encrypted listener password
There a few major changes in the database administration and the database security between 9i and 10g.
In 9i, I used to grep in the listener.ora to find out the password.
LISTENER_LSC61 =
(DESCRIPTION=(ADDRESS_LIST=
(ADDRESS=(PROTOCOL=TCP)(HOST=dbsrv85a.ex.zkb.ch)(PORT=10061)(QUEUESIZE=200))
))
PASSWORDS_LISTENER_LSC61 = 1234567890ABCDEF
this 64bit encrypted string can be used in 9i to stop the listener
$ lsnrctl
LSNRCTL for IBM/AIX RISC System/6000: Version 9.2.0.6.0 - Production on 05-DEC-2005 14:33:51
Copyright (c) 1991, 2002, Oracle Corporation. All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL> set current_listener listener_lsc61
Current Listener is listener_lsc61
LSNRCTL> set password 1234567890ABCDEF
The command completed successfully
LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=dbsrv85a.ex.zkb.ch)(PORT=10061)(QUEUESIZE=200)))
The command completed successfully
As a dba, it is quite handy, because you can use grep (or awk) to find out the password out of the listener.ora. As a security admin, you should make sure the listener.ora is not readable. Note that the default, when created by netmgr, is to be world-readable :-(
However, this does no longer work in 10g
LISTENER_LSC62 =
(DESCRIPTION=(ADDRESS_LIST=
(ADDRESS=(PROTOCOL=TCP)(HOST=dbsrv85a.ex.zkb.ch)(PORT=10062)(QUEUESIZE=200))
))
PASSWORDS_listener_LSC62 = 1234567890ABCDEF
the encrypted string can no longer be used
$ lsnrctl
LSNRCTL for IBM/AIX RISC System/6000: Version 10.1.0.4.0 - Production on 05-DEC-2005 14:37:24
Copyright (c) 1991, 2004, Oracle. All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL> set current_listener listener_lsc62
Current Listener is listener_lsc62
LSNRCTL> set password 1234567890ABCDEF
The command completed successfully
LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=dbsrv85a.ex.zkb.ch)(PORT=10062)(QUEUESIZE=200)))
TNS-01169: The listener has not recognized the password
TNS-01189: The listener could not authenticate the user
As a security admin, you would think it is better so. But, how are you going to stop the listener in your script? Well, in 10g, we can use local authentification (default). So if the script is started as oracle, we would not need to use password
LISTENER_LSC63 =
(DESCRIPTION=(ADDRESS_LIST=
(ADDRESS=(PROTOCOL=TCP)(HOST=dbsrv85a.ex.zkb.ch)(PORT=10016)(QUEUESIZE=200))
))
PASSWORDS_listener_LSC63 = 1234567890ABCDEF
$ whoami
oracle
$ hostname
dbsrv85a.ex.zkb.ch
$ lsnrctl
LSNRCTL for IBM/AIX RISC System/6000: Version 10.2.0.1.0 - Production on 05-DEC-2005 14:43:33
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL> set current_listener LISTENER_LSC63
Current Listener is LISTENER_LSC63
LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=dbsrv85a.ex.zkb.ch)(PORT=10016)(QUEUESIZE=200)))
The command completed successfully
I read in an Alex Kornbrust post on Pete Finnigan forum, that a LOCAL_OS_AUTHENTICATION "undocumented" parameter could be used to "avoid" local authentication, but in that case, it is going to be a nightmare to "stop" the listener in an automated script, well, we can still use "kill", but it is not very beautifoul.
In 9i, I used to grep in the listener.ora to find out the password.
LISTENER_LSC61 =
(DESCRIPTION=(ADDRESS_LIST=
(ADDRESS=(PROTOCOL=TCP)(HOST=dbsrv85a.ex.zkb.ch)(PORT=10061)(QUEUESIZE=200))
))
PASSWORDS_LISTENER_LSC61 = 1234567890ABCDEF
this 64bit encrypted string can be used in 9i to stop the listener
$ lsnrctl
LSNRCTL for IBM/AIX RISC System/6000: Version 9.2.0.6.0 - Production on 05-DEC-2005 14:33:51
Copyright (c) 1991, 2002, Oracle Corporation. All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL> set current_listener listener_lsc61
Current Listener is listener_lsc61
LSNRCTL> set password 1234567890ABCDEF
The command completed successfully
LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=dbsrv85a.ex.zkb.ch)(PORT=10061)(QUEUESIZE=200)))
The command completed successfully
As a dba, it is quite handy, because you can use grep (or awk) to find out the password out of the listener.ora. As a security admin, you should make sure the listener.ora is not readable. Note that the default, when created by netmgr, is to be world-readable :-(
However, this does no longer work in 10g
LISTENER_LSC62 =
(DESCRIPTION=(ADDRESS_LIST=
(ADDRESS=(PROTOCOL=TCP)(HOST=dbsrv85a.ex.zkb.ch)(PORT=10062)(QUEUESIZE=200))
))
PASSWORDS_listener_LSC62 = 1234567890ABCDEF
the encrypted string can no longer be used
$ lsnrctl
LSNRCTL for IBM/AIX RISC System/6000: Version 10.1.0.4.0 - Production on 05-DEC-2005 14:37:24
Copyright (c) 1991, 2004, Oracle. All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL> set current_listener listener_lsc62
Current Listener is listener_lsc62
LSNRCTL> set password 1234567890ABCDEF
The command completed successfully
LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=dbsrv85a.ex.zkb.ch)(PORT=10062)(QUEUESIZE=200)))
TNS-01169: The listener has not recognized the password
TNS-01189: The listener could not authenticate the user
As a security admin, you would think it is better so. But, how are you going to stop the listener in your script? Well, in 10g, we can use local authentification (default). So if the script is started as oracle, we would not need to use password
LISTENER_LSC63 =
(DESCRIPTION=(ADDRESS_LIST=
(ADDRESS=(PROTOCOL=TCP)(HOST=dbsrv85a.ex.zkb.ch)(PORT=10016)(QUEUESIZE=200))
))
PASSWORDS_listener_LSC63 = 1234567890ABCDEF
$ whoami
oracle
$ hostname
dbsrv85a.ex.zkb.ch
$ lsnrctl
LSNRCTL for IBM/AIX RISC System/6000: Version 10.2.0.1.0 - Production on 05-DEC-2005 14:43:33
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL> set current_listener LISTENER_LSC63
Current Listener is LISTENER_LSC63
LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=dbsrv85a.ex.zkb.ch)(PORT=10016)(QUEUESIZE=200)))
The command completed successfully
I read in an Alex Kornbrust post on Pete Finnigan forum, that a LOCAL_OS_AUTHENTICATION "undocumented" parameter could be used to "avoid" local authentication, but in that case, it is going to be a nightmare to "stop" the listener in an automated script, well, we can still use "kill", but it is not very beautifoul.
Posted by Laurent Schneider at 12/05/2005 02:30:00 PM
Permalink : encrypted listener password
Post to :
del.icio.us -
furl -
digg -
reddit -
co.mments
2 Comments:
Laurent,
Alexander found out that local os authentication can be circumvented and therefore his advice is to use and strong listener password and to disable local os authentication.
I suppose his advise is until Oracle solves this bug. And yes, I think killing the listener in automated script is the second best option in this case.
Ivan
If You could use Perl in Your script, it's possible to write the code, that will provide _non-encrypted_ password for the lnsrctl utility.
Here is one example:
www.gotchas.info/setting-password-for-oracle-listener-in-the-script/
Post a Comment
<< Home