Using Class of Secure Transport (COST) to Restrict Instance Registration (Doc ID 1453883.1)

Copyright (C) 2018, Oracle. All rights reserved.

In this Document

Goal
Solution
References

APPLIES TO:

Oracle Database - Enterprise Edition - Version 10.2.0.3 to 11.2.0.3 [Release 10.2 to 11.2]
Oracle Net Services - Version 10.2.0.3 to 11.2.0.3 [Release 10.2 to 11.2]
Information in this document applies to any platform.

GOAL

In addition to this note, also take a look at the proactive Database Healthchecks provided by ORAchk.

To demonstrate how the COST parameter "SECURE_REGISTER_listener_name =" is used to restrict instance registration with database listeners. With this COST restriction in place only local instances will be allowed to register. These instructions can be used to address the issues published in Oracle Security Alert CVE-2012-1675 by using COST to restrict connections to only local instances.

About COST

The class of secure transports (COST) parameters specify a list of transports that are considered secure for administration and registration of a particular listener. The COST parameters identify which transports are considered secure for that installation and whether the administration of a listener requires secure transports. COST will not affect client connections utilizing other protocols. For more details and for information about other available COST parameters please see the 11.2 Network Administrators Guide and Network Reference.

About the IPC Protocol

IPC protocol support is similar to BEQ protocol support in that it can only be used when the client program and the Oracle server are installed on the same system. IPC protocol support differs from BEQ protocol support in that it can be used with Oracle Shared Server configurations. IPC protocol support requires a listener for its operation. For more information about IPC please see Doc ID 29232.1 "IPC Explained".


Oracle versions that support COST

Although not documented in the Oracle 10g Network Administration Guides, COST parameters and functionality are supported as of 10.2.0.3.

Starting with Oracle Database Version 11.2.0.4 and Oracle Database 12c (12.1.0.1), the screening of service registration requests from database instances is performed using the Oracle Listener inherent "Valid Node Checking for Registration" feature. Oracle recommends using the "VNCR" feature in 11.2.0.4 and 12c as an alternative to COST if the implementation is only to regulate database service registration requests with Listeners. If COST parameters are needed for Oracle Database 11.2.0.4 or 12c for other or for additional reasons, then they should be used as intended.

For more information about "Valid Node Checking for Registration" in 11.2.0.4 and 12c please reference the following links:

Oracle Net 12c: Valid Node Checking For Registration (VNCR) (Doc ID 1600630.1)

Oracle Database Net Services Reference 12c Release 1 (12.1): New features overview

Oracle Clusterware Administration and Deployment Guide 12c Release 1 (12.1): SCAN Listeners and Service Registration Restriction With Valid Node Checking

SOLUTION

There are two methods that can be used to protect the listener using COST "SECURE_REGISTER_listener_name =" in standalone database installations.

1) Restricting registration to the TCP protocol (Requires the fix for BUG:12880299)

- or -

2) Restricting registration to the IPC protocol (The patch for BUG:12880299 is NOT required for the IPC method)

Either method accomplishes the same goal but it is your choice which to implement. Both methods will be discussed.

Topics in this section:

1) Setting a COST restriction using the TCP protocol to limit registration to local instances.

2) Setting a COST restriction using the IPC protocol to limit registration to local instances.

3) Verifying that COST is working.

1) Setting a COST restriction using the TCP protocol to limit registration to local instances.

The patch for bug:12880299 allows for registration of the local node over TCP protocol provided that TCP is listed as a secure transport for registration. With the fix for 12880299 in place registration attempts from non-local nodes over TCP will be refused. This patch is a requirement when securing a standalone database listener and using the TCP protocol for registration. The patch for bug:12880299 can be used with all Oracle installations that utilize a listener whether they are RAC installations or standalone databases.

[Figure: clients connecting to the server's listener over their own protocols; the database on the server registers with the listener over TCP.]

SECURE_REGISTER_listener_name=(TCP) restricts communication between the database and the listener but does not affect client communication protocols.

Steps:

1.1) Obtain and apply the patch for bug:12880299.


1.2) Add the COST TCP protocol restriction "SECURE_REGISTER_[listener_name] = (TCP)" to the listener.ora.

Match the COST parameter variable listener_name with the name of the listener you are using in the listener.ora, e.g., if your listener name is "LISTENER_PROD" then use SECURE_REGISTER_LISTENER_PROD = (TCP)

LISTENER_PROD =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = netfl-bde)(PORT = 1551))
    )
  )

SECURE_REGISTER_LISTENER_PROD = (TCP)

The database must be using the TCP protocol to register with the listener. Check the value of the startup parameter local_listener to confirm.

Important for grid installations: The grid agent uses the IPC protocol to contact and manage the listener so both IPC and TCP must be enabled in this step.

For a grid environment use the following value,

SECURE_REGISTER_LISTENER_PROD = (IPC,TCP)

1.3) Restart the listener.

The listener will now only accept database registration information from the local database and over TCP.

With COST enabled for the TCP protocol, attempts to register with the listener from anything other than the local system using TCP are rejected and an event is logged in the listener log.

11-MAY-2011 10:27:23 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
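A configuration check for steps 1.2 and 2.2 and the grid note above, added here as an example and not part of the Oracle note: it parses a listener.ora (a constructed sample is embedded; host and port values are placeholders), pairs every listener with its SECURE_REGISTER_<listener_name> entry, and flags a missing or mismatched COST entry, a COST protocol the listener has no ADDRESS for, and a grid installation whose value lacks IPC. The parser is a simple one written for this example and assumes the usual layout (listener names at column 0, nested entries indented).

```python
import re

# Constructed listener.ora in the shape this note uses: LISTENER_PROD with IPC and
# TCP endpoints, plus a second listener whose COST line is commented out.
SAMPLE_LISTENER_ORA = """
LISTENER_PROD =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = REGISTER))
      (ADDRESS = (PROTOCOL = TCP)(HOST = db-host.example)(PORT = 1551))))

LISTENER_TEST =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db-host.example)(PORT = 1552)))

# SECURE_REGISTER_LISTENER_TEST = (TCP)
SECURE_REGISTER_LISTENER_PROD = (TCP)
"""

def parse_listener_ora(text):
    """Return (listeners, cost): listeners maps each listener name to the set of
    protocols in its ADDRESS entries; cost maps a listener name to the tuple of
    protocols in its SECURE_REGISTER_<name> parameter. Comment lines are ignored."""
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    listeners, cost = {}, {}
    # A top-level "NAME =" at column 0 starts a block; nested lines are indented.
    for block in re.split(r"^(?=[A-Za-z_][\w.]*\s*=)", body, flags=re.M):
        m = re.match(r"([A-Za-z_][\w.]*)\s*=\s*(.*)", block, re.S)
        if not m:
            continue
        name, value = m.group(1).upper(), m.group(2)
        if name.startswith("SECURE_REGISTER_"):
            protos = tuple(p.strip().upper() for p in value.strip().strip("()").split(","))
            cost[name[len("SECURE_REGISTER_"):]] = protos
        elif "(DESCRIPTION" in value.upper():
            listeners[name] = {p.upper() for p in re.findall(r"PROTOCOL\s*=\s*(\w+)", value, re.I)}
    return listeners, cost

def audit_cost(text, grid=False):
    """One (listener, status, detail) per listener: the SECURE_REGISTER_ suffix must
    match the listener name exactly, each allowed protocol needs a matching ADDRESS,
    and on a grid installation IPC must be allowed so the agent can manage the listener."""
    listeners, cost = parse_listener_ora(text)
    findings = []
    for name, protos in listeners.items():
        if name not in cost:
            findings.append((name, "NO_COST", "no SECURE_REGISTER_%s; registration unrestricted" % name))
            continue
        missing = [p for p in cost[name] if p not in protos]
        if missing:
            findings.append((name, "NO_ENDPOINT", "COST allows %s but no such ADDRESS" % ",".join(missing)))
        elif grid and "IPC" not in cost[name]:
            findings.append((name, "GRID_NEEDS_IPC", "grid agent uses IPC; use (IPC,TCP)"))
        else:
            findings.append((name, "OK", "registration limited to %s" % ",".join(cost[name])))
    for name in cost:  # a COST entry whose suffix matches no listener protects nothing
        if name not in listeners:
            findings.append((name, "ORPHAN_COST", "SECURE_REGISTER_%s matches no listener" % name))
    return findings
```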

2) Setting a COST restriction using the IPC protocol to limit registration to local instances.


In the following section the IPC keyname "REGISTER" is being used as an example. IPC keynames must be unique for each listener on the same system: if the keyname "REGISTER" is used on the first of two listeners then the second listener must have a different keyname, e.g., "REGISTER2". If the setup already has IPC configured then it is a personal choice whether to create additional keys for registration; pre-existing IPC protocol address keynames can also be used for COST.

[Figure: clients connecting to the server's listener over their own protocols; the database on the server registers with the listener over IPC.]

SECURE_REGISTER_listener_name=(IPC) restricts communication between the database and the listener but does not affect client communication protocols.

Steps:

2.1) Stop the listener

2.2) If it does not already exist, add support for the IPC protocol to the listener configuration: "(ADDRESS = (PROTOCOL = IPC)(KEY = REGISTER))". If you already have an IPC key defined you may use it as is. Also add the COST parameter "SECURE_REGISTER_[listener_name] = (IPC)".

Match the COST parameter variable listener_name with the name of the listener you are using in the listener.ora, e.g., if your listener name is "LISTENER_PROD" then use SECURE_REGISTER_LISTENER_PROD = (IPC)

LISTENER.ORA

LISTENER_PROD =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = REGISTER))
      (ADDRESS = (PROTOCOL = TCP)(HOST = netfl-bde)(PORT = 1551))
    )
  )

SECURE_REGISTER_LISTENER_PROD = (IPC)

2.3) Start the listener.

LSNRCTL> start listener_prod
Starting /u01/app/oracle/product/11.2.0.3/bin/tnslsnr: please wait...

TNSLSNR for Solaris: Version 11.2.0.3.0 - Production
System parameter file is /u01/app/oracle/product/11.2.0.3/network/admin/listener.ora
Log messages written to /u01/app/oracle/diag/tnslsnr/netfl-bde/listener/alert/log.xml
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=netfl_bde.us.oracle.com)(PORT=1551)))
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=REGISTER)))

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=REGISTER)))
STATUS of the LISTENER
Alias                     LISTENER_PROD
Version                   TNSLSNR for Solaris: Version 11.2.0.3.0 - Production
Start Date                27-APR-2012 16:34:20
Uptime                    0 days 0 hr. 0 min. 0 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /u01/app/oracle/product/11.2.0.3/network/admin/listener.ora
Listener Log File         /u01/app/oracle/diag/tnslsnr/netfl-bde/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=REGISTER)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=netfl_bde.us.oracle.com)(PORT=1551)))
The listener supports no services
The command completed successfully

2.4) Replace the TCP address in the database local_listener parameter with the IPC address used by the listener.

Some installations may be using a pfile rather than spfile as this example shows. In that case modify the pfile startup parameter to provide the same functionality.


SQL> show parameter local_listener

NAME                                 TYPE        VALUE
local_listener                       string      (ADDRESS = (PROTOCOL = TCP)(HOST = netfl-bde)(PORT = 1551))

SQL> alter system set local_listener='(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=REGISTER)))' scope = both;

System altered.

SQL> show parameter local_listener

NAME                                 TYPE        VALUE
local_listener                       string      (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=REGISTER)))

2.5) Verify that the instance is now registered with the listener.

LSNRCTL> services listener_prod
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=REGISTER)))
Services Summary...
Service "N11203.us.oracle.com" has 1 instance(s).
  Instance "N11203", status READY, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0 state:ready
         LOCAL SERVER
The command completed successfully

With COST enabled, attempts to register with the listener using a protocol other than IPC are rejected and an event is logged in the listener log.

11-MAY-2011 10:27:23 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport

3) Verifying that COST is working

Overview: To confirm the functionality of a COST configuration in a standalone database environment, start the COST protected listener and attempt to register with it from a remote machine. A remotely registered instance will display as "REMOTE SERVER" in lsnrctl services output.


This is just one example of how to check. Configurations and listener output may vary per setup but the test logic remains the same: can an unauthorized protocol register with the listener? This same testing methodology can be used for COST restrictions using IPC, TCP or TCPS protocol or any combinations thereof.

Prerequisites: If the installation is using COST with a TCP restriction the patch for bug:12880299 should have already been applied. Two systems are required: the installation and listener you are verifying, and a remote instance with which to attempt registration.

Test Logic: First ensure that remote registration will take place with COST disabled, then re-enable COST and verify that it is restricting the same remote registration attempts.

In this example patch 12880299 is installed and COST is configured to restrict registration to the local node only over the TCP protocol.

Steps:

3.1) Comment the COST rule in listener.ora and restart the listener.

LISTENER_PROD =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC2))
      (ADDRESS = (PROTOCOL = TCP)(HOST = netf1-bde)(PORT = 1551))
    )
  )

#SECURE_REGISTER_LISTENER_PROD = (TCP)

3.2) At the remote system that will be sending registration information to the listener being tested, load the target listener's TCP address into the database initialization parameter "remote_listener=". Enclose the address in single quotes and use the scope clause "scope=memory;". This action will tell the instance to also send registration packets to the remote listener over TCP.

[mes2]/u01/app/oracle/product/10.2.0> sqlplus "/ as sysdba"

SQL*Plus: Release 10.2.0.5.0 - Production on Fri May 4 10:11:27 2012

Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.5.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> show parameter remote_listener;

NAME                                 TYPE        VALUE
remote_listener                      string


SQL> alter system set remote_listener='(ADDRESS=(PROTOCOL=TCP)(HOST=netf1-bde)(PORT=1551))' scope=memory;

System altered.

3.3) Back at the listener you should now see a service handler created for the remotely registered instance. Notice how it is listed as a REMOTE SERVER.

LSNRCTL> services listener_prod
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC2)))
Services Summary...
Service "N102.us.oracle.com" has 1 instance(s).
  Instance "N102", status READY, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0 state:ready
         REMOTE SERVER
         (ADDRESS=(PROTOCOL=TCP)(HOST=mes2)(PORT=1521))
The command completed successfully

3.4) With remote registration confirmed, test COST. Remove the comment from the COST parameter in the listener.ora and restart the listener. COST is now protecting the listener from registration attempts that are not coming from the local node.

3.5) At the remote instance force another registration attempt by issuing the SQL command "alter system register;" .

SQL> alter system register;

System altered.

SQL>

3.6) Check the listener for service handlers; no handlers for REMOTE SERVER(s) should be seen.

[oracle@bde]$ lsnrctl

LSNRCTL for Linux: Version 11.2.0.2.0 - Production on 04-MAY-2012 10:42:57

Copyright (c) 1991, 2010, Oracle.  All rights reserved.

Welcome to LSNRCTL, type "help" for information.

LSNRCTL> services listener_prod
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC2)))
The listener supports no services
The command completed successfully


3.7) Check the listener log; TNS-01194 messages will occur with each registration attempt that was refused.

[oracle@bde]$ tail /u01/app/oracle/product/11.2.0.2/network/log/listener.log

04-MAY-2012 10:43:03 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=netfl_bde)(USER=oracle))(COMMAND=services)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=186647040)) * services * 0
04-MAY-2012 10:43:05 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
04-MAY-2012 10:44:05 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport

With COST enabled the results of steps 3.6 and 3.7 above are expected and confirm that the COST registration restriction is working properly.

3.8) When finished testing, clear the remote_listener value of the remote instance either by restarting or by replacing the parameter in memory with a null string.

SQL> alter system set remote_listener='' scope=memory;

System altered.

This same test method will also confirm COST restrictions that are set to IPC or TCPS.
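A helper for steps 3.6 and 3.7, added here as an example and not part of the Oracle note: it reports REMOTE SERVER handlers in lsnrctl services output and counts TNS-01194 refusals per minute in listener.log, and combines the two into the pass condition the test logic above describes. The sample output and log excerpt are constructed to match the listings in this section; host names and addresses in them are placeholders.

```python
import re
from collections import Counter

# Constructed "lsnrctl services" output in the shape of step 3.3 (names are placeholders).
SERVICES_OUTPUT = """\
Services Summary...
Service "N102.example" has 1 instance(s).
  Instance "N102", status READY, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0 state:ready
         REMOTE SERVER
         (ADDRESS=(PROTOCOL=TCP)(HOST=mes2.example)(PORT=1521))
Service "N11203.example" has 1 instance(s).
  Instance "N11203", status READY, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0 state:ready
         LOCAL SERVER
The command completed successfully
"""

# Constructed listener.log excerpt in the shape of step 3.7.
LISTENER_LOG = """\
04-MAY-2012 10:43:05 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
04-MAY-2012 10:44:05 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
04-MAY-2012 10:45:10 * (CONNECT_DATA=(SERVICE_NAME=N11203.example)) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.5)(PORT=40211)) * establish * N11203.example * 0
"""

# Refused registration: "<timestamp> * service_register_NSGR * 1194", keyed to the minute.
REFUSED_RE = re.compile(r"(\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}):\d{2} \* service_register_NSGR \* 1194")

def remote_handlers(services_text):
    """[(instance, address)] for every handler listed as REMOTE SERVER (step 3.6 expects none)."""
    lines, found, instance = services_text.splitlines(), [], None
    for i, line in enumerate(lines):
        m = re.match(r'\s*Instance "([^"]+)"', line)
        if m:
            instance = m.group(1)
        elif line.strip() == "REMOTE SERVER":
            nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
            found.append((instance, nxt if nxt.startswith("(ADDRESS") else ""))
    return found

def refused_registrations(log_text):
    """Counter of refusals per minute: a 1194 line followed by its TNS-01194 line (step 3.7)."""
    counts, pending = Counter(), None
    for line in log_text.splitlines():
        m = REFUSED_RE.match(line)
        if m:
            pending = m.group(1)
        elif line.startswith("TNS-01194") and pending:
            counts[pending] += 1
            pending = None
        else:
            pending = None  # any other line breaks the pair
    return counts

def cost_verified(services_text, log_text):
    """Steps 3.6 and 3.7 together: no REMOTE SERVER handler and at least one logged refusal."""
    return not remote_handlers(services_text) and sum(refused_registrations(log_text).values()) > 0
```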

Patch/fix information for BUG:12880299

The fix for BUG:12880299 will be included in Oracle 11.2.0.4.

PSUs that include the fix:

Cumulative Patch Inclusion - DBPSU 10.2.0.5.8 (Released)
Cumulative Patch Inclusion - DBPSU 11.2.0.2.7 (Released)
Cumulative Patch Inclusion - DBPSU 10.2.0.4.13 (Released)
Cumulative Patch Inclusion - DBPSU 11.2.0.3.3 (Released)
Cumulative Patch Inclusion - DBPSU 11.1.0.7.12 (Released)


Windows patch availability for bugfix:12880299

11.2.0.3: 12880299 is included in bundle 6 (Released)

32-bit : Patch 13965210
64-bit : Patch 13965211

11.2.0.2: 12880299 is included in bundle 19 (Released)

32-bit : Patch 14046710
64-bit : Patch 14046711

11.1.0.7: 12880299 is included in bundle 46 (Released)

10.2.0.5: 12880299 is included in bundle 17 (Released)

REFERENCES

NOTE:1340831.1 - Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle RAC
NOTE:29232.1 - IPC Explained
NOTE:1600630.1 - Valid Node Checking For Registration (VNCR)
NOTE:1455068.1 - Force Connections to a Specific Database Service When two Identical Services are Registered to CMAN