Oracle Listener設定密碼示例說明

一.官網說明

MOS 上的一篇文章：

Setting Listener Passwords With an Oracle10g or Newer Listener [ID 260986.1]

這裡面提到如下內容：

In Oracle 10gand newer versions of the listener, the listener is secure out of the box.There should be no need to set a listener password to prohibit privilegedLSNRCTL commands from being executed.

--自Oracle10g後，listener 不需要設定密碼。

Beginning withversion 10g, the listener now uses local OS authentication. As long as oneruns LSNRCTL privileged commands (stop, status, etc) as the same user whostarted the listener, that user will be able to fully administer the runninglistener without providing a password.

--從10g開始，listener 使用local OS authentication。

This securityfeature is enabled by default and can be identified at listener startup,or when issuing a LSNRCTL STATUS command, by the following output:

Security ON:Local OS Authentication

If theTNSListener is started as the "oracle" user and the user"sales" attempts to administer the listener, or if"oracle" on a different node attempts to administer thelistener, the following error will be returned:
TNS-01190: The user is not authorized to execute the requested listener command

如果使用oracle使用者來啟動listener，那麼可以使用OS 認證，就不需要輸入密碼，如果使用其他的使用者來登陸，就需要密碼了。

1.1 配置密碼

Configuring and Changing the Oracle NetListener Password

http://docs.oracle.com/cd/E11882_01/network.112/e10836/listenercfg.htm#NETAG459

Localadministration of the listener is secure by default through the local operatingsystem. Therefore configuring a password is neither required nor recommendedfor secure local administration. However, a password can be configured for thelistener to provide security for administrative operations, such as starting orstopping the listener, viewing a list of supported services, or saving changesto the Listener Control configuration.

--listener 的安全預設使用本地作業系統的認證。因此對listener 不需要也不推薦。但是，設定密碼可以用來控制管理操作，比如start 或者stop listener，檢視supported services 列表或者儲存listener的配置。

Note:

If the PASSWORDS_listener_name parameteris set to an unencrypted password, then you must manually remove it fromthe listener.orafile before changing it. If the unencrypted password isnot removed, then you are unable to set an encrypted password.

--注意，如果 PASSWORDS_listener_name 引數被設定為unencryptedpassword，那麼必須從listener.ora 檔案裡移除這個引數，如果該引數沒有移除，就不能設定密碼。

You can use theListener Control utility (lsnrctl) or Oracle Enterprise Manager toconfigure or change the Oracle Net Listener password.

可以使用lsnrctl 或者OEM，或Oracle Net Listener 來設定密碼：

（1）To set a new encrypted passwordusing lsnrctl, do the following:

LSNRCTL> SET PASSWORD

Password: password

The command completed successfully

--該命令用來登陸listener，登陸成功之後才可以進行相關的操作。

（2）To change an encrypted passwordusing lsnrctl, do the following:

LSNRCTL> CHANGE_PASSWORD

Old password: old_password

New password: new_secure_password

Reenter new password: new_secure_password

Connecting to(DESCRIPTION=(ADDRESS=(PROTOCOL=tpc)(HOST=sales-server)(PORT=1521)))

Password changed for LISTENER

The command completed successfully

LSNRCTL> SAVE_CONFIG

Connecting to(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=sales-server)(PORT=1521)))

Saved LISTENER configuration parameters.

Listener Parameter File /oracle/network/admin/listener.ora

Old Parameter File /oracle/network/admin/listener.bak

The command completed successfully

（3）To set or change an encrypted password with OracleEnterprise Manager, do the following:

1）Access theNet Services Administration page in Oracle Enterprise Manager.

2）Select Listeners fromthe Administer list, and then select the Oracle home that contains the locationof the configuration files.

3）Click Go.You may be prompted to log in to the database server.

The Listeners page appears.

4）Select alistener, and then click Edit.

The Edit Listeners page appears.

5）Clickthe Authentication tab.

6）Click Requirea password for listener operations.

7）Click OK.

8）Restart thelistener.

1.2 移除密碼

Removing the Listener Password

http://docs.oracle.com/cd/E11882_01/network.112/e10835/mignet.htm#NETRF1971

In OracleDatabase 11g Release 2 (11.2), the password feature is being deprecated.This does not cause a loss of security because authentication is enforcedthrough local operating system authentication. To migrate a listener that has aset password, do the following:

--在Oracle 11gR2裡，listener 的密碼功能已經被廢除，因為本地的OS 認證被加強。移除listener 的密碼通過如下步驟：

（1）Remove allPASSWORDS_listener_name entries from the listener.ora file.

（2）Reload the listener using thefollowing command:

lsnrctl reload listener_name

If remote administration of a listener is required, then use one of the following methodsto connect to and administer the listener.

