Monday 15 January 2018

Step 9 - Oracle DBCS : Manage Network Security

Network access to the Compute Node associated with Oracle Database Cloud Service is primarily provided by SSH connections on port 22. By default, port 22 is open to allow access to the tools, utilities and other resources on the Compute Node associated with the Oracle Database Cloud Service. You can use SSH client software such as PuTTY on Windows to establish a secure connection and log in as the "opc" or "oracle" user.

To access network protocols and services on a compute node by using a port other than port 22, additional configuration is required:
  • Enable network access to the port: Use the Oracle Database Cloud Service console to enable access to a port on a compute node.
  • Create an SSH tunnel to the port: Creating an SSH tunnel enables you to access a specific compute node port by using an SSH connection as the transport mechanism.

To provide network access to the compute node, the following Oracle Compute Cloud Service networking resources are created:
  • A permanent IP reservation named ipreservation is created and associated with the Compute Cloud Service instance (VM).
  • A security list named ora_db is created and associated with the compute node.
  • The following security applications (port specifications) are created so that they can be used in security rules to enable access to specific ports on the compute node:
    • ora_dbconsole provides TCP access using port 1158
    • ora_dbexpress provides TCP access using port 5500
    • ora_dblistener provides TCP access using the listener port that you specified when you created the database deployment (default 1521)
    • ora_http provides TCP access using port 80
    • ora_httpssl provides TCP access using port 443
  • The following rules are created when a database deployment is created. They are set to disabled by default:
    • ora_p2_ssh: Controls access to port 22; this port is used by the SSH client to connect to the compute node.
    • ora_p2_dbconsole: Controls access to port 1158 and this port is used by Enterprise Manager 11g Database Control.
    • ora_p2_dbexpress: Controls access to port 5500 and this port is used by Enterprise Manager Database Express 12c.
    • ora_p2_dblistener: Controls access to port 1521 and this port is used by SQL*Net.
    • ora_p2_http: Controls access to port 80 and this port is used for HTTP connections.
    • ora_p2_httpssl: Controls access to port 443 and this port is used for HTTPS connections, including Oracle REST Data Services (ORDS), Oracle Application Express (APEX), and Oracle DBaaS Monitor.

Oracle Database Cloud Service uses access rules to provide secure network access to database deployments. You can use the Oracle Database Cloud Service console to perform network access operations such as enabling and disabling access rules and creating new access rules.

You can create an access rule to enable ports not associated with a predefined rule, or to restrict access to ports to only permit connections from specific IP addresses. The security list is used in security rules to enable access to specific security applications (port specifications) on the compute node.

In this article we will demonstrate how to create a custom Security List and Security Rules to enable access to a specific security application (the VNC application on port range 5901 - 5905) on the compute node.

  • Open a web browser and enter the URL you received in the Welcome email to log in to your Oracle Cloud account

https://myservices-xxxxx-xxxxxxxxxxef4b21bb7ee3b2cf4123d1.console.oraclecloud.com/mycloud/faces/dashboard.jspx

  • Enter your username and password

  • On the home page, click "Menu" under the "Compute Classic" cloud service as shown below

  • Click "Open Service Console"

  • Click on "Network"

  • Expand "Shared Network"

  • Click "Security Applications" and then "Create Security Application"

  • Enter a Security Application Name, Port Type, Port Range Start, Port Range End and a Description, and click Create. In our scenario we are enabling access to the VNC application on ports 5901 through 5905

  • Make sure the Security Application has been created by searching for it

  • Click "Security Lists" and then "Create Security List"

  • Enter a Security List Name, leave Inbound Policy and Outbound Policy at the DEFAULT value, and click Create

  • Make sure the Security List has been created by searching for it

  • Click "Security Rules" and then "Create Security Rule"

  • Enter the details as shown below:
Name: any meaningful name
Status: Enabled, to enable the rule
Security Application: the one created above
Source: Security IP List -> public-internet
Destination: the Security List created above, selected from the drop-down
Click Create

  • Make sure the Security Rule has been created by searching for it


  • Click "Instances"

  • Select your Instance and scroll down

  • Click "Add Security List"

  • Select the Security List created above from the drop-down list

  • Make sure the Security List has been added to your Instance

  • Open the VNC client on your desktop/laptop and enter the IP address of your Database Deployment

  • Enter the VNC password that was set when the VNC server software was started on the compute node

  • Enter the oracle user password to connect to the compute node

  • We are now connected to the compute node using VNC
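As an added example (not code from the original post), the following Python check works over a constructed, JSON-shaped copy of the security applications and rules described above and reports which ports the enabled rules leave open to public-internet. That makes it easy to review a rule like the VNC one against the alternative the article itself mentions, an SSH tunnel over port 22. The JSON layout, the "ora_ssh" application and the "office_ips" Security IP List are assumptions, not objects from the Oracle console.

```python
import json

# Constructed sample shaped like the objects the article creates: security
# applications are port specs, security rules pair an application with a
# source IP list and an enabled flag. It is not exported from the console;
# "ora_ssh" and the restricted list "office_ips" are assumed names.
SAMPLE_CONFIG = json.loads("""
{
  "applications": {
    "ora_ssh": "22", "ora_dbconsole": "1158", "ora_dbexpress": "5500",
    "ora_dblistener": "1521", "ora_httpssl": "443", "vnc_app": "5901-5905"
  },
  "rules": [
    {"name": "ora_p2_ssh", "application": "ora_ssh",
     "source": "public-internet", "disabled": false},
    {"name": "ora_p2_dblistener", "application": "ora_dblistener",
     "source": "public-internet", "disabled": true},
    {"name": "ora_p2_httpssl", "application": "ora_httpssl",
     "source": "office_ips", "disabled": false},
    {"name": "vnc_rule", "application": "vnc_app",
     "source": "public-internet", "disabled": false}
  ]
}
""")


def port_range(spec):
    """Turn a port spec such as "22" or "5901-5905" into (start, end)."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def internet_exposed(config):
    """Map rule name -> (start, end) for enabled rules whose source is the
    whole public internet, i.e. ports anyone can reach on the compute node."""
    apps = config["applications"]
    return {
        r["name"]: port_range(apps[r["application"]])
        for r in config["rules"]
        if not r["disabled"] and r["source"] == "public-internet"
    }


def review(config, allowed_public=(22,)):
    """List every internet-exposed port other than SSH: those are the ones
    that belong behind an SSH tunnel or a restricted Security IP List."""
    findings = []
    for name, (lo, hi) in internet_exposed(config).items():
        if not (lo == hi and lo in allowed_public):
            findings.append(f"{name}: tcp {lo}-{hi} open to public-internet")
    return findings


if __name__ == "__main__":
    for line in review(SAMPLE_CONFIG):
        print(line)
```

Disabled rules and rules sourced from a named Security IP List produce no finding; only the VNC rule created in this walkthrough is reported.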




Conclusion

In this article we have learned how to create a custom Security List and Security Rules to enable access to a specific security application (the VNC application on port range 5901 to 5905) on the compute node. Oracle Compute Cloud Service networking creates these resources to provide network access to the compute node.

