LISTENER.ORA

Use LD_LIBRARY_PATH_64 for Oracle Solaris on SPARC (64-Bit) and x86-64 (64-Bit), LIBPATH for IBM AIX on POWER Systems, and LD_LIBRARY_PATH for the remaining platforms.
LISTENER = (DESCRIPTION_LIST = (DESCRIPTION = (ADDRESS = (PROTOCOL = IPC)(KEY=EXTPROC1521)) (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521)) ) )SID_LIST_LISTENER = (SID_LIST = (SID_DESC = (SID_NAME = mgwextproc) (ENVS = EXTPROC_DLLS=/u01/app/oracle/product/11.2.0.3/lib/libmgwagent.so,LIBPATH=/u01/app/oracle/product/11.2.0.3/jdk/jre/bin:/u01/app/oracle/product/11.2.0.3/jdk/jre/bin/classic:/u01/app/oracle/product/11.2.0.3/lib,MPROTECT_TXT=OFF) (ORACLE_HOME = /u01/app/oracle/product/11.2.0.3) (PROGRAM = extproc) ) )

This example assumes Oracle 12.1.0.2 on AIX

Use LD_LIBRARY_PATH_64 for Oracle Solaris on SPARC (64-Bit) and x86-64 (64-Bit), LIBPATH for IBM AIX on POWER Systems, and LD_LIBRARY_PATH for the remaining platforms.
(SID_DESC = (SID_NAME = mgwextproc) (ENVS = EXTPROC_DLLS=/u01/app/oracle/product/12.1.0.2/lib/libmgwagent.so,LIBPATH=/u01/app/oracle/product/12.1.0.2/jdk/jre/bin:/u01/app/oracle/product/12.1.0.2/jdk/jre/bin/classic:/u01/app/oracle/product/12.1.0.2/lib:/u01/app/oracle/product/12.1.0.2/jdk/jre/lib/ppc64:/u01/app/oracle/product/12.1.0.2/jdk/jre/lib/ppc64/j9vm,MPROTECT_TXT=OFF) (ORACLE_HOME = /u01/app/oracle/product/12.1.0.2) (PROGRAM = extproc) )

This example assumes Oracle 12.2.0.1 on AIX

Use LD_LIBRARY_PATH_64 for Oracle Solaris on SPARC (64-Bit) and x86-64 (64-Bit), LIBPATH for IBM AIX on POWER Systems, and LD_LIBRARY_PATH for the remaining platforms.
(SID_DESC = (SID_NAME = mgwextproc) (ENVS = EXTPROC_DLLS=/u01/app/oracle/product/122010/lib/libmgwagent.so,LIBPATH=/u01/app/oracle/product/122010/jdk/jre/bin:/u01/app/oracle/product/122010/jdk/jre/bin/classic:/u01/app/oracle/product/122010/lib:/u01/app/oracle/product/122010/jdk/jre/lib/ppc64:/u01/app/oracle/product/122010/jdk/jre/lib/ppc64/j9vm,MPROTECT_TXT=OFF) (ORACLE_HOME = /u01/app/oracle/product/122010) (PROGRAM = extproc) )

NOTE: The CIS Oracle Database 19c Benchmark v1.2.0 suggests "extproc" should be removed from the listener.ora. For MGW this needs to be an exception.

Example Data Guard Configuration

Oracle Data Guard

This example assumes Primary and Standby are on the same host for testing purposes (this configuration is not recommended for production databases.
You should update the Listener Name and values of HOST, PORT, SID_NAME and ORACLE_HOME to reflect your environment.
The Data Guard Broker Configuration stanza is only required if you intend to use the Data Guard Broker.
This example assumes DB_DOMAIN is not set. GLOBAL_DBNAME must equal the value of DB_UNIQUE_NAME, an underscore, the string DGMGRL, a period, and the value of DB_DOMAIN.

