Learn How to Onboard Java Management Service to Monitor Java Usage

Learn how to use Java Management Service (JMS) on Oracle Cloud Infrastructure (OCI) to observe and manage Java applications and installations on your Oracle Linux hosts that are deployed in OCI, on-premises, or third-party cloud. JMS helps your enterprise gain critical insights into Java installations, application behavior, compliance, and performance. This solution enables you to get started with JMS basic features and enable Java usage monitoring on your Oracle Linux machines.

JMS equips you to:

• Use the insights to optimize your workloads across your enterprise (desktop, server, cloud).
• Protect your Java SE investments by identifying outdated Java installations, unauthorized applications, and Java runtime and application mismatches.

Before You Begin

Before you begin, ensure you are familiar with the following requirements and technology for a basic deployment:

• Access to Java Management Service requires an Oracle Cloud account. You may use your own cloud account or you can get an OCI Free Tier account.
• Ensure an Oracle Linux machine is setup correctly to allow the communication with OCI services. The following are supported machines:
  • An OCI compute instance that is available in your tenancy. See Create an OCI compute instance if you don't have an instance already setup.
  • Host that is located on-premises or in a third-party cloud that you want to monitor with JMS.
• Review the system requirements and supported platforms at https://docs.oracle.com/en-us/iaas/jms/doc/you-begin.html.
• Familiarize yourself with JMS Key Concepts. See https://docs.oracle.com/en-us/iaas/jms/doc/key-concepts-and-terminology.html.

See the Monitor and manage your Java and Java application installations reference architecture to learn more about the JMS monitoring ecosystem.

Architecture

This architecture shows how to onboard to Java Management Service to monitor Java usage on your Oracle Linux machines that are deployed in OCI, on-premises, or third-party cloud. This solution playbook describes how to setup JMS for basic functionality, enabling you to get started with JMS basic features.

The network diagram below outlines the traffic flows between the JMS agent installed on your host machines (on-premises) and JMS running in OCI. Similar traffic pattern occurs between your host machines in OCI and JMS.

Description of the illustration jms-oci-network-traffic.png

jms-oci-network-traffic-oracle.zip

• The JMS agent always initiates the request by authenticating itself with OCI by using an open port that is allowed by the firewall (443).
• The Management agent and JMS service from OCI don't push any data to the agent.
• The JMS agent polls the service for work requests.
  • JMS agent work requests polling interval can be as low as 30 seconds.
  • JMS agent polling interval is configurable, maximum polling interval is 10 minutes.
• Data transmitted is encrypted using TLS.
• The OCI services then send back the data in response to these request once connection is established.

The architecture has the following components:

• Region

  An Oracle Cloud Infrastructure region is a localized geographic area that contains one or more data centers, hosting availability domains. Regions are independent of other regions, and vast distances can separate them (across countries or even continents).

• Availability domains

  Availability domains are standalone, independent data centers within a region. The physical resources in each availability domain are isolated from the resources in the other availability domains, which provides fault tolerance. Availability domains don’t share infrastructure such as power or cooling, or the internal availability domain network. So, a failure at one availability domain shouldn't affect the other availability domains in the region.

• Compartment

  Compartments are cross-regional logical partitions within an Oracle Cloud Infrastructure tenancy. Use compartments to organize, control access, and set usage quotas for your Oracle Cloud resources. In a given compartment, you define policies that control access and set privileges for resources.

• Dynamic routing gateway (DRG)

  The DRG is a virtual router that provides a path for private network traffic between VCNs in the same region, between a VCN and a network outside the region, such as a VCN in another Oracle Cloud Infrastructure region, an on-premises network, or a network in another cloud provider.

• Instance pool

  An instance pool is a group of instances within a region that are created from the same instance configuration and managed as a group.

• On-premises network

  This is a local network used by your organization.

• Security list

  For each subnet, you can create security rules that specify the source, destination, and type of traffic that is allowed in and out of the subnet.

• Security zone

  Security zones implement key Oracle security best practices by enforcing policies for an entire compartment, such as encrypting data and preventing public access to networks. A security zone is associated with a compartment of the same name and includes security zone policies (a recipe) that applies to the compartment and its sub-compartments. You can't add or move a standard compartment to a security zone compartment.

• Dynamic routing gateway (DRG)

  The DRG is a virtual router that provides a path for private network traffic between VCNs in the same region, between a VCN and a network outside the region, such as a VCN in another Oracle Cloud Infrastructure region, an on-premises network, or a network in another cloud provider.

• Service gateway

  A service gateway provides access from a VCN to other services, such as Oracle Cloud Infrastructure Object Storage. The traffic from the VCN to the Oracle service travels over the Oracle network fabric and does not traverse the internet.

• Tenancy

  A tenancy is a secure and isolated partition that Oracle sets up within Oracle Cloud when you sign up for Oracle Cloud Infrastructure. You can create, organize, and administer your resources in OCI within your tenancy. A tenancy is synonymous with a company or organization. Usually, a company will have a single tenancy and reflect its organizational structure within that tenancy. A single tenancy is usually associated with a single subscription, and a single subscription usually only has one tenancy.

• Logging
  Oracle Cloud Infrastructure Logging is a highly-scalable and fully-managed service that provides access to the following types of logs from your resources in the cloud:

  • Audit logs: Logs related to events produced by OCI Audit.
  • Service logs: Logs published by individual services such as OCI API Gateway, OCI Events, OCI Functions, OCI Load Balancing, OCI Object Storage, and VCN flow logs.
  • Custom logs: Logs that contain diagnostic information from custom applications, other cloud providers, or an on-premises environment.
• Monitoring

  Oracle Cloud Infrastructure Monitoring actively and passively monitors your cloud resources, and uses alarms to notify you when metrics meet specified triggers.

