Bpel Admin 10.1.3.1.0

Oracle BPEL Process Manager
Administrators Guide Release 10.1.2

Part No. B25015-01
April 10, 2006
Oracle BPEL Process Manager Administrators Guide, Release 10.1.2 Part No. B25015-01 Copyright 2006, Oracle. All rights reserved. Primary Author: Mark Kennedy Contributor: Muruga Chinnananchi, Francis Ip, Sundari Revanur, Dave Shaffer, Kavitha Srinivasan, Clemens Utschig-Utschig, John Wang The Programs (which include both the software and documentation) contain proprietary information; they are provided under a license agreement containing restrictions on use and disclosure and are also protected by copyright, patent, and other intellectual and industrial property laws. Reverse engineering, disassembly, or decompilation of the Programs, except to the extent required to obtain interoperability with other independently created software or as specified by law, is prohibited. The information contained in this document is subject to change without notice. If you find any problems in the documentation, please report them to us in writing. This document is not warranted to be error-free. Except as may be expressly permitted in your license agreement for these Programs, no part of these Programs may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose. If the Programs are delivered to the United States Government or anyone licensing or using the Programs on behalf of the United States Government, the following notice is applicable: U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the Programs, including documentation and technical data, shall be subject to the licensing restrictions set forth in the applicable Oracle license agreement, and, to the extent applicable, the additional rights set forth in FAR 52.227-19, Commercial Computer Software--Restricted Rights (June 1987). Oracle Corporation, 500 Oracle Parkway, Redwood City, CA 94065 The Programs are not intended for use in any nuclear, aviation, mass transit, medical, or other inherently dangerous applications. It shall be the licensee's responsibility to take all appropriate fail-safe, backup, redundancy and other measures to ensure the safe use of such applications if the Programs are used for such purposes, and we disclaim liability for any damages caused by such use of the Programs. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. The Programs may provide links to Web sites and access to content, products, and services from third parties. Oracle is not responsible for the availability of, or any content provided on, third-party Web sites. You bear all risks associated with the use of such content. If you choose to purchase any products or services from a third party, the relationship is directly between you and the third party. Oracle is not responsible for: (a) the quality of third-party products or services; or (b) fulfilling any of the terms of the agreement with the third party, including delivery of products or services and warranty obligations related to purchased products or services. Oracle is not responsible for any loss or damage of any sort that you may incur from dealing with any third party.
Contents
Preface ................................................................................................................................................................ vii
Audience...................................................................................................................................................... vii Documentation Accessibility .................................................................................................................... vii Related Documents ................................................................................................................................... viii Conventions ............................................................................................................................................... viii
Oracle BPEL Process Manager Security

Security Overview.................................................................................................................................... 1-1 WS-Security......................................................................................................................................... 1-3 Authentication ................................................................................................................................... 1-3 Authorization ..................................................................................................................................... 1-3 Encryption and Decryption .............................................................................................................. 1-4 Secure Socket Layer .......................................................................................................................... 1-4 Digital Signatures for Integrity and Nonrepudiation................................................................... 1-4 BPEL Security Extensions ................................................................................................................. 1-4 Securing BPEL Processes (Inbound)..................................................................................................... 1-5 Using SSL for Certificate-Based Authentication............................................................................ 1-6 Oracle BPEL Process Manager for OracleAS Middle Tier .................................................... 1-6 Step 1: Configuring OC4J ................................................................................................... 1-7 Step 2: Configuring Oracle BPEL Server .......................................................................... 1-7 Oracle BPEL Process Manager for Developers....................................................................... 1-8 Step 1: Configuring OC4J ................................................................................................... 1-8 Step 2: Configuring Oracle BPEL Server ....................................................................... 1-10 Using J2EE Basic Authentication .................................................................................................. 1-10 Oracle BPEL Process Manager for OracleAS Middle Tier ................................................. 1-10 Oracle BPEL Process Manager for Developers.................................................................... 1-11 Using the Native BPEL Security Extensions ............................................................................... 1-12 Domain and Process Level Security ...................................................................................... 1-13 Java API ..................................................................................................................................... 1-15 HTTP Binding........................................................................................................................... 1-15 SOAP over HTTP Binding ...................................................................................................... 1-15 Invoking Secured Services (Outbound) ........................................................................................... 1-16 Using SSL for Certificate-Based Authentication......................................................................... 1-17 JDeveloper BPEL Designer Design Time.............................................................................. 1-19 Oracle BPEL Server Runtime ................................................................................................. 1-19
iii
HTTP/S with Partner Link Server Certificate Authentication Only......................... HTTP/S with Partner Link Server and Oracle BPEL Server Client Certificate Authentication.................................................................................................................. WS-Security-Compliant Services .................................................................................................. SOAP Binding........................................................................................................................... Configuration .................................................................................................................... Axis Services with Custom Authentication Handlers ............................................................... J2EE Basic Authentication Protected Services (HTTP) .............................................................. HTTP Basic Authentication (10.1.2.0.2) ................................................................................ HTTP Binding (10.1.3) ............................................................................................................. Java and EJB Binding (10.1.3) ........................................................................................................ Default and Custom Validators .......................................................................................................... Using the Default Validator........................................................................................................... Creating a Custom Validator......................................................................................................... Using Oracle Web Services Manager for Authorization, Message Encryption, and Digital Signatures ............................................................................................................................................... Authorization................................................................................................................................... Message Encryption and Decryption ........................................................................................... Digital Signatures............................................................................................................................ Summary .................................................................................................................................................
1-19 1-20 1-20 1-21 1-21 1-22 1-22 1-23 1-23 1-23 1-23 1-24 1-24 1-26 1-27 1-27 1-27 1-28
Oracle BPEL Process Manager Clustering

Oracle BPEL Process Manager Clustering Overview........................................................................ 2-2 Supported Oracle BPEL Process Manager Clustering Environments........................................ 2-2 Oracle BPEL Process Manager Clustering Architecture .............................................................. 2-2 Multiple Oracle BPEL Process Managers for OracleAS Middle Tier Installation ............. 2-3 Load Balancers ............................................................................................................................ 2-4 Dehydration Store Database Configuration............................................................................ 2-4 Step 1: Creating an Oracle BPEL Process Manager Cluster ............................................................. 2-4 Step 1a: Installing Oracle Application Server on Two Separate Hosts ...................................... 2-4 Step 1b: Installing Oracle BPEL Process Manager for OracleAS Middle Tier on Top of Oracle Application Server ............................................................................................................................ 2-5 Step 1c: Creating the Load Balancer for the Oracle BPEL Process Manager Cluster ............... 2-5 Step 1d: Configuring Oracle BPEL Servers on Both Hosts .......................................................... 2-6 Step 1e: Creating the Oracle Application Server Middle Tier Cluster (Optional) .................... 2-7 Step 2: Compiling and Deploying a BPEL Project on the Oracle BPEL Process Manager Cluster ...................................................................................................................................................................... 2-9 Copy the BPEL JAR File from One Cluster Node to Another (Recommended)....................... 2-9 Compile and Deploy the Project from JDeveloper BPEL Designer on a Remote Host or on Host 1 or 2 .................................................................................................................................................... 2-9 Compile and Deploy the Project on Each BPEL Server Locally ............................................... 2-10 Step 3: Testing the Oracle BPEL Process Manager Cluster ........................................................... 2-10 Troubleshooting..................................................................................................................................... 2-11 Summary ................................................................................................................................................. 2-12
Performance Tuning
Performance Tuning Overview.............................................................................................................. 3-1
iv
Domain and Process Configuration Property Settings................................................................. 3-1 Durable and Transient Processes..................................................................................................... 3-2 One-Way and Two-Way Invocations.............................................................................................. 3-2 Idempotent Activities ........................................................................................................................ 3-3 In-Flight Database Storage................................................................................................................ 3-3 JTA Transactions for Two-way Invocations................................................................................... 3-3 BPEL Threading Model ..................................................................................................................... 3-4 Request-Response Invocation ................................................................................................... 3-4 One-Way Invocation................................................................................................................... 3-4 Threading and Connection Pool Relationships ...................................................................... 3-4 Process Level Performance Settings ..................................................................................................... 3-5 completionPersistLevel ..................................................................................................................... 3-5 completionPersistPolicy .................................................................................................................... 3-6 idempotent .......................................................................................................................................... 3-7 inMemoryOptimization .................................................................................................................... 3-8 nonBlockingInvoke ............................................................................................................................ 3-8 Tables Impacted By Instance Data Growth ......................................................................................... 3-9 Domain Level Performance Tuning................................................................................................... 3-10 Oracle BPEL Console Properties That Cannot Be Edited.......................................................... 3-11 auditDetailThreshold...................................................................................................................... 3-11 auditLevel......................................................................................................................................... 3-12 bpelcClasspath................................................................................................................................. 3-12 datasourceJndi ................................................................................................................................. 3-13 deliveryPersistPolicy ...................................................................................................................... 3-13 dspAgentDelay................................................................................................................................ 3-14 dspInvokeAllocFactor .................................................................................................................... 3-14 dspMaxRequestDepth .................................................................................................................... 3-14 dspMaxThreads............................................................................................................................... 3-14 dspMinThreads ............................................................................................................................... 3-15 expirationMaxRetry ........................................................................................................................ 3-15 expirationRetryDelay ..................................................................................................................... 3-16 idempotentThreshold ..................................................................................................................... 3-16 instanceKeyBlockSize ..................................................................................................................... 3-16 instCacheHighWatermark ............................................................................................................. 3-16 instCacheLowWatermark .............................................................................................................. 3-17 instCachePolicy ............................................................................................................................... 3-18 invokerQueueConnectionPoolMinSize ....................................................................................... 3-18 largeDocumentThreshold .............................................................................................................. 3-18 minBPELWait .................................................................................................................................. 3-19 optCacheOn ..................................................................................................................................... 3-19 optIdempotentRouting................................................................................................................... 3-20 optSoapShortcut .............................................................................................................................. 3-20 processCheckSecs............................................................................................................................ 3-20 relaxBpelAssignRules ..................................................................................................................... 3-21 slowPerfThreshold .......................................................................................................................... 3-21 statsLastN ......................................................................................................................................... 3-21 syncMaxWaitTime .......................................................................................................................... 3-22
txDatasourceJndi ............................................................................................................................. validateXML..................................................................................................................................... workerQueueConnectionPoolMinSize ........................................................................................ OC4J Performance Tuning ................................................................................................................... JTA Transaction Timeout ............................................................................................................... Oracle BPEL Server EJB Configuration........................................................................................ WorkerBean .............................................................................................................................. InvokerBean .............................................................................................................................. Data Source Configuration ............................................................................................................ Java Virtual Machine Performance Tuning ...................................................................................... Heap Size.......................................................................................................................................... Dehydration Store Database Performance Tuning ......................................................................... Summary .................................................................................................................................................
3-22 3-22 3-22 3-22 3-23 3-23 3-23 3-24 3-24 3-25 3-25 3-26 3-27
Index
vi
Preface
This manual describes how to use Oracle BPEL Process Manager. This preface contains the following topics:

Audience Documentation Accessibility Related Documents Conventions
Audience
This manual is intended for anyone who is interested in using Oracle BPEL Process Manager.
Documentation Accessibility
Our goal is to make Oracle products, services, and supporting documentation accessible, with good usability, to the disabled community. To that end, our documentation includes features that make information available to users of assistive technology. This documentation is available in HTML format, and contains markup to facilitate access by the disabled community. Accessibility standards will continue to evolve over time, and Oracle is actively engaged with other market-leading technology vendors to address technical obstacles so that our documentation can be accessible to all of our customers. For more information, visit the Oracle Accessibility Program Web site at http://www.oracle.com/accessibility/ Accessibility of Code Examples in Documentation Screen readers may not always correctly read the code examples in this document. The conventions for writing code require that closing braces should appear on an otherwise empty line; however, some screen readers may not always read a line of text that consists solely of a bracket or brace. Accessibility of Links to External Web Sites in Documentation This documentation may contain links to Web sites of other companies or organizations that Oracle does not own or control. Oracle neither evaluates nor makes any representations regarding the accessibility of these Web sites.
vii
TTY Access to Oracle Support Services Oracle provides dedicated Text Telephone (TTY) access to Oracle Support Services within the United States of America 24 hours a day, seven days a week. For TTY support, call 800.446.2398.
Related Documents
For more information, see the following Oracle resources:

Oracle BPEL Process Manager Quick Start Guide Oracle BPEL Process Manager Order Booking Tutorial Oracle Adapters for Files, FTP, Databases, and Enterprise Messaging Users Guide Oracle Application Server Adapter Concepts Oracle Application Server Adapter for Oracle Applications Users Guide
Printed documentation is available for sale in the Oracle Store at http://oraclestore.oracle.com/ To download free release notes, installation documentation, white papers, or other collateral, visit the Oracle Technology Network (OTN). You must register online before using OTN; registration is free and can be done at http://www.oracle.com/technology/membership/ To download Oracle BPEL Process Manager documentation, technical notes, or other collateral, visit the Oracle BPEL Process Manager site at Oracle Technology Network (OTN): http://www.oracle.com/technology/bpel/ If you already have a username and password for OTN, then you can go directly to the documentation section of the OTN Web site at http://www.oracle.com/technology/documentation/ See the Business Process Execution Language for Web Services Specification, available at the following URL: http://msdn.microsoft.com/library/default.asp?url=/library/en-us /dnbizspec/html/bpel1-1.asp See the XML Path Language (XPath) Specification, available at the following URL: http://www.w3.org/TR/1999/REC-xpath-19991116 See the Web Services Description Language (WSDL) 1.1 Specification, available at the following URL: http://www.w3.org/TR/wsdl
Conventions
The following text conventions are used in this document:
Convention boldface Meaning Boldface type indicates graphical user interface elements associated with an action, or terms defined in text or the glossary.
viii
Convention italic monospace
Meaning Italic type indicates book titles, emphasis, or placeholder variables for which you supply particular values. Monospace type indicates commands within a paragraph, URLs, code in examples, text that appears on the screen, or text that you enter.
ix
1
Oracle BPEL Process Manager Security
It is critical to control access to BPEL processes and to the Web services they use. Preventing unauthorized users from breaking into your system is required to protect both the integrity of your processes and the personal information of your customers. This chapter describes the methods available for securing BPEL processes and invoking secured Web services with Oracle BPEL Process Manager. This chapter contains the following topics:

Security Overview Securing BPEL Processes (Inbound) Invoking Secured Services (Outbound) Default and Custom Validators Using Oracle Web Services Manager for Authorization, Message Encryption, and Digital Signatures Summary
Security Overview
Security in Oracle BPEL Process Manager is implemented as follows:
Securing a BPEL process in which interaction is initiated by an inbound client service request sent to Oracle BPEL Server. The following transport security and authentication methods are available: SSL (HTTP/S) J2EE basic authentication (HTTP) BPEL security extensions
Invoking secured services in which interaction is initiated by an outbound client request sent from Oracle BPEL Server to the server on which the partner link Web service is running. The following transport security and authentication methods are available: SSL (HTTP/S) WS-Security-compliant services Axis services J2EE basic authentication (HTTP) Java and Enterprise Java Bean (EJB) binding
Oracle BPEL Process Manager Security 1-1
Security Overview
Figure 11 provides an overview of these transport security and authentication methods available for securing BPEL processes (inbound) and invoking secured services (outbound):
Figure 11 Inbound and Outbound Transport Security and Authentication Methods
Inbound client service request SSL (HTTP/S)* J2EE Basic Authentication (HTTP)* BPEL Security Extensions
Securing BPEL Processes: Transport Security and Authentication Methods Firewall
Oracle Application Server OC4J Oracle BPEL Process Manager Domain / Process Level Security Java API HTTP Binding SOAP over HTTP Binding
WSIF Layer
SSL (HTTP/S)
WS-Security Compliant Services (SOAP Binding)
Axis Services
J2EE Basic Authentication (HTTP)
Java and EJB Binding Invoking Secured Processes: Transport Security and Authentication Methods Firewall
Outbound Oracle BPEL Server client request
Server on which partner link web service is running * With the Oracle BPEL Process Manager for OracleAS Middle Tier installation type, inbound client service requests that use SSL transport security and J2EE basic authentication are verified by Oracle Application Server. With the Oracle BPEL Process Manager for Developers installation type, inbound client service requests that use SSL transport security and J2EE basic authentication are verified by OC4J.
1-2
Oracle BPEL Process Manager Administrators Guide
Security Overview
This section provides an overview of the following security features in the context of Oracle BPEL Process Manager. References are also provided to sections that describe these features in more detail:

WS-Security Authentication Authorization Encryption and Decryption Secure Socket Layer Digital Signatures for Integrity and Nonrepudiation BPEL Security Extensions
WS-Security
WS-Security provides a mechanism for adding three levels of security to simple object access protocol (SOAP) messages. These security levels are as follows:
Authentication tokens Used for passing user name and password information, as well as X.509 certificates, within the SOAP message headers. XML encryption Used for message confidentiality. XML digital signatures Used for message integrity, source and origin validation, and nonrepudiation.
See Also:

"WS-Security-Compliant Services" on page 1-20 Web Services Security (WS-Security) Specifications available at the following URL:
http://www.oasis-open.org/committees/tc_home.php?wg_ abbrev=wss
Authentication
Authentication is the process of proving the identity of a user. Oracle BPEL Process Manager supports basic authentication (HTTP), certificate-based authentication (HTTP/S), and native BPEL security extension authentication.
See Also: The following sections:
"Securing BPEL Processes (Inbound)" on page 1-5 for instructions on securing a BPEL process "Invoking Secured Services (Outbound)" on page 1-16 for instructions on invoking secured services from BPEL
Authorization
Authorization is the evaluation of security constraints to send a message or make a request. Authorization uses specific criteria to determine whether to permit the request. The criteria are authentication and restriction. Oracle BPEL Process Manager has no current native support for inbound authorization. Oracle Web Services Manager can instead be used to provide this capability.
See Also: "Authorization" on page 1-27
Security Overview
Encryption and Decryption

Encryption is the practice of encoding (encrypting) data in such a way that only an intended recipient can decode (decrypt) and read the data. Oracle BPEL Process Manager has no current native support for XML encryption. Oracle Web Services Manager can instead be used to provide this capability.
See Also: "Message Encryption and Decryption" on page 1-27
Secure Socket Layer

Secure Socket Layer (SSL) is a standard for the secure transmission of documents over the Internet using HTTP/S (secure HTTP). SSL uses digital signatures to prevent data from being tampered.
See Also:
"Using SSL for Certificate-Based Authentication" on page 1-6 for details about using SSL to secure BPEL processes "Using SSL for Certificate-Based Authentication" on page 1-17 for details about using SSL to invoke secured services
Digital Signatures for Integrity and Nonrepudiation

A digital signature is a code attached to an electronic document that reliably identifies the author or sender, and verifies that the document has not been tampered. Oracle BPEL Process Manager has no current native support for digital signatures. Oracle Web Services Manager can instead be used to provide digital signatures and signature verification capabilities.
See Also: "Digital Signatures" on page 1-27
BPEL Security Extensions

BPEL security extensions are fully integrated into Oracle BPEL Process Manager beginning with Oracle Application Server 10g Release 2 (10.1.2.0.2). Regardless of which channel you use to invoke a process (such as HTTP, SOAP, Java API, and so on), the same security constraints apply. However, the way credentials are passed differs amongst channels. BPEL security extensions are intended for BPEL developers who want to enhance the security of Oracle BPEL Process Manager. These extensions are technical and require a good understanding of Oracle BPEL Server, including the various technologies used for invoking processes (for example, SOAP and HTTP). There are also many references to the Oracle BPEL Java API, so a good knowledge of Java is required. Oracle BPEL Process Managers API includes BPEL security extensions that enable developers to create custom security. This is necessary in secure environments where users must be authenticated and authorized to use certain BPEL processes.
1-4
Securing BPEL Processes (Inbound)
See Also:

"Using the Native BPEL Security Extensions" on page 1-12 "Domain and Process Level Security" on page 1-13 "Java API" on page 1-15 "HTTP Binding" on page 1-15 "SOAP over HTTP Binding" on page 1-15 "Java and EJB Binding (10.1.3)" on page 1-23 "Default and Custom Validators" on page 1-23

You can secure a BPEL process in which interaction is initiated by an inbound client service request sent to Oracle BPEL Server. Figure 12 provides a high-level overview of the transport security and authentication methods available for securing BPEL processes (inbound).
Figure 12 Securing BPEL Processes (Inbound)
Inbound client service request SSL (HTTP/S)* J2EE Basic Authentication (HTTP)* BPEL Security Extensions Securing BPEL Processes: Transport Security and Authentication Methods Firewall Certificate-based authentication with Oracle Wallet Manager Oracle Application Server OC4J Oracle BPEL Process Manager Domain / Process Level Security Java API HTTP Binding SOAP over HTTP Binding Certificate-based authentication with keytool
* With the Oracle BPEL Process Manager for OracleAS Middle Tier installation type, inbound client service requests that use SSL transport security and J2EE basic authentication are verified by Oracle Application Server. With the Oracle BPEL Process Manager for Developers installation type, inbound client service requests that use SSL transport security and J2EE basic authentication are verified by OC4J.
This section describes how to provide BPEL process security through the following methods:
Using SSL for Certificate-Based Authentication

Using J2EE Basic Authentication Using the Native BPEL Security Extensions
Note: Oracle recommends that you create an environment in which
one or more instances of a server are dedicated to secure business processes and other instances are set up to host nonsecure processes.

