Monitor and Manage Your Java and Java Application Installations
Before You Begin
This reference architecture assumes that you have successfully onboarded to OCI.
JMS is an OCI-native service available in commercial and restricted realms. You can access it through the API (including the OCI Software Development Kit (SDK) for JMS) or through the JMS console.
You create JMS fleets within a compartment of your tenancy, and you can have multiple fleets and resources across one or more geographies. Use fleets as the unit of access control: assign a fleet to each department in your enterprise so that each department controls its own fleet and the resources associated with it.
Perform the following to complete JMS on-boarding:
- Set up Oracle Cloud Infrastructure for JMS (either manually manage policies or use a wizard).
- Create a JMS fleet.
- Deploy the Management Agent (on-premises or third-party cloud hosts) or configure the Oracle Cloud Agent (OCI compute instances), and enable the JMS plugin.
- Monitor the Java installations and applications in your managed instances.
- Perform advanced feature operations as needed.
See Java Management Service in the OCI documentation for more information.
Architecture
The JMS agent is installed on the managed instances to collect Java usage telemetry and Java usage metadata. The data is emitted to and stored in your own tenancy, which keeps it under your control.
The agent uploads the Java usage metadata from your managed instances into your tenancy. JMS processes this metadata to generate insights such as the Java versions installed, their standing against the Security Baseline, upcoming Java updates, and application usage, which are presented when you log on to the OCI Console. Oracle has no access to your data beyond processing this metadata to produce the insights.
The advanced features in JMS let you analyze the usage of Java application servers, identify potential vulnerabilities in the Java libraries used by applications running in your environment, use Java Flight Recorder for performance and cryptographic analysis, and manage Oracle Java Runtimes (JDK versions) in your environment.
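As an added example (not code from the Oracle page or from the JMS SDK), the following Python turns the Security Baseline insight described above into a check you can run yourself over the runtimes JMS reports for a fleet: runtimes JMS already flags are kept, and runtimes with an UNKNOWN status are compared against a baseline version per feature release. The SDK call in fetch_jre_usage() (oci.jms.JavaManagementServiceClient.summarize_jre_usage) and the item fields it reads are assumptions to verify against the SDK version you install; SAMPLE and BASELINE are constructed data, not real fleet output or Oracle's published baseline.

```python
"""Added example, not code from the Oracle page or the JMS SDK: rank the Java
runtimes JMS reports for a fleet against a security baseline.

Assumptions: fetch_jre_usage() uses oci.jms.JavaManagementServiceClient
.summarize_jre_usage(); the item fields it reads (vendor, distribution, version,
security_status, approximate_installation_count) should be checked against the
SDK version you install. SAMPLE and BASELINE below are constructed data."""
from dataclasses import dataclass
import re

# Security-status values the example understands. UNKNOWN is never treated
# as safe; it triggers a local version comparison against the baseline.
UP_TO_DATE = "UP_TO_DATE"
UPDATE_REQUIRED = "UPDATE_REQUIRED"    # supported release, missing a patch update
UPGRADE_REQUIRED = "UPGRADE_REQUIRED"  # release that is out of support
UNKNOWN = "UNKNOWN"


@dataclass
class JreRecord:
    vendor: str
    distribution: str
    version: str
    security_status: str
    installation_count: int


def parse_java_version(version: str) -> tuple:
    """Normalise legacy (1.8.0_291) and JEP 223 (11.0.12, 17.0.2+8) version
    strings to a comparable (feature, interim, update) tuple."""
    core = version.split("+", 1)[0]            # drop the build number
    legacy = re.match(r"^1\.(\d+)\.0(?:_(\d+))?$", core)
    if legacy:                                 # 1.8.0_291 -> (8, 0, 291)
        return (int(legacy.group(1)), 0, int(legacy.group(2) or 0))
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def classify(record: JreRecord, baseline: dict) -> tuple:
    """Return (status, reason). A status JMS already reported is kept; an
    UNKNOWN status is resolved by comparing the version with the baseline."""
    if record.security_status in (UP_TO_DATE, UPDATE_REQUIRED, UPGRADE_REQUIRED):
        return record.security_status, "reported by JMS"
    parsed = parse_java_version(record.version)
    base = baseline.get(parsed[0])
    if base is None:
        return UPGRADE_REQUIRED, f"no baseline for feature release {parsed[0]}"
    if parsed < parse_java_version(base):
        return UPDATE_REQUIRED, f"below baseline {base}"
    return UP_TO_DATE, f"at or above baseline {base}"


def report(records, baseline):
    """Rows of (status, vendor, distribution, version, installs, reason),
    worst status first and larger install counts first within a status."""
    severity = {UPGRADE_REQUIRED: 0, UPDATE_REQUIRED: 1, UNKNOWN: 2, UP_TO_DATE: 3}
    rows = []
    for r in records:
        status, reason = classify(r, baseline)
        rows.append((status, r.vendor, r.distribution, r.version,
                     r.installation_count, reason))
    rows.sort(key=lambda row: (severity[row[0]], -row[4]))
    return rows


def installs_needing_action(records, baseline) -> int:
    """Number of installations that are not at the baseline."""
    return sum(row[4] for row in report(records, baseline) if row[0] != UP_TO_DATE)


def fetch_jre_usage(fleet_id: str, config_file: str = "~/.oci/config"):
    """Pull live records for a fleet (assumed SDK call shape; needs the oci
    package, credentials and a fleet OCID, so it is not run offline)."""
    import oci  # lazy import: the rest of the module works without the SDK
    client = oci.jms.JavaManagementServiceClient(oci.config.from_file(config_file))
    items = client.summarize_jre_usage(fleet_id=fleet_id).data.items
    return [JreRecord(i.vendor, i.distribution, i.version, i.security_status,
                      i.approximate_installation_count) for i in items]


# Constructed sample, shaped like summarize_jre_usage output; not a real fleet.
SAMPLE = [
    JreRecord("Oracle Corporation", "Java(TM) SE Runtime Environment", "1.8.0_381", UP_TO_DATE, 40),
    JreRecord("Oracle Corporation", "Java(TM) SE Runtime Environment", "1.8.0_291", UPDATE_REQUIRED, 12),
    JreRecord("Oracle Corporation", "Java(TM) SE Runtime Environment", "1.7.0_80", UPGRADE_REQUIRED, 3),
    JreRecord("Eclipse Adoptium", "OpenJDK Runtime Environment", "11.0.12+7", UNKNOWN, 9),
    JreRecord("Oracle Corporation", "OpenJDK Runtime Environment", "17.0.8", UNKNOWN, 5),
]
# Constructed baseline: newest patch release per supported feature release.
BASELINE = {8: "1.8.0_381", 11: "11.0.20", 17: "17.0.8"}

if __name__ == "__main__":
    for row in report(SAMPLE, BASELINE):
        print("%-16s %-20s %-10s %3d  %s" % (row[0], row[1], row[3], row[4], row[5]))
    print("installations needing action:", installs_needing_action(SAMPLE, BASELINE))
```

Running the file prints the constructed fleet worst-first; replace SAMPLE with fetch_jre_usage(fleet_ocid) to run the same ranking over live data. The design choice worth noting is that an UNKNOWN status is never treated as compliant: a runtime JMS cannot classify is resolved locally against your own baseline, and a feature release with no baseline entry is reported as needing an upgrade.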
The following diagram illustrates the topology of JMS in production and this reference architecture. It shows agents deployed to track Java running on OCI, on your on-premises desktops, laptops and servers, and in third-party clouds. The agents run on your managed instances and are associated with the fleets you created in your tenancy.

Description of the illustration jms-oci-topology.png
At a high level, data flows between the JMS agent installed on your managed instance and the JMS service on OCI as follows:
- You install the agent on the managed instance, and the agent registers with OCI.
- You configure or enable the JMS plugin, passing the JMS fleet as a parameter. The JMS agent is now associated with that fleet.
- The registered JMS agent polls JMS for work. JMS responds to the poll with pending work requests, if any.
- The JMS agent periodically scans the managed instance for Java installations or entries in the usage tracker and sends the Java metrics and Java metadata to OCI.
The data flow between the JMS agent and OCI service is shown in the illustration below.

Description of the illustration jms-oci-workflow.png
- User: Installs the agent on the managed instance (request).
- JMS Agent: Sends a registration request to OCI Services (request).
- OCI Services: Validates the key presented by the agent and returns agent metadata and auth tokens to the JMS Agent (response).
- JMS Agent: Starts and reports completion to the user (response).
- JMS Agent: Requests installation of the configured plugins from OCI Services (request).
- JMS Agent: Polls OCI Services for work (request).
- OCI Services: Returns pending work requests, if any (response).
- JMS Agent: Fetches the plugin bundle and installs it (request).
- JMS Agent: Polls periodically and uploads inventory to OCI Services, into your tenancy (request).
The network diagram below outlines the traffic flows between the JMS agent installed on your on-premises host machines and JMS running in OCI. The same traffic pattern applies between your host machines in OCI and JMS.

Description of the illustration jms-oci-network-traffic.png
- The JMS agent always initiates the connection, authenticating itself to OCI over an outbound port that the firewall allows (TCP 443).
- Neither the Management Agent service nor JMS pushes data to the agent, so no inbound firewall rule is required for the agent.
- The JMS agent polls the service for work requests.
- The polling interval for work requests can be as low as 30 seconds.
- The polling interval is configurable; the maximum is 10 minutes.
- Data in transit is encrypted with TLS.
- Once the connection is established, OCI services return data only in response to these agent requests.
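The exchange in the two lists above, as an added example that is not code from the Oracle page or the JMS agent: a small in-process model in Python of the agent-initiated flow. The service stub exposes only request handlers (register, poll, upload inventory) and has no way to open a connection to the agent, which is the property behind the outbound-only TCP 443 firewall rule. The polling-interval clamp reflects the 30-second minimum and 10-minute maximum stated above. The message shapes, the install key, the token format and the plugin work item are assumptions made for the example, not the agent's real protocol.

```python
"""Added example, not code from the Oracle page or the JMS agent: an in-process
model of the agent-initiated exchange described above. Every method on the
service stub only answers a request the agent made; the stub cannot open a
connection to the agent, which is why a host running the agent needs only
outbound TCP/443 and no inbound rule. Message shapes, install key and token
format are constructed for the example."""
import secrets

MIN_POLL_SECONDS = 30    # page: work-request polling can be as low as 30 s
MAX_POLL_SECONDS = 600   # page: the maximum polling interval is 10 minutes


def clamp_poll_interval(seconds: int) -> int:
    """Force a configured interval into the documented [30 s, 600 s] range."""
    return max(MIN_POLL_SECONDS, min(MAX_POLL_SECONDS, int(seconds)))


class JmsServiceStub:
    """Stands in for OCI (Management Agent service plus JMS)."""

    def __init__(self, install_keys, fleet_id):
        self._install_keys = set(install_keys)
        self._fleet_id = fleet_id
        self._tokens = {}     # auth token -> agent id
        self._pending = {}    # agent id -> queued work requests
        self.inventory = {}   # agent id -> last uploaded inventory

    def register(self, install_key, hostname):
        """Validate the key, then return agent metadata and an auth token."""
        if install_key not in self._install_keys:
            raise PermissionError("install key rejected")
        agent_id = f"agent-{hostname}"
        token = secrets.token_hex(16)
        self._tokens[token] = agent_id
        # Plugin installation is queued as work and fetched by the next poll.
        self._pending[agent_id] = [
            {"type": "INSTALL_PLUGIN", "plugin": "jms", "fleet_id": self._fleet_id}]
        return {"agent_id": agent_id, "auth_token": token}

    def _agent_for(self, token):
        if token not in self._tokens:
            raise PermissionError("unknown token")
        return self._tokens[token]

    def poll(self, token):
        """Answer a poll with one pending work request, or with none."""
        queue = self._pending.get(self._agent_for(token), [])
        return {"work": queue.pop(0) if queue else None}

    def upload_inventory(self, token, inventory):
        self.inventory[self._agent_for(token)] = inventory
        return {"accepted": True}


class Agent:
    """The only party that ever initiates a request."""

    def __init__(self, service, install_key, hostname, poll_seconds=30):
        self._service = service
        self._install_key = install_key
        self._hostname = hostname
        self.poll_seconds = clamp_poll_interval(poll_seconds)
        self.token = None
        self.plugins = set()
        self.fleet_id = None

    def register(self):
        reply = self._service.register(self._install_key, self._hostname)
        self.token = reply["auth_token"]
        return reply["agent_id"]

    def poll_once(self):
        """One outbound poll; act on whatever the response carries."""
        work = self._service.poll(self.token)["work"]
        if work is None:
            return None
        if work["type"] == "INSTALL_PLUGIN":
            self.plugins.add(work["plugin"])
            self.fleet_id = work["fleet_id"]
        return work["type"]

    def report_inventory(self, java_installs):
        payload = {"fleet_id": self.fleet_id, "java": list(java_installs)}
        return self._service.upload_inventory(self.token, payload)


def run_session(service, install_key, hostname, java_installs, polls=3):
    """Replay the documented order: register, poll until the plugin arrives,
    upload inventory, keep polling. The sleep of agent.poll_seconds between
    polls is left out so the example runs instantly."""
    agent = Agent(service, install_key, hostname, poll_seconds=5)  # 5 s clamps to 30 s
    agent_id = agent.register()
    handled = []
    for _ in range(polls):
        handled.append(agent.poll_once())
        if "jms" in agent.plugins and agent_id not in service.inventory:
            agent.report_inventory(java_installs)
    return {"agent_id": agent_id, "interval": agent.poll_seconds,
            "handled": handled, "plugins": sorted(agent.plugins)}


if __name__ == "__main__":
    svc = JmsServiceStub(["INSTALL-KEY-EXAMPLE"], "fleet-example")
    print(run_session(svc, "INSTALL-KEY-EXAMPLE", "host-a", ["1.8.0_291"]))
    print("inventory seen by the service:", svc.inventory)
```

A registration with a key the service does not know raises PermissionError before any token is issued, and an interval configured below 30 seconds is raised to 30. Note what the model leaves out: the real agent waits poll_seconds between polls and carries the exchange over TLS on port 443; the in-process calls here stand in for those requests.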
The architecture has the following components:
- Region
An Oracle Cloud Infrastructure region is a localized geographic area that contains one or more data centers, called availability domains. Regions are independent of other regions, and vast distances can separate them (across countries or even continents).
- Availability domains
Availability domains are standalone, independent data centers within a region. The physical resources in each availability domain are isolated from the resources in the other availability domains, which provides fault tolerance. Availability domains don’t share infrastructure such as power or cooling, or the internal availability domain network. So, a failure at one availability domain shouldn't affect the other availability domains in the region.
- Compartment
Compartments are cross-regional logical partitions within an Oracle Cloud Infrastructure tenancy. Use compartments to organize, control access, and set usage quotas for your Oracle Cloud resources. In a given compartment, you define policies that control access and set privileges for resources.
- Dynamic routing gateway (DRG)
The DRG is a virtual router that provides a path for private network traffic between VCNs in the same region, between a VCN and a network outside the region, such as a VCN in another Oracle Cloud Infrastructure region, an on-premises network, or a network in another cloud provider.
- Instance pool
An instance pool is a group of instances within a region that are created from the same instance configuration and managed as a group.
- On-premises network
This network is the local network used by your organization. It is one of the spokes of the topology.
- Security list
For each subnet, you can create security rules that specify the source, destination, and type of traffic that must be allowed in and out of the subnet.
- Security zone
Security zones ensure Oracle's security best practices from the start by enforcing policies such as encrypting data and preventing public access to networks for an entire compartment. A security zone is associated with a compartment of the same name and includes security zone policies or a "recipe" that applies to the compartment and its sub-compartments. You can't add or move a standard compartment to a security zone compartment.
- Service gateway
The service gateway provides access from a VCN to other services, such as Oracle Cloud Infrastructure Object Storage. The traffic from the VCN to the Oracle service travels over the Oracle network fabric and does not traverse the internet.
- Tenancy
A tenancy is a secure and isolated partition that Oracle sets up within Oracle Cloud when you sign up for Oracle Cloud Infrastructure. You can create, organize, and administer your resources in Oracle Cloud within your tenancy. A tenancy is synonymous with a company or organization. Usually, a company will have a single tenancy and reflect its organizational structure within that tenancy. A single tenancy is usually associated with a single subscription, and a single subscription usually only has one tenancy.
- Logging
Logging is a highly scalable and fully managed service that provides access to the following types of logs from your resources in the cloud:
- Audit logs: Logs related to events emitted by the Audit service.
- Service logs: Logs emitted by individual services such as API Gateway, Events, Functions, Load Balancing, Object Storage, and VCN flow logs.
- Custom logs: Logs that contain diagnostic information from custom applications, other cloud providers, or an on-premises environment.
- Monitoring
The Oracle Cloud Infrastructure Monitoring service actively and passively monitors your cloud resources, using metrics to track resource state and alarms to notify you when a metric meets an alarm's trigger condition.
- Policy
An Oracle Cloud Infrastructure Identity and Access Management policy specifies who can access which resources, and how. Access is granted at the group and compartment level, which means you can write a policy that gives a group a specific type of access within a specific compartment, or to the tenancy.
- Oracle Cloud Infrastructure Vault
Oracle Cloud Infrastructure Vault enables you to centrally manage the encryption keys that protect your data and the secret credentials that you use to secure access to your resources in the cloud. You can use the Vault service to create and manage vaults, keys, and secrets.
OCI Vault also offers a rich set of REST APIs to manage vaults and keys.
- Workflow
Oracle Cloud Infrastructure Workflow service is a serverless workflow engine with a graphical flow designer for developers and architects. It accelerates the creation and execution of orchestrations of OCI services, such as OCI Functions and AI/ML services, to perform enterprise logic, IT tasks, and data jobs.
- Virtual cloud network (VCN) and subnets
A VCN is a customizable, software-defined network that you set up in an Oracle Cloud Infrastructure region. Like traditional data center networks, VCNs give you control over your network environment. A VCN can have multiple non-overlapping CIDR blocks that you can change after you create the VCN. You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private.
- API Gateway
Oracle Cloud Infrastructure API Gateway enables you to publish APIs with private endpoints that are accessible from within your network, and which you can expose to the public internet if required. The endpoints support API validation, request and response transformation, CORS, authentication and authorization, and request limiting.
- Autonomous Database
Oracle Autonomous Database is a fully managed, preconfigured database environment that you can use for transaction processing and data warehousing workloads. You do not need to configure or manage any hardware, or install any software. Oracle Cloud Infrastructure handles creating, backing up, patching, upgrading, and tuning the database.
- Bastion host
The bastion host is a compute instance that serves as a secure, controlled entry point to the topology from outside the cloud. The bastion host is provisioned typically in a demilitarized zone (DMZ). It enables you to protect sensitive resources by placing them in private networks that can't be accessed directly from outside the cloud. The topology has a single, known entry point that you can monitor and audit regularly. So, you can avoid exposing the more sensitive components of the topology without compromising access to them.
- Compute
With Oracle Cloud Infrastructure Compute, you can provision and manage compute hosts in the cloud. You can launch compute instances with shapes that meet your resource requirements for CPU, memory, network bandwidth, and storage. After creating a compute instance, you can access it securely, restart it, attach and detach volumes, and terminate it when you no longer need it.
- DNS
Oracle Cloud Infrastructure Domain Name System (DNS) service is a highly scalable, global anycast domain name system (DNS) network that offers enhanced DNS performance, resiliency, and scalability, so that end users connect to internet applications quickly, from anywhere.
- Kafka Streams
Kafka Streams is a client library for building applications and microservices, where the input and output data are stored in Kafka clusters. It combines the simplicity of writing and deploying standard Java and Scala applications on the client side with the benefits of Kafka's server-side cluster technology.
- Object storage
Oracle Cloud Infrastructure Object Storage provides quick access to large amounts of structured and unstructured data of any content type, including database backups, analytic data, and rich content such as images and videos. You can safely and securely store and then retrieve data directly from the internet or from within the cloud platform. You can scale storage without experiencing any degradation in performance or service reliability. Use standard storage for "hot" storage that you need to access quickly, immediately, and frequently. Use archive storage for "cold" storage that you retain for long periods of time and seldom or rarely access.
- Oracle Management Agent
Oracle Management Agent is a service that provides low-latency interactive communication and data collection between Oracle Cloud Infrastructure and on-premises managed instances. Management agents collect data from the sources that you want to monitor. The Management Agent Service, an Oracle Cloud service, manages the lifecycle of the management agent and the plug-ins for the services.
- Oracle Cloud Agent
Oracle Cloud Agent is a lightweight process that manages the lifecycle of plugins running on compute instances on OCI. The JMS plugin collects Java metadata from the environment deployed on the managed instance in OCI and sends it to the JMS service in OCI.
- Kiev as a Service (KaaS)
KaaS is a fully managed data platform service used primarily by Control Plane services on OCI. KaaS provides high-level NoSQL APIs for easy integration, serializable scans, change-feed streaming, and other features. KaaS is a service built on top of Kiev. Kiev is a "NoSQL key-value store" that also supports mini-transactions for convenience. To prevent concurrency bugs in applications, Kiev's mini-transactions have strong isolation which provides stronger guarantees than the weaker isolation levels that are commonly used in Oracle and MySQL. Kiev has an availability SLA of 99.9%.
Recommendations
- VCN
When you create a VCN, determine the number of CIDR blocks required and the size of each block based on the number of resources that you plan to attach to subnets in the VCN. Use CIDR blocks that are within the standard private IP address space.
Select CIDR blocks that don't overlap with any other network (in Oracle Cloud Infrastructure, your on-premises data center, or another cloud provider) to which you intend to set up private connections.
After you create a VCN, you can change, add, and remove its CIDR blocks.
When you design the subnets, consider your traffic flow and security requirements. Attach all the resources within a specific tier or role to the same subnet, which can serve as a security boundary.
Use regional subnets.
- Security
Use Oracle Cloud Guard to monitor and maintain the security of your resources in Oracle Cloud Infrastructure proactively. Use security zones for maximum security.
- Cloud Guard
Clone and customize the default recipes provided by Oracle to create custom detector and responder recipes. These recipes enable you to specify what type of security violations generate a warning and what actions are allowed to be performed on them. For example, you might want to detect Object Storage buckets that have visibility set to public.
Apply Cloud Guard at the tenancy level to cover the broadest scope and to reduce the administrative burden of maintaining multiple configurations.
You can also use the Managed List feature to apply certain configurations to detectors.
- Security Zones
For resources that require maximum security, Oracle recommends that you use security zones. A security zone is a compartment associated with an Oracle-defined recipe of security policies that are based on best practices. For example, the resources in a security zone must not be accessible from the public internet and they must be encrypted using customer-managed keys. When you create and update resources in a security zone, Oracle Cloud Infrastructure validates the operations against the policies in the security-zone recipe, and denies operations that violate any of the policies.
- Network security groups (NSGs)
You can use NSGs to define a set of ingress and egress rules that apply to specific VNICs. We recommend using NSGs rather than security lists, because NSGs enable you to separate the VCN's subnet architecture from the security requirements of your application.
- Load balancer bandwidth
While creating the load balancer, you can either select a predefined shape that provides a fixed bandwidth, or specify a custom (flexible) shape where you set a bandwidth range and let the service scale the bandwidth automatically based on traffic patterns. With either approach, you can change the shape at any time after creating the load balancer.
Considerations
Consider the following points when deploying this reference architecture.
- Performance
Consider the following items when implementing the reference architecture to detect and manage Java installations and Java applications in managed instances that are on-premises.
- The JMS agent uploads the Java metadata over the network, so plan for that traffic and for the firewall egress rule it needs (outbound TCP 443).
- The agent requires the latest JRE 8 version to run on the managed instance.
- The agent requires 512 MB of free heap memory on the managed instance.
- The agent competes with your application for CPU on the managed instance.
The uploaded metadata is available in your log object. JMS processes the metadata to generate insights; these insights and metrics are stored in the service-owned Oracle Autonomous Transaction Processing database. You can use the API to query the service for historic insights on the Java deployed in your environment. JMS is not a real-time system: current and historic insights can lag because the service is also handling queries from many other customers.
- Security
Use policies to restrict who can access the Oracle Cloud Infrastructure (OCI) resources in your enterprise, and how they can access them. The Java metadata collected from your environment is written to a log object that your enterprise owns. JMS processes this metadata and presents the insights to you; the insights are stored in the Oracle Autonomous Transaction Processing database. Reports that you generate are stored in your OCI Object Storage.
Encryption is enabled for OCI Object Storage by default and can’t be turned off.
- Availability
JMS is designated a category 10 service with a published service level objective of 99.9% (three nines).
- Cost
JMS is a free service. The basic features for monitoring and querying insights into Java in your environment are available to everyone. The advanced features that manage Java in your environment are available only to Java SE subscribers running on-premises managed instances. The full-feature version of JMS is also available when you run your entire workload on OCI.
If you have on-premises managed instances and only minimal Java workloads, you might find it acceptable to run JMS within the limits of the OCI Free Tier and avoid the small monthly cost of compute, storage and network egress.
Explore More
Go to Set up Java Management Service to monitor Java usage on an Oracle Linux host to set up and enable Java usage monitoring on your Oracle Linux machines.
- Oracle Cloud Cost Estimator
- Oracle Cloud Infrastructure Software Development Kit (SDK) for JMS (GitHub)