Oracle Exadata로 데이터베이스 액세스
Teleport can provide secure access to Oracle Exadata via the Teleport Database Service. In this guide, you will: The Teleport Database Service authenticates to your self-hosted Oracle database using mutual TLS.
Teleport can provide secure access to Oracle Exadata via the Teleport Database Service. This allows for fine-grained access control through Teleport's RBAC.
In this guide, you will:
- Configure your Oracle Exadata database mTLS 인증으로.
- Add the database to your Teleport cluster.
- Connect to the database via Teleport.
작동 방식#
The Teleport Database Service authenticates to your self-hosted Oracle database using mutual TLS. Oracle trusts the Teleport certificate authority for database clients, and presents a certificate signed by either the Teleport database CA or a custom CA. When a user initiates a database session, the Teleport Database Service presents a certificate signed by Teleport. The authenticated connection then proxies client traffic from the user.
사전 조건#
-
A running Teleport Enterprise cluster. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.
-
The
tctlandtshclients.Installing `tctl` and `tsh` clients
-
Determine the version of your Teleport cluster. The
tctlandtshclients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at/v1/webapi/findand use a JSON query tool to obtain your cluster version. Replace with the web address of your Teleport Proxy Service:$ TELEPORT_DOMAIN= $ TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')" -
Follow the instructions for your platform to install
tctlandtshclients:
-
- Oracle Exadata 서버 인스턴스 19c 이상.
sqlclOracle 클라이언트가 설치되어 시스템PATH환경 변수에 추가되어 있거나 JDBC Oracle thin 클라이언트를 지원하는 GUI 클라이언트.
To check that you can connect to your Teleport cluster, sign in with tsh login, then
verify that you can run tctl commands using your current credentials.
For example, run the following command, assigning to the domain name of the Teleport Proxy Service in your cluster and to your Teleport username:
$ tsh login --proxy= --user=
$ tctl status
# Cluster (=teleport.url=)
# Version (=teleport.version=)
# CA pin (=presets.ca_pin=)
If you can connect to the cluster and run the tctl status command, you can use your
current credentials to run subsequent tctl commands from your workstation.
If you host your own Teleport cluster, you can also run tctl commands on the computer that
hosts the Teleport Auth Service for full permissions.
1/6단계. Oracle Exadata 구성#
이 가이드는 Oracle Exadata 시스템의 기본 구성을 가정합니다. 특히:
- 사전 구성된 TCPS 리스너.
- 그리드 지갑의 기존 데이터베이스 인증서.
- 호스트 이름이
인 단일 Oracle Exadata VM이 SSH를 통해opc사용자로 액세스 가능. 추가 VM을 구성하려면 단계를 반복합니다. - SCAN DNS 이름은
입니다.
명령을 사용자 구성에 맞게 조정하세요.
데이터베이스별 구성 업데이트#
opc 사용자로 Oracle Exadata VM에 연결한 후 oracle 사용자로 전환합니다:
$ ssh opc@
$ sudo su - oracle
각 데이터베이스별 Oracle home에 대해 $ORACLE_HOME/network/admin/sqlnet.ora 파일을 다음 항목으로 업데이트합니다:
SSL_CLIENT_AUTHENTICATION = TRUE
SQLNET.AUTHENTICATION_SERVICES = (ALL)
예를 들어, spark라는 데이터베이스가 있는 경우 oracle 사용자는 데이터베이스별 환경 변수가 포함된 자동 생성 파일 /home/oracle/spark.env에 액세스할 수 있습니다. 이 파일을 소싱하면 $ORACLE_HOME/network/admin/sqlnet.ora 경로가 spark 데이터베이스 및 관련 Oracle home의 sqlnet.ora 파일을 가리킵니다.
# 'spark' 데이터베이스의 환경 변수 로드
$ . spark.env
# $ORACLE_HOME/network/admin/sqlnet.ora에 있는 구성 파일 편집
...
필요에 따라 각 추가 데이터베이스 또는 데이터베이스 home에 대해 이 단계를 반복합니다.
