2012-05-02

SECURE_REGISTER_LISTENER

Using Class of Secure Transport (COST) to Restrict Instance Registration [ID 1453883.1]


Applies to:

Oracle Net Services - Version 10.2.0.3 to 11.2.0.3 [Release 10.2 to 11.2]
Information in this document applies to any platform.

Goal

To demonstrate how the COST parameter "SECURE_REGISTER_listener_name = (IPC)" is used to restrict instance registration with database listeners. With this COST restriction in place, only local instances are allowed to register. These instructions can be used to address the issues published in Oracle Security Alert CVE-2012-1675 by using COST to restrict instance registration to local instances only.

About COST

The class of secure transports (COST) parameters specify a list of transports that are considered secure for administration and registration of a particular listener. The COST parameters identify which transports are considered secure for that installation and whether the administration of a listener requires secure transports. Configuring COST parameters is optional.

About the IPC Protocol

IPC protocol support is similar to BEQ protocol support in that it can only be used when the client program and the Oracle server are installed on the same system. IPC protocol support differs from BEQ protocol support in that it can be used with Oracle Shared Server configurations. IPC protocol support requires a listener for its operation.

Fix

Setting a COST restriction using the IPC protocol to limit registration to local instances only.

Steps:

1) Stop the listener

2) Add support for the IPC protocol to the listener configuration, "(ADDRESS = (PROTOCOL = IPC)(KEY = REGISTER))", and add the COST parameter "SECURE_REGISTER_LISTENER = (IPC)".
LISTENER.ORA
------------
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = REGISTER))
      (ADDRESS = (PROTOCOL = TCP)(HOST = netfl-bde)(PORT = 1551))
    )
  )

SECURE_REGISTER_LISTENER = (IPC)

3) Start the listener.
LSNRCTL> start
Starting /u01/app/oracle/product/11.2.0.3/bin/tnslsnr: please wait...

TNSLSNR for Solaris: Version 11.2.0.3.0 - Production
System parameter file is /u01/app/oracle/product/11.2.0.3/network/admin/listener.ora
Log messages written to /u01/app/oracle/diag/tnslsnr/netfl-bde/listener/alert/log.xml
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=REGISTER)))
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=netfl-bde.us.oracle.com)(PORT=1551)))

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=REGISTER)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Solaris: Version 11.2.0.3.0 - Production
Start Date                27-APR-2012 16:34:20
Uptime                    0 days 0 hr. 0 min. 0 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /u01/app/oracle/product/11.2.0.3/network/admin/listener.ora
Listener Log File         /u01/app/oracle/diag/tnslsnr/netfl-bde/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=REGISTER)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=netfl-bde.us.oracle.com)(PORT=1551)))
The listener supports no services
The command completed successfully

4) Replace the TCP address in the database local_listener parameter with the IPC address used by the listener.
SQL> show parameter local_listener

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
local_listener                       string      (ADDRESS = (PROTOCOL = TCP)(HO
                                                 ST = netfl-bde)(PORT = 1551))

SQL> alter system set local_listener='(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=REGISTER)))' scope = both;

System altered.


SQL> show parameter local_listener

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
local_listener                       string      (DESCRIPTION=(ADDRESS=(PROTOCO
                                                 L=IPC)(KEY=REGISTER)))

5) Verify that the instance is now registered with the listener.
LSNRCTL> services
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=REGISTER)))
Services Summary...
Service "N11203.us.oracle.com" has 1 instance(s).
  Instance "N11203", status READY, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0 state:ready
         LOCAL SERVER

The command completed successfully
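To check that a listener.ora actually carries the restriction configured in the steps above, here is an added audit script; it is not part of the note, and the parsing approach and the second alias LISTENER2 in the sample are assumptions. For every listener alias it verifies that an IPC endpoint is present and that SECURE_REGISTER_<alias> is exactly (IPC).

```python
import re
# Constructed listener.ora like the note's; LISTENER2 is an assumed unrestricted listener.
SAMPLE_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = REGISTER))
      (ADDRESS = (PROTOCOL = TCP)(HOST = netfl-bde)(PORT = 1551))
    )
  )
SECURE_REGISTER_LISTENER = (IPC)
LISTENER2 = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = netfl-bde)(PORT = 1552)))
"""

def parse_top_level(text):
    """Map each top-level 'NAME = (...)' entry to its value, tracking paren depth."""
    text = re.sub(r"#.*", "", text)                      # drop comments
    entries, last_end = {}, 0
    for m in re.finditer(r"^\s*([A-Za-z0-9_.]+)\s*=\s*", text, re.M):
        if m.start() < last_end:                         # name inside a value
            continue
        pos, depth = m.end(), 0
        while pos < len(text):
            depth += {"(": 1, ")": -1}.get(text[pos], 0)
            if depth == 0:
                break
            pos += 1
        entries[m.group(1).upper()] = text[m.end():pos + 1]
        last_end = pos + 1
    return entries

def normalize(value):
    """Strip whitespace and upper-case so '(PROTOCOL = IPC)' == '(protocol=ipc)'."""
    return re.sub(r"\s+", "", value).upper()

def audit(text):
    """Return {alias: [findings]}; empty list = IPC endpoint present and COST set."""
    entries, report = parse_top_level(text), {}
    for name, value in entries.items():
        norm = normalize(value)
        if name.startswith("SECURE_REGISTER_") or "(ADDRESS=" not in norm:
            continue                                     # a parameter, not an alias
        findings = []
        if "(PROTOCOL=IPC)" not in norm:
            findings.append("no IPC endpoint: add (ADDRESS = (PROTOCOL = IPC)(KEY = ...))")
        cost = normalize(entries.get("SECURE_REGISTER_" + name, ""))
        if cost != "(IPC)":
            findings.append("SECURE_REGISTER_%s is %s, expected (IPC)" % (name, cost or "unset"))
        report[name] = findings
    return report
```

Run audit() over the text of a real listener.ora; any alias with a non-empty findings list still accepts registration over TCP.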


With COST enabled, attempts to register with the listener using a protocol other than IPC are rejected and an event is logged in the listener log:
11-MAY-2011 10:27:23 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
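Detection over the listener log, as an added example that is not from the note: the TNS-01194 entries in the sample copy the one shown above, while the other log lines are constructed and assumed to share the same "timestamp * event * return code" layout. The event line shown in the note carries no client address, so the script reports timing and counts of refused registrations only.

```python
import re
from collections import Counter

# Constructed listener.log excerpt: the two TNS-01194 entries copy the note's
# example; the remaining lines are assumed to use the same
# "<timestamp> * <event> * <return code>" layout.
SAMPLE_LISTENER_LOG = """\
11-MAY-2011 10:26:50 * service_register_NSGR * 0
11-MAY-2011 10:27:23 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
11-MAY-2011 10:27:24 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
11-MAY-2011 10:31:02 * service_update * N11203 * 0
"""

EVENT_RE = re.compile(r"^(\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* (.*) \* (\d+)$")
COST_REJECT = 1194   # TNS-01194: command did not arrive over a secure transport

def rejected_registrations(log_text):
    """One dict per registration refused by COST, with the TNS message that follows."""
    events, last = [], None
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            ts, fields, code = m.group(1), m.group(2), int(m.group(3))
            last = None
            if fields.startswith("service_register") and code == COST_REJECT:
                last = {"time": ts, "event": fields, "code": code, "message": None}
                events.append(last)
        elif line.startswith("TNS-") and last is not None and last["message"] is None:
            last["message"] = line        # the explanatory line after the event
    return events

def rejections_per_minute(events):
    """Count refusals per minute (timestamp without seconds) as an alerting basis."""
    return Counter(e["time"][:-3] for e in events)
```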

3 comments:

  1. Is there a way to identify where the attempts to register are coming from?

  2. If I want to go with a COST implementation for two listeners on the same server: if I put register for both listeners and try to start one, it gets started and the second one is giving the message that it is already running.

    Is there any way that we can implement COST in two listeners on the same server?

    Kindly let me know if you have any information in this regard.