[i]

Oracle Application server 10g concepts and administration 

This article explains how to administer an Oracle application server 10g.

Topics

Administrative Component Overview

Managing OracleAS 10g with Enterprise Manager(OEM)

Managing OracleAS 10g with Command-line interfaces

OracleAS 10g infrastructure

Single Sign-On (SSO)

Oracle HTTP Server (OHS)

Managing The Oracle Web Cache

J2EE in OracleAS 10g

Management of OC4J (Oracle Container for J2EE)

Database connections and TopLink

OracleAS 10g security 

Administrative Component Overview 

Application Server 10g has many administrative utilities grouped in three main categories: General administration tools, Web Cache Administration tools and application layer administration tools. 

I.     General Administration Components: 

The following are the main administrative interfaçes for the Application Server 10g infrastructure: 

§        LDAP Server (OID):  Used to manage the LDAP directory to maintain user-access privileges.

§        Single-Sign-On (SSO): Provides centralized management and allows easy password management and access control.

§        Metadata repository (asdb): Its an Oracle Database that stores configuration information and metadata. This include data used by LDAP, OMS and SSO.

§        Mod_osso_module: This provides communication between the SSO-enabled login server and the Oracle HTTP Server (OHS) listener. 

II.     Web Administration Components: 

Includes two components: the Web Cache and OHS. 

§        Oracle HTTP Server (OHS): This is the HTTP listener that intercepts incoming requests and routs them to the appropriate Application Server 10g component. Upon completition of the transaction, the OHS sends the completed HTML or XML back to the originating IP address.

§        Web Cache: This component provides RAM caching for images , as well as page content.

III.     Application Management Components:

This category includes administrative tools for application development, primary for java applications: 

§        J2EE server (Oc4J): This component allows you to deploy and manage Java-based applications. You have to configure J2EE server to ensure proper communications between OC4J and other Application Server 10g components.

§        Oracle Process Manager and Notification (OPMN): OC4J is started and managed with OPMN, which is also responsible for monitoring all application Server 10g processes and propagating configuration changes across clusters.

§        Distributed Configuration Manager (DCM): DCM is a handy command-line utility that can be used instead of the GUI for starting and stopping Application Server 10g services.

Top of the document 

Managing OracleAS 10g with Enterprise Manager(OEM) 

To start Enterprise Manager use the following command:

emctl start em 

If you have installed the infrastructure repository, then the default EM console page will be the EM Farm page used to administer all instances within your application server: 

§        Instances: Each J2EE app server or infrastructure is called an instance

§        Clusters: is an arbitrary collection of instances.

§        Farms: is a collection of instances and clusters that make up your application server 10g  system and share a common repository database(asdb). 

The Farm page allows you to drill-down and see the details for each instance using the EM Instance Manager page., it also allows you to define new clusters and assigns instances to them. For each instance, the Instance Manager page allows you to manage all of the application Server 10g components.

Top of the document 

Managing OracleAS 10g with Command-line interfaces 

The command-line programs are spread across the following locations that you should include in your PATH environment variable:

PATH=$PATH:$ORACLE_HOME/bin:$ORACLE_HOME/dcm/bin:$ORACLE_HOME/j2ee/home:$ORACLE_HOME/ldap/bin:\

$ORACLE_HOME/ldap/odi/admin/:$ORACLE_HOME/oca/bin:$ORACLE_HOME/opmn/bin:$ORACLE_HOME/portal/admin/plsql/sso:\

$ORACLE_HOME/sso/lib/:$ORACLE_HOME/uddi/lib/:$ORACLE_HOME/upgrade:$ORACLE_HOME/wireless/bin: 

There are three main command-line interfaces: 

§        opmnctl ($ORACLE_HOME/opmn/bin/opmnctl): Provides a startall and stopall argument that will manage all of the Application Server 10g server processes.

§        dcmctl ($ORACLE_HOME/dcm/bin/dcmctl): Is the master utility for Application Server 10g. DCM is responsible for maintaining configuration by updating the configuration files on each server, it also stores the values of the parameters within each configuration file on each server within asdb

§        emctl ($ORACLE_HOME/bin/emctl): It is used for managing the OEM agent, changing OEM passwords, starting and stopping the OEM console. 

