Thursday, June 25, 2026

RAC TLS: Enabling TLS TCPS/2484 on local node IP



Over the past couple of days, I've been preparing a Real Application Cluster (RAC) cluster via the Oracle AI Base Database Service for setting up a demonstration where I need to connect securely to the cluster nodes remotely over Transport Layer Security (TLS) to TCPS/2484 from my home computer.  The problem is twofold.

First, the public IP addresses given by Oracle Cloud Infrastructure (OCI) console map to the individual RAC node IP addresses.

Second, the default RAC listener configuration only has the non-TLS TCP/1521 port listening on the RAC node IP address. I need to add the TLS TCPS/2484 port to the RAC node IP address as well.

Thankfully, the workaround was very simple.  I just needed to alter the default LISTENER in listener.ora to include both TCP/1521 and TCPS/2484 for both the local RAC node IP address (10.0.0.15) and the virtual IP address (VIP) (10.0.0.120).

Before applying the change, the client would return the following error:

ORA-12541: Cannot connect. No listener at host 132.226.96.94 port 2484

Here's the listener.ora config change where I commented out the original LISTENER definition and added a new LISTENER definition that includes the original information plus ADDRESS entries for the RAC node IP address (10.0.0.15) and the VIP address (10.0.0.120) as well. I also specified the WALLET_LOCATION. Note that if WALLET_LOCATION was already specified in listener.ora, I wouldn't need to include it here, but for completeness I added it to be clear on which wallet to use for the TCPS port.

$ tail -12 /u01/app/19.0.0.0/grid/network/admin/listener.ora

#LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER))))
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
      (ADDRESS = (PROTOCOL = TCP)(HOST = 10.0.0.120)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = 10.0.0.120)(PORT = 2484))
      (ADDRESS = (PROTOCOL = TCP)(HOST = 10.0.0.15)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = 10.0.0.15)(PORT = 2484))
      (SECURITY=(WALLET_LOCATION=/opt/oracle/dcs/commonstore/tcps_wallet))
    )
  )

Then, restart the local listener.

$ srvctl stop listener
$ srvctl start listener

Confirm that the listener includes TCPS/2484 on the local RAC node IP (10.0.0.15) and the VIP (10.0.0.120) from the listener status and netstat outputs.

$ lsnrctl status|egrep "Endpoint|HOST="
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.120)(PORT=1521))(SECURITY=(WALLET_LOCATION=/opt/oracle/dcs/commonstore/tcps_wallet)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=10.0.0.120)(PORT=2484))(SECURITY=(WALLET_LOCATION=/opt/oracle/dcs/commonstore/tcps_wallet)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.15)(PORT=1521))(SECURITY=(WALLET_LOCATION=/opt/oracle/dcs/commonstore/tcps_wallet)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=10.0.0.15)(PORT=2484))(SECURITY=(WALLET_LOCATION=/opt/oracle/dcs/commonstore/tcps_wallet)))


$ netstat -ltn | grep 2484
tcp        0      0 10.0.0.62:2484          0.0.0.0:*               LISTEN     
tcp        0      0 10.0.0.182:2484         0.0.0.0:*               LISTEN     
tcp        0      0 10.0.0.45:2484          0.0.0.0:*               LISTEN     
tcp        0      0 10.0.0.120:2484         0.0.0.0:*               LISTEN     
tcp        0      0 10.0.0.15:2484          0.0.0.0:*               LISTEN     

Confirm that the remote client can now connect over TLS to TCPS/2484 of each cluster node:

$ cat tnsnames.ora
DEVDB_SSL=
  (DESCRIPTION=
    (ADDRESS=(PROTOCOL=TCPS)(HOST=devdb-scan.mysubnet.odswest.oraclevcn.com)(PORT=2484))
    (SECURITY=
      (WALLET_LOCATION=C:\Oracle\client_wallet)
      (SSL_SERVER_DN_MATCH=TRUE)
      (SSL_SERVER_CERT_DN="CN=devdb-scan.mysubnet.odswest.oraclevcn.com")
    )
    (CONNECT_DATA=
      (SERVER=DEDICATED)
      (SERVICE_NAME=devdb.mysubnet.odswest.oraclevcn.com)
    )
  )

$ sqlplus system/'<db_password>'@DEVDB_SSL

SQL> select instance_name from v$instance;

INSTANCE_NAME
----------------
devdb1
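The two checks above (that TCPS/2484 is really bound on each node IP and VIP, and that the certificate presented there carries the DN the client pins with SSL_SERVER_DN_MATCH / SSL_SERVER_CERT_DN) are easy to turn into a repeatable script. The following is an added example, not code from the original post: it parses lsnrctl status output for tcps endpoints, reports any expected host:port that is missing, and includes an openssl-based probe that prints the subject DN of the certificate served on a TCPS endpoint. The status samples embedded below are constructed to mirror the before/after states described in the post; the node and VIP addresses are the post's own.

```shell
#!/bin/sh
# Added example (not from the original post). Verifies RAC listener TCPS
# endpoints from `lsnrctl status` text and lets you confirm the served
# certificate DN before trusting SSL_SERVER_CERT_DN in tnsnames.ora.

# Print "host:port" for every tcps endpoint found in lsnrctl status text on stdin.
tcps_endpoints() {
  sed -n 's/.*(PROTOCOL=tcps)(HOST=\([^)]*\))(PORT=\([0-9]*\)).*/\1:\2/p'
}

# check_endpoints STATUS_TEXT HOST:PORT...
# Prints each expected TCPS endpoint that is absent; returns 1 if any is missing.
check_endpoints() {
  status_text=$1; shift
  found=$(printf '%s\n' "$status_text" | tcps_endpoints)
  rc=0
  for want in "$@"; do
    if ! printf '%s\n' "$found" | grep -qxF "$want"; then
      echo "MISSING TCPS endpoint: $want"
      rc=1
    fi
  done
  return $rc
}

# probe_cert_dn HOST:PORT  (network check; needs openssl and reachability)
# Oracle's TCPS port speaks TLS directly, so s_client can fetch the server
# certificate; compare the printed subject with SSL_SERVER_CERT_DN.
probe_cert_dn() {
  openssl s_client -connect "$1" </dev/null 2>/dev/null | openssl x509 -noout -subject
}

# Constructed sample: the default state, where only the VIP has TCPS/2484.
BEFORE_STATUS='Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.120)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=10.0.0.120)(PORT=2484)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.15)(PORT=1521)))'

# Constructed sample: the state after the listener.ora change in the post.
AFTER_STATUS='Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.120)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=10.0.0.120)(PORT=2484)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.15)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=10.0.0.15)(PORT=2484)))'

# Demo run: `sh check_tcps.sh --demo`. On a real node, feed live output instead:
#   check_endpoints "$(lsnrctl status)" 10.0.0.120:2484 10.0.0.15:2484
if [ "${1:-}" = "--demo" ]; then
  check_endpoints "$BEFORE_STATUS" 10.0.0.120:2484 10.0.0.15:2484 \
    || echo "before: check failed (expected, node IP lacks TCPS)"
  check_endpoints "$AFTER_STATUS" 10.0.0.120:2484 10.0.0.15:2484 \
    && echo "after: all expected TCPS endpoints present"
fi
```

Run `check_endpoints "$(lsnrctl status)" 10.0.0.120:2484 10.0.0.15:2484` on the node after the restart; a non-zero return with a MISSING line is the signature of the ORA-12541 situation from before the change. `probe_cert_dn 10.0.0.15:2484` from the client side confirms that the wallet certificate's subject matches the SSL_SERVER_CERT_DN you pinned, so that SSL_SERVER_DN_MATCH=TRUE will accept the connection rather than fail silently on a DN mismatch.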

I hope you find this helpful.

Blessings!
