Create a Standby Environment on Oracle Cloud Infrastructure from an On-Premises Oracle E-Business Suite Release 12.2 Instance with Oracle Database Release 19c or 12.1.0.2 (Commercial Cloud Regions Only)

This chapter covers the following topics:

Overview
Requirements for Creating a Standby Environment
Preparations for Creating a Standby Environment
Create a Standby Environment for Oracle Cloud Infrastructure from an On-Premises Environment

Overview

This chapter describes how you can use Oracle E-Business Suite automation (and in particular, the on-premises Oracle Applications Manager combined with the Oracle E-Business Suite Cloud Manager) to create a standby environment in Oracle Cloud Infrastructure.

Promotion of the standby environment accomplishes a "lift and shift". We refer to this as a "reduced downtime lift and shift", due to the reduction of overall downtime that is required with the more traditional lift and shift method described in Create a Backup of an On-Premises Oracle E-Business Suite Environment on Oracle Cloud Infrastructure.

The standby creation and reduced downtime lift and shift features are available for Oracle E-Business Suite Release 12.2 with Database Releases 19c and 12.1.0.2, with the target of Compute.

Overview of Creating a Standby Environment

the picture is described in the document text

You can create a standby of your on-premises Oracle E-Business Suite installation in Oracle Cloud Infrastructure, and promote that standby to accomplish your lift and shift.

An Oracle Applications Manager standby cloud patch must be applied to your application tier and the Oracle E-Business Suite Cloud Backup module must be installed in your database tier. See My Oracle Support Knowledge Document 2517025.1,Getting Started with Oracle E-Business Suite on Oracle Cloud Infrastructure for more information.

The Oracle E-Business Suite Cloud Backup Module is used to introspect the database tier, create a backup of the Database Oracle Home in Oracle Cloud Infrastructure Object Storage and configure Oracle Data Guard on the source database.

The utility rsync is used to transfer the files on the applications tier, and Oracle Data Guard helps create and maintain the standby database. Once the standby environment is created in OCI using an Oracle Cloud Infrastructure Storage bucket to store its objects in a compartment, Oracle E-Business Suite Cloud Manager can manage the standby.

Once the standby environment is created in OCI, you can promote it to production using Oracle E-Business Suite Cloud Manager. The on-premises environment is then retired.

A Standby Environment Promoted to Production

the picture is described in the document text

Requirements for Creating a Standby Environment

The following are requirements for creating a standby environment.

Oracle E-Business Suite Cloud Manager in Your Tenancy

You must have Oracle E-Business Suite Cloud Manager in your tenancy.

Cloud Services Minimum Resource Recommendations

To create a standby environment, we recommend that you have cloud service resources that match or exceed those specified in the following table.

Table 6-1 Cloud Services Minimum Resource Recommendations
Description	Machine Type	Number of Nodes	OCPUs Allocated	Memory	Storage	External IPs
Oracle Cloud Infrastructure Backup Service	Not applicable	Not applicable	Not applicable	Not applicable	Size of the database Oracle home in the source environment (object)	Not applicable
Oracle E-Business Suite Cloud Manager	VM	1	1	7 GB	Required: 55 GB (block)	1
Application tier	VM	1	1	14 GB per VM	Strictly dependent on your on-premises environment. The minimum requirements are as follows: 170 GB	1
Database tier on Oracle Cloud Infrastructure Compute	VM	1	2	14 GB	Vision demo: 300 GB	1

Preparations for Creating a Standby Environment

Follow the steps below to prepare to create a standby environment.

Set Up Certificates for Oracle E-Business Suite Cloud Manager

Oracle E-Business application tier nodes will invoke web services exposed by the Oracle E-Business Suite Cloud Manager. In order for Oracle E-Business Suite application tier nodes to invoke these REST services, they need to establish secure communication using TLS. The application tier nodes use a Java framework to invoke REST APIs, and the Java toolkit establishes the secure handshake after validating the certificate coming from the Cloud Manager. This validation requires that the Java toolkit recognizes the certificate authority (CA) that issued the Cloud Manager certificate.

