From the Blogosphere

Oracle Faces Growing Price for MySQL

Thu, 03 Dec 2009 16:00:00 EST

The irony is that Oracle has advanced MySQL, lost money in the process, and helped its competitors - all at the same time. When Oracle buys Sun and controls MySQL the gift (other than to Microsoft SQL Server) keeps on giving as the existential threat to RDBs is managed by Redwood Shores. Oracle has uncharacteristically found itself maneuvered (by its own actions).

Upgrading WLS Using the Oracle Smart Update Utility

Wed, 02 Dec 2009 09:15:00 EST

Oracle provides the Smart Update utility to upgrade WebLogic Server installations between versions, or to apply specific patches applied by Oracle Support. This post considers upgrading a 10.3.1 server to 10.3.2, not applying patches. As usual your mileage may vary so be diligent in checking these instructions beforehand.

The Oracle Smart Update utility is documented here.

The general steps to run the Oracle Smart Update utility and upgrade the server are as follows:

1) Ensure your WLS and any managed servers are not running. In turn it would be a good idea to backup your server before running this procedure, in particular if it's a production server.

2) (For whatever reason I couldn't invoke the following utility from Windows Explorer, so I had to invoke it via the command line)

2.1) Under Windows open the command prompt at <wls_home>\utils\bsu

2.2) Execute the bsu.cmd. This displays the Oracle Smart Update dialog to enter your Oracle Support user ID and password:

3) Assuming your login details are correct you'll be presented with the Oracle Smart Update dialog. This can take some time to open as the utility scans your existing WLS patches

4) You may be prompted to "Register for security updates", take your choice, be annoyingly nagged by Oracle, or miss applying security patches in the future:

5) The end result:

6) The Target Installation tree on the left hand side shows you the WLS servers the patch engine will work with. We're not interested in the content on the right. Presumably it includes one off patches to apply as supplied by Oracle Support, or hot security fixes applying to all WLS installations. I've yet to see one of these so can't comment on what you'll actually see.

7) To upgrade your WLS between versions you apply a "Maintenance Pack". Click on the same named menu option followed by the sub-option Update. This launches the BEA Smart Update dialog. On selecting your existing WLS server in the left tree, you'll see the option to apply the Upgrade Option in the right, in this case specifically WebLogic Platform (10.3.2.0):

The Oracle documentation for Maintenance Pack installations is here.

8) Selecting the Ok button will display a download dialog:

9) On the file downloading you'll be presented with the Oracle Installer for WebLogic 10.3.2.0:

10) Again you'll get a chance to "Register for security updates". Be brave and skip it:

11) The next page allows you to specify the download location of any additional files, whether the files should be removed after installation, and the HTTP Proxy options to get through your firewall including username and password:

12) You'll then get another download screen and a chance for a coffee or 2 (make that 4):

If the downloads fails half way through, don't give up as the download utility supports resumes, just wait for it to timeout and then ask it to continue downloading.

13) You'll then be given one last chance to back out:

14) After which there's no backing out:

15) Just click Done on the final page. If the QuickStart dialog shows, close it:

16) In turn the BEA Smart Upgrade dialog will also show detailing the new 10.3.2 upgrade. You'll note in the lower part of the right window, you can downgrade from 10.3.2 to 10.3.1 if necessary. You can close this dialog:

17) Returning to the Oracle Smart Update window it'll misreport the current version which you can ignore.

18) To verify the install the easiest thing is to start your managed servers and then access the console login. At the bottom of the page you'll see the server version:

19) It's probably worth investigating the server logs to see if any unexpected exceptions have been thrown.

Oracle Dynamic Tabs Shell - ADF 11gR1 – UI Shell

Mon, 30 Nov 2009 10:30:00 EST

In the latest release of JDeveloper, specifically 11.1.1.2.0 also known as 11g Release 1 also known as Patch Set 1 also known as 11g build 5536 also known as the Shepherd build (cough cough Oracle), Oracle has included a new built in page template known as the "Oracle Dynamic Tabs Shell". This template is part of Oracle's ADF Functional Patterns and Best Practices efforts, also referred to as the "UI Shell". Complete documentation is available here. I'll leave readers unfamiliar with the UI Shell to read Oracle's documentation to understand the basics.

With my current client we're happy with the inclusion of this new UI Shell and we can actively see ourselves using it in the near future. What I wanted to document is my own thoughts and research which may be of use to others, and I hope to further the discussion on the ADF EMG. Note as usual your mileage may vary so take time out to check the facts listed here:

1) The Create JSF Page dialog presents the "Oracle Dynamic Tabs Shell" page template option:

2) The template and its supporting classes are installed in <jdev_home>/jdeveloper/adfv/jlib/oracle-page-templates-ext.jar, though the JDev IDE takes care of importing the template and classes/libraries into your project for you once selected in the Create JSF Page dialog. As the following picture shows an additional library Oracle Extended Page Templates is added to your project:

Side note: Steve Muench has blogged the location of the UI Shell template and supporting classes as a separate download here. This will allow you to take the default UI Shell template and customise to your needs if required. See further points below for why this may be necessary.

2) Our technical team was already getting bogged down in "discussions" of "standard" web page layouts versus RIA layouts. The technical team knows the standard web page layouts weren't suited to RIA applications, but it was hard to argue our case without actually creating a RIA layout. In turn creating a RIA layout that we were happy with was going to take some time, and we're building applications now. With the UI Shell we can short cut the layout "discussions", say this is what Oracle's provided us, it works well and this is what we'll use, allowing us to focus on the more important matter of hand and that's writing the ADF solution for the business.

3) Our overall application is made up of several subsystems (think Oracle Apps with HR, Procurement, Payroll etc). Within the UI Shell the globalTabs facet provides an ideal location to list the subsystems allowing the user to switch between each module:

4) Each subsystem gets its own page based on the template, as in hr.jspx, procurement.jspx and payroll.jspx based on our example.

5) The rest of the application is made up of a number "Activities" that in essence are bounded task flows using page fragments, or in other words the business processes of your application. Each subsystem is free to make use of as many bounded task flows as it sees fit, and in addition a bounded task flow can be used (shared) by many of the subsystem pages.

6) As per the previous point, if you're using the default UI Shell provided through JDeveloper rather than downloading the UI Shell as per Steve Muench's blog above, and you wish to have a common element in every page using the template, you'll need to code them in every page which isn't ideal. The solution is to download Oracle's template and customise it within your own application (or possibly create a number of declarative page components for repetitive content, though this will still require you to load each page component in each page based on the UI Shell template).

7) A key feature of the UI Shell as described in its other name "Oracle Dynamic Tabs Shell" is it shows under each subsystem how to launch a bounded task flow (aka Activity) one or many times:

This may not be ideal for every application, but my current client has a scenario in an existing Oracle Forms application where users open up to 4 sessions. While we're not sure on building an ADF equivalent with a chance to redesign the users' workflow will they still need to do this, if they do we're envisaging that each session can now be as a separate UI Shell Activity under the subsystem page.

8) As discussed in the following ADF EMG thread the UI Shell makes a great addition to the "Master JDev Application Workspace" proposed by Todd Hill bringing a number of composite ADF bounded task flows together.

9) The demonstration UI Shell application shows a basic mechanism of stopping a user leaving an activity once they've made "it dirty". The analogy to this is in the JDev IDE when the user changes the contents of a source file, the tab control title font becomes italic and the user is warned/prompted to save changes if they attempt to close the tab without saving.

Currently this feature should be considered a demonstration feature only as in the downloadable UI Shell demonstration application it has a number of limitations (it is a demo after all). In particular the isDirty() check is only done within a subsystem's activities. Clicking on a different subsystem tab/page doesn't invoke the isDirty() check with the appropriate warning dialog. It would be my assumption that this check would need to be coded in each specific application, reusing the isDirty() facilities provided.

10) For the logoImagePath attribute you can specify the path of the UI Shell log image, but not the size. In the turn the layout tends to assume a horizontal logo. If corporate branding is important to your organisation and they have a long vertical logo, good luck.

11) The default UI Shell has no consideration of security. For instance what subsystems are available under the globalTabs for the current user is your responsibility

12) The overall template does waste some vertical screen real-estate:

See annotations A, B and C.

A can be trimmed by setting the globalSplitterPosition attribute. At this time it doesn't look like B and C can be set in the default UI Shell. Ideally we'd want something like this:

13) The overall template is extremely small – only 74k – wow, Oracle can create something that doesn't take up an entire CD! ;-)

14) I note in the source code downloadable from Steve Muench's blog that there are a few comments that the implementation will change dependent on later updates to the ADF component set presumably available in later JDev releases (ie. see the TabContext.java REMOVE_ME_WHEN_NAVPANE_SUPPORTS_STAMPING comment).

This implies the default functionality of the UI Shell could change in the future which could have issues for your existing applications based on the UI Shell and therefore your regression testing and user experience. It may be necessary to source the UI Shell code and baseline in your code repository rather than being subjected to changes in functionality on upgrading to future JDev releases.

