Re: Accessing Oracle DB Over Internet

From: Vladimir M. Zakharychev <vladimir.zakharychev_at_gmail.com>
Date: Tue, 12 Feb 2008 10:47:25 -0800 (PST)
Message-ID: <3d8c8189-0cd8-442b-86e2-222b63d962e7@m34g2000hsb.googlegroups.com>


On Feb 12, 7:50 pm, GS <G..._at_GS.com> wrote:
> Mark D Powell wrote:
> > On Feb 9, 10:24 am, "Vladimir M. Zakharychev"
> > <vladimir.zakharyc..._at_gmail.com> wrote:
> >> On Feb 9, 6:08 pm, Charles Hooper <hooperc2..._at_yahoo.com> wrote:
>
> >>> On Feb 9, 7:04 am, Michael42 <melliot..._at_yahoo.com> wrote:
> >>>> Hello,
> >>>> Is it possible to connect to an Oracle 10g database over the Internet
> >>>> via SQLPlus or Java app from a client system (assuming my local
> >>>> firewall permits the listener port I use)?
> >>>> If this is possible how can it be made secure?
> >>>> Thanks for your comments,
> >>>> m42
> >>> Yes, it is possible to connect to an Oracle database over the
> >>> Internet. However, it probably is not a good idea to expose the
> >>> Oracle database server's listener port directly to the Internet. A
> >>> better approach would be to use the security and data encryption
> >>> provided by a VPN to act as a gate keeper to the Oracle database
> >>> server's listener port, and to obscure the actual data submitted by
> >>> the client and the return data from the database.
> >>> You might take a look at the recent thread "Not able to connect to
> >>> Oracle database through VPN" in this group for some ideas for how a
> >>> VPN server fits into the configuration with firewalls.
> >>> Charles Hooper
> >>> IT Manager/Oracle DBA
> >>> K&M Machine-Fabricating, Inc.
> >> Adding to this excellent reply: you can use SSH tunneling for this:
> >> SSH will handle authentication, authorization and traffic encryption,
> >> similar to what VPNs do. For you it will look as if the database
> >> listener is listening on your *local* machine, SSH will forward this
> >> local port to the remote side (and this forwarding may even span
> >> several hops, depending on configuration.) If the remote listener is
> >> on Windows, make sure shared sockets are enabled and active on the
> >> listener host (search for USE_SHARED_SOCKET for more details on this
> >> feature,) so that all TNS traffic uses single shared port and no port
> >> redirects are done by the listener as this will not work (same issue
> >> as with VPNs.)
>
> >> Regards,
> >> Vladimir M. Zakharychev
> >> N-Networks, makers of Dynamic PSP(tm)
> >> http://www.dynamicpsp.com
>
> > Two good replies. I would just like to add that you should not run
> > your applications on the same server as the database but rather you
> > should run your applications from an application server. You put one
> > set of security measures between the application server and the
> > internet and if necessary or desired you put a second set of measures
> > between the application server and the database server.
>
> > In a setup like the above if you want to use sqlplus you generally
> > have to be able to sign into the application server and run it from
> > there. Or you have to have the ability to connect directly to the
> > database server and work from there. Only the DBA's and System
> > Administrators should have access to the database server. No one else
> > and nothing runs there.
>
> > IMHO -- Mark D Powell --
>
> I have often thought being able to connect directly from a workstation
> over the internet as well, so this is a timely thread. I like the idea
> of an SSH tunnel, but have no idea on how to set this up. Is there a
> tutorial on this on OTN or somewhere else? I am also assuming that once
> this is set up a person should also be able to add the database(s) to a
> local install of OEM (or Grid control once we've migrated to 10G) as well?

Here's a nice tip: http://www.akadia.com/services/ssh_connect_tunnels.html See OpenSSH docs and/or your SSH client docs for more details on tunneling.

Hth,

   Vladimir M. Zakharychev
   N-Networks, makers of Dynamic PSP(tm)
   http://www.dynamicpsp.com

Received on Tue Feb 12 2008 - 12:47:25 CST

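The tunnel setup GS asks about, written out as an added example that is not part of this thread: it builds the OpenSSH local port forward to the remote listener, binds it to 127.0.0.1 only, and connects SQL*Plus through the local end. All hosts, users, ports and the service name are placeholders; the USE_SHARED_SOCKET caveat from the earlier reply still applies when the listener host is Windows.

```shell
#!/bin/sh
# Added example, not code from the thread. Opens an SSH local port forward
# to a remote Oracle listener and runs SQL*Plus through it.
# Every host name, user name, port and service name here is a placeholder.

# Build the ssh command. The local end is bound to 127.0.0.1 only (a bind
# on 0.0.0.0 would turn the tunnel into an exposed listener of its own) and
# is forwarded to listener_host:listener_port as seen from the SSH server.
# -N: open the forward without a remote shell.
# Args: local_port listener_host listener_port ssh_user@ssh_host
oracle_tunnel_cmd() {
    printf 'ssh -N -L 127.0.0.1:%s:%s:%s %s' "$1" "$2" "$3" "$4"
}

# EZConnect descriptor that points SQL*Plus at the local end of the tunnel.
# Args: local_port service_name
tunnel_connect_string() {
    printf '//127.0.0.1:%s/%s' "$1" "$2"
}

# Accept only a numeric TCP port in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Usage: sh oracle_tunnel.sh run <local_port> <listener_host> <listener_port> \
#            <ssh_user@ssh_host> <service_name>
# e.g.:  sh oracle_tunnel.sh run 1521 db.internal 1521 dba@bastion.example.com ORCL
# The listener must answer on the single forwarded port; on Windows that
# means USE_SHARED_SOCKET is set, otherwise its port redirects bypass the tunnel.
if [ "${1:-}" = "run" ]; then
    shift
    valid_port "$1" && valid_port "$3" || { echo "bad port argument" >&2; exit 2; }
    TUNNEL=$(oracle_tunnel_cmd "$1" "$2" "$3" "$4")
    sh -c "$TUNNEL" &          # tunnel in the background ...
    TUNNEL_PID=$!
    sleep 2                    # ... give it a moment to bind the local port
    sqlplus "scott@$(tunnel_connect_string "$1" "$5")"
    kill "$TUNNEL_PID"         # close the forward when SQL*Plus exits
fi
```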