The following example is a script that starts the asdb database, the listener, the infrastructure instance, and the Enterprise Manager web site: 

# set the environment variables: ORACLE_HOME, ORACLE_SID and PATH

echo Starting Listener

lsnrctl start

echo Starting database

sqlplus /nolog <<EOF

connect /as sysdba

startup

EOF

echo Starting all opmnctl controlled processes

opmnctl startall

echo Staring the EM web site

emctl start em 

The following table shows how to start/stop some Oracle Application Server components: 

Oracle HTTP server

EM Console

OEM Agent

OMS Commands

Start/Stop OPMN,DCM, and all components

dcmctl start –ct ohs

dcmctl stop –ct ohs

 

emctl start em

emctl stop em

emctl status em

emctl start agent

emctl stop agent

emctl status agent

emctl start oms

emctl stop oms

emctl status oms

opmnctl startall

opmnctl stopall

 The command-line utilities are classified by categories such as Forms, Reports, J2EE, LDAP, OID, SSO , Web Cache, Wireless,… 

The following table lists some of the command-line utilities and their usage: 

Command

Usage

Category

iasua.sh

Upgrade assistant

OracleAS 10g

dcmctl

Managing OracleAS 10g components

DCM

dmstool

Used for viewing performance metrics

DMS

eulbuilder.jar

Discoverer end-user layer java command line interface

Discoverer

Ifweb90

Allows to preview a form in a web browser

Forms

ldapadd

The OID add utility for adding entries, their object classes, and attributes.

LDAP

ldapaddmt

Like ldapadd, but with support for multiple threads for adding entries concurrently.

LDAP

ldapbind

Determines whether you can authenticate a client to a server.

LDAP

ocactl

Certificate authority administration tool

OCA

emctl

Starts, stops, and manages security for OEM.

OEM utility

oidctl

Starts and stops Oracle Internet Directory.

OID

oidmon

Manages OID processes.

OID

opmnctl

Starts, stops, and gets status on OPMN managed processes. This is the main tool for starting and stopping an instance.

OPM

rwserver

Invokes the Reports server.

Reports

rwcgi

Translates and delivers information between HTTP and the Reports server

Reports

rwrun

Runs a report using OracleAS 10g Reports Services in-process server.

Reports

ssocfg.sh

Updates host, port, and protocol of SSO URL.

SSO

ssooconfig.sql

Points SSO to different OID.

SSO

ossoreg.jar

The mod_osso registration tool.

SSO

webcachectl

Manages Web Cache processes, including the administration server process, cache server process, and auto-restart process

Web Cache

uddiadmin.jar

Manages UDDI registry.

Web services.

portalRegistrar.sh

Registers the mobile gateway parameter with Application server Portal 10g.

Wireless

ReRegisterSSO.sh

Reregisters the wireless Single Sign-On partner application with the Single Sign-on server.

Wireless

 Top of the document 

OracleAS 10g infrastructure 

The OracleAS 10g infrsatructure is a database (asdb) that contains all of the metadata and internal information for all SSO components, Oracle Internet Directory, Oracle Portal, Oracle Wirless, and some DCM components. The asdb database stores the schemas of the differents components of OracleAS 10g.  

The OracleAS 10g components rely on iasdb database being available when they are started. After the components are started, the iasdb database can be stopped without effects to OHS and Java. However SSO, Portal, and Wireless, will not be able to function. You should take steps to ensure continuous availibility of iasdb database, for example using Data Guard, RAC triple mirroring of disks.

Starting and Stopping the Infrastructure. 

The asdb must be started in a specific order because some components rely on its availaibility.  We should respect the following order: 

1.Start the asdb listener process(lsnrctl start).

2.Start the asdb database.

3.Start OID

4.Start OHS

5.Start OC4J_DAS.

6.Start  The Web Cache

7.Start OMS.

8.Start OEM intelligent Agent.

9.Start em 

The following scripts are used to start and stop the OracleAs 10g components: 

 startall.ksh: This script calls ‘startinfra.sh’ and ‘startmidtier.sh’ scripts.

 startinfra.sh performs the following actions: 

1.Start listener: $ORACLE_HOME/bin/lsnrctl start

2.Start iasdb database:

                $ORACLE_HOME/bin/sqlplus /nolog<<EOF

                connect /as sysdba

                startup

                EOF

3.Start all OPM processes: $ORACLE_HOME/opmn/bin/opmnctl startall

4.Check the status of infrastructure: $ORACLE_HOME/dcm/bin/dcmctl getState –v –I $INFRA

5.Start OMS: $ORACLE_HOME/bin/emctl start oms

6.Start OEM:

                $ORACLE_HOME/bin/emctl start agent

                $ORACLE_HOME/bin/emctl start em 

 startmidtier.sh performs the following actions: 

1.Start all OPM processes: $ORACLE_HOME/opmn/bin/opmnctl startall

2.Check the status of infrastructure: $ORACLE_HOME/dcm/bin/dcmctl getState –v –I $MIDTIER

3.Start OEM:  $ORACLE_HOME/bin/emctl start em 

 stopinfra.sh is the exact inverse of the start script startinfra.sh 

Top of the document 

Single Sign-On (SSO) 

With SSO, each user has only one password for all applications within OracleAS 10g framework. SSO is designed for web-based users.

To enable SSO after installation, use the following procedure: 

Edit the rwservlet configuration file $ORACLE_HOME/reports/conf/rwservlet.properties and change the parameter singlesignon to the value ‘yes’.

Configure OHS to use SSO : Make an entry in mod_osso.conf file and enable mod_osso in the OMS configuration file. 

