Oracle 11.2.0.4/12C新特性Valid Node Checking For Registration (VNCR)

一.官方说明

Oracle 11.2.0.4及12.1.0.1以后Net Service发布了一个新的特性:Valid Node Checking For Registration (VNCR)。不过我在自己offline 官方文档中并没有找到该功能的详细说明，MOS上的说明如下:

VNCR is a new feature in Oracle Net 11.2.0.4 and 12c which allows instance registrations to only come from known servers.

The idea is to make the listener secure by allowing registration to succeed only if it originates from a valid node.

The user can specify a list of nodes that can register with the listener.ora, or a list they want to exclude from registering.

This eliminates complex COST setups to ensure malicious servers do not register with a listener.

Just as in validnode checking, both invited/excluded cannot be specified together. If they are, invited nodes take precedence.

This feature in independent of the validnode checking that clients use

通过官方的说法看来，该特性主要用于控制可以成功注册到Listener的Database服务。用户可以合理利用此功能来规避安全漏洞:CVE-2012-1675

该功能在11gR2中默认是处于关闭状态的，但是在12C中默认是打开的。用户需要根据实际的需求进行适当的配置，该功能受listener.ora参数文件中的下列参数控制(将各个参数中的"listener_name"替换为实际的监听名字，例如实际监听为LSNR则第一个参数为:VALID_NODE_CHECKING_REGISTRATION_LSNR):

VALID_NODE_CHECKING_REGISTRATION_listener_name
Values:
OFF/0 - Disable VNCR//禁用VNCR，此功能不会对注册过来的service进行check;
ON/1/LOCAL - The default. Enable VNCR. All local machine IPs can register.//启用VNCR,默认只允许本机的所有IP的服务注册到本监听,可通过REGISTRATION_INVITED_NODES参数添加其他有必要的服务器;
SUBNET/2 - All machines in the subnet are allowed registration.//指定子网内的服务器可以注册过来

REGISTRATION_INVITED_NODES_listener-name