LISTENER.ORA
Example Configurations
Example MGW Configuration
This example assumes native Websphere MQ integration
This example assumes Oracle 11.2.0.3 on AIX
LISTENER = (DESCRIPTION_LIST = (DESCRIPTION = (ADDRESS = (PROTOCOL = IPC)(KEY=EXTPROC1521)) (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521)) ) )SID_LIST_LISTENER = (SID_LIST = (SID_DESC = (SID_NAME = mgwextproc) (ENVS = EXTPROC_DLLS=/u01/app/oracle/product/11.2.0.3/lib/libmgwagent.so,LIBPATH=/u01/app/oracle/product/11.2.0.3/jdk/jre/bin:/u01/app/oracle/product/11.2.0.3/jdk/jre/bin/classic:/u01/app/oracle/product/11.2.0.3/lib,MPROTECT_TXT=OFF) (ORACLE_HOME = /u01/app/oracle/product/11.2.0.3) (PROGRAM = extproc) ) )
This example assumes Oracle 12.1.0.2 on AIX
(SID_DESC = (SID_NAME = mgwextproc) (ENVS = EXTPROC_DLLS=/u01/app/oracle/product/12.1.0.2/lib/libmgwagent.so,LIBPATH=/u01/app/oracle/product/12.1.0.2/jdk/jre/bin:/u01/app/oracle/product/12.1.0.2/jdk/jre/bin/classic:/u01/app/oracle/product/12.1.0.2/lib:/u01/app/oracle/product/12.1.0.2/jdk/jre/lib/ppc64:/u01/app/oracle/product/12.1.0.2/jdk/jre/lib/ppc64/j9vm,MPROTECT_TXT=OFF) (ORACLE_HOME = /u01/app/oracle/product/12.1.0.2) (PROGRAM = extproc) )
This example assumes Oracle 12.2.0.1 on AIX
(SID_DESC = (SID_NAME = mgwextproc) (ENVS = EXTPROC_DLLS=/u01/app/oracle/product/122010/lib/libmgwagent.so,LIBPATH=/u01/app/oracle/product/122010/jdk/jre/bin:/u01/app/oracle/product/122010/jdk/jre/bin/classic:/u01/app/oracle/product/122010/lib:/u01/app/oracle/product/122010/jdk/jre/lib/ppc64:/u01/app/oracle/product/122010/jdk/jre/lib/ppc64/j9vm,MPROTECT_TXT=OFF) (ORACLE_HOME = /u01/app/oracle/product/122010) (PROGRAM = extproc) )
Example Data Guard Configuration
This example assumes Primary and Standby are on the same host for testing purposes (this configuration is not recommended for production databases.
You should update the Listener Name and values of HOST, PORT, SID_NAME and ORACLE_HOME to reflect your environment.
The Data Guard Broker Configuration stanza is only required if you intend to use the Data Guard Broker.
This example assumes DB_DOMAIN is not set. GLOBAL_DBNAME must equal the value of DB_UNIQUE_NAME, an underscore, the string DGMGRL, a period, and the value of DB_DOMAIN.
Primary
LISTENER1 = (DESCRIPTION_LIST = (DESCRIPTION = (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521)) (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521)) ) )SID_LIST_LISTENER1 = (SID_LIST = (SID_DESC = (SID_NAME = ORCL1) (ORACLE_HOME = /u01/app/oracle/product/122010ORCL1) ) # *** Data Guard Broker Configuration START (SID_DESC = (GLOBAL_DBNAME = ORCL1_DGMGRL) (ORACLE_HOME = /u01/app/oracle/product/122010ORCL1) (SID_NAME = ORCL1) ) # *** Data Guard Broker Configuration END )Standby
LISTENER2 = (DESCRIPTION_LIST = (DESCRIPTION = (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1522)) (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1522)) ) )SID_LIST_LISTENER2 = (SID_LIST = (SID_DESC = (SID_NAME = ORCL2) (ORACLE_HOME = /u01/app/oracle/product/122010ORCL2) ) # *** Data Guard Broker Configuration START (SID_DESC = (GLOBAL_DBNAME = ORCL2_DGMGRL) (ORACLE_HOME = /u01/app/oracle/product/122010ORCL2) (SID_NAME = ORCL2) ) # *** Data Guard Broker Configuration END )Class of Secure Transport (COST)
Enable COST
To enable cost for IPC...
Ensure a line like this exists in the LISTENER.ORA...
(ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
Add a line like this to the LISTENER.ORA...
SECURE_REGISTER_LISTENER = (IPC)
Replace any TCP address in the database LOCAL_LISTENER parameter with the IPC address used by the listener...
SHOW PARAMETER local_listener
ALTER SYSTEM SET local_listener='(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))' SCOPE=BOTH;
Reload listener config
lsnrctl services listener
lsnrctl reload
lsnrctl services listener
Investigate any differences in services running before and after this change.
With COST enabled attempts to register with the listener using a protocol other than IPC is rejected and an event is logged in the listener log...
TNS-01194: The listener command did not arrive in a secure transport
Test COST
[Local] Comment out the SECURE_REGISTER_LISTENER line in the LISTENER.ORA (if it exists).
