Listener security authentication in Oracle 10g

Published: 2017-1-16 18:38:03  Editor: www.fx114.net (分享查询网)

Starting with Oracle 10g the listener gained a second authentication method, Local OS Authentication, so setting a listener password is no longer a prerequisite for a secure listener. In 10g, even when no listener password is set, no OS user other than the one that started the listener can administer it (stop, reload, trace and so on).

1. Listener security authentication

Test environment:
    OS:    RHEL AS 4.8
    DB:    Oracle 10.2.0.1
    Users: oracle, oracle1

Test 1: with the default settings, user oracle starts the listener and user oracle1 cannot stop, reload or trace it.

User oracle starts the listener and checks its status:

    LSNRCTL>start
    Starting /orahome/oracle/product/10.2.0/db_1/bin/tnslsnr: please wait...
    TNSLSNR for Linux: Version 10.2.0.1.0 - Production
    (output omitted)
    LSNRCTL>status
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
    STATUS of the LISTENER
    ------------------------
    (output omitted)
    Trace Level               off
    Security                  ON: Local OS Authentication
    (output omitted)
      (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.1.23)(PORT=1521)))
    Services Summary...
    Service "mydata" has 1 instance(s).
      Instance "mydata", status READY, has 1 handler(s) for this service...
    The command completed successfully

The Security line shows the default: security is ON using Local OS Authentication, and no password is set.

Switch to the other user, oracle1:

    $ su - oracle1
    Password:
    $ id
    uid=1003(oracle1) gid=1002(oinstall) groups=1001(dba),1002(oinstall)
    $ lsnrctl
    LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 12-APR-2011 18:35:48
    Copyright (c) 1991, 2005, Oracle.  All rights reserved.
    Welcome to LSNRCTL, type "help" for information.
    LSNRCTL>stop listener
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
    TNS-01190: The user is not authorized to execute the requested listener command
    LSNRCTL>reload listener
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
    TNS-01190: The user is not authorized to execute the requested listener command
    LSNRCTL>trace user listener
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
    TNS-01190: The user is not authorized to execute the requested listener command

The TNS-01190 errors show that oracle1 is not authorized to run these listener commands. Note that oracle1 belongs to the same dba and oinstall groups as oracle; what Local OS Authentication checks is the OS user that owns the tnslsnr process, not group membership.

Test 2: user oracle enables password authentication on the listener it started; the password is not required of oracle itself.

User oracle starts the listener and sets a password:

    $ id
    uid=1001(oracle) gid=1002(oinstall) groups=1001(dba),1002(oinstall)
    LSNRCTL>start
    Starting /orahome/oracle/product/10.2.0/db_1/bin/tnslsnr: please wait...
    TNSLSNR for Linux: Version 10.2.0.1.0 - Production
    (output omitted)
    LSNRCTL>change_password
    Old password: (none)
    New password: 123456
    Reenter new password: 123456
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
    Password changed for LISTENER
    The command completed successfully
    LSNRCTL>save_config
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
    Saved LISTENER configuration parameters.
    Listener Parameter File   /orahome/oracle/product/10.2.0/db_1/network/admin/listener.ora
    Old Parameter File        /orahome/oracle/product/10.2.0/db_1/network/admin/listener.bak
    The command completed successfully
    LSNRCTL>status
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
    STATUS of the LISTENER
    ------------------------
    (output omitted)
    Security                  ON: Password or Local OS Authentication
    SNMP                      OFF
    (output omitted)

The Security line now reads Password or Local OS Authentication: either method is sufficient on its own. save_config writes the password to listener.ora (as the PASSWORDS_LISTENER entry) and keeps the previous file as listener.bak; without save_config the password would be lost when the listener is restarted.

    LSNRCTL>reload listener
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
    The command completed successfully
    LSNRCTL>trace user listener
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
    Opened trace file: /orahome/oracle/product/10.2.0/db_1/network/trace/listener.trc
    The command completed successfully
    LSNRCTL>stop listener
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
    The command completed successfully

User oracle can reload, trace and stop the listener it started without ever supplying the password: Local OS Authentication still applies to the listener's owner, so the password adds nothing for that user.

Test 3: user oracle starts the listener with password authentication enabled. User oracle1 can reload, stop and trace that listener once it passes the password check, and cannot until it does.

    $ id
    uid=1001(oracle) gid=1002(oinstall) groups=1001(dba),1002(oinstall)
    (listener password set as in Test 2)
    $ lsnrctl status listener
    LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 12-APR-2011 19:06:36
    Copyright (c) 1991, 2005, Oracle.  All rights reserved.
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
    STATUS of the LISTENER
    ------------------------
    (output omitted)
    Security                  ON: Password or Local OS Authentication
    SNMP                      OFF
    Listener Parameter File   /orahome/oracle/product/10.2.0/db_1/network/admin/listener.ora
    Listener Log File         /orahome/oracle/product/10.2.0/db_1/network/log/listener.log
    (output omitted)

The Security line shows password or local OS authentication. Now as oracle1:

    $ id
    uid=1003(oracle1) gid=1002(oinstall) groups=1001(dba),1002(oinstall)
    $ lsnrctl reload listener
    LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 12-APR-2011 19:10:19
    Copyright (c) 1991, 2005, Oracle.  All rights reserved.
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
    TNS-01190: The user is not authorized to execute the requested listener command
    $ lsnrctl
    LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 12-APR-2011 19:10:29
    Copyright (c) 1991, 2005, Oracle.  All rights reserved.
    Welcome to LSNRCTL, type "help" for information.
    LSNRCTL>reload listener
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
    TNS-01190: The user is not authorized to execute the requested listener command
    LSNRCTL>set password 123456
    The command completed successfully
    LSNRCTL>reload listener
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
    The command completed successfully
    LSNRCTL>trace user listener
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
    Opened trace file: /orahome/oracle/product/10.2.0/db_1/network/trace/listener.trc
    The command completed successfully
    LSNRCTL>stop listener
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
    Opened trace file: /orahome/oracle/product/10.2.0/db_1/network/trace/listener.trc
    The command completed successfully

Once oracle1 has entered the lsnrctl command line and passed the password check with "set password 123456", it can reload, stop and trace the listener started by oracle. Note that "set password" itself always reports success; lsnrctl only stores the password and the listener verifies it when the next privileged command is sent.

Besides reload, stop and trace, the following commands are subject to this authentication:

    SAVE_CONFIG, SPAWN,
    SET {LOG_FILE, LOG_STATUS, INBOUND_CONNECT_TIMEOUT, SAVE_CONFIG_STOP_ON, TRC_FILE, TRC_LEVEL, LOG_DIRECTORY, STARTUP_WAITTIME}
    SHOW {RULES, TRC_DIRECTORY, LOG_FILE, LOG_STATUS, INBOUND_CONNECT_TIMEOUT, SNMP_VISIBLE, TRC_FILE, TRC_LEVEL, LOG_DIRECTORY, STARTUP_WAITTIME, SAVE_CONFIG_STOP_ON}

2. Remote listener registration (remote_listener)

Environment:

    Machine A: IP 192.168.1.23, OS RHEL AS 4.8, service_name test,    db_name mydata,  username oracle
    Machine B: IP 192.168.1.24, OS RHEL AS 4.8, service_name product, db_name lottery, username oracle

Listener status on machine A:

    LSNRCTL>status
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.23)(PORT=1521)))
    STATUS of the LISTENER
    ------------------------
    (output omitted)
    Security                  ON: Local OS Authentication
    SNMP                      OFF
    (output omitted)
      (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.1.23)(PORT=1521)))
    Services Summary...
    Service "TEST" has 1 instance(s).
      Instance "mydata", status READY, has 1 handler(s) for this service...
    Service "mydata" has 1 instance(s).
      Instance "mydata", status READY, has 1 handler(s) for this service...
    The command completed successfully

Listener status on machine B:

    LSNRCTL>status
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ccddt)(PORT=1521)))
    STATUS of the LISTENER
    ------------------------
    (output omitted)
    Security                  ON: Local OS Authentication
    SNMP                      OFF
    (output omitted)
      (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=ccddt)(PORT=1521)))
    Services Summary...
    Service "product" has 1 instance(s).
      Instance "lottery", status READY, has 1 handler(s) for this service...
    Service "lottery" has 1 instance(s).
      Instance "lottery", status READY, has 1 handler(s) for this service...
    The command completed successfully

Remote registration: register A's service_name (test) with the listener on the remote machine B.

Add the following to tnsnames.ora on A:

    LISTENER_R = (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.1.24)(PORT = 1521))

Set the instance parameter remote_listener on A:

    SQL>alter system set remote_listener=LISTENER_R;
    System altered.

Run lsnrctl status on B. Two new entries appear for A's database: its service_names value (test) and its db_name (mydata):

    LSNRCTL>status
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ccddt)(PORT=1521)))
    STATUS of the LISTENER
    ------------------------
    (output omitted)
    Security                  ON: Local OS Authentication
    (output omitted)
      (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=ccddt)(PORT=1521)))
    Services Summary...
    Service "lottery" has 1 instance(s).
      Instance "lottery", status READY, has 1 handler(s) for this service...
    Service "mydata" has 1 instance(s).
      Instance "mydata", status READY, has 1 handler(s) for this service...
    Service "product" has 1 instance(s).
      Instance "lottery", status READY, has 1 handler(s) for this service...
    Service "test" has 1 instance(s).
      Instance "mydata", status READY, has 1 handler(s) for this service...
    The command completed successfully

Note: whatever service_names is set to, Oracle also registers a service named after db_name, hence the extra Service "mydata" has 1 instance(s) entry.

Note also that B's listener accepted this registration without any authentication: nothing in the default 10g configuration restricts which hosts may register services with a listener. This is the behaviour abused by the TNS listener "poison" attack (CVE-2012-1675), in which a rogue instance registers an existing service name and has client connections routed to it; Oracle's later countermeasures restrict registration by transport (SECURE_REGISTER_listener_name / COST) or by source host (VALID_NODE_CHECKING_REGISTRATION_listener_name).

Test 1: with the 10g defaults (OS authentication only), the listener cannot be stopped remotely.

Run the following on A to stop B's listener; listener_r is resolved through the tnsnames.ora entry added above:

    LSNRCTL>stop listener_r
    Connecting to (ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.24)(PORT=1521))
    TNS-01189: The listener could not authenticate the user
    LSNRCTL>

TNS-01189 shows the request failed listener authentication, so the stop is refused: Local OS Authentication cannot be satisfied from another host.

Enable password authentication on B's listener:

    LSNRCTL>change_password
    Old password: (none)
    New password: 123456
    Reenter new password: 123456
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ccddt)(PORT=1521)))
    Password changed for LISTENER
    The command completed successfully
    LSNRCTL>save_config
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ccddt)(PORT=1521)))
    Saved LISTENER configuration parameters.
    (output omitted)
    The command completed successfully

Test 2: pass the remote listener's password check and stop it remotely.

On A, first enter the wrong password 654321:

    LSNRCTL>set password 654321
    The command completed successfully
    LSNRCTL>stop listener_r
    Connecting to (ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.24)(PORT=1521))
    TNS-01169: The listener has not recognized the password
    TNS-01189: The listener could not authenticate the user

Authentication fails (again, "set password" reports success locally and the listener only rejects the password when the stop is attempted). Now enter the correct password 123456 on A:

    LSNRCTL>set password 123456
    The command completed successfully
    LSNRCTL>stop listener_r
    Connecting to (ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.24)(PORT=1521))
    The command completed successfully
    LSNRCTL>

The remote stop succeeds. Check the listener status on B: it has been stopped from A.

    LSNRCTL>status
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ccddt)(PORT=1521)))
    TNS-12541: TNS:no listener
    TNS-12560: TNS:protocol adapter error
    TNS-00511: No listener
    Linux Error: 111: Connection refused

Taken together, the tests show that on 10g a listener password does not tighten local control (the listener's owner bypasses it through OS authentication) but does open remote administration to anyone on the network who knows or guesses the password. Unless remote administration is genuinely required, leave the password unset and rely on Local OS Authentication; Oracle's documentation for 10g and 11g recommends the same, and later releases deprecate listener passwords.
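As an added example (not code from the original article), the following POSIX shell script audits the two things this article tests: the authentication mode a listener reports in Part 1, and which instances have registered with it in Part 2. It works on a captured "lsnrctl status" transcript and a listener.ora file; both inputs below are constructed samples modelled on the article's output, the PASSWORDS_LISTENER hash value is a placeholder, and the ADMIN_RESTRICTIONS_listener_name check refers to the standard listener.ora parameter that stops lsnrctl SET commands from altering a running listener, which the article does not discuss.

```shell
#!/bin/sh
# Added example: audit a captured `lsnrctl status` transcript and a listener.ora
# file for (1) the reported authentication mode and (2) registered instances.
# In practice feed it `lsnrctl status listener_name` output and the real file.

# Constructed sample: machine B's listener after A registered with it, with a
# listener password set (Part 1, Test 2, combined with Part 2).
SAMPLE_STATUS='LSNRCTL for Linux: Version 10.2.0.1.0 - Production
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ccddt)(PORT=1521)))
STATUS of the LISTENER
------------------------
Trace Level               off
Security                  ON: Password or Local OS Authentication
SNMP                      OFF
Listener Parameter File   /orahome/oracle/product/10.2.0/db_1/network/admin/listener.ora
Services Summary...
Service "lottery" has 1 instance(s).
  Instance "lottery", status READY, has 1 handler(s) for this service...
Service "mydata" has 1 instance(s).
  Instance "mydata", status READY, has 1 handler(s) for this service...
Service "product" has 1 instance(s).
  Instance "lottery", status READY, has 1 handler(s) for this service...
Service "test" has 1 instance(s).
  Instance "mydata", status READY, has 1 handler(s) for this service...
The command completed successfully'

# Constructed sample: the same listener with the 10g default (no password).
SAMPLE_STATUS_OS_ONLY=$(printf '%s\n' "$SAMPLE_STATUS" |
    sed 's/ON: Password or Local OS Authentication/ON: Local OS Authentication/')

# Constructed listener.ora after save_config; the hash value is a placeholder.
SAMPLE_LISTENER_ORA='LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.1.24)(PORT = 1521))
    )
  )
PASSWORDS_LISTENER = 0123456789ABCDEF'

# security_mode STATUS -> "password" | "os" | "off" | "unknown"
security_mode() {
    printf '%s\n' "$1" | awk '
        /^Security[ \t]+/ {
            if ($0 ~ /Password/) print "password"
            else if ($0 ~ /Local OS/) print "os"
            else print "off"
            found = 1; exit
        }
        END { if (!found) print "unknown" }'
}

# registered_services STATUS -> one "service instance" pair per line
registered_services() {
    printf '%s\n' "$1" | awk '
        /^Service "/        { svc = $2; gsub(/"/, "", svc) }
        /^[ \t]*Instance "/ { inst = $2; gsub(/[",]/, "", inst); print svc, inst }'
}

# foreign_instances STATUS "inst1 inst2 ..." -> registered instances not in the allow-list
foreign_instances() {
    registered_services "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($2 in ok) && !seen[$2]++ { print $2 }'
}

# listener_ora_findings ORA_TEXT -> one finding per line (empty when clean)
listener_ora_findings() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*PASSWORDS_/ { pw = 1 }
        toupper($0) ~ /^[ \t]*ADMIN_RESTRICTIONS_[A-Z0-9_]+[ \t]*=[ \t]*ON/ { ar = 1 }
        END {
            if (pw) print "listener password set: anyone holding it can administer the listener remotely"
            if (!ar) print "ADMIN_RESTRICTIONS_<listener> is not ON: lsnrctl SET can change the running listener"
        }'
}

# audit_listener STATUS ORA_TEXT "expected instances" -> human-readable report
audit_listener() {
    printf 'security mode: %s\n' "$(security_mode "$1")"
    listener_ora_findings "$2" | sed 's/^/WARN: /'
    foreign_instances "$1" "$3" | sed 's/^/WARN: unexpected registered instance: /'
}

# Machine B only expects its own instance "lottery"; "mydata" came from A.
audit_listener "$SAMPLE_STATUS" "$SAMPLE_LISTENER_ORA" "lottery"
```

The allow-list in the last argument is the set of instances the listener is supposed to serve; any other instance name in the Services Summary is a registration the listener accepted from elsewhere, which is exactly what the remote_listener experiment above produces and what an unexpected remote registration would look like.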
