE TO &&1;
GRANT CREATE ANY PROCEDURE TO &&1;
GRANT JAVASYSPRIV TO &&1;
-- The following grant line may have to be done by the DB Admin
GRANT EXECUTE ON DBMS_RLS TO &&1;
-- The following grant statements are optional and should not be allowed in a production database.
GRANT ALTER ANY PROCEDURE TO &&1;
GRANT CREATE ANY TRIGGER TO &&1;
GRANT ALTER ANY TRIGGER TO &&1;
GRANT DROP ANY TRIGGER TO &&1;
-- These are required
EXEC DBMS_JAVA.grant_permission('&&1', 'SYS:java.util.PropertyPermission', '*', 'read,write');
EXEC DBMS_JAVA.grant_permission('&&1', 'SYS:java.security.SecurityPermission', 'putProviderProperty.JsafeJCE', '' );
EXEC DBMS_JAVA.grant_permission('&&1', 'SYS:java.lang.RuntimePermission', 'getProtectionDomain', '' );
/
COMMIT;
Disconnect;
/
EXIT

Next, load the necessary Java JAR files into the schema one is using. If there are some errors/failures about not finding some class files which could not be resolved, then it is ok to ignore these. In the following scripts they are loading the specified jar files into the “SPOZ” schema created in step 1.

Where:

ORACLE_DB_INSTALL_DIR = The name of the directory where the Oracle DB Product was installed on this Windows system.
ORACLE_DB_NAME = The name of the DB instance which is currently running on this system.
OES_HOME = The name of the home directory on this system where the OES Product was installed.

“Parameterized” Commands:

ORACLE_DB_INSTALL_DIR\ORACLE_DB_NAME\bin\loadjava.bat -resolve -schema spoz OES_HOME/ales32-ssm/oracle-ssm/lib/saaj.jar
ORACLE_DB_INSTALL_DIR\ORACLE_DB_NAME\bin\loadjava.bat -resolve -schema spoz OES_HOME/ales32-ssm/oracle-ssm/lib/jaxrpc.jar
ORACLE_DB_INSTALL_DIR\ORACLE_DB_NAME\bin\loadjava.bat -resolve –schema spoz OES_HOME/ales32-ssm/oracle-ssm/lib/wsdl4j-1.5.1.jar
ORACLE_DB_INSTALL_DIR\ORACLE_DB_NAME\bin\loadjava.bat -resolve –schema spoz OES_HOME/ales32-ssm/oracle-ssm/lib/log4j.jar
ORACLE_DB_INSTALL_DIR\ORACLE_DB_NAME\bin\loadjava.bat -resolve –schema spoz OES_HOME/ales32-ssm/oracle-ssm/lib/commons-logging-1.0.4.jar
ORACLE_DB_INSTALL_DIR\ORACLE_DB_NAME\bin\loadjava.bat -resolve -schema spoz OES_HOME/ales32-ssm/oracle-ssm/examples/tools/axis_1.3/lib/commons-discovery-0.2.jar
ORACLE_DB_INSTALL_DIR\ORACLE_DB_NAME\bin\loadjava.bat -resolve -schema spoz OES_HOME/ales32-ssm/oracle-ssm/examples/tools/axis_1.3/lib/axis.jar
ORACLE_DB_INSTALL_DIR\ORACLE_DB_NAME\bin\loadjava.bat -resolve -schema spoz OES_HOME/ales32-ssm/oracle-ssm/lib/ssmwsClientStub.jar
ORACLE_DB_INSTALL_DIR\ORACLE_DB_NAME\bin\loadjava.bat -resolve -schema spoz OES_HOME/ales32-ssm/oracle-ssm/lib/OracleSsm.jar

“Full Example Commands”: (To minimize parameter substitution)

C:\oracle\product\10.2.0\db1\BIN\loadjava.bat -resolve -schema spoz C:/bea922/ales32-ssm/oracle-ssm/lib/saaj.jar
C:\oracle\product\10.2.0\db1\BIN\loadjava.bat -resolve -schema spoz C:/bea922/ales32-ssm/oracle-ssm/lib/jaxrpc.jar
C:\oracle\product\10.2.0\db1\BIN\loadjava.bat -resolve -schema spoz C:/bea922/ales32-ssm/oracle-ssm/lib/wsdl4j-1.5.1.jar
C:\oracle\product\10.2.0\db1\BIN\loadjava.bat -resolve -schema spoz C:/bea922/ales32-ssm/oracle-ssm/lib/log4j.jar
C:\oracle\product\10.2.0\db1\BIN\loadjava.bat -resolve -schema spoz C:/bea922/ales32-ssm/oracle-ssm/lib/commons-logging-1.0.4.jar
C:\oracle\product\10.2.0\db1\BIN\loadjava.bat -resolve -schema spoz C:/bea922/ales32-ssm/oracle-ssm/examples/tools/axis_1.3/lib/commons-discovery-0.2.jar
C:\oracle\product\10.2.0\db1\BIN\loadjava.bat -resolve -schema spoz C:/bea922/ales32-ssm/oracle-ssm/examples/tools/axis_1.3/lib/axis.jar
C:\oracle\product\10.2.0\db1\BIN\loadjava.bat -resolve -schema spoz C:/bea922/ales32-ssm/oracle-ssm/lib/ssmwsClientStub.jar
C:\oracle\product\10.2.0\db1\BIN\loadjava.bat -resolve -schema spoz C:/bea922/ales32-ssm/oracle-ssm/lib/OracleSsm.jar

“DB USER” Steps:

These are the steps that are required to be run by the database user who has access to the named schema that either already exists or has just been created by the DB administrator user in the previous section.

Run SQLPlus as the user with access to the schema (“SPOZ” in this case) and verify that there are java objects loaded. Example:

SQLPLUS spoz/password@ORCL

Then run:

SELECT object_name, object_type, status FROM user_objects WHERE object_type IN ('JAVA SOURCE', 'JAVA CLASS', 'JAVA RESOURCE') ORDER BY object_type, object_name;

Optionally create a “test” table where one will enable these policies on. If not, then one will already have a table which will need to be secured and step 2 can be skipped.

CREATE TABLE cust_payment_info(first_name varchar2(11), last_name varchar2(10), order_number number(5), credit_card_number varchar2(16));
INSERT INTO cust_payment_info values ('Jon', 'Oldfield', 10001, '5446959708812985');
INSERT INTO cust_payment_info values ('Chris', 'White', 10002, '5122358046082560');
INSERT INTO cust_payment_info values ('Alan', 'Squire', 10003, '5595968943757920');
INSERT INTO cust_payment_info values ('Mike', 'Anderson', 10004, '4929889576357400');
INSERT INTO cust_payment_info values ('Annie', 'Schmidt', 10005, '4556988708236902');
INSERT INTO cust_payment_info values ('Elliott', 'Meyer', 10006, '374366599711820');
INSERT INTO cust_payment_info values ('Celine', 'Smith', 10007, '4716898533036');
INSERT INTO cust_payment_info values ('Steve', 'Haslam', 10008, '340975900376858');
INSERT INTO cust_payment_info values ('Albert', 'Einstein', 10009, '310654305412389');
commit;

Create the functions within the DB which use the OES Plugin.

