Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle RAC [ID 1340831.1]
Applies to:
Oracle Net Services - Version 10.2.0.3 to 11.2.0.3 [Release 10.2 to 11.2]
Information in this document applies to any platform.
Goal
To demonstrate how the COST parameter SECURE_REGISTER_listener_name is used to restrict instance registration with listeners in RAC environments. With COST restrictions in place, only local and authorized instances holding the appropriate credentials are allowed to register. These instructions can be used to address the issues published in Oracle Security Alert CVE-2012-1675 by using COST to restrict registration connections to only those instances having appropriate credentials.
About COST
The class of secure transports (COST) parameters specify a list of transports that are considered secure for administration and registration of a particular listener. The COST parameters identify which transports are considered secure for that installation and whether the administration of a listener requires secure transports. COST does not affect client connections using other protocols. For more details and for information about the other available COST parameters, see the 11.2 Network Administrator's Guide and Network Reference.
Oracle versions that support COST
Although not documented in the Oracle 10g Network Administrator's Guide, COST parameters and functionality are supported as of 10.2.0.3.
Fix
Topics in this section:
1) Oracle 11.2 RAC - Securing registration with SCAN listeners
2) Oracle 11.2 RAC - Securing ASM and Database registration with the Local (node) listener.
3) Oracle RAC versions prior to 11.2 (10.2.0.3 - 11.1)
1) Oracle RAC 11.2 - Securing registration with Scan listeners
This example environment is a two node 11.2 RAC cluster with three SCAN listeners. COST restrictions will limit registration protocols to TCPS for remotely registering instances and to IPC for the local grid agent. To establish a connection over TCPS, PMON and the listener must perform an SSL handshake.
Steps:
1.1) Using orapki, create a wallet with self-signed certificates that will be shared among the SCAN listeners and the registering instances to make secure SSL connections.
If SSL is being used exclusively for instance registration, then a single shared wallet with a self-signed certificate is all that is needed, and this is the easiest setup to implement. If other SSL features are planned, a unique wallet and certificate may be required for each node. Refer to the Oracle documentation for the SSL requirements of any additional SSL features that will be used and adjust as necessary.
a) Create an Oracle wallet: "ewallet.p12".
The target directory in this example is within the grid home, but the location can be anywhere that is accessible to Oracle.
[oracle@rac1]$ orapki wallet create -wallet /u01/app/11.2.0.2/grid/network/admin/cost
Oracle PKI Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
b) The new wallet will contain a number of trusted certificates that are installed by default. Remove all of these well-known trusted certificates from the wallet.
Oracle PKI Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
c) Create a self-signed certificate that will be stored in the wallet.
Oracle PKI Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
d) View the wallet contents to confirm that it has a single trusted certificate and a single user certificate.
Oracle PKI Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Subject: CN=secure_register
Trusted Certificates:
Subject: CN=secure_register
e) Make copies of the finished wallet (ewallet.p12) and place one on each node in the same directory location: /u01/app/11.2.0.2/grid/network/admin/cost.
f) Using orapki, create a unique obfuscated auto-login file "cwallet.sso" on each node. Both PMON and the listener use the cwallet.sso to establish a secure SSL connection with each other. Once the COST parameters restricting registration to TCPS are enabled, only instances that have access to the wallet and the obfuscated wallet (cwallet.sso) will be able to register with the SCAN listeners.
Creating the cwallet.sso file:
Oracle PKI Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
g) Modify the permissions of the obfuscated wallet (cwallet.sso) to allow usage by authorized group members.
[oracle@rac1]$ ls -al
-rw-r----- 1 oracle oinstall 2493 Jul 11 15:18 cwallet.sso
-rw------- 1 oracle oinstall 2416 Jul 11 15:18 ewallet.p12
Important: Store the wallet password in a safe place. The wallet cannot be re-opened without it.
1.2) Update the grid home listener.ora so that it references the wallet location, and add the COST parameters that will restrict registration. Do this for each node.
Add the wallet location to listener.ora:
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/11.2.0.2/grid/network/admin/cost)
    )
  )
At this time also add the COST registration restrictions for the SCAN listeners to the listener.ora. These parameters should be commented out now and will be enabled later.
#SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)
#SECURE_REGISTER_LISTENER_SCAN2 = (IPC,TCPS)
#SECURE_REGISTER_LISTENER_SCAN3 = (IPC,TCPS)
The finished listener.ora should look like this:
LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER)))) # line added by Agent
LISTENER_SCAN3=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN3)))) # line added by Agent
LISTENER_SCAN2=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN2)))) # line added by Agent
LISTENER_SCAN1=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1)))) # line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER_SCAN1=ON # line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER_SCAN2=ON # line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER_SCAN3=ON # line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER=ON # line added by Agent
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/11.2.0.2/grid/network/admin/cost)
    )
  )
#SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)
#SECURE_REGISTER_LISTENER_SCAN2 = (IPC,TCPS)
#SECURE_REGISTER_LISTENER_SCAN3 = (IPC,TCPS)
1.3) Using srvctl, modify the SCAN listeners to also include TCPS protocol endpoints, then restart the SCAN listeners.
srvctl config scan_listener
SCAN Listener LISTENER_SCAN1 exists. Port: TCP:1521
SCAN Listener LISTENER_SCAN2 exists. Port: TCP:1521
SCAN Listener LISTENER_SCAN3 exists. Port: TCP:1521
srvctl modify scan_listener -p TCP:1521/TCPS:1523
srvctl stop scan_listener
srvctl start scan_listener
srvctl config scan_listener
SCAN Listener LISTENER_SCAN1 exists. Port: TCP:1521/TCPS:1523
SCAN Listener LISTENER_SCAN2 exists. Port: TCP:1521/TCPS:1523
SCAN Listener LISTENER_SCAN3 exists. Port: TCP:1521/TCPS:1523
1.4) Add the wallet location to the sqlnet.ora of each instance home. If no sqlnet.ora exists, create a new file. Registering instances must know the wallet location and have access to it in order to make the required SSL connection with the SCAN listeners.
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/11.2.0.2/grid/network/admin/cost)
    )
  )
Restart each instance after adding the wallet location to sqlnet.ora.
1.5) Modify the instance startup parameters to use the TCPS protocol with remote_listener.
The existing remote_listener value uses an EZConnect string in the form host:port.
SQL*Plus: Release 11.2.0.2.0 Production on Tue Jul 12 16:37:52 2011
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
With the Partitioning, Real Application Clusters, Automatic Storage Management, OLAP,
Data Mining and Real Application Testing options
SQL> show parameter remote_listener
NAME TYPE VALUE
--------------- ----------- ------------------------------
remote_listener string rac-scan:1521
The replacement remote_listener value is an ADDRESS_LIST containing the resolved SCAN listener IP addresses and TCPS ports. The addresses can be listed using srvctl.
[oracle@rac1]$ srvctl config scan
SCAN name: racbde-scan, Network: 1/10.141.154.0/255.255.254.0/eth1
SCAN VIP name: scan1, IP: /rac-scan.us.oracle.com/10.141.155.122
SCAN VIP name: scan2, IP: /rac-scan.us.oracle.com/10.141.155.120
SCAN VIP name: scan3, IP: /rac-scan.us.oracle.com/10.141.155.121
Associate the three IP addresses assigned to the SCAN listeners with the TCPS port that was added in step 1.3, in this case port 1523.
The SCAN addresses are the same for all instances in the cluster, so the remote_listener parameter value can be set from any instance home using the global option sid='*'. This updates the remote_listener value for all instances.
SQL> show parameter remote_listener
NAME TYPE VALUE
-------------- ----------- ------------------------------
remote_listener string (ADDRESS_LIST=(ADDRESS=(PROTOC
L=TCPS)(HOST=10.141.155.121)(
PORT=1523))(ADDRESS=(PROTOCOL=
TCPS)(HOST=10.141.155.122)(POR
T=1523))(ADDRESS=(PROTOCOL=TCP
S)(HOST=10.141.155.120)(PORT=1
523)))
Changing the remote_listener value is a critical stage, as it forces registration over TCPS using the wallets and certificates that were created in earlier steps. It is best to stop here and verify that all instances are registering properly with the SCAN listeners. If not, go back and review each of the previous steps to ensure an item was not overlooked.
If registration using TCP needs to be restored for any reason, it is a simple matter to revert to the previously noted EZConnect address. The following command can be performed from any instance in the cluster and will make the change globally for all instances. Do not do this unless it is your intention to revert to TCP and not enable COST restrictions in the next step.
1.6) Enable the COST parameters restricting instance registration in the grid home listener.ora.
When instance registration over TCPS with the SCAN listeners is working properly, the COST registration rules can be implemented. Edit the grid home listener.ora and remove the comments from the COST restriction parameters that were added in step 1.2.
SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)
SECURE_REGISTER_LISTENER_SCAN2 = (IPC,TCPS)
SECURE_REGISTER_LISTENER_SCAN3 = (IPC,TCPS)
Restart all SCAN listeners to load the new parameters.
[oracle@rac1]$ srvctl stop scan_listener
[oracle@rac1]$ srvctl start scan_listener
With COST enabled, attempts to register with the SCAN listeners using a protocol other than TCPS are rejected and an event is logged in the listener log. Instances must also have the proper SSL credentials in order to connect and register their services.
TNS-01194: The listener command did not arrive in a secure transport
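As an added check that is not part of this note, the following Python script audits a listener.ora for the COST settings described in sections 1 and 3: it reports each listener alias whose SECURE_REGISTER_<alias> parameter is absent or still commented out, which transports each active rule allows, whether WALLET_LOCATION is set, and whether the remote_listener ADDRESS_LIST still contains a non-TCPS address. The sample listener.ora and remote_listener value are constructed from the examples in this note, with one SCAN restriction left commented and one address left on TCP so that the audit has something to flag.

```python
"""Audit an Oracle listener.ora for COST registration restrictions (added example)."""
import re

# Constructed sample: the grid-home listener.ora from step 1.6, but with the
# LISTENER_SCAN1 rule still commented out so the audit has something to flag.
LISTENER_ORA = """
LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER)))) # line added by Agent
LISTENER_SCAN3=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN3)))) # line added by Agent
LISTENER_SCAN2=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN2)))) # line added by Agent
LISTENER_SCAN1=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1)))) # line added by Agent
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /u01/app/11.2.0.2/grid/network/admin/cost)))
#SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)
SECURE_REGISTER_LISTENER_SCAN2 = (IPC,TCPS)
SECURE_REGISTER_LISTENER_SCAN3 = (IPC, TCPS)
"""
# Constructed sample: a remote_listener value where one SCAN address was left on TCP.
REMOTE_LISTENER = ("(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=10.141.155.121)(PORT=1523))"
                   "(ADDRESS=(PROTOCOL=TCPS)(HOST=10.141.155.122)(PORT=1523))"
                   "(ADDRESS=(PROTOCOL=TCP)(HOST=10.141.155.120)(PORT=1521)))")

# A listener alias is "NAME = (DESCRIPTION..." (11.2 one-line or 10.2 multi-line form);
# a COST rule is "SECURE_REGISTER_<alias> = (transport, ...)".
ALIAS_RE = re.compile(r"^\s*(\w+)\s*=\s*\(DESCRIPTION", re.IGNORECASE | re.MULTILINE)
COST_RE = re.compile(r"^\s*SECURE_REGISTER_(\w+)\s*=\s*\(([^)]*)\)", re.IGNORECASE | re.MULTILINE)
WALLET_RE = re.compile(r"^\s*WALLET_LOCATION\s*=", re.IGNORECASE | re.MULTILINE)

def active_text(text):
    """Drop '#' comments, including trailing ones such as '# line added by Agent'."""
    kept = [line.split("#", 1)[0] for line in text.splitlines()]
    return "\n".join(k for k in kept if k.strip())

def audit_listener_ora(text):
    """Map each listener alias to its allowed transports, or None if unrestricted."""
    # A commented-out SECURE_REGISTER line counts as absent: the note keeps the
    # rule commented until registration over TCPS has been shown to work.
    active = active_text(text)
    cost = {m.group(1).upper(): frozenset(p.strip().upper() for p in m.group(2).split(","))
            for m in COST_RE.finditer(active)}
    return {m.group(1).upper(): cost.get(m.group(1).upper()) for m in ALIAS_RE.finditer(active)}

def remote_listener_protocols(value):
    """PROTOCOL of every ADDRESS in a remote_listener ADDRESS_LIST, in order."""
    return [p.upper() for p in re.findall(r"\(PROTOCOL\s*=\s*(\w+)\)", value, re.IGNORECASE)]

def findings(listener_ora, remote_listener, scan_prefix="LISTENER_SCAN"):
    """Report SCAN listeners that still accept TCP registration, plus related gaps."""
    out = []
    for alias, transports in audit_listener_ora(listener_ora).items():
        if not alias.startswith(scan_prefix):
            continue  # the local (node) listener is restricted separately, see section 2
        if transports is None:
            out.append(f"{alias}: no active SECURE_REGISTER_{alias}; registration unrestricted")
        elif "TCP" in transports:
            out.append(f"{alias}: allows plain TCP registration {sorted(transports)}")
    if not WALLET_RE.search(active_text(listener_ora)):
        out.append("WALLET_LOCATION missing: the listener cannot complete the TCPS handshake")
    bad = [p for p in remote_listener_protocols(remote_listener) if p != "TCPS"]
    if bad:
        out.append(f"remote_listener contains {bad}; with COST enabled that registration "
                   "is rejected and TNS-01194 is logged")
    return out
```

Running findings(LISTENER_ORA, REMOTE_LISTENER) on the constructed samples flags LISTENER_SCAN1 as unrestricted and the TCP address in remote_listener; the same functions accept the 10.2 multi-line listener.ora form used in section 3.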
2) Oracle 11.2 RAC - Securing ASM and Database registration with the Local (node) listener.
Steps:
2.1) Obtain and apply the patch for bug:12880299. The patch should be applied to both the grid and rdbms homes on each node in the cluster.
2.2) Add COST IPC and TCP protocol restrictions to the listener.ora on each node.
Edit the grid home listener.ora and add SECURE_REGISTER_LISTENER = (IPC,TCP) to the existing list of scan listener restrictions.
SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)
SECURE_REGISTER_LISTENER_SCAN2 = (IPC,TCPS)
SECURE_REGISTER_LISTENER_SCAN3 = (IPC,TCPS)
SECURE_REGISTER_LISTENER = (IPC,TCP)
2.3) To activate the COST restriction, use srvctl to restart all instance/local listeners. (This action only needs to be performed on one node; all local listeners will restart.)
[oracle@rac1 ~]$ srvctl start listener
3) Oracle RAC versions prior to 11.2 (10.2.0.3 - 11.1)
Steps:
3.1) Using orapki, create a wallet with self-signed certificates that will be shared among the node listeners and the registering instances to make secure SSL connections.
If SSL is being used exclusively for instance registration, then a single shared wallet with a self-signed certificate is all that is needed, and this is the easiest setup to implement. If other SSL features are planned, a unique wallet and certificate may be required for each node. Refer to the Oracle documentation for the SSL requirements of any additional SSL features that will be used and adjust as necessary.
a) Create an Oracle wallet: "ewallet.p12".
The target directory in this example is within the database home, but the location can be anywhere that is accessible to Oracle.
[oracle@rac1]$ orapki wallet create -wallet /u01/app/oracle/product/10.2.0/db_1/network/admin/cost
Enter password:
Enter password again:
b) Create a self-signed certificate that will be stored in the wallet.
Enter wallet password:
c) The new wallet will contain a number of trusted certificates that are installed by default. You can use Oracle Wallet Manager (OWM), a Java tool in $ORACLE_HOME/bin, to remove all other trusted certificates except for the self-signed certificate "CN=secure_register" that was created in step 3.1-b.
Once all the additional trusted certificates have been removed, the finished wallet should look like this:
Enter wallet password:
Requested Certificates:
User Certificates:
Subject: CN=secure_register
Trusted Certificates:
Subject: CN=secure_register
d) Make copies of the finished wallet (ewallet.p12) and place one on each node in the same directory location, i.e., $ORACLE_HOME/network/admin/cost
e) Using orapki, create a unique obfuscated auto-login file "cwallet.sso" on each node. Both PMON and the listener use the cwallet.sso to establish a secure SSL connection with each other. Once the COST parameters restricting remote registration to TCPS are enabled, only instances that have access to the wallet and the obfuscated wallet (cwallet.sso) will be able to remotely register with listeners.
Enter wallet password:
[oracle@rac1]$ ls /u01/app/oracle/product/10.2.0/db_1/network/admin/cost
cwallet.sso ewallet.p12
The wallet is now ready to use, with the files ewallet.p12 and cwallet.sso in $ORACLE_HOME/network/admin/cost.
Important: Store the wallet password in a safe place. The wallet cannot be re-opened without it.
3.2) Obtain and apply the patch for bug:12880299 to all nodes in the cluster.
3.3) Update the listener.ora so that it references the wallet location, add the COST parameters that will restrict registration, and add a listen endpoint for TCPS that PMON will use to send registration updates. Do this in the listener.ora of each node.
The location of the listener.ora that the running listener is using can be identified with LSNRCTL> status.
Before the edit, the listener.ora will look similar to:
LISTENER_RAC1 =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
      (ADDRESS = (PROTOCOL = TCP)(HOST = rac1-vip.us.oracle.com)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.203.210)(PORT = 1521))
    )
  )
a) Add a TCPS address and endpoint to listener.ora. Use the existing node VIP address and any available port for the TCPS endpoint.
LISTENER_RAC1 =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
      (ADDRESS = (PROTOCOL = TCP)(HOST = rac1-vip.us.oracle.com)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = rac1-vip.us.oracle.com)(PORT = 1523))
      (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.203.210)(PORT = 1521))
    )
  )
b) Add the wallet location to listener.ora.
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/product/10.2.0/db_1/network/admin/cost)
    )
  )
c) Add the COST registration restriction for TCP and TCPS to the listener.ora. The parameter should be commented out now and will be enabled later.
A finished listener.ora will look like this:
LISTENER_RAC1 =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
      (ADDRESS = (PROTOCOL = TCP)(HOST = rac1-vip.us.oracle.com)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = rac1-vip.us.oracle.com)(PORT = 1523))
      (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.203.210)(PORT = 1521))
    )
  )
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/product/10.2.0/db_1/network/admin/cost)
    )
  )
#SECURE_REGISTER_LISTENER_RAC1 = (TCP,TCPS)
3.4) After the changes to the listener.ora have been made, stop and restart the listener, then confirm that it has the TCPS listen endpoint that was added along with the previously existing endpoints.
[oracle@rac1]$ srvctl start listener -n rac1
LSNRCTL> status
Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
STATUS of the LISTENER
------------------------
Alias LISTENER_RAC1
...
...
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.203.214)(PORT=1521)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=192.168.203.214)(PORT=1523)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.203.210)(PORT=1521)))
The listener supports no services
The command completed successfully
3.5) Add the wallet location to the sqlnet.ora of each instance home. The sqlnet.ora is read by the instance at startup. Registering instances must know the wallet location and have access to it in order to make the required SSL connection with remote listeners.
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/product/10.2.0/db_1/network/admin/cost)
    )
  )
3.6) Modify the instance startup parameters to use the new TCPS protocol addresses used by all of the node listeners. The instance uses the remote_listener parameter value to locate those addresses.
SQL*Plus: Release 10.2.0.3.0 - Production on Tue May 1 11:12:33 2012
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bit Production
With the Partitioning, Real Application Clusters, OLAP and Data Mining options
SQL> show parameter remote_listener
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
remote_listener string listeners_rac
In this case the database is using the TNS alias "listeners_rac" in tnsnames.ora to store the listener addresses.
Edit the listeners_rac entry in the tnsnames.ora that is being used by the database.
Before edit:
LISTENERS_RAC =
  (ADDRESS_LIST =
    (ADDRESS = (PROTOCOL = TCP)(HOST = rac1-vip.us.oracle.com)(PORT = 1521))
    (ADDRESS = (PROTOCOL = TCP)(HOST = rac2-vip.us.oracle.com)(PORT = 1521))
  )
Comment out the existing TCP addresses and add the new TCPS addresses that will be used for registration.
LISTENERS_RAC =
  (ADDRESS_LIST =
  # (ADDRESS = (PROTOCOL = TCP)(HOST = rac1-vip.us.oracle.com)(PORT = 1521))
  # (ADDRESS = (PROTOCOL = TCP)(HOST = rac2-vip.us.oracle.com)(PORT = 1521))
    (ADDRESS = (PROTOCOL = TCPS)(HOST = rac1-vip.us.oracle.com)(PORT = 1523))
    (ADDRESS = (PROTOCOL = TCPS)(HOST = rac2-vip.us.oracle.com)(PORT = 1523))
  )
The next step is to restart the instance. Before doing that, make note of the current lsnrctl services output on one of the listeners on another node (a remote listener) so that you can compare the results after the restart (they should match). Of particular interest is the remote service handler of the instance you are testing.
srvctl start instance -d rac -i rac2
If the remote service handler output matches the handler output prior to the restart, then TCPS connectivity and secure network registration are functional. Repeat this process until all nodes are successfully registering remotely over TCPS. If the lsnrctl services output is not correct after the restart, go back over the configuration steps to make sure nothing was missed. If there is a need to revert to the previous TCP configuration, just remove the comment from the TCP entries in the listeners_rac TNS alias, comment out the TCPS entries and restart the instance.
3.7) When all instances are properly registering with remote listeners over the TCPS protocol, you are ready to enable COST restrictions.
Remove the comment from the COST restriction entry in each listener.ora and restart the listener.
The fix for BUG:12880299 will be included in Oracle 11.2.0.4.
PSUs that include the fix:
Cumulative Patch Inclusion - DBPSU 10.2.0.5.8 (Released)
Cumulative Patch Inclusion - DBPSU 11.2.0.2.7 (Released)
Cumulative Patch Inclusion - DBPSU 10.2.0.4.13 (Released)
Cumulative Patch Inclusion - DBPSU 11.2.0.3.3 (Released)
Cumulative Patch Inclusion - DBPSU 11.1.0.7.12 (Released)
Windows patch availability for bugfix:12880299
11.2.0.3: 12880299 is included in bundle 6 (Released)
--------
32-bit : Patch 13965210
64-bit : Patch 13965211
11.2.0.2: 12880299 is included in bundle 19 (Released)
--------
32-bit : Patch 14046710
64-bit : Patch 14046711
11.1.0.7: 12880299 is included in bundle 46 (Released)
10.2.0.5: 12880299 is included in bundle 17 (Released)
References
NOTE:1455068.1 - Force Connections to a Specific Database Service When two Identical Services are Registered to CMAN
NOTE:1453883.1 - Using Class of Secure Transport (COST) to Restrict Instance Registration
BUG:12880299 - RAC: TCP HANDLERS BLOCK IF LISTENER REGISTRATION IS RESTRICTED TO IPC W/COST
NOTE:1457854.1 - How To Enable TCPS Support For Oracle Standard Edition
NOTE:1092753.1 - How To Configure Scan Listeners With A TCPS Port?
Last modified: 08-OCT-2012 | Type: HOWTO | Status: PUBLISHED