Articles specific to Oracle software products, including the former Stellent product line

IOUG Collaborate 08: Day One

I suppose I should start with day zero, and not day one...

Michelle and I landed, but the hotel didn't have our reservations on file. Great... and on the one day we decided to not print out the confirmation letter. Michelle scoured her web-email using the computers behind the reservation desk... in the meantime a few Oracle employees came in and were initially confused as to why she was working behind the counter... Anyway, the clerk looked through their list of who was checking in that day, just to see if our names were spelled incorrectly.

We were there of course: as Brian and Michelle Hugg. Lovely. Yeah. We'll live that down.

Later I had drinks with some folks I hadn't seen in a while (like Dan Norris and Matt Topper), as well as folks I heard of but never met (like Jake Kuramoto and Paul Pedrazzi). The Oracle ACE Director dinner was good. I love finding out what other ACEs are up to, and what technologies they are interested in. The buzz these days seems to be all about Hyperion... just when I started learning about BI Publisher and Real-Time-Decisions!

Keeping up on enterprise technology is a constant struggle...

The first day of IOUG Collaborate 2008 was pretty good... I hung out at the Enterprise Content Management conference-withing-a-conference a lot to chat with other ECM folks. I gave a well-recieved talk about why ECM projects fail, which was essentially an extension of the AIIM list from last year. It wasn't just a rant, it had some practical advice of what typically goes wrong, and what you can do about it. Cliff Cate and Tom Tonkin presented their war stories and advice as well.

Here's a tip: very few enterprise software failures have much to do with bad software... its almost always poor communication.

I wasn't able to attend many sessions after that... not the exhibit hall, not even the keynotes. I did check out the hands-on lab about Oracle Text, hoping for a deep dive... but it was pretty basic. Attending a conference is more fun when you're not a presenter. I had to go to my hotel early to put the finishing touches on my Tuesday presentation... so I skipped all the festivities.

I have another session on day 2, after which I'll be able to relax, attend more sessions, and network more.

Oracle Unbreakable ECM?

After my security posts last week (here, here, and here), I got an interesting email from an Oracle partner out west (David Roe from Ironworks)... one of his customers put Stellent though a battery of automated security tests, and got some surprising results:

Incidentally one of our clients ran through a couple rounds of automated security testing on their UCM instance. They sort of surprised us with it actually, but when they were done sent back some great feedback about how strong the system was and how it passed every check (apparently an uncommon occurrence). I personally don't put a lot of faith in any automated testing, but it's nice to know Stellent will pass one :)

Like the author, I don't put that much faith in automated tests... but many of these security testing companies are batting 1000: some of these firms brag that they always find security holes, but this time they came up empty. Even on an unannounced, surprise, security audit.

Naturally, neither David no myself will reveal the name of the customer... because bragging about an unbreakable system is the surest way to attract the wrong attention... but if a legitimate analyst or existing Oracle customer would like to chat with these folks, Dave could facilitate a connection.

What Should ECM Apps Do About Security?

James responds... to my latest security rant, with a lot of good points. I think this point here is the best:

Have you ever noodled that as data flows from one system to another within an SOA, but the security model doesn't, that this is another attack vector? For example, what if I have access to data in a policy administration system such that I can figure out if you are insuring an auto that your wife doesn't know about but couldn't do the same in a claims administration system? I bet you can envision scenarios when you integrate a BPM engine with an ECM engine that security becomes weaker.

Absolutely... unfortunately, this is an amazingly difficult problem. Its not really the realm of ECM or BPM to solve it... rather, the best thing that we can do is not get in the way. Let the experts solve that one, and then integrate as well as possible with global policy management systems.

My suggestion is this:

  1. Implement a policy-based security model in your application (ECM/BPM).
  2. Loosely couple your application with an identity management system, so you can access a global security policy.
  3. Place extra hooks -- and allow people to "inject" new hooks -- that allow additional security callbacks to arbitrarily re-validate both credentials and access rights.
  4. Optionally, map the global policy and list of access rights to a policy more relevant to your application, and allow access by "local" users not in the global repository.

