一.官網說明
MOS 上的一篇文章:
Setting Listener Passwords With an Oracle10g or Newer Listener [ID 260986.1]
這里面提到如下內容:
In Oracle 10gand newer versions of the listener, the listener is secure out of the box.There should be no need to set a listener password to prohibit privilegedLSNRCTL commands from being executed.
--自Oracle10g后,listener 不需要設置密碼。
Beginning withversion 10g, the listener now uses local OS authentication. As long as oneruns LSNRCTL privileged commands (stop, status, etc) as the same user whostarted the listener, that user will be able to fully administer the runninglistener without providing a password.
--從10g開始,listener 使用local OS authentication。
This securityfeature is enabled by default and can be identified at listener startup,or when issuing a LSNRCTL STATUS command, by the following output:
Security ON:Local OS Authentication
If theTNSListener is started as the "oracle" user and the user"sales" attempts to administer the listener, or if"oracle" on a different node attempts to administer thelistener, the following error will be returned:
TNS-01190: The user is not authorized to execute the requested listener command
如果使用oracle用戶來啟動listener,那么可以使用OS 認證,就不需要輸入密碼,如果使用其他的用戶來登陸,就需要密碼了。
1.1 配置密碼
Configuring and Changing the Oracle NetListener Password
http://docs.oracle.com/cd/E11882_01/network.112/e10836/listenercfg.htm#NETAG459
Localadministration of the listener is secure by default through the local operatingsystem. Therefore configuring a password is neither required nor recommendedfor secure local administration. However, a password can be configured for thelistener to provide security for administrative operations, such as starting orstopping the listener, viewing a list of supported services, or saving changesto the Listener Control configuration.
--listener 的安全默認使用本地操作系統的認證。 因此對listener 不需要也不推薦。 但是,設置密碼可以用來控制管理操作,比如start 或者stop listener,查看supported services 列表或者保存listener的配置。
Note:
If the PASSWORDS_listener_name parameteris set to an unencrypted password, then you must manually remove it fromthe listener.orafile before changing it. If the unencrypted password isnot removed, then you are unable to set an encrypted password.
--注意,如果 PASSWORDS_listener_name 參數被設置為unencryptedpassword,那么必須從listener.ora 文件里移除這個參數,如果該參數沒有移除,就不能設置密碼。
You can use theListener Control utility (lsnrctl) or Oracle Enterprise Manager toconfigure or change the Oracle Net Listener password.
可以使用lsnrctl 或者OEM,或Oracle Net Listener 來設置密碼:
(1)To set a new encrypted passwordusing lsnrctl, do the following:
LSNRCTL> SET PASSWORD
Password: password
The command completed successfully
--該命令用來登陸listener,登陸成功之后才可以進行相關的操作。
(2)To change an encrypted passwordusing lsnrctl, do the following:
LSNRCTL> CHANGE_PASSWORD
Old password: old_password
New password: new_secure_password
Reenter new password: new_secure_password
Connecting to(DESCRIPTION=(ADDRESS=(PROTOCOL=tpc)(HOST=sales-server)(PORT=1521)))
Password changed for LISTENER
The command completed successfully
LSNRCTL> SAVE_CONFIG
Connecting to(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=sales-server)(PORT=1521)))
Saved LISTENER configuration parameters.
Listener Parameter File /oracle/network/admin/listener.ora
Old Parameter File /oracle/network/admin/listener.bak
The command completed successfully
(3)To set or change an encrypted password with OracleEnterprise Manager, do the following:
1)Access theNet Services Administration page in Oracle Enterprise Manager.
2)Select Listeners fromthe Administer list, and then select the Oracle home that contains the locationof the configuration files.
3)Click Go.You may be prompted to log in to the database server.
The Listeners page appears.
4)Select alistener, and then click Edit.
The Edit Listeners page appears.
5)Clickthe Authentication tab.
6)Click Requirea password for listener operations.
7)Click OK.
8)Restart thelistener.
1.2 移除密碼
Removing the Listener Password
http://docs.oracle.com/cd/E11882_01/network.112/e10835/mignet.htm#NETRF1971
In OracleDatabase 11g Release 2 (11.2), the password feature is being deprecated.This does not cause a loss of security because authentication is enforcedthrough local operating system authentication. To migrate a listener that has aset password, do the following:
--在Oracle 11gR2里,listener 的密碼功能已經被廢除,因為本地的OS 認證被加強。 移除listener 的密碼通過如下步驟:
(1)Remove allPASSWORDS_listener_name entries from the listener.ora file.
(2)Reload the listener using thefollowing command:
lsnrctl reload listener_name
If remote administration of a listener is required, then use one of the following methodsto connect to and administer the listener.
(1)Connect tothe host where listener is running using SSH or other secure method, and thenperform local administration. Local administration is enforced by the operatingsystem authentication.
