Outsourcing your Oracle E-Business Suite environment - Part IV

In the previous articles in this series about outsourcing E-Business Suite environments I discussed the question why, the more technical aspects and the supporting services. This article will cover the topics availability, disaster recovery and security.

Availability

Load Balancing - Load Balancing techniques are used for two reasons: To increase availability and to increase capacity.

Application Server
On the application server level of E-Business Suite, one can choose to implement two kinds of load balancing: Forms based (11i) and HTTP based (11i and r12). In order to run forms based load balancing, one server needs to be designated as Forms Metrics Server, the remaining servers will be Forms Metrics Clients. On each of the servers the Forms Server needs to be running. All clients will be connected to the Forms Metrics Server, which diverts the connection to either of the forms servers in the application tier. This is a basic form of load balancing, because it is based on a round-robin principle. The alternative is HTTP Load Balancing, which requires Forms Servlet Mode to be in use. In this configuration, the forms server is running through a servlet, which runs under the http server. Therefore, there is no need to use other ports than the port the http server is using. A side effect is increased security. Another requirement is to use a separate load balancer. This load balancer will be configured with a central IP address (resolvable by a DNS name). The connections will be spread over the available application servers. This can be done on a round-robin principle, but can also be based on actual system load, like with Cisco ACE technology. One thing to keep in mind, which is of great importance when implementing load balancing is to ensure that Session Stickiness/Persistence (IP or cookie based) is implemented.
It is also possible to implement DNS based load balancing. In this configuration, the DNS server has got multiple IP addresses for the same hostname and will randomly reply a possible IP address to any DNS request for an application server. This requires some additional configuration on the Application Tier, like JServ load balancing and defining OProcMgr nodes (web nodes) in your environment (using the context editor).
Refer to metalink note 217368.1 for implementing load balancing for E-Business Suite

Database Server
Increasing availability on the database server can be established using Real Applications Cluster technology. Implementing Real Applications Cluster will require Oracle Clusterware, and takes some of the system resources for cluster node intercommunication. However, the increase in availability will more than compensate for this. I do need to say that no matter how much I appreciate RAC, it adds to the complexity of your infrastructure and you will definitely need resources in your team or at your hosting provider (depending on who is going to manage/maintain the E-Business Suite) capable of managing and maintaining Real Applications Cluster environments. Otherwise you may end up with a system with lower uptime compared to a single instance database environment.

Disaster Recovery
Dataguard – This topic adds up to the previous one, availability. If your hosting provider can provide multiple data centers, it might be worthwhile investigating the possibilities of implementing DataGuard. With E-Business Suite you can establish a physical standby database on a remote location that can be switched over to when the primary database fails for whatever reasons. For more information on implementing DataGuard ee Metalink Notes 216212.1 and 403347.1 for Release 11i and Metalink Note 452056.1 for Release 12.

Data Replication – If Dataguard is not feasible, you should at least be given the possibilities for data replication. Make sure your hosting partner is able to replicate your business-critical data to a remote data center, so you, or your hosting partner can rebuild the entire environment on another location in case of a site failure.

For any DR solution, you should be able to quantify the maximum downtime you find acceptable. In order to be able to do this, it may be required to estimate the cost of downtime per time-unit. Take into consideration that your company should have the resources to sustain the damage of this downtime. Make sure your hosting partner can live up to the required level of service. After all, it is your business-critical data.

Security
Talking about business-critical data, you don’t want anyone that is not supposed to be there strolling around in your environment. Therefore it is of greatest importance that your hosting partner can guarantee the highest level of security. The International Standards Organization (ISO) has a certification for this: ISO-27001:2005. Ask for this certification at your partner of choice. This ensures that your partner has been audited on a number of controls dealing with information security.
Various security issues need to be covered when you want to outsource your environment. This can be issues that you as a customer may require, but it can also be issues that are required by your hosting partner. It is essential to work these out before starting your contract, or you may be surprised your partner doesn’t provide a solution you want to be implemented because of their tight security, or you will become personably responsible for security measures your partner can or will not provide.

Hardening – your systems need to be secure enough by themselves. This means that e.g. you don’t want to allow direct root access from a remote location, sudo lists to limit the amount of users that may become root, sudo command lists, to limit the commands that can be run with root privileges, limiting the services to those that are necessary to run the environment.

External Access – Remote OS access should be regulated by an external authentication system like an Active Directory system. If this is not possible, you should require vLANs that separate your environment(s) from others. It can also be arranged with Access Control Lists, but they should be combined with an AD solution.Intrusion Detection – No matter how secure your environment is hosted, it will always be possible for someone to try and attack your environment. For this, it is important to have an Intrusion Detection system in place. This system alarms when it detects uncommon activities on the environment, indicating someone or some program is trying to attack the system.

E-Business Suite Security - Ask your outsourcing partner what they would do to secure your E-Business Suite. It is of great importance. You might have a secure Operating System, but your application that runs on it must be secure as well, because it might be located at a remote site, in a hosting center, along with various other applications from who knows where. Security may very well be the top priority on your list. Refer to Metalink Note 189367.1 - Best practices for securing Oracle E-Business Suite for directions.

I hope to publish a questionnaire to ask a potential outsourcing partner as a conclusion to this series.