COST is short for Class of Secure Transports. It is a security control mechanism for instance registration: for a given listener, it restricts which instances may register and over which protocols. This prevents other remote instances from registering maliciously and the risks that follow from it, such as information leakage.
It is enabled by setting the parameter SECURE_REGISTER_listener_name in listener.ora to a transport list (the permitted registration protocols, such as IPC, TCP, TCPS). The feature has been supported since 10.2.0.3 (although the 10g R2 online documentation does not state this explicitly) and remains available in 11.2.0.4 and later. After 11.2.0.4, however, Oracle recommends the default VNCR configuration.
(For details on COST, see the links at the end of this article.)

Below, we test the basic configuration of this feature:

1. I have a two-node RAC environment here.
2. First, with the patch applied on neither node 1 nor node 2, let's look at what happens:
[grid@nascds11 ~]$ /u01/app/11.2.0/grid/OPatch/opatch lsinventory
Invoking OPatch 11.2.0.1.7

Oracle Interim Patch Installer version 11.2.0.1.7
Copyright (c) 2011, Oracle Corporation.  All rights reserved.

Oracle Home       : /u01/app/11.2.0/grid
Central Inventory : /u01/app/oraInventory
   from           : /etc/oraInst.loc
OPatch version    : 11.2.0.1.7
OUI version       : 11.2.0.3.0
Log file location : /u01/app/11.2.0/grid/cfgtoollogs/opatch/opatch2015-09-10_06-27-03AM.log

Lsinventory Output file location : /u01/app/11.2.0/grid/cfgtoollogs/opatch/lsinv/lsinventory2015-09-10_06-27-03AM.txt

--------------------------------------------------------------------------------
Installed Top-level Products (1):

Oracle Grid Infrastructure                                           11.2.0.3.0
There are 1 products installed in this Oracle Home.

There are no Interim patches installed in this Oracle Home.

Rac system comprising of multiple nodes
  Local node = nascds11
  Remote node = nascds10

--------------------------------------------------------------------------------

OPatch succeeded.
[grid@nascds11 ~]$


3. Instances registered with LOCAL_LISTENER under normal conditions:
[grid@nascds11 ~]$ lsnrctl status

LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 10-SEP-2015 06:28:55

Copyright (c) 1991, 2011, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 11.2.0.3.0 - Production
Start Date                01-SEP-2015 08:48:15
Uptime                    8 days 21 hr. 40 min. 40 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /u01/app/11.2.0/grid/network/admin/listener.ora
Listener Log File         /u01/app/grid/diag/tnslsnr/nascds11/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=LISTENER)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.182.208.35)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.182.208.33)(PORT=1521)))
Services Summary...
Service "+ASM" has 1 instance(s).
  Instance "+ASM2", status READY, has 1 handler(s) for this service...
Service "ora11g" has 1 instance(s).
  Instance "ora11g2", status READY, has 1 handler(s) for this service...
The command completed successfully
[grid@nascds11 ~]$

4. Information in the SCAN listener under normal conditions:
[grid@nascds11 ~]$ lsnrctl status listener_scan1

LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 10-SEP-2015 06:30:38

Copyright (c) 1991, 2011, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER_SCAN1
Version                   TNSLSNR for Linux: Version 11.2.0.3.0 - Production
Start Date                10-SEP-2015 06:24:45
Uptime                    0 days 0 hr. 5 min. 53 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /u01/app/11.2.0/grid/network/admin/listener.ora
Listener Log File         /u01/app/11.2.0/grid/log/diag/tnslsnr/nascds11/listener_scan1/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=LISTENER_SCAN1)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.182.208.29)(PORT=1521)))
Services Summary...
Service "ora11g" has 2 instance(s).
  Instance "ora11g1", status READY, has 2 handler(s) for this service...
  Instance "ora11g2", status READY, has 2 handler(s) for this service...
The command completed successfully
[grid@nascds11 ~]$


4. Now we try the so-called "poisoning" of the listener:
From another database server on the same subnet, I register a single instance with this listener:
4.1. First we "poison" the SCAN listener:
SQL> alter system set remote_listener='(ADDRESS=(PROTOCOL=tcp)(HOST=10.182.208.29)(PORT=1521))' scope=memory;

System altered.

SQL> alter system register;

System altered.


4.2. Let's look at the listener status now:
[grid@nascds11 ~]$ lsnrctl status listener_scan1

LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 10-SEP-2015 06:33:38

Copyright (c) 1991, 2011, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER_SCAN1
Version                   TNSLSNR for Linux: Version 11.2.0.3.0 - Production
Start Date                10-SEP-2015 06:24:45
Uptime                    0 days 0 hr. 8 min. 53 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /u01/app/11.2.0/grid/network/admin/listener.ora
Listener Log File         /u01/app/11.2.0/grid/log/diag/tnslsnr/nascds11/listener_scan1/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=LISTENER_SCAN1)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.182.208.29)(PORT=1521)))
Services Summary...
Service "R10205" has 1 instance(s).
  Instance "R10205", status READY, has 1 handler(s) for this service... <<<====================== Here we see that the single instance R10205 has registered with the SCAN listener of the RAC environment
Service "R10205XDB" has 1 instance(s).
  Instance "R10205", status READY, has 1 handler(s) for this service...
Service "R10205_XPT" has 1 instance(s).
  Instance "R10205", status READY, has 1 handler(s) for this service...
Service "ora11g" has 2 instance(s).
  Instance "ora11g1", status READY, has 2 handler(s) for this service...
  Instance "ora11g2", status READY, has 2 handler(s) for this service...
The command completed successfully
[grid@nascds11 ~]$

4.3. We run the "poisoning" test against the local listener:
SQL> alter system set remote_listener='(ADDRESS=(PROTOCOL=tcp)(HOST=10.182.208.32)(PORT=1521))' scope=memory;

System altered.

SQL> alter system register;

System altered.

[grid@nascds11 ~]$ lsnrctl status

LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 10-SEP-2015 06:37:01

Copyright (c) 1991, 2011, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 11.2.0.3.0 - Production
Start Date                01-SEP-2015 08:48:15
Uptime                    8 days 21 hr. 48 min. 46 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /u01/app/11.2.0/grid/network/admin/listener.ora
Listener Log File         /u01/app/grid/diag/tnslsnr/nascds11/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=LISTENER)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.182.208.35)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.182.208.33)(PORT=1521)))
Services Summary...
Service "+ASM" has 1 instance(s).
  Instance "+ASM2", status READY, has 1 handler(s) for this service...
Service "R10205" has 1 instance(s).
  Instance "R10205", status READY, has 1 handler(s) for this service...    <<====================== Here we see that the single instance R10205 has registered with the local listener of the RAC environment
Service "R10205XDB" has 1 instance(s).
  Instance "R10205", status READY, has 1 handler(s) for this service...
Service "R10205_XPT" has 1 instance(s).
  Instance "R10205", status READY, has 1 handler(s) for this service...
Service "ora11g" has 1 instance(s).
  Instance "ora11g2", status READY, has 1 handler(s) for this service...
The command completed successfully
[grid@nascds11 ~]$

Up to this point we have seen what the so-called "poisoning" is and how it is done;
next we look at how to prevent this problem:
5. First, we need to download patch 12880299 and apply it to both the GI and the RDBMS HOME, as follows: (we do not cover how to apply the patch; those steps are skipped)

GI:
[grid@nascds10 OPatch]$ ./opatch lsinventory
Invoking OPatch 11.2.0.1.7

Oracle Interim Patch Installer version 11.2.0.1.7
Copyright (c) 2011, Oracle Corporation.  All rights reserved.

Oracle Home       : /u01/app/11.2.0/grid
Central Inventory : /u01/app/oraInventory
   from           : /etc/oraInst.loc
OPatch version    : 11.2.0.1.7
OUI version       : 11.2.0.3.0
Log file location : /u01/app/11.2.0/grid/cfgtoollogs/opatch/opatch2015-09-10_06-45-01AM.log

Lsinventory Output file location : /u01/app/11.2.0/grid/cfgtoollogs/opatch/lsinv/lsinventory2015-09-10_06-45-01AM.txt

--------------------------------------------------------------------------------
Installed Top-level Products (1):

Oracle Grid Infrastructure                                           11.2.0.3.0
There are 1 products installed in this Oracle Home.

Interim patches (1) :

Patch  12880299     : applied on Thu Sep 10 03:07:58 CST 2015
Unique Patch ID:  14821502
   Created on 4 May 2012, 04:17:20 hrs PST8PDT
   Bugs fixed:
     12880299

Rac system comprising of multiple nodes
  Local node = nascds10
  Remote node = nascds11

--------------------------------------------------------------------------------

OPatch succeeded.
[grid@nascds10 OPatch]$

RDBMS:
[oracle@nascds10 OPatch]$ ./opatch lsinventory

Invoking OPatch 11.2.0.1.7

Oracle Interim Patch Installer version 11.2.0.1.7
Copyright (c) 2011, Oracle Corporation.  All rights reserved.

Oracle Home       : /u01/app/oracle/product/11.2.0/db_1
Central Inventory : /u01/app/oraInventory
   from           : /etc/oraInst.loc
OPatch version    : 11.2.0.1.7
OUI version       : 11.2.0.3.0
Log file location : /u01/app/oracle/product/11.2.0/db_1/cfgtoollogs/opatch/opatch2015-09-10_06-52-02AM.log

Lsinventory Output file location : /u01/app/oracle/product/11.2.0/db_1/cfgtoollogs/opatch/lsinv/lsinventory2015-09-10_06-52-02AM.txt

--------------------------------------------------------------------------------
Installed Top-level Products (1):

Oracle Database 11g                                                  11.2.0.3.0
There are 1 products installed in this Oracle Home.

Interim patches (1) :

Patch  12880299     : applied on Thu Sep 10 03:10:14 CST 2015
Unique Patch ID:  14821502
   Created on 4 May 2012, 04:17:20 hrs PST8PDT
   Bugs fixed:
     12880299

Rac system comprising of multiple nodes
  Local node = nascds10
  Remote node = nascds11

……


(The output of the commands above verifies that the patch was installed.)


6. Open the listener.ora file and add the following:

SECURE_REGISTER_LISTENER = (IPC,TCP,TCPS)
SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCP,TCPS)



-- Note: do not get the listener names wrong; confirm them with the following command:

ps -ef |grep lsnr
grid      4176     1  0 Sep01 ?        00:01:01 /u01/app/11.2.0/grid/bin/tnslsnr LISTENER -inherit
grid      8086     1  0 06:24 ?        00:00:00 /u01/app/11.2.0/grid/bin/tnslsnr LISTENER_SCAN1 -inherit

-- Restart the listeners with the following commands:

lsnrctl stop listener
lsnrctl start listener

lsnrctl stop LISTENER_SCAN1
lsnrctl start LISTENER_SCAN1



7. Check whether the problem can now be avoided:

[grid@nascds10 admin]$ lsnrctl status

LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 10-SEP-2015 07:06:15

Copyright (c) 1991, 2011, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER)))
STATUS of the LISTENER
------------------------
Alias                     listener
Version                   TNSLSNR for Linux: Version 11.2.0.3.0 - Production
Start Date                10-SEP-2015 03:19:57
Uptime                    0 days 3 hr. 46 min. 19 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /u01/app/11.2.0/grid/network/admin/listener.ora
Listener Log File         /u01/app/grid/diag/tnslsnr/nascds10/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=LISTENER)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.182.208.32)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.182.208.34)(PORT=1521)))
Services Summary...
Service "+ASM" has 1 instance(s).
  Instance "+ASM1", status READY, has 1 handler(s) for this service...
Service "ora11g" has 1 instance(s).
  Instance "ora11g1", status READY, has 1 handler(s) for this service...
The command completed successfully
[grid@nascds10 admin]$

SQL> alter system set remote_listener='(ADDRESS=(PROTOCOL=tcp)(HOST=10.182.208.32)(PORT=1521))' scope=memory;

System altered.

SQL> alter system register;

System altered.


[grid@nascds10 admin]$ lsnrctl status

LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 10-SEP-2015 07:07:40

Copyright (c) 1991, 2011, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER)))
STATUS of the LISTENER
------------------------
Alias                     listener
Version                   TNSLSNR for Linux: Version 11.2.0.3.0 - Production
Start Date                10-SEP-2015 03:19:57
Uptime                    0 days 3 hr. 47 min. 45 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /u01/app/11.2.0/grid/network/admin/listener.ora
Listener Log File         /u01/app/grid/diag/tnslsnr/nascds10/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=LISTENER)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.182.208.32)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.182.208.34)(PORT=1521)))
Services Summary...
Service "+ASM" has 1 instance(s).
  Instance "+ASM1", status READY, has 1 handler(s) for this service...
Service "ora11g" has 1 instance(s).
  Instance "ora11g1", status READY, has 1 handler(s) for this service...
The command completed successfully
[grid@nascds10 admin]$

Looking at the listener log, we find the following entries (the registration was refused with TNS-01194 because it did not arrive over a transport in the COST list):

10-SEP-2015 07:07:13 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=nascds10.cn.oracle.com)(USER=grid))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=186647296)) * status * 0
10-SEP-2015 07:07:20 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
10-SEP-2015 07:07:20 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
Thu Sep 10 07:07:25 2015
10-SEP-2015 07:07:25 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
Thu Sep 10 07:07:40 2015
10-SEP-2015 07:07:40 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=nascds10.cn.oracle.com)(USER=grid))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=186647296)) * status * 0
Thu Sep 10 07:08:08 2015
10-SEP-2015 07:08:08 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
10-SEP-2015 07:08:13 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=nascds10.cn.oracle.com)(USER=grid))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=186647296)) * status * 0
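As an added example (not code from the original post), the following shell script audits the two sides of what steps 6 and 7 show: it lists running listeners that have no SECURE_REGISTER_<NAME> entry in listener.ora, and it counts the TNS-01194 rejections that COST writes to the listener log. All file paths and the sample ps, listener.ora and log content are constructed for the demo.

```shell
#!/bin/sh
# Added audit script (not from the original post): checks that every running
# tnslsnr has a SECURE_REGISTER_<NAME> entry in listener.ora, and counts the
# TNS-01194 rejections COST writes to the listener log. All sample data below
# is constructed for the demo; paths are assumptions, not the post's own.

# Print listener names from `ps -ef` output on stdin: the token that follows
# the tnslsnr binary (LISTENER, LISTENER_SCAN1, ...).
listener_names() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /tnslsnr$/) { print $(i+1); break } }'
}

# Exit 0 when listener.ora ($1) has SECURE_REGISTER_<$2> = (...).
# Case-insensitive, since lsnrctl treats listener aliases that way;
# anchoring on "=" keeps LISTENER from matching LISTENER_SCAN1.
cost_configured() {
    grep -Eiq "^[[:space:]]*SECURE_REGISTER_$2[[:space:]]*=[[:space:]]*\(" "$1"
}

# Print the running listeners that have no COST entry in listener.ora ($1).
unprotected_listeners() {
    listener_names | while read -r name; do
        cost_configured "$1" "$name" || echo "$name"
    done
}

# Count registrations the listener refused (TNS-01194) in log file $1.
count_rejected() {
    grep -c 'TNS-01194' "$1" || true
}

# Constructed sample inputs: two listeners running, only LISTENER protected.
WORK=$(mktemp -d)
cat > "$WORK/ps.txt" <<'EOF'
grid      4176     1  0 Sep01 ?        00:01:01 /u01/app/11.2.0/grid/bin/tnslsnr LISTENER -inherit
grid      8086     1  0 06:24 ?        00:00:00 /u01/app/11.2.0/grid/bin/tnslsnr LISTENER_SCAN1 -inherit
EOF
printf 'SECURE_REGISTER_LISTENER = (IPC,TCP,TCPS)\n' > "$WORK/listener.ora"
cat > "$WORK/listener.log" <<'EOF'
10-SEP-2015 07:07:20 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
10-SEP-2015 07:07:25 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
EOF

echo "listeners without COST: $(unprotected_listeners "$WORK/listener.ora" < "$WORK/ps.txt")"
echo "rejected registrations: $(count_rejected "$WORK/listener.log")"
```

On a real node, feed `ps -ef` and the actual listener.ora and listener log paths instead of the constructed files; a listener that appears in the first line of output is one that still accepts remote registration.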

Likewise, we test the SCAN listener:
SQL> alter system set remote_listener='(ADDRESS=(PROTOCOL=tcp)(HOST=10.182.208.29)(PORT=1521))' scope=memory;

System altered.

SQL> alter system register;

System altered.

SQL>

[grid@nascds10 trace]$ lsnrctl status listener_scan1

LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 10-SEP-2015 07:11:35

Copyright (c) 1991, 2011, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER_SCAN1
Version                   TNSLSNR for Linux: Version 11.2.0.3.0 - Production
Start Date                10-SEP-2015 07:05:16
Uptime                    0 days 0 hr. 6 min. 22 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /u01/app/11.2.0/grid/network/admin/listener.ora
Listener Log File         /u01/app/11.2.0/grid/log/diag/tnslsnr/nascds10/listener_scan1/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=LISTENER_SCAN1)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.182.208.29)(PORT=1521)))
Services Summary...
Service "ora11g" has 2 instance(s).
  Instance "ora11g1", status READY, has 2 handler(s) for this service...
  Instance "ora11g2", status READY, has 2 handler(s) for this service...
The command completed successfully

Log entries:
10-SEP-2015 07:13:21 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
Thu Sep 10 07:13:27 2015
10-SEP-2015 07:13:27 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=nascds10.cn.oracle.com)(USER=grid))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER_SCAN1)(VERSION=186647296)) * status * 0
10-SEP-2015 07:13:31 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport

References:
Note: 1453883.1   (Using Class of Secure Transport (COST) to Restrict Instance Registration)
Note: 1340831.1   (Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle RAC)