（1）Connect tothe host where listener is running using SSH or other secure method, and thenperform local administration. Local administration is enforced by the operatingsystem authentication.

（2）Use OracleEnterprise Manager to administer the listener. Oracle Enterprise Manager usesHTTPS, which ensures security.

二.示例

2.1 檢視監聽狀態

LSNRCTL> status

Connecting to(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))

STATUS of the LISTENER

------------------------

Alias LISTENER

Version TNSLSNR for 32-bit Windows:Version 11.2.0.1.0 - Production

Start Date 18-DEC-2011 10:53:55

Uptime 0 days 9 hr. 38 min. 4 sec

Trace Level off

Security ON: Local OS Authentication

--注意這裡預設的安全級別

SNMP OFF

Listener Parameter File D:\app\Administrator\product\11.2.0\dbhome_1\network\admin\listener.ora

Listener Log File d:\app\administrator\diag\tnslsnr\DAVIDDAI\listener\alert\log.xml

Listening Endpoints Summary...

(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1521ipc)))

(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=DAVIDDAI)(PORT=1521)))

Services Summary...

Service "CLRExtProc" has 1instance(s).

Instance "CLRExtProc", status UNKNOWN, has 1 handler(s) forthis service...

Service "dave" has 1 instance(s).

Instance "NEWCCS", status UNKNOWN, has 1 handler(s) for thisservice...

Service "newccs" has 1instance(s).

Instance "newccs", status READY, has 1 handler(s) for thisservice...

Service "newccsXDB" has 1instance(s).

Instance "newccs", status READY, has 1 handler(s) for thisservice...

The command completed successfully

2.2 改變密碼：

LSNRCTL> change_password

Old password:

New password:

Reenter new password:

Connecting to(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))

Password changed for LISTENER

The command completed successfully

--檢視status

LSNRCTL> status

Connecting to(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))

STATUS of the LISTENER

------------------------

Alias LISTENER

Version TNSLSNR for 32-bit Windows:Version 11.2.0.1.0 - Production

Start Date 18-DEC-2011 10:53:55

Uptime 0 days 9 hr. 56 min. 54 sec

Trace Level off

Security ON: Password or Local OSAuthentication

--這裡的驗證方式發生改變，這裡顯示的額資訊表明Listener的安全機制使用了Password方式或者Local OS Authentication方式，在這種狀態下，即使是設定了監聽密碼，對於啟動監聽的user來說，也仍然是不需要任何密碼就可以停止監聽的。

SNMP OFF

Listener Parameter File D:\app\Administrator\product\11.2.0\dbhome_1\network\admin\listener.ora

Listener Log File d:\app\administrator\diag\tnslsnr\DAVIDDAI\listener\alert\log.xml

Listening Endpoints Summary...

(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1521ipc)))

(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=DAVIDDAI)(PORT=1521)))

Services Summary...

Service "CLRExtProc" has 1instance(s).

Instance "CLRExtProc", status UNKNOWN, has 1 handler(s) forthis service...

Service "dave" has 1 instance(s).

Instance "NEWCCS", status UNKNOWN, has 1 handler(s) for thisservice...

Service "newccs" has 1instance(s).

Instance "newccs", status READY, has 1 handler(s) for thisservice...

Service "newccsXDB" has 1instance(s).

Instance "newccs", status READY, has 1 handler(s) for thisservice...

The command completed successfully

--儲存配置：

LSNRCTL> save_config

Connecting to(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))

Saved LISTENER configuration parameters.

Listener Parameter File D:\app\Administrator\product\11.2.0\dbhome_1\network\admin\listener.ora

Old Parameter File D:\app\Administrator\product\11.2.0\dbhome_1\network\admin\listener.bak

The command completed successfully

--注意這裡，當我們改變密碼之後，在儲存配置時，原listener.ora 檔案儲存了listener.bak. 修改的引數新增到現在的listener.ora 檔案裡。

檢視listener.ora 檔案，多了一個密碼：

#----ADDED BY TNSLSNR 18-DEC-201120:52:38---

PASSWORDS_LISTENER = 1DF5C2FD0FE9CFA2

#--------------------------------------------

2.3 用Listener密碼登陸

預設口令為空.

LSNRCTL> set password

Password:

The command completed successfully

2.4 測試一: 用啟動listener的使用者

C:\Users\Administrator.DavidDai>lsnrctl

LSNRCTL for 32-bit Windows: Version 11.2.0.1.0- Production on 18-DEC-2011 21:13:42

Welcome to LSNRCTL, type "help"for information.

LSNRCTL> set current_listener listener

Current Listener is listener

LSNRCTL> stop

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))

The command completed successfully

LSNRCTL> start

Starting tnslsnr: please wait...

