Are you using a HTTP server for your ADF applications and for what?
833 views
Skip to first unread message
Chris Muir
Jul 8, 2012, 11:42:07 PM7/8/12
to ADF Enterprise Methodology Group
It seems a while since we've had an actual technical discussion on the
group, what with all the recent announcements. So I wanted to ping
members of the ADF EMG to see what they're using HTTP servers for if
at all in their ADF solutions.
ADF sites with high performance and availability demands may not just
rely on their WLS infrastructure for serving their ADF applications,
but also on separate HTTP servers to offload processing.
Such servers include options such as Oracle HTTP Server (OHS), Apache
Web Server, MS-IIS, Oracle Web Cache (OWC) and (if you're particularly
lucky and own an ExaLogic toaster) Oracle Traffic Director (OTD).
Their functionality can include such things as acting as a reverse
proxy, compressing content, offloading SSL processing, caching static
content and more.
Returning to the original question, as these servers include a wide
array of functionality, some applicable to ADF applications and some
not, I wanted to quiz members if and why they're using these servers?
Is it for just one or two features, it is because your organization
dictates web content must be served via MS-IIS as example, are there
any features you want to use but can't because of the way ADF works?
Keen to hear your thoughts and experiences.
Regards,
CM.
group, what with all the recent announcements. So I wanted to ping
members of the ADF EMG to see what they're using HTTP servers for if
at all in their ADF solutions.
ADF sites with high performance and availability demands may not just
rely on their WLS infrastructure for serving their ADF applications,
but also on separate HTTP servers to offload processing.
Such servers include options such as Oracle HTTP Server (OHS), Apache
Web Server, MS-IIS, Oracle Web Cache (OWC) and (if you're particularly
lucky and own an ExaLogic toaster) Oracle Traffic Director (OTD).
Their functionality can include such things as acting as a reverse
proxy, compressing content, offloading SSL processing, caching static
content and more.
Returning to the original question, as these servers include a wide
array of functionality, some applicable to ADF applications and some
not, I wanted to quiz members if and why they're using these servers?
Is it for just one or two features, it is because your organization
dictates web content must be served via MS-IIS as example, are there
any features you want to use but can't because of the way ADF works?
Keen to hear your thoughts and experiences.
Regards,
CM.
Jean-Marc Desvaux
Jul 9, 2012, 2:26:02 AM7/9/12
to adf-met...@googlegroups.com
Hi Chris,
The choice of Oracle HTTP Server was a "by default" one as it was setup & configured in OC4J/iAS installation.
We configured Oracle web cache because it makes a big difference in performance for ADF applications, specifically on slow links.
Later when we moved to a mixed OC4J and Weblogic setup, we also used the Oracle Webtier (HTTP and web cache) as weblogic proxy (mod_wls_ohs) for Single Sign-on (mod_osso), each single weblogic server machine having its WebTier setup on the same machine.
With the new "preferred Oracle SSO" (webgate & OAM), we also need the WebTier because Webgate is setup per HTTP server to single sign using OAM.
The change I am currently considering is to use a "detached" Oracle HTTP front-end with webgate instead of one per weblogic machine which will be much cleaner.
Basic Load Balancing (round robin) to WLS servers can also be setup for apps deployed on many servers if necessary.
Also we need to setup SSL for all tiers to avoid VPN etc..
For SSL configuration, my first idea was to use some SSL appliance to avoid SSL payloads and additional setups on each server.
We tried using a few appliances but had difficulties to make it work with Oracle OSSO.
We do have an Active Directory domain for desktop and network security and could choose to use one single Directory and integrate WLS with IIS and MS SSO but we decided to have a separate and dedicated Oracle Internet Directory.
One of the main reasons was :
1/. Oracle changes in releases etc.. leading to new setup with probably more problems to integrate with MS than with Oracle itslef
2/. I like the idea of having a dedicated Oracle "block" and maintain our business apps independently to the MS block maintenance.
And 3/. due to licencing/cost, as to what we understand, a "full" IDM licence is required to add other-than-Oracle tiers in the setup.
Regards.
Jean-Marc
Simon Haslam
Jul 9, 2012, 7:50:59 AM7/9/12
to adf-met...@googlegroups.com
This is a very interesting question Chris.