Oracle 사용자 계정 구성#
Oracle 사용자 계정은 유효한 클라이언트 인증서를 요구하도록 구성해야 합니다.
새 사용자 생성:
CREATE USER alice IDENTIFIED EXTERNALLY AS 'CN=alice';
GRANT CREATE SESSION TO alice;
기존 사용자 변경:
ALTER USER alice IDENTIFIED EXTERNALLY AS 'CN=alice';
이 작업은 비밀번호와 같은 기존 인증 방법을 무효화합니다. 인증서 기반 인증이 이 사용자의 유일한 인증 방법이 됩니다.
Teleport Database Client CA 신뢰#
Teleport는 Oracle Exadata와 상호 TLS 인증을 사용합니다. 클라이언트 인증서를 확인하려면 Teleport의 인증 기관으로 구성해야 합니다.
로컬 머신에서 Teleport Database Client CA를 내보내고 대상 Oracle Exadata VM에 복사합니다.
# Teleport의 데이터베이스 클라이언트 인증 기관 내보내기
$ tctl auth export --type=db-client > teleport-db-client-ca.crt
# CA를 Oracle Exadata VM에 복사
$ scp teleport-db-client-ca.crt opc@:/tmp/teleport-db-client-ca.crt
grid 사용자로 그리드 TCPS 지갑을 업데이트하여 Teleport User Database CA를 신뢰합니다.
# 지갑 비밀번호 읽기
$ mkstore -wrl /u01/app/oracle/admin/cprops/cprops_wallet -nologo -viewEntry grid_tcps_wallet_passwd
grid_tcps_wallet_passwd = <wallet password>
# 그리드 TCPS 지갑 업데이트; 프롬프트 시 비밀번호 입력
$ orapki wallet add -wallet "/var/opt/oracle/dbaas_acfs/grid/tcps_wallets" -trusted_cert -cert /tmp/teleport-db-client-ca.crt
그리드 리스너에 TLS 인증 활성화#
다음 항목을 추가하여 $ORACLE_HOME/network/admin/listener.ora에서 그리드 리스너 구성을 조정하여 TLS 인증을 활성화합니다:
SSL_CLIENT_AUTHENTICATION = TRUE
리스너 재시작#
완료되면 리스너를 재시작합니다.
$ lsnrctl stop
$ lsnrctl start
2/6단계. 데이터베이스 구성 데이터 수집#
Oracle에서 내장 데이터베이스 인증서를 내보냅니다. Teleport는 이 인증서를 사용하여 데이터베이스 연결을 확인합니다.
# 데이터베이스 인증서를 내보냅니다. "-dn" 파라미터를 실제 설정에 맞게 업데이트합니다.
$ orapki wallet export -wallet "/var/opt/oracle/dbaas_acfs/grid/tcps_wallets" -dn "CN=" -cert /tmp/oracle-server-certificate.crt
/tmp/oracle-server-certificate.crt 파일을 임시 위치에 저장합니다. 최종 위치는 Teleport 설치 방법에 따라 달라지며 다음 단계에서 자세히 설명합니다.
로컬 리스너의 TCPS 주소를 확인합니다. 이 주소는 Teleport가 연결에 사용합니다. 아래 예제에서 주소는 입니다.
$ sqlplus / as sysdba
# ...
# SQL> SHOW PARAMETER local_listener;
#
# . NAME TYPE VALUE
# . -------------- ------ ------------------------------
# . local_listener string (ADDRESS=(PROTOCOL=TCP)(HOST=10.20.30.40)(PORT=1521)),
# . (ADDRESS=(PROTOCOL=TCPS)(HOST=10.20.30.40)(PORT=2484))
3/6단계. Database Service 구성 및 시작#
Teleport 조인 토큰 생성#
The Database Service requires a valid join token to join your Teleport cluster.
Run the following tctl command and save the token output in /tmp/token
on the server that will run the Database Service:
$ tctl tokens add --type=db --format=text
(=presets.tokens.first=)
Teleport Database Service#
Teleport Database Service를 실행할 곳에 Teleport를 설치하고 구성합니다:
To install a Teleport Agent on your Linux server:
The recommended installation method is the cluster install script. It will select the correct version, edition, and installation mode for your cluster.
