6 Replies. Latest reply: Dec 4, 2012 12:41 PM by BillyVerreynne

Port of the Node listener

JOE_humble Newbie
GI Version: 11.2.0.3
Platform : RHEL 5.4

SCAN Listener Port : 3843
Node Listener port in each node : 3921

IBM Websphere guys are trying to connect to our RAC DB. There is a firewall between the DB and the Apps server. They got the network team to open the SCAN Listener's port 3843.

Following telnet test from Apps machine on SCAN listener's port has succeeded.
telnet <scanName> 3843
But, when they tried connecting using the jdbc url, they were getting a TNS related error (ORA-12xxx).
From apps machine , I did the telnet test to port where the each machine's Node Listener is running.
telnet <VIP Name> 3921
This has failed for all of the RAC Nodes, i.e. the node listener's port is not open to the Apps machine.

My question is :

Both the SCAN Listener's and the Node Listener's port MUST be open and accessible to the Apps machine. Right?
  • 1. Re: Port of the Node listener
    Balazs Papp Expert
    Right, the SCAN listener forwards requests to the local listeners.
  • 2. Re: Port of the Node listener
    Levi-Pereira Guru
    ...adding a little note:

    “When a client submits a request, the SCAN listener listening on a SCAN IP address and the SCAN port is contacted on a client’s behalf. Because all services on the cluster are registered with the SCAN listener, the SCAN listener replies with the address of the local listener on the least-loaded node (each SCAN listener keeps updated cluster load statistics) where the service is currently being offered. Finally, the client establishes a connection to the service through the listener on the node where the service is offered. All of these actions take place transparently to the client without any explicit configuration required in the client.”

    So, all Listeners/IP/Port of SCAN and all Listeners/VIP/Port of all Local nodes must be accessible by the Clients.

    Regards,
    Levi Pereira
  • 3. Re: Port of the Node listener
    BillyVerreynne Oracle ACE
    JOE_humble wrote:
    GI Version: 11.2.0.3
    Platform : RHEL 5.4

    SCAN Listener Port : 3843
    Node Listener port in each node : 3921
    Why are you guys using ports for Quest Common Agent and Herodotus Net, for Oracle?

    Sure, the Listener can be run on a different port. But why?

    It does not make for better security. Something like nmap can tell me in seconds which port you have an Oracle Listener on. It however makes network management a lot more complex by selecting arbitrary ports for network applications.

    Also, why different ports? The SCAN Listener is still a Listener. Why have it on a different port than a local Listener? There is no port collision, as each Listener supports its own unique and distinct set of IP addresses.

    Mucking about with application ports needs damn good justification.
    IBM Websphere guys are trying to connect to our RAC DB. There is a firewall between the DB and the Apps server. They got the network team to open the SCAN Listener's port 3843.
    The SCAN Listener redirects an incoming connection to a database Listener. That database Listener can in turn redirect the client to any of the static IP and virtual IP addresses of that cluster (depending on configuration and the db service requested by the client).

    This typically requires the Listener port to be opened to all cluster IP addresses (excluding private Interconnect addresses - these should in any case be unreachable by any other platform).
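The check the thread describes by hand (telnet to the SCAN port, then telnet to every node VIP on the local listener port) can be automated so that a firewall opening that covers only the SCAN endpoint is caught before the application team sees a TNS error after the redirect. This is an added example, not code from the thread or from Oracle; the host names, the 3843/3921 ports reused from the question, and the `FIREWALL_RULES` table are constructed placeholders, and the probe is injectable so the logic runs offline.

```python
import socket
from typing import Callable, Dict, Iterable, List, Tuple

Endpoint = Tuple[str, int]
Probe = Callable[[str, int], bool]


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Equivalent of the thread's 'telnet <host> <port>' test: True only if the
    TCP handshake completes, so a firewall drop or reset shows up as False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def listener_reachability(scan_name: str, scan_port: int,
                          node_vips: Iterable[str], node_port: int,
                          probe: Probe = tcp_reachable) -> Dict[Endpoint, bool]:
    """Probe the SCAN listener and every node listener the SCAN can redirect to.
    Pass a different 'probe' to test the report logic without a network."""
    results: Dict[Endpoint, bool] = {(scan_name, scan_port): probe(scan_name, scan_port)}
    for vip in node_vips:
        results[(vip, node_port)] = probe(vip, node_port)
    return results


def blocked_endpoints(results: Dict[Endpoint, bool]) -> List[str]:
    """host:port strings for every endpoint the probe could not reach."""
    return [f"{host}:{port}" for (host, port), ok in results.items() if not ok]


def verdict(results: Dict[Endpoint, bool], scan_name: str) -> str:
    """Explain the outcome in terms of the SCAN -> local listener redirect."""
    blocked = blocked_endpoints(results)
    scan_ok = all(ok for (host, _), ok in results.items() if host == scan_name)
    if not blocked:
        return "OK: SCAN and all node listener ports reachable; redirects will succeed"
    if scan_ok:
        return ("FAIL: SCAN reachable but node listener ports blocked ("
                + ", ".join(blocked)
                + "); the redirect target is unreachable, so JDBC will get a TNS error")
    return "FAIL: SCAN listener port blocked (" + ", ".join(blocked) + ")"


# Constructed scenario mirroring the thread: only the SCAN port was opened.
SCAN = "scan.example.internal"                               # placeholder name
VIPS = ["node1-vip.example.internal", "node2-vip.example.internal"]  # placeholders
FIREWALL_RULES: Dict[Endpoint, bool] = {(SCAN, 3843): True}  # everything else dropped


def fake_probe(host: str, port: int) -> bool:
    """Stand-in for tcp_reachable that consults the constructed rule table."""
    return FIREWALL_RULES.get((host, port), False)


def thread_scenario() -> str:
    """Run the report against the constructed firewall state."""
    return verdict(listener_reachability(SCAN, 3843, VIPS, 3921, probe=fake_probe), SCAN)


if __name__ == "__main__":
    print(thread_scenario())
```

Run against real names, drop the `probe=` argument and `listener_reachability` uses a real TCP connect; the VIP list should contain every node the cluster can redirect to, since the SCAN listener may pick any of them.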
  • 4. Re: Port of the Node listener
    JOE_humble Newbie
    Thank you Balazs, Levi.

    Thank you Billy.
    I didn't know that it was technically possible to use the same port for both SCAN Listener and Node listener.

    Although the SCAN IPs are different from each node's Public IP and VIP, at the end of the day the SCAN listener has to run on one of the nodes, i.e. the ps -ef output will confirm:
    $ ps -ef  | grep tns
    grid      9345     1  0 Oct26 ?        03:44:32 /u01/app/grid/product/11.2.0.3/bin/tnslsnr LISTENER_SCAN1 -inherit
    grid      9713     1  0 Oct26 ?        01:48:37 /u01/app/grid/product/11.2.0.3/bin/tnslsnr LISTENER -inherit
    oracle   23611 23398  0 09:13 pts/1    00:00:00 grep tns
    So, if I assign 1521 to both SCAN and Node listener, wouldn't there be a collision?

    I agree with you on the arbitrary port usage. We can't use 1521 because of our security policy (no default ports should be used anywhere ). Last week , in a meeting someone was suggesting to use ports after 15000.
  • 5. Re: Port of the Node listener
    Balazs Papp Expert
    So, If i assign 1521 to both SCAN and Node listener wouldn't there be a collision ?
    No, they listen on different IP addresses.
  • 6. Re: Port of the Node listener
    BillyVerreynne Oracle ACE
    JOE_humble wrote:

    I didn't know that it was technically possible to use the same port for both SCAN Listener and Node listener.
    It is the standard RAC configuration. The SCAN Listener uses the SCAN IP. The db Listener uses the virtual and static IPs. No collision.
    I agree with you on the arbitrary port usage. We can't use 1521 because of our security policy (no default ports should be used anywhere ). Last week , in a meeting someone was suggesting to use ports after 15000.
    Sorry, but I'm going to be blunt. It. Is. An. Idiotic. Security. Policy.

    I can use nmap to determine what sits on which ports with a 99.9999% accuracy. Obfuscating port number is NOT security. It is NOT going to stop hackers from exploiting that network.

    And by mucking with port numbers, how on earth do you implement QoS classes and policies? Manage firewall access? Do network reporting? Do network growth estimations? Etc.

    Whoever came up with the idea that changing port numbers makes networks more secure is horribly mistaken.
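Replies 5 and 6 both state that the SCAN listener and the local listener can share one port number because they are bound to distinct IP addresses. The socket-level reason is shown below as an added example (not code from the thread or from Oracle): two loopback addresses, 127.0.0.1 and 127.0.0.2, stand in for a SCAN IP and a VIP (Linux treats all of 127.0.0.0/8 as local, so this runs without any extra interface configuration), and the port is whatever the kernel hands out. The caveat it also demonstrates is that a process bound to the wildcard address 0.0.0.0 on that port would collide with both, so the "no collision" rule holds only while each listener is bound to its own specific address.

```python
import errno
import socket
from typing import Dict


def bind_listener(ip: str, port: int) -> socket.socket:
    """Bind and listen on one specific local IP, the way a RAC listener is
    bound to the SCAN IP or to a node VIP. Closes the socket on failure."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((ip, port))
        s.listen(1)
    except OSError:
        s.close()
        raise
    return s


def try_bind(ip: str, port: int) -> Dict[str, object]:
    """Attempt a bind and report success or the errno name, without leaking sockets."""
    try:
        s = bind_listener(ip, port)
        s.close()
        return {"ok": True, "errno": None}
    except OSError as e:
        return {"ok": False, "errno": errno.errorcode.get(e.errno, str(e.errno))}


def same_port_distinct_ips() -> Dict[str, object]:
    """Hold a listener on 127.0.0.1:<port> (the 'SCAN listener') and then check
    which further binds on the same port the kernel accepts:
      - 127.0.0.2 (a different IP, the 'node listener'): accepted
      - 127.0.0.1 again: EADDRINUSE
      - 0.0.0.0 (wildcard): EADDRINUSE, it would overlap both listeners"""
    first = bind_listener("127.0.0.1", 0)      # port 0: kernel picks a free one
    port = first.getsockname()[1]
    try:
        distinct = try_bind("127.0.0.2", port)  # same port, different address
        same = try_bind("127.0.0.1", port)      # same address and port
        wildcard = try_bind("0.0.0.0", port)    # wildcard overlaps every address
    finally:
        first.close()
    return {
        "port": port,
        "distinct_ip_ok": distinct["ok"],
        "same_ip_collides": (not same["ok"]) and same["errno"] == "EADDRINUSE",
        "wildcard_collides": (not wildcard["ok"]) and wildcard["errno"] == "EADDRINUSE",
    }


if __name__ == "__main__":
    for key, value in same_port_distinct_ips().items():
        print(f"{key}: {value}")
```

On a cluster node the same idea is visible in the listener configuration: each `tnslsnr` process is bound to its own address (SCAN IP or VIP) rather than to every interface, which is what lets the SCAN and node listeners coexist on one port while the firewall rule set stays to a single port number.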