The certificate status of the Oracle E-Business Cloud Manager load balancer will fall into one of these two categories:

A valid certificate issued by a CA with a properly DNS-registered, resolvable name.
A self-signed certificate generated during Cloud Manager configuration and associated with the IP address of the load balancer.

Set Up the Source Application Tier

Ensure that you have set up the certificate as described in Set Up Certificates for Oracle E-Business Suite Cloud Manager.
Ensure that you have applied all required patches listed for "Lift and Shift Oracle E-Business Suite from On-Premises" in My Oracle Support Knowledge Document 2517025.1, Getting Started with Oracle E-Business Suite on Oracle Cloud Infrastructure.
Apply Patch 36272638 to the source application tier using adop.
After completing the adop cycle, run adpreclone.pl on the new run filesystem on the source application tier.

Set Up the Source Database Tier

Ensure that the database is in Archive log mode.

Create wallet and autologin files if the database does not already have them.

For Database Release 12.1.0.2, ensure that the sqlnet.ora file in the context directory is updated with the correct wallet location. For Database 19c, ensure that the sqlnet.ora files of both the multitenant container database (CDB), NATIVE_TNS_ADMIN/sqlnet.ora, and the pluggable database (PDB), TNS_ADMIN/sqlnet.ora, are updated with the correct wallet location.

If your database is Release 12.1.0.2, then sample commands are as follows:

$ sqlplus '/as sysdba'
SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '<ORACLE_HOME>/admin/<SID>/<tde_wallet>' IDENTIFIED BY <Wallet_password>;
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY <Wallet_password>;
SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY <Wallet_password> WITH BACKUP;
SQL> ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE '<ORACLE_HOME>/admin/<SID>/<tde_wallet>' IDENTIFIED BY <Wallet_password>;

If your database is Release 19c, connect to the CDB. The sample commands are as follows:

sqlplus '/as sysdba'
SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '<ORACLE_HOME>/admin/<CDB_SID>/<tde_wallet>' IDENTIFIED BY <Wallet_password>;
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY <Wallet_password> CONTAINER=ALL;
SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY <Wallet_password> WITH BACKUP CONTAINER=ALL;
SQL> ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE '<ORACLE_HOME>/admin/<SID>/<tde_wallet>' IDENTIFIED BY <Wallet_password>;

Ensure that the sqlnet.ora files (in $ORACLE_HOME/network/admin and $ORACLE_HOME/network/admin/<context_dir>) have an ENCRYPTION_WALLET_LOCATION entry like below:

ENCRYPTION_WALLET_LOCATION = (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=<ORACLE_HOME>/admin/<SID>/<tde_wallet>)))

Run adpreclone on the database Oracle home.
1. On the application tier, source the environment file and run:
```
$ $AD_TOP/bin/admkappsutil.pl
```
  This script will create the appsutil.zip file.
2. Copy this zip file to the /tmp directory on the database tier.
3. On the database tier, take a backup and remove the $ORACLE_HOME/appsutil/clone directory.
4. Change to the Oracle directory:
```
$ cd $ORACLE_HOME
```
5. Unzip the file:
```
$ unzip -o /tmp/appsutil.zip
```
6. For Database Release 12.1.0.2, run the script:
```
$ $ORACLE_HOME/perl/bin/perl $ORACLE_HOME/appsutil/scripts/<CONTEXT_NAME>/adpreclone.pl dbTier
```
  For Database 19c, source the PDB_context.env file and then run the script:
```
$ $ORACLE_HOME/perl/bin/perl $ORACLE_HOME/appsutil/scripts/<CONTEXT_NAME>/adpreclone.pl dbTier
```

Perform Maintenance on the Standby Environments

Make sure you delete or promote all existing standby environments before performing maintenance activities on the source environment.

Install the Oracle E-Business Suite Cloud Backup Module

Install the Oracle E-Business Suite Cloud Backup Module on the database tier node. See: Install the Oracle E-Business Suite Cloud Backup Module for more information.

