⚡ Technical Architecture

How TuneVault sees your Oracle stack
without an agent on the DB server.

A security-first breakdown of the proxy model, the polling mechanism, and how 11 live status cards stay current in your browser — without WebSockets, without inbound ports, and without touching your Oracle binaries.

01 — Data Flow
End-to-end in one diagram.
Everything starts at the Oracle host. A Python proxy you control polls the OS and DB every 30 seconds, bundles the results into a small JSON payload, and pushes it outbound over HTTPS. TuneVault stores the latest payload and streams updates to your browser via SSE. No inbound ports. No Oracle listener exposure.
Customer network
Oracle DB / EBS host On-premises or cloud VM
OS + DB poll
 
Python proxy Runs as oracle user, polls every 30s
HTTPS outbound
TuneVault cloud
TuneVault API Node.js · stores latest payload
SSE stream
Your browser
Dashboard 11 live status cards repaint on each payload
30s Poll interval on customer host
~2 KB JSON payload per cycle (outbound)
~200ms Total CPU time per poll cycle on host
02 — What the Proxy Actually Does
Three probe types. One JSON bundle.
The proxy is a single Python script (~400 KB). It has no persistent state, no open sockets between polls, and no access to Oracle binaries. Every 30 seconds it runs three probe categories, bundles the results, and POSTs them to TuneVault over HTTPS with your connection's API key.
💻

OS-Level Probes

Process and port state at the OS level. No Oracle credentials required for these — runs as the oracle OS user.

  • ps -ef | grep NodeManager → WLS status + PID
  • netstat -tlnp → OPMN (7200), WLS Admin (7001), Forms, OACore port detection
  • ls -la $INST_TOP/logs/* → heartbeat mtime check
  • uptime → load average, uptime seconds
🗄

DB-Level Probes

SQL against EBS schema views. Read-only. SELECT_CATALOG_ROLE only. No DML, no DDL, no locks.

  • FND_CONCURRENT_QUEUES → CM running_processes vs max
  • FND_SVC_COMPONENTS → Workflow Mailer component_status
  • FND_CONCURRENT_PROCESSES → OPP active process count
  • V$SESSION → DB health signal + active sessions
🌐

Transport

All results from both probe categories are bundled into a single JSON payload and pushed outbound. One HTTPS POST per cycle. No persistent connection kept open.

  • POST https://tunevault.app/api/proxy/ingest
  • Auth: per-connection API key (header)
  • Direction: outbound only — proxy initiates
  • Firewall change: none required
03 — Why Polling, Not Push from Oracle
Oracle EBS doesn't have webhooks.
The most common question from evaluators: "Why doesn't Oracle push events to you directly?" Short answer: it can't. Here's the full answer.

No native webhook surface Why polling

Oracle EBS has no event stream for the 11 status surfaces we monitor — Concurrent Manager state, Workflow Mailer health, OPMN/WLS process counts, port liveness. These are operational metrics you can only observe by querying them. Polling is the only mechanism that works across every EBS version and configuration.

30s is the right tradeoff Interval

Fast enough to catch a CM stall or Mailer flameout within one alerting window. Light enough to be invisible to the database — every query uses SELECT_CATALOG_ROLE, no DML, no locks. At 30s cadence, TuneVault occupies <0.01% of typical EBS database I/O.

Predictable load Performance

~200ms total CPU time per poll cycle on the customer host. ~2 KB JSON outbound per cycle. The proxy has no memory growth, no open socket held between polls, and no background threads. It runs, pushes, and exits. Zero persistent footprint between cycles.

Auditable and replaceable Control

The proxy is a single Python script provided directly to you. You install it. You review it. You can kill it any time with no impact on your Oracle instance. It is not a daemon with persistent state — it's a cron job that runs a script.

04 — How the Dashboard Stays Live
SSE: one HTTP stream, no WebSocket overhead.
When you open the EBS Live Monitor tab, your browser opens a single long-lived HTTP connection to the TuneVault API. Every time a new proxy payload arrives, the API pushes it down that connection. The 11 status cards repaint in place. No polling from the browser. No WebSocket handshake. Works through corporate proxies.
SSE stream — GET /api/live-status/:connectionId/stream
1

Proxy POSTs payload to TuneVault API (every 30s)

The Python proxy on your Oracle host POSTs a JSON bundle: OS process state, port map, DB metrics. API stores latest payload per connection_id. Validates API key, logs receipt timestamp.

2

Browser subscribes via Server-Sent Events

When you open the Live Monitor panel, your browser GETs a streaming endpoint. TuneVault keeps this connection open with a Content-Type: text/event-stream response. Standard HTTP — works through corporate proxies and load balancers, unlike WebSockets.

3

API fans out on each new payload

When a new proxy payload lands, the API emits an event: update down every open SSE connection subscribed to that connection_id. Multiple browser tabs get the update simultaneously.

4

11 status cards repaint in the browser

The dashboard parses the incoming JSON and updates each of the 11 status cards: Concurrent Manager (running / max), Workflow Mailer state, WLS AdminServer, OACore ports, Forms ports, OPMN, OPP, Apache/OHS, DB health signal, uptime, and last-seen timestamp. No full page reload required.

05 — Security
The question every infosec reviewer asks next.
Every enterprise evaluation includes: "What access does this have? What can it do? What if it gets compromised?" These are the right questions. Here are the exact answers.
🔒

Read-only Oracle role

SELECT_CATALOG_ROLE only. No DDL (CREATE/ALTER/DROP). No DML (INSERT/UPDATE/DELETE). No data is exfiltrated — only aggregated metrics and counts. Full grant list at tunevault.app/trust.

💬

No agent on Oracle binaries

The proxy is a standalone Python script that runs as the Oracle OS user. It does not modify, patch, inject into, or hook Oracle executables. It has no persistent daemon, no shared memory interface, and no kernel module.

🔐

AES-256-GCM credentials at rest

Oracle credentials stored in TuneVault's database are encrypted with AES-256-GCM before write. The proxy API key is also encrypted at rest. Keys are never logged or transmitted in plaintext.

Outbound HTTPS only

The proxy initiates all connections. TuneVault never connects inbound to your network. No firewall rules to open. No inbound ports required on the Oracle host. The proxy's only outbound destination is tunevault.app over port 443.

📄

Proxy source is auditable

The Python proxy script is provided directly to you at installation. Your security team can review it line by line before it runs. No compiled binary, no obfuscation. What you see is what runs.

Kill switch is just kill

Stopping the proxy is pkill -f oracle-proxy.py or removing the cron entry. The Oracle instance is unaffected. TuneVault's dashboard shows "proxy offline" within one polling interval.

See the Live Monitor in action.

See an anonymized report from a representative Oracle EBS deployment. No sign-up required. Full setup guide walks through proxy installation in under 5 minutes.

View Sample Report → Full Setup Guide →