Copyright © 2018, eProseed and/or its affiliates. All rights reserved. | Confidential
TIPS & TRICKS FOR ORACLE PAAS ADMINS
Simon Haslam
Bruno Neves Alves
3rd Edition
INSPIRATION FOR THIS PRESENTATION
I have a note where I keep “tips & tricks” I find as I work…
– This is my current list but it is a work in progress (I haven’t done
everything possible in PaaS ☺ )
– Some are opinions, mainly with an Ops/Admin focus – YMMV!
– I have perfectionist tendencies (but am in therapy!) and want to
improve each batch of environments I provision
– Oracle Cloud changes all the time (monthly releases) – in future
they may change/become irrelevant
– Oracle Managed / Autonomous services are making these tips
less relevant
– Even if you are not using services like SOA CS or JCS today
hopefully they may be a useful reference for later
DIFFERENT TYPES OF PAAS, WITH EXAMPLES
(Diagram: a spectrum from Infrastructure as a Service (low level) to Software as a Service (high level), with Autonomous at the top. The PaaS categories shown are: Customer Managed, Advanced customer config. (Oracle SOA Cloud, Oracle Java Cloud, Database Cloud Service / DBaaS); Oracle Managed, Moderate customer config. and Oracle Managed, Minimal customer config. (Oracle Integration Cloud and Oracle DIPC appear in both rows, with Autonomous variants); Oracle & Auto Managed, Minimal customer config. (Autonomous Transaction Processing).)
AGENDA
• Planning: Setup and Identity
• Networking, VPN & Misc
• Operation: SSH and internal access
TIP 1:
KNOW WHETHER YOU WANT OCI OR CLASSIC
Sounds obvious but…
• The noise around Oracle Cloud Infrastructure is deafening!
• State of transition (18Q4) – many PaaS services are now provisioning
via PSM on OCI but Classic is still available.
• Very little ‘new’ PaaS yet on OCI (database & load balancers)
NB: there is no migration between OCI Classic and OCI – think of them as
completely different clouds
Generally use OCI if you can but, if you are in a hurry and it’s not a “forever”
platform, you might be better with Classic currently
Both use IDCS and PSM
OCI Classic (aka OPC) – “Classic”:
– Mature, around for 3-4 years
– Simpler, lower tech
– Blogs, discussions & docs mostly about this
– Legacy but not EOL
OCI (aka Next Gen IaaS) – “Shiny!”:
– New, around for ~2 years
– More sophisticated, esp. DR, better meets enterprise needs
– New services & autonomous are OCI
– Info harder to find, e.g. PaaS+OCI
– Strategic
TIP 2:
KNOW YOUR OCI(C) REGIONS
(Applies to: Classic)
• *com- ones are Classic:
– eucom-*
– gbcom-*
– uscom-*
• <country>- ones are OCI:
– eu-frankfurt-1
– uk-london-1
– us-ashburn-1
– us-phoenix-1
Notes:
– If you have an account created before ~Oct 2017 you may not have any OCI regions in the list
– For PaaS this list is determined by your home region (set during provisioning)
– Govt regions are separate (2 in US, 1 in EMEA)
TIP 3:
PRACTICE ON A TRIAL ACCOUNT
(Applies to: Classic)
• There’s a lot to learn:
– User management
– How consoles look, what names/naming conventions fit
– Auto-generated names
– You usually have one identity domain for both live and test:
how will you manage instances for your organisation?
– You will probably end up with things in the wrong place – usually it’s
easier/quicker to start fresh – you are more likely to delete stuff in a trial account,
especially if your org. has multiple admins
– Makes you less nervous about creating stuff that might cost $$$!
• Downside: trial accounts get burnt up – can be hard to get new ones
TIP 4:
CHOOSE YOUR DOMAIN NAME CAREFULLY
(Applies to: Classic)
• Name is used a lot in URLs and references
– Since IDCS + PaaS the name is in the log-in URL too, e.g.
https://myservices-eproseeduk.console.oraclecloud.com
• You may or may not get to choose
– Depends on how the cloud was purchased and its type – you may get a choice or maybe just
a123456
– Oracle added a feature to rename but that is superficial
• Domains can’t be re-used later AFAIK so think about it carefully,
especially if you are a multi-national
– E.g. I created “eproseeduk” in case we want to use “eproseed” globally
– Are there annoying domain squatters out there…?
• This is probably vanity/perfectionism led! Most corporates may be
happy with a123456 ☺
TIP 5:
BE AWARE THERE ARE 2 IDENTITY DOMAIN TERMS
(Applies to: Classic)
• Prior to IDCS, now called “traditional” ID, there was one “Identity Domain”
– a short name you chose, like mycompany, or,
– for a period Oracle allocated it, e.g. a1234567
• With IDCS (any cloud account provisioned since ~Oct 2017) you have a second “Identity
Domain” or “Identity Service ID” (terms used interchangeably)
– Generated: idcs-******* (32 hex digits)
For API calls know which one you need:
it’s usually the idcs-* one but docs may be out of date
TIP 6:
BE MINDFUL OF OVERLAPPING IDENTITY PROVIDERS
It’s possible to get into funny situations where the initial user/password has been provisioned
in two places and the password only changed in one
(Diagram with three identity stores: Traditional IDM (pre-Oct 2017; “Classic identity only” ID store), IDCS (post-Oct 2017; “most users are here, or federated, e.g. to AD”) and OCI Identity (with federated ID).)
TIP 7:
CREATE A PROVISIONING USER
(Applies to: Classic)
• The username of the user who creates instances & other artefacts ends up in URIs. Default
usernames are email addresses.
• Create a provisioning user – make sure it is only used by scripts, and not for
administration functions
• Create the provisioning user as a name, not an email address
– I like something short, typically just the organisation name
• This concept is valid for:
– IDCS-backed PaaS on Classic since you might be using PSM scripts
– OCI provisioning, which needs an API key defined for the user in the OCI identity domain
TIP 8:
CREATE A STORAGE USER
• The domain name is in the storage container name BUT the storage user is what the
PaaS instances use for backup/restore.
• Oracle Cloud user passwords expire after ~4 months – you can’t prevent this
– If you let them expire your backups will break
– If your database backups break you start using more Recovery Area
– If your Recovery Area fills up the database archiver can’t archive the redo log
– If the archiver can’t archive the redo log the db can’t do a log switch
– BANG!
• Oracle Cloud “password change dance” was possible last year – not sure about now
• Create a separate storage user to limit the scope of a password change
Practise change of Oracle Cloud storage user password before user expiry!!!
TIP 8 (CONTINUED)
STORAGE USER’S REQUIRED PERMISSIONS
• Needs to have: (the required roles are shown as a screenshot in the original slide)
(not just ReadWriteGroup – console allows that… then fails later)
TIP 9:
CREATE A STORAGE CONTAINER PER INSTANCE
(Applies to: Classic)
• When you create service instances that are fully managed by Oracle Cloud (i.e. not
Virtual Image service types) you need to supply a Storage Cloud container
• It’s tempting to have one big bucket but don’t…
– remember in the future you may have 20 instances but want to delete one including its backups – a
storage container per instance makes this much easier to track
• You now have an option in the console and REST API to create a new container at
provisioning time
– I’m not really sure why this isn’t the default
– Not yet the case on OCI – you need to create object containers first
TIP 10:
CHOOSE YOUR TIMING FOR PROVISIONING
• OOW introduces a lot of change (2017 after, 2018
before & after)
– if not bugs then maybe new ways to do things
• Monthly release cycle
• Put provisioning jobs onto a Build Server & run
weekly to minimise surprises
NETWORKING, VPN & MISC
TIP 11:
USE AUTONOMOUS / ORACLE MANAGED
• If available & suitable use Autonomous / Oracle Managed
– Positive experience so far (July-) with API Platform, though primarily it’s the Gateway that is critical
(and that’s on our own infra)
– Doesn’t necessarily mean service level is better, but it’s someone else’s problem!
• This is the “direction of travel”, e.g. look at pricing for Integration Cloud
• Time will tell, especially for early adopters
TIP 12:
APIP OAUTH DEBUGGING
When troubleshooting APIs that you have configured in Oracle API Platform Cloud Service
you can use the following tools:
• Oracle API Platform Cloud Service Analytics: shows the type of error
• jwt.io debugger: tool that lets you inspect OAuth tokens generated by a provider
• Change Oracle API Platform logging policies so you can log the content of objects
See Lonneke Dikman’s (eProseed NL) blog post at:
http://blog.vennster.nl/2017/12/troubleshooting-oracle-api-platform.html
TIP 13:
BUILD YOURSELF A STOP/START SCHEDULER
• Often we size non-prod environments now based on
part-time usage, e.g. 9 hours, weekdays
• There’s no feature in Oracle Cloud Platform to allow you
to simply set up a timetable
• So: create a simple scheduler to do that
– e.g. crontab plus PSM works OK on an IaaS VM or DevCS
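The scheduler the tip describes, as an added example (not code from the slides or from eProseed): a cron-driven Python script that holds a per-instance timetable, decides whether each instance should be up, and only calls the PSM CLI when the reported state disagrees. The `psm <type> start|stop -s <name>` syntax, the instance names and the state table are assumptions.

```python
"""Stop/start scheduler for Oracle PaaS instances (added example; PSM syntax assumed).

Run it from cron, e.g. hourly. It never acts on an instance that is mid-operation,
and by default it only prints the commands it would run (set PSM_BIN to act).
"""
import datetime as dt
import os
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class Window:
    service_type: str        # PSM service type as used on the CLI, e.g. "jcs", "SOA", "dbcs"
    start_hour: int          # first hour the instance should be up (inclusive, local time)
    end_hour: int            # hour by which it should be down again (exclusive)
    weekdays_only: bool = True


# Constructed sample timetable: instance name -> when it should be running
SCHEDULE = {
    "soa-dev":  Window("SOA", 8, 18),
    "jcs-test": Window("jcs", 7, 20),
    "dbcs-dev": Window("dbcs", 8, 18, weekdays_only=False),
}


def wanted_up(window, now):
    """True if the instance should be running at `now` (a datetime)."""
    if window.weekdays_only and now.weekday() >= 5:      # 5 = Saturday, 6 = Sunday
        return False
    return window.start_hour <= now.hour < window.end_hour


def plan_action(current_state, should_be_up):
    """Map the state PSM reports plus the desired state to start / stop / none.
    Only steady states are acted on: anything in flight (STARTING, STOPPING,
    MAINTENANCE, ...) is left alone so the scheduler never fights a running operation."""
    state = current_state.upper()
    if should_be_up and state == "STOPPED":
        return "start"
    if not should_be_up and state in ("READY", "RUNNING"):
        return "stop"
    return "none"


def psm_command(name, window, action):
    """Assumed PSM CLI syntax (not verified against a particular PSM release):
    psm <service-type> start|stop -s <instance-name>"""
    return [os.environ.get("PSM_BIN", "psm"), window.service_type, action, "-s", name]


def reconcile(name, window, current_state, now, dry_run=True):
    """Decide and (unless dry_run) execute the action for one instance; returns the action."""
    action = plan_action(current_state, wanted_up(window, now))
    if action != "none":
        cmd = psm_command(name, window, action)
        if dry_run:
            print("DRY RUN:", " ".join(cmd))
        else:
            subprocess.run(cmd, check=True)   # a non-zero exit aborts the run and shows up in cron mail
    return action


if __name__ == "__main__":
    # A real run would first fetch each instance's state from PSM (assumed: psm <type> service -s <name>);
    # a constructed state table stands in for that here.
    current = {"soa-dev": "READY", "jcs-test": "STOPPED", "dbcs-dev": "READY"}
    now = dt.datetime.now()
    for name, window in SCHEDULE.items():
        print(name, reconcile(name, window, current[name], now, dry_run="PSM_BIN" not in os.environ))
```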
TIP 14:
USE IP NETWORKS
(Applies to: Classic)
• “IP Networks” on Oracle Cloud Infrastructure Classic allow you to
choose your own network numbering, and VMs to talk directly to
one another
• “Shared Network” is the original network where every VM is
allocated to a 4-IP subnet… adds all sorts of complexity
• Going forward: IP Networks will dominate:
– No migration path – you have to re-provision
– If you have any choice then set up IP Networks from the start!
This relates to Classic – for OCI you will have to use VCNs anyway
TIP 15:
WATCH OUT FOR IP RESERVATIONS ON IP NETWORKS
(Applies to: Classic)
• There was no method to reserve internal IPs (not public IPs) – they depended on VM start-up order
• Critical if you have on-prem firewall rules to specific cloud IP Network addresses
• This was an Enhancement Request but according to a recent SR you can now specify IP
reservation at time of provisioning… needs verification though
TIP 16:
NO OVERLAPPING NETWORKS ON VPNAAS
Example (diagram): On-premises 10.5.0.0/16, with a VPNaaS tunnel to IP Network 10.5.1.0/8 and a VPNaaS tunnel to IP Network 10.6.1.0/8; one combination is marked ✓.
i.e. not how you’d expect with normal routing
VCN/IP network planning – liaise with all your network teams to choose global network
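A planning check for the point above, as an added example (not from the slides): feed it every prefix that will sit behind a VPNaaS tunnel, on-premises and cloud side, and it reports each overlapping pair. It also flags a prefix written with host bits set (the slide's 10.5.1.0/8 really denotes 10.0.0.0/8), since that usually means a mask typo. The sample plan is constructed from the slide's numbers.

```python
"""Overlap check for an address plan that will be joined by VPNaaS tunnels (added example)."""
import ipaddress
from itertools import combinations

# Constructed address plan modelled on the slide's example
PLAN = {
    "on-premises":  "10.5.0.0/16",
    "ip-network-a": "10.5.1.0/8",
    "ip-network-b": "10.6.1.0/8",
}


def parse_plan(plan):
    """Parse CIDRs leniently; return (label -> network, warnings).
    A prefix with host bits set is accepted but reported, because 10.5.1.0/8 is
    almost always a typo for a narrower mask rather than a deliberate 10.0.0.0/8."""
    nets, warnings = {}, []
    for label, cidr in plan.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if str(net) != cidr:
            warnings.append(f"{label}: {cidr} has host bits set, treated as {net}")
        nets[label] = net
    return nets, warnings


def find_overlaps(plan):
    """Sorted list of (label_a, label_b) pairs whose prefixes overlap
    (one contains the other, or they are identical)."""
    nets, _ = parse_plan(plan)
    pairs = []
    for (a, na), (b, nb) in combinations(sorted(nets.items()), 2):
        if na.version == nb.version and na.overlaps(nb):
            pairs.append((a, b))
    return pairs


def report(plan):
    """Human-readable lines: warnings first, then overlaps, or a single OK line."""
    nets, warnings = parse_plan(plan)
    lines = list(warnings)
    for a, b in find_overlaps(plan):
        lines.append(f"OVERLAP: {a} ({nets[a]}) and {b} ({nets[b]})")
    if not lines:
        lines.append("OK: no overlapping prefixes")
    return lines


if __name__ == "__main__":
    for line in report(PLAN):
        print(line)
```

With the two cloud networks corrected to /24 the check still flags 10.5.1.0/24 against the on-premises 10.5.0.0/16 and passes 10.6.1.0/24, which is the combination the slide ticks.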
OPERATION: SSH AND INTERNAL ACCESS
TIP 17:
CREATE SSH USERS FOR VM ADMINS
• Have centralised, secret OPC SSH key-pairs
– Don’t be lazy… I typically have one for each env type (prod, acceptance, test, etc)
– You may choose to have a super-user keypair per instance (if you are fully scripted and have good key)
• Don’t give out the OPC private key for admin use – if admins need to access the VMs
create local accounts for them
• You probably should re-generate your opc keypair periodically
• Medium term – I’d like to authenticate against LDAP or IDCS
RELATED
Cloud Ops/Admins should have their own Oracle Cloud users with appropriate privs
(easy to revoke etc – remember Oracle Cloud console is available outside the corporate
firewall)
TIP 18:
CREATE AT LEAST 3 VM UNIX USER GROUPS
• It’s pretty rare for users to need SSH access to PaaS VMs; when they do, their roles might be:
– Non-privileged user – not too much use but possibly for tunnelling SQL*Net if you don’t have VPN
– Admin user allowed to sudo to oracle <= most common
– Admin user allowed to sudo to root
• Oracle Support expects you to have root, e.g. to fix backup issues (even though they are often just writing to an Oracle
owned filesystem or calling RMAN)
TIP 19:
CREATE UNIX USERS ONLY USING SCRIPTS
• Only specific users are allowed to SSH in (hard-coded list in sshd_config)
• SSH is used for ALL low level access to the VM
– Your admins
– The OPC admin account
– Oracle Cloud tooling
• If you break the SSH login configuration you will not be able to log in!
– The VM boot attempts to make sure the oracle and opc keys are correct
– Oracle SM can try to push in a new OPC key only if cloud tooling access is working
• Built-in opc user setup/repair scripts are different in JCS compared to DBaaS (and probably
others)!
• You only really find out for sure after an instance restart
Excellent idea from audience at DOAG: Configure a second SSH daemon just for support users
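One way to script the AllowUsers change the tip warns about, as an added example (not the authors' own scripts): the edit is idempotent, refuses to drop the opc/oracle accounts the platform tooling depends on, and the new file is only installed after OpenSSH itself accepts it via `sshd -t -f` on a temporary copy. The sample sshd_config fragment and user names are constructed; handling of a single AllowUsers line is an assumption (sshd treats several such lines cumulatively).

```python
"""Safe, scripted edits to the sshd AllowUsers list (added example; sample data constructed)."""
import re
import shutil
import subprocess
import tempfile

# Accounts the platform relies on for low-level access (the OPC admin account and
# Oracle Cloud tooling, per the slide). Never removed, whatever the caller asks for.
PROTECTED_USERS = ("opc", "oracle")

# Constructed sample of the relevant part of /etc/ssh/sshd_config
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
AllowUsers opc oracle
Subsystem sftp /usr/libexec/openssh/sftp-server
"""

_ALLOW_RE = re.compile(r"^([ \t]*AllowUsers[ \t]+)(.*)$", re.MULTILINE)
_USER_RE = re.compile(r"[a-z_][a-z0-9_-]*")


def allowed_users(config_text):
    """Users on the (first) AllowUsers line, in order; [] if there is none."""
    m = _ALLOW_RE.search(config_text)
    return m.group(2).split() if m else []


def set_allowed_users(config_text, add=(), remove=()):
    """Return new config text with users added/removed, preserving order and avoiding
    duplicates. Refuses to create an AllowUsers line where none exists (that would start
    denying every unlisted user) and to remove PROTECTED_USERS."""
    m = _ALLOW_RE.search(config_text)
    if not m:
        raise ValueError("no AllowUsers line; refusing to create one and change policy")
    users = allowed_users(config_text)
    for u in remove:
        if u in PROTECTED_USERS:
            raise ValueError(f"refusing to remove protected user {u}")
        users = [x for x in users if x != u]
    for u in add:
        if not _USER_RE.fullmatch(u):
            raise ValueError(f"invalid user name {u!r}")
        if u not in users:
            users.append(u)
    return config_text[:m.start(2)] + " ".join(users) + config_text[m.end(2):]


def validate(config_text):
    """True only when `sshd -t -f <tmpfile>` accepts the config. A missing sshd binary
    (running this on a laptop) counts as failure so nothing is installed blind."""
    if shutil.which("sshd") is None:
        return False
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as f:
        f.write(config_text)
        path = f.name
    return subprocess.run(["sshd", "-t", "-f", path], capture_output=True).returncode == 0


def install(path, new_text):
    """Write new_text to path only after validation, keeping a .bak to roll back from.
    Reload sshd afterwards and test a fresh login before closing your existing session."""
    if not validate(new_text):
        raise RuntimeError("sshd rejected the new config; current file left in place")
    shutil.copy2(path, path + ".bak")
    with open(path, "w") as f:
        f.write(new_text)
```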
TIP 20:
ALLOCATE TIME FOR TLS CONFIGURATION
• Oracle doesn’t do much for you on TLS (SSL)
– JCS/SOACS use demo certificates with Cert Gen CA (i.e. easy to forge)
– Uses Key Store Service in database (new with 12.1.2)
• You can re-use all your old WLST etc for TLS config though ☺
– But if you have an internal CA some of the Cloud Monitoring (if you use that) breaks
With any luck Oracle will build (or buy) its own Certificate
Authority – then it could set up TLS automatically
SUMMARY
• Customer-managed Oracle PaaS experience is very similar to what
you’re used to for on-prem systems ☺
• Classic & Oracle Cloud Infrastructure are in a state of transition
• Cloud is heading to Oracle Managed / Autonomous
• You still need to plan your environments
• Support is about the same as before
• Follow the tips & tweet us with any new ones ☺
ABOUT EPROSEED
• Focussed only on Oracle technology
• Globally distributed with centralised delivery
management and local resources
• 5 active ACE Directors, 2 Dev Champions, 8 OCM
• 19 Oracle Excellence Awards in 8 years
• 25 Oracle Specializations… and counting.
• Local offices in UK, NL, PT… & Head Office in Luxembourg
ABOUT US
Simon Haslam (@simon_haslam)
• Platform / Infrastructure Architect
• Focus includes HA, DR, security, automation
Bruno Neves Alves (@b_alves)
• Integration Specialist
• SOACS & Oracle Integration Cloud tech lead
Relevant to this session
• Researching JaaS/JCS from Spring 2015; OTN webcasts Autumn 2015
• Built SOA & DB CS in May 2016 (first production SOA CS in EMEA), inc Corente
• Designed & built SOA CS integration platform for global use since Oct 2017, inc VPNaaS
ORACLE ACE PROGRAM
3 Membership Tiers
• Oracle ACE Director
• Oracle ACE
• Oracle ACE Associate
bit.ly/OracleACEProgram
500+ Technical Experts Helping Peers Globally
Connect:
• Nominate yourself or someone you know: acenomination.oracle.com
• @oracleace
• Facebook.com/oracleaces
• oracle-ace_ww@oracle.com
IF YOU LIKED THIS YOU MIGHT LIKE…
(Other sessions on Monday and Wednesday shown as images in the original slide; today: Tips & Tricks for Oracle PaaS Admins)

More Related Content

PDF
What You Need to Know about Oracle Cloud Connectivity
PDF
Platform Provisioning Automation for Oracle Cloud
PPTX
Oracle IaaS/PaaS - Experience Technology Night
PDF
Oracle Ravello Presentation 7Dec16 v1
PDF
A2 run vmware_workloads_on_public_cloud-without_any_change
PPTX
Oracle Ravello
PPTX
Oracle cloud, private, public and hybrid
PPTX
Oracle IaaS including OCM and Ravello
What You Need to Know about Oracle Cloud Connectivity
Platform Provisioning Automation for Oracle Cloud
Oracle IaaS/PaaS - Experience Technology Night
Oracle Ravello Presentation 7Dec16 v1
A2 run vmware_workloads_on_public_cloud-without_any_change
Oracle Ravello
Oracle cloud, private, public and hybrid
Oracle IaaS including OCM and Ravello

What's hot (20)

PPTX
Designing Telco Scaled OpenStack Architectures
PPTX
RethinkDB on Oracle Linux
PDF
A1 keynote oracle_infrastructure_as_a_service_move_any_workload_to_the_cloud
PPTX
Enterprise Ready OpenStack, Wiekus Beukes, Oracle
PPTX
Oracle Database Cloud Service
PDF
OpenStack + Cloud Foundry for the OpenStack Boston Meetup
PDF
Polyglot! A Lightweight Cloud Platform for Java SE, Node, and More
PDF
Lightweight Java in the Cloud
PDF
MySQL Manchester TT - Replication Features
PDF
MySQL Intro JSON NoSQL
PPT
MySQL Tech Tour 2015 - 5.7 Connector/J/Net
PDF
Intelligently Collecting Data at the Edge - Intro to Apache MiNiFi
PDF
EclipseLink: Beyond Relational and NoSQL to Polyglot and HTML5
PDF
How to get started with Oracle Cloud Infrastructure
PDF
Oracle database in cloud, dr in cloud and overview of oracle database 18c
PDF
MySQL Tech Tour 2015 - Alt Intro
PDF
Using oracle vm virtual box as your development platform
PDF
OpenStack in Action 4! Franz Meyer - What Use Case does Red Hat Enterprise ...
PDF
My sql en la nube conoce las mejores prácticas en administración y operación_...
PDF
Oracle vm engineered for open cloud
Designing Telco Scaled OpenStack Architectures
RethinkDB on Oracle Linux
A1 keynote oracle_infrastructure_as_a_service_move_any_workload_to_the_cloud
Enterprise Ready OpenStack, Wiekus Beukes, Oracle
Oracle Database Cloud Service
OpenStack + Cloud Foundry for the OpenStack Boston Meetup
Polyglot! A Lightweight Cloud Platform for Java SE, Node, and More
Lightweight Java in the Cloud
MySQL Manchester TT - Replication Features
MySQL Intro JSON NoSQL
MySQL Tech Tour 2015 - 5.7 Connector/J/Net
Intelligently Collecting Data at the Edge - Intro to Apache MiNiFi
EclipseLink: Beyond Relational and NoSQL to Polyglot and HTML5
How to get started with Oracle Cloud Infrastructure
Oracle database in cloud, dr in cloud and overview of oracle database 18c
MySQL Tech Tour 2015 - Alt Intro
Using oracle vm virtual box as your development platform
OpenStack in Action 4! Franz Meyer - What Use Case does Red Hat Enterprise ...
My sql en la nube conoce las mejores prácticas en administración y operación_...
Oracle vm engineered for open cloud
Ad

Similar to Tips & Tricks for Oracle PaaS Admins (20)

PDF
Tips & Tricks for Oracle PaaS Admins
PDF
Tips & Tricks for Java & SOA Cloud Service
PDF
Provisioning with Oracle Cloud Stack Manager
PPTX
Oow2016 review--paas-microservices-
PDF
Experiences of SOACS
PDF
Running SOA in the Cloud: SOA CS for SOA Suite Customers
PPTX
Cloud in Action
PPTX
apidays LIVE Paris - Bringing Cloud Native to a world of SaaS by Robert Wunde...
PPTX
Cloud Made Easy - August 2017
PPTX
Cedar Day 2018 - Cloud IaaS - Ken MacMahon
PPTX
AMIS Oracle OpenWorld 2015 Review – part 3- PaaS Database, Integration, Ident...
PDF
SOACS-Overview.pdf
PDF
Beneficios de la coexistencia de ambientes híbridos utilizando SOA
PPTX
Move your oracle apps to oci
PDF
Many Clouds, Many Choices (Oracle)
PPTX
AMIS Oracle OpenWorld en Code One Review 2018 - Pillar 2: SaaS
PPTX
AMIS Oracle OpenWorld & CodeOne Review - Pillar 2 - SaaS and Standard Applica...
PDF
Connecting Oracle Cloud to your Data Centre (Part A)
PDF
Embracing SOA and the Cloud
PDF
Valor diferencial de la propuesta cloud
Tips & Tricks for Oracle PaaS Admins
Tips & Tricks for Java & SOA Cloud Service
Provisioning with Oracle Cloud Stack Manager
Oow2016 review--paas-microservices-
Experiences of SOACS
Running SOA in the Cloud: SOA CS for SOA Suite Customers
Cloud in Action
apidays LIVE Paris - Bringing Cloud Native to a world of SaaS by Robert Wunde...
Cloud Made Easy - August 2017
Cedar Day 2018 - Cloud IaaS - Ken MacMahon
AMIS Oracle OpenWorld 2015 Review – part 3- PaaS Database, Integration, Ident...
SOACS-Overview.pdf
Beneficios de la coexistencia de ambientes híbridos utilizando SOA
Move your oracle apps to oci
Many Clouds, Many Choices (Oracle)
AMIS Oracle OpenWorld en Code One Review 2018 - Pillar 2: SaaS
AMIS Oracle OpenWorld & CodeOne Review - Pillar 2 - SaaS and Standard Applica...
Connecting Oracle Cloud to your Data Centre (Part A)
Embracing SOA and the Cloud
Valor diferencial de la propuesta cloud
Ad

More from Simon Haslam (20)

PDF
Platform Engineering for the Modern Oracle World
PDF
Better Practices when Using Terraform to Manage Oracle Cloud Infrastructure
PDF
The Kubernetes WebLogic revival (part 2)
PDF
The Kubernetes WebLogic revival (part 1)
PDF
Terrraform meet Oracle Cloud: Platform Provisioning Automation
PDF
Delivering Mobile Apps to the Field with Oracle
PDF
Oracle SOA Cloud - Skanska Customer Journey
PDF
Delivering Mobile Apps to the Field with Oracle JET
PDF
JET Hybrid Mobile Apps - taster for Oracle CodeOne
PDF
Delivering Mobile Apps to the field using Oracle
PDF
Provisioning with Oracle Cloud Stack Manager
PDF
SOA & WebLogic - Lift & Shift to the Cloud
PDF
Driving DevOps for Oracle with the orawls Puppet Modules
PDF
3 Ways to Connect to the Oracle Cloud
PDF
SSL Everywhere!
PDF
Oracle Traffic Director - a vital part of your Oracle infrastructure
PDF
Java & SOA Cloud Service for Fusion Middleware Administrators
PDF
Ten Real-World Customer Configurations on Oracle Database Appliance
PDF
What should I do now?! JCS for WebLogic Admins
PDF
Living with the Oracle Database Appliance
Platform Engineering for the Modern Oracle World
Better Practices when Using Terraform to Manage Oracle Cloud Infrastructure
The Kubernetes WebLogic revival (part 2)
The Kubernetes WebLogic revival (part 1)
Terrraform meet Oracle Cloud: Platform Provisioning Automation
Delivering Mobile Apps to the Field with Oracle
Oracle SOA Cloud - Skanska Customer Journey
Delivering Mobile Apps to the Field with Oracle JET
JET Hybrid Mobile Apps - taster for Oracle CodeOne
Delivering Mobile Apps to the field using Oracle
Provisioning with Oracle Cloud Stack Manager
SOA & WebLogic - Lift & Shift to the Cloud
Driving DevOps for Oracle with the orawls Puppet Modules
3 Ways to Connect to the Oracle Cloud
SSL Everywhere!
Oracle Traffic Director - a vital part of your Oracle infrastructure
Java & SOA Cloud Service for Fusion Middleware Administrators
Ten Real-World Customer Configurations on Oracle Database Appliance
What should I do now?! JCS for WebLogic Admins
Living with the Oracle Database Appliance

Recently uploaded (20)

PDF
Enhancing emotion recognition model for a student engagement use case through...
PDF
DP Operators-handbook-extract for the Mautical Institute
PDF
Assigned Numbers - 2025 - Bluetooth® Document
PPTX
Modernising the Digital Integration Hub
PDF
A contest of sentiment analysis: k-nearest neighbor versus neural network
PPTX
Tartificialntelligence_presentation.pptx
PPTX
The various Industrial Revolutions .pptx
PDF
NewMind AI Weekly Chronicles – August ’25 Week III
PDF
A review of recent deep learning applications in wood surface defect identifi...
PDF
CloudStack 4.21: First Look Webinar slides
PDF
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
PDF
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
DOCX
search engine optimization ppt fir known well about this
PPTX
Final SEM Unit 1 for mit wpu at pune .pptx
PDF
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDF
Unlock new opportunities with location data.pdf
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
PPTX
Chapter 5: Probability Theory and Statistics
PDF
Hindi spoken digit analysis for native and non-native speakers
PDF
Taming the Chaos: How to Turn Unstructured Data into Decisions
Enhancing emotion recognition model for a student engagement use case through...
DP Operators-handbook-extract for the Mautical Institute
Assigned Numbers - 2025 - Bluetooth® Document
Modernising the Digital Integration Hub
A contest of sentiment analysis: k-nearest neighbor versus neural network
Tartificialntelligence_presentation.pptx
The various Industrial Revolutions .pptx
NewMind AI Weekly Chronicles – August ’25 Week III
A review of recent deep learning applications in wood surface defect identifi...
CloudStack 4.21: First Look Webinar slides
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
search engine optimization ppt fir known well about this
Final SEM Unit 1 for mit wpu at pune .pptx
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
Unlock new opportunities with location data.pdf
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
Chapter 5: Probability Theory and Statistics
Hindi spoken digit analysis for native and non-native speakers
Taming the Chaos: How to Turn Unstructured Data into Decisions

Tips & Tricks for Oracle PaaS Admins

  • 1. Copyright © 2018, eProseed and/or its affiliates. All rights reserved. | Confidential TIPS & TRICKS FOR ORACLE PAAS ADMINS Simon Haslam Bruno Neves Alves 1 3rd Edition
  • 2. Copyright © 2018, eProseed and/or its affiliates. All rights reserved. | Confidential INSPIRATION FOR THIS PRESENTATION I have a note where I keep “tips & tricks” I find as I work… – This is my current list but is work in progress (I haven’t done everything possible in PaaS ☺ ) – Some are opinions, mainly with an Ops/Admin focus – YMMV! – I have perfectionist tendencies (but am in therapy!) and want to improve each batch of environments I provision – Oracle Cloud changes all the time (monthly releases) – in future they may change/become irrelevant – Oracle Managed / Autonomous services are making these tips less relevant – Even if you are not using services like SOA CS or JCS today hopefully they may be a useful reference for later 3rd Edition
  • 3. Copyright © 2018, eProseed and/or its affiliates. All rights reserved. | Confidential DIFFERENT TYPES OF PAAS, WITH EXAMPLES Software as a Service Infrastructure as a Service Autonomous Oracle Integration Cloud Oracle Integration Cloud Oracle Managed, Minimal customer config. Oracle Managed, Moderate customer config. Oracle SOA CloudCustomer Managed, Advanced customer config. Autonomous Transaction Processing Oracle & Auto Managed, Minimal customer config. Database Cloud Service / DBaaS Oracle Java Cloud Autonomous Oracle DIPC Oracle DIPC high level low level
  • 4. Copyright © 2018, eProseed and/or its affiliates. All rights reserved. | Confidential 5 • Planning: Setup and Identity • Networking, VPN & Misc • Operation: SSH and internal access
  • 5. Copyright © 2018, eProseed and/or its affiliates. All rights reserved. | Confidential TIP 1: KNOW WHETHER YOU WANT OCI OR CLASSIC 6 Sounds obvious but… • The noise around Oracle Cloud Infrastructure is deafening! • State of transition (18Q4) – many PaaS services are now provisioning via PSM on OCI but Classic is still available. • Very little ‘new’ PaaS yet on OCI (database & load balancers) NB: there is no migration between OCI Classic and OCI – think of them as completely different clouds Both use IDCS PSM Generally use OCI if you can but, if you are in a hurry and it’s not a “forever” platform, you might be better with Classic currently OCI Classic aka OPC Mature, around for 3-4 years Simpler, lower tech Blogs, discussions & docs mostly about this Legacy but not EOL OCI aka Next Gen IaaS New, around for ~2 years More sophisticated, esp. DR, better meets enterprise needs New services & autonomous are OCI Info harder to find, e.g. PaaS+OCI Strategic C L A S S I C Shiny!
  • 6. Copyright © 2018, eProseed and/or its affiliates. All rights reserved. | Confidential TIP 2: KNOW YOUR OCI(C) REGIONS • *com- ones are Classic: – eucom-* – gbcom-* – uscom-* • <country>- ones are OCI: – eu-frankfurt-1 – uk-london-1 – us-ashburn-1 – us-phoenix-1 7 If you have an account created before ~Oct 2017 you may not have any OCI regions in the list C L A S S I C For PaaS this list is determined by your home region (set during provisioning) Govt regions are separate (2 in US, 1 in EMEA)
  • 7. Copyright © 2018, eProseed and/or its affiliates. All rights reserved. | Confidential TIP 3: PRACTICE ON A TRIAL ACCOUNT 8 • There’s a lot to learn: – User management – How consoles look, what names/naming conventions fit – Auto-generated names – ( You usually have one identity domain for both live and test: how will you manage instances for your organisation? – You will probably end up with things in the wrong place – usually it’s easier/quicker to start fresh – more likely to delete stuff in trial account especially if your org. has multiple admins – Makes you less nervous about creating stuff that might cost $$$! • Downside: trial accounts get burnt up - can be hard to get new ones C L A S S I C
  • 8. Copyright © 2018, eProseed and/or its affiliates. All rights reserved. | Confidential TIP 4: CHOOSE YOUR DOMAIN NAME CAREFULLY 9 • Name is used a lot in URLs and references – Since IDCS + PaaS name is in log-in URL too, e.g. https://myservices-eproseeduk.console.oraclecloud.com • You may or may not get to choose – Depends on how cloud was purchased and type – may get choice or maybe just a123456 – Oracle added feature to rename but that is superficial • Domains can’t be re-used later AFAIK so think about it carefully especially if you are a multi-national – E.g. I created “eproseeduk” in case we want to use “eproseed” globally – Are there annoying domain squatters out there…? • This is probably vanity/perfectionism led! Most corporates may be happy with a123456 ☺ C L A S S I C
  • 9. Copyright © 2018, eProseed and/or its affiliates. All rights reserved. | Confidential TIP 5: BE AWARE THERE ARE 2 IDENTITY DOMAIN TERMS • Prior to IDCS, now called “traditional” ID, there was one “Identity Domain” – a short name you chose, like mycompany, or, – for a phase Oracle allocated it, e.g. a1234567 • With IDCS (any cloud account provisioned since ~Oct 2017) you have a second “Identity Domain” or “Identity Service ID” (terms used interchangeably) – Generated: idcs-******* (32 hex digits) 10 C L A S S I C For API calls know which one you need: it’s usually the idcs-* one but docs may be out of date
  • 10. Copyright © 2018, eProseed and/or its affiliates. All rights reserved. | Confidential TIP 6: BE MINDFUL OF OVERLAPPING IDENTITY PROVIDERS It’s possible to get to funny situations where initial user/password has been provisioned in two places and password only changed in one 11 Traditional IDM Pre-Oct 2017 Post-Oct 2017 OCI Identity Federated ID IDCS Classic Identity Only ID store Most users are here (or federated, e.g. to AD)
  • 11. Copyright © 2018, eProseed and/or its affiliates. All rights reserved. | Confidential TIP 7: CREATE A PROVISIONING USER • The username of user who creates instances & other artefacts ends up in URIs. Default usernames are email addresses. • Create a provisioning user – make sure it is only used by scripts, and not for administration functions • Create the provisioning user as a name, not an email address – I like something short, typically just the organisation name • This concept is valid for: – IDCS-backed PaaS on Classic since you might be using PSM scripts – OCI provisioning which need an API key defined for the user in the OCI identity domain 12 C L A S S I C
TIP 8: CREATE A STORAGE USER
• The domain name is in the storage container name BUT the storage user is what the PaaS instances use for backup/restore.
• Oracle Cloud user passwords expire after ~4 months – you can’t prevent this
  – If you let them expire your backups will break
  – If your database backups break you start using more Recovery Area
  – If your Recovery Area fills up the database archiver can’t archive the redo log
  – If the archiver can’t archive the redo log the db can’t do a log switch – BANG!
• The Oracle Cloud “password change dance” was possible last year – not sure about now
• Create a separate storage user to limit the scope of a password change
Practise the change of the Oracle Cloud storage user password before user expiry!!!
TIP 8 (CONTINUED): STORAGE USER’S REQUIRED PERMISSIONS
• Needs to have: (not just ReadWriteGroup – the console allows that… then it fails later)
TIP 9: CREATE A STORAGE CONTAINER PER INSTANCE [Classic]
• When you create service instances that are fully managed by Oracle Cloud (i.e. not Virtual Image service types) you need to supply a Storage Cloud container
• It’s tempting to have one big bucket but don’t…
  – remember in the future you may have 20 instances but want to delete one including its backups – a storage container per instance makes this much easier to track
• You now have an option in the console and REST API to create a new container at provisioning time
  – I’m not really sure why this isn’t the default
  – Not yet the case on OCI – you need to create object containers first
TIP 10: CHOOSE YOUR TIMING FOR PROVISIONING
• OOW introduces a lot of change (2017 after, 2018 before & after) – if not bugs then maybe new ways to do things
• Monthly release cycle
• Put provisioning jobs onto a Build Server & run weekly to minimise surprises
Section divider – agenda:
• Planning: Setup and Identity
• Networking, VPN & Misc
• Operation: SSH and internal access
TIP 11: USE AUTONOMOUS / ORACLE MANAGED
• If available & suitable use Autonomous / Oracle Managed
  – Positive experience so far (July-) with API Platform, though primarily it’s the Gateway that is critical (and that’s on our own infra)
  – Doesn’t necessarily mean the service level is better, but it’s someone else’s problem!
• This is the “direction of travel”, e.g. look at pricing for Integration Cloud
• Time will tell, especially for early adopters
TIP 12: APIP OAUTH DEBUGGING
When troubleshooting APIs that you have configured in Oracle API Platform Cloud Service you can use the following tools:
• Oracle API Platform Cloud Service Analytics: shows the type of error
• jwt.io debugger: lets you inspect OAuth tokens generated by a provider
• Change the Oracle API Platform logging policies so you can log the content of objects
See Lonneke Dikmans’ (eProseed NL) blog post at: http://blog.vennster.nl/2017/12/troubleshooting-oracle-api-platform.html
TIP 13: BUILD YOURSELF A STOP/START SCHEDULER
• Often we now size non-prod environments based on part-time usage, e.g. 9 hours, weekdays
• There’s no feature in Oracle Cloud Platform to allow you to simply set up a timetable
⇒ Create a simple scheduler to do that
  – e.g. crontab plus PSM work OK on an IaaS VM or DevCS
TIP 14: USE IP NETWORKS [Classic]
• “IP Networks” on Oracle Cloud Infrastructure Classic allow you to choose your own network numbering, and VMs to talk directly to one another
• “Shared Network” is the original network where every VM is allocated to a 4-IP subnet… adds all sorts of complexity
• Going forward IP Networks will dominate:
  – No migration path – you have to re-provision
  – If you have any choice then set up IP Networks from the start!
This relates to Classic – for OCI you will have to use VCNs anyway
TIP 15: WATCH OUT FOR IP RESERVATIONS ON IP NETWORKS [Classic]
• There was no method to reserve internal IPs (not public IPs) – they depended on VM start-up order
• Critical if you have on-prem firewall rules to specific cloud IP Network addresses
• This was an Enhancement Request, but according to a recent SR you can now specify an IP reservation at time of provisioning… needs verification though
TIP 16: NO OVERLAPPING NETWORKS ON VPNAAS
Example: i.e. not how you’d expect with normal routing
[Diagram: On-premises 10.5.0.0/16 connected by VPNaaS tunnels to IP Network 10.5.1.0/8 and IP Network 10.6.1.0/8; one of the two is marked ✓]
VCN/IP network planning – liaise with all your network teams to choose a global network numbering
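An added example (my own script, not from the slides) that checks each planned cloud network against the on-premises range for overlap, the disjointness VPNaaS needs. Run against the slide’s figures it also shows why a cloud network written as 10.6.1.0/8 still collides with 10.5.0.0/16: the /8 prefix covers all of 10.0.0.0 to 10.255.255.255, and only a narrower network such as 10.6.1.0/24 (my example value) is disjoint.

```shell
#!/bin/sh
# Added example, not from the slides: overlap check for the CIDR ranges
# you plan to join with VPNaaS. Pure POSIX sh arithmetic, no external tools.

# ip_to_int A.B.C.D -> the 32-bit integer value of the address
ip_to_int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_range A.B.C.D/N -> "first last" integer bounds of the network.
# Host bits in the written address are ignored, exactly as a router would,
# so 10.5.1.0/8 means the whole 10.0.0.0/8 block.
cidr_range() {
  addr=${1%/*}; bits=${1#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  first=$(( $(ip_to_int "$addr") & mask ))
  echo "$first $(( first | (~mask & 0xFFFFFFFF) ))"
}

# cidr_overlap C1 C2 -> exit 0 if the two networks share any address
cidr_overlap() {
  set -- $(cidr_range "$1") $(cidr_range "$2")
  [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# check_plan ONPREM CLOUD... -> report every cloud network against the
# on-premises range; exit 1 if any overlap is found
check_plan() {
  onprem=$1; shift; rc=0
  for net in "$@"; do
    if cidr_overlap "$onprem" "$net"; then
      echo "OVERLAP  $net conflicts with on-premises $onprem"; rc=1
    else
      echo "ok       $net is disjoint from $onprem"
    fi
  done
  return $rc
}

# Constructed planning input: the slide's on-premises range, one cloud
# network as written on the slide (/8) and one narrowed to /24.
check_plan 10.5.0.0/16 10.6.1.0/8 10.6.1.0/24
```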
Section divider – agenda:
• Planning: Setup and Identity
• Networking, VPN & Misc
• Operation: SSH and internal access
TIP 17: CREATE SSH USERS FOR VM ADMINS
• Have centralised, secret OPC SSH key-pairs
  – Don’t be lazy… I typically have one for each env type (prod, acceptance, test, etc)
  – You may choose to have a super-user keypair per instance (if you are fully scripted and have good key management)
• Don’t give out the OPC private key for admin use – if admins need to access the VMs create local accounts for them
• You probably should re-generate your opc keypair periodically
• Medium term – I’d like to authenticate against LDAP or IDCS
RELATED: Cloud Ops/Admins should have their own Oracle Cloud users with appropriate privs (easy to revoke etc – remember the Oracle Cloud console is available outside the corporate firewall)
TIP 18: CREATE AT LEAST 3 VM UNIX USER GROUPS
• It’s pretty rare for users to need SSH access to PaaS VMs; their roles might be:
  – Non-privileged user – not too much use, but possibly for tunnelling SQL*Net if you don’t have a VPN
  – Admin user allowed to sudo to oracle <= most common
  – Admin user allowed to sudo to root
• Oracle Support expects you to have root, e.g. to fix backup issues (even though they are often just writing to an Oracle-owned filesystem or calling RMAN)
TIP 19: CREATE UNIX USERS ONLY USING SCRIPTS
• Only specific users are allowed to SSH in (hard-coded list in sshd_config)
• SSH is used for ALL low-level access to the VM
  – Your admins
  – The OPC admin account
  – Oracle Cloud tooling
• If you break the SSH login configuration you will not be able to log in!
  – The VM boot attempts to make sure the oracle and opc keys are correct
  – Oracle SM can try to push in a new OPC key only if cloud tooling access is working
• Built-in opc user setup/repair scripts are different in JCS as to DBaaS (and probably others)!
• You only really find out for sure after an instance restart
Excellent idea from the audience at DOAG: configure a second SSH daemon just for support users
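An added example (my own script, not from the slides or Oracle’s tooling) of the scripted, lock-out-safe way to add an admin account to the hard-coded AllowUsers list: it appends the user idempotently, refuses to proceed if the accounts the VM itself depends on are missing, and syntax-checks the result with sshd -t before any reload. The file path, the single-AllowUsers-line layout and the must-keep accounts (opc and oracle) are assumptions, not from the page.

```shell
#!/bin/sh
# Added example, not from the slides: maintain sshd AllowUsers without
# locking out the opc account or the cloud tooling that rides on it.
# Assumption: the VM's sshd_config carries at most one AllowUsers line.
set -u

REQUIRED_USERS="opc oracle"   # assumption: accounts that must always remain allowed

# allow_users CFG -> print the current AllowUsers list (empty if none)
allow_users() {
  awk '$1 == "AllowUsers" { $1 = ""; sub(/^ +/, ""); print }' "$1"
}

# add_allow_user CFG USER -> append USER to the AllowUsers line in place,
# creating the line from REQUIRED_USERS if the config has none yet
add_allow_user() {
  cfg=$1; user=$2; tmp="$cfg.tmp.$$"
  case " $(allow_users "$cfg") " in *" $user "*) return 0 ;; esac   # already there
  if grep -q '^AllowUsers[[:space:]]' "$cfg"; then
    awk -v u="$user" '$1 == "AllowUsers" { $0 = $0 " " u } { print }' "$cfg" > "$tmp"
  else
    { cat "$cfg"; echo "AllowUsers $REQUIRED_USERS $user"; } > "$tmp"
  fi
  cat "$tmp" > "$cfg"; rm -f "$tmp"      # rewrite in place so mode/owner are kept
}

# check_required CFG -> exit 1 if any must-keep account is missing from AllowUsers
check_required() {
  current=" $(allow_users "$1") "
  for u in $REQUIRED_USERS; do
    case "$current" in *" $u "*) ;; *) echo "refusing: $u not in AllowUsers" >&2; return 1 ;; esac
  done
}

# validate_sshd CFG -> syntax-check the file before reloading the daemon
# (run as root on the VM; skipped here when sshd is not installed)
validate_sshd() {
  command -v sshd >/dev/null 2>&1 || return 0
  sshd -t -f "$1"
}

# usage on a real VM (assumed path): sh allowusers.sh add <user>, then reload sshd
if [ "${1:-}" = "add" ]; then
  add_allow_user /etc/ssh/sshd_config "$2" && check_required /etc/ssh/sshd_config \
    && validate_sshd /etc/ssh/sshd_config && echo "sshd_config OK, safe to reload"
fi
```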
TIP 20: ALLOCATE TIME FOR TLS CONFIGURATION
• Oracle doesn’t do much for you on TLS (SSL)
  – JCS/SOACS use demo certificates with the CertGen CA (i.e. easy to forge)
  – Uses the Key Store Service in the database (new with 12.1.2)
• You can re-use all your old WLST etc for TLS config though ☺
  – But if you have an internal CA some of the Cloud Monitoring (if you use that) breaks
With any luck Oracle will build (or buy) its own Certificate Authority – then it could set up TLS automatically
Section divider: Summary
SUMMARY
• The customer-managed Oracle PaaS experience is very similar to what you’re used to for on-prem systems ☺
• Classic & Oracle Cloud Infrastructure are in a state of transition
• Cloud is heading to Oracle Managed / Autonomous
• You still need to plan your environments
• Support is about the same as before
• Follow the tips & tweet us with any new ones ☺
ABOUT EPROSEED
• Focussed only on Oracle technology
• Globally distributed with centralised delivery management and local resources
• 5 active ACE Directors, 2 Dev Champions, 8 OCM
• 19 Oracle Excellence Awards in 8 years
• 25 Oracle Specializations… and counting.
Local offices in UK, NL, PT… & Head Office in Luxembourg
ABOUT US
Simon Haslam (@simon_haslam)
• Platform / Infrastructure Architect
• Focus includes HA, DR, security, automation
Bruno Neves Alves (@b_alves)
• Integration Specialist
• SOACS & Oracle Integration Cloud tech lead
Relevant to this session
• Researching JaaS/JCS from Spring 2015; OTN webcasts Autumn 2015
• Built SOA & DB CS in May 2016 (first production SOA CS in EMEA), inc Corente
• Designed & built SOA CS integration platform for global use since Oct 2017, inc VPNaaS
ORACLE ACE PROGRAM
3 Membership Tiers
• Oracle ACE Director
• Oracle ACE
• Oracle ACE Associate
bit.ly/OracleACEProgram
500+ Technical Experts Helping Peers Globally
Connect: @oracleace, Facebook.com/oracleaces, [email protected]
Nominate yourself or someone you know: acenomination.oracle.com
IF YOU LIKED THIS YOU MIGHT LIKE…
[Session images: Monday, Wednesday, Wednesday, TODAY]