BPEL processes are usually invoked using SOAP over HTTP. While basic authentication ensures that only authenticated users access BPEL processes, user names and password are prone to identification by network packet sniffers. Therefore, the need exists for securing the network connection through use of HTTP/S instead of HTTP. Using HTTP/S as the authentication schema, both the client and server can be configured to exchange certificates. A successful SSL handshake confirms authentication. The following types of certification authentication can be used:
Server certificate authentication In this scenario, the client asks the server for the certificate and authenticates the trustworthiness of the server. The client does not present its certificate unless it is requested by the server to do so. The type of server presenting the certificate is based upon the Oracle BPEL Process Manager installation type you are using: For Oracle BPEL Process Manager for OracleAS Middle Tier, the server is Oracle Application Server (and its version of OC4J) For Oracle BPEL Process Manager for Developers, the server is the standalone OC4J in which Oracle BPEL Process Manager is deployed.
Server and client certificate authentication In this scenario, both the client and server exchange certificates and a successful SSL handshake confirms authentication. This is called client authentication mode. The server (either the standalone OC4J in which Oracle BPEL Process Manager is deployed or Oracle Application Server (and its version of OC4J)) must be configured to request the client's certificate during the SSL handshake and authenticate the trustworthiness of the client. In the context of securing BPEL processes, this means that a client invoking a service presents a valid certificate issued by a mutually-trusted certificate authority. Server and client certificate authentication is not as frequently used.
The following sections describe the SSL configuration method to use based on the Oracle BPEL Process Manager installation type you are using:

Oracle BPEL Process Manager for OracleAS Middle Tier Oracle BPEL Process Manager for Developers
Oracle BPEL Process Manager for OracleAS Middle Tier

SSL configuration for Oracle BPEL Process Manager for OracleAS Middle Tier is a two-step process:

Step 1: Configuring OC4J Step 2: Configuring Oracle BPEL Server
1-6
Step 1: Configuring OC4J Use Oracle Wallet Manager to enable certificate-based authentication with the Oracle BPEL Process Manager for OracleAS Middle Tier installation type. (See Figure 12 on page 1-5.) Oracle Wallet Manager is an application for managing and editing security credentials in Oracle wallets. A wallet is a password-protected container that stores authentication and signing credentials, including private keys, certificates, and trusted certificates, all of which are used by SSL for strong authentication.
Note: Do not use the default certificate included with Oracle Wallet
(named test). The default certificate does not use the proper server host name. Instead, obtain a certificate from a certificate authority. This certificate must contain the proper server host name in the CN entry.
See Also:
Oracle Application Server Administrators Guide, which is available by clicking View Library > System Management under the Oracle Application Server 10g Release 2 (10.1.2.0.2) header at http://www.oracle.com/technology/documentation/appse rver101202.html, for the following SSL configuration details: Setting up a wallet and using Oracle Wallet Manager Obtaining a certificate from a certificate authority
Step 2: Configuring Oracle BPEL Server Oracle BPEL Server must be configured with the SOAP server URL and SOAP callback URL.
1.
Go to Oracle BPEL Console:
On Windows operating systems, select Start > Programs > Oracle - Home_ Name > Oracle BPEL Process Manager 10.1.2 > BPEL Console. On Unix operating systems, log on to the URL for your installation, which can be found in bpelsetupinfo.txt.
2. 3. 4.
Select Go to BPEL Admin at the bottom of the console login window. Log in to Oracle BPEL Admin Console. Set the following two parameters under the Configuration tab:
Description The BPEL SOAP server endpoint URL of a process The BPEL SOAP callback URL of a process Example http://hostname:port http://hostname:port
Parameter soapServerUrl soapCallbackUrl
5.
Delete the default .bpel_TaskManager_1.0.jar and .bpel_ TaskActionHandler_1.0.jar directories under Oracle_ Home\integration\orabpel\domains\domain_name\tmp. where domain_name is the name of the domain in which the BPEL process to secure is located.
6.
Restart Oracle BPEL Server.
This recreates the correct service bindings and WSDL files for the TaskManager and TaskActionHandler processes and makes them available from HTTP/S-based endpoints. Processes deployed into Oracle BPEL Process Manager are now securely hosted at the new HTTP/S endpoint.
Oracle BPEL Process Manager for Developers

SSL configuration for Oracle BPEL Process Manager for Developers is a two-step process:

Step 1: Configuring OC4J Step 2: Configuring Oracle BPEL Server
Step 1: Configuring OC4J This section provides an overview of configuration procedures described in the Oracle Application Server Containers for J2EE Standalone User's Guide. See that guide for specific details. Use keytool to enable certificate-based authentication with the Oracle BPEL Process Manager for Developers installation type. (See Figure 12 on page 1-5.) This tool generates a keystore and a self-signed certificate. A keystore is a protected database that holds keys and certificates for an enterprise. Access to a keystore is guarded by a password. The password is defined at the time the keystore is created by the user who creates the keystore, and is changeable only when providing the current password. In this example, D:\OraBPEL represents the Oracle home directory.
Note: The procedures in this chapter describe using keytool and
the certificate configuration files installed with Oracle BPEL Process Manager in Oracle_Home\jdk. You can also use the configuration tools and files available in your own Java Developer Kit installation.
1.
Provide answers to each question when prompted.

D:\OraBPEL\integration\orabpel\system\appserver\oc4j\j2ee>d:\OraBPEL\jdk\bin\ keytool -genkey -keyalg "RSA" -keystore mykeystore -storepass 123456 -validity 21 What is your first and last name? [Unknown]: Test User What is the name of your organizational unit? [Unknown]: STgtm What is the name of your organization? [Unknown]: Oracle What is the name of your City or Locality? [Unknown]: Redwood Shores What is the name of your State or Province? [Unknown]: CA What is the two-letter country code for this unit? [Unknown]: US Is CN=Test User, OU=STgtm, O=Oracle, L=Redwood Shore, ST=CA, C=US correct? [no]: yes Enter key password for <mykey> (RETURN if same as keystore password):
2.
Configure OC4J to use SSL:
1-8
a.
Go to D:\OraBPEL\integration\orabpel\system\appserver\oc4j\j2ee\ home\config. If secure-web-site.xml does not exist, copy http-web-site.xml to secure-web-site.xml. Change the port number (ensure that there are no port conflicts by running netstat or a different tool) and add secure=true.
<web-site port="9443" display-name="Oracle9iAS Containers for J2EE HTTP Web Site" secure="true">
b. c.
3.
Add the following section to secure-web-site.xml (refer to the Note below) after ensuring that mykeystore is in D:\OraBPEL\integration\orabpel\system\appserver\oc4j\j2ee (directory in which you created this file in Step 1):
 <ssl-config factory="com.evermind.ssl.JSSESSLServerSocketFactory" keystore="../../mykeystore" keystore-password="123456" needs-client-auth="false"> <property name="keyStore.password.obfuscated" value="123456" /> <property name="provider" value="com.sun.net.ssl.internal.ssl.Provider" /> </ssl-config>
Note: If you did not have the secure-web-site.xml file, then edit
Oracle_ Home\integration\orabpel\system\appserver\oc4j\j2ee\ home\config\server.xml to point to the secure-web-site.xml file.

1.
Uncomment or add the following line so that the secure-web-site.xml file is read.
<web-site path="./secure-web-site.xml" />
When complete, OC4J listens for SSL requests on one port and non-SSL requests on another. You can disable either SSL requests or non-SSL requests by commenting out the appropriate *web-site.xml in the server.xml configuration file. However, leave both HTTP and HTTP/S enabled on the OC4J server on which Oracle BPEL Process Manager is deployed. HTTP is required for enabling connections between JDeveloper BPEL Designer and Oracle BPEL Server.
4.
Shut down and restart OC4J:
On Windows operating systems, select Start > Programs > Oracle - Home_ Name > Oracle BPEL Process Manager 10.1.2 > Stop BPEL PM Server. On Unix operating systems, run the following script:
$Oracle_Home/integration/orabpel/bin/shutdownorabpel.sh
5.
Access https://localhost:9443/BPELConsole. The following message appears because it is not signed by a certificate authority.
do you want to accept this certificate
Note: Instead of a selfsigned certificate for production
environments, use a certificate from a trusted certificate authority like Verisign/Thawte by submitting a certificate request generated by keytool.
See Also:
Oracle Application Server Containers for J2EE Standalone User's Guide, which is available by clicking View Library > J2EE, Web Services, & Internet Apps under the Oracle Application Server 10g Release 2 (10.1.2.0.2) header at http://www.oracle.com/technology/documentation/appse rver101202.html, for the following details: Using keytool Configuring the http-web-site.xml file Troubleshooting common HTTP/S problems
Step 2: Configuring Oracle BPEL Server The steps to configure Oracle BPEL Server for the Oracle BPEL Process Manager for Developers installation type are the same as with the Oracle BPEL Process Manager for OracleAS Middle Tier installation type. See "Step 2: Configuring Oracle BPEL Server" on page 1-7 for instructions on configuring Oracle BPEL Server.
Using J2EE Basic Authentication

J2EE basic authentication involves authentication through unsigned tokens, namely a user name and password. Table 11 describes the supported features of this method.
Table 11 J2EE Basic Authentication Supported Features Service Access Protocols HTTP only User Repository Oracle Application Server JAZN repository types:

Authentication Schemas Basic authentication (user name and password)
Customization Permitted JAAS custom authorization plug-in
Granularity Individual process level security
OID JAZN XML JAAS custom plug-in
The following sections describe the configuration method to use based on the Oracle BPEL Process Manager installation type:

Oracle BPEL Process Manager for OracleAS Middle Tier Oracle BPEL Process Manager for Developers
Oracle BPEL Process Manager for OracleAS Middle Tier

J2EE basic authentication with the Oracle BPEL Process Manager for OracleAS Middle Tier installation type involves delegating authentication to Oracle Application Server. (See Figure 12 on page 1-5.) The following steps describe this process.
1. 2.
Oracle HTTP Server receives a service request. Oracle HTTP Server forwards the request to OC4J.
1-10
3.
OC4J validates the user name and password received in the HTTP headers against the configured identity service user repository:

Oracle Internet Directory (OID) Oracle Application Server Java Authentication and Authorization Service (JAAS) Provider (JAZN) XML Custom JAAS plug-in
4.
If the user name and password are authenticated, the request is sent to Oracle BPEL Server for servicing.
See Also:
The Oracle Application Server Containers for J2EE Security Guide, which is available by clicking View Library > J2EE, Web Services, & Internet Apps under the Oracle Application Server 10g Release 2 (10.1.2.0.2) header at http://www.oracle.com/technology/documentation/appse rver101202.html, for configuration instructions
Oracle BPEL Process Manager for Developers

J2EE basic authentication with the Oracle BPEL Process Manager for Developers installation type involves delegating authentication to the OC4J in which Oracle BPEL Process Manager is deployed. (See Figure 12 on page 1-5.) The following steps describe this process.
1.
Set up new users and roles in the JAZN repository: For example, for users in JAZN XML, configure a new user and role in Oracle_ Home\integration\orabpel\system\appserver\oc4j\j2ee\home\conf ig\jazn-data.xml as follows:
<user> <name>jsmith</name> <credentials>{903}9XRK6pyPRTVYN7bW5dkG1Z06C2pkBRW6</credentials> </user> . . . . . . <role> <name>jsmithrole</name> <members> <member> <type>user</type> <name>jsmith</name> </member> </members> </role>
2.
Configure the Oracle_ Home\integration\orabpel\system\appserver\oc4j\j2ee\home\appl ication-deployments\orabpel\orion-application.xml file. Map the physical security roles maintained in OC4J (for example, JAAS principals and realms) to logical J2EE groups and users by adding the following sections:
<security-role-mapping name="jsmithrole"> <group name=" jsmithrole" /> </security-role-mapping>
3.
Configure the Oracle_ Home\integration\orabpel\system\appserver\oc4j\j2ee\home\appl ications\orabpel_ear\startup_war\WEB-INF\web.xml file to protect the BPEL service endpoint URLs. A code segment from web.xml protecting an endpoint URL http://localhost/orabpel/default/HelloWorld/1.0) is as follows:
<security-constraint> <web-resource-collection> <web-resource-name>Default Domain Pages</web-resource-name> <description>These pages are only accessible by authenticated users.</description> <url-pattern>*/orabpel/default/HelloWorld/1.0</url-pattern> <url-pattern>*/orabpel/default/HelloSecureWorld/1.0</url-pattern> </web-resource-collection> <auth-constraint> <role-name>jsmithrole</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name>jazn.com</realm-name> </login-config> <security-role> <description>BPEL PM User</description> <role-name>jsmithrole</role-name> </security-role>
Using the Native BPEL Security Extensions

Native BPEL security extensions code can also handle authentication. (See Figure 12 on page 1-5.) The following steps describe this process.
1. 2. 3.
Oracle HTTP Server receives a service request. Oracle HTTP Server forwards the request, part of which is intercepted by Oracle BPEL Process Manager. The BPEL security extension code of Oracle BPEL Process Manager validates the message received against the configured identity service user repository:

OID JAZN XML Custom JAAS plug-in
4.
If the user name and password are authenticated, Oracle BPEL Server services the request.
Table 12 describes the supported features of this method.
1-12
Table 12
Native BPEL Security Extensions Supported Features Service Access Protocols HTTP User Repository Oracle Application Server JAZN repository types:

Authentication Schemas Basic authentication (user name and password)
Customization Permitted Granularity Custom user repository using the custom validator class See Also: "Creating a Custom Validator" on page 1-24
Fine grained:
OID JAZN XML Database-based repository Custom
Individual process level security (for example, service1 with username1/passwo rd1 and service2 with username2/passwo rd2) Supports domain level protection and all services in that domain with one user name and password
Normalized message properties
Java API Remote method invocation (RMI)
WS-Security (in accordance with the WS-Security Web Services Security Specification)
SOAP
This section contains the following topics:

Domain and Process Level Security Java API HTTP Binding SOAP over HTTP Binding
Domain and Process Level Security

Within Oracle BPEL Server, a message handler framework is used to control and modify inbound (calls to Oracle BPEL Server) and outbound (calls from Oracle BPEL Server) message flows. One of these plug-in handlers is the security interceptor. The security interceptor provides two levels of security:
Domain level security If only this level is set, enables you to secure all processes running in a specific domain.
Process level security If this level is also set, enables you to specify which processes to secure, and which not to secure, in a specific domain.
Note: The following section only explains the configuration of the
security interceptor, and not the framework itself.
By default, domain and process security is not enabled. However, both security levels can be easily enabled by modifying the Oracle_ Home\integration\orabpel\domains\domain_ name\config\message-handlers.xml file.
1.
If you want to enable domain level security, remove the comment markers shown in bold from around the security attribute (for this example, the domain is named default):
<inbound-flow> <message-handler id="default" />  </inbound-flow>
This enables the security chain:

<message-handler id="security"> <classname>com.collaxa.cube.security.Authenticator</classname> <comment> <![CDATA[This is the handler for security interception]]> </comment> <property id="ACLManager"> <value>com.oracle.bpel.security.validator.bpmid. BPMIdentityValidator</value> <comment>BPMIdentityValidator uses the server configured security such as JAAS to validate the user against</comment> </property> <!-<property id="SecuredProcesses"> <value>CreditRatingService</value> <comment>Processes can be secured explicitely without having effect on the whole domain, put their names in here and comma separate them </comment> </property> --> </message-handler> 2.
If you also want to enable security at the process level, remove the comment markers shown in bold from around the SecuredProcesses attribute in the same file. The section contains a value element that consists of a comma-separated list of process names:
<!-<property id="SecuredProcesses"> <value>CreditRatingService</value> <comment>Processes can be secured explicitely without having effect on the whole domain, put their names in here and comma separate them </comment> </property> --> </message-handler>
3.
Specify the processes to secure in the value element of the SecuredProcesses section. For example:
<value>CreditRatingService, HelloWorldService</value>
1-14
Any other processes in this domain that are not specified in the value element are not secured.
4.
Restart Oracle BPEL Server. This enables the default validator bridge to be used for authentication and authorization.
See Also: "Using the Default Validator" on page 1-24 for information
about the validator bridge
Java API
For invocation of a process, use the DeliveryService. However, the normalized message (com.oracle.bpel.client.NormalizedMessage) needs the following properties (through NormalizedMessage:setProperty(key, value)) added:
secured = username username = password
where username equals the user name that is sent, and the second pair consists of the username and the desired credential. For example:
secured = Clemens Clemens = pwForClemens
Note:
You can also send an empty password; in this case, add only the first pair:
secured = Clemens
HTTP Binding
When you use direct HTTP binding to invoke a process, there are multiple ways of specifying the credentials:
As HTTP request parameters:

<input type="hidden" name="bpelUser" value="clemens"> <input type="hidden" name="bpelCredential" value="clemens">
As basic authentication HTTP headers (base64-encoded):

Authentication=BASIC <BASE64-HASH>
As normal name-value HTTP header pairs, where the key for the user is bpelUser and the key for the password is bpelCredential
SOAP over HTTP Binding

When using SOAP binding, the only currently supported method for passing a user name credential is as a WS-Security compliant SOAP header. For example:
<wsse:Security soapenv:actor="http://schemas.xmlsoap.org/soap/actor/next" soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401wss-wssecurity-secext-1.0.xsd" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-
Invoking Secured Services (Outbound)
wss-wssecurity-utility-1.0.xsd"><wsse:Username>Clemens </wsse:Username><wsse:Password Type= "http://docs.oasis-open.org/wss/2004/01/oasis-200401wss-username-token-profile-1.0#PasswordText">pwForClemens </wsse:Password> </wsse:UsernameToken> </wsse:Security>
When using Java to call a service endpoint through SOAP, the class com.oracle.bpel.client.util.WSSecurityUtils can generate a header element of the namespace. For example:
/** * Create a WSSecurity compliant token from username and password UsernameToken!! * @throws javax.xml.soap.SOAPException in case the element cannot be constructed * @return the headerElement needed for the header of the call * @param pCredential the credential * @param pUsername the username */ public static SOAPHeaderElement createWSSecurityHeader (String pUsername, String pCredential)
Note that createWSSecurityHeader represents the older Java standard. Since the change to the WS-Security standard in 2004, you must apply the new namespace or else it defaults to the http://schemas.xmlsoap.org/ws/2002/07/secext namespace. To create a WSSE header element with the new namespace, use this method located in the WSSecurityUtils class:
public static SOAPHeaderElement createOASISWSSecurityHeader (String pUsername, String pCredential, boolean pIsWSPolicyCompliant) throws SOAPException {

You can invoke secured services in which interaction is initiated by an outbound client request sent from Oracle BPEL Server to the server on which the partner link Web service is running. The configuration procedures for invoking secured services are the same for either Oracle BPEL Process Manager installation type:

Oracle BPEL Process Manager for Developers Oracle BPEL Process Manager for OracleAS Middle Tier
Figure 13 provides an overview of the transport security and authentication methods available for invoking secured services (outbound):
1-16
Figure 13 Invoking Secured Services (Outbound)

Oracle Application Server OC4J Oracle BPEL Process Manager (Client)
WSIF Layer
SSL (HTTP/S) Certificate-based authentication with keytool
WS-Security Compliant Services (SOAP Binding)
Axis Services
J2EE Basic Authentication (HTTP)
Java and EJB Binding Invoking Secured Processes: Transport Security and Authentication Methods Firewall
Outbound Oracle BPEL Server client request
Server on which partner link web service is running

Using SSL for Certificate-Based Authentication WS-Security-Compliant Services Axis Services with Custom Authentication Handlers J2EE Basic Authentication Protected Services (HTTP) Java and EJB Binding (10.1.3)

If a partner exposes an HTTP/S-based service, the WSDL of that service contains the information in the service binding. You can invoke services from Oracle BPEL Process Manager that have a SOAP or HTTP binding. Oracle BPEL Process Manager support for SSL is Java Secure Socket Extension (JSSE)-standards based and relies on the default SunJSSE provider for cryptographic services. For configuring the keystore and truststore, Oracle BPEL Process Manager relies on standard JSSE keytool and JSSE mechanisms. (See Figure 13 on page 1-17.) The following types of certification authentication can be used:
Server certificate authentication During the SSL handshake process, Oracle BPEL Process Manager, which acts as a client to the secured service of the partner link server, is required to verify the trustworthiness of the partner link (server authentication). Verifying the certificate presented by the partner link server satisfies this requirement. To do this, the default SunJSEE functionality is used by Oracle BPEL Process Manager and the
truststore used in the process must contain the appropriate certificate entries. If the partner link server uses a self-signed certificate, this certificate must be placed as a trusted entry in the truststore. If the partner link server presents a certificate chain, then the root certificate of that chain must be part of the truststore.
Server and client certificate authentication During the handshaking process, a partner link server can sometimes require that the client (in this scenario, Oracle BPEL Process Manager) present its certificate for verification. This is called client authentication mode. For these situations, you must also set up a certificate for Oracle BPEL Process Manager. The certificate can be self-signed or provided by a certificate authority. The keytool can be used to save that certificate and keys in the keystore and truststore. Note that it is not possible to know from the WSDL of the service if the partner link service requires this. This requirement is not in wide practice.
It is beneficial to set up a truststore in which trusted certificate entries are placed. This is different from the keystore, in which private and public key entries are present. The default keystore and truststore files located in the jre\lib\security directory for your JDK installation are used:

The cacerts file is the default keystore The jssecacerts file (if present) is the truststore file. If jssecacerts is not present, cacerts also serves as the truststore.
Keystore and truststore files are created and managed with JDKs keytool. This tool is useful for performing operations such as the following:

Creating new keystores and truststores Reading and listing information present in the stores Updating and deleting existing entries in keystores and truststore
Notes:
Do not use Oracle Wallet Manager to create a security certificate for communication between the client Oracle BPEL Server and the server on which the partner link Web service is running. No Oracle BPEL Server configuration is required when invoking secured services. This is because Oracle BPEL Server is the client in this type of interaction.
1-18
See Also:
http://java.sun.com/j2se/1.4.2/docs/guide/security/ jsse/JSSERefGuide.html for details about SSL, such as understanding how SSL works, creating keystores and truststores to use with JSSE, and debugging and troubleshooting issues http://java.sun.com/products/jsse/ for JSSE details http://java.sun.com/j2se/1.4.2/docs/tooldocs/tools. html#security for details about using keytool Oracle Application Server Containers for J2EE Standalone User's Guide, which is available by clicking View Library > J2EE, Web Services, & Internet Apps under the Oracle Application Server 10g Release 2 (10.1.2.0.2) header at http://www.oracle.com/technology/documentation/ap pserver101202.html, for details about using keytool
JDeveloper BPEL Designer Design Time

To access secured WSDLs, JDeveloper BPEL Designer must be configured at design time just like Oracle BPEL Server.
Oracle BPEL Server Runtime

This section describes how to configure HTTP/S with the partner link Web service server and the Oracle BPEL Server client side certificates. HTTP/S with Partner Link Server Certificate Authentication Only Follow these steps to configure Oracle BPEL Process Manager for this environment:
1.
Ensure that the keystore is configured appropriately to invoke the mutually-trusted certificate or the server certificate of the partner link.
a.
Connect through the Web browser to the endpoint URL of the service to invoke. After connecting to the server, a pop-up window displays the following message (if you have not already updated your browser's store with this certificate):
Security Alert: Do you trust this certificate or not?
b.
Enter yes because you trust this server certificate. After the page is loaded on Internet Explorer, a lock displays in the status bar in the bottom right corner of your browser window.
c. d. e. f.
Click the lock to display a window that provides details about the certificate. Click the Details tab and copy the certificate to a file (for example, named TestServiceServerCert.cer). You can use the base64-encoded format. Use that file to import the server certificate to your default truststore. You can use keytool to help with this process. If the default truststore and keystore are the same, the command to import this certificate into the default cacerts keystore is as follows:
Oracle_Home\jdk\bin\keytool -import -v -file TestServiceServerCert.cer -keypass keystore_password -keystore cacerts
g.
If you do not want to store the server certificate of the partner link server, you can ensure that a mutually-trusted root and certificate authority certificate is in your truststore or keystore.
2.
Ensure that the correct keystore is used by OC4J and Oracle BPEL Process Manager: If your keystore is the default cacerts file keystore located in Oracle_ Home\jdk\jre\lib\security directory, no changes are required. If not, then edit obsetenv.bat (or obsetenv.sh for UNIX installations) to include the following lines:
Djavax.net.ssl.keyStore=path_to_your_certificate_store -Djavax.net.ssl.keyStorePassword=your_keystore_password
Note: While you can also edit the startorabpel.bat file (or
startorabpel.sh file for UNIX installations) to include these lines, Oracle recommends that you instead edit the obsetenv.* file for your operating system.
3.
If you are using a different truststore from the default, you should enter the following:
-Djavax.net.ssl.trustStore=path_to_truststore -Djavax.net.ssl.trustStorePassword=your_truststore_password
See Also:
http://java.sun.com/j2se/1.4.2/docs/tooldocs/tools.h tml#security for details about using keytool HTTP/S with Partner Link Server and Oracle BPEL Server Client Certificate Authentication This section describes how to configure the Oracle BPEL Server client. The steps to configure the client to invoke partner links that require client authentication are similar to the steps to invoke partner links with only server side authentication enabled. The difference is the keystore that BPEL uses for this environment has the following certificates in the following locations:

Its own (that is, the host OC4J server certificate in the keystore) The client certificate or a mutually-trusted CA certificate in the keystore and truststore
The high level steps involved are as follows:

1. 2. 3.
Set up OC4J to use SSL, as described in "Step 1: Configuring OC4J" on page 1-8. Ensure that a mutually-trusted certification authority certificate is in the truststore and keystore. Ensure that the correct keystore and truststore are used by OC4J and BPEL, as described in Step 2 of "HTTP/S with Partner Link Server Certificate Authentication Only" on page 1-20.
WS-Security-Compliant Services
If a partner link expects WS-Security-compliant authentication tokens, BPEL can be configured to invoke the partner link with these. (See Figure 13 on page 1-17.) Table 13 shows the relevant properties. These properties are configurable at the individual partner link level.
1-20 Oracle BPEL Process Manager Administrators Guide
Table 13
Properties Description Creates a WS-Security UsernameToken with the following values:
Property Name wsseHeaders
On Change Takes effect immediately
propagate If the process has been invoked securely, these credentials are also used for the outbound direction.
credentials Passes credentials from the descriptor
wsseUsername wssePassword
The user name for the token (required) The password for the token (optional)
Takes effect immediately Takes effect immediately
See Also: Web Services Security (WS-Security) Specifications
available at the following URL:

http://www.oasis-open.org/committees/tc_home.php?wg_ abbrev=wss
SOAP Binding
When using SOAP binding, there are four possible cases:
Case 1 Propagation of the credentials over a partner link (if the process is invoked securely over any API) for WS-Security headers
Case 2 Propagation of the credentials over a partner link (if the process is invoked securely over any API) for basic authentication
Case 3 Static definition of a user name and password put into a WS-Security compliant user name token, and sent out
Case 4 Static definition of a user name and password that is used for http-basic-authentication, and sent out
Configuration By default, Oracle BPEL Server does not propagate any credentials, even if the process is invoked securely. All partner links that are used within a BPEL process are defined in bpel.xml (found in the BPEL suitcase).
<partnerLinkBindings> <partnerLinkBinding name="client"> <property name="wsdlLocation">CreditRatingService.wsdl</property> </partnerLinkBinding> </partnerLinkBindings>
For case 1, add the following property (which causes BPEL to add the process-credentials to the outgoing call):
<property name="wsseHeaders">propagate</property>
For case 2, add the following (attached to the SOAP call(setUsername, setPassword)):
<property name="basicHeaders">propagate</property>
For case 3, add the following (which builds a WS-Security Header):

<property name="wsseHeaders">credentials</property> <property name="wsseUsername">your_user</property> <property name="wssePassword">your_password</property>
For case 4, add the following (attached to the SOAP call(setUsername, setPassword)):
<property name="basicHeaders">credentials</property> <property name="basicUsername">your_user</property> <property name="basicPassword">your_password</property>
Note: All these properties are on a per partner link basis, so they do
not affect any other partner links as long as they are not specified on this specific binding. Since the change to the WS-Security standard in 2004, you need to apply the new namespace or else it defaults to the http://schemas.xmlsoap.org/ws/2002/07/secext namespace. To apply the new namespace, add the following property:
<property name="wsseOASIS2004Compliant">true</property>
Axis Services with Custom Authentication Handlers

Table 14 shows the configurable properties at the partner link level for Axis services.
Table 14 Properties Description Creates a WS-Security UsernameToken with the following values:
Property Name basicHeaders
On Change Takes effect immediately
propagate If the process has been invoked securely, these credentials are also used for the outbound direction.
credentials Passes credentials from the descriptor
basicUsername basicPassword
The user name for the token (required) The password for the token (optional)
Takes effect immediately Takes effect immediately
J2EE Basic Authentication Protected Services (HTTP)

This section describes HTTP basic authentication. The section contains the following topics:

HTTP Basic Authentication (10.1.2.0.2) HTTP Binding (10.1.3)
1-22
Default and Custom Validators
HTTP Basic Authentication (10.1.2.0.2)

Table 15 shows the deployment descriptor properties configurable at the partner link level. These properties can be set to authenticate services that use HTTP headers for authentication in 10.1.2.0.2.
Table 15 Properties Description This is used for HTTP user name/password authentication This is used for HTTP user name/password authentication On Change Takes effect immediately Takes effect immediately
Property Name httpUsername httpPassword
HTTP Binding (10.1.3)

Starting with Oracle BPEL Process Manager release 10.1.3, all partner link properties are automatically propagated into the HTTP header. However, when outbound HTTP binding is used, credentials can be used for basic authentication, if configured:
<property name="httpBasicHeaders">credentials</property> <property name="httpBasicUsername">your_username</property> <property name="httpBasicPassword">your_password</property>
Or they can simply be propagated from the process instance:

<property name="httpBasicHeaders">propagate</property>
Java and EJB Binding (10.1.3)

Starting with Oracle BPEL Process Manager release 10.1.3, partner link properties can be propagated into the implementing class or EJB by implementing this interface:
com.oracle.bpel.client.wsif.IjavaEjbPlnkBindingInfo
It contains the following method:

/** * This method will be called immediately after the new instance * of the class/bean has been created * * @param pProperties the map containing name/value pairs */ public void setPlnkProperties(HashMap pProperties);
This method is called directly after the class or bean has been created, and the map contains all partner link properties.

Two types of identity store validators are available for authenticating users:

Using the Default Validator Creating a Custom Validator
Using the Default Validator

Oracle BPEL Process Manager provides a bridge to your identity store through the BPEL Identity Service. For example, in Oracle Application Server you can use JAZN, Oracle Internet Directory (OID), or a custom repository plug-in as your identity store. If you want to invoke a BPEL process, your user name must be in the configured store, or, in the case of JAZN, created in Oracle_ Home\integration\orabpel\system\appserver\oc4j\j2ee\home\config\ jazn-data.xml (for the Oracle BPEL Process Manager for OracleAS Middle Tier installation type). For example:
<user> <name>Clemens</name> <credentials>!yourpassword</credentials> </user>
BPEL security validation is evaluated in the following order:
If the BPEL suitcase contains the credentials within the configurations tag in bpel.xml. For example:
<property name="user">Clemens</property> <property name="pw">your_password</property>
If a role is specified in the BPEL suitcase, the user specified in the request must exist in the identity management store and must belong to that group.
<property name="role">administrators</property>
This method is useful when many processes are used and identity management cannot be reconfigured with a new role for each process.
If neither of the security validators described above are found, BPEL concatenates the process name and ExecutionRole and expects the supplied user to belong to a role of that name. For example, if user Clemens invokes the CreditRatingService process, he must belong to a group named CreditRatingServiceExecutionRole as defined in your identity store (for example, jazn-data.xml if you are using JAZN):
<role> <name>CreditRatingServiceExecutionRole</name> <members> <member> <type>user</type> <name>Clemens</name> </member> </members> </role>
See Also: Oracle BPEL Process Manager Developers Guide for additional details about BPEL identity services
Creating a Custom Validator

It is sometimes necessary to implement a custom validator when the default does not meet your requirements. To accomplish this, the following interface must be implemented and the message handler reconfigured.
/** * This source is proprietary to ORACLE CORPORATION * 2005, All rights reserved
1-24
*/ package com.oracle.bpel.security; import com.oracle.bpel.client.ServerException; import com.oracle.bpel.client.NormalizedMessage; import com.oracle.bpel.client.BPELProcessId; /** * Public abstract class that has to be implemented * for having a valid ACLManager that is used by the BPEL server * for authentication & authorization * * @version 1.1 */ public abstract class ACLManager extends BaseACLManager { /** * Public constructor that should use a cache for connections * and care about other stuff. * @throws com.oracle.bpel.client.ServerException * @since 1.0 */ public ACLManager() throws ServerException { } /** * Checks if a user is valid in the context of a secured Process * * @return valid or not * @param pMessage the message will hold all information, including * the domain information and headers * @throws ServerException in case something breaks */ public abstract boolean validateUser (BPELProcessId pProcessID, NormalizedMessage pMessage) throws ServerException; /** * Checks if a user is allowed to execute (=invoke) a certain revision * (if given) of a process. * * @return true if he is otherwise false * @param pProcessId the name, domain and revision of the process * @param pMessage the message will hold all information, including * the domain information and headers * @throws ServerException in case something breaks */ public abstract boolean isAllowedToExecuteProcess (BPELProcessId pProcessID, NormalizedMessage pMessage) throws ServerException; /** * Checks if a user is allowed to execute (=invoke) a certain activity * of a process. * * @return true if he is otherwise false * @param pProcessId the name, domain and revision of the process * @param pActivityName the name of the Activity
Using Oracle Web Services Manager for Authorization, Message Encryption, and Digital Signatures
* @param pMessage the message will hold all information, including * the domain information and headers * @throws ServerException in case something breaks */ public abstract boolean isAllowedToExecuteActivity (BPELProcessId pProcessID, NormalizedMessage pMessage, String pActivityName) throws ServerException; /** * Checks if a user is allowed to lookup a certain revision * (if given) of a process. * * @return true if he is otherwise false * @param pMessage the message will hold all information, including * the domain information and headers * @param pProcessId the name, domain and revision of the process * @throws ServerException in case something breaks */ public abstract boolean isAllowedToLookupProcess (BPELProcessId pProcessID, NormalizedMessage pMessage) throws ServerException; /** * Checks if a user is allowed to lookup a certain activity of a process. * * @return true if he is otherwise false * @param pActivityName the name of the Activity * @param pProcessId the name, domain and revision of the process * @throws ServerException in case something breaks */ public abstract boolean isAllowedToLookupActivity (BPELProcessId pProcessID, NormalizedMessage pMessage, String pActivityName) throws ServerException; }
After implementation, the class must reside in Oracle_ Home\integration\orabpel\system\classes to be reached by the class loader. The second step is to reconfigure the following property in message-handlers.xml:
<property id="ACLManager"><value> com.oracle.bpel.security.validator.bpmid.BPMIdentityValidator</value> <comment>BPMIdentityValidator uses the server configured security such as JAAS to validate the user against </comment> </property>
where value must point to the classname (including the package) of the implemented validator class.
There are several security features for which Oracle BPEL Process Manager does not currently provide native support. For those features, Oracle Web Services Manager can be used. Oracle Web Services Manager provides sophisticated authentication capabilities. Oracle Web Services Manager supports authentication using HTTP basic authentication, COREid, Netegrity, LDAP, and X.509 Certificates, and WS-Security.
1-26