Most applications in the Oracle ECM stack follow this methodology... but I can't vouch for all Oracle applications. I like it, because its flexible enough to 'slave' yourself to an identity management system, and yet still have some local control over access rights if you want to 'boost' somebody's credentials.

I think it would be great if Oracle chose to augment this model to add support for a policy auditing standard... but I have no idea if anybody is asking for one, and if so, which one? I'm positive James has an opinion... I'm a fan of just using Business Intelligence to do the reporting, since (again) you can "sneak-in" better security along with the latest buzzword ;-)

Sub-optimal? Of course... but anything that makes security look less like a cost-center is good...

I also like the concept of Oracle's magic black box for identity services. That would make it easier for developers to create policy-based security models, that (in theory) would work with old, new, and emerging standards alike (XACML, CardSpace, OpenID, etc.). It's not that I don't like XACML, its simply that there are other horses in this race... and developers do not have the power to dictate architecture. We can suggest what works best, but in the end, the most sellable product will support them all.

I fully agree that #4 is a possible attack vector, which is why good access auditing and rights auditing tools are important... However, users frequently insist on local control of security rights, because there are many legitimate business cases where it isn't feasible to place all users in a global repository with the proper rights. Sometimes -- especially during mergers and acquisitions -- you want to keep the identities and access rights of these folks as secret as possible. Or, if your IT department has a 3-week waiting period for new users, but you need a contractor NOW for a 2 week project, guess what will happen?

I especially like how Oracle ECM implements #3... some of the more interesting aspects of the future of security involve multiple challenges for access. For example, assume a user has access to both mundane and highly restricted content, but her daily work is usually with the mundane. Now, at 7pm, she's suddenly accessing a ton of highly restricted content. Red flag! Even if her security tokens have not yet expired, a good security system would notice that this behavior is strange, and demand further authentication credentials... maybe the name of her first pet, or the manual-override PIN.

Anyway, Oracle ECM doesn't do any integrations like that as of yet, but it has the flexibility to do it... several identity management systems support that approach, and ECM is being positioned more and more as "infrastructure..." so I'd wager its only a matter of time.

Want Secure Software? Then Pick Your Battles

I don't mind when James throws daggers at me about security... because

  • his aim sucks (just ask his hunting buddies), and
  • hey, free cutlery!

Seriously, I believe we agree on several points... we just have different perspectives.

My point was that creating secure software is extremely difficult... even if you educate your developers about the OWASP top ten (which ain't all that great anyway), and even if you religiously use tools like Ounce Labs or Coverity, you'll always have problems. Those tricks are good checks against developers making brain dead stupid decisions, but they'll never catch the subtler security problems.

The issue is one of complexity... the vast majority of security holes occur in the interfaces between applications and/or concerns. This doesn't just mean cross-site scripting vulnerabilities on the web interface, nor just the sql-injection attacks on the back end... it also includes any time you connect two code bases together in new and novel ways. The very nature of service-oriented architectures and modular code bases exponentially increases the number of things that can go wrong. Even a security-savvy developer that runs Coverity would never have enough time to test every possible permutation... nobody is willing to wait that long for the test cycle to complete, nor would anybody be willing to pay for it.

Thus, some problems will never be noticed until they are "in the wild."

You can yell and scream all you want... but this doesn't change the basic math. Again, don't just listen to me... check out security guru Bruce Schneier and his essay on why insecure products will always win in the marketplace. Its basic economics, called the "market for lemons," which I've covered before.

James seems to need some kind of evidence that the code is at least reasonably safe before putting it into production. Fair enough, but his suggestions suck. I can't think of one single certification that I would be personally willing to trust... penetration tests are OK but flawed. Developer certification courses only teach the basics, and are generally useless. Stamps of approval by "security experts" are nice, but as I've mentioned before, I've found problems that these self proclaimed "experts" missed.

