Use the learning aid Style Considerations for more information on the style
considerations for the Oracle 11g Database used in this course.
If you can physically secure the client computer, and are using the client-server model,
you can configure it to use strong authentication, such as certificates. A certificate issued
to the client computer authenticates anyone who uses that computer. For example, this
model could be used with a client computer in a public kiosk.
For additional security, configure the client computer to encrypt sensitive network traffic.
With Oracle Advanced Security, also known as ASO, you can configure the client
computer to use the secure sockets layer, commonly known as SSL, strong
authentication techniques, and end-to-end encryption over the Oracle Net protocol. ASO
does not provide any benefit for browser-based clients.
In most cases, authentication requires the user to be identified, rather than the client
computer. Make sure to properly educate users about the importance of security.
Users can be fooled into giving out identity information, such as account names and
passwords, on the phone by malefactors posing as help-desk technicians. Users should
not leave open sessions unattended, write down passwords, or use easy-to-guess
passwords.
Question
An intruder phoned one of your users posing as a help-desk technician. The user
gave this intruder the username and password, and the intruder was able to gain
access to internal network resources.
What would prevent this from happening in the future?
Options:
1. Ensuring that you are using certificate-based authentication to ensure that external
users cannot access your network
2.
3. Prioritizing user education and making users aware that they should not provide
their password to anyone, including internal employees
4. Ensuring that users close all open sessions when they physically leave their
computer
Answer
Option 1: This option is incorrect. Certificate-based authentication is a good
method to validate who the user is, but if an intruder has access to a user's
credentials and can initiate an unattended session, then they could get around the
certificate mechanisms.
Option 2: This option is incorrect. ASO can be used to configure the client
computer to use the SSL, strong authentication techniques, and end-to-end
encryption over the Oracle Net protocol. However, if an intruder has access to a
user's credentials and can initiate an unattended session, then they could get
around the certificate mechanisms.
Option 3: This option is correct. Educating the user is often a security mechanism
that is overlooked. One of the first rules is that users should not give out their
passwords, even if they are requested from a network administrator or manager.
Option 4: This option is correct. A user should close all sessions when they leave
their computer and ideally shut down their system at the end of their work day.
Even if network credentials are known, an unattended session can't be started if
there aren't any sessions running.
Correct answer(s):
3. Prioritizing user education and making users aware that they should not provide
their password to anyone, including internal employees
4. Ensuring that users close all open sessions when they physically leave their
computer
Client computers can be insecure because of the following issues:
spoofing of IP addresses
operating system vulnerabilities, and
not being physically secure
Often, the client computer cannot be secured. The IP address of the computer can be
spoofed. Any computer can easily be set to use that address.
Client systems that are administered by the user are vulnerable to attack because of
weaknesses in the operating system or in other software loaded on the system. The user
often does not have the system-administration skills that are required to secure the
computer and its software.
Your security is only as strong as its weakest link. A weak operating system authorization
on client computers can lead to a security infraction. A breach of the client's operating
system can allow an intruder to use an identifier stored on that system to assume the
identity of the user or client computer.
An unattended session can allow anyone with access to the computer to assume the
user's identity. Any computer that is not physically secure can be broken into by anyone
with a boot disk.
A safe assumption is that the client computers are not secure. By using ASO, you can
require strong authentication of the user with biometrics, certificates, smart cards, and so on.
If you are using Oracle Net Services from the client, ASO can provide additional measures,
such as session encryption and message checksums, which give additional assurance that
session data is not being diverted, altered, or subject to eavesdropping.
The most popular Internet browsers include two security features: SSL encryption and
decryption, and authentication of the client computer and the server.
SSL encryption and decryption is enforced by using the HTTPS protocol, which is HTTP
over SSL.
Authentication of the client computer and the server is enforced by using one of the
following three methods:
server authentication
The server is authenticated by setting options on the browser to validate certificates. The
server authenticates to the browser and, in most cases, the user decides whether to
accept the certificate. (This is the most common.)
client authentication, and
The client computer is authenticated by storing the appropriate certificates in the browser.
Most organizations and users do not use client or user certificates.
two-way authentication
Two-way authentication requires that the client should authenticate to the server and the
server should authenticate to the client. This is a secure method of assuring that the client
and the server are truly the expected computers. This method requires that both have
certificates. (This is very seldom implemented.)
Data access and secure transfer of data are important considerations when deploying
Oracle Database.
Network security is enhanced by
using a firewall
restricting IP addresses
2. Restricting IP addresses
Code
tcp.validnode_checking = YES
tcp.excluded_nodes = (135.245.234.44)
Syntax
tcp.excluded_nodes = {list of IP addresses}
Question
Which statements best describe the Oracle Net valid node checking security
feature?
Options:
1.
2.
3.
4.
Answer
Option 1: This option is incorrect. By default, the TCP.VALIDNODE_CHECKING
parameter is set to NO. The TCP.EXCLUDED_NODES and TCP.INVITED_NODES
parameters will not be checked unless this is set to YES.
Option 2: This option is correct. IP addresses or node names may be used in the
TCP.EXCLUDED_NODES or TCP.INVITED_NODES parameters. These parameters
are used to determine which client computers must be allowed access to the
database.
Option 3: This option is correct. The TCP.EXCLUDED_NODES and
TCP.INVITED_NODES parameters can be used independently. When
TCP.EXCLUDED_NODES is used by itself, only the nodes listed will be denied
access. When TCP.INVITED_NODES is used by itself, only the nodes listed will
be granted access.
Option 4: This option is incorrect. When both the TCP.EXCLUDED_NODES and
TCP.INVITED_NODES parameters are used together, TCP.INVITED_NODES
takes precedence.
Correct answer(s):
2. IP addresses or host names can be used for the TCP.EXCLUDED_NODES and
TCP.INVITED_NODES parameters
3. The TCP.EXCLUDED_NODES and TCP.INVITED_NODES parameters can be
used independently
RELOAD does not cause the listener to read the sqlnet.ora file. You must stop and restart
the listener to have changes to these parameters take effect.
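The admission rules that the answer above spells out (checking is off by default, an excluded list alone denies only its members, an invited list alone admits only its members, and the invited list wins when both are present) can be written down as a small decision function. The following is an added example written for this page, not Oracle code: it parses the TCP.* parameters from a sqlnet.ora fragment and reports which client nodes would be admitted. The sample configurations are constructed; only the excluded address 135.245.234.44 is taken from the course text.

```python
"""Decision logic for Oracle Net valid node checking.

Added example, not Oracle code: parses the three TCP.* parameters from a
sqlnet.ora fragment and answers whether a given client node would be admitted.
The sample configurations below are constructed for this example; only the
excluded-node address 135.245.234.44 comes from the course text.
"""


def parse_sqlnet(text):
    """Return {parameter (lower-case): value}; parenthesised values become lists."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if value.startswith("(") and value.endswith(")"):
            params[name.lower()] = [v.strip().lower()
                                    for v in value[1:-1].split(",") if v.strip()]
        else:
            params[name.lower()] = value.lower()
    return params


def node_allowed(params, node):
    """Apply the rules the course states for valid node checking.

    - nothing is checked unless TCP.VALIDNODE_CHECKING = YES (default NO)
    - TCP.INVITED_NODES alone: only listed nodes are admitted
    - TCP.EXCLUDED_NODES alone: only listed nodes are denied
    - both present: the invited list takes precedence
    """
    if params.get("tcp.validnode_checking", "no") != "yes":
        return True
    node = node.lower()
    invited = params.get("tcp.invited_nodes")
    excluded = params.get("tcp.excluded_nodes")
    if invited is not None:
        return node in invited
    if excluded is not None:
        return node not in excluded
    return True


def audit(config_text, nodes):
    """Map each candidate node to True (admitted) or False (denied) under config_text."""
    params = parse_sqlnet(config_text)
    return {node: node_allowed(params, node) for node in nodes}


# Constructed configurations for the demonstration.
EXCLUDED_ONLY = """
tcp.validnode_checking = YES
tcp.excluded_nodes = (135.245.234.44)
"""
INVITED_ONLY = """
tcp.validnode_checking = YES
tcp.invited_nodes = (10.1.1.17, appserver1)
"""
BOTH_LISTS = """
tcp.validnode_checking = YES
tcp.excluded_nodes = (10.1.1.17)
tcp.invited_nodes = (10.1.1.17)
"""
CHECKING_OFF = """
tcp.excluded_nodes = (135.245.234.44)
"""

if __name__ == "__main__":
    candidates = ["135.245.234.44", "10.1.1.17", "appserver1", "10.9.9.9"]
    for label, cfg in [("excluded only", EXCLUDED_ONLY), ("invited only", INVITED_ONLY),
                       ("both lists", BOTH_LISTS), ("checking off", CHECKING_OFF)]:
        print(label, audit(cfg, candidates))
```

The CHECKING_OFF case is the one worth running first when reviewing a real sqlnet.ora: an excluded list without TCP.VALIDNODE_CHECKING = YES denies nobody, and, as the text notes, the listener has to be stopped and restarted before a change to these parameters takes effect.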
Graphic
The welcome screen of Oracle Net Manager is open. Oracle Net Manager
enables you to configure three aspects of the network Naming, Naming
Methods, and Listeners. You can navigate using the File, Edit, Command, and
Help menus from the menu bar. The navigator pane contains two nodes
Directory and Local under the Oracle Net Configuration node.
To configure database access control, perform the following steps:
1. start Oracle Net Manager
2. select Local - Profile in the navigator pane
In addition to the Profile node, the other nodes under the Local node are Service Naming and Listeners.
The right pane displays a drop-down list and five tabs Tracing, Logging, Routing, Access Rights, and
Advanced. The Tracing tabbed page is currently open.
3. select General from the drop-down list in the right pane
In addition to General, the other list items in the drop-down list are Naming and Oracle Advanced
Security.
4. click the Access Rights tab
5. ensure that the Check TCP/IP client access rights checkbox is selected, and
In addition to the Check TCP/IP client access rights checkbox, the page contains two text boxes Clients
excluded from access and Clients allowed to access.
6. enter either a host name or an IP address in the two text boxes for a client computer that you want to
include or exclude, using commas to delimit entries placed on the same line
A host name is entered in the Clients excluded from access text box. The Clients allowed to access text
box is blank, currently.
It is part of the principle of least privilege to open only those ports on your computer that
are being used. Open ports can give an attacker valuable information, such as the OS
and version, or which services are available. It is important to know which ports on your
computer are open and have a justification for each open port.
Finding the open ports is not an obvious task. The netstat command shows all process
network connections in either the LISTEN or the ESTABLISHED state. The ports being used by
installed Oracle products are listed in the portlist.ini file in the ORACLE_HOME/install
directory. The listener ports are defined in the LISTENER.ORA file in the TNS_ADMIN or
ORACLE_HOME/network/admin directory.
The CMAN listener port is assigned in the cman.ora file, but the ports used by the
gateway and administration processes are seemingly random. All the ports used by
CMAN processes can be seen by using the SHOW SERVICES command in CMCTL.
The dispatcher port can be seen through the lsnrctl tool with the SERVICES command
if they have registered with the listener. Other ports can be checked with port-scanning
tools, such as nmap.
Make sure to ask permission and notify proper administrators before scanning ports.
Some firewall software and intrusion-detection software can detect a port scan and block
the scan, possibly closing ports to all traffic.
Question
You recently ran the netstat command to review the open ports on your Oracle
server. You know there are more ports open than are needed, and your security
manager has asked for a list of required open ports for Oracle.
Options:
1.
2.
3. You can review the cman.ora file to determine all of the CMAN specific ports
4. You can use port-scanning tools such as nmap to scan the ports of all nodes to
which your Oracle server is connected
Answer
Option 1: This option is correct. The ports being used by installed Oracle products
are listed in the portlist.ini file in the ORACLE_HOME/install directory. This file
should give you the most complete list of ports that are required.
Option 2: This option is correct. The listener ports are defined in the
LISTENER.ORA file in the TNS_ADMIN or ORACLE_HOME/network/admin
directory. This will tell you what ports the listener requires.
Option 3: This option is incorrect. The CMAN listener port is assigned in the
cman.ora file, but the ports used by the gateway and administration processes are
seemingly random. All the ports used by CMAN processes can be seen by using
the SHOW SERVICES command in CMCTL.
Option 4: This option is incorrect. In most cases, network intrusion software will
view this as an attack on the network. This could result in closing all ports on the
network to traffic.
Correct answer(s):
1. You can review the portlist.ini file in the ORACLE_HOME/install directory
2. You can review the LISTENER.ORA file in the TNS_ADMIN or
ORACLE_HOME/network/admin directory
The U.S. Data Encryption Standard algorithm, also known as DES, uses symmetric key
cryptography. This encryption method is not recommended.
3DES
Triple-DES encryption encrypts message data with three passes of Data Encryption
Standard, also known as DES.
RSA RC4, and
The RC4 algorithm, developed by RSA Security, Inc., uses a secret, randomly generated
key that is unique to each session.
AES
Advanced Encryption Standard, also known as AES, is a new cryptographic algorithm that
uses cipher keys with lengths of 128, 192, and 256 bits.
Network encryption provides varying levels of security and performance for different types
of data transfers. Longer key length provides stronger encryption and is harder to break,
but uses more resources during encryption and decryption.
Use Oracle Net Manager to configure the SQLNET parameters for network encryption on
both the client and server.
The parameters can be set manually in the sqlnet.ora file for both the client and the
server.
client
The parameters set for the client are SQLNET.ENCRYPTION_CLIENT and
SQLNET.ENCRYPTION_TYPES_CLIENT. The default values for client encryption allow
clients to connect however the server is configured.
server
The parameters for the server are similar: SQLNET.ENCRYPTION_SERVER and
SQLNET.ENCRYPTION_TYPES_SERVER.
Graphic
The Encryption tabbed page of the Oracle Net Manager screen is open and
contains the fields for providing the encryption details, such as encryption,
encryption type, encryption seed, available encryption methods, and selected
encryption methods.
ENCRYPTION_SERVER and ENCRYPTION_CLIENT have four valid values: accepted,
rejected, requested, and required. The default value for both is accepted. If the
server specifies required and the client is not set to rejected, the encrypted
connection will be attempted.
ENCRYPTION_TYPES lists the allowed encryption algorithms. At least one of the types
listed on both the client and the server must be the same for the encrypted connect to be
set up. The server list is used to find an available algorithm on the client. If no algorithm is
specified on the server, all installed algorithms are tried.
Checksumming ensures the integrity of data packets. A checksum or digest is produced
by applying the checksumming algorithm to all the data. The same algorithm is applied at
the packet destination. If the checksum produced has a different value, the data has been
changed during transmission.
To ensure the integrity of data packets during transmission, the checksumming algorithm
generates a cryptographically secure message digest and includes it with each message
sent across a network. Data integrity algorithms add little overhead and protect against
data modification, deleted packets, and replay attacks.
ASO supports the common industry-standard algorithms MD5 and SHA-1. SHA-1 is slightly
slower than MD5, but produces a larger message digest, which makes it more resistant to
brute-force collision and inversion attacks.
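To make the integrity claims above concrete (a digest per message, verified at the destination, with modified, deleted and replayed packets detected), here is an added example written for this page; it is not Oracle's implementation. Oracle Net derives its checksum key from the session negotiation, so the code uses a constructed shared key in its place and a keyed digest (HMAC) rather than a bare hash, because a bare hash could simply be recomputed by whoever altered the packet. A sequence number is included under the digest so that a dropped or replayed packet is also caught; the digest sizes it reports (16 bytes for MD5, 20 for SHA-1) are the difference the text refers to.

```python
"""Keyed integrity check over a message stream, modelled on the checksumming
behaviour the course describes: a digest per message, verified at the
destination, with modified, deleted and replayed packets detected.

Added example, not Oracle's implementation. Oracle Net derives its checksum
key from the session negotiation; a constructed shared key stands in for it.
"""
import hashlib
import hmac
import struct

SESSION_KEY = b"constructed-session-key-for-demo"   # constructed stand-in


def digest_size(algorithm):
    """Digest length in bytes for the named algorithm: 16 for md5, 20 for sha1."""
    return hashlib.new(algorithm).digest_size


def protect(algorithm, seq, payload, key=SESSION_KEY):
    """Build the wire form: 4-byte sequence number, payload, keyed digest.

    The sequence number is covered by the digest, so a packet cannot be
    replayed or silently dropped without the receiver noticing.
    """
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, algorithm).digest()
    return header + payload + tag


def verify(algorithm, expected_seq, message, key=SESSION_KEY):
    """Return (ok, reason, payload) for one received message."""
    size = digest_size(algorithm)
    if len(message) < 4 + size:
        return False, "truncated", None
    header, payload, tag = message[:4], message[4:-size], message[-size:]
    expected = hmac.new(key, header + payload, algorithm).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "modified", None
    (seq,) = struct.unpack(">I", header)
    if seq != expected_seq:
        return False, "sequence mismatch (deleted or replayed packet)", None
    return True, "ok", payload


def receive_stream(algorithm, messages, key=SESSION_KEY):
    """Verify messages in order; return a list of (ok, reason) per message."""
    results, next_seq = [], 1
    for msg in messages:
        ok, reason, _ = verify(algorithm, next_seq, msg, key)
        results.append((ok, reason))
        if ok:
            next_seq += 1
    return results


def simulate(algorithm="sha1"):
    """Constructed scenario: clean packet, altered packet, clean packet, replay."""
    first = protect(algorithm, 1, b"UPDATE accounts SET balance = 100")
    second = protect(algorithm, 2, b"COMMIT")
    altered = bytearray(second)
    altered[4] ^= 0x01                 # flip one bit inside the payload
    return receive_stream(algorithm, [first, bytes(altered), second, first])


if __name__ == "__main__":
    print("md5 digest bytes:", digest_size("md5"), "sha1 digest bytes:", digest_size("sha1"))
    for ok, reason in simulate():
        print("accepted" if ok else "rejected", reason)
```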
Question
Identify the features of checksumming.
Options:
1.
2.
3.
4. Data integrity algorithms add a lot of overhead and should be used sparingly
Answer
Option 1: This option is correct. Checksumming ensures the integrity of data
packets during transmission by generating a cryptographically secure message
digest that is included with each message sent across a network.
Option 2: This option is incorrect. ASO supports the common industry-standard
algorithms MD5 and SHA-1. SHA-1 is slightly slower than MD5, but produces a
larger message digest to make it more secure against brute-force collision and
inversion attacks.
Option 3: This option is correct. A checksum or digest is produced by applying the
checksumming algorithm to all the data. The same algorithm is applied at the
packet destination. If the checksum produced has a different value, the data has
been changed during transmission.
Option 4: This option is incorrect. Data integrity algorithms add little overhead and
protect against data modification, deleted packets, and replay attacks.
Correct answer(s):
1. It ensures the integrity of data packets
3. The checksumming algorithm generates a cryptographically secure message
digest
Use Net Manager to configure the SQLNET parameters on the client and server that
control data integrity (checksumming).
These parameters can be set manually in the sqlnet.ora file for both the server and the
client.
server
The parameters for the server are SQLNET.CRYPTO_CHECKSUM_SERVER and
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER.
client
The parameters for the client are SQLNET.CRYPTO_CHECKSUM_CLIENT and
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT.
Graphic
The Oracle Net Manager screen is open. The Integrity tabbed page of the Profile
node is open. The page contains fields for providing details such as integrity,
checksum level, available encryption methods, and selected encryption methods.
The CRYPTO_CHECKSUM_CLIENT and CRYPTO_CHECKSUM_SERVER parameters have
four valid values: accepted, rejected, requested, and required. The default
value for both is accepted. If the server specifies required, and the client is not set to
rejected, checksumming on the connection will be attempted.
On both the client and server, CRYPTO_CHECKSUM_TYPES determines the algorithms that
will be tried. The server will try each algorithm in order until a matching algorithm on the
client is found. If no matching algorithm is found, the connect will revert to no
checksumming, or fail depending on the setting of CRYPTO_CHECKSUM on both the client
and the server. If no algorithms are specified, all installed algorithms will be tried.
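The encryption parameters (ENCRYPTION_SERVER/CLIENT with ENCRYPTION_TYPES) and the checksumming parameters just described follow the same negotiation: accepted is the default, the service is attempted when one side says required and the other is not rejected, the server's type list is walked in order until a type the client also lists is found, an empty list means every installed type, and a failed match is either silently "off" or a connection failure depending on whether either side insisted. The following added example, written for this page and not Oracle code, puts that negotiation into one function that serves both passages. Two cells of the table (accepted/accepted gives no service, and rejected against required fails the connection) come from Oracle's documented negotiation matrix rather than from the course text; INSTALLED is a constructed stand-in for the types present on a given installation.

```python
"""Negotiation of an Oracle Net encryption or integrity (checksumming) service
between the SQLNET.*_CLIENT and SQLNET.*_SERVER settings.

Added example, not Oracle code. Applies the rules from the encryption and
checksumming passages: accepted is the default; the service is attempted when
one side is required and the other is not rejected; the server's type list is
walked in order until a type the client also lists is found; an empty list
means every installed type. The accepted/accepted = off and rejected/required
= fail cells follow Oracle's documented negotiation matrix. INSTALLED is a
constructed stand-in for the types present on an installation.
"""

LEVELS = ("rejected", "accepted", "requested", "required")
INSTALLED = ["AES256", "AES192", "AES128", "3DES168", "RC4_256"]


def service_state(server_level, client_level):
    """Return 'on', 'off' or 'fail' from the two *_SERVER / *_CLIENT levels."""
    s, c = server_level.lower(), client_level.lower()
    for level in (s, c):
        if level not in LEVELS:
            raise ValueError("unknown level: %s" % level)
    if "rejected" in (s, c):
        return "fail" if "required" in (s, c) else "off"
    if s == "accepted" and c == "accepted":
        return "off"                       # neither side asks for the service
    return "on"


def pick_type(server_types, client_types, installed=INSTALLED):
    """First entry of the server list (or of all installed types) that the client also allows."""
    server_list = list(server_types) or list(installed)
    client_set = {t.upper() for t in (list(client_types) or list(installed))}
    for candidate in server_list:
        if candidate.upper() in client_set:
            return candidate.upper()
    return None


def negotiate(server_level="accepted", client_level="accepted",
              server_types=(), client_types=()):
    """Return (state, type): state is 'on', 'off' or 'fail'; type is the chosen algorithm."""
    state = service_state(server_level, client_level)
    if state != "on":
        return state, None
    chosen = pick_type(server_types, client_types)
    if chosen is None:
        # No common type: fail if either side insisted, otherwise fall back to no service.
        required = "required" in (server_level.lower(), client_level.lower())
        return ("fail" if required else "off"), None
    return "on", chosen


if __name__ == "__main__":
    print(negotiate())                                                    # defaults
    print(negotiate("required", "accepted", ["AES256", "AES192"], ["AES192"]))
    print(negotiate("required", "rejected"))
    print(negotiate("requested", "accepted", ["RC4_256"], ["AES256"]))
    print(negotiate("required", "required", ["RC4_256"], ["AES256"]))
```

The second call reproduces the exercise later on this page: the server offers AES256, AES192 and AES128 in that order, the client lists only AES192, and AES192 is chosen because it is the first server entry the client accepts. The first call shows why leaving both sides at the default does nothing.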
You can understand and resolve network problems better through the use of Oracle Net
Services log and trace files. These files keep track of the interaction between network
components as errors occur.
Graphic
The log files are connected to their corresponding components. The listener.log
file is connected to the listener, the sqlnet.log file to the database server, the
<name>_pid.log file to the CMAN listener, <name>_cmadm_pid.log to the
CMADMIN process, and <name>_cmgw_pid.log file to the CMGW process.
Evaluating this information helps you to diagnose and troubleshoot even the most
complex network problems. These files can also be used to resolve security problems.
Trace files contain some of the same information that is included in log files; however,
the format in the log file is easier to read. The trace file is used for debugging.
All errors encountered in Oracle Net Services are appended to a log file. When the error
message on the screen is inadequate to understand the failure, this file provides you with
additional information to resolve the problem. The log file, by way of the error stack,
shows the state of the software at various layers.
The log file for the listener also includes audit trail information about every client
connection request, as well as most listener control commands.
A number of log files are created by Oracle Net Services components. The following
list includes the default log file names and the component that generates the log:
listener.log: listener
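Because the listener log records every client connection request and most listener control commands, it is the first file to read when reviewing who has been reaching the listener. The following is an added example written for this page, not Oracle tooling: it parses lines in the 11g listener.log layout (fields separated by " * ", the return code last, and the TNS error text on the line that follows a failed event) and summarises them by client address, failure code and control command. SAMPLE_LOG is constructed for the example; the TNS-01189 line mirrors the error the page describes for a remote lsnrctl status without a password.

```python
"""Audit-trail review of an Oracle Net listener.log.

Added example, not Oracle tooling. Turns the connection-request and
control-command lines the course describes into records and summarises them.
SAMPLE_LOG is constructed in the 11g line layout: fields separated by " * ",
return code last, TNS error text on the following line.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
05-MAR-2013 09:14:02 * (CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=sqlplus)(HOST=ws17)(USER=scott))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.1.1.17)(PORT=49152)) * establish * orcl * 0
05-MAR-2013 09:14:05 * (CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=sqlplus)(HOST=ws17)(USER=scott))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.1.1.17)(PORT=49153)) * establish * orcl * 0
05-MAR-2013 09:14:09 * (CONNECT_DATA=(SID=prod)(CID=(PROGRAM=)(HOST=ws22)(USER=guest))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.1.1.22)(PORT=50001)) * establish * prod * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
05-MAR-2013 09:15:40 * status * 0
05-MAR-2013 09:15:41 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=remote-admin-ws)(USER=oracle))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=186647296)) * status * 1189
TNS-01189: The listener could not authenticate the user
"""

HOST_RE = re.compile(r"\(HOST=([^)]*)\)")
USER_RE = re.compile(r"\(USER=([^)]*)\)")


def parse_listener_log(text):
    """Return one dict per event line; a following TNS-nnnnn line is attached as 'error'."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("TNS-") and entries:
            entries[-1]["error"] = line          # error text belongs to the previous event
            continue
        fields = line.split(" * ")
        if len(fields) < 3:
            continue                             # not an event line
        # The operation is the first field after the timestamp that is not a descriptor.
        op = next((f for f in fields[1:] if not f.startswith("(")), None)
        address = next((f for f in fields if f.startswith("(ADDRESS=")), "")
        connect = next((f for f in fields if f.startswith("(CONNECT_DATA=")), "")
        addr_host = HOST_RE.search(address)      # network address of the client
        cid_host = HOST_RE.search(connect)       # host name the client reported about itself
        user = USER_RE.search(connect)
        entries.append({
            "time": fields[0],
            "op": op,
            "code": fields[-1],
            "client_ip": addr_host.group(1) if addr_host else None,
            "client_host": cid_host.group(1) if cid_host else None,
            "user": user.group(1) if user else None,
            "error": None,
        })
    return entries


def summarize(entries):
    """The counts and lists a reviewer looks at first."""
    connections = Counter(e["client_ip"] for e in entries
                          if e["op"] == "establish" and e["client_ip"])
    return {
        "connections_by_ip": dict(connections),
        "failed": [e for e in entries if e["code"] != "0"],
        "control_commands": [e for e in entries if e["op"] != "establish"],
        # Control commands that carry a CONNECT_DATA block came over the network.
        "remote_control": [e for e in entries
                           if e["op"] != "establish" and e["client_host"]],
    }


if __name__ == "__main__":
    report = summarize(parse_listener_log(SAMPLE_LOG))
    print("connection requests by client IP:", report["connections_by_ip"])
    for e in report["failed"]:
        print("failed:", e["time"], e["op"], e["code"], e["error"])
    for e in report["remote_control"]:
        print("remote control command:", e["time"], e["op"], "from", e["client_host"], e["code"])
```

The distinction between client_ip (from the ADDRESS descriptor, set by the network) and client_host (from the CID block, reported by the client program itself) matters when reading a real log: only the former is trustworthy for attributing a request. Control commands logged with a CONNECT_DATA block arrived remotely, which is exactly what the text says a passwordless listener refuses with TNS-01189.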
Summary
In this topic, you've learned how security checklists are used, how to restrict IP
addresses, and how network traffic is encrypted.
Exercise overview
You want to implement network encryption and checksumming using Oracle Net
Manager.
In this exercise, you're required to create the ORACLE listener and the UORACLE net
service name, and configure the sqlnet.ora file using Oracle Net Manager for encryption
and checksumming.
This involves the following tasks:
creating a listener
configuring sqlnet.ora
configuring checksumming
Steps list
Instructions
1. Expand the Local node
2. Select Listeners
3. Click the Add icon
4. Type oracle in the Listener Name text box and click OK
5. Click Add Address
6. Select Save Network Configuration from the File menu
Steps list
Instructions
1. Select Service Naming
2. Click the Add icon
3. Type uoracle in the Net Service Name text box and click Next
4. Click Next
5. Type localhost2.easynomadtravel.com in the Host Name text box and click Next
6. Type orcl2 in the (Oracle8i or later) Service Name text box and click Next
7. Click Test
8. Click the Close icon
9. Click Finish
10. Select Save Network Configuration from the File menu
Steps list
Instructions
1. Select Profile
2. Select Oracle Advanced Security from the drop-down list
3. Click the Encryption tab
4. Select required from the Encryption Type drop-down list
5. Type kjhgfdsa0987654321 in the Encryption Seed text box
6. Select AES256 from the Available Methods list and click the > button
7. Select AES192 from the Available Methods list and click the > button
8. Select AES128 from the Available Methods list and click the > button
9. Select Save Network Configuration from the File menu
Steps list
Instructions
1. Select Profile
2. Select Oracle Advanced Security from the drop-down list
3. Click the Encryption tab
4. Select CLIENT from the Encryption drop-down list
5. Select required from the Encryption Type drop-down list
6. Type 1234567890asdfghjkl in the Encryption Seed text box
7. Select AES192 from the Available Methods list and click the > button
8. Select Save Network Configuration from the File menu
Steps list
Instructions
1. Select Profile
2. Select Oracle Advanced Security from the drop-down list
3. Click the Integrity tab
4. Select CLIENT from the Integrity drop-down list
5. Select required from the Checksum Level drop-down list
6. Select SHA1 from the Available Methods list and click the > button
7. Select Save Network Configuration from the File menu
1. Listener security
The listener acts as the gateway to the network, so some of the listener checklist items
are closely related to network checklist items. For example, using secure sockets layer,
also known as SSL, to encrypt network traffic is on the listener checklist and is part of the
network checklist.
The listener checklist includes the following items:
securing administration by protecting the listener with a password for remote administration and
using SSL when administering the listener
The owner of this separate listener process should not be the owner that installed the
Oracle software or executes the Oracle instance.
The listener process should not have permission to read from or write to database files or
the Oracle server address space. Also, the owner of this separate listener process should
not be the ORACLE user, which is the default owner of the server executable and
database files.
Question
Which statements best describe restricting the privileges of the listener?
Options:
1.
2. The listener process should have permission to read from or write to the Oracle
server address space
3. If you are using external procedures, you must restrict the privileges of the listener
process
4.
Answer
Option 1: This option is correct. By default, the listener is configured to start
external procedures. If you do not intend to use them, remove the external
procedure configuration from the LISTENER.ORA file.
Option 2: This option is incorrect. The listener process should not have
permission to read from or write to the database files or the Oracle server address
space.
Option 3: This option is correct. If you are using external procedures, you must
restrict the privileges of the listener process. The owner of this separate listener
process should not be the owner that installed the Oracle software or executes the
Oracle instance.
Option 4: This option is incorrect. The owner of this separate listener process
should not be the ORACLE user, which is the default owner of the server
executable and database files.
Correct answer(s):
1. By default, the listener is configured to start external procedures
3. If you are using external procedures, you must restrict the privileges of the
listener process
The example depicts the LISTENER.ORA configuration for a separate listener process
named EXTPROC_LISTENER.
Code
EXTPROC_LISTENER=
(DESCRIPTION=
(ADDRESS=(PROTOCOL=ipc)(KEY=extproc)))
SID_LIST_EXTPROC_LISTENER=
(SID_LIST=
(SID_DESC=
(SID_NAME=plsextproc)
(ORACLE_HOME=
/u1/app/oracle/product/11.1.0/db_1)
(PROGRAM=extproc)))
The entry in the TNSNAMES.ORA file based on the LISTENER.ORA configuration is as in
this example.
Code
EXTPROC_CONNECTION_DATA=
(DESCRIPTION=
(ADDRESS=(PROTOCOL=ipc)(KEY=extproc))
(CONNECT_DATA=(SID=plsextproc)))
The value in the KEY parameter is used to match the entries in the two files. You can also
configure the LISTENER.ORA and TNSNAMES.ORA files by using Oracle Net
Configuration Assistant.
Graphic
The code to specify the value in the KEY parameter is the following:
KEY=extproc
The following are the privileges required for the user that starts the listener process for
external procedures:
Read access to the directories where the external procedure libraries are stored
Write access on the directories where the listener log and trace files are stored
Write access to the listener configuration files if you are going to save the configuration files (for
example, after changing the listener password), and
Read or Write access (as required) to the directories used by external procedures
The CREATE LIBRARY privilege allows the user to create a library and run modules from
the library. The modules in the library are called external procedures.
The user can grant the EXECUTE privileges on the external procedures by creating a
PL/SQL program unit for the external procedure and granting EXECUTE on the PL/SQL
program unit. External procedures run with the privileges of the listener process that
starts the external procedure.
Only administrators and trusted users should have the CREATE LIBRARY privilege. Limit
the privilege of the listener by creating a separate listener for external procedures.
Perform the following activities when moving the listener to a nondefault port:
hide the listener
It is very common to leave the listener in the default configuration, listening on port 1521.
You must assume that any hacker, internal or external, will know this port number.
Because most remote connects require that the listener set up the connection, you can
reduce illegitimate connections by hiding the listener. This is by no means a serious
barrier, but will help prevent scripted attacks, viruses that make use of default ports, and
unsophisticated attacks that rely on published information.
register the database, and
When you move the listener to a nondefault port, you must give the database the listener
port number with the LOCAL_LISTENER initialization parameter. The database will
automatically register with a listener on the local machine if it is using port 1521, and with a
listener described by the LOCAL_LISTENER parameter.
set a password on the listener
Prior to 10g, if a user had access to lsnrctl, locally or remotely, and knew the port
number, lsnrctl status or lsnrctl services would yield information about the
instances registered with the listener. By setting a password on the listener, only
authenticated users could access this information.
In 10g and later, a remote lsnrctl status or services command yields only the error
TNS-01189: The listener could not authenticate the user, unless the
password is set and provided by the user.
Question
What action would result in the TNS-01189: The listener could not
authenticate the user error when a password is not provided by the user?
Options:
1.
2.
3.
4.
Answer
Option 1: This option is correct. In 10g and later releases, a remote lsnrctl
status or services command yields only TNS-01189: The listener could
not authenticate the user, unless the password is set and provided by the
user.
Option 2: This option is incorrect. It is very common to leave the listener in the
default configuration listening on port 1521. Although you should assume that any
hacker will know this port number, it would not result in the provided error.
Option 3: This option is incorrect. When you move the listener to a nondefault
port, you must give the database the listener port number with the
LOCAL_LISTENER initialization parameter. This will not result in the provided
error.
Option 4: This option is incorrect. Prior to 10g, if a user had access to lsnrctl,
locally or remotely, and knew the port number, lsnrctl status or lsnrctl
services would yield information about the instances registered with the listener.
By setting a password on the listener, only authenticated users could access this
information.
Correct answer(s):
1. Issuing a remote lsnrctl status or services
In Oracle Database 11g, by default, the listener can be administered only from the node
that it is running on and by the process owner and group. A password is required only if
you want to remotely administer the listener or allow other users to manage the listener.
The PASSWORDS_listener_name parameter stores an encrypted password for a
listener. If a password is not present, it cannot be guessed.
Unless you absolutely need remote listener administration, do not add a password. If you
do add one, be certain to monitor the logs for password guessing, use a strong password,
and change it according to your schedule.
Use the CHANGE_PASSWORD command of the Listener Control utility or Oracle Net
Manager to set or modify an encrypted password in the PASSWORDS_listener_name
parameter in the LISTENER.ORA file.
For example, using the default listener name of LISTENER and the
PASSWORDS_listener_name parameter, with an encrypted password, may appear like
this example.
Graphic
The example is the following:
PASSWORDS_LISTENER=(2D6C48144CF753AC)
Graphic
The welcome page of Oracle Net Manager is open. Oracle Net Manager enables
you to configure three aspects of the network Naming, Naming Methods, and
Listeners. You can navigate using the File, Edit, Command, and Help menus from
the menu bar. The navigator pane contains two nodes Directory and Local
under the Oracle Net Configuration node.
1. select Oracle Net Configuration - Local - Listeners in the navigator pane
The starting node, Oracle Net Configuration contains Directory and Local nodes. The Local node
is expanded to Profile, Service Naming, and Listeners.
2. select a listener
The listener, which is currently selected is LISTENER.
3. select General Parameters from the drop-down list in the right pane, and
In addition to General Parameters, the other list items in the drop-down list are Listening Locations,
Database Services, and Other Services.
4. click the Authentication tab
The General tabbed page is open. In addition to the Authentication tab, the other tab that is available is
Logging & Tracing.
Remaining steps to perform to set or modify an encrypted password with Oracle Net
Manager are the following:
enter the password in the New Password field, and reenter the password in the Confirm New
Password field, and
The corresponding password is entered in these fields. In addition, the Change Password dialog
box contains the Old Password field, which is currently disabled.
To set a new encrypted password with the CHANGE_PASSWORD command, issue these
commands from the Listener Control utility. The password is not displayed when entered,
but asterisks are used in the example.
If you are performing administrative operations locally, the password is never considered.
If you are administering the listener remotely, because you have changed the password
used to configure the listener, you must reset the current password with the SET
PASSWORD command before saving the configuration.
Code
LSNRCTL> CHANGE_PASSWORD
Old password: lsnrc80
New password: lsnrc90
Reenter new password: lsnrc90
LSNRCTL> SET PASSWORD
Password: *******
The command completed successfully
LSNRCTL> SAVE_CONFIG
The command completed successfully
You can restrict runtime administration of the listener by using the
ADMIN_RESTRICTIONS_listener_name parameter. When this parameter is set, the
listener refuses to accept the SET commands that alter its parameters. This feature
provides additional security on the locally managed listener.
To change any of the listener parameters, including
ADMIN_RESTRICTIONS_listener_name, modify the LISTENER.ORA file, and use the
RELOAD command to reload the parameters. This RELOAD command enables the new
changes without explicitly stopping and restarting the listener.
To turn the parameter on for the default listener, add this parameter to the LISTENER.ORA file.
Code
ADMIN_RESTRICTIONS_LISTENER=ON
To turn the parameter on for a listener named PAY_LSNR, include the ADMIN_RESTRICTIONS_PAY_LSNR parameter.
Code
ADMIN_RESTRICTIONS_PAY_LSNR=ON
To change the LISTENER.ORA file, the user must have the operating system Write privilege on the file. This feature is useful only with a listener without a password. Remote administration of the listener is not allowed without a password.
Note
Listener configuration cannot be changed online.
2. Administering a listener
If you are administering the listener remotely over an insecure network and require
maximum security, configure the listener with a secure protocol address that uses TCP/IP
for secure sockets layer, also known as TCPS.
If the listener has multiple protocol addresses, ensure that the TCPS protocol address is
listed first in the LISTENER.ORA file. To use TCPS, configure LISTENER.ORA with the
PROTOCOL=TCPS parameter.
Code
LISTENER=
  (DESCRIPTION=
    (ADDRESS_LIST=
      (ADDRESS=
        (PROTOCOL=tcps)
        (HOST = ed-pdsun1.us.oracle.com)
        (PORT = 8281)))
  ...
Note
To use SSL, Oracle Advanced Security must be installed, and you must have
certificates for the server and the client.
To administer the listener remotely, you must define the listener in the client computer's
TNSNAMES.ORA file. For example, to access the USER281 listener remotely, use this
configuration.
Code
user281 =
  (DESCRIPTION =
    (ADDRESS =
      (PROTOCOL = tcps)
      (HOST = hostname.us.oracle.com)
      (PORT = 8281)))
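As an added example that is not part of the course or of Oracle's tooling, the following Python audits a listener.ora file for the controls described in this topic: a stored PASSWORDS_listener_name entry, ADMIN_RESTRICTIONS_listener_name set to ON, a TCPS address listed before any other address, and the INBOUND_CONNECT_TIMEOUT_listener_name parameter that is introduced later in this topic. The two sample files, the host name and the password hash placeholder are constructed.

```python
"""Audit a listener.ora for the controls this topic covers (password, ADMIN_RESTRICTIONS,
TCPS first, inbound connect timeout). Added example, not Oracle's code; samples constructed."""
import re

def _block(text, name):
    """Return the balanced '(...)' body of the top-level entry NAME = (...), or ''."""
    m = re.search(r"^\s*%s\s*=\s*\(" % re.escape(name), text, re.M | re.I)
    if not m:
        return ""
    depth, start = 0, m.end() - 1
    for i in range(start, len(text)):
        depth += {"(": 1, ")": -1}.get(text[i], 0)
        if depth == 0:
            return text[start:i + 1]
    return text[start:]            # unbalanced file: audit whatever is there

def _param(text, name):
    """Value of a plain NAME = value line (case-insensitive), or None if absent."""
    m = re.search(r"^\s*%s\s*=\s*([^\s#]+)" % re.escape(name), text, re.M | re.I)
    return m.group(1) if m else None

def audit_listener(text, listener="LISTENER"):
    """Return {check_name: passed} for the named listener."""
    body = _block(text, listener)
    protocols = re.findall(r"\(\s*PROTOCOL\s*=\s*(\w+)\s*\)", body, re.I)
    admin = _param(text, "ADMIN_RESTRICTIONS_" + listener) or ""
    return {
        # encrypted password line written by CHANGE_PASSWORD + SAVE_CONFIG
        "password_set": _param(text, "PASSWORDS_" + listener) is not None,
        "admin_restrictions_on": admin.upper() == "ON",
        # the secure protocol address must be listed before any other address
        "tcps_first": bool(protocols) and protocols[0].lower() == "tcps",
        "inbound_timeout_set": _param(text, "INBOUND_CONNECT_TIMEOUT_" + listener) is not None,
    }

# Constructed: a default-style listener.ora with none of the controls applied.
WEAK = """\
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = tcp)(HOST = db1.example.test)(PORT = 1521))
    )
  )
"""

# Constructed: the same listener hardened; the PASSWORDS_ value is a placeholder for the hash SAVE_CONFIG writes.
HARDENED = """\
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = tcps)(HOST = db1.example.test)(PORT = 8281))
      (ADDRESS = (PROTOCOL = tcp)(HOST = db1.example.test)(PORT = 1521))
    )
  )
PASSWORDS_LISTENER = (0000000000000000)
ADMIN_RESTRICTIONS_LISTENER = ON
INBOUND_CONNECT_TIMEOUT_LISTENER = 60
"""
```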
It is possible for connections without authentication to stay open indefinitely. Malicious
clients can attempt to flood database servers with connect requests that consume
resources. This is a possible scenario for a denial-of-service, abbreviated as DoS, or
distributed DoS attack.
To prevent this scenario, use the following two parameters in conjunction:
SQLNET.INBOUND_CONNECT_TIMEOUT
In the sqlnet.ora file, SQLNET.INBOUND_CONNECT_TIMEOUT is set to a value in seconds, and it determines how long a client has to provide the necessary authentication information to a database.
INBOUND_CONNECT_TIMEOUT_listener_name
Set the INBOUND_CONNECT_TIMEOUT_listener_name parameter in the LISTENER.ORA file. It is set to a value in seconds, and it determines how long a client has to complete its connect request to the listener after the network connection has been established.
If the client fails to establish a connection and complete authentication in the time
specified, the database server terminates the connection. The database server logs the
IP address of the client and an ORA-12170: TNS:Connect timeout occurred error
message to the sqlnet.log file.
To protect both the database server and the listener, Oracle Corporation recommends
setting both parameters in combination.
When specifying values for the two parameters, consider the following recommendations:
On Linux, with a default installation, the listener log defaults to this location.
Code
$ORACLE_BASE/diag/tnslsnr/hostname/listener/alert/log.xml
You can set the following logging parameters in the LISTENER.ORA file:
DIAG_ADR_ENABLED_<listener>=OFF
The DIAG_ADR_ENABLED_<listener>=OFF parameter is used to direct the log file to another location. The LOG_DIRECTORY_listener_name and LOG_FILE_listener_name parameters are ignored if this parameter is ON. This parameter must be set manually. It cannot be set from the netmgr utility.
LOG_DIRECTORY_listener_name
LOG_DIRECTORY_listener_name is the destination directory for the log file. The default directory on UNIX is $ORACLE_HOME/network/log and on Windows is %ORACLE_HOME%\network\log.
LOG_FILE_listener_name
LOG_FILE_listener_name is the file name for the log file. The default name is listener.log.
To set the logging parameters in Oracle Net Manager, perform the following steps:
Graphic
The listener.ora file is open in gedit from the following path: /u01/app/oracle/product/11.1.0/db_1/network/admin/listener.ora (modified). The File menu is open.
1. With an editor, add the line DIAG_ADR_ENABLED_<listener>=OFF to the listener.ora file. Save the file and close the editor. The line entered in the listener.ora file is DIAG_ADR_ENABLED_LISTENER = OFF.
2. Start Oracle Net Manager. In the navigator pane, select the listener that you want to configure. The listener currently selected is LISTENER.
3. Select General Parameters from the drop-down list in the right pane.
The remaining steps to set the logging parameters in Oracle Net Manager are the following:
4. Set the parameter. The directory and log file names are a single parameter. The Logging & Tracing tabbed page is open. It contains options to disable and enable logging and tracing operations. The Logging Enabled option is selected, and the corresponding path of the log file is selected in the Log File field.
5. To save the configuration by using the menu options, select File - Save Network Configuration.
If the DIAG_ADR_ENABLED_<listener> parameter is set to OFF, you can also control
the listener logging during runtime by using the SET command in the Listener Control
utility with the LOG_DIRECTORY and LOG_FILE parameters.
The LOG_DIRECTORY parameter is the destination directory for the listener log file. The
LOG_FILE parameter is the name of the log file for the listener.
These changes remain in effect until the listener is shut down.
Question
Which listener-logging parameter specifies the destination directory for the log file?
Options:
1. DIAG_ADR_ENABLED_<listener>
2. LOG_DIRECTORY_listener_name
3. LOG_FILE_listener_name
4. LOG_DIRECTORY
Answer
Option 1: This option is incorrect. The DIAG_ADR_ENABLED_<listener>=OFF
parameter is used to have the log file go to another location. The other log
parameters are ignored if this parameter is ON. This parameter must be set
manually. It cannot be set from the netmgr utility.
Option 2: This option is correct. The LOG_DIRECTORY_listener_name
parameter is the destination directory for the log file. The default directory on UNIX
The audit trail records have this format.
Code
Timestamp * Connect Data * [Protocol] * Event * [SID|Service] * Return Code
The audit trail fields have the following properties:
a successful connection or command returns a code of zero
protocol address information and system identifier, abbreviated as SID, or service name information appear only when a connection is attempted
a failed connection or command includes a return code that maps to an error message
Service registration events are recorded in the listener.log file. The service_register
event indicates that the listener received registration information for an instance.
The service_update event indicates that the listener received updated registration
information for a particular instance. The service_died event indicates that the listener
lost its connection to the PMON background process.
The service registration records have this format.
Code
Timestamp * Event * Instance Name * Return Code
The service registration fields have the following properties:
it is normal for the events to appear multiple times in a row for one instance
a successful registration returns a code of zero, that is, the client can connect to the instance
a failure produces a code that maps to an error message
Frequent starts and stops of the database instance may indicate a problem, such as abuse of privileges.
Information concerning the direct hand-off to dispatchers is recorded in the listener.log
file. The direct hand-off event records have this format.
Code
Timestamp * Presentation * Handoff * Error Code
The direct hand-off fields have the following properties:
Question
Identify the properties of service registration fields.
Options:
1. A successful connection or command returns a code of zero
2. It is normal for the events to appear multiple times in a row for one instance
3. A failed connection or command includes a return code that maps to an error message
4. A successful registration returns a code of zero
Answer
Option 1: This option is incorrect. A property of audit trail fields is that a successful connection or command returns a code of zero.
Option 2: This option is correct. A property of service registration fields is that it is normal for the events to appear multiple times in a row for one instance. Also, a successful registration returns a code of zero.
Option 3: This option is incorrect. A property of audit trail fields is that a failed connection or command includes a return code that maps to an error message.
Option 4: This option is correct. A property of service registration fields is that a successful registration returns a code of zero, which means the client can connect to the instance.
Correct answer(s):
2. It is normal for the events to appear multiple times in a row for one instance
4. A successful registration returns a code of zero
Each record in the listener.log file is on a single line. An asterisk (*) is used to delimit the
fields in the log record. The examples are formatted for readability.
The first record example contains a successful connect request. It includes the following components:
Code
22-NOV-2008 22:55:32 *
(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=p1orcl.us.oracle.com)(CID=(PROGRAM=sqlplus)(HOST=edt3r24p0.us.oracle.com)(USER=oracle))) *
(ADDRESS=(PROTOCOL=tcp)(HOST=10.150.21.135)(PORT=23499)) * establish * p1orcl.us.oracle.com * 0
...
The zero return code indicates that the listener found the service. It does not indicate that
the user made a successful connection.
For example, if the user enters an invalid password, the listener still shows a return code
of zero. You can audit connection attempts to get information about failed database
connections.
The second record example contains an unsuccessful connect request. It includes the following components:
Code
22-NOV-2008 22:58:33 *
(CONNECT_DATA=(SERVICE_NAME=p0orcl)(CID=(PROGRAM=sqlplus)(HOST=edt3r24p1.us.oracle.com)(USER=oracle))) *
(ADDRESS=(PROTOCOL=tcp)(HOST=10.150.21.136)(PORT=58323)) * establish * p0orcl * 12514
TNS-12514: TNS:listener does not currently know of service requested in connect descriptor
...
Because the return code is nonzero, the next line displays the associated error message
TNS-12514: TNS:listener could not resolve SERVICE_NAME given in
connect descriptor.
If your listener is being probed, it shows up as a series of failed connection attempts from
the same source but with different destinations.
A denial-of-service, abbreviated as DoS, attack appears as multiple connections from the
same source that may or may not fail. Probing may be sufficient for a DoS attack, so a
successful connection may not be required.
Code
22-NOV-2008 22:58:33 * * (ADDRESS=(PROTOCOL=tcp)(HOST=10.150.21.136)(PORT=58323)) * establish * p0orcl * 12514
TNS-12514: TNS:listener does not currently know of service requested in connect descriptor
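As an added example, not from the course or from Oracle, the following Python parses listener.log records in the layout described above (audit trail, lsnrctl command and service registration records, with the TNS error line attached to the failed record before it) and flags the two patterns just described: one source failing against several different services, and many connect requests from one source in a short window. The sample log lines and the detection thresholds are constructed.

```python
"""Parse Oracle listener.log audit-trail records and flag probing and floods.
Added example for this course page, not Oracle's code; sample data is constructed."""
import re
from datetime import datetime

HOST_RE = re.compile(r"\(HOST=([^)]+)\)")
PROBE_MIN_TARGETS = 3   # assumption: failures against >= 3 distinct services = probing
FLOOD_MIN_CONNECTS = 4  # assumption: >= 4 connects from one source inside the window
FLOOD_WINDOW_SEC = 60

SAMPLE_LOG = """\
22-NOV-2008 22:55:32 * (CONNECT_DATA=(SERVICE_NAME=p1orcl)(CID=(PROGRAM=sqlplus)(HOST=edt3r24p0)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.150.21.135)(PORT=23499)) * establish * p1orcl * 0
22-NOV-2008 22:58:33 * (CONNECT_DATA=(SERVICE_NAME=p0orcl)) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.150.21.136)(PORT=58323)) * establish * p0orcl * 12514
TNS-12514: TNS:listener does not currently know of service requested in connect descriptor
22-NOV-2008 22:58:34 * (CONNECT_DATA=(SERVICE_NAME=orcl)) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.150.21.136)(PORT=58324)) * establish * orcl * 12514
TNS-12514: TNS:listener does not currently know of service requested in connect descriptor
22-NOV-2008 22:58:35 * (CONNECT_DATA=(SERVICE_NAME=xe)) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.150.21.136)(PORT=58325)) * establish * xe * 12514
TNS-12514: TNS:listener does not currently know of service requested in connect descriptor
22-NOV-2008 22:58:36 * (CONNECT_DATA=(SERVICE_NAME=p1orcl)) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.150.21.136)(PORT=58326)) * establish * p1orcl * 0
22-NOV-2008 23:09:29 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=edt3r24p1)(USER=oracle))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=185599488)) * status * 0
22-NOV-2008 23:09:40 * service_register * p1orcl * 0
"""

def parse_log(text):
    """Return one dict per record; a TNS-* line is attached to the record before it."""
    records = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if line.startswith("TNS-") and records:
            records[-1]["error"] = line
            continue
        parts = [p.strip() for p in line.split(" * ")]
        rec = {"ts": datetime.strptime(parts[0], "%d-%b-%Y %H:%M:%S"),
               "rc": int(parts[-1]), "source": "", "target": "", "error": ""}
        if len(parts) == 6:                  # connection attempt: Protocol and SID|Service present
            host = HOST_RE.search(parts[2])  # the client address lives in the Protocol field
            rec.update(event=parts[3], target=parts[4], source=host.group(1) if host else "")
        elif parts[1].startswith("("):       # lsnrctl command: Connect Data but no Protocol/SID
            rec["event"] = parts[2]
        else:                                # service registration: Event * Instance Name
            rec.update(event=parts[1], target=parts[2])
        records.append(rec)
    return records

def find_probing(records):
    """Sources whose failed connect requests named several different services."""
    failed = {}
    for r in records:
        if r["event"] == "establish" and r["rc"] != 0 and r["source"]:
            failed.setdefault(r["source"], set()).add(r["target"])
    return {s: sorted(t) for s, t in failed.items() if len(t) >= PROBE_MIN_TARGETS}

def find_floods(records):
    """Sources with at least FLOOD_MIN_CONNECTS connects, failed or not, all inside FLOOD_WINDOW_SEC."""
    by_src = {}
    for r in records:
        if r["event"] == "establish" and r["source"]:
            by_src.setdefault(r["source"], []).append(r["ts"])
    return {s: len(t) for s, t in by_src.items() if len(t) >= FLOOD_MIN_CONNECTS
            and (max(t) - min(t)).total_seconds() <= FLOOD_WINDOW_SEC}
```

Because the listener returns zero whenever it finds the service, both functions look only at what the listener can see; failed database logins after a successful hand-off must come from database auditing, as the text above notes.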
The listener log command examples contain four records.
1
Code
TNSLSNR for Linux: Version 11.1.0.6.0 - Production on 22-NOV-2008 23:09:29
Copyright (c) 1991, 2007, Oracle. All rights reserved.
System parameter file is /u01/app/oracle/product/11.1.0/db_1/network/admin/listener.ora
Log messages written to /home/oracle/network/log/log_list.log
Trace information written to /u01/app/oracle/product/11.1.0/db_1/network/trace/listener.trc
Trace level is currently 0
Started with pid=4792
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1)))
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=edt3r24p1.us.oracle.com)(PORT=12001)))
Listener completed notification to CRS on start
2
This record depicts a listener status command.
Code
TIMESTAMP * CONNECT DATA [* PROTOCOL INFO] * EVENT [* SID] * RETURN CODE
22-NOV-2008 23:09:29 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=edt3r24p1.us.oracle.com)(USER=oracle))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=185599488)) * status * 0
3
This record depicts a successful listener reload.
Code
22-NOV-2008 23:09:40 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=edt3r24p1.us.oracle.com)(USER=oracle))(COMMAND=reload)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=185599488)) * reload * 0
4
This record depicts a successful listener shutdown.
Code
22-NOV-2008 23:09:40 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=edt3r24p1.us.oracle.com)(USER=oracle))(COMMAND=reload)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=185599488)) * reload * 0
Summary
In this topic, you've learned how to administer and monitor a listener, and restrict listener
privileges.
Exercise overview
You want to secure the listener by setting a password that must be used during remote
administration. You also want to view the effects of changes to the listener.ora file.
In this exercise, you're required to set a password for the ORACLE listener, start and stop
the listener and set the trace level, and reload the listener.ora file after changes have
been made.
This involves the following tasks:
setting a listener password
stopping and starting the listener and setting the trace level
reloading listener.ora
Steps list
Instructions
1. Type lsnrctl and press Enter
2. Type set current_listener oracle and press Enter
3. Type change_password and press Enter
4. Press Enter
5. Type oracle and press Enter
6. Type oracle and press Enter
7. Type save_config and press Enter
8. Type exit and press Enter
Steps list
Instructions
1. Type lsnrctl stop oracle and press Enter
2. Type lsnrctl start oracle and press Enter
3. Type lsnrctl and press Enter
4. Type set current_listener oracle and press Enter
5. Type set trc_level off and press Enter
6. Type exit and press Enter
Steps list
Instructions
1. Type lsnrctl and press Enter
2. Type set current_listener oracle and press Enter
3. Type reload and press Enter
4. Type set trc_level off and press Enter
5. Type exit and press Enter