From a non-ADF standpoint I often discuss this question with people
too, especially given that most enterprise sites have a hardware load
balancer (or ADC) in front of the web tier anyway which can do all
sorts of clever things from SSL offload to caching and content
routing. There are one or two big WebLogic sites I am aware of that
don't have a web tier but have load balancers talking straight to
managed servers. The biggest stumbling block for this approach (which
I do rather like as it reduces the number of "moving parts") is
security - with a web tier you can have that in the DMZ and the app
tier in the inside (or another DMZ) zone; without a web tier you need
the app tier in the DMZ. For a properly hardened environment I
personally don't have such a problem with this but I know a lot of
security people do.
Within a "full Oracle" environment Jean-Marc highlights the most
common functional driver for using OHS, namely OAM.
Simon
From a non-ADF standpoint I often discuss this question with people
too, especially given that most enterprise sites have a hardware load
balancer (or ADC) in front of the web tier anyway which can do all
sorts of clever things from SSL offload to caching and content
routing. There are one or two big WebLogic sites I am aware of that
don't have a web tier but have load balancers talking straight to
managed servers. The biggest stumbling block for this approach (which
I do rather like as it reduces the number of "moving parts") is
security - with a web tier you can have that in the DMZ and the app
tier in the inside (or another DMZ) zone; without a web tier you need
the app tier in the DMZ. For a properly hardened environment I
personally don't have such a problem with this but I know a lot of
security people do.
Within a "full Oracle" environment Jean-Marc highlights the most
common functional driver for using OHS, namely OAM.
Simon
Chris Muir
Jul 10, 2012, 3:29:31 AM7/10/12
to adf-met...@googlegroups.com
Thanks for the response Jean-Marc.
In addressing Oracle Web Cache (OWC) and your comment "We configured
specific features you were using within OWC and in turn what was the
advantage to slow links please?
Thanks,
CM.
> --
> You received this message because you are subscribed to the ADF Enterprise
> Methodology Group (http://groups.google.com/group/adf-methodology). To
> unsubscribe send email to adf-methodolo...@googlegroups.com
>
> All content to the ADF EMG lies under the Creative Commons Attribution 3.0
> Unported License (http://creativecommons.org/licenses/by/3.0/). Any content
> sourced must be attributed back to the ADF EMG with a link to the Google
> Group (http://groups.google.com/group/adf-methodology).
In addressing Oracle Web Cache (OWC) and your comment "We configured
Oracle web cache because it makes a big difference in performance for
ADF applications, specifically on slow links", can you comment on what
specific features you were using within OWC and in turn what was the
advantage to slow links please?
Thanks,
CM.
> You received this message because you are subscribed to the ADF Enterprise
> Methodology Group (http://groups.google.com/group/adf-methodology). To
> unsubscribe send email to adf-methodolo...@googlegroups.com
>
> All content to the ADF EMG lies under the Creative Commons Attribution 3.0
> Unported License (http://creativecommons.org/licenses/by/3.0/). Any content
> sourced must be attributed back to the ADF EMG with a link to the Google
> Group (http://groups.google.com/group/adf-methodology).
Chris Muir
Jul 10, 2012, 3:35:47 AM7/10/12
to adf-met...@googlegroups.com
Thanks Simon.
Regarding offloading SSL processing to another dedicated hardware
appliance or server, I've often read that the certificate and
encrypt/decrypt processing is significantly CPU intensive. Yet how
significant an advantage is this to offload this processing? Or in
other words, how do you determine the tipping point for deciding a
dedicated resource is required?
Regards,
CM.
Regarding offloading SSL processing to another dedicated hardware
appliance or server, I've often read that the certificate and
encrypt/decrypt processing is significantly CPU intensive. Yet how
significant an advantage is this to offload this processing? Or in
other words, how do you determine the tipping point for deciding a
dedicated resource is required?
Regards,
CM.
Jean-Marc Desvaux
Jul 10, 2012, 4:09:30 AM7/10/12
to adf-met...@googlegroups.com
Chris,
Without OWC and no implicit caching directives in ADF, the worker behind a slow link (let's say <=128Kbps) has plenty of time for at least 2 cup of coffees before the ADF js and images are completely downloaded.
The only issue is we have to rename manually at redeployment our own cached resource files (very few js and some images) to avoid issues on browser side where cache has not expired yet.