SQLPLUS spoz/password@ORCL @functions.sql
-------------------------------------------------------------------
--functions.sql Script to Create the functions (executed by the schema user where the java classes need to be loaded)
-------------------------------------------------------------------
CREATE OR REPLACE FUNCTION selectFilter(schema in VARCHAR2,tab IN VARCHAR2, dbname IN VARCHAR2, client_id IN VARCHAR2, action IN VARCHAR2) RETURN VARCHAR2 AS LANGUAGE JAVA
NAME 'com.bea.security.oraclessm.OracleSSM.selectFilter(java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String) return java.lang.String';
/
COMMIT;
/
CREATE OR REPLACE FUNCTION addSelectFilter(schema IN VARCHAR2, tab IN VARCHAR2) RETURN VARCHAR2 AS
dbname VARCHAR2(2000);
client_id VARCHAR2(2000);
result VARCHAR2(2000);
BEGIN
dbname := Lower(sys_context('USERENV','DB_NAME'));
client_id := (Sys_Context('USERENV','CLIENT_IDENTIFIER'));
result := selectFilter(Lower(schema), Lower(tab), dbname, client_id, 'select');
DBMS_SESSION.SET_IDENTIFIER('');
RETURN result;
END;
/
COMMIT;
/
CREATE OR REPLACE FUNCTION addUpdateFilter(schema IN VARCHAR2, tab IN VARCHAR2) RETURN VARCHAR2 AS
dbname VARCHAR2(2000);
client_id VARCHAR2(2000);
result VARCHAR2(2000);
BEGIN
dbname := Lower(sys_context('USERENV','DB_NAME'));
client_id := (Sys_Context('USERENV','CLIENT_IDENTIFIER'));
result := selectFilter(Lower(schema), Lower(tab), dbname, client_id, 'update');
DBMS_SESSION.SET_IDENTIFIER('');
RETURN result;
RETURN result;
END;
/
COMMIT;
/
CREATE OR REPLACE FUNCTION addDeleteFilter(schema IN VARCHAR2, tab IN VARCHAR2) RETURN VARCHAR2 AS
dbname VARCHAR2(2000);
client_id VARCHAR2(2000);
result VARCHAR2(2000);
BEGIN
dbname := Lower(sys_context('USERENV','DB_NAME'));
client_id := (Sys_Context('USERENV','CLIENT_IDENTIFIER'));
result := selectFilter(Lower(schema), Lower(tab), dbname, client_id, 'delete');
DBMS_SESSION.SET_IDENTIFIER('');
RETURN result;
END;
/
COMMIT;
/
CREATE OR REPLACE FUNCTION setClientIdentifier(token VARCHAR2) RETURN VARCHAR2 AS
BEGIN
DBMS_SESSION.SET_IDENTIFIER(token);
RETURN 'done';
END;
/
COMMIT;
/
CREATE OR REPLACE PROCEDURE init AS LANGUAGE JAVA
NAME 'com.bea.security.oraclessm.OracleSSM.init()';
/
COMMIT;
/
CREATE OR REPLACE TRIGGER LOGON_TRIGGER
AFTER LOGON ON SCHEMA
BEGIN
init;
END;
/
COMMIT;
/
EXIT
-------------------------------------------------------------------
-- End of document
-------------------------------------------------------------------

Optional: One can still run a “select * from cust_payment_info;” at this point and see the data from the tables. This same behavior would also still apply to the already existing table as well.

SQL> select * from cust_payment_info;

FIRST_NAME LAST_NAME ORDER_NUMBER CREDIT_CARD_NUMB
----------- ---------- ------------ ----------------
Jon Oldfield 10001 5446959708812985
Chris White 10002 5122358046082560
Alan Squire 10003 5595968943757920
Mike Anderson 10004 4929889576357400
Annie Schmidt 10005 4556988708236902
Elliott Meyer 10006 374366599711820
Celine Smith 10007 4716898533036
Steve Haslam 10008 340975900376858
Albert Einstein 10009 310654305412389

9 rows selected.

Create the policies with the DB on the “test” table from step 3 or on the actual table one is using. The script has references to the name of the schema, in this case it is “spoz”. NOTE: If one has an already existing table, then this is the point where the following policies would apply to one’s table name. Please use the following SQL statements and substitute your “table name” with the table name in these scripts (called “cust_payment_info”).

SQLPLUS spoz/password@ORCL @oraclessm_policy.sql
-------------------------------------------------------------------
--oraclessm_policy.sql Script to Create the functions (executed by the schema user where the java classes need to be loaded)
-------------------------------------------------------------------
execute dbms_rls.add_policy(object_schema => 'spoz', object_name => 'cust_payment_info',policy_name => 'selectPolicy', function_schema =>'spoz', policy_function => 'addSelectFilter',statement_types => 'SELECT', update_check => FALSE, ENABLE => TRUE, static_policy => FALSE, policy_type => dbms_rls.context_sensitive, long_predicate => TRUE, sec_relevant_cols => NULL,sec_relevant_cols_opt => NULL)
/

execute dbms_rls.add_policy(object_schema => 'spoz', object_name => 'cust_payment_info',policy_name => 'updatePolicy', function_schema =>'spoz', policy_function => 'addUpdateFilter',statement_types => 'UPDATE', update_check => FALSE, ENABLE => TRUE, static_policy => FALSE, policy_type => dbms_rls.context_sensitive, long_predicate => TRUE, sec_relevant_cols => NULL,sec_relevant_cols_opt => NULL)
/

execute dbms_rls.add_policy(object_schema => 'spoz', object_name => 'cust_payment_info',policy_name => 'deletePolicy', function_schema =>'spoz', policy_function => 'addDeleteFilter',statement_types => 'DELETE', update_check => FALSE, ENABLE => TRUE, static_policy => FALSE, policy_type => dbms_rls.context_sensitive, long_predicate => TRUE, sec_relevant_cols => NULL,sec_relevant_cols_opt => NULL)
/

COMMIT
/
Disconnect
/
EXIT

At this point, if one now runs a “select * from cust_payment_info;” (or a “select” from the existing table one has enforced policies on in step 5) they will not see any data from the tables since this is now being enforced by OES:

SQL> select * from cust_payment_info;
select * from cust_payment_info
*
ERROR at line 1:
ORA-28112: failed to execute policy function

Back out the policies on the DB table:

One can back out the policies setup on the “test” table by running the following SQL statements as the “spoz” user in this example. The same methodology would also apply to any table where these policies were applied to.

SQLPLUS spoz/password@ORCL @oraclessm_drop_policy.sql
-------------------------------------------------------------------
--oraclessm_drop_policy.sql Script to Drop the functions (executed by the schema user where the java classes need to be loaded)
-------------------------------------------------------------------
execute dbms_rls.drop_policy(object_schema => 'spoz', object_name => 'cust_payment_info', policy_name => 'selectPolicy')
/
execute dbms_rls.drop_policy(object_schema => 'spoz', object_name => 'cust_payment_info', policy_name => 'updatePolicy')
/
execute dbms_rls.drop_policy(object_schema => 'spoz', object_name => 'cust_payment_info', policy_name => 'deletePolicy')
/
COMMIT
/
Disconnect
/
EXIT

At this point, if one now runs a “select * from cust_payment_info;” they will now see all of the original data since the DB policies are no longer in effect. This also does not invoke the OES Plugin to goto the OES Authorization engine.

SQL> select * from cust_payment_info;

FIRST_NAME LAST_NAME ORDER_NUMBER CREDIT_CARD_NUMB
----------- ---------- ------------ ----------------
Jon Oldfield 10001 5446959708812985
Chris White 10002 5122358046082560
Alan Squire 10003 5595968943757920
Mike Anderson 10004 4929889576357400
Annie Schmidt 10005 4556988708236902
Elliott Meyer 10006 374366599711820
Celine Smith 10007 4716898533036
Steve Haslam 10008 340975900376858
Albert Einstein 10009 310654305412389

9 rows selected.

Setup the Policies within the OES Administration Server and Distribute to the SSMs

The following will set up a resource tree and policies on the “test” table we have been using so far in the examples. If one has an already existing table that they have applied policies to, then one would be able to follow the structure below and substitute their “table name” for cust_payment_info since the structure and simple policies could be the same.

Next we will setup the OES Resource tree for the sample test table called “cust_payment_info”. If one has used an existing table, then the same structure below will apply however one would substitute their table name for “cust_payment_info” below. From a high level, the following is how the resource tree in ALES looks like:

//app/policy/
ssmws (binding level to the WebService-SSM)
orcl (SID level)
spoz (schema level)
cust_payment_info (table level)

In Order to create this structure, one will goto the resource node at “ssmws” (this is the binding point to the WebService SSM so everything being enforced by this SSM will fall under this node).
Once on the “ssmws” node, click “New” to create a new resource. In this case it would be “orcl” for the SID level we will be under.
Next select “orcl” and repeat the procedure to create the resource “spoz” for the schema level name.
Finally repeat and create the table(s) one has enforced with the DB policies earlier (the dbms_rls.add_policy SQL statement)
The following is a picture of what the resource tree looks like along with the policies for the cust_payment_info table. Instructions on how to create these policies will be outlined in the next step.

Setup OES Policies for the Resource structure under the WebService SSM binding.

Once one has highlighted the resource in question (in this case cust_payment_info resource), then click “New” in the right-hand pane to create a New authorization policy.

This will open a pop-up window where one can specify the “effect”, action, subject and any constraint on the policy.

Once “ok” is clicked, one can create as many policies as desired.

Once that is done, click on the “Save and Distribute” hyperlink at the top of the page to push the policies out to the SSMs so the new policies can be immediately be enforced.