Steps for a Certificate Issued by a Certification Authority (Conditionally Required)

If you have a valid certificate issued by a Certificate Authority (CA) with a properly DNS-registered, resolvable name, then perform the following:

Obtain the certificate from your certificate authority.
Import the certificate to your source application tier nodes:
1. Copy the democert.crt file to each application tier node in your source system.
2. Add the certificate to the keystore following the example commands below, one for each file system:
```
$ keytool -import -trustcacerts -keystore /u01/install/APPS/fs1/EBSapps/comn/util/jdk64/jre/lib/security/cacerts -file democert.crt -alias sample2021webentry  

$ keytool -import -trustcacerts -keystore /u01/install/APPS/fs2/EBSapps/comn/util/jdk64/jre/lib/security/cacerts -file democert.crt -alias sample2021webentry
```
  Note: You might need to grant write permissions to the cacerts file using the command:
```
$ chmod u+w <cacerts_file> 
```
  The write permissions can be revoked after running the above keytool command using:
```
$ chmod u-w <cacerts_file>
```
  If prompted, enter the keystore password. See: The cacerts Certificate File.
  
  For more information on managing the JDK cacerts file, refer to My Oracle Support Knowledge Document 1367293.1, Enabling TLS in Oracle E-Business Suite Release 12.2.
Stop and start the Oracle E-Business Suite instance.

Steps For a Self-Signed Certificate Using the Cloud Manager Administration Utility (Conditionally Required)

Use the Cloud Manager Administration Utility (ebscmadmin) if you are using a self-signed certificate generated during Cloud Manager configuration and you want to use the FQDN as the web entry point. For configuring self-signed certificates for Cloud Manager URLs with IP address, refer to Manual Steps For a Self-Signed Certificate (Conditionally Required).

To learn more about running the ebscmadmin utility to update the FQDN, see: Update the Oracle E-Business Suite Cloud Manager Load Balancer Fully Qualified Domain Name.

Run the ebscmadmin command from the Oracle E-Business Suite Cloud Manager VM to update Oracle E-Business Suite Cloud Manager Load Balancer with a new FQDN. This command also regenerates the load balancer self-signed certificate for the load balancer listener resource in OCI with the same Common Name (CN) as in the user-provided load balancer FQDN.

For example, enter the following:
```
$ sudo su - oracle
$ cd /u01/install/APPS/apps-unlimited-ebs/bin
$ ./ebscmadmin update-load-balancer-fqdn <argument>
```
Import the certificate to your source application tier nodes:
1. Copy the democert.crt file to each application tier node in your source system.
2. Add the certificate to the keystore following the example commands below, one for each file system:
```
$ keytool -import -trustcacerts -keystore /u01/install/APPS/fs1/EBSapps/comn/util/jdk64/jre/lib/security/cacerts -file democert.crt -alias sample2021webentry

$ keytool -import -trustcacerts -keystore /u01/install/APPS/fs2/EBSapps/comn/util/jdk64/jre/lib/security/cacerts -file democert.crt -alias sample2021webentry  
```
  Note: You might need to grant write permissions to the cacerts file using the command:
```
$ chmod u+w <cacerts_file> 
```
  The write permissions can be revoked after running the above keytool command using:
```
$ chmod u-w <cacerts_file>
```
  If prompted, enter the keystore password. See: The cacerts Certificate File.
  
  For more information on managing the JDK cacerts file, refer to My Oracle Support Knowledge Document 1367293.1, Enabling TLS in Oracle E-Business Suite Release 12.2.
Stop and start the Oracle E-Business Suite instance.

Manual Steps For a Self-Signed Certificate (Conditionally Required)

Perform these steps if you are using a self-signed certificate generated during Cloud Manager configuration and associated with the IP address of the load balancer.

Replace the self-signed certificate generated by the Cloud Manager with a new self-signed certificate generated using a common name (CN).

