Restrict network access to listener
If I have a limited number of db clients which are authorized to access my listener, I can restrict access to my listener by setting only two parameters in sqlnet.ora.
chltlxlsc1 is my db server, I include it in the list, it is required to start the listener locally.
From dbclient001, I can connect :
From dbclient002, I cannot connect
TCP.VALIDNODE_CHECKING = yes
TCP.INVITED_NODES = (dbclient001,chltlxlsc1)
chltlxlsc1 is my db server, I include it in the list, it is required to start the listener locally.
From dbclient001, I can connect :
$ sqlplus scott/tiger@lsc02
SQL*Plus: Release 10.1.0.4.2 - Production on Wed Nov 22 09:47:43 2006
Copyright (c) 1982, 2005, Oracle. All rights reserved.
Connected to:
Oracle9i Enterprise Edition Release 9.2.0.8.0 - Production
With the Partitioning option
JServer Release 9.2.0.8.0 - Production
From dbclient002, I cannot connect
$ sqlplus scott/tiger@lsc02
SQL*Plus: Release 10.1.0.4.2 - Production on Wed Nov 22 09:48:26 2006
Copyright (c) 1982, 2005, Oracle. All rights reserved.
ERROR:
ORA-12547: TNS:lost contact
Posted by Laurent Schneider at 11/22/2006 10:18:00 AM
Permalink : Restrict network access to listener
Post to :
del.icio.us -
furl -
digg -
reddit -
co.mments
4 Comments:
Laurent,
TCP/IP node checking works welll if we have a small list. The last time when I implemented node checking , I had a huge list of AP addresses and eventually it became quite a headache to maintain this list and to keep track of who had access to which database? --->is there a better way we can do this assuming we have a huge list.
ocm maybe
It could have been a great feature.
Its great, if you want to delimit database access only to, for instance, your application server.
It would have been even greater, if you could use wild cards like 10.10.10.*, but alas, you can't.
yes, one application server, one enterprise manager grid control, one database server is fine. More is headache.
Since it is in sqlnet.ora, a single client addition means restarting all the listeners from that oracle home (no reload of course)
Exclude_node also exists, for example to prevent some ugly developer to use toad ;-)
Post a Comment
<< Home