photnman

Internet can't access the Oracle server set up in the intranet with firewall (summarized from IT_PUB)

Posted 2004/10/17 21:03:00, 1517 views

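I used a router to set up a LAN and installed Oracle on it. This Oracle database can be accessed only by PCs on the internal network; PCs on the external network cannot access it. Error message: TNS connection timed out.
However, listener.log indicates that the connection between the external network and the database has been established.
Problem:
When the PC hosting the Oracle database is exposed on the Internet, every PC on the Internet can access Oracle once configured.
But when the PC hosting the Oracle database is on the intranet, and the intranet router opens only one port, 1521, for Oracle, PCs on the external network cannot connect to the Oracle database.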

****************************************************************************
RE1:
The problem now is that when you connect to Oracle from the external network, the port is blocked by the firewall.
****************************************************************************
RE2:
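I have a question:
A client needs to access a database server that is not on the same network segment, and there is a firewall in between. Rules were added on the firewall so that only the ports for the required services are opened. Port 1521 was opened, but the database connection failed. If the firewall has no rules and everything is open, the database connection succeeds. In other words, some port that has not been opened is probably the cause. Besides 1521, does a database connection need any other ports to be opened?

reply: Port 1521 is only for connecting to the listener.
The listener needs to start a system process to communicate with the user process,
so when the user actually accesses the database, the port in use is not 1521.
So opening only 1521 is probably not realistic.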
****************************************************************************
RE3:
1, open all ports to the client's IP address;

2, use Connection Manager;

from Asktom.com
3, If you are on Oracle 8, you can use a WINSOCK V2 API feature called Shared Sockets. This allows a socket to be shared (or passed) between multiple processes. To use this functionality in a single Oracle Home environment, set USE_SHARED_SOCKET = TRUE in the HKEY_LOCAL_MACHINE/SOFTWARE/ORACLE section of the registry. If you are using Multiple Oracle Homes, change to the desired Oracle 8 Home and view the oracle.key file in ORACLE_HOME/BIN to find which registry key to add USE_SHARED_SOCKET to.
****************************************************************************
R4:
Solution:
This is a database configuration issue. Set the database to shared server mode and turn on multiplexing, and that is all.
****************************************************************************
R5:
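The basic principle is:
A------>firewall--->B------->C

A is outside the firewall. On the firewall you open port 1610, and Connection Manager runs on B.
A contacts B through port 1610, and listener port redirection takes place between B and C. The listener and the database are on C.
CMAN.ora is on B.
The CMAN service is in fact a listener, listening on port 1610. In tnsnames.ora on A, define that you connect to B and C.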
****************************************************************************

Attachment:
Configuring Oracle Connection Manager
This chapter describes how to configure Oracle Connection Manager features.

This chapter contains these topics:

Oracle Connection Manager Configuration Overview
Configuring Oracle Connection Manager
Enabling Oracle Connection Manager Features


--------------------------------------------------------------------------------
Note:
Oracle Connection Manager is available for installation with Oracle9i Enterprise Edition.

--------------------------------------------------------------------------------
 

See Also:
Chapter 1, "Networking Challenges in the Internet Age" for an introductory level overview of Oracle Connection Manager concepts
Chapter 4, "Architecture of Oracle Net Services" for an architectural overview of Oracle Connection Manager
 

Oracle Connection Manager Configuration Overview
Oracle Connection Manager is a proxy server, an intermediate server that forwards connection requests to the database server or to other proxy servers. It has three primary functions:

Session multiplexing
Access control
Protocol conversion
Session multiplexing--You can quickly configure Oracle Connection Manager to funnel multiple client sessions through a network connection to a shared server destination.

Access control--You can use rule-based configuration to filter out certain client requests and accept others.

Protocol conversion--Oracle Connection Manager accepts connection requests in any protocol that Oracle supports.

Configuring Oracle Connection Manager
Configuring Oracle Connection Manager is a three-part process:

Configure the cman.ora file on the Oracle Connection Manager computer. This file specifies listening endpoints for the server, the route path for Oracle Connection Manager, access control rules, and Oracle Connection Manager performance parameters.
Configure clients with the protocol addresses of Oracle Connection Manager and the listener.
(Optional) Configure the database server for session multiplexing.
This section contains these topics:

Configuring the Oracle Connection Manager Computer
Configuring Clients for Oracle Connection Manager
Configuring the Oracle Database Server for Oracle Connection Manager
Configuring the Oracle Connection Manager Computer

--------------------------------------------------------------------------------
Note:
Oracle Net Manager does not support configuration of the cman.ora file, so changes must be made manually.

--------------------------------------------------------------------------------
 

To configure the Oracle Connection Manager computer, you can define four types of parameters in the cman.ora file:

Listening endpoint list for the CMGW gateway process
Listening endpoint list for the CMADMIN administrative process
Access control rule list
Parameter list
The cman.ora file is located in the $ORACLE_HOME/network/admin directory on UNIX and in the ORACLE_HOME\network\admin directory on Windows NT. Figure 13-1 shows an example cman.ora file.

Figure 13-1 Example cman.ora File
CMAN=
 (ADDRESS=(PROTOCOL=tcp)(HOST=proxysvr)(PORT=1630))
 (ADDRESS=(PROTOCOL=tcps)(HOST=144.25.22.217)(PORT=2484))
CMAN_ADMIN=
 (ADDRESS=(PROTOCOL=tcp)(HOST=proxysvr)(PORT=1830))
CMAN_RULES=
 (RULE_LIST=
  (RULE=(SRC=206.62.226.32/27)(DST=sales-server)(SRV=*)(ACT=accept)))
CMAN_PROFILE=
 (PARAMETER_LIST=
  (LOG_LEVEL=2)
  (TRACING=on))


Listening Endpoint Lists (CMAN and CMAN_ADMIN)
The listening endpoint list specifies protocol addresses for the gateway and administrative processes. The gateway process, CMGW, uses the CMAN parameter and the administrative process, CMADMIN, uses the CMAN_ADMIN parameter.

Both processes can be configured with multiple protocol addresses. In Figure 13-1, the CMGW process has two protocol addresses. The first address shown is the default listening protocol address of TCP/IP, port 1630:

(ADDRESS=(PROTOCOL=tcp)(HOST=proxysvr)(PORT=1630))


The second is the protocol address of Oracle Connection Manager if TCP/IP with Secure Sockets Layer (SSL) is used:

(ADDRESS=(PROTOCOL=tcps)(HOST=144.25.22.217)(PORT=2484))

Access Control Rule List (CMAN_RULES)
The access control rule list specifies which connections are accepted, rejected, or dropped.

(RULE=(SRC=206.62.226.32/27)(DST=sales-server)(SRV=*)(ACT=accept))


In the previous example, src=206.62.226.32/27 designates the IP address of the client, or source. DST=sales-server designates the destination host name. The abbreviation ACT stands for "action"--that is, accept, reject, or drop.


--------------------------------------------------------------------------------
Note:
Enter at least one rule; otherwise the default option "reject" is overridden and all connections are accepted.

--------------------------------------------------------------------------------
 

Parameter List (CMAN_PROFILE)
The parameter list sets attributes for an Oracle Connection Manager.

See Also:
Oracle9i Net Services Reference Guide for a complete list of parameters and their default and allowed values
 

Configuring Clients for Oracle Connection Manager
To route clients to the database server through Oracle Connection Manager, configure either the tnsnames.ora file or the directory server with a connect descriptor that specifies protocol addresses of Oracle Connection Manager and the listener. Take note of the following:

If using Oracle Names servers, Oracle Connection Manager automatically registers the protocol address for Oracle Connection Manager with the Oracle Names server. In order for Oracle Names servers to send requests to Oracle Connection Manager, USE_CMAN=true must be set in the sqlnet.ora file on computers where each Oracle Names server resides. To set this parameter, follow the procedure in "Routing Connection Requests".
If using a tnsnames.ora file or a directory, the protocol addresses and the SOURCE_ROUTE parameter must be set. To configure the local or directory naming methods for Oracle Connection Manager, perform these tasks:

"Task 1: Configure an Oracle Connection Manager Protocol Address"

"Task 2: Configure a Listener Protocol Address"

Task 1: Configure an Oracle Connection Manager Protocol Address
To configure a protocol address for Oracle Connection Manager:

Start Oracle Net Manager.

See Also:
"Starting Oracle Net Manager"
 

In the navigator pane, expand Directory or Local > Service Naming.
Click plus (+) from the toolbar, or choose Edit > Create.

The Welcome page of the Net Service Name Wizard appears.

Enter any name in the Net Service Name field.
Click Next.

The Protocol page appears.

Select the protocol on which Oracle Connection Manager is configured to listen. By default this protocol is TCP/IP.
Click Next.

The Protocol Settings page appears.

Enter the appropriate parameter information for the selected protocol in the fields provided. If you are using TCP/IP, the default port to use is 1630.

See Also:
Oracle9i Net Services Reference Guide for protocol parameter settings
 

Click Next.

The Service page appears.

Select a release, and then enter the name of destination database service.

If the destination service is an Oracle9i or Oracle8i database, select Oracle8i or later, and enter a service name in the Service Name field. If the destination service is an Oracle release 8.0 database, select Oracle8 or Previous, and enter an Oracle System Identifier (SID) for an instance in the Database SID field.

See Also:
"About Connect Descriptors" for further information about setting the service name string
 

Click Next.


--------------------------------------------------------------------------------
Note:
Do not click Test, because a connection cannot be tested at this point.

--------------------------------------------------------------------------------
 

Click Finish to save your configuration and dismiss Net Service Name Wizard.

The new net service name and the Oracle Connection Manager protocol address are added to the Service Naming folder.

Task 2: Configure a Listener Protocol Address
After the Oracle Connection Manager protocol address is specified, create an address for the listener, so that the Oracle Connection Manager can connect to the server.

To configure the protocol address for the listener:

In the Oracle Net Manager, select the net service name that you created in "Task 1: Configure an Oracle Connection Manager Protocol Address".

Notice that the Oracle Connection Manager protocol address is displayed in the Address 1 tab:

 

In the Address Configuration box, click plus (+).

A new Address tab displays.

Select a protocol configured for the listener, and then enter the appropriate parameter information for that protocol. If you are using TCP/IP, the default port number to use is 1521:



See Also:
Oracle9i Net Services Reference Guide for further information about protocol addresses and parameters
 

In the Address Configuration box, click Advanced.

The Address List Options dialog box appears:

 

Select Use each address in order until destination reached, and then click OK.

This option sets SOURCE_ROUTE=on. It tells the client to connect to the first protocol address, the Oracle Connection Manager, and from the first protocol address to the second protocol address, the listener.

Choose File > Save Network Configuration.


--------------------------------------------------------------------------------
Note:
If you specify the addresses of two or more Oracle Connection Managers in the connect descriptor, you can manually include parameters for load balancing and connect-time failover. See the Oracle9i Net Services Reference Guide for examples of how to configure multiple listeners for load balancing and failover.

--------------------------------------------------------------------------------
 

Figure 13-2 shows a comparison of a typical tnsnames.ora file and a tnsnames.ora file with an entry to use Oracle Connection Manager. Oracle Connection Manager entries are shown in boldface text.

Figure 13-2 tnsnames.ora File with and without Oracle Connection Manager
sales=
   (DESCRIPTION=
      (ADDRESS=
         (PROTOCOL=tcp)
         (HOST=sales-server)
         (PORT=1521))
      (CONNECT_DATA=
             (SERVICE_NAME=sales.us.acme.com)))


 sales=
   (DESCRIPTION=
      (SOURCE_ROUTE=yes)
      (ADDRESS=
         (PROTOCOL=tcp)
         (HOST=cman-server)
         (PORT=1630))
      (ADDRESS=
         (PROTOCOL=tcp)
         (HOST=sales-server)
         (PORT=1521))
      (CONNECT_DATA=
         (SERVICE_NAME=sales.us.acme.com)))

 
tnsnames.ora File Element Description
SOURCE_ROUTE=yes

 This entry creates a source route of protocol addresses through an Oracle Connection Manager to the destination database.
 
(ADDRESS=
   (PROTOCOL=tcp)
   (HOST=cman-server)
   (PORT=1630))
(ADDRESS=
   (PROTOCOL=tcp)
   (HOST=sales-server)
   (PORT=1521))

 The first protocol address enables the client to connect to Oracle Connection Manager. From here, the Oracle Connection Manager connects to the database service through a second protocol address.
 

Figure 13-3 depicts a client using TCP/IP to connect to Oracle Connection Manager, and Oracle Connection Manager using TCP/IP with SSL to connect to a database server.

Figure 13-3 tnsnames.ora File Configured for Protocol Conversion Support
sales=
   (DESCRIPTION=
      (SOURCE_ROUTE=yes)
      (ADDRESS=
            (PROTOCOL=tcp)
            (HOST=cman-server)
            (PORT=1521))
      (ADDRESS=
            (PROTOCOL=tcps)
            (HOST=sales-server)
            (PORT=1521))
      (CONNECT_DATA=
            (SERVICE_NAME=sales.com)))

Configuring the Oracle Database Server for Oracle Connection Manager
Configuring the database server involves optionally configuring the server for session multiplexing.

To enable Connection Manager to take advantage of session multiplexing, set the DISPATCHERS parameter in the initialization parameter file with the attributes PROTOCOL and MULTIPLEX.

DISPATCHERS="(PROTOCOL=tcp)(MULTIPLEX=on)"

See Also:
"Enabling Session Multiplexing" for configuration details.
Chapter 14, "Configuring Shared Server" for more information about configuring shared server.
 

Enabling Oracle Connection Manager Features
This section contains these topics:

Enabling Session Multiplexing
Enabling Access Control
Enabling Protocol Conversion Support
The first feature is enabled using the DISPATCHERS parameter in the initialization parameter file, the second and third using the RULE_LIST and CMAN parameters in the cman.ora file.

Enabling Session Multiplexing
Once the attributes PROTOCOL and MULTIPLEX have been added to the parameter DISPATCHERS in the initialization parameter file, enabling session multiplexing is simply a matter of ensuring that MULTIPLEX is set to on or to an equivalent value.

See Also:
"Enabling Session Multiplexing"
 

You can set different levels of multiplexing, as Table 13-1 shows.

Table 13-1  Session Multiplexing Parameters
Attribute: Description

PROTOCOL (PRO or PROT): The network protocol for which the dispatcher generates a listening endpoint.

MULTIPLEX (MUL or MULT): Used to enable session multiplexing.
   If 1, on, yes, true, or both is specified, then multiplexing is enabled for both incoming and outgoing network sessions.
   If in is specified, then multiplexing is enabled for incoming network sessions from the client.
   If out is specified, then multiplexing is enabled for outgoing network sessions.
   If 0, no, off, or false is specified, then multiplexing is disabled for both incoming and outgoing network sessions.
 


--------------------------------------------------------------------------------
Note:
You can configure the DISPATCHERS parameter using the Database Configuration Assistant.

--------------------------------------------------------------------------------
 

Enabling Access Control
Oracle Connection Manager includes a feature that enables you to control client access to designated database servers in a TCP/IP environment. By specifying certain filtering rules, you can allow or restrict specific clients access to a database server.

To configure access control:

Manually create a cman.ora file, if one does not already exist.
Add the parameter CMAN_RULES with the following subparameters:
     (CMAN_RULES=
       (RULE_LIST=
        (RULE=(SRC=source_host)
              (DST=destination_host)
              (SRV=service)
              (ACT=accept | reject | drop))))


Add the following parameters for each rule described in Table 13-2 as needed.
Table 13-2  Per-Rule Parameters
Parameter: Description

SRC: Specify the source host name or IP address of the client.

DST: Specify the destination host name or IP address of the database server.

SRV: Specify the service name of the Oracle9i or Oracle8i database (obtained from the SERVICE_NAME parameter in the initialization parameter file) or SID value of the pre-release 8.1 database (obtained from the ORACLE_SID environment variable or registry value).

ACT: Specify to accept, reject, or drop incoming requests based on the preceding three parameters.
 

See Also:
Oracle9i Net Services Reference Guide for default values and allowed values of Oracle Connection Manager parameters
 

You can define multiple rules in the RULE_LIST. The action (ACT) in the first matched RULE is applied to the connection request. If no rules are defined, all connections are accepted.

In the following example, client computer client1-pc is denied access to the service sales.us.acme.com, but client 144.25.23.45 is granted access to the service db1.

(RULE_LIST=
  (RULE=(SRC=client1-pc)(DST=sales-server)(SRV=sales.us.acme.com)(ACT=reject))
  (RULE=(SRC=144.25.23.45)(DST=144.25.187.200)(SRV=db1)(ACT=accept)))
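
The first-match evaluation described above can be checked offline before a rule list is deployed. The following Python code is an added example, not part of the Oracle documentation or the original post: it parses a RULE_LIST, refuses text with unbalanced parentheses, and returns the action for a given connection. The function names and the handling of `*` and CIDR sources are assumptions of this illustration, not Oracle Connection Manager's own matching logic.

```python
import ipaddress
import re

# RULE_LIST copied from the access-control example on this page.
PAGE_RULES = """
(RULE_LIST=
  (RULE=(SRC=client1-pc)(DST=sales-server)(SRV=sales.us.acme.com)(ACT=reject))
  (RULE=(SRC=144.25.23.45)(DST=144.25.187.200)(SRV=db1)(ACT=accept)))
"""

def parse(text):
    """Parse one '(KEY=...)' group into (KEY, value); value is a str or a list of child groups."""
    tokens = [t.strip() for t in re.findall(r"[()]|[^()]+", text) if t.strip()]
    pos = 0

    def group():
        nonlocal pos
        if pos >= len(tokens) or tokens[pos] != "(":
            raise ValueError("expected '('")
        pos += 1
        if pos >= len(tokens) or tokens[pos] in ("(", ")"):
            raise ValueError("expected KEY= after '('")
        key, _, val = tokens[pos].partition("=")
        pos += 1
        kids = []
        while pos < len(tokens) and tokens[pos] == "(":
            kids.append(group())
        if pos >= len(tokens) or tokens[pos] != ")":
            raise ValueError(f"unbalanced parentheses in {key.strip()}")
        pos += 1
        return key.strip().upper(), (kids or val.strip())

    node = group()
    if pos != len(tokens):
        raise ValueError("text after the closing parenthesis (unbalanced?)")
    return node

def load_rules(text):
    """Return the RULE entries of a RULE_LIST as dicts, in file order."""
    key, kids = parse(text)
    if key != "RULE_LIST":
        raise ValueError("expected RULE_LIST")
    return [dict(f) for k, f in (kids if isinstance(kids, list) else []) if k == "RULE"]

def matches(pattern, value):
    """Assumed matching model: '*' matches anything, 'a.b.c.d/n' is a CIDR block, else exact."""
    if pattern == "*":
        return True
    if "/" in pattern:
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:  # a host name cannot be tested against a CIDR block
            return False
    return pattern.lower() == value.lower()

def decide(rules, src, dst, srv):
    """Action for one connection request, following the behaviour stated on this page."""
    if not rules:
        return "accept"  # no rules defined: all connections are accepted
    for rule in rules:   # the ACT of the first matching RULE applies
        if all(matches(rule[k], v) for k, v in (("SRC", src), ("DST", dst), ("SRV", srv))):
            return rule["ACT"].lower()
    return "reject"      # default option once at least one rule exists
```

Running a planned rule list through `decide` for each client that should and should not reach the database shows whether an empty or mis-ordered list would leave the proxy accepting everything.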

Enabling Protocol Conversion Support
Oracle Connection Manager provides support for protocol conversion, enabling clients and a database server configured with different network protocols to communicate with each other. An Oracle Connection Manager can listen on any protocol that Oracle supports.

Without this kind of support, a client that uses Named Pipes cannot connect to a database server that uses TCP/IP. If Oracle Connection Manager is configured for TCP/IP, the client can connect to Oracle Connection Manager using Named Pipes, and Oracle Connection Manager can connect to the database server using TCP/IP.

As the following example shows, the cman.ora must be configured with a protocol address for each protocol that the client uses. Sample addresses for three protocols are shown--TCP/IP, Named Pipes, and TCP/IP with SSL.

(CMAN=
  (ADDRESS=(PROTOCOL=tcp)(HOST=proxysvr1)(PORT=1630))
  (ADDRESS=(PROTOCOL=nmp)(SERVER=proxysvr_pc)(PIPE=cmanpipe))
  (ADDRESS=(PROTOCOL=tcps)(HOST=144.25.22.217)(PORT=2484)))


By default, Oracle Connection Manager accepts client connection requests at the following default protocol address:

CMAN=(ADDRESS=(PROTOCOL=tcp)(HOST=anyhost)(PORT=1630))


To configure protocol conversion:

Manually create a cman.ora file, if one does not already exist.
Add protocol addresses for each of the protocols that the client uses in the CMAN parameter:
CMAN=
 (ADDRESS=(protocol_address_information))
 (ADDRESS=(protocol_address_information))






 