In short, all of James's proposed solutions are false senses of security. Rely on them at your peril. If he's got a new one I've missed, I'm all ears.

You will always need to patch your applications. Accept it. You will never have a "100% secure" system. Accept it. The best you can hope for is something that gets more and more "defensible" as it matures. Accept it. Patches are a necessary evil. Accept it.

Instead of fighting the security battle -- which you will never win -- pick a battle that will both make your life easier, and have better security as a byproduct. Demand that your vendor:

  1. minimizes the number of required security patches, either through bundling or by educating their developers about security,
  2. thoroughly tests those patches to minimize the side-effects, and
  3. has excellent tools to help deploy, test, and roll-back patches if needed

That's probably the best you can hope for...

UPDATE: James responds, and I continue the dialog.

Take The Oracle Security Survey

Do you use Stellent, or any Oracle technology? Then you should probably take the IOUG Oracle Security Survey:

http://survey.ioug.org/

Select the OSSA Security Survey, and let 'er rip! It's sponsored by Oracle and the Independent Oracle Users Group. The goal is to gather information about your security practices including general processes for vulnerability and patch management, Critical Patch Updates, and the like. IOUG will analyze the results, and issue recommendations to Oracle at Oracle's next Security Customer Advisory Council. IOUG has release a security podcast to explain more about the survey.

I was shocked to discover that fewer than 20% of Oracle customers admit to applying the rolling security patches that Oracle releases... yikes. Back when I was a developer, I always found it extremely frustrating that customers rarely applied patches to known security holes... CERT often says that 99% of security breaches are due to users not applying patches. In other words, 80% of Oracle customers choose to make themselves vulnerable to 99% of the attacks.

WHY???

Unlike James McGovern, I don't believe security problems are entirely due to bad software or clueless developers... I'd argue most security problems are due to improperly configured and improperly maintained software. However, I also believe that blaming the implementation team is a cop-out. Instead, developers need to realize that security is a process, not a product (hat tip Schneier).

Thus, the best thing a developer can do for security is focus on software that can effortlessly evolve to meet tomorrow's security challenges. If you want secure applications, first demand software that is effortless to patch and maintain. This includes software that can easily roll-back patches in case the security fix broke something important... Then fewer people would fear installing the patches, more would use the existing patches, and there would be significantly fewer breaches.

If software were easy to configure and maintain, then security would get better and better the longer you owned it... not to mention you'd have fewer bugs, and generally better software. Stable products are always more secure. Why? If the product is rock solid, with few bugs, then people are less risk-averse to applying critical patches. Better documentation helps as well, as do better patch tools...

With easy patching, easy maintainability, stable software, and a vigilant community, security is a natural by-product. Also, this helps security becomes less of a cost-center... easy patching and configuration is great for ROI, no matter what.

It Just Makes Sense©, so don't expect too many people to press for it any time soon...

Although relatively speaking, I'm pretty impressed with Oracle's patch technology. The new 11g database watches for errors, and can notify you about patches that might fix the problem. Likewise, the Content Management team has a pretty good patch process... unfortunately, it takes forever to get anything out to Metalink, so your best bet is to always contact support for the latest patches.

New Site Studio Contributor Is Released!

Its about time...

Oracle has finally released the much anticipated update to the Site Studio contributor. The old one used an ActiveX control, and only worked in IE. The new one has been in development for about three years now... and works on all browsers and platforms. Free update for 10gr3 users, so have at it!

Update: this contributor will eventually be released for Site Studio 7.7 and Content Server 7.5.1... they have a set of patches to enable it, they just need to finish the testing phase. Stay tuned!

The engineers did a pretty cool job of abstracting the editing layer from the data layer... so its easy to plug in whatever contributor you want. The released version uses the Java-based Ephox editor... but you could use a pure JavaScript one (like the FCKEditor) with a bit of effort... likewise, you could use Adobe Flex to create a desktop version of the contributor app, if one were so inclined...

