Enabling TCPS for Oracle Database Server

You must enable TCPS for the Oracle database before setting up Cloudera Manager. Enabling TCPS establishes a secure channel between the client (Cloudera Manager) and the server (Oracle Database Server).

  1. SSH into the Oracle database server host.
  2. Change to the "oracle" user as follows:
    sudo -su oracle
  3. Append the location of ORACLE_HOME to the PATH environment variable by running the following commands:
    export ORACLE_HOME=/opt/oracle/product/19c/dbhome_1
    export PATH=${PATH}:${ORACLE_HOME}/bin
  4. Create an auto-login wallet by running the following command:
    orapki wallet create -wallet /opt/oracle/product/19c/dbhome_1/wallet -auto_login
    An auto-login wallet uses SSL's single sign-on functionality, so users do not need to specify a password each time they open the wallet.
  5. Add a self-signed certificate to this wallet by running the following command:
    orapki wallet add -wallet /opt/oracle/product/19c/dbhome_1/wallet -dn "CN=server" -keysize 4096 -self_signed -validity 365
  6. Export the certificate from the Oracle wallet by running the following command:
    orapki wallet export -wallet /opt/oracle/product/19c/dbhome_1/wallet -dn "CN=server" -cert server_ca.cert
    This exports the certificate whose subject distinguished name (-dn) is CN=server from the wallet to the file specified by -cert (server_ca.cert).
  7. Add the following lines to the /opt/oracle/product/19c/dbhome_1/network/admin/listener.ora configuration file:
    SSL_CLIENT_AUTHENTICATION = FALSE
    WALLET_LOCATION =
      (SOURCE =
        (METHOD = FILE)
        (METHOD_DATA =
          (DIRECTORY = /opt/oracle/product/19c/dbhome_1/wallet)
        )
      )
    Register a new address in LISTENER:
    (ADDRESS = (PROTOCOL = TCPS)(HOST = [***HOST***])(PORT = 2484))
  8. Add the following lines to the /opt/oracle/product/19c/dbhome_1/network/admin/sqlnet.ora profile configuration file:
    SSL_CLIENT_AUTHENTICATION = FALSE
    WALLET_LOCATION =
      (SOURCE =
        (METHOD = FILE)
        (METHOD_DATA =
          (DIRECTORY = /opt/oracle/product/19c/dbhome_1/wallet)
        )
      )
  9. Add the following lines to the /opt/oracle/product/19c/dbhome_1/network/admin/tnsnames.ora configuration file:
    ORCLPDB1_SSL =
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCPS)(HOST = [***HOST***])(PORT = 2484))
          (CONNECT_DATA =
            (SERVER = DEDICATED)
            (SERVICE_NAME = ORCLPDB1)
          )
          (SECURITY =
            (MY_WALLET_DIRECTORY = /opt/oracle/product/19c/dbhome_1/wallet)
          )
        )
  10. Restart the listener by running the following commands:
    lsnrctl stop
    lsnrctl start
  11. Check the TCPS status by running the following commands:
    sqlplus cm/cmverystr0ngP4ss@ORCLPDB1_SSL
    SELECT sys_context('USERENV', 'NETWORK_PROTOCOL') as network_protocol FROM dual;
    Sample output:
    NETWORK_PROTOCOL
    --------------------------------------------------------------------------------
    tcps
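
The following script is an added example, not part of the original procedure or of Oracle's or Cloudera's tooling. It checks the edits from steps 4 to 9 before the listener is restarted: a TCPS address in listener.ora and tnsnames.ora, the same wallet DIRECTORY in listener.ora and sqlnet.ora, and an auto-login wallet file that only its owner can access. The function names, the host db.example.test and the sample layout built by make_sample are assumptions made for this example.

```shell
#!/bin/sh
# Added example: sanity-check the TCPS configuration edits before restarting the listener.

# Print the first wallet DIRECTORY value set in an Oracle Net file.
wallet_dir() {
    sed -n 's/.*(DIRECTORY *= *\([^) ]*\) *).*/\1/p' "$1" 2>/dev/null | head -n 1
}

# Succeed if the file contains a (PROTOCOL = TCPS) address.
has_tcps() {
    grep -Eiq '\(PROTOCOL *= *TCPS\)' "$1" 2>/dev/null
}

# Succeed if the auto-login wallet exists with no group/other permission bits.
# cwallet.sso opens without a password, so file permissions are what protect the key.
wallet_private() {
    [ -f "$1/cwallet.sso" ] || return 1
    [ "$(ls -ld "$1/cwallet.sso" | cut -c5-10)" = "------" ]
}

# Check one network/admin directory; print each problem, return non-zero if any.
check_tcps() {
    admin=$1; rc=0
    for f in listener.ora tnsnames.ora; do
        has_tcps "$admin/$f" || { echo "$f: no TCPS address"; rc=1; }
    done
    lw=$(wallet_dir "$admin/listener.ora"); sw=$(wallet_dir "$admin/sqlnet.ora")
    if [ -z "$lw" ] || [ "$lw" != "$sw" ]; then
        echo "WALLET_LOCATION missing or different in listener.ora and sqlnet.ora"; rc=1
    fi
    wallet_private "$lw" || { echo "cwallet.sso missing or accessible by group/other"; rc=1; }
    return $rc
}

# Constructed sample layout so the check runs offline; prints the admin directory.
make_sample() {
    root=$(mktemp -d); mkdir -p "$root/wallet" "$root/admin"
    : > "$root/wallet/cwallet.sso"; chmod 600 "$root/wallet/cwallet.sso"
    loc="WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = $root/wallet)))"
    addr="(ADDRESS = (PROTOCOL = TCPS)(HOST = db.example.test)(PORT = 2484))"
    printf '%s\nLISTENER = (DESCRIPTION_LIST = (DESCRIPTION = %s))\n' "$loc" "$addr" > "$root/admin/listener.ora"
    printf 'SSL_CLIENT_AUTHENTICATION = FALSE\n%s\n' "$loc" > "$root/admin/sqlnet.ora"
    printf 'ORCLPDB1_SSL = (DESCRIPTION = %s(CONNECT_DATA = (SERVICE_NAME = ORCLPDB1)))\n' "$addr" > "$root/admin/tnsnames.ora"
    echo "$root/admin"
}
```

On the database host, source the file and call check_tcps with /opt/oracle/product/19c/dbhome_1/network/admin as its argument; a non-zero return means at least one of the printed problems needs fixing before step 10.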