Claesson.org

When a product goes into production sometimes it may run into performance issues due a number of issues such as traffic increases and uses of the product it was not designed for originally (as more user discover more and more about using the product in their daily work).

The Performance Troubleshooting Guideline Series (Doc Id: 560382.1) series of whitepapers, from My Oracle Support, covers the techniques (by tier) to help detect and address performance issues for products using the Oracle Utilities Application Framework. The whitepaper covers all the versions of the Oracle Utilities Application Framework so covers a lot of versions of various products.

While the whitepaper is comprehensive and includes a process for diagnosing performance issues there are some general advice that can help you address performance issues and even prevent them. Here is a summary of advice that you should consider when configuring your product as well as diagnosing performance issues:

• Enable automatic caching on browser - One of the common issues I see with new implementations is that they setup their browsers for development and testing with settings that are not appropriate for production. One of the most common ones is the cache setting for Internet Explorer. When the browser gets a page it looks in its cache for the page and its static elements to save on redownloading them for the current session. If the elements are in the cache and they are still active (we assign an "expiry" date and time to each element when they are downloaded) then the browser will use them to render the screen. If they are not there or expired new versions are downloaded prior to rendering a screen. This has a slight delay to the loading of the screen till the cache is populated. If the browser cache parameter is set ot an inefficient value such as "Every Visit to Every Page" then this slight delay can result in large delays to transactions as the screen is loaded each time it is called. This also means bandwidth is greatly increased. By setting the value to "Automatic", the recommended setting for production, optimizes the transmission and rendering of the screens. I have seen performance increase up to 10 fold and bandwidth drop a similar amounf by ensuring this setting is set to "Automatic". Now this setting must be global, across all your users, to have an positive result in terms of bandwidth reduction.
• Ensure you machine meets the minimal requirements for the software - The rendering speed of pages depends on the power available to the browser to render them. Now the Oracle Utilities Application Framework simplifies the rendering somewhat, by offloading some of the complex rendering to the server, but I have seen customers use underpowered client machines that are not even designed to run the underlying operating system at its optimal level let alone a browser application. The Oracle Utilities Application Framework product does not require a powerful machine by no means but a reasonable one (as outlined in the Installation Guide for the product) would greatly benefit performance of rendering.
• Do not underestimate firewalls and virus protection - I saw less and less of this issue over time but not all sites have implemented firewalls or even virus protection on their computers. This is bandwidth and machine killer for the client machines. If you are a site that uses firewalls and virus protection then also be aware that these exact a performance premuim on all processes on a machine so performance can be affected. I am not suggesting that you not install these protections, just be aware of their impact on performance when you test to factor them in.
• Web/Business Application Server optimization settings - There are a number of settings in the J2EE Web Application Server that can determine the performance of your product. These typically are
  • Thread pool sizing - Most J2EE server have dynamic sizing but it there is no harm in checking that you can support the number of connections to an individual server. Too few and you have delays in processing transactions.
  • Internal limits  - Internal tolerances of the Web Application Server. For example, WebLogic uses Socket Readers to control internal management of work and if you do not have enough then there are delays in processing calls.
  • JVM memory parameters - These parameters control the amount of memory for the product and the frequency of garbage collection. If they are not set appropriately for your traffic volumes then garbage collection happens too often and that can cause delays in the processing of transactions.
• Child JVM optimizations - If you are using Oracle Utilities Customer Care and Billing and Oracle Enterprise Taxation and Policy Management then you should consider looking at optimizing the number of child JVMs and the recycling time for effective memory management of these JVMs. If there are too few child JVM's or they are running low on memory they can cause delays in transactions.
• Update statistics often - One of the most common remedies for performance for online as well as batch is to ensure the database statistics for your site are up to date. I cannot stress this more than any remedy. In fact any customer I talk to this is one of the things I point out and when they are updated, performance problems seem to disappear more often than not. To explain, Oracle (as well as other databases in the marketplace) use Cost based optimization to determine the optimal path. When executing a new SQL statement, as paths are cached for reuse, Oracle quickly assesses the available access paths based upon the statistics in the database and chooses the lowest cost one to execute. As with humans, if you have the wrong information in front of you, then you can make potentially the wrong decision. Updating the statistics, using dbms_stats, on a regular basis gives the latest information to the optimizer to help it make the best decision it can at execution time.

