This chapter describes how to configure Oracle Connection Manager features.
This chapter contains these topics:
Note:Oracle Connection Manager is available for installation with Oracle Database 10gEnterprise Edition.
Chapter 1, "Networking Challenges in the Internet Age" for an introductory level overview of Oracle Connection Manager concepts
Chapter 5, "Architecture of Oracle Net Services" for an architectural overview of Oracle Connection Manager
Oracle Connection Manager is a proxy server, an intermediate server that forwards connection requests to database servers or to other proxy servers. It has two primary functions:
With session multiplexing, you can quickly enable Oracle Connection Manager to funnel multiple client sessions through a network connection to a shared server destination.
With access control, you can use rule-based configuration to filter out certain client requests and accept others.
To configure Oracle Connection Manager:
cman.ora file on the Oracle Connection Manager computer. This file specifies the listening endpoint for the server, access control rules, and Oracle Connection Manager performance parameters.
Configure clients with the protocol addresses of the Oracle Connection Manager listener.
Optionally Configure the database server for session multiplexing.
This section contains these topics:
Note:Oracle Net Manager does not support configuration of the
cman.orafile, so changes must be made manually.
To configure the machine where Oracle Connection Manager is installed, you can define three types of parameters in the
Listening endpoint (
Access control rule list (
Parameter list (
cman.ora file is located in the
$ORACLE_HOME/network/admin directory on UNIX and in the
\network\admin directory on Windows. Example 11-1 shows an example
cman.ora file file that contains a configuration entry for an Oracle Connection Manager called
CMAN1= (CONFIGURATION= (ADDRESS=(PROTOCOL=tcp)(HOST=proxysvr)(PORT=1521)) (RULE_LIST= (RULE=(SRC=22.214.171.124/27)(DST=sales-server)(SRV=*)(ACT=accept) (ACTION_LIST=(AUT=on)(MCT=120)(MIT=30))) (RULE=(SRC=126.96.36.199)(DST=proxysvr)(SRV=cmon)(ACT=accept))) (PARAMETER_LIST= (MAX_GATEWAY_PROCESSES=8) (MIN_GATEWAY_PROCESSSES=3) (REMOTE_ADMIN=YES)))
One computer can host any number of Oracle Connection Managers, each with its own configuration entry in
cman.ora. When defining more than one Oracle Connection Manager in the file, you can assign a default by giving only one a fully qualified host name.
See Also:The Oracle Database Net Services Reference, Chapter2, "Oracle Connection Manager Control Utility", to learn more about this feature and the
The listening endpoint specifies the protocol address for the Oracle Connection Manager listener. CMON, the Oracle Connection Manager monitoring process, uses this address to register information about gateway processes with the listener. The database server, in turn, uses the address to register service information at the Oracle Connection Manager node.
Note that the Oracle Connection Manager listener always listens on the TCP/IP protocol. The address shown in Figure 11-0 is the default address of TCP/IP, port 1521.
Note:Oracle Connection Manager can connect to the database server using protocols such as TCP/IP and IPC. The protocol TPCS is not supported.
The access control rule list specifies which connections are accepted, rejected, or dropped by the listener.
(RULE=(SRC=188.8.131.52/27)(DST=sales-server)(SRV=*)(ACT=accept) (ACTION_LIST=(AUT=on)(MCT=120)(MIT=30))) (RULE=(SRC=184.108.40.206)(DST=proxysvr)(SRV=cmon)(ACT=accept))
The example shows two rules. The first one is for client connections. The second is for the Oracle Connection Manager Control utility (CMCTL). In the first rule,
src=220.127.116.11/27 designates the IP address of the client, or source.
DST=sales-server designates the destination host name. The abbreviation
ACT stands for "action"—that is, accept, reject, or drop. In the second rule,
DST=proxysvr represent the same server, indicating that Oracle Connection Manager and CMCTL must reside on the same computer.
