Java Best Practices for Developing and Deploying Against Databases in the Cloud - oracle.com
Copyright © 2017, Oracle and/or its affiliates. All rights reserved.
Java Best Practices for Developing and Deploying Against Databases in the Cloud

Nirmala Sundarappa, Principal Product Manager; Kuassi Mensah, Director of Product Management; Jean de Lavarene, Director of Development, Server Technologies. October 5th, 2017
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Program Agenda
1. What are we talking about?
2. Security Settings
3. Demos
4. Java Best Practices
5. Questions
What are we talking about?
• Plain Java standalone apps
• Java app containers
  – Apache Tomcat
  – Oracle WebLogic Server
  – IBM WebSphere
  – JBoss
• Java tools or IDEs
  – SQL Developer, SQuirreL SQL
  – IntelliJ, JDeveloper, Eclipse, NetBeans
• All these Java apps must be able to connect to a Cloud Database
What are the things to consider?
JDBC drivers must meet the cloud-specific requirements. For example:
• Support for TLSv1.2 with unlimited-strength cipher suites (AES-256 suites need the JCE unlimited policy)
• Protocol-specific (Oracle Net native) encryption and checksumming
• Support for strong authentication
  – Based on certificates
  – Kerberos authentication
• Support for various keystore formats (KSS, JKS, Oracle Wallets)
How about these?
• Proper error messages and traces to debug connectivity issues
• Support for keepalive mechanisms
• HTTP proxy and WebSockets
Ideally:
• Reconnect on failure and replay in-flight work
• How about asynchronous APIs?
  – The API is available for download from OpenJDK at http://www.oracle.com/goto/java-async-db
  – [email protected]
Example with Oracle Cloud Database Service

Database Environment                        | Default Connectivity
--------------------------------------------|--------------------------------------------------------------------------
Database as a Service (DBaaS)               | TCP/IP with network encryption (port 1521). To allow a direct connection, open port 1521 for specific trusted hosts only.
Exadata Express Cloud Service (EECS),       | TCPS (port 1522). TLSv1.2 and strong security algorithms are mandatory. Two-stage authentication: the client must have the client wallet in addition to the database credentials.
fully managed                               |
Security Settings
Mandatory: use the latest JDK with unlimited-strength JCE
• The JDK version is important
  – Security bugs in some older releases
  – Always use the latest JDK update
• JCE Unlimited Strength Jurisdiction Policy files
  – JDK 9 ships with the unlimited policy enabled by default (JDK 8u161 and later also default to it through the crypto.policy security property)
  – On earlier JDK 7 and JDK 8 releases the policy files need to be installed in the Java runtime
  – The TLS_RSA_WITH_AES_256_GCM_SHA384 and TLS_RSA_WITH_AES_256_CBC_SHA256 cipher suites use AES with 256-bit keys and hence require the unlimited JCE policy files; with the limited policy AES is capped at 128-bit keys, so the handshake with a server that insists on these suites fails
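A start-up check for the two prerequisites on this slide, as an added example that is not code from the deck: it asks the JVM whether the unlimited JCE policy is in effect, whether TLSv1.2 is available, and whether the two AES-256 suites named above can be offered, and exits non-zero before any connection is attempted. The class name and the decision to fail fast are my choices; the API calls are standard JDK.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/**
 * Added example (not from the Oracle deck): verifies at startup that the JVM
 * satisfies the deck's prerequisites before any JDBC connection to a TLS-only
 * cloud database is attempted.
 */
public final class CryptoPrerequisites {

    // The two suites named on the slide; both use AES-256 and therefore
    // require the unlimited-strength JCE policy.
    static final List<String> REQUIRED_SUITES = Arrays.asList(
            "TLS_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_RSA_WITH_AES_256_CBC_SHA256");

    /** True when the JCE policy allows AES keys of at least 256 bits. */
    public static boolean unlimitedJcePolicy() throws NoSuchAlgorithmException {
        // With the limited policy (default before 8u161) this returns 128.
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    /** True when TLSv1.2 is among the protocols the default SSLContext supports. */
    public static boolean supportsTlsv12() throws NoSuchAlgorithmException {
        SSLParameters p = SSLContext.getDefault().getSupportedSSLParameters();
        return Arrays.asList(p.getProtocols()).contains("TLSv1.2");
    }

    /** Names of the required suites that the default SSLContext cannot offer. */
    public static List<String> missingSuites() throws NoSuchAlgorithmException {
        List<String> supported = Arrays.asList(
                SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites());
        List<String> missing = new ArrayList<>();
        for (String s : REQUIRED_SUITES) {
            if (!supported.contains(s)) missing.add(s);
        }
        return missing;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version      = " + System.getProperty("java.version"));
        System.out.println("unlimited JCE     = " + unlimitedJcePolicy());
        System.out.println("TLSv1.2 supported = " + supportsTlsv12());
        List<String> missing = missingSuites();
        System.out.println("missing suites    = " + missing);
        // Fail fast: a connection attempt would otherwise die later with an
        // opaque handshake error deep inside the driver.
        if (!unlimitedJcePolicy() || !supportsTlsv12() || !missing.isEmpty()) {
            System.err.println("JVM does not meet the cloud database TLS prerequisites");
            System.exit(1);
        }
    }
}
```

Run it with the exact JDK the application server uses (`$JAVA_HOME/bin/java CryptoPrerequisites`); a check run under a different JDK on the same box proves nothing.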
Security Settings
Either using Oracle Wallets
• Additional jars are needed
  – oraclepki.jar, osdt_core.jar, and osdt_cert.jar
  – Available from the Oracle Maven repository (maven.oracle.com)
• Make sure the wallets are at a location the application can read
  – cwallet.sso (auto-login format) or ewallet.p12 (PKCS12 format)
• Provide the location of the wallet
  – oracle.net.wallet_location=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/Users/test/wallets/)))
• Enforce verification of the server's identity: oracle.net.ssl_server_dn_match=true
  – With this set, the driver checks the server certificate's DN against the SSL_SERVER_CERT_DN in the connect descriptor or, failing that, the host name; without it any server with a chain to a trusted CA is accepted. The client side of mutual authentication is the client certificate and private key held in the wallet, not this property.
Security Settings
Or using Java KeyStore (JKS)
• Configure the trustStore and keyStore
  – Use the javax.net.ssl.trustStore and javax.net.ssl.keyStore system properties or connection properties
• Set the passwords for the JKS files
  – Use javax.net.ssl.keyStorePassword and javax.net.ssl.trustStorePassword
• Enable the server DN match
  – oracle.net.ssl_server_dn_match=true
Prefer connection properties (or a properties file readable only by the application account) over -D system properties: a password passed on the command line is visible to every user on the host in the process listing, and the javax.net.ssl.* system properties apply to every TLS client in the JVM, not just the driver.
Connecting to the Cloud is easier than ever
Oracle JDBC 18
DB 18-related capabilities will be updated once Database 18c is released. Please stay tuned.
DBCS Connectivity – Overview
• TCP connections allowed
  – Port 1521 needs to be unblocked before usage
• Full control over the database
  – The HR schema is available, but needs to be unlocked
  – Create more users, schemas or tables by connecting to the compute node
• SSH access to the compute node
Java connectivity to Oracle Database Cloud Service (DBCS)
[Screenshot: create the service and unblock port 1521]

Java Connectivity to DBCS
[Screenshot: unblock the port 1521]
Java Connectivity to DBCS using Tomcat
Sample context.xml

<Context>
  <Resource name="jdbc/orcldriver_dbcs"
            auth="Container"
            type="javax.sql.DataSource"
            driverClassName="oracle.jdbc.OracleDriver"
            username="hr"
            password="hr"
            url="jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(HOST=140.86.xx.yy)(PORT=1521)(PROTOCOL=tcp))(CONNECT_DATA=(SERVICE_NAME=PDB1.xxxxxx.oraclecloud.internal)))" />
</Context>

The sample uses the demo HR credentials. In a deployment the password sits in clear text in this file, so restrict read access on context.xml to the account Tomcat runs as and keep it out of version control.
[Screenshot: the servlet connecting to the database service]
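The deck shows the servlet only as a screenshot. The following is an added example of my own, not the servlet from the deck: it looks up the container-managed DataSource declared in the sample context.xml above by its JNDI name and runs a parameterised query against the HR demo schema. The servlet path, the `id` request parameter and the use of HR.EMPLOYEES are assumptions for illustration.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

/**
 * Added example (not the servlet in the deck's screenshot): uses the
 * "jdbc/orcldriver_dbcs" Resource from the sample context.xml. Servlet 3.0
 * annotations, so it deploys on Tomcat 7+ without web.xml changes.
 */
@WebServlet("/employee")
public class EmployeeServlet extends HttpServlet {

    private DataSource ds;

    @Override
    public void init() throws ServletException {
        try {
            // Tomcat exposes <Resource name="jdbc/orcldriver_dbcs"> under java:comp/env
            Context env = (Context) new InitialContext().lookup("java:comp/env");
            ds = (DataSource) env.lookup("jdbc/orcldriver_dbcs");
        } catch (NamingException e) {
            throw new ServletException("DataSource jdbc/orcldriver_dbcs not bound", e);
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Validate and convert the request parameter before it goes anywhere near SQL.
        int employeeId;
        try {
            employeeId = Integer.parseInt(req.getParameter("id"));
        } catch (NumberFormatException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "id must be an integer");
            return;
        }
        resp.setContentType("text/plain;charset=UTF-8");
        // Bind variable: the value never becomes part of the SQL text, so there is
        // no injection path and the parsed statement can be reused from the cache.
        String sql = "SELECT first_name, last_name, email FROM employees WHERE employee_id = ?";
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setInt(1, employeeId);
            try (ResultSet rs = ps.executeQuery(); PrintWriter out = resp.getWriter()) {
                if (rs.next()) {
                    out.printf("%s %s <%s>%n", rs.getString(1), rs.getString(2), rs.getString(3));
                } else {
                    resp.setStatus(HttpServletResponse.SC_NOT_FOUND);
                    out.println("no such employee");
                }
            }
        } catch (SQLException e) {
            // Log server-side; never echo driver error text (host names, SQL) to the client.
            log("query failed", e);
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        }
    }
}
```

The connection is borrowed from the container's pool for the duration of one request and returned by try-with-resources; holding it in a field would serialise every request through a single session.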
EECS Connectivity – Overview
A fully managed experience for hands-free cloud database operation
• TCPS connections required
  – Mandates a TLS connection using TLSv1.2
  – Java KeyStore files or Oracle Wallets
• PDB_ADMIN is the user created by default
  – Create your own user
• Requires the Java Cryptography Extension (JCE) unlimited-strength policy in the JDK/JRE
Exadata Express Cloud Service Connectivity
[Screenshot: download client_credentials.zip]
[Screenshot: choose the wallet or keystore password]
Exadata Express Connectivity
client_credentials.zip contents

File name                       | Description
--------------------------------|-----------------------------------------------------------------------------
tnsnames.ora and sqlnet.ora     | Network configuration files storing the connect descriptors and the SQL*Net client-side configuration
cwallet.sso and ewallet.p12     | Auto-open SSO wallet and PKCS12 file. The PKCS12 file is protected by the wallet password provided in the UI.
truststore.jks and keystore.jks | JKS truststore and keystore. Protected by the wallet password provided in the UI.
Exadata Express Cloud Service (EECS) Connectivity
Pre-requisites
• For thin JDBC:
  – Unzip the client_credentials.zip file to any location
  – Update the JDK path to use the latest JDK 8/JDK 7 with the required JCE policy files
  – Pass the truststore or wallet related parameters as connection/system properties
  – Connect using the connection string "jdbc:oracle:thin:@dbaccess", with dbaccess being the TNS alias
Detailed steps are documented in the Exadata Express Service Console links
Exadata Express Cloud Service Connectivity
Sample script to run (DataSource sample):

java -Doracle.net.tns_admin=/home/myuser/cloud \
     -Doracle.net.ssl_server_dn_match=true \
     -Djavax.net.ssl.trustStore=/home/myuser/cloud/truststore.jks \
     -Djavax.net.ssl.trustStorePassword=welcome1 \
     -Djavax.net.ssl.keyStore=/home/myuser/cloud/keystore.jks \
     -Djavax.net.ssl.keyStorePassword=welcome1 \
     DataSourceSample

welcome1 is the sample wallet password from the demo. On a shared host, pass the store passwords as connection properties or from a file readable only by the application account rather than as -D flags: command-line arguments are visible in the process listing to every local user.
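The deck's DataSourceSample class is not reproduced on the slides. The following is an added example of my own that stands in for it and covers both credential forms from the Security Settings slides: the JKS pair or the auto-login wallet from client_credentials.zip, the server DN check, and the "dbaccess" TNS alias. Paths and the environment-variable names (CLOUD_CRED_DIR, CLOUD_STORE_PASSWORD, CLOUD_CRED_MODE, DB_USER, DB_PASSWORD) are assumptions; secrets are read from the environment instead of -D flags so they stay out of the process listing. The property-name constants are those of oracle.jdbc.OracleConnection.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Properties;
import oracle.jdbc.OracleConnection;
import oracle.jdbc.pool.OracleDataSource;

/**
 * Added example, not the deck's DataSourceSample: opens a TCPS connection to an
 * Exadata Express service through the "dbaccess" alias in tnsnames.ora, using
 * either the JKS files or the Oracle wallet from client_credentials.zip.
 */
public final class CloudDataSourceSample {

    /** Connection properties for the JKS files shipped in client_credentials.zip. */
    public static Properties jksProperties(String credDir, String storePassword) {
        Properties p = new Properties();
        // Directory holding tnsnames.ora / sqlnet.ora; resolves the "dbaccess" alias.
        p.setProperty(OracleConnection.CONNECTION_PROPERTY_TNS_ADMIN, credDir);
        p.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_JAVAX_NET_SSL_TRUSTSTORE,
                credDir + "/truststore.jks");
        p.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_JAVAX_NET_SSL_TRUSTSTORETYPE, "JKS");
        p.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_JAVAX_NET_SSL_TRUSTSTOREPASSWORD, storePassword);
        p.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_JAVAX_NET_SSL_KEYSTORE,
                credDir + "/keystore.jks");
        p.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_JAVAX_NET_SSL_KEYSTORETYPE, "JKS");
        p.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_JAVAX_NET_SSL_KEYSTOREPASSWORD, storePassword);
        // Reject a server whose certificate DN does not match the expected service/host.
        p.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_SSL_SERVER_DN_MATCH, "true");
        return p;
    }

    /** Connection properties for the auto-login wallet (cwallet.sso) instead of JKS. */
    public static Properties walletProperties(String credDir) {
        Properties p = new Properties();
        p.setProperty(OracleConnection.CONNECTION_PROPERTY_TNS_ADMIN, credDir);
        // Needs oraclepki.jar, osdt_core.jar and osdt_cert.jar on the classpath.
        p.setProperty(OracleConnection.CONNECTION_PROPERTY_WALLET_LOCATION,
                "(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=" + credDir + ")))");
        p.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_SSL_SERVER_DN_MATCH, "true");
        return p;
    }

    public static OracleDataSource dataSource(Properties connProps, String user, String password)
            throws SQLException {
        OracleDataSource ds = new OracleDataSource();
        ds.setURL("jdbc:oracle:thin:@dbaccess");   // TNS alias from tnsnames.ora
        ds.setUser(user);
        ds.setPassword(password);
        ds.setConnectionProperties(connProps);
        return ds;
    }

    public static void main(String[] args) throws SQLException {
        String credDir = System.getenv("CLOUD_CRED_DIR");       // unzipped client_credentials.zip
        String storePw = System.getenv("CLOUD_STORE_PASSWORD");  // wallet/keystore password chosen in the UI
        boolean useWallet = "wallet".equals(System.getenv("CLOUD_CRED_MODE"));
        Properties props = useWallet ? walletProperties(credDir) : jksProperties(credDir, storePw);
        OracleDataSource ds = dataSource(props, System.getenv("DB_USER"), System.getenv("DB_PASSWORD"));

        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(
                 "SELECT sys_context('USERENV','NETWORK_PROTOCOL') FROM dual");
             ResultSet rs = ps.executeQuery()) {
            rs.next();
            // Confirms the session really came in over TCPS, not plain TCP.
            System.out.println("connected via " + rs.getString(1));
        }
    }
}
```

The NETWORK_PROTOCOL check is worth keeping in a smoke test: it proves from the server's point of view that the session is encrypted, independently of what the client believes it configured.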
ProgramAgenda
Whatarewetalkingabout?
SecuritySettings
Demos
JavaBestPractices
Questions
4
2
1
3
5
27
Copyright©2017, Oracleand/oritsaffiliates.Allrightsreserved. |
Java Best Practices for developing and deploying
Connecting to Database services on Cloud
• Best Practices for Performance
• Best Practices for Security
• Best Practices for High Availability
• Alternative approach for Accessibility
• Troubleshooting tips
Best Practices for Performance
Reduce round trips, optimize sessions and data transfer
• Use connection pooling (example: UCP)
  – Optimize MinPoolSize, MaxPoolSize and the timeouts
• Bind variables
  – Prevent re-parsing of frequently executed statements
  – Re-execute the same PreparedStatement with different binds
  – Also the standard defence against SQL injection: the value never becomes part of the SQL text
• Array operations instead of single-row operations
  – DML batching and row prefetch
  – preparedStatement.addBatch() followed by preparedStatement.executeBatch() (standard JDBC batching; the Oracle-specific sendBatch() named on the slide belongs to the Oracle update-batching API, which is deprecated since 12c)
Best Practices for Performance
• Prefetching
  – Prefetch a configurable number of rows per round trip: preparedStatement.setFetchSize(20)
• Statement caching
  – Caches the most recently used statements
  – oracleDataSource.setImplicitCachingEnabled(true) and (on OracleConnection) connection.setStatementCacheSize(10)
• Client Query Result Cache
  – Caches SQL query results on the client tier
  – Oracle transparently maintains cache consistency with server-side changes
Best Practices for Performance
• Co-locate application servers and database servers (if possible) in order to reduce latency
  – Run ping or traceroute to look at the latency
• Tune the Session Data Unit (SDU) for large LOBs, XML documents and large result sets
  – Max: 2 MB (12c), 64 KB (11.2), 32 KB (pre-11.2)
  – Set it on both the server and the client side (sqlnet.ora DEFAULT_SDU_SIZE, tnsnames.ora, or the URL):
    jdbc:oracle:thin:@(DESCRIPTION=(SDU=11280)(ADDRESS=(PROTOCOL=tcp)(HOST=myhost-vip)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=myorcldbservicename)))
• Sharded database for scalability
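The three performance slides applied in one place, as an added example of my own rather than code from the deck: a Universal Connection Pool sized and time-limited explicitly, the SDU set in the URL from the slide, the driver's implicit statement cache, a bind-variable INSERT executed as one batch, and a SELECT with a tuned fetch size. The pool sizes, timeouts, the demo_items table and the DB_USER/DB_PASSWORD environment variables are illustrative assumptions; the host and service name are the slide's placeholders.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import oracle.jdbc.OracleConnection;
import oracle.ucp.jdbc.PoolDataSource;
import oracle.ucp.jdbc.PoolDataSourceFactory;

/**
 * Added example (not from the deck): UCP pool + bind variables + batching +
 * prefetch + statement caching, with the SDU set in the connect descriptor.
 */
public final class PooledBatchSample {

    private static final String URL =
        "jdbc:oracle:thin:@(DESCRIPTION=(SDU=11280)"
        + "(ADDRESS=(PROTOCOL=tcp)(HOST=myhost-vip)(PORT=1521))"
        + "(CONNECT_DATA=(SERVICE_NAME=myorcldbservicename)))";

    public static PoolDataSource createPool(String user, String password) throws SQLException {
        PoolDataSource pds = PoolDataSourceFactory.getPoolDataSource();
        pds.setConnectionFactoryClassName("oracle.jdbc.pool.OracleDataSource");
        pds.setURL(URL);
        pds.setUser(user);
        pds.setPassword(password);
        // Size for the real concurrency, not "as large as possible": every idle
        // session still costs server memory and a logon.
        pds.setInitialPoolSize(2);
        pds.setMinPoolSize(2);
        pds.setMaxPoolSize(10);
        pds.setConnectionWaitTimeout(5);        // seconds a borrower waits when the pool is exhausted
        pds.setInactiveConnectionTimeout(300);  // release idle connections above MinPoolSize
        pds.setMaxStatements(10);               // UCP statement cache per pooled connection
        return pds;
    }

    /** Inserts all rows in one round trip per batch instead of one per row. */
    public static int[] insertBatch(Connection c, int[] ids, String[] names) throws SQLException {
        try (PreparedStatement ps = c.prepareStatement(
                "INSERT INTO demo_items (id, name) VALUES (?, ?)")) {
            for (int i = 0; i < ids.length; i++) {
                ps.setInt(1, ids[i]);        // bind variables: one parse, many executions
                ps.setString(2, names[i]);
                ps.addBatch();
            }
            return ps.executeBatch();        // standard JDBC batching, not the deprecated sendBatch()
        }
    }

    /** Reads rows with a prefetch size tuned for the expected result set. */
    public static int countNamesLike(Connection c, String pattern) throws SQLException {
        int n = 0;
        try (PreparedStatement ps = c.prepareStatement(
                "SELECT id, name FROM demo_items WHERE name LIKE ?")) {
            ps.setString(1, pattern);
            ps.setFetchSize(20);             // rows fetched per round trip
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) n++;
            }
        }
        return n;
    }

    public static void main(String[] args) throws SQLException {
        PoolDataSource pds = createPool(System.getenv("DB_USER"), System.getenv("DB_PASSWORD"));
        try (Connection c = pds.getConnection()) {
            // Driver-level implicit statement cache on the physical connection.
            OracleConnection oc = c.unwrap(OracleConnection.class);
            oc.setImplicitCachingEnabled(true);
            oc.setStatementCacheSize(10);

            c.setAutoCommit(false);
            int[] counts = insertBatch(c,
                new int[] {1, 2, 3},
                new String[] {"alpha", "beta", "gamma"});
            c.commit();
            System.out.println("batched rows: " + counts.length);
            System.out.println("matching rows: " + countNamesLike(c, "%a"));
        }
    }
}
```

Auto-commit is switched off before the batch so the three inserts travel and commit as one unit; with auto-commit on, each executeBatch() would still be one round trip but the commit would add another.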
Best Practices for Security
• For a corporate environment, use a VPN
• If you want to enable direct connections
  – Enable access to the database listeners from only a specific set of trusted IP addresses
• Set up the logon storm handler to limit the connection rate
  – RATE_LIMIT parameter for the listener
• Protect the wallet or keystore
  – Ensure that the files are protected through file system permissions, backed up securely, and that only read access is granted to the user running the application at run time
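The last bullet is the one an application can verify for itself. The following is an added example of my own, not from the deck: at start-up it walks the credential directory (wallet or JKS files), reports every entry that group or other users can read, write or traverse, and optionally tightens the mode to owner-only. POSIX file systems only; the default directory is an assumption.

```java
import java.io.IOException;
import java.nio.file.FileVisitResult;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.SimpleFileVisitor;
import java.nio.file.attribute.BasicFileAttributes;
import java.nio.file.attribute.PosixFilePermission;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;

/**
 * Added example (not from the deck): checks that the credential directory is
 * readable only by the account running the application, as the slide requires.
 */
public final class CredentialPermissionCheck {

    private static final Set<PosixFilePermission> GROUP_OTHER = EnumSet.of(
        PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE, PosixFilePermission.GROUP_EXECUTE,
        PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);

    /** Returns a description of every entry under dir that group or others can access. */
    public static List<String> findExposedEntries(Path dir) throws IOException {
        List<String> exposed = new ArrayList<>();
        Files.walkFileTree(dir, new SimpleFileVisitor<Path>() {
            @Override
            public FileVisitResult preVisitDirectory(Path d, BasicFileAttributes attrs) throws IOException {
                check(d, exposed);
                return FileVisitResult.CONTINUE;
            }
            @Override
            public FileVisitResult visitFile(Path f, BasicFileAttributes attrs) throws IOException {
                check(f, exposed);
                return FileVisitResult.CONTINUE;
            }
        });
        return exposed;
    }

    private static void check(Path p, List<String> exposed) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        // Build the intersection in an EnumSet; EnumSet.copyOf would reject an empty mode 000 set.
        EnumSet<PosixFilePermission> leak = EnumSet.noneOf(PosixFilePermission.class);
        leak.addAll(perms);
        leak.retainAll(GROUP_OTHER);
        if (!leak.isEmpty()) {
            exposed.add(p + " has " + leak);
        }
    }

    /** Tightens permissions: rwx------ on directories, rw------- on files. */
    public static void tighten(Path dir) throws IOException {
        Files.walkFileTree(dir, new SimpleFileVisitor<Path>() {
            @Override
            public FileVisitResult preVisitDirectory(Path d, BasicFileAttributes attrs) throws IOException {
                Files.setPosixFilePermissions(d, EnumSet.of(
                    PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE,
                    PosixFilePermission.OWNER_EXECUTE));
                return FileVisitResult.CONTINUE;
            }
            @Override
            public FileVisitResult visitFile(Path f, BasicFileAttributes attrs) throws IOException {
                Files.setPosixFilePermissions(f, EnumSet.of(
                    PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE));
                return FileVisitResult.CONTINUE;
            }
        });
    }

    public static void main(String[] args) throws IOException {
        Path dir = Paths.get(args.length > 0 ? args[0] : "/home/myuser/cloud"); // assumed location
        List<String> exposed = findExposedEntries(dir);
        if (exposed.isEmpty()) {
            System.out.println("credential directory permissions OK");
            return;
        }
        exposed.forEach(System.err::println);
        if (args.length > 1 && "--fix".equals(args[1])) {
            tighten(dir);
            System.out.println("permissions tightened");
        } else {
            System.err.println("refusing to start with exposed credential files (pass --fix to tighten)");
            System.exit(1);
        }
    }
}
```

Ownership is not checked here on purpose: the process can only chmod files it already owns, so an entry owned by someone else surfaces as an IOException from tighten(), which is the right outcome for a credential file that should never have been created by another account.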
Best Practices for High Availability
• Leverage the most advanced HA features by using the latest DB client
  – Timeout and retry in the connect string
  – Application Continuity
    – Replay driver
    – At-most-once commit
    – In-flight transactions are transparently replayed in case of failure
  – Fast Application Notification
    – More reliable and predictable than the ugly TCP timeout
    – In-band notifications are preferred
Oracle Best Practices for High Availability
Gracefully handle temporary service unavailability

Connection string:

(DESCRIPTION_LIST =
  (DESCRIPTION=
    (ENABLE=BROKEN)
    (TRANSPORT_CONNECT_TIMEOUT=10)
    (RETRY_COUNT=10)(RETRY_DELAY=5)
    (ADDRESS_LIST=(ADDRESS = . . .)(ADDRESS= . . .))
    (CONNECT_DATA=(SERVICE_NAME=hr_svc)))
  (DESCRIPTION=
    (RETRY_COUNT=10)(RETRY_DELAY=5)
    (ADDRESS_LIST=(ADDRESS = . . .)(ADDRESS=. . .))
    (CONNECT_DATA=(SERVICE_NAME=hr_svc2))))

ENABLE=BROKEN: enable TCP keepalive. TRANSPORT_CONNECT_TIMEOUT: TCP/IP-level timeout. RETRY_COUNT / RETRY_DELAY: retry while the service is unavailable.
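The descriptor above combined with the replay driver from the previous slide, as an added example of my own rather than code from the deck. The ADDRESS entries the slide elides are filled with hypothetical host names; the request boundaries use the 12c oracle.jdbc.replay.ReplayableConnection API; and the service must have been created server-side with FAILOVER_TYPE=TRANSACTION and COMMIT_OUTCOME=TRUE, which is DBA configuration the client cannot supply. The employees table and the DB_USER/DB_PASSWORD variables are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import oracle.jdbc.replay.OracleDataSourceImpl;
import oracle.jdbc.replay.ReplayableConnection;

/**
 * Added example (not from the deck): Application Continuity with the replay
 * data source. Hosts are hypothetical; the service name comes from the slide.
 */
public final class ReplaySample {

    // Connect-time retry (RETRY_COUNT/RETRY_DELAY), keepalive (ENABLE=BROKEN),
    // bounded TCP connect (TRANSPORT_CONNECT_TIMEOUT), and a fallback service.
    private static final String URL = "jdbc:oracle:thin:@(DESCRIPTION_LIST="
        + "(DESCRIPTION=(ENABLE=BROKEN)(TRANSPORT_CONNECT_TIMEOUT=10)"
        + "(RETRY_COUNT=10)(RETRY_DELAY=5)"
        + "(ADDRESS_LIST=(ADDRESS=(PROTOCOL=tcp)(HOST=db-node1.example)(PORT=1521))"
        + "(ADDRESS=(PROTOCOL=tcp)(HOST=db-node2.example)(PORT=1521)))"
        + "(CONNECT_DATA=(SERVICE_NAME=hr_svc)))"
        + "(DESCRIPTION=(RETRY_COUNT=10)(RETRY_DELAY=5)"
        + "(ADDRESS_LIST=(ADDRESS=(PROTOCOL=tcp)(HOST=dr-node1.example)(PORT=1521))"
        + "(ADDRESS=(PROTOCOL=tcp)(HOST=dr-node2.example)(PORT=1521)))"
        + "(CONNECT_DATA=(SERVICE_NAME=hr_svc2))))";

    public static OracleDataSourceImpl replayDataSource(String user, String password)
            throws SQLException {
        // The replay data source records each request's calls and, if the session
        // dies mid-request, replays them on a surviving instance at most once.
        OracleDataSourceImpl ds = new OracleDataSourceImpl();
        ds.setURL(URL);
        ds.setUser(user);
        ds.setPassword(password);
        return ds;
    }

    /** One unit of work bracketed as a request so the driver knows what to replay. */
    public static int giveRaise(Connection c, int employeeId, int amount) throws SQLException {
        ReplayableConnection rc = (ReplayableConnection) c;
        rc.beginRequest();               // start of a replayable request (UCP does this implicitly)
        try {
            c.setAutoCommit(false);
            try (PreparedStatement ps = c.prepareStatement(
                    "UPDATE employees SET salary = salary + ? WHERE employee_id = ?")) {
                ps.setInt(1, amount);
                ps.setInt(2, employeeId);
                int updated = ps.executeUpdate();
                c.commit();              // commit outcome is tracked, so a replay never double-commits
                return updated;
            } catch (SQLException e) {
                c.rollback();            // only reached for non-recoverable errors; recoverable ones are replayed
                throw e;
            }
        } finally {
            rc.endRequest();             // state after this point is not replayed
        }
    }

    public static void main(String[] args) throws SQLException {
        OracleDataSourceImpl ds = replayDataSource(System.getenv("DB_USER"), System.getenv("DB_PASSWORD"));
        try (Connection c = ds.getConnection()) {
            System.out.println("rows updated: " + giveRaise(c, 100, 500));
        }
    }
}
```

Keep requests short and free of side effects the driver cannot see (files written, messages sent): replay re-executes the JDBC calls, not the Java code around them.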
Expose your Cloud Database as an OData feed
Open protocol for queryable and interoperable RESTful APIs
• Started by Microsoft in 2007
• OASIS standard since Feb 2014
• RESTful APIs instead of SQL
• Allows rapid development
OData supports:
• Filtering
• Ordering
• Joining
• Paging
• Transactions
Troubleshooting Tips
• Common cause: firewalls blocking connections
• Troubleshooting: run traceroute, e.g.
  – traceroute -T -p 1521 <IP of DBaaS host> (for DBaaS; you can find the DBaaS host public IP in the DBaaS Service Console)
  – traceroute -T -p 1522 <public hostname for your Exadata Express Cloud Service> (you can find the public hostname in the tnsnames.ora file, which is included in the zip file downloaded from the Service Console. Example: dbaccess.us2.oraclecloudapps.com)
  – Identify where it is failing and take appropriate actions
Note that -T makes traceroute send TCP SYN probes to the listener port, which needs raw-socket privilege (root or CAP_NET_RAW); a plain ICMP traceroute can reach the host while the TCP port is still filtered, so test the port, not just the host.
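A probe that separates the failure modes the slide asks you to identify, as an added example of my own rather than a tool from the deck. It runs from the application host under the application's JVM, so it also exercises the JDK TLS setup: first a TCP connect with a timeout (filtered vs refused vs DNS), then for a TCPS endpoint a TLSv1.2 handshake authenticated with the truststore.jks and keystore.jks from client_credentials.zip. Default host, port, the credential-directory argument and the CLOUD_STORE_PASSWORD variable are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.ConnectException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketTimeoutException;
import java.net.UnknownHostException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/** Added example (not from the deck): listener reachability and TLS handshake probe. */
public final class ListenerProbe {

    public enum Result { OPEN, REFUSED, FILTERED, UNKNOWN_HOST }

    /** TCP reachability of the listener port, the same question traceroute -T -p asks. */
    public static Result probeTcp(String host, int port, int timeoutMs) throws IOException {
        try (Socket s = new Socket()) {
            s.connect(new InetSocketAddress(host, port), timeoutMs);
            return Result.OPEN;
        } catch (UnknownHostException e) {
            return Result.UNKNOWN_HOST;   // DNS problem, not a firewall
        } catch (ConnectException e) {
            return Result.REFUSED;        // host reachable, nothing listening (or a firewall sending RST)
        } catch (SocketTimeoutException e) {
            return Result.FILTERED;       // typical of a firewall silently dropping the SYN
        }
    }

    private static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * TCPS (port 1522): complete a TLSv1.2 handshake that trusts only the CA in
     * truststore.jks and presents the client certificate from keystore.jks,
     * returning the negotiated cipher suite.
     */
    public static String probeTls(String host, int port, String credDir, char[] password)
            throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(credDir + "/truststore.jks", password));
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks(credDir + "/keystore.jks", password), password);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.setEnabledProtocols(new String[] {"TLSv1.2"});
            // Host name check on the server certificate: the JSSE analogue of
            // oracle.net.ssl_server_dn_match=true.
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(p);
            s.startHandshake();
            return s.getSession().getCipherSuite();
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "dbaccess.us2.oraclecloudapps.com";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 1522;
        Result r = probeTcp(host, port, 5000);
        System.out.println(host + ":" + port + " -> " + r);
        if (r == Result.OPEN && args.length > 2) {
            // args[2] = directory of the unzipped client_credentials.zip
            char[] pw = System.getenv("CLOUD_STORE_PASSWORD").toCharArray();
            System.out.println("TLSv1.2 handshake OK, cipher suite " + probeTls(host, port, args[2], pw));
        }
    }
}
```

A FILTERED result with the public IP confirmed in the Service Console points at the access rule (port 1521/1522 not opened for your source address); REFUSED with the right port means the packet arrived and the listener is not there; a handshake that fails after OPEN is a JDK, policy-file or keystore problem on the client, not a network one.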
ProgramAgenda
Whatarewetalkingabout?
SecuritySettings
Demos
JavaBestPractices
Questions5
2
1
3
4
37