The advice above is merely a summary of the advice in the whitepapers and the whitepaper document techniques used by customers to address performance issues in their implementations. Some customers incorporate this advice in their monitoring regimes to help identity issues before they become problems.

I strongly advise customers to take a look at the whitepapers to find advice that may assist. It saves time and helps keep your system healthy.

Easy access to a wide variety of contract elements is essential when trying to handle the complexities inherent in managing revenue contracts. A contract administrator needs to keep a watchful eye on contract terms, billing plans, revenue recognition plans, project progress, team members, limits, withholdings, budgets, lots and lots of dates, and numerous other details in order to ensure good governance of an organization’s revenue. To ease the burden of the weary contract administrator, we recently added the Contracts Workbench to the PeopleSoft Contracts application in the PeopleSoft ESA 9.1 Bundle #16.

Designed based on requirements from several industries, the Contracts Workbench acts as a window into information from the PeopleSoft Contracts, Grants, and Project Costing applications. The data users see is dependent on which applications are installed, meaning that an organization can take advantage of the Contracts Workbench even if it is not using all three of the applications. Additionally, business analysts and users can configure sections of the Contracts Workbench to display only the award, contract, and project information relevant to the way their organization does business. Contract administrators and accountants can view and access information to identify instantly the need for adjustments, and they can quickly update contract lines, projects, bill plans, and so on.

Lately everyone is talking about Fusion Applications - Oracle's next generation ERP Applications. Since Identity Management is built into Fusion Applications, Oracle Applications customers will benefit from "out of the box" integration with the Oracle Identity Platform. In most deployments today, customers are sourcing user accounts from HR applications and using the HR apps as a logical place to trigger user access changes across the enterprise. The ERP system is a logical place to derive entitlement information as well, since the ERP systems have the most context knowlegde of the user and their job role. 

With integrated Identity Management in Fusion Applications, all of the external authorization for data and forms is handled by Oracle Entitlements Server. User on-boarding, off-boarding, change and termination is handled via Oracle Identity Manager and web access control is handled by Oracle Access Manager. In the background Oracle Internet Directory provides the high scale repository for Fusion Apps. All of these capabilities are encapsulated in the Identity Platform and utilized as a service by Fusion Applications. You can learn more by reading the paper on Identity and Fusion Apps. 

In the next few months we will be presenting a series of short webcasts that describe how Identity Management works with Oracle Applications and Fusion Applications. Steve Miranda, Senior VP of Oracle Applications Development, presents a good primer of Oracle's Applications strategy in this presentation below.

@page { margin: 0.79in }
P { margin-bottom: 0.08in }
-->

Setup of a  LDS/ADAM Active Directory  LDAP server on Weblogic for use with Oracle BPM 11g 11.1.1.5 Feature Pack.

There may be many reasons why it might be beneficial or necessary to configure a separate LDAP for your BPM/SOA suite implementation. Corporate LDAPs are often huge, slow, ill maintained, restricted to change and even full of circular references.   

One of my customers were setting up their environments for current latest version of Oracle BPM 11g. One of the steps was to configure a directory to handle both authentication and user groups. The chosen LDAP of choice was a poor sister of Active Directory called LDS. I say poor because it is not exactly the same and the AD weblogic providers are designed to work with the elder brother. Therefore the standard procedure of setting up a AD provider just didn't work with LDS, because of some missing attributes in LDS. But I made it work anyway. This is how I did it.

Active Directory (AD) is a directory service provided by  Microsoft which uses the Lightweight Access Protocol (LDAP). AD servers are commonly called Domain controllers. A less well known relative of AD is the Lightweight Directory Service (AD LDS) which was previously know as Active Directory Application Mode (ADAM).

By default, a service instance supports querying against a single LDAP identity store. You can configure the service to support a virtualized identity store which queries multiple LDAP identity stores. This feature, known as identity virtualization

Which Authentication Provider?

Weblogic already has an embedded LDAP which we use to login to the console. In our particular case we want to keep using this and also another we have been given. Weblogic provides many authentication providers to cover most bases, and even the possibility to create your own.  The AD provider works fine for a normal AD. However to make authentication work with LDS we need to use the base LDAP authenticator. When we are finished we can still login to the BPM Workspace using the user weblogic defined in the embedded LDAP and a user defined in LDS.

