Starting with Oracle 10g the listener gained a second authentication mode, Local OS Authentication, so setting a listener password is no longer a mandatory item in a security check.
In 10g, even when no listener password is set, only the OS user that started the listener can run control commands against it (stop, reload, trace and so on); every other OS user is refused.
1. Listener authentication
Test environment:
OS: RHEL AS 4.8
DB: Oracle 10.2.0.1
Users: oracle, oracle1
Test 1:
Verify the default behaviour: user oracle starts the listener, and user oracle1 cannot stop, reload or trace the listener that oracle started.
User oracle starts the listener and checks its status:
LSNRCTL>start
Starting /orahome/oracle/product/10.2.0/db_1/bin/tnslsnr: please wait...
TNSLSNR for Linux: Version 10.2.0.1.0 - Production
(output omitted)
LSNRCTL>status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
STATUS of the LISTENER
------------------------
(output omitted)
Trace Level off
Security ON: Local OS Authentication
(output omitted)
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.1.23)(PORT=1521)))
Services Summary...
Service "mydata" has 1 instance(s).
Instance "mydata", status READY, has 1 handler(s) for this service...
The command completed successfully
The line "Security ON: Local OS Authentication" shows that security is on by default, the mode is Local OS Authentication, and no password has been set.
Switch to the other user, oracle1:
[oracle@oraserver ~]$su - oracle1
Password:
[oracle1@oraserver ~]$id
uid=1003(oracle1) gid=1002(oinstall) groups=1001(dba),1002(oinstall)
[oracle1@oraserver ~]$lsnrctl
LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 12-APR-2011 18:35:48
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL>stop listener
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
TNS-01190: The user is not authorized to execute the requested listener command
LSNRCTL>
LSNRCTL>reload listener
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
TNS-01190: The user is not authorized to execute the requested listener command
LSNRCTL>
LSNRCTL>trace user listener
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
TNS-01190: The user is not authorized to execute the requested listener command
The TNS-01190 errors show that oracle1 is not authorized to run the requested listener commands, i.e. it cannot administer the listener. Note that oracle1 is a member of the dba and oinstall groups just like oracle; Local OS Authentication keys on the OS user that started the listener, not on group membership.
Test 2:
User oracle enables password authentication on the listener it started; the password is not required for oracle itself, because Local OS Authentication still applies to the starting user.
User oracle starts the listener and enables password authentication:
[oracle@oraserver ~]$id
uid=1001(oracle) gid=1002(oinstall) groups=1001(dba),1002(oinstall)
LSNRCTL>start
Starting /orahome/oracle/product/10.2.0/db_1/bin/tnslsnr: please wait...
TNSLSNR for Linux: Version 10.2.0.1.0 - Production
(output omitted)
LSNRCTL>change_password
Old password: (empty)
New password:123456
Reenter new password:123456
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
Password changed for LISTENER
The command completed successfully
LSNRCTL>save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
Saved LISTENER configuration parameters.
Listener Parameter File /orahome/oracle/product/10.2.0/db_1/network/admin/listener.ora
Old Parameter File /orahome/oracle/product/10.2.0/db_1/network/admin/listener.bak
The command completed successfully
LSNRCTL>status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
STATUS of the LISTENER
------------------------
(output omitted)
Security ON: Password or Local OS Authentication
SNMP OFF
(output omitted)
The Security line now reads "ON: Password or Local OS Authentication": either a password or Local OS Authentication is accepted.
LSNRCTL>reload listener
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
The command completed successfully
LSNRCTL>
LSNRCTL>trace user listener
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
Opened trace file: /orahome/oracle/product/10.2.0/db_1/network/trace/listener.trc
The command completed successfully
LSNRCTL>
LSNRCTL>stop listener
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
The command completed successfully
No password was supplied with "set password" in this session, yet oracle could reload, trace and stop the listener it started: the OS user that started the listener is still accepted by Local OS Authentication, so the password never comes into play for it.
Test 3:
User oracle starts the listener with password authentication enabled.
If user oracle1 passes the password check, it can reload, stop and trace the listener that oracle started.
If oracle1 does not pass the password check, it cannot run any of these operations.
[oracle@oraserver ~]$id
uid=1001(oracle) gid=1002(oinstall) groups=1001(dba),1002(oinstall)
The listener password is set exactly as in Test 2.
[oracle@oraserver ~]$lsnrctl status listener
LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 12-APR-2011 19:06:36
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
STATUS of the LISTENER
------------------------
(output omitted)
Security ON: Password or Local OS Authentication
SNMP OFF
Listener Parameter File /orahome/oracle/product/10.2.0/db_1/network/admin/listener.ora
Listener Log File /orahome/oracle/product/10.2.0/db_1/network/log/listener.log
(output omitted)
The Security line shows that both password authentication and Local OS Authentication are accepted.
[oracle1@oraserver ~]$id
uid=1003(oracle1) gid=1002(oinstall) groups=1001(dba),1002(oinstall)
[oracle1@oraserver ~]$lsnrctl reload listener
LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 12-APR-2011 19:10:19
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
TNS-01190: The user is not authorized to execute the requested listener command
[oracle1@oraserver ~]$lsnrctl
LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 12-APR-2011 19:10:29
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL>reload listener
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
TNS-01190: The user is not authorized to execute the requested listener command
LSNRCTL>
LSNRCTL>set password 123456
The command completed successfully
LSNRCTL>reload listener
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
The command completed successfully
LSNRCTL>trace user listener
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
Opened trace file: /orahome/oracle/product/10.2.0/db_1/network/trace/listener.trc
The command completed successfully
LSNRCTL>
LSNRCTL>stop listener
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
Opened trace file: /orahome/oracle/product/10.2.0/db_1/network/trace/listener.trc
The command completed successfully
Once oracle1 entered the lsnrctl command line and ran "set password 123456", it passed the password check configured by oracle and could reload, stop and trace the listener that oracle started. Note that "set password" does not change anything on the listener: it only stores the password for the rest of the lsnrctl session, and from then on every control command is sent with it (the same reason the one-shot "lsnrctl reload listener" above failed while the interactive session succeeded).
Besides reload, stop and trace, the following commands are also subject to this authentication:
SAVE_CONFIG, SPAWN,
SET {LOG_FILE, LOG_STATUS, INBOUND_CONNECT_TIMEOUT, SAVE_CONFIG_STOP_ON, TRC_FILE, TRC_LEVEL, LOG_DIRECTORY, STARTUP_WAITTIME}
SHOW {RULES, TRC_DIRECTORY, LOG_FILE, LOG_STATUS, INBOUND_CONNECT_TIMEOUT, SNMP_VISIBLE, TRC_FILE, TRC_LEVEL, LOG_DIRECTORY, STARTUP_WAITTIME, SAVE_CONFIG_STOP_ON}
2. Remote listener registration (remote_listener)
Environment
Host A:
IP:192.168.1.23
OS:RHEL AS 4.8
service_name:test
db_name:mydata
username:oracle
Host B:
IP:192.168.1.24
OS:RHEL AS 4.8
service_name:product
db_name:lottery
username:oracle
Listener status on host A:
LSNRCTL>status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
STATUS of the LISTENER
------------------------
(output omitted)
Security ON: Local OS Authentication
SNMP OFF
(output omitted)
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.1.23)(PORT=1521)))
Services Summary...
Service "TEST" has 1 instance(s).
Instance "mydata", status READY, has 1 handler(s) for this service...
Service "mydata" has 1 instance(s).
Instance "mydata", status READY, has 1 handler(s) for this service...
The command completed successfully
Listener status on host B:
LSNRCTL>status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ccddt)(PORT=1521)))
STATUS of the LISTENER
------------------------
(output omitted)
Security ON: Local OS Authentication
SNMP OFF
(output omitted)
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=ccddt)(PORT=1521)))
Services Summary...
Service "product" has 1 instance(s).
Instance "lottery", status READY, has 1 handler(s) for this service...
Service "lottery" has 1 instance(s).
Instance "lottery", status READY, has 1 handler(s) for this service...
The command completed successfully
Remote listener registration (remote_listener)
Register host A's service_name "test" with the remote listener on host B.
Add the following entry to tnsnames.ora on host A:
LISTENER_R =
(ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.1.24)(PORT = 1521))
Set the remote_listener instance parameter on host A to that alias:
SQL>alter system set remote_listener=LISTENER_R;
System altered.
Run lsnrctl status on host B and look at the listener status: two new entries appear
for host A's database, its service_names value (test) and its db_name (mydata).
LSNRCTL>status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ccddt)(PORT=1521)))
STATUS of the LISTENER
------------------------
(output omitted)
Security ON: Local OS Authentication
(output omitted)
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=ccddt)(PORT=1521)))
Services Summary...
Service "lottery" has 1 instance(s).
Instance "lottery", status READY, has 1 handler(s) for this service...
Service "mydata" has 1 instance(s).
Instance "mydata", status READY, has 1 handler(s) for this service...
Service "product" has 1 instance(s).
Instance "lottery", status READY, has 1 handler(s) for this service...
Service "test" has 1 instance(s).
Instance "mydata", status READY, has 1 handler(s) for this service...
The command completed successfully
Note: whatever service_names is set to, the instance also registers dynamically under its db_name, which is why the extra Service "mydata" entry appears.
Also note what was not needed: nothing was configured on host B and no password or OS check was involved. A remote instance registers its services with B's listener simply by pointing remote_listener at it. The listener authentication tested in part 1 covers lsnrctl control commands only, not dynamic service registration, so the services a listener advertises are only as trustworthy as the hosts that can reach its port.
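Added example (not from the original article): a small Python audit that parses "lsnrctl status" output and applies the two checks this page walks through, the Security line from part 1 and the Services Summary from part 2. The sample status text is constructed to mirror host B's listener after the registration above; the column-aligned layout of the status lines, the "expected local instances" allowlist and the function names are assumptions of this example, not Oracle tooling.

```python
import re

# Constructed sample of `lsnrctl status` output, modelled on host B's listener
# (ccddt, 192.168.1.24) after host A registered its instance through
# remote_listener. The column-aligned layout is an assumption of this example;
# lines the parser does not need are left out.
SAMPLE_STATUS = """\
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ccddt)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Security                  ON: Password or Local OS Authentication
SNMP                      OFF
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=ccddt)(PORT=1521)))
Services Summary...
Service "lottery" has 1 instance(s).
  Instance "lottery", status READY, has 1 handler(s) for this service...
Service "mydata" has 1 instance(s).
  Instance "mydata", status READY, has 1 handler(s) for this service...
Service "product" has 1 instance(s).
  Instance "lottery", status READY, has 1 handler(s) for this service...
Service "test" has 1 instance(s).
  Instance "mydata", status READY, has 1 handler(s) for this service...
The command completed successfully
"""

SECURITY_RE = re.compile(r"^\s*Security\s+(ON|OFF)(?::\s*(.+?))?\s*$")
SERVICE_RE = re.compile(r'^\s*Service\s+"([^"]+)"\s+has\s+\d+\s+instance')
INSTANCE_RE = re.compile(r'^\s*Instance\s+"([^"]+)",\s+status\s+(\w+)')


def parse_status(text):
    """Return the Security value and a {service: [(instance, status), ...]} map."""
    security, services, current = None, {}, None
    for line in text.splitlines():
        m = SECURITY_RE.match(line)
        if m:
            security = m.group(1) if m.group(2) is None else "%s: %s" % (m.group(1), m.group(2))
            continue
        m = SERVICE_RE.match(line)
        if m:
            current = m.group(1)
            services.setdefault(current, [])
            continue
        m = INSTANCE_RE.match(line)
        if m and current is not None:
            services[current].append((m.group(1), m.group(2)))
    return {"security": security, "services": services}


def classify_security(security):
    """Map the Security line to OFF, LOCAL_OS, PASSWORD, PASSWORD_OR_LOCAL_OS or UNKNOWN."""
    if security is None:
        return "UNKNOWN"
    s = security.upper()
    if s.startswith("OFF"):
        return "OFF"
    has_pw, has_os = "PASSWORD" in s, "LOCAL OS" in s
    if has_pw and has_os:
        return "PASSWORD_OR_LOCAL_OS"
    if has_pw:
        return "PASSWORD"
    if has_os:
        return "LOCAL_OS"
    return "UNKNOWN"


# What each mode means for control commands (stop, reload, trace, ...), as
# demonstrated by the tests on this page.
MODE_NOTES = {
    "OFF": "no authentication: anyone who can reach the port can stop or reconfigure the listener",
    "LOCAL_OS": "10g default: only the OS user that started the listener can run control commands; remote ones get TNS-01189",
    "PASSWORD": "password only: any client that knows the password, local or remote, can run control commands",
    "PASSWORD_OR_LOCAL_OS": "a password is set: remote control commands now succeed for anyone who knows it; the local starting user needs none",
    "UNKNOWN": "Security line missing or unrecognised; check the listener by hand",
}


def unexpected_registrations(services, local_instances):
    """Instances in the Services Summary that are not expected to run on this host."""
    found = []
    for svc in sorted(services):
        for inst, _status in services[svc]:
            if inst not in local_instances:
                found.append((svc, inst))
    return found


def audit(status_text, local_instances):
    parsed = parse_status(status_text)
    mode = classify_security(parsed["security"])
    unexpected = unexpected_registrations(parsed["services"], local_instances)
    findings = [MODE_NOTES[mode]]
    for svc, inst in unexpected:
        findings.append('service "%s" is served by instance "%s", which is not local: registered via remote_listener?' % (svc, inst))
    return {"security_mode": mode, "unexpected": unexpected, "findings": findings}


if __name__ == "__main__":
    # host B is only expected to run instance "lottery" (assumed allowlist)
    for finding in audit(SAMPLE_STATUS, {"lottery"})["findings"]:
        print(finding)
```

In practice feed it the real output ("lsnrctl status | python audit.py" style) and maintain the allowlist of instances that belong on each host; a service whose instance is not on that list is exactly what host B shows after host A's registration above.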
Test 1:
Verify that with the Oracle 10g default (listener authentication = Local OS Authentication) the listener cannot be stopped remotely.
On host A, try to stop host B's listener remotely:
LSNRCTL>stop listener_r
Connecting to (ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.24)(PORT=1521))
TNS-01189: The listener could not authenticate the user
LSNRCTL>
TNS-01189 shows that the listener could not authenticate the user, so the stop fails: with Local OS Authentication only, there is no way for a remote client to authenticate at all.
Now enable password authentication on host B's listener:
LSNRCTL>change_password
Old password: (empty)
New password:123456
Reenter new password:123456
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ccddt)(PORT=1521)))
Password changed for LISTENER
The command completed successfully
LSNRCTL>save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ccddt)(PORT=1521)))
Saved LISTENER configuration parameters.
(output omitted)
The command completed successfully
Test 2:
Pass the remote listener's authentication and stop it remotely.
On host A, first supply a wrong password, 654321:
LSNRCTL>set password 654321
The command completed successfully
LSNRCTL>stop listener_r
Connecting to (ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.24)(PORT=1521))
TNS-01169: The listener has not recognized the password
TNS-01189: The listener could not authenticate the user
Authentication fails (TNS-01169 password not recognized, then TNS-01189).
Now supply the correct password, 123456, on host A:
LSNRCTL>set password 123456
The command completed successfully
LSNRCTL>
LSNRCTL>stop listener_r
Connecting to (ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.24)(PORT=1521))
The command completed successfully
LSNRCTL>
"The command completed successfully" shows that the remote stop worked. Note the trade-off this demonstrates on 10g: with the default Local OS Authentication every remote control command was rejected outright, and it was setting a password that made remote administration possible for anyone who knows it. Treat a listener password as a network-reachable credential, and restrict which hosts can reach the listener port in the first place.
Run lsnrctl status on host B: its listener has been stopped remotely by host A.
LSNRCTL>status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ccddt)(PORT=1521)))
TNS-12541: TNS:no listener
TNS-12560: TNS:protocol adapter error
TNS-00511: No listener
Linux Error: 111: Connection refused
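Added example (not from the original article): detection logic over listener.log lines for the three failure codes seen on this page (TNS-01190, TNS-01189, TNS-01169) and for control commands that succeed from a host other than the listener's own. The log lines are constructed in the 10g listener.log layout that this example assumes (timestamp, CONNECT_DATA, command and return code separated by " * ", with the TNS message lines following a failure); the hosts, users and timestamps are made up to match the scenario on this page, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed excerpt of host B's (ccddt) listener.log in the 10g layout this
# example assumes:
#   <timestamp> * <CONNECT_DATA> [* <ADDRESS>] * <command> [* <service>] * <rc>
# Scenario, matching the page: a second local user is refused (1190), a remote
# stop from host A (oraserver) is refused while no password exists (1189), then
# fails with a wrong password (1169), then succeeds with the right one (0).
SAMPLE_LOG = """\
12-APR-2011 18:35:48 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=ccddt)(USER=oracle1))(COMMAND=stop)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=169869568)) * stop * 1190
TNS-01190: The user is not authorized to execute the requested listener command
12-APR-2011 18:36:02 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=ccddt)(USER=oracle1))(COMMAND=reload)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=169869568)) * reload * 1190
TNS-01190: The user is not authorized to execute the requested listener command
12-APR-2011 19:05:10 * (CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=product)(CID=(PROGRAM=sqlplus)(HOST=client1)(USER=app))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.1.50)(PORT=40211)) * establish * product * 0
12-APR-2011 19:08:41 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=oraserver)(USER=oracle))(COMMAND=stop)(ARGUMENTS=64)(SERVICE=listener_r)(VERSION=169869568)) * stop * 1189
TNS-01189: The listener could not authenticate the user
12-APR-2011 19:12:30 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=oraserver)(USER=oracle))(COMMAND=stop)(ARGUMENTS=64)(SERVICE=listener_r)(VERSION=169869568)) * stop * 1169
TNS-01169: The listener has not recognized the password
TNS-01189: The listener could not authenticate the user
12-APR-2011 19:13:05 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=oraserver)(USER=oracle))(COMMAND=stop)(ARGUMENTS=64)(SERVICE=listener_r)(VERSION=169869568)) * stop * 0
"""

LINE_RE = re.compile(r"^(\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* (.*) \* (\d+)$")
CID_RE = re.compile(r"\(HOST=([^)]*)\).*?\(USER=([^)]*)\)")

# Return codes for the failures shown on this page.
AUTH_FAILURE = {
    1190: "TNS-01190: user not authorized (Local OS Authentication refused a different OS user)",
    1189: "TNS-01189: could not authenticate (e.g. remote control command, no password accepted)",
    1169: "TNS-01169: password not recognized",
}
# Control commands that require authentication (from the list in part 1).
SENSITIVE = {"stop", "reload", "trace", "save_config", "spawn"}


def parse_listener_log(text):
    """Return one event per control-command line; skip client connects and message lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # TNS-xxxxx message lines carry no timestamp
        ts, middle, rc = m.group(1), m.group(2), int(m.group(3))
        fields = middle.split(" * ")
        if "establish" in fields:
            continue  # a client connecting to a service, not a control command
        cid = CID_RE.search(fields[0])
        host, user = (cid.group(1), cid.group(2)) if cid else ("?", "?")
        events.append({"ts": ts, "host": host, "user": user,
                       "command": fields[-1].strip().lower(), "rc": rc})
    return events


def detect_alerts(events, listener_host):
    """Flag failed authentication and sensitive commands accepted from another host."""
    alerts = []
    for e in events:
        if e["rc"] in AUTH_FAILURE:
            alerts.append(dict(e, kind="AUTH_FAILURE", note=AUTH_FAILURE[e["rc"]]))
        elif e["rc"] == 0 and e["command"] in SENSITIVE and e["host"].lower() != listener_host.lower():
            alerts.append(dict(e, kind="REMOTE_ADMIN", note="control command accepted from another host"))
    return alerts


def failures_by_source(events):
    """Failed control attempts per (host, user); repeated 1169s look like password guessing."""
    return Counter((e["host"], e["user"]) for e in events if e["rc"] in AUTH_FAILURE)


if __name__ == "__main__":
    evts = parse_listener_log(SAMPLE_LOG)
    for a in detect_alerts(evts, "ccddt"):
        print("%s %-12s %s@%s %-7s rc=%d %s" % (a["ts"], a["kind"], a["user"], a["host"], a["command"], a["rc"], a["note"]))
    print(dict(failures_by_source(evts)))
```

The HOST and USER inside CID are supplied by the client, so treat them as hints for triage rather than as proof of origin; the return code is the listener's own verdict. A burst of 1169 results from one source after a password has been set is the pattern to alert on, and a successful stop or reload with a non-local CID host is exactly what host A's remote stop above would leave in host B's log.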