15) As per the UI Shell whitepaper, the 7 zillion steps to reproduce the demonstration UI Shell application do look daunting. However if you're familiar with JDev, page templates and constructing JSF pages it only takes about 20-30 minutes to run through most of the steps. In fact most steps are just setting up dummy task flows and page fragments to show some content within the produced template, nothing really to do with the template itself.

16) You'll need to remind users/analysts/managers etc that what the UI Shell gives in preconfigured layouts, saving developers time and boosting productivity, it takes away in customizable layout of the screen. This is a common point of contention in component based frameworks where a super component gives a large array of features, but the component works as the component works and cannot be easily customised without headache.

Oracle Fusion Middleware Deployment Guides

Fri, 13 Nov 2009 10:30:00 EST

Well hello again!

After a week off with H1N1 (don’t get it, you really won’t like it), and another week or two catching up, I’m finally back in the saddle and there’s plenty to talk about – some of it stuff I should have been talking about weeks ago.

Today we’ll discuss the Deployment Guides some smart folks here at F5 have thrown together to go with the Oracle Fusion Middleware Enterprise Deployment guides (that some smart folks at Oracle threw together).

First up, props to Oracle for an astounding document library that you can access sans login. It’s not new, but if you’re not familiar with it, check it out.

What our staff did is take the documents from their library that reference places where BIG-IPs fit in, and created complimentary documents to show how to configure your BIG-IP to fit the Oracle Fusion Ecosystem.

So here is the list of Oracle documents, and F5 complimentary documents. Between them, you can make your Oracle Fusion environment adaptable, reliable, and zippy. At least I claim you can :-).

Oracle Enterprise Deployment Guide	F5 Deployment Guide
Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management 11g Release 1 (11.1.1) http://download.oracle.com/docs/cd/E12839_01/core.1111/e12035/toc.htm (see Section 2.2.1)	Deploying F5 with Oracle Fusion Middleware Identify Management 11gR1 http://www.f5.com/pdf/deployment-guides/oracle-identity-management-big-ip-dg.pdf
Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle SOA Suite 11g Release 1 (11.1.1) http://download.oracle.com/docs/cd/E12839_01/core.1111/e12036/toc.htm (see Section 2.2.2)	Deploying F5 with the Oracle Fusion Middleware SOA Suite 11gR1 http://www.f5.com/pdf/deployment-guides/oracle-soa-big-ip-dg.pdf
Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle WebCenter 11g Release 1 (11.1.1) http://download.oracle.com/docs/cd/E12839_01/core.1111/e12037/toc.htm (see Section 2.2.2)	Deploying F5 with Oracle Fusion Middleware WebCenter 11gR1 http://www.f5.com/pdf/deployment-guides/oracle-webcenter-big-ip-dg.pdf

I’d love to take credit for this chart or any of its contents, but this time I’m just the messenger, other people created all of the content, and the chart is essentially a recreation of one I received via email. If you’re using Fusion Middleware and have F5 gear in-house, they’re worth checking out to see how you can benefit from them.

And that gets me back into the blogging groove… Expect to hear more from me in the near future.

Don.

Reality Check at the Cloud Computing Expo

Mon, 09 Nov 2009 20:30:00 EST

The talk at the Cloud Computing Expo this week in Santa Clara was all about enterprise cloud adoption. Is it real? Is it already happening? If so, who’s doing it, which applications are they running and which clouds are being tested? To a large extent, cloud computing is a victim of its own somewhat out-of-control hype cycle. Since so much has been written and discussed about the cloud in 2009, there is now a growing impatience for actual results. The fact that 2000 people showed up at the Cloud Expo in Santa Clara this week (double the number from last year’s show) suggests that at the very least, interest in enterprise cloud computing remains very real, and the need for practical solutions and use cases is growing more urgent.

Cloud, The New Taste of the Internet

Mon, 09 Nov 2009 19:45:00 EST

Lately there seems to be a minor debate among the clouderati about the semantic differences between the term "the cloud" versus the use of "cloud computing". So I thought I'd jump into the fray.

As someone who spends his days eating, breathing and sometimes drinking cloud computing, it's fun to see how the debate has recently devolved into a debate purely focused upon the finer semantic nuances of the various terminologies. The debate seems to generally focus on the varied usages within the companies that are attempting to "cloud-ify" themselves & their products/services. This cloudification seems to be the trend du'jour within the technology industry, an attempt to augment marketing materials and or product positioning to include cloud related buzz words, whether they make sense or not.

Actually one of the better stated criticism comes from Oracle CEO Larry Ellison who observes that cloud computing has been defined as "everything". It's everything and nothing in particular, a trendy word that is used more to impress than explain a particular problem. I for one completely agree.

As a marketing term, cloud has enabled us to broadly define the movement away from the desktop / server centric past to the cloud [Internet] enabled future. Wikipedia's cloud definition says it well, "it is a paradigm shift where technological details are abstracted from the users who no longer need knowledge of, expertise in, or control over the technology infrastructure "in the cloud" that supports them". Yup, enough said.

This message is to of you -- the ones who are jumping on the cloud bandwagon, let me say this as plainly as possible. Regardless of whether it's "the cloud" or "cloud computing" it all comes back to the fact that it's a buzzword. A way to say we're cool, we're now, we're new, with out saying it directly (a neologism). It's the New Coke of Computing / the new taste of the Internet.

So what is The Cloud? It's the Internet. And what is Cloud Computing? It's the next big thing in computing, it's using the Internet.

ODTUG Down Under – More ACEs than a Pack of Cards

Mon, 02 Nov 2009 19:50:00 EST

Regular readers already know that ODTUG in conjunction with Oracle Technology Network has invited a number of Oracle ACEs and ACE Directors to present down under. ODTUG has teamed with AUSOUG to give these world recognized presenters (in fact in all cases world award winning speakers) full day slots at the conference that starts next week.

HL7 Interface Engines

Thu, 29 Oct 2009 15:00:00 EDT

So what do you really look for in an interface engine? There is more to an IE than just being a pass-through of messages.

Getting Past Gate Keepers

Thu, 29 Oct 2009 11:15:00 EDT

By Tom Hopkins In business situations, when you are trying to reach the person who has the authority to make decisions regarding your product you are very likely to have to go through one or more people before reaching that person. For the sake of efficiency, there will likely be a receptionist and/or assistant who takes the initial calls for the decision-maker. It’s important that you realize most assistants are taught to protect decision-makers. Or, shall we say, screen calls so the decision-makers only speak with the [...]

Working with WLS 10.3.1 SQLAuthenticator Password Algorithms

Tue, 27 Oct 2009 11:15:00 EDT

In the previous post we looked at how to configure the SQLAuthenticator password encryption options. Among other encryption algorithms we discovered that on creating a user from the WLS console, WLS would create the associated user in a database table with password "password" encrypted to:

{SHA-1}W6ph5Mm5Pz8GgiULbPgzG37mj9g=

...when the SHA-1 option was set.

As was mentioned in the previous post, as the database table with its users and passwords may be shared by non-WLS based applications, it's important that those systems can encrypt passwords and compare them to the WLS result. In other words, in the example above, given that WLS generated a SHA-1 encrypted password, if another system uses the same SHA-1 algorithm will it generate the same encrypted password allowing it to compare the database SHA-1 encrypted password against the SHA-1 encrypted password it has?

In order to check we can get the same encrypted results, we'll investigate generating a SHA-1 password using the Oracle database's encryption facilities (so in this case the database acts as the other subsystem), comparing the database's encrypted SHA-1 password to that of WLS.

The following solution owes thanks to Sean at Oracle Support who very patiently led me in the right direction with my findings.

dbms_crypto

Oracle database fans will be familiar with the dbms_crypto package that provides encryption support.

dbms_crypto allows us to generate an encrypted password that we can compare to the WLS result. From table 34-1 of the dbms_crypto link, we note that dbms_crypto supports the following one-way hash algorithms: SHA-1, MD4 and MD5. As WLS via the JCE extensions (see the previous post) supports SHA-1, MD2 and MD5, it's fortunate we picked SHA-1 for this example.

The following anonymous PL/SQL block shows an example using the dbms_crypto package hash function with SHA-1 to produce an encrypted result:


DECLARE
  input_string  VARCHAR2(8);
  raw_input     RAW(128);
  encrypted_raw RAW(2048);
BEGIN
  input_string := 'password';
  raw_input    := utl_raw.cast_to_raw(convert(input_string, 'AL32UTF8','US7ASCII'));

  encrypted_raw := dbms_crypto.hash(src => raw_input, typ => dbms_crypto.hash_sh1);
  dbms_output.put_line('Output: ' || encrypted_raw);
END;
/

Output: 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8

Note the output, a hex value, and doesn't match our WLS output for the same plaintext password "password" encrypted with SHA-1.

