|Oracle9i Net Services Administrator's Guide
Release 1 (9.0.1)
Part Number A90154-01
This chapter describes the networking issues that your system faces in the Internet age, and introduces the technology and products that can provide a complete network solution.
This chapter contains the following topics:
The e-business model creates new business requirements. To carry out electronic business successfully, Web sites must provide reliable connectivity and 24 by 7 availability. Corporate Web sites must also address user scalability and performance to simultaneously handle thousands of Internet connections to their data repositories. Solutions are needed as well to provide immediate Web browser access to existing applications and services.
Figure 1-1 shows a typical architecture in which Internet clients connect to a company's databases through an application Web server. The figure also shows the intranet architecture that enables a company's own clients to communicate with the databases. This basic architecture will be examined further to show how Oracle networking technologies are used throughout typical network environments.
Oracle Net Services provide enterprise-wide connectivity solutions in distributed, heterogeneous computing environments. Oracle Net Services ease the complexities of network configuration and management, maximize performance, and improve network diagnostic capabilities.
This section introduces the basic networking concepts that come into play in a typical network configuration. The topics discussed include:
Oracle Net, a component of Oracle Net Services, enables a network session from a client application to an Oracle database server. Once a network session is established, Oracle Net acts as the data courier for both the client application and the database server. It is responsible for establishing and maintaining the connection between the client application and database server, as well as exchanging messages between them. Oracle Net is able to perform these jobs because it is located on each computer in the network.
This section discusses the following connectivity topics:
Oracle Net enables connections from traditional client/server applications to Oracle database servers. Figure 1-2 shows how Oracle Net enables a network connection between a client and a database server. Oracle Net is a software component that resides on both the client and the database server. Oracle Net is layered on top of a network protocol--rules that determine how applications access the network and how data is subdivided into packets for transmission across the network. In this illustration, Oracle Net communicates with the TCP/IP protocol to enable computer-level connectivity and data transfer between the client and the database server.
Specifically, Oracle Net is comprised of the Oracle Net foundation layer, which establishes and maintains connections, and Oracle protocol support, which maps the foundation layer's technology to industry-standard protocols.
Java client applications access an Oracle database through a Java Database Connectivity (JDBC) Driver, a standard Java interface for connecting from Java to a relational database. Oracle offers the following drivers:
These drivers use Oracle Net to enable connectivity between a client application and an Oracle database.
Figure 1-3 shows a Java client application using a JDBC OCI driver and an Oracle database server. The Java client application makes calls to the JDBC OCI driver which in turn translates the JDBC calls directly into the Oracle Net layer. The client then uses Oracle Net to communicate with an Oracle database that is also configured with Oracle Net.
Internet connections from client Web browsers to an Oracle database server are similar to client/server applications, except for the architecture.
Figure 1-4 shows the basic architecture for Web client connections, including a client Web browser, an application Web server, and an Oracle database server. The browser on the client communicates with HTTP to a Web server to make a connection request. The Web server sends the request to an application where it is processed. The application then uses Oracle Net to communicate with an Oracle database server that also is configured with Oracle Net.
The basic components have the following characteristics:
HTTP provides the language that enables Web browsers and application Web servers to communicate.
An application Web server manages data for a Web site, controls access to that data, and responds to requests from Web browsers. The application on the Web server communicates with the database and performs the job requested by the Web server.
An application Web server can host Java applications and servlets, as shown in Figure 1-5. Web browsers make a connection request by communicating through HTTP to an application Web server. The application Web server sends the request to an application or a servlet, which in turn uses a JDBC OCI or a JDBC Thin driver to process the request. The driver then uses Oracle Net to communicate with an Oracle database server that also is configured with Oracle Net.
Web clients that do not require an application Web server to access applications can access the Oracle database directly, for example, by using a Java applet. In addition to regular connections, the database can be configured to accept HTTP and Internet Inter-ORB Protocol (IIOP) connections. These protocols are used for connections to Oracle9i JVM in the Oracle9i instance.
Figure 1-6 shows three different Web clients. The first Web client makes an HTTP connection to the database. The second Web client makes an IIOP connection. The third client uses a Web browser with a JDBC Thin driver, which in turn uses a Java version of Oracle Net called JavaNet to communicate with the Oracle database server that is configured with Oracle Net.
Oracle Net Services offer a number of manageability features that enable you to easily configure and manage networking components. These features are described in the following topics:
A company can have several databases, each representing a specific type of service for various client applications. For example, a company may have three databases, which it uses for sales, human resources, and marketing applications. Each database is represented by one or more services. A service is identified by a service name, for example, sales.us.acme.com. A client uses this service name to identify the database it needs to access. The information about the database service and its location in the network is transparent to the client because the information needed for a connection is stored in a repository.
For example, in Figure 1-7, a company has three databases that clients can access. Each database has a distinct service name:
The repository is represented by one or more naming methods. Oracle Net Services offer several types of naming methods that support localized configuration on each client, or centralized configuration that can be accessed by all clients in the network. Easy-to-use graphical user interfaces enable you to manage data stored in the naming methods.
To manage large networking environments, administrators have to be able to easily access a centralized repository to specify and modify the network configuration. For this reason, the Oracle Net Services configuration can be stored in an LDAP-compliant directory server.
Support of LDAP-compliant directory servers provides a centralized vehicle for managing and configuring a distributed Oracle network. The directory can act as a central repository for all information on database network components, user and corporate policies, and user authentication and security, thus replacing client-side and server-side localized configuration files.
All computers on the heterogeneous network can refer to the directory for information. Figure 1-8 shows clients, other servers (such as application Web servers) and Oracle database servers connecting to a centralized directory server.
See Also: "Directory Server Support" for an in-depth overview of directory server concepts
Oracle Net Services install quickly and easily. Networking elements for the Oracle database server and clients are preconfigured for most environments. Information about an Oracle database service is populated in one or more naming methods. As a result, clients and servers are ready to immediately connect when installed, giving users the benefits of distributed computing.
Oracle Net provides scalability features that enable you to maximize system resources and improve performance. These features are described in the following topics:
Oracle's shared server architecture increases the scalability of applications and the number of clients that can be simultaneously connected to the database. The shared server architecture also enables existing applications to scale up without making any changes to the application itself.
When using shared server, clients do not communicate directly with a database's server process--a database process that handles a client's requests on behalf of a database. Instead, client requests are routed to one or more dispatchers. The dispatchers place the client requests on a common queue. An idle shared server process from the shared pool of server processes picks up and processes a request from the queue. This means a small pool of server processes can serve a large number of clients.
Figure 1-9 and Figure 1-10 show the basic difference between the shared server connection model and the traditional dedicated server connection model. In the shared server model, a dispatcher can support multiple client connections concurrently. In the dedicated server model, there is one server process for each client. Each time a connection request is received, a server process is started and dedicated to that connection until completed. This introduces a processing delay.
Shared server is ideal in configurations with a large number of connections because it reduces the server's memory requirements. Shared server is well suited for both Internet and intranet environments.
Utilization of server resources can be further enhanced with Oracle Net Services features that are configurable through shared server. These features are discussed in the following sections:
When thousands of clients are running interactive Web applications, many of these sessions may be idle at a given time. Connection pooling enables the database server to time out an idle session and use the connection to service an active session. The idle logical session remains open, and the physical connection is automatically reestablished when the next request comes from that session. Therefore, Web applications can accommodate larger numbers of concurrent users with existing hardware.
Figure 1-11 shows how connection pooling works. In this example, the Oracle database server has been configured with 255 connections. One of the clients has been idle past a specified amount of time. Connection pooling makes this connection available to an incoming client connection, which is the 256th connection. When the idle client has more work to do, the connection is reestablished for that client with another client's idle connection.
Session multiplexing reduces the demand on resources needed to maintain multiple network sessions between two processes by enabling the server to use fewer network connection endpoints for incoming requests. This enables you to increase the total number of network sessions that a server can handle. With multiple Oracle Connection Managers, thousands of concurrent users can connect to a server.
Figure 1-12 shows how session multiplexing can be used in a Web architecture. When Oracle Connection Manager is run on the same computer as an application Web server, the application Web server can route multiple client sessions through Oracle Connection Manager to ensure that those sessions have continuous access to an Oracle database server. This functionality is especially useful for Web applications where session availability and response time are major concerns.
The Virtual Interface (VI) protocol reduces the overhead of TCP/IP by eliminating intermediate replication of data and transferring most of the messaging burden away from the CPU and onto the network hardware. The result is a low-latency, high-throughput interconnect protocol that reduces the number of CPU cycles dedicated to network processing.
In an environment with an application Web server, the VI protocol can be used in place of TCP/IP between the application Web server and the database server. This configuration is shown in Figure 1-13.
Data access and secure transfer of data are important considerations when deploying Oracle. Network security is enhanced with features described in the following topics:
Granting and denying access to a database is crucial for a secure network environment. Oracle Net Services enable database access control using features described in the following topics:
Oracle Connection Manager can be configured to grant or deny client access to a particular database service or a computer. By specifying filtering rules, you can allow or restrict specific client access to a server, based on the following criteria:
Figure 1-14 shows an Oracle Connection Manager positioned between three Web clients and an Oracle database server. Oracle Connection Manager is configured to allow access to the first two Web clients and to deny access to the third. In order for this configuration to work, clients require the JDBC Thin driver.
Oracle Connection Manager functionality is also offered by some firewall vendors through a software component called Oracle Net Firewall Proxy. A host computer, called an application gateway, runs the Oracle Connection Manager software.
Figure 1-15 shows an application gateway controlling traffic between internal and external networks and providing a single checkpoint for access control and auditing. As a result, unauthorized Internet hosts cannot directly access the database inside a corporation, but authorized users can still use Internet services outside the corporate network. This capability is critical in Internet environments to restrict remote access to sensitive data.
The database server can be configured with access control parameters in the sqlnet.ora configuration file. These parameters specify whether clients are allowed or denied access based on the protocol.
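As an added example (not part of the original guide), the two access control points described above, side by side: a sqlnet.ora fragment for the database server and a cman.ora rule list for the Oracle Connection Manager host that mirrors Figure 1-14 (two Web clients accepted, the third rejected). The client addresses and the host name sales-server are constructed.

```text
# --- Database server: sqlnet.ora (constructed example) ---
# Valid node checking: when enabled, TCP connections are accepted only from
# the listed clients. Without it, any host that can reach the listener port
# may attempt a connection.
TCP.VALIDNODE_CHECKING = yes

# Clients permitted to connect (constructed addresses). An entry that does not
# resolve silently denies that client, so verify each one after a change.
TCP.INVITED_NODES = (144.25.187.101, 144.25.187.102, webapp-server.us.acme.com)

# Alternative form: deny only the listed hosts. Configure one list, not both.
# TCP.EXCLUDED_NODES = (144.25.187.103)

# --- Connection Manager host: cman.ora (constructed example) ---
# Each RULE names the client (SRC), the destination server (DST) and the
# service (SRV) and states whether to accept or reject the connect request.
# The first two Web clients of Figure 1-14 are accepted; the third is rejected.
CMAN_RULES =
  (RULE_LIST =
    (RULE = (SRC = 144.25.187.101) (DST = sales-server) (SRV = sales.us.acme.com) (ACT = accept))
    (RULE = (SRC = 144.25.187.102) (DST = sales-server) (SRV = sales.us.acme.com) (ACT = accept))
    (RULE = (SRC = 144.25.187.103) (DST = sales-server) (SRV = sales.us.acme.com) (ACT = reject))
  )
```

Both files take effect only after the listener or Oracle Connection Manager is restarted (or reloaded with its control utility), so a test connection from an accepted and from a rejected address is the practical check.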
Oracle Advanced Security provides network security through the features described in the following topics:
Sensitive information that travels over the Internet can be protected by encryption. Encryption is the transformation of information into a form readable only with a decryption key.
Figure 1-16 shows how encryption works. A buyer wishes to purchase a company's product over the Internet using a credit card. To ensure the security of the transaction, the buyer's credit card number is encrypted with an encryption key. The encrypted credit card number is sent across the network to the database. Encryption scrambles the message, rendering it unreadable to anyone but the recipient. The server decrypts the message with a decryption key and reads the credit card number.
Authentication is used to prove the identity of the user. Passwords are the most common means of authentication. Oracle Advanced Security allows for enhanced authentication through Oracle authentication adapters that support various third-party authentication services.
Figure 1-17 shows user authentication with an Oracle database configured with an authentication server. This architecture provides high confidence in the identity of users in distributed environments. Having a central facility to authenticate all members of the network (clients to servers, servers to servers, users to both clients and servers) is one effective way to address the threat of network nodes falsifying their identities.
Centralized authentication also provides the benefit of single sign-on for users. Single sign-on enables users to access multiple accounts and applications with a single password. A user only needs to log on once and can then automatically connect to any other service without having to give a user name and password again. Single sign-on eliminates the need for the user to remember and administer multiple passwords, and reduces the time spent logging into multiple services.
Authentication is provided through the following third-party services:
A centralized directory server can be used to store user, administration, and security information. This centralized configuration enables the administrator to modify information in one location, the directory. It also lowers the cost of administration and makes the enterprise more secure.
Figure 1-18 shows how a directory server can be used to provide centralization of user account, user role, and password information.
2. - 4. Once authenticated, a user can access the databases, which are configured for enterprise user security.
The connectivity, manageability, scalability, and security features described in this chapter are provided by the following components and products, which are discussed in the following topics:
This section describes the following components:
Oracle Net is a software layer that resides on the client and the Oracle database server. It is responsible for establishing and maintaining the connection between the client application and server, as well as exchanging messages between them, using industry-standard protocols. Oracle Net is comprised of two software components:
On the client side, applications communicate with Oracle Net foundation layer to establish and maintain connections. The Oracle Net foundation layer, in turn, uses Oracle protocol support that is able to communicate with an industry-standard network protocol, such as TCP/IP, to communicate with the Oracle database server.
Figure 1-19 illustrates the communication stack on the client.
The Oracle database server side is similar to the client side as illustrated in Figure 1-20. A network protocol sends client request information to an Oracle protocol support layer, which then sends information to the Oracle Net foundation layer. The Oracle Net foundation layer then communicates with the Oracle database server to process the client request.
The Oracle Net foundation layer uses Oracle protocol support to communicate with the following industry-standard network protocols:
Oracle protocol support maps Oracle Net foundation layer functionality to industry-standard protocols used in client/server connections.
The one operation unique to the Oracle database server side is the act of receiving the initial connection through a process called the listener. The listener brokers a client request, handing off the request to the server. The listener is configured with a protocol address. Clients configured with the same protocol address can send connection requests to the listener. Once a connection is established, the client and Oracle database server communicate directly with one another.
Figure 1-21 shows a listener accepting a connection request from a client and forwarding that request to an Oracle database server.
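Added example (not from the original guide) tying together the service name repository described earlier and the listener's protocol address described here: a local-naming entry for the sales service on the client and the matching listener.ora on the server. The host name sales-server, port 1521, the ORACLE_HOME path and the SID are assumptions.

```text
# --- Client: tnsnames.ora (local naming method; constructed example) ---
# The application asks for the net service name "sales". The connect
# descriptor holds what the client need not know itself: the protocol, the
# listener's protocol address and the database service name.
sales =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = sales-server)(PORT = 1521))
    (CONNECT_DATA =
      (SERVICE_NAME = sales.us.acme.com)
    )
  )

# --- Server: listener.ora (constructed example) ---
# The listener's protocol address must be the same ADDRESS the clients use;
# a mismatch in HOST or PORT means the connect request never reaches it.
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = sales-server)(PORT = 1521))
    )
  )

# Optional static registration of the sales instance, so the listener can hand
# a request for sales.us.acme.com to the right server process even before the
# instance has registered itself. ORACLE_HOME and SID_NAME are assumptions.
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (GLOBAL_DBNAME = sales.us.acme.com)
      (ORACLE_HOME = /u01/app/oracle/product/9.0.1)
      (SID_NAME = sales)
    )
  )
```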
Oracle Connection Manager is a software component that resides on its own computer, separate from a client or an Oracle database server. It proxies requests destined for the database server. You can also configure Oracle Connection Manager to multiplex sessions, control access, or convert protocols.
In its session multiplexing role, Oracle Connection Manager funnels multiple sessions through a single transport protocol connection to a particular destination. This reduces the demand on resources needed to maintain multiple sessions between two processes by enabling the Oracle database server to use fewer connection end points for incoming requests.
As an access control filter, Oracle Connection Manager controls access to Oracle databases.
As a protocol converter, Oracle Connection Manager enables a client and an Oracle database server that have different networking protocols to communicate with each other.
Oracle Connection Manager functionality is also offered by some firewall vendors through Oracle Net Firewall Proxy. A host computer, or application gateway, runs the Oracle Connection Manager proxy software. An application gateway looks and acts like a real server from the client's point of view, and a real client from the server's point of view. The application gateway sits between the Internet and a company's internal network and provides middleman services to users on either side.
Oracle Net Services provide graphical user interface tools and command-line utilities that enable you to easily configure, manage, and monitor the network.
Oracle Net Manager combines configuration abilities with component control to provide an integrated environment for configuring and managing Oracle Net Services. With Oracle Net Manager, you can fine-tune the listener and naming method configuration created with Oracle Net Configuration Assistant. In addition, Oracle Net Manager offers built-in wizards and utilities that enable you to test connectivity, migrate data from one naming method to another, and create additional network components.
The command-line control utilities enable you to configure, administer, and monitor network components, such as listeners and Oracle Connection Managers.
Oracle Advanced Security is a separately licensable product that provides a comprehensive suite of security features for the Oracle environment. This suite of security features protects enterprise networks and securely extends corporate networks to the Internet. It provides a single source of integration with network encryption and authentication solutions, single sign-on services, and security protocols. Oracle Advanced Security integrates industry standards and delivers unparalleled security to the Oracle network and other networks.