6 Configuring High Availability for ODI on Oracle Cloud Marketplace

This chapter helps you configure a High Availability (HA) topology for Oracle Data Integrator on Oracle Cloud Marketplace. The sections in this chapter outline the concepts and steps that are important for designing a high availability deployment.

6.1 Prerequisites for setting up 2-Node Cluster for High Availability

Make sure the following prerequisites are in place before setting up the 2-Node Cluster for High Availability:

  1. OCI Virtual Cloud Network (VCN) setup that supports communication with all the compute instances created in its subnet.
    • All the communication channels are through private IPs.
    • External communication established outside the subnet is through public IPs.
    • Properly configured for Ingress/Egress. For more information, see Enabling Incoming Ports and Services.
  2. Autonomous Transaction Processing instance having the following configuration so as to leverage auto scaling and access to the DBMS_CLOUD package:
    • Workload type: Transaction Processing
    • Deployment type: Shared Infrastructure
    • Network Access: Allow secure access from everywhere
  3. ADB or DBaaS instance created in the same subnet and VCN as described in Step 1.
  4. ODI compute instance 1 created in the same subnet and VCN as described in Step 1.
  5. ODI compute instance 2 created in the same subnet and VCN as described in Step 1 but with a different availability domain.
  6. Firewall configurations in all the compute instances that are part of the cluster. For more information, see Firewall Rules.

6.2 Creating and configuring the ODI Domain

6.2.1 Creating a domain on Node 1

Follow the below steps to create the domain on Node 1:
  1. Navigate to the /u01/oracle/mwh/oracle_common/common/bin directory.
  2. Execute config.sh to start the Configuration Wizard.
  3. In the first screen, click Next.
  4. In the Configuration Type screen, specify “/u01/oracle/mwh/user_projects/domains/odi_domain” in the Domain Location field. Click Next to continue.
  5. In the Templates screen, select Oracle Data Integrator – Agent [odi] (which will auto-select Oracle Data Integrator – Agent Libraries [odi] and Oracle Data Integrator SDK Shared Libraries Template [odi]), Oracle Data Integrator – Console [odi] and Oracle Enterprise Manager Plugin for ODI [em] (which will auto-select Oracle Enterprise Manager [em]) from the Available Templates field. Click Next to continue.
  6. In the Application Location screen, click Next.
  7. In the Administrator Account screen, provide the following information and click Next:
    1. Name: Specify weblogic.
    2. Password: Enter the password that you would like to assign to the weblogic user.
  8. In the Domain Mode and JDK screen, select Production and click Next.
  9. In the Database Configuration Type screen, provide the following information:
    1. URL: If your repository is in DBCS/Exa, specify "jdbc:oracle:thin:@<HOST>:<PORT>/<SERVICE_NAME>" as the URL. If your repository is in ADW/ATP, specify "jdbc:oracle:thin:@(description= (retry_count=20)(retry_delay=3)(address=(protocol=tcps)(port=1522)(host=<HOST>))(connect_data=(service_name=<SERVICE_NAME>))(security=(ssl_server_cert_dn="CN=adwc.uscom-east-1.oraclecloud.com,OU=Oracle BMCS US,O=Oracle Corporation,L=Redwood City,ST=California,C=US")))" as the URL.
    2. Schema Owner: Specify <ODI_PREFIX>_STB.
    3. Schema Password: Enter the schema owner password.
  10. If your repository is in DBCS/Exa, skip this step; if your repository is in ADW/ATP, click Connection Properties and verify that you have the following properties in place (in addition to what is already there):
    oracle.net.authentication_service TCPS
    oracle.net.ssl_server_dn_match false
    javax.net.ssl.trustStore <PATH>/cwallet.sso
    javax.net.ssl.keyStoreType SSO
    javax.net.ssl.keyStore <PATH>/cwallet.sso
    javax.net.ssl.trustStoreType SSO
    

    where <PATH> is the path to the wallet directory

  11. Click Get RCU Configuration. If the connection is successful, the Next button will be activated. Click Next.
  12. In the JDBC Component Schema screen, if your ODI repository is in DBCS/Exa, skip to step 13. If it is in ADW/ATP, select Local SvcTbl Schema. Verify that all the connection information (that is, URL and connection properties) is correct.
  13. Deselect Local SvcTbl Schema and select the following schemas:
    • WLS Schema
    • ODI Master Schema
    • ODI Work Schema
    • OPSS Audit Schema
    • OPSS Audit Viewer
    • OPSS Schema

    Verify that all the connection information (that is, URL and connection properties) is correct.

  14. When the connection information to all schemas has been verified, click Next.
  15. In the JDBC Component Schema Test screen, verification of all schemas will happen. As they pass the verification, a green check mark will appear. When all the schemas show a check mark in the Status column, click Next.
  16. In the Credentials screen, provide the following information and click Next:
    1. Username: Specify SUPERVISOR.
    2. Password: Specify the password for the SUPERVISOR.
  17. In the Advanced Configuration screen, select Administration Server, Node Manager, Topology and Deployments and Services. Click Next.
  18. In the Administration Server screen, provide the following information and click Next:
    1. Listen Address: Specify the private IP address of Node 1.
    2. Listen Port: Specify the port you want (7001/ 13001) for it.
  19. In the Node Manager screen, provide the following information and click Next:
    1. Node Manager Type: Select Per Domain Default Location.
    2. Username: Specify weblogic.
    3. Password: Enter the password for the weblogic user.
    4. Confirm Password: Enter the password for the weblogic user.
  20. In the Managed Servers screen, add the following information and click Next:
    1. Specify ODI_server1 as the Server Name and the ODI Node 1 Private IP Address as the Listen Address. Assign the Listen Port (8001/15101) and make sure that the Server Groups is (ODI-MGD …).
    2. Specify ODI_server2 as the Server Name and the ODI Node 2 Private IP Address as the Listen Address. Assign the Listen Port (8001/15101) and make sure that the Server Groups is (ODI-MGD …).
  21. In the Clusters screen, click Next.
  22. In the Server Templates screen, assign the port (7100/13100) for both templates in the Listen Port field. Click Next.
  23. In the Dynamic Servers screen, click Next.
  24. In the Assign Servers to Clusters screen, assign both servers to "ODI_Cluster1" and click Next.
  25. In the Coherence Clusters screen, specify the port (7574/13574) in the Cluster Listen Port field. Click Next.
  26. In the Machines screen, select the Unix Machine tab, then click Add to provide the following information:
    1. Specify odi-node1 in the Name field and the private IP Address of ODI Node 1 in the Node Manager Listen Address field. Assign the port for the Node Manager (5556/9556).
    2. Specify odi-node2 in the Name field and the private IP Address of ODI Node 2 in the Node Manager Listen Address field. Assign the port for the Node Manager (5557/9557). Click Next.
  27. In the Assign Servers to Machines screen, make sure that “AdminServer” and “ODI_server1” are assigned to “odi-node1” and “ODI_server2” is assigned to “odi-node2”. Click Next.
  28. In the Virtual Targets screen, click Next.
  29. In the Partitions screen, click Next.
  30. In the Deployments Targeting screen, click Next.
  31. In the Services Targeting screen, click Next.
  32. In the Configuration Summary screen, click Create.
  33. In the Configuration Progress screen, a green check will appear as the tasks progress. This indicates that the task finished successfully. Once everything finishes, click Next.
  34. In the End of Configuration screen, make a note of the first link as that is your domain path. On clicking the second link, a web browser will appear. Disregard the error message and copy the URL. Click Finish.

6.2.2 Setting up the Administration Server on Node 1

Follow the below steps to set up the administration server on Node 1:
  1. If your repository is in DBCS/Exa, skip to step 4. If your repository is in ADW/ATP, navigate to the /u01/oracle/mwh/user_projects/domains/odi_domain/config/fmwconfig directory.
  2. Make a backup copy of the jps-config.xml file as follows:
    cp jps-config.xml jps-config.xml.ORIG
  3. Edit the file and add the following entries just after the “jdbc url” entry:
    <property name="javax.net.ssl.trustStore" value="/home/opc/.odi/oracledi/userlib/<PATH>/cwallet.sso"/>
    <property name="oracle.net.authentication_service" value="TCPS"/>
    <property name="oracle.net.ssl_server_dn_match" value="false"/>
    <property name="javax.net.ssl.keyStoreType" value="SSO"/>
    <property name="javax.net.ssl.trustStoreType" value="SSO"/>
    <property name="javax.net.ssl.keyStore" value="/home/opc/.odi/oracledi/userlib/<PATH>/cwallet.sso"/>
  4. Navigate to the /u01/oracle/mwh/user_projects/domains/odi_domain directory.
  5. Start the administration server using the following command:
    ./startWebLogic.sh
  6. Enter the weblogic admin user and password. Wait for the server to start.
  7. Using a web browser, log into WebLogic.
  8. Click Lock & Edit available at the top left corner of the screen.
  9. Using the left side panel, navigate to Environments > Machines.
  10. Drill down on Node 1 (odi-node1).
  11. On the right side of the screen, select Configuration and Node Manager.
  12. In the Type field, select Plain.
  13. Click Save.
  14. Repeat steps 9 – 13 to do the same for Node 2 (odi-node2). That is, perform the following steps for Node 2:
    1. Using the left side panel, navigate to Environments > Machines.
    2. Drill down on Node 2 (odi-node2).
    3. On the right side of the screen, select Configuration and Node Manager.
    4. In the Type field, select Plain.
    5. Click Save.
  15. Using the left side panel, navigate to Environments > Servers.
  16. Drill down on Node 1 (ODI_server1).
  17. On the right side of the screen, select Configuration and SSL.
  18. Click Advanced available at the bottom of the screen.
  19. In the Hostname Verification field, select None.
  20. Click Save.
  21. On the right side of the screen, select Configuration and Server Start.
  22. In the Arguments field, provide the following information:
    -Dtangosol.coherence.localport=8095
    -Doracle.odi.coherence.wka1=<PRIVATE_IP_ADDRESS_NODE1>
    -Doracle.odi.coherence.wka1.port=8095
    -Doracle.odi.coherence.wka2=<PRIVATE_IP_ADDRESS_NODE2>
    -Doracle.odi.coherence.wka2.port=8096
    
  23. At the bottom of the screen, provide the following information:
    1. User Name: Specify weblogic.
    2. Password: Enter the password for the weblogic user.
    3. Confirm Password: Enter the password for the weblogic user.
  24. Click Save.
  25. Repeat steps 15 – 24 to do the same for Node 2. That is, perform the following steps for Node 2:
    1. Using the left side panel, navigate to Environments > Servers.
    2. Drill down on Node 2 (ODI_server2).
    3. On the right side of the screen, select Configuration and SSL.
    4. Click Advanced available at the bottom of the screen.
    5. In the Hostname Verification field, select None. Click Save.
    6. On the right side of the screen, select Configuration and Server Start.
    7. In the Arguments field, provide the following information:
      -Dtangosol.coherence.localport=8096
      -Doracle.odi.coherence.wka1=<PRIVATE_IP_ADDRESS_NODE1>
      -Doracle.odi.coherence.wka1.port=8095
      -Doracle.odi.coherence.wka2=<PRIVATE_IP_ADDRESS_NODE2>
      -Doracle.odi.coherence.wka2.port=8096
      
    8. At the bottom of the screen, specify weblogic in the User Name field. Provide the password for the weblogic user in the Password and Confirm Password fields.
    9. Click Save.
  26. Click Activate Changes available at the top left corner of your screen.
  27. Using the left side panel, navigate to Environments > Servers; on the right side of the screen, select Control and then select AdminServer from the Server field.
  28. Click Shutdown and select Force shutdown now from the dropdown menu.
  29. To exit the session, click Yes. Leave the web browser open.
  30. Start a new terminal and navigate to the /u01/oracle/mwh/user_projects/domains/odi_domain/servers/AdminServer directory.
  31. Create a new directory as follows:
    mkdir security
  32. Move into that directory using the following command:
    cd security
  33. Create a new file called “boot.properties” in the AdminServer/security directory using the following command:
    vi boot.properties
  34. Add the following content and save the file:
    username=weblogic
    password=<WEBLOGIC_PASSWORD>
    
  35. Disable the secure listener. Navigate to the following directory:
    cd /u01/oracle/mwh/user_projects/domains/odi_domain/nodemanager
  36. Edit the "nodemanager.properties" file using the following command:
    vi nodemanager.properties
  37. Look for the entry “SecureListener=true” and change it to “SecureListener=false”. Save the file.
  38. If ODI was provisioned before stack release 12.2.1.4.200618, skip to step 17. If it was provisioned with stack release 12.2.1.4.200618 or later, execute the following steps:
    1. Navigate to the following directory:
      cd /u01/oracle/mwh/wlserver/server/bin
    2. Copy the following file:
      cp startNodeManager.sh startNodeManager.sh.OLD
    3. Edit the following file:
      vi startNodeManager.sh
    4. Change line 52 from WL_HOME="/home/opc/oracle/wlserver" to WL_HOME="${MW_HOME}/wlserver".
  39. Return to your first terminal.
  40. Start the WebLogic server again and send the process to the background using the following command:
    nohup ./startWebLogic.sh &
  41. Monitor the startup process using the following command:
    tail -100 nohup.out
  42. Once the server is up and running, start the Node Manager. Move to the bin directory using the following command:
    cd bin
  43. Execute “startNodeManager” and send the process to the background using the following command:
    nohup ./startNodeManager.sh &
  44. Monitor the startup process using the following command:
    tail -100 nohup.out
  45. Verify the Node Manager. Go back to the web browser and log into the WebLogic Server.
  46. Using the left side panel, navigate to Environments > Machines.
  47. Drill down on Node 1 (odi-node1).
  48. On the right side of the screen, select Monitoring and then Node Manager Status. You can view the current status information for the Node Manager instance configured for the machine.

6.2.3 Setting up the ODI agent on Node 1

Follow the below steps to set up the ODI agent on Node 1:
  1. Start ODI Studio.
  2. Navigate to the Topology tab.
  3. Define a new agent as follows:
    1. Name: Specify OracleDIAgent as the agent name.
    2. Host: Enter the private IP address of the ODI node (Node1).
    3. Port: Specify the port defined for the managed server “ODI_server1” (15101 / 8001).
  4. Save the configuration.
  5. Define the corresponding logical agent and save it.
  6. In the web browser, using the left side panel of the WebLogic Server, navigate to Environments > Servers.
  7. On the right side of the screen, select Control and then select ODI_server1.
  8. Click Start.
  9. In the Server Life Cycle Assistant screen, click Yes.
  10. Keep refreshing the page until you see a “RUNNING” status for ODI_server1.
  11. Verify the deployment. Navigate to the Deployments screen using the hierarchy pane on the left side of your screen.
  12. Test the agent. Using the left side panel of the WebLogic Server, navigate to Environments > Servers.
  13. Drill down on Server 1 (ODI_server1).
  14. On the right side of the screen, select Deployments.
  15. Drill down on the agent (oraclediagent).
  16. On the right side of the screen, select Testing.
  17. Expand the oraclediagent node.
  18. Click the URL available in the Test Point field.
  19. Save it for future reference.
  20. Go back to ODI Studio.
  21. Click Test. You should receive a “Successful test” message.
  22. Log out from ODI Studio.

6.2.4 Packing the domain on Node 1

Follow the below steps to pack the domain on Node 1:
  1. Shut down ODI_server1 and go back to your browser.
  2. Using the left side panel of the WebLogic Server, navigate to Environments > Servers.
  3. On the right side of the screen, select Control and then select ODI_server1.
  4. Click Shutdown and then select Force shutdown now from the drop-down list.
  5. Click Yes in the Server Life Cycle Assistant screen.
  6. Shut down the Node Manager. In the terminal screen, navigate to the following directory:
    cd /u01/oracle/mwh/user_projects/domains/odi_domain/bin
  7. Stop the Node Manager. Execute the following command:
    ./stopNodeManager.sh
  8. Navigate to the following directory:
    cd /u01/oracle/mwh/oracle_common/common/bin
  9. Pack the domain information. Execute the following command:
    ./pack.sh -domain=/u01/oracle/mwh/user_projects/domains/odi_domain -template=odiclusterdomain.jar -template_name=odiclusterdomain -managed=true

6.2.5 Unpacking the domain on Node 2

Follow the below steps to unpack the domain on Node 2:
  1. Copy the file from Node 1 to Node 2. The method shown here uses the "scp" command. If you prefer to use a different method (for example, a third-party tool like WinSCP or FileZilla), skip this step. From Node 1, execute the following command:
    scp -i <PRIVATE_KEY_FILE_PATH> odiclusterdomain.jar opc@<IP_ADDRESS_NODE2>:/<PATH>
  2. In Node 2, navigate to the following directory:
    cd /u01/oracle/mwh/oracle_common/common/bin
  3. Unpack the domain. Execute the following command:
    ./unpack.sh -domain=/u01/oracle/mwh/user_projects/domains/odi_domain -template=<PATH>/odiclusterdomain.jar
  4. If ODI was provisioned with stack release 12.2.1.4.200618 or later, execute the following steps:
    1. Navigate to the following directory:
      cd /u01/oracle/mwh/wlserver/server/bin
    2. Copy the following file:
      cp startNodeManager.sh startNodeManager.sh.OLD
    3. Edit the following file:
      vi startNodeManager.sh
    4. Change line 52 from WL_HOME="/home/opc/oracle/wlserver" to WL_HOME="${MW_HOME}/wlserver".

6.2.6 Setting up the Managed Server and Node Manager on Node 2

Follow the below steps to set up the managed server and node manager on Node 2:
  1. Navigate to the following directory:
    cd /u01/oracle/mwh/user_projects/domains/odi_domain/nodemanager
  2. Edit the nodemanager.properties file. Execute the following command:
    vi nodemanager.properties
  3. Verify that the value for the “ListenAddress” entry shows the Node 2 private IP address, and the value for the “ListenPort” entry shows the Node 2 node manager listen port (5557/9557).
  4. Restart Node Manager in both nodes. Navigate to the following directory:
    cd /u01/oracle/mwh/user_projects/domains/odi_domain/bin
  5. Execute “startNodeManager” and send the process to the background using the following command:
    nohup ./startNodeManager.sh &
  6. Monitor the startup process using the following command:
    tail -100 nohup.out
  7. Verify both the Node Managers. In the web browser, log into the WebLogic Server.
  8. Using the left side panel, navigate to Environments > Machines.
  9. Drill down on Node 1 (odi-node1).
  10. On the right side of the screen, select Monitoring and then Node Manager Status. You can view the current status information for the Node Manager instance configured for the machine.
  11. Repeat steps 7 to 10 but now with Node 2 (odi-node2).
  12. Start both the ODI servers.
  13. Using the left side panel of the WebLogic server, navigate to Environments > Servers.
  14. On the right side of the screen, select Control and then select ODI_server1.
  15. Click Start.
  16. Click Yes in the Server Life Cycle Assistant screen.
  17. Keep refreshing the page until you see a “RUNNING” status for ODI_server1.
  18. Repeat steps 12 to 14 but now with Node 2 (ODI_server2).
  19. In Node 2, start ODI Studio.
  20. Click No in the Confirm Import Preferences screen.
  21. From the welcome screen, click Connect to Repository.
  22. If you want to create a wallet to store ODI passwords, select Store passwords in secure wallet in the New Wallet Password screen and provide the password. Otherwise, select Store passwords without secure wallet. Click OK.
  23. Click the "+" sign in the Oracle Data Integrator Login screen.
  24. In the Repository Connection Information screen, provide the following information:
    1. Login Name: This will be the name of the connection to repository. Assign any name you deem appropriate. We recommend using the same name you used in Node 1.
    2. User: Specify SUPERVISOR.
    3. Password: Specify the password for the SUPERVISOR.
    4. User: Specify the owner of the repository, which is DEV_ODI_REPO in this case.
    5. Password: Specify the password for DEV_ODI_REPO.
    6. Driver List: Select Oracle JDBC Driver.
    7. URL: Specify the JDBC database URL as follows:
      jdbc:oracle:thin:@<SERVER>:<PORT>/<SERVICE>
  25. Click Test. You will receive a confirmation of the connection. Click OK in the Information screen.
  26. Select Work Repository and then click on the magnifying glass on the far right.
  27. In the Select Repository screen, select WORKREP and click OK.
  28. If everything is fine, a successful connection message will be sent. Click OK in the Information screen.
  29. Click OK in the Repository Connection Information screen.
  30. Click OK again to log into ODI Studio.
  31. Navigate to the Topology tab.
  32. Open OracleDIAgent.
  33. Change the Host field to point to the Node 2 private IP Address.
  34. Save the configuration.
  35. Click Test. You should receive a success message.
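
The file checks from steps 33 to 37 of Setting up the Administration Server on Node 1 and from step 3 of this section, scripted as an added example that is not part of Oracle's procedure. The function names, the sample file contents and the address 10.0.17.12 are constructed for illustration. The {AES prefix test relies on WebLogic rewriting boot.properties with encrypted values the first time the server boots with it.

```shell
#!/bin/sh
# Added example: audit boot.properties and nodemanager.properties after the
# edits made in this chapter. Function names and sample data are constructed.

# prop_value FILE KEY: print KEY's value from a Java-style properties file
# (comment lines skipped, blanks around key and value trimmed, last one wins).
prop_value() {
    awk -v want="$2" '
        { sub(/\r$/, "") }
        /^[ \t]*[#!]/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) { out = val; seen = 1 }
        }
        END { if (seen) print out }
    ' "$1"
}

# audit_boot_properties FILE: one finding per line, status 1 if any FAIL.
audit_boot_properties() (
    f=$1; rc=0
    [ -f "$f" ] || { echo "FAIL boot.properties: $f not found"; exit 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" = "------" ]; then
        echo "OK boot.properties: accessible by owner only"
    else
        echo "FAIL boot.properties: group/other permissions '$perms' (expected none, for example chmod 600)"
        rc=1
    fi
    for key in username password; do
        case $(prop_value "$f" "$key") in
            '')      echo "FAIL boot.properties: $key is missing"; rc=1 ;;
            '{AES'*) echo "OK boot.properties: $key is encrypted" ;;
            *)       echo "WARN boot.properties: $key is still cleartext (server has not booted with this file yet)" ;;
        esac
    done
    exit $rc
)

# audit_nodemanager FILE EXPECTED_IP EXPECTED_PORT: status 1 if any FAIL.
audit_nodemanager() (
    f=$1; want_ip=$2; want_port=$3; rc=0
    [ -f "$f" ] || { echo "FAIL nodemanager.properties: $f not found"; exit 1; }
    addr=$(prop_value "$f" ListenAddress)
    port=$(prop_value "$f" ListenPort)
    secure=$(prop_value "$f" SecureListener)
    if [ "$addr" = "$want_ip" ]; then echo "OK ListenAddress=$addr"
    else echo "FAIL ListenAddress='$addr' (expected $want_ip)"; rc=1; fi
    if [ "$port" = "$want_port" ]; then echo "OK ListenPort=$port"
    else echo "FAIL ListenPort='$port' (expected $want_port)"; rc=1; fi
    case $secure in
        false) echo "WARN SecureListener=false: Node Manager traffic on port $port is not TLS-protected" ;;
        true)  echo "OK SecureListener=true" ;;
        *)     echo "FAIL SecureListener='$secure' (expected true or false)"; rc=1 ;;
    esac
    exit $rc
)

# Constructed sample files for Node 2, not taken from a real system.
make_sample_files() {
    printf 'username=weblogic\npassword=constructed-placeholder\n' > "$1/boot.properties"
    chmod 644 "$1/boot.properties"
    printf '# constructed sample\nListenAddress = 10.0.17.12\nListenPort=5557\nSecureListener=false\n' \
        > "$1/nodemanager.properties"
}

demo() (
    d=$(mktemp -d) || exit 1
    make_sample_files "$d"
    audit_boot_properties "$d/boot.properties" || :
    audit_nodemanager "$d/nodemanager.properties" 10.0.17.12 5557 || :
    rm -rf "$d"
)
demo
```

On a real node, point the two functions at servers/AdminServer/security/boot.properties and nodemanager/nodemanager.properties under the domain directory, with that node's private IP address and Node Manager port.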

6.3 Configuring the Load Balancer

The load balancer can be either private or public. For more information on load balancers, refer to Overview of Load Balancing. Persistence should not be enabled on the load balancer.

Follow the below steps to create and configure the load balancer:

  1. Open the navigation menu. Under the Core Infrastructure group, go to Networking and click Load Balancers.
  2. Choose a Compartment you have permission to work in under Scope, and then click Create Load Balancer.
  3. Specify the attributes of the load balancer as follows:
    1. Load Balancer Name: Specify a name for your load balancer.
    2. Choose Visibility Type: Select Private.
    3. Choose the Maximum Total Bandwidth: Select Medium.
    4. Choose Networking: Select the same VCN and subnet where your ODI nodes are located.
  4. Click Next located at the left bottom corner of the screen.
  5. Click Add Backends to select resources from a list of available Compute instances.
  6. Select the two ODI nodes and click Add Selected Backends located at the bottom of the screen.
  7. Change the port of both nodes to point to the ODI Managed Servers “ODI_server1” and “ODI_server2” (8001 / 15101).
  8. In the Specify Health Check Policy section, provide the following information:
    1. Port: Provide the ODI Managed Servers port (8001/15101).
    2. URL Path (URI): Specify /oraclediagent/.
  9. Click Next located at the left bottom corner of the screen.
  10. In the Configure Listener section, provide the following information:
    1. Specify the type of traffic your listener handles: Select HTTP.
    2. Specify the port your listener monitors for ingress traffic: Specify 80.
  11. Click Show Advanced Options located at the bottom of the screen to access additional options.
  12. Specify 3600 in the Specify the Maximum Timeout in Seconds field.
  13. Click Submit located at the left bottom corner of the screen. This starts the provisioning process for the load balancer.
  14. Once the Load Balancer is provisioned, it will be shown as “Active” in the screen. Make a note of the private IP Address.
  15. At this time, start ODI Studio (in any node) and navigate to the Topology tab.
  16. Modify the agent “OracleDIAgent” as follows:
    1. Host: Specify the Load Balancer Private IP Address.
    2. Port: Specify 80.
  17. Click Test. The ODI Information dialog box should say, "Agent Test Successful".

6.3.1 Updating the Load Balancer Health Check

Follow the below steps to change the health check information for the load balancer:
  1. Drill down in the Load Balancer name.
  2. Click the Backends hyperlink available on the left panel.
  3. Drill down in the backend set name.
  4. Click the Backends hyperlink available on the left panel.
  5. Click Update Health Check located at the top of the screen.
  6. Modify the check information and click Save Changes located at the bottom of the screen. You will receive a message about the information being accepted.
  7. Test the ODI agent multiple times.

6.4 Enabling Incoming Ports and Services

To establish communication between the instances, you need to ensure that the underlying Security List (associated with the VCN) has all the IP protocols enabled.

The following is an example of a security list that enables communication between the instances participating in the High Availability (HA) cluster:

Note:

All the instances participating either directly or indirectly should be following the below ingress and egress rules.

Table 6-1 Ingress and Egress Rules Table

| Stateless | Source | IP Protocol | Source Port Range | Destination Port Range | Type and Code | Allows | Comments |
|---|---|---|---|---|---|---|---|
| No | 0.0.0.0/0 | TCP | All | 22 | Nil | TCP traffic for ports: 22 SSH Remote Login Protocol | For SSH communication, we need to open port # 22. |
| No | 0.0.0.0/0 | ICMP | Nil | Nil | 3,4 | ICMP traffic for: 3, 4 Destination Unreachable: Fragmentation Needed and Don't Fragment was Set | ICMP is a supporting protocol and at the minimum, ingress rules should allow for type 3, 4 and 8. For more information on ICMP protocols, refer to the IANA list. |
| No | 10.0.0.0/16 | ICMP | Nil | Nil | 3 | ICMP traffic for: 3 Destination Unreachable | ICMP is a supporting protocol and at the minimum, ingress rules should allow for type 3, 4 and 8. For more information on ICMP protocols, refer to the IANA list. |
| No | 0.0.0.0/0 | ICMP | Nil | Nil | 8 | ICMP traffic for: 8 Echo | ICMP is a supporting protocol and at the minimum, ingress rules should allow for type 3, 4 and 8. For more information on ICMP protocols, refer to the IANA list. |
| No | 0.0.0.0/0 | TCP | All | 1521 | Nil | TCP traffic for ports: 1521 | Port 1521 is for database traffic. |
| No | 0.0.0.0/0 | TCP | All | 443 | Nil | TCP traffic for ports: 443 HTTPS | Port 443 is the SSL traffic. |
| No | 0.0.0.0/0 | TCP | All | 7001 | Nil | TCP traffic for ports: 7001 | WLS Admin Server communication port. |
| No | 0.0.0.0/0 | TCP | All | 8001 | Nil | TCP traffic for ports: 8001 | Managed Server communication port for all nodes. |
| No | 0.0.0.0/0 | TCP | All | 5556 | Nil | TCP traffic for ports: 5556 | Node Manager Port in Node1. |
| No | 0.0.0.0/0 | TCP | All | 5557 | Nil | TCP traffic for ports: 5557 | Node Manager Port in Node2. |
| No | 0.0.0.0/0 | UDP | All | 7574 | Nil | UDP traffic for ports: 7574 | WLS Cluster port |
| No | 0.0.0.0/0 | TCP | All | 8095 | Nil | TCP traffic for ports: 8095 | Oracle Coherence port on Node1. |
| No | 0.0.0.0/0 | TCP | All | 8096 | Nil | TCP traffic for ports: 8096 | Oracle Coherence port on Node2. |
| No | 10.0.17.0/24 | TCP | All | 8001 | Nil | TCP traffic for ports: 8001 | Oracle ODI Agents both nodes |
| No | 0.0.0.0/0 | TCP | All | 7 | Nil | TCP traffic for ports: 7 ECHO | Coherence TCP Ring/IP Monitor death detection feature. |
| No | 10.0.17.0/24 | TCP | All | 80 | Nil | TCP traffic for ports: 80 | OCI Load balancer |
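
Because the prerequisites state that all communication channels run over private IPs, a security list can be reviewed for rows that open node-to-node ports to sources wider than the VCN. The following is an added example, not part of Oracle's documentation, that runs this review over the port-bearing rows of Table 6-1. The function names, the choice of 10.0.0.0/16 as the VCN CIDR and the classification of ports as node-to-node (read from the Comments column) are assumptions of the example.

```shell
#!/bin/sh
# Added example: flag Table 6-1 style ingress rules that expose node-to-node
# ports to sources outside the VCN. Names and port classification are assumptions.

# Ports this chapter uses only between cluster members: Admin Server, Node
# Managers, cluster port, Coherence WKA ports and death detection.
NODE_ONLY_PORTS="tcp/7001,tcp/5556,tcp/5557,udp/7574,tcp/8095,tcp/8096,tcp/7"

# Port-bearing rows of Table 6-1 as "SOURCE PROTOCOL DESTINATION_PORT".
table_6_1_rules() {
    cat <<'EOF'
0.0.0.0/0    TCP 22
0.0.0.0/0    TCP 1521
0.0.0.0/0    TCP 443
0.0.0.0/0    TCP 7001
0.0.0.0/0    TCP 8001
0.0.0.0/0    TCP 5556
0.0.0.0/0    TCP 5557
0.0.0.0/0    UDP 7574
0.0.0.0/0    TCP 8095
0.0.0.0/0    TCP 8096
10.0.17.0/24 TCP 8001
0.0.0.0/0    TCP 7
10.0.17.0/24 TCP 80
EOF
}

# audit_ingress VCN_CIDR [PORT_LIST]: reads rules on stdin, prints one NARROW
# line per node-to-node port whose source is not contained in VCN_CIDR.
# Exit status is 1 when at least one rule is flagged.
audit_ingress() {
    awk -v vcn="$1" -v ports="${2:-$NODE_ONLY_PORTS}" '
    function ip2int(ip,    o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # True when CIDR block "inner" lies entirely inside CIDR block "outer".
    function within(inner, outer,    a, b, size) {
        split(inner, a, "/"); split(outer, b, "/")
        if (a[2] == "") a[2] = 32          # bare address means a single host
        if (a[2] + 0 < b[2] + 0) return 0  # shorter prefix is a wider block
        size = 2 ^ (32 - b[2])
        return int(ip2int(a[1]) / size) == int(ip2int(b[1]) / size)
    }
    BEGIN { n = split(ports, p, ","); for (i = 1; i <= n; i++) node_only[p[i]] = 1 }
    /^[ \t]*(#|$)/ { next }
    {
        key = tolower($2) "/" $3
        if ((key in node_only) && !within($1, vcn)) {
            printf "NARROW %s: source %s is wider than VCN %s\n", key, $1, vcn
            bad++
        }
    }
    END { exit (bad > 0 ? 1 : 0) }
    '
}

# Review the table as published against the VCN CIDR used in its ICMP row.
table_6_1_rules | audit_ingress 10.0.0.0/16 || :
```

Ports 22, 443, 1521 and 8001 are left out of the default list because the table does not say whether they must be reachable from outside the VCN; pass a second argument to review them as well.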

6.5 Firewall Rules

Even after setting the ingress and egress rules, in some cases the instances may not allow the incoming traffic. This is because of the firewall associated with the instance. Make sure to enable all the communication ports by configuring the firewall.

The following is an example of the firewall commands that enable communication on the ingress/egress ports:

Firewall command to enable port communication between the nodes (run on both machines):


sudo firewall-cmd --permanent --new-service=odiwls
sudo firewall-cmd --permanent --service=odiwls --set-description="ODI WLS server"
sudo firewall-cmd --permanent --service=odiwls --add-port=7001/tcp
sudo firewall-cmd --permanent --add-service=odiwls
sudo firewall-cmd --reload

sudo firewall-cmd --permanent --new-service=odimanagedwls
sudo firewall-cmd --permanent --service=odimanagedwls --set-description="ODI WLS Managed Server"
sudo firewall-cmd --permanent --service=odimanagedwls --add-port=8001/tcp
sudo firewall-cmd --permanent --add-service=odimanagedwls
sudo firewall-cmd --reload

sudo firewall-cmd --permanent --new-service=odiwlsnodemgr1
sudo firewall-cmd --permanent --service=odiwlsnodemgr1 --set-description="ODI WLS Node Manager1"
sudo firewall-cmd --permanent --service=odiwlsnodemgr1 --add-port=5556/tcp
sudo firewall-cmd --permanent --add-service=odiwlsnodemgr1
sudo firewall-cmd --reload

sudo firewall-cmd --permanent --new-service=odiwlsnodemgr2
sudo firewall-cmd --permanent --service=odiwlsnodemgr2 --set-description="ODI WLS Node Manager2"
sudo firewall-cmd --permanent --service=odiwlsnodemgr2 --add-port=5557/tcp
sudo firewall-cmd --permanent --add-service=odiwlsnodemgr2
sudo firewall-cmd --reload

sudo firewall-cmd --permanent --new-service=odiwlscluster
sudo firewall-cmd --permanent --service=odiwlscluster --set-description="ODI WLS cluster"
sudo firewall-cmd --permanent --service=odiwlscluster --add-port=7574/udp
sudo firewall-cmd --permanent --add-service=odiwlscluster
sudo firewall-cmd --reload

sudo firewall-cmd --permanent --new-service=odiwlscoherencewk1
sudo firewall-cmd --permanent --service=odiwlscoherencewk1 --set-description="ODI WLS coherence WKA1"
sudo firewall-cmd --permanent --service=odiwlscoherencewk1 --add-port=8095/tcp
sudo firewall-cmd --permanent --add-service=odiwlscoherencewk1
sudo firewall-cmd --reload

sudo firewall-cmd --permanent --new-service=odiwlscoherencewk2
sudo firewall-cmd --permanent --service=odiwlscoherencewk2 --set-description="ODI WLS coherence WKA2"
sudo firewall-cmd --permanent --service=odiwlscoherencewk2 --add-port=8096/tcp
sudo firewall-cmd --permanent --add-service=odiwlscoherencewk2
sudo firewall-cmd --reload

TCP Ring port 32783 – Coherence Cluster

If you run a firewall, you need to configure it to enable the specified addresses and ports. Firewalls are not typically set up between cluster members. If a solution requires the use of a firewall, then ensure the following:

  • The cluster port (7574 by default) is open for both UDP and TCP for both multicast and unicast configurations.
  • TCP port 7 is open for the Coherence TCP Ring/IP Monitor death detection feature.
  • The unicast port range is open for both UDP and TCP traffic. Ensure that the unicast listen port range is explicitly set rather than relying upon a system assigned ephemeral port.

Cluster member unicast ports are automatically assigned from the operating system's available ephemeral port range. This ensures that Coherence cannot accidentally cause port conflicts with other applications. However, if a firewall is required between cluster members (an atypical configuration), then the port must be manually configured.

You can specify the unicast port using the -D arguments as shown below:

-Dcoherence.localport=9000 -Dcoherence.localport.adjust=9200

The coherence.localhost, coherence.localport, and coherence.localport.adjust system properties are used to specify the unicast port and automatic port adjustment settings instead of using the operational override file. The coherence.localport.adjust value is the upper limit to auto adjust the local ports. In the above example, the port range values used are 9000 and 9200. You can use any other port range.

You need to add the following firewall rule on both the nodes:

sudo firewall-cmd --permanent --new-service=odicoherencecluster
sudo firewall-cmd --permanent --service=odicoherencecluster --set-description="ODI Coherence Cluster TCP Ring"
sudo firewall-cmd --permanent --service=odicoherencecluster --add-port=32783/tcp
sudo firewall-cmd --permanent --add-service=odicoherencecluster
sudo firewall-cmd --reload
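
The requirement above that the unicast port range be open for both TCP and UDP has no matching firewall command on this page. The following added example, which is not Oracle's code, derives the range from the -Dcoherence.localport and -Dcoherence.localport.adjust arguments and prints the firewall-cmd lines for review. The service name odicoherenceunicast, its description and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: turn the Coherence unicast -D arguments into firewalld
# commands for both TCP and UDP. Commands are printed, not executed.

# jvm_prop NAME ARGS: print the value of -DNAME=value found in ARGS.
jvm_prop() (
    name=$1; shift
    for arg in $*; do
        case $arg in
            "-D$name="*) printf '%s\n' "${arg#*=}"; exit 0 ;;
        esac
    done
    exit 1
)

# unicast_range ARGS: print LOW-HIGH, or fail when the range is not explicit.
unicast_range() (
    lo=$(jvm_prop coherence.localport "$1") ||
        { echo "coherence.localport is not set" >&2; exit 1; }
    hi=$(jvm_prop coherence.localport.adjust "$1") ||
        { echo "coherence.localport.adjust is not set, so the range has no upper limit" >&2; exit 1; }
    case ${lo:-x}${hi:-x} in
        *[!0-9]*) echo "ports must be numeric to derive a firewall range" >&2; exit 1 ;;
    esac
    [ "$lo" -le "$hi" ] && [ "$hi" -le 65535 ] ||
        { echo "invalid range $lo-$hi" >&2; exit 1; }
    echo "$lo-$hi"
)

# firewalld_service_cmds NAME DESCRIPTION PORT/PROTO...: print the command
# sequence this page uses, with the same service name on every line.
firewalld_service_cmds() (
    svc=$1; desc=$2; shift 2
    echo "sudo firewall-cmd --permanent --new-service=$svc"
    echo "sudo firewall-cmd --permanent --service=$svc --set-description=\"$desc\""
    for p in "$@"; do
        echo "sudo firewall-cmd --permanent --service=$svc --add-port=$p"
    done
    echo "sudo firewall-cmd --permanent --add-service=$svc"
    echo "sudo firewall-cmd --reload"
)

# coherence_unicast_cmds ARGS: commands that open the unicast range.
coherence_unicast_cmds() (
    range=$(unicast_range "$1") || exit 1
    firewalld_service_cmds odicoherenceunicast "ODI Coherence unicast range" \
        "$range/tcp" "$range/udp"
)

# The argument values shown on this page.
coherence_unicast_cmds "-Dcoherence.localport=9000 -Dcoherence.localport.adjust=9200"
```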

TCP Port 7 – Coherence Death Detect

You need to add the following firewall rule on both the nodes:

sudo firewall-cmd --permanent --new-service=odicoherencedeathdetect
sudo firewall-cmd --permanent --service=odicoherencedeathdetect --set-description="ODI Coherence Cluster TCP Ring"
sudo firewall-cmd --permanent --service=odicoherencedeathdetect --add-port=7/tcp
sudo firewall-cmd --permanent --add-service=odicoherencedeathdetect
sudo firewall-cmd --reload

sudo firewall-cmd --list-all

Load Balancer HTTP Traffic to both nodes

You need to add the following firewall service on both the nodes:

sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --reload