Top of the document 

Oracle HTTP Server (OHS) 

OHS built on Apache version 1.3  is a reliable, secure and capable web server. OHS is an integral part of OracleAS 10g and should be started or stopped using dcmctl or opmctl utility. Stopping just OHS will cause problems in the instance beacuse opmn monitors the processes and may restart OHS if it detects that it is down. Thus, it is recommended that the instance be brought down using opmnctl if you need to bring down or restart OHS from the command-line. Once running, OHS is easily configured, started, or stopped using the EM web site.

Each Application Server 10g instance installs an OHS and has a unique configuration file $ORACLE_HOME/Apache/Apache/conf/httpd.conf. When OHS starts, it reads three file: httpd.conf, access.conf, and srm.conf. The oracle_apache.conf is an included file in httpd.conf, it is used to load and configure specific Oracle Modules.

The parameters in httpd.conf file are grouped into three sections: global parameters, default server parameters, and virtual host parameters.

Global parameters:

ServerRoot $ORACLE_HOME/Apache/Apache

When OHS is looking for configuration or log files, it will use the ServerRoot as the base directory. For example, is ErrorLog is set “logs/error_log”, OHS will log errors to $ORACLE_HOME/Apache/Apache/logs/error_log

PidFile $ORACLE_HOME/Apache/Apache/logs/httpd.pid

This file store the OS pid of the parent server process of OHS.

MinSpareServers    5

OHS checks periodically that there are five spare processes waiting to handle new requests, if there are fewer than five, the parent process will prespawn additional processes.

MaxSpareServers    10

If there are more than 10 spare processes, the parent process will kill some  of the idle child processes.

StartServers           5

When OHS starts, it spawns five child server processes.

MaxClients            150

Used to limit the number of child server processes that OHS can create

LoadModule   mmap_static_module libexec/mod_mmap_static.so

LoadModule   vhost_alias_module libexec/mod_vhost_alias.so

OHS reads the directives for each module so it can dynamically load and use the module when needed. All modules available to OHS are listed under  ServerRoot/libexec and end with “.so”. To list the modules currently loaded, use ServerRoot/bin/httpd -l

Default Server Parameters 

Port 7778

The port where OHS waits for requests

Listen 7779

Allows you to have OHS listen on additionnal ports or even others IPs. For example listen 192.166.5.200:7779

User oracle

Group oracle

If you have specified port numbers below 1024, OHS should be started as root user. However, for security reasons, you don’t want Apache responding to request as root. By setting the User and Group parameters, the parent process will spawn child processes running under oracle user instead of root user.

If the port numbers are above 1024, OHS can be started as oracle user and you don’t need to set the two parameters.

ServerName   itsys.localdomain.com

It defines the response name and is used in redirecting URLs.

SereverAdmin  info@itsys-consulting.com

This will give your clients an email address to contact if necessary.

DocumentRoot  $ORACLE_HOME/Apache/Apache/htdocs

Defines the directory that OHS will serve static content files from. This child processes should have read permissions on this directory.

Container Directives:

<Directory / >

      Options All

      AllowOverride All

</Directory>

They change the configuration within the area defined by the container.

ErrorLog $ORACLE_HOME/Apache/Apache/logs/error_log  common

LogLevel warn

Defines log locations. Loggin levels, and formats

Alias /icons/ “$ORACLE_HOME/Apache/Apache/icons/”

Allows OHS to use directory not under DocumentRoot. This feature opens additional subdirectories for use.

<IfModule mod_dir.c>

      DirectoryIndex index.html

</IfModule>

When OHS gets a request for a directory, it looks for a file called index.html. If it is not present, OHS will create it using the module mod_autoindex.

BrowserMatch “Mozilla/2” nokeepalive

OHS can modify the way it talks to different browser types: Here, OHS will inactivate the keepalive feature because Mozilla doesn’t support it.

 Virtual Host  

Virtual hosting is the ability to support multiple web sites from one server:

<VirtualHost  _default_ :4440/>

                   DocumentRoot “$ORACLE_HOME/Apache/Apache/htdocs”

                   ErrorLog $ORACLE_HOME/Apache/Apache/logs/error_log  common

                   Port 44401

                   …….

</VirtualHost> 

Top of the document 

Managing The Oracle Web Cache 

The OracleAS 10g Web Cache sits between the user and the application server: when a user requests a page, the Web Cache verifies the the page is still valide and, if so, returns the page from the cache. If the page has expired or marked stale, the Web Cache will request the page  from the application server, send the page back to the user, and store it in the cache for future use.

The OracleAS Web Cache not only caches static and dynamic content, but also load-balances across multiple application servers.  

To meet different individual needs, Oracle Web cache can be located in the same server as the application server, in a separate server, or in a remote server not directly in front of the OHS/application server. Another key feature of Oracle Web Cache is its ability to load-balance acrsoss multiple application servers, a weighting can be used to cause the Web Cache to favor some application servers over others. 