If one was to export these policies into a text file, they would look like the following:

grant( //priv/select, //app/policy/ssmws/orcl/spoz/cust_payment_info, //user/WSDir/spoz/) if report_as("Apply_Where","order_number = 10002");

grant( //priv/delete, //app/policy/ssmws/orcl/spoz/cust_payment_info, //user/WSDir/spoz/) if report_as("Apply_Where","order_number = 10002");

grant( //priv/update, //app/policy/ssmws/orcl/spoz/cust_payment_info, //user/WSDir/spoz/) if report_as("Apply_Where","order_number = 10002");

Finally login to the Administration Configuration Console (https://localhost:7010/asi) to perform the following steps only for the first time when the WebService SSM named “ssmws” is created. This is to create a new Identity Asserter.

Go to SSM Configuration of the Web Service SSM (named “ssmws” in this case) and click on Authentication.

Click Configure a new “FGACIdentityAsserter” and click “create”.

Click on the “Details” tab of the “FGACIdentityAsserter” and enter the value of “oraclessm111111111111111” for the Key (This value is from the ORACLE_HOME\ssm-properties\oracle-ssm.properties) and click Apply.

Go to Deployment. On Configuration tab, distribute configuration.

Restart the Web Service SSM instance.

Test the Example

In order to test this example one can do the following when accessing the table being secured within the Schema:

Run SQLPlus to connect to the Schema:

SQLPLUS spoz/password@ORCL

Run some SQL doing a select from the table in question and observe the results:

SQL> select * from cust_payment_info;

FIRST_NAME LAST_NAME ORDER_NUMBER CREDIT_CARD_NUMB
----------- ---------- ------------ ----------------
Chris White 10002 5122358046082560

This shows that the OES policy on the cust_payment_info table for the user “spoz” is in effect now. Instead of returning all of the rows as what previously would have happened, the policy is adding a where clause that adds “WHERE ORDER_NUMBER = 10002”. This is the written out policy within OES:
OES Policy:

grant
Privilege: select
Resource: //app/policy/ssmws/orcl/spoz/cust_payment_info
Subject: //user/WSDir/spoz/)
Constraint: report_as("Apply_Where","order_number = 10002")

Troubleshooting

If the issue at hand is troubleshooting in development “why” a particular policy was either a GRANT or DENY then the best thing to do would be to enable debugging with the SSM instance’s log4j.properties file which is located in the “config” directory of the SSM instance. Once that is done, restart the SSM instance, run the application in question to exercise the policy, and then look into the SSM “instance” log directory for the system_console.log file. Open this file up in a text editor, scroll to the bottom and look for the policy decision in question to understand why a policy evaluated the way it did.

Step by Step Details on Debugging an SSM Instance:

Enable debugging on the WebService-SSM to see verbose debug logging as the application is run. This is a good place to look in order to determine why something is or is not authorized. To enable debugging goto the OES_HOME\ales32-ssm\webservice-ssm\instance\ssmws\config directory.

Edit the log4j.properties file and uncomment these lines:

log4j.logger.com.bea.security.providers.authorization = DEBUG
log4j.logger.com.wles.util.DebugStore=DEBUG

Clear out the log files in OES_HOME\ales32-ssm\webservice-ssm\instance\ssmws\log

Re-run the SQL example.

View the “system_console.log” file under OES_HOME\ales32-ssm\webservice-ssm\instance\ssmws\log

This will show examples of a correct authorization such as:

2008-10-17 13:21:48,730 [SocketListener0-1] DEBUG com.wles.util.DebugStore - queryAccess: DebugStore:
========== Policy Evaluation Info ==========
RequestResource is: //app/policy/ssmws/orcl/spoz/cust_payment_info
UserInfo:
Name: //user/WSDir/spoz/
Groups: //sgrp/WSDir/allusers/
Resource Present: true
Roles Granted: NONE
Role Mapping Policies: NONE
ATZ Policies:
1. Result: true; Policy Type: grant
Privilege: //priv/select
Resource: //app/policy/ssmws/orcl/spoz/cust_payment_info
Subject: //user/WSDir/spoz/
Constraints: report_as("Apply_Where","order_number = 10002")
Delegator: null
========== Policy Evaluation Info ==========
2008-10-17 13:21:48,730 [SocketListener0-1] DEBUG com.bea.security.providers.authorization.asi.ARME.engine.ARME - unlock policy lock for read
2008-10-17 13:21:48,746 [SocketListener0-1] DEBUG com.bea.security.providers.authorization.asi.AuthorizationProviderImpl - result is GRANT
2008-10-17 13:21:48,746 [SocketListener0-1] DEBUG com.bea.security.providers.authorization.asi.AccessResultLogger - Subject Subject:
Principal: WSDir
Principal: spoz
privilege select resource //app/policy/ssmws/orcl/spoz/cust_payment_info result PERMIT

Appendix

WebService SSM “myssm_config.properties” sample

Items in bold are ones that should be changed depending on your installation directory, webservice instance name, hostnames and ports.

### This files lists properties for the SSM configuration tool
### The ConfigTool will interactively prompt for values which
### are commented out
### SSM's config-id
### You can use the name of your application for this value
ssm.conf.id = ssmws

### Database password for user oes10gr3
db.password = password

### OES Admin Server password
ales.admin.password = password
### SSM Username and passord --> make it admin/password
ssm.admin.name = admin
ssm.admin.password = password
#####################################################
### If you have not installed OES Admin and SSM in the
### same BEA-HOME, you will need to specify the values below.
### If any commented out values are required. The ConfigTool
### will interactively prompt for values which are commented
### out
#####################################################
### This is the type of SSM
### the tool will load policies and configuration from
### BEAHOME/ales*-ssm/webservice-ssm/config/ssm.type
ssm.type = webservice-ssm
### Database user name
# db.login = db_user
### OES Admin username
# ales.admin.name = system
### name of the SSM instance directory
ssm.instance.name = ssmws
### the OES application node name
### This is like the root resource for the SSM
ales.resource.root = //app/policy/ssmws
### OES identity directory name
ales.identity.dir = WSDir
### Database JDBC URL:
### Oracle -> jdbc:oracle:thin:@<server>:<port>:<sid>
### Sybase -> jdbc:sybase:Tds:<server>:<port>
### Sql Server -> jdbc:sqlserver://<server>:<port>
### Pointbase -> jdbc:pointbase:server://<server>/ales
###
### values:
### <server>: name or IP address of database machine
### <port>: port where the database listener is running
### <sid>: SID for oracle database
db.jdbc.url = jdbc:oracle:thin:@localhost:1521:XE
### Database JDBC Driver:
### Oracle: oracle.jdbc.driver.OracleDriver
### Sybase: com.sybase.jdbc3.jdbc.SybDriver
### Sql: com.microsoft.sqlserver.jdbc.SQLServerDriver
### Pointbase: com.pointbase.jdbc.jdbcUniversalDriver
### DB2: com.ibm.db2.jcc.DB2Driver
# db.jdbc.driver = oracle.jdbc.driver.OracleDriver
### ARME's port number, by default this is 8000
arme.port = 8000
### Webservice SSM port number, default 9000
ssmws.port = 9000
### You can optionally specify an Ant script of your choice
### This will be executed after the configuration is complete.
# custom.ant.script = /your-home-dir/CustomAntScript.xml
### If you want to use SSM ConfigTool for a SSM which is installed without SCM,
### you need to uncomment the below line and set the proper SCM name
#scm.name = adminconfig

oracle-ssm.properties file Sample (for DB administrator user)

Items in bold are ones that should be changed depending on your installation directory, webservice instance name, hostnames and ports.

