SETUP VNCR IN ORACLE RAC
Link : https://www.dbarj.com.br/en/2014/08/setup-vncr-oracle-rac/
By DBA RJ in Database Security, RAC, ASM & Clusterware
Enabling VNCR (Valid Node Checking for Registration) is a mandatory task that
every DBA should perform when finishing the configuration of a new database, whether it is a
Single Instance or an Oracle RAC. In my opinion, Oracle should already have made this
option enabled by default in new releases.
In times of SQL Poison (Oracle Security Alert CVE-2012-1675), which affects "any"
version of Oracle up to the most current (12c), we cannot risk a compromised
computer inside the network eventually performing a man-in-the-middle attack. So, in this
article, I'll show you how to activate this protection in a RAC.
Remember that VNCR is only available in 11g (from PS 11.2.0.4 onwards) and 12c. In
other versions, this protection can be achieved with an Oracle feature called COST (Class
of Secure Transport). If you run a database version lower than 10.2.0.4, there is no
Oracle tool for it, and the best form of protection is a firewall (iptables, etc.).
For more information about COST, MOS provides step by step guides of how to enable it:
Using Class of Secure Transport (COST) to Restrict Instance Registration (Doc ID
1453883.1)
Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle
RAC (Doc ID 1340831.1)
(In both cases, you must apply the patch for Bug 12880299)
Let's start. In our scenario, we have a 4-node Oracle
RAC: oracbddrjs001, oracbddrjs002, oracbddrjs003, oracbddrjs004.
We will need to edit the listener.ora file inside GRID_HOME of all 4 servers. The path to
the file can be obtained by running "lsnrctl status":
[oracle@oracbddrjs001 ~]$ lsnrctl status
...
Listener Parameter File /u01/app/11.2.4/grid/network/admin/listener.ora
...
[oracle@oracbddrjs001 ~]$
Checking the current content, we have:
[oracle@oracbddrjs001 ~]$ cat /u01/app/11.2.4/grid/network/admin/listener.ora
LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER))))  # line added by Agent
LISTENER_SCAN1=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1))))  # line added by Agent
LISTENER_SCAN2=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN2))))  # line added by Agent
LISTENER_SCAN3=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN3))))  # line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER=ON  # line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER_SCAN1=ON  # line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER_SCAN2=ON  # line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER_SCAN3=ON  # line added by Agent
[oracle@oracbddrjs001 ~]$
What we need to do is add, for each of the 4 listeners (1 local and 3 SCAN), the
parameter VALID_NODE_CHECKING_REGISTRATION_listener_name=ON.
Thus, we add:
VALID_NODE_CHECKING_REGISTRATION_LISTENER=ON
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=ON
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN2=ON
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN3=ON
The ON value means that only locally originated registration requests are accepted.
Therefore, to allow the SCAN listeners to accept registration requests from the other nodes in the cluster, we
must include an exception list of allowed nodes:
REGISTRATION_INVITED_NODES_LISTENER_SCAN1=(oracbddrjs001,oracbddrjs002,oracbddrjs003,oracbddrjs004)
REGISTRATION_INVITED_NODES_LISTENER_SCAN2=(oracbddrjs001,oracbddrjs002,oracbddrjs003,oracbddrjs004)
REGISTRATION_INVITED_NODES_LISTENER_SCAN3=(oracbddrjs001,oracbddrjs002,oracbddrjs003,oracbddrjs004)
PS: Note that the names included here must be the hostnames corresponding to
the public interface of each node.
With those changes, we will have the listeners of our servers as follows:
[oracle@oracbddrjs001 ~]$ cat /u01/app/11.2.4/grid/network/admin/listener.ora
LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER))))  # line added by Agent
LISTENER_SCAN1=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1))))  # line added by Agent
LISTENER_SCAN2=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN2))))  # line added by Agent
LISTENER_SCAN3=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN3))))  # line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER=ON  # line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER_SCAN1=ON  # line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER_SCAN2=ON  # line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER_SCAN3=ON  # line added by Agent
# Enable VNCR
VALID_NODE_CHECKING_REGISTRATION_LISTENER=ON
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=ON
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN2=ON
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN3=ON
REGISTRATION_INVITED_NODES_LISTENER_SCAN1=(oracbddrjs001,oracbddrjs002,oracbddrjs003,oracbddrjs004)
REGISTRATION_INVITED_NODES_LISTENER_SCAN2=(oracbddrjs001,oracbddrjs002,oracbddrjs003,oracbddrjs004)
REGISTRATION_INVITED_NODES_LISTENER_SCAN3=(oracbddrjs001,oracbddrjs002,oracbddrjs003,oracbddrjs004)
[oracle@oracbddrjs001 ~]$
Another approach would have been to change the 3 VALID_NODE_CHECKING_REGISTRATION_listener_name
parameters of the SCAN listeners to SUBNET. This would make the
REGISTRATION_INVITED_NODES_listener_name parameter unnecessary.
However, I do not recommend this approach because, depending on the number of
servers that exist in your cluster's subnet, you could put the cluster at risk if any of those
servers were compromised. The disadvantage of not using the value SUBNET is that
whenever a new node is added to the cluster, every listener.ora must be changed to include
the new host.
Following are the possible values for the VNCR parameters, according to the
MOS note Oracle Net 12c: Valid Node Checking For Registration (VNCR) (Doc ID
1600630.1):
VALID_NODE_CHECKING_REGISTRATION_listener_name
Values:
OFF/0 - Disable VNCR
ON/1/LOCAL - The default. Enable VNCR. All local machine IPs can register.
SUBNET/2 - All machines in the subnet are allowed registration.

REGISTRATION_INVITED_NODES_listener_name
Values are valid IPs, valid hosts, a subnet using CIDR notation (for ip4/6), or wildcard (*)
for ipv4. For example: REGISTRATION_INVITED_NODES_Listener=(net-vm1, 127.98.45.209, 127.42.5.*)
Note that when an INVITED list is set, it will automatically include the machine's local IP
in the list. There is no need to include it.

REGISTRATION_EXCLUDED_NODES_listener_name - the inverse of INVITED_NODES.
Finally, reload all listeners (on each node) to activate the changes made in listener.ora:
Check which ones are running:
[grid@oracbddrjs001 ~]$ lsnrctl status LISTENER
[grid@oracbddrjs001 ~]$ lsnrctl status LISTENER_SCAN1
[grid@oracbddrjs001 ~]$ lsnrctl status LISTENER_SCAN2
[grid@oracbddrjs001 ~]$ lsnrctl status LISTENER_SCAN3
For those that are running on this node, do the reload:
[grid@oracbddrjs001 ~]$ lsnrctl reload LISTENER
[grid@oracbddrjs001 ~]$ lsnrctl reload LISTENER_SCAN3
Okay, now our Oracle RAC is protected from SQL Poison attacks.
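As an added example (not part of the original post or of any Oracle tool), the following script audits a listener.ora against the setup described above: every listener must have VALID_NODE_CHECKING_REGISTRATION set to ON, and every SCAN listener must invite all cluster nodes. The sample listener.ora and the cluster node list are constructed for the example; point parse_listener_ora at the real file from lsnrctl status on each node to check a live cluster.

```python
import re

# Constructed sample listener.ora (not the post's file): the post's four listeners,
# with VNCR deliberately incomplete on LISTENER_SCAN2 (SUBNET) and LISTENER_SCAN3 (unset).
SAMPLE_LISTENER_ORA = """
LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER))))  # line added by Agent
LISTENER_SCAN1=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1))))
LISTENER_SCAN2=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN2))))
LISTENER_SCAN3=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN3))))
# Enable VNCR
VALID_NODE_CHECKING_REGISTRATION_LISTENER=ON
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=ON
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN2=SUBNET
REGISTRATION_INVITED_NODES_LISTENER_SCAN1=(oracbddrjs001,oracbddrjs002,oracbddrjs003,oracbddrjs004)
"""
# Public hostnames of the cluster nodes, as in the post's scenario.
CLUSTER_NODES = {"oracbddrjs001", "oracbddrjs002", "oracbddrjs003", "oracbddrjs004"}

def parse_listener_ora(text):
    """Map NAME -> value for every top-level NAME=value line, with '#' comments stripped."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        match = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if match:
            params[match.group(1).upper()] = match.group(2).strip()
    return params

def listener_names(params):
    """A listener is any parameter whose value is a (DESCRIPTION=...) address block."""
    return sorted(k for k, v in params.items() if v.upper().startswith("(DESCRIPTION"))

def invited_nodes(value):
    """Turn '(host1,host2,...)' into a set of names; empty set if the parameter is unset."""
    return {n.strip() for n in value.strip("()").split(",") if n.strip()}

def audit_vncr(text, cluster_nodes):
    """Return one finding per deviation from the post's recommended VNCR setup."""
    params = parse_listener_ora(text)
    findings = []
    for name in listener_names(params):
        vncr = params.get(f"VALID_NODE_CHECKING_REGISTRATION_{name}", "").upper()
        # ON/1/LOCAL is what the post sets; SUBNET or an unset value is reported.
        if vncr not in ("ON", "1", "LOCAL"):
            findings.append(f"{name}: VNCR is '{vncr or 'unset'}', expected ON")
        # SCAN listeners must invite every cluster node, or remote instances cannot register.
        if "SCAN" in name:
            missing = cluster_nodes - invited_nodes(params.get(f"REGISTRATION_INVITED_NODES_{name}", ""))
            if missing:
                findings.append(f"{name}: REGISTRATION_INVITED_NODES is missing {sorted(missing)}")
    return findings
```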