-
Assign to your Teleport cluster hostname and port, but not the scheme (https://).
-
Run your cluster's install script:
$ curl "https:///scripts/install.sh" | sudo bash
Teleport Database Service를 실행할 호스트에서 적절한 구성으로 Teleport를 시작합니다.
단일 Teleport 프로세스는 여러 Database Service 에이전트, SSH Service 또는 Application Service 등 여러 다른 서비스를 실행할 수 있습니다. 아래 단계는 기존 구성 파일을 덮어쓰므로 여러 서비스를 실행하는 경우 --output=stdout을 추가하여 터미널에 구성을 출력하고 /etc/teleport.yaml을 수동으로 조정하세요.
Oracle Database 인증서를 복사하여 Teleport Database Service 호스트의 /var/lib/teleport/oracle-server-certificate.crt에 제공합니다.
다음 명령을 실행하여 Database Service용 구성 파일을 /etc/teleport.yaml에 생성합니다. 을 Teleport Proxy Service의 도메인 이름으로 업데이트합니다:
$ sudo teleport db configure create \
-o file \
--token=/tmp/token \
--proxy=:443 \
--name="" \
--protocol=oracle \
--uri="" \
--ca-cert-file="/var/lib/teleport/oracle-server-certificate.crt" \
--labels=env=dev
생성된 구성 파일을 수동으로 편집하여 tls.mode: verify-ca를 포함합니다.
데이터베이스의 최종 항목은 다음과 유사합니다:
db_service:
enabled: true
databases:
- name:
You can check the status of the Teleport Database Service with systemctl status teleport
and view its logs with journalctl -fu teleport.
다음 명령을 사용하여 Teleport와 같은 네임스페이스에 데이터베이스 CA 인증서가 포함된 시크릿을 생성합니다:
$ kubectl create secret generic db-ca --from-file=ca.pem=/path/to/oracle-server-certificate.crt
다음 내용으로 values.yaml 파일을 생성합니다. 을 tctl tokens add 명령으로 생성한 조인 토큰으로 업데이트합니다:
roles: db
proxyAddr:
Flag
Description
--rolesList of roles to assign to the user. The builtin access role allows them to connect to any database server registered with Teleport.
--db-usersList of database usernames the user will be allowed to use when connecting to the databases. A wildcard allows any user.
--db-namesList of logical databases (aka schemas) the user will be allowed to connect to within a database server. A wildcard allows any database.
For more detailed information about database access controls and how to restrict
access see RBAC documentation.
6/6단계. 연결#
Database Service가 클러스터에 참여하면 로그인하여 사용 가능한 데이터베이스를 확인합니다:
$ tsh login --proxy= --user=alice
$ tsh db ls
# Name Description Allowed Users Labels Connect
# ------ -------------- ------------- ------- -------
[*] env=dev
"" 데이터베이스에 연결합니다. --db-name 파라미터로 올바른 서비스 이름을 전달합니다.
Oracle Exadata VM에서 데이터베이스 구성을 검사하여 서비스 이름을 확인할 수 있습니다.
> lsnrctl services | grep paas
Service "spark_PDB1.paas.oracle.com" has 1 instance(s).
$ tsh db connect --db-user alice --db-name spark_PDB1.paas.oracle.com
# SQLcl: Release 24.2 Production on Fri Aug 09 15:29:41 2024
#
# Copyright (c) 1982, 2024, Oracle. All rights reserved.
#
# Connected to:
# Oracle Database 19c EE Extreme Perf Release 19.0.0.0.0 - Production
# Version 19.24.0.0.0
#
# SQL> select user from dual;
#
# USER
# ________
# ALICE
#
# SQL>
데이터베이스에서 로그아웃하고 자격 증명을 제거하려면:
# 특정 데이터베이스 인스턴스의 자격 증명 제거.
$ tsh db logout oracle
# 모든 데이터베이스 인스턴스의 자격 증명 제거.
$ tsh db logout
(선택 사항) 추가 호스트 이름 구성#
In some deployments the same logical database is reachable via multiple hostnames with different characteristics, for example:
- replicated databases
- hostnames that traverse different network paths
If this applies to your setup, list all hosts in order of preference to improve connection resiliency.