The missing bit of information (that I haven't found documented) is that WLS after encrypting the plaintext password, as confirmed by Oracle Support, WLS then converts the output to base 64. In the case of the dbms_crypto hash function, it converts the encrypted result to Hex. In order to get the same result you need to convert the Hex output to base 64.

There's a number of different ways to do this. One is to use a Java routine in the database, converting the dbms_crypto Hex result to a byte array, then byte array to base 64. A suitable algorithm would be:


byte[] bytearray = hexStringToByteArray("5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8");
String base64encoded = new BASE64Encoder().encodeBuffer(bytearray);

...where the hexStringToByteArray function is borrowed from Dave L on StackOverflow.

The end result is: W6ph5Mm5Pz8GgiULbPgzG37mj9g= ... finally matching what WLS wrote to the database (missing the algorithm prefix of course).

Conclusion

Why the WebLogic Server's SQLAuthenticator can make use of different encryption algorithm when writing to the database, it's important to ensure that the results are expected and understood and can be used by other subsystems.

That’s a Lotta Data

Sun, 25 Oct 2009 10:15:00 EDT

Ok, so I am a Software guy but I am posting about hardware devices. Maybe when it comes to hardware I am easily impressed? I promised to post information about interesting products and as someone who owned one of the first 5MB hard drives attached to a personal computer I guess I am in awe [...]

Oracle OpenWorld 2009 Is Done But the Challenge Begins!

Sun, 25 Oct 2009 10:00:00 EDT

What can I say, Oracle OpenWorld 2009 was a great show all around. Professionally run, great companies, great exhibit areas, and exceptional presentations. The big surprise to me was seeing Arnold Schwarzenegger on stage with Larry. Which is a great segue into my first topic for my OOW09 notes on the show. The amazing Exadata 2 and the challenge presented to IBM. After Arnold left the stage, Larry made the comment "IBM, take the [Exadata challenge] and make our day. Oh, that is a different action hero, sorry."

Mike Rowe From Dirty Jobs Could Use This Technology

Sun, 25 Oct 2009 09:30:00 EDT

Voice-Insight (http://www.voice-insight.com ) was at the show and was demonstrating and talking about some of its technology and some of their R&D projects. Voice-Insight is not necessarily focusing on SOA or services; most of their appeal comes from integration to other technologies.Voice-Insight built its own voice language (VQLTM) that attempts to bridge voice with GIS, maintenance, quality control, vehicle navigation and e-Government applications. This is real; they have applications running in most West-European languages as well as Japanese and Chinese (Mandarin). Their approach is to try to make user dialogues are close to natural language as possible and minimize user .”Voice training is not required.” Voice-Insight was at the show because they are a big Oracle partner. They also have partnerships with Motorola Inc, IBM, Thales, Magellan Navigation , IBM , ESRI Inc., Acteos (France), Incas (Italy & Spain), Working Machines (USA), ClearOrbit (USA), Patech (UK), MDS (Greece), CAPINFO (China), NBT (Bulgaria), Geodan (The Netherlands), BASF IT (Germany), GTS (RSA) etc.

Are You Getting Excited About the Cloud Computing Expo in Santa Clara?

Sun, 25 Oct 2009 08:45:00 EDT

Whether you are searching for a Cloud Computing solution for your enterprise or you want to learn about the latest and greatest Cloud Computing technology, The Cloud Computing Expo in Santa Clara, California running from November 2 until November 4 is for you. http://cloudcomputingexpo.com/general/keynotes1109.htm Keynote speakers include Richard Marcello, President, Systems & Technology, Unisys, Shelton Shugar SVP [...]

Get Excited! It's Time for Oracle OpenWorld

Thu, 08 Oct 2009 09:11:00 EDT

In this tough economic environment, your boss might not be open to your trip to SF. Oracle can help you justify your visit to Oracle OpenWorld.

Working with WLS 10.3.1 SQLAuthenticator Password Algorithms - Part 1

Mon, 05 Oct 2009 15:00:00 EDT

WebLogic Server 10.3.1 supports loading user credentials and roles from a number of different sources, such as LDAP or a database, through the concept of "Security Providers". In order to work with a database table structure a "SQL Authenticator" provider is required.

Edwin Biemond has a good example of setting up both the database table structures and configuring the WLS SQL Authenticator against these tables. To keep the example simple, for the password field in the JHS_USERS table Edwin's has set the SQL Authenticator to write raw plain text passwords to the table. This makes it really easy for demonstration purposes to see what's written to the database.

To extend Edwin's post, a common requirement will be that:

a) The password value is written in an encrypted form to the database
b) Other non-WLS applications can generate the same encrypted result such that the encrypted passwords can be compared

The need for point "a" is obvious, unencrypted password in the database is a security weakness. But what about "b", why would you want this?

For many organisations the list of users and roles will be stored in database tables, and that information will be sourced by many different subsystems implemented in different technologies. It's not uncommon for sites to have Oracle Forms, .Net, JEE (and ADF of course!) applications all relying on the database user tables for their authentication and authorisation information.

Each of these subsystems would require users to login. The subsystem would then encrypt the password, retrieve the corresponding password from the database for the identified user, and compare the results. If they compare, we have a valid user; if the encrypted passwords are different, ring the alarm bells, we have an imposter (or at least make them login again ;-)

All things would be well with this solution, until you throw in the fact that each subsystem may support different encryption algorithms that would produce different results, effectively failing the encrypted password comparison each time. It becomes essential therefore that WLS's SQL Authenticator supports different encryption algorithms in order to provide as much flexibility as possible.

Password Settings

On configuring a SQL Authenticator as per Edwin's example, on accessing the Provider Specific information (from the WLS console select Security Realms -> myrealm -> Providers tab -> your named SQL Authenticator -> Configuration tab -> Provider Specific tab), you'll note the following options that influence the generation of encrypted passwords:

* Plaintext Passwords Enabled – true/false – relates how passwords are read from the database table. If true when WLS retrieves the password from the database, and it encounters a non encrypted password, it will undertake a non encrypted comparison between the user's password who is attempting to login against the database retrieved password. If false, WLS will enforce the database password must be encrypted for it to undertake an encrypted password comparison.

The question arises, how does WLS know the database password is encrypted? The answer is derived from the next detailed property Password Style Retained, where WLS when writing a new encrypted password to the database prefixes the encrypted password with the encryption algorithm that was used to encrypt the password. If it's missing, WLS assumes a plaintext password.

If the Plaintext Passwords Enabled property is false, one other side effect is if you attempt to set the Password Style property to PLAINTEXT, then update a user's password in the database, WLS will throw an error stating it doesn't support PLAINTEXT passwords:

[Security:099063]Plaintext password usage was rejected.

Thanks to Ming at Oracle Support for clarifying this property.

* Password Style Retained – true/false – the following properties unlike the Plaintext Passwords Enabled property deal with when updating existing user passwords in the database table, not when the password is read. When WLS writes a password to the table's password field, along with the encrypted text, it prefixes the password with the password algorithm used wrapped in ellipses. For example if the SHA-1 algorithm is used, the password would look like:

{SHA-1}W6PH5MM5PZ8GGIULBPGZG37MJ9G=

If the Password Style Retained property is set to true, and the existing password has a different encryption algorithm to that specified in the Password Algorithm field, WLS will use the latter to update the password. If Password Style Retained is set to false, regardless, WLS will overwrite the password with that specified in the Password Algorithm field.

* Password Algorithm – text field – default SHA-1 – as per the WLS documentation this can be any Java Cryptography Extension (JCE). Questionably what are the allowable values derived from the JCE? These are listed in the JSE 6.0 Java Cryptography Architecture Standard Algorithm Name Documentation.

For password generation we want a hash (aka. message digest or 1-way encryption) algorithm. From the documentation we find that our options are limited to SHA-1 (the default Password Algorithm value), MD2 and MD5.

Note that the JSE documentation states the bit size of the produced message digest (SHA-1 = 160-bit, MD2 = 128-bit, MD5 = 128-bit), which will influence the size of your password field to store the encrypted database value.

The Password Algorithm can be ignored if the Password Style is PLAINTEXT, or, the Password Style Retained is set to true and the password to be updated does not match the current Password Algorithm's specified function.

* Password Style – PLAINTEXT, HASHED, SALTEDHASHED – as guessed the PLAINTEXT option will write the unencrypted password to the database. A value of HASHED implies the Password Algorithm will be used. SALTEDHASHED also produces encrypted passwords though different from HASHED. I'm currently unsure of the difference between HASHED and SALTEDHASHED, the WLS documentation doesn't differentiate between them, though it does result in a different encrypted value.

Testing

Assuming you've configured your SQL Authenticator correctly as per Edwin's post, let's test what the different settings of the properties do.

For our testing let's assume there's always an existing user ALPHA whose password we want to update, as well as new users BETA, CHARLIE and DELTA (and so on) who we want to create with a new password.

