Class of Secure Transport (COST) fix for TNS Poison

From: Saad Khan <saad4u_at_gmail.com>
Date: Tue, 11 Mar 2014 09:39:40 -0400
Message-ID: <CACqGOPKNojFMrRW1orps3H6q16-M9GdzxWEcj0-PQ_=z=QzOZg_at_mail.gmail.com>



Hi,

We have a 2-node RAC with Oracle Enterprise Edition ver 11.2.0.3

Now, in order to fix the TNS Poison security breach, I'm applying the fix as per Metalink note 1340831.1 and took the following steps:

1) Creation of wallet
2) Add the wallet location to grid home listener.ora.

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/grid/network/admin/cost)
    )
  )
3) Add new commented out parameters in listener.ora

#SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)
#SECURE_REGISTER_LISTENER_SCAN2 = (IPC,TCPS)
#SECURE_REGISTER_LISTENER_SCAN3 = (IPC,TCPS)
4) Using srvctl, modify the SCAN listeners to also include TCPS protocol endpoints, on one node only

% srvctl config scan_listener

OUTPUT:

SCAN Listener LISTENER_SCAN1 exists. Port: TCP:1521
SCAN Listener LISTENER_SCAN2 exists. Port: TCP:1521
SCAN Listener LISTENER_SCAN3 exists. Port: TCP:1521

5) srvctl modify scan_listener -p TCP:1521/TCPS:1523

srvctl stop scan_listener
srvctl start scan_listener

6) -- View the change on both nodes

srvctl config scan_listener

OUTPUT:

SCAN Listener LISTENER_SCAN1 exists. Port: TCP:1521/TCPS:1523
SCAN Listener LISTENER_SCAN2 exists. Port: TCP:1521/TCPS:1523
SCAN Listener LISTENER_SCAN3 exists. Port: TCP:1521/TCPS:1523


7) --Add the wallet location to the sqlnet.ora of each instance home.

% cd $TNS_ADMIN
% vi sqlnet.ora
-- Add following
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/grid/network/admin/cost)
    )
  )

8) Restart all instances on both nodes

9) % srvctl config scan
SCAN name: <hostname.domain>, Network: 1/x.x.x.0/255.255.255.0/en1

SCAN VIP name: scan1, IP: /kronostdb-rac.nshs.edu/x.x.x.125
SCAN VIP name: scan2, IP: /kronostdb-rac.nshs.edu/x.x.x.123
SCAN VIP name: scan3, IP: /kronostdb-rac.nshs.edu/x.x.x.124

Now, as a next step, when I try changing the remote_listener setting with the following sqlplus command as sys:

alter system set
remote_listener='(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=x.x.x..123)(PORT=1523))(ADDRESS=(PROTOCOL=TCPS)(HOST=x.x.x.124)(PORT=1523))(ADDRESS=(PROTOCOL=TCPS)(HOST=x.x.x.125)(PORT=1523)))' scope=both sid='*';

*
ERROR at line 1:

ORA-02097: parameter cannot be modified because specified value is invalid
ORA-00119: invalid specification for system parameter REMOTE_LISTENER
ORA-00130: invalid listener address
'(ADDRESS=(PROTOCOL=TCPS)(HOST=x.x.x.123)(PORT=1523))'
ORA-00130: invalid listener address
'(ADDRESS=(PROTOCOL=TCPS)(HOST=x.x.x.124)(PORT=1523))'
ORA-00130: invalid listener address
'(ADDRESS=(PROTOCOL=TCPS)(HOST=x.x.x.125)(PORT=1523))'

To me it's a bit surprising, as step 9 shows the config scan has the same IPs in its output.

Has anybody encountered a similar issue? Any clue what I should do to resolve this?

Thanks.

--
http://www.freelists.org/webpage/oracle-l
Received on Tue Mar 11 2014 - 14:39:40 CET
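Added example, not from the post above and not Oracle's own tooling: a small Python validator for the TNS address-descriptor syntax that REMOTE_LISTENER takes. It parses the nested `(KEY=VALUE)` structure, checks that the parentheses balance, and checks that every ADDRESS carries a supported PROTOCOL, a well-formed HOST and a numeric PORT, so a slip such as the doubled dot in a HOST value (as appears in the pasted ALTER SYSTEM command) is caught on the workstation before the statement reaches the database. It is a syntax check only and does not reproduce everything the database validates, so an ORA-00130 can still have other causes. The sample descriptor, the 10.0.0.x addresses and the function names are constructed for this example.

```python
import re

# Constructed sample: three TCPS SCAN endpoints on port 1523, with a deliberately
# malformed HOST (doubled dot) in the first ADDRESS. Not a real configuration.
SAMPLE_REMOTE_LISTENER = (
    "(ADDRESS_LIST="
    "(ADDRESS=(PROTOCOL=TCPS)(HOST=10.0.0..123)(PORT=1523))"
    "(ADDRESS=(PROTOCOL=TCPS)(HOST=10.0.0.124)(PORT=1523))"
    "(ADDRESS=(PROTOCOL=TCPS)(HOST=10.0.0.125)(PORT=1523)))"
)

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# DNS-style labels: 1-63 chars of [A-Za-z0-9-], no leading/trailing hyphen, no empty label.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def _skip_ws(text, pos):
    while pos < len(text) and text[pos].isspace():
        pos += 1
    return pos


def _parse_node(text, pos):
    """Parse one (KEY=VALUE) entry starting at text[pos]; VALUE is a scalar string
    or a list of nested entries. Returns ((key, value), position after ')')."""
    if pos >= len(text) or text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    eq = text.find("=", pos)
    if eq == -1:
        raise ValueError(f"missing '=' after offset {pos}")
    key = text[pos:eq].strip()
    if not key:
        raise ValueError(f"empty key at offset {pos}")
    pos = _skip_ws(text, eq + 1)
    if pos < len(text) and text[pos] == "(":
        children = []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse_node(text, pos)
            children.append(child)
            pos = _skip_ws(text, pos)
        value = children
    else:
        close = text.find(")", pos)
        if close == -1:
            raise ValueError(f"unterminated value for {key} at offset {pos}")
        value = text[pos:close].strip()
        pos = close
    if pos >= len(text) or text[pos] != ")":
        raise ValueError(f"expected ')' closing {key} at offset {pos}")
    return (key, value), pos + 1


def parse_descriptor(text):
    """Parse a whole TNS descriptor; raises ValueError on unbalanced or malformed input."""
    node, pos = _parse_node(text, _skip_ws(text, 0))
    pos = _skip_ws(text, pos)
    if pos != len(text):
        raise ValueError(f"trailing characters at offset {pos}")
    return node


def find_addresses(node):
    """Yield each ADDRESS entry as a dict of its scalar children, upper-cased keys."""
    key, value = node
    if isinstance(value, list):
        if key.upper() == "ADDRESS":
            yield {k.upper(): v for k, v in value if isinstance(v, str)}
        else:
            for child in value:
                yield from find_addresses(child)


def host_is_well_formed(host):
    if IPV4_RE.match(host):
        return all(0 <= int(octet) <= 255 for octet in host.split("."))
    return bool(HOSTNAME_RE.match(host))


def validate_remote_listener(text, allowed_protocols=("TCP", "TCPS", "IPC")):
    """Return a list of problem strings; an empty list means the descriptor looks well-formed."""
    try:
        tree = parse_descriptor(text)
    except ValueError as exc:
        return [f"syntax: {exc}"]
    problems = []
    addresses = list(find_addresses(tree))
    if not addresses:
        problems.append("no ADDRESS entries found")
    for i, addr in enumerate(addresses, 1):
        proto = addr.get("PROTOCOL", "").upper()
        if proto not in allowed_protocols:
            problems.append(f"address {i}: unsupported PROTOCOL {proto!r}")
        if proto == "IPC":
            continue  # IPC addresses use KEY, not HOST/PORT
        host = addr.get("HOST")
        if host is None:
            problems.append(f"address {i}: missing HOST")
        elif not host_is_well_formed(host):
            problems.append(f"address {i}: malformed HOST {host!r}")
        port = addr.get("PORT")
        if port is None or not port.isdigit() or not 1 <= int(port) <= 65535:
            problems.append(f"address {i}: invalid PORT {port!r}")
    return problems


if __name__ == "__main__":
    for problem in validate_remote_listener(SAMPLE_REMOTE_LISTENER) or ["descriptor looks well-formed"]:
        print(problem)
```

Run it against the exact string you intend to pass to ALTER SYSTEM (paste it into SAMPLE_REMOTE_LISTENER or call validate_remote_listener from a shell one-liner); an empty result means the descriptor is syntactically sound, and any remaining ORA-00130 then points at something other than the descriptor text, such as how the listener side is configured.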
