OCM is the highest level of Java Certification offered by Oracle. It's aimed at professionals responsible for modeling and architecting Java EE applications with several nonfunctional requirements (NFR), such as security, scalability, maintainability, reliability and availability. For this certification, Oracle expects that Java architects have solid knowledge of the Java EE stack and choose the most suitable technologies when addressing real life problems.

What is OCMEA?

For those who are not familiar with OCMEA, it is composed of three parts, the first of which is an exam with 60 multiple-choice questions that must be finished in  150 minutes or less. In this part, you can expect to see a broad spectrum of questions ranging from best enterprise system decision choices (NFR, risk evaluation and mitigation, communication protocols, etc) to common Java EE architecture choices (Java EE stack, OO best practices and patterns, integration and messaging, deployments, tiers and layers, security, etc).

 The second part is a take-home assignment to be completed within 6 months. Oracle randomly assigns to you one of the many likely real-case scenarios containing the business requirements and the specifications required for the candidate to model and architect an entire solution for the given application. In this part, you have to deliver several UM- compliant diagrams and HTML documents all packaged together in a compressed jar file. Oracle expects at least the following kinds of diagrams: Class diagram, Component diagram, Deployment diagram, and Interaction diagram (Sequence or Collaboration diagram).

 The third and final part of the certification is an essay in which you must answer 8 open-ended questions about your delivered assignment. During this phase, you defend your architecture and the decisions made for the most diversified NFR aspects, such as how you have handled security in your application or how your application can handle scalability.

If it sounds like a lot, that's because it is. Let's break it down step by step. In this post, we'll discuss the first part of the certification in-depth and leave the remaining parts for another post. Ready? Let's get going. 


 In terms of common architecture, you need to understand how an application is organized by layer and tiers. The former represents component relationships within services, whereas the latter represents processing chains across different components. In other words, layers can be thought of as an architecture pattern in which components lean on services at a lower layer. In regular enterprise java architectures, you'll likely see applications being layered in these parts:  the application layer (user and business functionalities), the component API layer (interfaces to the application infrastructure component APIs, such as Servlets), the middleware layer (containers or products for the operation and development of the application, such as application servers), the enterprise services layer (virtualization, Operating Systems and DBMS programs) and physical layer (computers, storages, etc).


 Similarly, tiers are the physical or logical components in the hierarchy of service. In terms of the exam perspective, a multi-tier application should have the following tiers:  Client tier (browser, mobile phone, etc), web or presentation tier (services which manage the user session and route the requests to services, i.e. servlets, front-end controllers), business tier (services which handle the business logic), integration tier (services which integrates with other external services) and resource tier (services which access database, filesystem, active directory users, etc).

 You can expect to see many questions in the exam comparing the advantages and disadvantages of 2-tier against N-tier systems regarding security, availability, maintainability, scalability, etc. As a simple example, a 2-tier system can be easier to secure because it usually has just a single point of access, but at the same time, a single point of entry can decrease the system's availability.

 Moreover, you need to understand in a broader sense what the key NFRs are about. Namely, performance, scalability, reliability, availability, extensibility, maintainability, manageability and security. You'll also need to know how to address each case. For instance, to handle availability, your solution should have mechanisms to mitigate system downtime and long response time. You can absolutely achieve that by clustering the components, but you need to evaluate different scenarios.  You need to determine if an active replication, where all redundant components receive the same requests and process them, is a better fit than a passive replication, where only the primary component processes the request but, if a failure occurs, a redundant component takes place as processor.

 Further, you need to understand the benefits and drawbacks of different kind of clustering: two-node cluster (symmetric and asymmetric), ring cluster, star cluster, N-to-N cluster, etc; and how to load balance clusters in order to guarantee not only high-availability but also fault tolerance and failover.

 Screen Shot 2017-06-13 at 8.32.26 PM.png


The exam will also test your knowledges on web tier technologies. There will be questions on what the MVC pattern is, how it works, and what its benefits are, to major Java EE web tech stack such as Web Containers, Servlets, filters, listeners, JSP, JSTL, EL and JSF. You don't need to know how to implement those technologies in-depth, but you do need to understand the overall point of each technology, its purpose, trade-offs and life-cycle (in the cases of Servlets and JSF). As this is a Java EE6 certification, there will be times when you will be asked for the best technology choice for a rich web application and, when that time comes, don't hesitate to choose JSF over other choices, even if you are a big fan of HTML5 + JQuery.

