Running Oracle SOA Suite on Docker - Part 4: (Quick-)starting an environment


Johannes Michler PROMATIS Horus Oracle


Executive Vice President – Head of Platforms & Development

Operating (installing and maintaining) Oracle Fusion Middleware, especially Oracle SOA Suite 12.2.1.4, is quite some work. Not only does the installation itself consist of a number of steps, but each quarterly critical patch update also requires applying a number of patches and, especially in simple, single-server environments, quite some downtime.

This blog post series covers how to run Oracle Fusion Middleware, especially Oracle SOA Suite, on Docker. The first post covered the high-level steps of manual installation and the Docker and Kubernetes options, and has pointers to the relevant Oracle certification documentation. The second post then described how, using OCI and Oracle Linux, a host to run Docker containers can be set up within minutes. After that, in the third post, we covered provisioning an Oracle Database instance to hold the metadata of Oracle SOA Suite.

In this 4th episode we will cover how we can quickly create a metadata repository, then configure and start a SOA Suite environment in headless mode.

In the next episode I'll demonstrate an alternative and show how the graphical RCU and config utility can be used within docker. In upcoming episodes we will cover patching and more advanced deployment options.

Creating the SOA Suite docker container

To configure the details of the "to be created" metadata repository, create an adminserver.env file as follows:

CONNECTION_STRING=myxe1:1521/freepdb1
RCUPREFIX=SOA2
DB_PASSWORD=Promatis1
DB_SCHEMA_PASSWORD=Promatis1
ADMIN_PASSWORD=Promatis1
DOMAIN_NAME=soainfra
DOMAIN_TYPE=soa
ADMIN_HOST=soaadmin2
ADMIN_PORT=7001
PERSISTENCE_STORE=jdbc

Next, we create the SOA Suite docker container especially used for rcu:

docker volume create soa1_userprojects
docker run -d --rm --name soaadmin2 --network soanet1 -v soa1_userprojects:/u01/oracle/user_projects -p 7001:7001 --env-file ./adminserver.env container-registry.oracle.com/middleware/soasuite_cpu:12.2.1.4-jdk8-ol7-240117

Monitor the creation of the metadata repository (through rcu) and of the domain:

docker logs -f soaadmin2

After the AdminServer is started we can start a managed server. For this we prepare a soa_server1_r2.env as follows:

MANAGED_SERVER=soa_server1
DOMAIN_NAME=soainfra
ADMIN_HOST=soaadmin2
ADMIN_PORT=7001
ADMIN_PASSWORD=Promatis1
MANAGED_SERVER_CONTAINER=true
MANAGEDSERVER_PORT=8001

Then we can start the soa_server1 as a separate (but connected) docker container:

docker run -d --rm --name soams1 --network soanet1 -v soa1_userprojects:/u01/oracle/user_projects -p 8001:8001 --env-file ./soa_server1_r2.env container-registry.oracle.com/middleware/soasuite_cpu:12.2.1.4-jdk8-ol7-240117 "/u01/oracle/container-scripts/startMS.sh"

You should now be able to access the SOA Suite environment through a browser.
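The monitoring step and the managed-server start above can be chained in a script. This is an added example, not part of the original post or of Oracle's container scripts; it assumes the AdminServer log contains WebLogic's "Server state changed to RUNNING" line, and the LOGS_CMD hook, the function names and the script name are made up for illustration.

```shell
#!/bin/sh
# Added example: gate the managed-server start on the AdminServer log
# instead of watching "docker logs -f" by hand.
# Assumption: the AdminServer prints "Server state changed to RUNNING".

LOGS_CMD=${LOGS_CMD:-"docker logs"}   # overridable so the loop can be exercised offline
IMAGE=container-registry.oracle.com/middleware/soasuite_cpu:12.2.1.4-jdk8-ol7-240117

# wait_for_running <container> [tries] [seconds between tries]
# returns 0 = RUNNING seen, 1 = gave up, 2 = logs unavailable (container gone)
wait_for_running() {
  wfr_name=$1 wfr_tries=${2:-180} wfr_sleep=${3:-10}
  while [ "$wfr_tries" -gt 0 ]; do
    # The admin container was started with --rm, so if RCU or the domain
    # creation fails the container is removed and "docker logs" itself fails.
    if ! wfr_out=$($LOGS_CMD "$wfr_name" 2>&1); then
      echo "no logs for $wfr_name: container is gone or was never started" >&2
      return 2
    fi
    case $wfr_out in
      *"Server state changed to RUNNING"*) return 0 ;;
    esac
    wfr_tries=$((wfr_tries - 1))
    sleep "$wfr_sleep"
  done
  echo "gave up waiting for $wfr_name to reach RUNNING" >&2
  return 1
}

# Same command as in the post, using the env file prepared above
start_managed_server() {
  docker run -d --rm --name soams1 --network soanet1 \
    -v soa1_userprojects:/u01/oracle/user_projects -p 8001:8001 \
    --env-file ./soa_server1_r2.env "$IMAGE" \
    "/u01/oracle/container-scripts/startMS.sh"
}

# Run as: sh start_ms_when_ready.sh start   (script name is hypothetical)
if [ "${1:-}" = "start" ]; then
  wait_for_running soaadmin2 && start_managed_server
fi
```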

Some more scenarios are described over there: https://github.com/oracle/docker-images/tree/main/OracleSOASuite/dockerfiles/12.2.1.4.

Summary

By using scripts for automating rcu and domain creation it is possible to create the metadata repository as well as configure the domain for Oracle SOA Suite quickly. In an upcoming blog post we'll cover how a domain can be configured in a fully flexible way, how the docker image can get patched as well as which other options are available to create a SOA Suite environment in OCI.


Automating Code Signing with multiple E-Business Suite instances - Part 3

Johannes Michler PROMATIS Horus Oracle


Executive Vice President – Head of Platforms & Development

As you are probably aware by now, since June 1st 2023 all well-known / public Certificate Authorities (CA) no longer provide Code Signing Certificates using pure software based private keys (see https://www.linkedin.com/posts/johannes-michler-099892ab_code-signing-key-storage-requirements-will-activity-7090432157688492032-jGvC).

Since I prefer using such a trusted / public CA to sign Java Applets (that are still crucial for Oracle E-Business Suite or Oracle Forms) I've recently had a look into how we can now sign those Java JAR files. Part 1 of this blog series introduced the topic and an available "Cloud Based" Code Signing Certificate provider: Signing EBS/Forms - Part 1

In a second part I covered how the code signing can be done on an E-Business Suite Application Server running on Oracle Linux 7 on Oracle Cloud Infrastructure (OCI).

This third post will look at how we can further automate this by installing the Certum tools onto the E-Business Suite Cloud Manager VM. First, we'll cover the latest changes from Certum, then we'll look into some scripts that can be used on multiple E-Business Suite application servers to send the .jar files for signing to that central signing instance.

Certum Tool updates (April 2024)

Back in the previous post, I complained about the incomplete translation of the Certum tools still revealing a lot of Polish error messages. While it seems this is fixed at least partially, I realized that the 2.9.9 version available at https://files.certum.eu/software/SimplySignDesktop/Linux-RedHat/ leads to fatal crashes (segmentation fault). That is why for now I stuck with the 2.9.8 release.

Installing Certum SimplySignDesktop as a non-root user

When installing the SimplySignDesktop tool according to the official documentation it is necessary to do so globally/as the root user. Since I didn't like the tool to modify my cloud manager VM in that massive way, I've investigated what the installer actually does. With that I was able to get the tool running with a way less privileged user (that I call certum). Run the following as root:

yum install https://rpmfind.net/linux/epel/8/Everything/x86_64/Packages/s/stalonetray-0.8.3-15.el8.x86_64.rpm
yum install libxslt.x86_64 pulseaudio-libs-glib2.x86_64 libwebp.x86_64 xkeyboard-config
useradd certum
sudo su - certum
mkdir .ssh
vi .ssh/authorized_keys
# add the SSH public key(s) of your oracle@ebs-appserver
chmod 700 .ssh
chmod 600 .ssh/authorized_keys

Then connect an SSH session with X forwarding as certum:

wget https://files.certum.eu/software/SimplySignDesktop/Linux-RedHat/2.9.8-9.1.6.0/SimplySignDesktop-2.9.8-9.1.6.0-x86_64-prod-centos.bin
sh SimplySignDesktop-2.9.8-9.1.6.0-x86_64-prod-centos.bin --target /home/certum/
cp /home/certum/SSD-2.9.8-dist/SimplySignDesktop.xml /home/certum/

Create a /home/certum/provider_simplysign.cfg file as follows:

name=SimplySignDesktop/SimplySignPKCS
library=/home/certum/SSD-2.9.8-dist/SimplySignPKCS_64-MS-1.0.20.so
slot=-1

Furthermore, create a script startGUI.sh as follows:

export LD_LIBRARY_PATH=/home/certum/SSD-2.9.8-dist/
export QT_QPA_PLATFORM_PLUGIN_PATH=/home/certum/SSD-2.9.8-dist/plugins
export OPENSSL_CONF=/etc/ssl/
stalonetray &
/home/certum/SSD-2.9.8-dist/SimplySignDesktop

Finally, start the script and sign in with a one-time token.

Do a test as follows (in a new SSH session):

/home/certum/SS-9.1.6.0-dist/jre/bin/keytool -list -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerArg /home/certum/provider_simplysign.cfg -v

This will provide an alias, in our case: 4F4F410D1234A9110B16DA9C83BD6F59

Furthermore, create a /home/certum/mychain.pem file as described in the previous episode.

Passing the jars

On the E-Business Apps-Server first create a ~/sign_1.sh script as follows:

folderstamp=$(date +%Y-%m-%d-%H:%M)
mkdir -p "/home/oracle/sign_bkp/${folderstamp}"
jar=$1
# Keep a backup, then remove the signature from jar files created through ADADMIN in EBS
echo " ** Removing EBS signature from: ${jar} "
cp -i "${jar}" "/home/oracle/sign_bkp/${folderstamp}/"
zip -d "${jar}" 'META-INF/*.SF' 'META-INF/*.RSA'
# Copy the unsigned jar to the central signing instance
scp "${jar}" certum@10.1.2.199:/tmp/signing-dummy.jar

# Sign it there through the SimplySign PKCS11 provider
ssh certum@10.1.2.199 "/home/certum/SS-9.1.6.0-dist/jre/bin/jarsigner -keystore NONE -tsa \"http://time.certum.pl\" -certchain /home/certum/mychain.pem -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /home/certum/provider_simplysign.cfg -storepass 12345 /tmp/signing-dummy.jar 4F4F410D1234A9110B16DA9C83BD6F59"

# Fetch the signed jar back to its original location
scp certum@10.1.2.199:/tmp/signing-dummy.jar "${jar}"

The script first creates a backup of the jar, then removes the existing signature from the .jar file and copies it to the Cloud Manager VM (in my case with IP 10.1.2.199). There the jar is signed, and finally the signed .jar is copied back to the E-Business Suite Apps Tier.

This allows signing a single .jar file; the script may be helpful when applying a patch with "options=nojarsigning". In that case there should be a file such as /u01/install/APPS/fs_ne/EBSapps/log/adop/176/20240327_132920/apply/mastebsapp01/36177213/log/jarlist.txt containing all the .jar files that require re-signing.

For the initial signing the procedure in the previous episode can be combined with the copying of the .jar to the Cloud Manager VM.

Verifying and patching

As an alternative to signing "just" the files in $NE_BASE/EBSapps/log/adadmin/log/jarlist.txt I found it useful to just sign all .jar files under $JAVA_TOP. For this the following script proved helpful:

folderstamp=$(date +%Y-%m-%d-%H:%M)
mkdir -p "/home/oracle/sign_bkp/${folderstamp}"
# Select all jar files below $JAVA_TOP/oracle/apps
for jar in $(find "$JAVA_TOP/oracle/apps" -name \*.jar)
do
# Keep a backup, then remove the signature from jar files created through ADADMIN in EBS
echo " ** Removing EBS signature from: ${jar} "
cp -i "${jar}" "/home/oracle/sign_bkp/${folderstamp}/"
zip -d "${jar}" 'META-INF/*.SF' 'META-INF/*.RSA'
scp "${jar}" certum@10.1.2.199:/tmp/signing-dummy.jar
ssh certum@10.1.2.199 "/home/certum/SS-9.1.6.0-dist/jre/bin/jarsigner -keystore NONE -tsa \"http://time.certum.pl\" -certchain /home/certum/mychain.pem -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /home/certum/provider_simplysign.cfg -storepass 12345 /tmp/signing-dummy.jar 4F4F410D1234A9110B16DA9C83BD6F59"
scp certum@10.1.2.199:/tmp/signing-dummy.jar "${jar}"
done

It is helpful to first check whether the $jar is already signed, as follows:

result=$(jarsigner -verify -certs "${jar}" | tr -d '[:space:]')
if [[ "jarverified." != "$result" ]]
then
echo "${jar} needs re-sign: ${result}"
# put the signing here
fi
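Combining the jarlist.txt produced by a patch with the verification check above, as an added example that is not from the original post: it assumes jarlist.txt holds one jar path per line and that ~/sign_1.sh is the script shown earlier; SIGN_CMD, VERIFY_CMD and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: walk a jarlist.txt and re-sign only the jars that fail the
# verification check, then confirm that what came back really verifies.
# Assumptions: one jar path per line; ~/sign_1.sh is the per-jar script above.

SIGN_CMD=${SIGN_CMD:-"$HOME/sign_1.sh"}
VERIFY_CMD=${VERIFY_CMD:-jarsigner}    # overridable so the loop can be tested offline

# true (0) when the jar does not verify cleanly; same string check as in the post
needs_resign() {
  nr_result=$("$VERIFY_CMD" -verify -certs "$1" | tr -d '[:space:]')
  [ "$nr_result" != "jarverified." ]
}

# resign_from_list <jarlist.txt>: prints the number of jars that were re-signed
resign_from_list() {
  rl_signed=0
  while IFS= read -r rl_jar; do
    if [ -z "$rl_jar" ]; then continue; fi
    if [ ! -f "$rl_jar" ]; then
      echo "skipping missing file: $rl_jar" >&2
      continue
    fi
    if needs_resign "$rl_jar"; then
      # sign_1.sh runs ssh, which would otherwise read the rest of the list
      # from stdin; </dev/null keeps the while-read loop intact.
      "$SIGN_CMD" "$rl_jar" </dev/null >&2 || return 1
      # Do not trust the round trip: the jar that came back must verify.
      if needs_resign "$rl_jar"; then
        echo "still not verified after signing: $rl_jar" >&2
        return 1
      fi
      rl_signed=$((rl_signed + 1))
    fi
  done < "$1"
  echo "$rl_signed"
}

# Run as: sh resign_list.sh /path/to/jarlist.txt   (script name is hypothetical)
if [ -n "${1:-}" ]; then
  resign_from_list "$1"
fi
```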

Summary

Using above scripts, it is amazingly easy to sign all .jar files both initially as well as after applying a patch. The version using a "find" on $JAVA_TOP may sign "a bit more than needed", but in my experience that does not do any harm.

I am still hoping that Oracle will provide a way to "Hook" a script such as sign_1.sh into the signing process called during patching or through adadmin. This would probably be announced in "Signing EBS Jar Files With HSM (Hardware Security Module) - (Doc ID 2806640.1)".

First impression on E-Business Suite Cloud Manager 23.1.1


Johannes Michler PROMATIS Horus Oracle


Executive Vice President – Head of Platforms & Development

This week, the Oracle E-Business Suite on OCI team released the latest release 23.1.1 of E-Business Suite Cloud manager: “Getting Started with Oracle E-Business Suite on Oracle Cloud Infrastructure (Doc ID 2517025.1)”.

Let’s have a quick look at the new features.

New Compute and Database Shapes

Finally, E-Business Suite Cloud Manager is supporting the latest AMD E4.Flex and Intel E3.Flex shapes not only for running the application server or the database tier “on compute” but also with the PaaS service for the database. This is especially important in situations where no / not enough tech licenses for the Database EE are available.

While with the database PaaS service it is still not possible to flexibly scale the available memory up and down, those new shapes have a way better performance/price ratio than the previous VM.Standard.2 shapes. Furthermore, there is typically a little bit more memory available, which comes in handy especially for small dev/test environments.

For performance measurements on the relevant CPU cores, see the article Benchmarking CPUs for Oracle E-Business Suite (Database).

The new shapes are nicely integrated into the provisioning flow:

Hopefully, in the future it will be possible to change the memory assigned flexibly there as well – this is something the Database team will need to implement first though.

Furthermore, the new release allows using VM.Standard3.Flex for Compute instances (Apps- or Database tier). However, I still think that E4.Flex provides the better performance/price ratio, so that is not so important for me and my customers so far.

More features

Besides those new shapes, with the new release the regions Madrid and Chicago can be used.

Finally, when running the database on Exadata Database Service Dedicated it is now possible to do cloning using snapshots.

Summary

Especially the new database service shapes come in very handy for some upcoming projects of ours. I’m looking forward to using those services and will blog again on some insights during that usage soon.

From a stability point of view the 23.1.1 release luckily so far caused no new regression issues.


Exposing NULL values and Booleans in JSON/REST with Oracle SOA Suite

Johannes Michler PROMATIS Horus Oracle

Executive Vice President – Head of Platforms & Development

Recently we had a couple of projects where we needed to expose data extracted from an Oracle Database through a simple SQL query as a REST service producing JSON. Let’s have a look at how it is possible to control the JSON produced in such a scenario.

Implementation

The composite is very, very trivial:

Composite in SOA Suite

It just maps two URL query parameters to the WHERE condition of the SQL query:

REST Service Configuration

When the service is invoked, unfortunately, the JSON returned is not really “optimal”:

{
  "XxisBlanketMatkoV" : [ {
    "lineId" : 278000,
    "shipSiteAddress1" : "PROMATIS software GmbH",
    "shipSiteAddress2" : "Pforzheimer Str. 160",
    "shipSiteAddress3" : {
      "@nil" : "true"
    },
    "shipSiteAddress4" : {
      "@nil" : "true"
    },
    "shipSiteCountry" : "DE",
    "shipSitePlz" : "76275",
    "bulkFlag" : "N"
  } ]
}

Issues with initial version

This is ugly for two reasons:

• One usually does not describe NULL values in JSON like that. It would be better to either “omit” the element "shipSiteAddress3" or have it set to "shipSiteAddress3": null.
• bulkFlag is a boolean; it would be better to have this as "bulkFlag" : false.

Of course, there is an obvious solution to this: just add a mediator or even a BPEL process and do an XSLT transformation of the data from the Database Adapter to an explicit schema. There one can map Y/N to true/false using xsl:if and is additionally able to e.g. omit the NULL elements based on xsl:if.

However, this is “one more thing” to maintain, and if the base SELECT changes, this transformation has to be adapted as well.

Producing better “null” values

Obviously, SOA Suite first extracts the data from the database column SHIP_SITE_ADDRESS4 (which is NULL) to an XML representation of

<shipSiteAddress3 xsi:nil="true"/> and then translates that attribute into a JSON child "@nil"=true.

Luckily, in the meantime SOA Suite got a patch 31926382 (which is part of SOA Bundle Patch 12.2.1.4.221122). With that patch, according to 2764402.1, one is able to modify the XSD that defines the XML elements that in the end are converted to JSON as follows:

Modified XML Schema

Just add:

xmlns:nxsd="http://xmlns.oracle.com/pcbpel/nxsd" nxsd:version="JSON" nxsd:encoding="UTF-8" nxsd:isNillableSupported="true"

and the @nil will be converted to “proper” null values.

true and false

Unfortunately, pure (Oracle) SQL does not support boolean data types in the database so far. This also makes it a bit difficult to produce true/false when fetching data through the JCA Database adapter of SOA Suite. I managed to fix this by doing the following:

1. Returning 0 for false and 1 for true in the SQL field of “bulk_flag”,
2. modifying the or-mappings.xml to:
<attribute-mapping xsi:type="direct-mapping">
  <attribute-name>bulkFlag</attribute-name>
  <field table="XXIS_BLANKET_MATKO_V" name="BULK_FLAG" xsi:type="column"/>
  <attribute-classification>java.lang.Boolean</attribute-classification>
</attribute-mapping>

(Thus changing it from java.lang.Decimal to java.lang.Boolean.)

Summary: Prettier JSON

By implementing these two tiny changes:

• Add nxsd:isNillableSupported="true" to the schema,
• modify the or-mappings.xml to have <attribute-classification>java.lang.Boolean</attribute-classification>,

the REST service gives us:

{
  "XxisBlanketMatkoV" : [ {
    "lineId" : 278000,
    "shipSiteAddress1" : "PROMATIS software GmbH",
    "shipSiteAddress2" : "Pforzheimer Str. 160",
    "shipSiteAddress3" : null,
    "shipSiteAddress4" : null,
    "shipSiteCountry" : "DE",
    "shipSitePlz" : "76275",
    "bulkFlag" : false
  } ]
}

Which is way better JSON.

Oracle Named a Leader in Gartner® Magic Quadrant™ for Integration Platform as a Service, Worldwide

Oracle Cloud Infrastructure integration services accelerate innovation and connect data ecosystems across distributed cloud environments

Oracle has been named a Leader and positioned highest for ‘Ability to Execute’ and the second position for ‘Vision of Completeness’ by Gartner in the 2023 “Magic Quadrant for Integration Platform as a Service (iPaaS), Worldwide.” The report recognized Oracle as a Leader for the sixth consecutive time.