For example, say you are using the IP address of the load balancer as your web entry point. Log in to the Cloud Manager VM and run the command as in the following example:
```
$ openssl req -x509 -newkey rsa:4096 -sha256 -days 356 -nodes -keyout democert.key -out democert.crt -subj '/CN=192.0.2.254' -extensions san -config <( echo '[req]'; echo 'distinguished_name=req'; echo '[san]'; echo 'subjectAltName=IP:192.0.2.254') 
```
Add the newly-created certificate where needed:
1. Add the certificate to the target OCI; for example, sample2021-ebscm-instance-prov-vm-lbaas
2. Select the corresponding load balancer in the OCI Console. Under Resources, click Certificates. From the Certificate Resource list, select the Load Balancer Managed Certificate certificate resource type. Click Add Certificate.
3. Add democert.crt to the SSL certificate section and democert.key to the private key section.
Update the listener. For example, update the listener in sample2021-ebscm-instance-prov-vm-lbaas to select the newly-created certificate.
Import the certificate to your source application tier nodes:
1. Copy the democert.crt file to each application tier node in your source system.
2. Add the certificate to the keystore following the example commands below, one for each file system:
```
$ keytool -import -trustcacerts -keystore /u01/install/APPS/fs1/EBSapps/comn/util/jdk64/jre/lib/security/cacerts -file democert.crt -alias sample2021webentry 

$ keytool -import -trustcacerts -keystore /u01/install/APPS/fs2/EBSapps/comn/util/jdk64/jre/lib/security/cacerts -file democert.crt -alias sample2021webentry
```
  Note: You might need to grant write permissions to the cacerts file using the command:
```
$ chmod u+w <cacerts_file> 
```
  The write permissions can be revoked after running the above keytool command using:
```
$ chmod u-w <cacerts_file>
```
  If prompted, enter the keystore password. See:The cacerts Certificate File.
  
  For more information on managing the JDK cacerts file, refer to My Oracle Support Knowledge Document 1367293.1, Enabling TLS in Oracle E-Business Suite Release 12.2.
Stop and start the Oracle E-Business Suite instance.

Set Up Networking

Reserved Public IP Addresses

For information on managing public IP addresses, see: Public IP Addresses.

Create public IP reservations for the application tier and database tier using the OCI Console. Use the same compartment as the Oracle E-Business Suite compartment of the network profile.
Provide the created IPs in Standby Configuration page in Oracle Applications Manager for the target application and database tier IPs.

Opening Ports

The network access described below is required at the seclist level. For the source database, the same needs to be opened at the iptables level as well. The target iptables would be updated automatically.

If the source and target belong to the same network (same virtual cloud network), then communication between the source and the target occurs using private IPs; otherwise, communication uses public IPs. The reservation IPs for the target must be secured accordingly.

From the Target application tier, access the Source application tier: SSH connectivity (port 22)
From the Target database tier, access the Source database tier: TNS connectivity (port 1521)

From the Source database tier, access the Target database tier: TNS connectivity (port 1521)

The following are example commands to open the local firewall for Standby (Oracle Linux 7). The command could vary depending on the operation system version.

sudo firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 source address=<standby-oci-db-reserved-ip> port port=<active db listener port, eg. 1521> protocol=tcp accept' --permanent

sudo firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 source address=<standby-oci-db-reserved-ip> port port=<active db listener port, eg. 1521> protocol=tcp accept

From the Source application tier, access the Oracle E-Business Suite Cloud Manager URL.

Reserved Private IP Addresses

Creating a reservation is unnecessary in this scenario.

Ensure the IPs entered for the target application and database tiers are within the application tier and database tier subset CIDR respectively, and that these IPs are not already assigned to instances.

Create a Standby Environment for Oracle Cloud Infrastructure from an On-Premises Environment

Important: Before configuring a standby environment, ensure that there is an ingress rule defined in the Oracle E-Business Suite Cloud Manager LBaaS security list that allows connectivity from the on-premises Oracle E-Business Suite application tier node IP address. Otherwise, validation will not occur.

