Best Practices from Oracle Development's A‑Team

Analytics Reporting Analytics Reporting
Architecture
Cloud Native
Data Management
Networking
February 9, 2021

Deploying Connection Manager for Private Data Source Access

Dayne Carley

Validated July 26, 2021 with OAC 6.1

Introduction

Oracle Analytics instances may require a proxy to reach data sources for various reasons including security, routing and privacy. For use cases requiring sophisticated functionality, Oracle's Connection Manager provides database transparency, high-availability, protocol conversion and enhanced security, scalability and performance.

This post is a step-by-step guide for deploying Connection Manager on Linux with a simple starter configuration specifically for Oracle Analytics using Private Access Channel. It is part of the Oracle Analytics Private Access Channel Series. Refer here for a post for Oracle Analytics without Private Access Channel.

Refer to Understanding Oracle Connection Manager Architecture for details on the architecture shown below.

Primary Uses

The primary uses of Connection Manager for Oracle Analytics are private egress, transparency, and protocol conversion.

Private Egress provides access to private databases.

Private Access Channel is the preferred method for private egress. This post is for Private Access Channel cases with complex data sources requiring a proxy. Real Application Clusters and Autonomous Databases on dedicated infrastructure are two such cases.

Transparency hides the details of connecting to unsupported databases or those with complex connection criteria. It allows users to think that they are connecting to a single-instance Oracle database using just a host, port, and service name. Connection Manager stores the connection complexities for all users and applications. When it receives a request, it connects to the target database for session creation. The database receives the actual user, application and network address for its session details.

Protocol Conversion converts TCP traffic to TCPS used by Autonomous Databases. This feature along with transparency further simplifies the user experience by hiding the need for Secure Socket Layer wallets and associated networking parameters. Connection Manager stores complex TCPS wallet placement and handshake parameters for all users and applications. When it receives a request, it forwards it on to the SSL-protected database for session creation.

Additional Uses

Additional uses of Connection Manager are access control and anonymity.

Access Control provides solutions for database access when a database subnet allows ingress only from designated application subnets. A Connection Manager instance in such a subnet receives connection requests and connects to the databases on the application's behalf.

Anonymity builds on transparency by hiding the application from the database. The database only receives Connection Manager's proxy user and network address for its session details.

Validations

July 26, 2021 with OAC 6.1
May 25, 2021 with OAC 5.9
February 9, 2021 with OAC 5.9

Topics

Before You Begin

Deploying Required Components

Installing and Configuring Connection Manager

Validating Connection Manager

^℘ Before You Begin and Assumptions ^℘

Acronyms

OAC	Oracle Analytics Cloud
PE	Private Endpoint
CMAN	Connection Manager
DB	Database
DV	Data Visualization
OCI	Oracle Cloud Infrastructure
FQDN	Fully Qualified Domain Name
PAC	Private Access Channel
OSN	Oracle Services Network
RAC	Real Application Clusters
ADB	Autonomous Database
DNS	Domain Name System
VCN	Virtual Cloud Network

Privileges

A user account in an OCI tenancy for managing compute and networking components.
A user account in an OAC instance for creating data visualization connections.

Domain Name System

Domain Name System (DNS) provides a worldwide, distributed directory service for translating a fully qualified domain name (FQDN) to its associated numerical IP address.

The default DNS in OCI provides resolution for resource names within the same VCN. Refer here for a post describing various DNS scenarios and the components necessary to resolve resource names outside of your VCN.

The examples here have CMAN in the same VCN as OAC. Thus no DNS or Gateways are required.

Networking Gateways

A networking gateway is required to connect to a CMAN residing outside of OAC's VCN. Refer here for a post describing various gateway scenarios and the components necessary for network traffic between resources in different VCNs.

OAC

An existing OAC instance with PAC enabled with CMAN's domain defined as a data source.

Public OAC Initial State

The OAC cluster resides in the Oracle Services Network (OSN) with a public ingress endpoint and PAC private egress endpoints in its VCN.

