Few,if any, concepts are as important to the proper administration of anOracle database as the concept of networking.Connectivity—the ability to makeconnections between clients and databases, as well as betweendatabases—has been a key component of Oracle for over a decade.While some of the terminology and technology has changed, the needfor a clear understanding of networking and how it functions with theOracle framework is at least as critical today as it was whenclient/server was a brand new buzzword.
This chapter discusses networking and how it relates to Oracle. Italso shows you the tools Oracle provides for managing its networkingcomponents and lays out the networking capabilities of the modernOracle database.
The complexity of Oraclenetworking arises to some extent from its basic simplicity. Althoughthat statement appears to contradict itself, it points out a basiccharacteristic of the Oracle networking architecture: it is a simplestructure that can be used to implement complex solutions.Oracle's networking architecture is simple because it isdesigned to allow any Oracle product, running on any supportedplatform, to "talk" to any other Oracle product withoutregard for network topologies or protocols. Figure 5.1 shows several Oracle databases and clientsconnected via a "cloud" with no network identification.
Because Oracle is designed to run on almost any network, using almostany accepted protocol, the configuration of the Oracle componentsthat interface with the network can be very complex, which oftenleads to frustration when the DBA is not sure where to turn in orderto solve a problem. This is because Oracle often hides its underlyingcomplexity. For example, the simple connection shown in Figure 5.1 could, in reality, look more like the morecomplex connection shown in Figure 5.2, where thephysical and logical components of the network can be seen. Thatfigure shows a client and server connected using TCP/IP, 10BaseT, andtoken ring with routers.
Oracleachieves its goal of transparent connectivity between and among itsproducts through the use of a product called SQL*Net.
Simply put, SQL*Net provides all the facilities required for anOracle client (that is, a network machine running a tool that willconnect to the Oracle database) to connect to an Oracle database, tomaintain that connection, and to process transactions on thedatabase. This is done without regard for location(locationtransparency), network protocol(network transparency), host operating system, or anyother factor. SQL*Net also supports the complexities of distributedtransactions, and so is able to:
Determine the location of each server involved in a transaction
Resolve any issues arising from character set differences on the participating nodes
Create and maintain connections to each required node, regardless of network attributes
Handle any network disconnects or other errors
SQL*Net is designed to run on top of an existing network protocol,and is therefore independent of the particular hardware and softwarebeing used to implement a network. As long as SQL*Net on both sidesof the connection is using the same basic protocol (e.g., TCP/IP,LU6.2 or IPX), it won't matter to Oracle how the underlyingnetwork transports the information. Figure 5.3shows the relationship between SQL*Net and the underlying network; itillustrates Oracle, SQL*Net, TCP/IP, and physical transport on bothsides.
The key here is that connectivity to and from the Oracle database andtools is achieved by using SQL*Net, which presents a consistentinterface to Oracle. By utilizing an appropriate protocol adapter (inthis case, TCP/IP) on each side, SQL*Net is able to conform to thenetwork protocol in use. SQL*Net creates data packets using thenative network protocol, and it does not matter how the network isimplemented to actually carry the SQL*Net packets. In fact, SQL*Netdoes not even know if a network exists, and it is possible to useSQL*Net without any network at all by making an internal connectionbetween a client process and a server running on the same machine.
SQL*Net protocol adapters are available to support a variety ofnetwork protocols, including:
Probably the most common universal protocol, TCP/IP originated onUnix systems but is now widely supported by a variety of operatingsystems and network hardware.
This protocol was developed by Novell for use in Netware and isavailable on a variety of operating systems.
This protocol was developed by IBM and is widely used in its SNA(System Network Architecture) strategy.
Named pipes
When Oracle is installed, both SQL*Net and one or more supportedprotocol adapters must be installed. Note that not all protocols aresupported on every host operating system. For example, Oracle forWindows NT does not provide a protocol adapter for LU6.2, since thisis not a protocol normally supported in a Windows environment.
SQL*Netconnections to Oracle databases are made throughservices, which are actually processes runningon the Oracle Server host machine. Each Oracle server maintains oneor more listener processes, which are used to monitor the network forincoming connection requests. When such a request is received, thelistener process is responsible for determining which Oracle instancethe incoming request is seeking a connection with, and establishingan appropriate server process for that connection. The server processmay be established as a dedicated process, or may use theMulti-Threaded Server, depending on how the Oracle instance isconfigured. For more information, see Chapter 10.