TNSLSNR for 32-bit Windows: Version11.2.0.1.0 - Production

System parameter file isD:\app\Administrator\product\11.2.0\dbhome_1\network\admin\listener.ora

Log messages written tod:\app\administrator\diag\tnslsnr\DAVIDDAI\listener\alert\log.xml

Listening on:(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1521ipc)))

Listening on:(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=DAVIDDAI)(PORT=1521)))

Connecting to(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))

STATUS of the LISTENER

------------------------

Alias listener

Version TNSLSNR for 32-bit Windows:Version 11.2.0.1.0 - Production

Start Date 18-DEC-2011 21:15:59

Uptime 0 days 0 hr. 0 min. 5 sec

Trace Level off

Security ON: Password or Local OSAuthentication

SNMP OFF

Listener Parameter File D:\app\Administrator\product\11.2.0\dbhome_1\network\admin\listener.ora

Listener Log File d:\app\administrator\diag\tnslsnr\DAVIDDAI\listener\alert\log.xml

Listening Endpoints Summary...

(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1521ipc)))

(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=DAVIDDAI)(PORT=1521)))

Services Summary...

Service "CLRExtProc" has 1instance(s).

Instance "CLRExtProc", status UNKNOWN, has 1 handler(s) forthis service...

Service "dave" has 1 instance(s).

Instance "NEWCCS", status UNKNOWN, has 1 handler(s) for thisservice...

The command completed successfully

LSNRCTL>

通過以上測試，對於啟動listener的使用者，不需要密碼。

2.5. 設定 LOCAL_OS_AUTHENTICATION 引數

OS 認證是Oracle 10g裡推出的，所以我這裡直接禁用掉OS認證，這樣只要密碼檔案存在，所有操作都需要set password。

在listener.ora 檔案裡新增如下引數：

LOCAL_OS_AUTHENTICATION_[listenername]=OFF

--開始測試：

C:\Users\Administrator.DavidDai>lsnrctlreload listener

LSNRCTL for 32-bit Windows: Version11.2.0.1.0 - Production on 18-DEC-2011 21:41:10

Connecting to(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))

The command completed successfully

C:\Users\Administrator.DavidDai>lsnrctlstatus

LSNRCTL for 32-bit Windows: Version11.2.0.1.0 - Production on 18-DEC-2011 21:41:21

Connecting to(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))

TNS-01169: The listenerhas not recognized the password

這裡就需要我們輸入密碼了。

C:\Users\Administrator.DavidDai>lsnrctl

LSNRCTL for 32-bit Windows: Version11.2.0.1.0 - Production on 18-DEC-2011 21:41:55

Welcome to LSNRCTL, type "help"for information.

LSNRCTL> set current_listener listener

Current Listener is listener

LSNRCTL> status

Connecting to(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))

TNS-01169: The listener has not recognizedthe password

LSNRCTL> set password

--設定密碼後，操作成功

Password:

The command completed successfully

LSNRCTL> status

Connecting to(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))

STATUS of the LISTENER

------------------------

Alias listener

Version TNSLSNR for 32-bit Windows: Version11.2.0.1.0 - Production

Start Date 18-DEC-2011 21:15:59

Uptime 0 days 0 hr. 26 min. 22 sec

Trace Level off

Security ON: Password

SNMP OFF

Listener Parameter File D:\app\Administrator\product\11.2.0\dbhome_1\network\admin\listener.ora

Listener Log File d:\app\administrator\diag\tnslsnr\DAVIDDAI\listener\alert\log.xml

Listening Endpoints Summary...

(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1521ipc)))

(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=DAVIDDAI)(PORT=1521)))

Services Summary...

Service "CLRExtProc" has 1instance(s).

Instance "CLRExtProc", status UNKNOWN, has 1 handler(s) forthis service...

Service "dave" has 1 instance(s).

Instance "NEWCCS", status UNKNOWN, has 1 handler(s) for thisservice...

Service "newccs" has 1instance(s).

Instance "newccs", status READY, has 1 handler(s) for thisservice...

Service "newccsXDB" has 1instance(s).

Instance"newccs", status READY, has 1 handler(s) for this service...

The command completed successfully

LSNRCTL>

2.7 移除密碼

如果監聽已啟動，密碼忘記了，直接修改listener.ora檔案是沒用的，因為那個檔案在監聽啟動後甚至可以刪除，所以可以先在作業系統中kill掉系統程式，然後在listener.ora檔案中移除PASSWORDS_LISTENER引數，再啟動監聽密碼恢復為空。

小結：

在Oracle 10g 以後已經不推薦對listener 設定密碼了，所以這裡僅做為一個知識點了解一下。

來自 “ ITPUB部落格 ” ，連結：http://blog.itpub.net/24996904/viewspace-1164612/，如需轉載，請註明出處，否則將追究法律責任。

Oracle Listener設定密碼示例說明