Implementing Class of Secure Transport (COST) in Oracle RAC 11.2
Introduction:
Class of Secure Transport (COST) is a security feature introduced in Oracle Database 11g Release 2 (11.2) that enhances the security of network communication within Oracle Real Application Clusters (RAC) environments. By implementing COST, you can protect the integrity and confidentiality of data transmitted between RAC instances, reducing the risk of unauthorized access and tampering. This blog post will guide you through the steps to implement COST in your Oracle RAC 11.2 environment.
Prerequisites:
Oracle Database 11.2 installed and configured in RAC mode.
Appropriate network connectivity and communication between RAC instances.
Sufficient privileges to perform administrative tasks.
1. Create the directory and the wallet.
-- Run the following as the grid user.
mkdir /u01/app/11.2.0.2/grid/network/admin/cost
orapki wallet create -wallet /u01/app/11.2.0.2/grid/network/admin/cost
2. The new wallet will contain a number of trusted certificates that are installed by default. Remove all of these well-known trusted certificates from the wallet.
orapki wallet remove -trusted_cert_all -wallet /u01/app/11.2.0.2/grid/network/admin/cost
3. Create a self-signed certificate that will be stored in the wallet.
orapki wallet add -wallet /u01/app/11.2.0.2/grid/network/admin/cost -self_signed -dn "cn=secure_register" -keysize 1024 -validity 3650
4. View the wallet contents to confirm that it has a single trusted and user certificate.
orapki wallet display -wallet /u01/app/11.2.0.2/grid/network/admin/cost -summary
5. Make copies of the finished wallet (ewallet.p12) and place a copy on each node in the same directory location:
/u01/app/11.2.0.2/grid/network/admin/cost
6. Using orapki, create a unique obfuscated auto-login file "cwallet.sso" on each node. Both PMON and the listener will use the cwallet.sso to establish a secure SSL connection with each other. Once the COST parameters restricting registration to TCPS are enabled, only instances that have access to the wallet and the obfuscated wallet (cwallet.sso) will be able to register with the SCAN listeners.
orapki wallet create -wallet /u01/app/11.2.0.2/grid/network/admin/cost -auto_login_local
7. Modify the permissions of the obfuscated wallet (cwallet.sso) to allow usage by authorized group members.
chmod 640 cwallet.sso
[oracle@rac1]$ ls -al
-rw-r----- 1 oracle oinstall 2493 Jul 11 15:18 cwallet.sso
-rw------- 1 oracle oinstall 2416 Jul 11 15:18 ewallet.p12
8. Update the grid home listener.ora so that it references the wallet location and add the COST parameters that will restrict registration. Do this for each node.
Add the wallet location to listener.ora.
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /u01/app/11.2.0.2/grid/network/admin/cost)
)
)
At this time also add the COST registration restrictions for the SCAN listeners to the listener.ora. Leave these parameters commented out for now; they will be enabled later.
In 11.2 RAC the grid agent uses the IPC protocol to create and manage the SCAN listeners, so both IPC and TCPS must be listed.
#SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)
#SECURE_REGISTER_LISTENER_SCAN2 = (IPC,TCPS)
#SECURE_REGISTER_LISTENER_SCAN3 = (IPC,TCPS)
Using srvctl, modify the SCAN listeners to add TCPS protocol endpoints, then restart the SCAN listeners.
srvctl config scan_listener
SCAN Listener LISTENER_SCAN1 exists. Port: TCP:1521
SCAN Listener LISTENER_SCAN2 exists. Port: TCP:1521
SCAN Listener LISTENER_SCAN3 exists. Port: TCP:1521
srvctl modify scan_listener -p TCP:1521/TCPS:1523
srvctl stop scan_listener
srvctl start scan_listener
srvctl config scan_listener
SCAN Listener LISTENER_SCAN1 exists. Port: TCP:1521/TCPS:1523
SCAN Listener LISTENER_SCAN2 exists. Port: TCP:1521/TCPS:1523
SCAN Listener LISTENER_SCAN3 exists. Port: TCP:1521/TCPS:1523
Add the wallet location to the sqlnet.ora of each instance home, i.e., $DB_HOME. If no sqlnet.ora exists, create a new file. Registering instances must know the wallet location and have access to it in order to make the required SSL connection with the SCAN listeners.
[oracle@rac1]$ cat /u01/app/oracle/product/11.2.0/dbhome_2/network/admin/sqlnet.ora
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /u01/app/11.2.0.2/grid/network/admin/cost)
)
)
Modify the instance startup parameter remote_listener so that registration uses the TCPS protocol.
The existing remote_listener value uses an ezconnect string in the form host:port.
show parameter remote_listener
NAME                TYPE        VALUE
------------------- ----------- ------------------------------
remote_listener     string      rac-scan:1521
Associate the three IP addresses assigned to the SCAN listeners with the TCPS port that was added, in this case port 1523.
The SCAN addresses are the same for all instances in the cluster, so the remote_listener value can be set from any instance using the global option sid='*'. This will update the remote_listener value for all instances.
alter system set remote_listener='(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=scan-IP-1)(PORT=1523))(ADDRESS=(PROTOCOL=TCPS)(HOST=scan-IP-2)(PORT=1523))(ADDRESS=(PROTOCOL=TCPS)(HOST=scan-IP-3)(PORT=1523)))' scope=both sid='*';
Changing the remote_listener value is a critical stage, as it forces registration over TCPS using the wallets and certificates that were created in the earlier steps. It is best to stop here and verify that all instances are registering properly with the SCAN listeners. If not, go back and review each of the previous steps to ensure nothing was overlooked.
If registration using TCP needs to be restored for any reason, it is a simple matter to revert to the previously noted ezconnect address. The following command can be run from any instance in the cluster and will change the value globally for all instances. Do not do this unless it is your intention to revert to TCP and not enable the COST restrictions in the next step.
SQL> alter system set remote_listener='rac-scan:1521' scope=both sid='*';
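Because a malformed or partially converted remote_listener value means some instances silently keep registering over plain TCP (or fail to register at all), it helps to validate the descriptor before issuing the alter system. The following check is an added example and not part of the original post or of any Oracle tool: it parses an Oracle Net (KEY=VALUE) descriptor and reports every ADDRESS that is not TCPS on the port added with srvctl (1523 here). The 192.0.2.x hosts are constructed placeholders standing in for the three SCAN IPs.

```python
import re

# Tokens of an Oracle Net descriptor: parentheses, "=", and bare words.
_TOKEN = re.compile(r"\(|\)|=|[^()=\s]+")


def parse_nv(text):
    """Parse a '(KEY=VALUE)' descriptor into a (key, value) tuple.
    value is a str for a leaf or a list of nested tuples. Raises ValueError
    for anything that is not well formed, e.g. an ezconnect host:port string
    or a PORT accidentally nested inside HOST."""
    toks = _TOKEN.findall(text)
    pos = 0

    def node():
        nonlocal pos
        if pos + 2 >= len(toks) or toks[pos] != "(" or toks[pos + 2] != "=":
            raise ValueError("expected (KEY= at token %d" % pos)
        key = toks[pos + 1].upper()
        pos += 3
        if pos < len(toks) and toks[pos] == "(":
            value = []                      # nested descriptors
            while pos < len(toks) and toks[pos] == "(":
                value.append(node())
        elif pos < len(toks):
            value = toks[pos]               # leaf value
            pos += 1
        else:
            raise ValueError("missing value for %s" % key)
        if pos >= len(toks) or toks[pos] != ")":
            raise ValueError("unbalanced parentheses after %s" % key)
        pos += 1
        return key, value

    root = node()
    if pos != len(toks):
        raise ValueError("trailing text after descriptor")
    return root


def check_remote_listener(value, tcps_port="1523"):
    """Return a list of problems; an empty list means every ADDRESS in the
    ADDRESS_LIST registers over TCPS on tcps_port (the port added with srvctl)."""
    try:
        key, entries = parse_nv(value)
    except ValueError as err:
        return ["not a valid descriptor (%s); an ezconnect host:port value "
                "would register over plain TCP" % err]
    if key != "ADDRESS_LIST" or not isinstance(entries, list):
        return ["top-level key is %s, expected ADDRESS_LIST" % key]
    problems = []
    for key, fields in entries:
        f = dict(fields) if isinstance(fields, list) else {}
        if key != "ADDRESS" or "HOST" not in f:
            problems.append("entry %s is not an ADDRESS with a HOST" % key)
            continue
        if f.get("PROTOCOL", "").upper() != "TCPS":
            problems.append("%s: PROTOCOL is %s, not TCPS" % (f["HOST"], f.get("PROTOCOL")))
        if f.get("PORT") != tcps_port:
            problems.append("%s: PORT is %s, not %s" % (f["HOST"], f.get("PORT"), tcps_port))
    return problems


# Constructed sample values (placeholder SCAN IPs, not real addresses).
GOOD = ("(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=192.0.2.11)(PORT=1523))"
        "(ADDRESS=(PROTOCOL=TCPS)(HOST=192.0.2.12)(PORT=1523))"
        "(ADDRESS=(PROTOCOL=TCPS)(HOST=192.0.2.13)(PORT=1523)))")
MIXED = GOOD.replace("(PROTOCOL=TCPS)(HOST=192.0.2.12)", "(PROTOCOL=TCP)(HOST=192.0.2.12)")
NESTED = "(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=(192.0.2.11)(PORT=1523))))"

if __name__ == "__main__":
    for label, val in (("good", GOOD), ("mixed", MIXED), ("nested", NESTED), ("ezconnect", "rac-scan:1521")):
        print(label, check_remote_listener(val) or "OK")
```

Run it against the exact string you intend to pass to alter system; an empty result is the go-ahead, anything else is a descriptor to fix before touching the cluster.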