To know if the page in the cache is fresh or not, Oracle Web Cache uses a number of different methods, from monitoring headers to being told by the application or database that content has changed.  

The two main headers are the Expires and Cache-Control: 

§        Expires: Contains a timestamp for when the page is no longer valid.

§        Cache-Control: Defines in detail which caches can cache the page. “public” means any cache can cache the page, “private” means that only the local cache should cache the page, “no-cache” means that the server must verify if that page is current before the browser can display it, “no-store” tells all caches not to cache the page. 

For caching dynamic content, Oracle provide the invalidation from within the Application mecanism: Oracle provides a toolkit located in $ORACLE_HOME/webcache/toolkit directory that contains a Java JAR file and a couple of PL/SQL procedures that allow you  to integrate Web Cache invalidation of content into your application or database. When the database or the application changes data, it can send a notice to the Web Cache to invalidate content based on that data.  

Another method is to use HTTP invalidation messages, the database or the application can send an HTTP POST request to the Web Cache to tell what URLs are now invalid. The database can contain triggers on key tables that fire during UPDATE, INSERT, and DELET operations to invalidate content based on those tables. 

Oracle Web Cache uses one of two methods to ensure it serves the correct page to the correct requester: cookies and embedded URL parameters. Oracle Web Cache checks the cookie returned with the request or look for a parameter in the request URL to determine whether the page is present in the cache. 

Oracle Web Cache is capable of caching only some parts of the page and serving them as required, each separate element will have its own caching rules. For example the weather section my be valid for only 4 hours, while the stock section is updated every 15 minutes. 

Managing the Oracle Web Cache: 

The Web Cache is started using “opmnctl startall” command: 

$ORACLE_HOME/opmn/bin/opmnctl startall 

You can manage the Web Cache using two methods: webcachectl utility or the Web Cache Manager web site. 

1.Web Cache Manager web site:  

 To log on , direct your browser to port 4000: http://itsys:4000/webcacheadmin.

 Enter the user ias_admin and the password. 

2.webcachectl Utility: This utility is used to control the three processes that make up the Web Cache: The admin server process, which is the interface for Web Cache Manager, the cache server process that manage the cache, and the autostart process that restarts Web Cache if it crashes. You can use one of the follwing commands to start Web Cache when located in the same server as OracleAS 10g: 

 onpmctl startproc ias-component=WebCache

 opmnctl startall 

If the Web Cache is installed in a separate server, you will need to use webcachectl utility to start and stop the Web Cache processes: 

 webcachectl start

 webcachectl stop

 webcachectl restart 

To start the admin process 

 webcachectl startadm

 webcachectl stopadm

 webcachectl restartadm

To start the cache process and the autostart process: 

 webcachectl startcache

 webcachectl stopcache

 webcachectl restartcache 

To get the status of the Web Cache processes: 

 webcachectl status 

Top of the document 

J2EE in OracleAS 10g 

Java source code is compiled into a file containing byte-code. The JVM interprets the byte-code into machine code and executes it. This is why the Java code is portable to many differents operating systems.

J2EE consists of a component-based approach to designing, developing, assembling, and deploying an enterprise application. J2EE technologies is divided into three tiers: the client tier, the web tier, and the business tier: 

§        Client Tier: Consists of either an application using JavaBeans or the user’s browser.

§        Web Tier: Consists of an HTTP server providing static and dynamic HTML pages, Java Server Pages, and servlets.

§        Business Tier: This is the component that executes the business logic within EJBs. 

J2EE is a set of Java technologies designed to assist in the implementation of large, distributed , multitiered applications from the client back to the database connection. J2EE includes a wide range of components that supports security messaging, transactional integrity, sending e-mail, and processing XML: 

§        JDBC is a set of API that define methods for connecting and accessing a database within the Java language. The JDBC API allows complete access to the database, including data definition and data manipulation. New versions supports Bulk inserts, bind variables, and prepare statements.

§        JMS Java Message Service allow J2EE components to create, send, receive, and read messages.

§        JNDI Java Namimg and Directory Interface provides methods for finding objects by using attributes. This is how EJBs and other registered objects are located inside a container. A container can list the EJBs that it holds with JNDI so that other components can locate them.

§        Java Transaction API Used to manage the transaction when the application conduct multiple database operations that are independent.

§        JavaMail API allows the application to send e-mail notifications.

§        Java API for XML Processing Because XML produces “well-formed” text documents, it is used in almost all configuration files and as a great way to pass information between different platforms or systems. J2EE provides native support to both create and read XML documents.

§        JAAS Java Authentication and Authorization Service implements a standard pluggable authentication module (PAM) in Java that extends Java’s security framework in order to support user authorizations using standard authentication providers such as LDAP, JNDI, or the operating system. 

The following are some terms we need to define in this topic: 

§        Applets are small Java programs that are downloaded to the browser and run locally inside the browser’s Java Virtual Machine.

§        Servlets are Java web components that execute on the HTTP server side. They can be called directly from an application, or in an HTTP or JSP document. They are used to produce dynamic data.