(2)Use OracleEnterprise Manager to administer the listener. Oracle Enterprise Manager usesHTTPS, which ensures security.
二.示例
2.1 查看監聽狀態
LSNRCTL> status
Connecting to(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for 32-bit Windows:Version 11.2.0.1.0 - Production
Start Date 18-DEC-2011 10:53:55
Uptime 0 days 9 hr. 38 min. 4 sec
Trace Level off
Security ON: Local OS Authentication
--注意這里默認的安全級別
SNMP OFF
Listener Parameter File D:\app\Administrator\product\11.2.0\dbhome_1\network\admin\listener.ora
Listener Log File d:\app\administrator\diag\tnslsnr\DAVIDDAI\listener\alert\log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1521ipc)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=DAVIDDAI)(PORT=1521)))
Services Summary...
Service "CLRExtProc" has 1instance(s).
Instance "CLRExtProc", status UNKNOWN, has 1 handler(s) forthis service...
Service "dave" has 1 instance(s).
Instance "NEWCCS", status UNKNOWN, has 1 handler(s) for thisservice...
Service "newccs" has 1instance(s).
Instance "newccs", status READY, has 1 handler(s) for thisservice...
Service "newccsXDB" has 1instance(s).
Instance "newccs", status READY, has 1 handler(s) for thisservice...
The command completed successfully
2.2 改變密碼:
LSNRCTL> change_password
Old password:
New password:
Reenter new password:
Connecting to(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
Password changed for LISTENER
The command completed successfully
--查看status
LSNRCTL> status
Connecting to(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for 32-bit Windows:Version 11.2.0.1.0 - Production
Start Date 18-DEC-2011 10:53:55
Uptime 0 days 9 hr. 56 min. 54 sec
Trace Level off
Security ON: Password or Local OSAuthentication
--這里的驗證方式發生改變,這里顯示的額信息表明Listener的安全機制使用了Password方式或者Local OS Authentication方式,在這種狀態下,即使是設置了監聽密碼,對於啟動監聽的user來說,也仍然是不需要任何密碼就可以停止監聽的。
SNMP OFF
Listener Parameter File D:\app\Administrator\product\11.2.0\dbhome_1\network\admin\listener.ora
Listener Log File d:\app\administrator\diag\tnslsnr\DAVIDDAI\listener\alert\log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1521ipc)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=DAVIDDAI)(PORT=1521)))
Services Summary...
Service "CLRExtProc" has 1instance(s).
Instance "CLRExtProc", status UNKNOWN, has 1 handler(s) forthis service...
Service "dave" has 1 instance(s).
Instance "NEWCCS", status UNKNOWN, has 1 handler(s) for thisservice...
Service "newccs" has 1instance(s).
Instance "newccs", status READY, has 1 handler(s) for thisservice...
Service "newccsXDB" has 1instance(s).
Instance "newccs", status READY, has 1 handler(s) for thisservice...
The command completed successfully
--保存配置:
LSNRCTL> save_config
Connecting to(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
Saved LISTENER configuration parameters.
Listener Parameter File D:\app\Administrator\product\11.2.0\dbhome_1\network\admin\listener.ora
Old Parameter File D:\app\Administrator\product\11.2.0\dbhome_1\network\admin\listener.bak
The command completed successfully
--注意這里,當我們改變密碼之后,在保存配置時,原listener.ora 文件保存了listener.bak. 修改的參數添加到現在的listener.ora 文件里。
查看listener.ora 文件,多了一個密碼:
#----ADDED BY TNSLSNR 18-DEC-201120:52:38---
PASSWORDS_LISTENER = 1DF5C2FD0FE9CFA2
#--------------------------------------------
2.3 用Listener密碼登陸
默認口令為空.
LSNRCTL> set password
Password:
The command completed successfully
2.4 測試一: 用啟動listener的用戶
C:\Users\Administrator.DavidDai>lsnrctl
LSNRCTL for 32-bit Windows: Version 11.2.0.1.0- Production on 18-DEC-2011 21:13:42
Copyright (c) 1991, 2010, Oracle. All rights reserved.
Welcome to LSNRCTL, type "help"for information.
LSNRCTL> set current_listener listener
Current Listener is listener
LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
The command completed successfully
LSNRCTL> start
Starting tnslsnr: please wait...
TNSLSNR for 32-bit Windows: Version11.2.0.1.0 - Production
System parameter file isD:\app\Administrator\product\11.2.0\dbhome_1\network\admin\listener.ora
Log messages written tod:\app\administrator\diag\tnslsnr\DAVIDDAI\listener\alert\log.xml
Listening on:(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1521ipc)))
Listening on:(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=DAVIDDAI)(PORT=1521)))
Connecting to(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
STATUS of the LISTENER
------------------------
Alias listener
Version TNSLSNR for 32-bit Windows:Version 11.2.0.1.0 - Production
Start Date 18-DEC-2011 21:15:59
Uptime 0 days 0 hr. 0 min. 5 sec
Trace Level off
Security ON: Password or Local OSAuthentication
SNMP OFF
Listener Parameter File D:\app\Administrator\product\11.2.0\dbhome_1\network\admin\listener.ora
Listener Log File d:\app\administrator\diag\tnslsnr\DAVIDDAI\listener\alert\log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1521ipc)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=DAVIDDAI)(PORT=1521)))
Services Summary...