Authorization Message Encryption and Decryption Digital Signatures

See Also: The following URLs for additional details about Oracle
Web Services Manager:
For documentation downloads, which are available by clicking View Library > Identity Management & Security > Oracle COREid and Web Services Manager under the Oracle Application Server 10g Release 2 (10.1.2.0.2) header at:
http://www.oracle.com/technology/documentation/appserv er101202.html
For white papers and additional technical details:

www.oracle.com/technology/products/webservices_manager
Authorization
Outbound authorization in the context of BPEL invoking a service is within the responsibility of the service provider and its implementation of authorization. While Oracle BPEL Process Manager has no current native support for inbound authorization, Oracle Web Services Manager provides the following capabilities to let authorized users access BPEL processes:
Supports authorization based on the information contained in any part of the XML message or body Provides the following fine-grained access control: Access control at the service level Access control at the SOAP method level
Supports WS-Security
Message Encryption and Decryption

This section describes the actual message encryption. XML encryption is covered by the WS-Security profile. While Oracle BPEL Process Manager has no current native support for XML encryption, Oracle Web Services Manager provides the following encryption and decryption features:

WS-security compliant message and content encryption and decryption Full or partial message encryption, enabling you to specify an XPath expression to the part of the message that requires encryption.
Digital Signatures
While Oracle BPEL Process Manager has no current native support for digital signatures, Oracle Web Services Manager provides digital signatures and signature verification capabilities. When a client invokes a service, Oracle Web Services Manager performs the following tasks:
Intercepts this request
Summary
Checks if the service has a digital signature verification policy to be honored Verifies the signature Passes this request to BPEL to be serviced
Similarly, when BPEL invokes a partner link, Oracle Web Services Manager attaches a digital signature to the SOAP header of the message.
Summary
This chapter describes how to perform the following procedures:
Secure a BPEL process in which interaction is initiated by an inbound client service request sent to Oracle BPEL Server. The following security methods are described: SSL authentication, J2EE basic authentication, and native BPEL security extension authentication. Invoke secured services in which interaction is initiated by an outbound client request sent from Oracle BPEL Server to the server on which the partner link Web service is running. The following security methods are described: SSL authentication, WS-Security-compliant services, HTTP basic authentication protected services, Axis services with custom authentication handlers, and native BPEL security extensions.
This chapter also provides details about the default and custom identity store providers available with Oracle BPEL Process Manager. An overview of Oracle Web Service Manager is also provided. Oracle Web Service Manager can be used to provide authorization, message encryption and decryption, and digital signature support with Oracle BPEL Process Manager.
1-28
2
Oracle BPEL Process Manager Clustering
Oracle BPEL Process Manager performs tasks such as sending requests to and receiving responses from Web services, storing processes for future use (dehydration), retrieving stored processes (rehydration), and performing logic on incoming data. If a single Oracle BPEL Server fails while BPEL processes are running, those processes are lost. This loss is preventable by setting up a cluster of release 10.1.2.0.2 Oracle BPEL Process Managers to improve reliability. Clustering also improves throughput and performance. This chapter provides information on how to create and configure a cluster of 10.1.2.0.2 Oracle BPEL Process Managers (both with and without a cluster of Oracle Application Server middle tiers) to provide faster and more reliable performance. This chapter contains the following topics:

Oracle BPEL Process Manager Clustering Overview Step 1: Creating an Oracle BPEL Process Manager Cluster Step 2: Compiling and Deploying a BPEL Project on the Oracle BPEL Process Manager Cluster Step 3: Testing the Oracle BPEL Process Manager Cluster Troubleshooting Summary
Note: This chapter does not describe how to configure Oracle BPEL
Process Manager in a high availability Real Application Clusters (RAC) database environment. See the Oracle BPEL Process Manager Release Notes for details about where to obtain information about this type of environment.
See Also: Oracle Application Server High Availability Guide, which is
accessible by clicking View Library > System Management under the Oracle Application Server 10g Release 2 (10.1.2.0.2) header at http://www.oracle.com/technology/documentation/appse rver101202.html. This guide provides an overview of the following Oracle BPEL Process Manager high availability configurations:

Active-active high availability configurations Active-passive high availability configurations Running with adapters in high availability configurations
Oracle BPEL Process Manager Clustering 2-1
Oracle BPEL Process Manager Clustering Overview

An Oracle BPEL Process Manager cluster is a collection of instances with identical configuration and deployment. Clusters enforce homogeneity between member instances so that a cluster of Oracle BPEL Process Manager instances can appear and function as a single instance. With appropriate front-end load balancing, any instance in an Oracle BPEL Process Manager cluster can serve requests. This simplifies configuration and deployment across multiple instances and enables fault tolerance among clustered instances. This section provides an overview of Oracle BPEL Process Manager clustering. This section contains the following topics:

Supported Oracle BPEL Process Manager Clustering Environments Oracle BPEL Process Manager Clustering Architecture
Supported Oracle BPEL Process Manager Clustering Environments

Oracle BPEL Process Manager supports two types of clustering environments. Examples of how to configure both types are described later in this chapter.
Oracle BPEL Process Manager clustering without application server middle tier clustering In this environment, only Oracle BPEL Process Manager is clustered. The underlying application server middle tier on which Oracle BPEL Process Manager is installed is not clustered. Oracle BPEL Process Manager clustering does not require application server middle tier clustering in order to run.
Oracle BPEL Process Manager clustering with application server middle tier clustering In this environment, both Oracle BPEL Process Manager and the underlying application server middle tier are clustered. For the example in this chapter, Oracle Application Server is the underlying application server. Oracle BPEL Process Manager clustering is independent of clustering the underlying applications server; both components can be clustered, but Oracle BPEL Process Manager clustering is not dependent on application server middle tier clustering.
Note: You cannot create an Oracle BPEL Process Manager 10.1.2.0.2
cluster on top of a pre-existing application server middle tier cluster. Instead, you must first create an Oracle BPEL Process Manager cluster and then create an application server middle tier cluster. Instructions for configuring this type of environment are described later in this chapter.
Oracle BPEL Process Manager Clustering Architecture

Oracle BPEL Server uses a stateless architecture to execute what are logically stateful processes. The following components are sufficient for Oracle BPEL Process Manager clustering:
Multiple Oracle BPEL Servers (installed as part of the Oracle BPEL Process Manager for OracleAS Middle Tier installation type) on different nodes A load balancer to proxy all communication between clients and Oracle BPEL Server
2-2
A dehydration store database shared by all Oracle BPEL Server installations
In case of server failure, the next available Oracle BPEL Server running on another server resumes the process from the last dehydration point. All Oracle BPEL Servers share the same database resource and SOAP URLs. As long as a front end load balancer and dispatcher are available, the BPEL processes are shared among the Oracle BPEL Servers in the cluster. If any Oracle BPEL Servers are down, the remaining Oracle BPEL Servers in the cluster pick up and continue processing the uncompleted BPEL processes of the disabled Oracle BPEL Server. Figure 21 provides an overview of this Oracle BPEL Process Manager clustering layout. In this example, each component runs on its own host.
Figure 21 Oracle BPEL Process Manager in a Cluster Environment
Host #1 Host #2 Oracle BPEL Process Manager for OracleAS Middle Tier
BPEL-Optimized SOAP Stack Oracle Application Server ( J2EE and Web Cache) Load Balancer Host #3 Stateless Architecture Clustering Fail Over Oracle BPEL Process Manager for OracleAS Middle Tier
Host #4 Dehydration Store (Database)
BPEL-Optimized SOAP Stack
Oracle Application Server ( J2EE and Web Cache)
Binary DOM Lazy Loading Smart Partitioning W3C DOM Interface Support for Large Documents
Host 2 and host 3 in Figure 21 each include Oracle BPEL Process Manager for OracleAS Middle Tier installations and Oracle Application Server middle tier installations. The Oracle BPEL Process Manager for OracleAS Middle Tier installations on host 2 and host 3 are clustered. If you want, you can also cluster the Oracle Application Server middle tier installations on host 2 and host 3, though this is not a requirement. Both configuration environments are described later in this chapter.
Multiple Oracle BPEL Process Managers for OracleAS Middle Tier Installation
To prevent a single point of failure, install Oracle BPEL Process Manager for OracleAS Middle Tier on multiple hosts as a cluster, as shown in Figure 21. In this cluster, all installations are using the same database as the dehydration store. Clustering provides load balancing, availability, and backup capability in case of failover.
Step 1: Creating an Oracle BPEL Process Manager Cluster
Load Balancers
Oracle BPEL Process Manager can be configured to work with any hardware or software load balancer. However, a hardware load balancer normally provides better performance. Select a load balancer based on its features and the reliability requirements for the implementation. Load balancing is relevant to many software applications, especially server-based applications like clusters. Basically, if one server starts to receive more requests than it can efficiently handle, incoming transactions can be forwarded to the next available server (the one that has the lowest load average, memory usage, user logins, network connections, and so on) or distributed evenly to all servers. It is also known as load sharing. Clustering can be achieved by effective load balancing.
Dehydration Store Database Configuration

The dehydration store database enables the states of long-running processes to be automatically persisted. See the Oracle BPEL Process Manager Installation Guide for instructions on configuring the Oracle Database as a dehydration store.
Note: Oracle recommends that you only use the Oracle Database Lite
included with the Oracle BPEL Process Manager for Developers installation type as a dehydration store in development environments. It is not suitable for production use, especially in a clustering production environment (or for performance or stress testing).

This section describes how to create an Oracle BPEL Process Manager 10.1.2.0.2 cluster and, if you want, an Oracle Application Server 10.1.2.0.2 middle tier cluster. The standard LoanFlowPlus demonstration included with Oracle BPEL Process Manager is used as an example. This section contains the following tasks:

Step 1a: Installing Oracle Application Server on Two Separate Hosts Step 1b: Installing Oracle BPEL Process Manager for OracleAS Middle Tier on Top of Oracle Application Server Step 1c: Creating the Load Balancer for the Oracle BPEL Process Manager Cluster Step 1d: Configuring Oracle BPEL Servers on Both Hosts Step 1e: Creating the Oracle Application Server Middle Tier Cluster (Optional)
Step 1a: Installing Oracle Application Server on Two Separate Hosts

This step provides an overview of the procedures documented in the Oracle Application Server Installation Guide for your operating system:
1.
Install the Oracle Application Server J2EE and Web Cache release 10.1.2.0.2 installation type into a directory on host 1.
C:\OraBPELMT
2.
Repeat these steps to install the same Oracle Application Server J2EE and Web Cache installation type into a directory of the same name on host 2.
C:\OraBPELMT
2-4
See Also: Oracle Application Server installation documentation
located under the Oracle Application Server 10g Release 2 (10.1.2.0.2) Documentation link at
http://www.oracle.com/technology/documentation/appserver1 01202.html
Step 1b: Installing Oracle BPEL Process Manager for OracleAS Middle Tier on Top of Oracle Application Server
This step provides an overview of the installation steps documented in the Oracle BPEL Process Manager Installation Guide for your operating system:
1.
Disable Oracle Application Server Web Cache on both hosts:

cd Oracle_Home\opmn\bin prompt> opmnctl stopproc ias-component=WebCache
This is required because Oracle BPEL Process Manager must use the HTTP request and response port number instead of the Oracle Application Server Web Cache port number during installation. If Oracle Application Server Web Cache is running, its port number is incorrectly used.
2.
Install Oracle BPEL Process Manager for OracleAS Middle Tier release 10.1.2.0.2 into the same Oracle home directory as the J2EE and Web Cache installation type on host 1:
C:\OraBPELMT
3.
Repeat these steps to install Oracle BPEL Process Manager for OracleAS Middle Tier into the same Oracle home directory as the J2EE and Web Cache installation type on host 2.
C:\OraBPELMT
4.
Ensure that you point to the same dehydration store database during both Oracle BPEL Process Manager for OracleAS Middle Tier installations.
Note: This demonstration only describes clustering two Oracle BPEL
Process Manager for OracleAS Middle Tiers. If you want to install additional Oracle BPEL Process Manager for OracleAS Middle Tiers, repeat these installation steps.
Step 1c: Creating the Load Balancer for the Oracle BPEL Process Manager Cluster
Note: This example uses Oracle Application Server Web Cache as the
load balancer. This is just for demonstration purposes. Use a load balancer appropriate to your environment. These instructions provide an overview of the steps documented in the Oracle Application Server Web Cache Administrators Guide:
1.
Create the load balancer by using Oracle Application Server Web Cache on host 1 or host 2. Oracle Application Server Web Cache was installed with the J2EE and Web Cache installation type in "Step 1a: Installing Oracle Application Server on Two Separate Hosts" on page 2-4.
2.
Start Oracle Application Server Web Cache on both hosts:

opmnctl startproc ias-component=WebCache
The load balancer points to the Oracle HTTP Servers on both hosts.
See Also: Oracle Application Server Web Cache Administrators Guide,
which is accessible by clicking View Library > Caching under the Oracle Application Server 10g Release 2 (10.1.2.0.2) header at http://www.oracle.com/technology/documentation/appse rver101202.html
Step 1d: Configuring Oracle BPEL Servers on Both Hosts

1.
Stop Oracle BPEL Server on both host 1 and host 2:
On Windows operating systems, select Start > Programs > Oracle - Home_ Name > Oracle BPEL Process Manager 10.1.2 > Stop BPEL PM Server. On Unix operating systems, run the following script:
$Oracle_Home/integration/orabpel/shutdownorabpel.sh
2.
Obtain the load balancer URL of Oracle Application Server Web Cache. This URL consists of the following:
Name or Internet Protocol (IP) address of the host on which Oracle Application Server Web Cache is installed. The port number (for example, 7777 on UNIX or 80 on Windows if using HTTP). The port number can be obtained from the following tools: The Web Cache home page of Oracle Enterprise Manager 10g Application Server Control Console, by selecting Administration tab > Ports. The Oracle Application Server Web Cache Manager, by selecting Ports.
3.
Modify the values for the following two parameters on host 1 and host 2 in the Oracle_ Home\integration\orabpel\system\config\collaxa-config.xml file to point to the load balancer URL.
<property id="soapServerUrl"> <name>BPEL soap server URL</name> <value>http://host:port</value> . . . . . . . . <property id="soapCallbackUrl"> <name>BPEL soap callback URL</name> <value>http://host:port</value>
Note: You can also edit these parameters under the Configuration
tab of Oracle BPEL Admin Console. For example:

<property id="soapServerUrl"> <name>BPEL soap server URL</name> <value>http://myhost.us.oracle.com:80</value>
2-6
. . . . . . . . <property id="soapCallbackUrl"> <name>BPEL soap callback URL</name> <value>http://myhost.us.oracle.com:80</value> 4.
Delete the following directory:

ORACLE_HOME\integration\orabpel\domain\default\tmp
5. 6.
Restart the Oracle BPEL Servers on host 1 and host 2. See the following section based on whether you want to cluster your application server middle tier:
Do You Want to Cluster the Application Server Middle Tier? No Yes
See... "Step 2: Compiling and Deploying a BPEL Project on the Oracle BPEL Process Manager Cluster" on page 2-9 "Step 1e: Creating the Oracle Application Server Middle Tier Cluster (Optional)" on page 2-7
Step 1e: Creating the Oracle Application Server Middle Tier Cluster (Optional)
Note: This step is only required if you are clustering both Oracle
BPEL Process Manager and the underlying application server middle tier (for this example, Oracle Application Server). You cannot create an Oracle BPEL Process Manager 10.1.2.0.2 cluster on top of a pre-existing application server middle tier cluster. Instead, you must first create an Oracle BPEL Process Manager cluster and then create an application server middle tier cluster (as described in this chapter). This step provides an overview of the farm repository creation procedures documented in the Oracle Application Server Installation Guide for your operating system and in the Oracle Application Server High Availability Guide.
Note: The Oracle BPEL Process Manager cluster repositories that
you create in this section cannot be the same repository with which you associated the Oracle Application Server J2EE and Web Cache middle tier in "Step 1a: Installing Oracle Application Server on Two Separate Hosts" on page 2-4 and the Oracle BPEL Process Manager for OracleAS Middle Tier in "Step 1b: Installing Oracle BPEL Process Manager for OracleAS Middle Tier on Top of Oracle Application Server" on page 2-5.
1. 2.
Stop Oracle BPEL Server on both host 1 and host 2. Set the following property to false in Oracle_ Home\config\ias.properties on host 1 and host 2:
Orabpel.LaunchSuccess=false
3.
Create a file-based or database-based farm repository on host 1. Ensure that you make note of the farm repository ID that appears during installation.
4. 5.
Create a file-based or database-based farm repository on host 2 by using the same host 1 file-based or database-based farm repository ID information. Create an OC4J container cluster for the instance on host 1 and the instance on host 2 in Oracle Enterprise Manager 10g Application Server Control Console:
6.
Change the JMS port number in Oracle BPEL Server on either host 1 or host 2 to eliminate port conflict errors. For example, on host 1:
a. b. c.
Stop Oracle BPEL Server on host 1. Open the Oracle_Home\opmn\conf\opmn.xml file. Change the port range from:
<process-type id="OC4J_BPEL" module-id="OC4J"> . . . <port id="jms" range="12601-12700"/>
to:
<process-type id="OC4J_BPEL" module-id="OC4J"> . . . <port id="jms" range="12602-12700"/> d. 7.
Restart Oracle BPEL Server on host 1.
Reset the following property to true in Oracle_ Home\config\ias.properties on host 1 and host 2:
Orabpel.LaunchSuccess=true
Note: If the cluster hosts are in a different time zone, the wait activity
in a BPEL process on the cluster fails because Oracle BPEL Server uses a local system. Set the system clocks in the cluster hosts to use the same time zone and time.
8.
Go to "Step 2: Compiling and Deploying a BPEL Project on the Oracle BPEL Process Manager Cluster".
2-8
Step 2: Compiling and Deploying a BPEL Project on the Oracle BPEL Process Manager Cluster
See Also: Oracle Application Server installation documentation and
Oracle Application Server High Availability Guide located under the Oracle Application Server 10g Release 2 (10.1.2.0.2) Documentation link at
http://www.oracle.com/technology/documentation/appserver1 01202.html
Step 2: Compiling and Deploying a BPEL Project on the Oracle BPEL Process Manager Cluster
Note: If you do not follow this step, some processes are marked as
stale when you shut down one of the Oracle BPEL Servers.
1. 2.
Ensure that all WSDL location URLs in the bpel.xml deployment descriptor file point to the load balancer URL. Use one of the following methods to compile and deploy the project:

Copy the BPEL JAR File from One Cluster Node to Another (Recommended) Compile and Deploy the Project on Each BPEL Server Locally Compile and Deploy the Project on Each BPEL Server Locally
Notes: Note the following issues that impact BPEL projects. Both these issues also impact this LoanFlowPlus example.
If a BPEL project has any host name and port number dependencies for Enterprise Java Bean (EJB) Binding, JMS, RMI, and so on, you cannot directly copy the BPEL JAR file from one host to another. Instead, you must copy the JAR file to a temp directory, extract it, modify the hostname and port number, and regenerate it. (See Step 7 on page 2-11.) If a BPEL project needs any EJB JAR and application user interface that you already deployed on host 1, you must redeploy them on host 2. (See Step 8 on page 2-11.)
Copy the BPEL JAR File from One Cluster Node to Another (Recommended)
1. 2. 3.
Stop Oracle HTTP Server and Oracle BPEL Server on host 2. Compile and deploy the project with an appropriate tool (bpelc, obant, or JDeveloper BPEL Designer) to Oracle BPEL Server on host 1. Manually copy the BPEL JAR file from Oracle_ Home\integration\orabpel\domain\default\deploy on host 1 to Oracle_Home\integration\orabpel\domain\default\deploy on host 2. Restart Oracle HTTP Server and Oracle BPEL Server on host 2.
4.
Compile and Deploy the Project from JDeveloper BPEL Designer on a Remote Host or on Host 1 or 2
1.
Start JDeveloper BPEL Designer from a remote location (for example, on host 3).
Step 3: Testing the Oracle BPEL Process Manager Cluster
2. 3. 4. 5. 6. 7. 8.
Create a BPEL Process Manager Server connection to the load balancer URLs. Stop Oracle HTTP Server and Oracle BPEL Server on host 2. Compile and deploy the project, which deploys to Oracle BPEL Server on host 1. Stop Oracle HTTP Server and Oracle BPEL Server on host 1. Restart Oracle HTTP Server and Oracle BPEL Server on host 2. Compile and deploy the project, which deploys to Oracle BPEL Server on host 2. Restart Oracle HTTP Server and Oracle BPEL Server on host 1.
Compile and Deploy the Project on Each BPEL Server Locally

1.
If the project is located in a local file system on each host, ensure that the project on host 1 is the same as the project on host 2. This means the project on the two hosts must include the same BPEL suitcase files (that is, the same contents and size of the XSD, XML, WSDL, and BPEL files, and so on) Stop Oracle HTTP Server and Oracle BPEL Server on host 2. Compile and deploy the project on host 1 using an appropriate tool (bpelc, obant, or JDeveloper BPEL Designer). Stop Oracle HTTP Server and Oracle BPEL Server on host 1. Restart Oracle HTTP Server and Oracle BPEL Server on host 2. Compile and deploy the project on host 2 using an appropriate tool (bpelc, obant, or JDeveloper BPEL Designer). Restart Oracle HTTP Server and Oracle BPEL Server on host 1.
2. 3. 4. 5. 6. 7.
Step 3: Testing the Oracle BPEL Process Manager Cluster

1.
Change the WSDL location URL to point to the load balancer URL in:
Oracle_Home\integration\orabpel \samples\demos\LoanDemoPlus\LoanFlowPlus\bpel.xml Oracle_Home\integration\orabpel \samples\utils\AsyncLoanService\StarLoan\bpel.xml
2. 3.
Stop Oracle HTTP Server and Oracle BPEL Server on host 2. Compile and deploy LoanFlowPlus by running obant.bat (for Windows) or obant.sh (for Unix) in the Oracle_Home\integration\orabpel \samples\demos\LoanDemoPlus\LoanFlowPlus directory on host 1. Restart Oracle HTTP Server and Oracle BPEL Server on host 2. Copy the following BPEL JAR files in Oracle_ Home\integration\orabpel\domains\default\deploy from host 1 to the same directory on host 2:
bpel_AmericanLoan_1.0.jar bpel_CreditRatingService_1.0.jar bpel_StarLoan_1.0.jar bpel_UnitedLoan_1.0.jar
4. 5.
6.
Copy bpel_LoanFlowPlus_1.0.jar in Oracle_ Home\integration\orabpel\domains\default\deploy from host 1 to a temp directory on host 2 (for example, C:\temp).
2-10
Troubleshooting
7.
Regenerate bpel_LoanFlowPlus_1.0.jar because it had an EJB Binding WSDL file, CustomerService.wsdl, which includes the host name for host 1:
a.
Set the path as follows:

Set PATH=Oracle_Home\jdk\bin;%PATH%
b.
Perform the following steps:

mkdir C:\temp\newJar cd C:\temp\newJar jar xvf ..\bpel_LoanFlowPlus_1.0.jar
c. d.
Modify the host name in CustomerService.wsdl from host 1 to host 2. Recreate the JAR file:
jar cvfm ..\new_bpel_LoanFlowPlus_1.0.jar META-INF\MANIFEST.MF *
e.
Copy C:\temp\new_bpel_LoanFlowPlus_1.0.jar to Oracle_ Home\integration\orabpel\domains\default\deploy\bpel_ LoanFlowPlus_1.0.jar on host 2.
8.
Perform the following steps to redeploy the EJB JAR and application user interface on host 2.
cd Oracle_Home\integration\orabpel\samples\demos\LoanDemoPlus\LoanFlowPlus obant.bat CustomerService obant.bat LoanFlowPlusUI obant.bat ExceptionDashboardUI cd Oracle_Home\integration\orabpel\samples\utils\AsyncLoanService obant.bat StarLoanUI
9.
Open the BPEL cluster console:

http://load_balancer_hostname:port/BPELConsole
10. Invoke LoanFlowPlus from the console or from http://load_balancer_
hostname:port/LoanFlowPlusUI.
11. View the Oracle_Home\opmn\logs\OraBPEL~OC4J_BPEL~default_
island~1 log file to see that one of the Oracle BPEL Servers is processing the request (for example, Oracle BPEL Server on host 1 is processing the request).
12. Shut down Oracle BPEL Server on host 1. 13. Complete the user tasks from the StarLoanUI and LoanFlowPlusUI.
At this point, Oracle BPEL Server on host 2 picks up the uncompleted LoanFlowPlus BPEL process and continues processing uncompleted work.
Troubleshooting
There can be exceptions to the reliable execution of BPEL process code of which to be aware. For example, if you use Java Exec to execute Java code that has side effects, such as a change to some external state. To avoid this situation, use one of the following approaches:
Make sure your Java code is idempotent, meaning multiple executions give the same end result or
Summary
Use Encapsulated Java Beans in your Java code so that they can also participate in the Java Transaction API (JTA) transaction.
Note that adapters that can participate in a JTA transaction, like the J2EE Connector Architecture (JCA) adapter, automatically gain this same transactionality and retain full reliability.
Summary
This chapter provides an example of how to create an Oracle BPEL Process Manager cluster, thereby preventing the failure of one server from disrupting running BPEL processes. Configuring a cluster requires a load balancer and a common dehydration store database for all the Oracle BPEL Process Manager installations. Two types of clustering are supported:
Oracle BPEL Process Manager clustering without application server middle tier clustering Oracle BPEL Process Manager clustering with application server middle tier clustering
2-12
3
Performance Tuning
Oracle BPEL Process Manager provides a number of property settings that can be configured to optimize performance at the process, domain, applications server, Java Virtual Machine (JVM), and dehydration store database levels. This chapter describes these property settings and provides recommendations on how to use them. This chapter contains the following topics:

Performance Tuning Overview Process Level Performance Settings Tables Impacted By Instance Data Growth Domain Level Performance Tuning OC4J Performance Tuning Java Virtual Machine Performance Tuning Dehydration Store Database Performance Tuning Summary
Performance Tuning Overview

This section provides an overview of key BPEL tuning concepts. Review this section before attempting to configure any property settings. This section contains the following topics:

Domain and Process Configuration Property Settings Durable and Transient Processes One-Way and Two-Way Invocations Idempotent Activities In-Flight Database Storage JTA Transactions for Two-way Invocations BPEL Threading Model
Domain and Process Configuration Property Settings

Domain and process configuration properties can be set at two different levels in Oracle BPEL Process Manager:
Domain level
Performance Tuning 3-1
Enables you to configure all processes deployed in a specific domain
Process level Enables you to specify which processes to configure, and which not to configure, in a specific domain. If a setting at the domain level conflicts with the same setting at the process level, the process level setting take priority.
Durable and Transient Processes

Oracle BPEL Process Manager uses the dehydration store database to maintain long-running asynchronous processes and their current state information in a database while they wait for asynchronous callbacks. Storing the process in a database preserves the process and prevents any loss of state or reliability if a system shuts down or a network problem occurs. There are two types of processes in Oracle BPEL Process Manager. These processes impact the dehydration store database in different ways.
Transient This type does not incur any intermediate dehydration points during process execution. If there are unhandled faults or there is system downtime during process execution, the instances of a transient process do not leave a trace in the system. Instances of transient processes cannot be saved in-flight (whether they complete normally or abnormally). Transient processes are typically short-lived, request-response style processes. The synchronous process you design in JDeveloper BPEL Designer is an example of a transient process.
Durable This type incurs one or more dehydration points in the database during execution because of the following activities: Receive activity OnMessage branch in a pick activity OnAlarm branch in a pick activity Wait activity
Instances of durable processes can be saved in-flight (whether they complete normally or abnormally). These processes are typically long-living and initiated through a one-way invocation. Because of out-of-memory and system downtime issues, durable processes cannot be memory-optimized. The asynchronous process you design in JDeveloper BPEL Designer is an example of both transient and durable processes.
One-Way and Two-Way Invocations

There are two types of invocations into BPEL process instances:
A one-way invocation a request-only operation and has only an inbound message. A two-way invocation a request-and-response operation. The caller thread is blocked until a response is ready.
Table 31 describes the use of these invocations.
3-2
Table 31 Use WSDL file definition
One-Way and Two-Way Invocations One-Way Invocation <operation name="oneway"> <input message="in"/> </operation> <receive operation="oneway" variable="in"/> Two-Way Invocation <operation name="twoway"> <input message="in"/> <output message="out"/> </operation> <receive operation="twoway" variable="in"/> ... <reply operation="twoway" variable="out"/> The request is delivered into Oracle BPEL Server and the targeted BPEL instance. The caller thread is blocked until the response is ready.
Variable declarations in BPEL activities
Through-delivery service
The request is saved in the delivery service. The caller thread does not block until the message is delivered to the targeted instance.
Idempotent Activities
An idempotent activity is an activity that can be retried (for example, an assign activity or an invoke activity). Oracle BPEL Server saves the instance after a nonidempotent activity.
See Also: "idempotent" on page 3-7 for additional details
In-Flight Database Storage

Over its life cycle, a BPEL instance in its current state of execution can be saved multiple times in the dehydration store database. There are two cases in which this occurs:
When the instance is waiting for an event. It can be either an alarm or an invocation message. This happens when one of the following BPEL activities is being executed: Wait activity OnAlarm branch of a pick activity Receive activity OnMessage branch of a pick activity
When a BPEL instance is saved to the dehydration store database, the instance is known as being dehydrated. When the event later occurs (the alarm expires or the message comes in), the instance is read from the database and resumes execution.
After a nonidempotent activity. Instance storage is necessary here if you want to retry the steps. The retry occurs from the steps after the nonidempotent activity.
JTA Transactions for Two-way Invocations

For two-way invocations, if the process being called is a transient process, Oracle BPEL Server honors the caller's Java Transaction API (JTA) transaction. If the process being called is a durable process, meaning an in-flight database save can be occurring, Oracle BPEL Server creates a new transaction.
BPEL Threading Model

Review the BPEL threading model details in this section before attempting to configure any property settings. Figure 31 shows thread usage during a request-response and one-way process instance invocation.
Figure 31 Thread Usage
Application Server
Dehydration Store (Database) C1 (T1)
Request-Response Invocation Client
(T1)
(T1)
Oracle BPEL Server
WorkerBean
(T3)
C1 (T3)
One-way Invocation Client
(T2)
Queue Connection Pool
Request-Response Invocation
In Figure 31, the client is running in thread T1. When the caller initiates a process instance, the same thread is used during processing. Eventually, when database operations must be performed, the thread obtains a database connection (C1 in Figure 31) from the connection pool.
One-Way Invocation
In Figure 31, the one-way invocation client is running in thread T2. When the client initiates a process instance, the invocation request is placed in a queue. At this point, thread T2 is released by Oracle BPEL Server and the caller can continue its own processing. Inside Oracle BPEL Server, a message-driven bean (MDB), WorkerBean, monitors the queue for invocation requests. When a message is dequeued, Oracle BPEL Server allocates a separate thread (T3) to process the message. This thread is used by Oracle BPEL Process Manager to process the instance. When database operations must be performed, the thread obtains a database connection from the connection pool.
See Also: "Oracle BPEL Server EJB Configuration" on page 3-23 for additional details about WorkerBean
Threading and Connection Pool Relationships

From Figure 31 and the previous sections, some important relationships can be derived for properly setting the threading and connection pooling parameters. The number of concurrent instances being processed is determined by the number of request-response client requests and the number of WorkerBean threads allocated. The following relationship can be stated.
Maximum DB Connections >= (WorkerBean listener threads) + (Maximum concurrent request-response invocations)
3-4
Process Level Performance Settings
The dspMaxThreads property allocates WorkerBean threads to various domains. This leads to the following relationships:
domains dspMaxThreads = (WorkerBean listener threads) Maximum DB Connections >= (domains dspMaxThreads) + (Maximum concurrent request-response invocations)
If only one domain exists, these formulas can be simplified further:

dspMaxThreads = (WorkerBean listener threads) Maximum DB Connections >= (dspMaxThreads) + (Maximum concurrent request-response invocations)

This section describes process level performance tuning properties. Process level performance properties are set in the bpel.xml file for a specific BPEL process. This file is in the same directory as the processs .bpel file. After modifying the settings in the Oracle_ Home\integration\jdev\jdev\mywork\workspace_name\process_ name\bpel.xml file, the process must be redeployed for the new settings to take effect.
Note: You can also set these properties in the Deployment Descriptor
Properties window of JDeveloper BPEL Designer.

See Also: "Domain and Process Configuration Property Settings" on
page 3-1
completionPersistLevel
This property controls the type (and amount) of data to save after instance completion. When process instances complete, Oracle BPEL Server by default saves the final state (for example, the variable values) of the process. If you do not need to save these values after completion, you can set this property to save only instance metadata (completion state, start and end dates, and so on). This property is applicable to transient BPEL processes. This property is used only when the inMemoryOptimization performance property is set to true. Use the completionPersistLevel property in conjunction with the completionPersistPolicy property. This property can greatly impact database growth (in particular, the cube_instance, cube_scope, and work_item tables). It can also impact throughput (due to reduced I/O).
See Also:

"completionPersistPolicy" on page 3-6 "inMemoryOptimization" on page 3-8 Table 32 on page 3-10 for additional details about the cube_ instance, cube_scope, and work_item tables
Values This property has the following values:
all (default) Oracle BPEL Server saves the complete instance, including the final variable values, work item data, and audit data. This setting causes the database to grow in size. instanceHeader The Oracle BPEL Process Manager saves only the instance metadata.
Example In the following example, only faulted instances are persisted (completionPersistPolicy=faulted). For the faulted instances, all variable values associated with the instance are saved (competionPersistLevel=All).
<BPELSuitcase> <BPELProcess src="HelloWorld.bpel" id="HelloWorld"> ... <configurations> <property name="inMemoryOptimization">true</property> <property name="completionPersistPolicy">faulted</property> <property name="completionPersistLevel">All</property> </configurations> </BPELProcess> </BPELSuitcase>
completionPersistPolicy
This property controls if and when to persist instances. If an instance is not saved, it does not appear in Oracle BPEL Console. This property is applicable to transient BPEL processes. This property is only used when inMemoryOptimization is set to true. If you set completionPersistPolicy to a value other then off, you can then set completionPersistLevel to more finely tune the persistence data to save. This parameter strongly impacts the amount of data stored in the database (in particular, the cube_instance, cube_scope, and work_item tables). It can also impact throughput.
See Also:

"completionPersistLevel" on page 3-5 "inMemoryOptimization" on page 3-8

on (default): Completed instances are saved normally. deferred Completed instances are saved with a different thread and in another transaction. If a server fails, some instances may not be saved. faulted Only faulted instances are saved. off No instances (and their data) are saved.
Example In the following example, completionPersistPolicy is set to deferred:

<BPEL Suitcase> <BPELProcess src="HelloWorld.bpel" id="HelloWorld"> . . . <configurations> <partnerLinkBinding name="PartnerService"> <property name="inMemoryOptimization">true</property> <property name="completionPersistPolicy">deferred</property> </partnerLinkBinding> </configurations> </BPELProcess> </BPEL Suitcase>
idempotent
A BPEL invoke activity is by default an idempotent activity, meaning that the BPEL process does not dehydrate instances immediately after invoke activities. Therefore, if idempotent is set to true and Oracle BPEL Server fails right after an invoke activity executes, Oracle BPEL Server performs the invoke again after restarting. This is because no record exists that the invoke activity has executed. This property is applicable to both durable and transient processes. If idempotent is set to false, the invoke activity is dehydrated immediately after execution and recorded in the dehydration store. If Oracle BPEL Server then fails and is restarted, the invoke activity is not repeated, because Oracle BPEL Process Manager sees that the invoke already executed. When idempotent is set to false, it provides better failover protection, but at the cost of some performance, since the BPEL process accesses the dehydration store much more frequently. This setting can be configured for each partner link in the bpel.xml file. Setting this parameter to true can significantly improve throughput. However, as mentioned previously, you must ensure that the partner's service can be safely retried in the case of a server failure. Some examples of where this property can be set to true are read-only services (for example, CreditRatingService) or local EJB/WSIF invocations that share the instance's transaction. Values This property has the following values:
false activity is dehydrated immediately after execution and recorded in the dehydration store true (default) If Oracle BPEL Server fails, it performs the activity again after restarting. This is because the server does not dehydrate immediately after the invoke and no record exists that the activity executed.
Example The following bpel.xml file example shows the idempotent property. This example shows a one-way invocation message being saved to the dehydration store database. This property can be set for each partner link.
<BPELSuitcase> <BPELProcess src="Invoke.bpel" id="Invoke"> <partnerLinkBindings> . . . <partnerLinkBinding name="PartnerService"> <property name="wsdlLocation"> partner-wsdl
</property> <property name="idempotent">false</property> </partnerLinkBinding> </partnerLinkBindings> </BPELProcess> </BPELSuitcase>
inMemoryOptimization
This property indicates to Oracle BPEL Server that this process is a transient process and dehydration of the instance is not required. When set to true, Oracle BPEL Server keeps the instances of this process in memory only during the course of execution. This property can only be set to true for transient processes (that is, those that do not contain any middle process receive, pick, or wait activities). The default for this property is false, which means that instances are persisted completely and recorded in the dehydration store database for a synchronous BPEL process. When inMemoryOptimization is set to true, dehydration is deactivated, and Oracle BPEL Process Manager keeps instances in memory only. The settings for the completionPersistPolicy and completionPersistLevel properties are also examined to determine persistence behavior. The inMemoryOptimization property can improve throughput when set to true and, in conjunction with these two other properties, can minimize database growth.
See Also:

