Establishing secure connectivity between Oracle Ravello and Oracle Cloud Infrastructure Classic Database Cloud
Oracle White Paper | December 2017
1 | ESTABLISHING SECURE CONNECTIVITY BETWEEN ORACLE RAVELLO AND ORACLE CLOUD INFRASTRUCTURE CLASSIC DATABASE CLOUD
Table of Contents
Application Architecture Overview
Connecting Ravello to Oracle DBCS via Secured SQL*Net
Changes Made to the VMs in Ravello
Securing Listener Port Access on Oracle Database Cloud Service
Verifying the Use of Native Encryption and Integrity
Connecting Ravello to Oracle DBCS via a VPN Tunnel
Setting Up the Corente Gateway for Oracle Database Cloud
Setting Up the Corente Services Gateway for the App on Ravello
Verifying the Siebel CRM Application Running on Ravello
Learn More
Oracle Ravello is an overlay cloud service that enables enterprises to run their VMware and KVM
applications, with data-center-like (Layer 2) networking, ‘as-is’ on public clouds without making any
modifications. With Ravello, enterprises don’t need to convert their VMs or change networking. This
empowers businesses to rapidly develop and deploy existing data-center applications on the public
cloud without the associated infrastructure and migration cost and overhead for a variety of use-cases
such as PoC, dev, test, staging, UAT, production, training etc.
Application Architecture Overview
Enterprises looking to move their VMware-based applications with large databases to the public cloud
have multiple options. They can move the entire application, database included, onto Ravello, or use a
combination of Ravello (for the web and app tier) with Oracle PaaS (e.g. DBCS) on Oracle Cloud
Infrastructure Classic. In the latter mode, secure connectivity between the web/app tier on Ravello and
the OCI Classic Database Cloud Service instance is a key requirement. There are multiple methods to
establish secured connections between an application on Ravello and a database on Oracle DBCS. Two of
them are described in this whitepaper, using Siebel CRM as the example.
Figure 1: Siebel CRM architecture distributed between Ravello and DBCS
The app and web tier of Siebel on Ravello consists of 6 VMs of 2 vCPUs and 4 GB of memory each – the Siebel App Server, the Siebel Gateway, the Siebel Web Server, the Siebel file system, the Siebel Tools, and the Siebel Web Client VM.
Figure 2: Siebel Deployment in Ravello
The Siebel Database is a single instance Oracle Database Cloud Service instance hosted on Oracle Cloud Infrastructure Classic with a configuration of 2 OCPUs and 15GB of memory.
Figure 3: Siebel Database instance in Oracle Database Cloud Service
Connecting Ravello to Oracle DBCS via Secured SQL*Net
To secure connections to Oracle Database Cloud Service databases, native Oracle Net encryption and
integrity capabilities can be used. Encryption of network data provides data privacy so that
unauthorized parties are not able to view data as it passes over the network. In addition, integrity
algorithms protect against data modification and illegitimate replay. Oracle Database provides the
Advanced Encryption Standard (AES), DES, 3DES, and RC4 symmetric cryptosystems for protecting
the confidentiality of Oracle Net traffic. By default, database deployments on Database Cloud
Service are configured to enable native Oracle Net encryption and integrity.
In the case of the above Siebel deployment, three VMs – the Siebel App Server, Siebel Gateway, and
Siebel Tools – need a secured connection to the database deployment on Oracle Database Cloud
Service.
Changes made to the VMs in Ravello
Port 1521 is used as the listener port for Oracle client connections to the database over Oracle's
SQL*Net protocol. The tnsnames.ora file in the client VMs defines the connection to the
Oracle Database and needs to be modified to point to the Oracle DBCS instance.
Follow these steps to check encryption configuration and set up secure connectivity between the app
on Ravello and the Oracle DBCS instance.
1. Connect to the Siebel App Server VM via the console.
2. Change directories to the location of the Oracle Net configuration files tnsnames.ora and sqlnet.ora.
3. View the sqlnet.ora file and confirm that it does not contain the following parameter settings:
If the client VM has the above parameters set, the connection will fail with the following error:
ORA-12660: Encryption or crypto-checksumming parameters incompatible.
4. Update the tnsnames.ora with the host IP address, the port number, and the service name of the DBCS instance.
Figure 4: Relevant DBCS connection information
Figure 5: Example tnsnames.ora file
5. Perform steps 1 to 5 for all the VMs that connect to the Oracle Database Cloud instance. In
this case, those are the Siebel App Server, Siebel Gateway and Siebel Tools VMs.
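The checks in steps 3 and 4 above, as an added example (not code from the paper). The paper's list of offending sqlnet.ora settings did not survive extraction; this example assumes the standard Oracle Net client parameters SQLNET.ENCRYPTION_CLIENT and SQLNET.CRYPTO_CHECKSUM_CLIENT, whose value REJECTED conflicts with a server that requires the service and produces ORA-12660. The host and service name are constructed placeholders.

```python
# Added example: scan a client's sqlnet.ora for settings that reject native
# Oracle Net encryption/integrity, and render the tnsnames.ora entry that
# points the client at the DBCS instance (steps 3 and 4 of the procedure).
import re

# Client-side negotiation parameters (assumption: standard Oracle Net names,
# not listed in the surviving text of the paper). REJECTED on the client
# against a server that REQUIRES the service yields ORA-12660.
CLIENT_PARAMS = ("SQLNET.ENCRYPTION_CLIENT", "SQLNET.CRYPTO_CHECKSUM_CLIENT")

def parse_sqlnet(text):
    """Return {PARAM: VALUE} for KEY = VALUE lines; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z0-9_.]+)\s*=\s*(.+)", line)
        if m:
            params[m.group(1).upper()] = m.group(2).strip().upper()
    return params

def find_rejecting_params(text):
    """Names of client parameters set to REJECTED (would break the DBCS link)."""
    params = parse_sqlnet(text)
    return [p for p in CLIENT_PARAMS if params.get(p) == "REJECTED"]

def tnsnames_entry(alias, host, port, service_name):
    """Render a TCP connect descriptor for tnsnames.ora (step 4)."""
    if not 0 < int(port) < 65536:
        raise ValueError("port out of range")
    return (
        f"{alias} =\n"
        f"  (DESCRIPTION =\n"
        f"    (ADDRESS = (PROTOCOL = TCP)(HOST = {host})(PORT = {port}))\n"
        f"    (CONNECT_DATA = (SERVICE_NAME = {service_name}))\n"
        f"  )\n"
    )

# Constructed sample sqlnet.ora that would fail against DBCS with ORA-12660.
SAMPLE_SQLNET = """\
# client sqlnet.ora (constructed sample)
SQLNET.ENCRYPTION_CLIENT = rejected
SQLNET.CRYPTO_CHECKSUM_CLIENT = accepted
"""

if __name__ == "__main__":
    print("rejecting parameters:", find_rejecting_params(SAMPLE_SQLNET))
    # Placeholder host/service name; take the real values from the DBCS console.
    print(tnsnames_entry("SIEBELDB", "203.0.113.10", 1521, "PDB1.example.placeholder"))
```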
Securing listener port access on Oracle Database Cloud Service
Follow the given steps to restrict access to the Oracle DBCS instance to only the app VMs on Ravello.
1. Set up elastic IPs for the Siebel App Server VM on Ravello by clicking on the NICs tab. Using
an Elastic IP will allow the app server VM to retain the IP address across multiple restarts.
Figure 6: Selecting Elastic IPs for the Siebel App Server
2. Repeat Step 1 for the Siebel Gateway and Siebel Tools VMs.
3. In the DBCS Service console, select Access Rules.
Figure 7: Go to the Access Rules page
4. On the Access Rules page, select “Create Rule” and enter the appropriate information as
described below.
Figure 8: Create Access Rule
a. Rule name: Give the access rule a descriptive name
b. Source: Select <custom> and add the Elastic IP addresses of the VMs that will communicate with the DB.
c. Destination and Port: Select DB and 1521.
d. Protocol: Select TCP.
e. Create the rule.
5. Access to port 1521 is now restricted to only the VMs running on Ravello.
Verifying the use of Native Encryption and Integrity
Connect to the Oracle Database Cloud instance from the Siebel App Server VM and verify the use of
native Oracle Net encryption and integrity by examining the network service banner entries associated
with each connection. This information is contained in the NETWORK_SERVICE_BANNER column of
the V$SESSION_CONNECT_INFO view. The following example shows the SQL command used to
display the network service banner entries associated with the current connection:
The following example output shows banner information for the available encryption service and the
crypto-checksumming (integrity) service, including the algorithms in use:
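The verification described above, as an added example that is not the paper's own SQL or output. The query text follows the documented V$SESSION_CONNECT_INFO layout, and the sample banner rows are constructed here; the check also flags the legacy ciphers the paper lists (DES, 3DES, RC4) if one is ever negotiated.

```python
# Added example: confirm from the session banner rows that both the
# encryption service and the crypto-checksumming (integrity) service are
# active, and report which algorithms were negotiated.
import re

# Query to run on the DBCS instance from a client session (standard view/column
# names; the paper's own command did not survive extraction).
BANNER_SQL = (
    "SELECT network_service_banner FROM v$session_connect_info "
    "WHERE sid = SYS_CONTEXT('USERENV', 'SID')"
)

# Assumption: treat the paper's DES/3DES/RC4 families as legacy and flag them.
WEAK_ALGORITHMS = {"DES", "DES40", "3DES112", "3DES168",
                   "RC4_40", "RC4_56", "RC4_128", "RC4_256"}

# Matches the per-algorithm "service adapter" rows of the banner.
ADAPTER_RE = re.compile(
    r"Oracle Advanced Security:\s*(\S+)\s+(encryption|crypto-checksumming) service adapter",
    re.IGNORECASE,
)

def check_banner(rows):
    """Return the negotiated encryption/integrity algorithms plus findings."""
    result = {"encryption": None, "integrity": None, "findings": []}
    for row in rows:
        m = ADAPTER_RE.search(row)
        if not m:
            continue  # protocol adapter rows and generic service rows
        algo, kind = m.group(1).upper(), m.group(2).lower()
        key = "encryption" if kind == "encryption" else "integrity"
        result[key] = algo
        if algo in WEAK_ALGORITHMS:
            result["findings"].append(f"legacy {key} algorithm negotiated: {algo}")
    if result["encryption"] is None:
        result["findings"].append("no encryption service adapter in banner")
    if result["integrity"] is None:
        result["findings"].append("no crypto-checksumming service adapter in banner")
    return result

# Constructed sample banner rows for one session over TCP/IP.
SAMPLE_ROWS = [
    "Oracle TCP/IP NT Protocol Adapter for Linux: Version 12.1.0.2.0 - Production",
    "Oracle Advanced Security: encryption service for Linux: Version 12.1.0.2.0 - Production",
    "Oracle Advanced Security: AES256 encryption service adapter for Linux: Version 12.1.0.2.0 - Production",
    "Oracle Advanced Security: crypto-checksumming service for Linux: Version 12.1.0.2.0 - Production",
    "Oracle Advanced Security: SHA1 crypto-checksumming service adapter for Linux: Version 12.1.0.2.0 - Production",
]

if __name__ == "__main__":
    print(BANNER_SQL)
    print(check_banner(SAMPLE_ROWS))
```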
Connecting Ravello to Oracle DBCS via a VPN tunnel
It is also possible to establish secure connections to the Oracle Database Cloud instance via a VPN
tunnel. A Corente VPN Gateway can be set up at each end to enable an IPSec tunnel. Setting up a
Corente Services Gateway in Ravello includes adding a Corente VPN Gateway VM and routing all
external traffic of the app and web tier through this VM.
Setting up the Corente Gateway for Oracle Database Cloud
In order to create a Corente Services Gateway (CSG) for the Cloud Database instance, make sure the
Oracle Database instance is created on a predefined IP network. That is, create an IP network first, then
instantiate a Database instance on the same IP network.
Follow these steps to create a Corente Gateway in the Cloud.
1. Sign in to the Compute Classic console and click the Network tab.
2. In the left pane, under Shared Network, click IP Reservations and Create an IP reservation.
3. Click the VPN tab in the left pane and then click VPN Gateways.
4. Click Create VPN Gateway.
5. Select or enter the required information:
6. Name: Enter a name for the Corente Services Gateway instance.
7. IP Reservation: Select the IP reservation that was created in Step 2.
8. Image: Select the desired machine image for the instance.
9. Interface Type: Select Dual-homed to use this VPN gateway to connect to instances on an IP
network. All instances that are on the same IP network as the Corente Services Gateway
instance can be accessed using VPN.
10. IP Network: Select the IP network on which the Oracle Database instance is instantiated.
11. IP Network Address and Subnets: These fields are automatically filled when the IP network
is selected. Do not modify or delete the automatically added data.
Figure 9: Creating a Corente Gateway in the Cloud
12. Add a route to connect the internal subnet of the Siebel app in Ravello to the Gateway created above.
1. Under IP networks, click on Routes.
2. Select or enter the required information:
3. Name: Enter a name for the route.
4. Administrative Distance: Enter 0, 1, or 2 to specify the administrative distance of
the route. The administrative distance indicates the priority of a route. The highest
priority is 0.
5. IP Address Prefix: Enter the IP address prefix, in CIDR format, of the destination
network, the internal subnet of the app in Ravello, to which the route needs to be
created.
6. Next Hop vNICset: Select the vNICset that was created along with the above
Gateway.
7. Click Create.
Figure 10: Creating a route from the internal Ravello subnet to DBCS
Setting up the Corente Services Gateway for the app on Ravello
In order to create an IPSec tunnel between the app and web tier on Ravello and the Oracle Database
Cloud instance, a Corente Services Gateway VM needs to be added to the Ravello environment and all
external traffic needs to be routed through the Corente VM.
The following steps illustrate the preparation of the Ravello environment to set up a CSG.
1. Add an Oracle Public Cloud's Corente VPN Gateway VM from the Ravello library by dragging it
on to the canvas.
Figure 11: Adding a Corente Services Gateway VM to the Ravello environment.
2. Open the NIC properties of the CSG and configure the public (WAN) and private (LAN) NICs. Configure static IPs for both NICs. For the WAN NIC, under External Access select the “Elastic IP” option and assign an elastic IP from the list.
3. For the LAN NIC configure only “Static IP” and “Netmask”. There is no need to fill in the “Gateway” and “DNS” fields. Do not configure external access.
Figure 12: Public and Private network configurations of the CSG.
4. In the Services tab, make sure TCP port 551 is open.
Figure 13: Verifying that port 551 is open
Note: When setting up an IPSec tunnel with a third-party gateway, Corente uses the IPSec UDP ports 500 and 4500. However, when setting up a VPN tunnel between Corente gateways on both sides, only TCP port 551 is required for the IPSec tunnel.
Next, all external traffic will be routed through the Corente VM.
5. In the NIC tab of the Siebel App Server VM, remove the Gateway and DNS address from the public NIC and in the private NIC, add the internal IP address of the Corente VM as the Gateway and DNS address.
Figure 14: Update the Gateway and DNS addresses of all VMs with external traffic
6. Log into the console of the VM and make the same updates as in Step 5 to the interface configuration files for the private and public NICs. The ifcfg files are usually found under /etc/sysconfig/network-scripts/
Figure 15: Update the if-cfg files through the console of the VM
7. Repeat Steps 5 and 6 for the Siebel Gateway and Siebel Tools VMs.
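A check for the result of steps 5 to 7, as an added example (not code from the paper): it reads a VM's ifcfg files and confirms the public NIC carries no gateway or DNS entries while the private NIC uses the Corente VM's internal IP for both. It assumes the usual KEY=VALUE layout of /etc/sysconfig/network-scripts files; the sample files and the Corente IP are constructed.

```python
# Added example: validate ifcfg files against the routing change above.
# Public NIC: no GATEWAY and no DNSn entries. Private NIC: GATEWAY and the
# only DNS entry both equal the Corente VM's internal (LAN) IP address.
import re

def parse_ifcfg(text):
    """Parse KEY=VALUE lines (surrounding quotes stripped, '#' comments ignored)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"([A-Z0-9_]+)=\"?([^\"]*)\"?$", line)
        if m:
            cfg[m.group(1)] = m.group(2).strip()
    return cfg

def dns_entries(cfg):
    """Values of DNS1, DNS2, ... in file order."""
    return [v for k, v in cfg.items() if re.fullmatch(r"DNS\d+", k)]

def check_public_nic(text):
    """Public NIC after step 5: no default gateway and no DNS servers."""
    cfg = parse_ifcfg(text)
    problems = []
    if cfg.get("GATEWAY"):
        problems.append("public NIC still has GATEWAY=" + cfg["GATEWAY"])
    for v in dns_entries(cfg):
        problems.append("public NIC still has DNS server " + v)
    return problems

def check_private_nic(text, corente_ip):
    """Private NIC after step 5: gateway and DNS both point at the Corente VM."""
    cfg = parse_ifcfg(text)
    problems = []
    if cfg.get("GATEWAY") != corente_ip:
        problems.append(f"GATEWAY should be {corente_ip}, got {cfg.get('GATEWAY')}")
    if dns_entries(cfg) != [corente_ip]:
        problems.append(f"DNS should be only {corente_ip}, got {dns_entries(cfg)}")
    return problems

CORENTE_LAN_IP = "10.0.0.254"  # constructed sample: Corente VM's internal IP

# Constructed sample ifcfg files as they should look after steps 5 and 6.
PUBLIC_IFCFG = """\
DEVICE=eth0
BOOTPROTO=static
IPADDR=198.51.100.20
NETMASK=255.255.255.0
ONBOOT=yes
"""
PRIVATE_IFCFG = """\
DEVICE=eth1
BOOTPROTO=static
IPADDR=10.0.0.10
NETMASK=255.255.255.0
GATEWAY="10.0.0.254"
DNS1=10.0.0.254
ONBOOT=yes
"""

if __name__ == "__main__":
    print(check_public_nic(PUBLIC_IFCFG), check_private_nic(PRIVATE_IFCFG, CORENTE_LAN_IP))
```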
The next step is to configure the Corente Services Gateway on Ravello. To complete this, App Net
Manager needs to be installed. It can be downloaded from
http://www.oracle.com/technetwork/server-storage/corente/downloads/index.html.
8. Log into App Net Manager using the VPN OPC credentials for the Oracle Cloud account.
9. In the left pane, click on Locations and add a new location, named “VPN2DBCSOPC” in this example. Configure the general properties of this location.
Figure 16: Configure Location properties of the Corente Gateway on Ravello
10. Click on the Network tab and add a WAN and LAN interface to the new location. Configure it with the appropriate WAN and LAN interface settings of Corente VPN gateway in Ravello (see step 3):
Figure 17: Configure the WAN and LAN interface of the CSG on Ravello
11. After both LAN and WAN interfaces are added go to File and Save the configuration. Click on Start button to commit all changes.
12. Start Corente VPN gateway VM in Ravello. When the virtual machine starts up, you’ll see the following screen:
Figure 18: Startup Screen on Corente Services Gateway Console in Ravello
13. Select Download Config and press Enter. The network configuration screen is displayed.
14. Set the download site to www.corente.com and select Manual Network Configuration. Set up the network configuration of the WAN interface: enter the IP address, Netmask, Gateway and DNS configured in Ravello on the WAN interface, just as in Step 10.
15. Click Next. In the next screen, enter the username and password to log into the App Net Manager and the name of the gateway (“VPN2DBCSOPC”) that you have created using App Net Manager in step 4.
Figure 19: Log in screen of the CSG on Ravello via console access
16. The location configuration file created in App Net Manager is downloaded onto the Corente Gateway in Ravello. After the download is complete, the on-premises gateway reboots. For security reasons it is not possible to log into the CSG; a network administrator should use App Net Manager to manage the Ravello CSG from this point on.
17. Establish an IPSec tunnel between the Ravello and OCI Classic gateways. In App Net Manager, open Locations and double-click the OPC Corente gateway (VPN2SiebRavello). Open the Partners tab and add a new partner. Select Intranet in the Connection to Partner panel and select the Ravello gateway in the drop-down menu. Click Add at the bottom of the Tubes pane of the Add Partner screen. In both the Local Side and Remote Side of the Tube pane, select Default User Group. See the screenshot below:
Figure 20: Defining partners for the Corente Gateways
18. Repeat Step 17 for the Corente gateway in Ravello (VPN2DBCSOPC). In this case, select VPN2SiebRavello as the partner.
19. Click Save to commit all changes.
20. After a few minutes, when the connection has established, the link between the Ravello and the OCI Classic Cloud gateways will turn green.
Figure 21: Confirmation of established VPN Tunnel on App Net Manager
21. If the link between the Ravello and OPC gateways is not green, check whether the Corente VPN gateway is running on OCI Classic Cloud and in Ravello. Also check that the TCP port (551) is open on both sides. In App Net Manager, go to Alarms and Events and check whether there is an active alarm or error.
Verifying the Siebel CRM application running on Ravello
1. The Cloud Database instance can now be accessed from any VM on Ravello to confirm that the Siebel database and listener service are up and running.
Figure 22: Checking database and listener status
2. Check connectivity from the Siebel server using the ‘srvrmgr’ utility.
Figure 23: Siebel server verification
3. Test connectivity to the Siebel Web Server from a browser. The IP address of the Web
Server is located in the Summary tab of the VM. For this Siebel CRM deployment, the Call Center
component is enabled, and its connectivity is shown below using the public IP assigned
to the VM.
Figure 24: Public IP of Siebel WebServer
Figure 25: Application login
4. Siebel Tools can be verified by connecting to the Tools VM either through RDP or Console
access.
Figure 26: Siebel Tools verification
5. Shutting down the Corente Services Gateway VM in Ravello causes errors while accessing the
Siebel app, proving that the VPN setup is functioning as expected.
Figure 27: Test to prove functioning VPN Tunnel
Learn more
Learn more and sign up for a free trial at https://cloud.oracle.com/ravello
Figure 28: Sign up for a free trial.