Oracle Connection Manager (CMAN)
[Figure: connection path Client -> Firewall -> CMAN (configured in cman.ora: listen port and rule list) -> Oracle Listener]
[Figure: three-tier layout. Application Server (Layer 3) receives HTTP/HTTPS; a firewall separates it from the Connection Manager (Layer 2); a second firewall separates CMAN from the Database Server (Layer 1). Traffic between the tiers is TNS on port 1521.]
a. Initialization parameters: Remote Listener. The database registers its listener with CMAN, so that CMAN can route connections to it.
b. Listener and SQLNET settings
# Configure TNS firewall to loopback and local IP address only
TCP.VALIDNODE_CHECKING = YES
TCP.EXCLUDED_NODES = (*.*.*.*)
TCP.INVITED_NODES = (127.0.0.1, 172.20.5.31,172.20.5.51,……)
sqlnet.ora notes: add each permitted IP address to TCP.INVITED_NODES; the listener must be stopped and started before the change takes effect; external procedure (extproc) entries are configured in listener.ora.
c. Oracle Advanced Security (ASO)
ASO encrypts the network traffic. The sqlnet.ora on the client side (the application server) must be configured for encryption as well as the server side:
# Settings for when a client is connecting to this server.
# Incoming connections to database must be checksum'd and encrypted.
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
SQLNET.CRYPTO_CHECKSUM_SERVER = required
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.ENCRYPTION_SERVER = required

# Settings for when this client is connecting to a server.
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA1)
SQLNET.CRYPTO_CHECKSUM_CLIENT = required
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256)
SQLNET.ENCRYPTION_CLIENT = required

# Seed needs to be randomly generated consisting of between
# 10 and 70 characters. This seed should be different for each host.
SQLNET.CRYPTO_SEED = somerandomalphanumericstringofabout70characters
CMAN configuration (cman.ora)
CMAN is installed with the Oracle Client software. It listens on the configured IP address and port number and evaluates each incoming connection against the rule list:
N1=
  (configuration=
    (address=(protocol=tcp)(host=x.x.x.x)(port=1821))
    (parameter_list=
      (connection_statistics=yes)
      (log_directory=/u01/oracle/product/11.2.0/client_1/network/log)
      (log_level=off)
      (idle_timeout=0)
      (inbound_connect_timeout=0)
      (session_timeout=0)
      (outbound_connect_timeout=0)
      (max_gateway_processes=16)
      (min_gateway_processes=2)
      (remote_admin=on)
      (trace_directory=/u01/oracle/product/11.2.0/client_1/network/trace)
      (trace_level=off)
      (trace_timestamp=off)
      (trace_filelen=1000)
      (trace_fileno=1)
      (max_cmctl_sessions=4)
      (event_group=init_and_term,memory_ops)
    )
    (rule_list=
      # INBOUND RULES
      # = Application Server 1
      (rule=(src=x.x.x.x)(dst=172.18.1.67)(srv=*)(act=accept))
      # = DBA workstations
      (rule=(src=172.21.2.0/24)(dst=*)(srv=*)(act=accept))
      #
      # OUTBOUND RULES
      # = Remote DB Server
      (rule=(src=172.20.5.0/24)(dst=172.18.1.67)(srv=*)(act=accept))
      #
      # Local Connections
      (rule=(src=172.18.1.67)(dst=127.0.0.1)(srv=*)(act=accept))
      (rule=(src=172.18.1.67)(dst=127.0.0.1)(srv=cmon)(act=accept))
      #
      # All other source IPs
      (rule=(src=*)(dst=*)(srv=*)(act=drop))
    )
  )
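To verify that a rule_list such as the one above admits only the intended sources before it goes live, the following added Python evaluator (not part of the original slides or of Oracle's tooling) applies CMAN's first-match semantics to sample connections. It assumes IP-only src/dst patterns (exact address or CIDR), replaces the page's x.x.x.x application-server placeholder with the constructed address 192.0.2.10, and treats "no matching rule" as reject, which is the documented CMAN default.

```python
import ipaddress
import re

# Constructed copy of the page's rule_list; x.x.x.x replaced by 192.0.2.10 (RFC 5737 range).
CMAN_RULE_LIST = """
(rule_list=
  # = Application Server 1
  (rule=(src=192.0.2.10)(dst=172.18.1.67)(srv=*)(act=accept))
  # = DBA workstations
  (rule=(src=172.21.2.0/24)(dst=*)(srv=*)(act=accept))
  # = Remote DB Server
  (rule=(src=172.20.5.0/24)(dst=172.18.1.67)(srv=*)(act=accept))
  # Local Connections
  (rule=(src=172.18.1.67)(dst=127.0.0.1)(srv=*)(act=accept))
  (rule=(src=172.18.1.67)(dst=127.0.0.1)(srv=cmon)(act=accept))
  # All other source IPs
  (rule=(src=*)(dst=*)(srv=*)(act=drop))
)
"""

# Matches one (rule=(src=..)(dst=..)(srv=..)(act=..)) entry in the page's key order.
RULE_RE = re.compile(r"\(rule=\(src=([^)]+)\)\(dst=([^)]+)\)\(srv=([^)]+)\)\(act=([^)]+)\)\)")


def parse_rules(text):
    """Return the rules in file order as (src, dst, srv, act) tuples."""
    return [tuple(m.groups()) for m in RULE_RE.finditer(text)]


def _addr_matches(pattern, addr):
    # '*' matches any address; a/prefix is a CIDR block; otherwise an exact IP.
    if pattern == "*":
        return True
    ip = ipaddress.ip_address(addr)
    if "/" in pattern:
        return ip in ipaddress.ip_network(pattern, strict=False)
    return ip == ipaddress.ip_address(pattern)


def evaluate(rules, src, dst, srv):
    """First matching rule decides; assumption: CMAN rejects when no rule matches."""
    for r_src, r_dst, r_srv, act in rules:
        if _addr_matches(r_src, src) and _addr_matches(r_dst, dst) and r_srv in ("*", srv):
            return act
    return "reject"


def ends_with_catch_all_deny(rules):
    """True when the final rule is a wildcard deny, so nothing relies on the implicit default."""
    src, dst, srv, act = rules[-1]
    return (src, dst, srv) == ("*", "*", "*") and act in ("drop", "reject")


RULES = parse_rules(CMAN_RULE_LIST)
```

Note that the second "Local Connections" rule (srv=cmon) can never fire, because the srv=* rule immediately before it already accepts the same source and destination.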
Client & Application Server
Clients and the application server connect to the database through the Connection Manager rather than directly to the listener.
IPv6