§        Java Server Pages are Java web components used to emded Java into an HTML coded page. JSPs can place Java Code directly into the HTML code so that it is compiled and executed when served.

§        JavaBeans is a reusable software component implemented in some type of integrated development environment(IDE) used to create application and build user interfaces. A bean is a chunk of reusable code that is integrated into an application. Any bean that is not entity EJB must use the JDBC API to connect to a database.

§        Enterprise JavaBeans are server-side, reusable components that are used to implement business logic. An enterprise bean must run in a container as an independent subapplication that waits for requests and then answers them. This, a J2EE application can be thought of as a series of subapplications, all running to support the main application. Entity EJBs have built-in connectivity  with the database provided by the container.

§        J2EE Containers Provide the infrastructure for running EJBs. An EJB must be deployed into a container before it can be used. The container starts the EJB when it is accessed and provides all required services the EJB needs. Oracle Container is OC4J.

§        JAR, WAR and EAR files To deploy EJBs and other components in the J2EE application, they must be packaged. All parts of a module are packaged together. This includes JSP files, images, utility classes, and whatever is required to make that component a self contained package. An entire application can be packaged into a JAR file that JVM will execute. Standard JavaBeans and Enterprise JavaBeans are packaged into JAR files. WAR files are JAR files that end in .war and are used to package and deploy web components into web containers. They can contain HTML documents, servlets, JSPs, or applet class file. WAR archives also contain an XML file  called a deployement descriptor that describes the components (web.xml). An EAR file is an enterprise archive used to package modules of a J2EE application. An EAR file is a JAR file that ends in .ear and can contain JAR, WAR files, and  an application descriptor  (application.xml). To create these files manually, you use the packager tool called jar:

                               jar –cvf test1.jar

                               jar –cvf test1.war 

Enterprise JavaBeans 

EJBs contain the business logic of the application . Applications find EJBs by using JNDI service and interact with them through the conatiner. By encapsulating business logic inside EJBs, you can distribute the application across different servers or have multiple copies of an EJB on different servers to load-balance the application.

There are three types of Enterprise JavaBeans: 

§        Session EJBs can be used to interact with a customer database to include executing dynamic or static SQL, or stored Java, or PL/SQL procedures or functions. The state of a bean is defined as the variable values it holds. A stateless session EJB implements business logic and doesn’t maintain a state between calls. A statefull session EJB maintains a state between method calls. Methods can be used to change its state, and the new state will be maintained until it is changed again or it is removed from the container. A statefull bean can support only one client, while a stateless bean can support multiple clients one at a time.

§         Entity EJBs represent business data rather than business logic  An entity EJB represents data in a database, such as customer invoice, and can be shared by many clients and has a unique identifier called a primary key.  They connect to a database through the container which implements all the database connectivity. They come in two flavors: Container managed persistance (CMP) and bean managed. CMP forces the container to handle the task of reading and writing objects attributes back and fourth to the database. Bean Managed, require that the developer handle the task of persisting object attributes to the database and then loading them back into the EJB when it is instantiated. This means writing all the SQL required via JDBC.

§        Message-Driven EJBs process JMS messages asynchronously. They have no interfaces that clients can call directly. 

OC4J Oracle Container for J2EE. 

OC4J provides all the services an EJB needs to interact with other EJBs, the client application and the server resources. When an EJB is accessed, the container is responsible for starting the EJB and managing the execution of the request (instatiate a bean, select one from a pool  of instatiated beans, or use an EJB already running). The Container maintains transactions, security, and persistence of the EJB. It may handles the database connectivity of the entity bean, or the entity bean may connect to the database using JDBC. 

OC4J is also a container for servlets, it implements a servlet container to execute servlets. The module mod_oc4j on the Oracle HTTP server is the default method for communicating with OC4J to handle servlets and JSPs. Mod_oc4j uses Apache Jserv Protocl or HTTP request  to communicate with OC4J. When deployed as a WAR file, the servlet container is responsible for executing the servlets contained in the WAR file, which includes uncompressing the file and installing the servlet.

The servlet running inside the OC4J servlet container has access to the full array of J2EE APIs, including database connectivity and EJBs running in the OC4J container. The OC4J servlet container looks in the $ORACLE_HOME/j2ee/home/default-web-apps/WEB-INF/classes directory for servlet calss files. 

JSP are web component handled by mod_oc4j, the JSP container is itself a servlet running in the servlet container. JSP code is compiled into class files for execution like a servlet. 

Deploying Applications using Enterprise Manager. 

An entire application can be packaged into one EAR archive that contains all of the JAR, WAR, and other files. Deploying The EAR archive to the application server 10g requires that number of support files be updated 

Let’s deploy the test.ear into OC4J_test container using Oracle  Enterprise Manager: 

1.Start Enterprise Manager using the command-line: emctl start em

2.Navigate to the instance where the application will be deployed and select the J2EE application Link: This will display a list of current applications installed on all OC4J instances.