First test

Plaintext Passwords Enabled = true
Password Style Retained = true
Password Algorithm = SHA-1
Password Style = HASHED

For the existing user ALPHA the encrypted password doesn't include the algorithm prefix (ie. {SHA-1}), in fact it was created by some other system that doesn't include the prefix. The ALPHA's password will be updated to "password".

For a new user BETA the password will be set to "password".

First result

Updated user ALPHA password = "password"

For the ALPHA users this result occurs because WLS encounters the Plaintext Passwords Enabled set to true, and the original password stored for the ALPHA user is unencrypted (ie. it's missing the algorithm prefix). WLS therefore decides an update to the password must be a plaintext password update.

New user BETA password = {SHA-1}W6ph5Mm5Pz8GgiULbPgzG37mj9g=

In this case the BETA user makes use of the SHA-1 algorithm.

Second test

Plaintext Passwords Enabled = true
Password Style Retained = false
Password Algorithm = SHA-1
Password Style = HASHED

Same as the last test, for the existing ALPHA user the encrypted password doesn't include the algorithm prefix (ie. {SHA-1}), in fact it was created by some other system that doesn't include the prefix. The ALPHA's password will be updated to "password".

For a new user CHARLIE the password will be set to "password".

Second result

Updated user ALPHA password = {SHA-1}W6ph5Mm5Pz8GgiULbPgzG37mj9g=

New user CHARLIE password = {SHA-1}W6ph5Mm5Pz8GgiULbPgzG37mj9g=

In this case the Password Style Retained has overwritten the updated user ALPHA's password style with the new SHA-1 algorithm equivalent as the Password Style Retained = false setting removes the original plaintext algorithm – in other words the SHA-1 algorithm takes precedence. As expected the CHARLIE user's passwords uses the SHA-1 algorithm by default.

Third test

In this test we'll use the existing SHA-1 user ALPHA SHA-1 password, while switching to the MD2 algorithm, while not retaining passwords styles:

Plaintext Passwords Enabled = true
Password Style Retained = false
Password Algorithm = MD2
Password Style = HASHED

Existing ALPHA password = {SHA-1}W6ph5Mm5Pz8GgiULbPgzG37mj9g=

For a new user DELTA the password will be set to "password".

Third result

Existing ALPHA password = {MD2}8DiBqIxuORNfDsxg79YJuQ==

New user DELTA password = {MD2}8DiBqIxuORNfDsxg79YJuQ==

As can be seen WLS switches to the MD2 algorithm in both cases as the Password Style Retained = false property enforces this.

Fourth test

In the last test we'll switch back to the SHA-1 algorithm, and attempt to update the ALPHA user's MD2 password to the SHA-1 equivalent asking WLS not to retain the existing password style:

Plaintext Passwords Enabled = true
Password Style Retained = false
Password Algorithm = SHA-1
Password Style = HASHED

Existing ALPHA password = {MD2}8DiBqIxuORNfDsxg79YJuQ==

Fourth result

Existing ALPHA password = {SHA-1}W6ph5Mm5Pz8GgiULbPgzG37mj9g=

As expected the ALPHA user's password is changed from the MD2 to SHA-1 encrypted password, again as the Password Style Retained = false property takes affect.

Conclusion

At this point we've seen how WLS can generate encrypted passwords using different algorithms down to the database. From here it's important to check the encrypted results in the database are actually "standard". In other words if a competing technology uses the SHA-1 algorithm to encrypt a password for example, will it see the same encrypted result WLS produced. This will be addressed in a following post.

The Neglected Flipside of SOA Security

Tue, 08 Sep 2009 13:00:00 EDT

Joe McKendrick kicks off a thread on the current state of SOA Security. As usual, most discussion of SOA Security applies to "how SOA can be made secure". This is understandable. And, as some commentators have pointed out, there is a body of Best Practice out there on how to secure services in an SOA. For example, Randy Heffner provides lots of good advice on how to secure the services in an SOA)

One-Way SSL with JAX-WS Using JDeveloper 11gR1 and WLS 10.3.1

Wed, 02 Sep 2009 11:00:00 EDT

A while back Gerard Davison blogged some simple examples of using WS-Security Policies. Gerard's specific example dealt with the WLS policy Wssp1.2-2007-Wss1.1-UsernameToken-Plain-X509-Basic256.xml. As Gerard notes the said policy (further documented in the WLS 10.3.1 doco here) implements user name tokens, encryption of the tokens and signing of the whole SOAP payload.

The following post strips back Gerard's example to instead to consider the steps in setting up and testing One-Way SSL for a JAX-WS web service generated via JDeveloper 11gR1 and installed in WLS 10.3.1, using the WLS policy Wssp1.2-2007-Https.xml.

Assumptions

This article assumes the reader has the following basic knowledge:

* HTTPS/SSL
* Digital certificates and trusted/certificate authorities (CAs)
* Oracle's WebLogic Server, WLS managed servers and the WLS console

One-Way SSL vs Two-Way SSL

For those not familiar with either, Oracle's WLS documentation has a good explanation of the implementation of and differences between One-Way SSL and Two-Way SSL in the Understanding Security for Oracle WebLogic Server manual.

Steps

To implement a One-Way SSL example we'll run through the following steps:

1) Create a basic JAX-WS web service with JDeveloper 11gR1
2) Generate the digital certificates required for the WLS server
3) Modify the web service to use the Wssp1.2-2007-Https.xml WLS policy
4) Deploy the running web service to WLS
5) Test the running web service via JDeveloper's HTTP Analyzer
6) Test the running web service via SoapUI
7) Test the running web service via a JAX-WS client
8) Inspect the web service packets on the wire to verify the traffic is indeed encrypted

1) Create a basic JAX-WS web service with JDeveloper 11gR1

This step is documented in a previous blog post Creating JAX-WS web services via a WSDL in JDev 11g. There are also a number of viewlet demonstrations available from Oracle's OTN which show how to construct the WSDL in a drag'n'drop fashion.

The resulting web service we'll demonstrate here is a very simple one. It is comprised of the following solutions:

OneWaySSLExample.xsd


            targetNamespace="http://www.sagecomputing.com.au" elementFormDefault="qualified">

The inputElement and the outputElement will constitute the incoming and outgoing payloads of a simple HelloWorld web service.

OneWaySSLExample.wsdl


             xmlns:tns="urn:OneWaySSLExample.wsdl" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
             xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime/"
             xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:wsca="http://www.sagecomputing.com.au">

The overall web service comprises of a single operation accepting the inputElement and outputElement strings as specified in the XSD.

OneWaySSLPortTypeImpl.java

package au.com.sagecomputing.ws;

import javax.jws.WebService;

import javax.xml.ws.BindingType;
import javax.xml.ws.soap.SOAPBinding;

@WebService(serviceName = "OneWaySSLService",
            targetNamespace = "urn:OneWaySSLExample.wsdl",
            portName = "OneWaySSLPortTypePort",
            endpointInterface = "au.com.sagecomputing.ws.OneWaySSLPortType",
            wsdlLocation = "/WEB-INF/wsdl/OneWaySSLExample.wsdl")
@BindingType(SOAPBinding.SOAP12HTTP_BINDING)
public class OneWaySSLPortTypeImpl {

  public String oneWaySSLOperation(String part) {
    return "Hello " + part;
  }
}

A very basic JAX-WS web service accepting the inputElement String and returning the outputElement String prefixed with "Hello ".

Example request SOAP payload


   
   
      Chris

Example response SOAP payload



   
      Hello Chris

The overall application/project structure will look as follows in JDeveloper's Application Navigator:

2) Generate the digital certificates required for the WLS server

In order for a client to undertake a SSL connection with our web service on the WLS server, the WLS server must be configured with a valid digital certificate.

Again note from the Oracle documentation how One-Way SSL works at runtime:

With one-way SSL authentication, the target (the server) is required to present a digital certificate to the initiator (the client) to prove its identity. The client performs two checks to validate the digital certificate:

1. The client verifies that the certificate is trusted (meaning, it was issued by the client's trusted CA), is valid (not expired), and satisfies the other certificate constraints.
2. The client checks that the certificate Subject's common name (CN) field value matches the host name of the server to which the client is trying to connect

If both of the above checks return true, the SSL connection is established.

In this section we consider the digital certificates required for the WLS server.

WLS is an interesting application server in that it keeps two separate Java keystores, 1 for storing the digital certificates for such actions as SSL, and another which is typically used for storing CA digital certificates. The former is referred to as the identity keystore, the later the trust keystore.

The WLS manual Securing Oracle WebLogic Server section 11 Configuring Identity and Trust has a detailed explanation of this setup.

By default WLS comes with demonstration identity and trust keystores containing demonstration digital certificates. As the WLS documentation takes great pains to explain these are for development purposes only and should never be used in a production environment. For the purposes of this blog post if you're testing One-Way SSL in a development environment you can in fact skip this entire step as the demonstration WLS keystores will suffice.

