In this Document
Applies to:
Oracle Net Services - Version 10.2.0.3 to 11.2.0.3 [Release 10.2 to 11.2]
Information in this document applies to any platform.
Goal
To demonstrate how the COST parameter "SECURE_REGISTER_listener_name = " is used to restrict instance registration with listeners in RAC environments. With COST restrictions in place, only local and authorized instances having appropriate credentials will be allowed to register. These instructions can be used to address the issues published in Oracle Security Alert CVE-2012-1675 by using COST to restrict connections to only those instances having appropriate credentials.
About COST
The class of secure transports (COST) parameters specify a list of transports that are considered secure for administration and registration of a particular listener. The COST parameters identify which transports are considered secure for that installation and whether the administration of a listener requires secure transports. COST will not affect client connections utilizing other protocols. For more details and for information about other available COST parameters please see the 11.2 Network Administrator's Guide and Network Reference.
Oracle versions that support COST
Although not documented in the Oracle 10g Network Administrator's Guide, COST parameters and functionality are supported as of 10.2.0.3.
Fix
Topics in this section:
1) Oracle 11.2 RAC - Securing registration with SCAN listeners
2) Oracle 11.2 RAC - Securing ASM and Database registration with the Local (node) listener
3) Oracle RAC versions prior to 11.2 (10.2.0.3 - 11.1)
1) Oracle RAC 11.2 - Securing registration with SCAN listeners
This example environment is a two node 11.2 RAC cluster with three SCAN listeners. COST restrictions will limit registration protocols to TCPS for remote registering instances and to IPC for the local grid agent. To establish a connection over TCPS, PMON and the listener must perform an SSL handshake.
Please refer to the Oracle licensing documentation available on Oracle.com regarding licensing changes that allow Oracle Advanced Security SSL/TLS to be used with Oracle SE Oracle Real Application Clusters, Oracle Enterprise Edition Real Application Clusters (Oracle RAC) and the Oracle RAC One Node options.
Steps:
1.1) Using orapki create a wallet with self-signed certificates that will be shared among SCAN listeners and registering instances to make secure SSL connections.
If SSL is being used exclusively for instance registration then a single shared wallet with a self-signed certificate is all that is needed, and this is the easiest setup to implement. If other SSL features are planned, a unique wallet and certificate may be required for each node. Reference Oracle documentation for the SSL requirements of any additional SSL features that will be used and adjust as necessary.
Important: The wallet that is shared by the cluster must be created by the oracle user and in the environment of the lowest version supported by the cluster. For example, if the 11.2 RAC cluster supports a 10.2.0.5 database you must create the shared wallet in the 10.2.0.5 environment using the Oracle 10.2.0.5 version of orapki. Once created you can move copies of the wallet to the other nodes per the normal instructions. Step (b) in this section will not be possible with 10.2 orapki; this step is optional and can be skipped.
a) Create an Oracle wallet: "ewallet.p12".
The target directory in this example is within the grid home but the location can be anywhere that is accessible to Oracle.
[oracle@rac1]$ mkdir /u01/app/11.2.0.2/grid/network/admin/cost
[oracle@rac1]$ orapki wallet create -wallet /u01/app/11.2.0.2/grid/network/admin/cost
Oracle PKI Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
b) The new wallet will contain a number of trusted certificates that are installed by default; remove all of these well-known trusted certificates from the wallet.
This step is optional. Removing the extra trusted certificates that come installed with a new wallet is a housecleaning step and does not affect function. If you skip this step there will just be more output seen when viewing the finished wallet in step 1.1-d.
[oracle@rac1]$ orapki wallet remove -trusted_cert_all -wallet /u01/app/11.2.0.2/grid/network/admin/cost
Oracle PKI Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
c) Create a self-signed certificate that will be stored in the wallet.
This step creates an SSL certificate with the CN (common name) attribute value set to "cn=secure_register". This value can be used as is or interchanged with your own naming convention, e.g., "cn=orclprod".
[oracle@rac1]$ orapki wallet add -wallet /u01/app/11.2.0.2/grid/network/admin/cost -self_signed -dn "cn=secure_register" -keysize 1024 -validity 3650
Oracle PKI Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
d) View the wallet contents to confirm that it has a single trusted and user certificate.
[oracle@rac1]$ orapki wallet display -wallet /u01/app/11.2.0.2/grid/network/admin/cost -summary
Oracle PKI Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Subject:        CN=secure_register
Trusted Certificates:
Subject:        CN=secure_register
e) Make copies of the finished wallet (ewallet.p12) and place them on each node in the same directory location: /u01/app/11.2.0.2/grid/network/admin/cost.
f) Using orapki create a unique obfuscated auto-login file "cwallet.sso" on each node. Both PMON and the listener will use the cwallet.sso to establish a secure SSL connection with each other. Once COST parameters restricting registration to TCPS are enabled, only instances that have access to the wallet and obfuscated wallet (cwallet.sso) will be able to register with the SCAN listeners.
Creating the cwallet.sso file:
[oracle@rac1]$ orapki wallet create -wallet /u01/app/11.2.0.2/grid/network/admin/cost -auto_login
Oracle PKI Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
When using orapki version 11.2, -auto_login_local may also be specified when creating the cwallet.sso.
g) Modify the permissions of the obfuscated wallet (cwallet.sso) to allow usage by authorized group members.
[oracle@rac1]$ chmod 640 cwallet.sso
[oracle@rac1]$ ls -al
-rw-r----- 1 oracle oinstall 2493 Jul 11 15:18 cwallet.sso
-rw------- 1 oracle oinstall 2416 Jul 11 15:18 ewallet.p12
Important: Store the wallet password in a safe place. The wallet cannot be re-opened without it.
1.2) Update the grid home listener.ora so that it references the wallet location and add the COST parameters that will restrict registration. Do this for each node.
Add the wallet location to listener.ora.
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/11.2.0.2/grid/network/admin/cost)
    )
  )
At this time also add the COST registration restrictions for the SCAN listeners to the listener.ora. These parameters should be commented out now and will be enabled later.
In 11.2 RAC the grid agent uses the IPC protocol to create and manage SCAN listeners, so both IPC and TCPS must be listed as secure transports.
#SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)
#SECURE_REGISTER_LISTENER_SCAN2 = (IPC,TCPS)
#SECURE_REGISTER_LISTENER_SCAN3 = (IPC,TCPS)
The finished listener.ora should look like this:
[oracle@rac1]$ cat /u01/app/11.2.0.2/grid/network/admin/listener.ora
LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER))))                # line added by Agent
LISTENER_SCAN3=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN3))))    # line added by Agent
LISTENER_SCAN2=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN2))))    # line added by Agent
LISTENER_SCAN1=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1))))    # line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER_SCAN1=ON    # line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER_SCAN2=ON    # line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER_SCAN3=ON    # line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER=ON          # line added by Agent
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/11.2.0.2/grid/network/admin/cost)
    )
  )
#SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)
#SECURE_REGISTER_LISTENER_SCAN2 = (IPC,TCPS)
#SECURE_REGISTER_LISTENER_SCAN3 = (IPC,TCPS)
1.3) Using srvctl modify the SCAN listeners to also include TCPS protocol endpoints, then restart the SCAN listeners.
Please see note 1092753.1 if you are using srvctl with Oracle version 11.2.0.1.
srvctl config scan_listener
SCAN Listener LISTENER_SCAN1 exists. Port: TCP:1521
SCAN Listener LISTENER_SCAN2 exists. Port: TCP:1521
SCAN Listener LISTENER_SCAN3 exists. Port: TCP:1521
srvctl modify scan_listener -p TCP:1521/TCPS:1523
srvctl stop scan_listener
srvctl start scan_listener
srvctl config scan_listener
SCAN Listener LISTENER_SCAN1 exists. Port: TCP:1521/TCPS:1523
SCAN Listener LISTENER_SCAN2 exists. Port: TCP:1521/TCPS:1523
SCAN Listener LISTENER_SCAN3 exists. Port: TCP:1521/TCPS:1523
1.4) Add the wallet location to the sqlnet.ora of each instance home. If no sqlnet.ora exists create a new file. Registering instances must know the wallet location and have access in order to make the required SSL connection with the SCAN listeners.
[oracle@rac1]$ cat /u01/app/oracle/product/11.2.0/dbhome_2/network/admin/sqlnet.ora
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/11.2.0.2/grid/network/admin/cost)
    )
  )
Restart each instance after adding the wallet location to sqlnet.ora.
1.5) Modify instance startup parameters to use TCPS protocol with remote_listener.
The existing remote_listener value uses an ezconnect string value in the form host:port.
[oracle@rac1]$ sqlplus "/ as sysdba"
SQL*Plus: Release 11.2.0.2.0 Production on Tue Jul 12 16:37:52 2011
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
With the Partitioning, Real Application Clusters, Automatic Storage Management, OLAP,
Data Mining and Real Application Testing options
SQL> show parameter remote_listener
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
remote_listener                      string      rac-scan:1521
The replacement remote_listener value is an address_list containing the resolved SCAN listener IP addresses and TCPS ports. The addresses can be listed using srvctl.
[oracle@rac1]$ srvctl config scan
SCAN name: racbde-scan, Network: 1/10.141.154.0/255.255.254.0/eth1
SCAN VIP name: scan1, IP: /rac-scan.us.oracle.com/10.141.155.122
SCAN VIP name: scan2, IP: /rac-scan.us.oracle.com/10.141.155.120
SCAN VIP name: scan3, IP: /rac-scan.us.oracle.com/10.141.155.121
Associate the three IP addresses assigned to the SCAN listeners with the TCPS port that was added in step 1.3, in this case port 1523.
The SCAN addresses are the same for all instances in the cluster, so the remote_listener parameter value can be set from any instance home using the global option sid='*'. This will update the remote_listener value for all instances.
SQL> alter system set remote_listener='(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=10.141.155.121)(PORT=1523))(ADDRESS=(PROTOCOL=TCPS)(HOST=10.141.155.122)(PORT=1523))(ADDRESS=(PROTOCOL=TCPS)(HOST=10.141.155.120)(PORT=1523)))' scope=both sid='*';
SQL> show parameter remote_listener
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
remote_listener                      string      (ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=10.141.155.121)(PORT=1523))(ADDRESS=(PROTOCOL=TCPS)(HOST=10.141.155.122)(PORT=1523))(ADDRESS=(PROTOCOL=TCPS)(HOST=10.141.155.120)(PORT=1523)))
Changing the remote_listener value is a critical stage as it forces registration over TCPS using the wallets and certificates that were created in earlier steps. It is best to stop here and verify that all instances are registering properly with the SCAN listeners. If not, go back and review each of the previous steps to ensure an item was not overlooked.
If registration using TCP needs to be restored for any reason it is a simple matter to revert to the previously noted ezconnect address. The following command can be performed from any instance in the cluster and will make changes globally for all instances. Do not do this unless it is your intention to revert back to TCP and not enable COST restrictions in the next step.
SQL> alter system set remote_listener='rac-scan:1521' scope=both sid='*';
1.6) Enable COST parameters restricting instance registration in the grid home listener.ora.
When instance registration over TCPS with SCAN listeners is working properly the COST registration rules can be implemented. Edit the grid home listener.ora and remove the comments from the COST restriction parameters that were added in step 1.2.
SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)
SECURE_REGISTER_LISTENER_SCAN2 = (IPC,TCPS)
SECURE_REGISTER_LISTENER_SCAN3 = (IPC,TCPS)
Restart all listeners to load the new parameters.
[oracle@rac1]$ srvctl stop scan_listener
[oracle@rac1]$ srvctl start scan_listener
With COST enabled, attempts to register with SCAN listeners using a protocol other than TCPS are rejected and an event is logged in the listener log. Instances must also have the proper SSL credentials in order to connect and register their services.
13-JUL-2011 10:27:23 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
To verify that COST restrictions are functioning appropriately please refer to DocID:1453883.1, section 3, "Verifying that COST is working".
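An added log-scanning example (not part of the original note) for picking these rejections out of listener.log once COST is enabled: it pairs each event line whose return code is 1194 with the TNS-01194 message logged on the next line and counts them per operation, so that a non-zero count after the cut-over can be investigated. The log excerpt is constructed; its TNS-01194 pairs copy the event format shown above and the remaining lines are filler in the same style.

```python
import re
from collections import Counter

# Constructed sample listener.log excerpt. The "* 1194" / TNS-01194 pairs copy
# the event format shown in step 1.6 above; the other two lines are invented
# filler in the same style (a successful local registration, a client connect).
SAMPLE_LISTENER_LOG = """\
13-JUL-2011 10:27:23 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
13-JUL-2011 10:27:25 * service_register * rac1 * 0
13-JUL-2011 10:27:40 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
13-JUL-2011 10:28:01 * (CONNECT_DATA=(SERVICE_NAME=rac)) * establish * rac * 0
"""

# A listener.log event line: "<timestamp> * <field> [* <field>...] * <return code>".
EVENT_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* (?P<fields>.*) \* (?P<rc>\d+)$"
)
# Return code and message the listener logs when a registration command arrives
# over a transport that SECURE_REGISTER_<listener> does not allow.
COST_REJECT_RC = "1194"
COST_REJECT_MSG = "TNS-01194"


def rejected_registrations(lines):
    """Return (timestamp, operation, tns_message) for every registration
    attempt rejected under COST. The TNS-01194 text follows on the next
    line, so an event with return code 1194 is held until that line is seen."""
    events = []
    pending = None  # event still waiting for its TNS-01194 explanation line
    for raw in lines:
        line = raw.rstrip("\n")
        m = EVENT_RE.match(line)
        if m:
            pending = None
            if m.group("rc") == COST_REJECT_RC:
                # The first field of the event is the operation, e.g.
                # service_register_NSGR as in the event quoted in step 1.6.
                operation = m.group("fields").split(" * ")[0]
                pending = [m.group("ts"), operation, ""]
                events.append(pending)
        elif pending is not None and line.startswith(COST_REJECT_MSG):
            pending[2] = line
            pending = None
    return [tuple(e) for e in events]


def rejections_by_operation(events):
    """Count rejections per operation. After every instance has been switched
    to TCPS registration this should be empty; a non-zero count means something
    is still trying to register over a transport COST does not allow."""
    return Counter(op for _, op, _ in events)


if __name__ == "__main__":
    found = rejected_registrations(SAMPLE_LISTENER_LOG.splitlines())
    for ts, op, msg in found:
        print(ts, op, msg)
    print(dict(rejections_by_operation(found)))
```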
2) Oracle 11.2 RAC - Securing ASM and Database registration with the Local (node) listener.
In a RAC environment, and without the patch for bug:12880299, an IPC restriction on the local/node listener will cause the SCAN listener TCP handlers to block and not allow incoming client connections. The patch not only fixes this issue but also allows for registration from only the local node over TCP, provided that TCP is listed as a secure transport for registration.
Steps:
2.1) Obtain and apply the patch for bug:12880299. The patch should be applied to both the grid and rdbms homes on each node in the cluster.
2.2) Add COST IPC and TCP protocol restrictions to the listener.ora on each node.
Edit the grid home listener.ora and add SECURE_REGISTER_LISTENER = (IPC,TCP) to the existing list of SCAN listener restrictions.
In 11.2 RAC the grid agent uses the IPC protocol to create and manage node listeners, so both IPC and TCP must be listed as secure transports.
SECURE_REGISTER_LISTENER = (IPC,TCP)
SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)
SECURE_REGISTER_LISTENER_SCAN2 = (IPC,TCPS)
SECURE_REGISTER_LISTENER_SCAN3 = (IPC,TCPS)
2.3) To activate the COST restriction use srvctl to restart all instance/local listeners. (This action only needs to be performed on one node; all local listeners will restart.)
[oracle@rac1 ~]$ srvctl stop listener
[oracle@rac1 ~]$ srvctl start listener
To verify that COST restrictions are functioning appropriately please refer to DocID:1453883.1, section 3, "Verifying that COST is working".
3) Oracle RAC versions prior to 11.2 (10.2.0.3 - 11.1)
Note: The configuration and the usage of COST in these Oracle versions requires the prior installation of PSE 12880299. Only database/ASM homes should be patched; there is no requirement to patch CRS.
Steps:
3.1) Using orapki create a wallet with self-signed certificates that will be shared among node listeners and registering instances to make secure SSL connections.
If SSL is being used exclusively for instance registration then a single shared wallet with a self-signed certificate is all that is needed, and this is the easiest setup to implement. If other SSL features are planned, a unique wallet and certificate may be required for each node. Reference Oracle documentation for the SSL requirements of any additional SSL features that will be used and adjust as necessary.
a) Create an Oracle wallet: "ewallet.p12".
The target directory in this example is within the database home but the location can be anywhere that is accessible to Oracle.
[oracle@rac1]$ mkdir /u01/app/oracle/product/10.2.0/db_1/network/admin/cost
[oracle@rac1]$ orapki wallet create -wallet /u01/app/oracle/product/10.2.0/db_1/network/admin/cost
Enter password:
Enter password again:
b) Create a self-signed certificate that will be stored in the wallet.
This step creates an SSL certificate with the CN (common name) attribute value set to "cn=secure_register". This value can be used as is or interchanged with your own naming convention, e.g., "cn=orclprod".
[oracle@rac1]$ orapki wallet add -wallet /u01/app/oracle/product/10.2.0/db_1/network/admin/cost -self_signed -dn "cn=secure_register" -keysize 1024 -validity 3650
Enter wallet password:
c) The new wallet will contain a number of trusted certificates that are installed by default. You can use Oracle Wallet Manager (OWM), a Java tool in $ORACLE_HOME/bin, to remove all other trusted certificates except for the self-signed certificate "CN=secure_register" that was created in step 3.1-b.
Running OWM to remove the default trusted certs in the wallet is optional. Removing the extra trusted certificates that come installed with a new wallet is a housecleaning step and does not affect function. If you skip this step there will just be more output seen when viewing the finished wallet.
Once all the additional trusted certificates have been removed the finished wallet should look like this:
[oracle@rac1]$ orapki wallet display -wallet /u01/app/oracle/product/10.2.0/db_1/network/admin/cost
Enter wallet password:
Requested Certificates:
User Certificates:
Subject:        CN=secure_register
Trusted Certificates:
Subject:        CN=secure_register
d) Make copies of the finished wallet (ewallet.p12) and place them on each node in the same directory location, i.e., $ORACLE_HOME/network/admin/cost.
e) Using orapki create a unique obfuscated auto-login file "cwallet.sso" on each node. Both PMON and the listener will use the cwallet.sso to establish a secure SSL connection with each other. Once COST parameters restricting remote registration to TCPS are enabled, only instances that have access to the wallet and obfuscated wallet (cwallet.sso) will be able to remotely register with listeners.
[oracle@rac1]$ orapki wallet create -wallet /u01/app/oracle/product/10.2.0/db_1/network/admin/cost -auto_login
Enter wallet password:
[oracle@rac1]$ ls /u01/app/oracle/product/10.2.0/db_1/network/admin/cost
cwallet.sso  ewallet.p12
The wallet is now ready to use with files ewallet.p12 and cwallet.sso in $ORACLE_HOME/network/admin/cost.
Important: Store the wallet password in a safe place. The wallet cannot be re-opened without it.
3.2) Obtain and apply the patch for bug:12880299 to all nodes in the cluster.
In a RAC environment, and without the patch for bug:12880299, an IPC restriction on the local/node listener will cause the SCAN listener TCP handlers to block incoming connections. The patch not only fixes this issue but also allows for registration from only the local node over TCP, provided that TCP is listed as a secure transport for registration.
3.3) Update the listener.ora so that it references the wallet location and add the COST parameters that will restrict registration; also add a listen endpoint for TCPS that PMON will use to send registration updates. Do this in the listener.ora of each node.
The location of the listener.ora that the running listener is using can be identified with lsnrctl> status.
Before edit, the listener.ora will look similar to:
LISTENER_RAC1 =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
      (ADDRESS = (PROTOCOL = TCP)(HOST = rac1-vip.us.oracle.com)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.203.210)(PORT = 1521))
    )
  )
a) Add a TCPS address and endpoint to listener.ora. Use the existing node VIP address and any available port for the TCPS endpoint.
LISTENER_RAC1 =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
      (ADDRESS = (PROTOCOL = TCP)(HOST = rac1-vip.us.oracle.com)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = rac1-vip.us.oracle.com)(PORT = 1523))
      (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.203.210)(PORT = 1521))
    )
  )
b) Add the wallet location to listener.ora.
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/product/10.2.0/db_1/network/admin/cost)
    )
  )
c) Add the COST registration restrictions for TCP and TCPS to the listener.ora. The parameter should be commented out now but will be enabled later.
#SECURE_REGISTER_LISTENER_RAC1 = (TCP,TCPS)
The above actions, 3.3-a, b and c, should be performed on each listener.ora on each cluster node. Make sure references to listener and VIP names are accurate for each node.
A finished listener.ora will look like this:
LISTENER_RAC1 =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
      (ADDRESS = (PROTOCOL = TCP)(HOST = rac1-vip.us.oracle.com)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = rac1-vip.us.oracle.com)(PORT = 1523))
      (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.203.210)(PORT = 1521))
    )
  )
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/product/10.2.0/db_1/network/admin/cost)
    )
  )
#SECURE_REGISTER_LISTENER_RAC1 = (TCP,TCPS)
3.4) After the changes to the listener.ora have been made, stop and restart the listener and confirm that it has the TCPS listen endpoint that was added along with the previously existing endpoints.
[oracle@rac1]$ srvctl stop listener -n rac1
[oracle@rac1]$ srvctl start listener -n rac1
LSNRCTL> status
Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
STATUS of the LISTENER
------------------------
Alias                     LISTENER_RAC1
...
...
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.203.214)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=192.168.203.214)(PORT=1523)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.203.210)(PORT=1521)))
The listener supports no services
The command completed successfully
3.5) Add the wallet location to the sqlnet.ora of each instance home. The sqlnet.ora is read by the instance at startup. Registering instances must know the wallet location and have access in order to make the required SSL connection with remote listeners.
[oracle@rac1]$ cat /u01/app/oracle/product/10.2.0/db_1/network/admin/sqlnet.ora
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/product/10.2.0/db_1/network/admin/cost)
    )
  )
3.6) Modify instance startup parameters to use the new TCPS protocol addresses used by all of the node listeners. The instance uses the remote_listener parameter value to locate those addresses.
[oracle@rac1 ~]$ sqlplus "/ as sysdba"
SQL*Plus: Release 10.2.0.3.0 - Production on Tue May 1 11:12:33 2012
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bit Production
With the Partitioning, Real Application Clusters, OLAP and Data Mining options
SQL> show parameter remote_listener
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
remote_listener                      string      listeners_rac
In this case the database is using the tns alias "listeners_rac" in tnsnames.ora to store the listener addresses.
Edit the listeners_rac entry in TNSNAMES.ORA that is being used by the database.
Before edit:
LISTENERS_RAC =
  (ADDRESS_LIST =
    (ADDRESS = (PROTOCOL = TCP)(HOST = rac1-vip.us.oracle.com)(PORT = 1521))
    (ADDRESS = (PROTOCOL = TCP)(HOST = rac2-vip.us.oracle.com)(PORT = 1521))
  )
Comment out the existing TCP addresses and add the new TCPS addresses that will be used for registration.
LISTENERS_RAC =
  (ADDRESS_LIST =
    # (ADDRESS = (PROTOCOL = TCP)(HOST = rac1-vip.us.oracle.com)(PORT = 1521))
    # (ADDRESS = (PROTOCOL = TCP)(HOST = rac2-vip.us.oracle.com)(PORT = 1521))
    (ADDRESS = (PROTOCOL = TCPS)(HOST = rac1-vip.us.oracle.com)(PORT = 1523))
    (ADDRESS = (PROTOCOL = TCPS)(HOST = rac2-vip.us.oracle.com)(PORT = 1523))
  )
The next step is to restart the instance, but before doing that make note of the current lsnrctl services output on one of the listeners on another node (a remote listener) so you can compare the results after the restart (they should match). Of particular interest is the remote service handler of the instance you are testing.
srvctl stop instance -d rac -i rac2 -o immediate
srvctl start instance -d rac -i rac2
If the remote service handler output matches the handler output prior to the restart then TCPS connectivity and secure network registration are functional. Repeat this process until all nodes are successfully registering remotely over TCPS. If the lsnrctl services output is not correct after the restart, go back over the configuration steps to make sure nothing was missed. If there is a need to revert to the previous TCP configuration, just remove the comment from the TCP entries in the listeners_rac tns alias, comment out the TCPS entries and restart the instance.
3.7) When all instances are properly registering with remote listeners over the TCPS protocol you are ready to enable COST restrictions.
Remove the comment from the COST restriction entry in each listener.ora and restart the listener.
SECURE_REGISTER_LISTENER_RAC1 = (TCP,TCPS)
To verify that COST restrictions are functioning appropriately please refer to DocID:1453883.1, section 3, "Verifying that COST is working".
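A configuration audit example, added here and not taken from this note or from any Oracle tool, that covers the COST parameter lines of steps 1.2, 1.6 and 3.3 and the registration address lists of steps 1.5 and 3.6: it reports SECURE_REGISTER_ parameters that are missing, still commented out or listing unexpected transports, and flags any registration address that is not TCPS. The listener.ora fragment and the tnsnames alias are constructed after the examples in this note, and the function and constant names are my own.

```python
import re

# Constructed listener.ora fragment modelled on the finished file of step 1.2
# (11.2 grid home), with two deliberate defects: SCAN2 is still commented out
# and SCAN3 also allows plain TCP.
SAMPLE_LISTENER_ORA = """\
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /u01/app/11.2.0.2/grid/network/admin/cost)))
SECURE_REGISTER_LISTENER = (IPC,TCP)
SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)
#SECURE_REGISTER_LISTENER_SCAN2 = (IPC,TCPS)
SECURE_REGISTER_LISTENER_SCAN3 = (IPC,TCPS,TCP)
"""
# Transports each listener should accept in the 11.2 layout of sections 1 and 2.
EXPECTED_11_2 = {
    "LISTENER": {"IPC", "TCP"},
    "LISTENER_SCAN1": {"IPC", "TCPS"},
    "LISTENER_SCAN2": {"IPC", "TCPS"},
    "LISTENER_SCAN3": {"IPC", "TCPS"},
}
# Constructed tnsnames alias in the edited state of step 3.6: TCP entries
# commented out, TCPS entries active (one address per line).
SAMPLE_LISTENERS_RAC = """\
LISTENERS_RAC =
  (ADDRESS_LIST =
    # (ADDRESS = (PROTOCOL = TCP)(HOST = rac1-vip.us.oracle.com)(PORT = 1521))
    # (ADDRESS = (PROTOCOL = TCP)(HOST = rac2-vip.us.oracle.com)(PORT = 1521))
    (ADDRESS = (PROTOCOL = TCPS)(HOST = rac1-vip.us.oracle.com)(PORT = 1523))
    (ADDRESS = (PROTOCOL = TCPS)(HOST = rac2-vip.us.oracle.com)(PORT = 1523))
  )
"""

# "SECURE_REGISTER_<name> = (P1,P2)" with an optional leading '#' captured.
COST_RE = re.compile(
    r"^\s*(?P<comment>#)?\s*SECURE_REGISTER_(?P<listener>\w+)\s*=\s*\((?P<protos>[^)]*)\)",
    re.IGNORECASE | re.MULTILINE)
# One "(ADDRESS = (KEY = value)(KEY = value)...)" entry and its inner attributes.
ADDRESS_RE = re.compile(r"\(ADDRESS\s*=\s*(?P<body>(?:\([^()]*\)\s*)+)\)", re.IGNORECASE)
ATTR_RE = re.compile(r"\(\s*(\w+)\s*=\s*([^()]*?)\s*\)")

def parse_cost_params(text):
    """Map listener name -> (enabled, transports) for every SECURE_REGISTER_ line."""
    found = {}
    for m in COST_RE.finditer(text):
        protos = {p.strip().upper() for p in m.group("protos").split(",") if p.strip()}
        found[m.group("listener").upper()] = (m.group("comment") is None, protos)
    return found

def audit_cost(text, expected):
    """Findings for parameters that are missing, commented out, or allow unexpected transports."""
    findings = []
    found = parse_cost_params(text)
    for name, want in expected.items():
        if name not in found:
            findings.append(f"{name}: no SECURE_REGISTER_{name} parameter")
            continue
        enabled, protos = found[name]
        if not enabled:
            findings.append(f"{name}: COST restriction is still commented out")
        if protos != want:
            findings.append(f"{name}: transports {sorted(protos)} differ from {sorted(want)}")
    return findings

def parse_addresses(text):
    """Active (ADDRESS=...) entries of a remote_listener value or tnsnames ADDRESS_LIST,
    as dicts; '#'-commented lines are skipped, so each address must sit on one line."""
    live = "\n".join(ln for ln in text.splitlines() if not ln.lstrip().startswith("#"))
    addrs = []
    for m in ADDRESS_RE.finditer(live):
        attrs = {k.upper(): v for k, v in ATTR_RE.findall(m.group("body"))}
        attrs["PROTOCOL"] = attrs.get("PROTOCOL", "").upper()
        addrs.append(attrs)
    return addrs

def non_tcps_addresses(text):
    """Registration addresses that are not TCPS: once the listener accepts remote
    registration only over TCPS, PMON's use of these ends in TNS-01194."""
    return [a for a in parse_addresses(text) if a["PROTOCOL"] != "TCPS"]

def tcps_remote_listener(scan_ips, port):
    """Build the remote_listener ADDRESS_LIST of step 1.5 from the SCAN VIP
    addresses (srvctl config scan) and the TCPS port added in step 1.3."""
    entries = "".join(f"(ADDRESS=(PROTOCOL=TCPS)(HOST={ip})(PORT={port}))" for ip in scan_ips)
    return f"(ADDRESS_LIST={entries})"
```

Running audit_cost(SAMPLE_LISTENER_ORA, EXPECTED_11_2) returns two findings, one for the commented-out SCAN2 line and one for the extra TCP transport on SCAN3; for a pre-11.2 node listener pass {"LISTENER_RAC1": {"TCP", "TCPS"}} instead.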
Patch/fix information for BUG:12880299
The fix for BUG:12880299 will be included in Oracle 11.2.0.4.
PSUs that include the fix:
Cumulative Patch Inclusion - DBPSU 10.2.0.5.8 (Released)
Cumulative Patch Inclusion - DBPSU 11.2.0.2.7 (Released)
Cumulative Patch Inclusion - DBPSU 10.2.0.4.13 (Released)
Cumulative Patch Inclusion - DBPSU 11.2.0.3.3 (Released)
Cumulative Patch Inclusion - DBPSU 11.1.0.7.12 (Released)
Windows patch availability for bugfix:12880299
11.2.0.3: 12880299 is included in bundle 6 (Released)
  32-bit : Patch 13965210
  64-bit : Patch 13965211
11.2.0.2: 12880299 is included in bundle 19 (Released)
  32-bit : Patch 14046710
  64-bit : Patch 14046711
11.1.0.7: 12880299 is included in bundle 46 (Released)
10.2.0.5: 12880299 is included in bundle 17 (Released)
References
NOTE:1455068.1 - Force Connections to a Specific Database Service When two Identical Services are Registered to CMAN
NOTE:1453883.1 - Using Class of Secure Transport (COST) to Restrict Instance Registration
BUG:12880299 - RAC: TCP HANDLERS BLOCK IF LISTENER REGISTRATION IS RESTRICTED TO IPC W/COST
NOTE:1457854.1 - How To Enable TCPS Support For Oracle Standard Edition
NOTE:1092753.1 - How To Configure Scan Listeners With A TCPS Port?
Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle RAC [ID 1340831.1]
Last modified: 08-OCT-2012    Type: HOWTO    Status: PUBLISHED
Original URL: https://www.cnblogs.com/yaoyangding/p/12971519.html