OCI Base Database Service: Custom Port

Santhosh Kumar BVSRK
Feb 19, 2024

Most customers (at least in the BFSI sector) require a custom port instead of the default one, for reasons such as a) security, b) avoiding port conflicts, c) hosting multiple services, and d) specific use cases.

In the BFSI sector, the CISO team will not allow you to open the firewall for default ports, as these ports are known to the entire world and are more susceptible to attacks.

In this blog we will see how to change the listener port of OCI Base Database Service (aka OCI DBCS, aka OCI PaaS Database) from the default port 1521 to a custom port (e.g. 1492).

Figure: Private DBCS
Figure: Private DBCS IP

I have created a Jump Server in an OCI public subnet to connect to the OCI DBCS VM. We can use the same Jump Server as a tunnel to connect to OCI DBCS from a local SQL Developer, which you can check here.

Now, let us connect to the Jump Server and then connect to the OCI DBCS VM.

Figure: OCI DBCS Security List
Figure: Connect to OCI DBCS from Jump Server

Now that you are connected to OCI DBCS VM, let us run the below commands and complete custom port creation.

While creating Custom Port for OCI DBCS we can do two things:

a) Add a new Custom Port entry in TNSNAMES.ora to listen/connect DB on
b) Replace the default 1521 port from TNSNAMES.ora with a Custom Port.

For now, we will go with the second option, i.e., replacing the default 1521 port with a Custom Port, though I will show how to add a new Custom Port entry as well.

  1. Switch to the grid user: “sudo su - grid”
  2. Navigate to the directory that holds listener.ora: “cd $ORACLE_HOME/network/admin/”
  3. Verify the contents of listener.ora: “more listener.ora”
  4. Check the default port the listener is using: “lsnrctl status”
  5. Verify the default listener configuration: “srvctl config listener”
  6. Check that the custom port is not already in use: “netstat -an | grep <Custom Port> | grep -i listen”

Now, we will have an option to either add a new Custom Port without removing the default 1521 port or replace the existing 1521 port with a custom Port.

The command to add a new Custom Port alongside the existing default port 1521 is “srvctl modify listener -p "TCP:1521/TCPS:1492"”, whereas if you want to replace the existing default port 1521 the command is “srvctl modify listener -p "TCP:1492/TCPS:1492"”.

Once done let us check the listener configuration by executing the command “srvctl config listener”

Restart the default listener and check the status using the below commands:

  1. srvctl stop listener
  2. srvctl start listener
  3. lsnrctl status

Now that listener configuration is updated, let us restart the database.

Now it’s time to update the iptables rules. For this, log in to the OCI DBCS VM as the root user: “exit” from the current grid user session and switch to root by running the command “sudo su”.

Let us list the existing entries in iptables by running the command “iptables -L -n -v --line-numbers”

From the above snippet we see that port 1521 is still present in iptables. Now, let us search for a custom port entry, i.e., 1492, by running the command “iptables -L -n -v --line-numbers | grep 1492”

Let us take a backup of the existing rules before making changes to add entry for Custom Port (1492) and removing entry for default port (1521).

Now, let us add a new entry for Custom Port 1492 in iptables, for which run the command “iptables -I INPUT 2 -p tcp -m state --state NEW -m tcp --dport <CustomPort> -j ACCEPT -m comment --comment "To enable Listener on Custom Port 1492"” and then verify the entry in iptables.

Verify the line number of the default port 1521 entry in iptables, which is to be deleted now. For this, list the existing entries in iptables again, because the insert above has changed the line numbers.

Now, to delete an entry in iptables run the below command “iptables -D INPUT <line-number>”. Once done let us verify the entries once again to make sure 1492 entry is present, and 1521 entry is deleted.

Let us save the iptables entries by running the command “service iptables save”

Let us check port 1492 by running the command “netstat -tnpl | grep -i <CustomPort>”
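The line-number bookkeeping in the iptables steps above, as an added example that is not part of the original post: it reads an “iptables -L INPUT -n --line-numbers” listing and prints the backup, insert, delete and save commands with the line numbers already adjusted. The sample listing, the function names and the backup path are constructed assumptions; nothing in it modifies the firewall.

```shell
#!/bin/sh
# Added example (not from the original post): plan the iptables change from a
# rule listing. It only prints commands for review; it never touches the firewall.

# Constructed sample of `iptables -L INPUT -n --line-numbers` output.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:1521
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:15210
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

# Print the line numbers of rules whose destination port is exactly $1,
# highest first. A plain `grep 1521` would also hit dpt:15210 or a counter.
rule_lines_for_port() {
  awk -v tok="dpt:$1" '$1 ~ /^[0-9]+$/ {
    for (i = 2; i <= NF; i++) if ($i == tok) { print $1; break }
  }' | sort -rn
}

# Print the commands that swap port $1 for port $2, given a listing on stdin.
plan_port_swap() {
  old=$1; new=$2; offset=0
  listing=$(cat)
  # Backup path is a hypothetical placeholder.
  echo "iptables-save > /root/iptables.before-port-change"
  if [ -z "$(printf '%s\n' "$listing" | rule_lines_for_port "$new")" ]; then
    echo "iptables -I INPUT 2 -p tcp -m state --state NEW -m tcp --dport $new -j ACCEPT"
    offset=1   # inserting at position 2 pushes rules 2..n down by one
  fi
  # Delete highest line first so earlier deletions do not renumber later ones.
  for n in $(printf '%s\n' "$listing" | rule_lines_for_port "$old"); do
    if [ "$n" -ge 2 ]; then n=$((n + offset)); fi
    echo "iptables -D INPUT $n"
  done
  echo "service iptables save"
}

# Show the plan for the constructed sample.
printf '%s\n' "$SAMPLE_LISTING" | plan_port_swap 1521 1492
```

On the DBCS VM the same function can be fed the live listing as root: “iptables -L INPUT -n --line-numbers | plan_port_swap 1521 1492”.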

This completes custom Port change in OCI Base Database Service.