I like the Ephox editor... it has a ton of cool new features, and I think everybody will be pleased with this change. My favorite feature is the styles drop-down: it shows you what the CSS styles look like in the name, and breaks them down into block- and inline-styles. That way, people unfamiliar with using styles to pick colors/fonts/sizes/etc, can use the preview as a guide. With a good web designer, that can give the site a highly polished look...

Oracle is hosting a web content management conference on April 16th. They should be demo-ing the new editor... so sign up if you'd like to see it in action.

Since browsing Oracle Metalink for patches is a baffling ordeal, Alan Baer kindly put together a table with the names of all the patches you'll need... You're required to install 3 or 4 patches, depending on which version of the content server you have:

10.1.3.3.2 10.1.3.3.1
Site Studio 10.1.3.3.3 (Build 225) 6907097 6907097
Content Server Update Bundle 6907073 6050990
Native Update Package 6899660 6899685
Content Access Update Package Not Required 6899823

"Disks Have Become Tapes"

A lot of software performance is IO limited... meaning the bottleneck is how fast data can be read or written. This bottleneck is usually in the network layer, but its also in hard-disk speeds, as well as access time from memory.

But what some folks found interesting is the speed at which improvements are being made in defeating this IO bottleneck. The random-access speed

  • Reading randomly located data from a disk is improving in speed by about 5% per year
  • Transferring data out of the disk -- to the bus or the network -- is improving in speed by about 20% per year

In other words... the best way to improve IO performance in the long term is to treat your disk drive as if its a sequentially-accessed tape, then move it to another node where it can be processed.

This has some pretty interesting implications for the future of high-performance software... soon, the "right way" would be to have multiple nodes with small hard drives, and an infrastructure focused on moving discrete chunks of data around... instead of working on them in-place. It also means databases like Coherence have a better long-term high-performance strategy, when compared to other databases that focus on tables, and random-access on disks.

The bugaboo is, of course, latency...

IOUG Collaborate Presentations

Just a reminder... I'll be attending the IOUG Collaborate 2008 conference (April 13-17), and sitting on the panel about Making your Project Successful, also featuring Cliff Cate. I'll also be giving my popular Introduction to Integrating Oracle ECM talk... which you might have seen before...

Why am I giving the same dang presentation I gave at Crescendo and Open World? Because its topical, and its a good companion piece to my next book. Folks doing Stellent integrations with Oracle apps needs to understand what their options are... I'll have something fresh and clean for Open World 2008, I promise!

There's rumors about a mini Crescendo at Collaborate... that may or may not pan out... I'll keep you informed.

If you're looking for Stellent talks at Collaborate, you might want to also check out Eric Marcoux's presentation comparing Oracle Portal, Web Center Suite, and Stellent / Site Studio...

When Software Standards Fail

Its refreshing to see James McGovern blog about when "standards" become a bad idea. I've said numerous times that every enterprise content management standard to date was a bad idea... We have five already. The idea of yet another one makes me groan.

Haven't we learned our lesson yet?

Look... if you bought Stellent because it kicks ass at solving your problem, then no ECM standard would satisfy you. Likewise, if you bought Documentum because it kicks ass at solving your specific problem, a dumbed-down ECM standard would drive you nuts. Interoperability is a great goal... but a standard?

Enterprise Content Management is a marketing buzzword, not a specification. Its not a relational database. Its not an identity management system. Its a mix of software, solutions, and tools that try to help you manage that which -- by definition -- is barely manageable... Everybody does it in different ways, because each focuses on solving a subtlety different problem...