ACTION_LIST in the first rule sets attributes for a connection if it is accepted. This parameter enables you to override default parameter settings on a connection by connection basis. See "Oracle Connection Manager Parameters" in Oracle Database Net Services Reference for a complete definition of
You can specify multiple rules for both client and CMCTL connections.
You must enter at least one rule for client connections and one rule for CMCTL connections. Omitting one or the other results in the rejection of all connections for the rule type omitted.
If the CMCTL connection is remote, the
REMOTE_ADMIN parameter in
cman.ora must be set to
on, regardless of the rules specified.
If cman.ora does not exist, Oracle Connection Manager cannot start.
Oracle Connection Manager does not support wildcards for partial IP addresses. If you use a wildcard, use it in place of a full IP address. The IP address of the client may, for example, be (SRC=*).
Oracle Connection Manager supports only the /nn notation for subnet addresses. In the first rule in the example, /27 represents a subnet mask that comprises 27 left-most bits. This means that only the first 27 bits in the client's IP address are compared with the IP address in the rule.
A global parameter applies to all Oracle Connection Manager connections, unless a rule-level parameter overrides it. To change a global parameter's default setting, enter it into the
PARAMETER_LIST, together with an allowable value.
See Also:Oracle Database Net Services Reference for a complete list of parameters and their default and allowed values
To route clients to the database server through Oracle Connection Manager, configure the
tnsnames.ora file with a connect descriptor that specifies the protocol address of Oracle Connection Manager. This address enables clients to connect to the Oracle Connection Manager computer. The connect descriptor looks like this:
sales= (DESCRIPTION= (ADDRESS= (PROTOCOL=tcp) (HOST=cman-pc) (PORT=1521)) (CONNECT_DATA= (SERVICE_NAME=sales.com)))
To configure a protocol address for Oracle Connection Manager:
Start Oracle Net Manager.
See Also:"Oracle Net Manager"
In the navigator pane, expand Directory or Local > Service Naming.
Click plus (+) from the toolbar, or choose Edit > Create.
Enter any name in the Net Service Name field.
The Protocol page appears.
Select the protocol on which Oracle Connection Manager is configured to listen on. By default this protocol is TCP/IP.
The Protocol Settings page appears.
Enter the appropriate parameter information for the selected protocol in the fields provided. If you are using TCP/IP, the default port to use is 1521.
See Also:Oracle Database Net Services Reference for protocol parameter settings
The Service page appears.
Select a release, and then enter the name of destination database service.
If the destination service is an Oracle Database 10g, Oracle9i or Oracle8i database, select Oracle8i or later, and enter a service name in the Service Name field. If destination service is an Oracle release 8.0 database, select Oracle8 or Previous, and enter an Oracle System Identifier (SID) for an instance in the Database SID field.
See Also:"About Connect Descriptors" for further information about setting the service name string
Note:Do not click Test, because a connection cannot be tested at this point.
Click Finish to save your configuration and dismiss Net Service Name Wizard.
Configuring the database server is a two-part process that involves registering database information remotely with Oracle Connection Manager and, optionally, configuring the server for multiplexing.
To enable the database server to communicate with Oracle Connection Manager, the initialization parameter file
init.ora must contain a descriptor that specifies the listening address of Oracle Connection Manager. Because this address is TCP, port 1521 but not the default local listening address of TCP, port 1521, you must specify an alias, using the
After the alias is specified, it must be resolved with a service name entry in the
For example, an alias for an Oracle Connection Manager listener located at proxyserver1 might look like this in the
listeners_cman would then be resolved to the following entry in the
listener_cman= (DESCRIPTION= (ADDRESS_LIST= (ADDRESS=(PROTOCOL=tcp)(HOST=proxyserver1)(PORT=1521))))
Once the initialization parameter file is configured with the listening address of Oracle Connection Manager, the PMON process—the database instance background process—can register database information with the Oracle Connection Manager listener. This registration is similar to what occurs on the proxy node, where the CMADMIN (Connection Manager Administration) process—the Oracle Connection Manager background process—registers the location and load of proxy processes with the listener of Oracle Connection Manager.