Login to the weblogic console as an admin user (e.g weblogic). Navigate to Authentication Provider setup and select the type as LDAPAuthenticator

Home >Summary of Servers >AdminServer >Summary of Servers >Summary of Security Realms >myrealm >Realm Roles >DEV >Summary of Security Realms >myrealm >Providers

Click OK. Then click on the new BPM_LDAPAuthenticator you just created and change the Control Flag to SUFFICIENT. Then click on the save button 

Click on the Provider Specific Tab                

Update the values of the fields of the provider. Update all the values in one go before you click save. Below are some sample values. They will be different for your own LDAP. You should use an LDAP explorer UI tool to check how yours is setup. These are initial settings. We will look into tuning when we have it working.

Click Save 

Click the reorder button and use the arrow to move the new authenticator to be the second on the list. 

Save the changes .

Restart Admin and SOA servers.

Login to the weblogic console again as an admin user (as above)

Navigate to where the users and group are defined 

Home >BPM_LDAPAuthenticator >Providers >BPM_LDAPAuthenticator >Providers >Summary of Security Realms >myrealm >Providers >Users and Groups

Check the a user in LDS exists and then click on the link to see the details for this userLogin

Click on the Groups tab to see the groups the user is a member of

Confirm that the console shows that the user is a member of group that you know it belongs to

NB: If you cannot see both the user and the group then you must check the settings above. Fix them and restart the servers again. As a last resort it may also be necessary to delete the authenticator and recreate it again using the steps above.

Login to the Enterprise Manager console of the SOA server http://<servername>:<soaport>/em

Navigate to Security Provider Configuration as shown in the below screenshot 

Click on the Configure button and the green plus sign to add a new property. The name is virtualize and the value is true.

Click OK.

If this does not exist then restart the Admin and SOA servers

Update the configuration of jps-config.xml to add the following configurations. The text in red is new text to be added. The name below  BPM_LDAPAuthenticator is the name of the new LDAPAuthenticator you have chosen above.

<serviceInstance provider="idstore.ldap.provider" name="idstore.ldap">

            <property value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider" name="idstore.config.provider"/>

            <property value="oracle.security.idm.providers.stdldap.JNDIPool" name="CONNECTION_POOL_CLASS"/>

            <property value="true" name="virtualize"/>

<serviceInstanceRef ref="BPM_LDAPAuthenticator"/>

</serviceInstance>

<serviceInstance name="BPM_LDAPAuthenticator" provider="idstore.ldap.provider">

<property name="idstore.type" value="ACTIVE_DIRECTORY" />

 </serviceInstance>

@page { margin: 0.79in }
P { margin-bottom: 0.08in }
H2 { margin-bottom: 0.08in }
H2.western { font-family: "Arial", sans-serif; font-size: 14pt; font-style: italic }
H2.cjk { font-family: "Droid Sans Fallback"; font-size: 14pt; font-style: italic }
H2.ctl { font-family: "Lohit Hindi"; font-size: 14pt; font-style: italic }
-->

Restart the Admin and SOA weblogic servers.

Now login to the BPM Workspace console with the weblogic user and and user seeded in LDS. If that works then go grab a cup of tea, you are done for now.!!

This article explains how to configure OEG as Kerberos Service for authenticating requests using SPNEGO tokens.

For the purpose of this article, I will demonstrate a use case that involves the following 3 machines:

DC-SERVER.WINDC.DEMO.ORACLE.COM (Windows 2008 Server R2)
This server is the Active Directory Domain Controller and also acts as the Kerberos KDC.
The name of the domain is WINDC.DEMO.ORACLE.COM.

OEG-SERVER.ORACLE.COM (Windows 2008 Server R2)
This server hosts the Oracle Enterprise Gateway (version 11.1.1.6)
This server runs standalone, and is NOT part of the Windows Domain WINDC.DEMO.ORACLE.COM.

