Oracle Listener Password Configuration: Examples and Explanation
1. Official documentation
An article on MOS:
Setting Listener Passwords With an Oracle10g or Newer Listener [ID 260986.1]
It says the following:
In Oracle 10g and newer versions of the listener, the listener is secure out of the box. There should be no need to set a listener password to prohibit privileged LSNRCTL commands from being executed.
-- Since Oracle 10g, the listener does not need a password.
Beginning with version 10g, the listener now uses local OS authentication. As long as one runs LSNRCTL privileged commands (stop, status, etc) as the same user who started the listener, that user will be able to fully administer the running listener without providing a password.
-- Starting with 10g, the listener uses local OS authentication.
This security feature is enabled by default and can be identified at listener startup, or when issuing a LSNRCTL STATUS command, by the following output:
Security ON: Local OS Authentication
If the TNSListener is started as the "oracle" user and the user "sales" attempts to administer the listener, or if "oracle" on a different node attempts to administer the listener, the following error will be returned:
TNS-01190: The user is not authorized to execute the requested listener command
If the listener is started by the oracle user, OS authentication applies and no password has to be entered; if a different user logs in, a password is required.
1.1 Configuring a password
Configuring and Changing the Oracle Net Listener Password
http://docs.oracle.com/cd/E11882_01/network.112/e10836/listenercfg.htm#NETAG459
Local administration of the listener is secure by default through the local operating system. Therefore configuring a password is neither required nor recommended for secure local administration. However, a password can be configured for the listener to provide security for administrative operations, such as starting or stopping the listener, viewing a list of supported services, or saving changes to the Listener Control configuration.
-- By default, listener security relies on local operating system authentication, so a listener password is neither required nor recommended. However, a password can be set to control administrative operations such as starting or stopping the listener, viewing the list of supported services, or saving the listener configuration.
Note:
If the PASSWORDS_listener_name parameter is set to an unencrypted password, then you must manually remove it from the listener.ora file before changing it. If the unencrypted password is not removed, then you are unable to set an encrypted password.
-- Note: if the PASSWORDS_listener_name parameter is set to an unencrypted password, the parameter must be removed from the listener.ora file; if it is not removed, the password cannot be set.
You can use the Listener Control utility (lsnrctl) or Oracle Enterprise Manager to configure or change the Oracle Net Listener password.
lsnrctl or OEM can be used to set the Oracle Net Listener password:
(1) To set a new encrypted password using lsnrctl, do the following:
LSNRCTL> SET PASSWORD
Password: password
The command completed successfully
-- This command is used to log in to the listener; the related operations can be performed only after a successful login.
(2) To change an encrypted password using lsnrctl, do the following:
LSNRCTL> CHANGE_PASSWORD
Old password: old_password
New password: new_secure_password
Reenter new password: new_secure_password
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=tpc)(HOST=sales-server)(PORT=1521)))
Password changed for LISTENER
The command completed successfully
LSNRCTL> SAVE_CONFIG
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=sales-server)(PORT=1521)))
Saved LISTENER configuration parameters.
Listener Parameter File /oracle/network/admin/listener.ora
Old Parameter File /oracle/network/admin/listener.bak
The command completed successfully
(3) To set or change an encrypted password with Oracle Enterprise Manager, do the following:
1) Access the Net Services Administration page in Oracle Enterprise Manager.
2) Select Listeners from the Administer list, and then select the Oracle home that contains the location of the configuration files.
3) Click Go. You may be prompted to log in to the database server.
The Listeners page appears.
4) Select a listener, and then click Edit.
The Edit Listeners page appears.
5) Click the Authentication tab.
6) Click Require a password for listener operations.
7) Click OK.
8) Restart the listener.
1.2 Removing the password
Removing the Listener Password
http://docs.oracle.com/cd/E11882_01/network.112/e10835/mignet.htm#NETRF1971
In Oracle Database 11g Release 2 (11.2), the password feature is being deprecated. This does not cause a loss of security because authentication is enforced through local operating system authentication. To migrate a listener that has a set password, do the following:
-- In Oracle 11gR2 the listener password feature has been deprecated, because authentication is enforced through local OS authentication. To remove the listener password, follow these steps:
(1) Remove all PASSWORDS_listener_name entries from the listener.ora file.
(2) Reload the listener using the following command:
lsnrctl reload listener_name
If remote administration of a listener is required, then use one of the following methods to connect to and administer the listener.
(1) Connect to the host where listener is running using SSH or other secure method, and then perform local administration. Local administration is enforced by the operating system authentication.
(2) Use Oracle Enterprise Manager to administer the listener. Oracle Enterprise Manager uses HTTPS, which ensures security.
2. Examples
2.1 Checking the listener status
LSNRCTL> status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for 32-bit Windows: Version 11.2.0.1.0 - Production
Start Date 18-DEC-2011 10:53:55
Uptime 0 days 9 hr. 38 min. 4 sec
Trace Level off
Security ON: Local OS Authentication
-- Note the default security level here
SNMP OFF
Listener Parameter File D:\app\Administrator\product\11.2.0\dbhome_1\network\admin\listener.ora
Listener Log File d:\app\administrator\diag\tnslsnr\DAVIDDAI\listener\alert\log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1521ipc)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=DAVIDDAI)(PORT=1521)))
Services Summary...
Service "CLRExtProc" has 1 instance(s).
Instance "CLRExtProc", status UNKNOWN, has 1 handler(s) for this service...
Service "dave" has 1 instance(s).
Instance "NEWCCS", status UNKNOWN, has 1 handler(s) for this service...
Service "newccs" has 1 instance(s).
Instance "newccs", status READY, has 1 handler(s) for this service...
Service "newccsXDB" has 1 instance(s).
Instance "newccs", status READY, has 1 handler(s) for this service...
The command completed successfully
2.2 Changing the password:
LSNRCTL> change_password
Old password:
New password:
Reenter new password:
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
Password changed for LISTENER
The command completed successfully
-- Check the status
LSNRCTL> status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for 32-bit Windows: Version 11.2.0.1.0 - Production
Start Date 18-DEC-2011 10:53:55
Uptime 0 days 9 hr. 56 min. 54 sec
Trace Level off
Security ON: Password or Local OS Authentication
-- The authentication mode has changed here. The information shown indicates that the listener's security mechanism uses either the password or Local OS Authentication. In this state, even though a listener password has been set, the user who started the listener can still stop it without any password.
SNMP OFF
Listener Parameter File D:\app\Administrator\product\11.2.0\dbhome_1\network\admin\listener.ora
Listener Log File d:\app\administrator\diag\tnslsnr\DAVIDDAI\listener\alert\log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1521ipc)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=DAVIDDAI)(PORT=1521)))
Services Summary...
Service "CLRExtProc" has 1 instance(s).
Instance "CLRExtProc", status UNKNOWN, has 1 handler(s) for this service...
Service "dave" has 1 instance(s).
Instance "NEWCCS", status UNKNOWN, has 1 handler(s) for this service...
Service "newccs" has 1 instance(s).
Instance "newccs", status READY, has 1 handler(s) for this service...
Service "newccsXDB" has 1 instance(s).
Instance "newccs", status READY, has 1 handler(s) for this service...
The command completed successfully
-- Save the configuration:
LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
Saved LISTENER configuration parameters.
Listener Parameter File D:\app\Administrator\product\11.2.0\dbhome_1\network\admin\listener.ora
Old Parameter File D:\app\Administrator\product\11.2.0\dbhome_1\network\admin\listener.bak
The command completed successfully
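-- Note that after changing the password, saving the configuration backs up the original listener.ora file as listener.bak, and the changed parameter is added to the current listener.ora file.
Looking at the listener.ora file, a password entry has been added:
#----ADDED BY TNSLSNR 18-DEC-2011 20:52:38---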
PASSWORDS_LISTENER = 1DF5C2FD0FE9CFA2
#--------------------------------------------
2.3 Logging in with the listener password
The default password is empty.
LSNRCTL> set password
Password:
The command completed successfully
2.4 Test 1: as the user who started the listener
C:\Users\Administrator.DavidDai>lsnrctl
LSNRCTL for 32-bit Windows: Version 11.2.0.1.0 - Production on 18-DEC-2011 21:13:42
Copyright (c) 1991, 2010, Oracle. All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL> set current_listener listener
Current Listener is listener
LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
The command completed successfully
LSNRCTL> start
Starting tnslsnr: please wait...
TNSLSNR for 32-bit Windows: Version 11.2.0.1.0 - Production
System parameter file is D:\app\Administrator\product\11.2.0\dbhome_1\network\admin\listener.ora
Log messages written to d:\app\administrator\diag\tnslsnr\DAVIDDAI\listener\alert\log.xml
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1521ipc)))
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=DAVIDDAI)(PORT=1521)))
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
STATUS of the LISTENER
------------------------
Alias listener
Version TNSLSNR for 32-bit Windows: Version 11.2.0.1.0 - Production
Start Date 18-DEC-2011 21:15:59
Uptime 0 days 0 hr. 0 min. 5 sec
Trace Level off
Security ON: Password or Local OS Authentication
SNMP OFF
Listener Parameter File D:\app\Administrator\product\11.2.0\dbhome_1\network\admin\listener.ora
Listener Log File d:\app\administrator\diag\tnslsnr\DAVIDDAI\listener\alert\log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1521ipc)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=DAVIDDAI)(PORT=1521)))
Services Summary...
Service "CLRExtProc" has 1 instance(s).
Instance "CLRExtProc", status UNKNOWN, has 1 handler(s) for this service...
Service "dave" has 1 instance(s).
Instance "NEWCCS", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully
LSNRCTL>
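The test above shows that the user who started the listener does not need a password.
2.5 Setting the LOCAL_OS_AUTHENTICATION parameter
OS authentication was introduced in Oracle 10g, so here I disable OS authentication outright; then, as long as the password file exists, every operation requires set password.
Add the following parameter to the listener.ora file:
LOCAL_OS_AUTHENTICATION_[listenername]=OFF
-- Start the test:
C:\Users\Administrator.DavidDai>lsnrctl reload listener
LSNRCTL for 32-bit Windows: Version 11.2.0.1.0 - Production on 18-DEC-2011 21:41:10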
Copyright (c) 1991, 2010, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
The command completed successfully
C:\Users\Administrator.DavidDai>lsnrctl status
LSNRCTL for 32-bit Windows: Version 11.2.0.1.0 - Production on 18-DEC-2011 21:41:21
Copyright (c) 1991, 2010, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
TNS-01169: The listener has not recognized the password
Here we are required to enter the password.
C:\Users\Administrator.DavidDai>lsnrctl
LSNRCTL for 32-bit Windows: Version 11.2.0.1.0 - Production on 18-DEC-2011 21:41:55
Copyright (c) 1991, 2010, Oracle. All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL> set current_listener listener
Current Listener is listener
LSNRCTL> status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
TNS-01169: The listener has not recognized the password
LSNRCTL> set password
-- After the password is set, the operation succeeds
Password:
The command completed successfully
LSNRCTL> status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
STATUS of the LISTENER
------------------------
Alias listener
Version TNSLSNR for 32-bit Windows: Version 11.2.0.1.0 - Production
Start Date 18-DEC-2011 21:15:59
Uptime 0 days 0 hr. 26 min. 22 sec
Trace Level off
Security ON: Password
SNMP OFF
Listener Parameter File D:\app\Administrator\product\11.2.0\dbhome_1\network\admin\listener.ora
Listener Log File d:\app\administrator\diag\tnslsnr\DAVIDDAI\listener\alert\log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1521ipc)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=DAVIDDAI)(PORT=1521)))
Services Summary...
Service "CLRExtProc" has 1 instance(s).
Instance "CLRExtProc", status UNKNOWN, has 1 handler(s) for this service...
Service "dave" has 1 instance(s).
Instance "NEWCCS", status UNKNOWN, has 1 handler(s) for this service...
Service "newccs" has 1 instance(s).
Instance "newccs", status READY, has 1 handler(s) for this service...
Service "newccsXDB" has 1 instance(s).
Instance "newccs", status READY, has 1 handler(s) for this service...
The command completed successfully
LSNRCTL>
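2.7 Removing the password
If the listener is already running and the password has been forgotten, editing the listener.ora file directly has no effect, because that file can even be deleted once the listener has started. So first kill the listener process at the operating system level, then remove the PASSWORDS_LISTENER parameter from the listener.ora file; when the listener is started again, the password is back to empty.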
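An added example, not part of the original post or of Oracle's documentation: a Python check that reads listener.ora text and reports, per listener, the PASSWORDS_ and LOCAL_OS_AUTHENTICATION_ settings covered above together with the Security line that lsnrctl status shows for them. The LSNR2 entry, the 16-hex-digit test for an encrypted value and the label for the case with no password and OS authentication off (a state the post does not show) are assumptions.

```python
import re

# Constructed sample listener.ora; the parameter names and the hash are the
# ones shown in this post, LSNR2 and its password are made up.
SAMPLE = """\
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = DAVIDDAI)(PORT = 1521)))
#----ADDED BY TNSLSNR 18-DEC-2011 20:52:38---
PASSWORDS_LISTENER = 1DF5C2FD0FE9CFA2
#--------------------------------------------
LOCAL_OS_AUTHENTICATION_LISTENER = OFF
PASSWORDS_LSNR2 = (welcome1)
"""

PARAM = re.compile(r"(PASSWORDS|LOCAL_OS_AUTHENTICATION)_(\w+)\s*=\s*(.*)", re.I)

def audit_listener_ora(text):
    """Map listener name -> password state, OS auth state, status line, findings."""
    found, depth = {}, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PARAM.fullmatch(line) if depth == 0 else None  # top-level parameters only
        depth += line.count("(") - line.count(")")
        if not m:
            continue
        kind, name, value = m.group(1).upper(), m.group(2).upper(), m.group(3).strip("() ")
        e = found.setdefault(name, {"password": "none", "os_auth": True})
        if kind == "PASSWORDS":
            # Assumption: an encrypted value is 16 hex digits, like the post's sample.
            e["password"] = "encrypted" if re.fullmatch(r"[0-9A-Fa-f]{16}", value) else "plaintext"
        else:
            e["os_auth"] = value.upper() != "OFF"
    for name, e in found.items():
        modes = ["Password"] * (e["password"] != "none") + ["Local OS Authentication"] * e["os_auth"]
        # The fallback label is this example's own; the post never shows that state.
        e["security"] = "ON: " + " or ".join(modes) if modes else "no authentication configured"
        e["findings"] = []
        if e["password"] != "none":
            e["findings"].append(f"remove PASSWORDS_{name}, then: lsnrctl reload {name}")
        if e["password"] == "plaintext":
            e["findings"].append("password is stored unencrypted in listener.ora")
        if not e["os_auth"]:
            e["findings"].append(f"LOCAL_OS_AUTHENTICATION_{name}=OFF disables local OS authentication")
    return found

if __name__ == "__main__":
    for name, e in audit_listener_ora(SAMPLE).items():
        print(name, "| Security", e["security"], "|", "; ".join(e["findings"]))
```

A listener with neither parameter set does not appear in the result; it runs with the default shown in section 2.1, Security ON: Local OS Authentication.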
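Summary:
Since Oracle 10g, setting a password on the listener is no longer recommended, so it is covered here only as background knowledge.
Source: ITPUB blog, link: http://blog.itpub.net/24996904/viewspace-1164612/. If you reproduce this article, please credit the source; otherwise legal action will be pursued.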