Source: http://blog.csdn.net/smasegain/article/details/46640345
I. Official description
Starting with Oracle 11.2.0.4 and 12.1.0.1, Oracle Net Services ships a new feature: Valid Node Checking For Registration (VNCR). I could not find a detailed description of it in my offline copy of the official documentation; the description on MOS reads as follows:
VNCR is a new feature in Oracle Net 11.2.0.4 and 12c which allows instance registrations to only come from known servers.
The idea is to make the listener secure by allowing registration to succeed only if it originates from a valid node. The user can specify a list of nodes that can register with the listener.ora, or a list they want to exclude from registering. This eliminates complex COST setups to ensure malicious servers do not register with a listener. Just as in validnode checking, both invited/excluded cannot be specified together. If they are, invited nodes take precedence.
This feature is independent of the validnode checking that clients use.
Going by the official description, the feature controls which database instances are allowed to register their services with a listener. Used properly, it mitigates CVE-2012-1675 (the TNS listener "poison attack", in which a rogue host registers a service name with a listener and has client connections routed to itself).
The feature is off by default in 11gR2 (11.2.0.4) and on by default in 12c, so it has to be configured to suit the environment. It is controlled by the following listener.ora parameters (replace listener_name in each name with the actual listener name; for a listener called LSNR the first parameter is VALID_NODE_CHECKING_REGISTRATION_LSNR):
VALID_NODE_CHECKING_REGISTRATION_listener_name
Values:
OFF/0 - Disable VNCR. // VNCR disabled: registration requests are not checked at all.
ON/1/LOCAL - The default. Enable VNCR. All local machine IPs can register. // VNCR enabled (the default in 12c): only instances on the local host's own IP addresses may register with this listener; other hosts that legitimately need to register are added with REGISTRATION_INVITED_NODES.
SUBNET/2 - All machines in the subnet are allowed registration. // Any host in the listener's subnet may register.
REGISTRATION_INVITED_NODES_listener_name // The nodes allowed to register, given as IP addresses, host names or subnets.
Values are valid IPs, valid hosts, a subnet using CIDR notation (for ip4/6), or wildcard (*) for ipv4. For example: REGISTRATION_INVITED_NODES_Listener=(net-vm1, 127.98.45.209, 127.42.5.*)
Note that when an INVITED list is set, it will automatically include the machine's local IP in the list. There is no need to include it.
REGISTRATION_EXCLUDED_NODES_listener_name - the inverse of INVITED_NODES. // The nodes that may not register with this listener; same syntax as REGISTRATION_INVITED_NODES_listener_name. If both parameters are set, this one is ignored (as the official text states).
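The rules above can be checked offline before a production listener is touched. The following Python script is an added example (it is not code from the original post or from Oracle): it reads the VNCR parameters for one listener out of a listener.ora, applies the value aliases, the implicit local-IP allowance, the SUBNET rule and the invited-before-excluded precedence, and answers whether a registration arriving from a given source would be accepted. It assumes the host's own interfaces are supplied as CIDR strings (the real listener enumerates them itself), that host-name entries match by case-insensitive string comparison, and that the version-dependent default is passed in as default_mode (OFF for 11.2.0.4, ON for 12c). The sample listener.ora texts are constructed to mirror the node110 listener used in the test below; the weak form has no VNCR parameter, the hardened form enables it and invites node100.

```python
"""Offline evaluation of an Oracle listener.ora VNCR policy (added example)."""
import ipaddress
import re

# Value aliases documented for VALID_NODE_CHECKING_REGISTRATION_<listener>.
MODE_ALIASES = {
    "OFF": "OFF", "0": "OFF",
    "ON": "LOCAL", "1": "LOCAL", "LOCAL": "LOCAL",
    "SUBNET": "SUBNET", "2": "SUBNET",
}

PARAM_RE = re.compile(
    r"^\s*(VALID_NODE_CHECKING_REGISTRATION|REGISTRATION_INVITED_NODES|"
    r"REGISTRATION_EXCLUDED_NODES)_([A-Za-z0-9_]+)\s*=\s*(.+?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def read_vncr_params(listener_ora, listener):
    """Return {PARAM: value} for the three VNCR parameters of one listener."""
    found = {}
    for m in PARAM_RE.finditer(listener_ora):
        if m.group(2).upper() == listener.upper():
            found[m.group(1).upper()] = m.group(3)
    return found


def parse_node_list(value):
    """'(net-vm1, 127.98.45.209, 127.42.5.*)' -> ['net-vm1', '127.98.45.209', '127.42.5.*']"""
    return [n for n in value.strip().strip("()").replace(",", " ").split() if n]


def node_matches(entry, source):
    """True if source (an IP or host name) matches one invited/excluded entry:
    exact IP, CIDR subnet, IPv4 wildcard such as 127.42.5.*, or host name."""
    try:
        src_ip = ipaddress.ip_address(source)
    except ValueError:
        return entry.lower() == source.lower()        # host-name entry vs host-name source
    if "/" in entry:
        try:
            return src_ip in ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return False
    if "*" in entry and src_ip.version == 4:
        pattern = "^" + re.escape(entry).replace(r"\*", r"\d{1,3}") + "$"
        return re.match(pattern, source) is not None
    try:
        return ipaddress.ip_address(entry) == src_ip
    except ValueError:
        return False                                   # host-name entry cannot match a bare IP here


def registration_allowed(listener_ora, listener, source, local_interfaces, default_mode="OFF"):
    """Would this listener accept a service registration arriving from `source`?

    local_interfaces: the host's own addresses as 'ip/prefix' strings (assumption:
    the real listener enumerates them itself). default_mode: value assumed when the
    VNCR parameter is absent (OFF on 11.2.0.4, ON on 12c per the text above).
    """
    params = read_vncr_params(listener_ora, listener)
    raw = params.get("VALID_NODE_CHECKING_REGISTRATION", default_mode).upper()
    if raw not in MODE_ALIASES:
        raise ValueError("unknown VNCR mode %r" % raw)
    mode = MODE_ALIASES[raw]
    if mode == "OFF":
        return True                                    # nothing is checked: any host may register
    ifaces = [ipaddress.ip_interface(i) for i in local_interfaces]
    try:
        src_ip = ipaddress.ip_address(source)
    except ValueError:
        src_ip = None
    if src_ip is not None and any(src_ip == i.ip for i in ifaces):
        return True                                    # the machine's own IPs are always allowed
    if mode == "SUBNET" and src_ip is not None and any(src_ip in i.network for i in ifaces):
        return True
    invited = parse_node_list(params.get("REGISTRATION_INVITED_NODES", ""))
    excluded = parse_node_list(params.get("REGISTRATION_EXCLUDED_NODES", ""))
    if invited:                                        # invited takes precedence; excluded is ignored
        return any(node_matches(e, source) for e in invited)
    if excluded:
        return not any(node_matches(e, source) for e in excluded)
    return False                                       # LOCAL mode, remote host, no lists


# Constructed samples modelled on the post's node110 listener (11.2.0.4).
WEAK_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = Sample11))
      (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.100.110)(PORT = 1521))
    )
  )
"""
HARDENED_LISTENER_ORA = WEAK_LISTENER_ORA + """
VALID_NODE_CHECKING_REGISTRATION_LISTENER = 1
REGISTRATION_INVITED_NODES_LISTENER = (192.168.100.100)
"""
NODE110_INTERFACES = ["192.168.100.110/24"]

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_LISTENER_ORA), ("hardened", HARDENED_LISTENER_ORA)):
        for src in ("192.168.100.100", "192.168.100.120", "10.9.8.7"):
            print(name, src, registration_allowed(cfg, "LISTENER", src, NODE110_INTERFACES))
```

With the weak configuration every source is accepted on 11.2.0.4 (the parameter is absent and defaults to OFF), which is exactly the exposure CVE-2012-1675 relies on; with the hardened configuration only node110's own addresses and the invited 192.168.100.100 are accepted. The same function evaluates a SCAN listener name such as LISTENER_SCAN1, since the listener name is just the suffix of the parameter.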
II. Test and verification in a single-instance environment
Hosts and databases used in the test:
Item           Host 1             Host 2
Host IP        192.168.100.100    192.168.100.110
Host name      node100            node110
DB version     10.2.0.5           11.2.0.4
Service name   ggsp0              sample11
1. Check the listener configuration files on both nodes
node100
- LISTENER =
- (DESCRIPTION_LIST =
- (DESCRIPTION =
- (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.100.100)(PORT = 1521))
- )
- )
node110
- LISTENER =
- (DESCRIPTION_LIST =
- (DESCRIPTION =
- (ADDRESS = (PROTOCOL = IPC)(KEY = Sample11))
- (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.100.110)(PORT = 1521))
- )
- )
- ADR_BASE_LISTENER = /u01/app/oracle
- INBOUND_CONNECT_TIMEOUT_LISTENER=0
2. On each node's database, set remote_listener to the other node's listener
node100
- alter system set remote_listener='(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.100.110)(PORT=1521)))' scope=memory;
- SQL> show parameter remote_listener
- NAME                                 TYPE        VALUE
- ------------------------------------ ----------- ------------------------------
- remote_listener                      string      (DESCRIPTION=(ADDRESS=(PROTOCO
-                                                  L=tcp)(HOST=192.168.100.110)(P
-                                                  ORT=1521)))
node110
- alter system set remote_listener='(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.100.100)(PORT=1521)))' scope=memory;
3. Each node's listener log now contains the other node's registration, and each listener's service list shows the other node's service
- [oracle@node100 admin]$ lsnrctl serivce
- LSNRCTL for Linux: Version 10.2.0.5.0 - Production on 25-JUN-2015 20:57:10
- Copyright (c) 1991, 2010, Oracle. All rights reserved.
- NL-00853: undefined command "serivce". Try "help"
- [oracle@node100 admin]$ lsnrctl service
- LSNRCTL for Linux: Version 10.2.0.5.0 - Production on 25-JUN-2015 20:57:15
- Copyright (c) 1991, 2010, Oracle. All rights reserved.
- Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.100.100)(PORT=1521)))
- Services Summary...
- Service "sample11" has 1 instance(s).
- Instance "sample11", status READY, has 1 handler(s) for this service...
- Handler(s):
- "DEDICATED" established:0 refused:0 state:ready
- REMOTE SERVER
- (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(key=Sample11)))
- Service "sample11XDB" has 1 instance(s).
- Instance "sample11", status READY, has 1 handler(s) for this service...
- Handler(s):
- "D000" established:0 refused:0 current:0 max:1022 state:ready
- DISPATCHER <machine: node110, pid: 4875>
- (ADDRESS=(PROTOCOL=tcp)(HOST=node110)(PORT=39309))
- The command completed successfully
- Log entry:
- 25-JUN-2015 20:57:07 * service_update * sample11 * 0
4. Add the VNCR parameter to listener.ora: VALID_NODE_CHECKING_REGISTRATION_LISTENER=1. After reloading the listeners, the listener logs on the two nodes look as follows
node100
- 25-JUN-2015 21:03:36 * service_update * sample11 * 0
- 25-JUN-2015 21:03:54 * service_update * sample11 * 0
- 25-JUN-2015 21:04:09 * service_update * sample11 * 0
- 25-JUN-2015 21:04:18 * service_update * sample11 * 0
- 25-JUN-2015 21:04:21 * service_update * sample11 * 0
- 25-JUN-2015 21:04:36 * service_update * sample11 * 0
node110 (both nodes now try to register with each other's listener: the 11g listener rejects the registration from the 10g database, whereas the 10g listener, which has no VNCR, does not block the remote registration, as the node100 log above shows.)
- 25-JUN-2015 21:04:19 * service_register * sample11 * 0
- 25-JUN-2015 21:04:21 * service_update * sample11 * 0
- Listener(VNCR option 1) rejected Registration request from destination 192.168.100.100
- 25-JUN-2015 21:04:29 * service_register_NSGR * 1182
- TNS-01182: Listener rejected registration of service ""
- [oracle@node110 admin]$ lsnrctl status
- LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 25-JUN-2015 21:04:59
- Copyright (c) 1991, 2013, Oracle. All rights reserved.
- Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=Sample11)))
- STATUS of the LISTENER
- ------------------------
- Alias LISTENER
- Version TNSLSNR for Linux: Version 11.2.0.4.0 - Production
- Start Date 25-JUN-2015 16:27:06
- Uptime 0 days 4 hr. 37 min. 52 sec
- Trace Level off
- Security ON: Local OS Authentication
- SNMP OFF
- Listener Parameter File /u01/app/oracle/product/11.2.0/db_1/network/admin/listener.ora
- Listener Log File /u01/app/oracle/diag/tnslsnr/node110/listener/alert/log.xml
- Listening Endpoints Summary...
- (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=Sample11)))
- (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.100.110)(PORT=1521)))
- Services Summary...
- Service "sample11" has 1 instance(s).
- Instance "sample11", status READY, has 1 handler(s) for this service...
- Service "sample11XDB" has 1 instance(s).
- Instance "sample11", status READY, has 1 handler(s) for this service...
- The command completed successfully
5. Add an exception node: add REGISTRATION_INVITED_NODES_LISTENER=(192.168.100.100) to the 11g listener's listener.ora and reload the listener; the 10g database can then register again:
- 25-JUN-2015 21:10:23 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=node110)(USER=oracle))(COMMAND=reload)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=186647552)) * reload * 0
- 25-JUN-2015 21:10:25 * service_register * sample11 * 0
- 25-JUN-2015 21:10:28 * service_update * sample11 * 0
- 25-JUN-2015 21:10:28 * service_register * ggsp0 * 0
- Thu Jun 25 21:10:40 2015
- 25-JUN-2015 21:10:40 * service_update * sample11 * 0
6. SUBNET mode was not demonstrated in this test.
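The node110 log lines in steps 4 and 5 are what a detection rule should key on: an entry `Listener(VNCR option N) rejected Registration request from destination <ip>` followed by a `service_register_NSGR` event with return code 1182 (TNS-01182), and, once the invited list is in place, a `service_register` for the remote instance. The following Python script is an added example (not code from the original post): it parses listener log text in the plain-text format quoted above, records the first registration of each instance, pairs each VNCR rejection with its source address and with the timestamp of the NSGR entry that follows it, and flags any instance that registered but is not in the expected set. The sample log is constructed from the node110 entries in steps 4 and 5; the expected-instance set and the assumption that the untimestamped rejection line belongs to the next NSGR entry are this example's own.

```python
"""Summarise Oracle listener log text for registration activity (added example)."""
import re

TS_RE = re.compile(r"^\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}$")
REJECT_RE = re.compile(
    r"Listener\(VNCR option (\d+)\) rejected Registration request from destination (\S+)")


def parse_event(line):
    """Split a 'timestamp * field * field * code' listener log line.

    Returns (timestamp, event, subject, return_code) or None for any other line.
    Administrative commands log 'ts * connect_data * command * code', so the
    command is the third field there; service events log 'ts * event * instance * code'
    or, for the NSGR failure entry, just 'ts * service_register_NSGR * code'.
    """
    parts = [p.strip() for p in line.split(" * ")]
    if len(parts) < 3 or not TS_RE.match(parts[0]) or not parts[-1].isdigit():
        return None
    if parts[1].startswith("("):
        return parts[0], parts[2], parts[1], int(parts[-1])
    subject = parts[2] if len(parts) > 3 else ""
    return parts[0], parts[1], subject, int(parts[-1])


def analyze_listener_log(text, expected_instances):
    """Return registrations, VNCR rejections and unexpected instance names."""
    registered = {}       # instance -> timestamp of its first service_register
    rejections = []       # one dict per rejected registration
    pending = None        # rejection line seen, NSGR entry carrying its timestamp not yet seen
    for line in text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            pending = {"vncr_option": int(m.group(1)), "source": m.group(2)}
            continue
        ev = parse_event(line)
        if ev is None:
            continue
        stamp, event, subject, code = ev
        if event == "service_register" and code == 0:
            registered.setdefault(subject, stamp)
        elif event == "service_register_NSGR" and code != 0:
            rej = {"timestamp": stamp, "code": code, "vncr_option": None, "source": None}
            if pending is not None:
                rej.update(pending)   # assumption: the NSGR entry belongs to the last rejection line
                pending = None
            rejections.append(rej)
    unexpected = sorted(i for i in registered if i not in expected_instances)
    return {"registered": registered, "rejections": rejections, "unexpected": unexpected}


# Constructed from the node110 log entries quoted in steps 4 and 5 above.
SAMPLE_LOG = """\
25-JUN-2015 21:04:19 * service_register * sample11 * 0
25-JUN-2015 21:04:21 * service_update * sample11 * 0
Listener(VNCR option 1) rejected Registration request from destination 192.168.100.100
25-JUN-2015 21:04:29 * service_register_NSGR * 1182
TNS-01182: Listener rejected registration of service ""
25-JUN-2015 21:10:23 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=node110)(USER=oracle))(COMMAND=reload)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=186647552)) * reload * 0
25-JUN-2015 21:10:25 * service_register * sample11 * 0
25-JUN-2015 21:10:28 * service_register * ggsp0 * 0
Thu Jun 25 21:10:40 2015
25-JUN-2015 21:10:40 * service_update * sample11 * 0
"""

if __name__ == "__main__":
    import json
    print(json.dumps(analyze_listener_log(SAMPLE_LOG, {"sample11"}), indent=2))
```

The expected-instance check matters most on a listener that cannot enforce VNCR (the 10g node100 listener here): an accepted `service_register` does not record where it came from, so a registration under a name you do not own, or an extra instance registering a service name you do, is the only trace a poisoned registration leaves in the log.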
III. RAC configuration
In a RAC environment VNCR can ensure that only the cluster's own nodes register with its listeners. MOS describes the default configuration as follows:
- On 12.1 RAC databases, the parameter VALID_NODE_CHECKING_REGISTRATION_listener_name for both local and scan listeners is set by default to SUBNET/2 i.e. all machines in the subnet are allowed registration. This is done in order to allow registration to the local listeners and scan listeners from the instances on the other nodes of the RAC
and for 11.2.0.4:
- On 11.2.0.4 RAC databases, the parameter VALID_NODE_CHECKING_REGISTRATION_listener_name is set to off.
So 11g RAC leaves VNCR disabled by default, while 12c restricts registration to the subnet. To allow only the cluster's own database instances to register services with the listeners, proceed as follows.
On an 11.2.0.4 cluster, add these parameters to the listener configuration (the local listener plus each SCAN listener):
- VALID_NODE_CHECKING_REGISTRATION_LISTENER=1
- VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=1
- REGISTRATION_INVITED_NODES_LISTENER_SCAN1=(<list of public ip's of all nodes>)
- VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN2=1
- REGISTRATION_INVITED_NODES_LISTENER_SCAN2=(<list of public ip's of all nodes>)
- VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN3=1
- REGISTRATION_INVITED_NODES_LISTENER_SCAN3=(<list of public ip's of all nodes>)
In 12c the listener configuration is generated and maintained by the Grid Infrastructure agent, so VNCR has to be configured through srvctl; the syntax is as follows (the invitednodes/invitedsubnets options are not available in 11g):
IV. A new parameter in 12c
MOS also mentions a new 12c parameter that further strengthens VNCR. The official description is:
// All remote registration requests arriving on the normal listening endpoints are redirected to the private (HAIP) registration endpoint, which hosts outside the cluster cannot reach.
- Starting with 12c a new parameter is available, REMOTE_REGISTRATION_ADDRESS_<listener_name>. This parameter is configured internally in the SCAN listener to restrict registrations to the private network. The registration endpoint is on a private network within the cluster. All remote registration requests coming in on normal listening endpoints are redirected to the registration endpoint. Any system which is not a part of the cluster cannot connect to the endpoint.
- The value of this parameter should not be modified or specified explicitly. The only supported explicit setting is for turning this feature off by setting the value to OFF. The value is OFF in non-SCAN listeners.
- You can check its value by running:
- lsnrctl show remote_registration_address <scan name>:<scan listener port>
- All the instances registration requests will be redirected to this private endpoint and only the instances from the same cluster will be able to register with the scan listeners. This is the alternative for VNCR settings on local listeners.
- NOTE: In 12.1.0.2, the GI agent sets the remote_registration_address to HAIP or the private IP address by default. This is true for both local listener and scan_listener.
- The agent turns the remote_registration_address to off if invited_nodes or invited_subnet (VNCR) is set using srvctl.
- The agent also turns the remote_registration_address to off if invited_nodes or invited_subnet (VNCR) information is found in the listener.ora file.
- Both database and the GRID home must be at version 12. If the database is pre 12, the REMOTE_REGISTRATION_ADDRESS will not be set to HAIP.
V. References
NOTE:1914282.1 - How to Enable VNCR on RAC Database to Register only Local Instances
NOTE:1600630.1 - Valid Node Checking For Registration (VNCR)