Private OAC Initial State

The OAC has both a private ingress endpoint and PAC private egress endpoints in its VCN.

^℘ Deploying Required Components ^℘

Note: The appendix contains a complete list of the commands shown in this post.

The following components are required before installing and validating CMAN.

COMPONENT	USE	REFERENCE
SUBNET	Hosts the CMAN instance	Link
COMPUTE INSTANCE	Hosts the CMAN application	Link
ACCESS RULES	Facilitates network traffic between OAC and CMAN	Link
PORT RULES	Allows network traffic to the CMAN listening port	Link

The following tables show components both needed and previously deployed (greyed out).

Virtual Cloud Network

This post uses OAC's VCN named VCN1.

VCN	CIDR
VCN1	10.10.10.0/23

Subnet

Create or use an existing public subnet in the VCN chosen above. This post uses a subnet named APP-Subnet.

VCN	SUBNET	TYPE	CIDR
VCN1	VCN1-APP-SN	PUBLIC	10.10.10.64/27
VCN1	VCN1-OAC-SN	PRIVATE	10.10.10.0/27

CMAN Compute Instance

Create a small Linux instance to initially host CMAN in the APP-Subnet.

VCN	SUBNET	TYPE	FQDN
VCN1	VCN1-APP-SN	LINUX 7	yourinstance.vcn1appsn.vcn1vcn.oraclevcn.com

Prepare an SSH Alias for CMAN.

On your client prepare an SSH alias. If you do not have direct access to the CMAN's private IP address create another Linux instance with a public IP to act as a bastion.

cat <<EOF >>~/.ssh/config Host BASTION User opc IdentityFile /Users/dcarley/privateKey HostName 193.122.137.110 Host CMAN-HOST User opc IdentityFile /Users/dcarley/privateKey HostName 10.0.0.66 ProxyJump BASTION EOF tail CMAN-HOST .ssh/config

Access Control

Define egress and ingress rules for network traffic between OAC and CMAN.

SECURITY LIST	TYPE	CIDR	PROTOCOL	PORT	ATTACHED TO	NOTE
VCN1-APP-SL	INGRESS	10.0.0.0/27	TCP	1521	VCN1-APP-SN	Ingress to CMAN from the OAC SN
VCN1-APP-SL	EGRESS	130.35.2.125/32	TCP	443	VCN1-APP-SN	Egress to YUM Repository for CMAN install
VCN1-OAC-SL	EGRESS	10.0.0.64/27	TCP	1521	VCN1-OAC-SN	Egress to CMAN subnet

Public OAC Enabled State

Private OAC Enabled State

^℘ Installing and Configuring Connection Manager ^℘

Refer to sections two and three in this post to install and configure CMAN.

^℘Validating Connection Manager ^℘

Validating the introductory deployment of CMAN involves starting it and successfully connecting to it from OAC. Start CMAN using the Connection Manager Control Utility.

Connect to CMAN

ssh CMAN-HOST

Start CMAN

cmctl startup

You see something like:

Connect to OAC

https://< your-prefix >.analytics.ocp.oraclecloud.com/ui

Connect to CMAN from OAC

This section validates that CMAN is listening and that OAC can reach the listener. Saving the connection is not possible yet as we have not yet defined a database.

Click Create then Connection from the OAC home screen. Select Oracle Database as the Connection Type. Complete the dialog as shown in the example below.

Enter any Connection Name as this connection is not saved.
Accept Basic as the Connection Type.
Enter your CMAN FQDN as the Host.
Enter your CMAN Port e.g. 1521
Enter any Service Name
Enter any Username and Password

Click Save.

If OAC can reach the CMAN listener you see:

If OAC is unable to reach the CMAN listener you see:

Click Cancel to close the dialog.

^℘ Connection Flows ^℘

Public Connection Flow

PAC sends the connection request to CMAN. PAC's security rules allow the egress on port 1521 and CMAN's allow the ingress.