3.From the status page, select the OC4J_test link. It lists the current EAR files deployed inside this container.

4.Select the deploy EAR files button located in the application section.

5.The deploy Application Wizard starts: Specify the location of the EAR file (testejb.ear), the application’s name (test) and the parent application to default. Select Continue button.

6.The Web component testWAR contained in the testejb.ear file should be mapped to a URL so the browser can access it from OHS. Enter /test this will map the application to http:/localhost:port/test. Select Next

7.The resource reference mappings page let you map a resource reference to an entity such as a data source. Select Next will take to the review page.

8.Select the deploy button will begin the process of deploying the EAR file to the container. 

Top of the document 

Management of OC4J (Oracle Container for J2EE) 

OC4J is the heart of OracleAS 10g and has the following responsabilities: 

§        Hosts customer-developed enterprise applications.

§        Runs Portals, Delegated Administrative Services (DAS), and other components in Business Intelligence.

§        Handles application loading using clustering.

§        Provides a servlet container and a JSP translator.

§        Provides all the required J2EE standard interfaces: support for Enterprise JavaBeans, including standard deployment of EAR and WAR archives.

§        Provides EJB services, including database access, transaction support, security, caching, and concurrency.

§        Provides CMP (container managed persistence) to access persistent storage (databases) through the container without directly coding the JDBC API. This is achieved by the ability to transparently map an entity EJB to the database. 

There are many configuration files used to manage OC4J such as application.xml and web.xml. You should always use Enterprise Manger or dcmctl utility to configure OC4J parameters.  

If you manually update OC4J configuration files, you should update the configuration stored in the infrastructure using the following command: 

                                      dcmctl  -updateConfig –ct oc4j 

OC4J configuration files are grouped into three catgories: 

Serevr Configuration files: 

server.xml

Used to configure OC4J, and identify other configuration files and application names

default-web-site.xml

Used to define web site properties.

http-web-site.xml

Used when OC4J is not part of the application server

application.xml

Defines web and EJB default parameters for components within a J2EE application

J2EE package files: 

server.xml

Used to configure OC4J, and identify other configuration files and application names.

web.xml

Deployment descriptors for JSPs and servlets.

ejb-jar.xml

Deployment descriptors for EJBs within a JAR

application-client.xml

Contains JNDI information

 OC4J deployment files 

orion-web.xml

Deployment descriptors for mapping web settings.

Orion-ejb-web.xml

OC4J-specific deployment descriptor for EJBs in a JAR

orion-application.xml

Configure default application parameters such as data sources, security role mapping and JNDI access rules.

 Managing OC4J using dcmctl/opmnctl 

The recommended way to start and stop OC4J instances is with the opmctl utility:             opmnctl startall 

The dcmctl utility manages only the OHS/OC4J portion of the instance. The following is a list of examples using dcmctl utility: 

dcmctl start –i  test.apptest.localhost.com

Starts the test instance

dcmctl stop –co OC4J_test

Stops the OC4J _test container.

dcmctl updateconfig

Update the repository after manual change in a configuration file.

dcmctl listcomponenttypes

Lists the component types contained in an instance.

dcmctl createcomponent –ct OC4J –co OC4J_test

Create the test OC4J container component.

dcmctl removecomponent –co OC4J_test

Remove the OC4J_test container. All the web and EJBs components contained are also removed.

dcmctl listapplications –co OC4J_test

Lists currently installed applications.

dcmctl deployapplication –file test.ear –a test –co OC4J_test

Deploy the test application.

dcmctl saveInstance –dir /tmp

Saves the instance configuration and any application contained in the instance, including clustering information.

  Managing OC4J using Enterprise Manager 

To create an OC4J instance, use the following procedure: 

§        Log onto EM, select the link for the instance you are working on, go the instance status page.

§        In the system components. Select the link create OC4J instance, this will start the wizard, enter a name (OC4J_test) and select create.

§        The container just created is not running, select the container’s radio button then select start.

§        The container just started doesn’t have components depolyed, except for transtrace which is an EJB that interfaces with opmn to provide status and performance statistics. 

The OC4J home page has an administration section where you will find almost all the OC4J configuration parameters: 

§        Server Properties Page defines the properties of the OC4J container: Server Root, Configuration file, default application name, default application Path, etc. The application Directory field specifies the location of the .ear components while the deployment Directory contains all the deployment descriptor files. You can increase the number of processes to add fault tolerance to the OC4J container

§        Website Properties Page Correlates directly to the application/URL mapping in the Website Properties page for the container (default-web-site.xml, global-web-application.xml).

§        JSP Configuration Page Contains parameters that apply to all JSPs executed in this container (global-web-application.xml).

§        Advanced Properties allows direct editing of the configuration files within EM (global-web-application.xml, jms.xml, server.xml, rmi.xml, default-web-site.xml)

§        Data Sources can be defined at the application level to support a specific application or at the container level, available to any application running in that container. The EAR file contains also a data-source.xml file that defines the required data sources. Here you can define a new data source using create or create like buttons.