I'm pretty comfortable saying that Documentum and Stellent are the only decent ECM solutions available. Alfresco and Sharepoint are more "point" solutions that grow virally, and cause more content management problems than they solve. Interwoven is ok, if all you care about is one single web site, and you never ever ever care to reuse your content anywhere else. Unfortunately Interwoven's web-centric market space is being continuously attacked by both cheaper and better open source / hosted solutions... so I don't see Interwoven lasting too long.

What about IBM you say? Dear lord, please stop the insanity... Lets set aside the fact that that they believe content management is the same thing as managing scanned paper... and lets just focus on the fact that IBM is a consulting company, not a software company. They have a very strong financial incentive to release very crappy software and charge you hefty consulting fees to make it work. Have you heard stories of IBM projects that cost 10 times more than initially promised, and still didn't work? So have I... If you use any piece of their ECM stack you'll probably become a similar statistic...

Rule of thumb: if you use IBM Global Services, make sure that they never install any software products made by IBM -- even for free -- any you'll probably be happy with the result.

The wild card -- at least for me -- is Open Text. Its rated highly by the analysts, but I've never kicked it around enough to analyze its strengths. However, I have heard stories by at least 4 Stellent employees, where Open Text tried to hire them away at nearly double their Stellent salary... and every single one rejected the offer. That says enough to me...

So, what's all this got to do with ECM standards? Simple... Why bother wasting cycles on an ECM standard, when half the players won't exist by the time the standards are decent? I've said it before and I'll say it again, I doubt a decent standard will be worth creating until 2009.

Now, what about organizations that already own 4 content management systems? Wouldn't a standard help them? Not really, because when you consider market forces, odd are only 2 of the 4 systems would bother to implement the latest buzzword (like JSR170 or JSR283). Do you honestly believe Microsoft will jump on the bandwagon for a Java-centric standard? Keep dreaming. Microsoft uses crap-tacular WebDAV and shows no signs of a desire to change... any standard that excludes .NET and PHP based solutions is doomed from the start.

My money is on lightweight web services, something that's simple and easy to add. A simple standard that misses 20-30% of the functionality is always better than an over-engineered monstrosity. Its better to be approximately correct, than exactly wrong.

You best bet in the short term is to focus on consolidation and findability... if consolidation doesn't make sense for business reasons, then plunk down something like Oracle Secure Enterprise Search, or a Google appliance. That gets you part of the way there... using something like Oracle Universal Records Management gets you even more...

I got a dozen more ideas, but I don't want to turn this into an ad ;-)

Want Oracle ECM Training? Join me in Chicago March 18th!

Hey folks... Oracle's a bit short on ECM resources at the moment, so I'll be teaching their ECM Partner Training course -- aka "boot camp" -- for a while. We already had a packed event in Atlanta. The next one is in Chicago, the week of March 18th. You can register for it online via Tesserae.

Yep... that's the day after St Patrick's day. We wisely decided to start at noon on the 18th...

The agenda will be geared mainly for partners who want to get up to speed on what content management is, and how to sell it. The first half day will be an intro to the main ECM products, and installation of the software on your laptops. The second day is all about configuring the core content server (security, metadata, workflows, etc). The third day will be web content management (Site Studio), the ECM roadmap, and some help on positioning and sales. The fourth day will be advanced topics: records management, performance tuning, integrating with app servers, and whatever else I can cram in!

Its a lot of ground to cover... but it will be a thorough overview, plus some deep-dive on the final day.

We're also planning a class in Redwood Shores some time in May... we're still hammering out the details with Oracle. I'll let you know when the date is set.

Oracle ECM: InfoWorld's Best Technology Of 2008

This feels good... Info World has given Oracle's Universal Content Management the 2008 Technology of the Year Award.

I'm especially proud because Michelle was the one who put together the VM Ware image, and spent time making sure all the nifty gizmos were all front-and-center.

It looks like Oracle is starting a new ad campaign around it as well... ECM and the SOA Suite both won 'best' awards from InfoWorld, and the marketing group has decided to milk it a bit. Click on the ad below to see what ran in a full-page ad in the Wall Street Journal last week.