[Remote] add the Listener to be tested to the REMOTE_LISTENER parameter...
sqlplus / as sysdba
SHOW PARAMETER remote_listener;
NAME TYPE VALUE------------------------------------ ----------- --------------------------------------------------------remote_listener string
ALTER SYSTEM SET remote_listener='(ADDRESS=(PROTOCOL=TCP)(HOST=localservername)(PORT=1521))' scope=memory;
SHOW PARAMETER remote_listener;
NAME TYPE VALUE------------------------------------ ----------- ---------------------------------------------------------remote_listener string (ADDRESS=(PROTOCOL=TCP)(HOST=localservername)(PORT=1521))
exit
[Local] You should now see a service handler created for the remotely registered instance...
this is the activity that we need to preventlsnrctl
services listener
...Service "REMOTE.dbdomain.com" has 1 instance(s). Instance "REMOTE", status READY, has 1 handler(s) for this service... Handler(s): "DEDICATED" established:0 refused:0 state:ready REMOTE SERVER (ADDRESS=(PROTOCOL=TCP)(HOST=remoteservername.dbdomain.com)(PORT=1521))...
[Local] Uncomment/Add the SECURE_REGISTER_LISTENER line in the LISTENER.ORA file and reload Listener configuration...
there should now be no REMOTE SERVER entries in the Services listSECURE_REGISTER_LISTENER=(IPC)
lsnrctl
reload listener
services listener
[Remote] Force another registration attempt...
sqlplus / as sysdba
ALTER SYSTEM REGISTER;
System altered.exit
[Local] Check the listener for service handlers
there should still be no REMOTE SERVER entries in the Services listlsnrctl
services listener
[Local] Check the listener.log.. there should be TNS-01194 messages... this confirms that the COST restriction is working properly...
...Listener rejected connection from destination 10.170.6.1507-NOV-2017 11:37:35 * service_register_NSGR * 1194TNS-01194: The listener command did not arrive in a secure transport...Note: earlier versions of the database may not show the IP address line.[Remote] Tidy up...
ALTER SYSTEM SET remote_listener='' SCOPE=MEMORY;
Valid Node Checking for Registration (VNCR)
VALID_NODE_CHECKING_REGISTRATION_listener=OFF
Default is OFF in 11g. Default is ON for 12c.0
OFF
use one of these options to specify valid node checking registration is off, and no checking is performed.
1
ON
LOCAL
use one of these options to specify valid node checking registration is on, and all local IP addresses can register. If a list of invited nodes is set, then all IP addresses, host names, or subnets in the list as well as local IP addresses are allowed.
2
SUBNET
use one of these options to specify valid node checking registration is on, and all machines in the local subnets are allowed to register. If a list of invited nodes is set, then all nodes in the local subnets as well as all IP addresses, host names and subnets in the list are allowed.
REGISTRATION_INVITED_NODES_listener=(10.170.6.16,10.170.7.16,19.170.28.228)
To specify the list of nodes that can register with the listener. The list can include host names or CIDR notation for IPv4 and IPv6 addresses. The wildcard format (*) is supported for IPv4 addresses. The presence of a host name in the list results in the inclusion of all IP addresses mapped to the host name. The host name should be consistent with the public network interface.Parameters
ADMIN_RESTRICTIONS_listener
ADMIN_RESTRICTIONS_listener=ON
DYNAMIC_REGISTRATION_listener
DYNAMIC_REGISTRATION_listener=off
Disables dynamic listener registration. Also set LOCAL_LISTENER.To specify the time, in seconds, for the client to complete its connect request to the listener after the network connection had been established. (1)
Default: 60 seconds
Example entry...
SQLNET.INBOUND_CONNECT_TIMEOUT_LISTENER=60
Related Errors: ORA-12525
A value of 0 signifies an unlimited timeout
Oracle recommend setting SQLNET.INBOUND_CONNECT_TIMEOUT slightly higher than INBOUND_CONNECT_TIMEOUT_listener.
REGISTRATION_EXCLUDED_NODES_listener
See Valid Node Checking for Registration (VNCR) section earlier on this page.
REGISTRATION_INVITED_NODES_listener
See Valid Node Checking for Registration (VNCR) section earlier on this page.
SECURE_REGISTER_listener
See Class of Secure Transport (COST) section earlier on this page.
SUBSCRIBE_FOR_NODE_DOWN_EVENT_listener
SUBSCRIBE_FOR_NODE_DOWN_EVENT_listener=OFF
Set to OFF in non-RAC environments only. Relates to ONS. Restart listener for setting to take effect. Avoids this warning in listener.log...WARNING: Subscription for node down event still pendingYou need to reload the listener for this change to take effect...
lsnrctl reload listener
VALID_NODE_CHECKING_REGISTRATION_listener
See Valid Node Checking for Registration (VNCR) section earlier on this page.
Bibliography
https://support.oracle.comNon-RAC- How to Disable Automatic or Dynamic Registration of the Database with the Default Listener (Doc ID 130574.1)Non-RAC or Standalone Only: 'WARNING: Subscription for node down event still pending' in Listener Log (Doc ID 372959.1)Using Class of Secure Transport (COST) to Restrict Instance Registration (Doc ID 1453883.1)IPC Explained (Doc ID 29232.1)
https://dba.stackexchange.com/questions/259204/listener-lsnrctl-reload-vs-stop-start
COST/VNCRhttps://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.htmlhttp://seclists.org/fulldisclosure/2012/Apr/204
INBOUND_CONNECT_TIMEOUT_listener(1) https://docs.oracle.com/en/database/oracle/oracle-database/21/netrf/oracle-net-listener-parameters-in-listener-ora.html#GUID-140AC8D3-091C-4129-B2E6-0A4773590C14