Source: http://blog.csdn.net/smasegain/article/details/46640345
I. Official description
Starting with Oracle 11.2.0.4 and 12.1.0.1, Oracle Net ships a new feature: Valid Node Checking For Registration (VNCR). I could not find a detailed description of it in my offline copy of the official documentation; the description on MOS is as follows:
VNCR is a new feature in Oracle Net 11.2.0.4 and 12c which allows instance registrations to only come from known servers.
The idea is to make the listener secure by allowing registration to succeed only if it originates from a valid node. The user can specify a list of nodes that can register with the listener.ora, or a list they want to exclude from registering. This eliminates complex COST setups to ensure malicious servers do not register with a listener. Just as in validnode checking, both invited/excluded cannot be specified together. If they are, invited nodes take precedence.
This feature is independent of the validnode checking that clients use.
Judging from the official description, this feature mainly controls which database services can successfully register with the listener. It can be used to mitigate the security vulnerability CVE-2012-1675.
In 11gR2 the feature is disabled by default, whereas in 12c it is enabled by default. Configure it according to your actual requirements. The feature is controlled by the following parameters in listener.ora (replace "listener_name" in each parameter with the actual listener name; for example, if the listener is called LSNR, the first parameter is VALID_NODE_CHECKING_REGISTRATION_LSNR):
VALID_NODE_CHECKING_REGISTRATION_listener_name
Values:
OFF/0 - Disable VNCR // disables VNCR; services registering with the listener are not checked at all
ON/1/LOCAL - The default. Enable VNCR. All local machine IPs can register. // enables VNCR; by default only services from the local machine's IPs may register with this listener; other servers that need to register are added with REGISTRATION_INVITED_NODES
SUBNET/2 - All machines in the subnet are allowed registration. // servers in the listener's subnet may register
REGISTRATION_INVITED_NODES_listener_name // controls which nodes are allowed to register; specified by IP address, host name or subnet
Values are valid IPs, valid hosts, a subnet using CIDR notation (for ip4/6), or wildcard (*) for ipv4. For example: REGISTRATION_INVITED_NODES_Listener=(net-vm1, 127.98.45.209, 127.42.5.*)
Note that when an INVITED list is set, it will automatically include the machine's local IP in the list. There is no need to include it.
REGISTRATION_EXCLUDED_NODES_listener_name - the inverse of INVITED_NODES. // nodes that are not allowed to register with this listener; same syntax as REGISTRATION_INVITED_NODES_listener_name. If both parameters are specified, this one is ignored (as stated in the official documentation)
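To make the rules above concrete, here is an added example (not from this post and not Oracle's code) that models the documented VNCR decision in Python: it parses the two listener.ora parameters and decides whether a given source address may register. The listener.ora fragment, the set of local IPs and the host-name mapping for net-vm1 are constructed; the SUBNET branch takes the listener's subnet as an explicit argument because the model has no network interface to read it from.

```python
import ipaddress
import re

# Constructed listener.ora fragment for a listener named LISTENER (not the post's own file)
LISTENER_ORA = """
VALID_NODE_CHECKING_REGISTRATION_LISTENER = ON
REGISTRATION_INVITED_NODES_LISTENER = (net-vm1, 192.168.100.100, 10.1.5.*, 10.2.0.0/16)
"""
LOCAL_IPS = {"192.168.100.110", "127.0.0.1"}  # constructed: the listener host's own addresses
HOSTS = {"net-vm1": "10.9.9.9"}               # constructed stand-in for host-name resolution

def parse_listener_ora(text):
    """Return listener.ora KEY = VALUE pairs, with surrounding parentheses removed."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            params[key.strip().upper()] = value.strip().strip("()")
    return params

def node_matches(entry, ip):
    """True if one INVITED/EXCLUDED entry (host, IP, CIDR or IPv4 wildcard) covers ip."""
    entry = entry.strip()
    if entry in HOSTS:                       # host name: compare against its resolved address
        return str(ip) == HOSTS[entry]
    if "/" in entry:                         # CIDR subnet, IPv4 or IPv6
        return ip in ipaddress.ip_network(entry, strict=False)
    if "*" in entry:                         # IPv4 wildcard such as 10.1.5.*
        pattern = "^" + re.escape(entry).replace(r"\*", r"\d{1,3}") + "$"
        return re.match(pattern, str(ip)) is not None
    return ip == ipaddress.ip_address(entry)

def registration_allowed(params, source, listener="LISTENER", local_ips=LOCAL_IPS, subnet=None):
    """Model of the documented VNCR decision for one service_register request from `source`."""
    mode = params.get(f"VALID_NODE_CHECKING_REGISTRATION_{listener}", "OFF").upper()
    if mode in ("OFF", "0"):
        return True                          # VNCR disabled: every registration is accepted
    ip = ipaddress.ip_address(source)
    if str(ip) in local_ips:
        return True                          # local machine IPs are always implicitly invited
    if mode in ("SUBNET", "2") and subnet and ip in ipaddress.ip_network(subnet, strict=False):
        return True                          # SUBNET mode: the whole listener subnet may register
    invited = params.get(f"REGISTRATION_INVITED_NODES_{listener}")
    excluded = params.get(f"REGISTRATION_EXCLUDED_NODES_{listener}")
    if invited:                              # INVITED takes precedence when both lists are set
        return any(node_matches(e, ip) for e in invited.split(","))
    if excluded:                             # EXCLUDED only: everything not listed is allowed
        return not any(node_matches(e, ip) for e in excluded.split(","))
    return False                             # ON/LOCAL with no lists: remote nodes are rejected

PARAMS = parse_listener_ora(LISTENER_ORA)
```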
II. Test and verification in a single-instance environment
Hosts and databases involved in the test environment:
Item          Host 1            Host 2
Host IP       192.168.100.100   192.168.100.110
Host name     node100           node110
DB version    10.2.0.5          11.2.0.4
Service name  ggsp0             sample11
1. Confirm the listener configuration files on both nodes
node100:
  LISTENER =
    (DESCRIPTION_LIST =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.100.100)(PORT = 1521))
      )
    )
node110:
  LISTENER =
    (DESCRIPTION_LIST =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = IPC)(KEY = Sample11))
        (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.100.110)(PORT = 1521))
      )
    )
  ADR_BASE_LISTENER = /u01/app/oracle
  INBOUND_CONNECT_TIMEOUT_LISTENER=0
2. In both databases, configure the other node's listener as remote_listener
node100:
  alter system set remote_listener='(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.100.110)(PORT=1521)))' scope=memory;
  SQL> show parameter remote_listener
  NAME                                 TYPE        VALUE
  ------------------------------------ ----------- ------------------------------
  remote_listener                      string      (DESCRIPTION=(ADDRESS=(PROTOCO
                                                   L=tcp)(HOST=192.168.100.110)(P
                                                   ORT=1521)))
node110:
  alter system set remote_listener='(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.100.100)(PORT=1521)))' scope=memory;
3. Each listener's log now shows the other node's registration, and the other node's service appears in the listener's service list
  [oracle@node100 admin]$ lsnrctl serivce
  LSNRCTL for Linux: Version 10.2.0.5.0 - Production on 25-JUN-2015 20:57:10
  Copyright (c) 1991, 2010, Oracle. All rights reserved.
  NL-00853: undefined command "serivce". Try "help"
  [oracle@node100 admin]$ lsnrctl service
  LSNRCTL for Linux: Version 10.2.0.5.0 - Production on 25-JUN-2015 20:57:15
  Copyright (c) 1991, 2010, Oracle. All rights reserved.
  Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.100.100)(PORT=1521)))
  Services Summary...
  Service "sample11" has 1 instance(s).
    Instance "sample11", status READY, has 1 handler(s) for this service...
      Handler(s):
        "DEDICATED" established:0 refused:0 state:ready
           REMOTE SERVER
           (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(key=Sample11)))
  Service "sample11XDB" has 1 instance(s).
    Instance "sample11", status READY, has 1 handler(s) for this service...
      Handler(s):
        "D000" established:0 refused:0 current:0 max:1022 state:ready
           DISPATCHER <machine: node110, pid: 4875>
           (ADDRESS=(PROTOCOL=tcp)(HOST=node110)(PORT=39309))
  The command completed successfully
Log entries:
  25-JUN-2015 20:57:07 * service_update * sample11 * 0
4. Add the VNCR parameter to listener.ora: VALID_NODE_CHECKING_REGISTRATION_LISTENER=1. After the parameter is added and the listener reloaded, the listener logs on the two nodes look as follows
node100
  25-JUN-2015 21:03:36 * service_update * sample11 * 0
  25-JUN-2015 21:03:54 * service_update * sample11 * 0
  25-JUN-2015 21:04:09 * service_update * sample11 * 0
  25-JUN-2015 21:04:18 * service_update * sample11 * 0
  25-JUN-2015 21:04:21 * service_update * sample11 * 0
  25-JUN-2015 21:04:36 * service_update * sample11 * 0
node110 (it can already be seen that both nodes can register with their own local listener; the 11g listener rejects the registration coming from the 10g database, but the 10g database does not block remote registrations.)
  25-JUN-2015 21:04:19 * service_register * sample11 * 0
  25-JUN-2015 21:04:21 * service_update * sample11 * 0
  Listener(VNCR option 1) rejected Registration request from destination 192.168.100.100
  25-JUN-2015 21:04:29 * service_register_NSGR * 1182
  TNS-01182: Listener rejected registration of service ""
  [oracle@node110 admin]$ lsnrctl status
  LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 25-JUN-2015 21:04:59
  Copyright (c) 1991, 2013, Oracle. All rights reserved.
  Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=Sample11)))
  STATUS of the LISTENER
  ------------------------
  Alias                     LISTENER
  Version                   TNSLSNR for Linux: Version 11.2.0.4.0 - Production
  Start Date                25-JUN-2015 16:27:06
  Uptime                    0 days 4 hr. 37 min. 52 sec
  Trace Level               off
  Security                  ON: Local OS Authentication
  SNMP                      OFF
  Listener Parameter File   /u01/app/oracle/product/11.2.0/db_1/network/admin/listener.ora
  Listener Log File         /u01/app/oracle/diag/tnslsnr/node110/listener/alert/log.xml
  Listening Endpoints Summary...
    (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=Sample11)))
    (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.100.110)(PORT=1521)))
  Services Summary...
  Service "sample11" has 1 instance(s).
    Instance "sample11", status READY, has 1 handler(s) for this service...
  Service "sample11XDB" has 1 instance(s).
    Instance "sample11", status READY, has 1 handler(s) for this service...
  The command completed successfully
5. Specify an exception node: add REGISTRATION_INVITED_NODES_LISTENER=(192.168.100.100) to the 11g database's listener configuration file. After restarting the listener, the 10g database can register again:
  25-JUN-2015 21:10:23 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=node110)(USER=oracle))(COMMAND=reload)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=186647552)) * reload * 0
  25-JUN-2015 21:10:25 * service_register * sample11 * 0
  25-JUN-2015 21:10:28 * service_update * sample11 * 0
  25-JUN-2015 21:10:28 * service_register * ggsp0 * 0
  Thu Jun 25 21:10:40 2015
  25-JUN-2015 21:10:40 * service_update * sample11 * 0
6. The SUBNET setting was not demonstrated in this test.
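The log entries in steps 4 and 5 are what a listener monitor should key on. As an added detection example (not from this post), the Python below scans constructed listener log lines modelled on those entries: it counts VNCR rejections per source address and flags any service_register for a service name that is not on the expected list, which is what a rogue registration looks like on a listener where VNCR is still OFF. The log excerpt and the expected-service set are constructed.

```python
import re
from collections import Counter

# Constructed listener alert-log excerpt modelled on the entries shown in this post
LOG_LINES = """\
25-JUN-2015 21:04:19 * service_register * sample11 * 0
25-JUN-2015 21:04:21 * service_update * sample11 * 0
Listener(VNCR option 1) rejected Registration request from destination 192.168.100.100
25-JUN-2015 21:04:29 * service_register_NSGR * 1182
TNS-01182: Listener rejected registration of service ""
25-JUN-2015 21:10:28 * service_register * ggsp0 * 0
25-JUN-2015 21:11:02 * service_register * sample11 * 0
""".splitlines()

# VNCR rejection line: capture the option value and the rejected source address
REJECT_RE = re.compile(
    r"Listener\(VNCR option (\d)\) rejected Registration request from destination (\S+)")
# Successful registration line: timestamp, service name and return code
REGISTER_RE = re.compile(r"^(\S+ \S+) \* service_register \* (\S+) \* (\d+)$")

def audit_registrations(lines, expected_services):
    """Summarise registration activity in listener log lines.

    Returns the VNCR-rejected source addresses with their counts, and every
    service_register whose service name is not in expected_services (the
    signature of an unexpected instance registering with this listener)."""
    rejected = Counter()
    unexpected = []
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            rejected[m.group(2)] += 1
            continue
        m = REGISTER_RE.match(line)
        if m and m.group(2) not in expected_services:
            unexpected.append((m.group(1), m.group(2)))
    return {"rejected": dict(rejected), "unexpected": unexpected}
```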
III. Configuration in a RAC environment
In a RAC environment, VNCR can be used to ensure that only the nodes of this cluster can register with the relevant listeners. The MOS description of the default configuration is as follows:
  On 12.1 RAC databases, the parameter VALID_NODE_CHECKING_REGISTRATION_listener_name for both local and scan listeners is set by default to SUBNET/2 i.e. all machines in the subnet are allowed registration. This is done in order to allow registration to the local listeners and scan listeners from the instances on the other nodes of the RAC.
  On 11.2.0.4 RAC databases, the parameter VALID_NODE_CHECKING_REGISTRATION_listener_name is set to off.
As can be seen, 11g RAC does not enable VNCR by default, whereas 12c restricts registration by subnet. To limit registration to only the database instances of this cluster, follow these steps:
On an 11.2.0.4 cluster, add the following parameters to the listener configuration:
  VALID_NODE_CHECKING_REGISTRATION_LISTENER=1
  VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=1
  REGISTRATION_INVITED_NODES_LISTENER_SCAN1=(<list of public ip's of all nodes>)
  VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN2=1
  REGISTRATION_INVITED_NODES_LISTENER_SCAN2=(<list of public ip's of all nodes>)
  VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN3=1
  REGISTRATION_INVITED_NODES_LISTENER_SCAN3=(<list of public ip's of all nodes>)
In 12c the listener configuration files are generated and maintained by the Grid agent, so the configuration must be done with srvctl; the syntax is as follows (invitednodes/invitedsubnets are not available in 11g):
IV. New parameter in 12c
MOS mentions a new parameter that likewise exists to further strengthen VNCR. The official description is as follows:
// all non-compliant registration connections are redirected to the HAIP
  Starting with 12c a new parameter is available, REMOTE_REGISTRATION_ADDRESS_<listener_name>. This parameter is configured internally in the SCAN listener to restrict registrations to the private network. The registration endpoint is on a private network within the cluster. All remote registration requests coming in on normal listening endpoints are redirected to the registration endpoint. Any system which is not a part of the cluster cannot connect to the endpoint.
  The value of this parameter should not be modified or specified explicitly. The only supported explicit setting is for turning this feature off by setting the value to OFF. The value is OFF in non-SCAN listeners.
  You can check its value by running:
    lsnrctl show remote_registration_address <scan name>:<scan listener port>
  All the instances registration requests will be redirected to this private endpoint and only the instances from the same cluster will be able to register with the scan listeners. This is the alternative for VNCR settings on local listeners.
  NOTE: In 12.1.0.2, the GI agent sets the remote_registration_address to HAIP or the private IP address by default. This is true for both local listener and scan_listener.
  The agent turns the remote_registration_address to off if invited_nodes or invited_subnet (VNCR) is set using srvctl.
  The agent also turns the remote_registration_address to off if invited_nodes or invited_subnet (VNCR) information is found in the listener.ora file.
  Both database and the GRID home must be at version 12. If the database is pre 12, the REMOTE_REGISTRATION_ADDRESS will not be set to HAIP.
V. References
NOTE:1914282.1 - How to Enable VNCR on RAC Database to Register only Local Instances
NOTE:1600630.1 - Valid Node Checking For Registration (VNCR)