9 Oracle Connection Manager Parameters

This chapter provides a complete listing of the cman.ora file configuration parameters.

9.1 Overview of Oracle Connection Manager Configuration File

Oracle Connection Manager configuration information is stored in the cman.ora file.

Oracle Connection Manager Configuration File

Oracle Connection Manager configuration information consists of the following elements:

  • Protocol address of the Oracle Connection Manager listener

  • Access control parameters

  • Performance parameters

By default, the cman.ora file is located in the ORACLE_HOME/network/admin directory. You can also store the cman.ora file in the following locations:

  • The directory specified by the TNS_ADMIN environment variable or registry value.
  • On Linux and UNIX operating systems, the global configuration directory. For example, on the Oracle Solaris operating system, this directory is /var/opt/oracle.
  • ORACLE_BASE_HOME/network/admin directory.
  • ORACLE_HOME/network/admin directory.

Example 9-1 Sample cman.ora File

CMAN=
  (CONFIGURATION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=proxysvr)(PORT=1521))
    (RULE_LIST=
      (RULE=(SRC=192.0.2.32/27)(DST=sales-server)(SRV=*)(ACT=accept)
        (ACTION_LIST=(AUT=on)(MCT=120)(MIT=30)))
      (RULE=(SRC=foo)(DST=hr-server)(SRV=cmon)(ACT=accept)))
    (PARAMETER_LIST=
      (MAX_GATEWAY_PROCESSES=8)
      (MIN_GATEWAY_PROCESSES=3)
      (DIAG_ADR_ENABLED=ON)
      (ADR_BASE=/oracle/log)))

cman.ora File Sections

  • Listening address: Preceded by ADDRESS=, this section contains information pertinent to the listener. The ADDRESS parameter is required.

  • Rule list: Preceded by RULE_LIST=, this section contains rule information. The RULE parameter is listed in the rule list section of the file. The RULE parameter is required.

  • Rule Group: Preceded by RULE_GROUP=, this section contains rule_list grouped by service names. You can use either the rule_group syntax or the rule_list syntax.

  • Parameter list: Preceded by PARAMETER_LIST=, this section contains all other parameters including those listed in "ADR Diagnostic Parameters for Oracle Connection Manager", and "Non-ADR Diagnostic Parameters for Oracle Connection Manager".

    The following parameters are allowed in the parameter list section of the cman.ora file. The default values are bold. To override the default setting for a parameter, enter the parameter and a nondefault value.

    ASO_AUTHENTICATION_FILTER={off | on}

    CONNECTION_STATISTICS={no | yes}

    EVENT_GROUP={init_and_term | memory_ops | conn_hdlg | proc_mgmt | reg_and_load | wake_up | timer | cmd_proc | relay}

    IDLE_TIMEOUT=0 or greater

    INBOUND_CONNECT_TIMEOUT=0 or greater. The default value is 60.

    LOG_DIRECTORY=log_directory. The default value is ORACLE_HOME/network/log.

    LOG_LEVEL={off | user | admin | support}

    MAX_CMCTL_SESSIONS= Any positive number. The default value is 4.

    MAX_CONNECTIONS= A value between 1 and 1024. The default value is 256.

    MAX_GATEWAY_PROCESSES= Any number greater than the minimum number of gateway processes up to 64. The default value is 16.

    MIN_GATEWAY_PROCESSES= Any positive number less than or equal to 64. Must be less than or equal to the maximum number of gateway processes. The default value is 2.

    OUTBOUND_CONNECT_TIMEOUT=0 or greater

    SESSION_TIMEOUT=0 or greater

    TRACE_DIRECTORY=trace_directory. The default value is ORACLE_HOME/network/trace.

    TRACE_FILELEN= Any positive number. The default value is 0 (zero).

    TRACE_FILENO= Any positive number. The default value is 0 (zero).

    TRACE_LEVEL={off | user | admin | support}

    TRACE_TIMESTAMP={off | on}

Parameter List Section of a cman.ora File
(PARAMETER_LIST= 
      (ASO_AUTHENTICATION_FILTER=ON)
      (CONNECTION_STATISTICS=NO)
      (EVENT_GROUP=INIT_AND_TERM,MEMORY_OPS,PROC_MGMT)
      (IDLE_TIMEOUT=30)
      (INBOUND_CONNECT_TIMEOUT=30)
      (LOG_DIRECTORY=/home/user/network/admin/log)   
      (LOG_LEVEL=SUPPORT)
      (MAX_CMCTL_SESSIONS=6)
      (MAX_CONNECTIONS=512)
      (MAX_GATEWAY_PROCESSES=10)
      (MIN_GATEWAY_PROCESSES=4)
      (OUTBOUND_CONNECT_TIMEOUT=30)
      (SESSION_TIMEOUT=60)
      (TRACE_DIRECTORY=/home/user/network/admin/trace)
      (TRACE_FILELEN=100)
      (TRACE_FILENO=2)
      (TRACE_LEVEL=SUPPORT)
      (TRACE_TIMESTAMP=ON)
      (VALID_NODE_CHECKING_REGISTRATION=ON)
      (REGISTRATION_EXCLUDED_NODES = 10.1.26.*)
      (REGISTRATION_INVITED_NODES = 10.1.35.*)
)  

9.2 Oracle Connection Manager Parameters

This section lists and describes the cman.ora file parameters.

9.2.1 ADDRESS

The ADDRESS networking parameter specifies the protocol address of Oracle Connection Manager.

Purpose

To specify the protocol address of Oracle Connection Manager.

Syntax

(ADDRESS=(PROTOCOL=protocol)(HOST=host_name)(PORT=port_number))

Usage Notes

You can tag Oracle Connection Manager addresses as admin endpoints. This is helpful in cases where you do not want to close all listening endpoints, so that Oracle Connection Manager Control utility continues to run admin commands using tagged listening endpoints. To do so, set the value of the ADMIN parameter to YES using the following syntax:
(ADDRESS=(PROTOCOL=protocol)(HOST=host_name)(PORT=port_number)(ADMIN=YES))

Example

(ADDRESS=(PROTOCOL=tcp)(HOST=sales-server)(PORT=1521))

9.2.2 ASO_AUTHENTICATION_FILTER

ASO_AUTHENTICATION_FILTER is a networking parameter for Oracle Connection Manager. It instructs Oracle Connection Manager to check connection requests for Secure Network Services (SNS).

Purpose

To specify whether Oracle Database security authentication settings must be used by the client.

Usage Notes

The global setting can be overridden by a rule-level setting in ACTION_LIST.

Values

  • on to instruct Oracle Connection Manager to reject connection requests that are not using Secure Network Services (SNS). SNS is part of Oracle Database security.

  • off to instruct Oracle Connection Manager not to check for SNS between the client and server. This is the default.

9.2.3 BANDWIDTH

Use the BANDWIDTH parameter to limit all the connections of a service to a specified value in bytes per second.

Usage Notes

Specify a limit on the number of bytes transmitted per second. You must include this parameter in the parameter_list section of the cman.ora file.

Example

BANDWIDTH = 524288

9.2.4 CLIENT_DN_RULE_MATCH

Use this parameter to enable filtering of Transport Layer Security (TLS) connections using DN_LIST in RULE_GROUP.

Purpose

A TLS connection is allowed only if there is a GROUP specified in RULE_GROUP for the requested service. This GROUP must be configured with DN_LIST.

Values

ON, OFF. By default the value is set to OFF.

Example


CLIENT_DN_RULE_MATCH=ON

9.2.5 COMPRESSION

Purpose

To enable or disable data compression. If both the Oracle Connection Manager and the other end (server or client or Oracle Connection Manager) have this parameter set to ON, then compression is used for the connection.

Default

off

Values

  • on to enable data compression.

  • off to disable data compression.

Example

COMPRESSION=on

9.2.6 COMPRESSION_LEVELS

The COMPRESSION_LEVELS networking parameter of the cman.ora file specifies the CPU usage and compression ratio.

Purpose

To specify the compression level.

Usage Notes

The compression levels are used at the time of negotiation to verify which levels are used at both ends, and select one level.

Default

low

Values

  • low for low CPU usage and a low compression ratio.

  • high for high CPU usage and a high compression ratio.

Example 9-2 Example

COMPRESSION_LEVELS=high,low

9.2.7 COMPRESSION_THRESHOLD

Purpose

To specify the minimum data size, in bytes, for which compression is required.

Usage Notes

Compression is not done if the size of the data to be sent is less than this value.

Default

1024 bytes

Example

COMPRESSION_THRESHOLD=1024

9.2.8 CONNECTION_STATISTICS

The CONNECTION_STATISTICS networking parameter of the cman.ora file specifies whether the SHOW_CONNECTIONS command displays connection statistics.

Purpose

To specify whether the SHOW_CONNECTIONS command displays connection statistics.

Usage Notes

The global setting can be overridden by a rule-level setting in ACTION_LIST.

Values

  • yes to display statistics.

  • no to not display statistics. This is the default.

9.2.9 DN_LIST

Use this parameter to specify a list of common names (CN) that are allowed to connect to a service using Transport Layer Security (TLS).

Purpose

An incoming TLS connection is allowed only if the string provided in common name (CN) of the distinguished name (DN) matches with at least one value in the list of values provided in the DN_LIST parameter.

Usage Notes

DN_LIST is a comma-separated list of common names. The values in the DN_LIST parameter are matched only when the client_dn_rule_match parameter is set to ON.

You must configure DN_LIST inside DESCRIPTION of the GROUP parameter.

Example


(GROUP =
     (DESCRIPTION = (NAME = service_name)(DN_LIST = phx,blr))
     (RULE_LIST =
       (RULE=...)
     )
)

9.2.10 ENABLE_IP_FORWARDING

Use the cman.ora parameter ENABLE_IP_FORWARDING to forward client IP address to the database server.

Purpose

When set to ON, Oracle Connection Manager (CMAN) forwards the client source address as seen by it to the database server.

Usage Notes

In addition to the ENABLE_IP_FORWARDING parameter, you must set the TCP.ALLOWED_PROXIES parameter in the server-side sqlnet.ora file. The TCP.ALLOWED_PROXIES parameter specifies a list of the CMAN instances that can forward client address.

You can use the SYS_CONTEXT ('USERENV','IP_ADDRESS') function to query the forwarded client address details.

Values

  • ON | TRUE | YES | 1: To enable client address forwarding

  • OFF | FALSE | NO | 0: To disable client address forwarding

Default

OFF

Example

ENABLE_IP_FORWARDING=ON

9.2.11 EVENT_GROUP

The EVENT_GROUP networking parameter of the cman.ora file specifies which event groups are logged.

Purpose

To specify which event groups are logged.

Usage Notes

Multiple events may be designated using a comma-delimited list.

Values

  • alert for alert notifications.

  • cmd_proc for command processing.

  • conn_hdlg for connection handling.

  • init_and_term for initialization and termination.

  • memory_ops for memory operations.

  • proc_mgmt for process management.

  • reg_and_load for registration and load update.

  • relay for events associated with connection control blocks.

  • timer for gateway timeouts.

  • wake_up for events related to Connection Manager Administration (CMADMIN) wake-up queue.

Note:

The event group ALERT cannot be turned off.

9.2.12 EXPIRE_TIME

The EXPIRE_TIME networking parameter of the cman.ora file specifies a time interval, in minutes, to send a check to verify that client/gateway connections are active.

Purpose

To specify a time interval, in minutes, to send a check to verify that client/server connections are active.

Usage Notes

Setting a value greater than 0 ensures that connections are not left open indefinitely due to an unusual client termination. If the system supports TCP keepalive tuning, then Oracle Net Services automatically uses the enhanced detection model, and tunes the TCP keepalive parameters.

If the probe finds a terminated connection, or a connection that is no longer in use, then it returns an error, causing the server process to exit.

This parameter is primarily intended for the database server, which typically handles multiple connections at any one time.

Limitations on using this terminated connection detection feature are:

  • It is not allowed on bequeathed connections.

  • Though very small, a probe packet generates additional traffic that may downgrade network performance.

  • Depending on which operating system is in use, the server may need to perform additional processing to distinguish the connection probing event from other events that occur. This can also result in degraded network performance.

Values

  • 0: To disable terminated connection detection.

  • Any number greater than 0: To enable terminated connection detection. The number equals the time interval in minutes.

Default

0

Example 9-3 Example

EXPIRE_TIME=10

9.2.13 GROUP

Use the GROUP parameter to specify a rule_list for a service.

Purpose

This parameter is listed in the RULE_GROUP section of the cman.ora file preceded by RULE_GROUP= .

Syntax

 (GROUP =
       (DESCRIPTION = (NAME = service_name))
       (RULE_LIST =
         (RULE=...)
       )
 )

Usage Notes

The service name (SRV =) in the rule should match the service_name specified in the NAME parameter. Alternatively, you can specify the service name using an asterisk *.

You can configure a DEFAULT_GROUP in RULE_GROUP. The rules that you specify in this section apply to those services that do not have an explicit GROUP. You do not need to specify DESCRIPTION inside a DEFAULT_GROUP.

Example


(RULE_GROUP=
     (GROUP =
       (DESCRIPTION = (NAME = sales.us.example.com))
       (RULE_LIST =
         (RULE=
         (SRC=client1-pc)
         (DST=sales-server)
         (SRV=*)
         (ACT=reject))
       )
     )
     (GROUP =
       (DESCRIPTION = (NAME = hr.us.example.com))
       (RULE_LIST =
         (RULE=
           (SRC=192.0.2.45)
           (DST=192.0.2.200)
           (SRV=*)
           (ACT=accept))
       )
     )
     (DEFAULT_GROUP =
       (RULE_LIST=
         (RULE=(SRC=*)(DST=*)(SRV=cmon)(ACT=accept)))
      )
   )

9.2.14 IDLE_TIMEOUT

Purpose

To specify the amount of time that an established connection can remain active without transmitting data.

Usage Notes

The global setting can be overridden by a rule-level setting in ACTION_LIST.

Values

  • 0 to disable the timeout. This is the default.

  • Any number greater than 0 to enable the timeout. The number equals the timeout period in seconds.

9.2.15 INBOUND_CONNECT_TIMEOUT

Purpose

To specify how long in seconds the Oracle Connection Manager listener waits for a valid connection from a client or another instance of Oracle Connection Manager.

Values

  • 60 sec is the default. Use value 0 to disable timeout.

  • Any number greater than 0 to enable the timeout. The number equals the timeout period in seconds.

9.2.16 IP_RATE_COUNT

The IP_RATE_COUNT parameter of the cman.ora file specifies the maximum number of client connections allowed from an IP address in the specified time interval.

Purpose

To enforce IP rate limit on the number of client connections allowed to Oracle Connection Manager (CMAN) from a single IP address. This security feature enables you to protect your database against potential denial-of-service (DoS) attacks.

Usage Notes

Use the IP_RATE_COUNT parameter under the PARAMETER_LIST section of the CMAN configuration. When set to a value greater than 1, the specified IP rate limit is enforced at the CMAN endpoint level.

You can use this parameter along with the optional IP_RATE_INTERVAL and IP_RATE_BLOCK parameters. IP_RATE_INTERVAL allows you to specify the number of seconds for which IP_RATE_COUNT connections are accepted. IP_RATE_BLOCK allows you to specify the duration for which the IP address is blocked after exceeding the defined IP_RATE_COUNT per IP_RATE_INTERVAL limit.

Default

None

Value

Any number greater than 1

Example

CMAN=
    (CONFIGURATION= 
        (ADDRESS=(PROTOCOL=tcp)(HOST=proxysvr)(PORT=1521))
        (PARAMETER_LIST=(IP_RATE_COUNT=512)))

9.2.17 IP_RATE_INTERVAL

The IP_RATE_INTERVAL parameter of the cman.ora file specifies the number of seconds for which Oracle Connection Manager accepts new connections from a single IP address.

Purpose

To specify the number of seconds for which IP_RATE_COUNT connections are accepted. This security feature enforces IP rate limit on client connections and thus protects your database against potential denial-of-service (DoS) attacks.

Usage Notes

This is an optional parameter. You can use it under the PARAMETER_LIST section along with the IP_RATE_COUNT parameter. IP_RATE_COUNT allows you to specify the number of connections allowed from an IP address.

You can also set the optional IP_RATE_BLOCK parameter to specify the duration for which the IP address is blocked after exceeding the defined IP_RATE_COUNT per IP_RATE_INTERVAL limit.

Default

1 second

Value

Any number less than or equal to 60. The number equals the time duration in seconds.

Example

CMAN= 
    (CONFIGURATION= 
        (ADDRESS=(PROTOCOL=tcp)(HOST=proxysvr)(PORT=1521))
        (PARAMETER_LIST=(IP_RATE_INTERVAL=5)))

9.2.18 IP_RATE_BLOCK

The IP_RATE_BLOCK parameter of the cman.ora file specifies the time duration, in minutes, for which an IP address is blocked after exceeding the defined IP rate limit.

Purpose

To specify the time duration for which an IP address is blocked from establishing new connections. This security feature enforces IP rate limit on client connections and thus protects your database against potential denial-of-service (DoS) attacks.

Usage Notes

This is an optional parameter. You can use it under the PARAMETER_LIST section along with the IP_RATE_COUNT parameter. IP_RATE_COUNT allows you to specify the number of connections allowed from an IP address.

You can also set the optional IP_RATE_INTERVAL parameter to specify the number of seconds for which IP_RATE_COUNT connections are accepted. The IP address is blocked after exceeding the defined IP_RATE_COUNT per IP_RATE_INTERVAL limit.

Default

15 minutes

Value

Any number greater than 0. The number equals the time duration in minutes.

Example

CMAN= 
    (CONFIGURATION= 
        (ADDRESS=(PROTOCOL=tcp)(HOST=proxysvr)(PORT=1521))
         (PARAMETER_LIST=(IP_RATE_BLOCK=30)))
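
How IP_RATE_COUNT, IP_RATE_INTERVAL and IP_RATE_BLOCK interact can be seen in a small model. The following Python code is an added example, not Oracle's implementation: the class and function names are hypothetical, the sliding-window counting is an assumption (the page does not say how connections are counted), and the connection timeline is constructed.

```python
from collections import defaultdict, deque


class IpRateLimit:
    """Model of IP_RATE_COUNT, IP_RATE_INTERVAL and IP_RATE_BLOCK.

    Assumption of this example: connections are counted over a sliding
    window of IP_RATE_INTERVAL seconds; the page does not state how Oracle
    Connection Manager counts them.
    """

    def __init__(self, count, interval=1, block=15):
        # Ranges and defaults as documented above (interval > 0 is assumed).
        if count <= 1:
            raise ValueError("IP_RATE_COUNT must be greater than 1")
        if not 0 < interval <= 60:
            raise ValueError("IP_RATE_INTERVAL must be at most 60 seconds")
        if block <= 0:
            raise ValueError("IP_RATE_BLOCK must be greater than 0")
        self.count, self.interval, self.block_s = count, interval, block * 60
        self.recent = defaultdict(deque)   # ip -> accept times inside the window
        self.blocked_until = {}            # ip -> time at which the block ends

    def connect(self, ip, now):
        """Return True if a connection from ip at time now (seconds) is accepted."""
        if now < self.blocked_until.get(ip, 0):
            return False
        window = self.recent[ip]
        while window and window[0] <= now - self.interval:
            window.popleft()               # forget accepts older than the interval
        if len(window) >= self.count:
            # Limit exceeded: block the address for IP_RATE_BLOCK minutes.
            self.blocked_until[ip] = now + self.block_s
            window.clear()
            return False
        window.append(now)
        return True


def replay(events, limiter):
    """Feed (time, ip) events in time order; return {ip: [accepted, rejected]}."""
    totals = defaultdict(lambda: [0, 0])
    for now, ip in sorted(events):
        totals[ip][0 if limiter.connect(ip, now) else 1] += 1
    return dict(totals)


# Constructed timeline: an application pool behind one NAT address opens
# eight connections in the same second and retries at 10 and 30 minutes;
# a second client connects steadily every two seconds.
NAT, STEADY = "198.51.100.10", "198.51.100.20"
EVENTS = ([(0, NAT)] * 8 + [(600, NAT), (1800, NAT)]
          + [(t, STEADY) for t in range(0, 20, 2)])


def demo():
    # IP_RATE_COUNT=5, IP_RATE_INTERVAL=5 (seconds), IP_RATE_BLOCK=30 (minutes)
    return replay(EVENTS, IpRateLimit(count=5, interval=5, block=30))
```

In this model a single burst from the shared address costs it 30 minutes of new connections, so IP_RATE_COUNT should be sized for the busiest legitimate source, such as a NAT gateway or an application server pool.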

9.2.19 LOG_DIRECTORY

Purpose

To specify the directory for the Oracle Connection Manager log files.

Default

ORACLE_BASE_HOME/network/log

9.2.20 LOG_FILE_NUM

The LOG_FILE_NUM networking parameter of the cman.ora file specifies the number of log file segments.

Purpose

To specify the number of log file segments. At any point of time there can be only n log file segments where n is LOG_FILE_NUM and if the log grows beyond this number, then the older segments are deleted.

Default

No default. The number of segments grows indefinitely if the parameter is not specified or is set to zero.

Values

Any integer value.

Example 9-4 Example

LOG_FILE_NUM=3

9.2.21 LOG_FILE_SIZE

The LOG_FILE_SIZE networking parameter of the cman.ora file specifies the size of each log file segment.

Purpose

To specify the size of each log file segment. The size is in MB.

Default

300 MB

Values

Any integer value.

Example 9-5 Example

LOG_FILE_SIZE=10

9.2.22 LOG_LEVEL

Purpose

To specify the level for log messages.

Values

  • off for no logging. This is the default.

  • user for user-induced errors log information.

  • admin for administration log information, such as installation-specific.

  • support for Oracle Support Services information.

9.2.23 LOG_SUPPRESS_NODES

Use the cman.ora parameter LOG_SUPPRESS_NODES to specify the addresses for which you want to disable logging of health check errors in the Oracle Connection Manager (CMAN) log file.

Purpose

A CMAN frontend component, such as a load balancer, may perform periodic health checks by connecting to CMAN endpoint at the backend followed by immediately disconnecting from it. These health check operations generate error entries in the CMAN log file and are logged as connect failures. You can set this parameter to disable logging of such errors.

Usage Notes

Set this parameter in the PARAMETER_LIST section of the cman.ora file.

The list of addresses can include host names or CIDR notation for IPv4 and IPv6 addresses. The wildcard format (*) is supported for IPv4 addresses.

The presence of a host name in the list results in the inclusion of all IP addresses mapped to the host name. The host name must be consistent with the public network interface.

Value

LOG_SUPPRESS_NODES=(list of load balancer addresses)

list of load balancer addresses specifies valid nodes, subnet IP addresses, or names for which you want to disable logging.

Default

None

Example

LOG_SUPPRESS_NODES=(10.1.35.*, 10.1.34.0/24, 2001:DB8:fe38:7303, node1)

9.2.24 MAX_ALL_CONNECTIONS

Purpose

To specify the maximum number of concurrent registration and client connection sessions that can be supported by Oracle Connection Manager.

Usage Notes

This number includes registration connections from databases, and ongoing client connection establishment requests. After a connection is established, the clients do not maintain a connection to the listener. This limit only applies to client connections that are in the initial connection establishment phase from a listener perspective.

Default

Operating system-specific

Example

MAX_ALL_CONNECTIONS=40

9.2.25 MAX_CMCTL_SESSIONS

Purpose

To specify the maximum number of concurrent local or remote sessions of the Oracle Connection Manager control utility allowable for a given instance.

Usage Notes

One of the sessions must be a local session.

Values

Any number of sessions can be designated.

9.2.26 MAX_BANDWIDTH_GROUP

Use the MAX_BANDWIDTH_GROUP parameter to specify the maximum number of services that can be configured.

Usage Notes

Configure this parameter to a value of maximum services that your system supports. Add this parameter in the parameter section of the cman.ora file.

You can also configure this parameter with an additional 20% to 100% buffer, depending upon how often the services are created and destroyed in the system.

Example

MAX_BANDWIDTH_GROUP = 100

9.2.27 MAX_CONNECTIONS

Purpose

To specify the maximum number of connection slots that a gateway process can handle.

Values

Any number in the range of 1 to 1024.

9.2.28 MAX_GATEWAY_PROCESSES

Purpose

To specify the maximum number of gateway processes that an instance of Oracle Connection Manager supports.

Values

The number designated must be greater than the minimum number of gateway processes. The maximum is 64.

9.2.29 MAX_REG_CONNECTIONS

Purpose

To specify the maximum number of concurrent registration connection sessions that can be supported by Oracle Connection Manager.

Default

512

Example

MAX_REG_CONNECTIONS=20

9.2.30 MIN_GATEWAY_PROCESSES

Purpose

To specify the minimum number of gateway processes that an instance of Oracle Connection Manager supports.

Values

Any number of sessions can be designated up to 64.

9.2.31 NEXT_HOP

The NEXT_HOP parameter provides static routing of client connections from Oracle Connection Manager (Oracle CMAN).

Purpose

To specify a fixed address for Oracle CMAN to connect and to relay all client connection requests.

Usage Notes

This parameter contains the next hop address to which Oracle CMAN should connect whenever there is a client connection to it. This parameter provides static routing of client connections from Oracle CMAN and does not require service registration.

Values

You must specify this parameter in the CONFIGURATION section. Use description or address list to specify multiple addresses along with other characteristics such as load_balance and failover.

Default

Not enabled.

Example


CMAN=
(CONFIGURATION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=proxysvr)(PORT=4555))
    (rule_list=(rule=(src=*)(dst=*)(srv=*)(act=accept)))
    (PARAMETER_LIST=
      (MAX_GATEWAY_PROCESSES=8)
      (MIN_GATEWAY_PROCESSES=3))
    (NEXT_HOP=(ADDRESS=(PROTOCOL=tcps)(HOST=proxysvr1)(PORT=1555)))
)

9.2.32 OUTBOUND_CONNECT_TIMEOUT

Purpose

To specify the length of time in seconds that the Oracle Connection Manager instance waits for a valid connection to be established with the database server or with another Oracle Connection Manager instance.

Values

  • 60 to disable the timeout. This is the default.

  • Any number greater than 0 to enable the timeout. The number equals the timeout period in seconds.

9.2.33 REGISTRATION_EXCLUDED_NODES

The Oracle Connection Manager parameter file (cman.ora) REGISTRATION_EXCLUDED_NODES specifies the list of nodes that cannot register with the listener.

Purpose

To specify the list of nodes that cannot register with the listener.

Usage Notes

The list can include host names or CIDR notation for IPv4 and IPv6 addresses. The wildcard format (*) is supported for IPv4 addresses. The presence of a host name in the list results in the inclusion of all IP addresses mapped to the host name. The host name should be consistent with the public network interface.

If the REGISTRATION_INVITED_NODES parameter and the REGISTRATION_EXCLUDED_NODES parameter are set, then the REGISTRATION_EXCLUDED_NODES parameter is ignored.

Values

Valid nodes and subnet IP addresses or names.

Example

REGISTRATION_EXCLUDED_NODES = 10.1.26.*, 10.16.40.0/24, \
                                       2001:DB8:3eff:fe38, node2

9.2.34 REGISTRATION_INVITED_NODES

The Oracle Connection Manager parameter file (cman.ora) REGISTRATION_INVITED_NODES parameter specifies the list of nodes that can register with the listener.

Purpose

To specify the list of nodes that can register with the listener.

Usage Notes

The list can include host names or CIDR notation for IPv4 and IPv6 addresses. The wildcard format (*) is supported for IPv4 addresses. The presence of a host name in the list results in the inclusion of all IP addresses mapped to the host name. The host name should be consistent with the public network interface.

If the REGISTRATION_INVITED_NODES parameter and the REGISTRATION_EXCLUDED_NODES parameter are set, then the REGISTRATION_EXCLUDED_NODES parameter is ignored.

Values

Valid nodes and subnet IP addresses or names.

Example

REGISTRATION_INVITED_NODES = 10.1.35.*, 10.1.34.0/24, \
                                      2001:DB8:fe38:7303, node1
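
The precedence rule in the usage notes is easy to miss when both lists are maintained. The following Python check is an added example, not Oracle code: the function names, the HOSTS map that stands in for name resolution, and the reading of a trailing * as "any value in that octet" are assumptions, and the list values are constructed.

```python
import ipaddress

# Constructed name-to-address map standing in for DNS so the example runs offline.
HOSTS = {"node1": ["10.1.40.7", "2001:db8::7"], "node2": ["10.1.26.9"]}

# Constructed list values in the format shown above.
INVITED = "10.1.35.*, 10.1.34.0/24, \\\n    2001:db8::/32, node1"
EXCLUDED = "10.1.26.*, 10.1.35.12"


def entries(value):
    """Split a node list, honouring '\\' line continuation and optional parentheses."""
    text = value.replace("\\\n", " ").strip().strip("()")
    return [e.strip() for e in text.split(",") if e.strip()]


def expand(entry, hosts=HOSTS):
    """Return the networks that one list entry stands for."""
    if "*" in entry:
        # IPv4 wildcard. Assumption: trailing '*' octets mean "any value".
        octets = entry.split(".")
        fixed = octets[:octets.index("*")]
        if len(octets) != 4 or set(octets[len(fixed):]) != {"*"}:
            raise ValueError(f"unsupported wildcard form: {entry}")
        base = ".".join(fixed + ["0"] * (4 - len(fixed)))
        return [ipaddress.ip_network(f"{base}/{8 * len(fixed)}")]
    try:
        return [ipaddress.ip_network(entry, strict=False)]  # address or CIDR
    except ValueError:
        # A host name includes every address mapped to it.
        if entry not in hosts:
            raise ValueError(f"not an address, CIDR block or known host: {entry}")
        return [ipaddress.ip_network(a) for a in hosts[entry]]


def networks(value, hosts=HOSTS):
    """All networks named by a node list."""
    return [n for e in entries(value) for n in expand(e, hosts)]


def may_register(addr, invited="", excluded="", hosts=HOSTS):
    """Apply the two lists to addr; the excluded list is ignored when an
    invited list is set, as the usage notes state."""
    ip = ipaddress.ip_address(addr)
    allow = networks(invited, hosts)
    if allow:
        return any(ip in n for n in allow)
    return not any(ip in n for n in networks(excluded, hosts))


def ignored_exclusions(invited, excluded, hosts=HOSTS):
    """Excluded entries that an invited entry still admits when both lists are set."""
    allow = networks(invited, hosts)
    return [e for e in entries(excluded)
            if any(n.version == a.version and n.overlaps(a)
                   for n in expand(e, hosts) for a in allow)]
```

Here 10.1.35.12 appears in the excluded list but can still register, because 10.1.35.* is invited and the excluded list is not consulted; ignored_exclusions reports such entries so they can be removed from the invited range instead.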

9.2.35 REST_ADDRESS

Use the REST_ADDRESS parameter to configure REST endpoint hostname and port. Oracle CMAN listens to tcps endpoint based on the specified hostname and port.

Usage Notes

Add the REST_ADDRESS attribute under the parameter_list of the cman.ora file.

Syntax

REST_ADDRESS=host name:port

Example

REST_ADDRESS=cman_host:1524

9.2.36 RULE

Purpose

To specify an access control rule list to filter incoming connections.

Usage Notes

A rule list specifies which connections are accepted, rejected, or dropped.

If no rules are specified, then all connections are rejected.

The source and destination can be a host name, IP address, or subnet mask.

There must be at least one rule for client connections and one rule for CMCTL connections. Omitting one or the other results in the rejection of all connections for the rule type omitted. The last rule in the example that follows is a CMCTL rule.

Oracle Connection Manager does not support wildcards for partial IP addresses. If you use a wildcard, then use it in place of a full IP address. The IP address of the client may, for example, be (SRC=*).

Oracle Connection Manager supports only the /nn notation for subnet addresses. In the first rule in Example “Sample cman.ora File”, /27 represents a subnet mask that comprises 27 left-most bits.

Values

This parameter is listed in the rule list section of the cman.ora file preceded by RULE_LIST=.

Syntax

(RULE_LIST=
  (RULE=
    (SRC=host)
    (DST=host)
    (SRV=service_name)
    (ACT={accept|reject|drop})
    (ACTION_LIST=(AUT={on|off})
      (CONN_STATS={yes|no})(MCT=time)(MIT=time)(MOCT=time)))
  (RULE= ...))

Additional Parameters

The RULE parameter filters a connection or group of connections using the following parameters:

SRC: The source host name or IP address of the client.

DST: The destination server host name or IP address of the database server.

SRV: The database service name of Oracle Database obtained from the SERVICE_NAME parameter in the initialization parameter file.

ACT: The action for the connection request. Use accept to accept incoming requests, reject to reject incoming requests, or drop to reject incoming requests without sending an error message.

ACTION_LIST: The rule-level parameter settings for some parameters. These parameters are as follows:

  • AUT: Oracle Database security authentication on client side.

  • CONN_STATS: Log input and output statistics.

  • MCT: Maximum connect time.

  • MIT: Maximum idle timeout.

  • MOCT: Maximum outbound connect time.

Rule-level parameters override their global counterparts.

Example

(RULE_LIST=
  (RULE=
    (SRC=client1-pc)
    (DST=sales-server)
    (SRV=sales.us.example.com)
    (ACT=reject))
  (RULE=
    (SRC=192.0.2.45)
    (DST=192.0.2.200)
    (SRV=db1)
    (ACT=accept))
  (RULE=
    (SRC=sale-rep)
    (DST=sales1-server)
    (SRV=cmon)
    (ACT=accept)))
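
The file layout described in "cman.ora File Sections" and the RULE usage notes above can be checked mechanically before a cman.ora file is put into service. The following Python parser and audit are an added example, not Oracle code: the function names, the finding texts, and the treatment of SRV=* as also covering cmon are assumptions, and the sample file is constructed.

```python
import difflib
import ipaddress
import re

# Constructed input modelled on the page's samples, with three deliberate
# problems: a partial-IP wildcard in SRC, no SRV=cmon rule for CMCTL, and a
# misspelled gateway parameter.
SAMPLE = """
CMAN=
  (CONFIGURATION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=proxysvr)(PORT=1521))
    (RULE_LIST=
      (RULE=(SRC=192.0.2.*)(DST=sales-server)(SRV=sales)(ACT=accept))
      (RULE=(SRC=192.0.2.32/27)(DST=hr-server)(SRV=hr)(ACT=accept)
        (ACTION_LIST=(AUT=on)(MCT=120)(MIT=30))))
    (PARAMETER_LIST=
      (MAX_GATEWAY_PROCESSES=8)
      (MIN_GATEWAY_PRCESSSES=3)))
"""
GATEWAY_KEYS = ("MIN_GATEWAY_PROCESSES", "MAX_GATEWAY_PROCESSES")


def parse(text):
    """Return (alias, (KEY, value)); value is a string or a list of child
    (KEY, value) nodes. Raises ValueError if parentheses do not balance."""
    alias, _, body = text.strip().partition("=")
    body, pos = body.strip(), 0

    def node():
        nonlocal pos
        eq = body.find("=", pos)
        if eq < 0 or set("()") & set(body[pos + 1:eq]):
            raise ValueError(f"'(' at offset {pos} is not followed by KEY=")
        key, children, scalar = body[pos + 1:eq].strip().upper(), [], ""
        pos = eq + 1
        while pos < len(body):
            if body[pos] == "(":
                children.append(node())
            elif body[pos] == ")":
                pos += 1
                return key, (children or scalar.strip())
            else:
                scalar += body[pos]
                pos += 1
        raise ValueError(f"missing ')' for {key}")

    if not body.startswith("("):
        raise ValueError("expected '(' after the alias")
    root = node()
    if body[pos:].strip():
        raise ValueError("text after the closing ')': parentheses unbalanced")
    return alias.strip(), root


def collect(value, key):
    """Values of every node named key, at any depth (RULE_LIST or RULE_GROUP)."""
    out = []
    for k, v in value if isinstance(value, list) else []:
        out += ([v] if k == key else []) + collect(v, key)
    return out


def covered_range(subnet):
    """First and last address covered by a value in /nn notation."""
    net = ipaddress.ip_network(subnet, strict=False)
    return str(net[0]), str(net[-1])


def audit(text):
    """Findings derived from the RULE usage notes and gateway limits above."""
    _, (_, config) = parse(text)
    findings = []
    rules = [{k: v for k, v in r if isinstance(v, str)}
             for r in collect(config, "RULE") if isinstance(r, list)]
    if not rules:
        findings.append("no RULE: all connections are rejected")
    for i, rule in enumerate(rules, 1):
        for field in ("SRC", "DST"):
            val = rule.get(field, "")
            if "*" in val and val != "*":
                findings.append(f"rule {i}: {field}={val} is a partial wildcard")
            elif "/" in val and not re.fullmatch(r"[^/]+/\d{1,3}", val):
                findings.append(f"rule {i}: {field}={val} is not /nn notation")
    # Assumption of this example: SRV=* is taken to cover cmon as well.
    services = {r.get("SRV", "").lower() for r in rules}
    if rules and not services & {"cmon", "*"}:
        findings.append("no SRV=cmon rule: CMCTL connections are rejected")
    if rules and not services - {"cmon"}:
        findings.append("no client rule: client connections are rejected")
    params = {k: v for pl in collect(config, "PARAMETER_LIST")
              if isinstance(pl, list) for k, v in pl}
    for key in params:
        near = difflib.get_close_matches(key, GATEWAY_KEYS, n=1, cutoff=0.85)
        if near and key not in GATEWAY_KEYS:
            findings.append(f"{key} looks like a misspelling of {near[0]}")
    lo, hi = (params.get(k) for k in GATEWAY_KEYS)
    if lo and hi and not int(lo) <= int(hi) <= 64:
        findings.append("need MIN_GATEWAY_PROCESSES <= MAX_GATEWAY_PROCESSES <= 64")
    return findings
```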

9.2.37 SDU

Purpose

To specify the session data unit (SDU) size, in bytes, for connections.

Usage Notes

Oracle Connection Manager can negotiate a large SDU with the client and server when configured. When the configured values of the client, database server, and Oracle Connection Manager do not match for a session, the lowest of the three values is used.

Default

8192 bytes (8 KB)

Values

512 to 2097152 bytes

Example

SDU=32768

9.2.38 SERVICE_RATE

The SERVICE_RATE parameter of the cman.ora file specifies the incoming connection rate that is allowed per service for an instance.

Purpose

To specify the incoming connection rate that is allowed per service for an instance.

Usage Notes

Any user-specified value greater than 0 sets the maximum limit on the number of new connections per service-instance handled by the proxy listener every second. The listener rejects connections after it reaches the maximum limit. The client-side connection failure is reported with “TNS:listener: rate limit reached”.

Values

  • 0 to disable service rate limit. This is the default.

  • Any number greater than 0 to enable service rate limit.

Example 9-6 Example

SERVICE_RATE=10

9.2.39 SESSION_TIMEOUT

Purpose

To specify the maximum time in seconds allowed for a user session.

Usage Notes

The global setting can be overridden by a rule-level setting in ACTION_LIST.

Values

  • 0 to disable the timeout. This is the default.

  • Any number greater than 0 to enable the timeout. The number equals the timeout period in seconds.

9.2.40 SSL_CIPHER_SUITES

Use the SSL_CIPHER_SUITES parameter to control the combination of authentication, encryption, and data integrity algorithms used by Transport Layer Security (TLS).

Purpose

To control the combination of authentication, encryption, and data integrity algorithms used by TLS. By default, the strongest protocol and cipher are negotiated between the database client and server. Setting this parameter will override the default behavior. You must use this parameter only if you have internal security controls that dictate the usage of certain protocol versions.

Usage Notes

Starting with Database 23ai, Transport Layer Security protocol versions 1.0 and 1.1 are desupported.

In most cases, this change will not have any impact, because the database client and server will negotiate the use of the most secure protocol and cipher algorithm. However, if TLS 1.0 or 1.1 has been specified, then you must either remove it to allow the database server and client to pick the most secure protocol, or you must specify either TLS 1.2, or TLS 1.3, or both, for the protocol. Oracle recommends using the latest, most secure protocol. That protocol is TLS 1.3, which is introduced with Oracle Database 23ai.

Enclose the SSL_CIPHER_SUITES parameter value in parentheses. Otherwise, the cipher suite setting does not parse correctly.

Default

None

Values

Approved ciphers compatible with TLS 1.3:
  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256 (non-FIPS only)

  • TLS_AES_128_CCM_SHA256

  • TLS_AES_128_GCM_SHA256

Approved ciphers compatible with TLS 1.2:
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

Deprecated ciphers compatible with TLS 1.2:
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

  • TLS_RSA_WITH_AES_256_GCM_SHA384

  • TLS_RSA_WITH_AES_256_CBC_SHA256

  • TLS_RSA_WITH_AES_256_CBC_SHA

  • TLS_RSA_WITH_AES_128_GCM_SHA256

  • TLS_RSA_WITH_AES_128_CBC_SHA256

  • TLS_RSA_WITH_AES_128_CBC_SHA

  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Examples

SSL_CIPHER_SUITES=(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
SSL_CIPHER_SUITES=(TLS_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)

9.2.41 SSL_CLIENT_AUTHENTICATION

Use the SSL_CLIENT_AUTHENTICATION parameter to specify whether the database client is authenticated using Transport Layer Security (TLS).

Purpose

To enable client authentication in a TLS connection. The connection can be one-way or two-way (mutual TLS or mTLS).

Usage Notes

When set to TRUE, a two-way TLS connection is initiated. Both the client and server (including the listener) authenticate each other. For example, if you set this parameter to TRUE in the server configuration (server-side sqlnet.ora), then the server attempts to authenticate the client. If you set it to TRUE in the listener configuration (listener.ora), then the listener attempts to authenticate the client.

When set to FALSE, only the client authenticates the server and listener as a one-way TLS connection. For example, if you set this parameter to FALSE in the server configuration, then the server does not authenticate the client. If you set it to FALSE in the listener configuration, then the listener does not authenticate the client.

When set to OPTIONAL, the server behaves as follows:
  • If the client sends a certificate, then the connection is completed as a two-way TLS connection after authenticating the client.

  • If the client does not send a certificate, then the connection is completed as a one-way TLS connection.

Ensure that this parameter setting is consistent for the server or listener (on one side) and the client (on the other). Otherwise, the connection may fail. For example, if you enable client authentication in the server or listener configuration, then you must enable it in the client configuration.

Default

TRUE

Values

  • TRUE | ON | YES | 1: To enable mTLS

  • FALSE | OFF | NO | 0: To enable one-way TLS

  • OPTIONAL: To enable both TLS and mTLS

Example

SSL_CLIENT_AUTHENTICATION=FALSE

9.2.42 SSL_VERSION

Use the SSL_VERSION parameter to define valid Transport Layer Security (TLS) versions to be used for connections.

Purpose

To define the version of TLS that must run on the systems with which the database server communicates. By default, the database server and client negotiate the strongest security protocol. Oracle does not recommend modifying this parameter, unless your security requirements mandate the usage of certain protocol versions.

Usage Notes

  • Clients, listeners, and database servers must use compatible versions. Modify this parameter only when necessary to enforce the use of the more secure TLS protocol and not allow clients that only work with the older TLS protocols. The current default uses TLS 1.3, which is the version required for multiple security compliance requirements. If you need to specify TLS 1.2, then also include TLS 1.3 to allow more secure connections.

  • In addition to sqlnet.ora, listener.ora, and cman.ora, you can specify this parameter under the SECURITY section of tnsnames.ora or directly as part of the connect string. The parameter value specified in the connect string takes precedence over the other specified values.

  • Starting with Database 23ai, the use of Transport Layer Security protocol versions 1.0 and 1.1 is desupported.

    In most cases, this change will not have any impact, because the database client and server will negotiate the use of the most secure protocol and cipher algorithm. However, if TLS 1.0 or 1.1 has been specified, then you must either remove it to allow the database server and client to pick the most secure protocol, or you must specify either TLS 1.2, or TLS 1.3, or both, for the protocol. Oracle recommends using the latest, most secure protocol. That protocol is TLS 1.3, which is introduced with Oracle Database 23ai.

  • Starting with Oracle Database 23ai, the Secure Socket Layer v3 protocol (SSLv3) is no longer supported for database server-client connections, and the sqlnet.ora parameter ADD_SSLV3_TO_DEFAULT has been removed.

    SSLv3 is a much less secure protocol to secure the database server-to-client connection. Instead of using SSLv3, allow the database server and client to negotiate the most secure protocol that is common between the server and the client. Oracle Database 23ai provides TLS 1.2 and TLS 1.3 protocols for certificate-based network encryption.

  • If you set SSL_VERSION to undetermined, then the most secure TLS protocol version is used. You can also use the SSL_VERSION=undetermined setting in the connect string for a specific connection to override the SSL_VERSION value configured in the sqlnet.ora, listener.ora, or cman.ora file.

  • If you do not set SSL_VERSION to any value, then all the supported TLS protocol versions are tried starting with the most secure version. This is typically the most common configuration, ensuring that the strongest protocol is chosen during TLS negotiation.

Values

undetermined | TLSv1.2 | TLSv1.3

Default

undetermined

Syntax and Examples

  • To specify a single protocol version:
    SSL_VERSION=TLS_protocol_version
    For example:
    SSL_VERSION=TLSv1.3
  • To specify multiple protocol versions, use a comma-separated string of values, enclosed in parentheses:
    SSL_VERSION=(TLS_protocol_version1,TLS_protocol_version2)
    For example:
    SSL_VERSION=(TLSv1.2,TLSv1.3)

    Note:

    Do not enclose protocol versions in parentheses when you specify this parameter in the tnsnames.ora file or as part of the connect string. Otherwise, the setting does not parse correctly. For example:

    net_service_name=
      (DESCRIPTION=
         (ADDRESS=(PROTOCOL=tcps)(HOST=salesserver)(PORT=1522))
         (SECURITY=(SSL_VERSION=TLSv1.2,TLSv1.3)) 
      )
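A configuration check for the three TLS parameters above, as an added example (not Oracle code): it reads SSL_CIPHER_SUITES, SSL_VERSION and SSL_CLIENT_AUTHENTICATION from cman.ora-style text and reports the conditions this page warns about. The cipher and version lists are copied from this page; the function names, finding codes, the first-occurrence rule and the sample text are assumptions made for the example.

```python
import re

# Cipher names copied from the "Values" lists of the SSL_CIPHER_SUITES section.
TLS13_APPROVED = set("""
TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_CCM_SHA256 TLS_AES_128_GCM_SHA256""".split())
TLS12_APPROVED = set("""
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256""".split())
TLS12_DEPRECATED = set("""
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA""".split())
LISTED_VERSIONS = {"undetermined", "tlsv1.2", "tlsv1.3"}  # SSL_VERSION "Values"


def read_param(text, name):
    """Return (values, parenthesised) for the first NAME=... in text, or None.

    Assumption of this example: the first occurrence is the one that counts.
    """
    m = re.search(r"(?<![\w.])" + re.escape(name) + r"\s*=\s*", text, re.I)
    if not m:
        return None
    rest = text[m.end():]
    paren = rest.startswith("(")
    if paren:   # a parenthesised list may span lines
        body = re.match(r"[^)]*", rest[1:]).group(0)
    else:       # a bare value ends at ")" or at the end of the line
        body = re.match(r"[^)\n]*", rest).group(0)
    return [v.strip() for v in body.split(",") if v.strip()], paren


def audit_tls(text, fips=False):
    """Return a list of (code, detail) findings for the TLS parameters in text."""
    # Drop comment lines so a commented-out setting is not audited.
    text = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    out, names, pinned = [], [], set()
    ciphers = read_param(text, "SSL_CIPHER_SUITES")
    if ciphers:
        names = [c.upper() for c in ciphers[0]]
        if not ciphers[1]:
            out.append(("CIPHER_LIST_NOT_PARENTHESISED", "value will not parse correctly"))
        for c in names:
            if c in TLS12_DEPRECATED:
                out.append(("CIPHER_DEPRECATED", c))
            elif c == "TLS_CHACHA20_POLY1305_SHA256" and fips:
                out.append(("CIPHER_NON_FIPS", c))
            elif c not in TLS13_APPROVED | TLS12_APPROVED:
                out.append(("CIPHER_UNLISTED", c))
    versions = read_param(text, "SSL_VERSION")
    if versions:
        for v in versions[0]:
            if v.lower() not in LISTED_VERSIONS:   # e.g. a TLS 1.0/1.1 or SSLv3 token
                out.append(("VERSION_UNLISTED", v))
        pinned = {v.lower() for v in versions[0]} & {"tlsv1.2", "tlsv1.3"}
        if pinned == {"tlsv1.2"}:
            out.append(("TLS12_WITHOUT_TLS13", "add TLSv1.3 to allow more secure connections"))
    # A pinned protocol version needs at least one cipher from the matching list.
    if names and pinned == {"tlsv1.3"} and not TLS13_APPROVED & set(names):
        out.append(("VERSION_CIPHER_MISMATCH", "no TLS 1.3 cipher in the list"))
    if names and pinned == {"tlsv1.2"} and not (TLS12_APPROVED | TLS12_DEPRECATED) & set(names):
        out.append(("VERSION_CIPHER_MISMATCH", "no TLS 1.2 cipher in the list"))
    auth = read_param(text, "SSL_CLIENT_AUTHENTICATION")
    if auth and auth[0]:
        mode = auth[0][0].upper()
        if mode in {"FALSE", "OFF", "NO", "0"}:
            out.append(("ONE_WAY_TLS", "client certificates are not checked"))
        elif mode == "OPTIONAL":
            out.append(("MTLS_OPTIONAL", "clients without a certificate still connect"))
    return out


# Constructed sample, not taken from a real deployment.
SAMPLE = """\
# Constructed cman.ora fragment for this example.
SSL_VERSION=TLSv1.2
SSL_CIPHER_SUITES=(TLS_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA)
SSL_CLIENT_AUTHENTICATION=FALSE
"""

if __name__ == "__main__":
    for code, detail in audit_tls(SAMPLE):
        print(f"{code}: {detail}")
```

The reader matches a parameter wherever it appears in the text, so the same check works on the SECURITY section of a tnsnames.ora entry, where the version list is written without parentheses.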
    

9.2.43 TRACE_FILE

Purpose

To specify the directory for Oracle Connection Manager trace files.

9.2.44 TRACE_FILELEN

Purpose

To specify the size of the trace file in KB.

Usage Notes

When the size is reached, the trace information is written to the next file. The number of files is specified with the TRACE_FILENO parameter.

9.2.45 TRACE_FILENO

Purpose

To specify the number of trace files.

Usage Notes

When this parameter is set along with the TRACE_FILELEN parameter, trace files are used in a cyclical fashion. The first file is filled first, then the second file, and so on. When the last file has been filled, the first file is reused, and so on.

9.2.46 TRACE_LEVEL

Purpose

To specify the level for trace messages.

Values

  • off for no tracing. This is the default.

  • user for user-induced errors trace information.

  • admin for administration trace information, such as installation-specific.

  • support for Oracle Support Services information.

9.2.47 TRACE_TIMESTAMP

Purpose

To specify the use of a timestamp for the tracing logs.

Usage Notes

If the TRACING parameter is enabled, then a time stamp in the form of dd-mmm-yyyy hh:mi:ss:mil is added to every trace event in the trace file.

Values

  • off for no timestamp to be included in the file.

  • on for timestamp to be included in the file.

9.2.48 USE_SERVICE_AS_TNSNAMES_ALIAS

Use this parameter for static routing of client connections from Oracle Connection Manager based on the client’s service name.

Usage Notes

Oracle Connection Manager uses the service name specified by the client as an alias. You must configure the alias in the tnsnames.ora file of the CMAN home. If an alias is not configured for a service, then the NEXT_HOP parameter in cman.ora acts as a default connect string.

Values

OFF and ON. The default is OFF.

Example

Configuration in CMAN home:

cman.ora

USE_SERVICE_AS_TNSNAMES_ALIAS=ON

tnsnames.ora

sales=
 (DESCRIPTION=
   (ADDRESS=(PROTOCOL=TCP)(HOST=sales-server)(port=1521))
   (CONNECT_DATA=(SERVICE_NAME=sales)))

Note:

DESCRIPTION_LIST is not supported in the tnsnames.ora file of CMAN home.

Configuration in client home:

tnsnames.ora

sales_cman=
 (DESCRIPTION=
   (ADDRESS=(PROTOCOL=TCP)(HOST=cman-server)(port=1523))
   (CONNECT_DATA=(SERVICE_NAME=sales)))

In this example, the client is connecting to service sales. CMAN will use the sales alias in tnsnames.ora of the CMAN home for connecting to the next hop.

9.2.49 USE_SID_AS_SERVICE

The USE_SID_AS_SERVICE Oracle Connection Manager parameter enables the system identifier (SID) in the connect descriptor to be interpreted as a service name when a user attempts a database connection.

Purpose

To enable the system identifier (SID) in the connect descriptor to be interpreted as a service name when a user attempts a database connection.

Usage Notes

Database clients with earlier releases of Oracle Database that have hard-coded connect descriptors can use this parameter to connect to a container or pluggable database.

For an Oracle container database, the client must specify a service name in order to connect to it. Setting this parameter to on instructs the Oracle Connection Manager listener to use the SID in the connect descriptor as a service name and connect the client to the specified database.

Values

  • off (default value)

  • on

Example 9-7 Example

USE_SID_AS_SERVICE=on

9.2.50 VALID_NODE_CHECKING_REGISTRATION

Purpose

To determine whether valid node checking registration is performed, and if the subnet is allowed.

Usage Notes

When set to on, valid node checking registration is performed at the listener for any incoming registration request, and only local IP addresses are allowed.

Default

on

Values

  • off | 0 to specify valid node checking registration is off, and no checking is performed.

  • on | 1 | local to specify valid node checking registration is on, and all local IP addresses can register. If a list of invited nodes is set, then all IP addresses, host names, or subnets in the list as well as local IP addresses are allowed.

  • subnet | 2 to specify valid node checking registration is on, and all machines in the local subnets are allowed to register. If a list of invited nodes is set, then all nodes in the local subnets as well as all IP addresses, host names and subnets in the list are allowed.

Example

VALID_NODE_CHECKING_REGISTRATION = on

9.2.51 WALLET_LOCATION

Use the WALLET_LOCATION parameter to specify the location of Oracle wallets.

Purpose

To specify the directory path where you want to create and store an Oracle wallet. Wallets securely contain certificates, secrets, private keys, and trust points used by Oracle Database.

Usage Notes

  • Deprecation of the server-side setting:

    The parameter WALLET_LOCATION is deprecated for use with Oracle Database 23ai for the Oracle Database server. It is not deprecated for use with the Oracle Database client.

    For Oracle Database server, Oracle recommends that you use the WALLET_ROOT system parameter instead of using WALLET_LOCATION.

  • Where to set this parameter:

    You can set WALLET_LOCATION in the sqlnet.ora file to specify a common wallet location for all connections. You can also set it in the connect string or tnsnames.ora file to specify a different wallet location for a particular connection.

    Use of WALLET_LOCATION in the connect string or tnsnames.ora overrides the sqlnet.ora WALLET_LOCATION setting for the specific tnsnames.ora service. The tnsnames.ora WALLET_LOCATION setting enables a client to initiate multiple TLS sessions using different TLS certificates in the same client process.

  • Setting to use the system default certificate store instead of a client-side wallet:

    The Linux and Windows database clients can use the system default certificate store to validate the Oracle Database server certificate, instead of creating a local wallet with root certificate. The default certificate store is located in /etc/pki/tls/cert.pem on Linux and Microsoft Certificate Store (MCS) on Windows.

    If you set WALLET_LOCATION=SYSTEM in the connect string (in tnsnames.ora or directly to the command line), then the database client uses the default certificate store to validate the server certificate. In this case, the server certificate needs to be signed by a trusted root certificate that is already installed in the default certificate store.

    For example:
    net_service_name=
        (DESCRIPTION =
           (ADDRESS=(PROTOCOL=tcps)(HOST=sales-svr)(PORT=1234))
           (SECURITY=(WALLET_LOCATION=SYSTEM))
           (CONNECT_DATA=(SERVICE_NAME=sales.us.example.com))
         )
  • Order in which the database client searches for a client wallet:
    1. The database client first tries to use a wallet from the WALLET_LOCATION directory specified in the connect string.

    2. If no wallet is present, then the client searches for the WALLET_LOCATION parameter value in the sqlnet.ora file.

    3. If no wallet is present, then the client searches for a wallet in the $TNS_ADMIN environment variable directory.

    4. If no wallet is present, then the client searches in the default wallet location, that is, /etc/ORACLE/WALLETS/username on Linux and C:\Users\username\ORACLE\WALLETS on Windows.

    5. If no wallet is present, then the client uses the wallet from the system default certificate store.

    You can specify WALLET_LOCATION as SYSTEM in the connect string to ignore all the wallet configurations and use the system default certificate store instead.

  • Setting for walletless TLS connections:

    The WALLET_LOCATION parameter is optional for TLS connections that do not use a client wallet. If you do not include WALLET_LOCATION in the connect string, tnsnames.ora, or sqlnet.ora, then the driver automatically picks up common root certificates from the system default certificate store (if the system is Windows or Linux).

    However, you may need to perform additional steps in the following cases:

    • If WALLET_LOCATION is set in sqlnet.ora for all connections, then you can override this setting for a specific connection that does not need a client wallet (using WALLET_LOCATION=SYSTEM in the connect string).

    • If a wallet is present in the $TNS_ADMIN environment variable directory, then the database client uses the $TNS_ADMIN path as the default wallet location. In this case, you can either override the WALLET_LOCATION setting (using WALLET_LOCATION=SYSTEM in the connect string) or remove that wallet.

  • Storage of wallet files:

    The password-protected wallet is stored in an ewallet.p12 file. The auto-login and local auto-login wallets are stored in a cwallet.sso file.

    For example, if an Oracle wallet is stored in the Microsoft Windows registry and the wallet's key (KEY) is SALESAPP, then the storage location of the password-protected wallet is HKEY_CURRENT_USER\SOFTWARE\ORACLE\WALLETS\SALESAPP\EWALLET.P12. The storage location of the auto-login and local auto-login wallets is HKEY_CURRENT_USER\SOFTWARE\ORACLE\WALLETS\SALESAPP\CWALLET.SSO.
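The client wallet search order and the wallet file names described above, modelled as an added example (not Oracle client code): it walks the documented steps against real directories and records which wallet wins and which ones are shadowed. It assumes that "a wallet is present" means a cwallet.sso or ewallet.p12 file exists in the directory; the function names, argument names and the constructed directory tree are hypothetical.

```python
import os
import tempfile

# Wallet file names from the "Storage of wallet files" note above.
WALLET_FILES = {
    "cwallet.sso": "auto-login or local auto-login",
    "ewallet.p12": "password-protected",
}
SYSTEM_STORE = "system default certificate store"


def wallet_files(directory):
    """Return {file name: wallet kind} for the wallet files found in directory."""
    if not directory or not os.path.isdir(directory):
        return {}
    return {name: kind for name, kind in WALLET_FILES.items()
            if os.path.isfile(os.path.join(directory, name))}


def resolve_wallet(connect_string=None, sqlnet_ora=None, tns_admin=None, default_dir=None):
    """Model the documented search order; return the chosen source plus a trace."""
    # WALLET_LOCATION=SYSTEM in the connect string ignores every wallet setting.
    if connect_string and connect_string.upper() == "SYSTEM":
        return {"source": SYSTEM_STORE, "path": None, "files": {},
                "trace": ["WALLET_LOCATION=SYSTEM: all wallet configurations ignored"]}
    steps = [
        ("WALLET_LOCATION in connect string", connect_string),
        ("WALLET_LOCATION in sqlnet.ora", sqlnet_ora),
        ("$TNS_ADMIN directory", tns_admin),
        ("default wallet location", default_dir),
    ]
    chosen, trace = None, []
    for source, path in steps:
        files = wallet_files(path)
        if files and chosen is None:
            chosen = {"source": source, "path": path, "files": files}
            trace.append(f"{source}: USED {path}")
        elif files:
            # A wallet that exists but never gets used is worth knowing about.
            trace.append(f"{source}: wallet present but shadowed ({path})")
        else:
            trace.append(f"{source}: no wallet present")
    if chosen is None:
        chosen = {"source": SYSTEM_STORE, "path": None, "files": {}}
        trace.append(f"{SYSTEM_STORE}: USED")
    chosen["trace"] = trace
    return chosen


def demo():
    """Constructed tree: sqlnet.ora points at an empty directory, while
    $TNS_ADMIN happens to hold an auto-login wallet."""
    root = tempfile.mkdtemp(prefix="wallet-demo-")
    sqlnet_dir = os.path.join(root, "configured")
    tns_admin = os.path.join(root, "tns_admin")
    os.makedirs(sqlnet_dir)
    os.makedirs(tns_admin)
    open(os.path.join(tns_admin, "cwallet.sso"), "wb").close()
    return resolve_wallet(sqlnet_ora=sqlnet_dir, tns_admin=tns_admin)


if __name__ == "__main__":
    result = demo()
    print("chosen:", result["source"], result["files"])
    for line in result["trace"]:
        print(" ", line)
```

In the constructed tree the wallet in the $TNS_ADMIN directory is selected even though sqlnet.ora names a different directory, which is the case the walletless-TLS note above handles with WALLET_LOCATION=SYSTEM.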

Additional Parameters

Use SOURCE to specify the type of storage and storage location for wallets, as follows:
  • METHOD: Type of storage

  • METHOD_DATA: Storage location:
    • DIRECTORY: Location of wallet on the file system

    • KEY: Wallet type and location in the Microsoft Windows registry

Syntax and Examples

The syntax depends on the wallet as follows:

  • Wallet on the file system:
    WALLET_LOCATION=
      (SOURCE=
        (METHOD=file)
        (METHOD_DATA=
           (DIRECTORY=directory)))
    For example:
    WALLET_LOCATION=  
      (SOURCE=
          (METHOD=file)
          (METHOD_DATA=  
             (DIRECTORY=/etc/oracle/wallets/databases)))
  • Microsoft certificate store:
    WALLET_LOCATION=
      (SOURCE=
         (METHOD=mcs))

    The key-value pair for MCS omits the METHOD_DATA parameter because MCS does not use wallets. Instead, Oracle PKI (public key infrastructure) applications obtain certificates, trust points and private keys directly from a user's profile.

  • Wallet in the Microsoft Windows registry:
    WALLET_LOCATION=
       (SOURCE=
          (METHOD=reg)
          (METHOD_DATA=
             (KEY=registry_key)))
    For example:
    WALLET_LOCATION=
       (SOURCE=
         (METHOD=reg)
         (METHOD_DATA=
            (KEY=SALESAPP)))

Default

None

9.3 Oracle Connection Manager in Traffic Director Mode Parameters

This section lists and describes the following cman.ora file parameters:

9.3.1 SERVICE_AFFINITY

Use the cman.ora parameter SERVICE_AFFINITY to modify the default load distribution mechanism for Oracle Connection Manager in Traffic Director Mode.

Purpose

To configure load distribution mechanism for Oracle Connection Manager in Traffic Director Mode. By default, Oracle Connection Manager in Traffic Director Mode uses service affinity to select a gateway for routing incoming connection requests. All new connection requests are routed to the gateways associated with database services.

Usage Notes

If you set this parameter to ON, then all new connection requests are routed to the gateways associated with database services.

If you set this parameter to OFF, then all new connection requests are routed to the least-loaded gateways.

When using Proxy Resident Connection Pooling (PRCP), Oracle recommends that you set the SERVICE_AFFINITY parameter to OFF for better performance and resource utilization of gateway processes.

Values

ON | OFF

Default

ON

Example

SERVICE_AFFINITY = {ON | OFF}

9.3.2 TDM

Purpose

To configure Oracle Connection Manager to act as Oracle Connection Manager in Traffic Director Mode.

Default

FALSE

Values

  • TRUE

  • FALSE

Example

tdm = TRUE

9.3.3 TDM_BIND_THREAD

Purpose

To make the application connection hold on to the TDM thread. This has different implications with and without PRCP. This parameter only applies when TDM_THREADING_MODE is set to SHARED.

Usage Notes

Without PRCP, setting this parameter to yes makes the application connection hold on to the TDM worker thread as long as there is a transaction in progress.

With PRCP, setting this parameter to yes makes the application connection hold on to the TDM thread from the time OCISessionGet is done by the application till it does an OCISessionRelease.

Default

no

Values

  • yes

  • no

Example

TDM_BIND_THREAD = yes

9.3.4 TDM_DATATYPE_CHECK

Purpose

To validate all the inbound data to the database, of the data type NUMBER, DATE, TIMESTAMP, TIMESTAMP WITH LOCAL TIMEZONE, TIMESTAMP WITH TIMEZONE, BLOB, CLOB, BFILE, UROWID and REF. The following error is received by the application if there is any problem with the data sent to the Oracle Connection Manager in Traffic Director Mode.

ORA-03137: malformed TTC packet from client rejected: [3101]

Usage Notes

Turning ON/OFF this parameter enables or disables the data validation.

Default

OFF

Values

  • ON

  • OFF

Example

tdm_datatype_check={ON | OFF}

9.3.5 TDM_PERPDB_PRCP_CONNFACTOR

Use the cman.ora parameter TDM_PERPDB_PRCP_CONNFACTOR to configure per-PDB Proxy Resident Connection Pooling (PRCP).

Purpose

To configure per-PDB PRCP. This parameter value sets a connection factor, which helps in dynamically determining the maximum size of every per-PDB PRCP pool.

Usage Notes

  • The per-PDB PRCP setting determines the maximum size of a per-PDB PRCP pool based on the TDM_PERPDB_PRCP_CONNFACTOR parameter value and the Oracle Compute Unit (OCPU) count allocated to each PDB automatically.

    A background process automatically fetches these values and resizes the pool. This derived maximum size value overrides the <session_pool> MAX_SIZE parameter configured in the oraaccess.xml file.

  • PRCP dynamically rereads the TDM_PERPDB_PRCP_CONNFACTOR value and accordingly refreshes the maximum size of a per-PDB pool, if needed. You can change this parameter value using the Oracle Connection Manager Control utility (CMCTL) RELOAD command. There is no need to restart Oracle Connection Manager in Traffic Director Mode for the changes to take effect.

  • In addition to TDM_PERPDB_PRCP_CONNFACTOR, you must set the sqlnet.ora parameter TCP.ALLOWED_PROXIES on the database server. Otherwise, the connection request fails. TCP.ALLOWED_PROXIES specifies the CMAN instance (IP address or host name) that can fetch the OCPU count from the database server.

Values

  • 0 to disable per-PDB PRCP

  • Any number equal to or greater than 1 to enable per-PDB PRCP

    Note:

    Ensure that you specify a connection factor value within the maximum connections limit defined by the cman.ora parameter MAX_CONNECTIONS.

Default

0

Example

TDM_PERPDB_PRCP_CONNFACTOR=10

9.3.6 TDM_PRCP_MAX_CALL_WAIT_TIME

Purpose

To record the maximum time of inactivity, in seconds, for a client after obtaining a session from the PRCP pool. This parameter is applicable when the Oracle Connection Manager in Traffic Director Mode is configured to have Proxy Resident Connection Pool.

Usage Notes

After obtaining a session from the PRCP pool, if the client application does not issue a database call for the time specified by TDM_PRCP_MAX_CALL_WAIT_TIME parameter, then the PRCP session is freed and the client connection is terminated. As a result, if the client application attempts a round trip call on such a connection, then it receives an ORA-3113 or ORA-3115 error.

Default

30 seconds

Values

Any nonnegative value. However, Oracle recommends not to use a value of 0 as that implies that a connection can acquire a PRCP session for an indefinite amount of time.

9.3.7 TDM_PRCP_MAX_TXN_CALL_WAIT_TIME

Purpose

To record the maximum time of inactivity, in seconds, for a client after it obtains a session from the Proxy Resident Connection Pool and starts a transaction. This parameter is applicable when the Oracle Connection Manager in Traffic Director Mode is configured to have PRCP.

Usage Notes

If the client application does not issue a database call for the time specified by TDM_PRCP_MAX_TXN_CALL_WAIT_TIME parameter while in a transaction, the PRCP session is freed, the transaction is rolled back, and the client connection is terminated. As a result, if the client application attempts a round trip call on such a connection, then it receives an ORA-3113 or ORA-3115 error.

Default

0

Values

Any nonnegative value. However, it is recommended not to use a value of 0 as it implies that a connection can acquire a PRCP session for an indefinite amount of time.

9.3.8 TDM_SHARED_THREADS_MAX

Purpose

To configure the maximum number of threads that an Oracle Connection Manager process in Traffic Director Mode should have, when tdm_threading_mode is set to SHARED.

Values

Any number can be designated for the maximum number of threads. For DEDICATED mode, the maximum number of threads is the same as the maximum number of connections. In SHARED mode, though there is no fixed upper bound, it should ideally be proportional to the load.

9.3.9 TDM_SHARED_THREADS_MIN

Purpose

To configure the minimum number of threads that an Oracle Connection Manager process in Traffic Director Mode should have, when tdm_threading_mode is set to SHARED.

Values

Any number can be designated for the minimum number of threads. For SHARED mode, there is no limit enforced. However, the number of threads should be proportional to the load.

9.3.10 TDM_STATS_FREQUENCY

Use the cman.ora parameter TDM_STATS_FREQUENCY to configure the frequency at which usage statistics are uploaded to PDB for per-PDB Proxy Resident Connection Pooling (PRCP) connections.

Purpose

To specify the time interval, in minutes, at which usage statistics for Oracle Connection Manager in Traffic Director Mode should be uploaded to PDB if per-PDB PRCP is enabled.

These usage statistics help in monitoring the behavior of your connection pools. PDB administrators can query the dynamic database view V$TDM_STATS to view this statistical data.

Values

  • 0 to disable statistics upload.

  • Any number equal to or greater than 1 (up to the maximum value) to enable statistics upload. This value depends on your runtime load and connection pool usage.

Default Value

0

Minimum Value

0

Maximum Value

2800

Example

TDM_STATS_FREQUENCY=300

9.3.11 TDM_THREADING_MODE

Purpose

To configure the usage of threads by the Oracle Connection Manager in Traffic Director Mode.

Usage Notes

If this parameter is set to DEDICATED, then a worker thread is spawned for each inbound connection and the maximum number of threads is determined by the max_connections parameter.

If this parameter is set to SHARED, then a shared pool of worker threads handles all inbound connections. The minimum number of worker threads is specified by the tdm_shared_threads_min setting and the maximum number of worker threads is specified by the tdm_shared_threads_max setting. The thread pool is internally managed within these bounds.

Default

DEDICATED

Values

  • DEDICATED

  • SHARED

Example

tdm_threading_mode={DEDICATED | SHARED}

tdm_shared_threads_min = 4

tdm_shared_threads_max = 5

9.4 ADR Diagnostic Parameters for Oracle Connection Manager

The diagnostic data for critical errors is quickly captured and stored in the ADR for Oracle Connection Manager.

Since Oracle Database 11g, Oracle Database includes an advanced fault diagnosability infrastructure for preventing, detecting, diagnosing, and resolving problems. The problems are critical errors such as those caused by database code bugs, metadata corruption, and customer data corruption.

When a critical error occurs, it is assigned an incident number, and diagnostic data for the error, such as traces and dumps, are immediately captured and tagged with the incident number. The data is then stored in the Automatic Diagnostic Repository (ADR), a file-based repository outside the database.

This section describes the parameters used when ADR is enabled. ADR is enabled by default. Non-ADR parameters listed in the cman.ora file are ignored when ADR is enabled.

9.4.1 ADR_BASE

It is a diagnostic parameter in the cman.ora file and it specifies the base directory to store tracing and logging incidents when ADR is enabled.

Purpose

To specify the base directory to store tracing and logging incidents when ADR is enabled.

Default

The default is ORACLE_BASE, or ORACLE_HOME/log if ORACLE_BASE is not defined.

Values

Any valid directory path to a directory with write permission.

Example 9-8 Example

ADR_BASE=/oracle/network/trace

9.4.2 DIAG_ADR_ENABLED

The DIAG_ADR_ENABLED diagnostic parameter of the cman.ora file indicates whether ADR tracing is enabled.

Purpose

To indicate whether ADR tracing is enabled.

Usage Notes

When the DIAG_ADR_ENABLED parameter is set to OFF, then non-ADR file tracing is used.

Values

on | off

Example 9-9 Example

DIAG_ADR_ENABLED=on

9.4.3 LOG_LEVEL

Purpose

To specify the level of logging performed by Oracle Connection Manager.

Usage Notes

This parameter is also applicable when non-ADR logging is used.

The following log files are used with Oracle Connection Manager:

  • instance-name_pid.log for the listener.

  • instance-name_cmadmin_pid.log for CMADMIN.

  • instance-name_cmgw_pid.log for the gateway processes.

The log files are located in the ORACLE_HOME/network/log directory.

Default

off or 0

Values

  • off or 0 for no log output.

  • user or 4 for user log information.

  • admin or 10 for administration log information.

  • support or 16 for Oracle Support Services log information.

Example

LOG_LEVEL=admin

9.4.4 TRACE_LEVEL

Purpose

To specify the trace level for the Oracle Connection Manager instance.

Usage Notes

This parameter is also applicable when non-ADR tracing is used.

The following trace files are used with Oracle Connection Manager:

  • instance-name_pid.trc for the listener.

  • instance-name_cmadmin_pid.trc for CMADMIN.

  • instance-name_cmgw_pid.trc for the gateway processes.

The log files are located in the ORACLE_HOME/network/log directory.

Default

off

Values

  • off for no trace output.

  • user for user trace information.

  • admin for administration trace information.

  • support for Oracle Support Services trace information.

Example

TRACE_LEVEL=admin

9.4.5 TRACE_TIMESTAMP

Purpose

To add a time stamp in the form of dd-mmm-yyyy hh:mi:ss:mil to every trace event in the trace file for the listener.

Usage Notes

This parameter is used with the TRACE_LEVEL parameter. This parameter is also applicable when non-ADR tracing is used.

Default

on

Values

  • on or true

  • off or false

Example

TRACE_TIMESTAMP=true

9.5 Non-ADR Diagnostic Parameters for Oracle Connection Manager

This section lists the parameters used when ADR is disabled:

9.5.1 LOG_DIRECTORY

Purpose

To specify the location of Oracle Connection Manager log files.

Usage Notes

Use this parameter when ADR is not enabled.

Default

ORACLE_BASE_HOME/network/log

Values

Any valid directory path to a directory with write permission.

Example

LOG_DIRECTORY=/oracle/network/log

9.5.2 TRACE_DIRECTORY

Purpose

To specify the location of the Oracle Connection Manager trace files.

Usage Notes

Use this parameter when ADR is not enabled.

Default

ORACLE_BASE_HOME/network/trace 

Values

Any valid directory path to a directory with write permission.

Example

TRACE_DIRECTORY=/oracle/network/admin/trace

9.5.3 TRACE_FILELEN

Purpose

To specify the size, in KB, of the trace file.

Usage Notes

When the size is met, the trace information is written to the next file. The number of files is specified with the TRACE_FILENO parameter. Any size can be designated. Use this parameter when ADR is not enabled.

Default

Unlimited

Example

TRACE_FILELEN=100

9.5.4 TRACE_FILENO

Purpose

To specify the number of trace files for Oracle Connection Manager tracing.

Usage Notes

When this parameter is set along with the TRACE_FILELEN parameter, trace files are used in a cyclical fashion. The first file is filled first, then the second file, and so on. When the last file has been filled, the first file is reused, and so on. Any number of files can be designated.

The trace file names are distinguished from one another by their sequence number. For example, if this parameter is set to 3, then the gateway trace files would be named instance-name_cmgw1_pid.trc, instance-name_cmgw2_pid.trc and instance-name_cmgw3_pid.trc.

In addition, trace events in the trace files are preceded by the sequence number of the file. Use this parameter when ADR is not enabled.

Default

1

Example

TRACE_FILENO=3

9.6 Oracle Connection Manager Tunneling Parameters

This section lists the parameters that you must configure to enable tunneling.

9.6.1 TUNNELING

Set this parameter to start Oracle Connection Manager as server in tunneling mode.

Purpose

Set this parameter to ON to start Oracle Connection Manager in tunneling mode. You must set this parameter on the server CMAN. When this parameter is set, the CMAN starts processing and accepts tunnel requests.

Usage Notes

Use this parameter with PARAMETER_LIST.

Default

OFF

Example


(PARAMETER_LIST=
      (TUNNELING=ON))
 

9.6.2 TUNNEL_CAPACITY

Use this parameter to specify the number of reverse connections that can be multiplexed over a tunnel.

Purpose

You must set this parameter on the server CMAN. Only the number of connections that you specify for this parameter will be allowed per tunnel.

Usage Notes

Use this parameter with PARAMETER_LIST.

Example


(PARAMETER_LIST=
      (TUNNEL_CAPACITY=25))
 

9.6.3 MAX_TUNNELS

Use this parameter to specify the number of tunnels that a client connection manager in tunneling mode can create.

Purpose

Each Connection Manager gateway creates the number of tunnels specified by this parameter. You must set this parameter on the client CMAN.

Usage Notes

Use this parameter with PARAMETER_LIST.

Example


(PARAMETER_LIST=
      (MAX_TUNNELS=4))
 

9.6.4 TUNNEL_PROBE_INTERVAL

Use this parameter on the server Connection Manager to keep the tunnel connection open.

Purpose

Specify a time interval, in minutes, at which small probe packets are sent to keep the tunnel connection open and avoid a timeout. You must set this parameter on the server CMAN.

Usage Notes

Use this parameter with PARAMETER_LIST.

Example


(PARAMETER_LIST=
      (TUNNEL_PROBE_INTERVAL=7))
 

9.6.5 NON_TUNNEL_GATEWAYS

Use this parameter to specify the number of regular gateways that will not be used for tunneling.

Purpose

Set this parameter at both the server CMAN and the client CMAN to specify the number of regular gateways. Regular gateways handle regular and forward connections. In tunneling mode, all gateways are tunnel gateways by default.

Usage Notes

Use this parameter with PARAMETER_LIST.

Default

0 when tunneling is enabled.

Example


(PARAMETER_LIST=
  (NON_TUNNEL_GATEWAYS=2))

9.6.6 TUNNEL_ADDRESS

Set this parameter on the client CMAN to point to the server CMAN that you want to connect to.

Purpose

The gateways connect to the specified server address to create tunnels. You can configure single or multiple addresses using address_list and description.

Usage Notes

Put this parameter under CONFIGURATION.

Example


(CONFIGURATION=
  (TUNNEL_ADDRESS=
    (DESCRIPTION=
      (ADDRESS=(PROTOCOL=TCPS)(HOST=host_name)(PORT=port_number))
      (CONNECT_DATA=(TUNNEL_ID=tunnel_id)))))
 

9.6.7 GATEWAY_PROCESSES

Use this parameter to specify the number of gateway processes.

Usage

Use this parameter with PARAMETER_LIST.

gateway_processes=value

Example

(PARAMETER_LIST=
           (gateway_processes=8))

Note:

The MIN_GATEWAY_PROCESSES and MAX_GATEWAY_PROCESSES parameters are not supported with the tunneling option.
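
The placement rules in sections 9.6.1 through 9.6.7 can be checked mechanically before a cman.ora file is deployed. The following is an added example, not Oracle code: a small linter that parses the nested parameter syntax and reports names that do not match the 9.6 headings, parameters set on the wrong side of the tunnel, and gateway parameters that are not supported with tunneling. The function names, the role argument, and the sample file are assumptions made for illustration.

```python
import re

# Names and server/client sides are taken from sections 9.6.1-9.6.7 of this page.
TUNNEL_PARAMS = {"TUNNELING", "TUNNEL_CAPACITY", "MAX_TUNNELS",
                 "TUNNEL_PROBE_INTERVAL", "NON_TUNNEL_GATEWAYS"}
SIDE = {"TUNNEL_CAPACITY": "server", "TUNNEL_PROBE_INTERVAL": "server", "MAX_TUNNELS": "client"}
UNSUPPORTED = {"MIN_GATEWAY_PROCESSES", "MAX_GATEWAY_PROCESSES"}

# Constructed sample (not from the page): a server CMAN file with three mistakes.
SAMPLE_SERVER = """CMAN_SRV=(CONFIGURATION=
  (ADDRESS=(PROTOCOL=tcps)(HOST=proxysvr)(PORT=1522))
  (PARAMETER_LIST=(TUNNELING=ON)(TUNNEL_CAPACTY=25)(MAX_TUNNELS=4)
    (MAX_GATEWAY_PROCESSES=8)))"""

def parse(text):
    """Parse nested (KEY=value) text into a list of (key, str | list) pairs."""
    root = []
    stack = [root]
    for key, leaf, close in re.findall(r"\(\s*(\w+)\s*=\s*([^()\s]*)|(\))", text):
        if close and len(stack) > 1:
            stack.pop()
        elif close or isinstance(stack[-1], str):
            raise ValueError("unbalanced or malformed parentheses")
        else:
            child = leaf or []          # empty leaf means a nested section follows
            stack[-1].append((key.upper(), child))
            stack.append(child)
    if len(stack) != 1:
        raise ValueError("unbalanced parentheses")
    return root

def lint_tunneling(text, role):
    """Return findings for one cman.ora; role is 'server' or 'client'."""
    config = dict(parse(text)[0][1])    # children of the CONFIGURATION section
    params = dict(config.get("PARAMETER_LIST", []))
    tunneling = str(params.get("TUNNELING", "OFF")).upper() == "ON"
    findings = []
    for name in params:
        if "TUNNEL" in name and name not in TUNNEL_PARAMS:
            findings.append(f"{name}: not a PARAMETER_LIST tunneling parameter")
        elif SIDE.get(name, role) != role:
            findings.append(f"{name}: documented for the {SIDE[name]} CMAN")
        elif name in UNSUPPORTED and (tunneling or "TUNNEL_ADDRESS" in config):
            findings.append(f"{name}: not supported with tunneling")
    if role == "server" and not tunneling:
        findings.append("TUNNELING=ON is not set (default is OFF)")
    if role == "client" and "TUNNEL_ADDRESS" not in config:
        findings.append("TUNNEL_ADDRESS is missing under CONFIGURATION")
    return findings
```

Call lint_tunneling(SAMPLE_SERVER, "server") to see the three findings for the constructed file; an empty list means none of these checks fired.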