- Get link
- X
- Other Apps
Valid Node Checking Registration (VNCR)
Overview
In previous post we saw how to secure remote service registration with the listener by using COST which requires wallet and TCPS endpoints to be enabled. In this post we will go through VNCR which is the replacement of COST from 11.2.0.4 onwards. This feature doesn't require wallet or TCPS endpoints, in fact its just matter of setting few parameters in listener.ora parameter file. In case of RAC both Node listener and Scan listeners can leverage VNCR feature, but since Scan listeners has to be aware of all the services running on all the nodes in RAC we need to carefully allow remote registration from remote instances of RAC.
VNCR related parameters:
- VALID_NODE_CHECKING_REGISTRATION_listener_nameValid Values:- (OFF/0, ON/1/LOCAL, SUBNET/2)By default this parameter will be set to OFF, and we can enable it at two levels LOCAL and SUBNET. When set to ON/1/LOCAL then only the local IP addresses can register the services with the listener, if we invite any IP's then invited IP's and all the local IP addresses will be allowed to register with the listener. When set to SUBNET/2 then all the IP's under the same subnet will be allowed to register the services with the listener, if we invite any IP's then all the invited IP's and the IP's under the same subnet are allowed.
- REGISTRATION_INVITED_NODES_listener_nameValid Values:- (10.1.35.*, 10.1.34.0/24, 2001:DB8:fe38:7303, node1)Use it to specify the invited list of IP's, Host names, CIDR notation for IPv4 and IPv6 addresses who can register services with the listener. Using wildcard * is supported for IPV4.
- REGISTRATION_EXCLUDED_NODES_listener_nameValid Values:- (10.1.35.*, 10.1.34.0/24, 2001:DB8:fe38:7303, node1)Use it specify the excluded list of IP's, Host names, CIDR notation for IPv4 and IPv6 addresses who cannot register services with the listener. Using wildcard * is supported for IPV4. If both REGISTRATION_INVITED_NODES_listener_name and REGISTRATION_EXCLUDED_NODES_listener_name are set then excluded list parameter will be ignored.
VNCR for Standalone Database
Standalone databases will have only node listeners and we can enable VNCR for this listener at LOCAL level as we would want to allow only local IP addresses to register its services with the listener.
VALID_NODE_CHECKING_REGISTRATION_listener_name=LOCAL
After enabling VNCR for LOCAL, when we try to register services from remote machine using remote_listener parameter we get below messages in listener log file. It clearly shows that any service registration attempts from remote machine are getting rejected. Also notice that VNCR option is displayed as 1 which is LOCAL/ON in the log file.
Listener(VNCR option 1) rejected Registration request from destination 10.114.13.117
27-JUL-2015 01:16:00 * service_register_NSGR * 1182
TNS-01182: Listener rejected registration of service ""
Listener(VNCR option 1) rejected Registration request from destination 10.114.13.117
27-JUL-2015 01:16:23 * service_register_NSGR * 1182
TNS-01182: Listener rejected registration of service ""
VNCR for RAC
In RAC both Node listener and Scan listener uses the same binary tnslsnr and also they are started from the GRID_HOME instead of ORACLE_HOME. Oraagent spawned by crsd process is the one who takes care of these listeners, this is the agent who maintains endpoints file. This agent monitors the listeners with frequency of every 60 seconds as per the log file oraagent_oracle.log. The entries modified by this agent in listener.ora file will be commented as "# line added by agent". As best practice local_listener should not be set as its the duty of oraagent to take care and remote_listener should be set with scan name and port number to enable server side connection load balance.
To implement VNCR for Node listener is straight forward, we can set VNCR at LOCAL since Node listeners need to be aware of only the local node specific services but Scan listeners has to be aware of all the services running in all the RAC nodes. So VNCR at SUBNET level is the preferred way for all the Scan listeners, if you set VNCR at LOCAL level for Scan listeners then you will lose the connection load balancing functionality. For any reason if we need to set LOCAL for Scan listeners then we need to invite all the Public IP's of the RAC cluster to ensure that Scan listeners are aware of all the services running in the RAC cluster. All the combination of VNCR settings for RAC are detailed below.
- VNCR LOCAL for both node listener and scan listenerWhen we set VNCR for LOCAL, only local machines can register with listeners. This should be fine for node listeners but for scan listeners we need to include all the nodes public IP’s by using one more parameter as shown below. Else scan listeners will not have any service information of remote nodes.
VALID_NODE_CHECKING_REGISTRATION_LISTENER=LOCAL VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=LOCAL REGISTRATION_INVITED_NODES_LISTENER_SCAN1=(list of public ip's of all nodes) VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN2=LOCAL REGISTRATION_INVITED_NODES_LISTENER_SCAN2=(list of public ip's of all nodes) VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN3=LOCAL REGISTRATION_INVITED_NODES_LISTENER_SCAN3=(list of public ip's of all nodes)
- VNCR SUBNET for both node listener and scan listenerWhen we set VNCR for SUBNET, all the machines under the RAC defined subnet can register the services with both type of listeners. This configuration holds good for scan listeners but not for node listeners, as node listeners are meant to be aware of only local services. But with this configuration node listeners will be having many unwanted/malicious services getting registered.
VALID_NODE_CHECKING_REGISTRATION_LISTENER=SUBNET VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=SUBNET VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN2=SUBNET VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN3=SUBNET
- VNCR LOCAL for node listener and SUBNET for scan listenerWhen we set LOCAL for node listener and SUBNET for scan listeners, only local machines can register with the node listeners and all the machines under RAC defined subnet can register the services with the scan listeners. This setup will remove the complexity of defining other additional parameters and works perfectly according to the architectural responsibility of each node and scan listeners without any overhead.
