OGG 12.1: WARNING OGG-00936 Access denied (request from xxxx, rule #0)

一、報錯

Ogg12.1版本，DB11.2.0.4

安裝OGG軟件后,MGR進程看起來是running狀態，后續配置抽取進程無法啟動，觀察mgr進程日志顯示上述報錯！！！

 OGG 12.2: WARNING OGG-00936 Access denied (request from xxxx, rule #0)
OGG MGR參數配置

ACCESSRULE,PROG SERVER,ALLOW

 

 

二、問題處理

2.1 MOS 2095174.1

OGG無法啟動和停止MGR的使用！！！
OGG 12.2: WARNING OGG-00936 Access denied (request from xxxx, rule #0) (Doc ID 2095174.1)
APPLIES TO:
Oracle GoldenGate - Version 12.1.2.1.1 and later
Information in this document applies to any platform.
SYMPTOMS
In ogg version 12.2, by default, the manager (and related extract/replicat) cannot be stopped/started remotely.
1. start manager from a shared drive, then try to stop from another server with same shared directory (like different RAC nodes)
2. start direct initial load.
error:
WARNING OGG-00936 Access denied (request from xxxx, rule #0)
ERROR OGG-01201 Error reported by MGR : Access denied. 
CAUSE
 In ogg version 12.2, by default, the manager (and related extract/replicat) cannot be stopped/started remotely.
SOLUTION
The manager parameter ACCESSRULE can be used to control connection access to the Manager process and the processes under its control.
It can be specified in the manager parameter file (the default location for the Oracle GoldenGate parameter files is the dirprm sub-directory
 of the Oracle GoldenGate directory)
 ACCESSRULE, PROG *, IPADDR *, ALLOW 
按照MOS的建議,調整后,kill mgr,start mgr 恢復使用！ 但是為什么無法啟動停止MGR呢？？？ 這個參數代表什么含義？ 

 

2.2 參數說明

https://docs.oracle.com/en/middleware/goldengate/core/19.1/reference/accessrule.html#GUID-6C74776D-2E05-429A-8B86-EBE882B4CF49
ACCESSRULE
Valid for Manager
以控制連接訪問管理器進程，並在其控制下的過程。
Use ACCESSRULE to control connection access to the Manager process and the processes under its control. You can establish multiple
 rules by specifying multiple ACCESSRULE statements in the parameter file and control their priority. There is no limit to the number
 of rules that you can specify. To establish priority, you can either list the rules in order from most important to least important,
 or you can explicitly set the priority of each rule with the PRI option.
Default  None

程序名稱
PROG program_name
配置訪問規則適用於MGR的啟動、停止、或者Kill,*統配符號,代表指定上述所有操作！
Specifies connection security for a specific Oracle GoldenGate program or multiple programs specified with a wildcard. If one of these
 options is not specified, the access rule applies to all programs that Manager starts, stops, or kills.
Valid values:
GGSCI: Secures access to the GGSCI command-line interface.
GUI: Secures access to Oracle GoldenGate from the Activity Console.
MGR | MANAGER: Secures access to all inter-process commands controlled by Manager, such as START, STOP, and KILL
REPLICAT: Secures connection to the Replicat process.
COLLECTOR | SERVER: Secures the ability to dynamically create a Collector process.
* (asterisk): Wildcard. Use a wildcard to specify all of the preceding options.

IPADDR address
允許指定IP的主機,訪問MGR
Permits access to Manager from the host with the specified IP address.

優先規則
PRI rule
為每個ACCESSRULE訪問語句指定優先級別,有效值1-99,1是優先級別最高！
Specifies a priority for each ACCESSRULE statement. Valid values are from 1 through 99, with 1 being the highest priority and 99 being
 the lowest. Rules that have priorities assigned can appear in any order in the parameter file.

login_ID
允許基於用戶密碼的訪問,此參數需要指定USER and PASSWORD選項,或者使用秘鑰
Permits access based on a user password. This option requires specifying USER and PASSWORD options with the RMTHOST parameter.
The syntax for login_ID is:
USER user, PASSWORD password, [ENCRYPTKEY keyname]
Valid values:
user : The user specified with the USER option of the RMTHOST parameter.
password: The password specified with the PASSWORD option of the RMTHOST parameter.
keyname: Optional. Specifies an encryption key in the ENCKEYS file.
When ENCRYPTKEY keyname is used as part of the login ID, Oracle GoldenGate looks up the key in the ENCKEYS file on the target system and
 uses it to decrypt the corresponding password. If the decrypted password matches the password supplied with the password portion of the
 login ID option, the rule passes.

ALLOW | DENY
指定的規則是允許訪問還是拒絕訪問
Determines whether the rule specified with ACCESSRULE permits or denies access. Either ALLOW or DENY is required.


Example 1
以下訪問規則允許任何以 IP 地址 205 或節點 194.168.11.102 開頭的節點訪問請求的服務。所有其他人都被拒絕。
The following access rules allow any nodes that begin with IP address 205 or the node 194.168.11.102 to access the requested services.
 All others are denied.
ACCESSRULE, PROG *, IPADDR 194.168.11.102, ALLOW ACCESSRULE, PROG *, IPADDR 205.*, ALLOW ACCESSRULE, PROG *, IPADDR *, DENY

Example 2
以下訪問規則已通過 PRI 選項指定了明確的優先級。這些規則允許任何用戶訪問收集器進程（SERVER 程序），此外，允許 IP 地址 122.11.12.13 訪問 GGSCI 命令。
拒絕訪問所有其他 Oracle GoldenGate 程序。
ACCESSRULE、PROG *、DENY、PRI 99ACCESSRULE、PROG SERVER、ALLOW、PRI 1ACCESSRULE、PROG GGSCI、IPADDR 122.11.12.13、PRI 1

Example 3
以下訪問規則與示例 2 相同，但它們通過它們在參數文件中的順序而不是PRI選項來分配優先級。
ACCESSRULE, PROG SERVER, ALLOWACCESSRULE, PROG GGSCI, IPADDR 122.11.12.13 ACCESSRULE, PROG *, DENY

Example 4
以下訪問規則授予用戶JOHN具有訪問所有程序的權限。
ACCESSRULE, PROG *, USER JOHN, PASSWORD OCEAN1

Example 5
以下訪問規則授予用戶 JOHN 訪問所有程序的權限，並指定一個加密密鑰來解密密碼。如果提供的密碼與查找文件中的密碼PASSWORD匹配ENCKEYS，則授予連接。
ACCESSRULE, PROG *, USER JOHN, PASSWORD OCEAN1, ENCRYPTKEY lookup1

看完這個參數，我們可以理解，最初的配置是ACCESSRULE,PROG SERVER,ALLOW ，即允許其它人訪問,獲取Secures the ability to dynamically create a Collector process.
但是呢？ 並沒有啟動和關閉MGR的能力,因此按照MOS調整后,大家都有stop,start,kill的權限了！！！ 
但是這個問題12.2的OGG是沒有問題的！ 我的測試參數是從12.2 OGG MGR Copy過來的！