Primary

LISTENER1 = (DESCRIPTION_LIST = (DESCRIPTION = (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521)) (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521)) ) )SID_LIST_LISTENER1 = (SID_LIST = (SID_DESC = (SID_NAME = ORCL1) (ORACLE_HOME = /u01/app/oracle/product/122010ORCL1) ) # *** Data Guard Broker Configuration START (SID_DESC = (GLOBAL_DBNAME = ORCL1_DGMGRL) (ORACLE_HOME = /u01/app/oracle/product/122010ORCL1) (SID_NAME = ORCL1) ) # *** Data Guard Broker Configuration END )

Standby

LISTENER2 = (DESCRIPTION_LIST = (DESCRIPTION = (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1522)) (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1522)) ) )SID_LIST_LISTENER2 = (SID_LIST = (SID_DESC = (SID_NAME = ORCL2) (ORACLE_HOME = /u01/app/oracle/product/122010ORCL2) ) # *** Data Guard Broker Configuration START (SID_DESC = (GLOBAL_DBNAME = ORCL2_DGMGRL) (ORACLE_HOME = /u01/app/oracle/product/122010ORCL2) (SID_NAME = ORCL2) ) # *** Data Guard Broker Configuration END )

Class of Secure Transport (COST)

Note that for 11.2.0.4 and above you should consider VNCR instead of COST.

Enable COST

To enable cost for IPC...

Ensure a line like this exists in the LISTENER.ORA...

(ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))

Add a line like this to the LISTENER.ORA...

SECURE_REGISTER_LISTENER = (IPC)

COST can restrict registration to the TCP protocol or the IPC protocol (or both). Refer to Note 1453883.1 for full details. This should address CVE-2012-1675.

Replace any TCP address in the database LOCAL_LISTENER parameter with the IPC address used by the listener...

SHOW PARAMETER local_listener

ALTER SYSTEM SET local_listener='(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))' SCOPE=BOTH;

Reload listener config

lsnrctl services listener

lsnrctl reload

lsnrctl services listener

Investigate any differences in services running before and after this change.

With COST enabled attempts to register with the listener using a protocol other than IPC is rejected and an event is logged in the listener log...

TNS-01194: The listener command did not arrive in a secure transport

Test COST

For the purpose of this test... the "Remote" database server is remoteservername and the "Local" database server is localservername.

[Local] Comment out the SECURE_REGISTER_LISTENER line in the LISTENER.ORA (if it exists).

[Remote] add the Listener to be tested to the REMOTE_LISTENER parameter...

sqlplus / as sysdba

SHOW PARAMETER remote_listener;

NAME TYPE VALUE------------------------------------ ----------- --------------------------------------------------------remote_listener string

ALTER SYSTEM SET remote_listener='(ADDRESS=(PROTOCOL=TCP)(HOST=localservername)(PORT=1521))' scope=memory;

SHOW PARAMETER remote_listener;

NAME TYPE VALUE------------------------------------ ----------- ---------------------------------------------------------remote_listener string (ADDRESS=(PROTOCOL=TCP)(HOST=localservername)(PORT=1521))

exit

[Local] You should now see a service handler created for the remotely registered instance...

this is the activity that we need to prevent

lsnrctl

services listener

...Service "REMOTE.dbdomain.com" has 1 instance(s). Instance "REMOTE", status READY, has 1 handler(s) for this service... Handler(s): "DEDICATED" established:0 refused:0 state:ready REMOTE SERVER (ADDRESS=(PROTOCOL=TCP)(HOST=remoteservername.dbdomain.com)(PORT=1521))...

[Local] Uncomment/Add the SECURE_REGISTER_LISTENER line in the LISTENER.ORA file and reload Listener configuration...

there should now be no REMOTE SERVER entries in the Services list

SECURE_REGISTER_LISTENER=(IPC)

lsnrctl

reload listener

services listener

[Remote] Force another registration attempt...

sqlplus / as sysdba

ALTER SYSTEM REGISTER;

System altered.

exit

[Local] Check the listener for service handlers

there should still be no REMOTE SERVER entries in the Services list

lsnrctl

services listener

[Local] Check the listener.log.. there should be TNS-01194 messages... this confirms that the COST restriction is working properly...

...Listener rejected connection from destination 10.170.6.1507-NOV-2017 11:37:35 * service_register_NSGR * 1194TNS-01194: The listener command did not arrive in a secure transport...Note: earlier versions of the database may not show the IP address line.

[Remote] Tidy up...

