Saturday, February 28, 2015

Oracle SOA - Payload Size Threshold

Oracle JCA Adapters are designed to process large payloads, but the BPEL engine consumes a huge amount of memory when processing large payloads because of XML conversions, which can cause the well-known OutOfMemory (OOM) error and jeopardize the whole system. Setting a payload threshold protects against data bursts from downstream systems: the JCA Adapters process only payloads smaller than the threshold and reject the others.

Capping the payload size according to the capacity of the infrastructure in place is always preferable, because the servers take time to recover from an OOM error through garbage collection, which is a "Stop the World" activity: no requests are processed by the server during that time.


Maximum Request size for services


The maximum request size for any exposed service can be set through the EM console by navigating to the service endpoint -> Service/Reference Properties -> Exposed Service. The default value of -1 means unlimited; set it, in units of bytes, KB, MB or GB, to a value that your infrastructure can handle.

The request size can also be restricted at the DMZ level, before requests reach the WebLogic servers, if the architecture includes any of the components below.



  • Oracle API Gateway
  • A web server that can restrict the request size
  • A load balancer such as F5 BIG-IP

payloadSizeThreshold for adapters


Setting the payload threshold ensures that the Oracle JCA Adapters reject payloads larger than the threshold limit. In the case of the File and FTP adapters, when the native size of the payload is not available and the adapter does not use the native translation library, the payload size threshold cannot be enforced. For example, with XML debatching, where the Oracle File and FTP Adapters pass a chunk of the file content and the actual native size is not known, the payload size threshold limit cannot be used.

To set the global property that caps the payload size, log in to the EM console -> soa-infra -> Administration -> System MBean Browser -> adapter and set the value of DefaultPayloadSizeThreshold. According to the documentation, DefaultPayloadSizeThreshold works only for the inbound adapters. There is no attribute named payloadSizeThreshold, which seems to be a bug, and DefaultPayloadSizeThreshold works for both inbound and outbound operations.




This threshold can be increased or decreased at the adapter service level by overriding the value in composite.xml, which takes precedence over the global setting.

<reference name="insert" ui:wsdlLocation="insert.wsdl">
  <interface.wsdl interface="http://xmlns.oracle.com/pcbpel/adapter/db/Application3/One2ManyJoining/insert#wsdl.interface(insert_ptt)"/>
  <binding.jca config="insert_db.jca"/>
  <property name="payloadSizeThreshold" type="xs:string" many="false" override="may">100</property>
</reference>
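As an added example (not code from the original post), a small Python audit that parses a composite.xml and reports every JCA service or reference whose payloadSizeThreshold is missing, set to -1, or above a cap of your choosing; the SCA and designer namespaces on the root element, the byte unit of the property and the composite itself are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# SCA namespace of composite.xml (assumed; the page's snippet omits the root element).
SCA = "{http://xmlns.oracle.com/sca/1.0}"

# Constructed composite.xml: an inbound file service with no cap, the page's
# "insert" reference capped at 100, a DB reference with a far higher cap, and a
# web-service reference that is not a JCA adapter and must be skipped.
SAMPLE_COMPOSITE = """<composite name="One2ManyJoining"
    xmlns="http://xmlns.oracle.com/sca/1.0"
    xmlns:ui="http://xmlns.oracle.com/soa/designer/">
  <service name="readFile" ui:wsdlLocation="readFile.wsdl">
    <binding.jca config="readFile_file.jca"/>
  </service>
  <reference name="insert" ui:wsdlLocation="insert.wsdl">
    <binding.jca config="insert_db.jca"/>
    <property name="payloadSizeThreshold" type="xs:string" many="false" override="may">100</property>
  </reference>
  <reference name="bulkLoad" ui:wsdlLocation="bulkLoad.wsdl">
    <binding.jca config="bulkLoad_db.jca"/>
    <property name="payloadSizeThreshold" type="xs:string" many="false" override="may">52428800</property>
  </reference>
  <reference name="notify" ui:wsdlLocation="notify.wsdl">
    <binding.ws port="http://example.invalid/notify#wsdl.endpoint(notify/notify_pt)"/>
  </reference>
</composite>
"""

def audit_jca_thresholds(composite_xml, max_bytes):
    """Return {endpoint: finding} for every JCA service/reference whose
    payloadSizeThreshold is missing, -1 (unlimited) or above max_bytes (unit assumed: bytes)."""
    root = ET.fromstring(composite_xml)
    findings = {}
    for kind in ("service", "reference"):
        for ep in root.findall(SCA + kind):
            if ep.find(SCA + "binding.jca") is None:
                continue  # SOAP/REST bindings are governed by the request-size setting instead
            name = "%s:%s" % (kind, ep.get("name"))
            props = [p for p in ep.findall(SCA + "property")
                     if p.get("name") == "payloadSizeThreshold"]
            if not props:
                findings[name] = "no payloadSizeThreshold; DefaultPayloadSizeThreshold applies"
                continue
            value = int(props[0].text.strip())
            if value < 0:
                findings[name] = "payloadSizeThreshold=-1 means unlimited"
            elif value > max_bytes:
                findings[name] = "payloadSizeThreshold %d exceeds cap %d" % (value, max_bytes)
    return findings
```

Run it over the real composite.xml of each deployed composite with the cap your servers were sized for; an endpoint that relies on the global default is worth a second look when DefaultPayloadSizeThreshold is still -1.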


Below are some of the options available when huge volumes of data must be processed with the database adapter.


  • MaxRaiseSize and MaxTransactionSize can be used with database polling to restrict the number of records returned by the adapter.
  • Setting the audit level to minimal can speed up the processing of large data, with the drawback that the payload is not saved to the database.
  • When processing a large payload with XSLT, set "streamResultToTempFile" to yes to avoid OutOfMemory errors; Assign activities, however, always perform better.
  • The Parking Lot pattern can be used to throttle the messages being processed. See Throttling in SOA Suite via Parking Lot Pattern at http://www.ateam-oracle.com/throttling-in-soa-suite-via-parking-lot-pattern/ for how to implement it in SOA.
Other adapters, such as AQ, MQ, File and FTP, have their own parameters that can be tweaked to control the payload size when used for inbound operations.

Thursday, February 12, 2015

Zero Sign-On (ZSO) or IWA for IIS 8 applications using OAM11GR2

Both Zero Sign-On (ZSO) and Single Sign-On (SSO) mean that the user has one username and password (e.g. the Active Directory username and password) for the SSO-enabled application, but ZSO authenticates seamlessly, without prompting for a username and password, by using the desktop credential; this is achieved with the Kerberos protocol. Below are the steps to configure ZSO for .NET websites running on an IIS server using Oracle Access Manager.


Environment

OAM: 11.1.2.2.0
Web server: IIS 8 on Windows Server 2012 R2
WebGate: 11.1.2.2.0

Prerequisite

  • Install the Visual C++ Redistributable for Visual Studio 2012 Update 4, otherwise the files will not be copied properly during installation.
  • Install a 64-bit Java Runtime Environment (JRE), 1.6 or higher.
  • It is recommended to run the command prompt as administrator and execute all the scripts from it.
  • Make sure to grant full access to the Middleware home and the WebGate instance folders.
  • Make sure the site is deployed on the IIS server and can be listed using the following command:
      %systemroot%\System32\inetsrv>appcmd.exe list sites


Installing IIS 11g WebGate

Extract the contents of the webgate.zip file to a directory, go to Disk1 and run the command below.

setup.exe -jreLoc 64_bit_jre_location



Click Next to continue.



Click Next to continue.

Specify the Middleware Home and Oracle Home locations.


Click Install to begin the installation.




Click Finish to dismiss the Installer.




To deploy the WebGate instance, go to the webGate_Oracle_Home\webgate\iis\tools\deployWebGate directory and run the following command:

deployWebGateInstance.bat -w WebGate_Instancedir -oh WebGate_Oracle_Home -ws WebServer



To run the ConfigureIISWebGate.bat tool, go to WebGate_Home\webgate\iis\tools\ConfigureIISConf and run the command below.


ConfigureIISWebGate.bat -oh c:\WGHome -w c:\WGInstance -site "mysite"




Make sure webgate.ini contains an entry, as shown below, for the registered WebGate instance; 19 is the id of the site protected by the access gate.



Also make sure the ISAPI filters are added and point to webgate.dll, as shown below.




Register the WebGate using RREG

The WebGate registration can be done from the OAM console or with the RREG scripts. To register using the scripts, navigate to OAM_REG_HOME/bin and execute the command below.

$ ./oamreg.sh inband input/test_OAMRequest.xml 

Copy the files generated in RREG_Home\output\Agent_ID to the WebGate_Instance_Home\webgate\config directory.

Make sure the SSO agent is registered as an 11g WebGate.

Configure OAM to use WNA

  • Create a user in Microsoft Active Directory, for example oamuser.


  • Run ktpass on the KDC server to create the SPN (service principal name) and associate it with this user. For example:


ktpass -princ HTTP/myhost.mydomain.com@DOMAIN.COM -pass ***** -mapuser oamuser -out D:\etc\oam.keytab

where myhost.mydomain.com is the FQDN of the host where Access Manager is running, or the host name of the load balancer VIP in the case of an OAM cluster.

  • Edit the /etc/krb5.conf file to include the domain and the KDC server.


  • Configure the Kerberos authentication scheme to use WNA: log in to the OAM console -> Launch Pad -> Authentication Schemes -> KerberosScheme and change the challenge method to WNA.


  • Log in to the OAM console -> Launch Pad -> Authentication Modules -> Kerberos and change the default values to the actual values.



  • Configure the application domain protecting the resource to use the Kerberos authentication scheme.


  • Register Active Directory as an identity store and make it the primary user identity store for Oracle Access Manager.
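An added example, not part of the original post: a Python check that reads a krb5.conf and compares it with the SPN given to ktpass, listing the mismatches (realm case, non-FQDN host, wrong default_realm, no kdc for the realm, missing domain_realm mapping) that stop the Kerberos/WNA authentication from succeeding. The krb5.conf below is constructed for the page's realm DOMAIN.COM; the KDC host name is an assumption.

```python
import re

# Constructed krb5.conf for the page's realm DOMAIN.COM (KDC host name assumed).
SAMPLE_KRB5_CONF = """
[libdefaults]
 default_realm = DOMAIN.COM
[realms]
 DOMAIN.COM = {
  kdc = kdc.mydomain.com
 }
[domain_realm]
 .mydomain.com = DOMAIN.COM
"""

def parse_krb5(text):
    """Minimal krb5.conf reader: [sections], key = value lines and { } realm blocks."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
        elif line.endswith("{"):  # start of a "REALM = {" block
            block = line.split("=", 1)[0].strip()
            conf[section].setdefault(block, {})
        elif line == "}":
            block = None
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            target = conf[section][block] if block else conf[section]
            target.setdefault(key, []).append(val)
    return conf

def check_wna(spn, conf):
    """Mismatches between the ktpass SPN and krb5.conf that break the WNA login."""
    m = re.fullmatch(r"HTTP/([a-z0-9-]+(?:\.[a-z0-9-]+)+)@([A-Z0-9.-]+)", spn)
    if not m:
        return ["SPN must have the form HTTP/<lower-case fqdn>@<UPPER-CASE REALM>"]
    host, realm = m.groups()
    problems = []
    if conf.get("libdefaults", {}).get("default_realm", [None])[0] != realm:
        problems.append("default_realm does not match the SPN realm %s" % realm)
    if not conf.get("realms", {}).get(realm, {}).get("kdc"):
        problems.append("no kdc listed for %s under [realms]" % realm)
    dr = conf.get("domain_realm", {})  # maps ".mydomain.com" or a host to its realm
    if realm not in dr.get("." + host.partition(".")[2], []) + dr.get(host, []):
        problems.append("[domain_realm] does not map %s to %s" % (host, realm))
    return problems
```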



After you restart the IIS web server (iisreset), log in to the site using the following URL without entering any credentials:

http://myhost.domain.com:port