Re: Accessing Oracle DB Over Internet

From: GS <>
Date: Tue, 12 Feb 2008 16:50:57 GMT
Message-ID: <R7ksj.7950$FO1.4106@edtnps82>

Mark D Powell wrote:
> On Feb 9, 10:24 am, "Vladimir M. Zakharychev"
> <> wrote:

>> On Feb 9, 6:08 pm, Charles Hooper <> wrote:
>>> On Feb 9, 7:04 am, Michael42 <> wrote:
>>>> Hello,
>>>> Is it possible to connect to an Oracle 10g database over the Internet
>>>> via SQLPlus or Java app from a client system (assuming my local
>>>> firewall permits the listener port I use)?
>>>> If this is possible how can it be made secure?
>>>> Thanks for your comments,
>>>> m42
>>> Yes, it is possible to connect to an Oracle database over the
>>> Internet.  However, it probably is not a good idea to expose the
>>> Oracle database server's listener port directly to the Internet.  A
>>> better approach would be to use the security and data encryption
>>> provided by a VPN to act as a gate keeper to the Oracle database
>>> server's listener port, and to obscure the actual data submitted by
>>> the client and the return data from the database.
>>> You might take a look at the recent thread "Not able to connect to
>>> Oracle database through VPN" in this group for some ideas for how a
>>> VPN server fits into the configuration with firewalls.
>>> Charles Hooper
>>> IT Manager/Oracle DBA
>>> K&M Machine-Fabricating, Inc.
>> Adding to this excellent reply: you can use SSH tunneling for this:
>> SSH will handle authentication, authorization and traffic encryption,
>> similar to what VPNs do. For you it will look as if the database
>> listener is listening on your *local* machine, SSH will forward this
>> local port to the remote side (and this forwarding may even span
>> several hops, depending on configuration.) If the remote listener is
>> on Windows, make sure shared sockets are enabled and active on the
>> listener host (search for USE_SHARED_SOCKET for more details on this
>> feature,) so that all TNS traffic uses single shared port and no port
>> redirects are done by the listener as this will not work (same issue
>> as with VPNs.)
>> Regards,
>>    Vladimir M. Zakharychev
>>    N-Networks, makers of Dynamic PSP(tm)

> Two good replies. I would just like to add that you should not run
> your applications on the same server as the database but rather you
> should run your applications from an application server. You put one
> set of security measures between the application server and the
> internet and if necessary or desired you put a second set of measures
> between the application server and the database server.
> In a setup like the above if you want to use sqlplus you generally
> have to be able to sign into the application server and run it from
> there. Or you have to have the ability to connect directly to the
> database server and work from there. Only the DBA's and System
> Administrators should have access to the database server. No one else
> and nothing runs there.
> IMHO -- Mark D Powell --

I have often thought about being able to connect directly from a workstation over the internet as well, so this is a timely thread. I like the idea of an SSH tunnel, but have no idea how to set this up. Is there a tutorial on this on OTN or somewhere else? I am also assuming that once this is set up a person should also be able to add the database(s) to a local install of OEM (or Grid control once we've migrated to 10G) as well?

Received on Tue Feb 12 2008 - 10:50:57 CST
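
The SSH tunnel discussed in this thread, sketched as an added example that is not part of any poster's message: two shell functions that print the forwarding command and a matching tnsnames.ora alias. The login, host names, alias, service name and local port 15210 are constructed placeholders, and the listener is assumed to be on the default port 1521.

```shell
#!/bin/sh
# Added example: SSH local port forwarding to a remote Oracle listener.
# Every host name, login and service name below is a constructed placeholder.

# Print the ssh command that forwards a loopback port to the listener.
# usage: tunnel_cmd SSH_LOGIN DB_HOST [LOCAL_PORT] [LISTENER_PORT]
tunnel_cmd() {
    login=$1 db_host=$2 lport=${3:-1521} rport=${4:-1521}
    for p in "$lport" "$rport"; do
        case $p in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 1; }
    done
    # -N                    forwarding only, no remote shell
    # ExitOnForwardFailure  exit rather than run without the forward in place
    # 127.0.0.1 bind        other machines on the client LAN cannot use the tunnel
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s %s\n' \
        "$lport" "$db_host" "$rport" "$login"
}

# Print a tnsnames.ora alias that points the client at the local tunnel end.
# usage: tns_entry ALIAS SERVICE_NAME [LOCAL_PORT]
tns_entry() {
    printf '%s =\n  (DESCRIPTION =\n' "$1"
    printf '    (ADDRESS = (PROTOCOL = TCP)(HOST = 127.0.0.1)(PORT = %s))\n' "${3:-1521}"
    printf '    (CONNECT_DATA = (SERVICE_NAME = %s))\n  )\n' "$2"
}

# Demo with constructed values: gateway login, internal DB host, local port.
tunnel_cmd dba@gateway.example.com dbhost.internal 15210 1521
tns_entry ORCL_TUNNEL orcl.example.com 15210
```

Run the printed ssh command on the workstation and leave it open, then connect through the alias, for example `sqlplus scott@ORCL_TUNNEL`. The listener must not redirect the session to another port, which is the USE_SHARED_SOCKET point raised earlier in the thread for Windows hosts.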