In order to identify the Oracle instance to connect with, the SQL*Netconnection request specifies the name of a service (sometimes calleda database alias), which in turn corresponds toa particular Oracle instance on a specific host machine. Therelationships between service names and specific instances and hostsare typically maintained in the filetnsnames.ora (discussed in more detail later inthis chapter). For example, the service name "test" mightactually refer to an Oracle database instance with an SID of TST23,which is accessible via TCP/IP at address 123.234.210.001 using port1526. It is certainly simpler to refer to"test"!
In addition to the standard functionality provided by SQL*Net andNet8, Oracle now offers the AdvancedNetworking Option (ANO) as an extra-cost option. This option providesadditional security-related functionality to Oracle connectivity.Among the capabilities of the Advanced Networking Option are:
Network security
Single sign-on
DCE integration
Improvednetwork security is provided through the following security features:
Encryption
Thetransformation of data so that it is unreadable by anyone without a(secret) decryption key. Encryption ensures the confidentiality ofinformation by keeping its content hidden from anyone for whom it isnot intended, even those who can see the encrypted data. The AdvancedNetworking Option also utilizes public key encryption. In thisscheme, each person receives a pair of keys: a public key and aprivate key.
Each person's public key is published, while the private key isconfidential. Messages encrypted with a public key can only bedecrypted with the corresponding private key. Messages encrypted witha private key can only be decrypted with the corresponding publickey. Keys may not be deduced from each other. The sender and receiverof an encrypted message do not share confidential information, sinceall communications involve only public keys. Private keys are neithertransmitted nor shared.
Digital signature
Anon-forgeable way of authenticating the sender of a message thatsupports non-repudiation of messages. Use of a digital signatureensures that only the purported sender of a message could actuallyhave sent the message. The sender cannot later claim that someoneimpersonated her or him.
Digital certificate
A mechanismused to establish confidence in the identity associated with a publickey by incorporating public keys. A digital certificate is a bindingof a public key to a user by a trusted third party known as aCertificate Authority (CA). The public key and useridentity, together with other information such as the certificateexpiration date, are digitally signed by the CA. CAs serve aselectronic notaries, attesting to the identity of users and thevalidity of their public keys.
The single sign-on feature allows users toaccess multiple accounts and applications with a single password.This feature eliminates the need for multiple passwords for users andsimplifies management of user accounts and passwords for systemadministrators. Authentication adapters provide centralized, secureauthentication services that confirm the identity of users, clients,and servers in distributed environments. Network authenticationservices also can provide the benefit of single sign-on for users.The following authentication adapters are supported:
Kerberos
CyberSAFE
SecurID
Biometric (Identix)
DistributedComputing Environment (DCE) integration enables users totransparently use Oracle tools and applications to access Oracleservers in a DCE environment. The Oracle DCE integration productconsists of two major components:
DCE communications/security adapter
DCE CDS (cell directory service) naming adapter
The DCE communications/security adapter provides:
Authenticated remote procedure call (RPC)
RPCis the transport mechanism that enables multivendor interoperabilityfor DCE integration. RPC also uses additional DCE services, includingdirectory and security services, to provide location transparency andsecure distributed computing.
Integrated security
DCE integration works with the DCE security service to providesecurity within DCE cells. It enables a user logged onto DCE tosecurely access any Oracle application without specifying a usernameor password. This function is referred to as externalauthentication to the database. In addition, clients andservers not running DCE authentication services can interoperate withsystems that have DCE security by specifying an Oracle password.
Data privacy and integrity
DCE integration usesmultiple levels of security to ensure data authenticity, privacy, andintegrity. Users are provided with a range of choices, from noprotection to full encryption for each connection, with a guaranteethat no data has been modified in transit.
The DCE CDS naming adapter offers adistributed, replicated repository service for the names, addresses,and attributes of objects across the network. Because serversregister their name and address information in the DCE CDS namingadapter, Oracle clients can make location-independent connections toOracle servers. An Oracle utility is provided to load the Oracleservice names with corresponding connect descriptors into the DCE CDSnaming adapter. After the names are loaded, Oracle connectdescriptors can be viewed from a central location with standard DCEtools, and services can be relocated without any changes to theclient configuration.
聯(lián)系客服