"completionPersistLevel" on page 3-5 "completionPersistPolicy" on page 3-6
false (default) instances are persisted completely and recorded in the dehydration store database for a synchronous BPEL process. true Oracle BPEL Process Manager keeps instances in memory only.
Example The following bpel.xml file example shows the inMemoryOptimization property for the synchronous Hello World BPEL process:
<BPEL Suitcase> <BPELProcess src="HelloWorld.bpel" id="HelloWorld"> . . . <configurations> <property name="inMemoryOptimization">true</property> </configurations> </BPELProcess> </BPEL Suitcase>
nonBlockingInvoke
This property can improve performance when executing multiple branches of a flow or flowN activity. By default, Oracle BPEL Process Manager executes in a single thread, executing the branches sequentially instead of in parallel. When this property is set to true, Oracle BPEL Process Manager creates a new thread to perform each
3-8
Tables Impacted By Instance Data Growth
branchs invoke activity in parallel. This setting can be configured for each partner link in the bpel.xml file. This property is applicable to both durable and transient processes. Consider setting this parameter to true if you have invoke activities in multiple flow or flowN branches. This is especially effective if the parallel invoke activities are two-way, but some benefits can be realized for parallel one-way invokes as well. Values This property has the following values:
true Oracle BPEL Server spawns a new thread to execute the invocation. This thread is essentially the InvokerBean message driven bean thread. If the process has additional nonblocking invoke activities, increase the InvokerBean thread value. You may also need to increase the connection pool maximum size:
connection pool size >= (InvokerBean listener threads + WorkerBean listener threads + maximum concurrent request-response invocations
false (default) Oracle BPEL Server executes the invoke activity in the single process thread.
See Also: "InvokerBean" on page 3-24 for instructions on
configuring the InvokerBean Example The following bpel.xml file example enables the nonBlockingInvoke property:
<BPELSuitcase> <BPELProcess src="Invoke.bpel" id="Invoke"> <partnerLinkBindings> . . . <partnerLinkBinding name="PartnerService"> <property name="wsdlLocation"> partner-wsdl </property> <property name="nonBlockingInvoke">true</property> </partnerLinkBinding> </partnerLinkBindings> </BPELProcess> </BPELSuitcase>
Tables Impacted By Instance Data Growth

Instance data occupies space in Oracle BPEL Process Manager schema tables. Table 32 describes the tables that are impacted by instance data growth. A brief description is provided of each table. The values to which you can set some domain level performance properties described in "Domain Level Performance Tuning" on page 3-10 impact the growth of these tables.
Domain Level Performance Tuning
Table 32 Table Name
Oracle BPEL Process Manager Tables Impacted By Instance Data Growth Table Description Stores audit details that can be logged through the API. Activities such as an assign activity log the variables as audit details by default. You can set this behavior through the auditLevel property in Oracle BPEL Console under Manage BPEL Domain > Configuration. Audit details are separated from the audit_trail table due to their large size. To view a detail, click a link on the Audit tab for a specific instance in Oracle BPEL Console and load the detail separately. The auditDetailThreshold property in Oracle BPEL Console under Manage BPEL Domain > Configuration is used by this table. If the size of a detail is larger than the value specified for this property, it is placed in this table. Otherwise, it is placed in the audit_trail table. See Also: "auditDetailThreshold" on page 3-11 and "auditLevel" on page 3-12
audit_details
audit_trail
Stores the audit trail for instances. The audit trail viewed in Oracle BPEL Console is created from an XML document. As an instance is processed, each activity writes events to the audit trail as XML. Stores process instance metadata (for example, the instance creation date, current state, title, and process identifier) Stores the scope data for an instance (for example, all variables declared in the BPEL flow and some internal objects that help route logic throughout the flow). Stores callback messages upon receipt. This table only stores the metadata for a message (for example, current state, process identifier, and receive date).
cube_instance cube_scope dlv_message
dlv_message_bin Stores the callback message payload. This table stores the payload as a binary large object (BLOB). This separation allows the metadata to change frequently without being impacted by the size of the payload (which is stored here and never modified). dlv_ subscription document Stores delivery subscriptions for an instance. Whenever an instance expects a message from a partner (for example, the receive or onMessage activity) a subscription is written out for that specific receive activity. Stores large XML variables. If a variable grows larger than the size configured through the largeDocumentThreshold property in Oracle BPEL Console under Manage BPEL Domain > Configuration, it is stored in this table to prevent it from loading into the cube_scope table. Stores incoming (invocation) messages (messages that result in the creation of an instance). This table only stores the metadata for a message (for example, current state, process identifier, and receive date).
invoke_message
invoke_message_ Stores the incoming message payload. This table serves the same purpose as the dlv_ bin message_bin table does for dlv_message. schema_md task work_item Stores metadata about columns defined in the Oracle BPEL Process Manager schema (orabpel). Stores tasks created for an instance. The TaskManager process keeps its current state in this table. Stores activities created by an instance. All activities in a BPEL flow have a work_item table. This table includes the metadata for the activity (current state, label, and expiration date (used by wait activities)).

This section describes domain level performance tuning properties. Oracle recommends that you modify these settings in Oracle BPEL Console under Manage BPEL Domain > Configuration. Oracle BPEL Console checks the existing settings and any new settings entered, and validates them without requiring a restart. Domain level performance settings are located in the Oracle_
3-10
Home\integration\orabpel\domains\domain_name\config\domain.xml file. If you directly edit the domain.xml file, you must restart Oracle BPEL Server for the new settings to take effect.
See Also: "Domain and Process Configuration Property Settings" on
page 3-1
Oracle BPEL Console Properties That Cannot Be Edited

The following properties display in Oracle BPEL Console under Manage BPEL Domain > Configuration. These properties have empty Name and Comment columns in the Configuration tab. Do not modify these properties; this has no impact on system performance tuning.

cbCacheHighWatermark cbCacheLowWatermark cbCachePolicy cbCacheUnits completionPersistLevel (Must be set in the bpel.xml deployment descriptor file.) completionPersistPolicy (Must be set in the bpel.xml deployment descriptor file.) instCacheUnits invCacheHighWatermark invCacheLowWatermark invCachePolicy invCacheUnits subCacheHighWatermark subCacheLowWatermark subCachePolicy subCacheUnits
Instead, see the following subsections for details about properties that can be set to optimize performance.
auditDetailThreshold
This property sets the maximum size (in kilobytes) of an audit trail details string before it is stored separately from the audit trail. If an audit trail details string is larger than the threshold setting, it is not immediately loaded when the audit trail is initially retrieved; a link is displayed with the size of the details string. Strings larger than the threshold setting are stored in the audit_details table, instead of the audit_ trail table. This property is applicable to durable processes. The details string typically contains the contents of a BPEL variable. In cases where the variable is very large, performance can be severely impacted by logging it to the audit trail.
Values The default value is 50 kilobytes.

See Also: Table 32 on page 3-10 for additional information about
the audit_trail and audit_details tables
auditLevel
This property sets the audit trail logging level. This process is applicable to both durable and transient processes. This property controls the amount of audit events logged by a process. This setting greatly impacts performance because more audit events means more database inserts into the audit_trail table. This audit information is used only for viewing the state of the process from Oracle BPEL Console. Use this property if you do not want to store all audit information. Choose the level according to your business requirement. Auditing information has a significant impact on database growth and throughput. For optimal performance, set this property to the lowest acceptable level.
See Also: Table 32 on page 3-10 for additional information about
audit level details and the audit_trail table Values This property has the following values:
off No audit events (activity execution information) are persisted and no logging is performed; this can result in a slight performance boost for processing instances. minimal all events are logged; however, no audit details (variable content) are logged. This setting is recommended for larger payload processes. production all events are logged. The audit details for assign activities are not logged; the details for all other activities are logged. This setting is recommended for smaller payload processes. development (default) all events are logged; all audit details for all activities are logged.
bpelcClasspath
This property sets the BPEL process compiler classpath. This is the server-side BPEL process compiler classpath. Any user-specific classes and libraries used by a BPEL Java exec activity (that have not been packaged in the BPEL archive) must be specified in this classpath. This enables the server-side BPEL process compiler to successfully compile the BPEL process. This process is applicable to both durable and transient processes. Values The default value is:
Oracle_Home\integration\orabpel\system\classes; Oracle_Home\integration\orabpel\lib\j2ee_1.3.01.jar
3-12
datasourceJndi
This property sets the domain data source JNDI name. This data source can refer to any data source (JTA is not required). This process is applicable to both durable and transient processes. Values The default value is jdbc/BPELServerDataSourceWorkflow.
deliveryPersistPolicy
WARNING: Oracle recommends that this property remain set to the default value of on. If you set this property to off and your system fails, you lose messages. Exercise extreme care if changing this property setting from the default value.
This property enables and disables database persistence of messages entering Oracle BPEL Server. By default, incoming requests are saved in the following delivery service database tables:

dlv_message dlv_message_bin invoke_message invoke_message_bin
These requests are later acquired by Oracle BPEL Server worker threads and delivered to the targeted BPEL process. In the case where performance is preferred over reliability, persisting the incoming messages in the database can be skipped. This property persists delivery messages and is applicable to durable processes. One-way invocation messages are stored in the delivery cache until delivered. If the rate at which one-way messages arrive is much higher than the rate at which Oracle BPEL Server delivers them or if the server fails, some messages can get lost. In Oracle BPEL Console (under Manage BPEL Domain >Threads), you can monitor the size of the delivery cache by viewing the New Instance Requests and Callback Requests statistics in the Pending Requests section. The Scheduled column indicates the number of cached messages.
See Also: Table 32 on page 3-10 for additional details about the
delivery service database tables Values This property has the following values:

on (default) delivery messages are persisted in the database off incoming delivery messages are kept only in the in-memory cache. If more messages are delivered, the system can become overloaded (messages become backlogged in the Scheduled queue) and you receive out-of-memory errors. Tune the number of WorkerBean threads to accommodate the number of incoming messages.
See Also: "WorkerBean" on page 3-23
dspAgentDelay
This property sets the number of seconds between triggers of the dispatcher agent. This agent cleans up any messages in the dispatcher layer that have not been processed due to a failure in the JMS layer. This process is applicable to durable processes. Values The default value is 120 seconds.
dspInvokeAllocFactor
This property sets the percentage of active threads to be tasked to process incoming invocation messages. After a thread has finished processing a message, it can be tasked again to process an Oracle BPEL Server or invocation message, depending upon the current thread allocation situation. This process is applicable to durable processes. Values The default value is 0.4 (40%).
dspMaxRequestDepth
This property sets the maximum number of in-memory activities to process within the same request. After processing an activity request, Oracle BPEL Process Manager attempts to process as many subsequent activities as possible without jeopardizing the transactionality of the request. Once the activity processing chain has reached this depth, the instance is dehydrated and the next activity is performed in a separate transaction. If the request depth is too large, the total request time can exceed the application server transaction timeout limit. This process is applicable to durable processes. Values The default value is 600 activities.
dspMaxThreads
This property sets the maximum number of active dispatcher threads that process messages during peak load times. This property is applicable to durable processes and is dependent on the application server configuration. This is the simplest way to improve the performance and scalability of the domain. Oracle BPEL Server uses MDB threads to process Oracle BPEL Server messages. The maximum value for this property is dependent upon the Oracle BPEL Server's MDB J2EE listener threads setting. For Oracle Application Server, this count is configured in the orion-ejb-jar.xml deployment descriptor file. For example, if the total number of MDB J2EE listener threads is 120, the value of dspMaxThreads can be set to 120 or less. If you have configured multiple domains, the sum of the dspMaxThreads settings for all domains must not exceed the MDB J2EE listener threads setting.
3-14
If the CPU utilization of your application server and database hosts are well below capacity, try increasing this value and the MDB J2EE listener threads setting when necessary. If the CPUs are still not fully utilized, then consider running multiple Oracle BPEL Server instances.
Note: MDB J2EE listener threads configuration is specified in the
following file:
For the Oracle BPEL Process Manager for Developers installation type, this file is located at Oracle_ Home\system\appserver\oc4j\j2ee\home\applicationdeployments\orabpel\ejb_ob_ engine.jar\orion-ejb-jar.xml under WorkerBean. For the Oracle BPEL Process Manager for OracleAS Middle Tier installation type, this file is located at Oracle_ Home\j2ee\OC4J_ BPEL\application-deployments\orabpel\ejb_ob_ engine.jar\orion-ejb-jar.xml under WorkerBean.
See Also:

"BPEL Threading Model" on page 3-4 for complete details "Oracle BPEL Server EJB Configuration" on page 3-23 for MDB J2EE listener thread details
Values The default value is 100 threads.
dspMinThreads
This property sets the minimum number of active dispatcher threads that process messages during peak load times. If the current number of active threads is under this number, the load factor is not taken into consideration when determining whether or not to allocate a new thread. This process is applicable to durable processes. Values The default value is 5 threads.
expirationMaxRetry
This property sets the maximum number of times a failed expiration call (in a wait activity or an onAlarm branch of a pick activity) is retried before failing. If the activity or instance targeted by the expiration call cannot be found, the call is rescheduled again. The retry count does not include the first (original) attempt by the expiration call. This process is applicable to durable processes. Values The default value is 5.
expirationRetryDelay
This property sets the amount of time (in seconds) between failed attempts to execute an expiration call. If the activity or instance targeted by the expiration call cannot be found, the next call is rescheduled for this number of seconds in the future. This process is applicable to durable processes. Values The default value is 120 (2 minutes).
idempotentThreshold
This property sets the maximum time (in seconds) in which an idempotent service must successfully complete an activity. If an idempotent service takes longer than this time to complete, the service is considered nonidempotent and the current transaction is committed to the database. This feature prevents lengthy services from having to redo work in case another service in the idempotent chain fails. Values The default value is 30 seconds.
See Also: "Idempotent Activities" on page 3-3
instanceKeyBlockSize
This property controls the instance ID range size. Oracle BPEL Server creates instance keys (a range of process instance IDs) in batches using this number. After creating this range of in-memory IDs, the next range is updated and saved in the ci_id_range table. For example, if instanceKeyBlockSize is set to 100, Oracle BPEL Server creates a range of instance keys in-memory (100 keys, which are later inserted into the cube_ instance table as cikey).If the block size is smaller then the number of updates to the ci_id_range table, this may cause performance issues.
cube_instance table Values The default value is 100.
instCacheHighWatermark
Note: Oracle recommends that you do not change this parameter.
Only change this parameter if you fully understand JVM issues. This property sets the maximum number of in-flight instances that can be placed in the cache before pruning occurs. Once the high watermark is reached, the cache removes (prunes) enough older instances from cache to reach the low watermark value (set with the instCacheLowWatermark property). Pruned instances can be retrieved as needed from the dehydration store. This property is applicable to durable processes. This value is only used when the instCachePolicy property is set to lru or hybrid. Consider the following factors when setting this property:
3-16
The number of in-flight instances Oracle BPEL Process Manager is expected to handle at any point in time The amount of memory each process instance takes. The memory usage can be determined using a Java Profiler.
You can run a single instance through the system and measure the corresponding increase in memory utilization. If this property is set too high, your system can encounter OutOfMemoryException error messages. The system can also actually slow down if this value is set too high because the garbage collector runs more frequently. To monitor the garbage collector, use Sun's visual garbage collection (GC) tool (http://java.sun.com/performance/jvmstat).
See Also:

"instCacheLowWatermark" on page 3-17 "instCachePolicy" on page 3-18
Values The default value is 3000; zero implies no limit.
instCacheLowWatermark
Only change this parameter if you fully understand JVM issues. This property sets the number of in-flight instances to which the cache is pruned when pruning occurs. This property is applicable to durable processes. When the high watermark in the cache is reached, the cache removes enough instances to reach this level. Cache pruning occurs when the cache size grows to the high watermark value (set with the instCacheHighWatermark property). This instCacheLowWatermark property controls how much pruning occurs. The default value is 75% of the high watermark setting. This indicates the cache is reduced to 75% of the high watermark value when pruning occurs. This value is only used when the instCachePolicy property is set to lru or hybrid. Monitor instance cache statistics by going to Manage BPEL Domain > Threads in Oracle BPEL Console. In the Server cache statistics section at the bottom of this page is the instance cache entry. You can view the cache size and hit percentage. If the hit percentage is quite low, consider increasing your cache size or the low watermark value. If this property is set too high, your system can encounter OutOfMemoryException errors. The system can also actually slow down if this value is set too high. This is because the garbage collector must run more frequently. To monitor the garbage collector, use Sun's visual GC tool (http://java.sun.com/performance/jvmstat).
See Also:

"instCacheHighWatermark" on page 3-16 "instCachePolicy" on page 3-18

Values The default value is 2250 (75%).
instCachePolicy
This property sets the eviction policy to use when removing in-flight instances from the cache. This property is applicable to durable processes. This property takes effect only when the optCacheOn property is set to true. If you want to fine tune cache management, use this property. If the number of process instances that must be kept in memory is well known, Oracle recommends the lru setting. When using the lru setting, the instCacheHighWatermark and instCacheLowWatermark properties must also be set.
Note: Some JVM implementations have been observed to display an
OutOfMemoryException error message when cache values are set to auto. This happens because the auto caching setting relies on JVM soft references. If you encounter this error, set the caching value to lru.
See Also:

