11 Using an Oracle Database Firewall with Oracle RAC

You can configure an Oracle Database Firewall to work with Oracle Real Application Clusters (Oracle RAC) so that it can block and substitute statements using Database Policy Enforcement (DPE) proxy mode, or log SQL statements and raise alerts using Database Activity Monitoring (DAM) inline and out-of-band mode.

11.1 Configuring a Database Firewall with Oracle RAC for DPE Mode

11.1.1 About Configuring a Database Firewall with Oracle RAC for DPE Proxy Mode

To use Database Policy Enforcement (DPE) mode in an Oracle Database Firewall with Oracle RAC, Oracle recommends that you perform the configuration in proxy mode.

The procedures in this section assume that you have one Oracle Database Firewall and one Oracle Audit Vault Server, but you can easily include more Database Firewalls by following the examples shown. The Database Firewall will be configured in proxy mode, in which the following takes place:

  1. SQL client connects to Database Firewall.
  2. Database Firewall connects to SCAN Listener.
  3. SCAN Listener redirects the connection to a RAC node.
  4. Database Firewall handles the redirection and makes an outbound connection to the redirected RAC node.
  5. The response from Oracle RAC node is passed to the client.

All components must be in the same subnet. If the client and the SCAN Listener are in different subnets, then two Network Interface Cards are needed (one in the client subnet and the other in the SCAN Listener subnet). The internal Database Firewall routing must be adjusted if the client, Database Firewall, and database server reside in different subnets.

Figure 11-1 shows the setup environment that will be used in the procedure that this chapter covers.

Figure 11-1 Oracle Database Firewall and Oracle RAC SCAN VIP Architecture



A typical request flow is as follows:

  1. An application issues a request to SCAN to find the least loaded instance for the database service (for example, soe.mlg.example.com).

  2. SCAN returns the connection information of the least loaded instance, in the form of node_id_fqdn:node_id_local_port. Traditionally SCAN will return node_vip_ip:node_id_local_port. However, for the procedure that is described here, the IP address is replaced with the corresponding fully qualified domain name.

  3. The application looks up and resolves node_id_fqdn into the Database Firewall proxy interface IP using a separate local DNS service.

  4. The request is forwarded to the respective enforcement point in the Database Firewall, and assuming the proxy in the Database Firewall has already been created using the same port as node_id_local_port, the connection takes place.

  5. The user is then able to connect to the Database Firewall using the appropriate management interface.

  6. When the user makes this connection, the Oracle RAC node is available as a secured target.

11.1.2 Step 1: Configure the Listeners for Each Oracle RAC Node

  1. On each Oracle RAC node that you plan to use with the Oracle Database Firewall, create and start a local listener.

    For example:

    srvctl add listener  -l NODE1LISTENER -p 15777
    srvctl start listener -l NODE1LISTENER -n rac1
    srvctl add listener  -l NODE2LISTENER -p 15999
    srvctl start listener -l NODE2LISTENER -n rac2
    

    Replace the values NODE1LISTENER, 15777, rac1, NODE2LISTENER, 15999, and rac2 with your respective environment values. These example values will be used in this procedure.

    For more information about using the srvctl utility, see Oracle Real Application Clusters Administration and Deployment Guide.

  2. Log in to SQL*Plus on each node as a user who has the ALTER SYSTEM system privilege.

    For example:

    sqlplus system
    Enter password: password
    
  3. Run the ALTER SYSTEM SQL statement to dynamically register each listener in the nodes.

    For example, to register the listeners on the Oracle SIDs flavia1 and flavia2:

    ALTER SYSTEM SET LOCAL_LISTENER="(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=rac1-vip.mlg.example.com)(PORT=15777))))" SCOPE=BOTH SID='flavia1';
    
    ALTER SYSTEM SET LOCAL_LISTENER="(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=rac2-vip.mlg.example.com)(PORT=15999))))" SCOPE=BOTH SID='flavia2';
    
  4. From the command line, run the following srvctl commands to verify the local listeners in the Oracle RAC clusters:
    srvctl status listener    //check listener location
    srvctl config listener    //check TCP ports
    

    For example:

    [oracle@rac1 bin]$srvctl status listener
    Listener LISTENER is enabled
    Listener LISTENER is running on node(s): rac2, rac1
    Listener NODE1LISTENER is enabled
    Listener NODE1LISTENER is running on node(s): rac1
    Listener NODE2LISTENER is enabled
    Listener NODE2LISTENER is running on node(s): rac2
    
    [oracle@rac1 bin]$srvctl config listener
    Name: LISTENER
    Network: 1, Owner: oracle
    Home: <CRS home>
    End points: TCP:15888
    Name: NODE1LISTENER
    Network: 1, Owner:oracle
    Home: <CRS home>
    End points: TCP:15777
    Name: NODE2LISTENER
    Network: 1, Owner: oracle
    Home: <CRS home>
    End points: TCP:15999
    
  5. On each node, in SQL*Plus, run the SHOW PARAMETER LISTENER command to show the local listener on the nodes.

    For example, on node rac1:

    SHOW PARAMETER LISTENER
    
    NAME                TYPE     VALUE
    ------------------  -------  ----------------------------------------------
    listener_networks   string   
    local_listener      string   ((DESCRIPTION=(ADDRESS_LIST=(ADDRESS= 
                                 (PROTOCOL=TCP)(HOST=rac1-vip.mlg.example.com)
                                 (PORT=15777)))) 
    remote_listener     string   mlg-rac-scan:1521
    

    For node rac2:

    SHOW PARAMETER LISTENER
    
    NAME                TYPE     VALUE
    ------------------  -------  ----------------------------------------------
    listener_networks   string   
    local_listener      string   ((DESCRIPTION=(ADDRESS_LIST=(ADDRESS= 
                                 (PROTOCOL=TCP)(HOST=rac2-vip.mlg.example.com)
                                 (PORT=15999)))) 
    remote_listener     string   mlg-rac-scan:1521
    
  6. Modify the local DNS on the application site to resolve the database virtual IP fully-qualified domain name into the Database Firewall IP address.

    For example, if you edit the /etc/hosts file on the client, you would add the following entries.

    192.0.2.201 rac1-vip.mlg.example.com
    192.0.2.201 rac2-vip.mlg.example.com
    

    A full-fledged DNS service is required if there is more than one Database Firewall and you want to load balance across them.
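    The redirection chain built in Steps 1 through 6 only works if three things agree: the port in each SID's LOCAL_LISTENER, the end point of a local listener that srvctl reports, and the client-side name mapping that sends the VIP FQDN to the Database Firewall. The following script is an added consistency check, not code from the Oracle documentation; the sample srvctl output, LOCAL_LISTENER values and hosts entries are constructed from the example values above, and the function names are hypothetical.

```python
import re

# Constructed, abridged `srvctl config listener` output using the page's example values.
SRVCTL_CONFIG = """\
Name: NODE1LISTENER
End points: TCP:15777
Name: NODE2LISTENER
End points: TCP:15999
"""
LOCAL_LISTENERS = {  # SID -> LOCAL_LISTENER descriptor as SHOW PARAMETER LISTENER reports it
    "flavia1": "(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=rac1-vip.mlg.example.com)(PORT=15777))))",
    "flavia2": "(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=rac2-vip.mlg.example.com)(PORT=15999))))",
}
CLIENT_HOSTS = "192.0.2.201 rac1-vip.mlg.example.com\n192.0.2.201 rac2-vip.mlg.example.com\n"
FIREWALL_IP = "192.0.2.201"  # Database Firewall proxy interface address used in Step 6

def listener_ports(srvctl_output):
    """Map listener name -> TCP port from `srvctl config listener` output."""
    ports, name = {}, None
    for line in srvctl_output.splitlines():
        if line.startswith("Name:"):
            name = line.split(":", 1)[1].strip()
        m = re.match(r"End points:\s*TCP:(\d+)", line)
        if m and name:
            ports[name] = int(m.group(1))
    return ports

def parse_local_listener(descriptor):
    """Extract (host, port) from a LOCAL_LISTENER connect descriptor."""
    host = re.search(r"\(HOST=([^)]+)\)", descriptor).group(1)
    port = int(re.search(r"\(PORT=(\d+)\)", descriptor).group(1))
    return host, port

def hosts_map(hosts_text):
    """Map hostname -> address from /etc/hosts-style text (comments ignored)."""
    fields = (ln.split("#", 1)[0].split() for ln in hosts_text.splitlines())
    return {name: f[0] for f in fields if f for name in f[1:]}

def check_redirection(srvctl_output, local_listeners, hosts_text, firewall_ip):
    """Return a list of findings; an empty list means the redirection chain is consistent."""
    findings = []
    ports = set(listener_ports(srvctl_output).values())
    names = hosts_map(hosts_text)
    for sid, descriptor in local_listeners.items():
        host, port = parse_local_listener(descriptor)
        if port not in ports:  # SCAN would hand out a port no local listener serves
            findings.append(f"{sid}: LOCAL_LISTENER port {port} has no local listener")
        if names.get(host) != firewall_ip:  # client would connect around the Database Firewall
            findings.append(f"{sid}: {host} resolves to {names.get(host)}, not {firewall_ip}")
    return findings
```

Feed it the real outputs of srvctl config listener, SHOW PARAMETER LISTENER and the client's hosts file; any finding means a SCAN redirect would either fail or bypass the proxy.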

11.1.3 Step 2: Configure the Proxies in the Oracle Database Firewall Console

  1. Log in to the Oracle Database Firewall console.
  2. Configure the proxy.

    After you complete the configuration, the Management Interface page should appear similar to the following:

  3. Configure enforcement points.

    When you complete this configuration, the Enforcement Points page should appear similar to the following:

    You can find details about each enforcement point by clicking its name in the Name column. For example, the enforcement point for the rac1 node could appear as follows:

  4. Test the connection.

    Log in to each Oracle RAC node that you configured, and then try running a simple command to see if the connection works.

    For example:

    sqlplus system
    Enter password: password
    
    SELECT SYSDATE FROM DUAL;

11.1.4 Step 3: Test the Audit Reports to Ensure That They Can Collect Oracle RAC Node Data

After the configuration is complete, you should ensure that it can collect data from the various Oracle RAC nodes.

  1. Log in to the Audit Vault Server console.
  2. Check the reports to ensure that audit data has been collected from the Oracle RAC nodes that you configured.

    For example, the following Data Access report shows that audit data has been collected from the rac2 node.

11.2 Configuring a Database Firewall with Oracle RAC for DAM Mode

You can configure an Oracle Database Firewall with Oracle RAC to use Database Activity Monitoring (DAM) inline and out-of-band mode. This type of configuration is the most straightforward (that is, it works out of the box).

To accomplish this, you must ensure that the IP addresses of all the Oracle RAC nodes are included in the secured target configuration. This can be a single secured target configuration that lists the IP address of each Oracle RAC node, or a separate secured target for each node.