Ensure that the proxy values are set in the context file accordingly, run AutoConfig, and stop and start the application tier services.

If the proxy is used, set values for s_proxyhost, s_proxyport, s_proxybypassdomain, s_nonproxyhosts in the context file. If the proxy is not used, ensure these context values are cleared. To remove any proxy settings and also retain the null values for the proxy settings, set the following context variables as described below and run AutoConfig:

<proxyhost oa_var="s_proxyhost"></proxyhost>
<proxyport oa_var="s_proxyport" customized="yes"></proxyport>
<proxybypassdomain oa_var="s_proxybypassdomain" customized="yes"></proxybypassdomain>
<nonproxyhosts oa_var="s_nonproxyhosts"></nonproxyhosts>

To run AutoConfig:

cd $ADMIN_SCRIPTS_HOME ; ./adautocfg.sh

Ensure that the Resource Owner option is selected under Allowed Grant Types in the registration of Oracle E-Business Suite Cloud Manager as an application in Oracle Identity Cloud Service (IDCS). This configuration is required to allow REST calls from Oracle E-Business Suite. See Register Oracle E-Business Suite Cloud Manager as a Confidential Application.

Perform these steps to configure a standby environment in Oracle Applications Manager.

Access the Standby Environment Pages in Oracle Applications Manager

Log in to Oracle E-Business Suite on-premises environment as a user with access to Oracle Applications Manager. For example, log on as a user with the out-of-box System Administration responsibility.
Select the Oracle Applications Manager responsibility in the Navigator in the home page, then select Cloud Standby.
The Oracle Cloud Infrastructure page shows details for the OCI account: Tenancy, Account, and EBS Cloud Manager name. Any configurations for existing standby environments are also shown.

Edit the Oracle Cloud Infrastructure Account

You can edit some of the settings for Oracle E-Business Suite Cloud Manager here.

Click on Edit Oracle Cloud Infrastructure Account to edit the account details.
Enter a new Oracle Cloud Username.
Enter the Oracle Cloud Password.
Choose to define a new Cloud Manager Definition, or use an existing one.

If you choose a new definition, enter the following:
- EBS Cloud Manager Name
- EBS Cloud Manager URL: Select the IP address that you use to connect to the Cloud Manager, including the port if needed.
  
  For example, https://192.0.2.254
If you choose to use an existing definition, select it in the Cloud Manager field.
Click Validate to validate your settings.
The Oracle Cloud Infrastructure Tenancy Details are shown but cannot be edited:
- Tenancy Name
- Tenancy OCID
- Username
- User OCID
Click Save.

Enter Standby Environment Information and Introspect the Application Tier

On the main Oracle Cloud Infrastructure page, click Configure Standby Environment in the Standby Environments region.
Enter a Standby Environment Name.
Select a Network Profile. We recommend you choose a Network Profile enabled for the File Storage service. See Create a Network Profile for instructions.
The Region and Compartment are displayed.
Optionally select your operating system time zone. This is the operating system time zone for your application and database tier nodes.

Oracle E-Business Suite Cloud Manager will validate your selection for the server time zone, unless you check the box Bypass Server Timezone Profile Validation.

Warning: If you choose to override the time zone defined in the source environment, then the operating system for the new standby environment across all Compute instances and cloud services will be configured to use the selected time zone. After you provision your environment, and prior to starting any database and application tier services, you must set the TZ environment variable to match the Server Timezone profile option. Failure to do so could lead to data corruption. See: Time Zone Support in the Oracle E-Business Suite Setup Guide.

For more information on time zone support, see: Time Zone Support in Oracle E-Business Suite Cloud Manager.
Specify a Source IP address.

This IP address is used to establish communication from the application tier node running in OCI. Ensure that the IP address you enter meets this purpose.
Click Introspect Apps Tier to submit a concurrent request to introspect the application tier.
The new standby environment configuration appears in the Standby Environments list.