"instCacheHighWatermark" on page 3-16 "instCacheLowWatermark" on page 3-17 "optCacheOn" on page 3-19
lru least recently used; this setting first removes those instances that have not been accessed for the longest period of time. This setting is recommended. auto (default) delegates the removal decision to the JVM. Instances are removed when the garbage collector reaps soft references. soft-lru combination of lru and auto.
invokerQueueConnectionPoolMinSize
This property sets the invoker queue connection pool minimum size. This value must match the number of invoker threads. If the invoker threads are set to 200, this value can be set to 200 to avoid JMS warm up. This property is applicable to both durable and transient processes. Values The default value is 25.
See Also: "InvokerBean" on page 3-24 for details about invoker
threads
largeDocumentThreshold
This property sets the large XML document persistence threshold. This is the maximum size (in kilobytes) of a BPEL variable before it is stored in a separate location (the document table) from the rest of the instance scope data.
This property is applicable to both durable and transient processes. Large XML documents impact the performance of the entire Oracle BPEL Server if they are constantly read in and written out whenever processing on an instance must be performed. By writing the variable to the document table, the performance impact is limited to times when the variable is explicitly used in a BPEL activity. Values The default value is 50 kilobytes.
document table
minBPELWait
This property sets the minimum BPEL activity wait. If the wait time for a wait activity or an onAlarm branch of a pick activity is less than the value defined here, the wait is ignored. This property is applicable to durable processes. Values The default value is 2 seconds.
optCacheOn
This property sets the in-memory cache for in-flight instances. This property is applicable to durable processes. If set to true, Oracle BPEL Process Manager attempts to load active instances from in-memory cache rather than looking them up from the database. To disable optimization, specify a value other than true. Set this property to false if your process is long running and the subprocesses do not immediately call back. Consider this if you are dealing with shorter processes, which expect many callbacks. Setting this property to true necessitates setting the following caching-related settings:

instCacheHighWatermark instCacheLowWatermark instCachePolicy
If you can meet your performance goals without using the cache, Oracle recommends leaving this setting as false to simplify administration and tuning.
Note: Enabling the cache may adversely impact performance. This
can happen if cache values are set too high, causing the JVM garbage collector to run at frequent intervals. Use Sun's visual GC tool (http://java.sun.com/performance/jvmstat) to monitor the garbage collector. Values This property has the following values:
true Oracle BPEL Server attempts to load active instances from in-memory cache rather than looking them up from the database. false (default) Oracle BPEL Server loads the instance from the database every time.
See Also:

"instCacheHighWatermark" on page 3-16 "instCacheLowWatermark" on page 3-17 "instCachePolicy" on page 3-18
optIdempotentRouting
This property sets a routing shortcut for idempotent services. If set to true, Oracle BPEL Server attempts to process as many activities as possible within the same transaction if the activity services are idempotent. This property is applicable to durable processes. The default value is true. To disable optimization, specify a value other than true. Values The default value is true.
optSoapShortcut
This property sets a short-cut for a local SOAP request. Local SOAP calls are normally performed with an internal call instead of sending a message through the SOAP stack. The default behavior for the Oracle BPEL Process Manager is to optimize all by bypassing the SOAP stack. To disable optimization, specify a value other than true. This property is applicable to both durable and transient processes. Values true (default) Local SOAP calls bypass the SOAP stack. false Local SOAP calls go through the SOAP stack.
processCheckSecs
This property sets the number of seconds to wait since the last time Oracle BPEL Server checked the BPEL archive before checking it again. Checking means to check the last modified time stamp on the BPEL archive for a particular process. If the specified number of seconds has passed and the BPEL archive file has been modified since the last time checked, the process is refreshed from the new archive. If not
3-20
enough time has passed since the last time the stale check was performed, the currently-loaded process classes are used. This property is applicable to both durable and transient processes. To disable process checking, use a value of -1. In this case, once a process has been loaded, Oracle BPEL Server never checks if a newer version of the same process has been deployed. Values The default value is 1 second.
relaxBpelAssignRules
Note: Oracle recommends that you do not use this property. This
property has been deprecated and is being removed from Oracle BPEL Process Manager for release 10.1.3. This property relaxes enforcement of the Business Process Execution Language for Web Services Specification Version 1.1 assign rules. If set to true, Oracle BPEL Process Manager does not apply rules while assigning BPEL variables. For example, Oracle BPEL Process Manager does not display an error about null assignments (which are not allowed in the BPEL specifications). This property is applicable to both durable and transient processes. Values This property has the following values:

false (default) does not relax assignment rules. true relaxes assignment rules.
slowPerfThreshold
This property sets the maximum time (in seconds) for a service to successfully complete an activity. If a service takes longer than this time to complete, the service is considered slow. Oracle BPEL Process Manager collects statistics on slow services. This property is applicable to durable processes. Values The default value is 1 second.
statsLastN
This property sets the size of the most-recently processed request list. After each request is finished, statistics for the request are kept in a list. A value less than or equal to zero disables statistics gathering. This property is applicable to both durable and transient processes. You can view statistics from the Oracle BPEL Console under Manager BPEL Domain > Statistics.
OC4J Performance Tuning
Values The default value is 1000.
syncMaxWaitTime
This property sets the maximum time the process result receiver waits for a result before returning. Results from asynchronous BPEL processes are retrieved synchronously by a receiver that waits for a result from Oracle BPEL Server. This property is applicable to transient processes. Values The default value is 45 seconds.
txDatasourceJndi
This property sets the domain transactional data source JNDI name. This data source must be configured for JTA support. This property is applicable to both durable and transient processes. Values The default value is jdbc/BPELServerDataSource.
validateXML
This property validates incoming and outgoing XML documents. If set to true, the Oracle BPEL Process Manager applies schema validation for incoming and outgoing XML documents. This property is applicable to both durable and transient processes. Values The default value is false.
workerQueueConnectionPoolMinSize
This property sets the worker queue connection pool minimum size. This value must match the number of worker threads. if the number of worker threads is 200, this value can be set to 200 to avoid JMS warm up. This property is applicable to durable processes. Values The default value is 25.
See Also: "WorkerBean" on page 3-23

The parameters described in this section are set at the Oracle Application Server level. You must restart the OC4J instance for these parameters to take effect. This section contains the following topics:
JTA Transaction Timeout
3-22
Oracle BPEL Server EJB Configuration Data Source Configuration

See Also:
Oracle Application Server Administrators Guide, which is available by clicking View Library > System Management under the Oracle Application Server 10g Release 2 (10.1.2.0.2) header at http://www.oracle.com/technology/documentation/appse rver101202.html, for instructions on starting and stopping Oracle Application Server
JTA Transaction Timeout

Oracle BPEL Server uses JTA to achieve atomicity. The transaction timeout value is set by default to 60000 milliseconds in the server.xml file. For the Oracle BPEL Process Manager for OracleAS Middle Tier installation type, this file is located in Oracle_ Home\j2ee\OC4J_BPEL\config. You can sometimes experience transaction rollback errors due to timeouts, especially when Oracle BPEL Server is under stress. The timeout can happen for many reasons:
Insufficient resources (for example, not enough database connections in the connection pool, the server thread waits for 60 seconds and displays a timeout error, and so on). Large document manipulation (for example, database writes of very large documents can take longer than 60 seconds).
Change this value according to your process. The following example sets the timeout to 120 seconds:
<transaction-config timeout="120000" />
If your process invokes partners that take longer than the specified timeout threshold, call them using a one-way request or set the nonBlockingInvoke partner link property to true in the bpel.xml deployment descriptor file.
See Also: "nonBlockingInvoke" on page 3-8
Oracle BPEL Server EJB Configuration

To increase performance, Oracle recommends removing the max-instances attribute for all of Oracle BPEL Server's EJBs in the orion-ejb-jar.xml file. For the Oracle BPEL Process Manager for OracleAS Middle Tier installation type, this file is located in Oracle_Home\j2ee\OC4J_BPEL\application-deployments\orabpel\ejb_ ob_engine.jar. This enables the application server to allocate more resources to heavily-used beans.
WorkerBean
Oracle BPEL Server uses an MDB called WorkerBean to perform processing. Therefore, it is important to allocate enough threads to this MDB. Otherwise, resource utilization is not optimal. The following code from the orion-ejb-jar.xml file shows an allocation of 70 threads.
<message-driven-deployment name="WorkerBean" destination-location="jms/collaxa/BPELWorkerQueue" connection-factory-location="jms/collaxa/BPELWorkerQueueFactory" listener-threads="70" min-instances="100"> <ejb-ref-mapping name="ejb/local/DispatcherLocalBean" />
.. .. </message-driven-deployment>
InvokerBean
The invoker bean is used only for nonblocking invoke activities. If you set some invokes to be nonblocking, increase the number of threads allocated to the InvokerBean. The following orion-ejb-jar.xml code shows an allocation of 30 threads.
<message-driven-deployment name="InvokerBean" destination-location="jms/collaxa/BPELInvokerQueue" connection-factory-location="jms/collaxa/BPELInvokerQueueFactory" listener-threads="30" min-instances="100"> <ejb-ref-mapping name="ejb/local/ProcessManagerLocalBean" /> </message-driven-deployment>
Note: The sum of the InvokerBean and WorkerBean threads must
be greater than or equal to the value specified for the dspMaxThreads domain property in Oracle BPEL Console under Manage BPEL Domain > Configuration. If you configured multiple domains, add the dspMaxThreads property for all your domains and compare that sum to the MDB total thread count.
See Also:

"nonBlockingInvoke" on page 3-8 "dspMaxThreads" on page 3-14
Data Source Configuration

Oracle BPEL Server obtains database connections using an application server JTA data source. Oracle BPEL Server by default is configured to use the Oracle Database Lite dehydration store. For stress testing and production, Oracle recommends that you use Oracle Database 10g. Oracle Database Lite is designed for lightweight devices and is only packaged to ease the initial developer experience. It does not perform well in stress tests. Be aware of the following issues when configuring the Oracle BPEL Server data source entry. For the Oracle BPEL Process Manager for OracleAS Middle Tier installation type, the data source entry is located in the Oracle_Home\j2ee\OC4J_ BPEL\config\data-sources.xml file.
When configuring the data source, ensure that the connection pool has enough free connections to serve Oracle BPEL Server. The connection pool size must be greater than or equal to the sum of the dspMaxThreads property value in Oracle BPEL Console. If you have configured multiple domains, add all dspMaxThreads property values and compare that value with the data source's max-connections value. For Oracle Database 10g, the data source must also use the thin driver. For the Oracle9i Database, Oracle Call Interface (OCI) performs slightly better.
3-24
Java Virtual Machine Performance Tuning
The following data source has been configured to use an Oracle Database and support up to 125 connections.
<data-source class="com.evermind.sql.DriverManagerDataSource" name="BPELServerDataSource" location="jdbc/BPELServerDataSource" xa-location="BPELServerDataSource" ejb-location="jdbc/BPELServerDataSource" connection-driver="oracle.jdbc.OracleDriver" max-connections="125" min-connections="50" connection-retry-interval="30" max-connect-attempts="10" url="jdbc:oracle:thin:username/password@hostname:port:SID "/>
See Also:

"dspMaxThreads" on page 3-14 Oracle BPEL Process Manager Installation Guide for instructions on configuring an Oracle Database as the Oracle BPEL Process Manager dehydration store
Java Virtual Machine Performance Tuning

JVM parameters can also impact Oracle BPEL Server performance. The major factors that impact performance relate to the heap size. The following parameters are valid for JVM version 1.4.2. See your JVM documentation if you are using a different version. With the Oracle BPEL Process Manager for OracleAS Middle Tier installation type, JVM parameters are specified in the Oracle_Home\opmn\conf\opmn.xml file.
Heap Size
The heap size controls the amount of memory the JVM uses. If your BPEL process instance runs on a dedicated host, set this value as high as possible. This number is limited to the operating system's addressable memory space.

For Solaris and Linux 32-bit operating systems, the limit is 4 GB. For Windows 32-bit operating systems, the limitation is 2 GB (due to operating system limitations).
The following line in opmn.xml highlights the use of a 2 GB heap.

set MEM_ARGS=-Xms2048m -Xmx2048m -Xmn1228m
where:

-Xms specifies the initial heap size -Xmx specifies the maximum heap size
For the Solaris operating system, Sun recommends setting the -Xms and -Xmx values to be equal. Another important heap configuration is the garbage collector's generational settings. The garbage collector optimizes collection by classifying objects by how long they live. Most of Oracle BPEL Server objects are short-lived; thus they live in the Eden space. Oracle recommends sizing the Eden space to be 60 to 70 percent of the total heap size. The -Xmn setting in the following line in opmn.xml highlights a 60% Eden sizing:
set MEM_ARGS=-Xms2048m -Xmx2048m -Xmn1228m
Dehydration Store Database Performance Tuning
If you are using two or more CPUs, Oracle recommends using the -XX:+AggressiveHeap JVM option. The -XX:+AggressiveHeap option inspects the system resources (size of memory and number of processors) and attempts to set various parameters to be optimal for long-running, memory allocation-intensive jobs. This option does not impact Windows performance. The following line in opmn.xml specifies the use of this option:
set MEM_ARGS=-Xmn1228m -XX:+AggressiveHeap
For Linux operating systems, Oracle recommends also setting the -Xms and -Xmx parameters:
set MEM_ARGS=-Xmn1228m -XX:+AggressiveHeap -Xms2048m -Xmx2048m
Dehydration Store Database Performance Tuning

Oracle BPEL Server performance is related to the dehydration store's capacity. Oracle recommends the following:

Moving the redo logs into a separate RAID 1+0 disk Increasing the size of each redo log file to a large value (for example, 1 GB) Creating a separate database tablespace for Oracle BPEL Server
The database parameters shown in Table 33 impact Oracle BPEL Process Manager performance. The specific values to use depend on your hardware configuration.
Table 33 Database Parameters Impacting Oracle BPEL Process Manager Performance Sample Value 1048576 400M 1 1000M 8 0 300 100
Parameter Name log_buffer shared_pool_size job_queue_processes db_cache_size db_file_multiblock_read_count undo_retention processes session_cached_cursors
3-26
Summary
See Also: Oracle Database Tuning and Oracle Database Reference for
your Oracle Database release:
For Oracle Database 10g Release 2 (10.2)

http://www.oracle.com/technology/documentation/databas e10gr2.html
For Oracle Database 10g Release 1 (10.1)

http://www.oracle.com/technology/documentation/databas e10g.html
For Oracle Database 9i Release 2 (9.2)

