enabling the adaptive enterprise

About us
Oracle Platinum Partner
Microsoft Gold Partner
280 Employees
Privately-Owned Corporation
Cross-Industry
Non-Proprietary
Founded 1994
33 million Euro Revenue in 2018
Your Partner for Digital Change
Individual IT Solutions from a Singl

About me
§ Niels de Bruijn, Business Unit Manager Low-Code
§ Dutch guy, born in 1977, married, three daughters, living in R
§ Responsible for all Low-Code activity in the company
§ Knowledge Portal: apex.mt-ag.com
§ Track record with APEX since its inception
§ Oracle APEX 18 Developer Certified Professional
§ DOAG e.V. - Director Development Community
§ DOAG e.V. - Initiator & Conference Chair of the 3-day confere

Visit knowledgebase.mt-ag.com
https://knowledgebase.mt-ag.com/q/a

APEX archit

Why build yourself? Get Cloudy! (< 10 m
For everybody who doesn't want to set up the APEX environ
(and can live with the fact that their data is residing outside their own
Options of hosting services:
§ apex.oracle.com - free, but not for production; limitations like access to DB, no backup
§ Oracle Cloud Free Tier
§ apex.oracle.com/autonomous
§ 2 databases with each 20 GB of uncompressed user data (minu
§ You need to implement a backup plan yourself
§ No activity within 7 days? Your instance will be stopped!
§ See excellent blog post series by Dimitri Gielis for more info: ht
§ Valid alternatives for reliable, hosted APEX environments: maxapex.com, revion.com, skillbuilders.com, AMI on aws.com, en

Installing yourself? Warm-up o

Laptop Installation (+/- 2 hours in total)
[Diagram labels: Browser, Client]
1. Install Oracle Database 18c Express Edition (XE)*
2. Install the latest APEX version in the PDB
3. Load the static files of APEX in the PDB
4. Configure RMAN & test backup/recover process
*) - Great blog post from Johannes Ahrends about XE 18c: https://www.carajandb.com/en/
- No official support from Oracle, but with the next XE version, you could transfer the PD

Warmed up? Let's take it to

Minimal Server Installation (+/- 8 hours
[Diagram labels: Browser, Client, Server, Oracle REST Data Services, Tomcat; connection: HTTPS]
1. Get your Oracle Linux server with root access (buy HW yourse
• Alternatively, install CentOS and convert to Oracle Linux (see: htt
2. Install Oracle RDBMS, APEX, Tomcat, configure & deploy OR
3. Configure RMAN & test backup/recover process
4. Install SSL certificate in Tomcat

Recommended Server Installation (+/- 9
[Diagram labels: Browser, Client, Proxy Server like Apache Web Server, NGINX or IIS, Oracle REST Data Services, Tomcat, Linux/Windows Server, Data; connections: HTTPS, AJP or HTTP, JDBC]
1. Same steps as seen on previous slide
2. Install proxy server in front of ORDS
3. Install SSL certificate on the proxy server
4. Disable direct communication with Tomcat

Adding Single Sign-On for my APEX apps
For the sake of
§ Security
§ Productivity

Alternative 1: Adding SSO using OAuth2
[Diagram labels: Browser, Client, Proxy Server like Apache Web Server, NGINX or IIS, Oracle REST Data Services, Tomcat, Linux/Windows Server, Data, i.e. Azure AD / ADFS; connections: HTTPS, AJP or HTTP, JDBC]
• Azure AD as authentication provider gets more and more ado
• Users are already familiar with Azure AD because of Office 365
• Azure AD has some great features like application proxy, self-re
• Step-by-step guide on https://knowledgebase.mt-ag.com/q/a

Alternative 2: Adding SSO using Kerbero
[Diagram labels: Browser, Client, Apache Web Server or IIS, Apache: mod_auth_kerb, Windows Domain Controller with AD, Oracle REST Data Services, Tomcat, Linux/Windows Server, Data; connections: HTTPS, AJP or HTTP, JDBC]
• For internal APEX environments with Windows AD accounts a
• Step-by-step guide on https://knowledgebase.mt-ag.com/q/a

Alternative 3: Adding SSO using SAML2
[Diagram labels: Browser, Client, Apache Web Server, Apache: mod_auth_mellon, i.e. Azure AD / ADFS, App registered o, Oracle REST Data Services, Tomcat, Linux/Windows Server, Data; connections: HTTPS, AJP or HTTP, JDBC]
• It works, but I would prefer using OAuth2
• Step-by-step guide on https://knowledgebase.mt-ag.com/q/a

OAuth2/OpenID Connect, Kerberos or SA
Here are my recommendations (in this order):
1. OAuth2/OpenID Connect authentication provider available
• Use Social Login in APEX 18.1+
• Easy to get extra data during authentication (i.e. cost center,
• Authentication provider can be both inside as well as outside
• Supports changing authentication method in runtime (i.e. if som
2. Kerberos as authentication method available?
• Use a proxy server like IIS or Apache Web Server
• Beware of Kerberos tickets getting too big
3. SAML2
• Works with Apache Web Server (with mod_auth_mellon)
• Cumbersome to set up; OAuth2 is becoming more widely adopted

About High Availability
[Diagram labels: Browser, Client Device; load balancer: i.e. DNS, NGINX, FabioLB/Consul*, H; Kubernetes Cluster with Master 1 and Master 2; Ingress (i.e. NGINX/Traefik) – exposes Services; Pod, Service „Web“, Docker Image Web Server; Pod, Service „Tom, Docker Im ORDS on To; RDBMS Instance, Listener; DB Node 1, DB Node 2; Oracle RAC (mirror this for disaster recovery); Clusterware; Storage (RAID); Linux distribution used: CoreOS]
*) http://krisrice.io/2019-04-17-ORDS-Consul-Fabio

Some random thoughts…
§ Important internet facing environments should consider usin
§ i.e. Cloudflare
§ Consider using Oracle Data Guard (requires Enterprise Edition
§ Have a look at another great presentation from Adrian Png a
§ https://insum.ca/portfolio/whos-who-in-apex
§ Recommended APEX@home presentations with focus on arch
§ Bring the Light into Your Always FREE Autonomous Cloud, Dimi
§ Social Login while Social Distancing, Martin Giffy D'Souza
§ APEX Security Checklist, Scott Spendolini

Contact
@niels nielsd linked xing.c apex.
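
Step 4 of the recommended server installation above ("Disable direct communication with Tomcat") can be checked against Tomcat's server.xml. The following is an added example, not part of the original slides: the function name `audit_connectors` and both server.xml samples are constructed for illustration, and it assumes the proxy server runs on the same host as Tomcat, so every connector should listen on loopback only.

```python
import xml.etree.ElementTree as ET

# Assumption: the proxy runs on the same host as Tomcat, so loopback is enough.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: connectors as they might look after the minimal install.
WEAK = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" address="0.0.0.0"/>
</Service></Server>"""

# Constructed sample: connectors reachable only through the local proxy.
HARDENED = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1"/>
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             secretRequired="true" secret="PLACEHOLDER_SHARED_SECRET"/>
</Service></Server>"""


def audit_connectors(server_xml):
    """Return one finding per Tomcat connector setting that bypasses the proxy."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port", "?")
        addr = conn.get("address")
        is_ajp = "ajp" in conn.get("protocol", "HTTP/1.1").lower()
        # A connector not pinned to loopback may be reachable from other hosts,
        # which sidesteps the TLS termination and SSO enforced on the proxy.
        if addr not in LOOPBACK:
            findings.append(
                f"port {port}: address {addr or 'unset'} is not pinned to loopback")
        # AJP trusts what the proxy sends; a shared secret limits who may speak it.
        if is_ajp and not conn.get("secret"):
            findings.append(f"port {port}: AJP connector has no secret")
    return findings


if __name__ == "__main__":
    for name, xml in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_connectors(xml) or "no findings")
```

If the proxy runs on a separate host, loopback binding does not apply; restrict the connector port to the proxy's address with a host firewall instead and adjust `LOOPBACK` accordingly.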