Oracle CMAN: CMAN port, firewall rule

Oracle Connection Manager (CMAN)
[Figure: three-layer deployment. Layer 3, Application Server (HTTP/HTTPS from the Client, firewall in front); Layer 2, Connection Manager (CMAN, config in cman.ora, CMAN listen port, TNS-1521 through the firewall); Layer 1, Database Server with its Listener, which registers with CMAN.]
a. Listener registration with CMAN: the database Initialization Parameter Remote Listener points at CMAN, so the Listener registers with CMAN.
b. SQLNET.ORA: valid node checking
# Configure TNS firewall to loopback and local IP address only
TCP.VALIDNODE_CHECKING = YES
TCP.EXCLUDED_NODES = (*.*.*.*)
TCP.INVITED_NODES = (127.0.0.1, 172.20.5.31,172.20.5.51,……)

Note: after adding an IP address to INVITED_NODES in SQLNET.ORA, the Listener needs a STOP/START for the change to take effect.
External procedure Listener: listener.ora
c. Oracle Advanced Security (ASO): SQLNET.ORA network encryption between the Application Server / Client and the database
# Settings for when a client is connecting to this server.
# Incoming connections to database must be checksum'd and encrypted.
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER= (SHA1)
SQLNET.CRYPTO_CHECKSUM_SERVER = required
SQLNET.ENCRYPTION_TYPES_SERVER= (AES256)
SQLNET.ENCRYPTION_SERVER = required
# Settings for when this client is connecting to a server.
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT= (SHA1)
SQLNET.CRYPTO_CHECKSUM_CLIENT = required
SQLNET.ENCRYPTION_TYPES_CLIENT= (AES256)
SQLNET.ENCRYPTION_CLIENT = required
# Seed needs to be randomly generated consisting of between
# 10 and 70 characters. This seed should be different for each host.
SQLNET.CRYPTO_SEED = somerandomalphanumericstringofabout70characters

CMAN listen address: the Oracle Client connects to CMAN's IP Address and Port Number. CMAN rules (cman.ora):
N1=
(configuration=
(address=(protocol=tcp)(host=x.x.x.x)(port=1821))
(parameter_list =
(connection_statistics=yes)
(log_directory=/u01/oracle/product/11.2.0/client_1/network/log)
(log_level=off)
(idle_timeout=0)
(inbound_connect_timeout=0)
(session_timeout=0)
(outbound_connect_timeout=0)
(max_gateway_processes=16)
(min_gateway_processes=2)
(remote_admin=on)
(trace_directory=/u01/oracle/product/11.2.0/client_1/network/trace)
(trace_level=off)
(trace_timestamp=off)
(trace_filelen=1000)
(trace_fileno=1)
(max_cmctl_sessions=4)
(event_group=init_and_term,memory_ops)
)
(rule_list=
# INBOUND RULES
# = Application Server 1
(rule=(src=x.x.x.x)(dst=172.18.1.67)(srv=*)(act=accept))
# = DBA workstations
(rule=(src=172.21.2.0/24)(dst=*)(srv=*)(act=accept))
#
# OUTBOUND RULES
# = Remote DB Server
(rule=(src=172.20.5.0/24)(dst=172.18.1.67)(srv=*)(act=accept))
#
# Local Connections
(rule=(src=172.18.1.67)(dst=127.0.0.1)(srv=*)(act=accept))
(rule=(src=172.18.1.67)(dst=127.0.0.1)(srv=cmon)(act=accept))
#
# All other source IPs
(rule=(src=*)(dst=*)(srv=*)(act=drop))
)
)
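To check a rule_list like the one above before deploying it, here is an added example (not from the page or from Oracle) that parses the rules and evaluates candidate connections against them; it assumes first-match ordering, plain host or CIDR values in src/dst, and uses a constructed sample with a documentation address in place of x.x.x.x.

```python
"""Evaluate a cman.ora rule_list against candidate (src, dst, srv) connections.

Assumptions (not from the page): rules are tried in order and the first match
decides; src/dst are '*', a host IP or a CIDR block; srv is '*' or a service name.
"""
import ipaddress
import re

# Constructed sample, modelled on the page's rule_list (203.0.113.10 stands in
# for the x.x.x.x placeholder of "Application Server 1").
RULE_TEXT = """
(rule_list=
# INBOUND RULES
(rule=(src=203.0.113.10)(dst=172.18.1.67)(srv=*)(act=accept))
(rule=(src=172.21.2.0/24)(dst=*)(srv=*)(act=accept))
# OUTBOUND RULES
(rule=(src=172.20.5.0/24)(dst=172.18.1.67)(srv=*)(act=accept))
# Local Connections
(rule=(src=172.18.1.67)(dst=127.0.0.1)(srv=*)(act=accept))
(rule=(src=172.18.1.67)(dst=127.0.0.1)(srv=cmon)(act=accept))
# All other source IPs
(rule=(src=*)(dst=*)(srv=*)(act=drop))
)
"""

RULE_RE = re.compile(
    r"\(rule=\(src=([^)]*)\)\(dst=([^)]*)\)\(srv=([^)]*)\)\(act=([^)]*)\)\)")


def parse_rules(text):
    """Return [(src, dst, srv, act), ...], skipping '#' comment lines."""
    body = "\n".join(l for l in text.splitlines() if not l.strip().startswith("#"))
    return RULE_RE.findall(body)


def addr_matches(pattern, ip):
    """'*' matches anything; otherwise treat the pattern as a host or CIDR block."""
    if pattern == "*":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def evaluate(rules, src, dst, srv):
    """Action of the first matching rule, or None when no rule matches."""
    for r_src, r_dst, r_srv, act in rules:
        if addr_matches(r_src, src) and addr_matches(r_dst, dst) and r_srv in ("*", srv):
            return act
    return None


def has_default_drop(rules):
    """Defender check: the list should end with the catch-all drop rule."""
    return bool(rules) and rules[-1] == ("*", "*", "*", "drop")
```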

Connection Manager (between Client & Application Server)
IPv6
CMAN