If a TCP dial error occurs for a host, the next host in the list is tried automatically. Non-network errors (e.g., certificate or authentication failures) are not retried and do not advance to the next host.
By default, hosts are attempted in the listed order. Retries cycle through the list and wrap to the start as needed (e.g., host1 → host2 → host3 → host1 → ...). To randomize the sequence per connection attempt, set shuffle_hostnames; the same cyclic pattern then applies to that randomized order.
retry_count controls the number of retries per host after the initial attempt on a network error. The default is 2, so there are 3 total attempts per host (1 initial + 2 retries) before moving to the next host in sequence.
This setup supports failover and basic load-balancing for new connections: enabling shuffle_hostnames spreads initial connection attempts across hosts (load-balancing), while retries automatically move to the next host if the current one is unreachable (failover).
- name: oracle
protocol: oracle
uri: host1:2484,host2:2484,host3:2484 # Multiple hosts; dials in sequence and wraps (host1 → host2 → host3 → host1 ...). Dialing sequence can be randomized with `shuffle_hostnames`.
static_labels:
env: dev
oracle:
# Randomize host order per connection attempt to spread load. Optional.
shuffle_hostnames: true
# Retries per host on network errors only; non-network errors stop (default: 2). Optional.
retry_count: 5
문제 해결#
Connection hangs or is refused#
A common issue when connecting to an Oracle database is a connection timeout or refusal. This typically indicates a networking problem where the Teleport Database Service cannot reach the Oracle database endpoint.
Verify that network routing and access controls, such as firewalls and VPC security groups, allow traffic to flow from the Database Service host to the database endpoint.
You can validate connectivity using a native Oracle client, which helps confirm whether the issue is with Teleport or the underlying network configuration. For example, using Oracle SQLcl:
# Example: Oracle SQLcl
sql -L myuser/mypassword@oracle-instance.example.com:2484
Network connectivity issues are often detected by automated health checks.
To check the health status of all registered databases:
# All databases
tctl db ls --format=json | jq -r '.[] | [.metadata.name, .status.target_health]'
An unhealthy database will have output similar to the following:
...
"oracle",
{
"address": "11.22.33.44:2484",
"protocol": "TCP",
"status": "unhealthy",
"transition_timestamp": "2025-09-25T09:47:39.435973Z",
"transition_reason": "threshold_reached",
"transition_error": "dial tcp 11.22.33.44:2484: i/o timeout",
"message": "1 health check failed"
}
...
TLS negotiation fails#
Properly configuring TLS on an Oracle database can be challenging. Different underlying issues can result in the same error message, such as the following from Teleport:
Original Error: *tls.permanentError remote error: tls: handshake failure
Or you might see the following in the Oracle logs:
ORA-00609: could not attach to incoming connection
ORA-28860: Fatal SSL error
To identify the root cause, follow the debugging steps in the sections below. The output of the following openssl command can help diagnose many common TLS issues. Capture the output and use it as you follow the debugging steps.
> openssl s_client -connect oracle.example.com:2484 -showcerts
Wrong server certificate#
Teleport rejects connections to databases with untrusted server certificates. If you are using Teleport to issue certificates, ensure that the server certificate was issued by the Teleport Database CA. An invalid server certificate will prevent Teleport from establishing a secure connection.
You can view the Teleport Database CA certificate with the following command:
tctl auth export --type=db | openssl x509 -issuer -noout
...
issuer=O=teleport.example.com, CN=teleport.example.com, serialNumber=200129862304303044762346177566738813560
Compare the issuer in the server certificate with the issuer of the Teleport Database CA certificate. The openssl s_client command from the previous section will show you the server certificate:
# openssl s_client output:
...
Server certificate
subject=CN=oracle.example.com
issuer=O=teleport.example.com, CN=teleport.example.com, serialNumber=200129862304303044762346177566738813560
...
You can also inspect the Oracle wallet directly using the orapki utility to verify the server certificate.
