Oracle Listener 设置密码 示例 说明

一.官网说明

MOS 上的一篇文章：

Setting Listener Passwords With an Oracle10g or Newer Listener [ID 260986.1]

这里面提到如下内容：

In Oracle 10gand newer versions of the listener, the listener is secure out of the box.There should be no need to set a listener password to prohibit privilegedLSNRCTL commands from being executed. 

--自Oracle10g后，listener 不需要设置密码。

Beginning withversion 10g, the listener now uses local OS authentication. As long as oneruns LSNRCTL privileged commands (stop, status, etc) as the same user whostarted the listener, that user will be able to fully administer the runninglistener without providing a password. 

--从10g开始，listener 使用local OS authentication。

This securityfeature is enabled by default and can be identified at listener  startup,or when issuing a LSNRCTL STATUS command, by the following output: 

Security ON:Local OS Authentication 

If theTNSListener is started as the "oracle" user and the user"sales" attempts  to administer the listener, or if"oracle" on a different node attempts to  administer thelistener, the following error will be returned: 
TNS-01190: The user is not authorized to execute the requested listener command

       如果使用oracle用户来启动listener，那么可以使用OS 认证，就不需要输入密码，如果使用其他的用户来登陆，就需要密码了。

1.1 配置密码

Configuring and Changing the Oracle NetListener Password

http://docs.oracle.com/cd/E11882_01/network.112/e10836/listenercfg.htm#NETAG459

Localadministration of the listener is secure by default through the local operatingsystem. Therefore configuring a password is neither required nor recommendedfor secure local administration. However, a password can be configured for thelistener to provide security for administrative operations, such as starting orstopping the listener, viewing a list of supported services, or saving changesto the Listener Control configuration.

--listener 的安全默认使用本地操作系统的认证。 因此对listener 不需要也不推荐。 但是，设置密码可以用来控制管理操作，比如start 或者stop listener，查看supported services 列表或者保存listener的配置。

Note:

If the PASSWORDS_listener_name parameteris set to an unencrypted password, then you must manually remove it fromthe listener.orafile before changing it. If the unencrypted password isnot removed, then you are unable to set an encrypted password.

       --注意，如果 PASSWORDS_listener_name  参数被设置为unencryptedpassword，那么必须从listener.ora 文件里移除这个参数，如果该参数没有移除，就不能设置密码。

You can use theListener Control utility (lsnrctl) or Oracle Enterprise Manager toconfigure or change the Oracle Net Listener password.

可以使用lsnrctl 或者OEM，或Oracle Net Listener 来设置密码：

（1）To set a new encrypted passwordusing lsnrctl, do the following:

LSNRCTL> SET PASSWORD

Password: password

The command completed successfully

--该命令用来登陆listener，登陆成功之后才可以进行相关的操作。

（2）To change an encrypted passwordusing lsnrctl, do the following:

LSNRCTL> CHANGE_PASSWORD

Old password: old_password

New password: new_secure_password

Reenter new password: new_secure_password

Connecting to(DESCRIPTION=(ADDRESS=(PROTOCOL=tpc)(HOST=sales-server)(PORT=1521)))

Password changed for LISTENER

The command completed successfully

LSNRCTL> SAVE_CONFIG

Connecting to(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=sales-server)(PORT=1521)))

Saved LISTENER configuration parameters.

Listener Parameter File   /oracle/network/admin/listener.ora

Old Parameter File   /oracle/network/admin/listener.bak

The command completed successfully

（3）To set or change an encrypted password with OracleEnterprise Manager, do the following:

1）Access theNet Services Administration page in Oracle Enterprise Manager.

2）Select Listeners fromthe Administer list, and then select the Oracle home that contains the locationof the configuration files.

3）Click Go.You may be prompted to log in to the database server.

The Listeners page appears.

4）Select alistener, and then click Edit.

The Edit Listeners page appears.

5）Clickthe Authentication tab.

6）Click Requirea password for listener operations.

7）Click OK.

8）Restart thelistener.

1.2 移除密码

Removing the Listener Password

http://docs.oracle.com/cd/E11882_01/network.112/e10835/mignet.htm#NETRF1971

In OracleDatabase 11g Release 2 (11.2), the password feature is being deprecated.This does not cause a loss of security because authentication is enforcedthrough local operating system authentication. To migrate a listener that has aset password, do the following:

--在Oracle 11gR2里，listener 的密码功能已经被废除，因为本地的OS 认证被加强。 移除listener 的密码通过如下步骤：

（1）Remove allPASSWORDS_listener_name entries from the listener.ora file.

（2）Reload the listener using thefollowing command:

lsnrctl reload listener_name

If remote administration of a listener is required, then use one of the following methodsto connect to and administer the listener.

（1）Connect tothe host where listener is running using SSH or other secure method, and thenperform local administration. Local administration is enforced by the operatingsystem authentication.

（2）Use OracleEnterprise Manager to administer the listener. Oracle Enterprise Manager usesHTTPS, which ensures security.

二.示例

2.1 查看监听状态

LSNRCTL> status

Connecting to(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))

STATUS of the LISTENER

------------------------

Alias                     LISTENER

Version                   TNSLSNR for 32-bit Windows:Version 11.2.0.1.0 - Production

Start Date                18-DEC-2011 10:53:55

Uptime                    0 days 9 hr. 38 min. 4 sec

Trace Level               off

Security                  ON: Local OS Authentication

--注意这里默认的安全级别

SNMP                      OFF

Listener Parameter File  D:\app\Administrator\product\11.2.0\dbhome_1\network\admin\listener.ora

Listener Log File        d:\app\administrator\diag\tnslsnr\DAVIDDAI\listener\alert\log.xml

Listening Endpoints Summary...

 (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1521ipc)))

 (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=DAVIDDAI)(PORT=1521)))

Services Summary...

Service "CLRExtProc" has 1instance(s).

 Instance "CLRExtProc", status UNKNOWN, has 1 handler(s) forthis service...

Service "dave" has 1 instance(s).

 Instance "NEWCCS", status UNKNOWN, has 1 handler(s) for thisservice...

Service "newccs" has 1instance(s).

 Instance "newccs", status READY, has 1 handler(s) for thisservice...

Service "newccsXDB" has 1instance(s).

 Instance "newccs", status READY, has 1 handler(s) for thisservice...

The command completed successfully

2.2 改变密码：

LSNRCTL> change_password

Old password:

New password:

Reenter new password:

Connecting to(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))

Password changed for LISTENER

The command completed successfully

--查看status

LSNRCTL> status

Connecting to(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))

STATUS of the LISTENER

------------------------

Alias                     LISTENER

Version                   TNSLSNR for 32-bit Windows:Version 11.2.0.1.0 - Production

Start Date                18-DEC-2011 10:53:55

Uptime                    0 days 9 hr. 56 min. 54 sec

Trace Level               off

Security                  ON: Password or Local OSAuthentication

--这里的验证方式发生改变，这里显示的额信息表明Listener的安全机制使用了Password方式或者Local OS Authentication方式，在这种状态下，即使是设置了监听密码，对于启动监听的user来说，也仍然是不需要任何密码就可以停止监听的。

SNMP                      OFF

Listener Parameter File  D:\app\Administrator\product\11.2.0\dbhome_1\network\admin\listener.ora

Listener Log File        d:\app\administrator\diag\tnslsnr\DAVIDDAI\listener\alert\log.xml

Listening Endpoints Summary...

 (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1521ipc)))

 (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=DAVIDDAI)(PORT=1521)))

Services Summary...

Service "CLRExtProc" has 1instance(s).

 Instance "CLRExtProc", status UNKNOWN, has 1 handler(s) forthis service...

Service "dave" has 1 instance(s).

 Instance "NEWCCS", status UNKNOWN, has 1 handler(s) for thisservice...

Service "newccs" has 1instance(s).

 Instance "newccs", status READY, has 1 handler(s) for thisservice...

Service "newccsXDB" has 1instance(s).

 Instance "newccs", status READY, has 1 handler(s) for thisservice...

The command completed successfully

--保存配置：

LSNRCTL> save_config

Connecting to(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))

Saved LISTENER configuration parameters.

Listener Parameter File  D:\app\Administrator\product\11.2.0\dbhome_1\network\admin\listener.ora

Old Parameter File  D:\app\Administrator\product\11.2.0\dbhome_1\network\admin\listener.bak

The command completed successfully

--注意这里，当我们改变密码之后，在保存配置时，原listener.ora 文件保存了listener.bak. 修改的参数添加到现在的listener.ora 文件里。

查看listener.ora 文件，多了一个密码：

#----ADDED BY TNSLSNR 18-DEC-201120:52:38---

PASSWORDS_LISTENER = 1DF5C2FD0FE9CFA2

#--------------------------------------------

2.3 用Listener密码登陆

默认口令为空.

LSNRCTL> set password

Password:

The command completed successfully

2.4 测试一: 用启动listener的用户

C:\Users\Administrator.DavidDai>lsnrctl

LSNRCTL for 32-bit Windows: Version 11.2.0.1.0- Production on 18-DEC-2011 21:13:42

Copyright (c) 1991, 2010, Oracle.  All rights reserved.

Welcome to LSNRCTL, type "help"for information.

LSNRCTL> set current_listener listener

Current Listener is listener

LSNRCTL> stop

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))

The command completed successfully

LSNRCTL> start

Starting tnslsnr: please wait...

TNSLSNR for 32-bit Windows: Version11.2.0.1.0 - Production

System parameter file isD:\app\Administrator\product\11.2.0\dbhome_1\network\admin\listener.ora

Log messages written tod:\app\administrator\diag\tnslsnr\DAVIDDAI\listener\alert\log.xml

Listening on:(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1521ipc)))

Listening on:(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=DAVIDDAI)(PORT=1521)))

Connecting to(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))

STATUS of the LISTENER

------------------------

Alias                     listener

Version                   TNSLSNR for 32-bit Windows:Version 11.2.0.1.0 - Production

Start Date                18-DEC-2011 21:15:59

Uptime                    0 days 0 hr. 0 min. 5 sec

Trace Level               off

Security                  ON: Password or Local OSAuthentication

SNMP                      OFF

Listener Parameter File  D:\app\Administrator\product\11.2.0\dbhome_1\network\admin\listener.ora

Listener Log File        d:\app\administrator\diag\tnslsnr\DAVIDDAI\listener\alert\log.xml

Listening Endpoints Summary...

 (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1521ipc)))

 (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=DAVIDDAI)(PORT=1521)))

Services Summary...

Service "CLRExtProc" has 1instance(s).

 Instance "CLRExtProc", status UNKNOWN, has 1 handler(s) forthis service...

Service "dave" has 1 instance(s).

 Instance "NEWCCS", status UNKNOWN, has 1 handler(s) for thisservice...

The command completed successfully

LSNRCTL>

通过以上测试，对于启动listener的用户，不需要密码。

2.5. 设置 LOCAL_OS_AUTHENTICATION 参数

OS 认证是Oracle 10g里推出的，所以我这里直接禁用掉OS认证，这样只要密码文件存在，所有操作都需要set password。

在listener.ora 文件里添加如下参数：

LOCAL_OS_AUTHENTICATION_[listenername]=OFF

--开始测试：

C:\Users\Administrator.DavidDai>lsnrctlreload listener

LSNRCTL for 32-bit Windows: Version11.2.0.1.0 - Production on 18-DEC-2011 21:41:10

Copyright (c) 1991, 2010, Oracle.  All rights reserved.

Connecting to(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))

The command completed successfully

C:\Users\Administrator.DavidDai>lsnrctlstatus

LSNRCTL for 32-bit Windows: Version11.2.0.1.0 - Production on 18-DEC-2011 21:41:21

Copyright (c) 1991, 2010, Oracle.  All rights reserved.

Connecting to(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))

TNS-01169: The listenerhas not recognized the password

这里就需要我们输入密码了。

C:\Users\Administrator.DavidDai>lsnrctl

LSNRCTL for 32-bit Windows: Version11.2.0.1.0 - Production on 18-DEC-2011 21:41:55

Copyright (c) 1991, 2010, Oracle.  All rights reserved.

Welcome to LSNRCTL, type "help"for information.

LSNRCTL> set current_listener listener

Current Listener is listener

LSNRCTL> status

Connecting to(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))

TNS-01169: The listener has not recognizedthe password

LSNRCTL> set password

--设置密码后，操作成功

Password:

The command completed successfully

LSNRCTL> status

Connecting to(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))

STATUS of the LISTENER

------------------------

Alias                     listener

Version                   TNSLSNR for 32-bit Windows: Version11.2.0.1.0 - Production

Start Date                18-DEC-2011 21:15:59

Uptime                    0 days 0 hr. 26 min. 22 sec

Trace Level               off

Security                  ON: Password

SNMP                      OFF

Listener Parameter File  D:\app\Administrator\product\11.2.0\dbhome_1\network\admin\listener.ora

Listener Log File        d:\app\administrator\diag\tnslsnr\DAVIDDAI\listener\alert\log.xml

Listening Endpoints Summary...

 (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1521ipc)))

 (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=DAVIDDAI)(PORT=1521)))

Services Summary...

Service "CLRExtProc" has 1instance(s).

 Instance "CLRExtProc", status UNKNOWN, has 1 handler(s) forthis service...

Service "dave" has 1 instance(s).

 Instance "NEWCCS", status UNKNOWN, has 1 handler(s) for thisservice...

Service "newccs" has 1instance(s).

 Instance "newccs", status READY, has 1 handler(s) for thisservice...

Service "newccsXDB" has 1instance(s).

  Instance"newccs", status READY, has 1 handler(s) for this service...

The command completed successfully

LSNRCTL>

2.7 移除密码

       如果监听已启动，密码忘记了，直接修改listener.ora文件是没用的，因为那个文件在监听启动后甚至可以删除，所以可以先在操作系统中kill掉系统进程，然后在listener.ora文件中移除PASSWORDS_LISTENER参数，再启动监听密码恢复为空。

小结：

       在Oracle 10g 以后已经不推荐对listener 设置密码了，所以这里仅做为一个知识点了解一下。

-------------------------------------------------------------------------------------------------------

版权所有，文章允许转载，但必须以链接方式注明源地址，否则追究法律责任!

Email:   tianlesoftware@gmail.com

Skype: tianlesoftware

Blog:     http://www.tianlesoftware.com

Weibo: http://weibo.com/tianlesoftware

Twitter: http://twitter.com/tianlesoftware

Facebook:http://www.facebook.com/tianlesoftware

-------加群需要在备注说明Oracle表空间和数据文件的关系，否则拒绝申请----

DBA1 群：62697716(满);   DBA2 群：62697977(满)  DBA3 群：62697850(满)  

DBA 超级群：63306533(满);  DBA4 群：83829929   DBA5群： 142216823

DBA6 群：158654907    DBA7 群：172855474