It's not a big deal but I can agree it's not clean.
Sorry if I have no much more to say about our OWC usage.
-Jean-Marc
Chris Muir
Jul 10, 2012, 4:23:13 AM7/10/12
to adf-met...@googlegroups.com
On the contrary, hearing that you use it mostly out of the box is appreciated.
Without ignoring the Oracle solution here (shhhh, nobody at Oracle
reads this do they? ;-) have you investigated other caching solutions
and why they may have been a good/bad fit for ADF? What was your main
driver for picking OWC? It came with your licenses, it works out of
the box (in other words it just works?), it magically installed itself
and you can't delete it? ;-)
CM.
Without ignoring the Oracle solution here (shhhh, nobody at Oracle
reads this do they? ;-) have you investigated other caching solutions
and why they may have been a good/bad fit for ADF? What was your main
driver for picking OWC? It came with your licenses, it works out of
the box (in other words it just works?), it magically installed itself
and you can't delete it? ;-)
CM.
Jean-Marc Desvaux
Jul 10, 2012, 5:07:07 AM7/10/12
to adf-met...@googlegroups.com
That's it !
We have no investigated any other caching solutions, OWC came with my licences, it's part of WebTier & it works out of the box.
JM
----
Simon Haslam
Jul 10, 2012, 7:19:42 AM7/10/12
to adf-met...@googlegroups.com
I'm usually talking about a pair of hardware load balancers (Cisco,
F5, Juniper etc). Most organisations above a moderate size have them
and all of the devices I've worked with have SSL acceleration built-in
(some have none or a limited amount as standard but extra performance
from either a plug-in module or sometimes just a licence key).
Regarding performance, even though load balancers aren't cheap,
they're usually an order of magnitude cheaper than Oracle licences.
Therefore any load you can take off your Oracle servers is an easy
win, expecially if you already have the LBs. Whether you terminate on
the LB or have a second SSL connection seems vary between customers.
Finally if you are terminating your SSL on the LB for several systems
you can manage your public certificates and renewals from one place
which some smaller enterprise customers value.
F5, Juniper etc). Most organisations above a moderate size have them
and all of the devices I've worked with have SSL acceleration built-in
(some have none or a limited amount as standard but extra performance
from either a plug-in module or sometimes just a licence key).
Regarding performance, even though load balancers aren't cheap,
they're usually an order of magnitude cheaper than Oracle licences.
Therefore any load you can take off your Oracle servers is an easy
win, expecially if you already have the LBs. Whether you terminate on
the LB or have a second SSL connection seems vary between customers.
Finally if you are terminating your SSL on the LB for several systems
you can manage your public certificates and renewals from one place
which some smaller enterprise customers value.
hasim
Jul 10, 2012, 11:55:37 AM7/10/12
to adf-met...@googlegroups.com
It is good idea to have at least couple of web tier (ohs ,iis ,apache) on two different machine
that will talk to weblogic cluster to achiever best load balancing. Let us say that you have F5
which is redirecting your request to IIS-1 which is Down ,so it will redirect the request to IIS-2
that will eventually redirect request to Cluster that will take care of redirecting to managed server
based on weblogic configured algo.
Hint :- Do not expose your middle-tier directly , have atleast one or both (F5,Webtier).
So it is in best interest to have web-tier , if you cant buy license for OHS + Web Cache
better use Apache. Instead of using hardware load balancer like F5 use software load balancer.
Thanks, Hasim
that will talk to weblogic cluster to achiever best load balancing. Let us say that you have F5
which is redirecting your request to IIS-1 which is Down ,so it will redirect the request to IIS-2
that will eventually redirect request to Cluster that will take care of redirecting to managed server
based on weblogic configured algo.
Hint :- Do not expose your middle-tier directly , have atleast one or both (F5,Webtier).
So it is in best interest to have web-tier , if you cant buy license for OHS + Web Cache
better use Apache. Instead of using hardware load balancer like F5 use software load balancer.
