Connection Load and Security Management with the Oracle Connection Manager Database Proxy

Secure access to your back-end data on Oracle Autonomous Database Serverless to protect the sensitivity and privacy requirements of your end users. Oracle Connection Manager in Traffic Director Mode (CMAN-TDM) is a database proxy solution that enables you to provide secure access to the back-end architecture, without compromising on data security.

Architecture

This architecture shows how you can use CMAN-TDM to connect to Oracle Autonomous Database Serverless on Oracle Cloud.

This architecture describes a basic configuration. There are other advanced connection modes of Proxy Resident Connection Pooling (PRCP) and Threaded modes that increase the performance of CMAN-TDM. These features optimize the usage of database resources through dynamic load balancing and intelligent pool management.

In the following sample architecture, the Oracle Autonomous Database Serverless is located in Oracle Cloud, but the same principle applies to a third-party cloud.


Description of oci-cman-tdm.png follows
Description of the illustration oci-cman-tdm.png

oci-cman-tdm-oracle.zip

This architecture supports the following components:

  • CMAN-TDM

    Oracle Connection Manager (CMAN) is a proxy server that forwards connection requests to databases or other proxy servers. It transfers the connection and data between the database and the client on authentication​. CMAN operates at the session level, and usually resides on a computer separate from the database server and client computers.

    CMAN provides the following:
    • Access control: To use rule-based configuration to filter user-specified client requests and accept others.
    • Session multiplexing: To funnel multiple client sessions through a network connection to a shared server destination.

    Traffic Director Mode (TDM) is an optional intelligence feature of CMAN that acts as the database proxy for the application. TDM adds the extra dimensions of transparent High Availability (HA) through outage support, enhanced security features on the cloud (DoS and fuzzing attack protection, tenant isolation, and so on), and performance tuning capabilities.

    CMAN-TDM enables any client app to connect to Oracle Database (both on-premises and cloud) without exposing the underlying database details to the client. It is interoperable with different versions of Oracle Database.

  • Oracle Call Interface (OCI)

    Oracle Call Interface is a comprehensive, high performance, native C language interface to Oracle Database for custom or packaged applications.

    The APIs provide an interface to Oracle Database to perform database administration tasks. They are the foundation on which other language-specific interfaces are built. For example, Oracle Data Provider for Net-Core (ODP.Net, Unmanaged), Oracle Precompilers (Pro*C), Oracle ODBC, Oracle C++ Call Interface (OCCI) and scripting language drivers for node-oracledb and python-oracledb. CMAN-TDM also works with PHP OCI8, ROracle, Godror, ruby-oci8, rust-oracle, and so on.

  • Java Database Connectivity (JDBC)

    Java Database Connectivity driver provides Java APIs that enable Java programs. It provides a standard way for Java applications to connect to and manipulate data in relational databases and other tabular data sources. JDBC uses a "driver" to facilitate this interaction, with different types of drivers offering varying levels of performance and platform dependency​.

  • JDBC Thin

    The JDBC Thin driver is a pure Java, Type IV driver. The driver provides high performance, comparable to the performance provided by the JDBC Oracle Call Interface driver. The JDBC Thin driver is written entirely in Java, is lightweight, is platform-independent, and doesn't require any additional Oracle software on the client-side.

    The JDBC Thin driver communicates with the server using TTC, a protocol developed by Oracle to access data from Oracle Database. It can be used for application servers as well as for applets. The driver allows a direct connection to the database by providing an implementation of TCP/IP that implements Oracle Net and TTC on top of Java sockets. Both of these protocols are lightweight implementation versions of their counterparts on the server. The Oracle Net protocol runs over TCP/IP only.

    You can use the JDBC Thin driver on the client-side and the server-side. On the client-side, drivers are used in Java applications or Java applets that run either on the client or in the middle tier of a three-tier configuration. On the server-side, this driver is used to access a remote Oracle Database instance or another session on the same database.

  • node-oracledb

    node-oracledb is the Node.js driver for connecting to Oracle Database.

  • python-oracledb

    python-oracledb is the Python driver for connecting to Oracle Database.

  • Oracle Data Provider for .NET (ODP.NET)

    Oracle Data Provider for .NET features optimized ADO.NET data access to the Oracle Database. ODP.NET allows developers to take advantage of advanced Oracle Database functionality, including Oracle Real Application Clusters (Oracle RAC), self-tuning statement cache, Application Continuity, and Fast Connection Failover.

    There are three driver types:
    • ODP.NET Core: Designed for multi-platform .NET (Core) applications
    • ODP.NET, Managed Driver: 100% managed code .NET Framework provider. Developers deploy a single assembly in a deployment package smaller than 10 MB.
    • ODP.NET, Unmanaged Driver: Traditional Oracle ADO.NET provider that uses the Oracle Database Client.
  • Proxy Resident Connection Pooling (PRCP)​

    Proxy Resident Connection Pooling is the pooling feature of CMAN-TDM.

    It uses Oracle Call Interface's session pool feature to multiplex large number of client connections. It allows multiple incoming connections from client processes to use a pool of outgoing connections connected to database processes. These are associated with sessions in the CMAN-TDM layer. PRCP provides a funnel for application connections without database overhead or the need for multi-threaded clients. Different application instances can share sessions.​

About Required Products and Roles

This solution requires the following products and roles:

  • Oracle Cloud Infrastructure

  • Oracle Autonomous Database

  • Oracle Database Client 21c or later on Oracle Linux

  • CMAN-TDM, version 21.3.0.0.0 or higher

  • SQL*Plus client application: Release 21.3 or higher

These are the roles needed for each product or service.

Service Name: Role Required to...
Oracle Autonomous Database: root create the oracle user, base, and home directories for running CMAN. Install the pre-install libraries of the latest version of Oracle Database to set up the oracle user in Linux.

Also required to open the port and add the CMAN-TDM address for the CMAN-TDM server in the $TNS_ADMIN/tnsnames.ora file.

Oracle Autonomous Database: admin check the database connection to CMAN, create the database proxy user, create the database proxy user wallet, create a CMAN-TDM application user for general application access, add the database proxy user tdm privileges to all application users requiring access to Oracle Autonomous Database through CMAN-TDM.
Oracle Autonomous Database: oracle set the TNS_ADMIN environment variable, configure CMAN-TDM to connect to Oracle Autonomous Database
Oracle Cloud Infrastructure: Oracle Cloud Account connect to Oracle Cloud and create services, including Oracle Autonomous Database.
CMAN: app user connect to the database through CMAN-TDM. The app user must be registered with Oracle Autonomous Database.

See Oracle Products, Solutions, and Services to get what you need.