Enabling TCPS for Oracle Database Server
You must enable TCPS for the Oracle database before setting up Cloudera Manager. Enabling TCPS establishes a secure channel between the client (Cloudera Manager) and the server (Oracle Database Server).
- SSH into the Oracle database server host.
- Change to the "oracle" user as follows:

    sudo -su oracle

- Append the location of ORACLE_HOME to the PATH environment variable by running the following commands:

    export ORACLE_HOME=/opt/oracle/product/19c/dbhome_1
    export PATH=${PATH}:${ORACLE_HOME}/bin

- Create an auto-login wallet by running the following command:

    orapki wallet create -wallet /opt/oracle/product/19c/dbhome_1/wallet -auto_login

  An auto-login wallet uses SSL's single sign-on functionality. Users do not need to specify a password each time they open the wallet.
- Add a self-signed certificate to this wallet by running the following command:

    orapki wallet add -wallet /opt/oracle/product/19c/dbhome_1/wallet -dn "CN=server" -keysize 4096 -self_signed -validity 365

- Export the certificate from the Oracle wallet by running the following command:

    orapki wallet export -wallet /opt/oracle/product/19c/dbhome_1/wallet -dn "CN=server" -cert server_ca.cert

  This exports the certificate with the subject's distinguished name (-dn) CN=server from the wallet to the file specified by -cert (server_ca.cert).
- Add the following lines to the /opt/oracle/product/19c/dbhome_1/network/admin/listener.ora configuration file:

    SSL_CLIENT_AUTHENTICATION = FALSE
    WALLET_LOCATION =
      (SOURCE =
        (METHOD = FILE)
        (METHOD_DATA =
          (DIRECTORY = /opt/oracle/product/19c/dbhome_1/wallet)
        )
      )

  Register a new address in LISTENER:

    (ADDRESS = (PROTOCOL = TCPS)(HOST = [***HOST***])(PORT = 2484))

- Add the following lines to the /opt/oracle/product/19c/dbhome_1/network/admin/sqlnet.ora profile configuration file:

    SSL_CLIENT_AUTHENTICATION = FALSE
    WALLET_LOCATION =
      (SOURCE =
        (METHOD = FILE)
        (METHOD_DATA =
          (DIRECTORY = /opt/oracle/product/19c/dbhome_1/wallet)
        )
      )

- Add the following lines to the /opt/oracle/product/19c/dbhome_1/network/admin/tnsnames.ora configuration file:

    ORCLPDB1_SSL =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCPS)(HOST = [***HOST***])(PORT = 2484))
        (CONNECT_DATA =
          (SERVER = DEDICATED)
          (SERVICE_NAME = ORCLPDB1)
        )
        (SECURITY =
          (MY_WALLET_DIRECTORY = /opt/oracle/product/19c/dbhome_1/wallet)
        )
      )

- Restart the listener by running the following commands:

    lsnrctl stop
    lsnrctl start

- Check the TCPS status by running the following commands:

    sqlplus cm/cmverystr0ngP4ss@ORCLPDB1_SSL
    SELECT sys_context('USERENV', 'NETWORK_PROTOCOL') as network_protocol FROM dual;

  Sample output:

    NETWORK_PROTOCOL
    --------------------------------------------------------------------------------
    tcps
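
The listener.ora and sqlnet.ora edits in the steps above can be checked for consistency before the listener is restarted. The script below is an added example, not part of the original Cloudera procedure or any Oracle tooling: it confirms that a TCPS address is registered, that both files point at the same wallet directory, and that no wallet file is accessible to group or other. The function names, the host db.example.test and the sample files are assumptions constructed for illustration.

```bash
# Added example (not Cloudera's or Oracle's code). Function names are hypothetical;
# the sample files are constructed from the settings shown in the steps above.

# Print the first wallet DIRECTORY value found in an Oracle Net file.
# Assumes the path contains no spaces, '#' or ')'.
wallet_dir() {
  sed 's/#.*//' "$1" | tr -d ' \t\n' | grep -oiE 'DIRECTORY=[^)]+' | head -n1 | cut -d= -f2-
}

# Succeed if the file declares at least one TCPS address.
has_tcps_address() {
  sed 's/#.*//' "$1" | tr -d ' \t\n' | grep -qiF '(PROTOCOL=TCPS)'
}

# List wallet files that group or other can read or write. An auto-login
# wallet opens without a password, so file modes are its only guard.
loose_wallet_files() {
  find "$1" -type f \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \)
}

# Audit one network/admin directory: print findings, return 1 if there are any.
audit_tcps() {
  local admin=$1 rc=0 ldir sdir
  has_tcps_address "$admin/listener.ora" || { echo "listener.ora: no TCPS address"; rc=1; }
  ldir=$(wallet_dir "$admin/listener.ora")
  sdir=$(wallet_dir "$admin/sqlnet.ora")
  if [ -z "$ldir" ] || [ "$ldir" != "$sdir" ]; then
    echo "wallet directory differs: listener.ora='$ldir' sqlnet.ora='$sdir'"; rc=1
  fi
  if [ -d "$ldir" ] && [ -n "$(loose_wallet_files "$ldir")" ]; then
    echo "wallet files accessible to group/other under $ldir"; rc=1
  fi
  return "$rc"
}

# Write constructed listener.ora and sqlnet.ora into $1, pointing at wallet $2.
make_sample() {
  local wl="WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = $2)))"
  printf '%s\n' "SSL_CLIENT_AUTHENTICATION = FALSE" "$wl" > "$1/sqlnet.ora"
  printf '%s\n' "SSL_CLIENT_AUTHENTICATION = FALSE" "$wl" \
    "LISTENER = (DESCRIPTION_LIST = (DESCRIPTION =" \
    "  (ADDRESS = (PROTOCOL = TCPS)(HOST = db.example.test)(PORT = 2484))))" > "$1/listener.ora"
}

# Demo on constructed files in a temporary directory.
demo=$(mktemp -d); mkdir "$demo/wallet"
make_sample "$demo" "$demo/wallet"
( umask 077; : > "$demo/wallet/cwallet.sso" )   # empty stand-in for a wallet file
audit_tcps "$demo" && echo "sample configuration passes"
rm -rf "$demo"
```

On a real host, run `audit_tcps "$ORACLE_HOME/network/admin"` as the oracle user.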