Thanks, Hasim
On Tue, Jul 10, 2012 at 9:05 AM, Zeeshan Baig <shan...@gmail.com> wrote:
Hi,With Weblogic clustering HTTP servers uses plug-ins to distribute load between managed servers. without HTTP server if your managed throws the famous java OutOfMemory exception then your application will stop requesting.Usually i see as common architecture request comes to Load balancer which distributes to multiple HTTP servers and the HTTP server redirects you to weblogic cluster in a round robin fashion.In my opinion HTTP server also provides you a bit security layer instead of directly accessing weblogic instance.Zeeshan Baig
--
Simon Haslam
Jul 10, 2012, 4:39:43 PM7/10/12
to adf-met...@googlegroups.com
I am of course assuming the load balancers have been set up with appropriate health checks/monitors to ensure timely failover. They may too have resource managment measures to ensure new sessions are handed by the least loaded managed server. I am conscious that at some sites the network team and Oracle administration team aren't very close so getting this level of co-operation isn't always easy - hence in my experience a lot of LB end up with sub-optimal configurations (which is also a key driver behind OTD).
I don't think you can say that you must always have a web-tier without providing some supporting evidence - inevitably there are pros and cons. A forum like this is the place to have a scientific debate. So, as a starting point, can anyone think of a vulnerability in WebLogic (presumably now patched) that would have been exposed by a firewall and load balancer but protected by a web-tier of some flavour? For example, here's one I found (http://www.exploit-db.com/exploits/16959/) but it's not obvious to me that Apache or OHS would make an unpatched WebLogic any less vulnerable. There could well be some cross-site scripting exploits that maybe the web tier, by being another hop in the chain, makes them much harder to orchestrate but I'd love to see some examples.
Note: this isn't me being argumentative, I just think we always need to question what might be considered convential wisdom.
Simon
I don't think you can say that you must always have a web-tier without providing some supporting evidence - inevitably there are pros and cons. A forum like this is the place to have a scientific debate. So, as a starting point, can anyone think of a vulnerability in WebLogic (presumably now patched) that would have been exposed by a firewall and load balancer but protected by a web-tier of some flavour? For example, here's one I found (http://www.exploit-db.com/exploits/16959/) but it's not obvious to me that Apache or OHS would make an unpatched WebLogic any less vulnerable. There could well be some cross-site scripting exploits that maybe the web tier, by being another hop in the chain, makes them much harder to orchestrate but I'd love to see some examples.
Note: this isn't me being argumentative, I just think we always need to question what might be considered convential wisdom.
Simon
Mark Robinson
Jul 10, 2012, 12:23:13 PM7/10/12
to adf-met...@googlegroups.com
Hi Chris,
I did some work at a place that used Varnish cache. It did not work at all. Somehow the Varnish, or how it was configured, was munging the session data. So you could bring up a single page but you would not be able to perform an interactions with the page. It was incredibly weird.
In the end, to get it to work we had to get IT to disable the cache completely for the site.
Mark
I did some work at a place that used Varnish cache. It did not work at all. Somehow the Varnish, or how it was configured, was munging the session data. So you could bring up a single page but you would not be able to perform an interactions with the page. It was incredibly weird.
In the end, to get it to work we had to get IT to disable the cache completely for the site.
Mark
Chris Muir
Jul 22, 2012, 7:47:43 AM7/22/12
to adf-met...@googlegroups.com
Why not just use the same load balancers? (OHS or dedicated)
CM.
Interesting topic. We use OHS+OAM as the web tier ourselves. And for load balancing the middletier, we just use OHS(which is apache with oracle plugins if I am not mistaken) although at some point a dedicated load balancer(layer 7, HAProxy maybe?) might come in handy.We do however have something we are currently trying to figure out. Given this setup:WebTier(OHS+OAM) ---> Managed ADF Server(WLS) ---> Stateless WebServices(still WLS, which may or may not be on the same servers as the ADF layer)What is the best way(in terms of ease of implementation, maintenance and cost) to load balance the segment between the ADF servers and the WS Servers?
Chris Muir
Aug 9, 2012, 4:30:58 AM8/9/12
to adf-met...@googlegroups.com
"Does splitting the application and deploying the web tier on a
webserver and business service on an application server with load
balancing make much of improvement ?"
If you're referring to splitting the ADF BC layer from the ADF Faces
layer across servers using the EJB session bean solution, I believe this
option will be removed in the 12c JDev release so I don't recommend
following it.
