Establishing secure connectivity between Oracle Ravello and Oracle Cloud Infrastructure Database Cloud ORACLE WHITE PAPER | DECEMBER 2017



Table of Contents

APPLICATION ARCHITECTURE OVERVIEW 2

CONNECTING RAVELLO TO ORACLE DBCS VIA SECURED SQL*NET 3

CHANGES MADE TO THE VMS IN RAVELLO 4

SECURING LISTENER PORT ACCESS ON ORACLE DATABASE CLOUD SERVICE 5

VERIFYING THE USE OF NATIVE ENCRYPTION AND INTEGRITY 7

CONNECTING RAVELLO TO ORACLE DBCS VIA A VPN TUNNEL 8

SETTING UP THE DYNAMIC ROUTING GATEWAY IN OCI 8

SETTING UP THE PFSENSE VPN GATEWAY FOR THE APP TIER IN RAVELLO 11

VERIFYING THE SIEBEL CRM APPLICATION RUNNING ON RAVELLO 17

LEARN MORE 20


Oracle Ravello is an overlay cloud service that enables enterprises to run their VMware and KVM applications, with data-center-like (Layer 2) networking, ‘as-is’ on public clouds without making any modifications. With Ravello, enterprises don’t need to convert their VMs or change networking. This empowers businesses to rapidly develop and deploy existing data-center applications on the public cloud without the associated infrastructure and migration cost and overhead for a variety of use-cases such as PoC, dev, test, staging, UAT, production, training etc.

Application Architecture Overview

Enterprises looking to move their VMware based applications with large databases to the public cloud have multiple options. They can move the entire app onto Ravello on Oracle Cloud Infrastructure (OCI) or use a combination of Ravello on OCI (for web & app tier) in conjunction with Oracle PaaS (e.g. DBCS) on OCI. When used in the latter mode, secure connectivity between the web/app tier on Ravello on OCI and the Database Cloud Service instance on OCI is a key requirement. There are multiple methods to establish secured connections between an application on Ravello and a single instance database on Oracle DBCS. Two of them are described in this whitepaper with Siebel CRM as an example.

Figure 1: Siebel CRM architecture distributed between Ravello and DBCS

This paper assumes that the Siebel app and web tier have been moved from the customer datacenter to Ravello and the database has been migrated to Oracle Database Cloud Service – Classic. The app and web tier of Siebel on Ravello consists of 6 VMs of 2 vCPUs and 4 GB of memory each – the Siebel App Server, the Siebel Gateway, the Siebel Web Server, the Siebel file system, the Siebel Tools, and the Siebel Web Client VM.

Figure 2: Siebel Deployment in Ravello

The Siebel Database is a single instance Oracle Database Cloud Service instance hosted on Oracle Cloud Infrastructure with a configuration of 2 OCPUs and 14 GB of memory.

Figure 3: Siebel Database instance in Oracle Database Cloud Service

In the case of the above Siebel deployment, three VMs – Siebel App Server, Siebel Gateway, and Siebel Tools – need a secured connection to the database deployment on Oracle Database Cloud Service.

Connecting Ravello to Oracle DBCS via Secured SQL*Net


To secure connections to Oracle Database Cloud on OCI, native SQL*Net encryption and integrity capabilities can be used. Encryption of network data provides data privacy so that unauthorized parties are not able to view data as it passes over the network. In addition, integrity algorithms protect against data modification and illegitimate replay. Oracle Database provides the Advanced Encryption Standard (AES), DES, 3DES, and RC4 symmetric cryptosystems for protecting the confidentiality of SQL*Net traffic. By default, database deployments on Database Cloud Service are configured to enable native SQL*Net encryption and integrity.

Changes made to the VMs in Ravello

Port 1521 is used as the listener port for Oracle client connections to the database over Oracle's SQL*Net protocol. The tnsnames.ora file in the client VMs defines the connection to the Oracle Database and needs to be modified to point to the Oracle DBCS instance.

Follow these steps to check the encryption configuration and set up secure connectivity between the app on Ravello and the Oracle DBCS instance.

1. Connect to the Siebel App Server VM via the console.

2. Change directories to the location of the SQL*Net configuration files tnsnames.ora and sqlnet.ora.

3. View the sqlnet.ora file and confirm that it does not contain the following parameter settings:

If the client VM has the above parameters set, the connection will fail with the following error:

ORA-12660: Encryption or crypto-checksumming parameters incompatible.

4. Update the tnsnames.ora with the host IP address, the port number, and the service name of the DBCS instance. Alternatively, you can define the hostname of the DB in the /etc/hosts file and use the host name instead of the host IP address in the tnsnames.ora file.


Figure 4: Relevant DBCS connection information

Figure 5: Example tnsnames.ora file

5. Perform steps 1 to 5 for all the VMs that connect to the Oracle Database Cloud instance. In this case, the Siebel App Server, Siebel Gateway and Siebel Tools.
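The ORA-12660 failure in step 3 is the outcome of Oracle Net's per-service negotiation between the client's sqlnet.ora and the server's: each side declares one of REJECTED, ACCEPTED, REQUESTED or REQUIRED, and a REQUIRED side meeting a REJECTED side cannot connect. The following script is an added example (not code from this white paper) that parses a client sqlnet.ora, applies that negotiation matrix and predicts whether the session will be encrypted, unencrypted, or fail; it is a pre-flight check you can run before touching the VMs. The sample files are constructed, and modelling the DBCS server side as REQUIRED for both services is this example's assumption (the paper only says both are enabled by default).

```python
"""Predict whether a client's sqlnet.ora will negotiate native SQL*Net
encryption and integrity with a DBCS-style server, or fail with ORA-12660."""
import re

LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")
DEFAULT_LEVEL = "ACCEPTED"  # Oracle Net's default when the parameter is absent

# (client parameter, server parameter, service) for the two negotiated services
SERVICES = (
    ("SQLNET.ENCRYPTION_CLIENT", "SQLNET.ENCRYPTION_SERVER", "encryption"),
    ("SQLNET.CRYPTO_CHECKSUM_CLIENT", "SQLNET.CRYPTO_CHECKSUM_SERVER", "integrity"),
)

# Assumed DBCS server-side settings: the paper says both services are enabled
# by default on DBCS; modelling that as REQUIRED is this example's assumption.
DBCS_SERVER = {
    "SQLNET.ENCRYPTION_SERVER": "REQUIRED",
    "SQLNET.CRYPTO_CHECKSUM_SERVER": "REQUIRED",
}

# Constructed sample files (not taken from the paper).
REJECTING_SQLNET_ORA = """# client that refuses both services
SQLNET.ENCRYPTION_CLIENT = REJECTED
SQLNET.CRYPTO_CHECKSUM_CLIENT = REJECTED
"""
REQUESTING_SQLNET_ORA = """# client that asks for both services
SQLNET.ENCRYPTION_CLIENT = REQUESTED
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256)
SQLNET.CRYPTO_CHECKSUM_CLIENT = REQUESTED
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA256)
"""


def parse_sqlnet_ora(text):
    """Return {PARAMETER: VALUE} for `NAME = value` lines; '#' starts a comment.
    Keys and values are upper-cased (Oracle Net treats them case-insensitively)."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.]+)\s*=\s*(.+?)$", line)
        if m:
            params[m.group(1).upper()] = m.group(2).strip().upper()
    return params


def negotiate(client_level, server_level):
    """Oracle Net's negotiation matrix for one service: 'ON', 'OFF' or 'FAIL'.
    FAIL is the REQUIRED-versus-REJECTED case that surfaces as ORA-12660."""
    if client_level not in LEVELS or server_level not in LEVELS:
        raise ValueError(f"unknown level: {client_level!r}/{server_level!r}")
    pair = {client_level, server_level}
    if pair == {"REJECTED", "REQUIRED"}:
        return "FAIL"
    if "REJECTED" in pair:
        return "OFF"          # one side refuses and nobody insists
    if pair == {"ACCEPTED"}:
        return "OFF"          # both merely willing: the service stays off
    return "ON"               # at least one side asked or insisted


def check_client(client_params, server_params=DBCS_SERVER):
    """Outcome per service for a parsed client sqlnet.ora against a server."""
    outcome = {}
    for client_key, server_key, service in SERVICES:
        c = client_params.get(client_key, DEFAULT_LEVEL)
        s = server_params.get(server_key, DEFAULT_LEVEL)
        outcome[service] = negotiate(c, s)
    return outcome


def will_connect(outcome):
    """False if any service negotiation fails (the client gets ORA-12660)."""
    return "FAIL" not in outcome.values()


if __name__ == "__main__":
    for label, text in (("rejecting", REJECTING_SQLNET_ORA),
                        ("requesting", REQUESTING_SQLNET_ORA)):
        result = check_client(parse_sqlnet_ora(text))
        status = "connects" if will_connect(result) else "ORA-12660 expected"
        print(f"{label:>10}: {result} -> {status}")
```

A client file with neither parameter set (Oracle's ACCEPTED default) still negotiates both services against a REQUIRED server, which is why the paper only asks you to confirm the REJECTED-style settings are absent rather than to add anything.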

Securing listener port access on Oracle Database Cloud Service

Follow the given steps to restrict access to the Oracle DBCS instance to only the app VMs on Ravello.

1. Set up elastic IPs for the Siebel App Server VM on Ravello by clicking on the NICs tab. Using an Elastic IP will allow the app server VM to retain the IP address across multiple restarts.


Figure 6: Selecting Elastic IPs for the Siebel App Server

2. Repeat Step 1 for the Siebel Gateway and Siebel Tools VMs.

3. In the OCI console, Select Networking and Virtual Cloud Networks.

4. Choose the VCN to which your DBCS instance is connected.

5. Select Security Lists from the left pane and open the security list associated with the subnet to which the DBCS instance is connected.

Figure 7: Select Security Rules from your VCN page.

6. On the Security Lists page, select Edit All Rules and enter the appropriate information as described below.


Figure 8: Create Access Rule for VMs in Ravello

a. Source CIDR: Add the Elastic IP address of the VMs that will communicate with the DB (E.g: 85.190.179.173/32)

b. Protocol: Select TCP.

c. Source Port Range: Leave blank.

d. Destination Port Range: Enter 1521.

7. Delete any other rules that allow access to port 1521.

8. Click Save Security List Rules.

9. Access to port 1521 is now restricted to only the VMs running on Ravello.
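Steps 6 to 9 express an invariant that is easy to break later (someone re-adds a broad rule for port 1521), so it is worth checking mechanically. The script below is an added example, not code from this white paper or from the OCI SDK: it audits a security list's ingress rules and reports every rule that reaches TCP/1521 from a source other than an approved /32 elastic IP, plus any approved VM that has no rule at all. The rules are a constructed sample modelled on the shape of OCI's IngressSecurityRule (source, protocol, tcp_options with a destination_port_range); those field names, the second and third approved addresses, and the remediation helper are assumptions of this example, while the first address is the paper's own example IP.

```python
"""Audit the ingress rules of an OCI security list so that TCP/1521 is
admitted only from the approved Ravello elastic IPs, each as a single host."""
import ipaddress

LISTENER_PORT = 1521
TCP = "6"  # OCI names protocols by IANA number ("6" = TCP); "all" means any protocol

# Approved sources: the first is the paper's example elastic IP, the others are constructed.
APPROVED_SOURCES = ["85.190.179.173/32", "85.190.179.174/32", "85.190.179.175/32"]

# Constructed sample security list, modelled on the shape of OCI's
# IngressSecurityRule (field names are an assumption of this example).
SAMPLE_INGRESS_RULES = [
    {"source": "85.190.179.173/32", "protocol": "6",
     "tcp_options": {"destination_port_range": {"min": 1521, "max": 1521}}},
    {"source": "85.190.179.174/32", "protocol": "6",
     "tcp_options": {"destination_port_range": {"min": 1521, "max": 1521}}},
    # leftover open listener rule of the kind step 7 says to delete
    {"source": "0.0.0.0/0", "protocol": "6",
     "tcp_options": {"destination_port_range": {"min": 1521, "max": 1521}}},
    # SSH rule: unrelated to the listener, so the audit ignores it
    {"source": "0.0.0.0/0", "protocol": "6",
     "tcp_options": {"destination_port_range": {"min": 22, "max": 22}}},
]


def rule_covers_port(rule, port):
    """True if the rule's protocol and destination range admit TCP `port`."""
    proto = rule.get("protocol")
    if proto == "all":
        return True
    if proto != TCP:
        return False
    rng = (rule.get("tcp_options") or {}).get("destination_port_range")
    if rng is None:
        return True  # TCP with no range means every TCP port
    return rng["min"] <= port <= rng["max"]


def audit_listener_rules(ingress_rules, approved_sources, port=LISTENER_PORT):
    """Return findings (strings) for every rule that reaches `port`; an empty
    list means only the approved /32 hosts can reach the listener."""
    approved = {ipaddress.ip_network(s) for s in approved_sources}
    seen = set()
    findings = []
    for i, rule in enumerate(ingress_rules):
        if not rule_covers_port(rule, port):
            continue
        src = rule.get("source", "")
        try:
            net = ipaddress.ip_network(src)
        except ValueError:
            findings.append(f"rule {i}: unparseable source {src!r}")
            continue
        if net.prefixlen != net.max_prefixlen:
            findings.append(f"rule {i}: source {src} is a range, not a single host")
        if net in approved:
            seen.add(net)
        else:
            findings.append(f"rule {i}: source {src} is not an approved app VM")
    for net in sorted(approved - seen, key=str):
        findings.append(f"no rule admits approved source {net}")
    return findings


def remediate(ingress_rules, approved_sources, port=LISTENER_PORT):
    """Return a copy of the rules in which every rule reaching `port` (including
    any-protocol rules) is replaced by one exact-port TCP rule per approved /32."""
    kept = [r for r in ingress_rules if not rule_covers_port(r, port)]
    for src in approved_sources:
        kept.append({"source": src, "protocol": TCP,
                     "tcp_options": {"destination_port_range": {"min": port, "max": port}}})
    return kept


if __name__ == "__main__":
    for finding in audit_listener_rules(SAMPLE_INGRESS_RULES, APPROVED_SOURCES):
        print("FINDING:", finding)
    fixed = remediate(SAMPLE_INGRESS_RULES, APPROVED_SOURCES)
    print("after remediation:", audit_listener_rules(fixed, APPROVED_SOURCES) or "clean")
```

The remediation drops any rule that reaches the listener port, including a catch-all "all protocols" rule, so review what it removes before applying the result to a real security list.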

Verifying the use of Native Encryption and Integrity

Connect to the Oracle Database Cloud instance from the Siebel App Server VM and verify the use of native SQL*Net encryption and integrity by examining the network service banner entries associated with each connection. This information is contained in the NETWORK_SERVICE_BANNER column of the V$SESSION_CONNECT_INFO view. The following example shows the SQL command used to display the network service banner entries associated with the current connection:

The following example output shows banner information for the available encryption service and the crypto-checksumming (integrity) service, including the algorithms in use:
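The banner rows distinguish a service that is merely loaded ("Encryption service for …") from one that was actually negotiated for this session (an "… service adapter" row naming the algorithm), and it is the adapter rows that prove the session is protected. The following script is an added example, not code from this white paper: it parses rows of the kind the query returns and checks that both an AES encryption adapter and a SHA-2 crypto-checksumming adapter are present. The query string is the one Oracle documents for this check (the paper's own command is not reproduced on the page); the banner rows are a constructed sample in the documented format, and the acceptable-algorithm policy is this example's own.

```python
"""Parse V$SESSION_CONNECT_INFO banner rows and confirm that the session is
protected by native encryption and crypto-checksumming with acceptable algorithms."""
import re

# The query a client session runs in SQL*Plus (documented by Oracle); its
# output rows are what this example parses.
BANNER_QUERY = (
    "SELECT network_service_banner FROM v$session_connect_info "
    "WHERE sid IN (SELECT DISTINCT sid FROM v$mystat)"
)

# Constructed sample output in the documented banner shape (version string illustrative).
PROTECTED_SESSION = [
    "TCP/IP NT Protocol Adapter for Linux: Version 12.1.0.2.0 - Production",
    "Encryption service for Linux: Version 12.1.0.2.0 - Production",
    "AES256 Encryption service adapter for Linux: Version 12.1.0.2.0 - Production",
    "Crypto-checksumming service for Linux: Version 12.1.0.2.0 - Production",
    "SHA256 Crypto-checksumming service adapter for Linux: Version 12.1.0.2.0 - Production",
]
# Constructed: a session where neither service was negotiated (both sides ACCEPTED).
CLEARTEXT_SESSION = [
    "TCP/IP NT Protocol Adapter for Linux: Version 12.1.0.2.0 - Production",
    "Encryption service for Linux: Version 12.1.0.2.0 - Production",
    "Crypto-checksumming service for Linux: Version 12.1.0.2.0 - Production",
]

ENC_ADAPTER = re.compile(r"\b([A-Za-z0-9_]+) encryption service adapter", re.IGNORECASE)
CHK_ADAPTER = re.compile(r"\b([A-Za-z0-9_]+) crypto-checksumming service adapter", re.IGNORECASE)


def parse_banners(rows):
    """Return {'encryption': ALG or None, 'integrity': ALG or None}. Only the
    'service adapter' rows name an algorithm; a missing adapter row means the
    service was loaded but not negotiated for this session."""
    found = {"encryption": None, "integrity": None}
    for row in rows:
        m = ENC_ADAPTER.search(row)
        if m:
            found["encryption"] = m.group(1).upper()
        m = CHK_ADAPTER.search(row)
        if m:
            found["integrity"] = m.group(1).upper()
    return found


def assess(found):
    """Policy of this example: require an AES cipher and a SHA-2 checksum."""
    problems = []
    enc, chk = found["encryption"], found["integrity"]
    if enc is None:
        problems.append("no encryption adapter negotiated: SQL*Net traffic is in clear")
    elif not enc.startswith("AES"):
        problems.append(f"encryption uses {enc}; expected an AES cipher")
    if chk is None:
        problems.append("no crypto-checksumming adapter negotiated: no integrity protection")
    elif not chk.startswith("SHA") or chk == "SHA1":
        problems.append(f"integrity uses {chk}; expected SHA-2 (SHA256 or stronger)")
    return problems


def verify_session(rows):
    """(ok, algorithms, problems) for one session's banner rows."""
    found = parse_banners(rows)
    problems = assess(found)
    return (not problems, found, problems)


if __name__ == "__main__":
    for name, rows in (("protected", PROTECTED_SESSION), ("cleartext", CLEARTEXT_SESSION)):
        ok, found, problems = verify_session(rows)
        print(f"{name}: {'OK' if ok else 'FAIL'} {found} {problems}")
```

Run the query from each of the three Siebel VMs rather than once from SQL*Plus on the database host: the banner describes the session you are in, and a local bequeath session says nothing about what the remote clients negotiated.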


Connecting Ravello to Oracle DBCS via a VPN tunnel

Another way to establish secure connections to the Oracle Cloud Infrastructure Database Cloud instance is via a VPN tunnel. Oracle Cloud Infrastructure provides a Dynamic Routing Gateway through which an IPSec tunnel can be created. A pfSense Gateway will be added to the app and web tier in Ravello and all external traffic for the app will be routed through this VM.

Figure 9: IPsec VPN implementation diagram

Setting up the Dynamic Routing Gateway in OCI

In order to create a Dynamic Routing Gateway (DRG) for the Cloud Database instance and set up the IPSec tunnel, the following information is needed.

• The VCN’s CIDR

• The public IP address of the on-premises router

• The static routes for the IPSec connection

Follow these steps to set up the gateway and IPSec tunnel in the Oracle Cloud Infrastructure.

A. Create the DRG

1. Click Networking, and then click Dynamic Routing Gateways.

2. Click Create Dynamic Routing Gateway.

3. Enter the following:

• Create in Compartment: Leave as is (the VCN's compartment).

• Name: A friendly name for the DRG.

4. Click Create Dynamic Routing Gateway. The DRG will be in the "Provisioning" state for a short period. Make sure it is done being provisioned before continuing.

Figure 10: Create a Dynamic Routing Gateway

B. Attach the DRG to your VCN

1. Click the DRG that was just created.

2. On the left side of the page, click Virtual Cloud Networks.

3. Click Attach to Virtual Cloud Network.

4. Select the VCN you created earlier, and then click Attach to Virtual Cloud Network.

The attachment will be in the "Attaching" state for a short period before it's ready.

C. Update the routing in the VCN to use the DRG

1. Click Networking, click Virtual Cloud Networks, and then click the VCN to which the DRG is attached.

2. Click Route Tables to see a list of the route tables. For each subnet that needs to communicate with your on-premises network, update that subnet's route table with a new route for the DRG:

a. For a given route table (the default route table in this example), click Create Route Rule.

b. Enter the following:

• CIDR: The CIDR for the on-premises network.

• Target Type: Dynamic Routing Gateway.

• Target Compartment: Leave as is.

• Target: The DRG created earlier.

c. Click Create. The route table now directs traffic destined for your on-premises network to the DRG.


Figure 11: Update Route Rule to use the DRG

D. Create a Customer-Premises Equipment (CPE) object and provide your router’s public IP address

1. Click Networking, and then click Customer-Premises Equipment.

2. Click Create Customer-Premises Equipment.

3. Enter the following:

• Create in Compartment: Leave as is (the VCN's compartment).

• Name: A friendly name for the CPE object.

• IP Address: The IP address of the on-premises router at the Ravello end of the VPN.

4. Click Create. The CPE object will be in the "Provisioning" state for a short period.

E. From the DRG, create an IPSec connection to the CPE and provide the static routes

1. Click Networking, and then click Dynamic Routing Gateways.

2. Click the DRG you created earlier.

3. Click Create IPSec Connection.

4. Enter the following:

• Create in Compartment: Leave as is (the VCN's compartment).

• Name: Enter a friendly name for the IPSec connection. It doesn't have to be unique, and it cannot be changed later in the Console (but you can change it with the API).

• Customer-Premises Equipment Compartment: Leave as is (the VCN's compartment).

• Customer-Premises Equipment: Select the CPE object you created earlier.

• Static Route CIDR: The CIDR block for a static route (see the list of information needed at the start of this section). For this example, enter 0.0.0.0/0.

5. Click Create IPSec Connection.

The IPSec connection will be in the "Provisioning" state for a short period.


Figure 12: Create an IPSec Connection from the DRG

6. Click the Actions icon, and then click Tunnel Information.

The configuration information for each tunnel is displayed (the IP address of the VPN headend and the shared secret). Also, the tunnel's status is displayed (possible values are "Available" or "Down"). At this point, the status will be "Down".

7. The tunnel information will be used to configure the pfSense Gateway in Ravello.

Setting up the pfSense VPN gateway for the app tier in Ravello

In order to create an IPSec tunnel between the app and web tier on Ravello and the Oracle Database Cloud instance on OCI, a pfSense Gateway VM needs to be added to the Ravello environment and all external traffic needs to be routed through the pfSense VM.

The following steps illustrate the preparation of the Ravello environment to set up a pfSense Gateway.

1. Add a pfSense VM from the Ravello library by dragging it on to the canvas.


Figure 13: Adding a pfSense Gateway VM to the Ravello environment.

2. Open NIC properties of the pfSense VM and configure the public (WAN) and private (LAN) NICs. Configure static IPs for both NICs. For WAN NIC in external access select “Elastic IP” option and assign an elastic IP from the list.

3. For the LAN NIC configure only “Static IP” and “Netmask”. There is no need to fill in the “Gateway” and “DNS” fields. Do not configure external access.

Figure 14: Public and Private network configurations of the CSG.

4. In the Services tab, on the WAN interface, add the following supplied services:

• UDP ports 500 (IPSec Phase 1), 4500 (IPSec Phase 2) and 88

• TCP ports 80 and 443 (for the web interface)

Figure 15: Adding supplied services on ports 500, 4500, 80, and 443

Next, all external traffic will be routed through the pfSense VM.

5. In the NIC tab of the Siebel App Server VM, remove the Gateway and DNS address from the public NIC and in the private NIC, add the internal IP address of the pfSense VM as the Gateway and DNS address.


Figure 16: Update the Gateway and DNS addresses of all VMs with external traffic

6. Log into the console of the VM and make the same updates as in Step 5 to the interface configuration files for the private and public NICs. The ifcfg files are usually found under /etc/sysconfig/network-scripts/.

Figure 17: Update the if-cfg files through the console of the VM

7. Repeat Steps 5 and 6 for the Siebel Gateway and Siebel Tools VMs.

The next step is to configure the pfSense Services Gateway on Ravello. The VPN IPsec tunnel settings will be created through the web interface of the pfSense virtual appliance.

8. Connect to the pfSense web admin page via the Elastic IP assigned to the pfSense (use https://<ElasticIPaddress>). The default login credentials are:

Username: admin

Password: pfsense


The setup of the tunnel is comprised of two phases:

• Phase 1 specifies how the tunnel connects to its remote peer (DBCS on OCI).

• Phase 2 specifies which local network traffic/subnets should be sent through the tunnel. This division makes it possible for the tunnel to handle requests from multiple local subnets. In this example, one local subnet, 10.1.0.0/24, connects to 10.0.0.0/16 through the tunnel that has the two endpoints 31.220.71.130 and 129.213.7.49.

1. Add firewall rules to the WAN interface to allow incoming connections (3 rules for UDP ports 88, 500, 4500):

Figure 18: Firewall rules for IPSec tunnel

Phase 1 Configuration

1. Click on IPSec under the VPN tab. Click Add P1

2. For pfSense, the P1 options are:

• ISAKMP Protocol version 1

• Remote Gateway: Enter the tunnel IP address assigned to the OCI IPSec connection in Step 6

• Authentication method: pre-shared-keys

• Exchange type: Main mode

• My Identifier: IP address <Elastic IP of pfSense VM>

• Pre Shared Key: Enter the key corresponding to the Remote Gateway IP address

• Encryption: AES-128-cbc, AES-192-cbc, or AES-256-cbc

• Authentication algorithm: SHA-256, or SHA-384

• Diffie-Hellman group: group 1, group 2, or group 5

• IKE session key lifetime: 28800 seconds (8 hours)

3. Click Save.


Figure 19: Configuring Phase 1 of IPSec tunnel in pfSense

4. Click Add P2.

5. The P2 options are:

• Local Network: Lan Subnet

• Remote Network: Network <Private CIDR of OCI VCN>

• IPSec protocol: ESP, tunnel-mode

• Encryption: AES-128-cbc, AES-192-cbc, or AES-256-cbc

• Authentication algorithm: HMAC-SHA1-96

• IPSec session key lifetime: 3600 seconds (1 hour)

• Perfect Forward Secrecy (PFS): enabled, group 5

6. Click Save and then Apply Changes.
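The Phase 1 and Phase 2 steps above each offer a menu of ciphers, hashes and Diffie-Hellman groups, and the choice matters: the groups differ by an order of magnitude in modulus size, and PFS only helps if its group is strong. The script below is an added example, not code from this white paper or from pfSense, that rates a proposal written down in the form those steps ask for (IKE version, exchange mode, cipher, hash, DH group, lifetimes, PFS group) and returns pass/warn/fail findings. The two proposals are constructed from the strongest of the paper's Phase 1 options and the paper's Phase 2 options as listed; the thresholds (MODP below 1536 bits fails, 1536 bits warns, SHA-1 warns) are this example's own policy and an assumption, not a requirement stated by the paper or by OCI.

```python
"""Rate IKE Phase 1 and ESP Phase 2 proposals, in the form the pfSense steps
above ask for, against a simple strength policy before applying them."""

# MODP group sizes from RFC 2409 (groups 1, 2) and RFC 3526 (5, 14, 15, 16)
DH_MODP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}
ECP_GROUPS = {19: 256, 20: 384, 21: 521}  # RFC 5903 elliptic-curve groups

MIN_MODP_BITS = 2048     # this example's policy: MODP below 1536 fails,
WARN_MODP_BITS = 1536    # 1536-bit is tolerated with a warning

# Constructed proposals: the strongest Phase 1 options the paper lists, and
# the Phase 2 options as listed.
PHASE1_FROM_PAPER = {"ike_version": 1, "exchange": "main", "auth": "psk",
                     "encryption": "aes-256-cbc", "hash": "sha256",
                     "dh_group": 5, "lifetime": 28800}
PHASE2_FROM_PAPER = {"protocol": "esp", "mode": "tunnel",
                     "encryption": "aes-256-cbc", "integrity": "hmac-sha1-96",
                     "pfs_group": 5, "lifetime": 3600}


def _check_cipher(name, findings, where):
    """Accept only AES with a key of at least 128 bits (names like aes-256-cbc)."""
    parts = name.lower().split("-")
    if parts[0] != "aes" or len(parts) < 2 or not parts[1].isdigit():
        findings.append(("fail", f"{where}: cipher {name} is not AES"))
    elif int(parts[1]) < 128:
        findings.append(("fail", f"{where}: AES key of {parts[1]} bits is too short"))


def _check_group(group, findings, where):
    """Rate a DH/PFS group by its modulus size; ECP groups pass as-is."""
    if group in ECP_GROUPS:
        return
    bits = DH_MODP_BITS.get(group)
    if bits is None:
        findings.append(("warn", f"{where}: DH group {group} not in this policy's table"))
    elif bits < WARN_MODP_BITS:
        findings.append(("fail", f"{where}: DH group {group} ({bits}-bit MODP) is too weak"))
    elif bits < MIN_MODP_BITS:
        findings.append(("warn", f"{where}: DH group {group} ({bits}-bit MODP) is below {MIN_MODP_BITS}-bit"))


def assess_phase1(p1):
    findings = []
    if p1["exchange"].lower() == "aggressive" and p1["auth"].lower() == "psk":
        findings.append(("fail", "phase 1: aggressive mode with PSK is weaker than main mode"))
    _check_cipher(p1["encryption"], findings, "phase 1")
    h = p1["hash"].lower()
    if h == "md5":
        findings.append(("fail", "phase 1: MD5 hash is not acceptable"))
    elif h == "sha1":
        findings.append(("warn", "phase 1: SHA-1 hash; prefer SHA-256 or SHA-384"))
    _check_group(p1["dh_group"], findings, "phase 1")
    if p1["lifetime"] > 86400:
        findings.append(("warn", "phase 1: IKE SA lifetime longer than a day"))
    return findings


def assess_phase2(p2):
    findings = []
    if p2["protocol"].lower() != "esp":
        findings.append(("fail", "phase 2: AH provides no confidentiality; use ESP"))
    _check_cipher(p2["encryption"], findings, "phase 2")
    integ = p2["integrity"].lower()
    if "md5" in integ:
        findings.append(("fail", "phase 2: HMAC-MD5 integrity is not acceptable"))
    elif "sha1" in integ:
        findings.append(("warn", "phase 2: HMAC-SHA1-96 integrity; prefer HMAC-SHA-256"))
    if not p2.get("pfs_group"):
        findings.append(("fail", "phase 2: PFS disabled; child SA keys would all derive from the IKE key"))
    else:
        _check_group(p2["pfs_group"], findings, "phase 2 PFS")
    if p2["lifetime"] > 28800:
        findings.append(("warn", "phase 2: IPsec SA lifetime longer than 8 hours"))
    return findings


def verdict(findings):
    """Worst severity present: 'fail', 'warn' or 'ok'."""
    levels = {sev for sev, _ in findings}
    return "fail" if "fail" in levels else "warn" if "warn" in levels else "ok"


def assess_tunnel(p1, p2):
    findings = assess_phase1(p1) + assess_phase2(p2)
    return verdict(findings), findings


if __name__ == "__main__":
    result, notes = assess_tunnel(PHASE1_FROM_PAPER, PHASE2_FROM_PAPER)
    print(result)
    for sev, msg in notes:
        print(f"  [{sev}] {msg}")
```

Both ends must offer the same proposal, so treat the policy as a filter over the intersection of what pfSense and the OCI headend support rather than as a wish list for one side.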


Figure 20: Configuring Phase 2 of VPN tunnel in pfSense

7. To establish the VPN tunnel, click Status and then IPSec.

8. Click Connect VPN. The IPSec connection will shortly be established.

Verifying the Siebel CRM application running on Ravello

1. The Cloud Database instance can now be accessed from any VM on Ravello to confirm that the Siebel database and listener service is up and running.

Figure 21: Checking database and listener status

2. Check connectivity from the Siebel server using ‘srvrmgr’ utility


Figure 22: Siebel server verification

3. Test connectivity to the Siebel Web Server from a browser. The IP address for the Web Server is located in the Summary tab of the VM. For this Siebel CRM deployment, the Call Center component is enabled, for which connectivity is shown above using the public IP assigned to the VM.

Figure 23: Public IP of Siebel WebServer


Figure 24: Application login

4. Siebel Tools can be verified by connecting to the Tools VM either through RDP or Console access.

Figure 25: Siebel Tools verification

5. Shutting down the pfSense Gateway VM in Ravello causes errors while accessing the Siebel app, proving that the VPN setup is functioning as expected.

Figure 26: Test to prove functioning VPN Tunnel


Learn more

Learn more and sign up for a free trial at https://cloud.oracle.com/ravello

Figure 27: Sign up for a free trial.


Oracle Corporation, World Headquarters Worldwide Inquiries 500 Oracle Parkway Phone: +1.650.506.7000 Redwood Shores, CA 94065, USA Fax: +1.650.506.7200

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only, and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document, and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group. 1217 Establishing secure connectivity between Oracle Ravello and Oracle Cloud Infrastructure Database Cloud December 2017
