
Posts from the ‘Security’ Category

Listener valid node checking

Valid node checking is one of the listener security features, and I think it is a rather lesser-known one. Its purpose is access control: by configuring a set of invited or excluded nodes, you control which hosts are allowed to connect to your database. You add the hostnames or IP addresses in the sqlnet.ora file.

In other cases it can be more complex, particularly when a single database hosts several applications. There will be cases where a database must accept connections from a large number of hosts, where the list of connecting hosts is constantly changing, or where an organization changes both the IP addresses and the hostnames of its machines on a somewhat random basis. For such systems, valid node checking is not a viable feature.

If only a few client hosts need to connect to your database, you can enable this feature in sqlnet.ora; it then restricts connections to the database from any other client host.

Let's see:

On the database server, I configured the following entries in sqlnet.ora:

tcp.validnode_checking = yes
tcp.invited_nodes = (siebelpoc)

Reload the listener:

lsnrctl>reload

From the client host:

[oracle@siebelpoc ~]$ export ORACLE_SID=testdb 
[oracle@siebelpoc ~]$ sqlplus system/Admin123@testdb

SQL*Plus: Release 11.2.0.1.0 Production on Sun Feb 26 11:02:48 2012

Copyright (c) 1982, 2009, Oracle.  All rights reserved.

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> select name from v$database;

NAME
---------
TESTDB

I was able to connect.

Then I edited the invited nodes again in the database server's sqlnet.ora:

tcp.validnode_checking = yes
tcp.invited_nodes = (siebel)

Reload the listener:

lsnrctl>reload

From the client machine:

[oracle@siebelpoc ~]$ sqlplus system/Admin123@testdb

SQL*Plus: Release 11.2.0.1.0 Production on Sun Feb 26 11:05:36 2012

Copyright (c) 1982, 2009, Oracle.  All rights reserved.

ERROR: ORA-12537: TNS:connection closed

Now I cannot connect to the database from the client host, because I changed the invited node in sqlnet.ora.
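As an added example (not code from the original post), here is a small Python simulation of the decision the listener makes once tcp.validnode_checking is on. It parses the sqlnet.ora parameters shown above and answers whether a given client name or address would be accepted, applying the documented rule that tcp.invited_nodes takes precedence over tcp.excluded_nodes when both are present. The sample sqlnet.ora content, and every host name or address other than siebelpoc and siebel, is constructed. Matching here is an exact, case-insensitive string comparison; the real listener resolves hostnames through name lookup, which is exactly why the renamed-host scenario above breaks the control.

```python
"""Simulate Oracle listener valid node checking from sqlnet.ora entries.

Added example, not code from the original post. Decision rule implemented:
  - tcp.validnode_checking != yes      -> everyone is accepted
  - tcp.invited_nodes present          -> only listed clients are accepted
                                          (tcp.excluded_nodes is ignored)
  - only tcp.excluded_nodes present    -> listed clients are refused
Matching is exact string comparison of the name/address the listener would
see; the real listener additionally resolves hostnames.
"""
import re

# Constructed sqnet.ora content: siebel/siebelpoc are the hosts from the post,
# 10.0.0.25 is a made-up address.
SAMPLE_SQLNET_ORA = """
# constructed sample
tcp.validnode_checking = yes
tcp.invited_nodes = (siebel, 10.0.0.25)
tcp.excluded_nodes = (siebelpoc)
"""

_PARAM_RE = re.compile(r"^\s*([A-Za-z_.]+)\s*=\s*(.+?)\s*$")


def parse_sqlnet(text):
    """Return {parameter_lower: value} for simple 'key = value' lines."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # strip trailing comments
        m = _PARAM_RE.match(line)
        if m:
            params[m.group(1).lower()] = m.group(2)
    return params


def parse_node_list(value):
    """Turn '(host1, 10.0.0.5)' or 'host1' into a list of lowercase entries."""
    value = value.strip()
    if value.startswith("(") and value.endswith(")"):
        value = value[1:-1]
    return [v.strip().lower() for v in value.split(",") if v.strip()]


def is_client_allowed(client, params):
    """Decide whether `client` (hostname or IP as the listener sees it) may connect.

    Returns (allowed: bool, reason: str).
    """
    if params.get("tcp.validnode_checking", "no").lower() != "yes":
        return True, "valid node checking disabled"
    client = client.lower()
    invited = parse_node_list(params.get("tcp.invited_nodes", ""))
    excluded = parse_node_list(params.get("tcp.excluded_nodes", ""))
    if invited:                                # invited list takes precedence
        if client in invited:
            return True, "client in tcp.invited_nodes"
        return False, "client not in tcp.invited_nodes (client sees ORA-12537)"
    if client in excluded:
        return False, "client in tcp.excluded_nodes"
    return True, "no invited list and client not excluded"


if __name__ == "__main__":
    cfg = parse_sqlnet(SAMPLE_SQLNET_ORA)
    for host in ("siebelpoc", "siebel", "10.0.0.25", "unknownhost"):
        allowed, why = is_client_allowed(host, cfg)
        print(f"{host:12s} {'ALLOW' if allowed else 'DENY ':5s} {why}")
```

Running it reproduces the post's observation: with the invited list changed from siebelpoc to siebel, the siebelpoc client is refused even though it is not explicitly excluded, because an invited list turns the listener into an allow-list.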

TNS-12508: TNS:listener could not resolve the COMMAND given

LSNRCTL> set  log_directory /u01/app/oracle/product/11.2.0.2/dbhome_2/network/admin/lsnrlog

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=xxxxxxxxxxxxxx)(PORT=1521)))

TNS-12508: TNS:listener could not resolve the COMMAND given

The above error occurred while I was trying to set the log directory for the listener. The listener refused the command because I had enabled the ADMIN_RESTRICTIONS parameter in listener.ora. For that reason, administrator-level SET commands cannot be used; the following are refused: SET TRC_FILE, SET TRC_DIRECTORY, SET TRC_LEVEL, SET LOG_DIRECTORY, SET LOG_STATUS, SET CURRENT_LISTENER, SET STARTUP_TIME.

When enabled, ADMIN_RESTRICTIONS instructs the Listener not to accept any administrative commands from lsnrctl. Instead, an administrator must log in to the Listener’s host OS and make configuration changes directly in listener.ora.

So in this case, we should disable it by setting ADMIN_RESTRICTIONS_LISTENER = OFF in listener.ora and then reload the listener.

This parameter exists to stop attackers who try to manipulate the listener trace file remotely; with it enabled, the listener refuses those SET commands.

TNS-01251: Cannot set trace/log directory under ADR

When you try to set a new listener log directory, you may face the following error:

LSNRCTL> set log_directory /u01/app/oracle/product/11.2.0.2/dbhome_2/network/admin/lsnr_log 
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=xxxxxx)(PORT=1521)))

TNS-01251: Cannot set trace/log directory under ADR

Solution:

If the parameter DIAG_ADR_ENABLED_listenername is set to ON in listener.ora, the trace and log files are located under the ADR_BASE_listenername location. When ADR is enabled, all listener-related trace and log files are stored under the ADR base location. If you do not want to store them there, you can disable ADR.

In listener.ora:

DIAG_ADR_ENABLED_LISTENER = OFF

Reload the listener:

LSNRCTL> reload

LSNRCTL> set log_directory /u01/app/oracle/product/11.2.0.2/dbhome_2/network/admin/lsnr_log
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=xxxxxx)(PORT=1521)))
LISTENER parameter "log_directory" set to /u01/app/oracle/product/11.2.0.2/dbhome_2/network/admin/lsnr_log
The command completed successfully
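This post and the ADMIN_RESTRICTIONS post above come down to two listener.ora parameters that decide whether the log and trace file locations can be changed through lsnrctl instead of through the file on disk. The following Python audit script is an added example, not code from the original posts: it parses a listener.ora, finds each listener definition, and reports ADMIN_RESTRICTIONS_<name> and DIAG_ADR_ENABLED_<name> per listener, flagging the combination the two posts demonstrate (ADMIN_RESTRICTIONS off and ADR off, so SET LOG_DIRECTORY succeeds). The listener names, host and log path in the sample file are constructed; the defaults assumed for absent parameters are ADMIN_RESTRICTIONS OFF and DIAG_ADR_ENABLED ON.

```python
"""Audit listener.ora for ADMIN_RESTRICTIONS and DIAG_ADR_ENABLED per listener.

Added example, not code from the original posts. Assumed defaults when a
parameter is absent: ADMIN_RESTRICTIONS_<name> = OFF, DIAG_ADR_ENABLED_<name> = ON.
"""
import re

# Constructed listener.ora: listener names, host and log path are made up;
# only the parameter names come from the posts.
SAMPLE_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521))
    )
  )

LISTENER_APP =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1522))
  )

SID_LIST_LISTENER_APP =
  (SID_LIST = (SID_DESC = (SID_NAME = testdb)))

ADMIN_RESTRICTIONS_LISTENER = ON
DIAG_ADR_ENABLED_LISTENER = OFF
LOG_DIRECTORY_LISTENER = /u01/app/oracle/network/admin/lsnr_log

ADMIN_RESTRICTIONS_LISTENER_APP = OFF
DIAG_ADR_ENABLED_LISTENER_APP = OFF
"""

# Anchored at column 0 on purpose: only un-indented lines start a parameter.
_TOP_LEVEL_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_listener_ora(text):
    """Return {PARAM: value}.

    Indented continuation lines are joined onto the preceding top-level
    parameter, so a multi-line address descriptor becomes one value.
    """
    params = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip comments
        if not line.strip():
            continue
        m = _TOP_LEVEL_RE.match(line)
        if m:
            current = m.group(1).upper()
            params[current] = m.group(2).strip()
        elif current is not None:
            params[current] = (params[current] + " " + line.strip()).strip()
    return params


def listener_names(params):
    """A listener is any top-level parameter whose value is an address descriptor."""
    return sorted(name for name, value in params.items()
                  if value.upper().startswith("(DESCRIPTION"))


def audit_listener(name, params):
    """Return the effective settings and the findings for one listener."""
    admin = params.get(f"ADMIN_RESTRICTIONS_{name}", "OFF").upper()
    adr = params.get(f"DIAG_ADR_ENABLED_{name}", "ON").upper()
    findings = []
    if admin != "ON":
        findings.append("ADMIN_RESTRICTIONS off: lsnrctl SET commands are accepted, "
                        "so listener settings change without editing listener.ora")
        if adr != "ON":
            findings.append("DIAG_ADR_ENABLED also off: SET LOG_DIRECTORY / "
                            "SET TRC_DIRECTORY can relocate log and trace files")
    return {"listener": name, "admin_restrictions": admin,
            "diag_adr_enabled": adr, "findings": findings}


def audit(text):
    """Audit every listener defined in the given listener.ora text."""
    params = parse_listener_ora(text)
    return [audit_listener(name, params) for name in listener_names(params)]


if __name__ == "__main__":
    for result in audit(SAMPLE_LISTENER_ORA):
        print(f"{result['listener']}: ADMIN_RESTRICTIONS={result['admin_restrictions']} "
              f"DIAG_ADR_ENABLED={result['diag_adr_enabled']}")
        for finding in result["findings"]:
            print("  -", finding)
```

With ADMIN_RESTRICTIONS on, the ADR setting is only a question of where the files go (ADR base versus a LOG_DIRECTORY pinned in listener.ora), which is why LISTENER in the sample gets no finding; LISTENER_APP, with both parameters off, is the state in which the SET LOG_DIRECTORY command at the end of this post succeeds.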