Linux-UNIX: Install and configure the Oracle Connection Manager on a remote server

Traffic between the OCM and the actual database server is unencrypted. Where security requirements call for it, install and configure the Oracle Connection Manager (OCM) on a separate server placed between the public network and the trusted (private) network.

Procedure

  1. Configure the Oracle Connection Manager (OCM) environment:
    • Configure the OCM listener for the TCPS and TCP protocols with the remote server hostname or IP address in the file cman.ora.
    • Configure the file cman.ora with the standard OCM parameter list and set enable_ip_forwarding=yes. The rule list should include the remote server hostname or IP address as the source and the Oracle Database hostname or IP address as the destination.
    • In the file cman.ora, set the parameter REGISTRATION_INVITED_NODES to the database hostname(s) or IP address(es). This parameter also accepts a wildcard to cover a group of IP addresses.
    • Configure sqlnet.ora in the OCM environment for SSL connections.
    Example of cman.ora file:
    cman=
      (configuration=
        (address=(protocol=tcps)(host=<Remote_hostname/IP>)(port=1552))
        (address=(protocol=tcp)(host=<Remote_hostname/IP>)(port=1551))
        (parameter_list=
          (aso_authentication_filter=off)
          (connection_statistics=yes)
          (log_level=off)
          (enable_ip_forwarding=yes)
          (max_connections=256)
          (idle_timeout=0)
          (inbound_connect_timeout=0)
          (session_timeout=0)
          (outbound_connect_timeout=0)
          (max_gateway_processes=16)
          (min_gateway_processes=2)
          (remote_admin=on)
          (trace_level=off)
          (trace_timestamp=off)
          (trace_filelen=1000)
          (trace_fileno=1)
          (max_cmctl_sessions=4)
          (event_group=init_and_term,memory_ops)
          (REGISTRATION_INVITED_NODES=<DB_server_hostname/IP>)
        )
        (rule_list=
          (rule=(src=<Remote_hostname/IP>)(dst=*)(srv=cmon)(act=accept))
          (rule=(src=<DB_server_hostname/IP>)(dst=*)(srv=*)(act=reject))
          (rule=(src=*)(dst=*)(srv=*)(act=accept))
        )
      )
    WALLET_LOCATION =
      (SOURCE =
        (METHOD = FILE)
        (METHOD_DATA =
          (DIRECTORY = /home/cman/app/cman/product/18.0.0/client_1/network/admin/wallet)
        )
      )
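    The rule list in step 1 is applied per connection request, so the position of the reject rule relative to the catch-all accept rule matters. The following is an added example, not part of this procedure or of any Oracle tool: it parses a constructed cman.ora in the layout shown above (ocm-host, db-host and the ports are placeholders) and reports which action the rule list would take for a given request, under the first-match semantics that the code states as an assumption.

```python
import re

# Constructed sample in the cman.ora layout of the procedure above; hosts and ports are placeholders.
SAMPLE_CMAN_ORA = """
cman=
 (configuration=
  (address=(protocol=tcps)(host=ocm-host)(port=1552))
  (address=(protocol=tcp)(host=ocm-host)(port=1551))
  (parameter_list=(enable_ip_forwarding=yes)(REGISTRATION_INVITED_NODES=db-host))
  (rule_list=(rule=(src=ocm-host)(dst=*)(srv=cmon)(act=accept))
   (rule=(src=db-host)(dst=*)(srv=*)(act=reject))
   (rule=(src=*)(dst=*)(srv=*)(act=accept))))
"""
TOKEN = re.compile(r"\s*([()=]|[^\s()=]+)")

def parse(text):
    """Parse Oracle's nested (name=value) syntax into (name, value) pairs; repeated
    names such as address and rule keep file order, and names are lowercased."""
    toks = [m.group(1) for m in TOKEN.finditer(text)]
    pos = 0
    def value():
        nonlocal pos
        if toks[pos] != "(":                          # scalar value
            pos += 1
            return toks[pos - 1]
        items = []
        while pos < len(toks) and toks[pos] == "(":   # one or more (name=value) children
            name, pos = toks[pos + 1].lower(), pos + 3  # skip '(', the name and '='
            items.append((name, value()))
            assert toks[pos] == ")", f"unbalanced parentheses after {name}"
            pos += 1
        return items
    entries = []
    while pos < len(toks):                            # top-level NAME = value entries
        name, pos = toks[pos].lower(), pos + 2
        entries.append((name, value()))
    return entries

def get(items, name):
    """All child values called `name` (lowercase) in a parsed list."""
    return [v for k, v in items if k == name]

def decide(cman_text, src, dst, srv):
    """Outcome (accept/reject) of the rule_list for one connection request. Assumed
    semantics, to be checked against the Oracle Net Services Reference for your release:
    rules are tried in file order, first match wins, '*' matches anything, no match rejects."""
    conf = get(dict(parse(cman_text))["cman"], "configuration")[0]
    request = {"src": src.lower(), "dst": dst.lower(), "srv": srv.lower()}
    for rule in get(get(conf, "rule_list")[0], "rule"):
        if all(get(rule, k)[0].lower() in ("*", v) for k, v in request.items()):
            return get(rule, "act")[0].lower()
    return "reject"
```

Running decide against the sample shows the database server rejected only because its rule precedes the catch-all accept; with the order swapped the same request is accepted.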
  2. Configure the Oracle server.
    • Local listeners on the database server should listen only on TCP ports bound to DB_server_hostname/IP address.
    • The remote listener alias in the tnsnames.ora file should use the address parameters from the cman.ora file.
    Example of tnsnames.ora file:
    LISTENER_CMAN =
      (DESCRIPTION_LIST =
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCP)(HOST = <Remote_hostname/IP>)(PORT = 1551))
          (ADDRESS = (PROTOCOL = TCPS)(HOST = <Remote_hostname/IP>)(PORT = 1552))
        )
      )
    LISTENER =
      (DESCRIPTION_LIST =
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCP)(HOST = <DB_server_hostname/IP>)(PORT = 1528))
        )
      )

    In this example, LISTENER_CMAN is the alias for the remote listener and LISTENER is the alias for the local listener.

  3. Configure Oracle clients.
    • The connection string in Oracle client environments should use the TCPS protocol, the port designated for TCPS in the OCM environment, the hostname or IP address of the remote listener, and the associated SERVICE_NAME.

    Ports in the Inspection Engine for Oracle should match the values set for the local listener only.