Establishing secure connectivity between Oracle Ravello and Oracle Cloud Infrastructure Classic Database Cloud ORACLE WHITE PAPER | DECEMBER 2017

Table of Contents

Application Architecture Overview

Connecting Ravello to Oracle DBCS via Secured SQL*Net

    Changes Made to the VMs in Ravello

    Securing Listener Port Access on Oracle Database Cloud Service

    Verifying the Use of Native Encryption and Integrity

Connecting Ravello to Oracle DBCS via a VPN Tunnel

    Setting Up the Corente Gateway for Oracle Database Cloud

    Setting Up the Corente Services Gateway for the App on Ravello

Verifying the Siebel CRM Application Running on Ravello

Learn More


Oracle Ravello is an overlay cloud service that enables enterprises to run their VMware and KVM applications, with data-center-like (Layer 2) networking, ‘as-is’ on public clouds without making any modifications. With Ravello, enterprises don’t need to convert their VMs or change networking. This empowers businesses to rapidly develop and deploy existing data-center applications on the public cloud without the associated infrastructure and migration cost and overhead for a variety of use-cases such as PoC, dev, test, staging, UAT, production, training etc.

Application Architecture Overview

Enterprises looking to move their VMware based applications with large databases to the public cloud have multiple options. They can move the entire app with database onto Ravello or use a combination of Ravello (for web & app tier) in conjunction with Oracle PaaS (e.g. DBCS) on Oracle Cloud Infrastructure - Classic. When used in the latter mode, secure connectivity between the web/app tier on Ravello and the OCI-Classic Database Cloud Service instance is a key requirement. There are multiple methods to establish secured connections between an application on Ravello and a database on Oracle DBCS. Two of them are described in this whitepaper with Siebel CRM as an example.

Figure 1: Siebel CRM architecture distributed between Ravello and DBCS

The app and web tier of Siebel on Ravello consists of 6 VMs of 2 vCPUs and 4 GB of memory each – the Siebel App Server, the Siebel Gateway, the Siebel Web Server, the Siebel file system, the Siebel Tools, and the Siebel Web Client VM.


Figure 2: Siebel Deployment in Ravello

The Siebel Database is a single instance Oracle Database Cloud Service instance hosted on Oracle Cloud Infrastructure Classic with a configuration of 2 OCPUs and 15GB of memory.

Figure 3: Siebel Database instance in Oracle Database Cloud Service

Connecting Ravello to Oracle DBCS via Secured SQL*Net

To secure connections to Oracle Database Cloud Service databases, native Oracle Net encryption and integrity capabilities can be used. Encryption of network data provides data privacy so that unauthorized parties are not able to view data as it passes over the network. In addition, integrity algorithms protect against data modification and illegitimate replay. Oracle Database provides the Advanced Encryption Standard (AES), DES, 3DES, and RC4 symmetric cryptosystems for protecting the confidentiality of Oracle Net traffic. By default, database deployments on Database Cloud Service are configured to enable native Oracle Net encryption and integrity.

In the case of the above Siebel deployment, three VMs (the Siebel App Server, Siebel Gateway, and Siebel Tools) need a secured connection to the database deployment on Oracle Database Cloud Service.

Changes made to the VMs in Ravello

Port 1521 is used as a listener port for Oracle client connections to the database over Oracle's SQL*Net protocol. The tnsnames.ora file in the client VMs is used to define the connection to the Oracle Database and needs to be modified to point to the Oracle DBCS instance.

Follow these steps to check encryption configuration and set up secure connectivity between the app on Ravello and the Oracle DBCS instance.

1. Connect to the Siebel App Server VM via the console.

2. Change directories to the location of the Oracle Net configuration files tnsnames.ora and sqlnet.ora.

3. View the sqlnet.ora file and confirm that it does not contain the following parameter settings:

If the client VM has the above parameters set, the connection will fail with the following error:

ORA-12660: Encryption or crypto-checksumming parameters incompatible.

4. Update the tnsnames.ora with the host IP address, the port number, and the service name of the DBCS instance.


Figure 4: Relevant DBCS connection information

Figure 5: Example tnsnames.ora file

5. Perform steps 1 to 5 for all the VMs that connect to the Oracle Database Cloud instance. In this case, the Siebel App Server, Siebel Gateway and Siebel Tools.

Securing listener port access on Oracle Database Cloud Service

Follow the given steps to restrict access to the Oracle DBCS instance to only the app VMs on Ravello.

1. Set up elastic IPs for the Siebel App Server VM on Ravello by clicking on the NICs tab. Using an Elastic IP will allow the app server VM to retain the IP address across multiple restarts.


Figure 6: Selecting Elastic IPs for the Siebel App Server

2. Repeat Step 1 for the Siebel Gateway and Siebel Tools VMs.

3. In the DBCS Service console, select Access Rules.

Figure 7: Go to the Access Rules page

4. On the Access Rules page, select “Create Rule” and enter the appropriate information as described below.


Figure 8: Create Access Rule

a. Rule name: Give the access rule a descriptive name

b. Source: Select <custom> and add the Elastic IP addresses of the VMs that will communicate with the DB.

c. Destination and Port: Select DB and 1521.

d. Protocol: Select TCP.

e. Create the rule.

5. Access to port 1521 is now restricted to only the VMs running on Ravello.

Verifying the use of Native Encryption and Integrity

Connect to the Oracle Database Cloud instance from the Siebel App Server VM and verify the use of native Oracle Net encryption and integrity by examining the network service banner entries associated with each connection. This information is contained in the NETWORK_SERVICE_BANNER column of the V$SESSION_CONNECT_INFO view. The following example shows the SQL command used to display the network service banner entries associated with the current connection:

The following example output shows banner information for the available encryption service and the crypto-checksumming (integrity) service, including the algorithms in use:
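As an added example (not from the white paper), the following parses banner rows in the documented NETWORK_SERVICE_BANNER layout and decides whether a session is actually protected, rather than just connected. The rows are constructed samples, and the query string is the standard Oracle form, assumed to match what the paper's figure showed.

```python
"""Interpret V$SESSION_CONNECT_INFO banners for the current Oracle Net session.

Added example, not part of the Oracle white paper. Banner formats follow
Oracle Net's documented "<ALG> <Service> service adapter" layout; the sample
rows are constructed, not captured from a DBCS instance. Fetching rows is
left to the caller's database driver.
"""
import re

# Standard query for the current session's banners (assumed to match the paper's figure).
BANNER_SQL = (
    "SELECT network_service_banner FROM v$session_connect_info "
    "WHERE sid IN (SELECT DISTINCT sid FROM v$mystat)"
)

# Only the adapter rows name an algorithm; bare service rows and the protocol
# adapter row do not, so they are skipped.
ADAPTER_RE = re.compile(
    r"^(?P<alg>[A-Z0-9_]+) (?P<kind>Encryption|Crypto-checksumming) service adapter"
)

# Adapter names Oracle Net uses for the older ciphers and checksums the paper
# lists as available; a practitioner should flag these rather than accept them.
LEGACY_ALGS = {"DES", "DES40", "RC4_40", "RC4_56", "RC4_128", "RC4_256",
               "3DES112", "3DES168", "MD5", "SHA1"}


def parse_banners(rows):
    """Return {'encryption': alg or None, 'integrity': alg or None}."""
    found = {"encryption": None, "integrity": None}
    for row in rows:
        m = ADAPTER_RE.match(row.strip())
        if not m:
            continue
        key = "encryption" if m.group("kind") == "Encryption" else "integrity"
        found[key] = m.group("alg")
    return found


def assess_session(rows):
    """Classify a session as 'protected', 'protected-legacy' or 'unprotected'."""
    algs = parse_banners(rows)
    if algs["encryption"] is None or algs["integrity"] is None:
        return "unprotected"  # at least one service was negotiated off
    if algs["encryption"] in LEGACY_ALGS or algs["integrity"] in LEGACY_ALGS:
        return "protected-legacy"
    return "protected"


# Constructed sample rows: both services active, modern algorithms.
SAMPLE_SECURE = [
    "TCP/IP NT Protocol Adapter for Linux: Version 12.1.0.2.0 - Production",
    "Encryption service for Linux: Version 12.1.0.2.0 - Production",
    "AES256 Encryption service adapter for Linux: Version 12.1.0.2.0 - Production",
    "Crypto-checksumming service for Linux: Version 12.1.0.2.0 - Production",
    "SHA256 Crypto-checksumming service adapter for Linux: Version 12.1.0.2.0 - Production",
]

# Constructed sample rows: negotiation left both services off.
SAMPLE_PLAIN = [
    "TCP/IP NT Protocol Adapter for Linux: Version 12.1.0.2.0 - Production",
]

if __name__ == "__main__":
    print(parse_banners(SAMPLE_SECURE), assess_session(SAMPLE_SECURE))
    print(parse_banners(SAMPLE_PLAIN), assess_session(SAMPLE_PLAIN))
```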


Connecting Ravello to Oracle DBCS via a VPN tunnel

It is also possible to establish secure connections to the Oracle Database Cloud instance via a VPN

tunnel. A Corente VPN Gateway can be set up at each end to enable an IPSec tunnel. Setting up a

Corente Services Gateway in Ravello includes adding a Corente VPN Gateway VM and routing all

external traffic of the app and web tier through this VM.

Setting up the Corente Gateway for Oracle Database Cloud

In order to create a Corente Services Gateway (CSG) for the Cloud Database instance, make sure the Oracle Database instance is created on a predefined IP network, i.e. create an IP network first, then instantiate a Database instance on the same IP network.

Follow these steps to create a Corente Gateway in the Cloud.

1. Sign in to the Compute Classic console and click the Network tab.

2. In the left pane, under Shared Network, click IP Reservations and Create an IP reservation.

3. Click the VPN tab in the left pane and then click VPN Gateways.

4. Click Create VPN Gateway.

5. Select or enter the required information:

6. Name: Enter a name for the Corente Services Gateway instance.

7. IP Reservation: Select the IP reservation that was created in Step 2.

8. Image: Select the desired machine image for the instance.

9. Interface Type: Select Dual-homed to use this VPN gateway to connect to instances on an IP network. All instances that are on the same IP network as the Corente Services Gateway instance can be accessed using VPN.

10. IP Network: Select the IP network on which the Oracle Database instance is instantiated.

11. IP Network Address and Subnets: These fields are automatically filled when the IP network is selected. Do not modify or delete the automatically added data.


Figure 9: Creating a Corente Gateway in the Cloud

12. Add a route to connect the internal subnet of the Siebel app in Ravello to the Gateway created above.

1. Under IP networks, click on Routes.

2. Select or enter the required information:

3. Name: Enter a name for the route.

4. Administrative Distance: Enter 0, 1, or 2 to specify the administrative distance of the route. The administrative distance indicates the priority of a route. The highest priority is 0.

5. IP Address Prefix: Enter the IP address prefix, in CIDR format, of the destination network, the internal subnet of the app in Ravello, to which the route needs to be created.

6. Next Hop vNICset: Select the vNICset that was created along with the above Gateway.

7. Click Create.


Figure 10: Creating a route from the internal Ravello subnet to DBCS

Setting up the Corente Services Gateway for the app on Ravello

In order to create an IPSec tunnel between the app and web tier on Ravello and the Oracle Database Cloud instance, a Corente Services Gateway VM needs to be added to the Ravello environment and all external traffic needs to be routed through the Corente VM.

The following steps illustrate the preparation of the Ravello environment to set up a CSG.

1. Add an Oracle Public Cloud's Corente VPN Gateway VM from the Ravello library by dragging it on to the canvas.

Figure 11: Adding a Corente Services Gateway VM to the Ravello environment.


2. Open NIC properties of the CSG and configure the public (WAN) and private (LAN) NICs. Configure static IPs for both NICs. For WAN NIC in external access select “Elastic IP” option and assign an elastic IP from the list.

3. For the LAN NIC configure only “Static IP” and “Netmask”. There is no need to fill in the “Gateway” and “DNS” fields. Do not configure external access.

Figure 12: Public and Private network configurations of the CSG.

4. In the Services tab, make sure TCP port 551 is open.

Figure 13: Verifying that port 551 is open


Note: When setting up an IPSec tunnel with a third-party gateway, Corente uses IPSec UDP ports 500 and 4500. However, when setting up a VPN tunnel between Corente gateways on both sides, only TCP port 551 is required for the IPSec tunnel.

Next, all external traffic will be routed through the Corente VM.

5. In the NIC tab of the Siebel App Server VM, remove the Gateway and DNS address from the public NIC and in the private NIC, add the internal IP address of the Corente VM as the Gateway and DNS address.

Figure 14: Update the Gateway and DNS addresses of all VMs with external traffic

6. Log into the console of the VM and make updates similar to Step 5 in the interface configuration files for the private and public NICs. The ifcfg files are usually found under /etc/sysconfig/network-scripts/.

Figure 15: Update the if-cfg files through the console of the VM

7. Repeat Steps 5 and 6 for the Siebel Gateway and Siebel Tools VMs.


The next step is to configure the Corente Services Gateway on Ravello. To complete this, App Net Manager needs to be installed. It can be downloaded from http://www.oracle.com/technetwork/server-storage/corente/downloads/index.html.

8. Log into App Net Manager using the VPN OPC credentials for the Oracle Cloud account.

9. In the left pane, click on Locations and add a new location that here we named “VPN2DBCSOPC”. Configure general properties of this location.

Figure 16: Configure Location properties of the Corente Gateway on Ravello

10. Click on the Network tab and add a WAN and LAN interface to the new location. Configure it with the appropriate WAN and LAN interface settings of Corente VPN gateway in Ravello (see step 3):


Figure 17: Configure the WAN and LAN interface of the CSG on Ravello

11. After both LAN and WAN interfaces are added go to File and Save the configuration. Click on Start button to commit all changes.

12. Start Corente VPN gateway VM in Ravello. When the virtual machine starts up, you’ll see the following screen:

Figure 18: Startup Screen on Corente Services Gateway Console in Ravello

13. Select Download Config and press Enter. The network configuration screen is displayed.

14. Set the download site to www.corente.com and select Manual Network Configuration. Set up the network configuration of the WAN interface. Enter the IP address, Netmask, Gateway and DNS configured in Ravello on the WAN interface, just as we did in Step 10.


15. Click Next. In the next screen, enter the username and password to log into the App Net Manager and the name of the gateway (“VPN2DBCSOPC”) that you have created using App Net Manager in step 4.

Figure 19: Log in screen of the CSG on Ravello via console access

16. The location configuration file created in App Net Manager is downloaded onto the Corente Gateway in Ravello. After the download is complete, the on-premises gateway reboots. It is not possible to log into the CSG due to security reasons. A network administrator should use App Net Manager to start managing the Ravello CSG.

17. Establish an IPSec tunnel between Ravello and OCI Classic gateways. In App Net Manager, open Locations and double click on OPC Corente gateway (VPN2SiebRavello). Open Partners tab and add a new partner. Select Intranet in the Connection to Partner panel and select Ravello gateway in the drop-down menu. Click Add at the bottom of the Tubes pane at the bottom of the Add Partner screen. In both Local Side and Remote side of Tube pane select Default User Group. See the screenshot below:


Figure 20: Defining partners for the Corente Gateways

18. Repeat Step 17 for the Corente gateway in Ravello (VPN2DBCSOPC). In this case, select VPN2SiebRavello as the partner.

19. Click Save to commit all changes.

20. After a few minutes, when the connection has been established, the link between the Ravello and the OCI Classic Cloud gateways will turn green.

Figure 21: Confirmation of established VPN Tunnel on App Net Manager


21. If the link between the Ravello and OPC gateways is not green, check to see if the Corente VPN gateway is running on OCI Classic Cloud and in Ravello. Also check to see if TCP port 551 is open on both sides. In App Net Manager, go to Alarms and Events and check if there is an active alarm or error.

Verifying the Siebel CRM application running on Ravello

1. The Cloud Database instance can now be accessed from any VM on Ravello to confirm that the Siebel database and listener service are up and running.

Figure 22: Checking database and listener status

2. Check connectivity from the Siebel server using the srvrmgr utility.

Figure 23: Siebel server verification

3. Test connectivity to the Siebel Web Server from a browser. The IP address of the Web Server is located in the Summary tab of the VM. For this Siebel CRM deployment, the Call Center component is enabled, and connectivity to it is shown using the public IP assigned to the VM.


Figure 24: Public IP of Siebel WebServer

Figure 25: Application login

4. Siebel Tools can be verified by connecting to the Tools VM either through RDP or Console access.


Figure 26: Siebel Tools verification

5. Shutting down the Corente Services Gateway VM in Ravello causes errors while accessing the Siebel app, proving that the VPN setup is functioning as expected.

Figure 27: Test to prove functioning VPN Tunnel

Learn more

Learn more and sign up for a free trial at https://cloud.oracle.com/ravello

Figure 28: Sign up for a free trial.


Oracle Corporation, World Headquarters Worldwide Inquiries 500 Oracle Parkway Phone: +1.650.506.7000 Redwood Shores, CA 94065, USA Fax: +1.650.506.7200

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only, and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document, and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group. 1217 Establishing secure connectivity between Oracle Ravello and Oracle Cloud Infrastructure Classic Database Cloud December 2017
