Troubleshoot DLP Enforce connections to Oracle

Article ID: 192817

Products

Data Loss Prevention Enforce, Data Loss Prevention, Data Loss Prevention Enterprise Suite, Data Loss Prevention Plus Suite, Data Loss Prevention Oracle Standard Edition 2, Data Loss Prevention Core Package

Issue/Introduction

You need to troubleshoot database connectivity issues between the Data Loss Prevention (DLP) Enforce server and Oracle.

Resolution

There are 3 files to work with when troubleshooting, 1 for Oracle and 2 for DLP Enforce:

Oracle

  • tnsnames.ora - the original source for the tnsnames.ora file. 
    • Path: C:\oracle\product\12.2.0.1\db_1\network\admin\tnsnames.ora

DLP Enforce

  • tnsnames.ora - primarily used for upgrades and testing.
    • Path: C:\Oracle\client\<user name>\product\12.2.0\client_1\network\admin\tnsnames.ora
  • jdbc.properties - the primary source of information for the day-to-day connections for Oracle.
    • Path: C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.7\Protect\config\Jdbc.properties

Test your connection and log in

Next, use TNSPING to test your connection to the Oracle server and SQLPlus to log in to the Oracle server.


TNSPING

Start with a basic "tnsping" from the DLP Enforce server. This command runs completely outside of DLP, so this is a good way to test your connection to the Oracle Server while completely removing DLP from the equation. It is important to note that this command runs through the Oracle Client (which should be installed on the DLP Enforce server if the Oracle server is not on the same machine).

The "tnsping" command pulls its connection data from the "tnsnames.ora" file that is on the DLP Enforce server. If this command does not work for any reason then the first step should be to copy the "tnsnames.ora" file from the Oracle server and paste it into the path specified above for the tnsnames.ora file on the DLP Enforce server.

Syntax: tnsping <service_name>

The last line should say "OK (30 msec)", which indicates that the ping was successful and that it took 30 milliseconds.

SQLPlus

Log in to the Oracle server through SQLPlus. SQLPlus is included with the Oracle server or client installation.

Log in to the Oracle database from the Oracle server

Syntax: conn user@connect_identifier

  1. Use the command "sqlplus /nolog" to log into sqlplus without a user.
  2. Type "conn protect@protect"

    This should show "Connected" after you enter your password if it is successful.

If unsuccessful, the issue is on the database side, on the local Oracle server, and is not related to DLP.

Log in to the Oracle database from the DLP Enforce server

Syntax: conn user@connect_identifier

  1. Use the command "sqlplus /nolog" to log into sqlplus without a user.
  2. Type "conn protect@protect"
  • If successful, this shows "Connected" (after you enter your password).
  • If unsuccessful, the issue is with the communication between the DLP Enforce server and the Oracle server.
    • You should see an error that provides specific details about the failure.

Note: This is the exact same process as logging in to the Oracle database from the Oracle server; the only difference is that we are connecting from the DLP Enforce server instead of the Oracle server.

Connect using the jdbc.properties connection string

Syntax: conn user@connection_string

This process is very similar to the previous steps, but the "connect_identifier" is replaced with the "connection_string" found in the jdbc.properties file on the DLP Enforce server.

  1. Open the jdbc.properties file on the DLP Enforce server and scroll to the very bottom. You will see an entry similar to the following:
    • jdbc.dbalias.oracle-thin=@(description=(address=(host=<Oracle DB IP Address>)(protocol=tcp)(port=1521))(connect_data=(service_name=protect)))
    • The "connection_string" in this case would be defined as everything including and after the @ symbol.
    • connection_string = @(description=(address=(host=<Oracle DB IP Address>)(protocol=tcp)(port=1521))(connect_data=(service_name=protect)))
  2. Use the command "sqlplus /nolog" to log into sqlplus without a user.
  3. Use "conn protect@(description=(address=(host=<Oracle DB IP Address>)(protocol=tcp)(port=1521))(connect_data=(service_name=protect)))"
  • If successful, this shows "Connected" (after you enter your password).
  • If logging in with the connection string fails, review the files (tnsnames.ora, jdbc.properties) and the connection string to determine what is wrong, and correct any problems.

Note: If you cannot connect with the connection string, then DLP Enforce will not be able to communicate with the database, and you would be unable to log in.
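
The connection-string step above can be checked before opening SQLPlus. The following PowerShell script is an added example, not part of the original article or of the product: it reads the jdbc.dbalias.oracle-thin entry from jdbc.properties, checks that the descriptor is well formed, tests TCP reachability of the listener, and prints the matching "conn" command. It assumes the entry sits on one line without properties-file escapes, that Test-NetConnection is available (Windows Server 2012 R2 or later), and the "protect" user from the steps above; Get-DescriptorField is a hypothetical helper name.

```powershell
# Added example: the default path is the one given in this article; adjust for your version.
param(
    [string]$JdbcProperties = 'C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.7\Protect\config\Jdbc.properties'
)

# Hypothetical helper: return the value of a (key=value) leaf in the descriptor.
function Get-DescriptorField([string]$Descriptor, [string]$Key) {
    $m = [regex]::Match($Descriptor, "\(\s*$Key\s*=\s*([^()\s]+)\s*\)", 'IgnoreCase')
    if ($m.Success) { $m.Groups[1].Value } else { $null }
}

# Take the last jdbc.dbalias.oracle-thin entry (assumed to be on a single line).
$line = Get-Content -LiteralPath $JdbcProperties |
    Where-Object { $_ -match '^\s*jdbc\.dbalias\.oracle-thin\s*=' } |
    Select-Object -Last 1
if (-not $line) { throw "jdbc.dbalias.oracle-thin not found in $JdbcProperties" }

# The connection string is everything after the first '=', starting at the @ symbol.
$connectionString = ($line -split '=', 2)[1].Trim()
if (-not $connectionString.StartsWith('@')) {
    Write-Warning "Connection string does not start with '@': $connectionString"
}

# A descriptor with unbalanced parentheses cannot be parsed by the Oracle client.
$open  = ([regex]::Matches($connectionString, '\(')).Count
$close = ([regex]::Matches($connectionString, '\)')).Count
if ($open -ne $close) { Write-Warning "Unbalanced parentheses: $open '(' and $close ')'" }

$dbHost  = Get-DescriptorField $connectionString 'host'
$port    = Get-DescriptorField $connectionString 'port'
$service = Get-DescriptorField $connectionString 'service_name'
if (-not ($dbHost -and $port -and $service)) {
    throw "Could not read host, port and service_name from: $connectionString"
}

# TCP check of the listener port, independent of the Oracle client and of DLP.
$tcp = Test-NetConnection -ComputerName $dbHost -Port ([int]$port) -WarningAction SilentlyContinue
[pscustomobject]@{
    DbHost       = $dbHost
    Port         = $port
    ServiceName  = $service
    TcpReachable = $tcp.TcpTestSucceeded
}

# Command to type at the SQL> prompt after "sqlplus /nolog"; the password is prompted for.
"conn protect$connectionString"
```

If TcpReachable is False, the failure is at the network or listener level; if it is True and the "conn" command still fails, compare the reported host, port and service name with the tnsnames.ora entry on the Oracle server.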