The views and opinions expressed are all my own, only for study and testing, and do not reflect the views of any company or its affiliates.
Category: Oracle
2009-09-11 14:16:09
■■Tips_22 Configuring Security for the Listener
■Three advanced features of the listener
①How to control administrative access.
②How to configure the listener to reject connection requests from unauthorized sources.
③How to set up a listener to run external procedures.
■Securing the Listener
・Listener Operating System Authentication (default security)
・Listener Password Authentication
Listener passwords can be enabled and set through the Net Manager GUI, through Database Control, with the lsnrctl utility, or by editing the listener.ora file by hand.
■eg: Setting a Listener Password with lsnrctl
Enable password authentication for a listener, using the lsnrctl command-line utility.
This exercise assumes that your listener is the default listener, named LISTENER.
1. From an operating system prompt, launch the lsnrctl utility. On Windows,
C:\> lsnrctl
or on Unix,
$ lsnrctl
2. Check the status of the listener, and if it is not running, start it. For example,
on Windows,
C:\>lsnrctl
LSNRCTL for 32-bit Windows: Version 10.1.0.2.0 - Production on 24-JAN-2005 13:06:55
Copyright (c) 1991, 2004, Oracle. All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL> status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ora10g)(PORT=1521)))
TNS-12541: TNS:no listener
TNS-12560: TNS:protocol adapter error
TNS-00511: No listener
32-bit Windows Error: 61: Unknown error
LSNRCTL> start
Starting tnslsnr: please wait...
3. Choose a password (in the example that follows, it is “pass,” but this is not displayed) and apply it as shown here. As there is no password currently, press ENTER when prompted for the old password.
LSNRCTL>
LSNRCTL> change_password
Old password:
New password:
Reenter new password:
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ora10g)(PORT=1521)))
Password changed for LISTENER
The command completed successfully
LSNRCTL>
4. Save the password to the listener.ora file.
LSNRCTL>
LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ora10g)(PORT=1521)))
Saved LISTENER configuration parameters.
Listener Parameter File c:\oracle\product\10.1.0\db_2\network\admin\listener.ora
Old Parameter File c:\oracle\product\10.1.0\db_2\network\admin\listener.bak
The command completed successfully
LSNRCTL>
5. Set your lsnrctl session to use the password, and confirm that you can stop the listener.
LSNRCTL>
LSNRCTL> set password pass
The command completed successfully
LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ora10g)(PORT=1521)))
The command completed successfully
LSNRCTL>
6. Exit from lsnrctl, use an editor to open the listener.ora file, and observe the encrypted password.
LISTENER =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = ora10g)(PORT = 1521))
)
#----ADDED BY TNSLSNR 06-NOV-2004 18:31:37---
PASSWORDS_LISTENER = 1AB3AFF023F1126C
#--------------------------------------------
■Controlling Database Access
Controlling access to a listener is done by configuring Oracle Net profiles, which are in fact a set of directives in the sqlnet.ora file on the server machine.
•TCP.VALIDNODE_CHECKING (default NO)
Changing it to YES enables the other two directives.
•TCP.INVITED_NODES
If any node is listed in TCP.INVITED_NODES, then all other nodes are implicitly excluded.
•TCP.EXCLUDED_NODES
If any node is listed in TCP.EXCLUDED_NODES, then all other nodes are implicitly invited.
※Tips:
・If both directives are set and there is a conflict, then the TCP.INVITED_NODES list takes precedence.
・The invited and excluded nodes can be listed by name or by IP address, but the syntax does not permit wildcards; each node must be listed individually.
The Connection Manager gives greater control over access, including use of wildcards in both hostnames and IP addresses.
・Note that this mechanism applies only to TCP.
Connections from user processes running on the server machine using IPC will always be accepted.
eg:
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (as1.haunting.com, as2.haunting.com)
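The valid-node rules above (checking disabled unless VALIDNODE_CHECKING is YES, invited list wins on conflict, implicit exclusion/invitation, IPC always accepted, no wildcards), worked through as an added Python example that is not part of the original notes. The sqlnet.ora fragment it parses is constructed, and `parse_profile`, `is_connection_accepted` and `audit_profile` are assumed helper names.

```python
# Constructed sqlnet.ora fragment (sample only, not from a real server)
SQLNET_ORA = """
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (as1.haunting.com, as2.haunting.com, 10.0.0.5)
TCP.EXCLUDED_NODES = (as2.haunting.com, 10.0.0.9)
"""

def parse_profile(text):
    """Parse NAME = VALUE or NAME = (a, b) directives into {NAME: [values]}."""
    profile = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        items = [v.strip() for v in value.strip("()").split(",") if v.strip()]
        profile[name.upper()] = items
    return profile

def is_connection_accepted(profile, node, protocol="TCP"):
    """Apply the valid-node rules from the notes to one incoming connection."""
    if protocol.upper() != "TCP":
        return True  # IPC connections from the server host are always accepted
    if profile.get("TCP.VALIDNODE_CHECKING", ["NO"])[0].upper() != "YES":
        return True  # checking disabled: both node lists are ignored
    invited = {n.lower() for n in profile.get("TCP.INVITED_NODES", [])}
    excluded = {n.lower() for n in profile.get("TCP.EXCLUDED_NODES", [])}
    node = node.lower()
    if node in invited:
        return True  # on a conflict the invited list takes precedence
    if invited:
        return False  # a non-empty invited list implicitly excludes all others
    return node not in excluded  # only an excluded list: all others implicitly invited

def audit_profile(profile):
    """Return the misconfigurations a reviewer would flag in this profile."""
    findings = []
    if profile.get("TCP.VALIDNODE_CHECKING", ["NO"])[0].upper() != "YES":
        findings.append("TCP.VALIDNODE_CHECKING is not YES, so node lists are ignored")
    for key in ("TCP.INVITED_NODES", "TCP.EXCLUDED_NODES"):
        for n in profile.get(key, []):
            if "*" in n or "?" in n:
                findings.append(f"{key}: wildcard '{n}' is not allowed; list each node")
    return findings

if __name__ == "__main__":
    prof = parse_profile(SQLNET_ORA)
    print(audit_profile(prof), is_connection_accepted(prof, "10.0.0.9"))
```

In the constructed sample, as2.haunting.com appears in both lists and is accepted, while 10.0.0.9 and every unlisted host are rejected.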
■External Procedures
•Oracle stored procedures can be written in either PL/SQL or Java
•External procedures must be written in C. User process software, linked with the OCI libraries, can be written in C or in C++.
*TIP:
It is possible to convert your PL/SQL code to C and then compile and link it, which may give great performance gains.
This is the "native compilation" technique, enabled by setting the PLSQL_CODE_TYPE initialization parameter to NATIVE.