DMZ Advanced Architectures


Transcript of DMZ Advanced Architectures

  • 8/8/2019 DMZ Advanced Architectures

    Slide 1

    This presentation is for informational purposes only and may not be incorporated into a contract or agreement.

  • Slide 2

    The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

  • Slides 3-4

    Steven Chan

    Director, Applications Technology Group

  • Slide 5

    Advanced Architectures: Oracle E-Business Suite Release 11i

    May 2006

  • Slide 6

    Architectural Goals

    A. Ensure maximum security

    B. Ensure maximum performance & scalability

    C. Ensure business continuity

    D. Provide extra services to end-users

    E. Integrate with other applications

  • Slide 7

    Selected E-Business Suite References (Metalink Notes)

    340178.1  OracleAS 10g + SSL

    305918.1  Portal 10g

    313418.1  Discoverer 10g

    306653.1  WebCache

    217368.1  Load-Balancing

    233436.1  OracleAS 10g Integration (SSO, OID)

    312731.1  10g RAC + ASM

    216212.1  Business Continuity

    123718.1  SSL

    287176.1  Demilitarized Zones

  • Slide 8

    Bringing It Together

    Challenges for System Architects:

    Few resources for quick overviews of options

    Each of these Notes is fine in isolation, but it's often difficult to get the bigger picture

    The Oracle technology portfolio continues to grow rapidly

  • Slides 9-10

    E-Business Suite Basic Concepts

  • Slide 11

    Automated Technical Configuration (AutoConfig)

    Manual steps to configure the technology stack are error prone

    AutoConfig populates configuration file templates with values you give in Rapid Install

    Subsequent patches can update configuration without manual steps

    AutoConfig is required for 11.5.8 and later maintenance packs, for migration to iAS 1.0.2.2, and increasingly for new features in the E-Business Suite

    References: Note 165195.1

  • Slide 12

    (Diagram: AutoConfig flow. Rapid Install writes config.txt; from it the Applications Context File (.xml) is created, and it can be edited with the OAM Context Editor. AutoConfig applies the context values to the Applications Configuration Templates to produce the generated configuration files (jserv.properties, appsweb.cfg, httpd.conf) and the generated database updates (APPS_WEB_AGENT, ICX_FORMS_LAUNCHER, TCF:HOST, TCF:PORT).)

    References: Note 165195.1
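A toy model of the AutoConfig flow on slides 11-12, added here as an example and not taken from Oracle's AutoConfig: values from an Applications Context File are substituted into a configuration template, and a template with an unresolved token is rejected rather than written out half-filled. The oa_var attribute, the %s_name% token syntax, the variable names and both sample documents are assumptions for illustration.

```python
"""Toy model of the AutoConfig flow: context file values -> templates.
Added example, not Oracle's AutoConfig code. The oa_var attribute, the
%s_name% token syntax, the variable names and both sample documents
below are assumed for illustration."""
import re
import xml.etree.ElementTree as ET

# Constructed sample context file (a real one has hundreds of variables).
SAMPLE_CONTEXT_XML = """<?xml version="1.0"?>
<oa_context>
  <oa_host>
    <hostname oa_var="s_hostname">ebs</hostname>
    <domainname oa_var="s_domainname">acme.com</domainname>
  </oa_host>
  <oa_web>
    <webport oa_var="s_webport">8000</webport>
    <webhost oa_var="s_webhost">ebs.acme.com</webhost>
  </oa_web>
</oa_context>
"""

# Constructed template fragment in the style of an httpd.conf template.
SAMPLE_TEMPLATE = """Listen %s_webport%
ServerName %s_hostname%.%s_domainname%
"""

TOKEN = re.compile(r"%([A-Za-z0-9_]+)%")


def load_context(xml_text):
    """Map every element carrying an oa_var attribute to its text value."""
    root = ET.fromstring(xml_text)
    return {el.get("oa_var"): (el.text or "").strip()
            for el in root.iter() if el.get("oa_var")}


def unresolved_tokens(template, ctx):
    """Tokens used by the template that the context file does not define."""
    return sorted({m.group(1) for m in TOKEN.finditer(template)} - ctx.keys())


def render(template, ctx):
    """Substitute %s_var% tokens. Fails closed: an unknown token is an
    error, not a config file with a literal '%s_var%' left inside it."""
    missing = unresolved_tokens(template, ctx)
    if missing:
        raise KeyError(f"unresolved AutoConfig tokens: {missing}")
    return TOKEN.sub(lambda m: ctx[m.group(1)], template)


if __name__ == "__main__":
    print(render(SAMPLE_TEMPLATE, load_context(SAMPLE_CONTEXT_XML)))
```

The fail-closed check in render is the point: a generated httpd.conf that still contains a placeholder is a broken listener or a mis-bound port, which is exactly the class of manual-configuration error the slide says AutoConfig exists to remove.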

  • Slide 13

    Advanced Configuration Wizards

  • Slide 14

    Architectural Goals (section divider; this section covers A. Ensure maximum security)

  • Slide 15

    Demilitarized Zone (DMZ)

    Perimeter network: portions of a corporate network between the corporate intranet and external networks

    Single or multi-segment

    DMZ-based servers have restricted responsibilities

    Security breaches remain contained within the DMZ

    (Diagram: an attack from outside reaches the DMZ but not the Protected Zone)

    References: Note 287176.1

  • Slide 16

    Configuration A.1 (Not Recommended!)

    (Diagram: User → Internet → Firewall → 9iAS 1.0.2 server (ebs.acme.com) and Release 11i Database on the same internal network)

    Disadvantages: No DMZ

    References: Note 287176.1

  • Slide 17

    Configuration A.2

    (Diagram: External users → Internet → Firewall → External 9iAS 1.0.2 Server (partners.acme.com) in the DMZ → Firewall → Release 11i Database; Internal users → Internal 9iAS 1.0.2 Server (staff.acme.com) on the intranet, alongside the database)

    Risk: Internal users can attack the database

    References: Note 287176.1

  • Slide 18

    Configuration A.3

    (Diagram: External users → Internet → Firewall → External 9iAS 1.0.2 Server (partners.acme.com) in DMZ 1; Internal users → Internal 9iAS 1.0.2 Server (staff.acme.com) in DMZ 2; both web tiers → Firewall → Release 11i Database)

    References: Note 287176.1

  • Slide 19

    Reverse Proxy Server

    An intermediate server between a client and a web server

    Makes requests to the web server on behalf of the client

    Allows use of standard ports (80, 443) on the external side; higher ports internally

    Filters requests to the web server via rules

    Optionally allows for content caching

    Oracle HTTP Server, WebCache, Apache, other reverse proxy products

    (Diagram: External Users → Reverse Proxy → 9iAS 1.0.2 Server)

    References: Note 287176.1
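The two reverse-proxy properties the slide lists, standard ports outside with high ports inside and request filtering by rule, as an added example in Python rather than Oracle HTTP Server or Web Cache configuration. It also handles the failure mode a practitioner cares about: path-normalisation tricks (dot segments, encoded dots, doubled slashes) that would slip an unlisted URL past a prefix match. The allow-listed prefixes, the internal hostname, the port and the AppsLocalLogin path are assumptions, not taken from the deck.

```python
"""Request-filter decision for a DMZ reverse proxy in front of an EBS
web node. Added example, not Oracle HTTP Server / Web Cache config; the
allow-list, internal origin and ports are assumptions."""
from posixpath import normpath
from urllib.parse import unquote, urlsplit, urlunsplit

# Assumed: the internal web node listens on a high port behind the proxy.
INTERNAL_ORIGIN = ("ebs-ext.dmz.acme.com", 8000)   # constructed hostname, port
# Assumed allow-list of URL prefixes exposed to external users; all else denied.
ALLOWED_PREFIXES = ("/OA_HTML/", "/oa_servlets/", "/OA_MEDIA/")
ALLOWED_METHODS = ("GET", "HEAD", "POST")


def filter_request(method, url):
    """Return (forward, detail). When forward is True, detail is the
    rewritten internal URL; otherwise it is the reason for the refusal."""
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.port not in (None, 443):
        return False, "external side accepts only https on 443"
    # Decode once, then canonicalise. A path that changes under
    # canonicalisation is refused outright: the proxy never forwards a
    # URL whose meaning depends on how the backend resolves '.' or '..'.
    path = unquote(parts.path)
    canon = normpath(path)
    if path.endswith("/") and len(path) > 1:
        canon += "/"                      # normpath strips trailing slashes
    if canon != path or "\\" in path or "%" in parts.path.replace("%2", "").replace("%3", ""):
        pass  # fallthrough to explicit checks below
    if "\\" in path:
        return False, "backslash in path rejected"
    if canon != path:
        return False, "non-canonical path rejected"
    if not canon.startswith(ALLOWED_PREFIXES):
        return False, "path not on the external allow-list"
    host, port = INTERNAL_ORIGIN
    return True, urlunsplit(("http", f"{host}:{port}", canon, parts.query, ""))


if __name__ == "__main__":
    for m, u in [("GET", "https://ebs.acme.com/OA_HTML/AppsLocalLogin.jsp?lang=US"),
                 ("GET", "https://ebs.acme.com/OA_HTML/../servlet/admin"),
                 ("GET", "https://ebs.acme.com/OA_HTML/%2e%2e/servlet/admin"),
                 ("TRACE", "https://ebs.acme.com/OA_HTML/AppsLocalLogin.jsp")]:
        print(m, u, "->", filter_request(m, u))
```

Rejecting a non-canonical path, rather than normalising it and then matching, is the safer choice for a perimeter device: the proxy and the backend need not agree on every decoding corner case, because anything ambiguous is dropped before it crosses the inner firewall.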

  • Slide 20

    Configuration A.4

    (Diagram: External users → Internet → Firewall → Reverse Proxy (DMZ 1) → Firewall → External 9iAS 1.0.2 Server (DMZ 2); Internal users → Internal 9iAS 1.0.2 Server (DMZ 3); both web tiers → Firewall → Release 11i Database)

    References: Note 287176.1
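The progression from Configuration A.1 to A.4 is really a containment argument, which the following added example makes checkable. It is not Oracle's or any firewall vendor's tooling: the zone names, ports and permitted-flow tables are my encoding of the four diagrams. Each zone-to-zone crossing models an attacker compromising a host in one segment and pivoting to the next, so the crossing count is how deep a breach must reach before the database listener is exposed, and the review function reports the slides' own objections (no DMZ; internal users able to attack the database; no reverse-proxy tier).

```python
"""Reachability review of the Configuration A.1-A.4 layouts. Added
example, not Oracle's or a firewall vendor's code; zone names, ports
and rule tables are assumed encodings of the slide diagrams."""
from collections import deque, namedtuple

Layout = namedtuple("Layout", "name rules db_zone")
DB_PORT, HTTPS, HTTP_HIGH = 1521, 443, 8000      # assumed listener/web ports

# Permitted flows (source zone, destination zone, port); everything else denied.
A1 = Layout("A.1 no DMZ",
            {("internet", "intranet", HTTPS),
             ("intranet", "intranet", DB_PORT)}, db_zone="intranet")
A2 = Layout("A.2 single DMZ, internal web node and database on the intranet",
            {("internet", "dmz", HTTPS),
             ("dmz", "intranet", DB_PORT),
             ("intranet", "intranet", DB_PORT)}, db_zone="intranet")
A3 = Layout("A.3 two DMZs, database in its own zone",
            {("internet", "dmz1", HTTPS), ("dmz1", "db", DB_PORT),
             ("intranet", "dmz2", HTTP_HIGH), ("dmz2", "db", DB_PORT)},
            db_zone="db")
A4 = Layout("A.4 reverse proxy in front of the external web node",
            {("internet", "dmz1", HTTPS), ("dmz1", "dmz2", HTTP_HIGH),
             ("dmz2", "db", DB_PORT),
             ("intranet", "dmz3", HTTP_HIGH), ("dmz3", "db", DB_PORT)},
            db_zone="db")


def direct(rules, src):
    """Zones a host in `src` can connect to: its own segment (there is no
    firewall inside a zone) plus every explicitly permitted destination."""
    return {src} | {dst for s, dst, _ in rules if s == src}


def crossings(rules, src, dst):
    """Fewest firewall crossings from src to dst, or None if unreachable."""
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        zone, n = queue.popleft()
        if zone == dst:
            return n
        for nxt in sorted(direct(rules, zone) - seen):
            seen.add(nxt)
            queue.append((nxt, n + 1))
    return None


def review(layout):
    """Findings a reviewer would raise for the layout, in a fixed order."""
    findings = []
    if layout.db_zone in direct(layout.rules, "internet"):
        findings.append("database tier directly reachable from the Internet")
    if layout.db_zone in direct(layout.rules, "intranet"):
        findings.append("internal users can open connections to the database listener")
    n = crossings(layout.rules, "internet", layout.db_zone)
    if n is not None and n < 3:
        findings.append(f"only {n} firewall crossing(s) from the Internet to the database; "
                        "no reverse-proxy tier in front of the web node")
    return findings


if __name__ == "__main__":
    for layout in (A1, A2, A3, A4):
        print(layout.name, "->", review(layout) or ["no findings"])
```

The same table-driven check is the thing to keep under version control next to the real firewall rule base: when someone later adds an "intranet → db 1521" rule for a reporting tool, the review regresses to the A.2 finding instead of silently eroding the design.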

  • Slide 21

    Oracle Application Server 10g Integration for Single Sign-On

    By default, E-Business Suite has its own login (AppsLocalLogin) and its own user directory (FND_USER)

    E-Business Suite may be optionally integrated with OracleAS 10g

    Login is delegated to Single Sign-On 10g

    User management is delegated to Oracle Internet Directory 10g

    (Diagram: OracleAS 10g Components → Single Sign-On & Oracle Internet Directory Server → OracleAS 10g Infrastructure Database)

    References: Note 233436.1, 261914.1

  • Slide 22

    Configuration A.5

    (Diagram: External users → Internet → Router → Firewall → DMZ containing the OracleAS 10g Server (Single Sign-On, Oracle Internet Directory) and the E-Business Suite 11i Application Server (Oracle9i Application Server 1.0.2.2.2) → Firewall → Intranet with the Release 11i Database; Internal users on the intranet)

    References: Note 233436.1, 261914.1

  • Slide 23

    11i Integration with OracleAS 10g

    The Release 11i instance runs Oracle9i Application Server 1.0.2.2.2

    11i is integrated with a stand-alone Oracle Application Server 10g instance

    The existing Release 11i application-tier server nodes continue to run on Oracle9i Application Server 1.0.2.2.2

    References: Note 233436.1, 261914.1

  • Slide 24

    Configuration A.6

    (Diagram: External users → Internet → Firewall → Reverse Proxy → Firewall → Single Sign-On 10g and External 9iAS 1.0.2 Server → Firewall → Release 11i Database, OracleAS 10g Infrastructure Database and Oracle Internet Directory Server 10g; Internal users → Portal 10g, Internal 9iAS 1.0.2 Server, Discoverer 10g)

    References: Note 233436.1, 261914.1

  • Slide 25

    Tips

    Monitor the Oracle Security Technology Center: www.oracle.com/technology/deploy/security

    Apply quarterly Critical Patch Updates

    Read Best Practices for Securing Oracle E-Business Suite (MetaLink Note 189367.1)

    Work with stakeholders and executive sponsors to prioritize security objectives

  • Slide 26

    Architectural Goals (section divider; this section covers B. Ensure maximum performance & scalability)

  • Slide 27

    Load-Balancers

    Distribute requests from clients to multiple nodes

    Types discussed here: DNS-based; HTTP Layer

    Supported but not discussed here: Apache JServ Layer; Forms Metric Server; Concurrent Processing Layer; Database Layer

    (Diagram: User1, User2, User3 → Node1, Node2, Node3)

    References: Note 217368.1

  • Slide 28

    High Availability Terminology

    Active-Active: used for balancing load & improving scalability (Diagram: client requests spread across Node 1 (Active) and Node 2 (Active))

    Active-Passive: used for business continuity (Diagram: client requests go to Node 1 (Active); Node 2 (Passive) takes over on failover)

  • Slide 29

    DNS-Based Load Balancing Router

    Users query the DNS LBR for the IP address of a URL, then cache that address for future queries

    The DNS LBR supplies different IP addresses to different users depending on the load of a given node

    Vendor-dependent: may use heartbeat checks against nodes and sophisticated algorithms for load-balancing

    (Diagram: User → DNS LBR. Q: IP for ebs.acme.com? A: 10.10.10.10. Nodes: 10.10.10.10, 10.10.10.20, 10.10.10.30)

    References: Note 217368.1

  • Slide 31

    HTTP Layer Load-Balancing

    Users navigate to the Web Entry Point

    The HTTP Layer LBR routes all subsequent traffic for a specific user to a specific Web Node

    The LBR must support persistent session connections (cookie-based or IP-based stickiness)

    LBRs may use heartbeat checks for node death detection & restart, and sophisticated algorithms for load-balancing

    (Diagram: User → HTTP Layer LBR → Web Node 1, Web Node 2, Web Node 3)

    References: Note 217368.1
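Cookie-based stickiness with heartbeat-driven re-routing, as an added example rather than any particular LBR product. It goes one step beyond the slide's requirement: the stickiness cookie carries an HMAC-tagged node id instead of an internal address, so a client can neither steer itself to a chosen node nor learn the DMZ topology from the cookie, and a forged or tampered cookie simply falls back to normal balancing. Node names, the cookie name and the key are assumptions.

```python
"""HTTP-layer LBR with authenticated sticky-session cookies. Added
example, not a product's implementation; node ids, cookie name and key
are constructed."""
import hashlib
import hmac


class HttpLbr:
    COOKIE = "EBS_LBR"          # assumed cookie name

    def __init__(self, nodes, secret):
        self.nodes = list(nodes)                # e.g. ["web1", "web2", "web3"]
        self.alive = {n: True for n in nodes}
        self.sessions = {n: 0 for n in nodes}   # sessions pinned per node
        self.secret = secret

    def heartbeat(self, node, ok):
        self.alive[node] = ok

    def _tag(self, node):
        """Short HMAC over the node id; the client cannot forge a valid tag."""
        return hmac.new(self.secret, node.encode(), hashlib.sha256).hexdigest()[:16]

    def _node_from_cookie(self, value):
        if not value or "." not in value:
            return None
        node, tag = value.split(".", 1)
        if node in self.alive and hmac.compare_digest(tag.encode(), self._tag(node).encode()):
            return node
        return None                              # unknown node or bad tag

    def _pick(self):
        """Least-sessions among live nodes (a simple balancing algorithm)."""
        live = [n for n in self.nodes if self.alive[n]]
        if not live:
            raise RuntimeError("no live web nodes")
        return min(live, key=lambda n: self.sessions[n])

    def route(self, cookies):
        """Return (node, cookies_to_set). A valid cookie naming a live node is
        honoured; otherwise a node is chosen and a fresh cookie is issued."""
        node = self._node_from_cookie(cookies.get(self.COOKIE))
        if node and self.alive[node]:
            return node, {}
        node = self._pick()
        self.sessions[node] += 1
        return node, {self.COOKIE: f"{node}.{self._tag(node)}"}


def demo():
    """Returns the nodes chosen for: a first visit, the sticky revisit, a
    forged cookie, and a revisit after the pinned node failed."""
    lbr = HttpLbr(["web1", "web2", "web3"], secret=b"constructed-lbr-key")
    first, cookie = lbr.route({})
    sticky, _ = lbr.route(cookie)
    forged, _ = lbr.route({HttpLbr.COOKIE: "web3.deadbeefdeadbeef"})
    lbr.heartbeat(first, ok=False)
    after_failure, new_cookie = lbr.route(cookie)
    return first, sticky, forged, after_failure, bool(new_cookie)


if __name__ == "__main__":
    print(demo())
```

Note that re-routing after node death gives the user a new web node but not a new application session: the EBS session state that lived on the failed node is gone, which is why the slide pairs stickiness with node-death detection rather than treating it as transparent failover.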

  • Slide 32

    Configuration B.2

    (Diagram: User → HTTP Layer LBR (ebs.acme.com) → 9iAS 1.0.2 Server 1 and 9iAS 1.0.2 Server 2 → Release 11i Database)

    References: Note 217368.1

  • Slide 33

    Configuration B.3

    (Diagram: External users → Internet → Firewall → Reverse Proxy (DMZ 1) → Firewall → HTTP LBR1 and HTTP LBR2, each front-ending a pair of web nodes (Web Nodes 1-4) across DMZ 2 and DMZ 3, the internal users' traffic entering at DMZ 3 → Firewall → Release 11i Database)

    References: Note 217368.1, 287176.1

  • Slide 34

    Configuration B.4

    (Diagram: as Configuration B.3, with Single Sign-On 10g behind the reverse proxy, and the Oracle Internet Directory Server 10g and OracleAS 10g Infrastructure Database alongside the Release 11i Database behind the innermost firewall; HTTP LBR1 front-ends Web Nodes 1-2 and HTTP LBR2 front-ends Web Nodes 3-4)

    References: Note 233436.1, 261914.1

  • Slide 35

    Real Application Clusters (RAC)

    Allows multiple database servers to access the same data in parallel

    Improves scalability & fault-tolerance

    Supported with 9i & 10gR1 Databases

    Supports Automatic Storage Management (ASM), Cluster Ready Services (CRS), Parallel Concurrent Processing (PCP)

    (Diagram: Application Server → RAC Instance 1 and RAC Instance 2, joined by a Private Interconnect and a Shared Filesystem)

    References: Note 312731.1

  • Slide 36

    Configuration B.5

    (Diagram: as Configuration A.4 (Reverse Proxy in DMZ 1, External 9iAS 1.0.2 Server in DMZ 2, Internal 9iAS 1.0.2 Server in DMZ 3), with the Release 11i database replaced by RAC 1 and RAC 2 on a Shared 11i Filesystem)

    References: Note 287176.1, 312731.1

  • Slide 37

    Configuration B.6

    (Diagram: as Configuration B.3 (Reverse Proxy in DMZ 1; HTTP LBR1 and HTTP LBR2 front-ending Web Nodes 1-4 in DMZ 2 and DMZ 3), with the Release 11i database replaced by RAC 1 and RAC 2 on a Shared 11i Filesystem)

    References: Note 217368.1, 287176.1, 312731.1

  • Slide 38

    Configuration B.7

    (Diagram: as Configuration B.4, with Single Sign-On deployed as SSO Node 1 and SSO Node 2, the Oracle Internet Directory Server 10g and OracleAS 10g Infrastructure Database behind the innermost firewall, and the Release 11i database replaced by RAC 1 and RAC 2 on a Shared 11i Filesystem; HTTP LBR1 front-ends Web Nodes 1-2, HTTP LBR2 front-ends Web Nodes 3-4)

    References: Note 233436.1, 217368.1, 287176.1, 312731.1

  • Slide 39

    OracleAS Web Cache

    Content-aware server accelerator

    Can act as a: reverse-proxy server; web cache; load-balancer with failover detection

    Fully certified with the E-Business Suite

    Caches static & dynamic content, but not user-specific secure content

    (Diagram: User → OracleAS Web Cache → Web Node 1, Web Node 2, Web Node 3)

    References: OracleAS Web Cache Administrator's Guide (10.1.2.0.2), Note 306653.1
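The last bullet is the security boundary of any shared cache in front of an application: one user's authenticated page must never be served to another. The following added example (not Web Cache's own logic or caching rules) shows the decision a practitioner would want such a cache to make from request and response headers, run over constructed sample exchanges that stand in for a static image, a per-user worklist page and a public asset fetched by a logged-in user.

```python
"""Shared-cache admission decision: may a reverse-proxy cache store this
response and serve it to other users? Added example, not OracleAS Web
Cache's rules; the sample exchanges are constructed."""


def cacheable(request_headers, response_headers):
    """Return (ok, reason). Refuses anything that looks user-specific."""
    req = {k.lower(): v for k, v in request_headers.items()}
    res = {k.lower(): v for k, v in response_headers.items()}
    cc = {d.strip().lower() for d in res.get("cache-control", "").split(",") if d.strip()}
    vary = {v.strip().lower() for v in res.get("vary", "").split(",") if v.strip()}
    if "authorization" in req:
        return False, "authenticated request"
    if "set-cookie" in res:
        return False, "response issues a cookie (session state)"
    if cc & {"private", "no-store"}:
        return False, "origin marked the response private/no-store"
    if vary & {"cookie", "authorization", "*"}:
        return False, "response varies per user"
    if "cookie" in req and "public" not in cc:
        # A logged-in user fetched it and the origin did not vouch for it
        # being the same for everyone: treat as user-specific.
        return False, "request carried a cookie and origin did not mark response public"
    return True, "shared-cacheable"


# Constructed sample exchanges (request headers, response headers).
STATIC_IMAGE = ({}, {"Content-Type": "image/gif",
                     "Cache-Control": "max-age=3600"})
WORKLIST_PAGE = ({"Cookie": "JSESSIONID=abc123"},
                 {"Content-Type": "text/html",
                  "Set-Cookie": "JSESSIONID=abc123; Path=/"})
LOGO_FOR_LOGGED_IN_USER = ({"Cookie": "JSESSIONID=abc123"},
                           {"Content-Type": "image/png",
                            "Cache-Control": "public, max-age=600"})
PRIVATE_REPORT = ({}, {"Content-Type": "text/html",
                       "Cache-Control": "private"})
UNMARKED_PAGE_FOR_USER = ({"Cookie": "JSESSIONID=abc123"},
                          {"Content-Type": "text/html"})


def triage(exchanges):
    """Map each named exchange to its admission decision."""
    return {name: cacheable(*ex) for name, ex in exchanges.items()}


if __name__ == "__main__":
    for name, (ok, why) in triage({
            "static image": STATIC_IMAGE, "worklist": WORKLIST_PAGE,
            "logo": LOGO_FOR_LOGGED_IN_USER, "report": PRIVATE_REPORT,
            "unmarked": UNMARKED_PAGE_FOR_USER}).items():
        print(f"{name:13} cache={ok!s:5} {why}")
```

The last rule is the one that costs hit rate and buys safety: a response the origin did not explicitly mark public is refused whenever the request carried a session cookie. Origins that want their static assets cached for logged-in users must say so, which is what the "public" directive in the third sample does.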

  • Slide 40

    OracleAS Clusters

    Clusters of multiple Web Cache instances form a single logical cache

    Cluster members communicate with each other

    Coordinated & distributed content caching

    Coordinated node death detection & failure management

    (Diagram: User → Web Cache 1 and Web Cache 2 → Web Node 1, Web Node 2, Web Node 3)

    References: OracleAS Web Cache Administrator's Guide (10.1.2.0.2), Note 306653.1

  • Slide 41

    Web Cache Efficiency Monitoring (screenshot)

  • Slide 42

    Configuration B.9

    (Diagram: External users → Internet → Firewall → Web Cache instances (DMZ 1) → Firewall → HTTP LBR → Web Nodes 1-4 (DMZ 2, DMZ 3) → Firewall → Release 11i Database)

    References: Note 217368.1, 287176.1, 306653.1

  • Slide 43

    Tips

    Examine cost-effectiveness of SMP vs Linux-based commodity servers on the middle-tier

    Minimize 11i administration overhead via: Oracle Applications Manager; Oracle Enterprise Manager Grid Control; AutoConfig; Shared ORACLE_HOMEs

  • Slide 44

    Architectural Goals (section divider; this section covers C. Ensure business continuity)

  • Slide 45

    Business Continuity

    A.k.a. Disaster Recovery

    Planning for catastrophic site failures

    Not just tape backups: operational failover

    Can also be used for managing planned outages

    Requires decisions about operational priorities (e.g. should all E-Business Suite services be fully operational after a disaster, or just a subset?)

    Potentially expensive, but what are the costs of total system failure?

    References: http://www.oracle.com/technology/deploy/availability/htdocs/maa.htm

  • Slide 46

    Active-Passive Architectures

    (Diagram: Production site in San Francisco (9iAS + Database) and Standby site in Austin, TX (9iAS + Database), with Data & Configuration Synchronization between them)

    Completely standalone, self-contained sites

    Data and configurations synchronized constantly between sites via Oracle Data Guard and physical standby

    References: Note 216212.1

  • Slide 47

    Configuration C.1

    (Diagram: User → DNS LBR → Production site: HTTP LBR 1 → 9iAS Node 1, 9iAS Node 2 → 11i DB; Standby site: HTTP LBR 2 → 9iAS Node 3, 9iAS Node 4 → 11i DB. Traffic is rerouted to the offsite HTTP Layer LBR in the event of a disaster)

    References: Note 217368.1

  • Slide 48

    Supported Architectures

    All standard architectures supported via failover (e.g. RAC, DMZs, load-balancers, OracleAS 10g integration)

    Failover site architectures may be: exact duplicates of production sites; reduced in scale (e.g. fewer web nodes); reduced in scope (e.g. support internal employees but not external users)

  • Slide 49

    Not a Weekend Project

    1. Work closely with users, stakeholders, executive sponsors

    2. Prioritize disaster recovery needs carefully

    3. Research options, check references

    4. Work with platform hardware vendors, experienced consultants and partners

    5. Deploy proof-of-concept testbeds

    6. Test thoroughly

  • Slide 50

    Architectural Goals (section divider; this section covers D. Provide extra services to end-users)

  • Slide 51

    Optional E-Business Suite Services

    Integration with Oracle Portal 10g

    Multidimensional OLAP analysis of transactional data via Oracle Discoverer 10g

  • Slide 52

    Oracle Portal 10g (screenshot)

    Customise different Portal pages for Public and Authenticated users

    Click to log on to Single Sign-On directly

  • Slide 53

    Access 11i via custom Portals

    (Diagram: Oracle Portal 10g ↔ E-Business Suite 11i)

    Access one or more E-Business Suite 11i instances from a single Oracle Portal instance

    Add 11i portlets to custom Portal pages

    Display data in 11i portlets based on 11i responsibilities

  • Slide 54

    Release 11i Portlets

    Applications Navigator: access Applications menus based on user responsibilities

    Applications Favorites: bookmark specific Applications links for quick access

    Applications Worklist: summary of current workflow notifications

    Oracle Balanced Scorecard: display status of strategic and tactical business objectives

    Performance Management Viewer: display business intelligence key performance indicators in graphical and tabular format

  • Slide 55

    Access the E-Business Suite from Portal (screenshot)

    Selecting any of these links invokes either a Forms-based form or the Oracle Applications Framework

  • Slide 56

    Configuration D.2

    (Diagram: External users → Internet → Firewall → Reverse Proxy → Firewall → Single Sign-On 10g and External 9iAS 1.0.2 Server → Firewall → Release 11i Database, OracleAS 10g Infrastructure Database and Oracle Internet Directory Server 10g; Internal users → Portal 10g, Internal 9iAS 1.0.2 Server)

    References: Note 233436.1, 261914.1, 305918.1

  • Slide 57

    Configuration D.3

    (Diagram: as Configuration B.7 (Reverse Proxy in DMZ 1; HTTP LBR1 and HTTP LBR2 front-ending Web Nodes 1-4 in DMZ 2 and DMZ 3; Internal users entering at DMZ 3; Oracle Internet Directory Server 10g and OracleAS 10g Infrastructure Database behind the innermost firewall; RAC 1 and RAC 2 on a Shared 11i Filesystem), with Single Sign-On 10g and Portal 10g added in DMZ 1)

    References: Note 233436.1, 217368.1, 287176.1, 312731.1, 305918.1

  • Slide 58

    Analyse 11i with Discoverer

    (Diagram: User → Discoverer 10g → E-Business Suite End-User Layer)

    Access the APPS_MODE End-User Layer via Business Intelligence System

    Discoverer workbooks secured by Applications responsibilities

    Provide powerful end-user reporting via ad hoc queries

    Drill-down into data via tabular & graphical analytical tools

    Run Discoverer on a separate cluster for enhanced scalability and wide deployment

    Optional: Integration with Single Sign-On 10g

    References: Note 313418.1

  • Slide 59

    Discoverer Integration

    (Diagram: User → Discoverer 10g → E-Business Suite End-User Layer)

    Discoverer 10g End-User Layer resides in the 11i database

    APPS_MODE option enforces Applications security for all Discoverer users

    Easy migration from Discoverer 4i: installation upgrades a copy of the 4i End-User Layer to 10g

    Run 4i and 10g side-by-side for User Acceptance Tests

    TIP: Run Discoverer 4i and 10g on different physical servers to avoid Visibroker conflicts

    References: Note 313418.1

  • Slide 60

    Sample Discoverer Workbook (screenshot)

  • Slides 61-62

    Configuration D.6

    (Diagram: External users → Internet → Firewall → Reverse Proxy → Firewall → External 9iAS 1.0.2 Server → Firewall → Release 11i Database, OracleAS 10g Infrastructure Database and Oracle Internet Directory Server 10g; Internal users → Single Sign-On 10g, Internal 9iAS 1.0.2 Server, Discoverer 10g)

    References: Note 233436.1, 261914.1, 313418.1

  • Slide 63

    Publish Discoverer Workbooks on Portal (screenshot)

  • Slide 64

    Configuration D.7

    (Diagram: as Configuration D.6, with Single Sign-On 10g behind the reverse proxy and Portal 10g added beside the Internal 9iAS 1.0.2 Server and Discoverer 10g)

    References: Note 233436.1, 261914.1, 305918.1, 313418.1

  • Slide 65

    Configuration D.8

    (Diagram: External users → Internet → Firewall → Reverse Proxy → HTTP LBR1 → SSO Node 1, SSO Node 2; HTTP LBR2 and HTTP LBR4 → Web Nodes 1-4; LBR3 → Portal Node 1, Portal Node 2; LBR5 → Disc. Node 1, Disc. Node 2; Internal users; behind the innermost firewall: OracleAS 10g Infrastructure Database, Oracle Internet Directory Server 10g, and RAC 1 and RAC 2 on a Shared 11i Filesystem)

    References: Note 233436.1, 217368.1, 287176.1, 312731.1, 305918.1

  • Slide 66

    Architectural Goals (section divider; this section covers E. Integrate with other applications)

  • Slide 67

    Integration With Other Applications

    The E-Business Suite supports integration with:

    1. Other applications via Oracle Integration

    2. PeopleSoft and Oracle Collaboration Suite, using a common enterprise OracleAS 10g instance for: Single Sign-On & Oracle Internet Directory 10g; Portal 10g

    3. Other authentication systems & LDAP directories via OracleAS 10g Identity Management

  • Slide 68

    Integrate 11i with legacy applications via Oracle Integration

    (Diagram: Legacy Application ↔ Oracle Integration ↔ Release 11i)

    Over 250 adapters for Enterprise Application Integration with third-party applications

    J2EE and open standards-based integration, including: E-Business Suite, third-party applications, database sources; XML, JMS, JCA; Web Services: SOAP, WSDL, UDDI; B2B Protocols: RosettaNet, HIPAA, EDI

  • Slide 69

    Configuration E.1

    (Diagram: Users → Single Sign-On 10g and Portal 10g → OracleAS 10g Infrastructure Database with Oracle Internet Directory Server 10g. Integrated applications: PeopleSoft (OracleAS 10g Server + DB), E-Business Suite 11i (9iAS Server + 11i DB), Collaboration Suite (OracleAS 10g Server + DB))

  • Slide 70

    Configuration E.2

    (Diagram: as Configuration E.1 with the shared identity tier made highly available: SSO Node 1 and SSO Node 2 behind LBR1, Portal Node 1 and Portal Node 2 behind LBR2, OID 10g Node 1 and OID 10g Node 2 behind LBR3, and the OracleAS 10g Infrastructure on RAC 1 and RAC 2)

  • Slides 71-72

    Configuration E.3: Third-Party Integration, Logical Architecture

    (Diagram: the End User logs on to a Third-Party Access Manager, which authenticates the user against a Third-Party LDAP directory; Single Sign-On 10g delegates SSO to that access manager, and Portal 10g and Release 11i (9iAS 1.0.2.2.2) delegate SSO to Single Sign-On 10g. The Directory Integration Platform 10g synchronizes the Third-Party LDAP with the OID User Repository; user profile data is held both as the OID 10g Profile and as the Applications Profile in FND_USER in the 11i Database)

    References: Note 261914.1

  • Slide 73

    Enterprise User Directory

    Oracle products integrate with OID directly, so it must be installed and populated

    OID must be synchronized with external directories via the Directory Integration & Provisioning Platform. Prepackaged OID connectors: Microsoft Active Directory; Sun ONE / iPlanet; any LDAP directory via LDIF files; any other directory via a custom DIP agent

    Planned for OracleAS 10.1.4 Identity Management: Novell eDirectory, OpenLDAP

    OID must synchronize user info with Release 11i (FND_USER)
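The last bullet, and the FND_USER / OID profile pair on the Configuration E.3 diagram, are where an identity integration most often goes wrong in practice: accounts get created in FND_USER when they appear in OID, but nothing end-dates them when the enterprise directory removes the person. The following added example (not Oracle's Directory Integration Platform or the FND user APIs) reconciles a snapshot of OID users against FND_USER in the direction the slide describes, linking by a directory GUID, creating and linking accounts, end-dating linked accounts whose GUID has disappeared, and leaving local-only accounts such as SYSADMIN alone. The record shapes, the GUID linkage and the sample data are assumptions.

```python
"""OID -> FND_USER reconciliation with de-provisioning. Added example,
not Oracle DIP or the FND user APIs; record shapes, the GUID linkage and
the constructed sample data are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class FndUser:
    user_name: str
    user_guid: Optional[str]          # directory GUID once linked to OID
    end_date: Optional[str] = None    # set => account disabled


def recon(oid_users, fnd_users, today):
    """oid_users: {guid: {"uid": ...}} as synchronized into OID.
    fnd_users:  {USER_NAME: FndUser}, mutated in place.
    Returns a change report; local accounts with no GUID are untouched,
    so the AppsLocalLogin fallback accounts keep working."""
    report = {"created": [], "linked": [], "reactivated": [], "disabled": []}
    by_guid = {u.user_guid: u for u in fnd_users.values() if u.user_guid}
    for guid, entry in oid_users.items():
        name = entry["uid"].upper()   # FND_USER names upper-cased (assumption)
        if guid in by_guid:
            u = by_guid[guid]
            if u.end_date:            # person is back in the directory
                u.end_date = None
                report["reactivated"].append(u.user_name)
            continue
        if name in fnd_users:         # pre-existing local account: link it
            fnd_users[name].user_guid = guid
            report["linked"].append(name)
        else:
            fnd_users[name] = FndUser(name, guid)
            report["created"].append(name)
    # De-provisioning: a linked account whose GUID vanished from OID is
    # end-dated, never deleted, so audit history and ownership survive.
    for u in fnd_users.values():
        if u.user_guid and u.user_guid not in oid_users and not u.end_date:
            u.end_date = today
            report["disabled"].append(u.user_name)
    return report


# Constructed sample data.
def sample_fnd():
    return {"SYSADMIN": FndUser("SYSADMIN", None),
            "JSMITH": FndUser("JSMITH", None),
            "OLDUSER": FndUser("OLDUSER", "guid-old")}


SAMPLE_OID = {"guid-1": {"uid": "jsmith"}, "guid-2": {"uid": "akumar"}}


if __name__ == "__main__":
    fnd = sample_fnd()
    print(recon(SAMPLE_OID, fnd, "2006-05-01"))
    print(recon(SAMPLE_OID, fnd, "2006-05-02"))   # idempotent second run
```

Linking by GUID rather than by user name matters: a renamed directory entry keeps its GUID, so the FND_USER row is kept, while a freshly created directory entry that happens to reuse an old login name gets a new GUID and cannot silently inherit a disabled account's responsibilities.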

  • Slide 74

    New E-Business Suite Technology Stack Blog

    http://blogs.oracle.com/schan

    Certification and desupport announcements

    Discussions about architectures, advanced configurations

    Early Adopter Programs and Statements of Direction

    Other E-Business Suite technology stack topics, presentations

    Supports RSS feedreaders

    Cut through the noise -- get the news directly from Development