Oracle expects you to make that kind of choice, so wait for part II to make your own preferred choices part of your architecture, and be ready to support them in part III. In addition, you need to understand the common approaches to store states on the client side of a web based application, such as URL Rewriting or Cookies, and on the server side also, as HTTP Session or HTTP Request. For example, given a scenario where two applications must talk to each other over a WAP protocol, the best fit for that is URL Rewriting, as this protocol doesn't support cookies. The drawback of this approach is that URL Rewriting exposes user's id in the URL and it can easily be intercepted by intruders. Finally, you need to identify the most suitable scenarios to use some emerging web approaches such as server push communication (Java WebSocket) or asynchronous requests (promises, callback methods, etc).

 From the business tier perspective, be prepared to choose EJBs as the best choice for your service components. Again, this is a Java EE6 certification and Oracle will expect you to support its major technologies. Just as with web technologies, you will not be required to know how to implement EJBs in-depth, but you should know the usage of stateless and stateful EJBs, their life-cycles, and in terms of scalability, which is preferable. Also, it's important to understand why MDB is the best fit for asynchronous process and what the best practices are for it. Expect to point out the advantages of using EJBs, such as scalability (EJBs can be clustered), fine-grained transaction and security (declarative or programmatic), highly reusable, etc. There will also be questions about new kinds of EJB, such as Timer Service and Singletons. Finally, you'll need to know how to both expose and consume web-services using the Java EE technologies.

 One important aspect of the certification is system integration. You can expected to see several questions which describe different scenarios and ask you to choose the right integration technology to address it. For instance, given a scenario where you need to integrate a java application with a non-java legacy system with no internet access, which technology should be chosen? To answer that question, you will need to understand and evaluate integration concepts as CORBA, IIOP, RMI, JCA, JDBC, etc. You will also need to comprehend when to use web-services, the main differences between SOAP and Restful, and the usage of JMS. Questions regarding how JCA manages transaction, how to integrate (a)synchronously java to java, java to non-java,  and java to EIS (Enterprise Information Service) are all likely to appear on the exam.


 Another key aspect covered by the exam refers to security constraints. In a real world scenario, security threats can truly jeopardize a company's resources, causing severe damages to its infrastructure. To survive that, an architect must identify, minimize, anticipate and eliminate these threats, avoiding unauthorized use of protected services and assets. You need to distinguish the main possible attacks and to diagnose strategies for mitigating these threats. Here is a non-exhaustive list of some threats that you may want to know:

  •  Main-in-the-Middle: when intruders intercept the messages. Encrypting all network traffic solves this issue.
  • Password cracking: usually when brute force is used to sign in. Requiring complex passwords and setting up maximum login tries can solve this one.
  • Session hijacking: when hackers identify a client session and begin to interact with the server pretending to be the user client. Not exposing any sensitive data in the request parameter, such as session id or URL Rewriting, can solve this threat.
  • SQL injection: when malicious sql statements are injected into an entry field for execution, exploiting a security vulnerability in an application's software. Using prepared statements and escaping characters that have a special meaning in SQL are some techniques to mitigate this threat. 

Additionally, you need to understand how Java Web Start secures an application. Restrictions such as no access to the local disk, network connections can only map to the same domain, and no access to native libraries are inherent to this technology. Similar restricted constraints are applied to unsigned Java Applet programs, whereas when launched via JNLP, applets can have more relaxed restrictions, including the possibility to access printing functions or the shared system-wide clipboard. Furthermore, you need to grasp many security fundamentals such as the differences between declarative and programmatic security, authentication and authorization, or data integrity and confidentiality, or symmetric and asymmetric encryption. Finally, you will need to know the most important practices for security enforcement, including how to use digital signatures and certificates, how to set up firewalls and DMZ, tunneling, etc.

Design Patterns

 Last but not  least, OCMEA uses some questions to ask about design patterns. You can expect to see different scenarios with recurring problems that you need to apply known design patterns in order to address these issues. To properly do that, you need to know the GoF design patterns,  their motivations and benefits. Without a doubt, the best source of knowledge regarding these patters is Design Patterns: Elements of Reusable Object-Oriented Software by Erich Gamma, Richard Helm, Ralph Johnson and John Vlissides. In addition,  there is another gamma of other patterns that you will need to know for integration, web and business tier security, etc. For these patterns, I'd recommend the books Real World Java EE Patterns: Rethinking Best Practices by Adam Bien, and Patterns of Enterprise Application Architecture by Martin Fowler.

You can bet on using these patterns heavily during parts II and III of the certification, which we'll discuss in the next post. See you there! 


Vinicius Kairala

Vinicius has spent the last 16 years working in technology companies with a focus on enterprise applications. He is a senior consultant at Avenue Code and he is currently very interested in Complex Event Processing (CEP) on high available and scalable systems.

Simple JAX-RS Application with CDI using Java EE