To check that the demonstration keystores are currently installed login to your WLS console, select your server, and under the Configurations -> Keystores tab you'll see the following entries:

Your entries for the file locations of the keystore will be different from my example here dependent on where you installed WLS.

However using the demonstration keystores avoids the whole learning exercise of configuring your own custom digital certificates in WLS which is an important lesson. The following describes those steps in detail, as based off Gerard's original post.

To install our own digital certificate we followed these general steps:

a) Open a command prompt and set the WLS environment
b) Generate our own trusted certificate authority digital certificate
c) Store the private key and digital certificate and import into the identity keystore
d) Store the same digital certificate into the trust keystore.
e) Configure the new keystores in WLS's identity and trust keystore

The following describes those steps in detail. In order to do this we've used WLS utilities to do as much of the work as possible.

a) Open a command prompt and set the WLS environment

Under Windows open a command prompt on the same machine as where WLS is installed, create a temporary directory in your favourite place and cd to that directory, and run your WLS server's setDomainEnv.cmd command. Something like:

"C:\\setDomainEnv.cmd"

Once run ensure you're still in your new directory.

b) Generate our own trusted certificate authority digital certificate

java utils.CertGen -certfile ServerCACert -keyfile ServerCAKey -keyfilepass ServerCAKey -selfsigned -e somebody@xxxx.com.au -ou FOR-DEVELOPMENT-ONLY -o XXXX -l PERTH -s WA -c AU

This generates 4 files: ServerCACert.der, ServerCACert.pem, ServerCAKey.der, ServerCAKey.pem

The utils.CertGen utility is useful for development purposes, but as per the WLS documentation, should not be used for production purposes. Alternatively OpenSSL could be used instead.

Note the use of selfsigned flag. This implies this digital certificate will be used both as the CA in the trust keystore and the served digital certificate in the identity keystore. This is not what we'd do for a production environment using commercial Certificate Authorities, but is sufficient for demonstration purposes in this post.

More information on:

* the WLS CertGen utility can be found here.
* .der vs .pem files can be found here and here.
* WLS provides two utilities der2pem and pem2der can be used to convert between the two file types.

Under Windows you can double click on the ServerCACert.der file to show its contents:

If you have access to the openSSL command line tool you can use it to query the certificate we just created:

openssl x509 -text -inform der -in ServerCACert.der

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0d:a9:d1:4a:0f:0b:b2:61:13:90:89:f5:40:4d:4f:e2
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=AU, ST=WA, L=PERTH, O=SAGECOMPUTING, OU=FOR-DEVELOPMENT-ONLY, CN=/emailAddress=somebody@sagecomputing.com.au
        Validity
            Not Before: Jul  9 07:06:49 2009 GMT
            Not After : Jul 10 07:06:49 2029 GMT
        Subject: C=AU, ST=WA, L=PERTH, O=SAGECOMPUTING, OU=FOR-DEVELOPMENT-ONLY, CN=/emailAddress=somebody@sagecomputing.com.au
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:df:cb:6c:ed:86:75:4c:5b:66:cd:aa:3d:34:8f:
                    
                    73:f6:9c:b5:ed:82:9c:c3:15
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
    Signature Algorithm: md5WithRSAEncryption
        b7:fa:1b:8f:c4:ee:af:6b:1d:f0:dc:f4:cf:35:20:f1:df:eb:
        
        0c:fe
-----BEGIN CERTIFICATE-----
MIIC8zCCAlygAwIBAgIQDanRSg8LsmETkIn1QE1P4jANBgkqhkiG9w0BAQQFADCB

i7Pd63d03mWkI85tvsr5Q+40yitOL5JnLsbyHSrM+1aK8kkY7Qz+
-----END CERTIFICATE-----

This identifies information that maybe useful later if we make a mistake, such as the encryption algorithm used (RSA), the size of the keys (1024bit), the serial number of the certificate (a hex number).

c) Store the private key and the digital certificate in the identity keystore

java utils.ImportPrivateKey -certfile ServerCACert.der -keyfile ServerCAKey.der -keyfilepass ServerCAKey -keystore ServerIdentity.jks -storepass ServerCAKey -alias identity -keypass ServerCAKey

d) Store the same digital certificate into the trust keystore
Import the certificate generated in step b into a trust keystore.

keytool -import -v -trustcacerts -alias identity -file ServerCACert.der -keystore ServerTrust.jks -storepass ServerTrustStorePass

e) Configure the new keystores in WLS's identity and trust keystore

To configure the keystores in WLS enter the WLS console, select the managed server you're interested in, then make the following changes under the following tabs:

Configuration tab -> General subtab

SSL Listed Port Enabled = checkbox
SSL Listen Port = 7102 (and different from the Listen Port)

Configuration tab -> Keystores subtab

Keystores = Custom Identity and Custom Trust
Custom Identity Keystore = \ServerIdentity.jks, such as c:\temp\ServerIdentity.jks
Custom Identity Keystore Type = jks
Custom Identity Keystore Passphrase = ServerCAKey
Confirm Custom Identity Keystore Passphrase = ServerCAKey

Custom Trust Keystore = \ServerTrust.jks, such as c:\temp\ServerTrust.jks
Custom Trust Keystore Type = jks
Custom Trust Keystore Passphrase = ServerTrustStorePass
Confirm Custom Trust Keystore Passphrase = ServerTrustStorePass

Configuration tab -> SSL subtab

Identify and Trust Locations = Keystores
Private key alias = identity
Private Key Passphrase = ServerCAKey
Confirm Private Key Passphrase = ServerCAKey

Then save.

After this restart your WLS server and you should see similar messages to the following in the WLS logs:

Alternatively is you see the following messages you have made a mistake in your configuration:

10/07/2009 4:08:30 PM WST>     
<10/07/2009 4:08:30 PM WST>     
<10/07/2009 4:08:30 PM WST>

3) Modify the web service to use the Wssp1.2-2007-Https.xml WLS policy

This can be done in a number of ways in JDeveloper, the easiest of which for this blog post at least is just to insert the @Policy annotation into the JAX-WS endpoint as follows:

(Note if you're using earlier versions of JDeveloper or Eclipse, this mechanism wont work, you must manually add the policies to the WSDL).

package au.com.sagecomputing.ws;

import javax.jws.WebService;

import javax.xml.ws.BindingType;
import javax.xml.ws.soap.SOAPBinding;

import weblogic.jws.Policy;

@WebService(serviceName = "OneWaySSLService",
            targetNamespace = "urn:OneWaySSLExample.wsdl",
            portName = "OneWaySSLPortTypePort",
            endpointInterface = "au.com.sagecomputing.ws.OneWaySSLPortType",
            wsdlLocation = "/WEB-INF/wsdl/OneWaySSLExample.wsdl")
@BindingType(SOAPBinding.SOAP12HTTP_BINDING)
@Policy(uri = "policy:Wssp1.2-2007-Https.xml") 
public class OneWaySSLPortTypeImpl {

  public String oneWaySSLOperation(String part) {
    return "Hello " + part;
  }
}

4) Deploy the running web service to WLS

Within JDeveloper to deploy and run from the integrated WLS, it's simply a case of right clicking on the JAX-WS file and selecting Run.

If you click on the hyperlink provided in the log window, this will open the HTTP Analyzer. From the HTTP Analyzer you can open the WSDL at the top of the window:

Note on deployment to WLS you can see that the Wssp1.2-2007-Https.xml policy has been added to the binding to enforce One-Way SSL, and in addition the service address now runs from HTTPS, not HTTP, on the now enabled SSL port.

5) Test the running web service via JDeveloper's HTTP Analyzer

JDeveloper out of the box includes HTTP Analyzer for testing your web services. It's particularly useful as you don't have to leave the confines of your IDE to test your web services.

In order to run the HTTP Analyzer with SSL'ed web service traffic, you need to make some changes to the configuration of JDeveloper. Selecting the Tools->Preferences menu option, followed by Https and Truststore Settings, you can configure the Client and Server keystores HTTP Analyzer needs to run with SSL.

If you followed my exact instructions on setting up a selfsigned CA into the WLS identity and trust keystores, you need to enter the following options in the Preferences Https and Trusting Settings page:

Client Trusted Certificate Keystore: c:\temp\ServerTrust.jks
Client Trusted Keystore Password: ServerTrustStorePass

Server Keystore: c:\temp\ServerIdentity.jks
Server Keystore Password: ServerCAKey
Server Private Key Password: ServerCAKey

When you run your web service you can access the HTTP Analyzer by clicking on the URL of your served web service in the JDev IDE log window, among other methods.

This presents the following HTTP Analyzer screens:

In the top of the screen you'll see the HTTP Analyzer has formed a dummy request for you to send out based on the web service's WSDL. In my example picture I've filled out the part field and pressed Send Request, of which you can see the reply from the web service on the right hand side.

At the bottom of the screen you can the individual request/responses that were generated in order to service the request.