# File : oracle-ssm.properties

# Purpose : For use by Oracle WS-SSM client

# Flag to have FGACIdentityAsserter to be used to assert the identity of the client identifier...true means use FGACIdentityAsserter

useClientIdAsserter=true

# Flag to decide whether to use clear text or encoding for identity assertion of schema username

useSchemaClearTextAsserter=true

# Flag to decide the type of token required, whether base64-encoded or clear text

# Note : This flag is used only when useClientIdAsserter is true

isClientIdAsserterBase64Encoded=false

# Token type for third party identity asserter

# Note : This is a place holder

tokenType

# Shared secret between Oracle Web Services SSM client and ALES Web Services SSM

# Note : This same value (case-sensitive) needs to be given in the key field while configuring the FGACIdentityAsserter

secret=oraclessm111111111111111

# Oracle User Env (Note: Not setting any value here...leave this AS IS)

oracle.userenv

# System Users (Note: Not setting any value here...leave this AS IS)

system.users

# ALES Web Services SSM instance name

config.name=ssmws

# Host name of the machine where ALES Web Services SSM is installed

hostname=SPOZ03.amer.bea.com

# SSL port used for ALES Web Services SSM

port=9000

# Protocol used for accessing ALES Web Services SSM (Note : Leave it AS IS)

protocol=http

# Log4J properties file location with '/' as path separator

log4jConfigFile=C:/bea922/ales32-ssm/webservice-ssm/instance/ssmws/config/log4j.properties

# ALES Credential Type

ALES_CREDENTIAL_TYPE=ALESIdentityAssertion

# ALES Token Type

ALES_TOKEN_TYPE=ALESIdentityAssertion

# Digest Algorithm

DIGEST_ALGO=SHA1

# Password File

PASSWORD_FILE=C:/bea922/ales32-shared/keys/password.xml

# Key File

KEY_FILE=C:/bea922/ales32-shared/keys/password.key

# Alias for KeyEntry in %ALES_SSM_HOME%/webservice-ssm/instance/<instance_name>/ssl/identity.jks

CERT_ALIAS=wles-ssm

# KeyStore type

KEYSTORE_TYPE=jks

# Trusted Keystore

TRUSTED_KEYSTORE=C:/bea922/ales32-shared/keys/demoProviderTrust.jks

# Alias for KeyEntry in %ALES_SSM_HOME%/webservice-ssm/instance/<instance_name>/ssl/demo_provider_trust.jks

KEY_ALIAS=demo_provider_trust

# Identity Keystore at %ALES_SSM_HOME%/webservice-ssm/instance/<instance_name>/ssl/identity.jks

IDENTITY_KEYSTORE=C:/bea922/ales32-shared/keys/identity.jceks

# Trusted Keystore

SIGNATURE_ALGO=MD5withRSA

# List of JARs to be loaded into Oracle JVM

oracle.ssm.jar.1=C:/bea922/ales32-ssm/oracle-ssm/lib/saaj.jar

oracle.ssm.jar.2=C:/bea922/ales32-ssm/oracle-ssm/lib/jaxrpc.jar

oracle.ssm.jar.3=C:/bea922/ales32-ssm/oracle-ssm/lib/wsdl4j-1.5.1.jar

oracle.ssm.jar.4=C:/bea922/ales32-ssm/oracle-ssm/lib/log4j.jar

oracle.ssm.jar.5=C:/bea922/ales32-ssm/oracle-ssm/lib/commons-logging-1.0.4.jar

oracle.ssm.jar.6=C:/bea922/ales32-ssm/oracle-ssm/examples/tools/axis_1.3/lib/commons-discovery-0.2.jar

oracle.ssm.jar.7=C:/bea922/ales32-ssm/oracle-ssm/examples/tools/axis_1.3/lib/axis.jar

oracle.ssm.jar.8=C:/bea922/ales32-ssm/oracle-ssm/lib/ssmwsClientStub.jar

oracle.ssm.jar.9=C:/bea922/ales32-ssm/oracle-ssm/lib/OracleSsm.jar

Oracle Entitlements Server 10gR3 and Coherence 3.5 Integration

2009-10-02T13:10:00.000-07:00

The following is intended to show the current integration points around Coherence and the Oracle Entitlements Server (OES) product. The will show how a Coherence application can be configured to call out to an OES Security Module for an entitlement decision by the OES engine. The granularity of a resource provided by Coherence is to the cache-name which can be used to determine if a specific authenticated user has access to a named cache in the grid.

The value of this solution is that someone could enforce distributed policies on a named cache in the data grid so that not just “anyone” can access their data. The policies would be centrally configured and then automatically distributed to all of the endpoints (OES SSMs) for enforcement at the client level. This would eliminate the need to update the client side Coherence permissions.xml file on each individual client which could be a large maintenance task. If someone is interested in securing access to a named cache in Coherence this can achieved by following the general guide at Coherence Security Framework and implementing the com.tangosol.net.security.AccessController interface to call out to an OES SSM (Security Service Module). In this case the RMI-SSM is best used for performance reasons.

The AccessController class can be generic in nature and the code provided later on could be easily reused. However the configuration for the Coherence side would be specific to the SSM, its location, and other configuration variables for OES.

Currently only the name of the cache is exposed as a resource that one can write policies on from the Coherence ClusterPermission object. Coherence does not currently give you the name of the Object key if one has to goto that level.

“How-To” secure a Coherence Application with OES SSM:

It is assumed that one has already installed and configured the OES product (OES Admin Server and OES SSMs) and Oracle Coherence product prior to this. NOTE: A Jdeveloper sample project is available upon request. :)

OES Setup:

1. The following step only needs to be done once per machine. The reason is that the OES 10gR3 installation kit does not do this out-of-the-box during installation. Create the rmi-ssm directory structure by running the OES_HOME\ales32-ssm\webservice-ssm\adm\rmi-adm\create_rmi_ssm.(bat/sh) utility. This will create an OES_HOME\ales32-ssm\rmi-ssm directory with all of the material needed for this SSM.

2. Create an instance of an RMI-SSM by running the OES_HOME\ales32-ssm\rmi-ssm\adm\ConfigTool.(bat/sh) utility which use a configuration file to automatically create the SSM instance and configure this in the OES Admin Server which has the necessary policies. A sample “myssm_config.properties” file is located in the JDeveloper Project under the “OES_RMI_Setup” directory.

3. Build the Username Identity Asserter. This is used in this example to assert the identity passed in from the Coherence application as valid. It is assumed that the authentication done on the client side is valid and OES is being strictly used as an authorization engine. Follow the instructions listed in the OES_HOME\ales32-ssm\rmi-ssm\examples\SampleProviders\UsernameAsserter directory. You will need to copy this JAR file to the Admin Server side and the RMI-SSM instance.

4. Configure the Username Identity Asserter in the “CoherenceSSM” entry on the OES Admin Server (which was just created in step 2). Login to: https://localhost:7010/asi (default user/password is: admin/password) and look on the left-hand side under Security Configurations -> Service Control Managers -> adminconfig -> CoherenceSSM -> Authentication Providers to create a new instance of “Username Identity Asserter”. It will look like the following:

5. OES does need to know what the name of the user is since policies are written based on a Subject. For this example, we can enter the names of our users in the “asi” identity directory since the RMI-SSM points to this. In this case it will be the user names created in the keystore for the Coherence side of things (steve, larry, and bill are the sample users).

6. Create a sample group (Coherence_Group), put the user names from the “asi” identity directory into this group, and later (step 8) create a policy on the “testCache” resource which only allows members of this group access. This is what it would look like in the Entitlements Administration Console (https://localhost:7010/entitlementsadministration):

7. Create the resource tree under the binding name of the “CoherenceSSM” you just created. For example it would look like this: CoherenceSSM/testCache and CoherenceSSM/__ASTR_ (this is the literal value for the “*” that can be passed in from Coherence as well).

8. Create the Authorization Policy on both of those resources (testCache and __ASTR_). For this example I allowed the “Coherence_Group” access to these resources only. This group contained “steve”, “larry”, and “bill”. This is what the authorization policy will look like on the CoherenceSSM/testCache:

9. Copy the “pdpproxy” directory (OES_HOME\ales32-ssm\rmi-ssm\instance\CoherenceSSM\pdpproxy) to a separate location since the Coherence “client” application will need access to it (or you can modify the command line parameters to point to this). In this case it is part of the JDeveloper project already. You may need to modify the pdpproxy\PDPClientConfiguration.properties to make sure the names in this file match your environment.

10. Modify the “security.properties” which is also on the Coherence client side (in the JDeveloper project) so that the name matches what you have configured. In this case it would be “CoherenceSSM”.

Coherence Setup:

1. Create a sample Coherence application. (This is already in the JDeveloper project and called “com.oracle.oes.coherence.client.OESCoherenceClient”.)

2. Add a runAs() method around what you are trying to secure. Example:
PrivilegedAction action = new PrivilegedAction() {

public Object run() {

// All processing here is with access rights assigned to the Subject

CacheFactory.ensureCluster();

// create or get a named cache called mycache

NamedCache myCache = CacheFactory.getCache("testCache");

// put key, value pair into the cache.

myCache.put("key1", "Hello world");

System.out.println("Client Code: Inside runAs() end");

return null;

}

};

3. Modify the run configuration in JDeveloper to include the coherence configuration and the OES configuration. An example of this is located in the JDeveloper project (in the *.jpr file) and look for the “Security_Run_Storage” section.

4. Make sure there is a “-Djava.security.auth.login.config=” flag which points to a JAAS configuration file. This configuration file contains the keystore used in this example for Authentication from the Coherence application. In the JDeveloper project look at the “Coherence_Keystore.conf” file and make sure that the information in this file points to the correct location of the Keystore.jks file (this will be created in step6).