VALID_NODE_CHECKING_REGISTRATION_LISTENER=LOCAL VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=SUBNET VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN2=SUBNET VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN3=SUBNET
Secure service registration with listeners in 12c
In 12c VNCR functionality is similar to 11.2.0.4, but default settings are different when compared to 11.2.0.4. In 12c LREG is the process instead of PMON responsible for service registration with the listeners. In 12c Standalone database listeners are protected by default using VNCR set at LOCAL to allow only local registering instances. But in 12c RAC by default Node listeners are protected by VNCR but not Scan listeners. Scan listeners in 12c uses new feature by setting remote_registration_address to redirect remote registrations and it also enables additional endpoints for the Scan listeners in HAIP network. Whenever listener receives the remote service registration request it will ask registering instances to re-send the registering request through HAIP network. This ensures only the nodes members of RAC can perform remote registration with listeners as they are the ones who can access the HAIP/Private network of the RAC cluster. Also please note that in 12c you will find one more listener meant for MGMT database called as MGMTLSNR and for this listener by default VNCR will be set at SUBNET level.
Below are the default VNCR parameters set by oraagent.
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=OFF # line added by Agent
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN2=OFF # line added by Agent
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN3=OFF # line added by Agent
VALID_NODE_CHECKING_REGISTRATION_LISTENER=SUBNET # line added by Agent
VALID_NODE_CHECKING_REGISTRATION_MGMTLSNR=SUBNET # line added by Agent
As you can see VNCR for Scan listeners are disabled and enabled at SUBNET level for node listener and MGMTLSNR listener.
lsnrctl command can be used to check Scan listeners using remote_registration_address. By default scan listeners are secured by oraagent which sets REMOTE_REGISTRATION_ADDRESS as shown below.
{/home/oracle}: lsnrctl show remote_registration_address 12clabserver:1521
LSNRCTL for Linux: Version 12.1.0.2.0 - Production on 03-AUG-2015 07:08:09
Copyright (c) 1991, 2014, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=))(ADDRESS=(PROTOCOL=TCP)(HOST=10.275.23.11)(PORT=1521)))
LISTENER parameter "remote_registration_address" set to (DESCRIPTION=(ASYNC_TIMER=yes)(EXPIRE_TIME=1)(TRANSPORT_CONNECT_TIMEOUT=15)(ADDRESS_LIST=(ADDRESS=(PROTOCOL=tcp)(HOST=189.254.170.8)(PORT=38804))))
The command completed successfully
Usually service registration request will be sent back to re-send it through (HOST=189.254.170.8)(PORT=38804). To secure further, change node listener VNCR setting from SUBNET to LOCAL as node listeners need to be aware of services registered by only local instances.
Conclusion
VNCR from 11.2.0.4 on wards has simplified the way to secure remote service registration with the listeners. Different VNCR settings can be used to restrict the registering machines, but in case of RAC we need to ensure that Scan listeners are aware of all the services running in the RAC. So the best option would be to use LOCAL for node listeners and SUBNET for scan listeners, provided that each RAC clusters are having dedicated subnets assigned and are not shared/configured in any other servers. In 12c default configuration holds good for Scan listener and for Node listener if subnet is shared then its better to set VNCR at LOCAL level.
To monitor the services currently supported by listeners we can use undocumented view GV$LISTENER_NETWORK, this way we can find out whenever an malicious services gets register with listener.
SQL> select INST_ID,TYPE,VALUE from gv$listener_network;
INST_ID TYPE VALUE
------- --------------- --------------------------------------------------------------------------------------------------
1 LOCAL LISTENER (ADDRESS=(PROTOCOL=TCP)(HOST=10.250.7.21)(PORT=1521))
1 REMOTE LISTENER (DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=))(ADDRESS=(PROTOCOL=TCP)(HOST=10.250.7.11)(PORT=1521)))
1 REMOTE LISTENER (DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=))(ADDRESS=(PROTOCOL=TCP)(HOST=10.250.7.12)(PORT=1521)))
1 REMOTE LISTENER (DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=))(ADDRESS=(PROTOCOL=TCP)(HOST=10.250.7.13)(PORT=1521)))
1 SERVICE NAME labdb.world.com
1 SERVICE NAME labdb.world.com
1 SERVICE NAME labdb_DGB.world.com
1 SERVICE NAME study.world.com
2 LOCAL LISTENER (ADDRESS=(PROTOCOL=TCP)(HOST=10.250.7.22)(PORT=1521))
2 REMOTE LISTENER (DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=))(ADDRESS=(PROTOCOL=TCP)(HOST=10.250.7.11)(PORT=1521)))
2 REMOTE LISTENER (DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=))(ADDRESS=(PROTOCOL=TCP)(HOST=10.250.7.12)(PORT=1521)))
2 REMOTE LISTENER (DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=))(ADDRESS=(PROTOCOL=TCP)(HOST=10.250.7.13)(PORT=1521)))
2 SERVICE NAME labdb.world.com
2 SERVICE NAME labdb.world.com
2 SERVICE NAME labdb_DGB.world.com
2 SERVICE NAME study.world.com
Here REMOTE LISTENER is the Scan listener and LOCAL LISTENER is the Node listener existing in the RAC cluster. SERVICE NAME is the key to monitor the services currently registered with the listeners.
- Get link
- X
- Other Apps
Comments
Post a Comment
Oracle DBA Information