Tridion won best web content management solution... but I'm not too worried. The future is in content management is as an infrastructure. Which means flexibility, security, and performance are key. If all you do is solve the easy problems -- like Web 2.0 gadgets -- while ignoring the hard problems, you'll get into trouble. Some say the non-platform players like Interwoven will be absorbed... I say they'll be crushed by a hosted solution, or open source, or both.

Anyway, congrats to the 10gr3 dev team!

Free Samples For Oracle ECM

Oracle recently created a web page for their 'supported' samples and tutorials:

http://www.oracle.com/technology/products/content-management/ucm/samples/index.html

At present it has the following components up for 10gr3:

And a small handful for 7.5:

Notably absent are the blogs and wiki samples for 10gr3... I have older versions at the Bezzotech library, or you can just wait until Oracle updates them, and published them to the above page...

UPDATE: I added the RSS Feeds sample for 7.5 to this list... plus I heard that the Sample Blogs and Sample Wikis might be released in a patch in the near term. Fingers crossed!

Collaborate 2008: Now Cheaper, and With More Me!

If you're thinking of attending IOUG Collaborate to see some Oracle ECM goodness, then you should register by March 13th so you can save $400. Just use the promotion code: EM01 when you register... and save some coin. Maybe rent a clown with the extra cash...

IOUG put together a small ECM landing page, as well as an ECM session guide. I'll be presenting there... although I'm a bit sheepish that they called me President of Bezzotech... I only use that on tax forms. I prefer the title Chief Software Architect.

As an added bonus, you can sign up for one-on-one sessions with some Stellent heavyweights. Frank Radichel (VP R&D for all of Oracle ECM), Andy MacMillan & Roel Stalman (heads of product management), Cliff Cate (head of ECM solution architect group), and yours truly.

Hope to see you there...

ECM And Security

It looks like James McGovern is back at it again... criticizing ECM bloggers for not caring enough about security...

I do blog about security a bit... just check my security topic feed for some examples... but I intentionally limit the number of times I do so.

Why? Firstly, my wife thought I was attracting the wrong element with my posts about how Phishers could use anti-spam technology to hack URLs to look like they came from Amazon or Google. That attracted some unwanted attention.

Secondly, I'm keenly aware that the security of the application is secondary to the security of the solution. ECM is one piece of the puzzle... I've been privy to three separate reports from security firms who did penetration tests against Stellent solutions. Two from government agencies, and one from a major financial institution. Of the dozens of holes they found, only one was due to a problem in the core product (now patched)... the rest were problems with the configuration and design choices by the implementation team. I also felt proud that afterwards I tracked down two security holes that three specialist firms failed to find... one esoteric SQL injection vector, and another cross-site scripting attack with improperly-encoded URLs that only worked in IE... because IE was trying to be 'helpful.' Both have been patched for some time...

Thirdly, perhaps because of my disappointment with implementation teams, I've addressed a lot of these security risks and countermeasures in my Stellent book, and my Stellent security presentation from Crescendo 2006... and I find it a bit dull to repeat myself...

I would agree that the OWASP Top Ten are important for everybody to know, but then again, so are the fallacies of distributed computing. If you ignore the former, your solution might not be secure... but if you ignore the latter, your solution won't work at all.

Personally, the I think the OWASP top ten is a bit off... I doubt even Bruce Schneier would put 'cryptography' in the top ten, while leaving out such monsters as input validation, improper UTF8/URL decoding, configuration management, and denial of service. Cross Site Request Forgery is almost exactly the same attack vector as cross site scripting, so calling it out as a separate issue is kind of silly...

Anyway, I restrict myself to one security post per month... so I'm categorizing this as an "Oracle" post so I can sneak in two for February 2008 ;-)

Exit Interview From Oracle

I like Oracle... although I never worked directly for them: I worked for Stellent, and left slightly before the takeover... so I can't really comment on what its like to work there. All I know is that they have great software... and no I'm not biased!