5. Modify the tangosol-coherence.xml file and make sure it points to the AccessController class which contains the code to call the OES RMI-SSM. For example:

com.oracle.oes.coherence.impl.OES_AccessController

……..

6. Create a keystore with some users configured. You can run the following set of commands to create the keystore (assuming you have Java 1.5 executable set in your environment):

keytool -genkey -v -keystore ./keystore.jks -storepass password -alias steve -keypass password -dname CN=steve,OU=MyUnit

keytool -genkey -v -keystore ./keystore.jks -storepass password -alias larry -keypass password -dname CN=larry,OU=MyUnit

keytool -genkey -v -keystore ./keystore.jks -storepass password -alias bill -keypass password -dname CN=bill,OU=MyUnit

keytool -genkey -v -keystore ./keystore.jks -storepass password -alias dave -keypass password -dname CN=dave,OU=MyUnit

Testing:

1. Start the RMI-SSM. For example: “OES_HOME\ales32-ssm\rmi- ssm\instance\CoherenceSSM\bin\WLESrmi.bat console” and make sure this starts successfully.

2. Start JDeveloper, import the JDeveloper project, and modify the classpaths to point to the correct installation location of OES and Coherence on your machine.

3. Right click and run the “com.oracle.oes.coherence.client.OESCoherenceClient”. If everything is configured correctly this will invoke the AccessController class with the authenticated user “steve” (“com.oracle.oes.coherence.impl.OES_AccessController”), contact the RMI-SSM (which is already running), and render an authorization decision. If the client is “hanging” at initializing the Security Services Framework, check that the PDPClientConfiguration.properties is configured on the command line of the Coherence client and also enable debugging in the AccessController and OES_Authorization_Impl code by setting the DEBUG value to true. This will be the output within JDeveloper:

Oracle Coherence Version 3.4.1/407

Grid Edition: Development mode

Copyright (c) 2000-2008 Oracle. All rights reserved.

Client Code: Inside runAs() begin: security action

2009-02-04 11:33:53.926/3.345 Oracle Coherence GE 3.4.1/407 (thread=Cluster, member=n/a): Service Cluster joined the cluster with senior service member n/a

2009-02-04 11:33:57.176/6.595 Oracle Coherence GE 3.4.1/407 (thread=Cluster, member=n/a): Created a new cluster "cluster:0x30D1" with Member(Id=1, Timestamp=2009-02-04 11:33:53.66, Address=169.254.25.129:8088, MachineId=26952, Location=machine:SPOZ03,process:4724, Edition=Grid Edition, Mode=Development, CpuCount=2, SocketCount=1) UID=0xA9FE19810000011F422373FC69481F98

2009-02-04 11:33:57.222/6.641 Oracle Coherence GE 3.4.1/407 (thread=Main Thread, member=1): Loaded cache configuration from file "C:\spoz\coherence\OES_COH\coherence-cache-config.xml"

Subject is:[CN=steve, OU=MyUnit]

clusterPermission actions are:join, and ServiceName is:DistributedCache

(com.tangosol.net.ClusterPermission service=DistributedCache,cache=* join)

Cache Name is:*

accessResult is:true for

subject:[CN=steve, OU=MyUnit]

resource:*

2009-02-04 11:33:57.910/7.329 Oracle Coherence GE 3.4.1/407 (thread=DistributedCache, member=1): Service DistributedCache joined the cluster with senior service member 1

Subject is:[CN=steve, OU=MyUnit]

clusterPermission actions are:join, and ServiceName is:DistributedCache

(com.tangosol.net.ClusterPermission service=DistributedCache,cache=testCache join)

Cache Name is:testCache

accessResult is:true for

subject:[CN=steve, OU=MyUnit]

resource:testCache

Client Code: Inside runAs() end

Value in cache is Hello world

Process exited with exit code 0.

4. Change the code and pass in the user “dave” who is in the keystore however not part of the Coherence_Group for the entitlements policy as shown in the earlier screenshot. When the client is run one will see the following messages in JDeveloper and the AccessControlException is thrown as per the Coherence checkPermission API:

accessResult is:false for

subject:[CN=dave, OU=MyUnit]

resource:*

Deny and throw exception

Exception in thread "Main Thread" java.security.AccessControlException: Insufficient rights to perform the operation (com.tangosol.net.ClusterPermission service=DistributedCache,cache=* join) for Subject:[CN=dave, OU=MyUnit]

5. You can enable debugging on the RMI SSM instance to determine why access was or was not granted for the named cache.

Coherence Client Code Example:

package com.oracle.oes.coherence.client;

import com.tangosol.net.CacheFactory;
import com.tangosol.net.NamedCache;
import com.tangosol.net.security.Security;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import com.oracle.oes.coherence.impl.OES_AccessController;

import java.security.AccessControlException;

public class OESCoherenceClient {
public OESCoherenceClient() {
}

public static void main(String[] args) {

if (args.length != 1) {
System.out.println("Please supply a user name");
System.exit(0);
}

String sName = args[0].toString();

char[] acPassword = null;
acPassword = "password".toCharArray();

System.out.println("*** Starting Client ***");
// It is assume that the main application has the username/password already from the "client"
Subject subject = Security.login(sName, acPassword);

// The coherence client only has to pass in their credentials and configure the tangosol-coherence.xml
// file to use the com.oracle.oes.coherence.impl.OES_AccessController class in the class-name of the
// access-controller section of that XML file. Each client does not need to know or reimplement the
// OES code. They would just need to wrap their coherence calls inside a runAs() method as per
// normal JAAS security.

// Do something with the cache where an entitlement decision is rendered by OES based on the
// subject, resource (testCache here), and the action/permission.
PrivilegedAction action = new PrivilegedAction() {
public Object run() {
// All processing here is taking place with access rights assigned to the corresponding Subject
System.out.println("Client Code: Inside runAs() begin: security action");
CacheFactory.ensureCluster();

// create or get a named cache called mycache
NamedCache myCache = CacheFactory.getCache("testCache");
// put key, value pair into the cache.
myCache.put("key1", "Hello world");
System.out.println("Client Code: Inside runAs() end");
return null;
}
};
Security.runAs(subject, action);

// Access the cache since it is already secured above for the same named cache
NamedCache myCache = CacheFactory.getCache("testCache");
System.out.println("Value in cache is " + myCache.get("key1"));

}
}

Example of AccessController Implementation for Integration with OES:

package com.oracle.oes.coherence.impl;

import com.bea.security.*;

import com.tangosol.net.CacheFactory;
import com.tangosol.net.ClusterPermission;

import com.tangosol.run.xml.SimpleParser;

import com.tangosol.run.xml.XmlDocument;
import com.tangosol.run.xml.XmlElement;
import com.tangosol.run.xml.XmlHelper;
import com.tangosol.util.LiteSet;
import com.tangosol.util.Resources;
import com.tangosol.util.SafeHashMap;
import java.io.*;
import java.net.URL;
import java.security.*;
import java.security.cert.CertPath;
import java.security.cert.X509Certificate;

import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;
import javax.security.auth.x500.X500PrivateCredential;

public class OES_AccessController implements com.tangosol.net.security.AccessController {

private boolean DEBUG = false;
private boolean nonOESDebug = false;
private java.security.KeyStore m_store;
private XmlElement m_xmlPermits;
private Map m_mapPublicKey;
public static final String PROPERTY_CONFIG = "tangosol.security.config";
public static final String KEYSTORE_TYPE;
public static final String SIGNATURE_ALGORITHM;
public static final Signature SIGNATURE_ENGINE;
public static final String BOUND_SSM_NAME = "CoherenceSSM/";

// OES
private OES_Authorization_Impl oesEng = new OES_Authorization_Impl();
private SecurityRuntime rt = null;
private PolicyDomain pd = null;
private AuthenticationService atnSvc = null;
private AuthorizationService atzSvc = null;

private void debugPrintPrivate (String s) {
if (nonOESDebug) System.out.println(s);
}

private void debugPrint (String s) {
if (DEBUG) System.out.println(s);
}

public OES_AccessController(File fileKeyStore, File filePermits)
throws IOException, AccessControlException
{
System.out.println("************************ IN Access Controller************");

m_mapPublicKey = new SafeHashMap();
if(!filePermits.exists() || !filePermits.canRead())
throw new IOException("Permission file is not accessible: " + filePermits.getAbsolutePath());
try
{
KeyStore store = KeyStore.getInstance(KEYSTORE_TYPE);
store.load(new FileInputStream(fileKeyStore), null);
m_store = store;
}
catch(Exception e)
{
System.out.println("Failed to load keystore: " + fileKeyStore.getAbsolutePath()+" exception:"+e.toString());
}
try
{
m_xmlPermits = (new SimpleParser()).parseXml(new FileInputStream(filePermits));
}
catch(Exception e)
{
System.out.println( "Failed to load permissions: " + filePermits.getAbsolutePath()+" exception:"+e.toString());
}

