7 Replies. Latest reply: Nov 7, 2012 8:13 AM by user2966648

    Oracle RAC listener password protection

    LANCERIQUE
      Dear Gurus,

      We have 2 node RAC setup 11gR2 and as a part of hardening we wish to set password for listener.
      Can someone please guide how we can set a password on a listener that is registered with CRS? What would be the impact, if any?

      Also, there are two things which should be noted.

      1) We are not using SCAN feature.
      2) The listeners created should be owned by the oracle user, but all listeners are getting started by Grid.

      Node 1 -

      ps -ef | grep -i tns
      root 125 2 0 Oct30 ? 00:00:00 [netns]
      ora11g 35141 73510 0 12:50 pts/0 00:00:00 grep -i tns
      grid 41763 1 0 Nov04 ? 00:00:05 /u01/app/11.2.0/grid/bin/tnslsnr LISTENER -inherit
      grid 49634 1 0 Nov04 ? 00:00:05 /u01/app/ora11g/product/11.2.0/db_1/bin/tnslsnr LISTENER_REMCORP1 -inherit


      Node 2 -
      ps -ef | grep -i tns
      root 125 2 0 Oct30 ? 00:00:00 [netns]
      ora11g 33783 33742 0 12:50 pts/1 00:00:00 grep -i tns
      grid 49817 1 0 Nov04 ? 00:00:05 /u01/app/11.2.0/grid/bin/tnslsnr LISTENER -inherit
      grid 56446 1 0 Nov04 ? 00:00:05 /u01/app/ora11g/product/11.2.0/db_1/bin/tnslsnr LISTENER_REMCORP2 -inherit


      Regards,
      Nikhil Mehta.

      Edited by: 905267 on Nov 6, 2012 1:13 AM
        • 1. Re: Oracle RAC listener password protection
          LANCERIQUE
          Gurus,

          Could someone please help me on this?

          Regards,
          Nikhil Mehta.
          • 2. Re: Oracle RAC listener password protection
            vlethakula
            From 10g onwards, the listener is protected through OS authentication.

            lsnrctl status


            STATUS of the LISTENER
            ------------------------
            Alias LISTENER
            Version TNSLSNR for Linux: Version 11.2.0.3.0 - Production
            Start Date 11-AUG-2012 16:47:40
            Uptime 86 days 16 hr. 49 min. 59 sec
            Trace Level off
            Security ON: Local OS Authentication
            SNMP OFF


            And the best practice is to start the LISTENER from the ASM (clusterware) home.
            • 3. Re: Oracle RAC listener password protection
              LANCERIQUE
              Thanks for your reply Vlethakula.

              When firing the command from the GRID/ASM home, it says service not available, whereas status is available from the oracle home. While stopping the listener from the oracle home it gives a TNS-01190 error.

              remedy-ebu-db1*+ASM1:/home/grid>lsnrctl

              LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 06-NOV-2012 18:20:00

              Copyright (c) 1991, 2011, Oracle. All rights reserved.

              Welcome to LSNRCTL, type "help" for information.

              LSNRCTL> set current_listener LISTENER_REMCORP1
              Current Listener is LISTENER_REMCORP1
              LSNRCTL> stop LISTENER_REMCORP1
              TNS-01101: Could not find service name


              LSNRCTL> stop LISTENER_REMCORP1
              TNS-01101: Could not find service name
              LSNRCTL> status
              TNS-01101: Could not find service name
              LSNRCTL> exit
              remedy-ebu-db1*+ASM1:/home/grid>su - ora11
              su: user ora11 does not exist
              remedy-ebu-db1*+ASM1:/home/grid>su - ora11g
              Password:
              remedy-ebu-db1*REMCORP1:/home/ora11g>lsnrctl

              LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 07-NOV-2012 09:18:52

              Copyright (c) 1991, 2011, Oracle. All rights reserved.

              Welcome to LSNRCTL, type "help" for information.

              LSNRCTL> set current_listener LISTENER_REMCORP1
              Current Listener is LISTENER_REMCORP1
              LSNRCTL> status
              Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=remedy-vip-ebu-db1)(PORT=1526)(IP=FIRST)))
              STATUS of the LISTENER
              ------------------------
              Alias LISTENER_REMCORP1
              Version TNSLSNR for Linux: Version 11.2.0.3.0 - Production
              Start Date 04-NOV-2012 14:56:49
              Uptime 2 days 18 hr. 22 min. 17 sec
              Trace Level off
              Security ON: Local OS Authentication
              SNMP OFF
              Listener Parameter File /u01/app/ora11g/product/11.2.0/db_1/network/admin/listener.ora
              Listener Log File /u01/app/ora11g/product/11.2.0/db_1/log/diag/tnslsnr/remedy-ebu-db1/listener_remcorp1/alert/log.xml
              Listening Endpoints Summary...
              (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=121.244.255.54)(PORT=1526)))
              (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=121.244.255.50)(PORT=1526)))
              Services Summary...
              Service "REMCORP" has 2 instance(s).
              Instance "REMCORP1", status READY, has 1 handler(s) for this service...
              Instance "REMCORP2", status READY, has 1 handler(s) for this service...
              Service "REMCORPXDB" has 2 instance(s).
              Instance "REMCORP1", status READY, has 1 handler(s) for this service...
              Instance "REMCORP2", status READY, has 1 handler(s) for this service...
              The command completed successfully
              LSNRCTL> stop
              Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=remedy-vip-ebu-db1)(PORT=1526)(IP=FIRST)))
              TNS-01190: The user is not authorized to execute the requested listener command
              LSNRCTL>



              Regards,
              Nikhil Mehta.
              • 4. Re: Oracle RAC listener password protection
                JohnWatson
                Your problem is that the REMCORP1 listener is defined in the RDBMS home. Proof:
                Listener Parameter File /u01/app/ora11g/product/11.2.0/db_1/network/admin/listener.ora
                but it is running under the OS account of the grid owner. Proof:
                grid 49634 1 0 Nov04 ? 00:00:05 /u01/app/ora11g/product/11.2.0/db_1/bin/tnslsnr LISTENER_REMCORP1 -inherit
                What may have happened is that you ran the oraenv script as user grid, and specified the database name. The end result is that right now, grid can't manage the listener because he can't see the listener.ora, and oracle can't manage the listener because he doesn't have permission.
                The easiest way out is to connect as grid, and stop the listener with
                kill -9 49634
                Depending on how you have registered it in the OCR, it may well restart automatically under the correct account. If not, start it with the srvctl utility.
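                The ownership mismatch John points out (a tnslsnr binary from the RDBMS home running under the Grid owner) is easy to spot from the ps listing already posted above. The following is an added audit helper, not something from this thread or from Oracle; it assumes the owners and homes shown in the thread (grid / ora11g, /u01/app/11.2.0/grid and /u01/app/ora11g/product/11.2.0/db_1) and feeds it a constructed copy of the node 1 ps output.

```shell
#!/bin/sh
# Added example: flag listeners whose binary home does not match the OS user running them.
# Assumptions (constructed for this example, taken from the thread's listing):
GRID_OWNER=grid
RDBMS_OWNER=ora11g
GRID_HOME=/u01/app/11.2.0/grid
RDBMS_HOME=/u01/app/ora11g/product/11.2.0/db_1

# Constructed sample of "ps -ef | grep -i tns" output, modelled on node 1 in the thread.
SAMPLE_PS='root 125 2 0 Oct30 ? 00:00:00 [netns]
ora11g 35141 73510 0 12:50 pts/0 00:00:00 grep -i tns
grid 41763 1 0 Nov04 ? 00:00:05 /u01/app/11.2.0/grid/bin/tnslsnr LISTENER -inherit
grid 49634 1 0 Nov04 ? 00:00:05 /u01/app/ora11g/product/11.2.0/db_1/bin/tnslsnr LISTENER_REMCORP1 -inherit'

# audit_listeners: reads ps -ef lines on stdin, prints one "OK" or "MISMATCH" line per
# tnslsnr process (user, listener name, Oracle home), and returns 1 if any mismatch is found.
audit_listeners() {
    rc=0
    while read -r user pid ppid c stime tty cputime cmd arg1 rest; do
        # Only tnslsnr processes are of interest; skip grep itself and unrelated lines.
        case "$cmd" in */tnslsnr) ;; *) continue ;; esac
        home=${cmd%/bin/tnslsnr}          # strip /bin/tnslsnr to recover the Oracle home
        if [ "$home" = "$GRID_HOME" ]; then
            expected=$GRID_OWNER
        elif [ "$home" = "$RDBMS_HOME" ]; then
            expected=$RDBMS_OWNER
        else
            expected=unknown
        fi
        if [ "$user" = "$expected" ]; then
            echo "OK $user $arg1 $home"
        else
            echo "MISMATCH $user $arg1 $home (expected owner: $expected)"
            rc=1
        fi
    done
    return $rc
}

if printf '%s\n' "$SAMPLE_PS" | audit_listeners; then
    echo "all listeners run under the owner of their Oracle home"
else
    echo "review the MISMATCH lines above: stop via srvctl and restart under the right account"
fi
```

Run it against the real output of ps -ef on each node; the constructed sample reproduces the thread's case, where LISTENER is fine and LISTENER_REMCORP1 is flagged.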
                • 5. Re: Oracle RAC listener password protection
                  LANCERIQUE
                  Thanks John. Using SRVCTL, the listener is getting started after killing the process, but I am facing the same issue.

                  Our task is to password protect the listener, but the listener is not getting stopped from any of the users.

                  Regards,
                  Nikhil Mehta.
                  • 6. Re: Oracle RAC listener password protection
                    Levi Pereira
                    Hi,

                    In Oracle Database 11g Release 2 (11.2), the password feature is being deprecated. This does not cause a loss of security because authentication is enforced through local operating system authentication.

                    See what you need to do:
                    *Deprecation of Listener Password in Oracle Database 11g Release 2 [ID 1328725.1]*
                    • 7. Re: Oracle RAC listener password protection
                      user2966648
                      Levi,

                      Thanks a ton. Thanks again for the useful info.

                      Regards,
                      Nikhil Mehta.