Create an Oracle Java Cloud Service Instance Attached to a Private Subnet on Oracle Cloud Infrastructure

When you create an Oracle Java Cloud Service instance in an Oracle Cloud Infrastructure region, you can attach the instance to either a private subnet or a public subnet. If you attach the instance to a private subnet, then the nodes of the instance can’t have public IP addresses. They are isolated from the public Internet.

Note:

For the instructions to create an instance attached to a public subnet, see Create an Oracle Java Cloud Service Instance Attached to a Public Subnet on Oracle Cloud Infrastructure.

Create the Required Resources in Oracle Cloud Infrastructure

Before creating an Oracle Java Cloud Service instance attached to a private subnet, you must fulfill certain prerequisites, including creating the required identity, networking, and storage resources in Oracle Cloud Infrastructure.

  1. Generate an SSH key pair.

    See Generate a Key Pair with OpenSSH.

    Note the path and name of the files that contain the private and public keys. You’ll need the keys later.

  2. Complete the following steps from the tutorial Creating the Infrastructure Resources Required for Oracle Platform Services:
    1. Create a compartment.
      If you want to create the Oracle Cloud Infrastructure resources in an existing compartment, then skip this step.
    2. Create a virtual cloud network (VCN) in the compartment you created or identified.
      If you want to use an existing VCN, then skip this step.
    3. Create a policy to allow Oracle Cloud platform services to use the networking resources in the compartment that you created or identified.
      If the required policy exists for the compartment that you want to use, then skip this step.
    4. Create a bucket in the Object Storage service to store backups of your Oracle Java Cloud Service instance.

      Note:

      The user creating the bucket must be either a local user in Oracle Cloud Infrastructure Identity and Access Management (IAM), or a synchronized user created automatically by a federated identity provider.

      If you’d like to use a bucket that was created previously, then skip this step.

      Note the name of the bucket. You’ll need it later while creating the service instances.

    5. Generate an authentication token for the user who created the bucket.

      If you have the required token already, then skip this step.

      Note the authentication token value. You’ll need it later while creating the service instances.

  3. In the VCN that you created or identified earlier, create the required networking resources:
    1. Create a service gateway.

      The service gateway is required for the Oracle Java Cloud Service instance to access Oracle Cloud Infrastructure Object Storage.

      See Setting Up a Service Gateway in the Oracle Cloud Infrastructure documentation.

    2. Create an internet gateway.

      The internet gateway enables communication between the public Internet and the bastion node.

      See Working with Internet Gateways in the Oracle Cloud Infrastructure documentation.

    3. (Optional) Create a NAT gateway.

      The NAT gateway is required for the nodes of the Oracle Java Cloud Service instance to access the public Internet. Such access is useful, for example, when you want the nodes to reach the Oracle Yum server to download additional packages or OS patches.

      See Setting Up a NAT Gateway in the Oracle Cloud Infrastructure documentation.

    4. Create the following route table:

      See Working with Route Tables in the Oracle Cloud Infrastructure documentation.

      Route Table route.public for the Public Subnets

      Route rule: To route traffic bound for the public Internet through the internet gateway
      Destination: CIDR 0.0.0.0/0
      Target: Internet gateway

      Route Table route.private for the Private Subnet

      Route rule: To route traffic bound for the Object Storage service through the service gateway
      Destination: Service: OCI region Object Storage
      Target: Service gateway

      Route rule (optional): To route traffic bound for the public Internet through the NAT gateway
      Destination: CIDR 0.0.0.0/0
      Target: NAT gateway
    5. Create the following security lists:

      See Working with Security Lists in the Oracle Cloud Infrastructure documentation.

      Security List seclist.bastion for the Bastion Subnet

      Ingress rule: To allow SSH connections to the bastion node
      Source CIDR: 0.0.0.0/0
      IP protocol / port: SSH / 22

      Egress rule: To allow all outbound traffic
      Destination CIDR: 0.0.0.0/0
      IP protocol / port: All protocols / ports

      Security List seclist.lb for the Load Balancer Subnets

      Ingress rule: To allow traffic from the other compute nodes in the VCN
      Source CIDR: 10.0.0.0/16
      IP protocol / port: All protocols / ports

      Egress rule: To allow all outbound traffic
      Destination CIDR: 0.0.0.0/0
      IP protocol / port: All protocols / ports

      Security List seclist.private for the Private Subnet

      Ingress rule: To allow traffic from the other compute nodes in the VCN
      Source CIDR: 10.0.0.0/16
      IP protocol / port: All protocols / ports

      Egress rule: To allow all outbound traffic
      Destination CIDR: 0.0.0.0/0
      IP protocol / port: All protocols / ports
    6. Create the following subnets:

      See Working with VCNs and Subnets in the Oracle Cloud Infrastructure documentation.

      Subnet for the bastion host (suggested name: subnet.bastion)
      Availability domain: AD1
      Example CIDR (see footnote 1): 10.0.1.0/24
      Route table: route.public
      Subnet access: Public
      Security list: seclist.bastion

      Subnet for the primary load balancer node (suggested name: subnet.lb1)
      Availability domain: AD1
      Example CIDR: 10.0.2.0/24
      Route table: route.public
      Subnet access: Public
      Security list: seclist.lb

      Subnet for the standby load balancer node (suggested name: subnet.lb2); relevant only if the region has multiple availability domains
      Availability domain: AD2
      Example CIDR: 10.0.3.0/24
      Route table: route.public
      Subnet access: Public
      Security list: seclist.lb

      Subnet for the service instances (suggested name: subnet.private)
      Availability domain: AD1
      Example CIDR: 10.0.4.0/24
      Route table: route.private
      Subnet access: Private
      Security list: seclist.private

      Footnote 1: The example CIDRs assume that the VCN’s CIDR is 10.0.0.0/16.

      Note:

      Make a note of the OCIDs of the subnets. You’ll need them later while creating the bastion host and the service instances.
  4. Create a compute instance and attach it to the public subnet that you created for the bastion host.

    Through this node, administrators can access the administration console of the Oracle Java Cloud Service instance, and they can connect by using SSH to the compute nodes of the instance.

    See Creating an Instance in the Oracle Cloud Infrastructure documentation.

    After creating the bastion compute instance, note its public IP address.

You’ve created the required resources in Oracle Cloud Infrastructure. You can now create the Oracle Cloud Infrastructure Database and Oracle Java Cloud Service instances.

Create an Oracle Cloud Infrastructure Database System Attached to a Private Subnet

Create an Oracle Cloud Infrastructure Database system that's attached to the private subnet that you plan to use for the Oracle Java Cloud Service instance.

  1. Create a DB system by following the steps in Managing Bare Metal and Virtual Machine DB Systems in the Oracle Cloud Infrastructure documentation.
    Note the following:
    • Select the required private subnet in the network settings.
    • You can use an Oracle Database 12.2 system as the infrastructure schema database only for an Oracle Java Cloud Service instance running WebLogic Server 12.2.1 or later.
    • The PDB name field is optional. If you enter a name, then make a note of it. You'll need it in the next step.
  2. Wait for the DB system to be created. When the status displayed in the web console is AVAILABLE, construct the connection string. You'll need this string while creating the Oracle Java Cloud Service instance.
    The connection string is in the following format:
    • VM DB system: //hostNamePrefix-scan.hostDomainName:1521/pdbName.hostDomainName
    • Bare metal DB system: //hostNamePrefix.hostDomainName:1521/pdbName.hostDomainName

    hostNamePrefix and hostDomainName are the values displayed in the Hostname Prefix and Host Domain Name fields, respectively, in the Oracle Cloud Infrastructure web console.

    pdbName depends on the DB version and the DB shape.
    • 12c (any shape): The PDB name that you entered while creating the DB system (for example, PDB1).

      If you didn't enter a PDB name, then use dbName_PDB1, where dbName is the database name you specified (for example, dbforjcs_PDB1).

    • 11g (VM or bare metal): Database Unique Name displayed in the web console (for example, dbforjcs_yyz17v).
    • 11g (Exadata): The database name you specified (for example, dbforjcs).

    The following is an example of a connection string for a 12c VM DB system with the PDB name pdb1:

    //dbforjcs-scan.privatesubnet.paasvcn.oraclevcn.com:1521/pdb1.privatesubnet.paasvcn.oraclevcn.com

Create an Oracle Java Cloud Service Instance Attached to a Private Subnet

Use the REST API to create an Oracle Java Cloud Service instance attached to a private subnet.

  1. Create a request body in JSON format by using the following template, and save it in a plain-text file (for example, create-jcs-instance-on-oci.json).

    Note:

    This request-body template includes only the minimum set of fields required to create an instance of Oracle Java Cloud Service running Oracle WebLogic Server 12.2.1.3 Enterprise Edition. For information about all the supported fields, see Create a Service Instance in REST API for Oracle Java Cloud Service.
    {
      "serviceName"          : "name",
      "region"               : "region",
      "availabilityDomain"   : "ad",
      "subnet"               : "privateSubnetOCID",
      "vmPublicKeyText"      : "publicKey",
      "components": {
        "WLS": {
          "adminUserName"               : "user",
          "adminPassword"               : "password",
          "sampleAppDeploymentRequested": "true",
          "clusters": [
            {
              "clusterName"             : "name",
              "serverCount"             : "number",
              "shape"                   : "shape",
              "type"                    : "APPLICATION_CLUSTER"
            }
          ],
          "connectString"               : "dbConnectString",
          "dbaName"                     : "SYS",
          "dbaPassword"                 : "password"
        }
      },
      "configureLoadBalancer"           : true,
      "loadbalancer": {
        "subnets": [
          "subnetOCID_primaryLBnode",
          "subnetOCID_standbyLBnode"
        ],
        "loadBalancingPolicy"           : "policy"
      },
      "cloudStorageContainer": "https://swiftobjectstorage.region.oraclecloud.com/v1/namespace/bucket",
      "cloudStorageUser"     : "OCIuser",
      "cloudStoragePassword" : "authToken"
    }
    • serviceName: A name that starts with a letter, includes only letters and numbers, and has not more than 30 characters.

    • region: The Oracle Cloud Infrastructure region in which you want to create the Oracle Java Cloud Service instance (for example, us-ashburn-1).

    • availabilityDomain: The Oracle Cloud Infrastructure availability domain in which you want the Oracle Java Cloud Service instance to be created (for example, QnsC:US-ASHBURN-AD-1).

    • subnet: The OCID of the private subnet to which you want to attach the Oracle Java Cloud Service instance.

    • vmPublicKeyText: The SSH public key that you want to use for the nodes of the instance.

    • adminUserName: The user name for the Oracle WebLogic Server administrator.

      The name must be between 8 and 128 characters long. It must not contain any of the following characters: tabs, brackets, parentheses, left angle bracket (<), right angle bracket (>), ampersand (&), pound sign (#), pipe symbol (|), and question mark (?).

    • adminPassword: The password for the Oracle WebLogic Server administrator.

      The password must start with a letter. It can contain from 8 to 30 characters, and must include at least one number.

    • sampleAppDeploymentRequested: true

    • clusterName: The name of the Oracle WebLogic Server cluster.

      The name must start with a letter and have not more than 50 characters. It can contain only alphabetical characters, underscores (_), and dashes (-).

    • serverCount: 1, 2, 4, or 8

    • shape: Any VM.Standard or BM.Standard shape that's available in the availability domain that you specified. Check the service limits displayed in the Oracle Cloud Infrastructure web console.

    • type: APPLICATION_CLUSTER

    • connectString: The connection string for the Oracle Cloud Infrastructure Database system that you created earlier.

    • dbaName: A database user with the SYSDBA privilege. For instances based on Oracle WebLogic Server 12c (any version), you can use the database user SYS.

    • dbaPassword: The password that you specified for the database administrator while creating the Oracle Cloud Infrastructure Database system.

    • configureLoadBalancer: true

      Note:

      If you need the ability to configure the load balancer (add or modify listeners, use your own certificates, and so on), then don't include this field in the request body. Don't include the fields under loadbalancer either. Create an instance of Oracle Cloud Infrastructure Load Balancing manually. See Set Up an Oracle Cloud Infrastructure Load Balancer.
    • loadbalancer.loadBalancingPolicy: Specify one of the following:
      • LEAST_CONN: Each new request is routed to the server with the least number of active connections.

      • IP_HASH: Requests from the same client are always routed to the same server, if the server is available.

      • ROUND_ROBIN: The load balancer selects the next server for each request by cycling through the available servers in a fixed order.

    • loadbalancer.subnets: The OCIDs of the subnets for the load-balancer nodes. If the region you've selected has only one availability domain, then specify only one subnet.

    • cloudStorageContainer: The URL of the Oracle Cloud Infrastructure Object Storage bucket (for example, https://swiftobjectstorage.us-ashburn-1.oraclecloud.com/v1/mynamespace/jcs_bucket).

    • cloudStorageUser: The user name of the user who created the bucket or has access to it.

    • cloudStoragePassword: The authentication token that you generated.

    The following example shows a completed request body.
    {
      "serviceName"          : "myJCS",
      "region"               : "us-ashburn-1",
      "availabilityDomain"   : "QnsC:US-ASHBURN-AD-1",
      "subnet"               : "ocid1.subnet.oc1.iad.aaaaaaaamgxfkk5... (truncated)",
      "vmPublicKeyText"      : "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA... (truncated)",
      "components": {
        "WLS": {
          "adminUserName"               : "adminuser",
          "adminPassword"               : "password",
          "sampleAppDeploymentRequested": "true",
          "clusters": [
            {
              "clusterName"             : "myJCScluster",
              "serverCount"             : "2",
              "shape"                   : "VM.Standard2.1",
              "type"                    : "APPLICATION_CLUSTER"
            }
          ],
          "connectString"               : "//dbforjcs-scan.privatesubnet.paasvcn.oraclevcn.com:1521/pdb1.privatesubnet.paasvcn.oraclevcn.com",
          "dbaName"                     : "SYS",
          "dbaPassword"                 : "password"
        }
      },
      "configureLoadBalancer"           : true,
      "loadbalancer": {
        "subnets": [
          "ocid1.subnet.oc1.iad.aaaaaaaa6j5... (truncated)",
          "ocid1.subnet.oc1.iad.aaaaaaaaj4t... (truncated)"
        ],
        "loadBalancingPolicy"           : "LEAST_CONN"
      },
      "cloudStorageContainer": "https://swiftobjectstorage.us-ashburn-1.oraclecloud.com/v1/mynamespace/jcs_bucket",
      "cloudStorageUser"     : "john.smith@example.com",
      "cloudStoragePassword" : "sometoken"
    }
  2. Send the REST API request.
    curl -X POST restEndpoint/paas/api/v1.1/instancemgmt/identityServiceID/services/jaas/instances \
    -u user:password \
    -H 'X-ID-TENANT-NAME: identityServiceID' \
    -H 'Content-Type: application/json' \
    -d @requestBodyFile
    • restEndpoint: The REST endpoint URL of Oracle Java Cloud Service.

    • identityServiceID: The identity service ID of your Oracle Cloud account. See Find Your Oracle Identity Cloud Service Tenant Name in Administering Oracle Identity Cloud Service.

    • user: Your Oracle Cloud user name.

    • password: Your Oracle Cloud password.

    • requestBodyFile: The path and name of the file containing the request body.

    The following is an example of a REST API request to create an Oracle Java Cloud Service instance.
    curl -X POST https://jaas.oraclecloud.com/paas/api/v1.1/instancemgmt/idcs-33e8886d2e6666e7777d14ffa9999e83/services/jaas/instances \
    -u john.smith@example.com:password \
    -H 'X-ID-TENANT-NAME: idcs-33e8886d2e6666e7777d14ffa9999e83' \
    -H 'Content-Type: application/json' \
    -d @create-jcs-instance-on-oci.json
    A message similar to the following is displayed, indicating that the request was accepted.
    {
      "details": {
        "message": "Submitted job to create service [myJCS] in domain [idcs-33e8886d2e6666e7777d14ffa9999e83].",
        "jobId": "50572730"
      }
    }
  3. In the message, note the value in the jobId field.
  4. Wait for the instance to be created.

    You can check the status in the Oracle Java Cloud Service web console.

    Alternatively, you can send the following REST API request to find out the status of the job.

    curl restEndpoint/paas/api/v1.1/activitylog/identityServiceID/job/ID \
    -u user:password \
    -H 'X-ID-TENANT-NAME: identityServiceID'
    • restEndpoint: The REST endpoint URL of Oracle Java Cloud Service.

    • identityServiceID: The identity service ID of your Oracle Cloud account.

    • ID: The job ID that you noted in the previous step.

    • user: Your Oracle Cloud user name.

    • password: Your Oracle Cloud password.

    The following is an example of a REST API request to check the status of a request to create an Oracle Java Cloud Service instance.
    curl https://jaas.oraclecloud.com/paas/api/v1.1/activitylog/idcs-33e8886d2e6666e7777d14ffa9999e83/job/50572730 \
    -u john.smith@example.com:password \
    -H 'X-ID-TENANT-NAME: idcs-33e8886d2e6666e7777d14ffa9999e83'

    In the output, look for the status field. It shows ready after the instance is created.
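As an added example (not part of this tutorial and not Oracle's tooling), the following Python script builds the connectString described in the database section, checks a request body against the field rules listed in step 1, and serializes it with json.dumps so the file passed to curl -d is always well-formed JSON, which a hand-edited template (a missing comma, for instance) is not guaranteed to be. The "brackets" rule for adminUserName is assumed here to cover [] and {}, and the OCIDs and credentials in EXAMPLE_BODY are constructed placeholders.

```python
import json
import re

# "Brackets" in the adminUserName rule is taken here to mean [] and {} (assumption).
FORBIDDEN_ADMIN_CHARS = set("\t[]{}()<>&#|?")
LB_POLICIES = {"LEAST_CONN", "IP_HASH", "ROUND_ROBIN"}

def build_connect_string(host_prefix, host_domain, pdb_name, vm=True):
    """VM DB systems are addressed through the SCAN name; bare metal uses the host itself."""
    host = f"{host_prefix}-scan" if vm else host_prefix
    return f"//{host}.{host_domain}:1521/{pdb_name}.{host_domain}"

def valid_service_name(name):
    return bool(re.fullmatch(r"[A-Za-z][A-Za-z0-9]{0,29}", name))

def valid_admin_user(user):
    return 8 <= len(user) <= 128 and not (set(user) & FORBIDDEN_ADMIN_CHARS)

def valid_admin_password(pw):
    return pw[:1].isalpha() and 8 <= len(pw) <= 30 and any(c.isdigit() for c in pw)

def valid_cluster_name(name):
    return bool(re.fullmatch(r"[A-Za-z][A-Za-z_-]{0,49}", name))

def validate(body):
    """Return the list of rule violations; an empty list means the body may be sent."""
    wls, errors = body["components"]["WLS"], []
    if not valid_service_name(body["serviceName"]):
        errors.append("serviceName: letter first, alphanumeric, at most 30 characters")
    if not valid_admin_user(wls["adminUserName"]):
        errors.append("adminUserName: 8-128 characters, none of tab [ ] { } ( ) < > & # | ?")
    if not valid_admin_password(wls["adminPassword"]):
        errors.append("adminPassword: starts with a letter, 8-30 characters, at least one digit")
    for cluster in wls["clusters"]:
        if not valid_cluster_name(cluster["clusterName"]):
            errors.append("clusterName: letter first, letters/_/- only, at most 50 characters")
        if cluster["serverCount"] not in {"1", "2", "4", "8"} or cluster["type"] != "APPLICATION_CLUSTER":
            errors.append("cluster: serverCount must be 1, 2, 4 or 8 and type APPLICATION_CLUSTER")
    if body.get("configureLoadBalancer"):
        lb = body.get("loadbalancer", {})
        if lb.get("loadBalancingPolicy") not in LB_POLICIES or not 1 <= len(lb.get("subnets", [])) <= 2:
            errors.append("loadbalancer: policy LEAST_CONN/IP_HASH/ROUND_ROBIN and 1 or 2 subnet OCIDs")
    return errors

def render(body):
    return json.dumps(body, indent=2)  # serializer output is always well-formed JSON for curl -d @file

# Constructed example with placeholder OCIDs and credentials (not real values).
EXAMPLE_BODY = {
    "serviceName": "myJCS",
    "components": {"WLS": {
        "adminUserName": "adminuser", "adminPassword": "Welcome1x",
        "clusters": [{"clusterName": "myJCScluster", "serverCount": "2",
                      "shape": "VM.Standard2.1", "type": "APPLICATION_CLUSTER"}],
        "connectString": build_connect_string("dbforjcs", "privatesubnet.paasvcn.oraclevcn.com", "pdb1"),
        "dbaName": "SYS", "dbaPassword": "PLACEHOLDER"}},
    "configureLoadBalancer": True,
    "loadbalancer": {"subnets": ["ocid1.subnet.oc1.iad.PLACEHOLDER"], "loadBalancingPolicy": "LEAST_CONN"},
}
```

Run validate() on the full body before sending it; the region, subnet and storage fields are passed through unchanged.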
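Also added here, and not Oracle's code: a Python poller for step 4 that sends the same HTTP Basic credentials and X-ID-TENANT-NAME header as the curl request, extracts jobId from the acceptance message shown in step 2, and waits until the job's status field reads ready. It assumes status is a top-level field of the activity-log response, and fetch is injectable so the loop can be exercised offline with constructed responses.

```python
import base64
import json
import time
import urllib.request


def job_url(rest_endpoint, identity_service_id, job_id):
    """Status URL for a provisioning job, in the form used by the curl request in step 4."""
    return f"{rest_endpoint}/paas/api/v1.1/activitylog/{identity_service_id}/job/{job_id}"


def auth_headers(user, password, identity_service_id):
    """HTTP Basic credentials (what curl -u sends) plus the tenant header the service requires."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}", "X-ID-TENANT-NAME": identity_service_id}


def job_id_from_response(response_text):
    """Pull jobId out of the acceptance message returned by the create request (step 2)."""
    return json.loads(response_text)["details"]["jobId"]


def is_ready(status_text):
    """Assumption: the activity-log response carries a top-level "status" field."""
    return str(json.loads(status_text).get("status", "")).lower() == "ready"


def http_get(url, headers):
    """Real transport: one authenticated GET, body returned as text."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def wait_for_job(rest_endpoint, identity_service_id, job_id, user, password,
                 poll_seconds=60, timeout_seconds=3600, fetch=http_get):
    """Poll until the job is ready; return False if the timeout passes first.

    fetch(url, headers) defaults to http_get and can be swapped for a stub in tests.
    """
    url = job_url(rest_endpoint, identity_service_id, job_id)
    headers = auth_headers(user, password, identity_service_id)
    deadline = time.monotonic() + timeout_seconds
    while True:
        if is_ready(fetch(url, headers)):
            return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(poll_seconds)
```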

Note:

The compute nodes of Oracle Java Cloud Service instances that are attached to private subnets in Oracle Cloud Infrastructure have private IP addresses. So you can’t SSH to the nodes or access the administration consoles of such instances from the public Internet.

You can access the administration consoles and connect to the nodes of such instances through a bastion host attached to a public subnet.