This section contains these topics:
The first feature is enabled by using the parameter
DISPATCHERS in the initialization parameter file, the second by using the parameter
RULE_LIST in the
Once the attributes
MULTIPLEX have been added to the parameter
DISPATCHERS in the initialization parameter file, enabling session multiplexing is simply a matter of ensuring that
MULTIPLEX is set to
on or to an equivalent value.
See Also:"Enabling Session Multiplexing"
You can set different levels of multiplexing, as Table 11-1 shows.
The network protocol for which the dispatcher generates a listening endpoint.
Used to enable session multiplexing
Note:You can configure the
DISPATCHERSparameter using the Database Configuration Assistant.
As stated in "Configuring the Oracle Connection Manager Computer", you can use the parameter
RULE_LIST to control client access to designated database servers in a TCP/IP environment. By entering filtering rules under this parameter, you can allow or restrict specific clients access to a database server.
To configure access control:
Manually create a
cman.ora file, if one does not already exist.
(RULE_LIST= (RULE=(SRC=source_host) (DST=destination_host) (SRV=service) (ACT=accept | reject | drop)))
Add the following parameters for each rule described in Table 11-2 as needed.
Specify the source host name or IP address of the client. The IP address can be a subnet such as 18.104.22.168/24.
Specify the destination host name or IP address of the database server. The IP address can be a subnet such as 22.214.171.124/24.
Specify the service name of the Oracle Database 10g, Oracle9i, or Oracle8i database (obtained from the
Specify to accept, reject, or drop incoming requests based on the preceding three parameters.
See Also:Oracle Database Net Services Reference for default values and allowed values of Oracle Connection Manager parameters
You can define multiple rules in the
RULE_LIST. The action (
ACT) in the first matched
RULE is applied to the connection request. If no rules are defined, all connections are rejected.
In the following example, client computer
client1-pc is denied access to the service
sales.us.acme.com, but client
126.96.36.199 is granted access to the service
(RULE_LIST= (RULE=(SRC=client1-pc)(DST=sales-server)(SRV=sales.us.acme.com)(ACT=reject)) (RULE=(SRC=188.8.131.52)(DST=184.108.40.206)(SRV=db1)(ACT=accept)))
See Also:Oracle Database Net Services Reference for further information about Oracle Connection Manager parameters
If you want to migrate an Oracle9i cman.ora file to Oracle Database 10g, use the cmmigr tool. Here is the syntax for the tool:
Specifying the file location is optional. If you omit it, cmmigr tries to find the file in the
TNS_ADMIN directory; then it looks in
$ORACLE_HOME/network/admin.When it runs, cmmigr renames the Oracle9i
cman.bak. It names the Oracle Database 10g file
cman.ora. The tool migrates three of the four sections that are in the Oracle9i file:
Address section: cmmigr converts the listener protocol address from the Oracle9i format to the Oracle Database 10g format
Admin section: cmmigr ignores this section.
Profile section: cmmigr translates the parameter names in cman_profile into Oracle Database 10g names. With the exception of log level and trace level, the tool leaves parameter values untouched. Obsolete parameters appear in a commented list in the new file.
Rules section: cmmigr copies existing rules to the new file. It adds a rule that enables CMCTL to contact CMADMIN. If the old file contains no rules, cmmigr adds two rules to the new file: one for the connection between CMCTL and CMADMIN and one for the client connection. See "Access Control Rule List (RULE_LIST)" for examples of these two rules.
The tool throws the messages listed in Table 11–3.
1.4140 -"Migration completed successfully."
This message appears when cman.ora has been migrated successfully.
2.4141-"Unable to find CMAN.ORA."
This message appears when the file location that you specify is incorrect.
3.4142-"CMAN.ORA has an invalid format."
This message appears when the file is in a format that cmmigr cannot understand. Need formatting guidelines
4.4143-"Unable to write the new CMAN.ORA file."
5.4144-"Nothing to migrate."
The tool found nothing in the file that it could migrate.