ALTER SYSTEM SET remote_listener='' SCOPE=MEMORY;

Valid Node Checking for Registration (VNCR)

For 11.2.0.3 and earlier, consider using COST instead

VALID_NODE_CHECKING_REGISTRATION_listener=OFF

Default is OFF in 11g. Default is ON for 12c.

Oracle Errors

See: TNS-01198

OFF

use one of these options to specify valid node checking registration is off, and no checking is performed.

LOCAL

use one of these options to specify valid node checking registration is on, and all local IP addresses can register. If a list of invited nodes is set, then all IP addresses, host names, or subnets in the list as well as local IP addresses are allowed.

SUBNET

use one of these options to specify valid node checking registration is on, and all machines in the local subnets are allowed to register. If a list of invited nodes is set, then all nodes in the local subnets as well as all IP addresses, host names and subnets in the list are allowed.

REGISTRATION_INVITED_NODES_listener=(10.170.6.16,10.170.7.16,19.170.28.228)

To specify the list of nodes that can register with the listener. The list can include host names or CIDR notation for IPv4 and IPv6 addresses. The wildcard format (*) is supported for IPv4 addresses. The presence of a host name in the list results in the inclusion of all IP addresses mapped to the host name. The host name should be consistent with the public network interface.

IP Addressing

If REGISTRATION_INVITED_NODES_listener and REGISTRATION_EXCLUDED_NODES_listener are set, then REGISTRATION_EXCLUDED_NODES_listener is ignored.

Parameters

ADMIN_RESTRICTIONS_listener

This is a CIS Benchmark requirement

ADMIN_RESTRICTIONS_listener=ON

DYNAMIC_REGISTRATION_listener

DYNAMIC_REGISTRATION_listener=off

Disables dynamic listener registration. Also set LOCAL_LISTENER.

INBOUND_CONNECT_TIMEOUT_listener

To specify the time, in seconds, for the client to complete its connect request to the listener after the network connection had been established. (1)

Default: 60 seconds

Example entry...

SQLNET.INBOUND_CONNECT_TIMEOUT_LISTENER=60

Related Errors: ORA-12525

This value is read each time a new connection is made. i.e. you do not need to restart or reload the listener for this to take effect.
A value of 0 signifies an unlimited timeout

SQLNET.ORA

Also consider setting INBOUND_CONNECT_TIMEOUT in SQLNET.ORA.
Oracle recommend setting SQLNET.INBOUND_CONNECT_TIMEOUT slightly higher than INBOUND_CONNECT_TIMEOUT_listener.

REGISTRATION_EXCLUDED_NODES_listener

See Valid Node Checking for Registration (VNCR) section earlier on this page.

REGISTRATION_INVITED_NODES_listener

See Valid Node Checking for Registration (VNCR) section earlier on this page.

SECURE_REGISTER_listener

See Class of Secure Transport (COST) section earlier on this page.

SUBSCRIBE_FOR_NODE_DOWN_EVENT_listener

SUBSCRIBE_FOR_NODE_DOWN_EVENT_listener=OFF

Set to OFF in non-RAC environments only. Relates to ONS. Restart listener for setting to take effect. Avoids this warning in listener.log...WARNING: Subscription for node down event still pending

You need to reload the listener for this change to take effect...

lsnrctl reload listener

VALID_NODE_CHECKING_REGISTRATION_listener

See Valid Node Checking for Registration (VNCR) section earlier on this page.

Bibliography

https://support.oracle.comNon-RAC- How to Disable Automatic or Dynamic Registration of the Database with the Default Listener (Doc ID 130574.1)Non-RAC or Standalone Only: 'WARNING: Subscription for node down event still pending' in Listener Log (Doc ID 372959.1)Using Class of Secure Transport (COST) to Restrict Instance Registration (Doc ID 1453883.1)IPC Explained (Doc ID 29232.1)
https://dba.stackexchange.com/questions/259204/listener-lsnrctl-reload-vs-stop-start
COST/VNCRhttps://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.htmlhttp://seclists.org/fulldisclosure/2012/Apr/204
INBOUND_CONNECT_TIMEOUT_listener(1) https://docs.oracle.com/en/database/oracle/oracle-database/21/netrf/oracle-net-listener-parameters-in-listener-ora.html#GUID-140AC8D3-091C-4129-B2E6-0A4773590C14