Oracle listener poisoning prevention and handling: strengthened listener security mechanisms in Oracle 10g

Applies to:

Oracle Net Services

Information in this document applies to any platform.

Checked for relevance on 8-OCT-2009.

Goal

How to set a password for 10g and newer listeners while leaving the default OS authentication mechanism in place.

In Oracle 10g and newer versions of the listener, the listener is secure out of the box. There should be no need to set a listener password to prohibit privileged LSNRCTL commands from being executed.

Beginning with version 10g, the listener now uses local OS authentication. As long as one runs LSNRCTL privileged commands (stop, status, etc) as the same user who started the listener, that user will be able to fully administer the running listener without providing a password.

This security feature is enabled by default and can be identified at listener startup, or when issuing a LSNRCTL STATUS command, by the following output:

Security ON: Local OS Authentication

If the TNSListener is started as the "oracle" user and the user "sales" attempts to administer the listener, or if "oracle" on a different node attempts to administer the listener, the following error will be returned:

TNS-01190: The user is not authorized to execute the requested listener command

The following commands are all privileged:

SAVE_CONFIG, STOP, TRACE, SPAWN, RELOAD,

SET {LOG_FILE, LOG_STATUS, INBOUND_CONNECT_TIMEOUT, SAVE_CONFIG_STOP_ON, TRC_FILE, TRC_LEVEL, LOG_DIRECTORY, STARTUP_WAITTIME}

SHOW {RULES, TRC_DIRECTORY, LOG_FILE, LOG_STATUS, INBOUND_CONNECT_TIMEOUT, SNMP_VISIBLE, TRC_FILE, TRC_LEVEL, LOG_DIRECTORY, STARTUP_WAITTIME, SAVE_CONFIG_STOP_ON}

Solution

A secondary user is able to administer the listener if a listener password is set and the secondary user knows the password. In this example, "oracle" will set an encrypted password for the listener and the user "sales" will stop the listener.

As the "oracle" user, set and encrypt the listener password:

1) LSNRCTL> set current_listener

2) LSNRCTL> change_password

Old password:

New password: 10glistener  (text is not echoed)

Reenter new password: 10glistener    (text is not echoed)

3) LSNRCTL> save_config

4) LSNRCTL> status

STATUS output will now show:

Security                  ON: Password or Local OS Authentication

As the "sales" user, enter the password to administer the listener:

1) LSNRCTL> set password

Password: 10glistener   (text is not echoed)

2) LSNRCTL> stop
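
To confirm which of the two states above a listener is in, the Security line of the STATUS output can be checked from a script. The following is an added example, not part of the original note or of Oracle's tooling: the function name, the mode labels and the sample STATUS text are constructed here, and the Alias row is assumed to appear in the report as it does in normal LSNRCTL STATUS output.

```shell
#!/bin/sh
# Added example: classify the Security line of `lsnrctl status` output.
# Typical use on a database host:  lsnrctl status | classify_listener_security
# Output is tab-separated: <alias> <mode> <note>

classify_listener_security() {
    awk '
        BEGIN { OFS = "\t" }
        # "Alias" and "Security" are row labels in the STATUS report.
        $1 == "Alias" { alias = $2 }
        $1 == "Security" {
            sub(/^[ \t]*Security[ \t]+/, "")   # drop the label, keep the value
            sub(/[ \t\r]+$/, "")               # trim trailing blanks and CR
            value = $0
        }
        END {
            if (alias == "") alias = "(unknown)"
            if (value == "ON: Local OS Authentication")
                print alias, "os-auth-only", "privileged commands limited to the OS user that started the listener"
            else if (value == "ON: Password or Local OS Authentication")
                print alias, "password-or-os-auth", "any user who knows the listener password can run privileged commands"
            else if (value == "")
                print alias, "no-security-line", "input does not look like STATUS output"
            else
                print alias, "unrecognized", value
        }'
}

# Constructed sample of a STATUS report; $1 is the Security value to embed.
sample_status() {
    printf 'STATUS of the LISTENER\n'
    printf 'Alias                     LISTENER\n'
    printf 'Security                  %s\n' "$1"
    printf 'SNMP                      OFF\n'
}

# Demo on the two states this note describes.
sample_status 'ON: Local OS Authentication' | classify_listener_security
sample_status 'ON: Password or Local OS Authentication' | classify_listener_security
```

A listener reported as password-or-os-auth is one where the password, not only the owning OS account, has to be protected.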