# Prompt for wallet password
orapki wallet display -complete -wallet /path/to/wallet
The "User Certificates" section of the output should contain the server's certificate. Its Issuer should match the Subject of the Teleport Database CA.
User Certificates:
Subject: CN=oracle.example.com
Issuer: SERIALNUMBER=200129862304303044762346177566738813560,CN=teleport.example.com,O=teleport.example.com
Serial Number: ...
Wrong client certificate#
If the Oracle server rejects client certificates presented by the Teleport Database Service, you should verify that the Oracle database trusts the Teleport Database User CA.
You can view the Teleport Database User CA with this command:
tctl auth export --type=db-client | openssl x509 -issuer -noout
issuer=O=teleport.example.com, CN=teleport.example.com, serialNumber=183359545647055551607366887578713393931
Compare the Teleport Database User CA with the list of CAs trusted by the Oracle database. The openssl s_client command from earlier will show the list of CAs the Oracle database trusts:
# openssl s_client output:
...
---
Acceptable client certificate CA names
O=teleport.example.com, CN=teleport.example.com, serialNumber=183359545647055551607366887578713393931
Ensure that the Teleport Database User CA certificate has been added to the correct wallet and that the Oracle server configuration references this wallet.
You can also inspect the Oracle wallet directly using the orapki utility to verify that the Teleport Database User CA is trusted.
# Prompt for wallet password
orapki wallet display -complete -wallet /path/to/wallet
The "Trusted Certificates" section of the output should contain the Teleport Database User CA. Its Issuer should match the issuer of the Teleport Database User CA.
Trusted Certificates:
Subject: SERIALNUMBER=183359545647055551607366887578713393931,CN=teleport.example.com,O=teleport.example.com
Issuer: SERIALNUMBER=183359545647055551607366887578713393931,CN=teleport.example.com,O=teleport.example.com
Serial Number: ...
Wrong TLS version#
Teleport rejects connections that use TLS 1.0 or 1.1 due to known weaknesses. Ensure that the SSL_VERSION parameter in your Oracle configuration is set to 1.2 or higher to enable TLS 1.2 or a newer version.
No common cipher suites#
Ensure that the SQLNET.CIPHER_SUITE parameter in your Oracle configuration contains modern TLS cipher suites that match the configured TLS version.
The following cipher suites are secure and widely supported across different Oracle versions.
For TLS 1.2:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
For TLS 1.3:
TLS_AES_128_GCM_SHA256TLS_AES_256_GCM_SHA384
Must be logged on to the server error#
The following error indicates that the login procedure has failed:
ORA-17430: Must be logged on to the server.
This is most commonly caused by the Oracle database enforcing native encryption or data-integrity checksums on a TCPS endpoint.
Teleport uses TLS for transport security, and does not support native Oracle encryption.
To disable the redundant encryption requirement for the TCPS endpoint, add the following line to your sqlnet.ora file:
SQLNET.IGNORE_ANO_ENCRYPTION_FOR_TCPS=TRUE
Make sure to use an up-to-date version of the Oracle database. In older versions, this setting may not disable data-integrity checksums, which will lead to continued failures.
Invalid username#
An incorrectly specified username will result in the following error:
ORA-01017: invalid username/password; logon denied
When using TLS-based authentication, Oracle maps the Common Name (CN) from the client certificate to an external user in the database. Verify the EXTERNAL_NAME for your user in the dba_users table. It should be in the format cn=<name>, where <name> matches the value of the --db-user flag used in the tsh db login command.
You can query the dba_users table to check the EXTERNAL_NAME of your users:
SQL> SELECT username, authentication_type, external_name
2 FROM dba_users
3 WHERE authentication_type = 'EXTERNAL'
4 ORDER BY 1;
USERNAME AUTHENTICATION_TYPE EXTERNAL_NAME
_____________ ______________________ ________________
ALICE EXTERNAL cn=alice
다음 단계#
-
Learn how to restrict access to certain users and databases.
-
View the High Availability
(HA) guide.
-
Take a look at the YAML configuration reference.
-
See the full CLI reference.
다음 문서를 참조하세요: