Oracle RAC listener password protection

Dear Gurus,
We have a 2-node RAC setup (11gR2), and as part of hardening we wish to set a password for the listener.
Can someone please guide us on how we can set a password on a listener that is registered with CRS? What would be the impact, if any?
Also, there are two things which should be noted.
1) We are not using the SCAN feature.
2) The listener created should be owned by the oracle user, but all listeners are getting started by Grid.
Node 1 -
ps -ef | grep -i tns
root 125 2 0 Oct30 ? 00:00:00 [netns]
ora11g 35141 73510 0 12:50 pts/0 00:00:00 grep -i tns
grid 41763 1 0 Nov04 ? 00:00:05 /u01/app/11.2.0/grid/bin/tnslsnr LISTENER -inherit
grid 49634 1 0 Nov04 ? 00:00:05 /u01/app/ora11g/product/11.2.0/db_1/bin/tnslsnr LISTENER_REMCORP1 -inherit
Node 2 -
ps -ef | grep -i tns
root 125 2 0 Oct30 ? 00:00:00 [netns]
ora11g 33783 33742 0 12:50 pts/1 00:00:00 grep -i tns
grid 49817 1 0 Nov04 ? 00:00:05 /u01/app/11.2.0/grid/bin/tnslsnr LISTENER -inherit
grid 56446 1 0 Nov04 ? 00:00:05 /u01/app/ora11g/product/11.2.0/db_1/bin/tnslsnr LISTENER_REMCORP2 -inherit
Regards,
Nikhil Mehta.
Edited by: 905267 on Nov 6, 2012 1:13 AM

Thanks for your reply Vlethakula.
When firing the command from the GRID/ASM home, it says service not available, whereas status is available from the oracle home. While stopping the listener from the oracle home, it gives a TNS-01190 error.
remedy-ebu-db1*+ASM1:/home/grid>lsnrctl
LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 06-NOV-2012 18:20:00
Copyright (c) 1991, 2011, Oracle. All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL> set current_listener LISTENER_REMCORP1
Current Listener is LISTENER_REMCORP1
LSNRCTL> stop LISTENER_REMCORP1
TNS-01101: Could not find service name
LSNRCTL> stop LISTENER_REMCORP1
TNS-01101: Could not find service name
LSNRCTL> status
TNS-01101: Could not find service name
LSNRCTL> exit
remedy-ebu-db1*+ASM1:/home/grid>su - ora11
su: user ora11 does not exist
remedy-ebu-db1*+ASM1:/home/grid>su - ora11g
Password:
remedy-ebu-db1*REMCORP1:/home/ora11g>lsnrctl
LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 07-NOV-2012 09:18:52
Copyright (c) 1991, 2011, Oracle. All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL> set current_listener LISTENER_REMCORP1
Current Listener is LISTENER_REMCORP1
LSNRCTL> status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=remedy-vip-ebu-db1)(PORT=1526)(IP=FIRST)))
STATUS of the LISTENER
Alias LISTENER_REMCORP1
Version TNSLSNR for Linux: Version 11.2.0.3.0 - Production
Start Date 04-NOV-2012 14:56:49
Uptime 2 days 18 hr. 22 min. 17 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File /u01/app/ora11g/product/11.2.0/db_1/network/admin/listener.ora
Listener Log File /u01/app/ora11g/product/11.2.0/db_1/log/diag/tnslsnr/remedy-ebu-db1/listener_remcorp1/alert/log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=121.244.255.54)(PORT=1526)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=121.244.255.50)(PORT=1526)))
Services Summary...
Service "REMCORP" has 2 instance(s).
Instance "REMCORP1", status READY, has 1 handler(s) for this service...
Instance "REMCORP2", status READY, has 1 handler(s) for this service...
Service "REMCORPXDB" has 2 instance(s).
Instance "REMCORP1", status READY, has 1 handler(s) for this service...
Instance "REMCORP2", status READY, has 1 handler(s) for this service...
The command completed successfully
LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=remedy-vip-ebu-db1)(PORT=1526)(IP=FIRST)))
TNS-01190: The user is not authorized to execute the requested listener command
LSNRCTL>
Regards,
Nikhil Mehta.

Similar Messages

  • Oracle RAC listener password

    Hi Guys,
    We have a 2-node RAC setup on Oracle 10g (10.2.0.4) and we wish to set a password on the listener which is registered with CRS.
    Can someone please guide us on how we can set a password on a listener that's registered with CRS?
    What would be the impact if any....
    Help is appreciated.
    Regards,
    Milan

    http://docs.oracle.com/cd/B19306_01/network.102/b14213/lsnrctl.htm#CIHEFEDH
    Just FYI, from 10g by default we have
    lsnrctl status
    Alias                     LISTENER
    Version                   TNSLSNR for Solaris: Version 11.2.0.3.0 - Production
    Start Date                29-MAR-2012 12:11:31
    Uptime                    5 days 0 hr. 46 min. 19 sec
    Trace Level               off
    Security                  ON: Local OS Authentication     <<--------------see this
    SNMP                      OFF

  • Oracle TNS Listener password

    Where do I specify the tns listener password in CF MX. I have
    added a password to the oracle TNS listener service. I need to get
    MX to pass this password to the oracle server. Is there a place to
    do this.
    cfk

    Here is what I was given from our security group here at
    USDOJ:
    We are using 9i,
    Server Product ColdFusion MX
    Version 7,0,2,142559
    Edition Enterprise
    Serial Number
    Operating System Windows 2003
    OS Version 5.2
    Description:
    An Oracle TNS Listener has been detected on the host with
    login security disabled (SECURITY=OFF).
    Observation:
    Oracle is an enterprise level database which is available on
    many different platforms.
    A configuration vulnerability exists within the Oracle TNS
    Listener which allows remote unauthenticated access. The TNS
    Listener accepts a client's request and establishes a TNS
    (Transparent Network Substrate) data connection between the client
    and the service. A TNS connection allows clients and servers to
    communicate over a network via a common API, regardless of the
    network protocol used on either end (TCP/IP, IPX, etc). A default
    installation of the TNS listens on TCP port 1521.
    Vulnerable Systems:
    Oracle 8i
    Oracle 9i
    Recommendation:
    It is recommended to only allow certain IP's or subnet ranges
    to access the TNS listener. This can be done by adding a rule in
    the firewall. We also recommend that you enable a password for the
    TNS listener within Oracle

  • Setting an Oracle TNS Listener password

    I'm trying to enable a TNS Listener password on a database that I am monitoring through UNIX.
    I have tried set current_listener, but lsnrctl only recognizes the listener on my machine.
    Do I have to find the machine (remotely or not) where the listener is configured?
    Each time I try, I get the TNS-01101 error: could not find service name
    (I have already done this successfully on my own machine, but I have to do the same for one of the databases in our firm)
    Thanks.
    Message was edited by:
    Dan A

    This error means that the service name could not be resolved by name-lookup. Verify the listener.ora is properly configured, check the name and address defined either in listener.ora or in the tnsnames.ora file.
    I suggest this reference: Configuring Password Listener Authentication
    ~ Madrid

  • Advice on Oracle RAC Listener Set up

    Hi Forum
    I am installing two databases on a 2 node RAC environment.
    We have the SCAN setup which is listening on port 1521
    I want the two databases I create to have separate listener ports
    i.e.
    database1 to listen on port 1531
    database2 to listen on port 1532
    We are using GRID 11.2.0.3 and same for databases
    Is there a best practice / process that I can follow to do this?
    Thanks in advance.

    The best practice is to have a common SCAN listener (since it already has redundancy), and you are free to choose a local port for each database or share the same port (default configuration). You can always change the ports even after default installation, so nothing to worry about here. Just make sure to decide on SCAN early before giving it out to users, since anything after SCAN is transparent to users but the SCAN port must be advised in advance.
    Regards
    Tushar

  • Setting up Listener Password for Oracle 9.2.0.7

    I am looking for information on configuration needed for "stopsap"  when password is set  up for the 9i listener.

    Hi Inho,
    When a listener password is set, you don't need a special configuration to start/stop sap.
    The password is to protect the listener operation, not the connection to it.
    It's started with the ora<sid> user before the sap instance starts, and stopped after it stops.
    Regards,
    JC Llanes.

  • Oracle listener password

    Hi,
    I have set password for listener in 9i database (9.2.0.8).
    Password is prompted during stopping the listener but not during starting the listener. Below are the steps followed to set password for the listener,
    LSNRCTL>set cur LIST_TESTDB
    LSNRCTL>change_password
    LSNRCTL>set password
    LSNRCTL>save_config
    $lsnrctl stop LIST_TESTDB
    TNS-01169: The listener has not recognized the password.
    LSNRCTL>set cur LIST_TESTDB
    LSNRCTL>stop
    (the listener stops successfully)
    $lsnrctl start LIST_TESTDB
    (the listener gets started successfully).
    How to enable the password protection during starting the listener.
    Regards.

    I have set password for listener in 9i database (9.2.0.8).
    Password is prompted during stopping the listener but not during starting the listener. Below are the steps followed to set password for the listener,
    Password is not required to start the listener even if it is set. Except for start, you need to enter/set the password for all other listener administration.

  • Adding Standalone listener Oracle RAC

    Dear Experts
    We have Oracle RAC set up in our organization; now we also need to do streaming between our RAC server and another Oracle server for public reports. We installed another network interface card on one of our Oracle RAC servers and connected it directly to the other server, but we are not able to add a listener for that interface. I manually entered the listener configuration in "listener.ora" and also added it in CRS using "srvctl add listener". Srvctl starts the listener properly, but when I check the status of the listener using "lsnrctl status <listener_name>", it shows that the listener does not support any services.
    Your help will really be appreciated.

    Dear P
    Thanks for the prompt reply. My listener for RAC is working fine, but the standalone listener for one node on a specific interface is not working. However, I have added the listener using the "srvctl add listener" command and it also starts successfully, but it does not support any service. See below the output of lsnrctl status.
    [oracle@mangla ~]$ lsnrctl status listener_mangla_priv2
    LSNRCTL for Linux: Version 11.1.0.6.0 - Production on 08-OCT-2010 13:01:35
    Copyright (c) 1991, 2007, Oracle. All rights reserved.
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=mangla-priv2)(PORT=1522)))
    STATUS of the LISTENER
    Alias listener_mangla_priv2
    Version TNSLSNR for Linux: Version 11.1.0.6.0 - Production
    Start Date 08-OCT-2010 12:35:54
    Uptime 0 days 0 hr. 25 min. 41 sec
    Trace Level off
    Security ON: Local OS Authentication
    SNMP OFF
    Listener Parameter File /u01/app/oracle/product/network/admin/listener.ora
    Listener Log File /u01/app/oracle/diag/tnslsnr/mangla/listener_mangla_priv2/alert/log.xml
    Listening Endpoints Summary...
    (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.10.10.1)(PORT=1522)))
    The listener supports no services
    The command completed successfully
    [oracle@mangla ~]$ lsnrctl status listener_mangla
    LSNRCTL for Linux: Version 11.1.0.6.0 - Production on 08-OCT-2010 13:03:07
    Copyright (c) 1991, 2007, Oracle. All rights reserved.
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=mangla-vip)(PORT=1521)(IP=FIRST)))
    STATUS of the LISTENER
    Alias LISTENER_MANGLA
    Version TNSLSNR for Linux: Version 11.1.0.6.0 - Production
    Start Date 08-OCT-2010 08:14:41
    Uptime 0 days 4 hr. 48 min. 26 sec
    Trace Level off
    Security ON: Local OS Authentication
    SNMP OFF
    Listener Parameter File /u01/app/oracle/product/network/admin/listener.ora
    Listener Log File /u01/app/oracle/diag/tnslsnr/mangla/listener_mangla/alert/log.xml
    Listening Endpoints Summary...
    (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=172.16.0.11)(PORT=1521)))
    (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=172.16.0.211)(PORT=1521)))
    Services Summary...
    Service "SYS$STRMADMIN.STREAMS_CAPTURE_CB_Q.PCBA" has 1 instance(s).
    Instance "pcba1", status READY, has 1 handler(s) for this service...
    Service "SYS$STRMADMIN.STREAMS_CAPTURE_GLB_Q.PCBA" has 1 instance(s).
    Instance "pcba1", status READY, has 1 handler(s) for this service...
    Service "SYS$STRMADMIN.STREAMS_CAPTURE_Q.PCBA" has 1 instance(s).
    Instance "pcba1", status READY, has 1 handler(s) for this service...
    Service "pcba" has 2 instance(s).
    Instance "pcba1", status READY, has 1 handler(s) for this service...
    Instance "pcba2", status READY, has 2 handler(s) for this service...
    Service "pcbaXDB" has 2 instance(s).
    Instance "pcba1", status READY, has 1 handler(s) for this service...
    Instance "pcba2", status READY, has 1 handler(s) for this service...
    Service "pcba_XPT" has 2 instance(s).
    Instance "pcba1", status READY, has 1 handler(s) for this service...
    Instance "pcba2", status READY, has 2 handler(s) for this service...
    The command completed successfully
    [oracle@mangla ~]$ crs_stat -t
    Name Type Target State Host
    ora....LA.lsnr application ONLINE ONLINE mangla
    ora.mangla.gsd application    ONLINE    ONLINE    mangla
    ora....v2.lsnr application    ONLINE    ONLINE    mangla
    ora.mangla.ons application ONLINE ONLINE mangla
    ora.mangla.vip application ONLINE ONLINE mangla
    ora.pcba.db application ONLINE ONLINE mangla
    ora....a1.inst application ONLINE ONLINE tarbela
    ora....a2.inst application ONLINE ONLINE mangla
    ora....LA.lsnr application ONLINE ONLINE tarbela
    ora....ela.gsd application ONLINE ONLINE tarbela
    ora....ela.ons application ONLINE ONLINE tarbela
    ora....ela.vip application ONLINE ONLINE tarbela

  • Check the listener is password protected and admin restrictions on from OEM

    Hi All,
    Is there any way to check that the listener is password protected and admin restrictions are on from OEM?
    Thanks,
    Mahi

    mrak wrote:
    hi,
    if you try to run,
    lsnrctl status and get the error :
    TNS-01169: The listener has not recognized the password
    then it shows that the listener is protected.
    to proceed, issue:
    LSNRCTL> set password
    Password: <your password>
    you should be able to run lsnrctl status after this
    br,
    mrak
    But beware that starting with 10g, the listener uses the same OS authentication as sqlplus, so if your OS account is a member of the dba group, you will be able to run lsnrctl without supplying a password, even if the listener is password protected. So while the above error is proof of password protection, lack of the above error is not necessarily proof of non-password protection.
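
The check discussed in this thread, as an added example that is not part of the original posts: instead of inferring protection from whether TNS-01169 appears, read the Security line of `lsnrctl status` and the PASSWORDS_ and ADMIN_RESTRICTIONS_ entries in listener.ora. The sample inputs are constructed, the function names are hypothetical, and the wording of a Security line for a listener with a password set is an assumption.

```python
import re

# Constructed sample inputs, laid out like the lsnrctl status output and the
# PASSWORDS_ line quoted on this page. The hash is a placeholder value.
STATUS_11G = """\
Alias                     LISTENER_REMCORP1
Security                  ON: Local OS Authentication
SNMP                      OFF
"""
STATUS_8I = """\
Alias                     LISTENER
Security                  OFF
"""
LISTENER_ORA = """\
# constructed example file
LISTENER =
  (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=dbhost)(PORT=1521)))
#----ADDED BY TNSLSNR 30-SEP-2009 15:41:13---
PASSWORDS_LISTENER = 0000000000000000
ADMIN_RESTRICTIONS_LISTENER = ON
"""


def parse_status(text):
    """Pull the alias and the Security line out of `lsnrctl status` output."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(Alias|Security)\s*:?\s+(.*\S)", line, re.I)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    sec = fields.get("security", "").lower()
    return {
        "alias": fields.get("alias"),
        "security_on": sec.startswith("on"),
        # Assumption: a listener with a password set names it on this line.
        "password": "password" in sec,
        "local_os_auth": "local os authentication" in sec,
    }


def ora_param(ora_text, param, listener):
    """Return the value of <param>_<listener> in listener.ora text, or None."""
    pat = rf"\s*{re.escape(param)}_{re.escape(listener)}\s*=\s*(.*?)\s*$"
    for line in ora_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # skip comments, including the TNSLSNR save_config marker
        m = re.match(pat, line, re.I)
        if m:
            return m.group(1)
    return None


def audit_listener(status_text, ora_text):
    """Combine the running listener's status with its parameter file."""
    st = parse_status(status_text)
    name = st["alias"] or "LISTENER"
    admin = ora_param(ora_text, "ADMIN_RESTRICTIONS", name) or ""
    return {
        "listener": name,
        "security_on": st["security_on"],
        "password_running": st["password"],
        "password_in_file": bool(ora_param(ora_text, "PASSWORDS", name)),
        "local_os_auth": st["local_os_auth"],
        "admin_restrictions": admin.upper() == "ON",
    }


def evidence_from_error(lsnrctl_output):
    """Classify what a single lsnrctl command result proves about protection."""
    if "TNS-01169" in lsnrctl_output:
        return "password_protected"  # listener did not recognize the password
    if "TNS-01190" in lsnrctl_output:
        return "os_auth_denied"      # this OS user is not authorized
    # No error proves nothing: a locally authenticated OS account may pass
    # without supplying a password, as the reply above points out.
    return "inconclusive"


if __name__ == "__main__":
    for status in (STATUS_11G, STATUS_8I):
        print(audit_listener(status, LISTENER_ORA))
    print(evidence_from_error("The command completed successfully"))
```

A listener whose file carries a PASSWORDS_ entry while the running status reports Security OFF, as in the second sample, is worth a closer look: the running listener and the file on disk disagree.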

  • Trying to change Oracle listener port 1521 to nodefault port on Oracle RAC

    Could somebody please help me in the process of changing the Oracle listener port 1521 to a non-default port on an Oracle RAC environment. I am total of four instance.
    Regards.

    Please read carefully about LOCAL_LISTENER parameter, you shouldn't put there just hostname....
    Another way to do so - statically register database SID in listener. You should do it in listener.ora file, please read carefully documentation, otherwise you can use netca utility - it could make configuration for you properly.

  • Setting listener password in oracle 8i

    i have some very old windows databases that are 8.1.0.7. I am not able to upgrade these.
    I am trying to set a password.
    1. go to command line
    2. lsnrctl
    3. set password <password>
    LSNRCTL> set password l1stener1$
    The command completed successfully
    LSNRCTL> save_config
    Connecting to (DESCRIPTION=(ADDRESS=(
    21)))
    No changes to save for LISTENER.
    The command completed successfully
    LSNRCTL>
    Why does it say nothing to save?
    3. When I type status
    I get: Security: off
    How do I verify that there is a password? I can't turn the listener off. It's a production database.
    When I look in my listener.ora file, it does not appear to be getting updated with a password?
    Edited by: Guess2 on Sep 30, 2009 12:20 PM

    First: Always test in a test environment before doing it in production.
    Next: If you are very brief, you can stop and restart the listener without interrupting service.
    The only people who might be affected would be someone who happened to be attempting to connect at the split second your listener is down. Otherwise, existing connections should not be impacted. But, do NOT do this in production (never, ever, ever). Got it?
    Finally, if you have set the password, changed the password, and saved your configuration, you should be able to look into your listener.ora file and see the password setting. It should look something like:
    #----ADDED BY TNSLSNR 30-SEP-2009 15:41:13---
    PASSWORDS_LISTENER = 9BD20802761D432E
    There are numerous sites discussing listener passwords.
    Do a search on "lsnrctl set password"
    Hope that helps...
    ji li

  • How connect to oracle RAC via the RSG using port forwarding

    Hi all,
    I got a problem trying to connect to oracle RAC via the RSG using port forwarding .
    On the command line I use the following to connect:
    sqlplus 'username/password@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=tcp)(HOST=firstRACnode)(PORT=1521))(ADDRESS=(PROTOCOL=tcp)(HOST=secondRACnode)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=MSDP)))'
    but when using port forwarding I forward port 1521 to a local port and make an ssh connection to the DB node (as normal with other nodes, but not RAC), but it never works for me in this situation.
    Can anyone give me some help if there are any changes that should be done on the server side, or if anyone has faced such a problem and found a solution?
    Thanks,
    Prathap.

    782011 wrote:
    I got a problem trying to connect to oracle RAC via the RSG using port forwarding .
    On the command line I use the following to connect:
    sqlplus 'username/password@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=tcp)(HOST=firstRACnode)(PORT=1521))(ADDRESS=(PROTOCOL=tcp)(HOST=secondRACnode)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=MSDP)))'
    Not exactly sure what you are attempting, but if you are doing port forwarding via ssh, the basic approach is as follows:
    Step 1
    Create a ssh tunnel from local machine to remote db server. Forward any local port (should not be a well known port or a port in the private/dynamic port range) to connect to the database server's listener port. If the ssh tunnel is into the db server itself, the connection (port forwarding) can be on localhost (as the Listener should be listening on it). Alternatively use a public IP of that db server.
    Example (using OpenSSH on Ubuntu 9.4):
    Local server port 1527 tunneled to port 1521 on database server 192.168.0.100 using o/s account johnd (we connect to port 1521 on db server via 127.0.0.1):
    ssh -X -f -N -o ServerAliveInterval=3 -L 1527:127.0.0.1:1521 johnd@192.168.0.100
    Step 2
    Run sqlplus and connect to the local forwarded port on localhost, using the applicable connection settings (e.g. SID/Service Name, etc.).
    sqlplus scott/tiger@"(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=127.0.0.1)(PORT=1527)) (CONNECT_DATA=(SID=orcl) (SERVER=dedicated)))"
    Note that the Listener must not hand our connection off - as the case would be when using RAC for example and connecting via a Service Name and not a SID. We need the Listener that accepts our connection to immediately hand us over to the database instance (via either a dedicated server or a shared server dispatcher process).

  • Solaris x86 with Oracle RAC 10g Enterprise Edition Release 10.2.0.3.0

    Hello,
    Maybe you can help me (new on RMAN backup) in doing this.
    I have configured a single Oracle 10g database to have backup with RMAN with following steps:
    1. $ mkdir $ORACLE_BASE/rman_scripts
    2. $ mkdir $ORACLE_BASE/logs
    3. $ mkdir $ORACLE_BASE/tracking
    4. $ mkdir $ORACLE_BASE/c_backup
    5. $ sqlplus sys/<password> as sysdba
    6. SQL> alter system set db_recovery_file_dest_size = 50G scope=both;
    7. SQL> alter system set db_recovery_file_dest='${ORACLE_BASE}/flash_recovery_area' scope=both;
    8. SQL> alter system set log_archive_dest_10='location=use_db_recovery_file_dest';
    9. SQL> shutdown immediate
    10. SQL> startup nomount
    11. SQL> alter database archivelog;
    12. SQL> alter database open;
    13. SQL> alter database enable block change tracking using file '${ORACLE_BASE}/tracking/rman_change_track.f';
    14. $ rman target /
    15. RMAN> CONFIGURE CONTROLFILE AUTOBACKUP FORMAT FOR DEVICE TYPE DISK
    TO '/var/opt/oracle/flash_recovery_area/ORCL/c_backup/%F';
    16. RMAN> CONFIGURE CONTROLFILE AUTOBACKUP ON;
    17. RMAN> CONFIGURE BACKUP OPTIMIZATION ON;
    18. RMAN> CONFIGURE RETENTION POLICY TO RECOVERY WINDOW OF 7 DAYS;
    19. RMAN> exit
    I need to configure incremental backup with RMAN on a two node Solaris x86 with Oracle RAC 10g Enterprise Edition Release 10.2.0.3.0 installation.
    We also use ASM to store database files, and have Oracle software installed on separate file systems (two Oracle roots for Node1 and Node2).
    I have following questions:
    1) where to put Flash Recovery Area (FRA)?
    I saw recommendations to put FRA on the ASM, is this the best way to do it?
    2) Can I put FRA on another file system (not on the ASM) which is available only from Node1? This way I can save space on the ASM.
    3) Is it possible/recommended to run RMAN from Node1 only?
    Below is the script used to run RMAN on the normal Oracle database (without RAC) which I need to change :
    =============================================================================================
    2.0 Oracle backup script: /opt/app/oracle/rman_scripts/backup.sh
    Use this for daily backups, possibly as a cron job.
    Once a week run this: /opt/app/oracle/rman_scripts/backup.sh FULL
    All other days of the week: /opt/app/oracle/rman_scripts/backup.sh INCREMENTAL
    Note: You may have to change ORACLE_SID, ORACLE_BASE below to match your database.
    =============================================================================================
    #!/usr/bin/ksh
    # Daily RMAN backup: pass FULL or INCREMENTAL as the only argument.
    ORACLE_SID=orcl
    ORACLE_BASE=/opt/app/oracle
    ORACLE_HOME=${ORACLE_BASE}/product/10.2.0/db_1
    PATH=${ORACLE_HOME}/bin:/usr/bin
    # rman reads ORACLE_SID and ORACLE_HOME from its environment (needed under cron)
    export ORACLE_SID ORACLE_BASE ORACLE_HOME PATH
    LOGDIR=${ORACLE_BASE}/logs
    LOGFILE=${LOGDIR}/rman.log
    # Numeric test on the argument count; exit non-zero on misuse
    if [[ $# -lt 1 ]]
    then
        echo "usage: backup.sh FULL|INCREMENTAL"
        exit 1
    fi
    BACKUPTYPE=${1}
    full='FULL'
    incremental='INCREMENTAL'
    if [[ $BACKUPTYPE == $full ]]
    then
    $ORACLE_HOME/bin/rman target / nocatalog log ${LOGFILE} append << eof
    run {
    backup database;
    SQL 'alter system archive log current';
    backup archivelog all;
    delete noprompt obsolete;
    }
    exit;
    eof
    echo ''
    fi
    if [[ $BACKUPTYPE == $incremental ]]
    then
    $ORACLE_HOME/bin/rman target / nocatalog log ${LOGFILE} append << eof
    run {
    backup database;
    backup incremental level 1 database;
    SQL 'alter system archive log current';
    backup archivelog all;
    delete noprompt obsolete;
    }
    exit;
    eof
    echo ''
    fi

    Hi [email protected],
    Q1) where to put Flash Recovery Area (FRA)?
    A1) With RAC: on the shared storage
    I saw recommendations to put FRA on the ASM, is this the best way to do it?
    If you want your backups to be available for both nodes you have to use shared storage or tape using an mml library.
    So if you want to use the FRA for rman backups and the database is on ASM just make ASM the standard for the FRA as well.
    Q2) Can I put FRA on another file system (not on the ASM) which is available only from Node1? This way I can save space on the ASM.
    A2) Then you cannot recover in case Node1 is down. Best would be to send your storage admin to a training course so he can manage the clustered raw devices needed for ASM.
    Q3) Is it possible/recommended to run RMAN from Node1 only?
    A3) No, see A2.
    Regards,
    Tycho

  • Listener password - good or bad idea?

    Hello
    We have recently been audited on one of our Oracle databases (10.2.0.4). One of the recommendations is that we apply a password to our Listener.
    I’ve looked at some of the Oracle documentation & checked a few references on the web. What I’m picking up is contradictory. One site (http://andrewfraserdba.com/2007/05/24/listener-passwords-always-for-9i-never-for-10g/) explicitly says do not set a password for Listener in Oracle 10 (unless you need to) because it makes the system less secure. This is also my reading of Metalink 260986.1 (“In Oracle 10g and newer versions of the listener, the listener is secure out of the box. There should be no need to set a listener password to prohibit privileged LSNRCTL commands from being executed.”)
    On the other hand the Oracle 10g security guide does explicitly say that a password should be applied (“Protect the listener with a password" p. 2-7). Though it doesn’t go into detail on this point.
    Does anyone have any comment on this – I prefer not to apply a password as long as the system remains secure mainly because it’s just another thing to manage.
    Any advice appreciated.
    Chris

    That portion of the 10g guide wasn't updated as it should have been.
    You could log an SR with Oracle Support. I am sure that they will refer you to the Notes already mentioned.
    The 11gR2 guide doesn't have such a statement. The 11gR2 Net Services Administrator's guide even goes on to say that a listener password is deprecated.
    Hemant K Chitale

  • Listener passwords

    In
    http://www.petefinnigan.com/weblog/archives/00000639.htm
    Pete is worried about listeners with no passwords.
    Why can't the XE install script set a password for the listener?

    While I generally agree with Pete, at this time I have two reactions:
    1) Look at the number of listener problems we have in the beta. Do we need the added complexity right now?
    2) The password is not for accessing the listener, but for accessing the listener control facility with which you make configuration changes. It seems to be designed for protection in remote administration environments.
    I have often wondered how critical the listener password is in an XE environment, when appropriate lsnrctl usage (at least in Linux) can be controlled by ACL. For example - on my system, without a password a non-DBA user would see:
    pops@fuzzy:~> lsnrctl stop
    LSNRCTL for Linux: Version 10.2.0.1.0 - Beta on 20-NOV-2005 07:36:33
    Copyright (c) 1991, 2005, Oracle. All rights reserved.
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=fuzzy)(PORT=1521)))
    TNS-01190: The user is not authorized to execute the requested listener command