§        Security defines security through Users, Groups, and Roles (jazn-xml, jazn-data.xml).

§        JMS Providers Allows to define or remove Java Message Service provider. You can also implement third-party JMS support.

§        Global Web Module defines and configures parameters that apply ao all web applications, for example how the web component will handle certain types of files (global-web-application.xml, orion-web.xml).

Top of the document 

Database connections and TopLink 

The J2EE sepcification provides several methods to directly or indirectly connect an application  to a database: JDBC or using entity Enterprise JavaBean (EJB). EJBs can manage the database interactions using JDBC (bean managed persistence), or allow the container to manage the database interactions (container managed persistence).  

§        Bean Managed Persistence (BMP): EJB uses JDBC to connect directly to the database, generates dynamic SQl or SQLJ to interact with the database, and is responsible that the database is updated.

§        Container Managed Persistence(CMP): The container generates the required code to access the database identified by the data source and responsible for managing the storage and retrieval of data from the database. If the database is changed from Oracle to DB2, the container will generate code needed to access the DB2 database when the EJB is deployed. 

Java Database Connectivity (JDBC) 

Oracle provides a set of Java class files for implementing the JDBC specification with almost all their product (database, Application server, Jdeveloper). Newer versions of JDBC driver supports advanced capabilities such as connection pooling and transaction failover. The JDBC drivers are located in $ORACLE_HOME/jdbc/lib directory, they must be specified in the CLASSPATH or packaged with the Java application. 

Oracle provides three JDBC drivers for accessing Oracle Database: 

§        Thin driver is a pure Java Driver that can connect locally or across the network to an Oracle database without installing the Oracle client. This driver can be used with applets downloaded from the internet to connect back to the database.

§        OCI Driver uses the Oracle Client to connect to a database and cannot be used in all situations, such as with a program downloaded across the internet.

§        Server-Side driver Used to connect Java programs running on the database server or in the database itself. This driver allow access also to remote databases. 

Java Naming and Directory Interface (JNDI)

JNDI is an API that provides a method of defining parameters and allows other elements to find and use them. It is used by the EJB to locate other EJBs or data sources. JNDI can be used to find users, computers on a network, objects and services.

When OC4J container starts, it creates JNDI context for each application deployed in it by reading configurations files. Once the application is started, it can look up other components using the container’s JNDI context to locate other objects. 

Data Sources and OC4J 

There are three ways to create a data source: using a OracleDataSource object, adding the definition to the datasource.xml file, and using the Enterprise Manager web site. 

§        OracleDataSource: the programmatic method creates an OracleDataSource object and bind it to a JNDI context object.

§        Datasource.xml file is located in $ORACLE_HOME/j2ee/OC4J_test/config/data-sources.xml

§        EM by opening the OC4J container page, select the Data Sources link under Application Defaults. 

The data-source.xml file sould be deployed with the application when it is deployed into the OC4J container as part of the EAR file. 

OracleAS TopLink10g 

TopLink allows you to quickly generate the relationship between the relational data in a database and a Java object. TopLink supports Java Objects and EJB entity beans with both CMP and BMP.

The mapping Workbench is the graphical interface used to connect to the database, create or update the schema, or generate the schema DDL. Toplink can automatically generate an object model from the database schema, a database schema from an object model. 

To start TopLink, use the following command:                   $ORACLE_HOME/toplink/workbench/workbench.sh 

Top of the document 

OracleAS 10g security 

The application has to ensure that only authorized users gain access and that the application only returns information that the user has privileges to see. OracleAS 10g implements security features in each component, from the Web Cache to the back-end database. If the user has to access a suite of applications, the first application can return an identity object(cookie) that is validated once. Then as the user moves from application to application, the cookie acts as his identity. This is the basis of Oracle’s Single Sign-On: a user signs once and is automatically validated as he moves from applocation to application.

Most OracleAS 10g components are tied to Oracle Internet Directory services (OID), except Oracle Web Cache. 

Web Cache 

When the application server serves a page containig personnal content, Web Cache stores the content and the cookie/URL parameter with the content and will only reserve that content to a request that returns the cookie/URL parameter. If the user’s browser does not accept or return the cookie, Web Cache will submit the request to the origin server because it can’t identify the requester. 

Oracle HTTP server 

OHS main function is to serve static content. OHS performs basic rule-based authentication to determine what content to serve. These rules are defined in the Directory Container sections of the httpd.conf file or .htaccess files. OHS uses the HTTP header information sent with the request to determine whether the requester has access to the static information, and either serves the content or returns an error message. If the request is for dynamic content, OHS passes the request to one of its modules for processing (mod_oc4j if the request is a JSP, servlet, or J2EE application).