Anyway, Emily here does work for Oracle... Or at least she did until recently... She left her job as a consultant, and as part of the resignation process, she was asked to fill out an exit interview web form. After finishing, and clicking the check spelling button, this is the page that was returned:

woah...

My complements to you Oracle consultants... you are indeed a patient breed...

(Hat tip: The Daily WTF)

New Oracle Social Site: oraclecommunity.net

We got yet another Web 2.0 site for networking with Oracle experts: oraclecommunity.net.

Its based on Ning, an open network for creating social software communities. I've created a few Ning communities myself... but never liked any of them enough to do the proper care and feeding ;-)

Check it out if you'd like to interact with web-savvy Oracle experts. Or, if you have a suggestion for Oracle, you should check out mix.oracle.com. You need to be an Oracle customer to join mix, but you get some pretty decent interaction with developers and project managers inside Oracle.

(Hat Tip Jake)

Oracle ECM Web 2.0 Goodies: Blogs, Wikis, And RSS Feeds

I've been hearing quite a few complaints from people who can't find Stellent's old sample components on MetaLink... thus many folks are unaware of their existence... so I thought I'd post several of them to my library, and make this clear:

Oracle Enterprise Content Management has Blogs, Wikis, and RSS Feeds built in!

I put those features together for Stellent about two years ago... lots of folks contributed, including Andy MacMillian, Kyle Hatlestad, and Alan Baer... These may need a bit of extra polish to be fully 10gr3 compliant, but they come with source code, so have at it! All three are a natural extension of what Oracle ECM does, so they were pretty easy for me to create... I can't imagine you'd have much trouble tweaking them.

Oracle ECM also has Mashups, although the samples I put together are not formalized. They're from a presentation that demonstrates how to do ECM mashups using SOAP over JavaScript. I also did a more advanced example of Google Maps mashed up with arbitrary database tables published dynamically with Schema. It got lots of oooohs and aaaaahs from the crowd ;-)

Please note: the blogs and wikis are meant to be samples that you integrate into an existing Site Studio web site. You'll probably want to modify the colors and styles. If you enable wiki pages to be written in Microsoft Word, then you may want to modify the dynamic converter templates as well. That's right: you can even author Wikis in Microsoft Word! Try doing that anywhere else.

So, what's the difference between the "Web 2.0" stuff in Oracle ECM, versus the stuff in Web Center Suite? Simple:

  • Web Center is a framework for creating Web 2.0 solutions
  • Oracle ECM is a product with Web 2.0 features

In other words... Oracle ECM has mature out-of-the-box Web 2.0 gizmos, as do several Oracle products. Web Center is a pile of tools that allows you to build a custom Web 2.0 application from scratch. Another option would be to use JRuby and Rails for all your Web 2.0 needs... just like the Oracle Apps Labs folks did for mix.oracle.com, which generated a huge buzz on the web. Also, Oracle recently bought BEA, which probably increases your Web 2.0 framework options yet again!

Confused yet?

Also note: despite the fact that ECM's wikis may have fewer features, at least ECM's Wiki supports the Oracle database! Web center's bundled wiki apparently uses file-based HSQLDB for its database... that shocker is courtesy of Paul Gallagher, who advocates a wait-and-see approach with Web Center.

Enjoy!

BPEL Workflow Integration For Stellent

Oracle has recently released a plug-in to enable Business Process Execution Language (BPEL) support for the Stellent content server.

This means that you can visually design your workflows using a BPEL designer -- like JDeveloper -- and run it on a remote server running Oracle BPEL Process Manager. This allows you to easily integrate Stellent workflows with anything else that speaks BPEL... such as an enterprise service bus, or enterprise applications such as PeopleSoft. It also makes it easier to visually design workflows of moderate complexity. If you use workflow a lot, offloading the workflows effort to a another server through BPEL will also improve performance and scalability of your content server...

