
Best Practices from Oracle Development's A‑Team

Deploying Connection Manager as a Proxy for Fusion Applications Warehouse and Oracle Analytics

Validated February 2, 2021 with FAW 5.8 and OAC 5.9

Introduction

Fusion Applications Warehouse and native Oracle Analytics instances may require a proxy to reach data sources for various reasons including security, routing and privacy. For use cases requiring sophisticated functionality, Oracle's Connection Manager provides database transparency, high-availability, protocol conversion and enhanced security, scalability and performance.

This post is a step-by-step guide for deploying Connection Manager on Linux with a simple starter configuration, specifically for Oracle Analytics instances unable to use Private Access Channel. It is part of the Oracle Analytics Private Endpoint Series. Refer here for a post for Oracle Analytics using Private Access Channel.

Refer to Understanding Oracle Connection Manager Architecture for details on the architecture shown below.


Primary Uses

The primary uses of Connection Manager for Oracle Analytics are private egress, transparency, and protocol conversion.

Private Egress provides access to private databases.

Private Access Channel is the preferred method for private egress. This post is for Analytics instances unable to use it.

Transparency hides the details of connecting to unsupported databases or those with complex connection criteria. It allows users to think that they are connecting to a single-instance Oracle database using just a host, port, and service name. Connection Manager stores the connection complexities for all users and applications. When it receives a request, it connects to the target database for session creation. The database receives the actual user, application and network address for its session details.

Protocol Conversion converts TCP traffic to the TCPS used by Autonomous Databases (ADB). This feature, along with transparency, further simplifies the user experience by hiding the need for Secure Sockets Layer wallets and the associated networking parameters. Connection Manager stores the complex TCPS wallet placement and handshake parameters for all users and applications. When it receives a request, it forwards it to the SSL-protected database for session creation.

Additional Uses

Additional uses of Connection Manager are access control and anonymity.

Access Control provides solutions for database access when a database subnet allows ingress only from designated application subnets. A Connection Manager instance in such a subnet receives connection requests and connects to the databases on the application's behalf.

Anonymity builds on transparency by hiding the application from the database. The database only receives Connection Manager's proxy user and network address for its session details.

Validations

February 2, 2021 with FAW 5.8 and OAC 5.9

Topics

Before You Begin

Deploying Required Components

Installing Connection Manager

Configuring Connection Manager

Validating Connection Manager

Before You Begin and Assumptions

Acronyms

FAW  - Fusion Applications Warehouse
OAC  - Oracle Analytics Cloud
PE   - Private Endpoint
CMAN - Connection Manager
DB   - Database
DV   - Data Visualization
OCI  - Oracle Cloud Infrastructure
FQDN - Fully Qualified Domain Name
PAC  - Private Access Channel
OSN  - Oracle Services Network

Naming Convention

In this post FAW refers to both FAW and Native OAC using a public endpoint without PAC. OAC-PE refers to OAC using a private endpoint without PAC.

Privileges

A user account in an OCI tenancy for managing compute and networking components.
A user account in an OAC instance for creating data visualization connections.

OAC

An existing FAW or OAC-PE instance

FAW Initial State

FAW resides in the Oracle Services Network (OSN) with a public endpoint and a NAT Gateway.

OAC-PE Initial State

OAC-PE has a private endpoint in a Virtual Cloud Network (VCN) with its cluster residing in OSN with a NAT Gateway.


Deploying Required Components

The following components must exist before installing and validating CMAN.

COMPONENT          USE
VCN                Hosts the CMAN subnet
INTERNET GATEWAY   Routes network traffic from CMAN to FAW and OAC-PE
SUBNET             Hosts the CMAN instance
COMPUTE INSTANCE   Hosts the CMAN application
ROUTE RULES        Facilitates network traffic between OAC and CMAN
ACCESS RULES       Facilitates network traffic between OAC and CMAN
PORT RULES         Allows network traffic to the CMAN listening port

Virtual Cloud Network

For OAC-PE, use its VCN; otherwise create a VCN or choose an existing one. This post uses a VCN named VCN1 in its examples.

VCN    CIDR
VCN1   10.10.10.0/23

Subnet

Create or use an existing public subnet in the VCN chosen above. This post uses a subnet named APP-Subnet in its examples.

VCN    SUBNET        TYPE     CIDR
VCN1   VCN1-APP-SN   PUBLIC   10.10.10.64/27

CMAN Compute Instance

Create a small Linux instance to initially host CMAN in the APP-Subnet.

VCN    SUBNET        TYPE      PUBLIC IP
VCN1   VCN1-APP-SN   LINUX 7   129.146.243.111

Prepare an SSH Alias for CMAN

On your client, prepare an SSH alias. Windows users may either install SSH or use PuTTY.

Internet Gateway

Create or use an existing Internet Gateway in the CMAN VCN for return traffic from CMAN to OAC.

VCN    NAME
VCN1   VCN1-IG

Route Rules

Create or use an existing route table for these rules.

ROUTE TABLE   VCN    DESTINATION CIDR     TARGET             ATTACHED TO   NOTE
VCN1-APP-RT   VCN1   147.154.104.165/32   Internet Gateway   VCN1-APP-SN   Response to OAC-OSN
VCN1-APP-RT   VCN1   130.35.2.125/32      Internet Gateway   VCN1-APP-SN   Yum Repository

Access Control

Define egress and ingress rules for network traffic between OAC and CMAN.

SECURITY LIST   TYPE      CIDR                 PROTOCOL   PORT   ATTACHED TO   NOTE
VCN1-APP-SL     INGRESS   147.154.104.165/32   TCP        1521   VCN1-APP-SN   Ingress to CMAN from the OAC OSN NAT gateway
VCN1-APP-SL     EGRESS    130.35.2.125/32      TCP        443    VCN1-APP-SN   Egress to YUM Repository
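The route rules and security list above are the least-privilege part of this deployment: CMAN accepts port 1521 only from the OAC NAT gateway address and can reach out only to the yum repository. The script below is an added example, not part of the original post, that renders those two tables as OCI CLI JSON and shows the update commands. The OCIDs are placeholders (not from the post); the CIDRs and ports are the post's own. The `oci network` flag names are as I know them from the CLI, so confirm them with `oci network security-list update --help` before applying.

```shell
#!/bin/sh
# Added example: build the route table and security list rules from the post's
# tables as OCI CLI JSON files, then apply them. OCIDs below are placeholders.

OAC_NAT_CIDR="147.154.104.165/32"   # OAC / OSN NAT gateway (from the post)
YUM_CIDR="130.35.2.125/32"          # yum repository (from the post)
CMAN_PORT=1521
IGW_OCID="${IGW_OCID:-ocid1.internetgateway.oc1..PLACEHOLDER}"   # assumption
RT_OCID="${RT_OCID:-ocid1.routetable.oc1..PLACEHOLDER}"          # assumption
SL_OCID="${SL_OCID:-ocid1.securitylist.oc1..PLACEHOLDER}"        # assumption

# VCN1-APP-RT: both destinations are /32 hosts routed via the internet gateway.
route_rules_json() {
  cat <<EOF
[
  {"destination": "$OAC_NAT_CIDR", "destinationType": "CIDR_BLOCK",
   "networkEntityId": "$IGW_OCID", "description": "Response to OAC-OSN"},
  {"destination": "$YUM_CIDR", "destinationType": "CIDR_BLOCK",
   "networkEntityId": "$IGW_OCID", "description": "Yum Repository"}
]
EOF
}

# VCN1-APP-SL ingress: TCP 1521 from the OAC NAT gateway only (protocol 6 = TCP).
ingress_rules_json() {
  cat <<EOF
[
  {"source": "$OAC_NAT_CIDR", "sourceType": "CIDR_BLOCK", "protocol": "6",
   "isStateless": false,
   "tcpOptions": {"destinationPortRange": {"min": $CMAN_PORT, "max": $CMAN_PORT}},
   "description": "Ingress to CMAN from the OAC OSN NAT gateway"}
]
EOF
}

# VCN1-APP-SL egress: TCP 443 to the yum repository only.
egress_rules_json() {
  cat <<EOF
[
  {"destination": "$YUM_CIDR", "destinationType": "CIDR_BLOCK", "protocol": "6",
   "isStateless": false,
   "tcpOptions": {"destinationPortRange": {"min": 443, "max": 443}},
   "description": "Egress to YUM Repository"}
]
EOF
}

# Write the three files into $1. Returns non-zero if any rule is open to the
# world, so a typo such as 0.0.0.0/0 is caught before anything is applied.
write_rule_files() {
  dir=$1
  route_rules_json   > "$dir/route-rules.json"
  ingress_rules_json > "$dir/ingress-rules.json"
  egress_rules_json  > "$dir/egress-rules.json"
  ! grep -q '0\.0\.0\.0/0' "$dir"/*.json
}

# Apply the files with the OCI CLI (--force skips the confirmation prompt).
apply_rules() {
  dir=$1
  oci network route-table update --rt-id "$RT_OCID" \
      --route-rules "file://$dir/route-rules.json" --force
  oci network security-list update --security-list-id "$SL_OCID" \
      --ingress-security-rules "file://$dir/ingress-rules.json" \
      --egress-security-rules "file://$dir/egress-rules.json" --force
}

# Usage: . ./cman-rules.sh; d=$(mktemp -d); write_rule_files "$d" && apply_rules "$d"
```

Because `update` replaces the whole rule list, generating all rules from one file keeps the security list from accumulating forgotten entries over time; review the JSON in the directory before calling `apply_rules`.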

FAW Enabled State


OAC-PE Enabled State


Installing Connection Manager

The commands used below may be browsed and copied in the appendix.

Connection Manager Download

Download the appropriate CMAN software from here, e.g. LINUX.X64_193000_client.zip. Copy the file to the compute instance if necessary.

Connect to the CMAN host

Prepare the CMAN host

Open the CMAN Port

Install an Oracle Installer Prerequisite Package

Note: This package also creates an oracle user.

Grant sudo Privilege to Oracle

Change to the Oracle User

Unzip the CMAN Download

Install CMAN

Create a response file, e.g. cman.rsp, to be used with silent installation mode.

Run the Installer

Post-Install Steps

Set the ORACLE_BASE, ORACLE_HOME, TNS_ADMIN and PATH Environment Variables

Run the Root Scripts
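The post's own command listing for the steps above lives in the appendix; the script below is an added example, not the post's code, that carries the same sequence as shell functions. Everything under /u01, the preinstall package name (oracle-database-preinstall-19c, the Oracle Linux 7 package that creates the oracle user), firewalld as the host firewall, and the response-file keys are my assumptions, not values from the post; compare the keys with the response/client_install.rsp template in the unzipped download before running the installer. The sudo grant is deliberately narrower than "all commands": oracle may run only the two root scripts the installer produces.

```shell
#!/bin/sh
# Added example: CMAN host preparation and silent install, one function per
# step of the post. Paths, package name and response-file keys are assumptions.

CMAN_ZIP="${CMAN_ZIP:-$HOME/LINUX.X64_193000_client.zip}"   # file name from the post
CMAN_PORT=1521
ORACLE_BASE=/u01/app/oracle                        # assumption
ORACLE_HOME=$ORACLE_BASE/product/19.3.0/client_1   # assumption
INVENTORY=/u01/app/oraInventory                    # assumption
STAGE=/u01/stage                                   # assumption

# "Open the CMAN Port", "Install an Oracle Installer Prerequisite Package" and
# "Grant sudo Privilege to Oracle": run as the sudo-capable login user.
prepare_host() {
  sudo firewall-cmd --permanent --add-port="$CMAN_PORT/tcp"
  sudo firewall-cmd --reload
  sudo yum -y install oracle-database-preinstall-19c   # also creates the oracle user
  # least privilege: oracle may only run the two root scripts the installer needs
  echo "oracle ALL=(root) NOPASSWD: $INVENTORY/orainstRoot.sh, $ORACLE_HOME/root.sh" \
    | sudo tee /etc/sudoers.d/oracle >/dev/null
  sudo chmod 440 /etc/sudoers.d/oracle
  sudo mkdir -p "$STAGE" "$ORACLE_BASE" "$INVENTORY"
  sudo chown -R oracle:oinstall /u01
}

# "Create a response file e.g. cman.rsp": a Custom client install that selects
# only the Connection Manager component. Writes to $1; returns non-zero if the
# two lines the installer depends on are missing.
write_response_file() {
  out=$1
  cat > "$out" <<EOF
oracle.install.responseFileVersion=/oracle/install/rspfmt_clientinstall_response_schema_v19.0.0
UNIX_GROUP_NAME=oinstall
INVENTORY_LOCATION=$INVENTORY
ORACLE_HOME=$ORACLE_HOME
ORACLE_BASE=$ORACLE_BASE
oracle.install.client.installType=Custom
oracle.install.client.customComponents=oracle.network.cman:19.0.0.0.0
EOF
  grep -q '^oracle.install.client.installType=Custom$' "$out" &&
  grep -q 'oracle.network.cman' "$out"
}

# "Unzip the CMAN Download", "Install CMAN", "Run the Installer": run as oracle.
install_cman() {
  unzip -q -o "$CMAN_ZIP" -d "$STAGE"
  write_response_file "$STAGE/cman.rsp" || return 1
  "$STAGE/client/runInstaller" -silent -responseFile "$STAGE/cman.rsp"
}

# "Set the ORACLE_BASE, ORACLE_HOME, TNS_ADMIN and PATH Environment Variables":
# prints the four export lines for the oracle user's profile.
oracle_env_lines() {
  printf 'export ORACLE_BASE=%s\n' "$ORACLE_BASE"
  printf 'export ORACLE_HOME=%s\n' "$ORACLE_HOME"
  printf 'export TNS_ADMIN=%s/network/admin\n' "$ORACLE_HOME"
  printf 'export PATH=%s/bin:$PATH\n' "$ORACLE_HOME"
}

# "Run the Root Scripts": the only two commands the sudoers entry permits.
run_root_scripts() {
  sudo "$INVENTORY/orainstRoot.sh"
  sudo "$ORACLE_HOME/root.sh"
}

# Usage: source this file, then run prepare_host as the login user,
# install_cman and run_root_scripts as oracle, and append the output of
# oracle_env_lines to ~oracle/.bash_profile.
```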


Configuring Connection Manager

This section configures a starter CMAN instance. Refer here for complete documentation.

Create a Starter Configuration File

The CMAN configuration file, cman.ora, uses the format of an Oracle Database Listener configuration file, listener.ora, with additional options. Each CMAN instance defined in the file includes the following components:

Instance Name
Listening Endpoint
Access Rule List
Parameter List

The minimum required components are an instance, a listening endpoint and an access rule. The parameter list is omitted here because the defaults are sufficient to start with. The access rule is set to allow all traffic; modify it if necessary after a successful installation.
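The starter cman.ora described above, as an added example that is not the post's own file, written by a shell function so that the open "accept everything" rule the post starts with and a tightened variant can be produced from the same template. The tightened variant accepts only the OAC NAT gateway address that the security list already trusts and closes the list with an explicit reject. The instance name CMAN1, the TNS_ADMIN path and the `cmctl` start and status commands (used again in the Validating section below) are my assumptions and usage, not values from the post; the rule syntax is that of the RULE_LIST section of cman.ora.

```shell
#!/bin/sh
# Added example: generate cman.ora with the access rule either open (the post's
# starting point) or limited to the OAC NAT gateway, then start and inspect
# the instance with cmctl. Instance name and TNS_ADMIN path are assumptions.

CMAN_NAME="${CMAN_NAME:-CMAN1}"
CMAN_PORT="${CMAN_PORT:-1521}"
CMAN_HOST="${CMAN_HOST:-$(hostname)}"     # listener binds to this host's address
OAC_NAT_IP="147.154.104.165"              # OAC / OSN NAT gateway, from the post
TNS_ADMIN="${TNS_ADMIN:-/u01/app/oracle/product/19.3.0/client_1/network/admin}"

# Print a cman.ora on stdout.
#   $1 = open      accept any source (what the post starts with)
#   $1 = oac-only  accept only the OAC NAT gateway, reject everything else
cman_ora() {
  case $1 in
    open)     src='*' ;;
    oac-only) src=$OAC_NAT_IP ;;
    *) echo "usage: cman_ora open|oac-only" >&2; return 2 ;;
  esac
  cat <<EOF
$CMAN_NAME =
  (CONFIGURATION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = $CMAN_HOST)(PORT = $CMAN_PORT))
    (RULE_LIST =
      (RULE = (SRC = $src)(DST = *)(SRV = *)(ACT = accept))
EOF
  # Rules are matched in order; with a narrowed source, an explicit final
  # reject records in the file that everything else is dropped at CMAN.
  if [ "$1" = oac-only ]; then
    echo '      (RULE = (SRC = *)(DST = *)(SRV = *)(ACT = reject))'
  fi
  cat <<EOF
    )
  )
EOF
}

# Write the chosen variant into TNS_ADMIN (run as the oracle user).
write_cman_ora() {
  mkdir -p "$TNS_ADMIN" && cman_ora "$1" > "$TNS_ADMIN/cman.ora"
}

# Start the instance and show what it is listening for. cmctl reads
# cman.ora from TNS_ADMIN; -c names the instance defined in the file.
cman_start() {
  cmctl startup -c "$CMAN_NAME"
  cmctl show status -c "$CMAN_NAME"
  cmctl show services -c "$CMAN_NAME"
}

# Usage: . ./cman-config.sh; write_cman_ora open && cman_start
# Once OAC reaches the listener, switch to: write_cman_ora oac-only
```

The `DST = *` and `SRV = *` wildcards stay open in both variants because no target database has been defined yet; once one is, the same rule template is the place to name it.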


Validating Connection Manager

Validating the introductory deployment of CMAN involves starting it and successfully connecting to it from OAC. Start CMAN using the Connection Manager Control Utility (cmctl).

Start CMAN

You see:

Connect to OAC

Connect to CMAN from OAC

This section validates that CMAN is listening and that OAC can reach the listener. Saving the connection is not possible yet, as we have not yet defined a database.

Click Create then Connection from the OAC home screen. Select Oracle Database as the Connection Type. Complete the dialog as shown in the example below.

Enter any Connection Name, as this connection is not savable.
Accept Basic as the Connection Type.
Enter your CMAN Public IP Address as the Host.
Enter your CMAN Port, e.g. 1521.
Enter any Service Name.
Enter any Username and Password.

Click Save.

If OAC can reach the CMAN listener you see:

If OAC is unable to reach the CMAN listener you see:

Click Cancel to close the dialog.

Connection Flows

FAW Connection Flow

FAW sends the connection request through its NAT Gateway to CMAN. CMAN's security list allows the traffic on port 1521.
CMAN's route rule routes the response to FAW's NAT Gateway through CMAN's internet gateway on port 1521.

OAC-PE Connection Flow

OAC-PE's cluster in the OSN sends the connection request through the OSN NAT Gateway to CMAN. CMAN's security list allows the traffic on port 1521.
CMAN's route rule routes the response to the OAC-PE cluster's NAT Gateway through CMAN's internet gateway on port 1521.

Note: The OAC-PE without PAC is for ingress only, so it plays no part in this traffic flow. The private endpoint is just that: a private address on which OAC can be reached. The real OAC in the OSN provides public egress for the private endpoint instance.

Summary

This post provided a step-by-step guide for deploying Oracle Connection Manager on Linux with a simple starter configuration. You are now ready to create a connection to a private data source using Connection Manager.

For other posts relating to analytics and data integration visit http://www.ateam-oracle.com/dayne-carley

Appendix

Below are scrollable lists of the commands used in this post, including all commands run on the CMAN host. Send them to your clipboard by clicking in the text area and then clicking the copy button.