Alternatively you may be referring to introducing Oracle Web Cache or a
CDN. Overall these would be a good approach as well as compression via
your HTTP server. The WebCenter team talked about some of these
optimisations recently:
https://blogs.oracle.com/ATEAM_WEBCENTER/entry/improving_webcenter_performance
https://blogs.oracle.com/ATEAM_WEBCENTER/entry/adf_faces_11g_ps5_new
Sorry but I can't comment on your Citrix question.
CM.
On 9/08/12 4:02 PM, Saif Kamaal wrote:
> All,
>
> I just managed to configure Apache Websever to act as load balancer for
> 2 weblogic servers. Results of testing still awaiting but i had a couple
> of questions
>
> 1) Does splitting the application and deploying the web tier on a
> webserver and business service on an application server with load
> balancing make much of improvement ?
> 2) For applications that are accessed via Citrix, what hardware setup
> needs to be done as the performance is always a matter of concern here.
>
> thnks
> SK
>
> On Wednesday, July 25, 2012 6:23:48 PM UTC+4, Hyangelo wrote:
>
> If you are talking about this setup:
>
> WebTier(OHS+OAM) --> ADF_SERVER --> (OHS) --> WS_SERVER
>
> then yes we've thought about it and we are considering it but we
> were wondering if there was a way for WLS itself to do the
> loadbalancing for WebServices deployed on a cluster. I know OSB can
> do load balancing but it is kind of an overkill to deploy OSB just
> to do load balancing.
webserver and business service on an application server with load
balancing make much of improvement ?"
If you're referring to splitting the ADF BC layer from the ADF Faces
layer across servers using the EJB session bean solution, I believe this
option will be removed in the 12c JDev release so I don't recommend
following it.
Alternatively you may be referring to introducing Oracle Web Cache or a
CDN. Overall these would be a good approach as well as compression via
your HTTP server. The WebCenter team talked about some of these
optimisations recently:
https://blogs.oracle.com/ATEAM_WEBCENTER/entry/improving_webcenter_performance
https://blogs.oracle.com/ATEAM_WEBCENTER/entry/adf_faces_11g_ps5_new
Sorry but I can't comment on your Citrix question.
CM.
On 9/08/12 4:02 PM, Saif Kamaal wrote:
> All,
>
> I just managed to configure Apache Websever to act as load balancer for
> 2 weblogic servers. Results of testing still awaiting but i had a couple
> of questions
>
> 1) Does splitting the application and deploying the web tier on a
> webserver and business service on an application server with load
> balancing make much of improvement ?
> 2) For applications that are accessed via Citrix, what hardware setup
> needs to be done as the performance is always a matter of concern here.
>
> thnks
> SK
>
> On Wednesday, July 25, 2012 6:23:48 PM UTC+4, Hyangelo wrote:
>
> If you are talking about this setup:
>
> WebTier(OHS+OAM) --> ADF_SERVER --> (OHS) --> WS_SERVER
>
> then yes we've thought about it and we are considering it but we
> were wondering if there was a way for WLS itself to do the
> loadbalancing for WebServices deployed on a cluster. I know OSB can
> do load balancing but it is kind of an overkill to deploy OSB just
> to do load balancing.
>
> On Sunday, July 22, 2012 7:47:43 AM UTC-4, Chris Muir wrote:
>
> Why not just use the same load balancers? (OHS or dedicated)
>
> CM.
>
> On 16/07/2012, at 9:09 PM, Hyangelo <hyan...@gmail.com
> On Sunday, July 22, 2012 7:47:43 AM UTC-4, Chris Muir wrote:
>
> Why not just use the same load balancers? (OHS or dedicated)
>
> CM.
>
> On 16/07/2012, at 9:09 PM, Hyangelo <hyan...@gmail.com
> <javascript:>> wrote:
>
>> Interesting topic. We use OHS+OAM as the web tier ourselves.
>> And for load balancing the middletier, we just use OHS(which
>> is apache with oracle plugins if I am not mistaken) although
>> at some point a dedicated load balancer(layer 7, HAProxy
>> maybe?) might come in handy.
>>
>> We do however have something we are currently trying to figure
>> out. Given this setup:
>>
>>
>> WebTier(OHS+OAM) ---> Managed ADF Server(WLS) ---> Stateless
>> WebServices(still WLS, which may or may not be on the same
>> servers as the ADF layer)
>>
>> What is the best way(in terms of ease of implementation,
>> maintenance and cost) to load balance the segment between the
>> ADF servers and the WS Servers?
