Class of Secure Transport (COST): Testing the Restriction of Instance Registration


1. I have a two-node RAC environment here.

2. First, with neither node 1 nor node 2 patched, let's look at the behaviour:

[[email protected] ~]$ /u01/app/11.2.0/grid/OPatch/opatch lsinventory

Invoking OPatch 11.2.0.1.7

Oracle Interim Patch Installer version 11.2.0.1.7

Copyright (c) 2011, Oracle Corporation. All rights reserved.

Oracle Home : /u01/app/11.2.0/grid

Central Inventory : /u01/app/oraInventory

from : /etc/oraInst.loc

OPatch version : 11.2.0.1.7

OUI version : 11.2.0.3.0

Log file location : /u01/app/11.2.0/grid/cfgtoollogs/opatch/opatch2015-09-10_06-27-03AM.log

Lsinventory Output file location : /u01/app/11.2.0/grid/cfgtoollogs/opatch/lsinv/lsinventory2015-09-10_06-27-03AM.txt

--------------------------------------------------------------------------------

Installed Top-level Products (1):

Oracle Grid Infrastructure 11.2.0.3.0

There are 1 products installed in this Oracle Home.

There are no Interim patches installed in this Oracle Home.

Rac system comprising of multiple nodes

Local node = nascds11

Remote node = nascds10

--------------------------------------------------------------------------------

OPatch succeeded.

[[email protected] ~]$

3.1 Under normal conditions, the instances registered with the local listener (LOCAL_LISTENER):

[[email protected] ~]$ lsnrctl status

LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 10-SEP-2015 06:28:55

Copyright (c) 1991, 2011, Oracle. All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER)))

STATUS of the LISTENER

------------------------

Alias LISTENER

Version TNSLSNR for Linux: Version 11.2.0.3.0 - Production

Start Date 01-SEP-2015 08:48:15

Uptime 8 days 21 hr. 40 min. 40 sec

Trace Level off

Security ON: Local OS Authentication

SNMP OFF

Listener Parameter File /u01/app/11.2.0/grid/network/admin/listener.ora

Listener Log File /u01/app/grid/diag/tnslsnr/nascds11/listener/alert/log.xml

Listening Endpoints Summary...

(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=LISTENER)))

(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.182.208.35)(PORT=1521)))

(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.182.208.33)(PORT=1521)))

Services Summary...

Service "+ASM" has 1 instance(s).

Instance "+ASM2", status READY, has 1 handler(s) for this service...

Service "ora11g" has 1 instance(s).

Instance "ora11g2", status READY, has 1 handler(s) for this service...

The command completed successfully

[[email protected] ~]$

3.2 Under normal conditions, the information in the SCAN listener:

[[email protected] ~]$ lsnrctl status listener_scan1

LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 10-SEP-2015 06:30:38

Copyright (c) 1991, 2011, Oracle. All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1)))

STATUS of the LISTENER

------------------------

Alias LISTENER_SCAN1

Version TNSLSNR for Linux: Version 11.2.0.3.0 - Production

Start Date 10-SEP-2015 06:24:45

Uptime 0 days 0 hr. 5 min. 53 sec

Trace Level off

Security ON: Local OS Authentication

SNMP OFF

Listener Parameter File /u01/app/11.2.0/grid/network/admin/listener.ora

Listener Log File /u01/app/11.2.0/grid/log/diag/tnslsnr/nascds11/listener_scan1/alert/log.xml

Listening Endpoints Summary...

(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=LISTENER_SCAN1)))

(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.182.208.29)(PORT=1521)))

Services Summary...

Service "ora11g" has 2 instance(s).

Instance "ora11g1", status READY, has 2 handler(s) for this service...

Instance "ora11g2", status READY, has 2 handler(s) for this service...

The command completed successfully

[[email protected] ~]$

4. We try the so-called "poisoning" operation against the listener:

From another database server on the same subnet, I register a single-instance database with this listener:

4.1 First we "poison" the SCAN listener:

SQL>

SQL> alter system set remote_listener='(ADDRESS=(PROTOCOL=tcp)(HOST=10.182.208.29)(PORT=1521))' scope=memory;

System altered.

SQL> alter system register;

System altered.

4.2 Now look at the status of the listener:

[[email protected] ~]$ lsnrctl status listener_scan1

LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 10-SEP-2015 06:33:38

Copyright (c) 1991, 2011, Oracle. All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1)))

STATUS of the LISTENER

------------------------

Alias LISTENER_SCAN1

Version TNSLSNR for Linux: Version 11.2.0.3.0 - Production

Start Date 10-SEP-2015 06:24:45

Uptime 0 days 0 hr. 8 min. 53 sec

Trace Level off

Security ON: Local OS Authentication

SNMP OFF

Listener Parameter File /u01/app/11.2.0/grid/network/admin/listener.ora

Listener Log File /u01/app/11.2.0/grid/log/diag/tnslsnr/nascds11/listener_scan1/alert/log.xml

Listening Endpoints Summary...

(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=LISTENER_SCAN1)))

(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.182.208.29)(PORT=1521)))

Services Summary...

Service "R10205" has 1 instance(s).

Instance "R10205", status READY, has 1 handler(s) for this service... <<<====================== At this point we see that the single instance R10205 has registered with the SCAN listener of the RAC environment

Service "R10205XDB" has 1 instance(s).

Instance "R10205", status READY, has 1 handler(s) for this service...

Service "R10205_XPT" has 1 instance(s).

Instance "R10205", status READY, has 1 handler(s) for this service...

Service "ora11g" has 2 instance(s).

Instance "ora11g1", status READY, has 2 handler(s) for this service...

Instance "ora11g2", status READY, has 2 handler(s) for this service...

The command completed successfully

[[email protected] ~]$

4.3 We try the "poisoning" test against the local listener:

SQL> alter system set remote_listener='(ADDRESS=(PROTOCOL=tcp)(HOST=10.182.208.32)(PORT=1521))' scope=memory;

System altered.

SQL> alter system register;

System altered.

[[email protected] ~]$ lsnrctl status

LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 10-SEP-2015 06:37:01

Copyright (c) 1991, 2011, Oracle. All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER)))

STATUS of the LISTENER

------------------------

Alias LISTENER

Version TNSLSNR for Linux: Version 11.2.0.3.0 - Production

Start Date 01-SEP-2015 08:48:15

Uptime 8 days 21 hr. 48 min. 46 sec

Trace Level off

Security ON: Local OS Authentication

SNMP OFF

Listener Parameter File /u01/app/11.2.0/grid/network/admin/listener.ora

Listener Log File /u01/app/grid/diag/tnslsnr/nascds11/listener/alert/log.xml

Listening Endpoints Summary...

(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=LISTENER)))

(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.182.208.35)(PORT=1521)))

(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.182.208.33)(PORT=1521)))

Services Summary...

Service "+ASM" has 1 instance(s).

Instance "+ASM2", status READY, has 1 handler(s) for this service...

Service "R10205" has 1 instance(s).

Instance "R10205", status READY, has 1 handler(s) for this service... <<====================== At this point we see that the single instance R10205 has registered with the local listener of the RAC environment

Service "R10205XDB" has 1 instance(s).

Instance "R10205", status READY, has 1 handler(s) for this service...

Service "R10205_XPT" has 1 instance(s).

Instance "R10205", status READY, has 1 handler(s) for this service...

Service "ora11g" has 1 instance(s).

Instance "ora11g2", status READY, has 1 handler(s) for this service...

The command completed successfully

[[email protected] ~]$

Up to this point we have seen what so-called "poisoning" is and how it is carried out.

Next we look at how to prevent this problem:

5. First, we need to download patch 12880299 and apply it to both the GI home and the RDBMS home, as follows

(We do not cover how to apply the patch; the patching steps are skipped.)

GI:

[[email protected] OPatch]$ ./opatch lsinventory

Invoking OPatch 11.2.0.1.7

Oracle Interim Patch Installer version 11.2.0.1.7

Copyright (c) 2011, Oracle Corporation. All rights reserved.

Oracle Home : /u01/app/11.2.0/grid

Central Inventory : /u01/app/oraInventory

from : /etc/oraInst.loc

OPatch version : 11.2.0.1.7

OUI version : 11.2.0.3.0

Log file location : /u01/app/11.2.0/grid/cfgtoollogs/opatch/opatch2015-09-10_06-45-01AM.log

Lsinventory Output file location : /u01/app/11.2.0/grid/cfgtoollogs/opatch/lsinv/lsinventory2015-09-10_06-45-01AM.txt

--------------------------------------------------------------------------------

Installed Top-level Products (1):

Oracle Grid Infrastructure 11.2.0.3.0

There are 1 products installed in this Oracle Home.

Interim patches (1) :

Patch 12880299 : applied on Thu Sep 10 03:07:58 CST 2015

Unique Patch ID: 14821502

Created on 4 May 2012, 04:17:20 hrs PST8PDT

Bugs fixed:

12880299

Rac system comprising of multiple nodes

Local node = nascds10

Remote node = nascds11

--------------------------------------------------------------------------------

OPatch succeeded.

[[email protected] OPatch]$

RDBMS:

[[email protected] OPatch]$ ./opatch lsinventory

Invoking OPatch 11.2.0.1.7

Oracle Interim Patch Installer version 11.2.0.1.7

Copyright (c) 2011, Oracle Corporation. All rights reserved.

Oracle Home : /u01/app/oracle/product/11.2.0/db_1

Central Inventory : /u01/app/oraInventory

from : /etc/oraInst.loc

OPatch version : 11.2.0.1.7

OUI version : 11.2.0.3.0

Log file location : /u01/app/oracle/product/11.2.0/db_1/cfgtoollogs/opatch/opatch2015-09-10_06-52-02AM.log

Lsinventory Output file location : /u01/app/oracle/product/11.2.0/db_1/cfgtoollogs/opatch/lsinv/lsinventory2015-09-10_06-52-02AM.txt

--------------------------------------------------------------------------------

Installed Top-level Products (1):

Oracle Database 11g 11.2.0.3.0

There are 1 products installed in this Oracle Home.

Interim patches (1) :

Patch 12880299 : applied on Thu Sep 10 03:10:14 CST 2015

Unique Patch ID: 14821502

Created on 4 May 2012, 04:17:20 hrs PST8PDT

Bugs fixed:

12880299

Rac system comprising of multiple nodes

Local node = nascds10

Remote node = nascds11

--------------------------------------------------------------------------------

6. Then open the listener.ora file and add the following:

SECURE_REGISTER_LISTENER = (IPC,TCP,TCPS)

SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCP,TCPS)

Note: do not get the listener names wrong. Confirm the listener names with the following command:

ps -ef |grep lsnr

grid 4176 1 0 Sep01 ? 00:01:01 /u01/app/11.2.0/grid/bin/tnslsnr LISTENER -inherit

grid 8086 1 0 06:24 ? 00:00:00 /u01/app/11.2.0/grid/bin/tnslsnr LISTENER_SCAN1 -inherit

Restart the listeners:

lsnrctl stop listener

lsnrctl start listener

lsnrctl stop LISTENER_SCAN1

lsnrctl start LISTENER_SCAN1

7. Test whether the problem is now avoided:

[[email protected] admin]$ lsnrctl status

LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 10-SEP-2015 07:06:15

Copyright (c) 1991, 2011, Oracle. All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER)))

STATUS of the LISTENER

------------------------

Alias listener

Version TNSLSNR for Linux: Version 11.2.0.3.0 - Production

Start Date 10-SEP-2015 03:19:57

Uptime 0 days 3 hr. 46 min. 19 sec

Trace Level off

Security ON: Local OS Authentication

SNMP OFF

Listener Parameter File /u01/app/11.2.0/grid/network/admin/listener.ora

Listener Log File /u01/app/grid/diag/tnslsnr/nascds10/listener/alert/log.xml

Listening Endpoints Summary...

(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=LISTENER)))

(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.182.208.32)(PORT=1521)))

(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.182.208.34)(PORT=1521)))

Services Summary...

Service "+ASM" has 1 instance(s).

Instance "+ASM1", status READY, has 1 handler(s) for this service...

Service "ora11g" has 1 instance(s).

Instance "ora11g1", status READY, has 1 handler(s) for this service...

The command completed successfully

[[email protected] admin]$

SQL> alter system set remote_listener='(ADDRESS=(PROTOCOL=tcp)(HOST=10.182.208.32)(PORT=1521))' scope=memory;

System altered.

SQL> alter system register;

System altered.

SQL>

[[email protected] admin]$ lsnrctl status

LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 10-SEP-2015 07:07:40

Copyright (c) 1991, 2011, Oracle. All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER)))

STATUS of the LISTENER

------------------------

Alias listener

Version TNSLSNR for Linux: Version 11.2.0.3.0 - Production

Start Date 10-SEP-2015 03:19:57

Uptime 0 days 3 hr. 47 min. 45 sec

Trace Level off

Security ON: Local OS Authentication

SNMP OFF

Listener Parameter File /u01/app/11.2.0/grid/network/admin/listener.ora

Listener Log File /u01/app/grid/diag/tnslsnr/nascds10/listener/alert/log.xml

Listening Endpoints Summary...

(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=LISTENER)))

(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.182.208.32)(PORT=1521)))

(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.182.208.34)(PORT=1521)))

Services Summary...

Service "+ASM" has 1 instance(s).

Instance "+ASM1", status READY, has 1 handler(s) for this service...

Service "ora11g" has 1 instance(s).

Instance "ora11g1", status READY, has 1 handler(s) for this service...

The command completed successfully

[[email protected] admin]$

Looking at the listener log, we find the following entries:

10-SEP-2015 07:07:13 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=nascds10.cn.oracle.com)(USER=grid))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=186647296)) * status * 0

10-SEP-2015 07:07:20 * service_register_NSGR * 1194

TNS-01194: The listener command did not arrive in a secure transport

10-SEP-2015 07:07:20 * service_register_NSGR * 1194

TNS-01194: The listener command did not arrive in a secure transport

Thu Sep 10 07:07:25 2015

10-SEP-2015 07:07:25 * service_register_NSGR * 1194

TNS-01194: The listener command did not arrive in a secure transport

Thu Sep 10 07:07:40 2015

10-SEP-2015 07:07:40 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=nascds10.cn.oracle.com)(USER=grid))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=186647296)) * status * 0

Thu Sep 10 07:08:08 2015

10-SEP-2015 07:08:08 * service_register_NSGR * 1194

TNS-01194: The listener command did not arrive in a secure transport

10-SEP-2015 07:08:13 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=nascds10.cn.oracle.com)(USER=grid))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=186647296)) * status * 0

Likewise, we run the test against the SCAN listener:

SQL> alter system set remote_listener='(ADDRESS=(PROTOCOL=tcp)(HOST=10.182.208.29)(PORT=1521))' scope=memory;

System altered.

SQL> alter system register;

System altered.

SQL>

[[email protected] trace]$ lsnrctl status listener_scan1

LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 10-SEP-2015 07:11:35

Copyright (c) 1991, 2011, Oracle. All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1)))

STATUS of the LISTENER

------------------------

Alias LISTENER_SCAN1

Version TNSLSNR for Linux: Version 11.2.0.3.0 - Production

Start Date 10-SEP-2015 07:05:16

Uptime 0 days 0 hr. 6 min. 22 sec

Trace Level off

Security ON: Local OS Authentication

SNMP OFF

Listener Parameter File /u01/app/11.2.0/grid/network/admin/listener.ora

Listener Log File /u01/app/11.2.0/grid/log/diag/tnslsnr/nascds10/listener_scan1/alert/log.xml

Listening Endpoints Summary...

(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=LISTENER_SCAN1)))

(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.182.208.29)(PORT=1521)))

Services Summary...

Service "ora11g" has 2 instance(s).

Instance "ora11g1", status READY, has 2 handler(s) for this service...

Instance "ora11g2", status READY, has 2 handler(s) for this service...

The command completed successfully

Log entries:

10-SEP-2015 07:13:21 * service_register_NSGR * 1194

TNS-01194: The listener command did not arrive in a secure transport

Thu Sep 10 07:13:27 2015

10-SEP-2015 07:13:27 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=nascds10.cn.oracle.com)(USER=grid))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER_SCAN1)(VERSION=186647296)) * status * 0

10-SEP-2015 07:13:31 * service_register_NSGR * 1194

TNS-01194: The listener command did not arrive in a secure transport
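As an added example (not part of the original post), the following Python checks the two things this test turns on: that every running listener found via `ps -ef | grep lsnr` has a matching SECURE_REGISTER_<NAME> entry in listener.ora (step 6), and that the listener log records the refused service_register calls with return code 1194 (step 7). The listener.ora fragment, ps output and log excerpt are constructed from the post's values; the second listener is deliberately left without a COST entry to show the check firing.

```python
import re

# Constructed listener.ora fragment: LISTENER has a COST entry, LISTENER_SCAN1 does not.
LISTENER_ORA = """
LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER))))
SECURE_REGISTER_LISTENER = (IPC,TCP,TCPS)
LISTENER_SCAN1=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1))))
"""

# Constructed `ps -ef | grep lsnr` output, as in step 6 of the post.
PS_OUTPUT = """
grid 4176 1 0 Sep01 ? 00:01:01 /u01/app/11.2.0/grid/bin/tnslsnr LISTENER -inherit
grid 8086 1 0 06:24 ? 00:00:00 /u01/app/11.2.0/grid/bin/tnslsnr LISTENER_SCAN1 -inherit
"""

# Constructed listener log excerpt in the format shown in step 7.
LISTENER_LOG = """
10-SEP-2015 07:07:13 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=nascds10.cn.oracle.com)(USER=grid))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=186647296)) * status * 0
10-SEP-2015 07:07:20 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
Thu Sep 10 07:07:25 2015
10-SEP-2015 07:07:25 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
"""

PS_RE = re.compile(r"/tnslsnr\s+(\S+)")                       # listener name after the binary
COST_RE = re.compile(r"^\s*SECURE_REGISTER_(\S+?)\s*=\s*\(([^)]*)\)", re.I | re.M)
REG_RE = re.compile(r"^(\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* service_register_\w+ \* (\d+)\s*$", re.M)

def listeners_missing_cost(listener_ora, ps_output):
    """Names of running listeners that have no SECURE_REGISTER_<NAME> entry."""
    running = {m.group(1).upper() for m in PS_RE.finditer(ps_output)}
    covered = {m.group(1).upper() for m in COST_RE.finditer(listener_ora)}
    return sorted(running - covered)

def cost_transports(listener_ora):
    """Map listener name -> transports on which registration is accepted."""
    return {m.group(1).upper(): tuple(t.strip().upper() for t in m.group(2).split(","))
            for m in COST_RE.finditer(listener_ora)}

def rejected_registrations(log_text):
    """(timestamp, return code) of every service_register call the listener refused."""
    return [(ts, int(code)) for ts, code in REG_RE.findall(log_text) if code != "0"]

if __name__ == "__main__":
    print("listeners without COST entry:", listeners_missing_cost(LISTENER_ORA, PS_OUTPUT))
    print("COST settings:", cost_transports(LISTENER_ORA))
    print("refused registrations:", rejected_registrations(LISTENER_LOG))
```

Run it against the real listener.ora, `ps` output and listener.log on each node; any listener name returned by `listeners_missing_cost` is one that still accepts registration from any transport.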