http://www.oracle.com/technology/documentation/oracle9 i.html
Summary
This chapter describes how to configure Oracle BPEL Process Manager property settings to optimize performance at the process, domain, applications server, Java Virtual Machine (JVM), and dehydration store database levels. This chapter describes these property settings and provides recommendations on how to use them.
Summary
3-28
Index
A
active threads setting the percentage of threads to be tasked to process incoming threads, 3-14 activities idempotent, 3-3 impacted by durable processes, 3-2 impacted by in-flight database storage, 3-3 setting the maximum amount in memory within the same request, 3-14 setting the maximum completion time for an idempotent service, 3-16 setting the maximum time for a service to successfully complete an activity, 3-21 architecture clustering, 2-2 archive setting a time for checking the BPEL archive, 3-21 audit events controlling the amount, 3-12 audit trail setting, 3-12 setting details, 3-11 setting the logging level, 3-12 audit_details table definition, 3-10 for storing strings larger than the threshold setting, 3-11 audit_trail table controlling the amount of audit events logged by a process, 3-12 definition, 3-10 for storing strings within the threshold setting, 3-11 auditDetailThreshold property definition, 3-11 values, 3-12 auditLevel property controlling the amount of audit events logged by a process, 3-12 definition, 3-12 values, 3-12 authentication definition, 1-3 authorization definition, 1-3 Oracle Web Services Manager, 1-27 Axis services with custom authentication handlers basicHeaders, 1-22 basicPassword, 1-22 basicUsername, 1-22 invoking secured services, 1-22
B
basicHeaders Axis services with custom authentication handlers, 1-22 basicPassword Axis services with custom authentication handlers, 1-22 basicUsername Axis services with custom authentication handlers, 1-22 BPEL archive setting a time for checking, 3-21 BPEL JAR files copying from one cluster node to another, 2-9 BPEL processes securing, 1-5 using J2EE basic authentication, 1-10 using native BPEL security extensions, 1-12 using SSL for certificate-based authentication, 1-6 BPEL security extensions definitions, 1-4 BPEL threading model overview, 3-4 .bpel_TaskActionHandler_1.0.jar deleting, 1-7 .bpel_TaskManager_1.0.jar deleting, 1-7 bpelcClasspath property definition, 3-12 values, 3-12 bpel.xml file, 1-21 for setting process level performance properties, 3-5
C
cacerts file, 1-18, 1-20
Index-1
cache high water mark, 3-16 low water mark, 3-17 monitoring cache statistics in Oracle BPEL Console, 3-17 removing in-flight instance from, 3-18 warning about impacting performance, 3-19 cached messages viewing the number of, 3-13 ci_id_range table saving the instance ID range, 3-16 clustering architecture, 2-2 compiling and deploying a BPEL project, 2-9 compiling and deploying a BPEL project from JDeveloper BPEL Designer on a remote host, 2-9 compiling and deploying the project on each Oracle BPEL Server locally, 2-10 configuring Oracle BPEL Server, 2-6 copying BPEL JAR files from one node to another, 2-9 creating, 2-4 creating a load balancer, 2-5 creating the middle tier cluster, 2-7 installing Oracle Application Server on two separate hosts, 2-4 installing Oracle BPEL Process Manager for OracleAS Middle Tier, 2-5 limitations, 2-2 multiple Oracle BPEL Process Manager for OracleAS Middle Tiers, 2-3 overview, 2-2, 2-3 supported environments, 2-2 testing the cluster, 2-10 troubleshooting, 2-11 with application server middle tier clustering, 2-2 without application server middle tier clustering, 2-2 collaxa-config.xml file, 2-6 compiling a BPEL project in a clustering environment, 2-9 completionPersistLevel property definition, 3-5 example of use, 3-6 values, 3-6 completionPersistPolicy property definition, 3-6 example of use, 3-6 values, 3-6 connection pooling relationship with threading, 3-4 setting the invoker queue minimum size, 3-18 setting the worker queue minimum size, 3-22 size must be greater than or equal to sum of dspMaxThreads property value, 3-24 CPUs optimizing use of, 3-15 cube_instance table definition, 3-10
growth impacted by completionPersistLevel property, 3-5 growth impacted by completionPersistPolicy property, 3-6 cube_scope table definition, 3-10 growth impacted by completionPersistLevel property, 3-5 growth impacted by completionPersistPolicy property, 3-6
D
data source configuration, 3-24 data sources configuring the data-sources.xml file, 3-25 database parameters db_cache_size, 3-26 db_file_multiblock_read_count, 3-26 job_queue_processes, 3-26 log_buffer, 3-26 processes, 3-26 session_cached_cursors, 3-26 shared_pool_size, 3-26 tuning, 3-26 undo_retention, 3-26 database tables audit_details, 3-11 audit_trail, 3-12 ci_id_range, 3-16 cube_instance, 3-5, 3-6 cube_scope, 3-5, 3-6 dlv_message, 3-13 dlv_message_bin, 3-13 document, 3-18, 3-19 growth impacted by completionPersistLevel property, 3-5 growth impacted by completionPersistPolicy property, 3-6 impacted by instance data growth, 3-9 invoke_message_bin, 3-13 work_item, 3-5, 3-6 datasourceJndi property definition, 3-13 values, 3-13 data-sources.xml file configuring the data source entry, 3-24 location of, 3-24 db_cache_size parameter tuning, 3-26 db_file_multiblock_read_count parameter tuning, 3-26 dehydration store database configuration, 2-4 database parameters tuning, 3-26 in-flight database storage, 3-3 performance tuning, 3-26 redo logs performance tuning, 3-26 tablespace tuning, 3-26 delivery cache
Index-2
for storing one-way invocations, 3-13 monitoring the size of, 3-13 delivery service database tables dlv_message, 3-13 dlv_message_bin, 3-13 invoke_message, 3-13 invoke_message_bin, 3-13 deliveryPersistPolicy property definition, 3-13 values, 3-13 warning about changing this property, 3-13 deploying a BPEL project in a clustering environment, 2-9 digital signatures definition, 1-4 Oracle Web Services Manager, 1-27 dispatcher agent setting the number of second between triggers of, 3-14 dispatcher threads setting the maximum number of, 3-14 setting the minimum number of, 3-15 dlv_message table definition, 3-10 for saving incoming requests, 3-13 dlv_message_bin table definition, 3-10 for saving incoming requests, 3-13 dlv_subscription table definition, 3-10 document persistence threshold setting, 3-18 document table definition, 3-10 storing large XML documents, 3-18 documents validating, 3-22 domain configuration property settings definition, 3-1 domain data source JNDI name setting, 3-13 domain level performance properties, 3-10 performance properties that cannot be edited, 3-11 domain level security, 1-13 domain properties auditDetailThreshold, 3-11 auditLevel, 3-12 bpelcClasspath, 3-12 datasourceJndi, 3-13 deliveryPersistPolicy, 3-13 dspAgentDelay, 3-14 dspInvokeAllocFactor, 3-14 dspMaxRequestDepth, 3-14 dspMaxThreads, 3-14 dspMinThreads, 3-15 expirationMaxRetry, 3-15 expirationRetryDelay, 3-16 idempotentThreshold, 3-16
instanceKeyBlockSize, 3-16 instCacheHighWatermark, 3-16 instCacheLowWatermark, 3-17 instCachePolicy, 3-18 invokerQueueConnectionPoolMinSize, 3-18 largeDocumentThreshold, 3-18 minBPELWait, 3-19 optCacheOn, 3-19 optIdempotentRouting, 3-20 optSoapShortcut, 3-20 processCheckSecs, 3-20 relaxBpelAssignRules, 3-21 slowPerfThreshold, 3-21 statsLastN, 3-21 syncMaxWaitTime, 3-22 txDatasourceJndi, 3-22 validateXML, 3-22 workerQueueConnectionPoolMinSize, 3-22 domain transaction data source JNDI name setting, 3-22 domains improving performance and scalability, 3-14 domain.xml file for setting domain level performance properties, 3-10 dspAgentDelay property definition, 3-14 values, 3-14 dspInvokeAllocFactor property definition, 3-14 values, 3-14 dspMaxRequestDepth property definition, 3-14 values, 3-14 dspMaxThreads property allocates WorkerBean threads, 3-5 connection pooling size must be greater than or equal to the sum of, 3-24 definition, 3-14 sum of InvokerBean and WorkerBean threads related to dspMaxThreads property value, 3-24 values, 3-15 dspMinThreads property definition, 3-15 values, 3-15 durable processes activities that impact, 3-2 definition, 3-2
E
EJB configuration InvokerBean threads, 3-24 Oracle BPEL Server, 3-23 WorkerBean threads, 3-23 encryption definition, 1-4 Oracle Web Services Manager, eviction policy
1-27
Index-3
setting, 3-18 expiration calls setting the amount of time between failed attempts, 3-16 setting the maximum number of, 3-15 expirationMaxRetry property definition, 3-15 values, 3-15 expirationRetryDelay property definition, 3-16 values, 3-16
G
garbage collection monitoring with the visual garbage collection (VC) tool, 3-17, 3-19
H
HTTP basic authentication httpPassword, 1-23 httpUsername, 1-23 invoking secured services, 1-23 HTTP binding invoking secured services, 1-23 native BPEL security extensions, 1-15 httpPassword HTTP basic authentication, 1-23 httpUsername HTTP basic authentication, 1-23
I
idempotent activity definition, 3-3 idempotent property definition, 3-7 example of use, 3-7 values, 3-7 idempotent services setting a routing shortcut for, 3-20 setting the maximum completion time, idempotentThreshold property definition, 3-16 values, 3-16 inbound supported security methods, 1-1 inbound security definition, 1-1, 1-5 incoming messages saving, 3-13 tuning the WorkerBean threads, 3-13 incoming requests saving to database tables, 3-13 in-flight database storage activities that impact, 3-3 definition, 3-3 pick activity, 3-3 receive activity, 3-3 wait activity, 3-3 Index-4
3-16
in-flight instances removing from the cache, 3-18 setting the in-memory cache, 3-19 setting the maximum number to place in the cache before pruning, 3-16 setting the number to which the cache is pruned, 3-17 in-memory activities setting the maximum amount within the same request, 3-14 in-memory cache setting for in-flight instances, 3-19 inMemoryOptimization property definition, 3-8 example of use, 3-8 improving throughput, 3-8 values, 3-8 instance cache monitoring cache statistics in Oracle BPEL Console, 3-17 instance data impacting database table growth, 3-9 instance IDs controlling the instance ID range size, 3-16 instanceKeyBlockSize property definition, 3-16 values, 3-16 instCacheHighWatermark property definition, 3-16 values, 3-17 warning about changing, 3-16 instCacheLowWatermark property definition, 3-17 values, 3-18 warning about changing, 3-17 instCachePolicy property definition, 3-18 values, 3-18 invocations descriptions of, 3-3 one-way, 3-2, 3-4 request-response, 3-4 two-way, 3-2 invoke activities using the nonBlockingInvoke property, 3-9 invoke_message table definition, 3-10 for saving incoming requests, 3-13 invoke_message_bin table definition, 3-10 for saving incoming requests, 3-13 invoker queue connection pooling setting the minimum size of, 3-18 InvokerBean threads configuring, 3-24 invokerQueueConnectionPoolMinSize property definition, 3-18 values, 3-18
J
J2EE basic authentication for BPEL processes, 1-10 Oracle BPEL Process Manager for Developers, 1-11 Oracle BPEL Process Manager for OracleAS Middle Tier, 1-10 J2EE basic authentication protected services (HTTP) HTTP basic authentication, 1-23 HTTP binding, 1-23 invoking secured services, 1-22 Java and EJB binding invoking secured services, 1-23 Java API native BPEL security extensions, 1-15 Java Virtual Machine (JVM) performance tuning, 3-25 Java Virtual Machine (JVM) performance tuning heap size, 3-25 jazn-data.xml file, 1-11 JMS port number eliminating port conflicts, 2-8 job_queue_processes parameter tuning, 3-26 jssecacerts file, 1-18 JTA transactions reasons for transactions timing out, 3-23 timeout value, 3-23 two-way invocations, 3-3
logging level setting, 3-12
M
message-handlers.xml file, minBPELWait property definition, 3-19 values, 3-19 1-14
N
native BPEL security extensions domain and process lever security, 1-13 for BPEL processes, 1-12 HTTP binding, 1-15 Java API, 1-15 SOAP over HTTP binding, 1-15 nonBlockingInvoke property definition, 3-8 example of use, 3-9 setting if you have invoke activities in multiple flow or flowN branches, 3-9 values, 3-9
O
OC4J performance tuning data source configuration, 3-24 InvokerBean threads configuration, 3-24 JTA transaction timeout, 3-23 Oracle BPEL Server EJB configuration, 3-23 WorkerBean thread configuration, 3-23 onAlarm branch setting the minimum wait time, 3-19 one-way invocations definition, 3-2 stored in the delivery cache, 3-13 opmn.xml file configuring JVM parameters, 3-25 heap size tuning, 3-25 optCacheOn property definition, 3-19 values, 3-19 optIdempotentRouting property definition, 3-20 values, 3-20 optSoapShortcut property definition, 3-20 do not change, 3-20 values, 3-20 Oracle Application Server creating a clustering environment, 2-4 creating the middle tier cluster, 2-7 Oracle Application Server Web Cache starting, 2-6 Oracle BPEL Console domain level performance properties that cannot be edited, 3-11 for setting domain level performance properties, 3-10 Index-5
K
keystore, 1-20 keytool for certificate-based authentication of BPEL processes, 1-8 running, 1-8, 1-18
L
large XML documents impact on performance, 3-19 largeDocumentThreshold property definition, 3-18 values, 3-19 limitations on clustering, 2-2 listener threads configuring, 3-14, 3-15 lists setting the size of request lists, 3-21 load balancer clustering, 2-2 creating in a clustering environment, 2-5 Oracle Application Server Web Cache, 2-6 overview, 2-4 local SOAP requests setting a shortcut for, 3-20 log_buffer parameter tuning, 3-26
monitoring cache statistics, 3-17 monitoring instance cache statistics, 3-17 viewing statistics, 3-21 Oracle BPEL Process Manager clustering See clustering, 2-1 Oracle BPEL Process Manager for OracleAS Middle Tier certificate-based authentication for Oracle BPEL Server, 1-7 certificate-based authentication with Oracle Wallet Manager, 1-7 installing in a clustering environment, 2-5 Oracle BPEL Server configuring in a clustering environment, 2-6 EJB configuration, 3-23 enabling certificate-based authentication for Oracle BPEL Process Manager for OracleAS Middle Tier, 1-7 InvokerBean threads configuration, 3-24 WorkerBean threads configuration, 3-23 Oracle Database recommended for stress testing and production environments, 3-24 Oracle Database Lite recommended only for development environments, 2-4 Oracle Wallet Manager cannot use the default certificate with Oracle BPEL Process Manager for OracleAS Middle Tier, 1-7 enabling certificate-based authentication for Oracle BPEL Process Manager for OracleAS Middle Tier, 1-7 situations when not to use, 1-18 Oracle Web Services Manager authorization, 1-27 digital signatures, 1-27 encryption, 1-27 security features of, 1-26 orion-ejb-jar.xml file configuring MDB J2EE listener threads, 3-14 outbound supported security methods, 1-1 outbound security definition, 1-1, 1-16
branch, 3-19 process configuration property settings definition, 3-2 process level performance properties, 3-5 process level security, 1-13 processCheckSecs property definition, 3-20 values, 3-21 processes durable, 3-2 transient, 3-2 processes parameter tuning, 3-26 pruned instances, 3-17 retrieving, 3-16
R
receive activity impacting durable processes, 3-2 in-flight database storage, 3-3 redo logs tuning, 3-26 relaxBpelAssignRules property definition, 3-21 do not use this property, 3-21 values, 3-21 request lists setting the size of, 3-21
S
schema_md table definition, 3-10 secure socket layer (SSL) certificate-based authentication for BPEL processes, 1-6 Oracle BPEL Process Manager for Developers, 1-8 Oracle BPEL Process Manager for OracleAS Middle Tier, 1-6 certificate-based authentication for invoking secured services, 1-17 design time, 1-19 HTTP/S with partner link and Oracle BPEL Server client certificate authentication, 1-20 HTTP/S with partner link server certificate authentication, 1-19 runtime, 1-19 definition, 1-4 secured services Axis services with custom authentication handlers, 1-22 invoking, 1-16 J2EE basic authentication protected services (HTTP), 1-22 Java and EJB binding, 1-23 using SSL for certificate-based
P
performance properties completionPersistLevel, 3-5 completionPersistPolicy, 3-6 idempotent, 3-7 inMemoryOptimization, 3-8 nonBlockingInvoke, 3-8 performance tuning See tuning, 3-1 pick activity impacting durable processes, 3-2 in-flight database storage, 3-3 setting the minimum wait time with the onAlarm
Index-6
authentication, 1-17 WS-Security-compliant services, 1-20 secure-web-site.xml file, 1-9 security Axis services with custom authentication handlers, 1-22 custom validator, 1-24 default validator, 1-24 inbound methods supported, 1-1 invoking secured services, 1-16 J2EE basic authentication, 1-10 J2EE basic authentication protected services (HTTP), 1-22 Java and EJB binding, 1-23 native BPEL security extensions, 1-12 outbound methods supported, 1-1 overview, 1-1 securing BPEL processes, 1-5 SSL for certificate-based authentication, 1-6, 1-17 validators, 1-23 WS-Security-compliant services, 1-20 server.xml file setting the transaction timeout value, 3-23 session_cached_cursors parameter tuning, 3-26 shared_pool_size parameter tuning, 3-26 slow services collecting statistics on, 3-21 slowPerfThreshold property definition, 3-21 values, 3-21 SOAP binding WS-Security-compliant services, 1-21 SOAP over HTTP binding native BPEL security extensions, 1-15 SOAP requests setting a shortcut for local requests, 3-20 soapCallbackURL property setting for certificate-based authentication, 1-7 soapCallbackUrl property configuring in a clustering environment, 2-6 soapServerUrl property configuring in a clustering environment, 2-6 setting for certificate-based authentication, 1-7 statistics viewing from Oracle BPEL Console, 3-21 statsLastN property definition, 3-21 values, 3-22 syncMaxWaitTime property definition, 3-22 values, 3-22
T
tables audit_details, 3-11 audit_trail, 3-12 ci_id_range, 3-16
cube_instance, 3-5, 3-6 cube_scope, 3-5, 3-6 dlv_message, 3-13 dlv_message_bin, 3-13 document, 3-18, 3-19 growth impacted by completionPersistLevel property, 3-5 growth impacted by completionPersistPolicy property, 3-6 impacted by instance data growth, 3-9 invoke_message_bin, 3-13 work_item, 3-5, 3-6 tablespaces tuning, 3-26 task table definition, 3-10 testing a cluster, 2-10 threading model one-way invocation, 3-4 overview, 3-4 relationship with connecting pooling, 3-4 request-response invocation, 3-4 threads InvokerBean threads configuration, 3-24 setting the maximum number of dispatcher threads, 3-14 setting the minimum number of dispatcher threads, 3-15 setting the percentage of active threads to be tasked to process incoming threads, 3-14 sum of InvokerBean and WorkerBean threads related to dspMaxThreads property value, 3-24 WorkerBean configuration, 3-23 throughput improving with the inMemoryOptimization property, 3-8 transactions reasons for transactions timing out, 3-23 setting the timeout value, 3-23 transient processes definition, 3-2 troubleshooting clustering, 2-11 truststore, 1-20 tuning dehydration store database performance tuning, 3-26 Java Virtual Machine (JVM) performance tuning, 3-25 JVM heap size, 3-25 OC4J performance tuning, 3-22 two-way invocations definition, 3-2 JTA transactions, 3-3 txDatasourceJndi property definition, 3-22 values, 3-22
Index-7
U
undo_retention parameter tuning, 3-26
X
XML document persistence threshold setting, 3-18 XML documents impact of large documents on performance, validating, 3-22
V
validateXML property definition, 3-22 values, 3-22 validating incoming and outgoing documents, 3-22 validation setting, 3-22 validators creating a custom validator, 1-24 custom, 1-24 default, 1-24 overview, 1-23 visual garbage collection (GC) tool monitoring garbage collection, 3-17, 3-19
3-19
W
wait activity configuring in a clustering environment, 2-8 impacting durable processes, 3-2 in-flight database storage, 3-3 setting the minimum wait time, 3-19 wait time setting the maximum time to wait for a result before returning, 3-22 web.xml file, 1-12 work_item table definition, 3-10 growth impacted by completionPersistLevel property, 3-5 growth impacted by completionPersistPolicy property, 3-6 worker queue connection pool setting the minimum size, 3-22 WorkerBean threads, 3-4 configuring, 3-23 tuning for incoming messages, 3-13 workerQueueConnectionPoolMinSize property definition, 3-22 values, 3-22 WS-Security definition, 1-3 WS-Security-compliant services invoking secured services, 1-20 SOAP binding, 1-21 wsseHeaders, 1-21 wssePassword, 1-21 wsseUsername, 1-21 wsseHeaders WS-Security-compliant services, 1-21 wssePassword WS-Security-compliant services, 1-21 wsseUsername WS-Security-compliant services, 1-21
Index-8

Bpel Admin 10.1.3.1.0

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Bpel Admin 10.1.3.1.0

Uploaded by

Copyright:

Available Formats

Oracle BPEL Process Manager

Administrators Guide Release 10.1.2

April 10, 2006

Oracle BPEL Process Manager Security

Oracle BPEL Process Manager Clustering

Audience Documentation Accessibility Related Documents Conventions

Convention italic monospace

Oracle BPEL Process Manager Security 1-1

Securing BPEL Processes: Transport Security and Authentication Methods Firewall

WS-Security Compliant Services (SOAP Binding)

J2EE Basic Authentication (HTTP)

Outbound Oracle BPEL Server client request

Oracle BPEL Process Manager Administrators Guide

Encryption and Decryption

Secure Socket Layer

Digital Signatures for Integrity and Nonrepudiation

BPEL Security Extensions

Oracle BPEL Process Manager Administrators Guide

Securing BPEL Processes (Inbound)

Securing BPEL Processes (Inbound)

Using SSL for Certificate-Based Authentication

Securing BPEL Processes (Inbound)

Using SSL for Certificate-Based Authentication

Oracle BPEL Process Manager for OracleAS Middle Tier

Step 1: Configuring OC4J Step 2: Configuring Oracle BPEL Server

Oracle BPEL Process Manager Administrators Guide

Securing BPEL Processes (Inbound)

Go to Oracle BPEL Console:

Parameter soapServerUrl soapCallbackUrl

Restart Oracle BPEL Server.

Oracle BPEL Process Manager Security 1-7

Securing BPEL Processes (Inbound)

Oracle BPEL Process Manager for Developers

Step 1: Configuring OC4J Step 2: Configuring Oracle BPEL Server

Provide answers to each question when prompted.

Configure OC4J to use SSL:

Oracle BPEL Process Manager Administrators Guide

Securing BPEL Processes (Inbound)

Oracle_ Home\integration\orabpel\system\appserver\oc4j\j2ee\ home\config\server.xml to point to the secure-web-site.xml file.

Shut down and restart OC4J:

Oracle BPEL Process Manager Security 1-9

Securing BPEL Processes (Inbound)

Note: Instead of a selfsigned certificate for production

Using J2EE Basic Authentication

Authentication Schemas Basic authentication (user name and password)

Customization Permitted JAAS custom authorization plug-in

Granularity Individual process level security

OID JAZN XML JAAS custom plug-in

Oracle BPEL Process Manager for OracleAS Middle Tier

Oracle BPEL Process Manager Administrators Guide

Securing BPEL Processes (Inbound)

Oracle BPEL Process Manager for Developers

Oracle BPEL Process Manager Security 1-11

Securing BPEL Processes (Inbound)

Using the Native BPEL Security Extensions

OID JAZN XML Custom JAAS plug-in

Table 12 describes the supported features of this method.

Oracle BPEL Process Manager Administrators Guide

Securing BPEL Processes (Inbound)

Authentication Schemas Basic authentication (user name and password)

OID JAZN XML Database-based repository Custom

Normalized message properties