The BPEL integration was released with little fanfare back in December (patch #6668869)... despite being sought after by hundreds of customers, the only "official" word about it seems to be on the Oracle Forums. If you're signed up with Oracle Metalink, use the link below to download the integration:

Please note: the documentation for it is a bit thin at the moment... it should be easy for somebody familiar with JDeveloper and BPEL, but existing Stellent customers may need an extra hand. One helpful soul put out some extra BPEL documentation on RapidShare. I'd suggest downloading it if you need a step-by-step BPEL example.

Also, keep reminding yourself that there is no silver bullet! BPEL is cool, and visual workflows are cool, and they are extremely useful when properly used... but BPEL can't do everything. So keep your wits about you, make sure your workflow processes aren't too rigid, and you'll be fine.

Oracle Acquires Captovation Too!

Buried in the chaos of the BEA acquisition news was the Oracle acquisition of Captovation: a scanning software company.

People always asked me what scanning solutions integrate well with Stellent Content Management. I've pointed them to several companies, including both Captovation and Kofax. Both are excellent scanning solutions... the general consensus was that Kofax was the leader, but it cost more. However, I guess the new official line is to recommend Captovation ;-)

This blend is definitely A Good Thing. I see a ton of opportunity here, especially for line-of-business scanning solutions. Its a problem almost everyone has, there is clear return-on-investment, and its a quick sale.

Then of course, once the scanning solution is working, people start playing with the Content Server a bit more... they notice cool things like web content management, digital asset management, wikis, folios, all in the same repository. Heck, they might not even need to install any new software! They start using advanced features more and more, and finally "get" the value of true Enterprise Content Management.

Or, they decide to integrate their process at a higher level... after scanning the document, they use the Stellent BPEL Integration to push the document into an enterprise-wide workflow process. Using BPEL, they can integrate with hundreds of ERP or CRM systems, and create complex process flows to integrate everything and everyone they need. Then they will finally "get" the value of Enterprise 2.0.

Or, it just remains a line-of-business app... it does one thing, and does it well... never to become part of a larger whole. That would be a shame, but at least the customer is happy!

Holy Crap: Oracle Just Bought BEA!

It's official... Oracle purchased BEA for $7.85 billion dollars... that's a 24% premium over BEA's stock price. Not bad... although they paid a higher premium to purchase Stellent ;-)

They made the same offer in October for a 25% premium... but in the past 3 months BEA's stock price rose a bit. So Oracle has to pay $19.375 per share instead of the previously offered $17.

People have been analyzing this for months... there's not much reason for Oracle to purchase BEA: there's limited synergy between their product lines. In fact a lot of them are in direct competition. However, BEA has a lock on middleware for the financial services industry. Its probably worth it for Oracle to take out their #1 competitor, and increase their customer base.

I doubt most of BEA's customer base would be willing to switch off the Weblogic application server in favor of OC4J... however I can see how Oracle Coherence would be a big seller. Not to mention Oblix identity management, and of course their database. Other than that, its probably on a case-by-case basis...

What's this mean for Content Management? Not much... other than the fact that Oracle now owns BEA's patents on JSR170 and JSR283 extensions. Yep, BEA wisely decided that those Content management "standards" were pretty sucky, and decided to make them work. They did the same for J2EE back in the day... but, as Pie Guy noted, a Java centric API standard for content management is doomed from the start. People want coherent services, not complex standards... so I doubt much will come of it.

(Hat tip Cordell)

UPDATE: Conflicting reports... some news outlets say $7.2 billion, others say $8.5 billion. I blame that wacky dollar fluctuation...

UPDATE 2: Just an observation... BEA is almost entirely middleware. Oracle's Middleware sales in 2007 were projected to be $1.5 billion. So, Oracle spent over five times their current middleware revenue to purchase their main middleware competitor. I'm very curious to see how this pans out...

Recent comments