I love Oracle’s Connection Manager for its proxy filtering of Oracle Net connections, but it has one major flaw: it isn’t integrated into Oracle’s Cluster Ready Services (CRS) or Oracle Restart at all. When configured securely, Connection Manager requires a manually entered password to perform most maintenance and administrative functions, including startup and shutdown. If I needed to start up and shut down Connection Manager with a system reboot, like in the middle of the night, or for OS maintenance performed by the system administrator, or during an unplanned outage, what would I do?
It doesn’t make sense for the DBA to have to be available (especially if I must be on-site!) just to enter a password so that somebody else can do their job, or for Oracle Net services to be unavailable after an unplanned outage until someone can manually start things up again – not when Oracle has made all other service restarts fully automated. I could trust the sys admin with the password and train him or her in the proper startup and shutdown procedures – it isn’t terribly complicated – but this would still rely on manual intervention. It would be better if I could fully automate the Connection Manager service, but how would I deal with the password entry? Putting the password in a script would largely defeat the purpose of having a password in the first place.
It turns out that there is a relatively simple solution, made possible because of a feature of the cmctl utility: I don’t really need a password to start the Connection Manager process, even though cmctl prompts me for one. I only need to enter the password if I want to perform any administrative actions after the startup is complete. Once I realized this, the startup script became simple:
1. As the “oracle” user, I created the “start-cm” script. This script actually performs the startup and can reside anywhere that is convenient for me in the operating system. I chose to place it in the “/home/oracle/scripts” directory:
#!/bin/bash
# Set and export ORACLE_HOME so that cmctl inherits it
export ORACLE_HOME=/apps/oracle/product/126.96.36.199/cm
"$ORACLE_HOME/bin/cmctl" <<EOF
administer cman_public
startup
exit
exit
EOF
The script should have permissions of “700” to ensure that only the oracle user may read or execute it.
# chmod 700 /home/oracle/scripts/start-cm
2. Create an “oracle-cm” script in the /etc/init.d directory. This init script will run during the system startup and call the start-cm script. This script should have permissions consistent with other scripts in the directory – likely “700” or “750” or “755”.
# chmod 750 /etc/init.d/oracle-cm
3. Create a soft link in the “/etc/rc5.d” run-level initialization directory to start Connection Manager when the system enters normal operations.
# cd /etc/rc5.d
# ln -s ../init.d/oracle-cm S99oracle-cm
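The post does not show the contents of the “oracle-cm” init script from step 2. The following is an added example, not the author's script, of one way to write it: it refuses to run start-cm unless the file has the owner and “700” mode from step 1, then hands off to the oracle account with su. The names START_CM, CM_USER, check_start_script and main are assumptions, and GNU stat is assumed.

```shell
#!/bin/bash
# /etc/init.d/oracle-cm -- added example, not the author's original script.
# Assumed names: START_CM, CM_USER, check_start_script, main. Needs GNU stat.
START_CM=${START_CM:-/home/oracle/scripts/start-cm}
CM_USER=${CM_USER:-oracle}

# Succeed only if FILE is a regular file (not a symlink) owned by WANT_UID
# with mode exactly 700, the permissions step 1 calls for.
check_start_script() {
    local f="$1" want_uid="$2" uid mode
    if [ ! -f "$f" ] || [ -L "$f" ]; then
        echo "oracle-cm: $f is missing or is a symlink" >&2
        return 1
    fi
    uid=$(stat -c %u "$f") && mode=$(stat -c %a "$f") || return 1
    if [ "$uid" != "$want_uid" ] || [ "$mode" != "700" ]; then
        echo "oracle-cm: $f must be uid $want_uid, mode 700 (found uid $uid, mode $mode)" >&2
        return 1
    fi
}

main() {
    local uid
    case "$1" in
        start)
            uid=$(id -u "$CM_USER") || return 1
            check_start_script "$START_CM" "$uid" || return 1
            # Drop from root to the oracle account before running anything.
            su - "$CM_USER" -c "$START_CM"
            ;;
        stop)
            # Per the post, cmctl cannot shut down without the password;
            # the OS ends the Connection Manager processes at shutdown.
            return 0
            ;;
        *)
            echo "Usage: $0 {start|stop}" >&2
            return 2
            ;;
    esac
}

# init calls this file with an argument; with none (for example when the
# functions are sourced for testing) nothing runs.
if [ "$#" -gt 0 ]; then
    main "$@"
    exit $?
fi
```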
That solved half of my problem, but what about shutting down Connection Manager? That really can’t be done through the cmctl utility without entering the password.
The key to this part of the problem is understanding that Oracle Connection Manager is a relatively simple process: it maintains no repository of data, no detailed registry or process information other than what is defined in “$ORACLE_HOME/network/admin/cman.ora”. In other words, it doesn’t really matter how I shut down Connection Manager during a system reboot at all. I can simply let the operating system kill any Connection Manager processes as it sees fit during the shutdown phase, without any fear that my configuration will become corrupted or otherwise damaged. When the system starts back up, it will call the S99oracle-cm link in the rc5.d directory and restart Connection Manager with no trouble.