6 Replies Latest reply: Dec 4, 2012 2:41 PM by Billy~Verreynne

    Port of the Node listener

    JOE_humble
      GI Version: 11.2.0.3
      Platform : RHEL 5.4

      SCAN Listener Port : 3843
      Node Listener port in each node : 3921

      IBM Websphere guys are trying to connect to our RAC DB. There is a firewall between the DB and the Apps server. They got the network team to open the SCAN Listener's port 3843.

      The following telnet test from the Apps machine to the SCAN listener's port has succeeded:
      telnet <scanName> 3843
      But when they tried connecting using the JDBC URL, they were getting a TNS related error (ORA-12xxx).
      From the Apps machine, I did the telnet test to the port where each machine's Node Listener is running:
      telnet <VIP Name> 3921
      This has failed for all of the RAC Nodes, i.e. the node listener's port is not open to the Apps machine.

      My question is :

      Both the SCAN Listener's and the Node listener's ports MUST be open and accessible to the Apps machine. Right?
        • 1. Re: Port of the Node listener
          Balazs Papp
          right, SCAN listener forwards requests to local listeners
          • 2. Re: Port of the Node listener
            Levi Pereira
            ...adding a little note:

            “When a client submits a request, the SCAN listener listening on a SCAN IP address and the SCAN port is contacted on a client’s behalf. Because all services on the cluster are registered with the SCAN listener, the SCAN listener replies with the address of the local listener on the least-loaded node (each SCAN listener keeps updated cluster load statistics) where the service is currently being offered. Finally, the client establishes a connection to the service through the listener on the node where the service is offered. All of these actions take place transparently to the client without any explicit configuration required in the client.”

            So, all Listeners/IP/Port of SCAN and all Listeners/VIP/Port of all Local nodes must be accessible by the Clients.

            Regards,
            Levi Pereira
            • 3. Re: Port of the Node listener
              Billy~Verreynne
              JOE_humble wrote:
              GI Version: 11.2.0.3
              Platform : RHEL 5.4

              SCAN Listener Port : 3843
              Node Listener port in each node : 3921
              Why are you guys using ports for Quest Common Agent and Herodotus Net, for Oracle?

              Sure, the Listener can be run on a different port. But why?

              It does not make for better security. Something like nmap can tell me in seconds which port you have an Oracle Listener on. It however makes network management a lot more complex by selecting arbitrary ports for network applications.

              Also, why different ports? The SCAN Listener is still a Listener. Why have it on a different port than a local Listener? There is no port collision, as each Listener supports its own unique and distinct set of IP addresses.

              Mucking about with application ports needs damn good justification.
              IBM Websphere guys are trying to connect to our RAC DB. There is a firewall between the DB and the Apps server. They got the network team to open the SCAN Listener's port 3843.
              The SCAN Listener redirects an incoming connection to a database Listener. That database Listener can in turn redirect the client to any of the static IP and virtual IP addresses of that cluster (depending on configuration and the db service requested by the client).

              This typically requires the Listener port to be opened to all cluster IP addresses (excluding private Interconnect addresses - these should in any case be unreachable by any other platform).
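As an added example (not part of this thread or of any Oracle tool), a small Python script that automates the telnet checks described above and applies the rule from the replies: every SCAN IP on the SCAN port and every node VIP on the local listener port must be reachable from the Apps machine, otherwise the SCAN redirect fails. The host names, the `probe` parameter and the verdict labels are assumptions for illustration.

```python
import socket

# Constructed values mirroring the thread (SCAN 3843, node listeners 3921); host names are assumed.
SCAN_NAME = "rac-scan.example.com"
SCAN_PORT = 3843
NODE_VIPS = ["rac1-vip.example.com", "rac2-vip.example.com"]
LOCAL_LISTENER_PORT = 3921

def tcp_reachable(host, port, timeout=3.0):
    """Same check as 'telnet host port': True only if the TCP handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def resolve_all(name):
    """A SCAN name usually resolves to several IPs (round-robin DNS); test every one."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []

def required_endpoints(scan_ips, scan_port, vips, local_port):
    """Each SCAN IP on the SCAN port plus every VIP on the local port (SCAN may redirect to any node)."""
    return ([("scan", ip, scan_port) for ip in scan_ips]
            + [("vip", vip, local_port) for vip in vips])

def diagnose(scan_ips, scan_port, vips, local_port, probe=tcp_reachable):
    """Probe every required endpoint and name the symptom a JDBC client would see.
    'probe' is injectable (assumed helper) so the logic can run without a live network."""
    results = {(role, host, port): probe(host, port)
               for role, host, port in required_endpoints(scan_ips, scan_port, vips, local_port)}
    scan_ok = [h for (r, h, _), ok in results.items() if r == "scan" and ok]
    vips_blocked = [h for (r, h, _), ok in results.items() if r == "vip" and not ok]
    if not scan_ok:
        verdict = "scan-unreachable"   # client cannot even reach the SCAN listener
    elif vips and len(vips_blocked) == len(vips):
        verdict = "redirect-blocked"   # the thread's case: telnet to SCAN works, JDBC gets ORA-12xxx
    elif vips_blocked:
        verdict = "intermittent"       # fails whenever SCAN hands out a blocked node
    else:
        verdict = "ok"
    return verdict, results

if __name__ == "__main__":
    verdict, results = diagnose(resolve_all(SCAN_NAME), SCAN_PORT, NODE_VIPS, LOCAL_LISTENER_PORT)
    print("verdict:", verdict, {f"{h}:{p}": ok for (_, h, p), ok in results.items()})
```

Run it from the Apps machine (the client side of the firewall); an "intermittent" verdict explains connections that only fail some of the time, because the SCAN listener hands out whichever node is least loaded.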
              • 4. Re: Port of the Node listener
                JOE_humble
                Thank you Balazs, Levi.

                Thank you Billy.
                I didn't know that it was technically possible to use the same port for both SCAN Listener and Node listener.

                Although the SCAN IPs are different from each node's Public IP and VIP, at the end of the day the SCAN listener has to run on one of the nodes, i.e. the ps -ef output will confirm:
                $ ps -ef  | grep tns
                grid      9345     1  0 Oct26 ?        03:44:32 /u01/app/grid/product/11.2.0.3/bin/tnslsnr LISTENER_SCAN1 -inherit
                grid      9713     1  0 Oct26 ?        01:48:37 /u01/app/grid/product/11.2.0.3/bin/tnslsnr LISTENER -inherit
                oracle   23611 23398  0 09:13 pts/1    00:00:00 grep tns
                So, if I assign 1521 to both the SCAN and Node listener, wouldn't there be a collision?

                I agree with you on the arbitrary port usage. We can't use 1521 because of our security policy (no default ports should be used anywhere). Last week, in a meeting, someone was suggesting to use ports after 15000.
                • 5. Re: Port of the Node listener
                  Balazs Papp
                  So, if I assign 1521 to both the SCAN and Node listener, wouldn't there be a collision?
                  no, they listen on different IP addresses
                  • 6. Re: Port of the Node listener
                    Billy~Verreynne
                    JOE_humble wrote:

                    I didn't know that it was technically possible to use the same port for both SCAN Listener and Node listener.
                    It is the standard RAC configuration. The SCAN Listener uses the SCAN IP. The db Listener uses virtual and static IPs. No collision.
                    I agree with you on the arbitrary port usage. We can't use 1521 because of our security policy (no default ports should be used anywhere). Last week, in a meeting, someone was suggesting to use ports after 15000.
                    Sorry, but I'm going to be blunt. It. Is. An. Idiotic. Security. Policy.

                    I can use nmap to determine what sits on which ports with a 99.9999% accuracy. Obfuscating port number is NOT security. It is NOT going to stop hackers from exploiting that network.

                    And by mucking with port numbers, how on earth do you implement QoS classes and policies? Manage firewall access? Do network reporting? Do network growth estimations? Etc.

                    Whoever came up with the idea that changing port numbers makes networks more secure is horribly mistaken.