Java Best Practices for Developing and...


Upload: trinhxuyen

Post on 20-Mar-2018


TRANSCRIPT

Page 1: Java Best Practices for Developing and - · PDF fileJava Best Practices for developing and deploying • Best Practices for Performance • Best Practices for Security • Best Practices

Copyright © 2017, Oracle and/or its affiliates. All rights reserved.

Java Best Practices for Developing and Deploying Against Databases in the Cloud

Nirmala Sundarappa, Principal Product Manager
Kuassi Mensah, Director of Product Management
Jean De Lavarene, Director of Development, Server Technologies
October 5th, 2017


Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.


Program Agenda

1 What are we talking about?
2 Security Settings
3 Demos
4 Java Best Practices
5 Questions


What are we talking about?

• Plain Java standalone apps
• Java App Containers
  – Apache Tomcat
  – Oracle WebLogic Server
  – IBM WebSphere
  – JBoss
• Java tools or IDEs
  – SQL Developer, SQuirreL SQL
  – IntelliJ, JDeveloper, Eclipse, NetBeans
• All these Java apps must be able to connect to a Cloud Database


What are the things to consider?

JDBC drivers must meet the cloud-specific requirements. For example:
• Support for TLSv1.2 with unlimited cipher suites
• Protocol-specific encryption and checksumming
• Support strong authentication
  – Based on certificates
  – Kerberos authentication
• Support various keystore formats (KSS, JKS, Wallets)


How about these?

• Proper error messages and traces to debug connectivity issues
• Support keepalive mechanisms
• HTTP proxy and websockets

Ideally
• Reconnect on failure and replay in-flight work
• How about asynchronous APIs?
  – The API is available for download from OpenJDK at
  – http://www.oracle.com/goto/java-async-db
  – [email protected]


Example with Oracle Cloud Database Service

Database Environment: Database as a Service (DBaaS)
Default Connectivity: TCP/IP with network encryption (Port 1521). To allow direct connection, open port 1521 for specific trusted hosts.

Database Environment: Exadata Express Cloud Service (EECS), fully managed
Default Connectivity: TCPS (Port 1522). TLSv1.2 and strong security algorithms are mandatory. Two-stage authentication: must have client wallet in addition to database credentials.


Security Settings
Mandatory: using latest JDK with JCE

• JDK version is important
  – Security bugs in some older releases
  – Always use the latest JDK upgrade
• JCE Unlimited Strength Jurisdiction Policy files
  – JDK 9 has JCE by default
  – Need to be installed in the Java runtime for JDK 7 and JDK 8.
  – TLS_RSA_WITH_AES_256_GCM_SHA384 and TLS_RSA_WITH_AES_256_CBC_SHA256 cipher suites use AES with 256-bit keys and hence require Unlimited JCE policy files
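
Added example (not part of the original slides): a preflight check, run with the same JDK the application will use, that reports whether the JCE policy allows 256-bit AES and whether TLSv1.2 and the two cipher suites named above are enabled. The class name TlsPreflight is an assumption of this example.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

/** Added example: checks the Java runtime before attempting a TCPS connection. */
public class TlsPreflight {

    // Cipher suites named on the slide; both use AES with 256-bit keys.
    static final List<String> REQUIRED_SUITES = Arrays.asList(
            "TLS_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_RSA_WITH_AES_256_CBC_SHA256");

    /** Returns one entry per check, mapped to true when the runtime passes it. */
    static Map<String, Boolean> check() throws Exception {
        Map<String, Boolean> results = new LinkedHashMap<>();

        // Limited policy files cap AES at 128 bits; unlimited policy reports Integer.MAX_VALUE.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        results.put("JCE policy allows AES-256 (max key length " + maxAes + ")", maxAes >= 256);

        SSLContext ctx;
        try {
            ctx = SSLContext.getInstance("TLSv1.2");
        } catch (NoSuchAlgorithmException e) {
            results.put("TLSv1.2 available", false);
            return results;
        }
        ctx.init(null, null, null); // default key and trust managers suffice for a capability check
        results.put("TLSv1.2 available", true);

        // Suites the runtime would offer by default, after its own security policy is applied.
        List<String> enabled = Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites());
        for (String suite : REQUIRED_SUITES) {
            results.put(suite + " enabled", enabled.contains(suite));
        }
        return results;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        boolean ok = true;
        for (Map.Entry<String, Boolean> e : check().entrySet()) {
            System.out.println((e.getValue() ? "PASS  " : "FAIL  ") + e.getKey());
            ok &= e.getValue();
        }
        System.exit(ok ? 0 : 1); // non-zero exit lets a deployment script stop early
    }
}
```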


Security Settings
Either using Oracle Wallets

• Additional jars are needed
  – oraclepki.jar, osdt_core.jar, and osdt_cert.jar
  – Available on Oracle Maven repository (maven.oracle.com)
• Make sure to have wallets at an accessible location
  – cwallet.sso (auto-login format) or ewallet.p12 (PKCS12 format)
• Provide the location of the wallet
  – oracle.net.wallet_location=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/Users/test/wallets/)))
• Enforce mutual authentication
  – oracle.net.ssl_server_dn_match=true


Security Settings
Or using Java KeyStore (JKS)

• Configure trustStore and keyStore
  – Use javax.net.ssl.trustStore and javax.net.ssl.keyStore system properties or connection properties
• Set the password for JKS
  – Use javax.net.ssl.keyStorePassword and javax.net.ssl.trustStorePassword
• Enable the server DN match
  – oracle.net.ssl_server_dn_match=true


Connecting to the Cloud is easier than ever
Oracle JDBC 18

DB 18 related capabilities will be updated once the Database 18c is released. Please stay tuned.


DBCS Connectivity – Overview

• TCP connections allowed
  – Port 1521 needs to be unblocked before usage
• Full control over the database.
  – HR schema is available, but needs to be unlocked
  – Create more users or schemas or tables by connecting to the compute node
• SSH access to the compute node


Java connectivity to Oracle Database Cloud Service (DBCS)
Create the service and unblock port 1521


Java Connectivity to DBCS
Unblock the port 1521


Java Connectivity to DBCS using Tomcat
Sample context.xml

<Context>
  <Resource name="jdbc/orcldriver_dbcs" auth="Container"
            type="javax.sql.DataSource"
            driverClassName="oracle.jdbc.OracleDriver"
            username="hr" password="hr"
            url="jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(HOST=140.86.xx.yy)(PORT=1521)(PROTOCOL=tcp))(CONNECT_DATA=(SERVICE_NAME=PDB1.xxxxxx.oraclecloud.internal)))" />
</Context>


Screenshot of the Servlet connecting to database service


EECS Connectivity – Overview
A fully managed experience for hands-free cloud database operation

• TCPS connections required
• Mandates SSL connection using TLSv1.2
  – Java KeyStore files or Oracle Wallets
• PDB_ADMIN is the user created by default
  – Create your own user
• Requires Java Cryptography Extension (JCE) in the JDK/JRE.


Exadata Express Cloud Service Connectivity
Download client_credentials.zip


Exadata Express Cloud Service (EECS) Connectivity
Choose wallet or keystore password


Exadata Express Connectivity
client_credentials.zip contents

File name: tnsnames.ora and sqlnet.ora
Description: Network configuration files storing connect descriptors and SQL*Net client-side configuration

File name: cwallet.sso and ewallet.p12
Description: Auto-open SSO wallet and PKCS12 file. PKCS12 file is protected by the wallet password provided in the UI.

File name: truststore.jks and keystore.jks
Description: JKS truststore and keystore. Protected by the wallet password provided in the UI.


Exadata Express Cloud Service (EECS) Connectivity
Pre-requisites

• For Thin JDBC
• Unzip the client_credentials.zip file to any location
• Update JDK path to use the latest JDK 8/JDK 7 with the required JCE policy files
• Pass truststore or wallet related parameters as connection/system properties
• Connect using the connection string “jdbc:oracle:thin:@dbaccess” with dbaccess being the TNS alias.

Detailed steps are documented in Exadata Express Service Console links


Exadata Express Cloud Service Connectivity
Sample script to run

java -Doracle.net.tns_admin=/home/myuser/cloud \
  -Doracle.net.ssl_server_dn_match=true \
  -Djavax.net.ssl.trustStore=/home/myuser/cloud/truststore.jks \
  -Djavax.net.ssl.trustStorePassword=welcome1 \
  -Djavax.net.ssl.keyStore=/home/myuser/cloud/keystore.jks \
  -Djavax.net.ssl.keyStorePassword=welcome1 \
  DataSourceSample
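
Added example (not from the original slides and not Oracle's DataSourceSample): the same settings as the sample script, with the keystore parameters passed as connection properties so the store passwords do not appear on the JVM command line, followed by a query that confirms the session runs over TCPS. The class name and the environment variable names are assumptions of this example; the Oracle JDBC driver must be on the classpath.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

/** Added example: TCPS connection using the JKS files from client_credentials.zip. */
public class TcpsConnect {

    /** Builds the connection properties; all secrets are supplied by the caller. */
    static Properties buildProperties(String credDir, String dbUser,
                                      String dbPassword, String storePassword) {
        Properties p = new Properties();
        p.setProperty("user", dbUser);
        p.setProperty("password", dbPassword);
        // Refuse the connection unless the server certificate DN matches the connect descriptor.
        p.setProperty("oracle.net.ssl_server_dn_match", "true");
        p.setProperty("javax.net.ssl.trustStore", credDir + "/truststore.jks");
        p.setProperty("javax.net.ssl.trustStorePassword", storePassword);
        p.setProperty("javax.net.ssl.keyStore", credDir + "/keystore.jks");
        p.setProperty("javax.net.ssl.keyStorePassword", storePassword);
        return p;
    }

    /** Reads a required environment variable and fails fast when it is missing. */
    static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("environment variable " + name + " is not set");
        }
        return value;
    }

    public static void main(String[] args) throws SQLException {
        // Hypothetical variable names chosen for this example.
        String credDir = requireEnv("DB_CRED_DIR"); // directory where client_credentials.zip was unzipped
        // tnsnames.ora in this directory resolves the "dbaccess" alias; the path is not a secret.
        System.setProperty("oracle.net.tns_admin", credDir);
        Properties props = buildProperties(credDir, requireEnv("DB_USER"),
                requireEnv("DB_PASSWORD"), requireEnv("DB_STORE_PASSWORD"));

        String sql = "SELECT sys_context('USERENV','NETWORK_PROTOCOL') FROM dual";
        try (Connection conn = DriverManager.getConnection("jdbc:oracle:thin:@dbaccess", props);
             Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            while (rs.next()) {
                // The server reports the protocol of this session; tcps means TLS is in use.
                System.out.println("network protocol: " + rs.getString(1));
            }
        }
    }
}
```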


Java Best Practices for developing and deploying
Connecting to Database services on Cloud

• Best Practices for Performance
• Best Practices for Security
• Best Practices for High Availability
• Alternative approach for Accessibility
• Troubleshooting tips


Best Practices for Performance
Reduce roundtrips, optimize sessions and data transfer

• Use Connection Pooling (Example: UCP)
  – Optimize MinPoolSize, MaxPoolSize and timeouts
• Bind variables
  – Prevents re-parsing of frequently executed statements
  – Re-execute the same PreparedStatement with different binds
• Array operations instead of single row operations
  – DML Batching and Row Prefetch
  – preparedStatement.addBatch() and preparedStatement.sendBatch()


Best Practices for Performance
Reduce roundtrips, optimize sessions and data transfer

• Prefetching
  – Prefetch a number of rows (configurable): preparedStatement.setFetchSize(20)
• Statement Caching
  – Caches most recently used statements
  – oracleDataSource.setImplicitCachingEnabled(true) and connection.setStatementCacheSize(10)
• Client Query Result Cache
  – Caches SQL query results on client tier
  – Oracle transparently maintains cache consistency with server side changes


Best Practices for Performance
Reduce roundtrips, optimize sessions and data transfer

• Co-locate application servers and database servers (if possible) in order to reduce latency
  – Run ping or traceroute to look at latency
• Tune the Session Data Unit (SDU) for large LOBs, XMLs, large result sets
  – Max: 2MB (12c), 64K (11.2), 32K (pre-11.2)
  – Set on both server and client side (sqlnet.ora (DEFAULT_SDU_SIZE), tnsnames.ora or URL)
  – jdbc:oracle:thin:@(DESCRIPTION=(SDU=11280)(ADDRESS=(PROTOCOL=tcp)(HOST=myhost-vip)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=myorcldbservicename)))
• Sharded database for scalability


Best Practices for Security

• For corporate environment, use VPN
• If you want to enable direct connection
  – Enable access to Database listeners from only specific set of trusted IP addresses
• Set up Logon Storm Handler to limit the connection rate
  – RATE_LIMIT parameter for Listener
• Protect the wallet or keystore
  – Ensure that the files are protected through file system permissions, backed up securely, and only read access is granted to the users running applications at run-time
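
Added example (not part of the original slides): one way to check the file-permission advice above on a POSIX file system, assuming the wallet and keystore files are owned by the account that runs the application. The class name is an assumption of this example; with no argument it audits a constructed temporary directory.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;

/** Added example: audits wallet and keystore file permissions (POSIX file systems only). */
public class CredentialFileAudit {

    // File names listed for client_credentials.zip earlier in the deck.
    static final List<String> SECRET_FILES = Arrays.asList(
            "cwallet.sso", "ewallet.p12", "truststore.jks", "keystore.jks");

    /** Returns one finding per permission bit that goes beyond owner read access. */
    static List<String> audit(Path dir) throws IOException {
        List<String> findings = new ArrayList<>();
        for (String name : SECRET_FILES) {
            Path file = dir.resolve(name);
            if (!Files.isRegularFile(file)) {
                continue; // a deployment may use only the wallet or only the JKS pair
            }
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
            for (PosixFilePermission p : perms) {
                if (p != PosixFilePermission.OWNER_READ) {
                    findings.add(name + ": unexpected permission " + p
                            + " (mode " + PosixFilePermissions.toString(perms) + ")");
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        Path dir;
        if (args.length > 0) {
            dir = Paths.get(args[0]);
        } else {
            // Constructed sample: one file locked down to owner read, one too permissive.
            dir = Files.createTempDirectory("cred-audit-demo");
            Files.createFile(dir.resolve("truststore.jks"), PosixFilePermissions
                    .asFileAttribute(PosixFilePermissions.fromString("r--------")));
            Files.createFile(dir.resolve("keystore.jks"), PosixFilePermissions
                    .asFileAttribute(PosixFilePermissions.fromString("rw-r--r--")));
        }
        List<String> findings = audit(dir);
        findings.forEach(System.out::println);
        System.exit(findings.isEmpty() ? 0 : 1); // non-zero exit when anything is too open
    }
}
```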


Best Practices for High Availability

• Leverage most advanced HA features by using latest DB client
  – Timeout and retry in connect string
  – Application Continuity
  – Replay Driver
  – At most once commit
  – In-flight transactions are transparently replayed in case of failure
  – Fast Application Notification
  – More reliable and predictable than the ugly TCP timeout
  – In-band notifications are preferred


Oracle Best Practices for High Availability
Gracefully handle service temporary unavailability

Connection String:

(DESCRIPTION_LIST=
  (DESCRIPTION=
    (ENABLE=BROKEN)
    (TRANSPORT_CONNECT_TIMEOUT=10)
    (RETRY_COUNT=10)(RETRY_DELAY=5)
    (ADDRESS_LIST=(ADDRESS= . . .)(ADDRESS= . . .))
    (CONNECT_DATA=(SERVICE_NAME=hr_svc)))
  (DESCRIPTION=
    (RETRY_COUNT=10)(RETRY_DELAY=5)
    (ADDRESS_LIST=(ADDRESS= . . .)(ADDRESS= . . .))
    (CONNECT_DATA=(SERVICE_NAME=hr_svc2))))

Callouts on the slide:
• ENABLE=BROKEN: Enable TCP KeepAlive
• TRANSPORT_CONNECT_TIMEOUT: TCP/IP level timeout
• RETRY_COUNT, RETRY_DELAY: Retry while service is unavailable


Expose your Cloud Database as an OData feed
Open Protocol for queryable and interoperable RESTful APIs

• Started by Microsoft in 2007
• OASIS Standard since Feb 2014
• RESTful APIs instead of SQL
• Allows rapid development

OData:
• Filtering
• Ordering
• Joining
• Paging
• Transactions


Troubleshooting Tips

• Common cause – Firewalls blocking connections
• Troubleshooting – Run traceroute, e.g.
  • traceroute -T -p 1521 <IP of DBaaS host> (for DBaaS)
    (You can find DBaaS host Public IP from DBaaS Service Console)
  • traceroute -T -p 1522 <public hostname for your Exadata Express Cloud Service>
    (You can find the public hostname from the tnsnames.ora file, which is included in the zip file downloaded from Service Console. Example: dbaccess.us2.oraclecloudapps.com)
  – Identify where it is failing and take appropriate actions
