Oracle through a firewall

Until now I thought that SQLNET connections were a nightmare in general. This is because I had been using Oracle on Windows, where the client connects to the TNS Listener of the server, gets a new ("random") port number and opens a new connection to that port on the server. This cannot easily and securely be let through a basic firewall; it works only if the firewall explicitly supports the SQLNET protocol. However ...

I just read an article on the subject, where the author says that this is so only in the case of Windows servers. On Unix the client initiates a connection to the TNS Listener and uses that connection for the duration of the Oracle session.

And even on Windows it can be turned off on Oracle8i and later with the USE_SHARED_SOCKET=TRUE parameter (but only if your server runs in dedicated server mode). Here's the description from the "Oracle9i Security and Network Integration Guide" of 9iR2:
"USE_SHARED_SOCKET

You can set parameter USE_SHARED_SOCKET to true to enable use of shared sockets. If this parameter is set to true, the network listener passes the socket descriptor for client connections to the database thread. As a result, the client does not need to establish a new connection to the database thread and database connection time improves. Also, all database connections share the port number used by the network listener, which can be useful if you are setting up third-party proxy servers.

This parameter only works in dedicated server mode in a TCP/IP environment. If this parameter is set, you cannot use the 9.0 listener to spawn Oracle7 release 7.x databases. To spawn a dedicated server for an Oracle database not associated with the same Oracle home as the listener and have shared socket enabled, you must also set parameter USE_SHARED_SOCKET for both Oracle homes."


Oracle Net Services first checks for this parameter as an environment variable and uses the value defined there. If no environment variable is defined, it searches for the parameter in the registry (in the "HKEY_LOCAL_MACHINE\SOFTWARE\Oracle" key or in one of its HOME* subkeys). Note that the setting has to be visible to the listener's own process: a variable set only in your interactive shell is not seen by a listener running as a Windows service, so set it system-wide or in the registry and restart the listener. It seems (after some googling) that the USE_SHARED_SOCKET parameter works only on Oracle 8.1.7.1.4 and above.

Another alternative is to use CMAN (Oracle Connection Manager), which sits in front of the listener as a proxy so that the firewall only has to allow the CMAN port, but it's a bit more complicated than just setting an environment variable (or a registry key).

You might also experience port redirection problems if you're using MTS (Multi-Threaded Server, called shared server from 9i on): the listener redirects the client to a dispatcher, which by default listens on a dynamically chosen port. In this case you can fix the ports the dispatchers use in your init.ora (or spfile) with the MTS_DISPATCHERS parameter (DISPATCHERS from 9i on) and allow just those ports on the firewall.
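As an added example, not code from this post or from Oracle, here is a small Python tool that looks at the listener's first reply to a client and tells you whether the resulting session will fit a firewall rule set that allows only known ports. It assumes the TNS packet layout as I understand it (an 8-byte header with the packet type in the fifth byte; a REDIRECT packet carries a 2-byte length followed by the address descriptor). The three sample replies are constructed, not captured: an ACCEPT (Unix dedicated server, or Windows with USE_SHARED_SOCKET), a redirect to a dispatcher pinned to port 1522 (a hypothetical value set through DISPATCHERS), and a redirect to an ephemeral port (Windows dedicated server without the parameter). The host 10.0.0.5 and the port numbers are placeholders.

```python
from __future__ import annotations

import re
import struct

# TNS (SQL*Net) packet types. The 8-byte header is: packet length, packet
# checksum, packet type, reserved/flags, header checksum (all big-endian).
TNS_CONNECT, TNS_ACCEPT, TNS_REFUSE, TNS_REDIRECT = 1, 2, 4, 5
TNS_HEADER = struct.Struct(">HHBBH")


def parse_tns_packet(buf: bytes) -> dict:
    """Parse one TNS packet; for a REDIRECT also return the redirect address."""
    if len(buf) < TNS_HEADER.size:
        raise ValueError("short TNS header")
    length, _cksum, ptype, _flags, _hdr_cksum = TNS_HEADER.unpack(buf[:TNS_HEADER.size])
    if length > len(buf):
        raise ValueError("truncated TNS packet")
    pkt = {"type": ptype, "length": length}
    if ptype == TNS_REDIRECT:
        # REDIRECT body: 2-byte data length, then an (ADDRESS=...) descriptor string
        (data_len,) = struct.unpack(">H", buf[8:10])
        data = buf[10:10 + data_len]
        if len(data) != data_len:
            raise ValueError("truncated redirect data")
        pkt["redirect"] = data.decode("ascii", errors="replace")
    return pkt


def redirect_target(address: str) -> tuple[str, int]:
    """Pull HOST and PORT out of an (ADDRESS=...) descriptor."""
    host = re.search(r"\(HOST=([^)]+)\)", address, re.IGNORECASE)
    port = re.search(r"\(PORT=(\d+)\)", address, re.IGNORECASE)
    if not (host and port):
        raise ValueError("redirect without HOST/PORT: " + address)
    return host.group(1), int(port.group(1))


def session_passes_firewall(listener_reply: bytes, allowed_ports: set[int]) -> tuple[bool, str]:
    """Decide whether the session the listener is setting up fits the rule set."""
    pkt = parse_tns_packet(listener_reply)
    if pkt["type"] == TNS_ACCEPT:
        return True, "accepted on the listener socket, no second connection needed"
    if pkt["type"] == TNS_REDIRECT:
        host, port = redirect_target(pkt["redirect"])
        if port in allowed_ports:
            return True, f"redirected to {host}:{port}, which the firewall allows"
        return False, f"redirected to {host}:{port}, which the firewall blocks"
    if pkt["type"] == TNS_REFUSE:
        return False, "listener refused the connection"
    return False, f"unexpected packet type {pkt['type']}"


def build_tns_packet(ptype: int, body: bytes) -> bytes:
    """Builder for the constructed samples below; checksums are left zero here."""
    return TNS_HEADER.pack(TNS_HEADER.size + len(body), 0, ptype, 0, 0) + body


def build_redirect(address: str) -> bytes:
    data = address.encode("ascii")
    return build_tns_packet(TNS_REDIRECT, struct.pack(">H", len(data)) + data)


# Constructed sample replies (not real captures).
# 1) Unix dedicated server, or Windows with USE_SHARED_SOCKET=TRUE: the listener
#    ACCEPTs and the same socket is handed to the server process. Body fields
#    (version, SDU, ...) are not parsed here, so zeros stand in for them.
SAMPLE_ACCEPT = build_tns_packet(TNS_ACCEPT, bytes(16))
# 2) Shared server with a dispatcher pinned to port 1522 (hypothetical value the
#    DBA set via DISPATCHERS / MTS_DISPATCHERS): the redirect goes to a known port.
SAMPLE_REDIRECT_DISPATCHER = build_redirect("(ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.5)(PORT=1522))")
# 3) Windows dedicated server without USE_SHARED_SOCKET: redirect to an
#    ephemeral port the firewall has never heard of.
SAMPLE_REDIRECT_EPHEMERAL = build_redirect("(ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.5)(PORT=1043))")

# Firewall rule set: the listener port plus the fixed dispatcher port only.
ALLOWED_PORTS = {1521, 1522}

if __name__ == "__main__":
    for name, reply in [("accept", SAMPLE_ACCEPT),
                        ("dispatcher", SAMPLE_REDIRECT_DISPATCHER),
                        ("ephemeral", SAMPLE_REDIRECT_EPHEMERAL)]:
        ok, why = session_passes_firewall(reply, ALLOWED_PORTS)
        print(f"{name:10s} {'PASS' if ok else 'FAIL'}: {why}")
```

To use it against a real listener, feed `session_passes_firewall` the first packet the listener sends back after the client's CONNECT (from a packet capture or a SQLNET trace) together with the ports your firewall actually opens; anything that ends in a redirect to a port outside that set is a session the firewall will break.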

I've found a doc on the net that describes the various options you have for letting SQLNET through your firewall.