7 Replies Latest reply: Nov 7, 2012 6:13 AM by user2966648

Oracle RAC listener password protection

LANCERIQUE Newbie
Dear Gurus,

We have a 2 node RAC setup (11gR2) and as a part of hardening we wish to set a password for the listener.
Can someone please guide how we can set a password on the listener that is registered with CRS. What would be the impact, if any?

Also, there are two things which should be noted.

1) We are not using SCAN feature.
2) The listeners created should be owned by the oracle user, but all listeners are getting started by Grid.

Node 1 -

ps -ef | grep -i tns
root 125 2 0 Oct30 ? 00:00:00 [netns]
ora11g 35141 73510 0 12:50 pts/0 00:00:00 grep -i tns
grid 41763 1 0 Nov04 ? 00:00:05 /u01/app/11.2.0/grid/bin/tnslsnr LISTENER -inherit
grid 49634 1 0 Nov04 ? 00:00:05 /u01/app/ora11g/product/11.2.0/db_1/bin/tnslsnr LISTENER_REMCORP1 -inherit


Node 2 -
ps -ef | grep -i tns
root 125 2 0 Oct30 ? 00:00:00 [netns]
ora11g 33783 33742 0 12:50 pts/1 00:00:00 grep -i tns
grid 49817 1 0 Nov04 ? 00:00:05 /u01/app/11.2.0/grid/bin/tnslsnr LISTENER -inherit
grid 56446 1 0 Nov04 ? 00:00:05 /u01/app/ora11g/product/11.2.0/db_1/bin/tnslsnr LISTENER_REMCORP2 -inherit


Regards,
Nikhil Mehta.

Edited by: 905267 on Nov 6, 2012 1:13 AM
  • 1. Re: Oracle RAC listener password protection
    LANCERIQUE Newbie
    Gurus,

    Could someone please help me on this.

    Regards,
    Nikhil Mehta.
  • 2. Re: Oracle RAC listener password protection
    vlethakula Expert
    From 10g onwards, the listener is protected through OS authentication.

    lsnrctl status


    STATUS of the LISTENER
    ------------------------
    Alias LISTENER
    Version TNSLSNR for Linux: Version 11.2.0.3.0 - Production
    Start Date 11-AUG-2012 16:47:40
    Uptime 86 days 16 hr. 49 min. 59 sec
    Trace Level off
    Security ON: Local OS Authentication
    SNMP OFF


    And the best practice is to start the LISTENER from the ASM (clusterware) home.
  • 3. Re: Oracle RAC listener password protection
    LANCERIQUE Newbie
    Thanks for your reply Vlethakula.

    When firing the command from the GRID/ASM home, it says service not available, whereas status is available from the oracle home. While stopping the listener from the oracle home it gives a TNS-01190 error.

    remedy-ebu-db1*+ASM1:/home/grid>lsnrctl

    LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 06-NOV-2012 18:20:00

    Copyright (c) 1991, 2011, Oracle. All rights reserved.

    Welcome to LSNRCTL, type "help" for information.

    LSNRCTL> set current_listener LISTENER_REMCORP1
    Current Listener is LISTENER_REMCORP1
    LSNRCTL> stop LISTENER_REMCORP1
    TNS-01101: Could not find service name


    LSNRCTL> stop LISTENER_REMCORP1
    TNS-01101: Could not find service name
    LSNRCTL> status
    TNS-01101: Could not find service name
    LSNRCTL> exit
    remedy-ebu-db1*+ASM1:/home/grid>su - ora11
    su: user ora11 does not exist
    remedy-ebu-db1*+ASM1:/home/grid>su - ora11g
    Password:
    remedy-ebu-db1*REMCORP1:/home/ora11g>lsnrctl

    LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 07-NOV-2012 09:18:52

    Copyright (c) 1991, 2011, Oracle. All rights reserved.

    Welcome to LSNRCTL, type "help" for information.

    LSNRCTL> set current_listener LISTENER_REMCORP1
    Current Listener is LISTENER_REMCORP1
    LSNRCTL> status
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=remedy-vip-ebu-db1)(PORT=1526)(IP=FIRST)))
    STATUS of the LISTENER
    ------------------------
    Alias LISTENER_REMCORP1
    Version TNSLSNR for Linux: Version 11.2.0.3.0 - Production
    Start Date 04-NOV-2012 14:56:49
    Uptime 2 days 18 hr. 22 min. 17 sec
    Trace Level off
    Security ON: Local OS Authentication
    SNMP OFF
    Listener Parameter File /u01/app/ora11g/product/11.2.0/db_1/network/admin/listener.ora
    Listener Log File /u01/app/ora11g/product/11.2.0/db_1/log/diag/tnslsnr/remedy-ebu-db1/listener_remcorp1/alert/log.xml
    Listening Endpoints Summary...
    (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=121.244.255.54)(PORT=1526)))
    (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=121.244.255.50)(PORT=1526)))
    Services Summary...
    Service "REMCORP" has 2 instance(s).
    Instance "REMCORP1", status READY, has 1 handler(s) for this service...
    Instance "REMCORP2", status READY, has 1 handler(s) for this service...
    Service "REMCORPXDB" has 2 instance(s).
    Instance "REMCORP1", status READY, has 1 handler(s) for this service...
    Instance "REMCORP2", status READY, has 1 handler(s) for this service...
    The command completed successfully
    LSNRCTL> stop
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=remedy-vip-ebu-db1)(PORT=1526)(IP=FIRST)))
    TNS-01190: The user is not authorized to execute the requested listener command
    LSNRCTL>



    Regards,
    Nikhil Mehta.
  • 4. Re: Oracle RAC listener password protection
    JohnWatson Guru
    Your problem is that the REMCORP1 listener is defined in the RDBMS home. Proof:
    Listener Parameter File /u01/app/ora11g/product/11.2.0/db_1/network/admin/listener.ora
    but it is running under the OS account of the grid owner. Proof:
    grid 49634 1 0 Nov04 ? 00:00:05 /u01/app/ora11g/product/11.2.0/db_1/bin/tnslsnr LISTENER_REMCORP1 -inherit
    What may have happened is that you ran the oraenv script as user grid, and specified the database name. The end result is that right now, grid can't manage the listener because he can't see the listener.ora, and oracle can't manage the listener because he doesn't have permission.
    The easiest way out is to connect as grid, and stop the listener with
    kill -9 49634
    Depending on how you have registered it in the OCR, it may well restart automatically under the correct account. If not, start it with the srvctl utility.
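The mismatch John describes (a listener binary from the RDBMS home running under the grid account) is easy to miss when reading ps output by eye. The following is an added example, not code from the thread or from Oracle: a POSIX sh check that reads `ps -ef` output and flags every tnslsnr process whose OS user differs from the expected owner of the ORACLE_HOME its binary lives in. The home-to-owner mapping is an assumption modelled on the thread's layout (grid home owned by grid, RDBMS home under /u01/app/ora11g owned by ora11g); the sample ps lines are constructed from the node-1 output posted above.

```shell
#!/bin/sh
# Added example (not from the thread). Flags tnslsnr processes running
# under an OS account that does not own the ORACLE_HOME of the binary.

# expected_owner BINARY_PATH -> prints the account that should run
# listeners from that home. The mapping is an assumption taken from the
# homes and users visible in the thread; adjust it to your installation.
# Returns 1 for a path outside any known home.
expected_owner() {
    case "$1" in
        /u01/app/11.2.0/grid/*)                 echo grid ;;
        /u01/app/ora11g/product/11.2.0/db_1/*)  echo ora11g ;;
        *) return 1 ;;
    esac
}

# check_listener_owners reads `ps -ef` output on stdin (columns:
# UID PID PPID C STIME TTY TIME CMD ...) and prints one line per tnslsnr
# process whose user differs from the expected owner of its home:
#   "<alias> running as <user>, expected <owner>"
# Exit status: 0 when every listener is consistent, 1 when any mismatch.
check_listener_owners() {
    mismatches=0
    while read -r user pid ppid c stime tty cputime cmd args; do
        case "$cmd" in
            */tnslsnr) ;;          # only listener processes are of interest
            *) continue ;;
        esac
        alias=${args%% *}          # first argument after the binary is the alias
        if ! owner=$(expected_owner "$cmd"); then
            echo "unknown home for $cmd (pid $pid)" >&2
            continue
        fi
        if [ "$owner" != "$user" ]; then
            echo "$alias running as $user, expected $owner"
            mismatches=$((mismatches + 1))
        fi
    done
    [ "$mismatches" -eq 0 ]
}

# Constructed sample: the node-1 ps output quoted in the thread.
SAMPLE_PS='root 125 2 0 Oct30 ? 00:00:00 [netns]
ora11g 35141 73510 0 12:50 pts/0 00:00:00 grep -i tns
grid 41763 1 0 Nov04 ? 00:00:05 /u01/app/11.2.0/grid/bin/tnslsnr LISTENER -inherit
grid 49634 1 0 Nov04 ? 00:00:05 /u01/app/ora11g/product/11.2.0/db_1/bin/tnslsnr LISTENER_REMCORP1 -inherit'

# Usage on a live node: ps -ef | check_listener_owners
# Below, the sample is checked instead; LISTENER_REMCORP1 is reported.
printf '%s\n' "$SAMPLE_PS" | check_listener_owners || echo "listener ownership mismatch found"
```

On a live node the same pipeline run as a periodic check gives an early signal that a listener was started from the wrong environment (for example after running oraenv as grid with the database name), which is exactly the state in which neither account can stop it cleanly.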
  • 5. Re: Oracle RAC listener password protection
    LANCERIQUE Newbie
    Thanks John. Using SRVCTL the listener is getting started after killing the process, but I am facing the same issue.

    Our task is to password protect the listener, but the listener is not getting stopped from any of the users.

    Regards,
    Nikhil Mehta.
  • 6. Re: Oracle RAC listener password protection
    Levi-Pereira Guru
    Hi,

    In Oracle Database 11g Release 2 (11.2), the password feature is being deprecated. This does not cause a loss of security because authentication is enforced through local operating system authentication.

    See what you need to do:
    *Deprecation of Listener Password in Oracle Database 11g Release 2 [ID 1328725.1]*
  • 7. Re: Oracle RAC listener password protection
    user2966648 Newbie
    Levi,

    Thanks a ton. Thanks again for the useful info.

    Regards,
    Nikhil Mehta.
