Wednesday, June 1, 2016

MFT-4223 Encryption algorithm or key length is restricted under the java policy

If you are handling encrypted files with MFT, encryption algorithms/strength of public keys (key sizes) are critical components which require attention from a security standpoint. Algorithms such as RSA, DSA etc  and  keys with lengths greater than 2048 bits are usually considered secure. 

MFT 12c provides command line tools to generate PGP key pair, however as per Oracle MFT documentation,

“Our PGP generation tool is basic and intended for development. For production, you should generate PGP key pairs externally using some other tools and import it in MFT. By Default the PGP Generator of MFT uses the Bouncy Castle API with hard coded parameters, i.e 1024 Bytes, Expiry Date as Unlimited. The MFT PGP Generator has very limited functionality.”

So if you are using PGP keys generated from an external tool with key sizes 2048/4096 bits there is a likelihood that your MFT transfer (decryption pre processing action) has failed with below exception

Cause
Encryption algorithm or key length is restricted.
Action
Make sure algorithms and key used is not restricted under java security policy.
Error Description
MFTException [threadName=JCA-work-instance:JMSAdapter-7, errorID=3e8d5a86-a2db-4a80-b548-00c0edb4a37c, errorDesc=MFT-4223_Encryption algorithm or key length is restricted under the java policy., cause=Illegal key size or default parameters

 In order to get rid of this exception, you will have to follow below steps:

Tuesday, May 17, 2016

A look at Oracle SOA Cloud Service

Oracle has been rapidly moving most of their products to the Cloud and offering them under 3 broad categories of SaaS, PaaS and IaaS. One of the PaaS offerings is the SOA Cloud service. This pretty much provides most of Oracle's on-premise middleware products like SOA Suite, OSB, MFT, B2B, Technology adapters and API Manager on the cloud. 

PS: Oracle ICS, the other integration offering on cloud is slightly different from SOA CS in terms of its positioning as an iPaaS offering from Oracle (similar to Dell Boomi, Mulesoft and other pure play iPaaS products). 

But with ICS and SOA CS, Oracle has definitely offered various hybrid cloud solutions to customers. Below diagram shows various ways in which integrations can happen between SaaS applications and On-Premise applications using either ICS/SOA CS or using both.


Some of the key advantages of using SOA CS are:
  • Drastic reduction in provisioning time for SOA environments. 
    • In a typical IT environment, in order to setup a simple clustered SOA environment we need days or maybe weeks . The process starts with procuring the hardware, necessary software (+patches), installing and configuring the software. 
    • SOA CS eliminates all of the above by providing self-provisioning tools which can be filled by developers/architects. We just need to have the right subscriptions in place for the Storage, DB, Compute and Platform services as pre-requisite. A simple clustered SOA environment can be up and running within few hours using SOA CS.
  • Infrastructure worries handled by Oracle
    • No longer OS admins/Sys admins/Network admins/DBAs are required to setup infrastructure before developers can get a working environment. 
    • All infrastructure worries handled by Oracle including patching, backup/recovery etc
  • Faster time to market
    • Since environments (single node/cluster) can be provisioned quickly, the focus of the IT team is on developing integrations rather than worrying about the underlying platform's maintenance.
  • Cost Savings
    • The most obvious advantage with all the above is significant cost savings for customers as subscription costs for pay-per-use PaaS offerings is far lesser than the cost of owning and maintaining your own infrastructure in-house.
  • Gateway to Cloud
    • Large enterprise which have made significant investments over the years on their on-premise architecture will take time to adopt cloud. SOA CS is a way for them to gradually move their middleware platform to the cloud and adopt a hybrid solution in the meantime i.e combination of cloud and on-premise.

    In the below section I would like to cover the steps to setup a 2 node SOA+OSB cluster using SOA CS. 

    Step1: Get the required subscriptions for the PaaS offerings. I requested for a 30 day trial of Java Cloud service (cloud.oracle.com) which when approved by Oracle comes with below services.

    Step2: Configure the Storage cloud service and create the necessary storage containers for backup purpose. (SOA CS requires underlying DB CS which in turn requires Storage CS for backup/recovery). You can use the Cloudberry tool for OpenStack storage for connecting to StorageCS and creating the containers. The other option is to use Curl to invoke REST APIs for doing same task.













    Step3: Use Puttygen.exe tool for creating a pair of SSH Public/Private key pair which will be used for the creation of DBCS and SOACS instances.

    Step4: Configure the DBCS to create an instance of database which will be used by SOA CS for creating the RCU schemas of SOAInfra etc.


















    I have shown backup destination as none below, but SOA CS requires that DB should have backup destination set to "Both Cloud Storage and Local Storage". So set up your DB accordingly by specifying the storage container details. I created a 2nd one named subsdb1 which I have used for SOA CS configuration.








    As you can see there is an hour glass icon next to the DB instance name, basically it takes around 30-40 minutes for the DB to be configured and be ready for use. You can keep track of status by clicking on instance name and looking at the provisioning messages in next page. Once active the hour glass icon will be removed.





    Step5: Finally we can configure the SOA CS instance using above details of Storage CS and DB CS.





    Once the SOA CS instance is created it takes about 1.5 to 2 hours for the instance to be ready for use. Again you can track the status in between along with % completion.
















    After the SOA CS is active, you should see the service consoles getting ready for use. Deployment of code into the SOA CS and other console usage is similar to what we do on premise. No changes there.










    And that's it. Entire environment provisioning was done on Cloud console with minimal backend work and you have a running SOA+OSB cluster ready in just few hours.