Oracle TNS Listener Security

About Oracle TNS Listener Security

Oracle E-Business Suite Architecture

the picture is described in the document text

Oracle clients communicate with the database using the Transparent Network Substrate (TNS) protocol. When the listener receives a connection request (tcp port 1521, by default), it starts up a new database process and establishes a connection between the client and the database. This chapter contains security recommendations for the database TNS listener.

Hardening

Hardening Operating Environment

Follow the hardening instructions for Operating Environment Security.

Network

Adding IP Restrictions / Enable Valid Node Checking

Valid Node Checking allows or denies access from specified IP addresses to Oracle services. Oracle recommends using an allowlist of IP addresses that are authorized to make a TCP connection to the database listener. To enable Valid Node Checking, set the following parameters in $TNS_ADMIN/sqlnet.ora:

tcp.validnode_ checking = YES
tcp.invited_nodes = ( x.x.x.x, hostname.domain, ... )

The first parameter turns on Valid Node Checking. The next parameter specify the IP addresses or host names that are permitted to make network connections to the database. Replace x.x.x.x with the application tiers' IP addresses. Application tier components include web servers, forms servers, concurrent managers, terminal servers, central administrator machines, and any remote monitoring tool that uses SQL*Net.

Note: The use of SQLNet desktop clients such as sqlplus , sqldeveloper, toad , or ADI from a windows desktop is not recommended on production databases. If implemented, the desktop cannot use DHCP (unless the DHCP server is configured with address reservation). Oracle recommends that only trusted servers be allowed to make direct database connections.

Additional Information: See also My Oracle Support Knowledge Document 2277369.1, Oracle E-Business Suite Support Implications for Discoverer 11gR1.

AutoConfig supports automated configuration of this setting. If the profile option "SQLNet Access" (FND_SQLNET_ACCESS) is set to "ALLOW_RESTRICTED" at the site level when AutoConfig is run on the database server, AutoConfig will add IP restrictions to sqlnet.ora. The list of host will be all those from the FND_NODES table that are registered as an Oracle E-Business Suite node.

For more information, refer to the "Technical Configuration" chapter of the Oracle E-Business Suite Setup Guide, Release 12.2.

The easiest way to verify this is to implement a manual check from a node not in the allowlist. You should not be able to connect (by using Telnet, for example) to the database listener port. When connecting through an untrusted node, it should look like this:

bash$ telnet ebs.example.com 1521
Trying 115.X.X.X... 
Connected to ebs.example.com 
Escape character is '^]`
Connection closed by foreign host.

Specifying Connection Timeout

In $TNS_ADMIN/listener.ora , set the following parameter:

CONNECT_TIMEOUT_$ORACLE_SID = 10

For example:

CONNECT_TIMEOUT_PRD12 = 10

Where PRD12 is the value of the ORACLE_SID in this example.

Use the parameter CONNECT_TIMEOUT to specify the amounts of time, in seconds, for the Oracle listener to wait for the connection from a client to complete.

Specifying Class of Secure Transport for Dynamic Registration

In 2012, Oracle issued a security alert to have customers configure the Dynamic Registration feature in the listener securely. Dynamic Registration is a feature that allows the database process PMON to register itself with a running database TNS listener. The Oracle E-Business Suite default installation uses static registration, meaning the databases for a listener are defined in listener.ora.

There is no "software fix" to be applied to resolve this issue. Customers are advised to use the "Class of Secure Transport" (COST) parameters to set up their listeners securely. The alert points to the following My Oracle Support Knowledge Documents:

The overall conclusion is that for single node databases forcing the secure registration to the IPC or TCP protocol will work whereas for multinode databases TCPS must be used. The TPCS configuration specifies SSL with use of server and client certificates.

Enabling Encryption of Network Traffic

Ensure that the TNS network traffic (SQL*Net traffic) in your Oracle E-Business Suite environment is not sent "in-the-clear" by enabling encryption of the TNS (aka SQL*Net) traffic.

