
Oracle Net Services Security Checklists

Learning Objectives

After completing this topic, you should be able to

recognize the uses of checklists

restrict network IP addresses

encrypt network traffic

1. Using security checklists


Security checklists help ensure that all security requirements are met when
configuring Oracle Net Services.
There are three types of security checklist: client, listener, and network.

client
Client computer authentication is difficult over the Internet. Most Internet services rely on
user authentication. There are some steps that you can take to secure the client computer.

listener
The listener is the gateway to the network. For secure communication, the network traffic
is encrypted, and some privileges of the listener are restricted.

network
Network security is enforced by protecting the network traffic from being accessed or
modified. In addition to restricting physical access to the network, you must protect the
access points to the network from unauthorized access. This is done by protecting the
network-related software on computers, bridges, and routers.
If your data needs to be secure, you must use encryption. Firewalls are used to prevent
access to the intranet of your organization when you allow Internet access.


Learning Aid
Use the learning aid Style Considerations for more information on the style
considerations for the Oracle 11g Database used in this course.

If you can physically secure the client computer, and are using the client-server model,
you can configure it to use strong authentication, such as certificates. A certificate issued
to the client computer authenticates anyone who uses that computer. For example, this
model could be used with a client computer in a public kiosk.
For additional security, configure the client computer to encrypt sensitive network traffic.
With Oracle Advanced Security, also known as ASO, you can configure the client
computer to use the secure sockets layer, commonly known as SSL, strong
authentication techniques, and end-to-end encryption over the Oracle Net protocol. ASO
does not provide any benefit for browser-based clients.
In most cases, authentication requires the user to be identified, rather than the client
computer. Make sure to properly educate users about the importance of security.
Users can be fooled into giving out identity information, such as account names and
passwords, on the phone by malefactors posing as help-desk technicians. Users should
not leave open sessions unattended, write down passwords, or use easy-to-guess
passwords.

Question
An intruder phoned one of your users posing as a help-desk technician. The user
gave this intruder the username and password, and the intruder was able to gain
access to internal network resources.
What would prevent this from happening in the future?
Options:
1. Ensuring that you are using certificate-based authentication to ensure that external
users cannot access your network
2. Implementing ASO to add an extra layer of security
3. Prioritizing user education and making users aware that they should not provide
their password to anyone, including internal employees
4. Ensuring that users close all open sessions when they physically leave their
computer

Answer
Option 1: This option is incorrect. Certificate-based authentication is a good
method to validate who the user is, but if an intruder has access to a user's
credentials and can initiate an unattended session, then they could get around the
certificate mechanisms.
Option 2: This option is incorrect. ASO can be used to configure the client
computer to use SSL, strong authentication techniques, and end-to-end
encryption over the Oracle Net protocol. However, if an intruder has access to a
user's credentials and can initiate an unattended session, then they could get
around the certificate mechanisms.
Option 3: This option is correct. Educating the user is often a security mechanism
that is overlooked. One of the first rules is that users should not give out their
passwords, even if they are requested from a network administrator or manager.
Option 4: This option is correct. A user should close all sessions when they leave
their computer and ideally shut down their system at the end of their work day.
Even if network credentials are known, an unattended session can't be started if
there aren't any sessions running.
Correct answer(s):
3. Prioritizing user education and making users aware that they should not provide
their password to anyone, including internal employees
4. Ensuring that users close all open sessions when they physically leave their
computer
Client computers can be insecure because of the following issues:

spoofing of IP addresses
Often, the client computer cannot be secured. The IP address of the computer can be
spoofed, because any computer can easily be set to use that address.
An unattended session can allow anyone with access to the computer to assume the
user's identity. Any computer that is not physically secure can be broken into by anyone
with a boot disk.

operating system vulnerabilities, and
Client systems that are administered by the user are vulnerable to attack because of
weaknesses in the operating system or in other software loaded on the system. The user
often does not have the system-administration skills that are required to secure the
computer and its software.
Your security is only as strong as its weakest link. Weak operating system authorization
on client computers can lead to a security infraction. A breach of the client's operating
system can allow an intruder to use an identifier stored on that system to assume the
identity of the user or client computer.

not being physically secure
A safe assumption is that the client computers are not secure. By using ASO, you can require
strong authentication of the user with biometrics, certificates, smart cards, and so on.
If you are using Oracle Net Services from the client, ASO can provide additional measures,
such as session encryption and message checksums, which provide additional assurance that
session data is not being diverted, altered, or subject to eavesdropping.
The most popular Internet browsers include two security features: SSL encryption and
decryption, and authentication of the client computer and the server.
SSL encryption and decryption is enforced by using the HTTPS protocol, which is HTTP
over SSL.
Authentication of the client computer and the server is enforced by using one of the
following three methods:

server authentication
The server is authenticated by setting options on the browser to validate certificates. The
server authenticates to the browser and, in most cases, the user decides whether to
accept the certificate. (This is the most common.)

client authentication, and
The client computer is authenticated by storing the appropriate certificates in the browser.
Most organizations and users do not use client or user certificates.

two-way authentication
Two-way authentication requires that the client authenticate to the server and the
server authenticate to the client. This is a secure method of assuring that the client
and the server are truly the expected computers. This method requires that both have
certificates. (This is very seldom implemented.)
Data access and secure transfer of data are important considerations when deploying
Oracle Database.
Network security is enhanced by

using a firewall

restricting IP addresses

encrypting network traffic

preventing remote administration of Connection Manager, also known as CMAN, and

using network log files to monitor connections

2. Restricting IP addresses

A firewall is a single point of control on a network. It is used to prevent unauthorized client
computers from reaching the server. It acts as a filter, screening out unauthorized network
users from using the intranet. It does this by enforcing access control on the basis of the
contents of the packets of data that are being transmitted. It can thus protect against
attacks on individual protocols or applications.
Firewalls are rule based. They have a list of rules that define which client computers can
connect and which cannot. They compare the client computer's host name or IP
address with the rules, and either grant the client computer access or not.
A firewall protects the perimeter. It cannot protect from insider threats. Many
organizations partition their networks with departmental firewalls to further limit privileges.
You can use the Oracle Net valid node checking security feature to allow or deny access
to the Oracle server processes from network client computers with specified IP
addresses.
By restricting client computer IP addresses from making connections to the Oracle
instance, you can limit access to the database. The listener is responsible for making this
check.
To limit database access, you set the following parameters in the SQLNET.ORA file:

Code
tcp.validnode_checking = YES
tcp.excluded_nodes = (135.245.234.44)
tcp.invited_nodes = (144.198.58.146, 144.198.58.147)

Syntax
tcp.excluded_nodes = {list of IP addresses}
tcp.invited_nodes = {list of IP addresses}

These parameters enable you to perform the following actions:

turn on the valid node checking feature
If TCP.VALIDNODE_CHECKING is set to YES, Oracle Net Services checks the
TCP.EXCLUDED_NODES and TCP.INVITED_NODES parameters to determine
which client computers are allowed access to the database. The default value is NO.

deny access from specific nodes, and
The TCP.EXCLUDED_NODES parameter specifies which client computers that use TCP/IP
are denied access to the database. The format is the following:
tcp.excluded_nodes = {list of IP addresses}

allow access from specific nodes
The TCP.INVITED_NODES parameter specifies which client computers that use the
TCP/IP protocol are allowed access to the database. The format is the following:
tcp.invited_nodes = {list of IP addresses}

If the TCP.INVITED_NODES list does not include the listener node, the lsnrctl
process cannot contact the listener, so the start, stop, and administration
commands cannot be performed. If either list contains an invalid host name, or the
IP address lookup for one of the listed nodes fails, the lsnrctl process likewise
cannot contact the listener.
The TCP.INVITED_NODES and TCP.EXCLUDED_NODES lists can be used independently.
If TCP.EXCLUDED_NODES is used by itself, only the nodes listed are blocked. If
TCP.INVITED_NODES is used by itself, only the nodes listed are allowed to
connect. If both are used together, the TCP.INVITED_NODES list takes precedence.
IP addresses or node names can be used in either list. There are no recognized
wildcards for IP addresses or partial IP addresses.
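The listener-side decision that the TCP.VALIDNODE_CHECKING, TCP.EXCLUDED_NODES and TCP.INVITED_NODES rules above describe, as an added example that is not Oracle's code. It assumes a constructed sqlnet.ora fragment and a constructed host table in place of DNS (the kiosk.example and dbadmin.example names are made up).

```python
"""Model of Oracle Net valid node checking as described above.

Added example, not Oracle's listener code: it reads the three TCP.* parameters
from a constructed sqlnet.ora fragment (the page's example plus two host names)
and applies the rules the text gives. Host name resolution is replaced by a
constructed lookup table so that the example runs offline; an unresolvable name
raises LookupError, standing in for the lookup error that keeps lsnrctl from
contacting the listener.
"""
import re

# Constructed sqlnet.ora fragment (page example plus two host names)
SQLNET_ORA = """
tcp.validnode_checking = YES
tcp.excluded_nodes = (135.245.234.44, kiosk.example)
tcp.invited_nodes = (144.198.58.146, 144.198.58.147, dbadmin.example)
"""

# Constructed stand-in for DNS
HOSTS = {"kiosk.example": "10.9.8.7", "dbadmin.example": "144.198.58.150"}

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_sqlnet(text):
    """'name = value' lines; a parenthesised value becomes a list of entries."""
    params = {}
    for m in re.finditer(r"^\s*([\w.]+)\s*=\s*(.+?)\s*$", text, re.M):
        key, value = m.group(1).lower(), m.group(2)
        params[key] = [v.strip() for v in value.strip("()").split(",")] if value.startswith("(") else value
    return params


def _entries(params, key):
    """Tolerate a single unparenthesised node as well as a list."""
    value = params.get(key, [])
    return value if isinstance(value, list) else [value]


def resolve(node):
    """IP addresses are used as-is; names go through the lookup table (no wildcards, no partial addresses)."""
    if IPV4.match(node):
        return node
    if node not in HOSTS:
        raise LookupError(f"cannot resolve node {node!r}")
    return HOSTS[node]


class NodeFilter:
    """The listener-side decision for a TCP/IP client."""

    def __init__(self, params):
        self.enabled = str(params.get("tcp.validnode_checking", "NO")).upper() == "YES"
        # Both lists are resolved when the listener starts, so a bad entry surfaces here
        self.excluded = {resolve(n) for n in _entries(params, "tcp.excluded_nodes")}
        self.invited = {resolve(n) for n in _entries(params, "tcp.invited_nodes")}

    def allows(self, client_ip):
        if not self.enabled:
            return True                        # default NO: neither list is consulted
        if self.invited:
            return client_ip in self.invited   # invited list takes precedence when both are set
        return client_ip not in self.excluded  # excluded list alone: only listed nodes are blocked

    def lsnrctl_can_connect(self, listener_ip):
        """lsnrctl is just another TCP client: the listener's own node must pass the check."""
        return self.allows(listener_ip)


if __name__ == "__main__":
    f = NodeFilter(parse_sqlnet(SQLNET_ORA))
    for ip in ("144.198.58.146", "144.198.58.150", "135.245.234.44", "192.0.2.10"):
        print(ip, "allowed" if f.allows(ip) else "denied")
    print("lsnrctl on 127.0.0.1:", "ok" if f.lsnrctl_can_connect("127.0.0.1") else "blocked")
```

With the constructed fragment the listener's own loopback address is not invited, so lsnrctl is blocked, which is exactly the misconfiguration the paragraph warns about.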


Question
Which statements best describe the Oracle Net valid node checking security
feature?
Options:
1. By default, this feature is enabled
2. IP addresses or host names can be used for the TCP.EXCLUDED_NODES and
TCP.INVITED_NODES parameters
3. The TCP.EXCLUDED_NODES and TCP.INVITED_NODES parameters can be used
independently
4. The TCP.EXCLUDED_NODES parameter takes precedence over the
TCP.INVITED_NODES parameter

Answer
Option 1: This option is incorrect. By default, the TCP.VALIDNODE_CHECKING
parameter is set to NO. The TCP.EXCLUDED_NODES and TCP.INVITED_NODES
parameters will not be checked unless this is set to YES.
Option 2: This option is correct. IP addresses or node names may be used in the
TCP.EXCLUDED_NODES or TCP.INVITED_NODES parameters. These parameters
are used to determine which client computers must be allowed access to the
database.
Option 3: This option is correct. The TCP.EXCLUDED_NODES and
TCP.INVITED_NODES parameters can be used independently. When
TCP.EXCLUDED_NODES is used by itself, only the nodes listed will be denied
access. When TCP.INVITED_NODES is used by itself, only the nodes listed will
be granted access.
Option 4: This option is incorrect. When both the TCP.EXCLUDED_NODES and
TCP.INVITED_NODES parameters are used together, TCP.INVITED_NODES
takes precedence.
Correct answer(s):
2. IP addresses or host names can be used for the TCP.EXCLUDED_NODES and
TCP.INVITED_NODES parameters
3. The TCP.EXCLUDED_NODES and TCP.INVITED_NODES parameters can be
used independently
RELOAD does not cause the listener to read the sqlnet.ora file. You must stop and restart
the listener to have changes to these parameters take effect.



Network IP restrictions can help secure access to your server.
Consider the following guidelines:

do not use IP address restriction alone for authorization
Because IP addresses can be spoofed, do not use this technique as your primary method
for authorizing users.

use Connection Manager, also known as CMAN, to limit access by node, and
IP restrictions can be enhanced by using them in conjunction with CMAN. CMAN is a
rule-based firewall, allowing connections on matches of source, destination, and service.
Clients can be forced to come through CMAN nodes to access the server when IP
restrictions are used.

limit access by protocol
The protocols included in the LISTENER.ORA file limit which protocols can access the
database. However, because most networks use the TCP/IP protocol, this restriction is not
as important as it once was.

To start Oracle Net Manager for configuring IP restrictions on a UNIX or Linux system,
run the netmgr command from a shell prompt ($ netmgr).
To start Oracle Net Manager on Windows, select Start - Programs - Oracle OraDB11g_home1 - Configuration and Migration Tools - Net Manager.

Graphic
The welcome screen of Oracle Net Manager is open. Oracle Net Manager
enables you to configure three aspects of the network: Naming, Naming
Methods, and Listeners. You can navigate using the File, Edit, Command, and
Help menus from the menu bar. The navigator pane contains two nodes,
Directory and Local, under the Oracle Net Configuration node.

To configure database access control, perform the following steps:
1. start Oracle Net Manager
2. select Local - Profile in the navigator pane
   In addition to the Profile node, the other nodes under the Local node are Service Naming and
   Listeners. The right pane displays a drop-down list and five tabs: Tracing, Logging, Routing,
   Access Rights, and Advanced. The Tracing tabbed page is currently open.
3. select General from the drop-down list in the right pane
   In addition to General, the other list items in the drop-down list are Naming and Oracle
   Advanced Security.
4. click the Access Rights tab
5. ensure that the Check TCP/IP client access rights checkbox is selected, and
   In addition to the Check TCP/IP client access rights checkbox, the page contains two text
   boxes: Clients excluded from access and Clients allowed to access.
6. enter either a host name or an IP address in the two text boxes for a client computer that
   you want to include or exclude, using commas to delimit entries placed on the same line
   A host name is entered in the Clients excluded from access text box. The Clients allowed to
   access text box is currently blank.
It is part of the principle of least privilege to open only those ports on your computer that
are being used. Open ports can give an attacker valuable information, such as the OS
and version, or which services are available. It is important to know which ports on your
computer are open and have a justification for each open port.
Finding the open ports is not an obvious task. The netstat command shows all process
network connections in either the LISTEN or ESTABLISHED state. The ports being used by
installed Oracle products are listed in the portlist.ini file in the ORACLE_HOME/install
directory. The listener ports are defined in the LISTENER.ORA file in the TNS_ADMIN or
ORACLE_HOME/network/admin directory.
The CMAN listener port is assigned in the cman.ora file, but the ports used by the
gateway and administration processes are seemingly random. All the ports used by
CMAN processes can be seen by using the SHOW SERVICES command in CMCTL.
The dispatcher ports can be seen through the lsnrctl tool with the SERVICES command
if the dispatchers have registered with the listener. Other ports can be checked with
port-scanning tools, such as nmap.
Make sure to ask permission and notify the proper administrators before scanning ports.
Some firewall software and intrusion-detection software can detect a port scan and block
the scan, possibly closing ports to all traffic.
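One way to produce the list of justified ports that the paragraph calls for, as an added example that is not part of the course: it reconciles the LISTEN lines of netstat output against the PORT entries of listener.ora and the assignments in portlist.ini. The listener.ora, portlist.ini and netstat output are constructed samples; the ports left unexplained (here a dispatcher on 5500 and sshd on 22) are the ones to confirm with lsnrctl SERVICES or justify by hand.

```python
"""Reconciling listening ports against the files that justify them.

Added example, not part of the course: it parses the PORT entries of a
listener.ora, the port assignments in portlist.ini and the LISTEN lines of
`netstat -lntp` output, then reports every listening port that neither file
accounts for. All three inputs below are constructed samples, not real files.
"""
import re

# Constructed listener.ora with a TCP and a TCPS address
LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = dbhost.example)(PORT = 2484))
    )
  )
"""

# Constructed portlist.ini in the "description = port" layout
PORTLIST_INI = """
[System Settings]
Enterprise Manager Console HTTP Port (orcl) = 1158
Enterprise Manager Agent Port (orcl) = 3938
"""

# Constructed `netstat -lntp` output; 5500 is a dispatcher, 22 is sshd
NETSTAT_OUT = """
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:1521            0.0.0.0:*               LISTEN      2345/tnslsnr
tcp        0      0 0.0.0.0:2484            0.0.0.0:*               LISTEN      2345/tnslsnr
tcp        0      0 0.0.0.0:1158            0.0.0.0:*               LISTEN      2601/java
tcp6       0      0 :::5500                 :::*                    LISTEN      2400/ora_d000_orcl
"""


def listener_ports(text):
    """Every (PORT = n) inside an ADDRESS of listener.ora."""
    return {int(p) for p in re.findall(r"\(\s*PORT\s*=\s*(\d+)\s*\)", text, re.I)}


def portlist_ports(text):
    """'description = port' lines of portlist.ini, mapped port -> description."""
    ports = {}
    for m in re.finditer(r"^\s*([^=\[\]]+?)\s*=\s*(\d+)\s*$", text, re.M):
        ports[int(m.group(2))] = m.group(1)
    return ports


def listening_ports(text):
    """LISTEN entries of netstat output, mapped port -> owning program."""
    result = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        port = int(fields[3].rsplit(":", 1)[1])  # works for 0.0.0.0:1521 and :::5500
        result[port] = fields[6] if len(fields) > 6 else "?"
    return result


def audit(netstat_text, listener_text, portlist_text):
    """Return {port: (program, justification)}; justification is None when no file explains the port."""
    lsnr = listener_ports(listener_text)
    plist = portlist_ports(portlist_text)
    report = {}
    for port, program in listening_ports(netstat_text).items():
        if port in lsnr:
            why = "listener.ora"
        elif port in plist:
            why = f"portlist.ini: {plist[port]}"
        else:
            why = None  # dispatcher and CMAN ports land here: check lsnrctl SERVICES / CMCTL
        report[port] = (program, why)
    return report


def unjustified_ports(netstat_text, listener_text, portlist_text):
    """Sorted list of listening ports that still need a justification from the administrator."""
    return sorted(p for p, (_, why) in audit(netstat_text, listener_text, portlist_text).items()
                  if why is None)


if __name__ == "__main__":
    for port, (program, why) in sorted(audit(NETSTAT_OUT, LISTENER_ORA, PORTLIST_INI).items()):
        print(f"{port:>6}  {program:<20} {why or 'NO JUSTIFICATION FOUND'}")
```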

Question
You recently ran the netstat command to review the open ports on your Oracle
server. You know there are more ports open than are needed, and your security
manager has asked for a list of required open ports for Oracle.

What tools can help you to produce this list?


Options:
1. You can review the portlist.ini file in the ORACLE_HOME/install directory
2. You can review the LISTENER.ORA file in the TNS_ADMIN or
ORACLE_HOME/network/admin directory
3. You can review the cman.ora file to determine all of the CMAN specific ports
4. You can use port-scanning tools such as nmap to scan the ports of all nodes to
which your Oracle server is connected

Answer
Option 1: This option is correct. The ports being used by installed Oracle products
are listed in the portlist.ini file in the ORACLE_HOME/install directory. This file
should give you the most complete list of ports that are required.
Option 2: This option is correct. The listener ports are defined in the
LISTENER.ORA file in the TNS_ADMIN or ORACLE_HOME/network/admin
directory. This will tell you what ports the listener requires.
Option 3: This option is incorrect. The CMAN listener port is assigned in the
cman.ora file, but the ports used by the gateway and administration processes are
seemingly random. All the ports used by CMAN processes can be seen by using
the SHOW SERVICES command in CMCTL.
Option 4: This option is incorrect. In most cases, network intrusion software will
view this as an attack on the network. This could result in closing all ports on the
network to traffic.
Correct answer(s):
1. You can review the portlist.ini file in the ORACLE_HOME/install directory
2. You can review the LISTENER.ORA file in the TNS_ADMIN or
ORACLE_HOME/network/admin directory

3. Encrypting network traffic


Although you may want to avoid the overhead of encrypting and decrypting internal
network communication, remember that 70% of security violations are from internal
sources.
Both SSL and Oracle Net native encryption encrypt all network traffic between a client
and a server. Although the SSL solution also provides authentication, it requires the use
of certificates. Oracle Net native encryption provides end-to-end encryption in an n-tier
environment without a certificate.
The following information is encrypted to ensure security:

sensitive client-server communication
Use the HTTPS protocol to encrypt sensitive data passed between the client computer and
the HTTP server.

Oracle Net Services traffic, and
Use Oracle Advanced Security, also known as ASO, to encrypt network traffic between
client computers, databases, and application servers. ASO is available only with the
Enterprise Edition of Oracle Database.
ASO provides data encryption and integrity for all network protocols into Oracle Database,
including Oracle Net with native encryption; Oracle Net/SSL; Internet Inter-ORB Protocol,
also known as IIOP/SSL; and Java-based encryption for thin Java Database Connectivity,
abbreviated as JDBC, clients. Connection Manager, commonly referred to as CMAN,
handles network traffic by using native encryption.
The address entry to use the TCPS protocol is the following:

Code
...
(ADDRESS=
  (PROTOCOL=tcps)
...

transparent gateway traffic
If you are using a transparent gateway to interface to another database, network
communications that use Oracle Net Services can be encrypted by using Oracle Advanced
Security, also known as ASO.
The client computer communicates with the Oracle instance by using Oracle Net Services,
the Oracle instance communicates with the transparent gateway by using Oracle Net
Services, and the gateway communicates with the other database over an encrypted
network connection or a memory-to-memory connection.
How the transparent gateway communicates with the other database is dependent on the
options offered by that database vendor.

ASO provides the ability to have end-to-end encryption. This option allows the encryption
of all the Oracle Net packets. ASO and CMAN are not supported together.
ASO supports four common encryption methods:

DES
The U.S. Data Encryption Standard, also known as DES, algorithm uses symmetric key
cryptography. This encryption method is not recommended.

3DES
Triple-DES encryption encrypts message data with three passes of Data Encryption
Standard, also known as DES.

RSA RC4, and
The RC4 algorithm, developed by RSA Security, Inc., uses a secret, randomly generated
key that is unique to each session.

AES
Advanced Encryption Standard, also known as AES, is a new cryptographic algorithm that
uses cipher keys with lengths of 128, 192, and 256 bits.
Network encryption provides varying levels of security and performance for different types
of data transfers. Longer key length provides stronger encryption and is harder to break,
but uses more resources during encryption and decryption.
Use Oracle Net Manager to configure the SQLNET parameters for network encryption on
both the client and server.

Graphic
The Encryption tabbed page of the Oracle Net Manager screen is open and
contains the fields for providing the encryption details, such as encryption,
encryption type, encryption seed, available encryption methods, and selected
encryption methods.

The parameters can also be set manually in the sqlnet.ora file for both the client and
the server:

client
The parameters set for the client are SQLNET.ENCRYPTION_CLIENT and
SQLNET.ENCRYPTION_TYPES_CLIENT. The default values for client encryption allow
clients to connect however the server is configured.

server
The parameters for the server are similar: SQLNET.ENCRYPTION_SERVER and
SQLNET.ENCRYPTION_TYPES_SERVER.

ENCRYPTION_SERVER and ENCRYPTION_CLIENT accept four valid values: accepted,
rejected, requested, and required. The default value for both is accepted. If the
server specifies required and the client is not set to rejected, an encrypted
connection is attempted.
ENCRYPTION_TYPES lists the allowed encryption algorithms. At least one of the types
listed on both the client and the server must be the same for the encrypted connection to be
set up. The server list is used, in order, to find an algorithm that is available on the client.
If no algorithm is specified on the server, all installed algorithms are tried.
Checksumming ensures the integrity of data packets. A checksum or digest is produced
by applying the checksumming algorithm to all the data. The same algorithm is applied at
the packet destination. If the checksum produced has a different value, the data has been
changed during transmission.
To ensure the integrity of data packets during transmission, the checksumming algorithm
generates a cryptographically secure message digest and includes it with each message
sent across a network. Data integrity algorithms add little overhead and protect against
data modification, deleted packets, and replay attacks.
ASO supports the common industry-standard algorithms MD5 and SHA-1. SHA-1 is slightly
slower than MD5, but produces a larger message digest, which makes it more secure against
brute-force collision and inversion attacks.

Question
Identify the features of checksumming.
Options:
1. It ensures the integrity of data packets
2. ASO supports MD5 but not SHA-1
3. The checksumming algorithm generates a cryptographically secure message digest
4. Data integrity algorithms add a lot of overhead and should be used sparingly

Answer
Option 1: This option is correct. Checksumming ensures the integrity of data
packets during transmission by generating a cryptographically secure message
digest that is included with each message sent across a network.
Option 2: This option is incorrect. ASO supports the common industry-standard
algorithms MD5 and SHA-1. SHA-1 is slightly slower than MD5, but produces a
larger message digest to make it more secure against brute-force collision and
inversion attacks.
Option 3: This option is correct. A checksum or digest is produced by applying the
checksumming algorithm to all the data. The same algorithm is applied at the
packet destination. If the checksum produced has a different value, the data has
been changed during transmission.

Option 4: This option is incorrect. Data integrity algorithms add little overhead and
protect against data modification, deleted packets, and replay attacks.
Correct answer(s):
1. It ensures the integrity of data packets
3. The checksumming algorithm generates a cryptographically secure message
digest
Use Net Manager to configure the SQLNET parameters on the client and server that
control data integrity (checksumming).

Graphic
The Oracle Net Manager screen is open. The Integrity tabbed page of the Profile
node is open. The page contains fields for providing details such as integrity,
checksum level, available encryption methods, and selected encryption methods.

These parameters can also be set manually in the sqlnet.ora file for both the server and
the client:

server
The parameters for the server are SQLNET.CRYPTO_CHECKSUM_SERVER and
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER.

client
The parameters for the client are SQLNET.CRYPTO_CHECKSUM_CLIENT and
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT.

The CRYPTO_CHECKSUM_CLIENT and CRYPTO_CHECKSUM_SERVER parameters have
four valid values: accepted, rejected, requested, and required. The default
value for both is accepted. If the server specifies required, and the client is not set to
rejected, checksumming on the connection will be attempted.
On both the client and server, CRYPTO_CHECKSUM_TYPES determines the algorithms that
will be tried. The server will try each algorithm in order until a matching algorithm on the
client is found. If no matching algorithm is found, the connection will revert to no
checksumming, or fail, depending on the setting of CRYPTO_CHECKSUM on both the client
and the server. If no algorithms are specified, all installed algorithms will be tried.
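The negotiation rules given above for encryption (ENCRYPTION_CLIENT/SERVER and ENCRYPTION_TYPES) and for checksumming (CRYPTO_CHECKSUM_CLIENT/SERVER and CRYPTO_CHECKSUM_TYPES), modelled in one added example that is not Oracle's code. The server and client settings are constructed to match the course exercise (the server requires AES256, AES192 or AES128; the client requires AES192 only and SHA1 checksumming), and the list of installed algorithms is an assumption.

```python
"""Model of the Oracle Net encryption and integrity (checksum) negotiation described above.

Added example, not Oracle's code. Both sides' sqlnet.ora settings are given as
plain dicts keyed by the SQLNET.* parameter names from this page, constructed
to match the course exercise. negotiate() applies the rules the text gives:
accepted on both sides leaves the feature off; a side set to rejected turns it
off, unless the other side set required, in which case the connection fails;
otherwise the server's type list is walked in order until an algorithm is found
that the client also lists. With no common algorithm the feature is skipped, or
the connection fails if either side set required.
"""

# Constructed: algorithms assumed installed on both sides; used when a TYPES list is empty
INSTALLED = {
    "encryption": ["AES256", "AES192", "AES128", "3DES168", "RC4_128", "DES"],
    "checksum": ["SHA1", "MD5"],
}

# Constructed server profile (exercise Task 3) and client profile (Tasks 4 and 5)
SERVER = {
    "SQLNET.ENCRYPTION_SERVER": "required",
    "SQLNET.ENCRYPTION_TYPES_SERVER": ["AES256", "AES192", "AES128"],
    # no SQLNET.CRYPTO_CHECKSUM_SERVER: default accepted, all installed algorithms tried
}
CLIENT = {
    "SQLNET.ENCRYPTION_CLIENT": "required",
    "SQLNET.ENCRYPTION_TYPES_CLIENT": ["AES192"],
    "SQLNET.CRYPTO_CHECKSUM_CLIENT": "required",
    "SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT": ["SHA1"],
}

MODES = ("rejected", "accepted", "requested", "required")


def negotiate(client_mode, server_mode, client_types, server_types, installed):
    """Return ("on", algorithm), ("off", None) or ("fail", reason) for one feature."""
    c, s = client_mode.lower(), server_mode.lower()
    if c not in MODES or s not in MODES:
        raise ValueError(f"invalid mode: client={client_mode!r} server={server_mode!r}")
    if "rejected" in (c, s):
        # a side set to rejected never negotiates; the other side's required makes that fatal
        if "required" in (c, s):
            return ("fail", "one side rejects what the other requires")
        return ("off", None)
    if c == "accepted" and s == "accepted":
        return ("off", None)  # the default on both sides: nothing is switched on
    # at least one side asks for the feature: server list in order, first one the client also has
    for alg in (server_types or installed):
        if alg in (client_types or installed):
            return ("on", alg)
    if "required" in (c, s):
        return ("fail", "no common algorithm")
    return ("off", None)


def negotiate_session(client, server):
    """Apply negotiate() to both features using the SQLNET.* parameters of each side."""
    result = {}
    for feature, prefix in (("encryption", "ENCRYPTION"), ("checksum", "CRYPTO_CHECKSUM")):
        result[feature] = negotiate(
            client.get(f"SQLNET.{prefix}_CLIENT", "accepted"),
            server.get(f"SQLNET.{prefix}_SERVER", "accepted"),
            client.get(f"SQLNET.{prefix}_TYPES_CLIENT", []),
            server.get(f"SQLNET.{prefix}_TYPES_SERVER", []),
            INSTALLED[feature],
        )
    return result


if __name__ == "__main__":
    for feature, outcome in negotiate_session(CLIENT, SERVER).items():
        print(f"{feature:<10} {outcome}")
```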
You can understand and resolve network problems better through the use of Oracle Net
Services log and trace files. These files keep track of the interaction between network
components as errors occur.

Graphic

The log files are connected to their corresponding components. The listener.log
file is connected to the listener, the sqlnet.log file to the database server, the
<name>_pid.log file to the CMAN listener, <name>_cmadm_pid.log to the
CMADMIN process, and <name>_cmgw_pid.log file to the CMGW process.
Evaluating this information helps you to diagnose and troubleshoot even the most
complex network problems. These files can also be used to resolve security problems.
Trace files contain some of the same information that is included in log files; however,
the format in the log file is easier to read. The trace file is used for debugging.
All errors encountered in Oracle Net Services are appended to a log file. When the error
message on the screen is inadequate to understand the failure, this file provides you with
additional information to resolve the problem. The log file, by way of the error stack,
shows the state of the software at various layers.
The log file for the listener also includes audit trail information about every client
connection request, as well as most listener control commands.
A number of log files are created by Oracle Net Services components.
The following list includes the default log file names and the component that generates
the log:

sqlnet.log: client computer or database server

listener.log: listener

cman_name_pid.log (UNIX) or cmanpid.log (Windows NT): Oracle Connection Manager listener
process
In this example, the <name>_pid.log file format is associated with the CMAN listener.

cman_name_cmgw_pid.log (UNIX) or cman_namecmgwpid.log (Windows NT): Oracle Connection
Manager gateway process, and
In this example, the <name>_cmgw_pid.log file format is associated with the CMGW process.

cman_name_cmadm_pid.log (UNIX) or cman_namecmadmpid.log (Windows NT): Oracle
Connection Manager administrative process
In this example, the <name>_cmadm_pid.log file format is associated with the CMADMIN process.

Summary
In this topic, you've learned how security checklists are used, how to restrict IP
addresses, and how network traffic is encrypted.

Configuring Net Security

Learning Objective

After completing this topic, you should be able to

configure Net Security

Exercise overview
You want to implement network encryption and checksumming using Oracle Net
Manager.
In this exercise, you're required to create the ORACLE listener and the UORACLE net
service name, and configure the sqlnet.ora file using Oracle Net Manager for encryption
and checksumming.
This involves the following tasks:

creating a listener

creating a net service name

configuring sqlnet.ora

using AES192 encryption

configuring checksumming

Task 1: Creating a listener


Using Oracle Net Manager, you want to create a listener.ora file for a separate listener.
Create a listener called "oracle." Add an address that uses TCP/IP as the protocol.
Specify a host of "localhost2.easynomadtravel.com" and 1521 as the port. Then save the
network configuration.

Steps list
Instructions
1. Expand the Local node
2. Select Listeners
3. Click the Add icon
4. Type oracle in the Listener Name text box and click OK
5. Click Add Address
6. Select Save Network Configuration from the File menu

Task 2: Creating a net service name

You have edited the listener.ora file to include the line


DIAG_ADR_ENABLED_ORACLE=OFF and have started the listener. You now want to
create the net service name. Create the net service name "uoracle." Specify
"localhost2.easynomadtravel.com" as the host name and "orcl2" as the Oracle8i or later
service name. Test the connection, complete the wizard, and save the network
configuration. Accept all other default selections.

Steps list
Instructions
1. Select Service Naming
2. Click the Add icon
3. Type uoracle in the Net Service Name text box and click Next
4. Click Next
5. Type localhost2.easynomadtravel.com in the Host Name text box and click Next
6. Type orcl2 in the (Oracle8i or later) Service Name text box and click Next
7. Click Test
8. Click the Close icon
9. Click Finish
10. Select Save Network Configuration from the File menu

Task 3: Configuring sqlnet.ora


You now want to use Oracle Net Manager to configure the server sqlnet.ora file. Access
the Profile page and configure Oracle Advanced Security options. Specify that server
encryption is required using one of the AES256, AES192, and AES128 encryption
algorithms. Specify an encryption seed of "kjhgfdsa0987654321." Save the network
configuration and accept all other default selections.

Steps list
Instructions
1. Select Profile
2. Select Oracle Advanced Security from the drop-down list
3. Click the Encryption tab
4. Select required from the Encryption Type drop-down list
5. Type kjhgfdsa0987654321 in the Encryption Seed text box
6. Select AES256 from the Available Methods list and click the > button
7. Select AES192 from the Available Methods list and click the > button
8. Select AES128 from the Available Methods list and click the > button
9. Select Save Network Configuration from the File menu

Task 4: Using AES192 encryption


You have verified the changes to the sqlnet.ora file and now want to change the settings
to require encryption for communication to the client. Access the Profile page and
configure Oracle Advanced Security options. For the client, specify that encryption is
required and an encryption seed of "1234567890asdfghjkl." Use AES192 encryption only
and save the network configuration.

Steps list
Instructions
1. Select Profile
2. Select Oracle Advanced Security from the drop-down list
3. Click the Encryption tab
4. Select CLIENT from the Encryption drop-down list
5. Select required from the Encryption Type drop-down list
6. Type 1234567890asdfghjkl in the Encryption Seed text box
7. Select AES192 from the Available Methods list and click the > button
8. Select Save Network Configuration from the File menu

Task 5: Configuring checksumming


Using Oracle Net Manager, you want to change the settings for sqlnet.ora to require
checksumming for communication to the client. Access the Profile page and configure
Oracle Advanced Security settings. On the Integrity tab, specify that checksumming is
required for the client and that the SHA-1 message digest be used. Save the network
configuration.

Steps list
Instructions
1. Select Profile
2. Select Oracle Advanced Security from the drop-down list
3. Click the Integrity tab
4. Select CLIENT from the Integrity drop-down list
5. Select required from the Checksum Level drop-down list

6. Select SHA1 from the Available Methods list and click the > button
7. Select Save Network Configuration from the File menu

Securing the Listener


Learning Objectives

After completing this topic, you should be able to

restrict listener privileges

administer and monitor a listener

1. Listener security
The listener acts as the gateway to the network, so some of the listener checklist items
are closely related to network checklist items. For example, using secure sockets layer,
also known as SSL, to encrypt network traffic is on the listener checklist and is part of the
network checklist.
The listener checklist includes the following items:

restricting the privileges of the listener

moving the listener to a nondefault port

securing administration by protecting the listener with a password for remote administration and
using SSL when administering the listener

protecting against denial-of-service or DoS attacks, and

monitoring listener activity


The external procedure agent spawned by the listener and the external procedures
executed by the agent inherit the operating system privileges of the listener. If the
privileges of the listener are not limited, external procedures can read from or write to the
database files or the Oracle server address space.
By default, the listener is configured to start external procedures. If you do not intend to
use them, remove the external procedure configuration from the LISTENER.ORA file. If
you are using external procedures, you must restrict the privileges of the listener process.

The owner of this separate listener process should not be the owner that installed the
Oracle software or executes the Oracle instance.
The listener process should not have permission to read from or write to database files or
the Oracle server address space. Also, the owner of this separate listener process should
not be the ORACLE user, which is the default owner of the server executable and
database files.

Question
Which statements best describe restricting the privileges of the listener?
Options:
1.

By default, the listener is configured to start external procedures

2.

The listener process should have permission to read from or write to the Oracle
server address space

3.

If you are using external procedures, you must restrict the privileges of the listener
process

4.

The separate listener process should be the ORACLE user

Answer
Option 1: This option is correct. By default, the listener is configured to start
external procedures. If you do not intend to use them, remove the external
procedure configuration from the LISTENER.ORA file.
Option 2: This option is incorrect. The listener process should not have
permission to read from or write to the database files or the Oracle server address
space.
Option 3: This option is correct. If you are using external procedures, you must
restrict the privileges of the listener process. The owner of this separate listener
process should not be the owner that installed the Oracle software or executes the
Oracle instance.
Option 4: This option is incorrect. The owner of this separate listener process
should not be the ORACLE user, which is the default owner of the server
executable and database files.
Correct answer(s):
1. By default, the listener is configured to start external procedures
3. If you are using external procedures, you must restrict the privileges of the
listener process

The example depicts the LISTENER.ORA configuration for a separate listener process
named EXTPROC_LISTENER.

Code
EXTPROC_LISTENER=
  (DESCRIPTION=
    (ADDRESS=(PROTOCOL=ipc)(KEY=extproc)))
SID_LIST_EXTPROC_LISTENER=
  (SID_LIST=
    (SID_DESC=
      (SID_NAME=plsextproc)
      (ORACLE_HOME=/u1/app/oracle/product/11.1.0/db_1)
      (PROGRAM=extproc)))
The entry in the TNSNAMES.ORA file based on the LISTENER.ORA configuration is as in
this example.
The value in the KEY parameter is used to match the entries in the two files. You can also
configure the LISTENER.ORA and TNSNAMES.ORA files by using Oracle Net
Configuration Assistant.

Graphic
The code to specify the value in the KEY parameter is the following:
KEY=extproc

Code
EXTPROC_CONNECTION_DATA=
  (DESCRIPTION=
    (ADDRESS=(PROTOCOL=ipc)(KEY=extproc))
    (CONNECT_DATA=(SID=plsextproc)))
The following are the privileges required for the user that starts the listener process for
external procedures:

Execute on the $ORACLE_HOME/bin directories

Read on the $ORACLE_HOME/network/* directories

Read access to the directories where the external procedure libraries are stored

Write access on the directories where the listener log and trace files are stored

Write access to the listener configuration files if you are going to save the configuration files (for
example, after changing the listener password), and

Read or Write access (as required) to the directories used by external procedures
The CREATE LIBRARY privilege allows the user to create a library and run modules from
the library. The modules in the library are called external procedures.
The user can grant the EXECUTE privileges on the external procedures by creating a
PL/SQL program unit for the external procedure and granting EXECUTE on the PL/SQL
program unit. External procedures run with the privileges of the listener process that
starts the external procedure.
Only administrators and trusted users should have the CREATE LIBRARY privilege. Limit
the privilege of the listener by creating a separate listener for external procedures.
Perform the following activities when moving the listener to a nondefault port:
hide the listener
It is very common to leave the listener in the default configuration, listening on port 1521.
You must assume that any hacker, internal or external, will know this port number.
Because most remote connects require that the listener set up the connection, you can
reduce illegitimate connections by hiding the listener. This is by no means a serious
barrier, but will help prevent scripted attacks, viruses that make use of default ports, and
unsophisticated attacks that rely on published information.
register the database, and
When you move the listener to a nondefault port, you must give the database the listener
port number with the LOCAL_LISTENER initialization parameter. The database will
automatically register with a listener on the local machine if it is using port 1521, and with a
listener described by the LOCAL_LISTENER parameter.
set a password on the listener
Prior to 10g, if a user had access to lsnrctl, locally or remotely, and knew the port
number, lsnrctl status or lsnrctl services would yield information about the
instances registered with the listener. By setting a password on the listener, only
authenticated users could access this information.
In 10g and later, a remote lsnrctl status or services command yields only the error
TNS-01189: The listener could not authenticate the user, unless the
password is set and provided by the user.

Question
What action would result in the TNS-01189: The listener could not
authenticate the user error when a password is not provided by the user?
Options:
1.

Issuing a remote lsnrctl status or services

2.

Leaving the listener in the default configuration listening on port 1521

3.

Moving the listener to a nondefault port

4.

Setting a password on the listener

Answer
Option 1: This option is correct. In 10g and later releases, a remote lsnrctl
status or services command yields only TNS-01189: The listener could
not authenticate the user, unless the password is set and provided by the
user.
Option 2: This option is incorrect. It is very common to leave the listener in the
default configuration listening on port 1521. Although you should assume that any
hacker will know this port number, it would not result in the provided error.
Option 3: This option is incorrect. When you move the listener to a nondefault
port, you must give the database the listener port number with the
LOCAL_LISTENER initialization parameter. This will not result in the provided
error.
Option 4: This option is incorrect. Prior to 10g, if a user had access to lsnrctl,
locally or remotely, and knew the port number, lsnrctl status or lsnrctl
services would yield information about the instances registered with the listener.
By setting a password on the listener, only authenticated users could access this
information.
Correct answer(s):
1. Issuing a remote lsnrctl status or services
In Oracle Database 11g, by default, the listener can be administered only from the node
that it is running on and by the process owner and group. A password is required only if
you want to remotely administer the listener or allow other users to manage the listener.
The PASSWORDS_listener_name parameter stores an encrypted password for a
listener. If a password is not present, it cannot be guessed.

Unless you absolutely need remote listener administration, do not add a password. If you
do add one, be certain to monitor the logs for password guessing, use a strong password,
and change it according to your schedule.

Code
LSNRCTL> CHANGE_PASSWORD
Old password: lsnrc80
New password: lsnrc90
Reenter new password: lsnrc90
LSNRCTL> SET PASSWORD
Password:
The command completed successfully
LSNRCTL> SAVE_CONFIG
The command completed successfully
Use the CHANGE_PASSWORD command of the Listener Control utility or Oracle Net
Manager to set or modify an encrypted password in the PASSWORDS_listener_name
parameter in the LISTENER.ORA file.
For example, using the default listener name of LISTENER and the
PASSWORDS_listener_name parameter, with an encrypted password, may appear like
this example.

Graphic
The example is the following:
PASSWORDS_LISTENER=(2D6C48144CF753AC)


An encrypted password can be set by using either the CHANGE_PASSWORD command of
the Listener Control utility or Oracle Net Manager.
To set or modify an encrypted password with Oracle Net Manager, perform the following
steps:

Graphic
The welcome page of Oracle Net Manager is open. Oracle Net Manager enables
you to configure three aspects of the network Naming, Naming Methods, and
Listeners. You can navigate using the File, Edit, Command, and Help menus from
the menu bar. The navigator pane contains two nodes Directory and Local
under the Oracle Net Configuration node.
1. select Oracle Net Configuration - Local - Listeners in the navigator pane
The starting node, Oracle Net Configuration contains Directory and Local nodes. The Local node
is expanded to Profile, Service Naming, and Listeners.
2. select a listener
The listener that is currently selected is LISTENER.
3. select General Parameters from the drop-down list in the right pane, and
In addition to General Parameters, the other list items in the drop-down list are Listening Locations,
Database Services, and Other Services.
4. click the Authentication tab
The General tabbed page is open. In addition to the Authentication tab, the other tab that is available is
Logging & Tracing.
Remaining steps to perform to set or modify an encrypted password with Oracle Net
Manager are the following:

select the Require a Password for Listener Operations option


The other option that is available is Do Not Require a Password for Listener Operations. Currently,
the Change Password dialog box is also open requesting a new password.

enter the password in the New Password field, and reenter the password in the Confirm New
Password field, and
The corresponding password is entered in these fields. In addition, the Change Password dialog
box contains the Old Password field, which is currently disabled.

select File - Save Network Configuration


The other menu options available in the File menu are Open Network Configuration, Save As,
Revert to Saved Configuration, and Exit.

To set a new encrypted password with the CHANGE_PASSWORD command, issue these
commands from the Listener Control utility. The user input is in bold. The password is not
displayed when entered, but asterisks are used in the example.
If you are performing administrative operations locally, the password is never considered.
If you are administering the listener remotely, because you have changed the password
used to configure the listener, you must reset the current password with the SET
PASSWORD command before saving the configuration.

Code
LSNRCTL> CHANGE_PASSWORD
Old password: lsnrc80
New password: lsnrc90
Reenter new password: lsnrc90
LSNRCTL> SET PASSWORD
Password: *******
The command completed successfully
LSNRCTL> SAVE_CONFIG
The command completed successfully
You can restrict runtime administration of the listener by using the
ADMIN_RESTRICTIONS_listener_name parameter. When this parameter is set, the
listener refuses to accept the SET commands that alter its parameters. This feature
provides additional security on the locally managed listener.
To change any of the listener parameters, including
ADMIN_RESTRICTIONS_listener_name, modify the LISTENER.ORA file, and use the
RELOAD command to reload the parameters. This RELOAD command enables the new
changes without explicitly stopping and restarting the listener.
To turn the parameter on for the default listener, enter the LISTENER.ORA parameter.

Code
ADMIN_RESTRICTIONS_LISTENER=ON
To turn the parameter on for a listener named PAY_LSNR, include the
ADMIN_RESTRICTIONS_PAY_LSNR parameter.
To change the LISTENER.ORA file, the user must have the operating system Write
privilege on the file. This feature is useful only with a listener without a password. Remote
administration of the listener is not allowed without a password.

Code
ADMIN_RESTRICTIONS_PAY_LSNR=ON

Note
Listener configuration cannot be changed online.

2. Administering a listener
If you are administering the listener remotely over an insecure network and require
maximum security, configure the listener with a secure protocol address that uses TCP/IP
for secure sockets layer, also known as TCPS.
If the listener has multiple protocol addresses, ensure that the TCPS protocol address is
listed first in the LISTENER.ORA file. To use TCPS, configure LISTENER.ORA with the
PROTOCOL=TCPS parameter.

Code
LISTENER=
  (DESCRIPTION=
    (ADDRESS_LIST=
      (ADDRESS=
        (PROTOCOL=tcps)
        (HOST = ed-pdsun1.us.oracle.com)
        (PORT = 8281)))
...

Note
To use SSL, Oracle Advanced Security must be installed, and you must have
certificates for the server and the client.
To administer the listener remotely, you must define the listener in the client computer's
TNSNAMES.ORA file. For example, to access the USER281 listener remotely, use this
configuration.

Code
user281 =
  (DESCRIPTION =
    (ADDRESS =
      (PROTOCOL = tcps)
      (HOST = hostname.us.oracle.com)
      (PORT = 8281)))
It is possible for connections without authentication to stay open indefinitely. Malicious
clients can attempt to flood database servers with connect requests that consume
resources. This is a possible scenario for a denial-of-service, abbreviated as DoS, or
distributed DoS attack.
To prevent this scenario, use the following two parameters in conjunction:
SQLNET.INBOUND_CONNECT_TIMEOUT and
In the sqlnet.ora file, SQLNET.INBOUND_CONNECT_TIMEOUT is set to a value in seconds,
and it determines how long a client has to provide the necessary authentication information
to a database.
INBOUND_CONNECT_TIMEOUT_listener_name
Set the INBOUND_CONNECT_TIMEOUT_listener_name parameter in the
LISTENER.ORA file. INBOUND_CONNECT_TIMEOUT_listener_name is set to a value in
seconds, and it determines how long a client has to complete its connect request to the
listener after the network connection has been established.
If the client fails to establish a connection and complete authentication in the time
specified, the database server terminates the connection. The database server logs the
IP address of the client and an ORA-12170: TNS:Connect timeout occurred error
message to the sqlnet.log file.
To protect both the database server and the listener, Oracle Corporation recommends
setting both parameters in combination.
When specifying values for the two parameters, consider the following recommendations:

set both parameters to an initial low value and

set the value of the INBOUND_CONNECT_TIMEOUT_listener_name parameter to a lower value
than that of the SQLNET.INBOUND_CONNECT_TIMEOUT parameter
For example, you can set the INBOUND_CONNECT_TIMEOUT_listener_name
parameter to two seconds and the SQLNET.INBOUND_CONNECT_TIMEOUT parameter to
three seconds. If clients are unable to complete connections within the specified time due
to system or network delays that are normal for a particular environment, increment the
time as needed.
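The listener checklist items above (a nondefault port, ADMIN_RESTRICTIONS_listener_name, the inbound connect timeouts, and keeping the external procedure agent off the main listener) and the encryption and integrity settings from Tasks 3 to 5 can be verified from the parameter files themselves; the following Python is an added example, not Oracle's code, that parses the (KEY=value) syntax shared by listener.ora and sqlnet.ora and reports which items are missing. The sqlnet.ora parameter names it checks (SQLNET.ENCRYPTION_SERVER, SQLNET.ENCRYPTION_TYPES_SERVER, SQLNET.CRYPTO_CHECKSUM_SERVER, SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER and their _CLIENT counterparts) are the standard Oracle Advanced Security parameters that Net Manager writes and are not shown on this page; the sample files are constructed.

```python
"""Checklist checks for listener.ora and sqlnet.ora (added example, not
Oracle's code). parse_ora() reads the (KEY=value) syntax of Oracle Net
parameter files; the check_* functions test the items described above."""
import re

def tokenize(text):
    """'(', ')', '=' and bare words; '#' comments dropped, commas skipped."""
    return re.findall(r"[()=]|[^()=,\s]+", re.sub(r"#.*", "", text))

def _parse_value(tokens, pos):
    """Parse the value at tokens[pos]: a bare word, an (a, b) word list, or a run
    of (KEY=value) groups as a list of (KEY, value) pairs. Returns (value, end)."""
    if tokens[pos] != "(":
        return tokens[pos], pos + 1
    if tokens[pos + 2] != "=":                       # (AES256, AES192) style list
        end = tokens.index(")", pos)
        return tokens[pos + 1:end], end + 1
    groups = []
    while pos < len(tokens) and tokens[pos] == "(":  # (KEY=...)(KEY=...) groups
        key = tokens[pos + 1].upper()
        value, pos = _parse_value(tokens, pos + 3)
        if tokens[pos] != ")":
            raise ValueError("missing ')' after " + key)
        groups.append((key, value))
        pos += 1
    return groups, pos

def parse_ora(text):
    """Parse a whole .ora file into {NAME: value} with upper-case names."""
    tokens, entries, pos = tokenize(text), {}, 0
    while pos < len(tokens):
        name = tokens[pos].upper()
        if tokens[pos + 1] != "=":
            raise ValueError("expected '=' after " + name)
        entries[name], pos = _parse_value(tokens, pos + 2)
    return entries

def find_all(value, key):
    """Every value stored under `key` at any depth of a parsed value."""
    found = []
    for item in (value if isinstance(value, list) else []):
        if isinstance(item, tuple):
            if item[0] == key.upper():
                found.append(item[1])
            found.extend(find_all(item[1], key))
    return found

def check_listener(text, name="LISTENER"):
    """Listener checklist findings for listener `name` (empty list = clean)."""
    cfg, name, findings = parse_ora(text), name.upper(), []
    if "1521" in find_all(cfg.get(name, []), "PORT"):
        findings.append("listens on the default port 1521")
    if str(cfg.get("ADMIN_RESTRICTIONS_" + name, "")).upper() != "ON":
        findings.append("ADMIN_RESTRICTIONS_%s is not ON" % name)
    if "INBOUND_CONNECT_TIMEOUT_" + name not in cfg:
        findings.append("INBOUND_CONNECT_TIMEOUT_%s is not set" % name)
    programs = find_all(cfg.get("SID_LIST_" + name, []), "PROGRAM")
    if any(p.lower() == "extproc" for p in programs):
        findings.append("external procedure agent runs under this listener")
    return findings

def check_sqlnet(text, side="SERVER"):
    """Oracle Advanced Security findings for one side (SERVER or CLIENT): encryption
    and checksumming must be 'required' and limited to AES and SHA1; absent = ACCEPTED."""
    cfg, findings = parse_ora(text), []
    for level_p, types_p, wanted in (
            ("ENCRYPTION", "ENCRYPTION_TYPES", ("AES256", "AES192", "AES128")),
            ("CRYPTO_CHECKSUM", "CRYPTO_CHECKSUM_TYPES", ("SHA1",))):
        level = str(cfg.get("SQLNET.%s_%s" % (level_p, side), "accepted"))
        if level.lower() != "required":
            findings.append("SQLNET.%s_%s is %s, not required" % (level_p, side, level))
        chosen = cfg.get("SQLNET.%s_%s" % (types_p, side), [])
        chosen = [chosen] if isinstance(chosen, str) else chosen   # unparenthesized value
        weak = [m for m in chosen if m.upper() not in wanted]
        if weak:
            findings.append("SQLNET.%s_%s allows %s" % (types_p, side, ", ".join(weak)))
    return findings

# Constructed samples: listener.ora before and after the checklist, and a server-side
# sqlnet.ora with encryption set as in Task 3 but checksumming left weak.
WEAK_LISTENER_ORA = """
LISTENER = (DESCRIPTION = (ADDRESS_LIST =
  (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521))
  (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))))
SID_LIST_LISTENER = (SID_LIST = (SID_DESC = (SID_NAME = PLSExtProc)(PROGRAM = extproc)))
"""
HARD_LISTENER_ORA = """
LISTENER = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1599)))
ADMIN_RESTRICTIONS_LISTENER = ON
INBOUND_CONNECT_TIMEOUT_LISTENER = 2
"""
SQLNET_ORA = """
SQLNET.ENCRYPTION_SERVER = required
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES192, AES128)
SQLNET.CRYPTO_CHECKSUM_SERVER = accepted
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1, MD5)
"""
```

check_listener(WEAK_LISTENER_ORA) returns four findings and check_listener(HARD_LISTENER_ORA) none; check_sqlnet(SQLNET_ORA) flags the checksum level and the MD5 digest.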
In Oracle Database 11g, by default, the listener log is sent to the Automatic Diagnostic
Repository, also referred to as ADR. The ADR is a directory specified by the ADR_BASE
initialization parameter.

On Linux, with a default installation, the listener log defaults to this location.

Graphic
The default location is the following:
$ORACLE_BASE/diag/tnslsnr/hostname/listener/alert/log.xml
You can set the following logging parameters in the LISTENER.ORA file:
DIAG_ADR_ENABLED_<listener>=OFF
The DIAG_ADR_ENABLED_<listener>=OFF parameter is used to direct the log file to
another location. The LOG_DIRECTORY_listener_name and
LOG_FILE_listener_name parameters are ignored if this parameter is ON.
This parameter must be set manually. It cannot be set from the netmgr utility.
LOG_DIRECTORY_listener_name, and
LOG_DIRECTORY_listener_name is the destination directory for the log file. The default
directory on UNIX is $ORACLE_HOME/network/log and on Windows is
%ORACLE_HOME%\network\log.
LOG_FILE_listener_name
LOG_FILE_listener_name is the file name for the log file. The default name is
listener.log.
To set the logging parameters in Oracle Net Manager, perform the following steps:

Graphic
The listener.ora file is open from the following path:
/u01/app/oracle/product/11.1.0/db_1/network/admin/listener.ora (modified) - gedit
1. With an editor, add the line DIAG_ADR_ENABLED_<listener>=OFF to the listener.ora file. Save
the file and close the editor.
The code line entered in the listener.ora file is the following:
DIAG_ADR_ENABLED_LISTENER = OFF
The File menu is also open.
2. Start Oracle Net Manager. In the navigator pane, select the listener that you want to configure.
The listener that is currently selected is LISTENER.

3. Select General Parameters from the drop-down list in the right pane.
Perform the remaining steps to set the logging parameters in Oracle Net Manager:

Click the Logging & Tracing tab.

Set the parameter. The directory and log file names are a single parameter.
The Logging & Tracing tabbed page is open. It contains options to disable and enable logging and
tracing operations. The Logging Enabled option is selected and the corresponding path of the log
file is selected in the Log File field.

To save the configuration by using the menu options, select File - Save Network Configuration.
If the DIAG_ADR_ENABLED_<listener> parameter is set to OFF, you can also control
the listener logging during runtime by using the SET command in the Listener Control
utility with the LOG_DIRECTORY and LOG_FILE parameters.
The LOG_DIRECTORY parameter is the destination directory for the listener log file. The
LOG_FILE parameter is the name of the log file for the listener.
These changes remain in effect until the listener is shut down.

Question
Which listener-logging parameter specifies the destination directory for the log
file?
Options:
1.

DIAG_ADR_ENABLED_<listener>

2.

LOG_DIRECTORY_listener_name

3.

LOG_FILE_listener_name

4.

LOG_DIRECTORY

Answer
Option 1: This option is incorrect. The DIAG_ADR_ENABLED_<listener>=OFF
parameter is used to have the log file go to another location. The other log
parameters are ignored if this parameter is ON. This parameter must be set
manually. It cannot be set from the netmgr utility.
Option 2: This option is correct. The LOG_DIRECTORY_listener_name
parameter is the destination directory for the log file. The default directory on UNIX
is $ORACLE_HOME/network/log and on Windows is %ORACLE_HOME%\network\log.
Option 3: This option is incorrect. The LOG_FILE_listener_name parameter is
the file name for the log file. The default name is listener.log.
Option 4: This option is incorrect. If the DIAG_ADR_ENABLED_<listener>
parameter is set to OFF, you can also control the listener logging by using the SET
command in the Listener Control utility with the LOG_DIRECTORY and LOG_FILE
parameters.
Correct answer(s):
2. LOG_DIRECTORY_listener_name

3. Analyzing a listener log


The listener log file contains audit trail information that helps you analyze network usage.
The recorded information includes a client connection request and a RELOAD, START,
STOP, STATUS, or SERVICES command issued by the Listener Control utility.
The format of the audit trail record is as in this code. When diagnosing security problems,
you primarily use the listener audit records.

Code
Timestamp * Connect Data * [Protocol] * Event * [SID|Service] * Return Code
The audit trail fields have the following properties:


protocol address information and system identifier, abbreviated as SID, or service name
information appear only when a connection is attempted

a successful connection or command returns a code of zero, and

a failed connection or command includes a return code that maps to an error message

Service registration events are recorded in the listener.log file. The service_register
event indicates that the listener received registration information for an instance.
The service_update event indicates that the listener received updated registration
information for a particular instance. The service_died event indicates that the listener
lost its connection to the PMON background process.
The service registration records have this format.

Code
Timestamp * Event * Instance Name * Return Code
The service registration fields have the following properties:


It is normal for the events to appear multiple times in a row for one instance.

A successful registration returns a code of zero; that is, the client can connect to the instance.

A failure produces a code that maps to an error message. Frequent starts and stops of the
database instance may indicate a problem, such as abuse of privileges.
Information concerning the direct hand-off to dispatchers is recorded in the listener.log
file. The direct hand-off event records have this format.

Code
Timestamp * Presentation * Handoff * Error Code
The direct hand-off fields have the following properties:


a successful connection or command returns a code of zero and

a failure produces a code that maps to an error message

Question
Identify the properties of service registration fields.
Options:
1.

A successful connection or command returns a code of zero

2.

It is normal for the events to appear multiple times in a row for one instance

3.

A failed connection or command includes a return code that maps to an error message

4.

A successful registration returns a code of zero

Answer
Option 1: This option is incorrect. A property of audit trail fields is that a
successful connection or command returns a code of zero.
Option 2: This option is correct. A property of service registration fields is that it is
normal for the events to appear multiple times in a row for one instance. Also, a
successful registration returns a code of zero.
Option 3: This option is incorrect. A property of audit trail fields is that a failed
connection or command includes a return code that maps to an error message.
Option 4: This option is correct. A property of service registration fields is that a
successful registration returns a code of zero, which means the client can connect
to the instance.
Correct answer(s):
2. It is normal for the events to appear multiple times in a row for one instance
4. A successful registration returns a code of zero
Each record in the listener.log file is on a single line. An asterisk (*) is used to delimit the
fields in the log record. The examples are formatted for readability.
The first record example contains a successful connect request. It includes the following
components:

Code
22-NOV-2008 22:55:32 *
(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=p1orcl.us.oracle.com)
(CID=(PROGRAM=sqlplus)(HOST=edt3r24p0.us.oracle.com)(USER=oracle))) *
(ADDRESS=(PROTOCOL=tcp)(HOST=10.150.21.135)(PORT=23499)) *
establish * p1orcl.us.oracle.com * 0
...
22-NOV-2008 22:58:33 *
(CONNECT_DATA=(SERVICE_NAME=p0orcl)
(CID=(PROGRAM=sqlplus)(HOST=edt3r24p1.us.oracle.com)(USER=oracle))) *
(ADDRESS=(PROTOCOL=tcp)(HOST=10.150.21.136)(PORT=58323)) *
establish * p0orcl * 12514
TNS-12514: TNS:listener does not currently know of service requested in connect descriptor
...

the current date and time


The current date and time is 22-NOV-2008 22:55:32.

the computer and user that originated the request


The code representing the computer and the user is the following:
(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=p1orcl.us.oracle.com)
(CID=(PROGRAM=sqlplus)(HOST=edt3r24p0.us.oracle.com)(USER=oracle)))

the destination requested


The code representing the requested destination is the following:
(ADDRESS=(PROTOCOL=tcp)(HOST=10.150.21.135)(PORT=23499))

the type of request


The type of request is establish.

the service requested, and


The service requested is p1orcl.us.oracle.com.

the return code


In this example, 0 is the return code.

The zero return code indicates that the listener found the service. It does not indicate that
the user made a successful connection.
For example, if the user enters an invalid password, the listener still shows a return code
of zero. You can audit connection attempts to get information about failed database
connections.

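As an added example (not part of the original course), the following Python parses listener.log records in the three shapes described above, attaches the TNS- message line to the failed request it belongs to, and summarises what a review of the log should surface, including the caveat that a zero return code says nothing about whether the database accepted the user's password. The log excerpt is constructed in the page's format; the hosts and services in it are made up.

```python
"""Listener log review (added example, not Oracle's code). Splits listener.log
records on the ' * ' delimiter into the three record shapes described above
and summarises what a security review of the log should surface."""
import re
from collections import Counter

# Constructed excerpt in listener.log format; hosts and services are made up.
# A TNS- line that follows a failed request belongs to that request's record.
SAMPLE_LOG = """\
22-NOV-2008 22:55:30 * service_register * p1orcl * 0
22-NOV-2008 22:55:32 * (CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=p1orcl.us.oracle.com)(CID=(PROGRAM=sqlplus)(HOST=edt3r24p0.us.oracle.com)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.150.21.135)(PORT=23499)) * establish * p1orcl.us.oracle.com * 0
22-NOV-2008 22:58:33 * (CONNECT_DATA=(SERVICE_NAME=p0orcl)(CID=(PROGRAM=sqlplus)(HOST=edt3r24p1.us.oracle.com)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.150.21.136)(PORT=58323)) * establish * p0orcl * 12514
TNS-12514: TNS:listener does not currently know of service requested in connect descriptor
22-NOV-2008 22:58:41 * (CONNECT_DATA=(SERVICE_NAME=hr)(CID=(PROGRAM=sqlplus)(HOST=edt3r24p1.us.oracle.com)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.150.21.136)(PORT=58324)) * establish * hr * 12514
TNS-12514: TNS:listener does not currently know of service requested in connect descriptor
22-NOV-2008 22:58:49 * (CONNECT_DATA=(SERVICE_NAME=finance)(CID=(PROGRAM=sqlplus)(HOST=edt3r24p1.us.oracle.com)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.150.21.136)(PORT=58325)) * establish * finance * 12514
TNS-12514: TNS:listener does not currently know of service requested in connect descriptor
22-NOV-2008 23:01:05 * service_died * p1orcl * 12537
"""


def parse_records(text):
    """Parse listener.log text into a list of record dicts. Elision lines ('...')
    are skipped and a 'TNS-' line is attached to the record before it rather
    than parsed as a record of its own."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "...":
            continue
        if line.startswith("TNS-"):
            if records:
                records[-1]["message"] = line
            continue
        fields = [f.strip() for f in line.split(" * ")]
        rec = {"timestamp": fields[0],
               "return_code": int(fields[-1]) if fields[-1].isdigit() else None}
        if len(fields) == 6:      # Timestamp * Connect Data * Protocol * Event * Service * Code
            rec.update(kind="connect", connect_data=fields[1], protocol=fields[2],
                       event=fields[3], service=fields[4])
        elif len(fields) == 4 and fields[1].startswith("service_"):
            rec.update(kind="registration", event=fields[1], instance=fields[2])
        elif len(fields) == 4:    # Timestamp * Presentation * Handoff * Error Code
            rec.update(kind="handoff", presentation=fields[1], handoff=fields[2])
        else:
            rec.update(kind="unknown", fields=fields)
        records.append(rec)
    return records


def client_host(connect_data):
    """The HOST= inside the CID of a connect-data field, or None."""
    match = re.search(r"\(HOST=([^)]*)\)", connect_data)
    return match.group(1) if match else None


def review(records, failure_threshold=3):
    """Summarise the log for a security review. A return code of 0 only means
    the listener found the service; it says nothing about whether the database
    accepted the user's password, so failed logins come from database auditing."""
    failed = [r for r in records if r["kind"] == "connect" and r["return_code"] != 0]
    per_host = Counter(client_host(r["connect_data"]) for r in failed)
    return {
        "failed_connects": len(failed),
        # one host failing against several service names is worth a look
        "noisy_hosts": sorted(h for h, n in per_host.items()
                              if h and n >= failure_threshold),
        "services_probed": sorted({r["service"] for r in failed}),
        "service_died": [r["instance"] for r in records
                         if r["kind"] == "registration" and r["event"] == "service_died"],
    }


if __name__ == "__main__":
    for key, value in review(parse_records(SAMPLE_LOG)).items():
        print("%-17s %s" % (key + ":", value))
```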
The second record example contains an unsuccessful connect request.
It includes the following components:

Code
22-NOV-2008 22:55:32 *
(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=p1orcl.us.oracle.com)
(CID=(PROGRAM=sqlplus)(HOST=edt3r24p0.us.oracle.com)(USER=oracle))) *
(ADDRESS=(PROTOCOL=tcp)(HOST=10.150.21.135)(PORT=23499)) *
establish * p1orcl.us.oracle.com * 0
...
22-NOV-2008 22:58:33 *
(CONNECT_DATA=(SERVICE_NAME=p0orcl)
(CID=(PROGRAM=sqlplus)(HOST=edt3r24p1.us.oracle.com)(USER=oracle))) *
(ADDRESS=(PROTOCOL=tcp)(HOST=10.150.21.136)(PORT=58323)) *
establish * p0orcl * 12514
TNS-12514: TNS:listener does not currently know of service requested in connect descriptor
...

the current date and time


The current date and time is 22-NOV-2008 22:58:33.

the computer and user that originated the request


The code representing the computer and the user is the following:
(CONNECT_DATA=(SERVICE_NAME=p0orcl)(CID=(PROGRAM=sqlplus)(HOST=edt3r24p1.us.oracle.com)(USER=oracle)))

the destination requested


The code representing the requested destination is the following:
(ADDRESS=(PROTOCOL=tcp)(HOST=10.150.21.136)(PORT=58323))

the type of request


The type of request is establish.

the service requested, and


The service requested is p0orcl.

the return code


In this example, 12514 is the return code.

Because the return code is nonzero, the next line displays the associated error message,
TNS-12514: TNS:listener does not currently know of service requested in connect
descriptor.

If your listener is being probed, it shows up as a series of failed connection attempts from
the same source but with different destinations.
A denial-of-service, abbreviated as DoS, attack appears as multiple connections from the
same source that may or may not fail. Probing may be sufficient for a DoS attack, so a
successful connection may not be required.

Code
22-NOV-2008 22:58:33 * *
(ADDRESS=(PROTOCOL=tcp)(HOST=10.150.21.136)(PORT=58323)) * establish * p0orcl * 12514
TNS-12514: TNS:listener does not currently know of service requested in connect descriptor
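As an added example (not part of the course material), the following Python script parses listener.log records in the field order shown above and applies the two heuristics just described: a probe (failed requests from one source for several different services) and a possible DoS (many requests from one source). The sample records, host names, addresses and thresholds are constructed; note that in the log file each record is a single line, which the page wraps for display.

```python
import re
from collections import defaultdict

# Field order of a listener.log record, as given on the page:
# TIMESTAMP * CONNECT DATA [* PROTOCOL INFO] * EVENT [* SID] * RETURN CODE
SEP = re.compile(r"\s*\*\s*")

def parse_record(line):
    """Parse one listener.log line; return None for lines that are not records
    (e.g. the 'TNS-12514: ...' line that follows a nonzero return code)."""
    parts = SEP.split(line.strip())
    if len(parts) not in (4, 6) or not parts[-1].isdigit():
        return None
    rec = {"time": parts[0], "connect": parts[1], "rc": int(parts[-1])}
    if len(parts) == 6:   # connection request: CONNECT_DATA * ADDRESS * establish * service
        rec.update(addr=parts[2], event=parts[3], service=parts[4])
    else:                 # listener command: CONNECT_DATA * status|reload|stop
        rec.update(addr="", event=parts[2], service="")
    m = re.search(r"\(HOST=([^)]+)\)", rec["addr"])   # request source, from the ADDRESS part
    rec["source"] = m.group(1) if m else "unknown"
    return rec

def scan(lines, probe_services=3, flood_requests=5):
    """Flag sources that match the probe pattern (nonzero return codes for several
    different services) or the flood pattern (many establish requests, failed or not)."""
    failed_services, requests = defaultdict(set), defaultdict(int)
    for rec in filter(None, map(parse_record, lines)):
        if rec["event"] != "establish":
            continue
        requests[rec["source"]] += 1
        if rec["rc"] != 0:
            failed_services[rec["source"]].add(rec["service"])
    probes = sorted(s for s, svcs in failed_services.items() if len(svcs) >= probe_services)
    floods = sorted(s for s, n in requests.items() if n >= flood_requests)
    return {"probes": probes, "floods": floods}

def sample_line(ts, src, svc, rc):
    """Build a constructed one-line record in the page's format (hosts and ports are made up)."""
    return (f"{ts} * (CONNECT_DATA=(SERVICE_NAME={svc})(CID=(PROGRAM=sqlplus)"
            f"(HOST=client.example.com)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)"
            f"(HOST={src})(PORT=58323)) * establish * {svc} * {rc}")

# Constructed sample log: a normal connection, one isolated failure with its error line,
# a probe cycling through four service names, and a burst of six requests from one host.
SAMPLE_LOG = [
    sample_line("22-NOV-2008 22:55:32", "10.150.21.135", "p1orcl", 0),
    sample_line("22-NOV-2008 22:58:33", "10.150.21.136", "p0orcl", 12514),
    "TNS-12514: TNS:listener does not currently know of service requested in connect descriptor",
] + [sample_line(f"22-NOV-2008 23:01:{i:02d}", "10.0.0.9", f"svc{i}", 12514) for i in range(4)] \
  + [sample_line(f"22-NOV-2008 23:02:{i:02d}", "10.0.0.7", "p1orcl", 0) for i in range(6)]
```

Running `scan(SAMPLE_LOG)` reports 10.0.0.9 as a probe and 10.0.0.7 as a flood, while the single failed request from 10.150.21.136 is left alone.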
The listener log command examples contain four records.

Graphic
The initial lines of code are the following:
TNSLSNR for Linux: Version 11.1.0.6.0 ...
...

System parameter file is ...


...
Started with pid=4792
Listening on: ...
...
22-NOV-2008 23:09:29 * ... * status * 0
...
22-NOV-2008 23:09:40 * ... * reload * 0
...
No longer listening on: ...
...
22-NOV-2008 23:13:55 * ... * stop * 0
...
1. This record depicts a successful listener startup.

Code
TNSLSNR for Linux: Version 11.1.0.6.0 - Production on 22-NOV-2008 23:09:29
Copyright (c) 1991, 2007, Oracle. All rights reserved.
System parameter file is /u01/app/oracle/product/11.1.0/db_1/network/admin/listener.ora
Log messages written to /home/oracle/network/log/log_list.log
Trace information written to /u01/app/oracle/product/11.1.0/db_1/network/trace/listener.trc
Trace level is currently 0
Started with pid=4792
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1)))
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=edt3r24p1.us.oracle.com)(PORT=12001)))
Listener completed notification to CRS on start
2. This record depicts a listener status command.

Code
TIMESTAMP * CONNECT DATA [* PROTOCOL INFO] * EVENT [* SID] * RETURN CODE
22-NOV-2008 23:09:29 *
(CONNECT_DATA=(CID=(PROGRAM=)(HOST=edt3r24p1.us.oracle.com)(USER=oracle))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=185599488)) * status * 0
3. This record depicts a successful listener reload.

Code
22-NOV-2008 23:09:40 *
(CONNECT_DATA=(CID=(PROGRAM=)(HOST=edt3r24p1.us.oracle.com)(USER=oracle))(COMMAND=reload)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=185599488)) * reload * 0
4. This record depicts a successful listener shutdown.

Code
No longer listening on: ...
...
22-NOV-2008 23:13:55 * ... * stop * 0

Summary
In this topic, you've learned how to administer and monitor a listener, and restrict listener
privileges.

Configuring Listener Security


Learning Objective

After completing this topic, you should be able to

configure listener security

Exercise overview
You want to secure the listener by setting a password that must be used during remote
administration. You also want to view the effects of changes to the listener.ora file.
In this exercise, you're required to set a password for the ORACLE listener, start and stop
the listener and set the trace level, and reload the listener.ora file after changes have
been made.
This involves the following tasks:

setting a listener password

setting the trace level

reloading listener.ora

Task 1: Setting a listener password


You want to protect the ORACLE listener with a password. You have already connected
to the server. Within lsnrctl, set ORACLE as the current listener. Set the listener password
to "oracle," pressing Enter when prompted for the old password. Save the configuration
and exit lsnrctl.

Steps list
Instructions
1. Type lsnrctl and press Enter
2. Type set current_listener oracle and press Enter
3. Type change_password and press Enter
4. Press Enter
5. Type oracle and press Enter
6. Type oracle and press Enter
7. Type save_config and press Enter
8. Type exit and press Enter

Task 2: Setting the trace level


You have tested the listener password for remote administration and have edited the
listener.ora file to include the ADMIN_RESTRICTIONS_ORACLE = ON line. Now stop
and start the ORACLE listener to force the listener.ora file to be read. From lsnrctl, set
ORACLE as the current listener. Then set the trace level off and exit lsnrctl.

Steps list
Instructions
1. Type lsnrctl stop oracle and press Enter
2. Type lsnrctl start oracle and press Enter

3. Type lsnrctl and press Enter
4. Type set current_listener oracle and press Enter
5. Type set trc_level off and press Enter
6. Type exit and press Enter

Task 3: Reloading listener.ora


You have removed the ADMIN_RESTRICTIONS_ORACLE = ON line from the listener.ora
file. Access lsnrctl and set ORACLE as the current listener. Reload the listener, set the
trace level off, and then exit lsnrctl.

Steps list
Instructions
1. Type lsnrctl and press Enter
2. Type set current_listener oracle and press Enter
3. Type reload and press Enter
4. Type set trc_level off and press Enter
5. Type exit and press Enter