>>
>> --
>> You received this message because you are subscribed to the
>> ADF Enterprise Methodology Group
>> (http://groups.google.com/group/adf-methodology
>> <http://groups.google.com/group/adf-methodology>). To
>
>> Interesting topic. We use OHS+OAM as the web tier ourselves.
>> And for load balancing the middletier, we just use OHS(which
>> is apache with oracle plugins if I am not mistaken) although
>> at some point a dedicated load balancer(layer 7, HAProxy
>> maybe?) might come in handy.
>>
>> We do however have something we are currently trying to figure
>> out. Given this setup:
>>
>>
>> WebTier(OHS+OAM) ---> Managed ADF Server(WLS) ---> Stateless
>> WebServices(still WLS, which may or may not be on the same
>> servers as the ADF layer)
>>
>> What is the best way(in terms of ease of implementation,
>> maintenance and cost) to load balance the segment between the
>> ADF servers and the WS Servers?
>>
>> --
>> You received this message because you are subscribed to the
>> ADF Enterprise Methodology Group
>> (http://groups.google.com/group/adf-methodology
>> unsubscribe send email to adf-methodolo...@googlegroups.com
>> <javascript:>
>>
>> All content to the ADF EMG lies under the Creative Commons
>> Attribution 3.0 Unported License
>> (http://creativecommons.org/licenses/by/3.0/
>> <http://creativecommons.org/licenses/by/3.0/>). Any content
>> All content to the ADF EMG lies under the Creative Commons
>> Attribution 3.0 Unported License
>> (http://creativecommons.org/licenses/by/3.0/
>> sourced must be attributed back to the ADF EMG with a link to
>> the Google Group
>> (http://groups.google.com/group/adf-methodology
>> <http://groups.google.com/group/adf-methodology>).
>> the Google Group
>> (http://groups.google.com/group/adf-methodology
Leon Dorfling
Aug 10, 2012, 2:20:35 AM8/10/12
to adf-met...@googlegroups.com
Hi
I am busy investigating the various options and can hopefully give some feedback soon. For now I am specifically focusing on;
- JavaScript compression
- Gzip
- Static content delivery
- Caching
On the topic of HTTP servers is there any preference amongst members using them between Apache and OHS?
Leon Dorfling
Aug 10, 2012, 11:09:17 AM8/10/12
to adf-met...@googlegroups.com
Hi
That is my understanding as well. I am going to include both in my research, but was wondering if members had experience wrt stability etc.
On Fri, Aug 10, 2012 at 3:16 PM, Hyangelo <hyan...@gmail.com> wrote:
Hi Leon,Oracle Http Server is actually based on Apache. If I am not mistaken, OHS is basically Apache+Oracle's proprietary plugins(mod_weblogic, mod_plsql, etc).
--
Andreas Koop
Aug 10, 2012, 11:48:34 AM8/10/12
to adf-met...@googlegroups.com
Hi *,
if you have the need to go with SSO, OAM, etc. then you should go with OHS.
Having just a simple ADF App with no special requirements I often use the preinstalled Apache on e.g. Oracle Linux with the mod_wls Plugin. It is easy to setup. Further I would always recommend to use mod_wls in front of the actual WLS managed servers. Beside the mentioned pros It has some great advantage
- Provide welldefined HTML page in times of maintenance or unexpected downtime (ErrorPage Parameter)
- Well-defined point of entry. The ports of your WLS could change from time to time
- Seamless 'out-of-place' Upgrade. Just install you new WLS/ADF/App version on same machine (yes, you can do that if enough space and mem/cpu power), test internally by accessing the directly. If everything is fine just switch to the new WLS. Shutdown the old domain servers ;)
Regards,
Andreas
Chris Muir
Aug 11, 2012, 9:21:13 AM8/11/12
to adf-met...@googlegroups.com, adf-met...@googlegroups.com
Other advantages of OHS over Apache include monitoring from Fusion Middleware Control, end to end logging through ODL, and enhanced WLS mod_wl_ohs with support for 2 way SSL and more. A nice reference:
http://www.oracle.com/technetwork/middleware/ias/ohs11gr1-131852.pdf
Oh, & you get the privilege of paying us for it too.
CM.
Reply all
Reply to author
Forward
0 new messages