Provision the Primary Infrastructure

Define the compartments, access requirements, and network topology first; then use the OCI Console to provision the resources for the primary infrastructure in that order.

About Provisioning the Primary Infrastructure

In this example configuration, the primary region for the PeopleSoft deployment is Ashburn, seen within the Oracle Cloud Infrastructure (OCI) Console as us-ashburn-1 with the abbreviation IAD. The complete PeopleSoft stack is deployed within a single availability domain (AD), in our case AD-2, which contains the following:

  • Oracle Exadata Database Service on Dedicated Infrastructure Quarter Rack
  • Application mid-tier servers
  • Oracle Cloud Infrastructure File Storage, which serves as a shared file system mounted by all application tier servers.

Provisioning all components within the same availability domain keeps network latency between components to a minimum.

This is a typical order of provisioning resources for the primary environment:

  1. Users and groups
  2. Compartments
  3. Policies
  4. Virtual Cloud Network (VCN)
  5. Within the VCN:
    1. Internet gateway
    2. NAT gateway
    3. Service gateway
    4. Route tables for each subnet
    5. Subnets for each zone or tier
    6. Security lists for each subnet
  6. Oracle Exadata Database Service on Dedicated Infrastructure
  7. Compute instances for application mid tiers
  8. OCI File Storage
  9. Load balancer

This solution playbook provides examples, but doesn't go into details for provisioning all of the resources. You don't need to provision all of the resources for every environment – for instance, a unit test environment might be much simpler. However, you must have groups and users, a compartment, the VCN, and at least one subnet.

Create Users, Groups, Compartments, and Policies

After you have designed the compartments that will hold the major components of your implementation, and what privileges different kinds of users should be granted to manage and secure those components, use the OCI Console to create your users, groups, compartments, and policies.

For example, we have two groups:

  • exa-admin-group
  • network-admin-group

Each group can have the same or a different set of users, and each group manages a specific set of resources. The exa-admin-group manages Exadata and database resources, while the network-admin-group manages all networking resources such as the VCN, route tables, subnets, and security lists.

You must create policies for these groups to manage their respective resources. Each policy statement is scoped to a compartment, so a group can act only on the resources in the compartment named in the statement. For the exa-admin-group, create a policy named exa-compartment-policy with the following policy statements:

  • Allow group exa-admin-group to manage instance-family in compartment psft-exadb-d-compartment
  • Allow group exa-admin-group to manage database-family in compartment psft-exadb-d-compartment
  • Allow group exa-admin-group to manage volume-family in compartment psft-exadb-d-compartment

For the network-admin-group, create a policy named network-compartment-policy with the following statements:

  • Allow group network-admin-group to manage virtual-network-family in compartment psft-network-compartment
  • Allow group psft-cloudadmin-group to use virtual-network-family in compartment psft-network-compartment
  • Allow group exa-admin-group to use virtual-network-family in compartment psft-network-compartment

Only network-admin-group gets the manage verb on the network. The groups that merely deploy into the network (exa-admin-group, psft-cloudadmin-group) get use, which lets them place VM clusters and compute instances on the existing subnets but does not let them create or delete the VCN, subnets, route tables, or security lists. Check every group name in a statement against the groups you actually created; a statement that names a group other than the one you intended leaves the intended administrators without access.

The general procedure is:

  1. Create a group for each specific set of privileges that must be granted.
  2. Create a compartment for each resource to be provisioned and for each logical collection of resources to be managed the same way.
  3. Create policies detailing which actions members of each group can take against elements in each compartment.
  4. Define the users who are members of each group.
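The policy statements above can be checked before they are applied. The following Python script is an added example, not part of this playbook or of any Oracle tool: it parses statements in the "Allow group ... to verb resource in compartment ..." form used on this page, flags any group or compartment that a statement names but that was never created (the sample input deliberately keeps a statement written against ebs-exa-admin-group, and psft-cloudadmin-group appears in a statement but not in the page's list of groups), flags tenancy-wide or manage-all-resources grants, and computes the effective permission matrix per group. The group and compartment inventory and the hypothetical-bad-policy entry are constructed for the example.

```python
import re
from collections import defaultdict

# Assumed inventory: the groups and compartments this page creates. Anything a
# policy statement references outside this inventory is flagged.
DEFINED_GROUPS = {"exa-admin-group", "network-admin-group"}
DEFINED_COMPARTMENTS = {"psft-exadb-d-compartment", "psft-network-compartment"}

# Constructed sample input: the page's policies, with one statement written against a
# group name that was never created, plus a hypothetical tenancy-wide policy that a
# reviewer should reject.
POLICIES = {
    "exa-compartment-policy": [
        "Allow group ebs-exa-admin-group to manage instance-family in compartment psft-exadb-d-compartment",
        "Allow group exa-admin-group to manage database-family in compartment psft-exadb-d-compartment",
        "Allow group exa-admin-group to manage volume-family in compartment psft-exadb-d-compartment",
    ],
    "network-compartment-policy": [
        "Allow group network-admin-group to manage virtual-network-family in compartment psft-network-compartment",
        "Allow group psft-cloudadmin-group to use virtual-network-family in compartment psft-network-compartment",
        "Allow group exa-admin-group to use virtual-network-family in compartment psft-network-compartment",
    ],
    "hypothetical-bad-policy": [
        "Allow group network-admin-group to manage all-resources in tenancy",
    ],
}

# Grammar of the statement form used on this page (no 'where' conditions).
STATEMENT_RE = re.compile(
    r"^Allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?:tenancy|compartment\s+(?P<compartment>\S+))$",
    re.IGNORECASE,
)
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}


def parse_statement(statement):
    """Split one policy statement into its parts; compartment is None for tenancy scope."""
    m = STATEMENT_RE.match(statement.strip())
    if m is None:
        raise ValueError(f"unparseable statement: {statement!r}")
    return {"group": m["group"], "verb": m["verb"].lower(),
            "resource": m["resource"].lower(), "compartment": m["compartment"]}


def lint_policies(policies, groups, compartments):
    """Return (policy, problem, detail) tuples for statements that grant to an unknown
    group, point at an unknown compartment, are scoped to the whole tenancy, or hand
    out manage on all-resources."""
    findings = []
    for policy, statements in policies.items():
        for statement in statements:
            try:
                p = parse_statement(statement)
            except ValueError as exc:
                findings.append((policy, "unparseable", str(exc)))
                continue
            if p["group"] not in groups:
                findings.append((policy, "unknown-group", p["group"]))
            if p["compartment"] is None:
                findings.append((policy, "tenancy-scope", statement))
            elif p["compartment"] not in compartments:
                findings.append((policy, "unknown-compartment", p["compartment"]))
            if p["verb"] == "manage" and p["resource"] == "all-resources":
                findings.append((policy, "overbroad", statement))
    return findings


def effective_grants(policies):
    """group -> scope -> resource family -> strongest verb granted across all policies."""
    grants = defaultdict(lambda: defaultdict(dict))
    for statements in policies.values():
        for statement in statements:
            p = parse_statement(statement)
            scope = p["compartment"] or "tenancy"
            current = grants[p["group"]][scope].get(p["resource"])
            if current is None or VERB_RANK[p["verb"]] > VERB_RANK[current]:
                grants[p["group"]][scope][p["resource"]] = p["verb"]
    return grants


if __name__ == "__main__":
    for finding in lint_policies(POLICIES, DEFINED_GROUPS, DEFINED_COMPARTMENTS):
        print("FINDING", *finding)
    for group, scopes in effective_grants(POLICIES).items():
        for scope, families in scopes.items():
            print(group, scope, dict(families))
```

Run it against the statements you intend to paste into the Console; the unknown-group finding is exactly the kind of typo that otherwise surfaces only when an administrator is denied access.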

Provision OCI Network Components

Create the primary VCN, and then the other network components.

Create the Primary Network

Create a virtual cloud network (VCN) from the Oracle Cloud Infrastructure (OCI) Console and define the size of the network (the total number of IP addresses) based on the CIDR block that you specify for the VCN.

  1. Log into the OCI Console.
  2. Open the navigation menu, click Networking, then Virtual Cloud Networks.
  3. Click Create VCN, then complete the following fields:
    1. Name: The name of the VCN.
      For example, cloudmaa-vcn.
    2. Choose a compartment in which to create the VCN.
      This example uses psft-network-compartment.
    3. IPv4 CIDR Blocks: Specify at least one, and up to five, non-overlapping IPv4 CIDR blocks for the VCN.
      This is where you define the size of the network. This example uses 10.0.0.0/16, a block of 65,536 IPv4 addresses (65,534 usable), which is later carved into /24 subnets per tier.
    4. (Optional) Enable IPv6 CIDR block: If selected, then it will provide a default /56 IPv6 CIDR block.
      IPv6 CIDR block is not selected in this example.
    5. Use DNS hostnames in this VCN: Select DNS Resolution.
    6. DNS Label: You can specify your own DNS label or let the system generate a label based on your VCN name.
  4. Click Create VCN.

The VCN appears on the Virtual Cloud Networks list page in the compartment.

Create the Gateways

All implementations use private subnets and a NAT gateway. If your network will have traffic going to and from the public internet, then create an internet gateway. If you need to reach region-local services, such as OCI Object Storage for backups and the YUM repository, then create a service gateway.

  1. Create a NAT gateway.
    1. Select Networking, then Virtual Cloud Networks in the OCI Console.
    2. Click the VCN that you created earlier to display the VCN Detail page.
    3. Click NAT Gateways, then click Create NAT Gateway.
    4. Enter a name for the NAT gateway.
      For example, maa-ngwy.
    5. Specify the compartment for the NAT gateway.
      For example, psft-network-compartment.
    6. Choose the type of public IP address you want, either Ephemeral or Reserved, for the NAT gateway.
      In either case, OCI generates an IP address and assigns it to this NAT gateway.
    7. Click Create NAT Gateway.
  2. Create an internet gateway.
    1. Click Internet Gateways on the Resources menu, then click Create Internet Gateway.
    2. Enter a name for the internet gateway.
      For example, maa-igwy.
    3. Specify the compartment for the Internet Gateway.
      For example, psft-network-compartment.
    4. Click Create Internet Gateway.
  3. Create a service gateway.
    1. Click Service Gateways on the Resources menu, then click Create Service Gateway.
    2. Enter a name for the service gateway.
      These gateways are specific to a region. In this example, the name includes the "iad" region that is hosting the gateway, maa-iad-sgw.
    3. Specify the compartment for the service gateway.
      For example, psft-network-compartment.
    4. Select All IAD Services in Oracle Services Network.
      This allows access to OCI Object Storage services and the region-local yum repository.
    5. Click Create Service Gateway.

Create the Route Tables

Although route tables and route rules are easier to design once your subnets are defined, it is simpler to create the route tables and rules before creating the subnets, because each subnet is associated with a route table when it is created. This example creates the route table db-private-RT and its route rules using the OCI Console.

  1. Select Networking, then Virtual Cloud Networks in the OCI Console.
  2. Click the VCN that you created earlier to display the VCN Detail page.
  3. Click Route Tables, then click Create Route Table.
  4. Enter a name for the route table.
    For example, db-private-RT.
  5. Specify the compartment for the route table.
    For example, psft-network-compartment.
  6. Create a route rule for the NAT gateway:
    1. Click + Add another Route Rule.
    2. Target type: Select NAT Gateway.
    3. Destination CIDR block: Enter 0.0.0.0/0. This sends traffic to any destination outside the VCN through the NAT gateway; traffic between subnets within the VCN is handled by the VCN's implicit local route and never reaches the NAT gateway. Because a NAT gateway only allows connections initiated from inside the VCN, instances in the private subnet get outbound internet access (for example, for patches) without being reachable from the internet.
    4. Compartment: Select the compartment in which the NAT gateway resides.
      For example, psft-network-compartment.
    5. Target NAT Gateway: Select your NAT gateway.
      For example, maa-ngwy.
    6. (Optional) Description: Enter a description.
  7. Create a route rule for the service gateway:
    1. Click + Add another Route Rule.
    2. Target type: Select Service Gateway.
    3. Destination Service: Select All IAD Services in Oracle Services Network.
    4. Compartment: Select the compartment in which the service gateway resides from the combo-box.
      For example, psft-network-compartment.
    5. Target Service Gateway: Select your service gateway from the combo-box.
      For example, maa-iad-sgw.
  8. Click Create Route Table.

A list of route tables appears in the OCI Console. Perform similar steps to create all of your route tables and route rules.

Create the Subnets

Create the subnet used for the Oracle Exadata Database Service on Dedicated Infrastructure client network. In this example, the subnet is exadb-private-subnet-ad2.

Note:

Consider the following:
  • All subnets reside in the psft-network-compartment compartment.
  • We appended ad2 at the end of the subnet name in this example to designate which availability domain the subnet resides in.
  • Oracle Exadata Database Service on Dedicated Infrastructure can have two separate subnets: one for the client network and one for the backup to object storage. To create the subnet dedicated to database backups to object storage, follow the steps, but choose a different CIDR block in Step 4d. We used 10.0.108.0/24 for our case study. Use the same route table (db-private-RT) since it has the route rule to the service gateway.

  1. Select Networking, then Virtual Cloud Networks in the OCI Console.
  2. Click the VCN that you created earlier to display the VCN Detail page.
  3. Click Subnets, then click Create Subnet.
  4. Complete the following information:
    1. Name: Enter a name for the subnet.
      For example, exadb-private-subnet-ad2.
    2. Compartment: Specify the compartment for the subnet.
      For example, psft-network-compartment.
    3. Subnet Type: select either Regional or Availability Domain-specific.
      This example uses Availability Domain-specific.
    4. CIDR Block: Select the CIDR for the subnet you are configuring.
      This example uses 10.0.101.0/24.
      To create the subnet dedicated to database backups to OCI Object Storage, choose a different CIDR block. For example, 10.0.108.0/24.
    5. Route Table: Select the route table to be used for this subnet.
      This example uses db-private-RT.
    6. Subnet Access: Choose if the subnet is to be Private or Public.
      For security, we chose Private for all subnets except the Bastion Host. Instances in a private subnet cannot be assigned public IP addresses, so they are reachable only through the bastion host, the load balancer, or other private connectivity.
    7. DNS Resolution: The check box is selected by default. If you have a different DNS resolution, then deselect the check box.
    8. DNS Label: Select the system-generated label or enter a specific label.
      The system-generated label is based on the subnet name.
    9. DHCP (Dynamic Host Configuration Protocol) Options: Use the default DHCP options or you can use these to specify a number of different options.
      Since we assigned IP addresses, we left the default DHCP options.
    10. Security Lists: You can specify them now or you can add them after you create the subnet. This example adds them later.
    11. Click Create Subnet.

Create Security Lists

Create your security lists from the OCI Console. This example creates a security list named db-private-seclist with two stateful ingress rules and one stateful egress rule.

  1. Log into the OCI Console. Click Networking, then Virtual Cloud Networks.
  2. Click the VCN that you created to display the VCN Detail page.
  3. Click Security Lists.
  4. Click Create Security List.
  5. Define the security list.
    1. Enter a name for the security list.
      For example, db-private-seclist.
    2. Specify in which compartment the security list should be by using the combo-box selection.
      For example, psft-network-compartment.
  6. Add an ingress rule.
    1. Under Allow Rule for Ingress, click + Another Ingress Rule.
    2. For Source Type, select CIDR (default) from the combo-box
    3. For Source CIDR, enter the CIDR block for this rule.
      For example, 10.0.101.0/24.
    4. For IP Protocol, select TCP from the combo-box
    5. For Source Port Range, enter All.
      Alternatively, you can enter a specific port number or port range.
    6. For Destination Port Range, enter All.
      Alternatively, you can enter a specific port number or port range.
    7. (Optional) Enter a description.
  7. Add a second ingress rule for the application private subnet (app-private-subnet-ad2).
    1. Click + Another Ingress Rule.
    2. For Source Type, select CIDR (default) from the combo-box
    3. For Source CIDR, enter the CIDR block for this rule.
      For example, enter the CIDR of the app-private-subnet-ad2: 10.0.103.0/24
    4. For IP Protocol, select TCP from the combo-box
    5. For Source Port Range, enter All.
      Alternatively, you can enter a specific port number or port range.
    6. For Destination Port Range, enter 1521.
    7. (Optional) Enter a description.
  8. Add an egress rule for CIDR.
    1. Under Allow Rule for Egress, click + Another Egress Rule.
      Leave the Stateless check box unchecked, as all egress rules in our implementation will be stateful.
    2. Destination Type: Select CIDR (default).
    3. Destination CIDR: Enter the CIDR block for this rule.
      For example, 10.0.101.0/24.
    4. IP Protocol: Select TCP.
    5. Source Port Range: Enter All.
      Alternatively, you can enter a specific port number or port range.
    6. Destination Port Range: Enter All.
      Alternatively, you can enter a specific port number or port range.
    7. (Optional) Enter a description.
  9. Click Create Security List.
  10. (Optional) You can add a second egress rule to allow ICMP (ping), either before you click Create Security List or later by editing the security list.
    1. Under Allow Rule for Egress, click + Another Egress Rule.
      Leave the Stateless check box unchecked, as all egress rules in our implementation will be stateful.
    2. Destination Type: Select CIDR (default).
    3. Destination CIDR: Enter the CIDR block for this rule.
      For example, 10.0.101.0/24.
    4. IP Protocol: Select ICMP.
    5. Type and Code: ICMP has no port ranges, so the port fields are replaced by optional Type and Code fields. Leave both blank to allow all ICMP types, or enter Type 8 (echo request) to permit only outbound ping.
    6. (Optional) Enter a description.

Add the Security List to the Subnet

Attach the security list db-private-seclist to the exadb-private-subnet-ad2 subnet.

  1. Select Networking, then Virtual Cloud Networks in the OCI Console.
  2. Click the VCN that you created earlier to display the VCN Detail page.
  3. Click Subnets, then click the subnet in the table.
    For example, click exadb-private-subnet-ad2.
  4. Click Add Security List.
  5. Security List Compartment: Select the compartment that the security list resides in.
    For example, psft-network-compartment.
  6. Select the security list from the combo-box.
    For example, db-private-seclist.
  7. Click Add Security List.

Once the security list is added, it takes effect immediately, and any later change to a security list also takes effect immediately. Adding a security list does not replace the Default Security List that was attached when the subnet was created: a subnet can have several security lists, and a packet is allowed if any rule in any attached list matches. The default list permits SSH (TCP port 22) from 0.0.0.0/0 and all egress, so remove it from the subnet if you want db-private-seclist to be the only rules in effect. Conversely, once only db-private-seclist applies, its single egress rule (TCP to 10.0.101.0/24) does not cover traffic to the Oracle Services Network through the service gateway or to the internet through the NAT gateway; add explicit egress rules (for example, to the service CIDR label for Object Storage backups) for the traffic you actually need.
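The route table, the security list rules above, and the Default Security List interact in ways the Console does not show. The following Python script is an added example, not part of this playbook: it models the page's VCN, subnets, db-private-RT, and db-private-seclist together with an assumed app-private-seclist, the app subnet assumed to share db-private-RT, and the Default Security List, and answers whether a host in one subnet can open a connection to another subnet, to the internet through the NAT gateway, or to the Oracle Services Network through the service gateway, checking source egress, then the route, then destination ingress, the order in which OCI evaluates them. Run with the Default Security List attached, SSH from the application subnet reaches the database subnet on port 22 through the default list's 0.0.0.0/0 rule; with it detached, only port 1521 gets through, but the database subnet also loses its path to Object Storage because db-private-seclist's only egress rule is to 10.0.101.0/24. It also verifies that subnet CIDRs fit inside the VCN and do not overlap. The host address 10.0.101.10 and the constructed overlapping subnets in the usage are assumptions.

```python
import ipaddress
from collections import namedtuple

OSN = "OSN"  # stands in for the "All IAD Services in Oracle Services Network" label

# One security list rule. direction: "ingress"/"egress"; proto: "tcp", "udp", "icmp" or
# "all"; target: source CIDR (ingress) or destination CIDR/OSN (egress); ports: (low, high)
# destination port range, or None for all ports. Every rule is stateful, as on the page.
Rule = namedtuple("Rule", "direction proto target ports")

# Constructed topology: the page's VCN, subnets, db-private-RT and db-private-seclist, plus
# an assumed app-private-seclist, the app subnet assumed to share db-private-RT, and the
# Default Security List that every subnet keeps until it is detached.
TOPOLOGY = {
    "vcn": "10.0.0.0/16",
    "subnets": {"exadb-private-subnet-ad2": "10.0.101.0/24",
                "app-private-subnet-ad2": "10.0.103.0/24",
                "exadb-backup-private-subnet-ad2": "10.0.108.0/24"},
    "route_tables": {"db-private-RT": [("0.0.0.0/0", "natgw:maa-ngwy"),
                                       (OSN, "servicegw:maa-iad-sgw")]},
    "subnet_rt": {"exadb-private-subnet-ad2": "db-private-RT", "app-private-subnet-ad2": "db-private-RT",
                  "exadb-backup-private-subnet-ad2": "db-private-RT"},
    "seclists": {
        "db-private-seclist": [Rule("ingress", "tcp", "10.0.101.0/24", None),
                               Rule("ingress", "tcp", "10.0.103.0/24", (1521, 1521)),
                               Rule("egress", "tcp", "10.0.101.0/24", None)],
        "app-private-seclist": [Rule("ingress", "tcp", "10.0.103.0/24", None),  # assumed
                                Rule("egress", "tcp", "10.0.0.0/16", None)],
        "Default Security List": [Rule("ingress", "tcp", "0.0.0.0/0", (22, 22)),
                                  Rule("egress", "all", "0.0.0.0/0", None)],
    },
    "subnet_seclists": {"exadb-private-subnet-ad2": ["Default Security List", "db-private-seclist"],
                        "app-private-subnet-ad2": ["Default Security List", "app-private-seclist"],
                        "exadb-backup-private-subnet-ad2": ["Default Security List", "db-private-seclist"]},
}

def _target_matches(target, peer):
    """Does a rule target (CIDR or the OSN label) cover a peer (IP string or OSN)?"""
    if peer == OSN:
        # Oracle Services Network endpoints have public IPs, so a 0.0.0.0/0 CIDR rule
        # covers them just as an explicit service-label rule does.
        return target in (OSN, "0.0.0.0/0")
    return target != OSN and ipaddress.ip_address(peer) in ipaddress.ip_network(target)

def _rule_allows(rule, direction, proto, peer, port):
    if rule.direction != direction or rule.proto not in ("all", proto):
        return False
    if not _target_matches(rule.target, peer):
        return False
    return rule.ports is None or port is None or rule.ports[0] <= port <= rule.ports[1]

def seclist_allows(attached, seclists, direction, proto, peer, port):
    """OCI unions every security list attached to a subnet: one matching rule anywhere allows."""
    return any(_rule_allows(r, direction, proto, peer, port)
               for name in attached for r in seclists[name])

def route_target(vcn, rules, dst):
    """Implicit 'local' inside the VCN, the service gateway rule for OSN, otherwise the
    longest-prefix CIDR match; None when no rule covers dst."""
    if dst == OSN:
        return next((t for d, t in rules if d == OSN), None)
    ip = ipaddress.ip_address(dst)
    if ip in vcn:
        return "local"
    hits = [(ipaddress.ip_network(d), t) for d, t in rules if d != OSN and ip in ipaddress.ip_network(d)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def find_subnet(subnets, ip):
    addr = ipaddress.ip_address(ip)
    return next((n for n, c in subnets.items() if addr in ipaddress.ip_network(c)), None)

def can_connect(topo, src_subnet, dst, proto, port):
    """Can a host in src_subnet open proto/port to dst (an IP or OSN)? Returns (ok, reason):
    source egress rules, then a route, then (for in-VCN targets) destination ingress rules."""
    vcn = ipaddress.ip_network(topo["vcn"])
    if not seclist_allows(topo["subnet_seclists"][src_subnet], topo["seclists"], "egress", proto, dst, port):
        return False, f"egress from {src_subnet} denied by its security lists"
    target = route_target(vcn, topo["route_tables"][topo["subnet_rt"][src_subnet]], dst)
    if target is None:
        return False, f"no route from {src_subnet} to {dst}"
    if target != "local":
        return True, f"routed via {target}"
    dst_subnet = find_subnet(topo["subnets"], dst)
    if dst_subnet is None:
        return False, f"{dst} is inside the VCN but in no defined subnet"
    src_ip = str(ipaddress.ip_network(topo["subnets"][src_subnet]).network_address)  # any source host
    if not seclist_allows(topo["subnet_seclists"][dst_subnet], topo["seclists"], "ingress", proto, src_ip, port):
        return False, f"ingress to {dst_subnet} denied by its security lists"
    return True, "local"

def without_default_list(topo):
    """Copy of topo with the Default Security List detached from every subnet."""
    hardened = dict(topo)
    hardened["subnet_seclists"] = {s: [n for n in names if n != "Default Security List"]
                                   for s, names in topo["subnet_seclists"].items()}
    return hardened

def validate_subnets(vcn, subnets):
    """Every subnet must sit inside the VCN CIDR and must not overlap another subnet."""
    vcn_net, nets = ipaddress.ip_network(vcn), {n: ipaddress.ip_network(c) for n, c in subnets.items()}
    problems = [f"{n} is outside the VCN" for n, net in nets.items() if not net.subnet_of(vcn_net)]
    names = sorted(nets)
    problems += [f"{a} overlaps {b}" for i, a in enumerate(names) for b in names[i + 1:] if nets[a].overlaps(nets[b])]
    return problems

if __name__ == "__main__":
    for topo, label in ((TOPOLOGY, "with Default Security List"), (without_default_list(TOPOLOGY), "hardened")):
        print(label, can_connect(topo, "app-private-subnet-ad2", "10.0.101.10", "tcp", 22))
        print(label, can_connect(topo, "exadb-private-subnet-ad2", OSN, "tcp", 443))
```

The model deliberately ignores network security groups and stateless rules; if you use either, extend the rule matching before trusting its answers.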

Provision the Target Infrastructure

Provisioning an Oracle Exadata Database Service on Dedicated Infrastructure is done in two steps:

  1. Provision your target infrastructure

    Select the Oracle Exadata model and shape, and specify the availability domain. Complete and submit the provisioning request and wait until the infrastructure provisioning has completed. You can scale the compute and storage capacity up after provisioning, if needed.

  2. Provision the VM cluster

    Once the Oracle Exadata infrastructure is provisioned, you will provision the VM cluster onto the infrastructure. Select the Grid Infrastructure version, starter database version, OCPU count for the cluster, and ASM disk group storage properties. If you plan to store your backups on the region-local object storage, then you should not select local storage for backups. When deselecting local backups, the Oracle Exadata Database Service on Dedicated Infrastructure dialog presents additional fields for specifying the backup subnet and the compartment that subnet resides in.

Provision Oracle Exadata Database Service on Dedicated Infrastructure

Use the Oracle Cloud Infrastructure (OCI) Console to provision your target environment.

This example architecture uses the following Oracle Exadata model and shape: Oracle Exadata Cloud X6-2 Quarter Rack with two compute nodes (domUs) and three storage cells. The availability domain is AD-2.

  • Use the OCI Console to create your Oracle Exadata Cloud Infrastructure resource.
    See Creating an Exadata Cloud Infrastructure Instance in Oracle Cloud Exadata Database Service on Dedicated Infrastructure for how to prepare and get started with an Exadata Cloud Infrastructure deployment, and for steps to complete and submit your request.
    Select the Oracle Exadata model and shape, and specify the availability domain. You can scale the compute and storage capacity up after provisioning, if needed.
After you submit the provisioning request to create the Oracle Exadata Cloud Infrastructure, the status appears in the Exadata Infrastructure list with a status of Provisioning. Wait until the infrastructure provisioning has completed before proceeding.

Provision the VM Cluster

After your Oracle Exadata Database Service on Dedicated Infrastructure is successfully provisioned, you can provision the VM cluster onto the infrastructure.

  • Go to Creating an Exadata Cloud Infrastructure Instance for steps to use the OCI Console to provision your VM Cluster.

    The architecture for this VM cluster uses the following values:

    Exadata VM Cluster Name:                                                       IAD-Exa-VMCluster-1
    Compartment:                                                                   psft_exa_compartment
    Host name prefix:                                                              iadexadb
    Subnet for Oracle Exadata Database Service on Dedicated Infrastructure client network:  exadb-private-subnet-ad2
    Subnet for Oracle Exadata Database Service on Dedicated Infrastructure backups:         exadb-backup-private-subnet-ad2
    OCPU count:                                                                    22
    Grid Infrastructure version:                                                   19c RU 19 (19.19.0.0.0)
    Database version:                                                              19c RU 19 (19.19.0.0.0)
    Local storage for backup:                                                      No (backups will be stored on region-local object storage)
    SPARSE ASM Disk Group:                                                         No for production, potentially yes for test databases

The Exadata VM Cluster is completely up, running, and accessible within a few hours. The following components are fully configured.

  • Two domU compute VM nodes
  • Oracle Clusterware and Oracle Grid Infrastructure
  • SCAN name with three IP addresses on the client subnet
  • SCAN and grid VIPs with their respective listeners
  • High redundancy ASM disk groups:

    Disk Group Name   Redundancy   Total Size (MB)   Usable (MB)
    DATAC1            High         161,206,272       48,055,638
    RECOC1            High         53,747,712        16,376,564

Other small disk groups are created to support Oracle Advanced Cluster File System (Oracle ACFS).

Provision Compute Instances

The compute instances are your application and middle tier servers. They are used for PeopleSoft application and PeopleSoft Internet Architecture (PIA) web servers.

When provisioning compute instances, select the shape that best supports your workload. OCI provides several shapes to choose from as well as a choice between Intel or AMD based processors. Both Oracle Linux and Microsoft Windows are supported. When provisioning the application tier compute nodes, specify the compartment (psft-app-compartment) to hold the compute instance resources and specify the subnet for the application tiers (app-private-subnet-ad2). The application servers will host:

  • Tuxedo application server domain
  • Tuxedo batch process server domain
  • MicroFocus COBOL compiler and run-time facility

You can provision and place the PIA web servers into the same compartment and use the same subnet as the application servers. They will host the following:

  • WebLogic Web servers to host the PIA servers
  • Coherence*Web cache servers (optional)
  1. Go to Working with Instances.
  2. Follow the steps to provision a compute instance.

    We provisioned four compute instances for the PeopleSoft application and web tiers: two to host the application server and process scheduler, and two to host the PIA web server and Coherence*Web. All four are in app-private-subnet-ad2 with 128 GB of block storage. The shapes follow from the OCPU and memory requirements of each tier (a VM.Standard2.n shape provides n OCPUs and 15n GB of memory):

    • iad-psft-hcm-app01: VM.Standard2.4, 4 OCPU, 60 GB memory; Application tier; Tuxedo application server and process scheduler
    • iad-psft-hcm-app02: VM.Standard2.4, 4 OCPU, 60 GB memory; Application tier; Tuxedo application server and process scheduler
    • iad-psft-hcm-web01: VM.Standard2.2, 2 OCPU, 30 GB memory; Web tier; WebLogic Pure Internet Application server and Coherence*Web
    • iad-psft-hcm-web02: VM.Standard2.2, 2 OCPU, 30 GB memory; Web tier; WebLogic Pure Internet Application server and Coherence*Web

Create OCI Compute Instances

Provision the compute instances in Oracle Cloud Infrastructure (OCI).

The configuration of our middle tier servers was simple and standard, with only the sizes of the boot, root, and swap file systems needing adjustment. At the time we provisioned ours, the default size of the boot volume was 46.6GB. This default size contains the basic required Linux file systems, including:

  • A /boot file system (200MB)
  • A root (/) file system (39GB)
  • A swap volume (8GB)

For both the application and web tier servers, we needed to increase the boot volume to 128GB, the root file system to 100GB, and the total swap size to 16GB.

  1. Open the navigation menu on the OCI Console.
  2. Click Compute, then click Instances.
  3. Click Create Instance, then enter a name for the instance.
    You can add or change the name later. The name doesn't need to be unique, because an Oracle Cloud Identifier (OCID) uniquely identifies the instance. Avoid entering confidential information.
  4. Select the compartment to create the instance in and complete the fields.
  5. Click Create.
    The provisioning process creates the compute instances.
  6. Increase the root partition and root file system sizes.
    See My Oracle Support document 2445549.1: How to Create a Linux instance with Custom Boot Volume and Extend the Root Partition in OCI to increase the root partition then the root file system size by 61GB.

    Note:

    When you request a larger boot volume, OCI creates the volume at the requested size, but the image's root partition still occupies only its default 39GB; the remaining space on the boot volume stays unallocated until you extend the partition and then the file system as described in the My Oracle Support document.
  7. Add an 8GB swap partition.
    See My Oracle Support document 2475325.1: How to Increase Swap Memory on Linux OCI Instances to add an 8GB swap partition, resulting in a total of 16GB swap space.

Provision OCI File Storage

Oracle Cloud Infrastructure File Storage provides the shared file systems for all application and PIA servers. These servers will use NFS to mount the shared file systems. When you provision OCI File Storage from the OCI Console, ensure that the file storage is in the same availability domain as the application and PIA servers.

  1. Select Storage, then File Systems under File Storage in the OCI Console.
  2. Select the compartment where you want the file system to be placed.
    For example, psft-app-compartment.
  3. Click Create File System.
  4. Select File System for NFS.
  5. Click Edit Details under File System Information.
    1. Change the default name to a name of your choosing.
      For example, IAD_PSFT_APP_INSTALL or IAD_PSFT_APP_INTERFACE.
    2. Change the availability domain to the availability domain where the compute instances are provisioned.
      For example, US-ASHBURN-AD2.
    3. Select the compartment where you want the file system.
      For example, psft-app-compartment.
    4. Select an encryption option.
      For example, Oracle Managed Keys.
  6. Click Edit Details under Export Information.
    1. Provide an export path.
      For example, /export/psftapp or /export/psftinterface.
    2. If required, select the check box for secure exports.
      See the information icon next to this option for details. The secure export options restrict which NFS clients and source ports the export accepts and how client identities are squashed; they do not encrypt NFS traffic between the servers and the mount target, so keep the mount target on a private subnet reachable only from the application and PIA subnets.
  7. Click Edit Details under Mount Target Information.
    1. Select either the Select an existing mount target or Create a new mount target option.
    2. Click Enable Compartment Selection.
      This enables you to select the compartment that the VCN and subnets reside in.
    3. Select the compartment that the mount target will either be created in or already exists in from Create in the Compartment drop-down combo box.
    4. Select the compartment that the VCN resides in from the Virtual Cloud Network drop-down combo box.
    5. If you're creating a new mount target, then enter a name.
    6. If you're using an existing mount target, then select the subnet (and its compartment) in which that mount target was provisioned from the Subnet drop-down combo box.
  8. Click Create.

Find the Security Ingress and Egress Rules

Find the required security ingress and egress rules to add to the appropriate security lists and the commands you need to issue on each application and PeopleSoft Internet Architecture (PIA) server. After provisioning the file system, perform the following steps:

  1. Log in to the OCI Console.
  2. Select Storage, then File Systems under File Storage.
  3. Select the compartment that contains the file system.
  4. Select the name of the file system you provisioned.
  5. Click Export Target.
  6. Click Mount Commands.
    A window displays the ingress and egress rules and the commands used to mount the file system.
  7. Highlight and click Copy to copy the mount commands for use later.
  8. Edit the security list associated with the subnet that you'll use to mount OCI File Storage (and, if the mount target is in a different subnet, the security list of that subnet) to add the ingress and egress rules. These are the NFS ports: stateful ingress to the mount target on TCP ports 111, 2048, 2049, and 2050 and UDP ports 111 and 2048, and the matching stateful egress from the client subnets. Use the application subnet CIDR (for example, 10.0.103.0/24) as the source rather than 0.0.0.0/0 so that only the application and PIA servers can mount the file systems.