Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle RAC [ID 1340831.1

Posted 2020-12-06 耀阳居士

In this Document

Goal

Fix

References

---

 

Applies to:

Oracle Net Services - Version 10.2.0.3 to 11.2.0.3 [Release 10.2 to 11.2]
Information in this document applies to any platform.

Goal

To demonstrate how the COST parameter "SECURE_REGISTER_listener_name = " is used to restrict instance registration with listeners in RAC environments. With COST restrictions in place only local and authorized instances having appropriate credentials will be allowed to register. These instructions can be used to address the issues published in Oracle Security Alert CVE-2012-1675 by using COST to restrict connections to only those instances having appropriate credentials.


About COST

The class of secure transports (COST) parameters specify a list of transports that are considered secure for administration and registration of a particular listener. The COST parameters identify which transports are considered secure for that installation and whether the administration of a listener requires secure transports. COST will not affect client connections utilizing other protocols. For more details and for information about other available COST parameters please see the 11.2 Network Administrators Guide and Network Reference.

Oracle versions that support COST

Although not documented in the Oracle 10g Network Administrator Guide COST parameters and functionality are supported as of 10.2.0.3.

Fix

Topics in this section:

1) Oracle 11.2 RAC - Securing registration with Scan listeners

2) Oracle 11.2 RAC - Securing ASM and Database registration with the Local (node) listener.

3) Oracle RAC versions prior to 11.2 (10.2.0.3 - 11.1)

1) Oracle RAC 11.2 - Securing registration with Scan listeners

This example environment is a two node 11.2 RAC cluster with three SCAN listeners. COST restrictions will limit registration protocols to TCPS for remote registering instances and to IPC for the local grid agent. To establish a connection over TCPS PMON and the listener must perform. a SSL handshake.

Please refer to the Oracle licensing documentation available on Oracle.com regarding licensing changes that allow Oracle Advanced Security SSL/TLS to be used with Oracle SE Oracle Real Application Clusters and Oracle Enterprise Edition Real Application Customers (Oracle RAC) and Oracle RAC OneNode Options.

Steps:

1.1) Using orapki create a wallet with self signed certificates that will be shared among SCAN listeners and registering instances to make secure SSL connections.

If SSL is being used exclusively for instance registration then a single shared wallet with self signed certificates are all that is needed and this is the easiest setup to implement. If other SSL features are planned a unique wallet and certificate may be required for each node. Reference Oracle documentation for the SSL requirements of any additional SSL features that will be used and adjust as necessary.

Important: The wallet that is shared by the cluster must be created by the oracle user and in the environment of the lowest version supported by the cluster. For example, if the 11.2 RAC cluster supports a 10.2.0.5 database you must create the shared wallet in the 10.2.0.5 environment using the Oracle 10.2.0.5 version of orapki. Once created you can move copies of the wallet to the other nodes per the normal instructions. Step (b) in this section will not be possible with 10.2 orapki, this step is optional and can be skipped.

a) Create an Oracle wallet: "ewallet.p12".

The target directory in this example is within the grid home but the location can be anywhere that is accessible to Oracle.

[oracle@rac1]$ mkdir /u01/app/11.2.0.2/grid/network/admin/cost

[oracle@rac1]$ orapki wallet create -wallet /u01/app/11.2.0.2/grid/network/admin/cost

Oracle PKI Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

b) The new wallet will contain a number of trusted certificates that are installed by default, remove all of these well known trusted certificates from the wallet.

This step is optional. Removing the extra trusted certificates that come installed with a new wallet is a housecleaning step and does not affect function. If you skip this step there will just be more output seen when viewing the finished wallet in step 1.1-d.

[oracle@rac1]$ orapki wallet remove -trusted_cert_all -wallet /u01/app/11.2.0.2/grid/network/admin/cost

Oracle PKI Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

c) Create a self-signed certificate that will be stored in the wallet.

This step creates a SSL certificate with the CN (common name) attribute value set to "cn=secure_register". This value can be used as is or interchanged with your own naming convention, e.g., "cn=orclprod".

 

[oracle@rac1]$ orapki wallet add -wallet /u01/app/11.2.0.2/grid/network/admin/cost -self_signed -dn "cn=secure_register" -keysize 1024 -validity 3650

Oracle PKI Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

d) View the wallet contents to confirm that it has a single trusted and user certificate.

[oracle@rac1]$ orapki wallet display -wallet /u01/app/11.2.0.2/grid/network/admin/cost -summary

Oracle PKI Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
User Certificates:
Subject: CN=secure_register
Trusted Certificates:
Subject: CN=secure_register

e) Make copies of the finished wallet (ewallet.p12) and place on each node in the same directory location; /u01/app/11.2.0.2/grid/network/admin/cost.

f) Using orapki create a unique obfuscated auto-login file "cwallet.sso" on each node. Both PMON and the listener will use the cwallet.sso to establish a secure SSL connection with each other. Once COST parameters restricting registration to TCPS are enabled only instances that have access to the wallet and obfuscated wallet (cwallet.sso) will be able to register with the SCAN listeners.

Creating the cwallet.sso file:

[oracle@rac1]$ orapki wallet create -wallet /u01/app/11.2.0.2/grid/network/admin/cost -auto_login

Oracle PKI Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

When using orapki version 11.2 -auto_login_local may also be specified when creating the cwallet.sso.

g) Modify the permissions of the obfuscated wallet (cwallet.sso) to allow usage by authorized group members.

[oracle@rac1]$ chmod 640 cwallet.sso

[oracle@rac1]$ ls -al
-rw-r----- 1 oracle oinstall 2493 Jul 11 15:18 cwallet.sso
-rw------- 1 oracle oinstall 2416 Jul 11 15:18 ewallet.p12

Important: Store the wallet password in a safe place. The wallet cannot be re-opened without it.


1.2) Update the grid home listener.ora so that it references the wallet location and add the COST parameters that will restrict registration. Do this for each node.

Add the wallet location to listener.ora.

WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /u01/app/11.2.0.2/grid/network/admin/cost)
)
)

At this time also add the COST registration restrictions for the SCAN listeners to the listener.ora. These parameters should be commented now and will be enabled later.

In 11.2 RAC the grid agent uses the IPC protocol to create and manage scan listeners so both IPC and TCPS must be enabled.

#SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)
#SECURE_REGISTER_LISTENER_SCAN2 = (IPC,TCPS)
#SECURE_REGISTER_LISTENER_SCAN3 = (IPC,TCPS)

The finished listener.ora should look like this:

[oracle@rac1]$ cat /u01/app/11.2.0.2/grid/network/admin/listener.ora

LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER)))) # line added by Agent
LISTENER_SCAN3=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN3)))) # line added by Agent
LISTENER_SCAN2=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN2)))) # line added by Agent
LISTENER_SCAN1=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1)))) # line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER_SCAN1=ON # line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER_SCAN2=ON # line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER_SCAN3=ON # line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER=ON # line added by Agent

WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /u01/app/11.2.0.2/grid/network/admin/cost)
)
)

#SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)
#SECURE_REGISTER_LISTENER_SCAN2 = (IPC,TCPS)
#SECURE_REGISTER_LISTENER_SCAN3 = (IPC,TCPS)

1.3) Using srvctl modify the SCAN listeners to also include TCPS protocol endpoints, re-start the SCAN listeners.

Please see note 1092753.1 if you are using srvctl with Oracle version 11.2.0.1.

srvctl config scan_listener
SCAN Listener LISTENER_SCAN1 exists. Port: TCP:1521
SCAN Listener LISTENER_SCAN2 exists. Port: TCP:1521
SCAN Listener LISTENER_SCAN3 exists. Port: TCP:1521

srvctl modify scan_listener -p TCP:1521/TCPS:1523

srvctl stop scan_listener
srvctl start scan_listener

srvctl config scan_listener
SCAN Listener LISTENER_SCAN1 exists. Port: TCP:1521/TCPS:1523
SCAN Listener LISTENER_SCAN2 exists. Port: TCP:1521/TCPS:1523
SCAN Listener LISTENER_SCAN3 exists. Port: TCP:1521/TCPS:1523

1.4) Add the wallet location to the sqlnet.ora of each instance home. If no sqlnet.ora exists create a new file. Registering instances must know the wallet location and have access in order to make the required SSL connection with the SCAN listeners.

[oracle@rac1]$ cat /u01/app/oracle/product/11.2.0/dbhome_2/network/admin/sqlnet.ora

WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /u01/app/11.2.0.2/grid/network/admin/cost)
)
)

Restart each instance after adding the wallet location to sqlnet.ora.

1.5) Modify instance startup parameters to use TCPS protocol with remote_listener.

The existing remote_listener value uses an ezconnect string value in the form. host:port.

[oracle@rac1]$ sqlplus "/ as sysdba"
SQL*Plus: Release 11.2.0.2.0 Production on Tue Jul 12 16:37:52 2011
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
With the Partitioning, Real Application Clusters, Automatic Storage Management, OLAP,
Data Mining and Real Application Testing options

SQL> show parameter remote_listener

NAME TYPE VALUE
--------------- ----------- ------------------------------
remote_listener string rac-scan:1521

The replacement remote_listener value is an address_list containing the resolved scan listener IP addresses and TCPS ports. The addresses can be listed using srvctl.

[oracle@rac1]$ srvctl config scan
SCAN name: racbde-scan, Network: 1/10.141.154.0/255.255.254.0/eth1
SCAN VIP name: scan1, IP: /rac-scan.us.oracle.com/10.141.155.122
SCAN VIP name: scan2, IP: /rac-scan.us.oracle.com/10.141.155.120
SCAN VIP name: scan3, IP: /rac-scan.us.oracle.com/10.141.155.121

Associate the three IP addresses assigned to the SCAN listeners with the TCPS port that was added in step 3, in this case port 1523.

The SCAN addresses are the same for all instances in the cluster so the remote_listener parameter value can be added from any instance home using the global option sid=‘*‘. This will update the remote_listener value for all instances.

SQL> alter system set remote_listener=‘(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=10.141.155.121)(PORT=1523))(ADDRESS=(PROTOCOL=TCPS)(HOST=10.141.155.122)(PORT=1523))(ADDRESS=(PROTOCOL=TCPS)(HOST=10.141.155.120)(PORT=1523)))‘ scope=both sid=‘*‘;

SQL> show parameter remote_listener

NAME TYPE VALUE
-------------- ----------- ------------------------------
remote_listener string (ADDRESS_LIST=(ADDRESS=(PROTOC
L=TCPS)(HOST=10.141.155.121)(
PORT=1523))(ADDRESS=(PROTOCOL=
TCPS)(HOST=10.141.155.122)(POR
T=1523))(ADDRESS=(PROTOCOL=TCP
S)(HOST=10.141.155.120)(PORT=1
523)))

Changing the remote_listener value is a critical stage as it forces registration over TCPS using the wallets and certificates that were created in earlier steps. It is best to stop here and verify that all instances are registering properly with the scan listeners. If not, go back and review each of the previous steps to ensure an item was not overlooked.

If registration using TCP needs to be restored for any reason it is a simple matter to revert to the previously noted ezconnect address. The following command can be performed from any instance in the cluster and will make changes globally for all instances. Do not do this unless it is your intention to revert back to TCP and not enable COST restrictions in the next step.

SQL> alter system set remote_listener=‘rac-scan:1521‘ scope=both sid=‘*‘;

1.6) Enable COST parameters restricting instance registration in the grid home listener.ora.

When instance registration over TCPS with SCAN listeners is working properly the COST registration rules can be implemented. Edit the grid home listener.ora and remove the comments from the COST restriction parameters that were added in step 1.2.

SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)
SECURE_REGISTER_LISTENER_SCAN2 = (IPC,TCPS)
SECURE_REGISTER_LISTENER_SCAN3 = (IPC,TCPS)

Restart all listeners to load the new parameters.

[oracle@rac1]$ srvctl stop scan_listener
[oracle@rac1]$ srvctl start scan_listener

With COST enabled attempts to register with SCAN listeners using a protocol other than TCPS are rejected and an event is logged in the listener log. Instances must also have the proper SSL credentials in order to connect and register their services.

13-JUL-2011 10:27:23 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport

 

To verify that COST restrictions are functioning appropriately please refer to DocID:1453883.1, section 3, "Verifying that COST is working".

 

2) Oracle 11.2 RAC - Securing ASM and Database registration with the Local (node) listener.

In a RAC environment, and without the patch for bug:12880299, an IPC restriction on the local/node listener will cause the scan listener TCP handlers to block and not allow incoming client connections. The patch not only fixes this issue but also allows for registration from only the local node over TCP provided that TCP is listed as a secure transport for registration.

Steps:

2.1) Obtain and apply the patch for bug:12880299. The patch should be applied to both the grid and rdbms homes on each node in the cluster.

2.2) Add COST IPC and TCP protocol restrictions to the listener.ora on each node.

Edit the grid home listener.ora and add SECURE_REGISTER_LISTENER = (IPC,TCP) to the existing list of scan listener restrictions.

In 11.2 RAC the grid agent uses the IPC protocol to create and manage node listeners so both IPC and TCP restrictions must be enabled.

SECURE_REGISTER_LISTENER = (IPC,TCP)
SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)
SECURE_REGISTER_LISTENER_SCAN2 = (IPC,TCPS)
SECURE_REGISTER_LISTENER_SCAN3 = (IPC,TCPS)

2.3) To activate the COST restriction use srvctl to re-start all instance/local listeners. (This action only needs to be performed on one node, all local listeners will restart.)

[oracle@rac1 ~]$ srvctl stop listener
[oracle@rac1 ~]$ srvctl start listener

 

To verify that COST restrictions are functioning appropriately please refer to DocID:1453883.1, section 3, "Verifying that COST is working".

 

3) Oracle RAC versions prior to 11.2 (10.2.0.3 - 11.1)

Note: The configuration and the usage of COST in these Oracle versions requires the prior installation of PSE 12880299. Only database/ASM homes should be patched, there is no requirement to patch CRS.

Steps:

3.1) Using orapki create a wallet with self signed certificates that will be shared among node listeners and registering instances to make secure SSL connections.

If SSL is being used exclusively for instance registration then a single shared wallet with self signed certificates are all that is needed and this is the easiest setup to implement. If other SSL features are planned a unique wallet and certificate may be required for each node. Reference Oracle documentation for the SSL requirements of any additional SSL features that will be used and adjust as necessary.

a) Create an Oracle wallet: "ewallet.p12".

The target directory in this example is within the database home but the location can be anywhere that is accessible to Oracle.

[oracle@rac1]$ mkdir /u01/app/oracle/product/10.2.0/db_1/network/admin/cost

[oracle@rac1]$ orapki wallet create -wallet /u01/app/oracle/product/10.2.0/db_1/network/admin/cost
Enter password:
Enter password again:

b) Create a self-signed certificate that will be stored in the wallet.

This step creates a SSL certificate with the CN (common name) attribute value set to "cn=secure_register". This value can be used as is or interchanged with your own naming convention, e.g., "cn=orclprod".

[oracle@rac1]$ orapki wallet add -wallet /u01/app/oracle/product/10.2.0/db_1/network/admin/cost -self_signed -dn "cn=secure_register" -keysize 1024 -validity 3650
Enter wallet password:

c) The new wallet will contain a number of trusted certificates that are installed by default. You can use Oracle Wallet Manager (OWM), a java tool in $ORACLE_HOME/bin, to remove all other trusted certificates except for the self signed certificate "CN=secure_register" that was created in step 3.1-b.

Running OWM to remove the default trusted certs in the wallet is optional. Removing the extra trusted certificates that come installed with a new wallet is a housecleaning step and does not affect function. If you skip this step there will just be more output seen when viewing the finished wallet.

Once all the additional trusted certificates have been removed the finished wallet should look like this:

[oracle@rac1]$orapki wallet display -wallet /u01/app/oracle/product/10.2.0/db_1/network/admin/cost
Enter wallet password:

Requested Certificates:
User Certificates:
Subject: CN=secure_register
Trusted Certificates:
Subject: CN=secure_register

d) Make copies of the finished wallet (ewallet.p12) and place on each node in the same directory location, i.e., $ORACLE_HOME/network/admin/cost

e) Using orapki create a unique obfuscated auto-login file "cwallet.sso" on each node. Both PMON and the listener will use the cwallet.sso to establish a secure SSL connection with each other. Once COST parameters restricting remote registration to TCPS are enabled only instances that have access to the wallet and obfuscated wallet (cwallet.sso) will be able to remotely register with listeners.

[oracle@rac1]$ orapki wallet create -wallet /u01/app/oracle/product/10.2.0/db_1/network/admin/cost -auto_login
Enter wallet password:

[oracle@rac1]$ ls/u01/app/oracle/product/10.2.0/db_1/network/admin/cost

cwallet.sso ewallet.p12

The wallet is now ready to use with files ewallet.p12 and cwallet.sso in $ORACLE_HOME/network/admin/cost
Important: Store the wallet password in a safe place. The wallet cannot be re-opened without it.

 

3.2) Obtain and apply the patch for bug:12880299 to all nodes in the cluster.

In a RAC environment, and without the patch for bug:12880299, an IPC restriction on the local/node listener will cause the scan listener TCP handlers to block incoming connections. The patch not only fixes this issue but also allows for registration from only the local node over TCP provided that TCP is listed as a secure transport for registration.

 

3.3) Update the listener.ora so that it references the wallet location and add the COST parameters that will restrict registration, also add a listen endpoint for TCPS that pmon will use to send registration updates. Do this on the listener.ora of each node.

The location of the listener.ora that the running listener is using can be identified with lsnrctl> status.

Before edit, the listener.ora will look similar to:

LISTENER_RAC1 =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
(ADDRESS = (PROTOCOL = TCP)(HOST = rac1-vip.us.oracle.com)(PORT = 1521))
(ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.203.210)(PORT = 1521))
)
)

a) Add a TCPS address and endpoint to listener.ora. Use the existing node vip address and any available port for the TCPS endpoint.

LISTENER_RAC1 =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
(ADDRESS = (PROTOCOL = TCP)(HOST = rac1-vip.us.oracle.com)(PORT = 1521))
(ADDRESS = (PROTOCOL = TCPS)(HOST = rac1-vip.us.oracle.com)(PORT = 1523))
(ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.203.210)(PORT = 1521))
)
)

b) Add the wallet location to listener.ora.

WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /u01/app/oracle/product/10.2.0/db_1/network/admin/cost)
)
)

c) Add the COST registration restrictions for TCP and TCPS to the listener.ora. The parameter should be commented now but will be enabled later.

#SECURE_REGISTER_LISTENER_RAC1 = (TCP,TCPS)

 

The above actions, 3.3-a,b & c, should be performed on each listener.ora on each cluster node. Make sure references to listener and vip names are accurate for each node.

 

A finished listener.ora will look like this:

LISTENER_RAC1 =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
(ADDRESS = (PROTOCOL = TCP)(HOST = rac1-vip.us.oracle.com)(PORT = 1521))
(ADDRESS = (PROTOCOL = TCPS)(HOST = rac1-vip.us.oracle.com)(PORT = 1523))
(ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.203.210)(PORT = 1521))
)
)

WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /u01/app/oracle/product/10.2.0/db_1/network/admin/cost)
)
)

#SECURE_REGISTER_LISTENER_RAC1 = (TCP,TCPS)

 

3.4) After the changes to the listener.ora have been made stop and restart the listener and confirm that it has the TCPS listen endpoint that was added along with the previously existing endpoints.

[oracle@rac1]$ srvctl stop listener -n rac1
[oracle@rac1]$ srvctl start listener -n rac1

LSNRCTL> status
Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
STATUS of the LISTENER
------------------------
Alias LISTENER_RAC1
...
...
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.203.214)(PORT=1521)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=192.168.203.214)(PORT=1523)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.203.210)(PORT=1521)))
The listener supports no services
The command completed successfully

3.5) Add the wallet location to the sqlnet.ora of each instance home. The sqlnet.ora is read by the instance at startup. Registering instances must know the wallet location and have access in order to make the required SSL connection with remote listeners.

[oracle@rac1]$ cat /u01/app/oracle/product/10.2.0/db_1/network/admin/sqlnet.ora

WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /u01/app/oracle/product/10.2.0/db_1/network/admin/cost)
)
)

3.6) Modify instance startup parameters to use the new TCPS protocol addresses used by all of the node listeners. The instance uses the remote_listener parameter value to locate those addresses.

[oracle@rac1 ~]$ sqlplus "/ as sysdba"

SQL*Plus: Release 10.2.0.3.0 - Production on Tue May 1 11:12:33 2012

Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bit Production
With the Partitioning, Real Application Clusters, OLAP and Data Mining options

SQL> show parameter remote_listener

NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
remote_listener string listeners_rac

In this case the database is using the tns alias "listeners_rac" in tnsnames.ora to store the listener addresses.

Edit the listeners_rac entry in TNSNAMES.ORA that is being used by the database.

Before edit:

LISTENERS_RAC =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST = rac1-vip.us.oracle.com)(PORT = 1521))
(ADDRESS = (PROTOCOL = TCP)(HOST = rac2-vip.us.oracle.com)(PORT = 1521))
)

Comment the existing TCP addresses and add the new TCPS addresses we will be using for registration.

LISTENERS_RAC =
(ADDRESS_LIST =
# (ADDRESS = (PROTOCOL = TCP)(HOST = rac1-vip.us.oracle.com)(PORT = 1521))
# (ADDRESS = (PROTOCOL = TCP)(HOST = rac2-vip.us.oracle.com)(PORT = 1521))
(ADDRESS = (PROTOCOL = TCPS)(HOST = rac1-vip.us.oracle.com)(PORT = 1523))
(ADDRESS = (PROTOCOL = TCPS)(HOST = rac2-vip.us.oracle.com)(PORT = 1523))
)

 

The next step is to restart the instance but before doing that make note of the current lsnrctl services output on one of the listeners on another node (a remote listener) so you can compare the results after the restart (they should match). Of particular interest is the remote service handler of the instance you are testing.

srvctl stop instance -d rac -i rac2 -o immediate
srvctl start instance -d rac -i rac2

If the remote service handler output matches the handler output prior to the restart then TCPS connectivity and secure network registration is functional. Repeat this process until all nodes are successfully registering remotely over TCPS. If the lsnrctl services output is not correct after restart go back over the configuration steps to make sure nothing was missed. If there is a need to revert to the previous TCP configuration just remove the comment from the TCP entries in the listeners_rac tns alias, comment the TCPS entries and restart the instance.

3.6) When all instances are properly registering with remote listeners over TCPS protocol you are ready to enable COST restrictions.

Remove the comment from the cost restriction entry in each listener and restart the listener.

SECURE_REGISTER_LISTENER_RAC1 = (TCP,TCPS)

 

To verify that COST restrictions are functioning appropriately please refer to DocID:1453883.1, section 3, "Verifying that COST is working".

 

Patch/fix information for BUG:12880299

The fix for BUG:12880299 will be included in Oracle 11.2.0.4.

PSU‘s that include the fix:
Cumulative Patch Inclusion - DBPSU 10.2.0.5.8 (Released)
Cumulative Patch Inclusion - DBPSU 11.2.0.2.7 (Released)
Cumulative Patch Inclusion - DBPSU 10.2.0.4.13 (Released)
Cumulative Patch Inclusion - DBPSU 11.2.0.3.3 (Released)
Cumulative Patch Inclusion - DBPSU 11.1.0.7.12 (Released)


Windows patch availability for bugfix:12880299

11.2.0.3: 12880299 is included in bundle 6 (Released)
--------
32-bit : Patch 13965210
64-bit : Patch 13965211

11.2.0.2: 12880299 is included in bundle 19 (Released)
--------
32-bit : Patch 14046710
64-bit : Patch 14046711

11.1.0.7: 12880299 is included in bundle 46 (Released)

10.2.0.5: 12880299 is included in bundle 17 (Released)

 

References

NOTE:1455068.1 - Force Connections to a Specific Database Service When two Identical Services are Registered to CMAN
NOTE:1453883.1 - Using Class of Secure Transport (COST) to Restrict Instance Registration
@ BUG:12880299 - RAC: TCP HANDLERS BLOCK IF LISTENER REGISTRATION IS RESTRICTED TO IPC W/COST
@NOTE:1457854.1 - How To Enable TCPS Support For Oracle Standard Edition
NOTE:1092753.1 - How To Configure Scan Listeners With A TCPS Port?

Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle RAC [ID 1340831.1]
		修改时间 08-OCT-2012 类型 HOWTO 状态 PUBLISHED