OHS ensures the security of exchanged data through its implementation of Secure Sockets Layer (SSL) and Public Key Infrastructure (PKI). An SSL port is defined the ssl.conf file, to use the secure connection, you should log on to the server using the following URL: https://localhost/4446 

The SSL implementation in the user’s browser interacts with SSL in OHS to provide a secure connection. The two SSL implementations negotiate the encryption scheme used to encrypt  connection. Most SSL implemntations uses PKI to securly exchange a single encryption key and then encrypt/decrypt all data using single key. These keys are only valid for a session, and each session generates different keys. Since the keys are constantly changing, any given key will have changed long before someone could break the encryption.

OracleAS 10g SSL virtual host is configured in ssl.conf file, which contain directives to create the virtual host and all the default directives for any other virtual host that implements SSL. 

Oracle Container For Java 

OC4J implements two J2EE JAAS API (Java Authentication and Authorization Service) to facilitate security within the J2EE application: JAZN-LDAP and JAZN-XML.  

§        JAZN-LDAP is an implmentation of the JAAS API that retrieves user and authorization information securely from Oracle Internet Directory. It’s useful for application that have a large user community, for which scalability is a strong requirement.

§        JAZN-XML is a fast, lightweight implementation of the JAAS API that is based on XML as an encoding mechanism. It allows Java developers to retrieve user and role information securely from operating system-files. 

Authentication establishes a network entity’s identity. Entities (users or applications) are asked for password, which the application verifies against a user directory. Once the entity authenticated, it is granted a role or roles that allow it to access the necessary parts of the application. These authorizations can be cenrally managed in OID or in XML. With delegation, an EJB runs with the privileges of a certain user, this is usefull because you don’t give direct access to some components of your Application Server, for example, if the servlets needs information from OID, send the request to DAS instead of OID. 

Oracle Identity Management 

OracleAS 10g infrastructure provides a single location for the complete management of users and network entities. You use a single location for modifying application and system privileges to include account creation and suspension, privilege modification, and attribute management.

The main components of Identity Management are OID (Oracle Internet Directory) and SSO (Single Sign-On): 

Oracle Internet Directory is the repository for usernames and passwords. It is a complete directory service based on the lightweight Directory Access Protocol (LDAP), which is an efficient method of storing and retrieving all types of lookup data, even PKI keys. OracleAS 10g infrastructure instance contains an instance of an OID application, which listens for directory requests. The OID application handles the security requirements, while the repository database handles the information storage. OID uses SSL to ensure that data is not modified or intercepted during transmission. An example, Oracle Net Services can access OID to resolve database services. OID is maintained using a Java-based GUI called oidadmin, when started it will ask you to connect to a server (server=localhost,username=orcladmin, password of ias_admin, port=389). 

 Delegated Administration Services (DAS) is a set of utilities that act as intermediaries to the information in OID. Each application server component will actually request directory information from DAS, which will then retrieve the information from OID. An example of a DAS is the password verifier. One advantage of using DAS is increased security access to OID. The user access a servlet or application to get results, if the application or servlets needs information from OID, it will send the request to DAS, which will in turn retrieve the required informationfrom OID and return it. This adds a layer to the process , but it ensures that a malicious user never access OID directly. 

Oracle Internet Directory Self Service Console is a web-based tool oiddas is part of DAS and is much easier to use when managing a user. To access OID Self Service Console (SSC), use the following URL: http://localhost:7777/oiddas/ , to log on select the login link, the administrator username is orcladmin, the password is the ias_admin password. 

Single Sign-On allows users to provide their credentials once and then automatically authenticates them as they switch between applications. The first time users enter their username/password, SSO creates an encrypted cookie that contains the identity information. This cokkie has a timestamp and is only valid during that time. When the users are log out of SSO, SSO will log them out of all SSO partner applications. If the user log off without logging out of SSO, when she returns, the cookie will be invalid. OHS uses a module called mod_osso to handle SSO actions, this module is used to integrate SSO transparently into an application, accepting requests for authentication and providing the appropriate header parameters. SSO is an application that runs in the infrastructure tier, handling authentication for both partner and external applications. Partner application runs in OracleAS 10g and implements SSO to authenticate a user through mod_osso (an example of partner application is portal). External applications doesn’t implement SSO for user authentication and in fact may not even run on the application server. To administer SSO, start the OID using the following command, and log on as cn=orcladmin:               $ORACLE_HOME/bin/oidamin 

Top of the document

References
Oracle Application server 10g Administration Handbook (Oracle Press by John Garmany and Donald K.Burleson)
Oracle Database 10g Installation Guide for UNIX Systems
Oracle Database 10g Release 1 (10.1) Documentation

[i] Copyright Notice
This article may not be published, sold, reproduced or copied in whole or in part without obtaining permission from Itsys Consulting. But you are welcome to put links from your site to the article.
The information provided in this article shows how to install, configure and administer Oracle products and Legato Networker. Every effort has been made to provide the information as accurate as possible, but no warranty or fitness is implied. The use of this information described herein is your responsibility, and to use it in your own environments do so at your own risk.
Comments?