Linux-UNIX: Install and configure the Oracle Connection Manager on the database server

This configuration is recommended. Clients cannot connect directly to the database; all clients connect through OCM.

Procedure

  1. Configure the Oracle Connection Manager (OCM) environment.
    • In the file cman.ora, configure the OCM listener addresses for the TCPS and TCP protocols with the remote server's hostname or IP address.
    • Configure the file cman.ora with the standard parameter list for OCM and enable_ip_forwarding=yes. The rule list should include a source set to the Oracle Database hostname or IP and a destination set to localhost.
    • Configure sqlnet.ora in the OCM environment for SSL connections.
    Example of cman.ora file:
    cman=
      (configuration=
        (address=(protocol=tcps)(host=<DB_server_hostname/IP>)(port=1552))
        (address=(protocol=tcp)(host=<DB_server_hostname/IP>)(port=1551))
        (parameter_list=
          (aso_authentication_filter=off)
          (connection_statistics=yes)
          (log_level=off)
          (enable_ip_forwarding=yes)
          (max_connections=256)
          (idle_timeout=0)
          (inbound_connect_timeout=0)
          (session_timeout=0)
          (outbound_connect_timeout=0)
          (max_gateway_processes=16)
          (min_gateway_processes=2)
          (remote_admin=on)
          (trace_level=off)
          (trace_timestamp=off)
          (trace_filelen=1000)
          (trace_fileno=1)
          (max_cmctl_sessions=4)
          (event_group=init_and_term,memory_ops)
        )
        (rule_list=
          (rule=(src=<DB_server_hostname/IP>)(dst=127.0.0.1)(srv=cmon)(act=accept))
          (rule=(src=127.0.0.1)(dst=*)(srv=*)(act=reject))
          (rule=(src=<DB_server_hostname/IP>)(dst=*)(srv=*)(act=reject))
          (rule=(src=*)(dst=*)(srv=*)(act=accept))
        )
      )

    WALLET_LOCATION =
      (SOURCE =
        (METHOD = FILE)
        (METHOD_DATA =
          (DIRECTORY = /home/cman/app/cman/product/18.0.0/client_1/network/admin/wallet)
        )
      )
  2. Configure the Oracle server.
    • The local listener for the database server should listen only on TCP ports bound to the localhost address.
    • The remote listener should be defined in the tnsnames.ora file with the addresses configured in the file cman.ora.
    Example of tnsnames.ora file:
    LISTENER_CMAN =
      (DESCRIPTION_LIST =
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCP)(HOST = <DB_server_hostname/IP>)(PORT = 1551))
          (ADDRESS = (PROTOCOL = TCPS)(HOST = <DB_server_hostname/IP>)(PORT = 1552))
        )
      )
    LISTENER =
      (DESCRIPTION_LIST =
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCP)(HOST = 127.0.0.1)(PORT = 1528))
        )
      )
    LISTENER_CMAN is an alias for your Remote Listener and LISTENER is an alias for your Local Listener in this case.
  3. Configure the Oracle clients.
    • The connection string in Oracle client environments should use the TCPS protocol, the port designated for that protocol in the OCM environment, the hostname or IP address specified for the remote listener, and the associated SERVICE_NAME.

    This configuration prevents local connections from going through CMAN, since local traffic should not be encrypted and the S-TAP must be able to capture the UID chain.
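The following check, added here and not part of the original procedure, parses a cman.ora written in Oracle Net's nested notation and verifies that the rule list enforces the intent above: sessions originating from 127.0.0.1 or from the database host's own address are rejected (so local traffic bypasses CMAN and stays visible to the S-TAP), remote clients are accepted, a TCPS address is configured, and enable_ip_forwarding is on. The sample cman.ora, the host db01.example.internal, the service name orcl and the remote client address 10.0.0.5 are constructed; first-match rule evaluation with reject when no rule matches is an assumption about CMAN's behaviour, not something this page states.

```python
import re
GROUP = re.compile(r'\s*\(\s*([A-Za-z_][\w.]*)\s*=\s*')   # opener of a "(key=" group
def parse_pairs(text, pos=0):
    """Parse consecutive (key=value) groups of Oracle Net's nested notation into
    ordered (key, value) pairs; a value is a str leaf or a nested pair list."""
    pairs = []
    while (m := GROUP.match(text, pos)):
        key, pos = m.group(1).lower(), m.end()
        if text.startswith('(', pos):                  # nested group
            value, pos = parse_pairs(text, pos)
        else:                                          # leaf value runs to ')'
            end = text.index(')', pos)
            value, pos = text[pos:end].strip(), end
        pos = text.index(')', pos) + 1                 # consume this group's ')'
        pairs.append((key, value))
    return pairs, pos
def vals(pairs, key):
    return [v for k, v in pairs if k == key]
def rule_action(rules, src, dst, srv):
    """First matching rule wins; no match is treated as reject (assumed semantics)."""
    for r in rules:
        if all(r[k] in ('*', v) for k, v in (('src', src), ('dst', dst), ('srv', srv))):
            return r['act'].lower()
    return 'reject'
def audit_cman(text, db_host, service='orcl'):
    """Compare a cman.ora against the intent of this procedure (see lead-in)."""
    cman = dict(parse_pairs('(%s)' % text)[0])['cman']   # cman.ora: one top-level entry
    conf = vals(cman, 'configuration')[0]
    addrs = [dict(a) for a in vals(conf, 'address')]
    params = dict(vals(conf, 'parameter_list')[0])
    rules = [dict(r) for r in vals(vals(conf, 'rule_list')[0], 'rule')]
    return {
        'tcps_listener': any(a['protocol'].lower() == 'tcps' for a in addrs),
        'ip_forwarding': params.get('enable_ip_forwarding', '').lower() == 'yes',
        # sessions originating on the DB host must be rejected so they bypass CMAN
        'loopback_rejected': rule_action(rules, '127.0.0.1', '127.0.0.1', service) == 'reject',
        'dbhost_rejected': rule_action(rules, db_host, '127.0.0.1', service) == 'reject',
        'remote_accepted': rule_action(rules, '10.0.0.5', '127.0.0.1', service) == 'accept',
    }
# Constructed sample using this page's rule list; db01.example.internal stands in for <DB_server_hostname/IP>.
SAMPLE_CMAN = """cman=
  (configuration=
    (address=(protocol=tcps)(host=db01.example.internal)(port=1552))
    (address=(protocol=tcp)(host=db01.example.internal)(port=1551))
    (parameter_list=(enable_ip_forwarding=yes)(remote_admin=on))
    (rule_list=
      (rule=(src=db01.example.internal)(dst=127.0.0.1)(srv=cmon)(act=accept))
      (rule=(src=127.0.0.1)(dst=*)(srv=*)(act=reject))
      (rule=(src=db01.example.internal)(dst=*)(srv=*)(act=reject))
      (rule=(src=*)(dst=*)(srv=*)(act=accept))))"""
```

Running audit_cman(SAMPLE_CMAN, 'db01.example.internal') returns every check as True; removing the src=127.0.0.1 reject rule flips loopback_rejected to False, which is the misconfiguration that would send local sessions through CMAN.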