//
// Setup the services which call the OES SSM (PDP) and returns results to this Java class for enforcement (PEP)
// This will use the configuration file specified in the -Dpdp.configuration.properties.location=
// flag set on the coherence client...
//

String pdname = oesEng.tryGetPolicyDomainName();
System.out.println("--> pdname returned from the security.properties file is:"+pdname);

rt = oesEng.initializeSSM(pdname);
if (rt == null) {
System.out.println("Failed to initialize the setup to the OES SSM");
System.exit(-1);
}

// Fetch our policy domain from the runtime
pd = oesEng.tryGetPolicyDomain(rt, pdname);
if (pd == null) {
System.out.println("Failed to get the policy domain "+pdname+" for the OES SSM");
System.exit(-2);
}

// Get the authentication service from the policy domain so that the identity (subject passed here)
// can be asserted with the sample "User Name" Identity Asserter. OES will assume that authentication
// has already taken place successfully.
atnSvc = oesEng.tryGetAuthenticationService(pd);
if (atnSvc == null) {
System.out.println("Failed to get the Authentication service for the OES SSM");
System.exit(-3);
}

// Get the authorization service from the policy domain
atzSvc = oesEng.tryGetAuthorizationService(pd);
if (atzSvc == null) {
System.out.println("Failed to get the Authorization service for the OES SSM");
System.exit(-4);
}

}

/**
* The checkPermission API is the main method exposed by Coherence 3.4 where OES can plug-in and render
* a decision (grant/deny) based on the subject, action, resource passed in. The accessResult value is
* what is returned from the OES engine. If a deny is returned, then an exception is thrown as per the
* Coherence API documentation. See:
* http://download.oracle.com/otn_hosted_doc/coherence/340/com/tangosol/net/security/AccessController.html
*/
public void checkPermission(ClusterPermission clusterPermission,
Subject subject) {
// This same method can be called multiple times from a Coherence client. For example:
// joining the cluster, try to join a cache, etc...
// The current permissions from Coherence are: ALL, CREATE, DESTROY, JOIN, NONE
// Currently the most granular information one can get from Coherence is the name of the
// cache and not the actual object. See:
// http://download.oracle.com/otn_hosted_doc/coherence/340/com/tangosol/net/ClusterPermission.html

debugPrint("Subject is:"+subject.getPrincipals());
String actionATZ = clusterPermission.getActions();

debugPrint("clusterPermission actions are:"+actionATZ+", and ServiceName is:"+clusterPermission.getServiceName());
debugPrint(clusterPermission.toString());

// Get the actual name of the cache to pass to OES as the resource
String cacheNameATZ = clusterPermission.getName();
int cachePos = cacheNameATZ.indexOf("cache=");
cacheNameATZ = cacheNameATZ.substring(cachePos+6);
debugPrint("Cache Name is:"+cacheNameATZ);

// How should we best handle the "*" as a resource? This can either be added as a resource
// in OES or it can be ignored if desired
//if (cacheNameATZ.equals("*")) {
// debugPrint("Cache is actually a * here... ");
//}

// Start authentication which will assert the identity passed in. The Identity Asserter configured in
// OES for this RMI-SSM will let all identities passed since we are relying on the calling application
// to have been authenticated by some means (keystore, OAM, etc). OES needs some identity in which
// entitlements policies can be written
AuthenticIdentity ident = oesEng.tryAuthenticate(atnSvc, subject);
if (ident == null) {
System.out.println("Failed to authenticate the identiy within the OES SSM");
System.exit(-5);
}

HashMapContext appContext = new HashMapContext();
RuntimeResource resource = new RuntimeResource(BOUND_SSM_NAME+cacheNameATZ, "exampleResource");
RuntimeAction action = new RuntimeAction(actionATZ, "exampleAction");

// Call the OES authorization engine with the identity, resource, action and any hashmap context needed
AccessResult accessResult = oesEng.tryAuthorize(atzSvc, ident, resource, action, appContext);
System.out.println("accessResult is:"+accessResult.isAllowed()+" for\n\t subject:"+subject.getPrincipals()+"\n\t resource:"+resource);

// if the result is a DENY throw an exception. Otherwise it is a grant and do nothing since this is a void method...
if (!accessResult.isAllowed()) {
System.out.println("Deny and throw exception");
throw new AccessControlException("Insufficient rights to perform the operation "+clusterPermission+" for Subject:"+subject.getPrincipals());
} // of if

} // of checkPermissions

//////////////////////////////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////////////////////////////

/**
/* All helper methods for this AccessController to do the work of encrypt and decrypt
* information from the keystore where the identity and passwords are stored. This is essentially
* what the DefaultController does in Coherence. There is no OES code from this point forward.
*/
public SignedObject encrypt(Object o, Subject subjEncryptor)
throws IOException, GeneralSecurityException
{

Set setPrivateCreds = subjEncryptor.getPrivateCredentials();
if(setPrivateCreds == null)
throw new GeneralSecurityException("Subject without private credentials");
for(Iterator iter = setPrivateCreds.iterator(); iter.hasNext();)
{
Object oCred = iter.next();
PrivateKey keyPrivate = null;
if(oCred instanceof PrivateKey)
keyPrivate = (PrivateKey)oCred;
else
if(oCred instanceof X500PrivateCredential)
keyPrivate = ((X500PrivateCredential)oCred).getPrivateKey();
if(keyPrivate != null)
return encrypt((Serializable)o, keyPrivate);
}

throw new GeneralSecurityException("Not sufficient credentials");
}

public Object decrypt(SignedObject so, Subject subjEncryptor,
Subject subjDecryptor) throws ClassNotFoundException, IOException, GeneralSecurityException {
debugPrintPrivate("In decrypt for my AccessController class");
PublicKey keyPublic;
Iterator iter;

keyPublic = (PublicKey)m_mapPublicKey.get(subjEncryptor);
if(keyPublic != null)
return decrypt(so, keyPublic);
Set setKeys = null;
if(subjDecryptor != null)
{
Set setDecryptorCreds = subjDecryptor.getPublicCredentials();
if(setDecryptorCreds != null && equalsMostly(subjDecryptor, subjEncryptor))
setKeys = extractPublicKeys(setDecryptorCreds);
}
if(setKeys == null)
setKeys = findPublicKeys(subjEncryptor);
iter = setKeys.iterator();
debugPrintPrivate("about to loop...");
do {
if(!iter.hasNext()) {
break; /* Loop/switch isn't completed */
} else {
keyPublic = (PublicKey)iter.next();
Object o;
o = decrypt(so, keyPublic);
m_mapPublicKey.put(subjEncryptor, keyPublic);
return o;
}
// throw new GeneralSecurityException("Failed in looping for credentials");
} while (true);

throw new GeneralSecurityException("Failed to match credentials for " + subjEncryptor);
}

protected SignedObject encrypt(Serializable o, PrivateKey keyPrivate)
throws IOException, GeneralSecurityException
{
return new SignedObject(o, keyPrivate, SIGNATURE_ENGINE);
}

protected Object decrypt(SignedObject so, PublicKey keyPublic)
throws ClassNotFoundException, IOException, GeneralSecurityException
{
if(so.verify(keyPublic, SIGNATURE_ENGINE))
return so.getObject();
else
throw new SignatureException("Invalid signature");
}

protected boolean equalsMostly(Subject subject1, Subject subject2)
{
debugPrintPrivate("In equalsMostly... hardcode since this equals() method listed doesn't resolve to anything in public Coherence docs");
//return equals(subject1.getPrincipals(), subject2.getPrincipals()) && equals(subject1.getPublicCredentials(), subject2.getPublicCredentials());
return true;
}

protected Set extractPublicKeys(Set setPubCreds)
{
Set setCerts = extractCertificates(setPubCreds);
Set setKeys = new LiteSet();
Certificate cert;
for(Iterator iter = setCerts.iterator(); iter.hasNext(); setKeys.add(cert.getPublicKey()))
cert = (Certificate)iter.next();

