Home -> Usenet -> c.d.o.server -> Re: Accessing Oracle DB Over Internet

Re: Accessing Oracle DB Over Internet

From: GS <GS_at_GS.com>
Date: Tue, 12 Feb 2008 16:50:57 GMT
Message-ID: <R7ksj.7950$FO1.4106@edtnps82> 





Mark D Powell wrote:


> On Feb 9, 10:24 am, "Vladimir M. Zakharychev"

> <vladimir.zakharyc..._at_gmail.com> wrote:


>> On Feb 9, 6:08 pm, Charles Hooper <hooperc2..._at_yahoo.com> wrote:
>>
>>
>>
>>
>>
>>> On Feb 9, 7:04 am, Michael42 <melliot..._at_yahoo.com> wrote:
>>>> Hello,
>>>> Is it possible to connect to an Oracle 10g database over the Internet
>>>> via SQLPlus or Java app from a client system (assuming my local
>>>> firewall permits the listener port I use)?
>>>> If this is possible how can it be made secure?
>>>> Thanks for your comments,
>>>> m42
>>> Yes, it is possible to connect to an Oracle database over the
>>> Internet.  However, it probably is not a good idea to expose the
>>> Oracle database server's listener port directly to the Internet.  A
>>> better approach would be to use the security and data encryption
>>> provided by a VPN to act as a gate keeper to the Oracle database
>>> server's listener port, and to obscure the actual data submitted by
>>> the client and the return data from the database.
>>> You might take a look at the recent thread "Not able to connect to
>>> Oracle database through VPN" in this group for some ideas for how a
>>> VPN server fits into the configuration with firewalls.
>>> Charles Hooper
>>> IT Manager/Oracle DBA
>>> K&M Machine-Fabricating, Inc.
>> Adding to this excellent reply: you can use SSH tunneling for this:
>> SSH will handle authentication, authorization and traffic encryption,
>> similar to what VPNs do. For you it will took as if the database
>> listener is listening on your *local* machine, SSH will forward this
>> local port to the remote side (and this forwarding may even span
>> several hops, depending on configuration.) If the remote listener is
>> on Windows, make sure shared sockets are enabled and active on the
>> listener host (search for USE_SHARED_SOCKET for more details on this
>> feature,) so that all TNS traffic uses single shared port and no port
>> redirects are done by the listener as this will not work (same issue
>> as with VPNs.)
>>
>> Regards,
>>    Vladimir M. Zakharychev
>>    N-Networks, makers of Dynamic PSP(tm)
>>    http://www.dynamicpsp.com- Hide quoted text -
>>
>> - Show quoted text -




> 

> Two good replies.  I would just like to add that you should not run

> your applications on the same server as the database but rather you

> should run your applications from an application server.  You put one

> set of security measures between the application server and the

> internet and if necessary or desired you put a second set of measures

> between the application server and the database server.

> 

> In a setup like the avove if you want to use sqlplus you generally

> have to be able to sign into the application server and run it from

> there.  Or you have to have the ability to connect directly to the

> database server and work from there.  Only the DBA's and System

> Administrators should have access to the database server.  No one else

> and nothing runs there.

> 

> IMHO -- Mark D Powell --

> 

> 

> 




I have often thought being able to connect directly from a workstation 
over the internet as well, so this is a timely thread. I like the idea 
of an SSH tunnel, but have no idea on how to set this up. Is there a 
tutorial on this on OTN or somewhere else? I am also assuming that once 
this is set up a person should also be able to add the database(s) to a 
local install of OEM (or Grid control once we've migrated to 10G) as well?
Received on Tue Feb 12 2008 - 10:50:57 CST












Original text of this message