Best Practice - Removing Old Access-Control Lists from Bug Mitigations

I was just auditing my Internet router configuration against the NSA Router Security Configuration Guide and came across the old entries below.
access-list 100 deny   53 any any
access-list 100 deny   55 any any
access-list 100 deny   77 any any
access-list 100 deny   pim any any
I remember applying them in the dim dark past and tracked it down to this advisory "Cisco IOS Interface Blocked by IPv4 Packets".
Clearly they've just been propagated when the router and IOS get upgraded.
My question is should we remove all the old workarounds, and how often do people audit their configs?
Anything after 12.3 is not vulnerable, so it could safely be removed, but then it doesn't really hurt to leave them since we aren't expecting any of those protocols to be coming from the internet.  There is always the possibility that someone will just copy it to a router with an older vulnerable IOS.
Obviously there will be a small amount of additional processing overhead on the ACL too.
All comments are welcome.

I would not worry about processing. As long as you have an ACL applied, 2-3 lines more do not practically cause any extra overhead.
You can keep the deny lines there and they will not hurt.
As for how often people audit configs it depends on the policies. I have seen 6 months as the most common time frame.
I hope it helps.
PK
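
An added example, not part of the original thread: a Python audit that finds the workaround entries quoted in the question in an IOS configuration, shows where their ACL is applied, and compares the `version` line against the questioner's statement that anything after 12.3 is not vulnerable. The sample configuration, the interface name and the function name `audit` are constructed for illustration.

```python
import re

# Protocols denied by the workaround entries quoted in the thread.
# "pim" is the IOS keyword for IP protocol 103.
WORKAROUND_PROTOCOLS = {"53", "55", "77", "103", "pim"}

VERSION = re.compile(r"^version\s+(\d+)\.(\d+)")
INTERFACE = re.compile(r"^interface\s+(\S+)")
ACCESS_GROUP = re.compile(r"^\s+ip access-group\s+(\S+)\s+(in|out)\b")
NUMBERED_ACE = re.compile(r"^access-list\s+(\S+)\s+deny\s+(\S+)\s+any\s+any\s*$")
NAMED_ACL = re.compile(r"^ip access-list extended\s+(\S+)")
NAMED_ACE = re.compile(r"^\s+(?:\d+\s+)?deny\s+(\S+)\s+any\s+any\s*$")


def audit(config_text, last_vulnerable=(12, 3)):
    """Report leftover workaround ACEs in an IOS configuration.

    last_vulnerable defaults to the thread's statement ("anything after
    12.3 is not vulnerable"); it is an assumption, so check it against
    the advisory before acting on the result.
    """
    version = None
    findings = []   # (line number, ACL name or number, protocol)
    applied = {}    # ACL -> ["<interface> <direction>", ...]
    current_if = current_acl = None

    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.rstrip()
        if line and not line[0].isspace():
            # A new top-level statement ends interface / named-ACL sub-mode.
            current_if = current_acl = None

        if m := VERSION.match(line):
            version = (int(m[1]), int(m[2]))
        elif m := INTERFACE.match(line):
            current_if = m[1]
        elif (m := ACCESS_GROUP.match(line)) and current_if:
            applied.setdefault(m[1], []).append(f"{current_if} {m[2]}")
        elif m := NAMED_ACL.match(line):
            current_acl = m[1]
        elif m := NUMBERED_ACE.match(line):
            if m[2].lower() in WORKAROUND_PROTOCOLS:
                findings.append((line_no, m[1], m[2].lower()))
        elif (m := NAMED_ACE.match(line)) and current_acl:
            if m[1].lower() in WORKAROUND_PROTOCOLS:
                findings.append((line_no, current_acl, m[1].lower()))

    # stale: workaround entries exist and the image is past the affected
    # releases; None when the config carries no version line to judge by.
    stale = None if version is None else bool(findings) and version > last_vulnerable
    return {"version": version, "findings": findings,
            "applied": applied, "stale": stale}


# Constructed sample configuration (not taken from the thread's router).
SAMPLE_CONFIG = """\
version 12.4
!
interface Serial0/0
 ip access-group 100 in
!
access-list 100 deny   53 any any
access-list 100 deny   55 any any
access-list 100 deny   77 any any
access-list 100 deny   pim any any
access-list 100 permit ip any any
"""

if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    for line_no, acl, proto in result["findings"]:
        where = ", ".join(result["applied"].get(acl, [])) or "not applied"
        print(f"line {line_no}: ACL {acl} denies protocol {proto} ({where})")
    print("IOS version:", result["version"],
          "| past the affected releases:", result["stale"])
```

Running it over every archived configuration at each audit cycle also catches the case raised in the question, where the block is copied to a router whose image is still in the affected range (`stale` is then `False`).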

Similar Messages

  • Access Control Lists on USB drive connected to AirPort Extreme

    I have a Seagate 320GB drive mounted in a NexStar 2 IDE drive enclosure and connected via USB to my AirPort Extreme Base Station, running version 7.4.1 firmware upgrade.
    Every time I restart the computer or unmount the network drive, an access control list appears to be written to the drive when there should be none, according to Disk Utility. I can tell when there are problems with the drive because the desktop icon turns from bright blue to grey-blue. I have to unmount the drive from the base station and connect it directly to the computer via firewire in order for Disk Utility to examine it. Generally, Disk Utility will report "Incorrect number of Access Control Lists (It should be 0 instead of (whatever number found) )
    Does anyone know why these Access Control Lists are appearing? Is there any easy way to locate them and remove them, other than disconnecting it from the base station and connecting to the computer?
    This problem happens with several different drives, in various NexStar 2 and NexStar 3 enclosures.

    Same problem for me, except that it happens after copying a file to the drive. It doesn't happen if I just mount and unmount the disc. The same for all discs I have tried.
    2009-03-04 12:59:30 +0100: Disk Utility started.
    2009-03-04 12:59:43 +0100: Verifying volume “UltramaxB”
    Starting verification tool: 2009-03-04 12:59:43 +0100
    2009-03-04 12:59:43 +0100: Checking Journaled HFS Plus volume.
    2009-03-04 12:59:43 +0100: Checking Extents Overflow file.
    2009-03-04 12:59:43 +0100: Checking Catalog file.
    2009-03-04 12:59:43 +0100: Checking multi-linked files.
    2009-03-04 12:59:43 +0100: Checking Catalog hierarchy.
    2009-03-04 12:59:43 +0100: Checking Extended Attributes file.
    2009-03-04 12:59:43 +0100: Incorrect number of Access Control Lists
    2009-03-04 12:59:43 +0100: 2009-03-04 12:59:43 +0100: 2009-03-04 12:59:43 +0100: (It should be 5427 instead of 5430)
    2009-03-04 12:59:43 +0100: Checking volume bitmap.
    2009-03-04 12:59:44 +0100: Checking volume information.
    2009-03-04 12:59:44 +0100: 2009-03-04 12:59:44 +0100: The volume UltramaxB needs to be repaired.
    2009-03-04 12:59:44 +0100: Error: Filesystem verify or repair failed.2009-03-04 12:59:44 +0100:
    2009-03-04 12:59:44 +0100: Disk Utility stopped verifying “UltramaxB” because the following error was encountered:
    Filesystem verify or repair failed.
    2009-03-04 12:59:44 +0100:

  • Cannot sort in file/folder access control list in 8 or Server 2012

    I use Windows 8 and Server 2012 Datacenter (with GUI).  In 7/2008R2, I was formerly able to get properties on a file or folder, go to Security tab, click Advanced, and sort the access control list by type, access, inherited from, etc.  Now, it doesn't do anything when I click on the headings.   I know I did not find this during the Beta or Release Preview periods, but I do wish this feature would be added back.
    I tried to send this through MS Connect, but they said it was a Server 2008 issue.  Does that mean that it was never supposed to sort?  But I argue that 8 and Server 2012 have the bug.  Here is an image of the window I am referring to, for clarification:

    This is really frustrating. Just got 2012 R2 management server and a week after, I noticed the same issue. The only difference is that I'm sorting AD delegation, with 150+ ACEs. While having huge lists of ACEs, it is a must of being able to sort them by different columns. Sad that it is considered a bug - it's usually an opposite, when a bug is offered as a feature...
    I still hope this will be fixed with time to come, else - it will be more practical to use PowerShell than such handicapped GUI.
    MCSE, MCITP

  • APEX and ORA-24247: network access denied by access control list (ACL)

    Hi,
    I am trying to send email with APEX.
    I have entered the parameters of my mail server and activated email on my application.
    I have followed the APEX installation guide and applied the script given in the "Granting Connect Privileges" section.
    When I try to send email or make a subscription, I don't receive any email and can see this error in the table "WWV_FLOW_MAIL_LOG":
    "MAIL_TO","MAIL_FROM","MAIL_REPLYTO","MAIL_SUBJ","MAIL_CC","MAIL_BCC","MAIL_SEND_ERROR","LAST_UPDATED_BY","LAST_UPDATED_ON","SECURITY_GROUP_ID"
    "[email protected]","[email protected]","[email protected]","Suivi de Besoins","","","ORA-24247: network access denied by access control list (ACL)","SYS",05/03/12,3210210578052219
    "[email protected]","[email protected]","[email protected]","Suivi de Besoins","","","ORA-24247: network access denied by access control list (ACL)","SYS",05/03/12,3210210578052219
    "[email protected]","[email protected]","[email protected]","Suivi de Besoins","","","ORA-24247: network access denied by access control list (ACL)","SYS",05/03/12,3210210578052219
    "[email protected]","[email protected]","[email protected]","Suivi de Besoins","","","ORA-24247: network access denied by access control list (ACL)","SYS",05/03/12,3210210578052219
    "[email protected]","[email protected]","[email protected]","Suivi de Besoins","","","ORA-24247: network access denied by access control list (ACL)","SYS",24/02/12,3210210578052219
    "[email protected]","[email protected]","[email protected]","Suivi de Besoins","","","ORA-24247: network access denied by access control list (ACL)","SYS",05/03/12,3210210578052219
    Do you see what is wrong in my configuration?
    I use APEX 4.1, Oracle 11g.
    The script that I have applied is:
    DECLARE
      ACL_PATH  VARCHAR2(4000);
      ACL_ID    RAW(16);
    BEGIN
      -- Look for the ACL currently assigned to '*' and give APEX_040100
      -- the "connect" privilege if APEX_040100 does not have the privilege yet.
      SELECT ACL INTO ACL_PATH FROM DBA_NETWORK_ACLS
       WHERE HOST = '*' AND LOWER_PORT IS NULL AND UPPER_PORT IS NULL;

      -- Before checking the privilege, make sure that the ACL is valid
      -- (for example, does not contain stale references to dropped users).
      -- If it does, the following exception will be raised:
      --
      -- ORA-44416: Invalid ACL: Unresolved principal 'APEX_040100'
      -- ORA-06512: at "XDB.DBMS_XDBZ", line ...
      --
      SELECT SYS_OP_R2O(extractValue(P.RES, '/Resource/XMLRef')) INTO ACL_ID
        FROM XDB.XDB$ACL A, PATH_VIEW P
       WHERE extractValue(P.RES, '/Resource/XMLRef') = REF(A) AND
             EQUALS_PATH(P.RES, ACL_PATH) = 1;

      DBMS_XDBZ.ValidateACL(ACL_ID);
      IF DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE(ACL_PATH, 'APEX_040100',
         'connect') IS NULL THEN
        DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(ACL_PATH,
         'APEX_040100', TRUE, 'connect');
      END IF;

    EXCEPTION
      -- When no ACL has been assigned to '*'.
      WHEN NO_DATA_FOUND THEN
        DBMS_NETWORK_ACL_ADMIN.CREATE_ACL('power_users.xml',
          'ACL that lets power users to connect to everywhere',
          'APEX_040100', TRUE, 'connect');
        DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL('power_users.xml','*');
    END;
    /
    COMMIT;
    Thanks for your help,

    Hi,
    You need to grant privilege to the user.
    i.e add principal
    You can use script :
    DECLARE
      ACL_ID   RAW(16);
      CNT      NUMBER;
    BEGIN
      -- Look for the object ID of the ACL currently assigned to '*'
      SELECT ACLID INTO ACL_ID FROM DBA_NETWORK_ACLS
       WHERE HOST = '*' AND LOWER_PORT IS NULL AND UPPER_PORT IS NULL;

      -- If just some users referenced in the ACL are invalid, remove just those
      -- users in the ACL. Otherwise, drop the ACL completely.
      SELECT COUNT(PRINCIPAL) INTO CNT FROM XDS_ACE
       WHERE ACLID = ACL_ID AND
             EXISTS (SELECT NULL FROM ALL_USERS WHERE USERNAME = PRINCIPAL);

      IF (CNT > 0) THEN
        -- Some principals are still valid: delete only the stale ACEs.
        FOR R IN (SELECT PRINCIPAL FROM XDS_ACE
                   WHERE ACLID = ACL_ID AND
                         NOT EXISTS (SELECT NULL FROM ALL_USERS
                                      WHERE USERNAME = PRINCIPAL)) LOOP
          UPDATE XDB.XDB$ACL
             SET OBJECT_VALUE =
                   DELETEXML(OBJECT_VALUE,
                             '/ACL/ACE[PRINCIPAL="'||R.PRINCIPAL||'"]')
           WHERE OBJECT_ID = ACL_ID;
        END LOOP;
      ELSE
        -- No valid principal is left: drop the whole ACL.
        DELETE FROM XDB.XDB$ACL WHERE OBJECT_ID = ACL_ID;
      END IF;
    END;
    /
    REM commit the changes.
    COMMIT;
    Or you need to add privilege to specific user/schema using following script:
    BEGIN
    DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE (
    acl          => 'aclfilename.xml',
    principal    => 'databaseuser',
    is_grant     => TRUE,
    privilege    => 'connect',
    position     => null);
    COMMIT;
    END;
    Please execute this code after connect as sysdba user.
    Thanks & Regards,
    Jaydipsinh Raulji
    Web: www.oracleapexconsultant.com

  • HT3477 Why would a Guest network need an Access Control List?

    I have an Airport Extreme running software 7.6.4 and I have figured out today, to my dismay, that because I have an Access Control List active on my main network (with MAC addresses of my devices), the Guest Network feature, as implemented, becomes simply useless.
    Essentially any friend coming at my place, to whom I want to share my internet connection for a while (say, a couple of hours) with an easy password, either provides me with the MAC address of his device, or has no access at all. And if he has to give me the MAC, then I could just simply add him to the main network in the first place and, BTW, I need to give him also the (complicated) password of my main network.
    What is the purpose of a Guest Network then, if it is subject to the same access restrictions of the main one? I need to remove the access list on my main one, to offer quick and easy access to friends and family defeating the purpose of protecting my main network with MAC addresses and a separate guest network?
    I don't get it. This is a bug. It has to be. I see no logic in it, in the way it is implemented. Or it should have 2 separate access lists, for flexibility. But a *Guest* network, should be by definition open, or easy access (with password, sure, if necessary) - and in case it should have restricted access, it should be by time maybe, not by MAC address....!

    Why would a Guest Network need an Access Control List
    The short answer would be that it would not need an Access Control listing......if you used the default settings in Timed Access.
    Sorry, but I do not understand how you have constructed your Timed Access control list.
    Normally, you would use the default settings and leave the "main" (and "guest") networks set for Unlimited Access.....and then only list the devices that you want to limit separately, establishing "rules" and timeframes for each device that you want to control.
    When you do it the default way, a user would be able to connect to the Guest Network at any time, provided that he/she had the password for the guest network. No MAC Address needed at all.
    If you wanted to limit the time that the "guest" could connect to the guest network, you would have to set up a "rule" for the guest. I would not normally think of limiting the time that a guest could connect.....(unless the guest were one of the grandkids).
    It sounds to me as if you might have set the default network setting to No Access, and you have then set up each device with the times that they would be allowed to connect.
    If you did it this way, then the default No Access would also apply to the Guest Network....and any guest would have to then be set up by MAC Address with a rule set for the times that they were allowed to connect.
    Personally, I have changed the default rule for the "main" (and guest) networks from Unlimited Access to Everyday between 7:00 AM and 11:30 PM. So no one on either the main or guest network can connect before 7:00 AM or after 11:30 PM.
    Then, there are a few rules that I have for devices that connect to the guest network to further limit them to certain times each day. You could do this as well for devices that you want to control on the "main" network.

  • Access Control List Problem -won't let me in anymore?

    Whilst attempting to add a second Airport Express (AE2) to my network I believe I have changed some setting somewhere!!!
    I can see the new AE (AE2) in the menu bar as a separate network, not what I want - more importantly, when I select my network 'orchard' I now get the following message...
    "...Selected Network uses Access Control List to restrict Access etc...
    See Administrator for help - well I'm the Administrator!!!
    If I select other from the menu bar and then 'orchard' from that list
    Then enter the WEP p/w I get the same message as above.
    Any ideas please - all I wanted to do was add AE2 to enable iTunes to stream throughout the house - now I'm in a right old mess!!!
    thanks
    ianjh

    That message indicates that you have enabled the access control list on the AirPort Express (AX) and the computer you are trying to connect is not on that list.
    I suggest that you disable that list since it doesn't offer any real security. The MAC addresses are broadcast, easy to determine, and easy to clone.
    If you only want to use the AirPort Express (AX) for iTunes, reset the AX and then follow the directions in KB 302153, AirPort Express: How to join an existing wireless network in client mode.

  • How to remove old signed in devices from iCloud.

    How does one remove old signed apple devices from iCloud?  I erased devices, deleted backups, but they still show up.

    Hello Kalyan
    I raised an OSS note for this and below is the reply from SAP. Thanks for your support.
    Thank you for your query.
    To delete the old class there are 2 options available to you.
    1 )
    To delete the old class you have to remove the assignments of where
    it is used . Please access the old class in CL03 and then the menu
    path "Environment - Where used list"
    Once all assignments are removed you should be able to delete the class
    2)
    You could use a change number created in transaction CC01 to delete
    the class from the classification view.
    Please review note 166530 which explains about the deletion of
    classification data.
    Please refer to the online documentation at help.sap.com and the
    Classification section where it states :
    Once you have used engineering change management to process
    characteristics, characteristics of a class, or classifications, you
    must use engineering change management for all further changes.
    I hope the information is of help , please test carefully on a Non
    Productive system first
    Enda Fennelly
    Senior Support Consultant
    AGS Primary Support
    Global Support Center Ireland

  • HT203756 How can I remove 'old' or 'incomplete' backups from iCloud?

    How can I remove 'old' or 'incomplete' backups from iCloud? 
    When I attempted, the iPhone 6+ message asked if I wanted to remove ALL of the backups... without giving me the option of selecting the specific one I wanted to remove.
    I had performed 'backups' of my old iPhone, but, when I tried to RESTORE to the REPLACEMENT iPhone, at least one of the iCloud backups shows 'incomplete'.  There was no 'error' on the original iPhone...when it 'failed' to complete the backup.
    Now, I would like to 'clear up' the 'storage' on the iCloud, but am unable to select specific ones. I can either keep all instances or shut off iCloud Backup which would, according to the message, remove/delete ALL of the BACKUPS.
    This shouldn't be this difficult.....

    I too wondered how you remove apps from iCloud.  Judging by the quantity of questions, comments, suggestions and replies (some rather rude) there is a clear need for Apple to make their literature a lot clearer.  The page describing what iCloud backs up refers to "app data" as an item which is backed up.  To the uninitiated this might mean the app program but it seems not.  The app is "bought" via iTunes or the App Store and details of your purchase (free or otherwise) is held there separately on the server.
    It would be nice however to be able to remove the reference to junk I have downloaded and decided I don't want so that it doesn't appear on the purchased apps listing!  Apple please note this.
    It must be remembered that Apple products come pitifully supported by manuals "out of the box" on the assumption that it is so easy to use the product that no explanation is needed.  They forget that most buyers of Apple products (me included) don't know (and don't want to know) how they work, so when something is not obvious they are required to plough through Lord knows how many web pages of "knowledge base" material until they find an answer.
    All I can add is that it is worth spending time reading the multitude of discussion threads before asking the question yet again...

  • ORA-24247: network access denied by access control list (ACL)error-UTL_HTTP

    I am getting following ACL error while executing following procedure:
    create or replace procedure sat_proc as
    http_req utl_http.req;
    http_resp utl_http.resp;
    BEGIN
    http_req := utl_http.begin_request('www.yahoo.com');
    http_resp := utl_http.get_response(http_req);
    utl_http.end_response(http_resp);
    END;
    exec sat_proc;
    ORA-29273: HTTP request failed
    ORA-06512: at "SYS.UTL_HTTP", line 1130
    ORA-24247: network access denied by access control list (ACL)
    ORA-06512: at "TRANSDBA.SAT_PROC", line 5
    ORA-06512: at line 1
    I am able to execute successfully while executing above code as PL/SQL block:
    DECLARE
    http_req utl_http.req;
    http_resp utl_http.resp;
    BEGIN
    http_req := utl_http.begin_request('www.yahoo.com');
    http_resp := utl_http.get_response(http_req);
    utl_http.end_response(http_resp);
    END;
    PL/SQL procedure successfully completed.
    Could you help me find why I am getting an error while executing the same code in a procedure? Is there any privilege missing?

    GRANT EXECUTE ON SYS.UTL_HTTP TO <your_user>;
    SQL> set time on
    17:21:01 SQL> set role none;
    Role set.
    17:21:23 SQL> @utl_http.sql
    17:21:34 SQL> DECLARE
    17:21:34   2  http_req utl_http.req;
    17:21:34   3  http_resp utl_http.resp;
    17:21:34   4  BEGIN
    17:21:34   5  http_req := utl_http.begin_request('www.yahoo.com');
    17:21:34   6  http_resp := utl_http.get_response(http_req);
    17:21:34   7  utl_http.end_response(http_resp);
    17:21:34   8  END;
    17:21:34   9  /
    PL/SQL procedure successfully completed.
    17:21:35 SQL> connect / as sysdba
    Connected.
    17:22:47 SQL> connect dbadmin/admindb
    Connected.
    17:23:06 SQL> @utl_http.sql
    17:23:22 SQL> DECLARE
    17:23:22   2  http_req utl_http.req;
    17:23:22   3  http_resp utl_http.resp;
    17:23:22   4  BEGIN
    17:23:22   5  http_req := utl_http.begin_request('www.yahoo.com');
    17:23:22   6  http_resp := utl_http.get_response(http_req);
    17:23:22   7  utl_http.end_response(http_resp);
    17:23:22   8  END;
    17:23:22   9  /
    PL/SQL procedure successfully completed.
    17:23:23 SQL> set role none;
    Role set.
    17:23:29 SQL> @utl_http.sql
    17:23:31 SQL> DECLARE
    17:23:31   2  http_req utl_http.req;
    17:23:31   3  http_resp utl_http.resp;
    17:23:31   4  BEGIN
    17:23:31   5  http_req := utl_http.begin_request('www.yahoo.com');
    17:23:31   6  http_resp := utl_http.get_response(http_req);
    17:23:31   7  utl_http.end_response(http_resp);
    17:23:31   8  END;
    17:23:31   9  /
    DECLARE
    ERROR at line 1:
    ORA-29273: HTTP request failed
    ORA-06512: at "SYS.UTL_HTTP", line 1130
    ORA-24247: network access denied by access control list (ACL)
    ORA-06512: at line 5
    17:23:31 SQL>
    Above is from test user
    Below is from SYSDBA account
    SQL> set time on
    17:20:53 SQL> revoke execute on sys.utl_http to dbadmin;
    revoke execute on sys.utl_http to dbadmin
    ERROR at line 1:
    ORA-00905: missing keyword
    17:22:03 SQL> revoke execute on sys.utl_http from dbadmin;
    revoke execute on sys.utl_http from dbadmin
    ERROR at line 1:
    ORA-04020: deadlock detected while trying to lock object
    ACLiLZU+w09hR7gQAB/AQAjcw==
    17:22:32 SQL> /
    Revoke succeeded.
    17:22:52 SQL>
    Edited by: sb92075 on Jun 10, 2010 5:24 PM

  • Cannot remove the access control entry object on the object because the ACE isn't present

    Hello,
    I am very new to using Powershell and Exchange Management Shell, and have no prior experience using either of these tools. However, the software I am installing requires me to use the EMS tool in order to set certain permissions for a user in Exchange, which will be like the admin account.
    The command I am attempting to run follows as:
    Get-ExchangeServer | Remove-ADPermission -User $newusername -Deny -ExtendedRights Receive-As -Confirm:$False 
    This throws me an error saying:
    cannot remove the access control entry on the object because the ACE isn't present. I've done some research, and have found that this error is quite common, but the solutions do not apply to what I am specifically trying to accomplish. I am simply trying to remove the Receive-As permission for the admin user that I just created.
    Once again, I am very new to Exchange and Powershell, but if there is any advice anyone has, it would greatly appreciated.

    I ran this command, and a very long list was displayed, it looks like everything is there.
    The weird thing is that I was able to run a previous command which granted Receive-As access to the user I am creating: 
    Get-ExchangeServer | Add-ADPermission -User $newusername -accessrights GenericRead, GenericWrite -extendedrights Send-As, Receive-As, ms-Exch-Store-Admin -Confirm:$False 
    The description for the commands to run read to 'grant permissions and to revoke denies, if present'. I'm not sure what this means, but the second part of this pertains to the second command that I am having trouble with:
    Get-ExchangeServer | Remove-ADPermission -User $newusername -Deny -ExtendedRights Receive-As -Confirm:$False

  • Can't Add To Access Control List Airport Express

    We have both Airport Extreme (2) and Express Base Stations (3) to create a wireless network. On the Extremes I can click the Add button in Access Control in the Airport Admin Utility to add people to the list. On all the Express Base Stations I can edit or delete entries already on the list but can't add any new ones. I can export an Access Control List but not import one. The button is greyed out only the button works. I could add to the lists in the past and I'm not sure when it stopped working. The network structure and settings have not changed. Has anyone heard of this problem?
    Airport Express   Mac OS X (10.4.8)  

    WDS is used on two Express units to relay the signal from the main base station but not on third one which is connected directly to the network via ethernet.
    On the internet connected Express the Airport Network setting is:
    Wireless Mode: Create a Wireless Network (Home Router)
    All base stations have the same name to allow roaming.
    Internet is connected using Ethernet.

  • Designing a network with 6 base stations and an Access control lists

    I have 6 AirPort Extreme (802.11n) base stations set up in my studio.
    I'm a little concerned about security as they're all set up individually (wireless mode: Create a wireless network) with the same Network names (mystudio) and WPA/WPA2 personal password so my roaming users don't have to keep entering passwords / experience dropouts etc.
    I have lots of freelancers who are in and out of the studio and there isn't any way for me to monitor who is currently connected to my WiFi network.
    I'd like to set up a wireless network that only allows you to connect to the WiFi network if your MAC address is on the access control list.
    Is this possible with Apple AirPort Extreme base stations or would it be a better idea for me to invest in a 3rd party product?
    All the base stations are connected to an Ethernet point and have static IPs assigned to them.
    What's the best way to deploy such a solution; should I keep the settings as they are and manually enter the MAC address for 30 portable machines on each base station or is there a more pragmatic solution...
    Any help / input would be much appreciated.
    Thank You

    When employing Access Control in a roaming network configuration, the MAC addresses would be required to be entered at each of the base stations ... as there is no means (unfortunately) to have them "automatically" migrate amongst them.
    However, one important thing to note. Only wireless security, using WPA or WPA2, will actually secure the wireless network. MAC addresses can easily be spoofed. Someone, determined to do so, can still access your network ... even if secured by Access Control.

  • ERROR    does not support access control lists

    Please be patient ...
    guiengine: login in process.
    INFO       2004-07-19 16:33:45 [syxxcfile.cpp:346]
               CSyFileImpl::copy(iastring)
    Copying file C:/Program Files/sapinst_instdir/j2ee-sneak-preview/install/keydb.xml to: q0w9e9r8t7.1.xml.
    INFO       2004-07-19 16:33:45 [syxxcfile.cpp:446]
               CSyFileImpl::copy(iastring)
    Copying file C:/Program Files/sapinst_instdir/j2ee-sneak-preview/install/keydb.xml to: q0w9e9r8t7.1.xml.
    INFO       2004-07-19 16:33:45 [synxcnodut.cpp:339]
               CSyNodeUtils::createNodeWithType(iastring,bool,ISyNode::eNodeType,iastring)
    Creating file C:\Program Files\sapinst_instdir\j2ee-sneak-preview\install\q0w9e9r8t7.1.xml.
    INFO       2004-07-19 16:33:47 [syxxcfile.cpp:346]
               CSyFileImpl::copy(iastring)
    Copying file C:/Program Files/sapinst_instdir/j2ee-sneak-preview/install/keydb.xml to: C:/Program Files/sapinst_instdir/j2ee-sneak-preview/install/keydb.1.xml.
    INFO       2004-07-19 16:33:47 [syxxcfile.cpp:446]
               CSyFileImpl::copy(iastring)
    Copying file C:/Program Files/sapinst_instdir/j2ee-sneak-preview/install/keydb.xml to: C:/Program Files/sapinst_instdir/j2ee-sneak-preview/install/keydb.1.xml.
    INFO       2004-07-19 16:33:47 [synxcnodut.cpp:339]
               CSyNodeUtils::createNodeWithType(iastring,bool,ISyNode::eNodeType,iastring)
    Creating file C:\Program Files\sapinst_instdir\j2ee-sneak-preview\install\keydb.1.xml.
    INFO       2004-07-19 16:33:49 [ianxbusprv.cpp:337]
               CIaNtUserPrivileges::add_impl(., ASIAPACIFIC\chirutha, SeTcbPrivilege SeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege)
    Successfully added privileges 'SeTcbPrivilege SeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege' to account 'ASIAPACIFIC\chirutha' on host '.'.
    PHASE      2004-07-19 16:33:52 [iaxxcwalker.cpp:409]
               CDomWalker::printPhaseInfo()
    Prepare the installation program.
    INFO       2004-07-19 16:33:57 [iaxxcwalker.cpp:59]
               CDomWalker::walk()
    Installation start: Monday, 19 July 2004, 16:33:45; installation directory: C:\Program Files\sapinst_instdir\j2ee-sneak-preview\install; product to be installed: Sneak Preview Edition of SAP Web Application Server Java 6.40> Install SAP Web Application Server Java 6.40
    INFO       2004-07-19 16:34:03
               CJSlibModule::writeLogEntry()
    DNS is configured correctly.
    INFO[E]    2004-07-19 16:34:07 [synxcfsmgt.cpp:126]
               CSyFileSystemMgtImpl::getFSExport(iastring)
    File system export (share) saploc does not exist.
    INFO[E]    2004-07-19 16:34:23 [synxcuser.cpp:98]
               CSyUserImpl::CSyUserImpl(const CUserData&, bool)
    Account user="j2eadm" does not exist. <#1>
    INFO[E]    2004-07-19 16:34:27 [synxcfsmgt.cpp:126]
               CSyFileSystemMgtImpl::getFSExport(iastring)
    File system export (share) saploc does not exist.
    INFO       2004-07-19 16:34:28
               CJSlibModule::writeLogEntry()
    Looking for WebAS instances installed on this host...
    INFO       2004-07-19 16:34:28
               CJSlibModule::writeLogEntry()
    No installed instances found!
    WARNING[E] 2004-07-19 16:34:29 [syxxcnamrs.cpp:125]
               PSyServicesEntry CSyIPNameResolverImpl::getServiceByName(const iastring& serviceName, const iastring& protocol) const
    Error converting from service name=sapmsJ2E/protocol=tcp to port number. SAPRETURN=12
    WARNING[E] 2004-07-19 16:34:29 [syxxcnamrs.cpp:334]
               PSyServicesEntry CSyIPNameResolverImpl::getServiceByPort(const unsigned int portNumber, const iastring& protocol) const
    Error converting from port number=3601/protocol=tcp to service names. SAPRETURN=12
    INFO[E]    2004-07-19 16:34:33 [synxcuser.cpp:98]
               CSyUserImpl::CSyUserImpl(const CUserData&, bool)
    Account user="chiruthad1\j2eadm" does not exist. <#1>
    INFO[E]    2004-07-19 16:34:38 [synxcuser.cpp:98]
               CSyUserImpl::CSyUserImpl(const CUserData&, bool)
    Account user="chiruthad1\SAPServiceJ2E" does not exist. <#1>
    INFO       2004-07-19 16:34:38 [syxxcfile.cpp:346]
               CSyFileImpl::copy(iastring)
    Copying file C:/Program Files/SAPinst_WAS/J2EE-CD/JDKVersion.xml to: ..
    INFO       2004-07-19 16:34:38 [syxxcfile.cpp:446]
               CSyFileImpl::copy(iastring)
    Copying file C:/Program Files/SAPinst_WAS/J2EE-CD/JDKVersion.xml to: ..
    INFO       2004-07-19 16:34:38 [synxcnodut.cpp:339]
               CSyNodeUtils::createNodeWithType(iastring,bool,ISyNode::eNodeType,iastring)
    Creating file C:\Program Files\sapinst_instdir\j2ee-sneak-preview\install\JDKVersion.xml.
    INFO[E]    2004-07-19 16:34:38 [syxxccuren.hpp:192]
               CSyCurrentProcessEnvironmentImpl::getEnvironmentVariable(iastring)
    Unable to get value for environment variable JAVA_HOME.
    INFO       2004-07-19 16:34:39
               CJSlibModule::writeLogEntry()
    Execution of the command "C:/j2sdk1.4.2_04/bin/java.exe '-version'" finished with return code 0. Output: 1.4.2_04
    INFO       2004-07-19 16:34:40
               CJSlibModule::writeLogEntry()
    Execution of the command "C:/j2sdk1.4.2_03/bin/java.exe '-version'" finished with return code 0. Output: 1.4.2_03
    WARNING    2004-07-19 16:34:40
               CJSlibModule::writeLogEntry()
    Directory C:/WINNT is not a valid JDK directory: the java executable is missing.
    INFO       2004-07-19 16:34:40
               CJSlibModule::writeLogEntry()
    Found valid JAVA_HOME directory C:\j2sdk1.4.2_04 with JDK version 1.4.2_04.
    INFO       2004-07-19 16:34:40
               CJSlibModule::writeLogEntry()
    Execution of the command "C:\j2sdk1.4.2_04/bin/java.exe '-version'" finished with return code 0. Output: 1.4.2_04
    INFO[E]    2004-07-19 16:34:41 [syxxccuren.hpp:192]
               CSyCurrentProcessEnvironmentImpl::getEnvironmentVariable(iastring)
    Unable to get value for environment variable SAPINST_DEBUG_TRACE.
    INFO[E]    2004-07-19 16:34:46 [synxcfsmgt.cpp:126]
               CSyFileSystemMgtImpl::getFSExport(iastring)
    File system export (share) saploc does not exist.
    INFO[E]    2004-07-19 16:34:48 [synxcfsmgt.cpp:126]
               CSyFileSystemMgtImpl::getFSExport(iastring)
    File system export (share) saploc does not exist.
    INFO[E]    2004-07-19 16:35:09 [synxcfsmgt.cpp:126]
               CSyFileSystemMgtImpl::getFSExport(iastring)
    File system export (share) saploc does not exist.
    INFO       2004-07-19 16:35:22
               CJSlibModule::writeLogEntry()
    Execution of the command "C:\j2sdk1.4.2_04/bin/java.exe '-version'" finished with return code 0. Output: 1.4.2_04
    Transaction begin ********************************************************
    ERROR      2004-07-19 16:35:22
               CJSlibModule::writeLogEntry()
    The file system on drive C: does not support access control lists. Choose a different drive.
    Transaction end **********************************************************
    WARNING    2004-07-19 16:35:22 [iaxxccntrl.cpp:474]
               CController::stepExecuted()
    The step checkParameters with step key J2EE_Workplace|ind|ind|ind|WebAS|630|0|J2EE_EngineEnterpriseDefault|ind|ind|ind|WebAS|630|0|J2EE_Engine|ind|ind|ind|J2EE_Engine|630|0|checkParameters was executed with status ERROR.
    SAPinst component stack:
    ========================
      Preinstall|ind|ind|ind|ind|ind|0
    Current script:
    ===============
    if (context.getBool("installJ2EEEngine") && ! context.getBool('applyPatch')) {
      ASSERT(arguments.callee, context.get("JAVA_HOME"), "JAVA_HOME ist not set.");
      var jh = context.get("JAVA_HOME");
      var len = jh.length;
      if (jh.substr(len-1) == "/" || jh.substr(len-1) == "
        jh = jh.substr(0, len-1);
        context.set("JAVA_HOME", jh);
      var versions = Java.readVersionFile(installer.getCD("J2EE"));
      var version = Java.checkHome(jh, versions.minVersion, versions.maxVersion);
      if (!version) {
        installer.writeErrorWithArray(Java.errorMessage);
      } else if (Java.compareVersions(version, versions.maxVersion) != -1) {
        installer.writeWarningWithArray(Java.errorMessage);
    var drives = ["WindowsDrive", "DBDataDrive", "DBRedologDrive", "DBSoftwareDrive"];
    for (var i = 0; i < drives.length; ++i) {
      var drive = context.get(drives[i]);
      if (drive && ! check_drive(drive)) {
        installer.writeError("ind-rel.ind-os.ind-db.j2ee-eng.noFAT", drive);
    WARNING    2004-07-19 16:36:48 [iaxxcsihlp.hpp:183]
               main()
    An error occurred during the installation. 
    Exit status of child: 1

    Hi Stefan,
    Thanks.
    Regards,
    krishna

  • Another ORA-24247: network access denied by access control list (ACL)

    Hi
    We have just upgraded from 10g to 11g (DB version is 11.2.0.1.0), and I've had nothing but problems with ACL.
    I've tried:
    Creation code (as dba-user):
    begin
    DBMS_NETWORK_ACL_ADMIN.CREATE_ACL('netacl.xml',
    'Allow usage to the UTL network packages', 'ACLTEST', TRUE, 'connect');
    DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE('netacl.xml' ,'ACLTEST', TRUE, 'resolve');
    DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL('netacl.xml','*');
    commit;
    end;
    Execution code (as ACLTEST):
    declare
    l_conn UTL_TCP.connection;
    v_file ftp.TStringTable;
    l_list ftp.t_string_table;
    begin
    l_conn := ftp.Logind('DOMAIN', 21, 'USERNAME', 'PASSWORD');
    ftp.logout(l_conn);
    end;
    Error stack
    ORA-24247: network access denied by access control list (ACL)
    ORA-06512: at "SYS.UTL_TCP", line 17
    ORA-06512: at "SYS.UTL_TCP", line 246
    ORA-06512: at "COMMON.FTP", line 784
    ORA-06512: at line 7
    I've tried to add the domain in the ACL with the full port range, with no luck:
    begin
    DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL('netacl.xml','DOMAIN',1,65000);
    commit;
    end;

    Hi;
    First, what does the query below return?
    SELECT acl,
    principal,
    privilege,
    is_grant,
    to_char(start_date) ,
    to_char(end_date)
    FROM dba_network_acl_privileges;
    Regards
    Helios

  • ORA-24247: network access denied by access control list (ACL) using FTP

    What used to work on our 10g server now doesn't work on 11g. We recently migrated to a new server and this FTP download process is the only thing that is giving me problems.
    I have tried using the IP Address and Domain name, opened up the ports 10 to 80 (just in case) and even tried FTPing to a local FTP site and cannot seem to get past the ORA-24247 error. At this point I am not sure what else to try. The FTP process worked great in 10g...
    begin
    dbms_network_acl_admin.create_acl (
    acl => 'cwtoto_acl_file.xml',
    description => 'FTP Access',
    principal => 'CWT_OPERATOR',
    is_grant => TRUE,
    privilege => 'connect',
    start_date => null,
    end_date => null
    );
    dbms_network_acl_admin.add_privilege (
    acl => 'cwtoto_acl_file.xml',
    principal => 'CWT_OPERATOR',
    is_grant => TRUE,
    privilege => 'resolve',
    start_date => null,
    end_date => null
    );
    dbms_network_acl_admin.assign_acl (
    acl => 'cwtoto_acl_file.xml',
    host => '69.30.63.173',
    lower_port => 10,
    upper_port => 80
    );
    dbms_network_acl_admin.assign_acl (
    acl => 'cwtoto_acl_file.xml',
    host => 'ftp.rmpc.org',
    lower_port => 10,
    upper_port => 80
    );
    dbms_network_acl_admin.assign_acl (
    acl => 'cwtoto_acl_file.xml',
    host => 'ftp.taglab.org',
    lower_port => 10,
    upper_port => 80
    );
    dbms_network_acl_admin.assign_acl (
    acl => 'cwtoto_acl_file.xml',
    host => '146.63.252.61',
    lower_port => 10,
    upper_port => 80
    );
    commit;
    end;
    Edited by: tfrawley on Jan 20, 2011 10:23 AM

    So, I have contacted support to fix my inability to login to Oracle Support. In the meantime I'll just run through this problem one more time:
    I executed the following:
    begin
    dbms_network_acl_admin.create_acl (
    acl => 'cwtoto_acl_file.xml',
    description => 'FTP Access',
    principal => 'CWT_OPERATOR',
    is_grant => TRUE,
    privilege => 'connect',
    start_date => null,
    end_date => null
    );
    dbms_network_acl_admin.assign_acl (
    acl => 'cwtoto_acl_file.xml',
    host => 'ftp.rmpc.org',
    lower_port => 1,
    upper_port => 1000
    );
    commit;
    end;
    This should give me an ACL xml file and permission for CWT_OPERATOR to connect to ftp.rmpc.org on ports 1 through 1000.
    I can look and see if the creation was successful:
    SELECT host, lower_port, upper_port, acl FROM dba_network_acls t ;
         HOST          LOWER_PORT  UPPER_PORT  ACL
    1    ftp.rmpc.org  1           1000        /sys/acls/cwtoto_acl_file.xml
    Looks good right?
    So I test it using the following:
    DECLARE
    l_conn UTL_TCP.connection;
    BEGIN
    l_conn := ftp.login('ftp.rmpc.org','21','[email protected]','anonymous');
    ftp.logout( l_conn);
    END;
    And get the following errors:
    ORA-24247: network access denied by access control list (ACL)
    ORA-06512: at "SYS.UTL_TCP", line 17
    ORA-06512: at "SYS.UTL_TCP", line 246
    ORA-06512: at "SYSTEM.FTP", line 49
    ORA-06512: at line 4
    Has anyone else tried to use UTL_TCP and experienced a similar issue?
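
A diagnostic for the ORA-24247 cases in the two threads above, added here as an example and not taken from either post: it checks which ACL assignment covers the FTP control port and whether 'connect' is held by the session user or by the schema that owns the FTP package. The host, ACL file and principal come from the second thread; treating FTP as a definer's-rights package, so that the ACL check is made against its owner (SYSTEM in that error stack), is an assumption that query 2 tests.

```sql
-- Added diagnostic, not from the thread. Run as a DBA user.
-- Names taken from the posts: host ftp.rmpc.org, control port 21,
-- principal CWT_OPERATOR, and SYSTEM from the "SYSTEM.FTP" error frame.

-- 1. Which assignment covers host and port, and who holds 'connect' in it?
--    The most specific host match sorts first and is the one Oracle applies.
SELECT n.host,
       n.lower_port,
       n.upper_port,
       n.acl,
       u.principal,
       DECODE(DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE_ACLID(
                n.aclid, u.principal, 'connect'),
              1, 'GRANTED', 0, 'DENIED', 'NOT LISTED') AS connect_priv
FROM   dba_network_acls n
       CROSS JOIN (SELECT 'CWT_OPERATOR' AS principal FROM dual
                   UNION ALL
                   SELECT 'SYSTEM' FROM dual) u
WHERE  n.host IN (SELECT column_value
                  FROM   TABLE(DBMS_NETWORK_ACL_UTILITY.DOMAINS('ftp.rmpc.org')))
AND    21 BETWEEN NVL(n.lower_port, 21) AND NVL(n.upper_port, 21)
ORDER  BY DBMS_NETWORK_ACL_UTILITY.DOMAIN_LEVEL(n.host) DESC, u.principal;

-- 2. Does FTP run with its owner's rights (DEFINER) or the caller's
--    (CURRENT_USER)? This tests the assumption stated in the lead-in.
SELECT DISTINCT owner, object_name, authid
FROM   dba_procedures
WHERE  object_name = 'FTP'
AND    object_type = 'PACKAGE';

-- 3. Only if query 1 shows NOT LISTED for the owner and query 2 shows DEFINER:
--    add the owning schema to the existing ACL instead of widening the
--    host or port range.
BEGIN
  DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(
    acl       => 'cwtoto_acl_file.xml',
    principal => 'SYSTEM',
    is_grant  => TRUE,
    privilege => 'connect');
  COMMIT;
END;
/
```

For the first thread, substitute ACLTEST and COMMON (from its "COMMON.FTP" frame) for the two principals and netacl.xml for the ACL file.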