return setKeys;
}

protected Set extractCertificates(Set setPubCreds)
{
Set setCerts = new LiteSet();
Iterator iter = setPubCreds.iterator();
do
{
if(!iter.hasNext())
break;
Object oCred = iter.next();
if(oCred instanceof CertPath)
{
CertPath certPath = (CertPath)oCred;
List listCert = certPath.getCertificates();
if(!listCert.isEmpty())
setCerts.add(listCert.get(0));
} else
if(oCred instanceof Certificate)
{
Certificate cert = (Certificate)oCred;
setCerts.add(cert);
} else
if(oCred instanceof Certificate[])
{
Certificate acert[] = (Certificate[])oCred;
if(acert.length > 0)
setCerts.add(acert[0]);
} else
{
CacheFactory.log("Unsupported credentials: " + oCred.getClass(), 2);
}
} while(true);
return setCerts;
}

protected Set findPublicKeys(Subject subject)
throws GeneralSecurityException
{
java.security.KeyStore store = m_store;
Set setCerts = extractCertificates(subject.getPublicCredentials());
Set setPpals = new LiteSet();
Set setKeys = new LiteSet();
Iterator iter = setCerts.iterator();
do
{
if(!iter.hasNext())
break;
java.security.cert.Certificate cert = (java.security.cert.Certificate)iter.next();
if(store.getCertificateAlias(cert) != null && (cert instanceof X509Certificate))
{
X509Certificate certX509 = (X509Certificate)cert;
setPpals.add(new X500Principal(certX509.getIssuerDN().getName()));
setKeys.add(cert.getPublicKey());
}
} while(true);
if(!setPpals.containsAll(subject.getPrincipals()))
{
CacheFactory.log("Unable to verify the Principal set: " + subject.getPrincipals(), 2);
setKeys.clear();
}
return setKeys;
}

//////////////////////////////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////////////////////////////

static
{
String sConfig = System.getProperty("tangosol.security.config");
XmlDocument xml = null;
String sKeystoreType = "JKS";
String sAlgorithm = "SHA1withDSA";
if(sConfig != null && sConfig.length() > 0)
{
URL url = Resources.findResource(sConfig, null);
Throwable e = null;
if(url != null)
try
{
xml = XmlHelper.loadXml(url.openStream());
}
catch(Throwable t)
{
e = t;
}
if(xml == null)
{
System.out.println("Unable to load DefaultController configuration file \"" + sConfig + "\";");
if(e != null)
System.out.println("e is:"+e);
System.out.println("Using default configuration.");
}
}
try
{
if(xml == null)
xml = XmlHelper.loadXml(com.tangosol.net.security.DefaultController.class, "ISO-8859-1");
sKeystoreType = xml.getSafeElement("keystore-type").getString(sKeystoreType);
sAlgorithm = xml.getSafeElement("signature-algorithm").getString(sAlgorithm);
}
catch(Throwable e) {System.out.println("In throwable for static?"); }
Signature engine;
try
{
engine = Signature.getInstance(sAlgorithm);
}
catch(Exception e)
{
throw new ExceptionInInitializerError(e);
}
KEYSTORE_TYPE = sKeystoreType;
SIGNATURE_ALGORITHM = sAlgorithm;
SIGNATURE_ENGINE = engine;
}

}

OES Authorization Client Code:

package com.oracle.oes.coherence.impl;

import com.bea.security.*;

import java.io.*;

import java.util.Enumeration;
import java.util.Properties;

import javax.security.auth.Subject;

/**
* This class does the work of connecting to the OES SSM and providing the Coherence Client
* (in the checkPermissions method) an easy way to call the isAccessAllowed API from OES.
*/
public class OES_Authorization_Impl {

public OES_Authorization_Impl() {
}

private boolean DEBUG = false;

// To enable quick performance stats on ATZ calls for a maximum looping number
// disable debug on the RMI-SSM and this will be in sub-millisecond time after the
// first ATZ call.
private boolean QUICK_PERF = false;
private int MAX_LOOP = 100;

// Default policy domain name however it will read the security.properties file in
// the working directory for the actual name.
public static final String DEFAULT_CONFIGURATION_ID = "asiadmin";

// Token type expected by the User Name Identity Asserter configured in the OES SSM
private static String USERID_TOKEN_TYPE = "USERID_TOKEN";

protected String tryGetPolicyDomainName() {
// Check for the standard system property
String configId = System.getProperty("wles.realm");

Properties props = new Properties();
if (configId == null) {
try {
props.load(new BufferedInputStream(new FileInputStream("security.properties")));

String realmName = props.getProperty("wles.realm");
if (realmName != null) {
configId = realmName;
} else {
String realm1Name = props.getProperty("wles.realm.1");
if (realm1Name != null) {
configId = realm1Name;
} else {
configId = DEFAULT_CONFIGURATION_ID;
}
}
} catch (java.io.IOException e) {
// File does not exist - ignore and set configId to default value
configId = DEFAULT_CONFIGURATION_ID;
}
}
return configId;
}

protected SecurityRuntime initializeSSM(String configId) {
SecurityRuntime rt = null;

// Initialize this applications configuration
debugPrint("Initializing the Security Runtime for configId--> "+configId);
AppConfig cfg = new AppConfig("Java API Example Application");

cfg.useConfiguration(configId);
//
// Add this application naming definitions to the config
try {
// default file name located in the working directory of this project. This
// API call is required with the contents of this file.
cfg.addNameAuthorityDefinitionFile("exampleNames.xml");

} catch (FileNotFoundException fnfExc) {
System.out.println(fnfExc.getLocalizedMessage());
return rt;
}

debugPrint("Cfg AppName is:"+cfg.getApplicationName());
debugPrint("Cfg Client UID is:"+cfg.getClientUID());
String list[] = cfg.getPolicyDomainURLs();

if (list != null ) {
for (int i=0;i Access Allowed: " + String.valueOf(accessResult.isAllowed()));
debugPrint("---> Decision Time: " + accessResult.getDecisionTime().toString());

// By default the data is returned separated by the rule which generated it (i.e. one response context per rule).
// The "getMergedContexts" method will merge all the response contexts into a single context.
HashMapContext responseContext =
(HashMapContext)collector.getMergedContexts();
if (responseContext != null) {
if (responseContext.size() != 0) {
AppContextElement[] res =
responseContext.getElements(responseContext.getNames());
for (int i = 0; i < responseContext.size(); i++) {
debugPrint(" Response context: " +
res[i].getName() + "=" +
res[i].getValue());
}
} else {
debugPrint(" Response context has 0 elements");
}
} else {
debugPrint(" Response context is NULL");
}
collector.clear();

} catch (Exception e) {
System.out.println(e.getLocalizedMessage());
}

return accessResult;
}

private void debugPrint(String s) {
if (DEBUG)
System.out.println(s);
}

} // of class

Oracle Entitlements Server (OES) Using Oracle Coherence for Access to Distributed Attribute Data

2009-09-11T18:56:00.000-07:00

The value of this solution is that someone can use the data in the grid to create specific entitlement policies. The data used for the entitlement could be updated at anytime using a Coherence application to dynamically change the result of a policy at run-time based on business needs or conditions.

This use-case can be done for accessing distributed attribute data in a cache grid. Many end-users already use Oracle Coherence and re-using the information from a Coherence Grid with OES would strengthen a distributed SOA environment. These name/value pairs from a Coherence Grid can be used as attributes within Oracle Entitlements Server (OES).

How does this currently work?

OES can use the Oracle Coherence product to access an Oracle Coherence Data Grid. At startup of the OES Security Module, the Coherence product will startup and connect to a configured Coherence cluster containing distributed data. Once Coherence connects, it automatically gets a copy of all the data already within that grid. The data can be retrieved with a custom OES Attribute Retriever for use in Authorization Policy decisions for an application. See the diagram below which shows how this works "Out-of-the-Box" today:

Current Solution for OES/Coherence Attribute Retrievers

This use-case can currently be solved using OES and Coherence. In the description below a WebLogic Portal application was used with OES, a custom attribute retriever and Coherence in a sample domain/test environment.

NOTE:

Any application can be used for testing and a "WebLogic Portal" application is not necessary. It is used as an example here of what it would look like.

Setup you WLS Domain:

\coherence-3.3.1\lib
set COHERENCE_LIBS=%COHERENCE_DIR%\tangosol.jar;%COHERENCE_DIR%\coherence.jar;%COHERENCE_DIR%\coherence-web.jar
set CLASSPATH=%PRE_CLASSPATH%;%WEBLOGIC_CLASSPATH%;%POST_CLASSPATH%;%WLP_POST_CLASSPATH%;%COHERENCE_LIBS%

NOTE: Coherence is using the default cache-config.xml file which is bundled within the coherence jar files. The implication of this is that Coherence is not tune for performance and if one wants to override this, then a -Dtangosol.coherence.cacheconfig= flag would need to be applied to the java start line for WebLogic Server pointing to the coherence configuration file of choice.