• Policy

  An Oracle Cloud Infrastructure Identity and Access Management policy specifies who can access which resources, and how. Access is granted at the group and compartment level, which means you can write a policy that gives a group a specific type of access within a specific compartment or to the tenancy.

• Oracle Cloud Infrastructure Vault

  Oracle Cloud Infrastructure Vault enables you to create and centrally manage the encryption keys that protect your data and the secret credentials that you use to secure access to your resources in the cloud. The default key management is Oracle-managed keys. You can also use customer-managed keys which use OCI Vault. OCI Vault offers a rich set of REST APIs to manage vaults and keys.

• Workflow

  Oracle Cloud Infrastructure Workflow is a serverless workflow engine with a graphical flow designer for developers and architects. It accelerates the creation, running, and orchestration of OCI services such as OCI Functions or AI/ML.

• Virtual cloud network (VCN) and subnets

  A VCN is a customizable, software-defined network that you set up in an Oracle Cloud Infrastructure region. Like traditional data center networks, VCNs give you control over your network environment. A VCN can have multiple non-overlapping CIDR blocks that you can change after you create the VCN. You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private.

• API Gateway

  Oracle Cloud Infrastructure API Gateway enables you to publish APIs with private endpoints that are accessible from within your network, and which you can expose to the public internet if required. The endpoints support API validation, request and response transformation, CORS, authentication and authorization, and request limiting.

• Autonomous Database

  Oracle Autonomous Database is a fully-managed, preconfigured database environment that you can use for transaction processing and data warehousing workloads. You do not need to configure or manage any hardware, or install any software. Oracle Cloud Infrastructure handles creating, backing up, patching, upgrading, and tuning the database.

• Bastion host

  The bastion host is a compute instance that serves as a secure, controlled entry point to the topology from outside the cloud. The bastion host is provisioned typically in a demilitarized zone (DMZ). It enables you to protect sensitive resources by placing them in private networks that can't be accessed directly from outside the cloud. The topology has a single, known entry point that you can monitor and audit regularly. So, you can avoid exposing the more sensitive components of the topology without compromising access to them.

• Compute

  With Oracle Cloud Infrastructure Compute, you can provision and manage compute hosts in the cloud. You can launch compute instances with shapes that meet your resource requirements for CPU, memory, network bandwidth, and storage. After creating a compute instance, you can access it securely, restart it, attach and detach volumes, and terminate it when you no longer need it.

• DNS

  Oracle Cloud Infrastructure Domain Name System (DNS) service is a highly scalable, global anycast domain name system (DNS) network that offers enhanced DNS performance, resiliency, and scalability, so that end users connect to internet applications quickly, from anywhere.

• Kafka Streams

  Kafka Streams is a client library for building applications and microservices, where the input and output data are stored in Kafka clusters. It combines the simplicity of writing and deploying standard Java and Scala applications on the client side with the benefits of Kafka's server-side cluster technology.

• Object storage

  OCI Object Storage provides quick access to large amounts of structured and unstructured data of any content type, including database backups, analytic data, and rich content such as images and videos. You can safely and securely store data directly from the internet or from within the cloud platform. You can scale storage without experiencing any degradation in performance or service reliability.

  Use standard storage for "hot" storage that you need to access quickly, immediately, and frequently. Use archive storage for "cold" storage that you retain for long periods of time and seldom or rarely access.

• Oracle Management Agent

  Oracle Management Agent is a service that provides low latency interactive communication and data collection between Oracle Cloud Infrastructure and on premise managed instances. Management agents collects data from sources that you want to monitor. Management Agent Service, an Oracle Cloud Service, manages the lifecycle of the management agent and the plug-ins for the services.

• Oracle Cloud Agent

  Oracle Cloud Agent is a lightweight process that manages the lifecycle of plug-ins running on compute instances on OCI. The JMS plug-ins collect Java metadata from your environment deployed on the managed instance in OCI. The JMS plug-in exfiltrates this Java metadata to the JMS service in OCI.

• Kiev as a Service (KaaS)

  KaaS is a fully managed data platform service used primarily by Control Plane services on OCI. KaaS provides high-level NoSQL APIs for easy integration, serializable scans, change-feed streaming, and other features. KaaS is a service built on top of Kiev. Kiev is a "NoSQL key-value store" that also supports mini-transactions for convenience. To prevent concurrency bugs in applications, Kiev's mini-transactions have strong isolation which provides stronger guarantees than the weaker isolation levels that are commonly used in Oracle and MySQL. Kiev has an availability SLA of 99.9%.

About Required Services and Roles

This solution requires the following services and roles:

JMS integrates with Oracle Cloud Infrastructure Monitoring and Logging service for basic features.

• Java Management Service (JMS)
• Oracle Cloud Infrastructure (OCI)
• OCI Monitoring
• OCI Logging
• A dynamic group of managed instances (comprising of OCI compute instances and management agents). The dynamic group allows for policies to be applied collectively for communication with other OCI resources.

To better manage the resources, create the following groups:

• JMS Fleet Manager User Group: A user group to use and manage JMS related resources.
• Managed Instance Dynamic Group: A dynamic group of managed instances (consisting of OCI compute instances and management agents). The dynamic group allows you to apply policies collectively for communication with other OCI resources.
• JMS server-components: A resource group of JMS backend components to interact with other OCI resources.

These are the roles needed for each service.

Service Name: Role	Required to...
OCI OCI Identity and Access Management: administrator	create dynamic groups and govern access to OCI resources.
OCI: user administrator	manage users, groups, and group memberships for an identity domain.

See Oracle Products, Solutions, and Services to get what you need.