WIN7-CLIENT.WINDC.DEMO.ORACLE.COM (Windows 7)
This is a Windows 7 machine that is client to the Domain Controller DC-SERVER.WINDC.DEMO.ORACLE.COM.
Any user defined in Active Directory can log into this machine to the domain WINDC.
For the purpose of this demo, there are two user (DemoUser1 and DemoUser2) created in Active Directory that can log into WIN7-CLIENT.

This article will demonstrate that requests coming from WIN7-CLIENT (either via Web Browser or a Web Service client) that will call an end point defined/registered on OEG (running on OEG-SERVER) will be successfully authenticated by OEG Kerberos Service.
The credentials used to authenticate the user will be the Windows credentials of the user logged into the machine.
Note: The requests could come from any machine so long as it is a client to the Domain Controller.

The Screen shot below shows the users DemoUser1, DemoUser2 created in Active Directory on DC-SERVER.

Now begins the Kerberos Configuration....

Step 1 is to create a user account in Active Directory for OEG-SERVER.

The below screenshots show a user named OEG-SERVER created in Active Directory on DC-SERVER.

Step 2 is to create a Service Principal Name (SPN) on the Domain Controller (DC-SERVER) for OEG-SERVER

Run the following command to create the SPN that is mapped to the user account OEG-SERVER.

ktpass -princ HTTP/OEG-SERVER.ORACLE.COM@WINDC.DEMO.ORACLE.COM -pType KRB5_NT_PRINCIPAL -mapuser OEG-SERVER -pass Password1 -out c:\temp\oeg-server.keytab -crypto RC4-HMAC-NT -kvno 0

NOTE: The password in the above command must be the same as the password for the user account OEG-SERVER in Active Directory.

The below screenshot shows the command and its output.

The above command will output a keytab file (c:\temp\oeg-server.keytab).

Copy this keytab file inside some folder on OEG-SERVER.

Once the SPN is successfully created, you will notice the change in User Logon Name for the user OEG-SERVER. (see the screenshot below)

Now let’s begin the configuration in OEG...

Launch the Policy Studio, and under “External Connections”, right-click on “Kerberos Principals” and create a new Kerberos Principal. (Screenshot below)

Now, under “External Connections”, right-click on “Kerberos Services” and create a new Kerberos Service. (Screenshot below)
Click on the “Load Keytab” button to load the keytab file that was copied from DC-SERVER.

Now, let’s create a Kerberos Authentication Policy...

Create a new Policy (let’s name the policy “Kerberos Authentication”) and drag the “Kerberos Service” filter, and configure it as shown below.
Select “SPNEGO over HTTP” as the Kerberos standard. Leave all the other tabs with default configuration.

Add a “set message” and “reflect message” filter to complete the circuit. (see screenshots below)

Now, create a relative path “/kerberosauth” under “Default Services” (port: 8080), and make it point to the Policy created above.

Now, create a file called “krb5.ini” and configure it as shown below.
Copy the krb5.ini file inside C:\Windows on OEG-SERVER.

Please note that if you are using OEG 11.1.1.5, you need not create the krb5.ini file. You can do this configuration in the krb5.conf file inside OEG.

Finally, Deploy the configuration in the Gateway.

Now, we are almost ready to run the test case from a web browser running on WIN7-CLIENT, but first we need to configure some settings in the Browsers:

Firefox Settings:

Enter “about:config” in the address bar and hit enter, and then click on the “I’ll be careful, I promise” button.
Right-click on the preference name “network.negotiate-auth.trusted-uris” and select “modify”, and add the following URL: “http://oeg-server.oracle.com”

Note: You may also need to add an entry for OEG-SERVER.ORACLE.COM inside the “hosts” file on WIN7-CLIENT.

Finally, enter the URL: http://oeg-server.oracle.com:8080/kerberosauth, and hit enter.
Note: The user should NOT be prompted to enter username/password. The underlying Windows credentials of the user logged into the machine will be used for authentication.

In the example screenshot below, DemoUser1 is logged into WIN7-CLIENT, and hence you see this message.

Internet Explorer Settings:

• Under Tools > Internet Options > Advanced, make sure the option “Enable Integrated Windows Authentication” is selected.
• Under Tools > Internet Options > Security > Local Intranet > Advanced, Add this URL: “http://oeg-server.oracle.com”
• Under Tools > Internet Options > Security > Local Intranet > Custom Level, Make sure that under “User Authentication > Logon, the option “Automatic Logon only in Intranet Zone is selected.