Run a client to load the data into the coherence grid. In this case the only cluster member of the Coherence Grid is the Coherence Server started within the container. The idea is that there is *already* an existing Coherence Grid with Distributed Data which one will connect to.

Start the WLS Domain which has its security enforced by OES with the startWebLogic.cmd/sh file. Within OES an Attribute Retriever is used which gets the requested attribute from the Coherence Grid. See the sample Attribute Retriever Code below.

Make sure the Attribute Retriever and attribute being used is configured within the Authorization Provider of the WLS container.

Test your sample application to see if your policy which has the attribute being retrieved will retrieve it from the Coherence Grid. In this example, a Portal application was used and I modified the following resource within the OES Administration Console to check the value of the attribute we are retrieving:

Resources:

Constraint:

Subjects:

Access the Portal application URL and login.

If the Coherence Grid is running, then the value of "OK" should be returned in the Attribute Retriever

As a test, change the value in the Grid for the "coh_AccessPage" attribute to something other than "OK".

Logout of the Portal application and log back in. This time you will see a different result and the user not authorized to see the page. If you are having problems with the authorization, please review the previous blog on Troubleshooting authorization decisions.

OES Custom Attribute Retriever Code

The Coherence added code is in bold:

package com.bea.ales.sample2;

import com.bea.security.providers.authorization.asi.AttributeRetriever;
import weblogic.security.spi.Resource;
import weblogic.security.service.ContextHandler;

import javax.security.auth.Subject;
import java.util.*;

// Modify the build path for this application to include
// the tangosol.jar and coherence.jar files within one's environment.
import com.tangosol.net.CacheFactory;
import com.tangosol.net.NamedCache;

/**
* Implementation for performing attribute retrieval.
* This plugin can get to remote repositories to figure out the value
* of a certain attribute at runtime. Multiple retrievers may be
* registered for the same attribute name, they will be called in
* order until one returns a non-null result.
*/
public class CohAttributeRetriever implements AttributeRetriever {

private static final String cohaccessPage = "coh_AccessPage";
private String[] attributes = {cohaccessPage };
private NamedCache myCache = null;

// “Prime” the Coherence information within the constructor
// of the AttributeRetriever
public CohAttributeRetriever() {

CacheFactory.ensureCluster();
myCache = CacheFactory.getCache("mycache");
}
/**
* Returns the names of attributes handled by this class.
* indicates that the retriever will be considered capable of
* handling any attribute name.
*
* @return the names associated with this object
*/
public String[] getHandledAttributeNames() {
return attributes;
}

/**
* Retrieve the value of the named attribute.
* Additional authorization request data
* is made available to allow for more complex attribute retrieval.
*
* @param name the name of the needed attribute
* @param subject the subject associated with the request
* @param roles the role membership of the subject
* @param resource the resource associated with the request
* @param contextHandle the context associated with the request
* @return the attributes value, or null if not found
*/
public Object getAttributeValue(String name,
Subject subject,
Map roles,
Resource resource,
ContextHandler contextHandle) {

// Set default value
String attrValue = "no";

if (name.equals(cohaccessPage)) {

try {

// The only call to the Coherence Named Cache to get
// whatever attribute is needed from the Coherence Grid

attrValue = (String)myCache.get(cohaccessPage);

System.out.println("--> COH Value is \"" + attrValue + "\"");
} catch (Exception e) {
System.out.println("E:"+e.getLocalizedMessage()+" "+ e);
}
finally {}
return attrValue;
}

// default value returned...
return attrValue;
}

}//end of AttributeRetriever

Step by Step Details on Debugging an Oracle Entitlements Server (OES) Security Module Instance

2009-09-04T13:27:00.000-07:00

The following details how-to troubleshoot authorization failures in an Oracle Entitlements Server Security Module Instance. The OES product is available for download from the following link.

What is OES? From the OES documentation: "Oracle Entitlements Server provides fine-grained entitlement management solution that secures critical applications with performance and reliability. By combining centralized policy management with distributed policy decision-making and enforcement, it allows you to rapidly adapt to changing business requirements. Typical uses include fine-grained entitlements for application functionality, dynamic data redaction and privacy at the source, and controlling access to web service endpoints."

Troubleshooting:

If the issue at hand is troubleshooting in development “why” a particular policy was either a GRANT or DENY then the best thing to do would be to enable debugging with the SSM instance’s log4j.properties file which is located in the “config” directory of the SSM instance. Once that is done, restart the SSM instance, run the application in question to exercise the policy, and then look into the SSM “instance” log directory for the system_console.log file. Open this file up in a text editor, scroll to the bottom and look for the policy decision in question to understand why a policy evaluated the way it did.

Step by Step Details on Debugging an SSM Instance:

Enable debugging on the RMI-SSM to see verbose debug logging as the application is run. This is a good place to look in order to determine why something is or is not authorized. To enable debugging in this example, goto the OES_HOME\ales32-ssm\rmi-ssm\instance\\config directory. In the following example there is an RMI-SSM instance called "CoherenceSSM" which one will see referenced.

Edit the log4j.properties file and uncomment these lines: log4j.logger.com.bea.security.providers.authorization = DEBUG log4j.logger.com.wles.util.DebugStore=DEBUG
Clear out the log files in BEA_HOME\ales32-ssm\rmi-ssm\instance\CoherenceSSM\log
Re-start the SSM instance.
View the “system_console.log” file under BEA_HOME\ales32-ssm\rmi-ssm\instance\CoherenceSSM\log
This will show an example of an incorrect authorization because the user “dave” is not part of the Coherence_Group for this resource:

This will show an example of an correct authorization because the user “steve” IS part of the Coherence_Group for this resource:
2009-02-03 21:21:57,969 [RMI TCP Connection(4)-141.144.104.221] DEBUG com.wles.util.DebugStore - queryAccess: DebugStore:

========== Policy Evaluation Info ==========

RequestResource is: //app/policy/CoherenceSSM/testCache

UserInfo:

Name: //user/asi/steve/

Groups: //sgrp/asi/Coherence_Group/ //sgrp/asi/allusers/

Resource Present: true

Roles Granted: NONE

Role Mapping Policies: NONE

ATZ Policies:

1. Result: true; Policy Type: grant

Privilege: any

Resource: //app/policy/CoherenceSSM/testCache

Subject: //sgrp/asi/Coherence_Group/

Constraints: NONE

Delegator: null

========== Policy Evaluation Info ==========

2009-02-03 21:21:57,969 [RMI TCP Connection(4)-141.144.104.221] DEBUG com.bea.security.providers.authorization.asi.ARME.engine.ARME - unlock policy lock for read

2009-02-03 21:21:57,969 [RMI TCP Connection(4)-141.144.104.221] DEBUG com.bea.security.providers.authorization.asi.AuthorizationProviderImpl - result is GRANT

2009-02-03 21:21:57,969 [RMI TCP Connection(4)-141.144.104.221] DEBUG com.bea.security.providers.authorization.asi.AccessResultLogger - Subject Subject:

Principal: asi

Principal: steve

Principal: Coherence_Group

privilege join resource //app/policy/CoherenceSSM/testCache result PERMIT

SOA Infrastructure

Sizing Oracle Coherence Applications

Tuning Oracle Coherence*Web Applications

Tuning/Troubleshooting Oracle Coherence Applications

The following is the third of five posts which will list the best practices and performance suggestions for tuning one’s Oracle Coherence environment. This is a general guide that will evolve as new product features are added to Oracle Coherence.

Troubleshooting Checklist for Oracle Coherence Applications

Tuning a Oracle Coherence Application

Network Topology:

Oracle Coherence Networking Links

Important Links

Oracle Coherence 3.5 Book Review Results

Coherence 3.5 Book Review

Setting up Oracle Data Integrator (ODI) with Change Data Capture (CDC): DB Table to WebLogic Server JMS Queue

Setting up Oracle Data Integrator (ODI) with Change Data Capture (CDC) between two Database Tables

Oracle Entitlements Server (OES) and Oracle Virtual Private Database (VPD) Integration

WebService SSM “myssm_config.properties” sample

oracle-ssm.properties file Sample (for DB administrator user)

Oracle Entitlements Server 10gR3 and Coherence 3.5 Integration

Oracle Entitlements Server (OES) Using Oracle Coherence for Access to Distributed Attribute Data

Step by Step Details on Debugging an Oracle Entitlements Server (OES) Security Module Instance