Java Best Practices for Developing and - Best Practices for developing and deploying • Best...

Date posted: 20-Mar-2018

  • Copyright 2017, Oracle and/or its affiliates. All rights reserved.

    Java Best Practices for Developing and Deploying Against Databases in the Cloud

    Nirmala Sundarappa, Principal Product Manager; Kuassi Mensah, Director of Product Management; Jean De Lavarene, Director of Development Server Technologies. October 5th, 2017

  • Safe Harbor Statement

    The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

  • Program Agenda

    1. What are we talking about?

    2. Security Settings

    3. Demos

    4. Java Best Practices

    5. Questions

  • What are we talking about?

    Plain Java standalone apps

    Java app containers: Apache Tomcat, Oracle WebLogic Server, IBM WebSphere, JBoss

    Java tools or IDEs: SQL Developer, SQuirreL SQL, IntelliJ, JDeveloper, Eclipse, NetBeans

    All these Java apps must be able to connect to a Cloud Database

  • What are the things to consider?

    JDBC drivers must meet the cloud-specific requirements. For example:

    Support for TLSv1.2 with unlimited cipher suites

    Protocol-specific encryption and checksumming

    Support strong authentication: based on certificates; Kerberos authentication

    Support various keystore formats (KSS, JKS, Wallets)

  • How about these?

    Proper error messages and traces to debug connectivity issues

    Support keepalive mechanisms

    HTTP proxy and websockets

    Ideally: reconnect on failure and replay in-flight work

    How about asynchronous APIs? The API is available for download from OpenJDK at http://www.oracle.com/goto/java-async-db. Send feedback to jdbc-spec-discuss@openjdk.java.net

  • Example with Oracle Cloud Database Service

    Database Environment | Default Connectivity

    Database as a Service (DBaaS) | TCP/IP with network encryption (Port 1521). To allow direct connection, open port 1521 for specific trusted hosts

    Exadata Express Cloud Service (EECS), fully managed | TCPS (Port 1522). TLSv1.2 and strong security algorithms are mandatory. Two-stage authentication: must have client wallet in addition to database credentials

  • Security Settings

    Mandatory: using latest JDK with JCE

    JDK version is important: security bugs in some older releases. Always use the latest JDK upgrade

    JCE Unlimited Strength Jurisdiction Policy files: JDK 9 has JCE by default. Need to be installed in the Java runtime for JDK 7 and JDK 8. TLS_RSA_WITH_AES_256_GCM_SHA384 and TLS_RSA_WITH_AES_256_CBC_SHA256 cipher suites use AES with 256-bit keys and hence require Unlimited JCE policy files
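
A pre-flight check for the JDK requirement above, as an added example that is not part of the original slides: it reports whether the unlimited-strength JCE policy is in effect and whether the runtime offers TLSv1.2 and the two AES-256 cipher suites named on the slide. The class name `JceTlsPreflight` is an assumption.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example; the class name is hypothetical.
public class JceTlsPreflight {
    // The two AES-256 cipher suites named on the slide.
    static final List<String> REQUIRED_SUITES = Arrays.asList(
            "TLS_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_RSA_WITH_AES_256_CBC_SHA256");

    // With the limited policy files the JCE caps AES at 128 bits;
    // with the unlimited policy it reports Integer.MAX_VALUE.
    static boolean unlimitedPolicyActive() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    static SSLParameters supported() throws NoSuchAlgorithmException {
        return SSLContext.getDefault().getSupportedSSLParameters();
    }

    static boolean tls12Supported() throws NoSuchAlgorithmException {
        return Arrays.asList(supported().getProtocols()).contains("TLSv1.2");
    }

    // Required suites that this runtime does not offer.
    static List<String> missingSuites() throws NoSuchAlgorithmException {
        List<String> missing = new ArrayList<>(REQUIRED_SUITES);
        missing.removeAll(Arrays.asList(supported().getCipherSuites()));
        return missing;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version       = " + System.getProperty("java.version"));
        System.out.println("max AES key length = " + Cipher.getMaxAllowedKeyLength("AES"));
        System.out.println("unlimited policy   = " + unlimitedPolicyActive());
        System.out.println("TLSv1.2 supported  = " + tls12Supported());
        System.out.println("missing suites     = " + missingSuites());
        boolean ok = unlimitedPolicyActive() && tls12Supported() && missingSuites().isEmpty();
        if (!ok) {
            System.exit(1); // non-zero exit so a deployment script can stop here
        }
    }
}
```

Run it with the same `java` binary the application will use, since the policy files are installed per runtime.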

  • Security Settings

    Either using Oracle Wallets

    Additional jars are needed: oraclepki.jar, osdt_core.jar, and osdt_cert.jar. Available on Oracle Maven repository (maven.oracle.com)

    Make sure to have wallets at an accessible location: cwallet.sso (auto-login format) or ewallet.p12 (PKCS12 format)

    Provide the location of the wallet: oracle.net.wallet_location=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/Users/test/wallets/)))

    Enforce mutual authentication: oracle.net.ssl_server_dn_match=true

  • Security Settings

    Or using Java KeyStore (JKS)

    Configure trustStore and keyStore: use javax.net.ssl.trustStore and javax.net.ssl.keyStore system properties or connection properties

    Set the password for JKS: use javax.net.ssl.keyStorePassword and javax.net.ssl.trustStorePassword

    Enable the server DN match: oracle.net.ssl_server_dn_match=true

  • Connecting to the Cloud is easier than ever

    Oracle JDBC 18

    DB 18 related capabilities will be updated once the Database 18c is released. Please stay tuned.

  • DBCS Connectivity Overview

    TCP connections allowed: port 1521 needs to be unblocked before usage

    Full control over the database: HR schema is available, but needs to be unlocked. Create more users or schemas or tables by connecting to the compute node

    SSH access to the compute node

  • Java Connectivity to Oracle Database Cloud Service (DBCS)

    Create the service and unblock port 1521

  • Java Connectivity to DBCS

    Unblock the port 1521

  • Java Connectivity to DBCS using Tomcat

    Sample context.xml

  • Screenshot of the Servlet connecting to database service

  • EECS Connectivity Overview

    A fully managed experience for hands-free cloud database operation

    TCPS connections required: mandates SSL connection using TLSv1.2; Java KeyStore files or Oracle Wallets

    PDB_ADMIN is the user created by default: create your own user

    Requires Java Cryptography Extension (JCE) in the JDK/JRE.

  • Exadata Express Cloud Service Connectivity

    Download client_credentials.zip

  • Exadata Express Cloud Service (EECS) Connectivity

    Choose wallet or keystore password

  • Exadata Express Connectivity

    client_credentials.zip contents

    File name | Description

    tnsnames.ora and sqlnet.ora | Network configuration files storing connect descriptors and SQL*Net client-side configuration

    cwallet.sso and ewallet.p12 | Auto-open SSO wallet and PKCS12 file. PKCS12 file is protected by the wallet password provided in the UI.

    truststore.jks and keystore.jks | JKS Truststore and Keystore. Protected by the wallet password provided in the UI.

  • Exadata Express Cloud Service (EECS) Connectivity

    Pre-requisites for Thin JDBC

    Unzip the client_credentials.zip file to any location

    Update JDK path to use the latest JDK 8/JDK 7 with the required JCE policy files

    Pass truststore or wallet related parameters as connection/system properties

    Connect using the connection string jdbc:oracle:thin:@dbaccess with dbaccess being the TNS alias.

    Detailed steps are documented in Exadata Express Service Console links

  • Exadata Express Cloud Service Connectivity

    Sample script to run

    java -Doracle.net.tns_admin=/home/myuser/cloud \
      -Doracle.net.ssl_server_dn_match=true \
      -Djavax.net.ssl.trustStore=/home/myuser/cloud/truststore.jks \
      -Djavax.net.ssl.trustStorePassword=welcome1 \
      -Djavax.net.ssl.keyStore=/home/myuser/cloud/keystore.jks \
      -Djavax.net.ssl.keyStorePassword=welcome1 \
      DataSourceSample
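
The JKS settings from the slides applied as connection properties instead of `-D` arguments, as an added example that is not part of the original slides: store passwords come from the environment rather than the command line, where they would show up in the process listing, and both stores are loaded before connecting so a wrong password fails with a clear cause. The class name and the environment variable names are assumptions, and the Oracle JDBC driver is assumed to be on the classpath.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Properties;

// Added example; class name and environment variable names are hypothetical.
public class CloudJksConnect {
    // Load the store up front so a wrong password or missing file fails
    // here, with a clear cause, instead of deep inside the TLS handshake.
    static void verifyStore(Path file, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password.toCharArray());
        }
        if (ks.size() == 0) throw new IllegalStateException(file + " has no entries");
    }

    static String env(String name) {
        String v = System.getenv(name);
        if (v == null || v.isEmpty()) {
            throw new IllegalStateException("environment variable " + name + " is not set");
        }
        return v;
    }

    public static void main(String[] args) throws Exception {
        Path dir = Paths.get(env("CLOUD_CREDENTIALS_DIR")); // unzipped client_credentials.zip
        String storePw = env("STORE_PASSWORD");
        Path trust = dir.resolve("truststore.jks"), key = dir.resolve("keystore.jks");
        verifyStore(trust, storePw);
        verifyStore(key, storePw);
        System.setProperty("oracle.net.tns_admin", dir.toString()); // where tnsnames.ora lives
        Properties p = new Properties();
        p.setProperty("javax.net.ssl.trustStore", trust.toString());
        p.setProperty("javax.net.ssl.trustStorePassword", storePw);
        p.setProperty("javax.net.ssl.keyStore", key.toString());
        p.setProperty("javax.net.ssl.keyStorePassword", storePw);
        p.setProperty("oracle.net.ssl_server_dn_match", "true");
        p.setProperty("user", env("DB_USER"));
        p.setProperty("password", env("DB_PASSWORD"));
        try (Connection c = DriverManager.getConnection("jdbc:oracle:thin:@dbaccess", p)) {
            System.out.println("Connected to " + c.getMetaData().getDatabaseProductVersion());
        }
    }
}
```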

  • Java Best Practices for developing and deploying

    Connecting to Database services on Cloud

    Best Practices for Performance

    Best Practices for Security

    Best Practices for High Availability

    Alternative approach for Accessibility

    Troubleshooting tips

  • Best Practices for Performance

    Reduce roundtrips, optimize sessions and data transfer

    Use Connection Pooling (Example: UCP): optimize MinPoolSize, MaxPoolSize and timeouts

    Bind variables: prevents re-parsing of frequently executed statements. Re-execute the same PreparedStatement with different binds

    Array operations instead of single row operations: DML Batching and Row Prefetch. preparedStatement.addBatch() and preparedStatement.sendBatch()

  • Best Practices for Performance

    Prefetching: prefetch a number of rows (configurable). preparedStatement.setFetchSize(20)

    Statement Caching: caches most recently used statements. oracleDataSource.setImplicitCachingEnabled(true) and connection.setStatementCacheSize(10)

    ClientQueryResultCac