6 Replies Latest reply: Dec 5, 2012 7:25 AM by RobertMetcalf

    Oracle Service Bus Question

    RobertMetcalf
      Hi,
      I have 6 systems that I want to connect using OSB. The first three are DEV, TEST and PROD versions of system A, and the second are DEV, TEST and PROD versions of system B.
      DEV_A needs to connect to DEV_B,
      TEST_A connects to TEST_B
      And PROD_A connects to PROD_B
      I realise that in the standard AIA header of the message there is a Target system element but the security people in my company insist that it must be impossible for a message from DEV_A to be passed to PROD_B by mistake. We would like to enforce this with policies.
      Ideally we would do the following:
      Install a unique security certificate on each system.
      Setup a proxy endpoint in OSB for every service.
      Configure the OSB endpoints to recognise the source system based on the security certificate and forward the messages on to the correct target system.
      Could anyone give me advice saying if this is possible, and if this is the best practice way of doing this?
      Robert
        • 1. Re: Oracle Service Bus Question
          Abhinav
          Robert,
          > Configure the OSB endpoints to recognise the source system based on the security certificate and forward the messages on to the correct target system.
          You can try using the Service Accounts - User Mapping features of OSB to authenticate the requests coming from the different source systems.

          http://docs.oracle.com/cd/E13159_01/osb/docs10gr3/consolehelp/serviceAccounts.html

          Hope it helps!

          Regards,
          Abhinav

          Edited by: Abhinav on Dec 4, 2012 5:32 PM
          • 2. Re: Oracle Service Bus Question
            RobertMetcalf
            I have found that Oracle seem to call this Identity Based Routing.
            I am currently evaluating the following:
            http://docs.oracle.com/cd/E23943_01/admin.1111/e15867/modelingmessageflow.htm#OSBAG1436
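            As an added illustration (not the poster's code and not OSB's own API), the fail-closed identity-based routing rule the thread is after: the caller's client-certificate subject CN determines its environment, and the AIA target-system header is honoured only when it names that same environment, so a DEV_A message addressed to PROD_B is refused rather than forwarded. The CNs and endpoint URLs are constructed placeholders.

```python
# Added illustration of identity-based routing that fails closed; standalone
# Python, not OSB code. CNs and URLs below are constructed placeholders.
from dataclasses import dataclass

# Hypothetical certificate subject CNs of the three A systems -> environment.
CALLER_ENV = {
    "dev-a.example.internal": "DEV",
    "test-a.example.internal": "TEST",
    "prod-a.example.internal": "PROD",
}

# Hypothetical business endpoints of system B, one per environment.
TARGET_ENDPOINTS = {
    "DEV": "https://dev-b.example.internal/service",
    "TEST": "https://test-b.example.internal/service",
    "PROD": "https://prod-b.example.internal/service",
}


@dataclass
class Message:
    caller_cn: str       # subject CN taken from the caller's client certificate
    target_system: str   # AIA header target-system element, e.g. "PROD_B"


class RoutingDenied(Exception):
    """Raised when the message must not be forwarded anywhere."""


def route(msg: Message) -> str:
    """Return the endpoint to forward to, or raise RoutingDenied.

    The certificate, not the header, decides the environment; the header is
    only allowed to confirm it. Unknown callers are refused outright."""
    env = CALLER_ENV.get(msg.caller_cn)
    if env is None:
        raise RoutingDenied(f"unknown caller {msg.caller_cn!r}")
    header_env = msg.target_system.split("_", 1)[0].upper()
    if header_env != env:
        raise RoutingDenied(f"{msg.caller_cn} ({env}) may not reach {msg.target_system}")
    return TARGET_ENDPOINTS[env]


def is_allowed(msg: Message) -> bool:
    """Boolean form of route() for policy checks and audit logging."""
    try:
        route(msg)
        return True
    except RoutingDenied:
        return False
```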
            • 3. Re: Oracle Service Bus Question
              AbhishekJ
              You can do it at application level based on identity passed in headers, by implementing filters in the services based on identity or consumer application etc.
              But my suggestion is to implement it at the infrastructure level rather than at the application level, by separating the test environment from production using firewalls. So even if a service in the TEST environment tries to call a service deployed in the PROD environment, it will not pass the network layer. In my experience it's a safer approach to take than building policies within the application.
              • 4. Re: Oracle Service Bus Question
                RobertMetcalf
                Thanks for the response.
                Can I assume from your response that it is best practice to have a separate OSB instance for Dev, Test and Prod?
                Robert
                • 5. Re: Oracle Service Bus Question
                  AbhishekJ
                  In my personal opinion, it is definitely better to have separate instances for Dev, Test and Prod instead of using the same instance for all three. In case the overall infrastructure architecture is small sized, you can consider having VMs running on the same physical server.
                  • 6. Re: Oracle Service Bus Question
                    RobertMetcalf
                    Hi,
                    This is one of the options that we have for the setup; however, this leaves us with a remaining problem.
                    In our SOA server the composites have the endpoints of other systems coded into them.
                    Currently, as we move from SOADEV -> SOATST -> SOAPROD, we have a manual step, which is to go into Enterprise Manager -> HTTP Adapter and manually change the addresses. This needs to be done for more than 10 services.

                    Sometimes our DBAs need to shuffle systems around, e.g. our server prj09 may one day be our ICISDEV environment and another day be ICISTST. At the moment this requires our DBAs to manually adjust the addresses in all services that call the service.

                    Neither AIA's Endpoint Configurator nor Configuration plans can address this issue, as they are only activated on deployment.

                    The problem isn't just making sure SOA sends messages to the correct system. We have 3 SOA servers (DEV/TST/PROD) and other systems also need to know the correct one to call. We have resolved this with custom tables and custom PL/SQL. This gives the DBAs another maintenance job.
                    To avoid hardcoding addresses in WebLogic, I realise it would be possible to create Java programs to read from similar tables to call the correct system and get the composites to call the Java code, but this is all very complex.

                    I had thought OSB would solve this problem by providing a single endpoint which every system would call. It would then route the message to the correct system, but if you have 3 different OSBs (DEV, TST, PROD) then it wouldn't help resolve this problem at all.

                    In fact the high-level sales talk led me to believe that this was exactly the sort of problem OSB is designed to address. Maybe I misunderstood.

                    How do you address this issue?

                    Robert