Service "CLRExtProc" has 1instance(s).
Instance "CLRExtProc", status UNKNOWN, has 1 handler(s) forthis service...
Service "dave" has 1 instance(s).
Instance "NEWCCS", status UNKNOWN, has 1 handler(s) for thisservice...
The command completed successfully
LSNRCTL>
通過以上測試,對於啟動listener的用戶,不需要密碼。
2.5. 設置 LOCAL_OS_AUTHENTICATION 參數
OS 認證是Oracle 10g里推出的,所以我這里直接禁用掉OS認證,這樣只要密碼文件存在,所有操作都需要set password。
在listener.ora 文件里添加如下參數:
LOCAL_OS_AUTHENTICATION_[listenername]=OFF
--開始測試:
C:\Users\Administrator.DavidDai>lsnrctlreload listener
LSNRCTL for 32-bit Windows: Version11.2.0.1.0 - Production on 18-DEC-2011 21:41:10
Copyright (c) 1991, 2010, Oracle. All rights reserved.
Connecting to(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
The command completed successfully
C:\Users\Administrator.DavidDai>lsnrctlstatus
LSNRCTL for 32-bit Windows: Version11.2.0.1.0 - Production on 18-DEC-2011 21:41:21
Copyright (c) 1991, 2010, Oracle. All rights reserved.
Connecting to(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
TNS-01169: The listenerhas not recognized the password
這里就需要我們輸入密碼了。
C:\Users\Administrator.DavidDai>lsnrctl
LSNRCTL for 32-bit Windows: Version11.2.0.1.0 - Production on 18-DEC-2011 21:41:55
Copyright (c) 1991, 2010, Oracle. All rights reserved.
Welcome to LSNRCTL, type "help"for information.
LSNRCTL> set current_listener listener
Current Listener is listener
LSNRCTL> status
Connecting to(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
TNS-01169: The listener has not recognizedthe password
LSNRCTL> set password
--設置密碼后,操作成功
Password:
The command completed successfully
LSNRCTL> status
Connecting to(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
STATUS of the LISTENER
------------------------
Alias listener
Version TNSLSNR for 32-bit Windows: Version11.2.0.1.0 - Production
Start Date 18-DEC-2011 21:15:59
Uptime 0 days 0 hr. 26 min. 22 sec
Trace Level off
Security ON: Password
SNMP OFF
Listener Parameter File D:\app\Administrator\product\11.2.0\dbhome_1\network\admin\listener.ora
Listener Log File d:\app\administrator\diag\tnslsnr\DAVIDDAI\listener\alert\log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1521ipc)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=DAVIDDAI)(PORT=1521)))
Services Summary...
Service "CLRExtProc" has 1instance(s).
Instance "CLRExtProc", status UNKNOWN, has 1 handler(s) forthis service...
Service "dave" has 1 instance(s).
Instance "NEWCCS", status UNKNOWN, has 1 handler(s) for thisservice...
Service "newccs" has 1instance(s).
Instance "newccs", status READY, has 1 handler(s) for thisservice...
Service "newccsXDB" has 1instance(s).
Instance"newccs", status READY, has 1 handler(s) for this service...
The command completed successfully
LSNRCTL>
2.7 移除密碼
如果監聽已啟動,密碼忘記了,直接修改listener.ora文件是沒用的,因為那個文件在監聽啟動后甚至可以刪除,所以可以先在操作系統中kill掉系統進程,然后在listener.ora文件中移除PASSWORDS_LISTENER參數,再啟動監聽密碼恢復為空。
小結:
在Oracle 10g 以后已經不推薦對listener 設置密碼了,所以這里僅做為一個知識點了解一下。
-------------------------------------------------------------------------------------------------------
版權所有,文章允許轉載,但必須以鏈接方式注明源地址,否則追究法律責任!
Email: tianlesoftware@gmail.com
Skype: tianlesoftware
Blog: http://www.tianlesoftware.com
Weibo: http://weibo.com/tianlesoftware
Twitter: http://twitter.com/tianlesoftware
Facebook:http://www.facebook.com/tianlesoftware
-------加群需要在備注說明Oracle表空間和數據文件的關系,否則拒絕申請----
DBA1 群:62697716(滿); DBA2 群:62697977(滿) DBA3 群:62697850(滿)
DBA 超級群:63306533(滿); DBA4 群:83829929 DBA5群: 142216823
DBA6 群:158654907 DBA7 群:172855474