6) Test the running web service via SoapUI

SoapUI is a popular web service testing tool. I wanted to show how to configure it here to show similar results to the HTTP Analyzer. The following steps were built with SoapUI v3.0.

a) Create a new Project via File -> New soapUI Project
b) In the New SoapUI Project dialog, enter a custom project name, then your WSDL, leave the rest of the fields as default.

c) In the Project list expand your new project to the last Request 1 node, and double click it.
d) This will open the Request 1 window, showing on the left handside the outgoing request payload, where you can modify the inputElement XML element with your name.
e) Pressing the green arrow executes the request against the webservice, you'll now hopefully see the SOAP response on the right handside of the window.
f) Note at the bottom right of the right handside of the window you have the text SSL Info. Clicking on this shows another sub-window with the SSL certificate information that was swapped with the WLS server to undertake the SSL communications.

7) Test the running web service via a JAX-WS client

Assuming under JDeveloper you know how to create a Java Proxy for the deployed web service, you'll end up with the following code:

import clientexamples.SSLUtilities;

import javax.xml.ws.WebServiceRef;

public class OneWaySSLPortTypePortClient
{
  @WebServiceRef
  private static OneWaySSLService oneWaySSLService;

  public static void main(String [] args)
  {
    oneWaySSLService = new OneWaySSLService();
    OneWaySSLPortType oneWaySSLPortType = oneWaySSLService.getOneWaySSLPortTypePort();

    SSLUtilities.trustAllHttpsCertificates(); 

    System.out.println(oneWaySSLPortType.oneWaySSLOperation("Chris"));
  }
}

Note SSLUtilities is a handy class written by Srgjan Srepfler that includes a number of methods for handling and modifying the default SSL behaviour. In our case in writing a simple test client we're not overly concerned about trusting the server's CA, so we can use SSUtilities.trustAllHttpsCertificates to stop the required checking.

8) Inspect the web service packets on the wire to verify the traffic is indeed encrypted

What neither JDeveloper's HTTP Analyzer nor SoapUI can do is actually confirm for you that the traffic on the network was actually encrypted. To check this we can use a wire sniffing tool called WireShark.

Warning: at some sites using wire sniffing tools like WireShark can be a dismissible offence because you can see private data on the network. Be careful to check your organisation policies before doing this.

Note if you're running the JAX-WS web services via the integrated WLS on the same localhost as SoapUI, you're most likely running through the localhost address. For various technical reasons WireShark cannot sniff packets through localhost or the MS loopback adapter in Windows. Instead we must separate our WLS and SoapUI installations, and place them on different hosts. Let's call them Box1 and Box2, with WLS and SoapUI installed respectively

Once you have both up and running, determine the IP address of Box2. Let's say that IP address was: 101.102.103.104

a) Start WireShark. In the filter box top left enter: ip.addr == 101.102.103.104
b) Select the filter Apply button.
c) Select the Capture -> Interfaces
d) Select the Start button for your ethernet card
e) WireShark is now sitting listening for traffic from the other ip.address of Box2.

f) Now in SoapUI execute the request.
g)In WireShark you should see the incoming requests:

As WireShark works at the network level it sees the individual packets, several of which will comprise the request/response between SoapUI and WLS, effectively an incredible amount of detail. You can select each packet and look at the data contained within in the bottom window of the display. This window shows the data in both hex and raw text, so you'll need to carefully look to see the data contained within. Obviously if the traffic is encrypted you wont see much meaning at all which is what we want! To see the unencrypted traffic, remove the policy from your web service, redeploy it and run the same scenario again.

Thanks

I must aim my very strong thanks to Gerard Davison from Oracle UK with assistance with this article, Gerard's help has been invaluable. Any mistakes in this post are of course mine however, of which I'm sure there will be a few in such a long post.

Net-Centricity: SOA in Battle

Thu, 20 Aug 2009 05:45:00 EDT

As the DoD and their contractors hammered out the details of Net-Centricity, it became increasingly clear that Net-Centricity required a broad, architectural approach to achieving agile information sharing in the context of a complex, siloed organization. At that point, SOA entered the Net-Centricity picture, providing essential best practices for sharing information resources to support business process needs. In the military context, such business processes are operational processes, where the operation at hand might be fueling airplanes or deploying ground troops or spying on suspected terrorists with a satellite. When battlefield commanders say that they want the warfighting resources at their disposal to be available as needed to achieve their mission objectives, they are essentially requiring a Service-Oriented approach to Net-Centricity.

The Cloud, SaaS, and IT PPM

Fri, 31 Jul 2009 05:10:00 EDT

In the same vein as the article on BPMS, have you considered a SaaS based IT PPMS (Project and Portfolio Management Systems) tool for your next project? If you are in that process now, you're in luck as Gartner has recently released their review of those tools. The report can be [...]

The Inter-Cloud of Clouds: Computing in a Multicloud World

Mon, 27 Jul 2009 22:00:00 EDT

I admit it, it's taken me a while to come around to the term inter-cloud, a concept being primarily promoted by Cisco as part of their Unified Computing platform. Lately the term seems to have been picking up some steam so I thought I'd take a moment to examine it a bit further.

My interpretation of the so called "inter-cloud" is the abstract ability to exchange information between distinct computing clouds (storage, compute, messaging etc) be it public or private in a uniform/unified way. I've come to think of it like a higher level inter-connected network atop the current world wide web via linked API's and data sources. Greg Papadopoulos from Sun calls it a Cloud of Clouds.

In one of the more thought provoking posts I've read in a long time, Vint Cerf (the father of the Internet & Google's Chief Internet Evangelist) compares the emergence of cloud computing and more specifically the inter-cloud to "the networks of the 1960s -- each network was typically proprietary. These networks were specific to each manufacturer and did not interconnect nor even have a way to express the idea of connecting to another network." Exactly the same problem we now face with the current generation of cloud infrastructure and services.

Cerf goes on to state the problem with the current inter-cloud is that "each cloud is a system unto itself. There is no way to express the idea of exchanging information between distinct computing clouds because there is no way to express the idea of “another cloud.” Nor is there any way to describe the information that is to be exchanged. Moreover, if the information contained in one computing cloud is protected from access by any but authorized users, there is no way to express how that protection is provided and how information about it should be propagated to another cloud when the data is transferred."

Interestingly he points to work being done by another father of the Internet, Sir Tim Berners-Lee (the inventor the World Wide Web) who has been pursuing ideas that may solve these so-called “inter-cloud” problems. According to Cerf, Tim Berners-Lee's idea is that by semantically linking data, we are able to create "the missing part of the vocabulary needed to interconnect computing clouds. The semantics of data and of the actions one can take on the data, and the vocabulary in which these actions are expressed appear to constitute the beginning of an inter-cloud computing language."

I understand this next statement may cause some lively debate, but I will say it anyway. If I am interpreting his assertion correctly, what the world needs is not yet another API to control the finer nuances of a physical or virtual infrastructure but instead a way for that infrastructure to communicate with other clouds around it regardless of what it is. The biggest hurdle to cloud interoperability appears to have very little to do with a willingness for cloud vendors to create open cloud API's but instead the willingness to provide the ability for these clouds to effectively inter-operate with one another. More simply the capability to work along side other cloud platforms in an open way.

Ever the visionary, Cerf says it best. The Cloud represents a "new layer in the Internet architecture and, like the many layers that have been invented before, it is an open opportunity to add functionality to an increasingly global network.." Amen brotha.

Is a Private Cloud Worthwhile?

Mon, 27 Jul 2009 17:00:00 EDT

Much discussion in the cloud computing world has focused on a simple question: Is a private cloud infrastructure worthy of the name? It's been posed in many ways, with some going so far as claiming that there is no such thing as a private cloud. Although discussions like these are all too common in many areas, the question really amounts to little more than counting angels dancing on pin heads. The key issue is whether private cloud-style infrastructure can deliver real benefits like public clouds can.

Then What Does Make Someone an Architect?

Mon, 20 Jul 2009 17:45:00 EDT

"Historically, the architect has been the coordinator of all other disciplines involved in the building process. According to training and licensing exams, architects must be able to integrate all building disciplines to protect the overall health, safety, and welfare of a project. We are responsible for not only this integration and the accessibility of structures and their surroundings for human use and habitation, but also for the end result in terms of use, quality, composition, and appearance; engineers are responsible for the application of mathematical and physical sciences, within an area of expertise, and the related health, safety, and welfare. While architects are tested in engineering systems [structures, electrical, mechanical, and site design], building construction materials and methods, codes, contracts, programming, spatial relations, history, and theory, engineers are tested only for specific systems and disciplines. Engineers have a narrow focus; architects bridge the gap between the systems [what engineers design] and what the community needs."