Network encryption was formerly an optional database feature available at extra cost as part of the Advanced Security Option. It is now part of the Oracle Database Enterprise Edition and no additional license is required for Oracle E-Business Suite customers. As of Oracle E-Business Suite Release 12, the encryption functionality is also available in the client code. You can configure the database server to require encryption by performing the following steps:

  1. Add the following lines to the $TNS_ADMIN/sqlnet_ifile.ora in your database Oracle home:

    SQLNET.ENCRYPTION_TYPES_SERVER=(AES256,AES192,AES128)
    SQLNET.CRYPTO_SEED=<SEED>
    SQLNET.ENCRYPTION_SERVER=REQUIRED
    SQLNET.CRYPTO_CHECKSUM_SERVER=REQUIRED
    SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(SHA1)

    The value for SQLNET.CRYPTO_SEED for your deployment should be a random string up to 70 characters.

  2. Restart the database listener.

Authentication

Enabling TNS Listener Password (Only if Required)

For terminal releases of the 9i database series, setting a password for the listener was one of the most important hardening procedures. Setting a password prevented remote administration (shutdown) of the listener.

However starting with Oracle Database Release 10g, the listener password is no longer required as the listener implements OS-Authentication. This means that the OS user that owns the software installation can start and stop the listener without requiring an additional, listener-specific password. For these database releases, you should only set a password if remote admin access to the listener configuration is required.

If you decide to set a password for the listener, follow the instructions below or set the AutoConfig variable s_enable_listener_password to ON and run AutoConfig on the database server.

These instructions assume that the listener name is VIS12. The default listener name for oracle databases in general is "LISTENER" while for Oracle E-Business Suite databases it is set to the SID of the database.

  1. Start the listener control program:

    $ lsnrctl

  2. Set the current listener, then change the password.

    LSNRCTL> set current_listener VIS12
     Current Listener is VIS12
    LSNRCTL> change_password
     Old password:              -- just hit return
     New password:              -- new, secure password
     Reenter new password:      -- new, secure password
     Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=dbs01)(PORT=1541)))
     Password changed for VIS12
     The command completed successfully
    LSNRCTL> set password
     Password:
     The command completed successfully
    LSNRCTL> save_config
     Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=dbs01)(PORT=1541)))
     Saved DBLSNR configuration parameters.
     Listener Parameter File /x/db/tech_st/10.2.0/network/admin/VIS12_dbs01/listener.ora
    The command completed successfully

    This added the following lines to listener.ora:

    #----ADDED BY TNSLSNR 13-JAN-2007 11:47:56---
    PASSWORDS_VIS12 = D911537D50B15546
    #--------------------------------------------

To undo these steps:

  1. Stop the tnslsnr process (using lsnrctl or use ps to find the pid and kill to kill it).

  2. Edit listener.ora and remove the PASSWORDS_<listener> line.

  3. Restart the listener (using lsnrctl start).

Note, password protecting the TNS listener has the following effects:

Authorization

Enabling Admin Restrictions

You should configure the database listener with ADMIN_RESTRICTIONS set to ON. When ADMIN_RESTRICTIONS is ON, all the set commands in lsnrctl are disabled and the only way to change the configuration is to edit the listener.ora file.

In $TNS_ADMIN/listener.ora, set the following parameter:

ADMIN_RESTRICTIONS_<listener>=ON

For example:

ADMIN_RESTRICTIONS_VIS12=ON

where VIS12 is the name of the listener (equal to ORACLE_SID in Oracle E-Business Suite)

AutoConfig can set this if you set the AutoConfig variable s_admin_restrictions to ON and run AutoConfig on the database server.

Audit

Enabling TNS Listener Logging

To enable logging, in $TNS_ADMIN/listener.ora set the following parameters:

LOG_STATUS = ON

LOG_DIRECTORY_$ORACLE_SID = $TNS_ADMIN

LOG_FILE_$ORACLE_SID = $ORACLE_SID

For example:

LOG_STATUS = ON

LOG_DIRECTORY_VIS12 = /u/db/tech_st/10.2.0/network/admin/VIS12_dbs01

LOG_FILE_VIS12 = VIS12

Where VIS21 is the LISTENER_NAME.

This is done by default in Release 12.

Notice that newer database versions use the richer ADR log settings, this silently overrides/ignores the older LOG settings. See Oracle Database documentation for more details.