In this entry I would like to share my experiences using Oracle Java Cloud Service, especially securing the application environment. I will show you some issues that I encountered during the standard process of setting up the environment. I will also explain some basic concepts that are fundamental to working with cloud services.
Getting started using Oracle Java Cloud Services
From cloud.oracle.com you can request a free trial account, no credit card needed! In order to set up the environment, I have followed Oracle's tutorial, which you can find in the references below. A good tip before you start the whole process: you will need to define many credentials, so remember all of them. There are some unusual requirements that you have to fulfill regarding the length and complexity of your passwords. Prepare yourself to wait even a few days for the registration of your Oracle services. It happened to me with the first services I created. Also, service instance creation can take some time, 30 minutes or more, for the database and Java services. However, it is a free version and we shouldn't expect more. It's enough to get a first experience with all the Oracle services.
After creating the first instances of the Database and Java services, I decided to set up another pair of instances for the same two services. To my surprise, it turned out that I had a very strict limit on the use of storage blocks on IaaS (Infrastructure as a Service). Thus, I couldn't create more than one instance of the Java cloud service and the database cloud service. Below, in Figure 1 and Figure 2, you can see the result. Every time you try to create a new instance, you'll receive an email warning about storage usage over the limit.
Figure 1 - View from the dashboard in Oracle Cloud My Services presenting an ongoing quota breach message.
Figure 2 - Warning informing about usage over limit.
After creating an Oracle Database Cloud Service instance and an Oracle Java Cloud Service instance, I couldn't access the WebLogic administration console. It turned out that I needed to enable specific access rules to control network access to the service components. Only after enabling the ora_p2admin_ahttps rule could I connect to the WebLogic administration console. As you can see in Figure 3, every rule has an assigned port, including the one for the WebLogic console. The same panel is accessible for other cloud services, for instance the database service. We can easily open this view by clicking the small button placed in the top right corner of the service's frame (see Figure 4).
Figure 3 - View to manage access rules for Oracle Java Cloud Service.
Figure 4 - Manage service button.
Now I would like to introduce a set of concepts that are commonly used in the context of Oracle cloud services. They can be useful for understanding the further steps of your cloud configuration.
- Cluster consists of multiple interconnected computers or servers that appear as one server to end users and applications.
- Node is a computer system on which an instance resides.
- Instance (Oracle RAC database): each node in a cluster usually has one instance of the running Oracle software that references the database.
- Load balancing is a technique to spread load between alike computers for service availability.
- Oracle RAC (Real Application Clusters) in database computing allows multiple computers to run the Oracle RDBMS (relational database management system) simultaneously while accessing a single database (providing clustering).
We can also say that a cluster is an object and load balancing is a method. In Figure 5 you can find a scheme presenting a load balancer serving one cluster placed in the Oracle cloud.
Figure 5 - Load balancer example in a cloud with one cluster.
A feature of Oracle Cloud that I found very interesting is the REST API that you can access from Oracle's services (Figure 6). All the endpoints with documentation are listed there. For instance, when you select the REST APIs for Oracle Java Cloud Service, you can create a new instance of Java Cloud Service with a POST request to the given endpoint (Figure 7). Other services have their own REST APIs.
Figure 6 - Access REST APIs from My Services on Cloud.
Figure 7 - REST endpoints to manage Oracle Java Cloud Service instances.
As an example, we can create Oracle Storage Cloud Service containers via the REST API interface using the cURL command-line tool. The storage containers will be used to back up the Oracle Java Cloud Service and Oracle Database Cloud Service. After the Replication Policy for the Oracle Storage Cloud Service has been set, we can request an authentication token using our user credentials. Below, in Listing 1, you can find the cURL command to request the authentication token:
curl -i -X GET -H "X-Storage-User: Storage-identityDomain:userEmail" -H "X-Storage-Pass: password" https://identityDomain.storage.oraclecloud.com/auth/v1.0
#result with auth token
HTTP/1.1 200 OK
Listing 1 - cURL command to request an authentication token.
In order to create containers for the Java Cloud Service and the Database, we use the following PUT commands:
curl -i -X PUT -H "X-Auth-Token: AUTH_TOKEN_RECEIVED_FROM_PREVIOUS_REQUEST" https://em2.storage.oraclecloud.com/v1/Storage-IdentityDomain/JCSContainer
curl -i -X PUT -H "X-Auth-Token: AUTH_TOKEN_RECEIVED_FROM_PREVIOUS_REQUEST" https://em2.storage.oraclecloud.com/v1/Storage-IdentityDomain/DBContainer
#result: container created
HTTP/1.1 201 Created
Listing 2 - cURL commands to create Oracle Storage Cloud Service containers named JCSContainer and DBContainer.
For every command we need to specify the header values and REST endpoint URL.
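The token request and the container creation from Listings 1 and 2 as one script, added here and not part of the original post. It passes the credentials to curl as a config file on stdin instead of as command-line arguments (which every local user could read from the process list) and checks the HTTP status of each response before going on. The identity domain, user e-mail and container names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): obtain an Oracle Storage Cloud
# auth token and create the backup containers, keeping the password out of the
# process list and shell history. Domain, user and container names are assumptions.
set -eu

# Extract the X-Auth-Token value from the response headers curl -i printed (stdin).
# HTTP header lines end in CRLF, so the CR is stripped.
extract_auth_token() {
    sed -n 's/^[Xx]-[Aa]uth-[Tt]oken:[[:space:]]*//p' | tr -d '\r' | head -n 1
}

# True when a status line such as "HTTP/1.1 201 Created" carries the expected code.
status_is() {  # usage: status_is <status-line> <code>
    printf '%s\n' "$1" | grep -Eq "^HTTP/[^ ]+ $2( |$)"
}

# Ask /auth/v1.0 for a token. The credentials reach curl through a config file
# on stdin (-K -), so they never appear as arguments visible in ps output.
get_token() {  # usage: get_token <identity-domain> <user-email> <password>
    printf 'header = "X-Storage-User: Storage-%s:%s"\nheader = "X-Storage-Pass: %s"\n' \
        "$1" "$2" "$3" |
        curl -sS -i -K - "https://$1.storage.oraclecloud.com/auth/v1.0" |
        extract_auth_token
}

# PUT one container and print the status line so the caller can check for 201.
create_container() {  # usage: create_container <token> <identity-domain> <name>
    printf 'header = "X-Auth-Token: %s"\n' "$1" |
        curl -sS -i -K - -X PUT "https://em2.storage.oraclecloud.com/v1/Storage-$2/$3" |
        head -n 1 | tr -d '\r'
}

# Demo: only runs with RUN_DEMO=1, since it needs network access and real credentials.
if [ "${RUN_DEMO:-0}" = 1 ]; then
    domain=${IDENTITY_DOMAIN:?set IDENTITY_DOMAIN}; user=${USER_EMAIL:?set USER_EMAIL}
    printf 'Storage password: '; stty -echo; read -r pass; stty echo; echo
    token=$(get_token "$domain" "$user" "$pass")
    [ -n "$token" ] || { echo "no X-Auth-Token in response" >&2; exit 1; }
    for name in JCSContainer DBContainer; do
        line=$(create_container "$token" "$domain" "$name")
        status_is "$line" 201 || { echo "$name: $line" >&2; exit 1; }
        echo "$name created"
    done
fi
```

A password containing a double quote or backslash must be escaped in the curl config syntax before it is written to the `header = "..."` line.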
Connection via SSH
In order to connect via SSH you need to use the pair of keys (public and private) that you generated when creating the Oracle service. Having the pair of keys, you can establish a connection with the VM (Virtual Machine) via the SSH protocol. You can find more in the documentation, which contains Oracle's tutorial with instructions on how to create an SSH tunnel to a port in the Virtual Machine. Below, in Listing 3, you can see how to log in to an instance as the default user (opc) with sudo privileges. You can also get some handy system information with the Unix commands below.
ssh -v -i rsa-key.ssh -L 9001:ip_addr:9001 opc@ip_addr
ps -ef | grep -i weblogic
ps -ef | grep -i java
Listing 3 - Create SSH tunnel for Oracle's VM and getting system details.
After a successful connection through port 9001 you can try to connect to the administration console from your PC by typing the following address in your web browser: localhost:9001/console. In order to connect through SSH to either the Administration Server or the Load Balancer VM, use the following commands:
ssh -i rsa-key.ssh opc@ip_addr
sudo su - oracle
Listing 4 - Connect with Java Cloud Service via SSH.
We switch to the oracle VM user to have regular OS user permissions. Then, you can use the WebLogic Administration Console to perform many actions such as managing Managed Servers or starting the Administration Server. For instance, in order to start the Administration Server you can use the WebLogic Scripting Tool (WLST) to connect to the Node Manager, from which you can start the Administration Server:
# check if the Node Manager is running
ps -ef | grep NodeManager
# go to the bin directory of your domain (placeholder path) and set up the environment
cd /path/to/your/domain/bin
. ./setDomainEnv.sh
# start WLST
java weblogic.WLST
# connect to Node Manager (replace the placeholder credentials, host, port, domain name and directory;
# the last argument, the Node Manager type, is 'ssl' or 'plain' depending on your configuration)
nmConnect('weblogic', 'nm_password', 'localhost', 5556, 'domain_name', '/path/to/your/domain', 'ssl')
# start administration server
nmStart('AdminServer')
Listing 5 - WLST script to connect into Node Manager and start Administration Server.
It's good to know that only in the free trial version do we have access to all the services offered by Oracle Cloud. For a regular account, the user has to pay separately for access to IaaS (Infrastructure as a Service), PaaS (Platform as a Service) and SaaS (Software as a Service). SaaS is also referred to as "on-demand software" and is an application that we can access via a web browser or a thin client. In the case of Oracle Java Cloud, PaaS represents WebLogic and IaaS is the virtual machine. More about accessing a VM through a Secure Shell (SSH) and WLST can be found in the references [3,4,5].
The configuration process of setting up SSO and SAML2 for your managed servers is the same as for one created on your local machine. However, remember to prepare all the managed servers in your cluster by configuring them exactly the same way. In order to use CERN SSO you have to tunnel a connection from your cloud into a server that is registered under the cern.ch domain. The other steps to configure SSO with SAML2, concerning certificates, keys, and the configuration of the managed server as a service provider on WebLogic, are the same as for a WebLogic that runs on a local machine. You can find more about it in Oracle's documentation.
From my experience, I'd like to give you some advice on how to deal with the certificates, keys and metadata file in Oracle Cloud which are required for the SSO/SAML2 configuration. After you have all the files and you have generated the keys and certificates (from https://ca.cern.ch/ca/), you can copy all of them to your WLS on the VM through the SSH protocol. In Listing 6 you have a command to copy a file from your local machine to the VM of the Cloud instance using the scp utility.
scp -i private_key /path/to/file username@vm_ip_addr:/path/to/destination
Use the same private key that you generated at the beginning of the creation process of all the Oracle service instances. Move the files from the VM into the WebLogic instance and access them from the WebLogic administration console. You will need sudo privileges for the user to move files from the VM's folder to the WebLogic domain folder in order to see them from the admin console. In Oracle's documentation you'll find how to create an SSH-enabled user on an Oracle Compute Cloud Service instance and enable sudo privileges.
For OAuth 2.0 protocol configuration you can use the OAuth Administration panel (Figure 8), where you register a client and manage its access to Oracle Cloud APIs. I didn't complete this process because I didn't have any experience with Oracle Cloud before and the whole process of OAuth2 configuration seemed quite complex to me. Moreover, I couldn't find any basic tutorial with an example of OAuth client configuration. I have read about the whole process and it requires a few steps such as configuration of the OAuth client, the OAuth Resource Server and registration of resources, and I didn't have enough time to investigate how it works during my summer program at CERN. However, it seems very promising, so don't hesitate to send me feedback about how it works for you.
Figure 8 - OAuth protocol administration panel.
To sum up, I had access to a 30-day trial version to test Oracle Cloud and I was working with two Oracle Cloud Services, i.e. Java and Database. My overall evaluation is very positive; I see great potential in using this powerful tool. However, there is one issue that I experienced while working with Oracle Cloud Services. Every time I changed something on the instance I had to wait until all the changes were applied, with the instance in Maintenance status (Fig. 8). For example, once I restarted the WebLogic Server I had to wait more than 2 hours to continue working with the instance. I also struggled with the WebLogic server, and in a few cases I had to manually start the NodeManager, Admin and Managed Servers.
In Figure 9 you can see an example error that I received once. In order to solve it, I had to start the Admin Server from the Load Balancer console again. The registration process itself was also very long; however, after the expiration of my previous trial account, the registration process for the new one was very fast and smooth.
Concluding, the free trial version offered by Oracle is very useful to get familiar with all the services. I encourage you to give it a try and share your experiences!
Have a nice and cloudy day!