You may need to restart I.E.

Finally, enter the URL: http://oeg-server.oracle.com:8080/kerberosauth, and hit enter.
Note: The user should NOT be prompted to enter username/password.
In the example screenshot below, DemoUser2 is logged into WIN7-CLIENT, and hence you see this message.

DNS:

When a browser acquires a service ticket from the KDC, it presents a service principal name (SPN) for the service that it wants to connect to. This SPN is computed from the host name in the URL entered into the browser. For example if the user enters http://oeg-server.oracle.com:8080/kerberosauth, the SPN that the browser passes to the KDC in order to acquire a service ticket is HTTP/oeg-server.oracle.com@WINDC.DEMO.ORACLE.COM.

If the host name is defined in the DNS as “A-name” or host, the SPN is directly resolved from the host. For example:
On the DNS server, the following DNS record is defined:

HOST(A): oeg-server.oracle.com
On the client browser, the following URL is entered:
URL: http://oeg-server.oracle.com:8080/kerberosauth

The requested SPN is:
HTTP/oeg-server.oracle.com

Kerberos Authentication for Web Services

To configure Kerberos Authentication for web services, just plug in the “Kerberos Authentication” policy created above (minus the “Set Message” and “Reflect” filters) under the “Message Interception Points” > “Request From Client” > “Before Operation-specific Policy” tab in the Service Handler for the registered Web Service – just the same way you would intercept with a HTTP authentication policy.

Note: The WSDL url used by the web services client must contain the fully qualified name of the gateway server so that it matches the SPN.

The manager instance stores its data as objects inside the database. To do that, there is something called a datasource defined in weblogic during installation. It's basically a jdbc connection from weblogic to the database. This DS requires the following information : database hostname, database instance name, database listener port number, schema username and schema password. In my default install this was localhost, XE, 1521, ovs, mypassword.

Now that I re-organized my machines a bit, I have a larger server that runs a normal database 11.2.0.3, which I also happen to use for EM12c. So I figured I would take some load off the little atom server, keep it running Oracle VM Manager but shut down XE and move the schema over to my dedicated database host. This is a straightforward process so I just wanted to list the steps.

1) shut down Oracle VM Manager so that it does not continue updating the repository. as root : /etc/init.d/ovmm stop 2) export the schema user using the exp command for Oracle XE as oracle : cd /u01/app/oracle/product/11.2.0/xe export ORACLE_HOME=`pwd` export ORACLE_SID=XE export PATH=$ORACLE_HOME/bin:$PATH exp (enter user ovs and its password) export user (option 2) export everything including data this will create (by default) a file called expdat.dmp copy this file over to the other server with the other database The schema name is also in /u01/app/oracle/ovm-manager-3/.config (OVSSCHEMA) 3) shutdown oracle-xe as it's no longer needed as root : /etc/init.d/oracle-xe stop 4) import the ovs user into the new database. I like to do it as the user. I just simply pre-create the schema before starting import as oracle : sqlplus '/ as sysdba' create user ovs identified by MyPassword; grant connect,resource to ovs; at this point, run the imp utility on the box to import the expdat.dmp import asks for username/password, enter ovs and its password import yes on all data and tables and content. At this point you have a good complete repository. Now let's make the Oracle VM Manager weblogic instance point to the new database. 5) on the original system, restart weblogic as root :/etc/init.d/ovmm start wait a few minutes for the instance to come online 6) use the ovm_admin tool as oracle : cd /u01/app/oracle/ovm-manager-3/bin ./ovm_admin --modifyds orcl wopr8 1521 ovs mypassword My new host name for the 11.2.0.3 database is called wopr, the database instance is orcl and listener is still 1521 with schema ovs The admin tool asks for a password, this is the weblogic user password. In a simple install, this would be the same as your admin or ovs account password. 7) restart to have everything take effect. as root : /etc/init.d/ovmm stop ; sleep 5 ;/etc/init.d/ovmm start ; 8) edit the config file and update the new data vi /u01/app/oracle/ovm-manager-3/.config modify : DBHOST= SID= LSNR= OVSSCHEMA= and leave the rest as is. that should do it !