Cloud Services Interest Erupts in Groundswell

Sun, 19 Jul 2009 16:30:00 EDT

The anticipated benefits from adopting managed cloud services have reached the executives suites of many corporations. Proactive CEOs and CFOs are pushing their IT leadership team to seek out actionable information and guidance. There's also a constant stream of service providers announcing new offerings -- and the momentum is becoming a global phenomenon. As a result, Forrester Research has witnessed an expanding number of client inquiries around cloud computing. The acceleration in market development has been building for some time now. Forrester analysts responded to more than 264 client inquiries about cloud computing between January 2008 and April 1, 2009 from companies of all sizes and industries.

Top Performing Vendors in CRM Suites Revealed

Sat, 18 Jul 2009 13:00:00 EDT

The research showcases which vendors enabled client success based on the value delivered and the ability of the vendor to support and service its clientele. According to John Pearson, VP Competitive Intelligence Products for Aberdeen, "The 32-page vendor assessment is based on two key dimensions: first, Aberdeen aggregated top performance of companies in the target marketplace based on 1114 primary surveys conducted typically over the past eighteen months; and second, Aberdeen conducts a vendor readiness assessment which includes evaluation of responses to a standardized vendor questionnaire, analyst briefings, public records and customer interviews."

Why Microsoft Should Finally Buy Citrix

Fri, 17 Jul 2009 10:30:00 EDT

I’ve written a good bit here about the various ways Microsoft and Citrix overlap in the hypervisor space, ranging from topics like shared code base through competition for the desktop space. To me, these two players have always been the underdogs battling for the right to go head-to-head against VMware in the main enterprise (and now cloud) virtual data center event. I’ve long said here that I think Microsoft is in the best position to make that move, but to be honest, Citrix currently has better technology. In other words, Microsoft has a better strategic play, Citrix a better tactical play. The announcements that came of out Synergy last week prove that. Citrix knows what it’s doing and they know how to build virtualization products to compete with VMware.

The Impact of Making Product Choices

Fri, 17 Jul 2009 09:45:00 EDT

As part of my job, I help customers to select the appropriate software to either fulfill a need or as a component of a larger solution. Fulfilling this role means comparing similar software offerings and selecting the best fit. The challenge in this goal is to map the vendor offering into a subjective requirement, such [...]

Cloud Computing Is the Next Great Land Rush and It Is Happening Now

Thu, 16 Jul 2009 16:00:00 EDT

In theory, migration to the Cloud makes business sense; you’re enabling companies to rent computing power that would cost them too much to buy. I won’t bore you with yet another blog post on the ‘what is it’ topic. There is a great synopsis of Cloud Computing published by Mache Creeger and I recommend checking it out. In our model, we’re allowing companies to pool their resources on the supply side of Cloud Computing and leverage a much bigger, better shared infrastructure on the demand side of the equation.

Cloud Interoperability: Haven't We Danced Before?

Wed, 15 Jul 2009 17:15:00 EDT

It amuses me when people start throwing about phrases like “interoperability” and “federation” in a space still hopping in the middle of the hype cycle. You would think that with our long and growing history, we in IT could be realistic about the prospects of any early implementers putting interoperability high on the list above functionality, wouldn’t you?

Oracle Has Made a Big Commitment to Java

Sun, 05 Jul 2009 12:45:00 EDT

Today, Chuck Phillips, president of Oracle, said that Oracle was committed to provide “A Single Stack of Technology to Simplify Enterprise IT”. In order for a “Single Stack” to successfully simplify IT, Enterprise Software practitioners must commit their entire Enterprise Architecture to a single vendor.

Oracle Fusion Middleware 11g Launched

Wed, 01 Jul 2009 18:30:00 EDT

Today is the day we officially launch Oracle Fusion Middleware 11g. The major areas of investment have been the completion of the integration between Oracle and BEA products into unified suites. This matches to the month the schedule that we had committed to publicly when announcing the BEA Strategy last June. This continues our excellent track record of buying best-of-breed software and integrating it together into a common environment.

Oracle Adds Zest to SQL Developer with Standalone Data Modeling Tool

Mon, 29 Jun 2009 13:45:00 EDT

The whole SQL databases and associated tools and modeling ecosystem is ripe for tumult. My best guess is that Oracle's pending Sun Microsystems purchase will provide offense via MySQL, and the associated community, to target the Microsoft SQL Server franchise.

Q&A With Grant Ronald

Tue, 09 Jun 2009 13:45:00 EDT

(This is a reprint of an article published in the UKOUG's Select magazine early this year)

When talking about Oracle Forms and JDeveloper, one Oracle personality stands out among others - long time blogger Grant Ronald from Oracle Corporation UK. Grant has for a long time “pimped” Oracle Forms and its big brother JDeveloper at Oracle events and user groups events around the world. His popularity is shown by his blog receiving on average 2000 hits per day. Lately, to reassure Oracle customers that Oracle intends to keep on supporting Oracle Forms and show that Forms has a future inline with JDeveloper, Grant has been responsible for the Oracle’s Forms Modernization message.

Chris Muir from SAGE Computing Services Australia conducted the following Q&A session with Grant to get the low down and latest on Forms and JDeveloper, as well as a little about Grant himself.

CM: What role do you currently play at Oracle and what does your day job entail?

Grant Ronald: Well, my title says “Group Product Manager” and the products I cover are Oracle Forms and Oracle JDeveloper. As a Product Manager you are responsible for the success of the products in your area. That encompasses everything from working with developers on features, the marketing department on campaigns or delivering presentations at events like Oracle World. In the morning you can be rolling your sleeves up and getting into code with a developer, and in the afternoon you can be meeting with the CTO. It’s that varied.

CM: How did you get into this Oracle gig anyhow? What’s your background at Oracle and computing in general?

Grant Ronald: Back in the early ’80s, home computing was slowly starting to take off with computers like the Sinclair Spectrum, Vic20 and BBC home computers, and it seemed like a new an innovative field to get involved in when I left school. So I got my degree in Computing Science then joined a small IT outfit in the UK that eventually got consumed by EDS. It was a pretty typical development role for about seven years, mainly focused on military applications, and my last job was designing, developing and leading the team for the development of the user interface for a military email system.

This took me up to 1996 when I fancied a change, and Oracle was looking for people with development experience on Unix and Motif in their support organization. So I joined Oracle Support where I eventually headed up the group who supported the local EMEA (Europe, Middle East, Africa) teams in Forms, Reports and Discoverer. Given that I was working closely with the Oracle Product Management team in this role, I was eventually persuaded to make the jump into Oracle Development!

CM: Ok, now for some tough questions worthy of any Q&A: You’re currently known via your blog for discussions on Oracle development including Forms and SOA, and presentations in Oracle Developer Days around the world. Previously you were also known for you work on JDeveloper. Why the change? Has Oracle internally panicked about the impression (my emphasis) customers are getting that Oracle has killed Forms, and now the need for Forms advocates?

Grant Ronald: There has not really been a change. The thing is, we’ve never stopped talking about Forms. I’ve got the air miles and passport stamps to show that we were still presenting Forms at Oracle World, ODTUG (Oracle Development Tools User Group), UKOUG (UK Oracle User Group), DOAG (German Oracle User Group) and dozens of other events covering EMEA, APAC and the Americas.

The Forms OTN page is still a hive of activity: news, events, whitepapers and how-to’s. Maybe people thought we had stopped talking about Forms because we were also talking about other technologies as well. Ten years ago if you developed on an Oracle database then you pretty much used Forms, simple as that. But the world has changed and there are other things to talk about now. Which makes sense, if you think about it; there is more need and more demand to be talking about the “new” stuff, especially when it is evolving at such a rate.

CM: On discussing Forms and considering that some Oracle customers are confused on the future of Forms, can you outline Oracle’s commitment to Forms in terms of existing versions and Oracle Support?

Grant Ronald: I think the strongest statement we have is the fact that we published a statement of direction five years ago and that statement remains true today. We’ve always said that we are committed to Forms and that there have been no plans to desupport it. That line has never changed. Regarding support, we’ve recently just extended the support date for 10.1.2 (the latest release of Oracle Forms) and Forms 11g is in development, having already had positive reviews from our beta testers. So we are lengthening the support dates, we are working on the next release and we are also discussing enhancements and features for post 11g. I think that’s all good news.

CM: Could the problem with Oracle Forms just be an image problem? It’s never been known for sexy development (a’la grey screens of boredom), and especially now that the web world, web rich clients, AJAX etc have taken off.

Grant Ronald: The sweet spot for Oracle Forms has always been the ability to rapidly develop rich, transactional business applications. So you see Oracle Forms applications in your government offices, airlines and bank back-offices etc. The need for visual “bells and whistles” is less at the fore than, for example, an online shopping application where a user makes a snap decision, often based on visual aesthetics, as to whether they will use the site.

But there is nothing to stop you pushing the boundaries of the visual aspects of Oracle Forms. We have customers who are using some of the features of Oracle Forms, like PJCs and Java beans, to really push the boundaries of the Forms UI. Like this story. So there is nothing to stop you modernizing your Forms application, starting with an update of the user interface.

CM: So what plans do Oracle have in addressing Forms customers?

Grant Ronald: We are continuing to present at all the major events and user groups. In addition, we’ve launched a focus page. This includes recorded webcasts on Forms strategy, calling web services from Forms and Forms new features. There are also white papers and customer stories as well. This is also being backed up by a roadshow which to date has hit nearly 20 countries.

For those Forms customers who are taking a step into the Java world, we have a dedicated site on OTN as well as dedicated developers guides, books and Oracle University courses.

CM: Consider an Oracle shop with a large legacy Oracle Forms application that is running well but in a desupported version of Forms. Should they have any intentions of upgrading their Forms installs and what are the risks if they don’t?

Grant Ronald: Our roadmap for Forms customers is “upgrade and integrate”. So the first point to consider is upgrade. There are, of course, benefits of upgrading but you also have to consider the risk of not upgrading: running your business applications on desupported software that is neither security nor bug patched, or being certified on newer OS or database versions. Are you managing the risk that some piece of this stack may change and destabilise your applications (e.g. a forced O/S upgrade), or are you just hoping that this software tower will hold up with no means of support. It’s your call.

Which takes us to the next point: integration. By web deploying your Forms on the application server, you are positioning yourself on a platform on which you can integrate both your legacy applications, and new services and applications.

By following the “upgrade and integrate” roadmap, you can limit the risk to your business applications while still positioning yourself for your long-term strategic goals.

CM: Consider an Oracle shop with a large amount of SQL and PL/SQL programmers who are cognisant in Forms. Which Oracle development technology should they pick for maintenance and extension of the existing system: Forms, Apex or JDeveloper/ADF?

Grant Ronald: The simplest answer is really to pick the technology/tool that suits you best. If you are extending your existing Forms application it may be that you build new business logic in the database that could be shared between Forms, Java and Apex applications. Or you might decide that you really want to exploit the power of Java and so JDeveloper and ADF would be a natural choice. Many customers are closely aligned with Oracle’s business applications and so the Oracle Fusion technology stack may drive the choice of development tool. I try to discourage customers to think in binary terms when choosing tools. The reality is that you will probably have a mix.

CM: You mention that JDeveloper and ADF would be the natural choice for an Oracle developer. Why?

Grant Ronald: As I mentioned earlier, I look after Oracle Forms and Oracle JDeveloper. One reason for this split in roles is to bring my 4GL Forms experiences into JDeveloper and Oracle ADF. When I first joined the JDeveloper team I was amazed how developers were willing to write lines of code for common actions that I set with the click of a checkbox in Forms. Part of my job is to ensure that the kind of rich features a Forms developer takes for granted are implemented in JDeveloper and Oracle ADF.

JDeveloper and Oracle ADF is also a natural choice because it’s the route our own Applications Division is taking. Our next generation Fusion applications are being built using JDeveloper and ADF. So, as the technology choice for Oracle’s own Fusion Applications, the technology is built with the Forms/Database and PL/SQL developers in mind. No other tool or framework can make this claim.

CM: What skills do you see a Forms developer needing in moving to ADF, and what approach do you suggest to a development team in minimising this learning curve?

Grant Ronald: There is a learning curve in moving to any new technology but with JDeveloper and ADF we are really smoothing out that learning curve and lowering the barrier at which you can start to become productive.

Of course, the bottom line is that you will need some Java knowledge, but how much depends on how far you want to get below the covers and customize the behaviour of the framework.

With an overview of ADF and some basic Java language skills, you can go a long way: building business services, validation, page flow, rich UI interaction, LOVs, graphs – stuff that you couldn’t even consider if you weren’t using ADF.

But if you have made a strategic choice to develop on the Java platform, I’d expect you to still have some members of your team who have a more advanced knowledge of the platform so they can make architectural decisions and set up best practices. We are also working on giving you the learning aids to get up to speed. We have developed a number of Oracle University courses specifically targeted at the Forms audience moving to Java. There are a number of books already published and more in the pipeline that are aimed at opening up the platform. And of course, we have a dedicated focus page on OTN and the essential ADF developer guides for 4GL developers.

CM: Recently you’ve been focusing on SOA technology integration with Forms. Why advantages do you see this combination providing? What challenges do Forms programmers face with integration?

Grant Ronald: The benefits of a service based approach are already well documented: loosely coupled, reusable implementations of business processes gives a more flexible, agile architecture that is better aligned to the business.

Much of the work we are doing with Oracle Forms now is to allow your existing Forms application to hook into the SOA world. The ability to call out to web services and for those services to call back asynchronously is one example.

CM: Grabbing your crystal ball, given your long-term experience in development, where do you see Oracle development in 10 years time?

Grant Ronald: I think the clearest view of the future can be seen in Oracle’s own business applications. Oracle’s Applications Division have upgraded to the most recent version of Forms, while looking to exploit the benefits of a services oriented architecture and a standards based platform. Using JDeveloper and Oracle ADF, they are taking developers from a background including Forms, PL/SQL and Peopletools, and making them productive on the Java platform.

I think this gives the clearest indication of where Oracle development is heading and I think there is a great comfort in knowing that the technology choices you are making are the ones Oracle is betting its business applications on as well.

CM: Finally, moving out of the Oracle arena, what keeps you kicking out of work? I know you play in a band.

Grant Ronald: I play a bit of keys in a band, and that mixed with a few weekends out biking helps balance out all the fun I have at Oracle!

Finding New Life For SOA in the Cloud

Thu, 28 May 2009 07:45:00 EDT

We’ve been having quite a few discussions with analysts over the past few months on the subject of “cloud”. The interesting thing about these discussions is the vast array of points of view from which those analysts are viewing “cloud”. Some are focused on the network aspects, others on pricing/differentiation, and some are even very focused on what “cloud” means to applications – and the organizations that will, allegedly, take advantage of the cloud as a means of application deployment. One such analyst is Daryl Plummer of Gartner. Daryl has always been very application focused so it’s always a pleasure to speak with him and, of late, read what he has to say via his blog. (Daryl is also a cartoonist, and has turned his interests in that area on the cloud, resulting in “G-Men”. If you haven’t yet, take a gander. He’s quite talented.) The last time we spoke to Daryl he asked “What can you do to help an organization move a monolithic application into the cloud?” That’s a fairly straightforward answer for F5, unless you specify that the organization wants to move workload into the cloud, not necessarily the entire application.

Oracle on Sun Java, MySQL, OpenOffice, and Linux

Tue, 19 May 2009 12:14:00 EDT

If you are lucky, and curious enough, Oracle can be the best place to learn the enterprise software market. I have worked at Oracle for about seven years and, in my entire career, it is where I have learned the most about enterprise software. When Oracle announced it was buying Sun, [...]

It's the End of Sun, Only Oracle Survives: Charles Fitzgerald

Wed, 22 Apr 2009 07:00:00 EDT

Charles Fitzgerald suspects IBM is going to regret not acquiring Sun, and letting Oracle do so instead. "They regretted giving Microsoft control of the software crown jewels for the PC; they may face similar situation now on the server." Fitzgerald knows whereof he speaks, having been Microsoft's former general manager of platform strategy until early last year.

Oracle Wants To Be The Apple Of The Enterprise, But It Just Became IBM

Mon, 20 Apr 2009 04:00:00 EDT

Larry Ellison has always wanted to be the Steve Jobs of the enterprise. With this morning’s announcement that Oracle will buy Sun Microsystems for $7.4 billion, he took a big step towards making Oracle more of a soup-to-nuts provider of enterprise technology. With Sun, he will now be able to build and package together everything from chips and servers to operating systems, Java middleware, databases, and enterprise applications.

Examining Cloud Computing Mergers & Acquisitions

Mon, 06 Apr 2009 06:00:00 EDT

One topic that keeps reoccurring in my various conversations is the sudden interest in cloud centric M&A activities thanks in part to the recent IBM / Sun rumors. Being that I continuously find myself in the midst of a lot of the back room, off the record type conversations I thought I'd share some of my recent insights into cloud m&a.

The Coming Cloud Computing Wars

Sat, 21 Feb 2009 00:00:00 EST

The cloud computing meme continues to billow as Juniper and IBM announce a cloud management partnership rumors swirl about heavy petting between VMware and shareholder/partner Cisco. A few months ago it seemed like every cloud discussion included Google and/or Amazon; now it appears that “the network infrastructure issue” has finally reared its head and ushered in networking and management leaders into the cloud conversation.

Red Hat Named "Platinum Sponsor" of Virtualization Conference & Expo

Thu, 29 May 2008 14:30:00 EDT

Red Hat is a trusted open source provider. Red Hat offers enterprise customers a long-term plan for building infrastructures on the quality and innovation of open source. Combining open source operating system platform, Red Hat Enterprise Linux, together with applications, management, and Services Oriented Architecture (SOA) solutions, including the JBoss Enterprise Middleware Suite.