Private Connection Flow

PAC'S flow is the same for both public and private OAC.

^℘ Summary ^℘

This post provided a step-by-step guide for deploying Connection Manager on Linux with a simple starter configuration specifically for Oracle Analytics using Private Access Channel. You are now ready to create a connection to a private data source using Connection Manager.

For other posts relating to analytics and data integration visit http://www.ateam-oracle.com/dayne-carley

⁂ Appendix ⁂

Below are scrollable lists of commands used in this post. The client commands may be downloaded here or send them to your clipboard by clicking in the text area and then clicking the copy button.

#Run on Client #Prepare an SSH Alias cat <<EOF >>~/.ssh/config Host BASTION User opc IdentityFile < your privateKey > HostName < Bastion Public IP > Host CMAN-HOST User opc IdentityFile < your privateKey > HostName < CMAN Private Key > ProxyJump BASTION EOF tail CMAN-HOST .ssh/config #Connection Manager Download scp < Path to LINUX.X64_193000_client.zip > CMAN-HOST:/tmp #Connect to the CMAN host ssh CMAN-HOST

Below is a scrollable list of all commands run on the CMAN host. The commands may be downloaded here.

# Run on the CMAN-HOST #Open the CMAN Port sudo firewall-cmd --zone=public --permanent --add-port=1521/tcp sudo firewall-cmd --reload #Install an Oracle Installer Prerequisite Package sudo yum -y install oracle-database-preinstall-19c.x86_64 #Grant sudo Privilege to Oracle sudo echo -e "oracle ALL=(ALL) NOPASSWD: ALL" >/etc/sudoers.d/020_oracle #Change to the Oracle User sudo su - oracle #Unzip the CMAN Download unzip /tmp/LINUX.X64_193000_client.zip #Create a response file e.g. cman.rsp to be used with silent installation mode cat <<EOF >~/cman.rsp oracle.install.responseFileVersion=/oracle/install/rspfmt_clientinstall_response_schema_v19.0.0 UNIX_GROUP_NAME=oinstall INVENTORY_LOCATION=/home/oracle/oraInventory SELECTED_LANGUAGES=en ORACLE_HOME=/home/oracle/CMAN/product/cman1930 ORACLE_BASE=/home/oracle/CMAN oracle.install.client.installType=Custom oracle.install.client.customComponents="oracle.sqlplus:19.0.0.0.0","oracle.network.client:19.0.0.0.0",oracle.network.cman:19.0.0.0.0","oracle.network.listener:19.0.0.0.0" EOF cat ~/cman.rsp #Run the Installer client/runInstaller -silent -responseFile ~/cman.rsp ?| ORACLE_HOME_NAME=cman1930 #Post-Install Steps # Set the ORACLE_BASE, ORACLE_HOME, TNS_ADMIN?| and PATH Environment Variables echo export ORACLE_BASE=/home/oracle/CMAN >>~/.bash_profile echo export ORACLE_HOME=\$ORACLE_BASE/product/cman1930 >>~/.bash_profile echo export TNS_ADMIN=\$ORACLE_HOME/network/admin >>~/.bash_profile echo export PATH=\$ORACLE_HOME/bin:\$PATH >>~/.bash_profile cat ~/.bash_profile #Run the Root Scripts: . .bash_profile sudo $ORACLE_BASE/../oraInventory/orainstRoot.sh sudo $ORACLE_HOME/root.sh #Create a Starter Configuration File cat <<EOF >$TNS_ADMIN/cman.ora CMAN_$(hostname -A)= (CONFIGURATION= (ADDRESS=(PROTOCOL=TCP)(HOST=$(hostname))(port=1521)) (rule_list= (rule= (src=*)(dst=*)(srv=*)(act=accept)) ) ) EOF cat $TNS_ADMIN/cman.ora #Start CMAN cmctl startup

Be the first to comment

Comments ( 0 )

Recent Content

Oracle