Review Your Standby Environment Configuration In Progress in Oracle Applications Manager

Click the name of your new standby environment the Standby Environments list in Oracle Applications Manager.
The details of your standby environment configuration are shown, including the following:
- Standby Environment Name
- Network Profile
- Region
- Compartment Status
- Standby Status
The Configuration Stages are also shown in a table. A concurrent request is submitted for each stage. Click on the Request ID link to view the log file of the concurrent request.
Information on the Application Tier is also shown, including:
- Oracle E-Business Suite Version
- OS User
- Application Top directory
- Middleware Licensing model
- File System Type
  
  For a shared file system, the File Storage Mount Target and Mount Options are shown.
Information for the local node and the standby node are given in a table.
Perform Database Tier Introspection as described below.

Perform Database Tier Introspection

If not done already, install the Oracle E-Business Suite Cloud Backup Module on the database tier node. See: Install the Oracle E-Business Suite Cloud Backup Module.
Run the db-introspect.sh script. For example:
```
$ RemoteClone/bin/db-introspect.sh --action introspect --context-file <context file, for example: /u01/install/APPS/12.1.0/appsutil/demosid_demo1221ccomp1db.xml> --standby-name <standby environment name given in the Introspect Application Tier page> --standby-reserved-ip <standby reserved IP or private IP depending on the --standby-reserved-ip-type> --standby-reserved-ip-type <Public or Private> --active-db-ip <active database IP reachable from target network> --oci-private-key-file <absolute path to key file> --ebs-username <for example: SYSADMIN> --listener-port <for example, 1521> --session-dir <absolute path session log directory, for example: /home/oracle/session>
```
Note the following for the parameters for the script:
- For the parameter --oci-private-key-file <absolute path to key file>, this value should be the API signing key of the user that was used to set the Oracle Cloud Infrastructure credentials. See: Edit Oracle Cloud Infrastructure Account.
- If the --standby-reserved-ip-type value is Public, then the --standby-reserved-ip value must be a Public IP reservation created in OCI. If --standby-reserved-ip-type value is Private, then the --standby-reserved-ip value must be a Private IP that belongs to the DB Subnet CIDR Block and is not already assigned.
- For -active-db-ip <active database IP reachable from target network>: This IP is used to connect to the active database from standby and also this IP is used to open local firewall on the standby database. Depending on the network configuration (Public or Private), use the active DB IP that is reachable from the standby to active and also for the successful communication from active to standby when this IP is allowed in the local firewall of the standby.

Enter Configuration Information for the Standby Application and Database Tiers

In the Standby Environment Configuration on Oracle Cloud Infrastructure page, add the following information:

Enter the reserved public or private IP for the application tier.
Enter the shape for the standby application and database tiers.

Flexible shapes are supported for both application and database tiers. Flexible shapes allow you to customize the number of OCPUs and the amount of memory when launching or resizing your VM.
Choose a middleware licensing model, either BYOL or UCM. If you choose BYOL, you are indicating that you have purchased or transferred the perpetual licenses required for customized Oracle E-Business Suite Applications. If you choose UCM, you are adopting the Universal Credits subscription-based model, and paying for usage as you go. Make sure you understand the cost associated with this choice.
For Storage, choose the File System Type: Non-Shared or Shared.

If you choose Shared, then you are prompted for the File Storage Mount Target. Select a mount target from the list shown; this list of values is dependent on the network profile you selected during application tier introspection.

You can also specify Mount Options. Default parameters are shown. You can edit these options, but specifying a mount option or parameter that is not supported or recommended for a shared storage file system deployment may result in a provisioning failure. Exercise extreme caution when editing these parameters; options are not validated in this page.
Click Submit.

Review Standby Environment Configuration in Oracle Applications Manager

If the configuration has failed, click Retry in its configuration review page to try configuring the standby environment again.

If the configuration has completed with a Successful or Failed status, you can click Remove Standby to remove the standby configuration.

You can review your standby environment in Oracle E-Business Cloud Manager. See: Review Standby Environment Details.

From Oracle E-Business Cloud Manager, you can also: