Oracle® Collaboration Suite On Demand Reference Guide
Release 2.0 Part No. B12301-01
Oracle Collaboration Suite On Demand Infrastructure consists of the following three key components:
Certified Configurations (CC) combine best practices for the integration, configuration, and validation of the hardware, operating system, and Oracle application software stack.
The Oracle On Demand Automation Platform (OAP) is a technology framework designed to enable a set of services that initialize, administer, and manage Oracle software. This infrastructure is housed in a data center that provides the required telecommunications, electrical, mechanical, and room facilities.
Certified Configurations for On Demand comprise three components. These are:
The Oracle Collaboration Suite is a consolidated suite of applications designed to help employees of a corporation or work group communicate and collaborate. The Oracle Collaboration Suite Certified Configuration is designed for quick deployment and provides a "ready-to-implement" environment for On Demand. Highlights of this section are:
The Oracle Collaboration Suite Certified Configuration is installed with the latest Oracle Collaboration Suite software and is pre-configured to comply with On Demand rules and policies. Oracle provides a production and a non-production environment for Oracle Collaboration Suite On Demand Customers. The Production environment is designed to run the Customer's production Oracle Collaboration Suite system. The Test environment is used for problem diagnostics and resolution and for patch verification. Additional non-production environments may be purchased.
See Also: Computer and Administration Services for E-Business Suite and Collaboration Suite Programs Policies at http://www.oracle.com/policies/compandadminpolicy.html for more information on purchasing additional non-production environments.
The Oracle Collaboration Suite Certified Configuration consists of the following components:
Oracle Collaboration Suite Certified Configuration Utility Pack Release 2.3.1
Oracle9iAS Infrastructure 9.0.2.3
Oracle9iAS Metadata Repository with Oracle9i Release 1 (9.0.1.4) database
Oracle Internet Directory (OID) with patch 9.0.2.3
Oracle9iAS Single Sign-On (SSO) with patch 9.0.2.3
Oracle9iAS Containers for J2EE with patch 9.0.2.3
Web Cache with patch 9.0.2.3
Oracle® Server - Enterprise Edition 9.2.0.3
Oracle® Collaboration Suite 9.0.4.1.0
Oracle® Email
Oracle® Files
Oracle® Real-Time Collaboration
Oracle® Calendar
Oracle® Wireless
Oracle® Ultra Search
Oracle® Workflow 2.6.2
As of the writing of this document, the @Oracle Collaboration Suite Certified Configuration was built on an Intel-based architecture with two 2.6 GHz processors and 6 GB of memory. This machine is referred to as the Standard Architecture. @Customer hardware configurations are available on Intel platforms; Sun, HP, and IBM platforms are available upon request.
@Oracle Collaboration Suite On Demand has standardized on the enterprise Linux distribution from Red Hat, Inc., Red Hat Advanced Server Release 2.1. The Certified Configuration contains all the patches necessary for running the Oracle Collaboration Suite application software stack. @Customer operating system configurations are available on Intel Red Hat Advanced Server Linux and, upon request, on Sun Solaris, HP-UX, and IBM AIX. These Oracle Collaboration Suite platforms are validated against a set of On Demand operating system requirements.
This section provides an overview of how Oracle Collaboration Suite is deployed in both @Oracle and @Customer configurations if all available modules are enabled and implemented. The following topics are covered in this section:
The hardware and software components necessary for delivering the service.
The differences in architecture between @Oracle and @Customer deployments.
The following sections describe the various servers required to provide Oracle Collaboration Suite services. A chart at the end of this section indicates the location of each server and who is responsible for acquiring and installing the server. For @Customer, the server requirements are described in each section.
Note: Product versions shown here were accurate at the time of publication but are subject to change.
Each customer utilizes a dedicated database server that provides the information required to offer Oracle Collaboration Suite services. The Email, Voicemail, and Fax message store, the Conferencing store, the Files store, the Directory store, and the Calendar store are each separate databases with their own Oracle homes. This allows Oracle On Demand to service databases individually and facilitates the Customer's addition of databases and servers. Customers can also grow from small to large without requiring any software reconfiguration. For even more extensive growth, the message store, files store, and directory store databases can each be expanded to multiple servers using Oracle Real Application Clusters.
The database server contains the following minimum preconfigured elements:
Linux/Intel machine with 2 CPUs, 6 GB RAM
2 Intel Pro 1000MT NICs
Red Hat Linux Advanced Server 2.1 e.35
Oracle Collaboration Suite 9.0.4.1 Certified Configuration
Each customer utilizes a dedicated protocol server as the direct interface to most Oracle Collaboration Suite services. Each protocol server is configured identically, providing most of the e-mail interfaces and all of the web, directory, files, calendar, and conferencing interfaces. If the requested information is not already cached on the protocol server, the server turns service requests into SQL commands against the databases that supply or update the actual data for the service.
The Protocol server contains the following minimum preconfigured elements:
Linux/Intel machine with 2 CPUs, 6 GB RAM
2 Intel Pro 1000MT NICs
Red Hat Linux Advanced Server 2.1 e.35
Oracle Collaboration Suite 9.0.4.1 Certified Configuration
The shared SMTP Relay server acts as the SMTP gateway between the open Internet and all Oracle Collaboration Suite On Demand customer environments. Each incoming and outgoing message is scanned for virus or spam content at this point. This is required for all environments although multiple environments may share a single or set of SMTP Relay Servers.
The shared SMTP Relay server contains the following preconfigured elements:
Linux/Intel machine with 2 CPUs, 6 GB RAM
Red Hat Linux Advanced Server 2.1 e.35
Sendmail, Inc. Sendmail Switch 3.1.4
Sendmail, Inc. Mailstream Attachment Filter Plugin for Sendmail Switch 2.6.0
TrendMicro InterScan Messaging Security Suite 5.5
Brightmail Anti-Spam Enterprise Edition 5.5.2
Note: For @Customer deployments, the customer is solely responsible for acquiring and maintaining appropriate licenses and support agreements for, and for the continued operation of, third party products used with the SMTP Relay server.
Customers that wish to use the voicemail/fax functionality must purchase and physically locate a Voicemail/Fax Computer Telephony (CT) server at the Customer's premises close to each PBX phone switch. The PBX switch routes incoming phone and fax calls to the Voicemail/Fax CT server, which looks up the user, retrieves the appropriate greeting, and then stores or retrieves the incoming message or fax. In most cases, the PBX switch also enables or disables end user telephone "message waiting" lights. If a customer has PBX switches in multiple locations, the Voicemail/Fax CT servers must be installed at each PBX switch location. Multiple Voicemail/Fax CT servers can be used for each PBX switch, depending on workload requirements and requirements for fault tolerance. Ongoing maintenance of the Voicemail/Fax CT server is the customer's responsibility.
The Customer-provided Voicemail/Fax CT Server contains the following preconfigured elements:
Intel machine with 2 CPUs, 6 GB RAM
2 Intel Dialogic D41/D82/T1 (dependent on Switch Type)
2 36 GB hard drives (RAID 1)
Intel Dialogic System Release 5.1.1 SP1 for Windows for Intel
1 Intel VFXJCT Fax Card
Microsoft Windows 2000 SP4
Microsoft Windows 2000 Resource Kit
Intel NetMerge CCS 3.0 SP1
Intel NetMerge Patches PTR29924, PTR30122, BZ955877, ANLOGSPP.exe
Intel NetMerge NISList Utility
Java Runtime Environment 1.3.1_03
Oracle Voicemail & Fax 9.0.4
Oracle9iAS Edition 9.0.2.0.0
See Also: Appendix A, "Voicemail Switch Support Matrix" for more information on supported Voicemail switches.
Note: The acquisition, installation, and configuration of the Voicemail/Fax CT servers for both @Oracle and @Customer deployment models are the sole responsibility of the Customer. This infrastructure supports inbound fax capability only.
A dedicated Web Conferencing Conversion Server is required by those Customers wishing to use the document conversion and voice streaming capabilities within Oracle Collaboration Suite's Web conferencing feature. At the protocol server's request, it also converts Microsoft documents to an efficient Web-streamable format.
The Web Conferencing Conversion server contains the following preconfigured elements:
Intel machine with 2 CPUs, 6 GB RAM
Intel Dialogic D24OJCT-T1 Telephony Card
Microsoft Windows 2000 SP4
Oracle Collaboration Suite 9.0.4.1
The Voice Access server is shared by multiple On Demand Customers and connects to a phone switch that provides voice access to text within Oracle Collaboration Suite, converting voice requests to HTML, and then reading the requested HTML page back to the user. This service can be shared by multiple environments and scaled independently.
The shared Voice Access Server contains the following preconfigured elements:
Linux/Intel machine with 2 CPUs, 6 GB RAM
24-port Intel Dialogic Telephony Card
Red Hat Linux Advanced Server 2.1 e.35
VoiceGenie VoiceXML Gateway Server
SpeechWorks OpenSpeech Recognizer
SpeechWorks OpenSpeech DialogModules
SpeechWorks Speechify TTS
Intel Dialogic Voice Portal Reference System
The following table summarizes where each server is deployed and who is responsible for acquiring and installing the hardware and any relevant third-party software.
| Server Type | @Oracle | @Customer |
|---|---|---|
| Database Server | Oracle (Footnote 1) | Customer |
| Protocol Server | Oracle (Footnote 2) | Customer |
| SMTP Relay Server | Oracle (Footnote 3) | Customer |
| Voicemail/Fax Computer Telephony Server | Customer | Customer |
| Web Conferencing Voice/Document Conversion Server | Oracle (Footnote 4) | Customer |
| Voice Access Server | Oracle (Footnote 5) | Customer |
The following text and associated figures describe the high-level architecture for implementing Oracle Collaboration Suite @Oracle: the full On Demand infrastructure, network configuration, servers, and storage configuration required to enable all available suite functionality.
Note: The acquisition, installation, and configuration of the Voicemail/Fax CT servers for both @Oracle and @Customer deployment models are the sole responsibility of the Customer.
Figure 6-1 details the following:
Within the Customer Wide Area Network (WAN), users have access to all available Oracle Collaboration Suite protocols through a hardware VPN (Virtual Private Network). From the open Internet, users have access only to HTTPS (encrypted with SSL).
Wireless access, a feature of the Oracle Collaboration Suite, can be enabled on request of the Customer for access through the Customer's wireless carrier. The carrier's WAP servers convert wireless (WAP) requests to Internet protocol requests so that users can access information from a suitably enabled device (for example, a cellphone).
Figure 6-2 details the following:
The network configuration in the Oracle On Demand data center provides access only to the components and protocols that are necessary for the service. While all of these services are present in the Internet-accessible zone (DMZ), the firewall exposes only SMTP (or SMTPS) and HTTPS to the open Internet. The servers in the DMZ are stateless, redundant, and load-balanced, providing access to the Oracle Collaboration Suite services. These servers, in turn, store and retrieve data in the database servers, which sit in the more secure private database network.
Servers in the private database network are made redundant by using identically configured standby servers, and in some cases using Oracle Real Application Clusters. All storage is provided by configurable and available network-attached storage.
Network interfaces, wiring, switches, routers, and firewalls are physically redundant to enhance availability.
Note: Even for a company with a small number of users, Oracle recommends deploying services in this two-tier model, providing a single, easily expandable configuration. While the middle-tier protocol server and back-end database server are each dedicated to a single Customer, most of the other services (storage, network, SMTP relay, Voice Access) can be provided by a scalable infrastructure common to all Collaboration Suite On Demand Customers.
The Oracle Collaboration Suite On Demand @Customer architecture consists of systems and infrastructure deployed at the Customer site.
Figure 6-3 describes the high-level architecture for implementing Oracle Collaboration Suite @Customer: the On Demand infrastructure, network configuration, servers, and storage configuration required for the full range of functionality. The only components deployed at the Oracle On Demand data center in this configuration are a VPN device and the monitoring and management servers.
The design concepts are identical to the @Oracle model.
For an @Customer deployment, the Customer must acquire the following core components as the foundation for the installation:
Sendmail Inc. Switch software
TrendMicro InterScan Virus Wall 3.7 software
SMTP Relay server
Protocol server
Voicemail/Fax CT server (optional)
Voice access server (optional)
Web Conference Conversion server (optional)
Database server
Disk storage
Network equipment
Backup equipment
Brightmail Anti-Spam software
Note: The costs associated with acquiring, installing, and maintaining this equipment are solely the Customer's responsibility.
The On Demand Automation Platform (OAP) is a technology framework that is built around a Certified Configuration. The key components of the OAP are:
This section provides information on backup and recovery for the @Oracle and @Customer models.
For @Oracle Customers, Oracle performs full online backups of the database, code tree, and archive logs. With the exception of Oracle Express Server, Oracle does not require that the system be unavailable in order to perform the backup. Oracle does not encrypt the backups on tape.
Table 6-1 details the Oracle standard online backup policy frequency and retention period and Table 6-2 specifies the online backup windows for specific regions.
Table 6-1 Online Backup Policy
| System Component | Production Systems Online Backup (Footnote 1) | Non-Production Systems Online Backup (Footnote 2) |
|---|---|---|
| Database and Code Tree (Code Tree includes CEMLIs and third-party software for Oracle Technology On Demand) | Disk backup: daily, retained for one day. Tape backup: twice per week, retained at an offsite facility for five weeks. | Disk backup: daily, retained for one day. Tape backup: once per week, retained at an offsite facility for five weeks. |
| Archive logs | Tape backup: daily, retained at an offsite facility for five weeks. | Tape backup: daily, retained at an offsite facility for five weeks. |
| Operating System | Disk backup: daily, retained for one day. | Disk backup: daily, retained for one day. |
Table 6-2 Online Backup Windows
| Region | Backup Windows |
|---|---|
| Europe | All backups will run from 9:00 p.m. to 6:00 a.m. Mainland Europe Time. |
| All other regions | 9:00 p.m. to 6:00 a.m. Pacific Time. |
For backups that are not specific to the Oracle On Demand LifeCycle, Table 6-3 details the Oracle backup policy frequency and retention periods for special backups.
Table 6-3 Additional Backup Policy
| Special Backups | Description | Notice and Fees |
|---|---|---|
| Baseline Backups | Upon Customer request, Oracle will provide one copy of a Customer's complete environment (Database, Code Tree, Archive Logs, Operating System), which Oracle retains on tape for a period of three months at an offsite facility. | Requires 48-hour notice. Oracle deducts storage for the baseline backup from the Customer's total storage allocation. |
| Additional Backups | Upon Customer's request, additional backups of the Database, Code Tree, and Archive Logs can be performed. Such backups will be retained for up to three months at an offsite facility. Upon Customer's request, additional backups may be sent directly to the Customer. Additional backups sent directly to the Customer are the sole responsibility of the Customer and are not retained by Oracle. | Requires 48-hour notice. Before Oracle starts each backup, the Customer must agree in writing to pay Oracle the fees identified in the Oracle Computer and Administration Services for E-Business Suite and Collaboration Suite Programs Policies. |
| Data Export | Upon Customer's request, Oracle will ship to the Customer a tape copy of the Customer's production data (data export). The data export will not include Oracle RDBMS code, Oracle Application code, environmental configuration files, or environmental setting information. | Upon Customer's request, Oracle will provide one data export of the production data annually at no charge. If the Customer would like an additional data export from any other environment, the Customer shall first agree in writing to pay Oracle the fees indicated in the Oracle Computer and Administration Services for E-Business Suite and Collaboration Suite Programs Policies. |
@Oracle Customers may not purge any production data from their environment.
Oracle will work with the Customer to facilitate data recovery from backup media in the event of a system failure or urgent data restoration request. Data restoration times will vary depending on the severity of the problem and the backup tape location. It is the Customer's responsibility to provide the tape media from which Oracle will restore the database.
Oracle will work with Customer to facilitate data recovery from disk or backup media in the event of a system failure or urgent data restoration request. The ability to recover to a point in time is limited by the retention times in Table 6-1. Data restoration times will vary depending on the severity of the problem and the location of the backup tape.
Oracle will provide a nightly, online backup of the Oracle database files to a standard location on a disk. These Oracle Database backups include the Oracle data files,control files, redo logs, and any necessary archive logs. These files are necessary for recovery of the Oracle database. Oracle backups do not include Oracle code tree,operating system, and any other code or files. Backups of these files are a Customer responsibility.
Customer is solely responsible for copying the Oracle database backups, Oracle code tree, operating system, customer-specific application files, and any other relevant files daily to a backup tape. Customer is solely responsible for all aspects of backup media management, offsite storage, archival, and retrieval.
Oracle On Demand may provide an Architecture Review Service prior to completing the On Demand agreement between Oracle and the Customer. The review determines capacity and performance requirements based on the Customer's implementation of the Oracle Collaboration Suite. Oracle On Demand uses a 2:1 ratio of Named users to Active users. Based on this calculation, the standard architecture can support 5,000 Named users. Large enterprise Customers that have a user load beyond 5,000 Named users, or that have complex collaboration requirements needing additional capacity, will receive additional standard architecture in a multi-tier environment to support the Customer's workload.
With Certified Configurations, support time is reduced through proactive application of product updates. Oracle On Demand will perform a Production Assessment during transition to validate that the changes made meet all Oracle On Demand Policies. Oracle On Demand manages these documents once the environment is approved for production.
Internet connectivity and network connections are provided by Oracle for two connectivity options:
For @Oracle, Oracle provides data center hosting facilities and manages the server(s) housing the Customer's database and applications. Oracle defines the hosting services network.
For @Customer, where the server(s) housing the database and applications reside at the Customer's data center, or a third party hosting site, a VPN link between Oracle and the Customer's servers is created to facilitate delivery of On Demand services.
A shared link is a connection between the Customer and Oracle that utilizes the Customer's existing ISP connection. The connection is used for Oracle traffic and the Customer's normal Internet activity.
A dedicated link is a connection between the Customer and Oracle that utilizes a dedicated ISP connection. The connection is used only for Oracle traffic. The Customer's other Internet activity uses a separate connection. A dedicated link can use an Authorized Network Provider (ANP) or another dedicated ISP circuit.
The Oracle Authorized Network Provider Program focuses on providing Customers with a list of authorized vendors who provide a T1 or E1 Internet circuit.
Each Customer must contract directly with an ANP for installation and initialization of the circuit. Currently, ANP circuits are available in the US and Europe. After the circuit is installed, Oracle provides support for the circuit by routing all services requests to an Oracle Network Engineer for initial troubleshooting. If the problem is determined to be with the ANP circuit, the Oracle Network Engineer engages the ANP to facilitate resolution.
While Oracle does not guarantee the products or services of any ANP, Oracle endeavors to select ANPs who can commit to the delivery of network services at a defined service level. Information about each ANP and its service level should be provided by the ANP during network initialization. Typically, ANPs offer circuits with the following features:
ANP provided Cisco routers
Clear channel T-1 or E-1 circuit and local loop, including provisioning and installation
24x7x365 management and monitoring
A reliable and deterministic Service Level Agreement (SLA)
Guaranteed latency
Less than 0.01% packet loss
ANP Network availability 99.9%
Provisioning of the routable address space necessary for service implementation
Oracle requires each ANP to offer the same minimum SLA. Information on each ANP's SLA guarantee is provided by the ANP during network initialization.
The ANP program enables Customers to work directly with the ANP provider to order a circuit. After the circuit is installed, Oracle provides full support for the circuit using the standard support procedures. All ANP Service Requests are routed to an Oracle Network Engineer for initial troubleshooting. If the problem is determined to be with the ANP circuit, the Oracle Network Engineer engages with the ANP until the problem is resolved.
For more information, including a current list of ANPs, consult your Oracle sales representative.
In the @Oracle model, Oracle provides data center hosting facilities and manages the server(s) housing the Customer's Oracle database and applications. A network link between Oracle's data center and the Customer site supports the transmission of application transaction traffic from the end user to the hosted servers. The basic offering contains one link (VPN) from a Customer location to the Oracle Data Center. Additional VPNs can be purchased.
See Also: Computer and Administration Services for E-Business Suite and Collaboration Suite Programs Policies for more information regarding additional VPNs.
The network link supports transaction traffic between end users and servers hosted at Oracle. An end user's experience will be affected by three network metrics: bandwidth, latency, and packet loss. Oracle's experience has shown that the following performance metrics can be used as a starting point for the Customer's network designs.
Throughput equivalent to 2-12 kbps per user (see below for more details)
Roundtrip latency less than 300 ms between Oracle and the Customer premise
Packet loss less than 0.1%
Oracle's ANPs can provide circuits with guaranteed latency to Oracle's Austin Data Center of less than 100 ms in the US and less than 250 ms from Europe.
Bandwidth requirements for the Oracle Collaboration Suite On Demand service will vary depending on which applications are used. Oracle's experience shows that the following metrics are a good starting point for network design. Actual network usage will vary depending on the Customers business and workflows.
Oracle Email - 1-2 kbps per user
Oracle Files Online - 10-12 kbps per user
Oracle voicemail/fax - 10-12 kbps per user
Oracle Web Conferencing - 18 kbps per host, 6 kbps per user
The standard network connection is an Internet connection, which can be provided by an Oracle Authorized Network Provider (ANP) or an Internet Services Provider (ISP). Regardless of which connection option is chosen, Oracle requires the use of IPSec compliant VPN hardware to secure the data transmission over the network link.
The standard configurations for the VPN hardware are shown below. Although other configurations are technically feasible, Oracle has chosen these configurations to enhance security, performance and manageability.
Note: A globally unique publicly routable IP address is required for the VPN remote interface in all cases.
Figure 6-4 illustrates an ANP link between Oracle and the Customer's premises. The ANP link uses a dedicated Internet connection for the VPN tunnel. The remote interface of the Oracle-provided VPN device is connected to the ANP-provided router, and the local interface is connected to the Customer's external or DMZ firewall interface. The Customer configures their network to route application traffic for Oracle to the Oracle-provided VPN device, which in turn sends the traffic through the VPN tunnel to Oracle. The Customer's normal Internet traffic uses the Customer's existing Internet circuit.
Figure 6-5 illustrates a shared link connection using both interfaces on the Oracle-provided VPN device. The remote interface is connected to the subnet between the Customer's border router and the external interface of the firewall. The local interface is connected to the Customer's DMZ subnet. The Customer configures their network to route application traffic for Oracle to the local interface of the Oracle-provided VPN device, which in turn sends the traffic through the VPN tunnel to Oracle. The Customer's normal Internet traffic bypasses the VPN device and is routed over the same Internet circuit.
Figure 6-6 illustrates a shared link connection using only the remote interface on the Oracle-provided VPN device. The remote interface is connected to the subnet between the Customer's border router and the external interface of the firewall. The local interface is not used. The Customer configures their network to route application traffic for Oracle to the remote interface of the Oracle-provided VPN device, which in turn sends the traffic through the VPN tunnel to Oracle. The Customer's normal Internet traffic bypasses the VPN device and is routed over the same Internet circuit.
To eliminate the risks associated with IP addressing conflicts, Oracle requires the use of globally unique public IP addresses registered through one of the following regional Internet registry organizations:
Asia Pacific Network Information Center (APNIC)
Réseaux IP Européens (RIPE)
American Registry for Internet Numbers (ARIN)
Oracle will not support the use of private (RFC 1918) IP addresses in the following ranges:
10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
192.168.0.0 - 192.168.255.255 (192.168.0.0/16)
For cases where a private IP addressing strategy has been implemented, the Customer is required to map private IP addresses to registered globally unique IP addresses.
For devices that the hosted servers will initiate a connection with (for example, printers, SMTP servers, and so on), NAT must be configured on a one-to-one basis using static Network Address Translation.
For devices that will initiate connections to the hosted servers (user PCs), static or dynamic NAT is acceptable.
In the @Customer model, the server(s) housing the Customer's Oracle database and applications reside in the Customer's data center or a third party hosting site. A management link between the Customer's server and Oracle provides the connection for Oracle On Demand services. Oracle uses the management link to deliver remote monitoring and diagnostic services of Oracle systems by way of the Oracle Continuous Connection Network (OCCN).
The Oracle Continuous Connection Network (OCCN) is the foundation for the delivery of Oracle online support services. The OCCN comprises access, tools, and connectivity solutions in a management framework that enables Oracle online support, consulting, and development organizations to provide remote support services and diagnostic capabilities to Customers for their Oracle databases and applications.
The standard network connection is an Internet connection, which an Oracle Authorized Network Provider (ANP) or an Internet Services Provider (ISP) can provide. Regardless of which connection option is chosen, Oracle requires the use of IPSec compliant VPN hardware to secure the data transmission over the network link.
The following figures illustrate the standard configurations for the VPN hardware. Although other configurations are technically feasible, Oracle chose these configurations to enhance security, performance, and manageability.
Note: A globally unique publicly routable IP address is required for the VPN remote interface in all cases.
Figure 6-7 illustrates an ANP link between Oracle and the Customer's premises. The ANP link uses a dedicated Internet connection for the VPN tunnel. The remote interface of the Oracle-provided VPN device is connected to the ANP-provided router, and the local interface is connected to the Customer's external or DMZ firewall interface. The Customer configures their network to route Oracle management traffic to the Oracle-provided VPN device, which in turn sends the traffic through the VPN tunnel to Oracle. The Customer's normal Internet traffic uses the Customer's existing Internet circuit.
Figure 6-8 illustrates a shared link connection using both interfaces on the Oracle-provided VPN device. The remote interface is connected to the subnet between the Customer's border router and the external interface of the firewall. The local interface is connected to the Customer's DMZ subnet. The Customer configures their network to route Oracle management traffic to the local interface of the Oracle-provided VPN device, which in turn sends the traffic through the VPN tunnel to Oracle. The Customer's normal Internet traffic bypasses the VPN device and is routed over the same Internet circuit.
Figure 6-9 illustrates a shared link connection using only the remote interface on the Oracle-provided VPN device. The remote interface is connected to the subnet between the Customer's border router and the external interface of the firewall. The local interface is not used. The Customer configures their network to route Oracle management traffic to the remote interface of the Oracle-provided VPN device, which in turn sends the traffic through the VPN tunnel to Oracle. The Customer's normal Internet traffic bypasses the VPN device and is routed over the same Internet circuit.
To eliminate the risks associated with IP addressing conflicts, Oracle requires the use of globally unique public IP addresses registered through one of the following regional Internet registry organizations:
Asia Pacific Network Information Center (APNIC)
Réseaux IP Européens (RIPE)
American Registry for Internet Numbers (ARIN)
Oracle will not support the use of private (RFC 1918) IP addresses in the following ranges:
10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
192.168.0.0 - 192.168.255.255 (192.168.0.0/16)
For cases where a private IP addressing strategy has been implemented, the Customer is required to map private IP addresses to registered globally unique IP addresses on a one-to-one basis using static Network Address Translation (NAT). NAT must be configured to operate bi-directionally, since outbound session setup (for example, FTP and certain OEM processes) will be initiated from the managed servers.
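As an added example (not part of the Oracle guide), the following Python checks a proposed private-to-public static NAT table against the two requirements above: no outside address may fall in the three rejected private ranges, and the mapping must be one-to-one, because a many-to-one (overloaded) translation cannot carry inbound sessions from Oracle and outbound sessions from the managed servers unambiguously. The sample table and the 203.0.113.x addresses are constructed for illustration, standing in for the Customer's registered public space.

```python
import ipaddress
from typing import Dict, List

# The three private ranges the guide says Oracle will not support on the
# management link, expressed as CIDR blocks.
UNSUPPORTED_PRIVATE = (
    ipaddress.ip_network("10.0.0.0/8"),      # Class A: 10.0.0.0 - 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),   # Class B: 172.16.0.0 - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),  # Class C: 192.168.0.0 - 192.168.255.255
)


def is_unsupported_private(addr: str) -> bool:
    """True if addr lies in one of the three private ranges the guide rejects."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in UNSUPPORTED_PRIVATE)


def validate_static_nat(mapping: Dict[str, str]) -> List[str]:
    """Check an {inside_private: outside_public} static NAT table.

    Returns a list of violations; an empty list means every outside address is
    clear of the rejected private ranges and no public address fronts more than
    one managed server, so sessions in both directions translate cleanly.
    """
    problems: List[str] = []
    outside_seen: Dict[str, str] = {}
    for inside, outside in mapping.items():
        if is_unsupported_private(outside):
            problems.append(f"{inside} -> {outside}: outside address is in an unsupported private range")
        if outside in outside_seen:
            # Many-to-one (overload) NAT: inbound traffic from Oracle to this
            # public address cannot be steered to a single managed server.
            problems.append(f"{outside}: shared by {outside_seen[outside]} and {inside}, not one-to-one")
        else:
            outside_seen[outside] = inside
    return problems


# Constructed sample table; 203.0.113.0/24 is documentation space used here
# in place of the Customer's registered public addresses.
SAMPLE_NAT_TABLE = {
    "10.0.0.5": "203.0.113.10",
    "10.0.0.6": "203.0.113.10",  # duplicate outside address: not one-to-one
    "10.0.0.7": "192.168.1.1",   # outside address is itself private
}

if __name__ == "__main__":
    for problem in validate_static_nat(SAMPLE_NAT_TABLE) or ["NAT table OK"]:
        print(problem)
```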
For Oracle to effectively provide remote support services, the internet circuit (ANP or ISP) must be able to support the following performance metrics for the management link between Oracle and the Customer's servers:
Throughput equivalent to a T1 (1.54Mbps) in the US or an E1 (2.0Mbps) in Europe, with 256Kbps of available bandwidth.
Roundtrip latency less than 300ms to or from Oracle or Customer premises.
Packet Loss less than 0.1%
Customers may need more bandwidth depending on the number of servers, databases, and applications that Oracle will be concurrently supporting, reacting to, or both.
The Oracle Collaboration Suite security architecture is based on access grants defined by a default-deny rule set. This means that any access that is not specifically allowed is denied. The following sections describe the components of this architecture.
The default-deny rule sets are enforced by the firewall security policy. Any potential violations of the predefined rules are monitored by a production-quality Intrusion Detection System (IDS). In addition, periodic assessments of the environment are performed by an external assessment vendor. The results and recommendations provided are implemented where appropriate.
The IDS system in use is designed to recognize intrusions in a number of ways such as identifying attack signatures as well as recognition of anomalous ports and protocols being accessed within the environment. Alerts, when generated, are routed to a 24x7 response desk that performs appropriate levels of triage and response, escalating to senior security engineers when necessary.
All accesses into the environments must traverse a firewall that validates the appropriateness of the communications being attempted. It performs this validation through recognition of the protocols being used as well as by verifying the acceptability of the ranges of source and destination IP addresses. Oracle utilizes Virtual Private Network (VPN) devices in a site-to-site (more accurately, network-to-network) topology, leveraging the most ubiquitous transport technology available today, the public Internet. Oracle requires the implementation of IPSec as part of an overall VPN strategy for securing data between endpoints on the management link, employing tunneling and encryption to facilitate data privacy. IPSec is a framework of open standards developed by the Internet Engineering Task Force (IETF) to, as the name implies, provide security for IP datagrams. It is a robust standard that has withstood extensive peer review and emerged as the clear industry standard for Internet VPNs. Oracle pre-configures VPN devices to provide the following levels of encryption and authentication per the IPSec standard:
Data is encrypted using 168-bit Triple DES.
The VPN is configured using Hashed Message Authentication Codes (HMAC) with the SHA-1 algorithm.
The standard connection from the Customer to the Oracle data center is through an Oracle provided hardware VPN.
The Power Broker product from Symark Technologies is used to control, log, and audit all access to production systems by all Oracle personnel, so that any changes or modifications to the Customer environment are strictly controlled. Power Broker enforces a policy configuration that allows or disallows the execution of programs on the system. The policy configuration file controls access via defined variables such as time of day, user ID, and the system being accessed.
Oracle On Demand implements Oracle Enterprise Manager to manage and monitor hardware services, operating system services, and Oracle Collaboration Suite software services. Alerts have been set in all areas to proactively manage possible impending issues within the environments. Oracle On Demand tracks service requests through the Internet Technical Service Request system (iSR). iSRs are automatically created when an alert is raised and an appropriate Oracle representative addresses and manages the alert.
The Oracle Computer and Administration Services for Collaboration Suite server configuration is designed to deliver optimal performance to each Customer.
The base configuration has 200 usable Gigabytes of disk storage allocated among the Customer's environments. All disk storage supports a variety of applications and applications/business development life cycle requirements (for example, database files, archive files, concurrent manager output, applications code, database code, and support for enhanced backup and restoration processes).
Additional storage is available at no extra cost based on the amount of fees the Customer pays for Computer and Administration Services for Collaboration Suite Programs.
See Also: http://www.oracle.com/policies/compandadminpolicy.html for more information on Computer and Administration Services for Collaboration Suite Programs.
In an @Oracle environment, Oracle On Demand provides the physical data center infrastructure in which the applications are hosted. The Oracle data centers are buildings specifically built to provide ample floor space, world-class environmental conditioning, redundant power, physical security, and state-of-the-art redundant LAN infrastructure and WAN access. Some of the standards employed by Oracle are listed in the following paragraphs.
In an @Customer environment, the Customer or Customer's agent provides the data infrastructure and all equipment is hosted at the Customer or HSP site. An HSP site is typically a third party data center. In these environments, the Customer is responsible for providing adequate floor space in a suitable building. Oracle highly recommends that the @Customer facilities comply with all the codes and standards listed in the following paragraphs. If circumstances do not permit the implementation of all the recommendations, then at least the @Customer data center "Must Have Requirements" outlined at the end of this section must be met. The quality of service and application availability may be affected if all listed requirements are not met. Also, networking infrastructure as outlined for the @Customer model must be provided.
The different codes and compliances that need to be followed are listed below:
Local Carriers, Inter-Exchange Carriers, and the Telecommunications Industry
At the Federal level in the United States, the Federal Communications Commission's (FCC) Part 68 Rule provides regulations for connecting telecommunications wiring and Customer-provided equipment to the regulated networks.
Building codes and standards encompass most, if not all, aspects of the construction industry. Installation methods and electrical products must conform to local code requirements in the construction of telecommunication facilities.
ASHRAE – American Society of Heat, Refrigeration, and Air Conditioning Engineers
BICSI – Building Industry Consulting Service International
CEC – Canadian Electrical Code
CSA – Canadian Standards Association
ISO/IEC 11801 International Standard – Information Technology – Generic cabling for Customer location
NEC – National Electrical Code
NFPA – National Fire Protection Association
TIA/EIA – Telecommunications Building Wiring Standards
UL – Underwriters Limited
Air Plenums – Prohibit open wiring (except with listed low-smoke, flame-retardant insulation) in spaces used for transport of environmental air in buildings.
Fire Stops – Properly seal all penetrations through fire-rated walls and floors with approved materials to reduce the chance of fire and smoke spread.
Separation of Systems – Stipulate separation of system components and wiring between different classes of voltages. Adherence is important to help reduce the risk of accidental shock due to contact with dangerous voltage levels.
Voltage Hazards – Provide outside protection from voltage hazards caused by contact between communications circuit elements and electrical system elements, such as lightning strikes and induced voltage from close proximity to power circuits.
Working Clearances – Provide clear space to safely service wiring and equipment throughout a building.
A Telecommunications Equipment Room is a special-purpose room that provides space and maintains a suitable operating environment for telecommunications and/or computer equipment. Equipment Rooms may be connected to cable backbone pathways that run both within and between buildings. The equipment room must be dedicated solely to telecommunications and related equipment. Do not allow equipment that does not support the equipment room (for example, pipes, duct work, and distribution of building power) to be located in or pass through the equipment room.
Equipment rooms typically have the following (Recommended):
Demarcation for Telecommunication Service Providers
Termination point for telephone/data station wiring
PBX Switch Equipment
Voice Mail Equipment
Inter-Building backbone cross-connects
Horizontal and Vertical cross-connects
Communications station racks and cabinets
Network LAN/WAN
Workstation(s) for telecommunications personnel
Equipment rooms typically do not have the following:
White Noise generating systems
Paging Systems
Security Equipment
General Office Storage
Equipment rooms should not have the following (not recommended):
Boiler Room Equipment
Drains and Clean Outs
Electrical Transformers and switch gear
Food and Drinks
Hydraulic equipment and other heavy machinery that causes vibration
Janitor's Closets
Loading Docks
Sources of excessive EMI and RFI
Steam Pipes
Storage Rooms
Washrooms
Physical Characteristics
The square footage allocated for this room shall be in proportion to the square feet of usable office space and the telecommunications/computer equipment required.
In general, telecommunications racks are preferred over equipment cabinets in dedicated telecommunications rooms. Designs should consider the types of equipment planned for the room, and future equipment requirements. Space should be allocated to accommodate equipment cabinets (24" width by 30" depth) installed in rows. It is recommended that equipment racks meet ANSI/EIA 310-D-1992: racks, panels and associated equipment.
It is recommended that, in a slab floor environment, anti-static Vinyl Coated Tile (VCT) flooring be installed.
Entry into telecommunications rooms should be secure, and auditable via means such as a card reader or electronic key system.
Heating, Ventilation, and Air Conditioning (HVAC)
Telecommunications Racks will generate from 2500 to 5000 BTU each.
The HVAC shall maintain an ambient temperature between 65 and 75 degrees Fahrenheit, 24 hours per day, 365 days per year, and a relative humidity of 20% to 80%.
It is recommended that each telecommunications room have its own HVAC unit with alarm monitoring and reporting capability.
Wall Fields/ Cable Termination
A cable system is the part of the telecommunication distribution system that provides connection between telecommunications service entrance facilities, equipment rooms, and telecommunication, server, and storage equipment. The typical and recommended distribution cable shall be Category 5 or better: 4 pair, 24 AWG, unshielded, solid conductor twisted pair.
It is recommended that all telecommunication wiring be installed by a Registered Communications Distribution Designer (RCDD) or a BICSI qualified cable installer.
It is recommended that all Category 5 distribution cables use 110 termination type blocks, and that all jumper cables use RJ-45 type terminating connectors.
Horizontal and Jumper Cable – The cable shall meet or exceed all requirements for Category 5 cable specified in ANSI/TIA/EIA-568-A or CSA T529.
T1 Cable – It is recommended that each T1 circuit use conventional, 2 pair 22 to 24 AWG twisted shielded pairs, encapsulated in one dielectric sheath, to minimize the risk of electromagnetic interference (EMI) and radio frequency interference (RFI).
Wallfield/Rack Field/Distribution Frame – It is recommended that all building type telecommunications cable use a centralized point of termination. The centralized point of termination allows for cable to be terminated according to services and application. The point of cable termination may be attached to a fire retardant piece of plywood attached to the wall, a cable distribution field located in an equipment rack, or a free-standing cable distribution frame.
Electrical
Telecommunications equipment is sensitive to power fluctuations. Because of this sensitivity, provisions should be made for: dedicated power feeds, individual branch circuits, back up power, grounding and bonding.
It is recommended, but not required, that the equipment room have its own dedicated electrical sub-panel.
Power installed under raised floors should have a minimum of 6 ft. of flexible conduit to allow for movement.
It is recommended that power be mounted on the cable trays/racks when installed above equipment. Typically each equipment rack requires a dedicated 20 amp duplex receptacle.
It is recommended that four convenience outlets be installed around the room (one on each wall).
Grounding and bonding provides safeguards for personnel, property, and equipment from foreign electrical voltages and currents. It is important for construction, electrical and cable contractors to provide proper grounding and bonding throughout the entire construction of a facility. At a minimum, all equipment racks, and telecommunication equipment must be grounded to prevent risk of electrocution to personnel.
@Customer data center - "Must Have Requirements"
Equipment room
A special-purpose room or location that provides adequate space, and maintains a suitable operating environment for telecommunications racks and/or computer equipment.
A suitable equipment rack or equipment cabinet, with a writing shelf provided for VPN equipment placement.
An HVAC system that maintains an ambient temperature between 65 and 75 degrees Fahrenheit, 24 hours per day, 365 days per year, and a relative humidity of 20% to 80%.
Enforceable process by which entry into the telecommunications room shall be secure, and restricted to authorized personnel.
Cable, Termination/Electrical
A centralized, easily accessible point of cable termination for Service Provider products (T1).
All equipment racks, and telecommunication equipment grounded to prevent risk of electrocution to personnel.
Two dedicated 20 amp duplex receptacles.