Linux-UNIX: Install and configure the Oracle Connection Manager on the database server
This setup is recommended. Clients cannot connect directly to the database; all clients connect through OCM.
Procedure
- Configure the Oracle Connection Manager (OCM) environment.
  - Configure the listener for OCM for the TCPS and TCP protocols with the remote server hostname or IP address in the file cman.ora.
  - Configure the file cman.ora with the standard parameter list for OCM and enable_ip_forwarding=yes. The rule list should include a rule whose source is the Oracle Database hostname or IP and whose destination is the local host.
  - Configure sqlnet.ora in the OCM environment for SSL connections.

Example of cman.ora file:

```
cman=
  (configuration=
    (address=(protocol=tcps)(host=<DB_server_hostname/IP>)(port=1552))
    (address=(protocol=tcp)(host=<DB_server_hostname/IP>)(port=1551))
    (parameter_list=
      (aso_authentication_filter=off)
      (connection_statistics=yes)
      (log_level=off)
      (enable_ip_forwarding=yes)
      (max_connections=256)
      (idle_timeout=0)
      (inbound_connect_timeout=0)
      (session_timeout=0)
      (outbound_connect_timeout=0)
      (max_gateway_processes=16)
      (min_gateway_processes=2)
      (remote_admin=on)
      (trace_level=off)
      (trace_timestamp=off)
      (trace_filelen=1000)
      (trace_fileno=1)
      (max_cmctl_sessions=4)
      (event_group=init_and_term,memory_ops)
    )
    (rule_list=
      (rule=(src=<DB_server_hostname/IP>)(dst=127.0.0.1)(srv=cmon)(act=accept))
      (rule=(src=127.0.0.1)(dst=*)(srv=*)(act=reject))
      (rule=(src=<DB_server_hostname/IP>)(dst=*)(srv=*)(act=reject))
      (rule=(src=*)(dst=*)(srv=*)(act=accept))
    )
  )

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /home/cman/app/cman/product/18.0.0/client_1/network/admin/wallet)
    )
  )
```
- Configure the Oracle server.
  - Local listeners on the database server should listen only on TCP ports bound to the localhost address.
  - The remote listener should be defined in the tnsnames.ora file with the addresses configured in the file cman.ora.

Example of tnsnames.ora file:

```
LISTENER_CMAN =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = <DB_server_hostname/IP>)(PORT = 1551))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = <DB_server_hostname/IP>)(PORT = 1552))
    )
  )

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 127.0.0.1)(PORT = 1528))
    )
  )
```
In this case LISTENER_CMAN is the alias for your remote listener and LISTENER is the alias for your local listener.

- Configure the Oracle clients.
  - The connection string in the Oracle client environments should use the TCPS protocol with the port designated for that protocol in the OCM environment, the hostname or IP specified for the remote listener, and the associated SERVICE_NAME.

This configuration prevents local connections from going through CMAN, because local traffic should not be encrypted and the S-TAP must be able to capture the UID chain.
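As a check a practitioner can run against the two files above (an added example, not part of the original page and not Oracle or Guardium tooling): a small parser for the Oracle Net parenthesised syntax plus an audit that confirms IP forwarding is enabled, local clients are rejected by the rule list, the local listener is loopback-only TCP, and the remote listener offers TCPS. The sample file contents are constructed, trimmed copies of the examples above, keeping the page's `<DB_server_hostname/IP>` placeholder.

```python
import re
# Oracle Net tokens: parens, '=', and bare words such as 127.0.0.1, tcps,
# * or the placeholder <DB_server_hostname/IP> used on this page.
TOKEN = re.compile(r"\s*([()=]|[^\s()=]+)")

def parse(tokens, i=0):
    """Parse key=value pairs until ')' or end. A value is a scalar or a
    list of (key, value) pairs; repeated keys (address, rule) are kept."""
    pairs = []
    while i < len(tokens) and tokens[i] != ")":
        key, eq = tokens[i], tokens[i + 1]
        assert eq == "=", f"expected '=' after {key}, got {eq}"
        i += 2
        if tokens[i] != "(":                     # scalar value
            value, i = tokens[i], i + 1
        else:                                    # one or more (key=value) groups
            value = []
            while i < len(tokens) and tokens[i] == "(":
                inner, i = parse(tokens, i + 1)  # returns at the matching ')'
                value.extend(inner)
                i += 1                           # consume ')'
        pairs.append((key.lower(), value))
    return pairs, i

def load(text):
    return parse([m.group(1) for m in TOKEN.finditer(text)])[0]

def get(pairs, key):
    return [v for k, v in pairs if k == key.lower()]

def audit(cman_text, tns_text):
    """Flag the four properties the procedure above relies on; all should be True."""
    cfg = get(get(load(cman_text), "cman")[0], "configuration")[0]
    rules = get(get(cfg, "rule_list")[0], "rule")
    tns = load(tns_text)
    def addrs(alias):  # every ADDRESS entry under a tnsnames alias
        dl = get(get(tns, alias)[0], "description_list")[0]
        return [a for d in get(dl, "description") for a in get(d, "address")]
    local, remote = addrs("LISTENER"), addrs("LISTENER_CMAN")
    return {
        "ip_forwarding": get(get(cfg, "parameter_list")[0], "enable_ip_forwarding") == ["yes"],
        "local_clients_rejected": any(get(r, "src") == ["127.0.0.1"] and get(r, "act") == ["reject"] for r in rules),
        "local_listener_loopback_tcp": all(get(a, "host") == ["127.0.0.1"] and get(a, "protocol")[0].upper() == "TCP" for a in local),
        "remote_listener_has_tcps": any(get(a, "protocol")[0].upper() == "TCPS" for a in remote),
    }

# Constructed samples: trimmed copies of the cman.ora and tnsnames.ora shown above.
CMAN_ORA = "cman=(configuration=(address=(protocol=tcps)(host=<DB_server_hostname/IP>)(port=1552))(address=(protocol=tcp)(host=<DB_server_hostname/IP>)(port=1551))(parameter_list=(enable_ip_forwarding=yes)(max_connections=256))(rule_list=(rule=(src=<DB_server_hostname/IP>)(dst=127.0.0.1)(srv=cmon)(act=accept))(rule=(src=127.0.0.1)(dst=*)(srv=*)(act=reject))(rule=(src=*)(dst=*)(srv=*)(act=accept))))"
TNSNAMES_ORA = "LISTENER_CMAN=(DESCRIPTION_LIST=(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=<DB_server_hostname/IP>)(PORT=1551))(ADDRESS=(PROTOCOL=TCPS)(HOST=<DB_server_hostname/IP>)(PORT=1552))))\nLISTENER=(DESCRIPTION_LIST=(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=127.0.0.1)(PORT=1528))))"
```

Run `audit(open("cman.ora").read(), open("tnsnames.ora").read())` against the real files; any False entry points at the step of the procedure that was missed.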