8 Oracle Net Listener Parameters in the listener.ora File

This chapter provides a complete listing of the listener.ora file configuration parameters.

8.1 Overview of Oracle Net Listener Configuration File

Oracle Net Listener configuration, stored in the listener.ora file, consists of these elements.

  • Name of the listener

  • Protocol addresses that the listener is accepting connection requests on

  • Valid nodes that the listener allows to register with the database

  • Database services

  • Control parameters

Dynamic service registration eliminates the need for static configuration of supported services. However, static service configuration is required if you plan to use Oracle Enterprise Manager Cloud Control. For information about static service configuration, see Oracle Database Net Services Administrator's Guide.

By default, the listener.ora file is located in the ORACLE_HOME/network/admin directory. You can also store the listener.ora in the following locations:

  • The directory specified by the TNS_ADMIN environment variable or registry value.

  • On Linux and UNIX operating systems, the global configuration directory. For example, on the Oracle Solaris operating system the directory is /var/opt/oracle. See Oracle Database Global Data Services Concepts and Administration Guide for information about managing global services, and refer to the Oracle operating system-specific documentation.

  • In the read-only Oracle home mode, the default location for the listener.ora file is ORACLE_BASE_HOME/network/admin. If the listener.ora file is not present in that directory, then the listener searches for it in the ORACLE_HOME/network/admin directory.

  • In the read-only Oracle home mode, the parameters are stored in the ORACLE_BASE_HOME location by default.

It is possible to configure multiple listeners, each with a unique name, in one listener.ora file. Multiple listener configurations are possible because each of the top-level configuration parameters has a suffix of the listener name or is the listener name itself.

Note:

  • It is often useful to configure multiple listeners in one listener.ora file. However, Oracle recommends running only one listener for each node in most customer environments.

  • Oracle Net Services supports the IFILE parameter in the listener.ora file, with up to three levels of nesting. The parameter is added manually to the file. The following is an example of the syntax:

    IFILE=/tmp/listener_em.ora
    IFILE=/tmp/listener_cust1.ora
    IFILE=/tmp/listener_cust2.ora 
    

    Refer to Oracle Database Reference for additional information.

The following example shows a listener.ora file for a listener named LISTENER, which is the default name of the listener.

Example 8-1 listener.ora File

LISTENER=
  (DESCRIPTION=
    (ADDRESS_LIST=
      (ADDRESS=(PROTOCOL=tcp)(HOST=sale-server)(PORT=1521))
      (ADDRESS=(PROTOCOL=ipc)(KEY=extproc))))

8.2 Protocol Address Parameters

The protocol address section of the listener.ora file defines the protocol addresses on which the listener is accepting connection requests. This section describes the most common parameters used in protocol addresses. The ADDRESS_LIST parameter is also supported.

This section lists and describes the following parameters:

8.2.1 ADDRESS

The ADDRESS networking parameter of the listener.ora file specifies one protocol address under the DESCRIPTION parameter of a listener.

Purpose

Specifies a single listener protocol address in the DESCRIPTION parameter

Usage Notes

Use this parameter to define the protocol, the host, and the port number for the listener.

Example

listener_name=
 (DESCRIPTION=
  (ADDRESS_LIST=
   (ADDRESS=(PROTOCOL=tcp)(HOST=hr-server)(PORT=1521))
   (ADDRESS=(PROTOCOL=tcp)(HOST=sales-server)(PORT=1521))))

8.2.2 DESCRIPTION

The DESCRIPTION networking parameter of the listener.ora file contains the listener protocol addresses.

Purpose

To contain listener protocol addresses.

Example 8-2 Example

listener_name=
  (DESCRIPTION=
    (ADDRESS_LIST=
      (ADDRESS=(PROTOCOL=tcp)(HOST=hr-server)(PORT=1521))
      (ADDRESS=(PROTOCOL=tcp)(HOST=sales-server)(PORT=1521))))
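The file structure described in 8.1 and 8.2 (top-level entries, listener-name suffixes on control parameters, and nested (KEY=value) protocol addresses) worked through in code. This is an added example written for this page, not Oracle's own parser or any Oracle tool: it reads the NV syntax into Python structures, lists every endpoint of each listener, and looks up a suffixed control parameter. It assumes that # starts a comment, does not follow IFILE includes, and runs on the constructed sample file embedded in the block.

```python
"""Minimal parser for the Oracle Net NV (name-value) syntax used by listener.ora.

Added example, not Oracle code. It understands the nested parenthesised
(KEY=value) form, '#' comments, and the top-level NAME= / PARAM_listenername=
conventions described in this chapter. It does not follow IFILE includes.
"""

SAMPLE = """\
# Constructed sample listener.ora (not from a real system): two listeners
# plus two suffixed control parameters for the first one.
LISTENER=
  (DESCRIPTION=
    (ADDRESS_LIST=
      (ADDRESS=(PROTOCOL=tcp)(HOST=sale-server)(PORT=1521))
      (ADDRESS=(PROTOCOL=ipc)(KEY=extproc))))
LISTENER2=
  (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=sale-server)(PORT=1522)(QUEUESIZE=20)))
ADMIN_RESTRICTIONS_LISTENER=on
INBOUND_CONNECT_TIMEOUT_LISTENER=3
"""


def _strip_comments(text):
    """Drop everything after '#' on each line (listener.ora comment syntax)."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def _skip_ws(s, i):
    while i < len(s) and s[i].isspace():
        i += 1
    return i


def _parse_value(s, i):
    """Parse the value starting at s[i]: a run of '(KEY=value)' groups or a scalar.

    A group is returned as a list of (key, value) pairs rather than a dict so
    that repeated keys, such as several ADDRESS entries, are all kept.
    """
    i = _skip_ws(s, i)
    if i < len(s) and s[i] == "(":
        pairs = []
        while i < len(s) and s[i] == "(":
            eq = s.index("=", i)
            key = s[i + 1:eq].strip().upper()
            val, i = _parse_value(s, eq + 1)
            i = _skip_ws(s, i)
            if i >= len(s) or s[i] != ")":
                raise ValueError("unbalanced parentheses near %r" % s[i:i + 30])
            pairs.append((key, val))
            i = _skip_ws(s, i + 1)
        return pairs, i
    j = i
    while j < len(s) and s[j] not in ")\n":   # a scalar runs to ')' or end of line
        j += 1
    return s[i:j].strip(), j


def parse_listener_ora(text):
    """Return {TOP_LEVEL_NAME: value} for every entry in the file, in file order."""
    s = _strip_comments(text)
    cfg, i = {}, _skip_ws(s, 0)
    while i < len(s):
        eq = s.index("=", i)
        name = s[i:eq].strip().upper()
        cfg[name], i = _parse_value(s, eq + 1)
        i = _skip_ws(s, i)
    return cfg


def listener_names(cfg):
    """Top-level entries whose value is a group holding a DESCRIPTION,
    DESCRIPTION_LIST, ADDRESS_LIST or ADDRESS are listener definitions."""
    return [name for name, val in cfg.items()
            if isinstance(val, list)
            and any(k in ("DESCRIPTION", "DESCRIPTION_LIST", "ADDRESS_LIST", "ADDRESS")
                    for k, _ in val)]


def endpoints(cfg, listener):
    """Flatten every ADDRESS under a listener into a dict, whatever the nesting."""
    found = []

    def walk(pairs):
        for key, val in pairs:
            if key == "ADDRESS" and isinstance(val, list):
                found.append(dict(val))
            elif isinstance(val, list):
                walk(val)

    walk(cfg[listener.upper()])
    return found


def control_param(cfg, base, listener):
    """Look up a listener-suffixed parameter, e.g. ADMIN_RESTRICTIONS_LISTENER."""
    return cfg.get("%s_%s" % (base.upper(), listener.upper()))


if __name__ == "__main__":
    cfg = parse_listener_ora(SAMPLE)
    for name in listener_names(cfg):
        print(name, "ADMIN_RESTRICTIONS =", control_param(cfg, "ADMIN_RESTRICTIONS", name))
        for ep in endpoints(cfg, name):
            print("   ", ep)
```

The same walk over the parsed structure is what a review script would use to enumerate which interfaces and ports a host actually exposes, and to pair each listener with its own suffixed control parameters rather than assuming every listener in the file is configured alike.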

8.2.3 Firewall

Purpose

Set this parameter in an endpoint (protocol address) to enable firewall functionality on that endpoint.

8.2.4 IP

The IP protocol address parameter determines which IP address the listener listens on when a host name is specified.

Purpose

To determine which IP address the listener listens on when a host name is specified.

Usage Notes

This parameter is only applicable when the HOST parameter specifies a host name.

Values

  • first

    Listen on the first IP address returned by the DNS resolution of the host name. To have the listener listen on the first IP address to which the specified host name resolves, qualify the address with (IP=first).

  • v4_only

    Listen only on IPv4 addresses.

  • v6_only

    Listen only on IPv6 addresses.

Default

This feature is disabled by default.

Example

listener_name=
 (DESCRIPTION=
  (ADDRESS=(PROTOCOL=tcp)(HOST=rancode1-vip)(PORT=1522)(IP=v6_only)))

8.2.5 QUEUESIZE

Purpose

To specify the number of concurrent connection requests that the listener can accept on a TCP/IP or IPC listening endpoint (protocol address).

Usage Notes

The number of concurrent connection requests depends on the platform and the listener usage scenario. If the listener is heavily loaded, then set the parameter to a higher number.

Put this parameter at the end of the protocol address with its value set to the expected number of concurrent connection requests.

Default

The default number of concurrent connection requests is operating system specific.

Example

listener_name=
 (DESCRIPTION=
  (ADDRESS=(PROTOCOL=tcp)(HOST=hr-server)(PORT=1521)(QUEUESIZE=20)))

See Also:

Oracle Database Net Services Administrator's Guide for additional information about configuring this parameter

8.2.6 RECV_BUF_SIZE

Use the RECV_BUF_SIZE parameter to specify buffer space for session receive operations.

Purpose

To specify, in bytes, the buffer space for receive operations of sessions.

Usage Notes

Put this parameter under the DESCRIPTION parameter or at the end of the protocol address with its value set to the expected number of bytes.

This parameter is supported by the TCP/IP, TCP/IP with TLS, and SDP protocols.

Note:

Additional protocols might support this parameter on certain operating systems. Refer to the operating system-specific documentation for information about additional protocols that support this parameter.

Default

The default value for this parameter is operating system specific. The default for the Linux operating system is 87380 bytes.

Example

listener_name=
  (DESCRIPTION=
    (ADDRESS_LIST=
      (ADDRESS=(PROTOCOL=tcp)(HOST=sales-server)(PORT=1521)
        (RECV_BUF_SIZE=11784))
      (ADDRESS=(PROTOCOL=ipc)(KEY=extproc)
        (RECV_BUF_SIZE=11784))))
listener_name=
  (DESCRIPTION=
    (RECV_BUF_SIZE=11784)
    (ADDRESS_LIST=
      (ADDRESS=(PROTOCOL=tcp)(HOST=sales-server)(PORT=1521))
      (ADDRESS=(PROTOCOL=ipc)(KEY=extproc))))

8.2.7 SEND_BUF_SIZE

Use the SEND_BUF_SIZE parameter to specify buffer space for session send operations.

Purpose

To specify, in bytes, the buffer space for send operations of sessions.

Usage Notes

Put this parameter under the DESCRIPTION parameter or at the end of the protocol address.

This parameter is supported by the TCP/IP, TCP/IP with TLS, and SDP protocols.

Note:

Additional protocols might support this parameter on certain operating systems. Refer to operating system-specific documentation for additional information about additional protocols that support this parameter.

Default

The default value for this parameter is operating system specific. The default for the Linux operating system is 16 KB.

Example

listener_name=
  (DESCRIPTION=
    (ADDRESS_LIST=
      (ADDRESS=(PROTOCOL=tcp)(HOST=sales-server)(PORT=1521)
       (SEND_BUF_SIZE=11280))
      (ADDRESS=(PROTOCOL=ipc)(KEY=extproc)
       (SEND_BUF_SIZE=11280))))
listener_name=
  (DESCRIPTION=
    (SEND_BUF_SIZE=11280)
    (ADDRESS_LIST=
      (ADDRESS=(PROTOCOL=tcp)(HOST=sales-server)(PORT=1521))
      (ADDRESS=(PROTOCOL=ipc)(KEY=extproc))))

8.3 Connection Rate Limiter Parameters

The connection rate limiter feature in Oracle Net Listener enables a database administrator to limit the number of new connections handled by the listener. When this feature is enabled, Oracle Net Listener imposes a user-specified maximum limit on the number of new connections handled by the listener every second. Depending on the configuration, the rate can be applied to a collection of endpoints, or to a specific endpoint.

This feature is controlled through the following listener.ora configuration parameters:

8.3.1 CONNECTION_RATE_listener_name

The CONNECTION_RATE_listener_name configuration parameter of the listener.ora file specifies a global rate that is enforced across all listening endpoints that are rate-limited.

Purpose

To specify a global rate that is enforced across all listening endpoints that are rate-limited.

Usage Notes

When this parameter is specified, it overrides any endpoint-level numeric rate values that might be specified.

Syntax

CONNECTION_RATE_listener_name=number_of_connections_per_second

8.3.2 RATE_LIMIT

The RATE_LIMIT configuration parameter of the listener.ora file indicates that a particular listening endpoint is rate-limited.

Purpose

To indicate that a particular listening endpoint is rate-limited.

Usage Notes

The parameter is specified in the ADDRESS section of the listener endpoint configuration.

Syntax

LISTENER=
   (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521)(RATE_LIMIT=yes))

  • When the RATE_LIMIT parameter is set to yes for an endpoint, that endpoint is included in the enforcement of the global rate configured by the CONNECTION_RATE_listener_name parameter. The global rate limit is enforced individually at each endpoint that has RATE_LIMIT set to yes.

  • Dynamic endpoints for listeners managed by Oracle Clusterware have the RATE_LIMIT parameter set to yes.

  • When the RATE_LIMIT parameter is set to a value greater than 0, then the rate limit is enforced at that endpoint level.

Examples

The following examples use the CONNECTION_RATE_listener_name and RATE_LIMIT parameters.

Example 1

CONNECTION_RATE_LISTENER=10

LISTENER= 
  (ADDRESS_LIST=
   (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521)(RATE_LIMIT=yes))
   (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1522)(RATE_LIMIT=yes))
   (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1523)))

In the preceding example, the global rate of new connections is enforced separately for each endpoint. Connections through port 1521 are limited at 10 every second, and the connections through port 1522 are also separately limited at 10 every second. Connections through port 1523 are not limited.

Example 2

LISTENER=
  (ADDRESS_LIST=
   (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521)(RATE_LIMIT=5))
   (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1522)(RATE_LIMIT=10))
   (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1523)))

In the preceding example, the connection rates are enforced at the endpoint level. A maximum of 5 connections are processed through port 1521 every second. The limit for connections through port 1522 is 10 every second. Connections through port 1523 are not limited.

Note:

The global CONNECTION_RATE_listener_name parameter is not specified in the preceding configuration. If it is specified, then the limits on ports 1521 and 1522 are ignored, and the global value is used instead.
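The precedence rules of this section (a global CONNECTION_RATE_listener_name overriding numeric RATE_LIMIT values; endpoints without RATE_LIMIT never limited) worked through in code, together with a per-second admission counter that shows what "10 every second, enforced separately per endpoint" means for a burst of connect requests. This is an added example, not the listener's implementation: the endpoint dicts mirror Examples 1 and 2 and are constructed, the counter is a model of the documented behaviour, and treating RATE_LIMIT=yes with no global rate (and values such as no, off or 0) as unlimited is an assumption the chapter does not state.

```python
"""Effective connection rate per endpoint under the rules of section 8.3, plus a
per-second admission model. Added example, not the listener's implementation."""
import math

# Constructed endpoint dicts, one per ADDRESS entry, mirroring Example 1 and 2.
EXAMPLE_1 = [
    {"PROTOCOL": "tcp", "HOST": "", "PORT": "1521", "RATE_LIMIT": "yes"},
    {"PROTOCOL": "tcp", "HOST": "", "PORT": "1522", "RATE_LIMIT": "yes"},
    {"PROTOCOL": "tcp", "HOST": "", "PORT": "1523"},
]
EXAMPLE_2 = [
    {"PROTOCOL": "tcp", "HOST": "", "PORT": "1521", "RATE_LIMIT": "5"},
    {"PROTOCOL": "tcp", "HOST": "", "PORT": "1522", "RATE_LIMIT": "10"},
    {"PROTOCOL": "tcp", "HOST": "", "PORT": "1523"},
]


def effective_rate_limits(endpoints, global_rate=None):
    """Map each endpoint's PORT to its new-connections-per-second limit (None = unlimited).

    * global_rate is CONNECTION_RATE_listener_name. When set, it overrides any
      numeric RATE_LIMIT and is enforced separately at every endpoint that has
      RATE_LIMIT set (to yes or to a number).
    * Without a global rate, RATE_LIMIT=n (n > 0) limits that endpoint to n per second.
    * Endpoints with no RATE_LIMIT are never limited.
    Assumption (not stated in the chapter): RATE_LIMIT=yes with no global rate,
    and the values no/off/0, are treated as unlimited.
    """
    limits = {}
    for ep in endpoints:
        port = ep["PORT"]
        raw = (ep.get("RATE_LIMIT") or "").strip().lower()
        if raw in ("", "no", "off", "0"):          # not a rate-limited endpoint
            limits[port] = None
        elif global_rate is not None:              # global rate wins over any numeric value
            limits[port] = int(global_rate)
        elif raw.isdigit():                        # endpoint-level numeric rate
            limits[port] = int(raw)
        else:                                      # "yes" but no global rate: assumed unlimited
            limits[port] = None
    return limits


class ConnectionRateEnforcer:
    """Per-endpoint, per-second admission counter: accepts at most `limit` new
    connections on an endpoint within any one wall-clock second. This models
    the documented behaviour; it is not the listener's actual algorithm."""

    def __init__(self, limits):
        self.limits = limits
        self.window = {}            # port -> [second, accepted_in_that_second]

    def admit(self, port, now):
        """Return True if a connection arriving at time `now` (seconds) is admitted."""
        limit = self.limits.get(port)
        if limit is None:
            return True
        second = math.floor(now)
        state = self.window.setdefault(port, [second, 0])
        if state[0] != second:      # a new second starts: reset the counter
            state[0], state[1] = second, 0
        if state[1] >= limit:
            return False
        state[1] += 1
        return True


def simulate(limits, attempts):
    """Run time-ordered (port, time) attempts; return {port: (accepted, rejected)}."""
    enforcer = ConnectionRateEnforcer(limits)
    tally = {}
    for port, t in attempts:
        acc, rej = tally.get(port, (0, 0))
        if enforcer.admit(port, t):
            acc += 1
        else:
            rej += 1
        tally[port] = (acc, rej)
    return tally


if __name__ == "__main__":
    print("Example 1, CONNECTION_RATE_LISTENER=10:", effective_rate_limits(EXAMPLE_1, 10))
    print("Example 2, no global rate:            ", effective_rate_limits(EXAMPLE_2))
    burst = [("1521", 0.2)] * 7 + [("1521", 1.5)] * 3 + [("1523", 0.3)] * 50
    print("burst against Example 2:", simulate(effective_rate_limits(EXAMPLE_2), burst))
```

The point of the simulation is the asymmetry it makes visible: a connect flood against the unlimited port 1523 is admitted in full, so a rate limit on some endpoints only protects the listener if every externally reachable endpoint carries RATE_LIMIT.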

8.4 Control Parameters

This section describes the following parameters that control the behavior of the listener:

8.4.1 ADMIN_RESTRICTIONS_listener_name

The listener.ora control parameter ADMIN_RESTRICTIONS_listener_name restricts runtime administration of the listener.

Purpose

To restrict runtime administration of the listener.

Usage Notes

Setting ADMIN_RESTRICTIONS_listener_name=on disables the runtime modification of parameters in listener.ora. That is, the listener refuses to accept SET commands that alter its parameters. To change any of the parameters in listener.ora, including ADMIN_RESTRICTIONS_listener_name itself, modify the listener.ora file manually and reload its parameters using the RELOAD command for the new changes to take effect without explicitly stopping and restarting the listener.

Default

off

Example

ADMIN_RESTRICTIONS_listener=on

8.4.2 ALLOW_MULTIPLE_REDIRECTS_listener_name

The listener.ora control parameter ALLOW_MULTIPLE_REDIRECTS_listener_name enables multiple redirects of the client.

Purpose

To support multiple redirects of the client.

Usage Notes

This parameter should be set only on the SCAN listener on the Oracle Public Cloud. When set to on, multiple redirects of the client are allowed.

Do not set this parameter on a node listener that is used as a SCAN listener.

Default

off

Values

on | off

Example

ALLOW_MULTIPLE_REDIRECTS_listener=on

8.4.3 CRS_NOTIFICATION_listener_name

The CRS_NOTIFICATION_listener_name control parameter of the listener.ora file controls whether the listener notifies Cluster Ready Services (CRS), which allows CRS to manage the listener in an Oracle Real Application Clusters environment.

Purpose

To control whether the listener notifies CRS when it is started or stopped.

Usage Notes

By default, the Oracle Net listener notifies Cluster Ready Services (CRS) when it is started or stopped. These notifications allow CRS to manage the listener in an Oracle Real Application Clusters environment. This behavior can be prevented by setting the CRS_NOTIFICATION_listener_name parameter to off.

Default

on

Values

on | off

8.4.4 DEDICATED_THROUGH_BROKER_LISTENER

The DEDICATED_THROUGH_BROKER_LISTENER networking parameter of the listener.ora file enables the server to spawn a thread or process when a connection to the database is requested through the listener.

Purpose

To enable the server to spawn a thread or process when a connection to the database is requested through the listener.

Default

off

Values

on | off


8.4.5 DEFAULT_SERVICE_listener_name

The DEFAULT_SERVICE_listener_name control parameter of the listener.ora file enables users to connect to the database without having to specify a service name from the client side.

Purpose

To enable users to connect to the database without having to specify a service name from the client side.

Usage Notes

When a client tries to connect to the database, the connection request passes through the listener, which may be servicing several different databases. If a service name is configured in this parameter, then users do not necessarily need to specify a service name in the connect syntax. If a user specifies a service name, then the listener connects the user to that specific database; otherwise the listener connects the user to the service name specified by the DEFAULT_SERVICE_listener_name parameter. For container databases, the client must explicitly specify the service name.

Default

There is no default value for the DEFAULT_SERVICE_listener_name parameter. If this parameter is not configured and a user does not specify a fully-qualified service name in the connect syntax, then the connection attempt fails. This parameter only accepts one value.

Example 8-4 Example

DEFAULT_SERVICE_listener=sales.us.example.com

8.4.6 ENABLE_EXADIRECT_listener_name

Purpose

To enable the Exadirect protocol.

Usage Notes

The parameter enables Exadirect support.

Default

Off

Values

on | off

Example 8-5 Example

ENABLE_EXADIRECT_listener=on

8.4.7 INBOUND_CONNECT_TIMEOUT_listener_name

Purpose

To specify the time, in seconds, for the client to complete its connect request to the listener after the network connection has been established.

Usage Notes

If the listener does not receive the client request in the time specified, then it terminates the connection. In addition, the listener logs the IP address of the client and an ORA-12525: TNS:listener has not received client's request in time allowed error message to the listener.log file.

To protect both the listener and the database server, Oracle recommends setting this parameter in combination with the SQLNET.INBOUND_CONNECT_TIMEOUT parameter in the sqlnet.ora file. When specifying values for these parameters, consider the following recommendations:

  • Set both parameters to an initial low value.

  • Set the value of the INBOUND_CONNECT_TIMEOUT_listener_name parameter to a lower value than the SQLNET.INBOUND_CONNECT_TIMEOUT parameter.

For example, you can set the INBOUND_CONNECT_TIMEOUT_listener_name parameter to 2 seconds and the SQLNET.INBOUND_CONNECT_TIMEOUT parameter to 3 seconds. If clients are unable to complete connections within the specified time due to system or network delays that are normal for the particular environment, then increase the time as needed.

Default

60 seconds

Example

INBOUND_CONNECT_TIMEOUT_listener=2

8.4.8 LOCAL_REGISTRATION_ADDRESS_listener_name

Purpose

To secure registration requests through dedicated secure registration endpoints for local listeners. The listener accepts service ACLs only if LOCAL_REGISTRATION_ADDRESS_listener_name is configured. The parameter specifies the group that is allowed to send ACLs.

Usage Notes

The local registration endpoint accepts local registration connections from the specified group. All local registration requests coming on normal listening endpoints are redirected to the local registration endpoint. If the registrar is not a part of the group, then it cannot connect to the endpoint.

Default

OFF

Values

ON, OFF, or IPC endpoint address with group

When set to ON, the listener defaults the group to oinstall on UNIX and ORA_INSTALL on Windows.

Example 8-6 Example

LOCAL_REGISTRATION_ADDRESS_lsnr_alias=(address=(protocol=ipc)(group=xyz))

LOCAL_REGISTRATION_ADDRESS_lsnr_alias=ON


8.4.9 MAX_ALL_CONNECTIONS_listener_name

Use the MAX_ALL_CONNECTIONS_listener_name parameter to specify the maximum number of concurrent registration and client connection sessions.

Purpose

To specify the maximum number of concurrent registration and client connection sessions that can be supported by Oracle Net Listener.

Usage Notes

This number includes registration connections from databases, and ongoing client connection establishment requests. After a connection is established, the clients do not maintain a connection to the listener. This limit only applies to client connections that are in the initial connection establishment phase from a listener perspective.

Default

4096

Example

MAX_ALL_CONNECTIONS_listener=4096

8.4.10 MAX_REG_CONNECTIONS_listener_name

Use the MAX_REG_CONNECTIONS_listener_name parameter to specify the maximum number of concurrent registration connection sessions.

Purpose

To specify the maximum number of concurrent registration connection sessions that can be supported by Oracle Net Listener.

Default

512

Example

MAX_REG_CONNECTIONS_listener=2048

8.4.11 REGISTRATION_EXCLUDED_NODES_listener_name

Purpose

To specify the list of nodes that cannot register with the listener.

Usage Notes

The list can include host names or CIDR notation for IPv4 and IPv6 addresses. The wildcard format (*) is supported for IPv4 addresses. The presence of a host name in the list results in the inclusion of all IP addresses mapped to the host name. The host name should be consistent with the public network interface.

If the REGISTRATION_INVITED_NODES_listener_name parameter and the REGISTRATION_EXCLUDED_NODES_listener_name parameter are set, then the REGISTRATION_EXCLUDED_NODES_listener_name parameter is ignored.

Values

Valid nodes and subnet IP addresses or names.

Example

REGISTRATION_EXCLUDED_NODES_listener = (10.1.26.*, 10.16.40.0/24, \
                                       2001:DB8:3eff:fe38, node2)

8.4.12 REGISTRATION_INVITED_NODES_listener_name

Purpose

To specify the list of nodes that can register with the listener.

Usage Notes

  • The list can include host names or CIDR notation for IPv4 and IPv6 addresses. The wildcard format (*) is supported for IPv4 addresses. The presence of a host name in the list results in the inclusion of all IP addresses mapped to the host name. The host name should be consistent with the public network interface.

  • If the REGISTRATION_INVITED_NODES_listener_name parameter and the REGISTRATION_EXCLUDED_NODES_listener_name parameter are set, then the REGISTRATION_EXCLUDED_NODES_listener_name parameter is ignored.

  • Starting with Oracle Grid Infrastructure 12c, for a SCAN listener, if the VALID_NODE_CHECKING_REGISTRATION_listener_name and REGISTRATION_INVITED_NODES_listener_name parameters are set in the listener.ora file, then the listener agent overwrites these parameters.

Values

Valid nodes and subnet IP addresses or names.

Example

REGISTRATION_INVITED_NODES_listener = (10.1.35.*, 10.1.34.0/24, \
                                      2001:DB8:fe38:7303, node1)

See Also:

Oracle Real Application Clusters Administration and Deployment Guide for information about valid node checking for registration
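The valid-node check of 8.4.11 and 8.4.12 worked through in code: matching a registrant's source address against host names, IPv4 wildcards and IPv4/IPv6 CIDR entries, with the documented precedence (an invited list, when present, is the allow-list and the excluded list is ignored). This is an added example, not Oracle's implementation. Host names are resolved through a constructed table instead of DNS so that it runs offline, and the behaviour with neither list configured (accept everything here) is a simplification, since on a real listener that case is governed by VALID_NODE_CHECKING_REGISTRATION_listener_name, which this chapter only mentions.

```python
"""Valid-node checking for registration, modelled on sections 8.4.11 and 8.4.12.

Added example, not Oracle's implementation. It evaluates a registrant's source
address against list entries in the forms the chapter names: host names,
IPv4 wildcards (10.1.26.*) and CIDR blocks for IPv4 and IPv6. Host names are
resolved through a constructed table instead of DNS so the example runs offline.
"""
import ipaddress

# Constructed name -> addresses table standing in for DNS.
HOSTS = {
    "node1": ["10.1.35.7", "2001:db8:1::7"],
    "node2": ["192.0.2.9"],
}


def parse_node_list(raw):
    """Split a listener.ora node list such as '(10.1.35.*, 10.1.34.0/24, node1)'
    into entries, dropping the backslash line continuations the examples use."""
    raw = raw.replace("\\", "").strip().strip("()")
    return [e.strip() for e in raw.split(",") if e.strip()]


def entry_matches(entry, addr):
    """True if one list entry covers the ipaddress object addr."""
    if "*" in entry:                              # IPv4 wildcard such as 10.1.26.*
        if addr.version != 4:
            return False
        parts = entry.split(".")
        return len(parts) == 4 and all(
            p == "*" or p == o for p, o in zip(parts, str(addr).split(".")))
    try:
        net = ipaddress.ip_network(entry, strict=False)  # CIDR block or single address
    except ValueError:                            # not an address: treat as a host name
        return any(ipaddress.ip_address(ip) == addr for ip in HOSTS.get(entry.lower(), []))
    return net.version == addr.version and addr in net


def registration_allowed(source_ip, invited=None, excluded=None):
    """Decide whether a registration from source_ip is accepted.

    Precedence from the chapter: when REGISTRATION_INVITED_NODES is set it is
    the allow-list and REGISTRATION_EXCLUDED_NODES is ignored; otherwise the
    excluded list acts as a deny-list. With neither list this model accepts
    everything (simplification; the real listener then follows
    VALID_NODE_CHECKING_REGISTRATION_listener_name, outside this example).
    """
    addr = ipaddress.ip_address(source_ip)
    if invited:
        return any(entry_matches(e, addr) for e in parse_node_list(invited))
    if excluded:
        return not any(entry_matches(e, addr) for e in parse_node_list(excluded))
    return True


if __name__ == "__main__":
    INVITED = "(10.1.35.*, 10.1.34.0/24, 2001:db8:fe38::/48, node1)"
    EXCLUDED = "(10.1.26.*, 10.16.40.0/24, node2)"
    for ip in ("10.1.35.200", "10.1.36.1", "2001:db8:1::7"):
        print(ip, "invited-only:", registration_allowed(ip, invited=INVITED))
    for ip in ("10.1.26.77", "192.0.2.9", "10.16.41.1"):
        print(ip, "excluded-only:", registration_allowed(ip, excluded=EXCLUDED))
```

Two consequences worth testing on a real configuration follow from the precedence rule: an address that appears in both lists is accepted, because the excluded list is ignored once an invited list exists, and a host name entry is only as trustworthy as the resolver that maps it to addresses, which is why the chapter asks that the name be consistent with the public network interface.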

8.4.13 REMOTE_REGISTRATION_ADDRESS_listener_name

Purpose

To secure registration requests through dedicated secure registration endpoints for SCAN listeners.

Usage Notes

The registration endpoint is on a private network within the cluster. All remote registration requests coming in on normal listening endpoints are redirected to the registration endpoint. Any system which is not a part of the cluster cannot connect to the endpoint. This feature is not supported when ADMIN_RESTRICTIONS_listener_name is set to ON as the Cluster Ready Services agent configures the remote_registration_address dynamically at run time.

Default

This parameter is configured internally in listeners managed by Oracle Clusterware to restrict registrations to the private network. The value of this parameter should not be modified or specified explicitly. The only supported explicit setting is for turning this feature off by setting the value to OFF.

Values

off

Example

REMOTE_REGISTRATION_ADDRESS_listener=off

8.4.14 SAVE_CONFIG_ON_STOP_listener_name

Purpose

To specify whether runtime configuration changes are saved to the listener.ora file.

Usage Notes

When you set the parameter to true, any parameters that were modified while the listener was running using the Listener Control utility SET command are saved to the listener.ora file when the STOP command is issued. When you set the parameter to false, the Listener Control utility does not save the runtime configuration changes to the listener.ora file.

Default

false

Values

true | false

Example

SAVE_CONFIG_ON_STOP_listener=true

8.4.15 SERVICE_RATE_listener_name

The SERVICE_RATE_listener_name control parameter specifies the incoming connection rate that is allowed per service for an instance.

Purpose

To specify the incoming connection rate that is allowed per service for an instance.

Usage Notes

Any user-specified value greater than 0 sets the maximum number of new connections per service-instance that the proxy listener handles every second. The listener rejects connections once this limit is reached, and the client-side connection failure is reported with the "TNS:listener: rate limit reached" error.

Default

0

Example 8-7 Example

SERVICE_RATE_listener=10

8.4.16 SSL_CIPHER_SUITES

Use the SSL_CIPHER_SUITES parameter to control the combination of authentication, encryption, and data integrity algorithms used by Transport Layer Security (TLS).

Purpose

To control the combination of authentication, encryption, and data integrity algorithms used by TLS. By default, the strongest protocol and cipher are negotiated between the database client and server. Setting this parameter overrides the default behavior. Use this parameter only if you have internal security controls that dictate the use of specific cipher suites.

Usage Notes

Starting with Oracle Database 23ai, Transport Layer Security protocol versions 1.0 and 1.1 are desupported.

In most cases, this change will not have any impact, because the database client and server will negotiate the use of the most secure protocol and cipher algorithm. However, if TLS 1.0 or 1.1 has been specified, then you must either remove it to allow the database server and client to pick the most secure protocol, or you must specify either TLS 1.2, or TLS 1.3, or both, for the protocol. Oracle recommends using the latest, most secure protocol. That protocol is TLS 1.3, which is introduced with Oracle Database 23ai.

Enclose the SSL_CIPHER_SUITES parameter value in parentheses. Otherwise, the cipher suite setting does not parse correctly.

Default

None

Values

Approved ciphers compatible with TLS 1.3:
  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256 (non-FIPS only)

  • TLS_AES_128_CCM_SHA256

  • TLS_AES_128_GCM_SHA256

Approved ciphers compatible with TLS 1.2:
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

Deprecated ciphers compatible with TLS 1.2:
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

  • TLS_RSA_WITH_AES_256_GCM_SHA384

  • TLS_RSA_WITH_AES_256_CBC_SHA256

  • TLS_RSA_WITH_AES_256_CBC_SHA

  • TLS_RSA_WITH_AES_128_GCM_SHA256

  • TLS_RSA_WITH_AES_128_CBC_SHA256

  • TLS_RSA_WITH_AES_128_CBC_SHA

  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Examples

SSL_CIPHER_SUITES=(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
SSL_CIPHER_SUITES=(TLS_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)

8.4.17 SSL_CLIENT_AUTHENTICATION

Use the SSL_CLIENT_AUTHENTICATION parameter to specify whether the database client is authenticated using Transport Layer Security (TLS).

Purpose

To enable client authentication in a TLS connection. The connection can be one-way or two-way (mutual TLS or mTLS).

Usage Notes

When set to TRUE, a two-way TLS connection is initiated. Both the client and server (including the listener) authenticate each other. For example, if you set this parameter to TRUE in the server configuration (server-side sqlnet.ora), then the server attempts to authenticate the client. If you set it to TRUE in the listener configuration (listener.ora), then the listener attempts to authenticate the client.

When set to FALSE, only the client authenticates the server and listener as a one-way TLS connection. For example, if you set this parameter to FALSE in the server configuration, then the server does not authenticate the client. If you set it to FALSE in the listener configuration, then the listener does not authenticate the client.

When set to OPTIONAL, the server behaves as follows:
  • If the client sends a certificate, then the connection is completed as a two-way TLS connection after authenticating the client.

  • If the client does not send a certificate, then the connection is completed as a one-way TLS connection.

Ensure that this parameter setting is consistent for the server or listener (on one side) and the client (on the other). Otherwise, the connection may fail. For example, if you enable client authentication in the server or listener configuration, then you must enable it in the client configuration.

Default

TRUE

Values

  • TRUE | ON | YES | 1: To enable mTLS

  • FALSE | OFF | NO | 0: To enable one-way TLS

  • OPTIONAL: To enable both TLS and mTLS

Example

SSL_CLIENT_AUTHENTICATION=FALSE

8.4.18 SSL_DISABLE_WEAK_EC_CURVES

Use the SSL_DISABLE_WEAK_EC_CURVES parameter to disable the use of weak Elliptic Curve Cryptography (ECC) curves.

Purpose

To disable the use of weak ECC curves with key length less than 256 bits. You can set this parameter in the database server (sqlnet.ora), client (sqlnet.ora or tnsnames.ora connect string), or the listener (listener.ora).

Usage Notes

By default, this parameter is set to FALSE to enable the use of all ECC curves. If you want to enable the use of only Oracle approved curves with ECC curve key size of 256 bits or higher, then set this parameter to TRUE.

When set to TRUE, you can use only the following ECC curves:
  • secp256r1

  • secp384r1

  • secp521r1

  • x25519

  • x448

Values

  • TRUE | ON | YES | 1: To enable only the Oracle approved ECC curves with minimum ECC curve key length of 256 bits

  • FALSE | OFF | NO | 0: To enable all ECC curves

Default

FALSE

Examples

  • In the tnsnames.ora file:

    net_service_name= 
      (DESCRIPTION=
        (ADDRESS=(PROTOCOL=tcps)(HOST=sales-svr)(PORT=1521)) 
        (SECURITY=(SSL_DISABLE_WEAK_EC_CURVES=TRUE))
      ) 
  • In the sqlnet.ora file or the listener.ora file:

    SSL_DISABLE_WEAK_EC_CURVES=TRUE

8.4.19 SSL_VERSION

Use the SSL_VERSION parameter to define valid Transport Layer Security (TLS) versions to be used for connections.

Purpose

To define the version of TLS that must run on the systems with which the database server communicates. By default, the database server and client negotiate the strongest security protocol. Oracle does not recommend modifying this parameter, unless your security requirements mandate the usage of certain protocol versions.

Usage Notes

  • Clients, listeners, and database servers must use compatible versions. Modify this parameter only when necessary to enforce the use of the more secure TLS protocol and not allow clients that only work with the older TLS protocols. The current default uses TLS 1.3, which is the version required for multiple security compliance requirements. If you need to specify TLS 1.2, then also include TLS 1.3 to allow more secure connections.

  • In addition to sqlnet.ora, listener.ora, and cman.ora, you can specify this parameter under the SECURITY section of tnsnames.ora or directly as part of the connect string. The parameter value specified in the connect string takes precedence over the other specified values.

  • Starting with Oracle Database 23ai, Transport Layer Security protocol versions 1.0 and 1.1 are desupported.

    In most cases, this change will not have any impact, because the database client and server will negotiate the use of the most secure protocol and cipher algorithm. However, if TLS 1.0 or 1.1 has been specified, then you must either remove it to allow the database server and client to pick the most secure protocol, or you must specify either TLS 1.2, or TLS 1.3, or both, for the protocol. Oracle recommends using the latest, most secure protocol. That protocol is TLS 1.3, which is introduced with Oracle Database 23ai.

  • Starting with Oracle Database 23ai, the Secure Socket Layer v3 protocol (SSLv3) is no longer supported for database server-client connections, and the sqlnet.ora parameter ADD_SSLV3_TO_DEFAULT has been removed.

    SSLv3 is a much less secure protocol to secure the database server-to-client connection. Instead of using SSLv3, allow the database server and client to negotiate the most secure protocol that is common between the server and the client. Oracle Database 23ai provides TLS 1.2 and TLS 1.3 protocols for certificate-based network encryption.

  • If you set SSL_VERSION to undetermined, then the most secure TLS protocol version is used. You can also use the SSL_VERSION=undetermined setting in the connect string for a specific connection to override the SSL_VERSION value configured in the sqlnet.ora, listener.ora, or cman.ora file.

  • If you do not set SSL_VERSION to any value, then all the supported TLS protocol versions are tried starting with the most secure version. This is typically the most common configuration, ensuring that the strongest protocol is chosen during TLS negotiation.

Values

undetermined | TLSv1.2 | TLSv1.3

Default

undetermined

Syntax and Examples

  • To specify a single protocol version:
    SSL_VERSION=TLS_protocol_version
    For example:
    SSL_VERSION=TLSv1.3
  • To specify multiple protocol versions, use a comma-separated string of values, enclosed in parenthesis:
    SSL_VERSION=(TLS_protocol_version1,TLS_protocol_version2)
    For example:
    SSL_VERSION=(TLSv1.2,TLSv1.3)

    Note:

    Do not enclose protocol versions in parenthesis while specifying this parameter in the tnsnames.ora file or as part of the connect string, otherwise the setting will not parse correctly. For example:

    net_service_name=
      (DESCRIPTION=
         (ADDRESS=(PROTOCOL=tcps)(HOST=salesserver)(PORT=1522))
         (SECURITY=(SSL_VERSION=TLSv1.2,TLSv1.3)) 
      )
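The following Python script is an added example; it is not part of the Oracle documentation or of Oracle Net. It normalizes an SSL_VERSION setting written in either syntax shown above (the parenthesized list used in listener.ora, sqlnet.ora and cman.ora, and the bare comma-separated list used in tnsnames.ora or a connect string), flags values outside the two versions supported in Oracle Database 23ai, and models the negotiation rule from the usage notes: both sides use the most secure version they have in common, so a client pinned to TLS 1.1 cannot connect to a 23ai server at all. The listener.ora line and connect string in the script are constructed for the example, and the negotiation model is a simplification, not Oracle's handshake code.

```python
"""Normalize and check Oracle Net SSL_VERSION settings.

Added example, not part of the Oracle documentation. It models the
negotiation rule described in the usage notes (both sides use the most
secure version they have in common) and accepts the two spellings shown
there: the parenthesized list used in listener.ora/sqlnet.ora/cman.ora and
the bare comma-separated list used in tnsnames.ora or a connect string.
"""
import re

# Values this page documents for Oracle Database 23ai, ordered weakest to strongest.
SUPPORTED = ("TLSv1.2", "TLSv1.3")

# Matches the parameter in either file syntax: a parenthesized group or a bare token.
_SSL_VERSION_RE = re.compile(r"SSL_VERSION\s*=\s*(\([^)]*\)|[^)\s]+)", re.IGNORECASE)


def parse_ssl_version(setting):
    """Return the list of versions named by an SSL_VERSION setting.

    Accepts 'TLSv1.3', '(TLSv1.2,TLSv1.3)', 'TLSv1.2,TLSv1.3', 'undetermined',
    or None/'' (parameter absent). Values that match a SUPPORTED spelling
    case-insensitively are canonicalized; anything else is kept verbatim so
    the caller can flag it.
    """
    if setting is None or setting.strip() == "":
        return []                     # parameter not set
    text = setting.strip()
    if text.startswith("(") and text.endswith(")"):
        text = text[1:-1]
    canon = {v.lower(): v for v in SUPPORTED}
    return [canon.get(v.strip().lower(), v.strip()) for v in text.split(",") if v.strip()]


def allowed_versions(setting):
    """Versions a side will offer. 'undetermined' and 'not set' both mean
    every supported version, as the usage notes describe."""
    versions = parse_ssl_version(setting)
    if not versions or [v.lower() for v in versions] == ["undetermined"]:
        return set(SUPPORTED)
    return set(versions)


def unsupported_versions(setting):
    """Configured values that are not 23ai-supported TLS versions (for example
    TLS 1.0, TLS 1.1 or SSLv3 spellings left over from an older release)."""
    return [v for v in parse_ssl_version(setting)
            if v not in SUPPORTED and v.lower() != "undetermined"]


def negotiate(client_setting, server_setting):
    """Model the handshake outcome: the strongest version both sides allow,
    or None when the configured sets do not intersect (the handshake fails)."""
    common = allowed_versions(client_setting) & allowed_versions(server_setting) & set(SUPPORTED)
    if not common:
        return None
    return max(common, key=SUPPORTED.index)


def extract_ssl_version(text):
    """Pull the SSL_VERSION setting out of a listener.ora line or a connect string."""
    m = _SSL_VERSION_RE.search(text)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed inputs: a listener.ora line and a tnsnames.ora-style descriptor.
    listener_line = "SSL_VERSION=(TLSv1.2,TLSv1.3)"
    connect_string = ("sales=(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=salesserver)(PORT=1522))"
                      "(SECURITY=(SSL_VERSION=TLSv1.2,TLSv1.3)))")
    for src in (listener_line, connect_string):
        print(src, "->", parse_ssl_version(extract_ssl_version(src)))
    print("legacy TLSv1.1 client vs TLSv1.3-only server:", negotiate("TLSv1.1", "TLSv1.3"))
    print("unset client vs (TLSv1.2,TLSv1.3) server:", negotiate(None, "(TLSv1.2,TLSv1.3)"))
```

Run the script against the SSL_VERSION lines of your own listener.ora and tnsnames.ora; any value reported by unsupported_versions is one that a 23ai server or client will not honour, and a pair of settings for which negotiate returns None is a connection that will fail after the upgrade.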
    

8.4.20 SUBSCRIBE_FOR_NODE_DOWN_EVENT_listener_name

Purpose

To subscribe to Oracle Notification Service (ONS) notifications for node down events.

Usage Notes

By default, the listener subscribes to the ONS node down event on startup, if ONS is available. This subscription enables the listener to remove the affected service when it receives node down event notification from ONS. The listener uses asynchronous subscription for the event notification. Alter this behavior by setting SUBSCRIBE_FOR_NODE_DOWN_EVENT_listener_name=off in listener.ora.

Default

on

Values

on | off

8.4.21 USE_SID_AS_SERVICE_listener_name

Purpose

To enable the system identifier (SID) in the connect descriptor to be interpreted as a service name when a user attempts a database connection.

Usage Notes

Database clients with earlier releases of Oracle Database that have hard-coded connect descriptors can use this parameter to connect to a container or pluggable database.

For an Oracle container database, the client must specify a service name in order to connect to it. Setting this parameter to on instructs the listener to use the SID in the connect descriptor as a service name and connect the client to the specified database.

Default

off

Example

USE_SID_AS_SERVICE_listener=on

8.4.22 VALID_NODE_CHECKING_REGISTRATION_listener_name

The listener.ora control parameter VALID_NODE_CHECKING_REGISTRATION_listener_name determines if valid node checking registration is performed, or if the subnet is allowed.

Purpose

To determine whether valid node checking registration is performed, or the subnet is allowed.

Usage Notes

  • When set to on, valid node checking registration is performed at the listener for any incoming registration request, and only local IP addresses are allowed.

  • Starting with Oracle Grid Infrastructure 12c, for a SCAN listener, if the VALID_NODE_CHECKING_REGISTRATION_listener_name and REGISTRATION_INVITED_NODES_listener_name parameters are set in the listener.ora file, then the listener agent overwrites these parameters.

Default

on

Values

  • off | 0 to specify valid node checking registration is off, and no checking is performed.

  • on | 1 | local to specify valid node checking registration is on, and all local IP addresses can register. If a list of invited nodes is set, then all IP addresses, host names, or subnets in the list as well as local IP addresses are allowed.

  • subnet | 2 to specify valid node checking registration is on, and all machines in the local subnets are allowed to register. If a list of invited nodes is set, then all nodes in the local subnets as well as all IP addresses, host names and subnets in the list are allowed.

Example

VALID_NODE_CHECKING_REGISTRATION_listener=on

See Also:

Oracle Real Application Clusters Administration and Deployment Guide for information about valid node checking for registration
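As an added example that is not part of the Oracle documentation, the following Python function models the three settings listed above as an allow or deny decision for a registration request from a given source address. The listener host's interface addresses and the host name table are constructed stand-ins (a real check would enumerate the host's interfaces and resolve names through DNS), and the hypothetical invited-node list stands for the REGISTRATION_INVITED_NODES_listener_name parameter mentioned in the usage notes. The function models the documented rules, not Oracle's implementation.

```python
"""Model of the listener's valid node checking for registration.

Added example, not part of the Oracle documentation and not Oracle's
implementation. It applies the documented VALID_NODE_CHECKING_REGISTRATION
rules to the source address of a registration request:

  off | 0          -> every source may register
  on | 1 | local   -> the listener host's own addresses, plus invited nodes
  subnet | 2       -> every address in the host's local subnets, plus invited nodes

Invited nodes (REGISTRATION_INVITED_NODES_listener_name) may be IP
addresses, host names or subnets. Host-name resolution is stubbed with a
constructed table so the example runs offline.
"""
import ipaddress

# Constructed: the listener host's interfaces, as address/prefix.
LOCAL_INTERFACES = ("10.0.0.5/24", "192.168.10.7/24", "127.0.0.1/8")

# Constructed stand-in for DNS; a real check would resolve the name.
HOSTNAME_TABLE = {"app-node1": "172.16.4.21"}

_MODES = {"off": "off", "0": "off",
          "on": "local", "1": "local", "local": "local",
          "subnet": "subnet", "2": "subnet"}


def _to_network(entry):
    """Turn an invited-node entry (IP, host name or subnet) into a network.
    Unresolvable entries raise ValueError from ipaddress."""
    entry = entry.strip()
    if entry in HOSTNAME_TABLE:
        entry = HOSTNAME_TABLE[entry]
    return ipaddress.ip_network(entry, strict=False)


def registration_allowed(source_ip, mode="on", invited_nodes=(), interfaces=LOCAL_INTERFACES):
    """Return (allowed, reason) for a registration attempt from source_ip."""
    mode_key = _MODES.get(str(mode).strip().lower())
    if mode_key is None:
        raise ValueError(f"unknown VALID_NODE_CHECKING_REGISTRATION value: {mode!r}")
    if mode_key == "off":
        return True, "checking disabled"

    src = ipaddress.ip_address(source_ip)
    local_ifaces = [ipaddress.ip_interface(i) for i in interfaces]

    # The host's own addresses are always allowed when checking is on.
    if any(src == i.ip for i in local_ifaces):
        return True, "local address"
    # In subnet mode, every address in a local subnet is allowed.
    if mode_key == "subnet" and any(src in i.network for i in local_ifaces):
        return True, "local subnet"
    # Invited nodes extend both the local and the subnet mode.
    for entry in invited_nodes:
        if src in _to_network(entry):
            return True, f"invited node {entry.strip()}"
    return False, "not local, not invited"


if __name__ == "__main__":
    invited = ("app-node1", "172.16.5.0/24")      # hypothetical REGISTRATION_INVITED_NODES list
    for ip, mode in (("10.0.0.5", "on"), ("10.0.0.9", "on"), ("10.0.0.9", "subnet"),
                     ("172.16.4.21", "on"), ("172.16.5.77", "local"),
                     ("203.0.113.4", "on"), ("203.0.113.4", "off")):
        print(f"{ip:>13} mode={mode:<6} ->", registration_allowed(ip, mode, invited))
```

The point the model makes visible is the difference between on and subnet: with the default on, a database instance on another host in the same /24 is refused unless it is named in the invited list, whereas subnet accepts every address in that range, including any host an attacker controls on the same network segment.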

8.4.23 WALLET_LOCATION

Use the WALLET_LOCATION parameter to specify the location of Oracle wallets.

Purpose

To specify the directory path where an Oracle wallet is stored. Wallets securely contain certificates, secrets, private keys, and trust points used by Oracle Database.

Usage Notes

  • Where to set this parameter:

    You can set WALLET_LOCATION in the listener.ora file to specify a common wallet location for all listeners. You can also set WALLET_LOCATION in the SECURITY section of an address description in listener.ora to specify a different wallet location for each listener. For example:
    net_service_name=
        (DESCRIPTION =
           (ADDRESS=(PROTOCOL=tcps)(HOST=sales-svr)(PORT=1234))
           (SECURITY=(WALLET_LOCATION=DIRECTORY)))
    
  • Storage of wallet files:

    The password-protected wallet is stored in an ewallet.p12 file. The auto-login and local auto-login wallets are stored in a cwallet.sso file. Because an auto-login wallet can be opened without a password, restrict access to the wallet directory to the operating system user that runs the listener.

    For example, if an Oracle wallet is stored in the Microsoft Windows registry and the wallet's key (KEY) is SALESAPP, then the storage location of the password-protected wallet is HKEY_CURRENT_USER\SOFTWARE\ORACLE\WALLETS\SALESAPP\EWALLET.P12. The storage location of the auto-login and local auto-login wallets is HKEY_CURRENT_USER\SOFTWARE\ORACLE\WALLETS\SALESAPP\CWALLET.SSO.

Additional Parameters

Use SOURCE to specify the type of storage and storage location for wallets, as follows:
  • METHOD: Type of storage

  • METHOD_DATA: Storage location:
    • DIRECTORY: Location of wallet on the file system

    • KEY: Wallet type and location in the Microsoft Windows registry

Syntax and Examples

The syntax depends on the wallet as follows:

  • Wallet on the file system:
    WALLET_LOCATION=
      (SOURCE=
        (METHOD=file)
        (METHOD_DATA=
           (DIRECTORY=directory)))
    For example:
    WALLET_LOCATION=  
      (SOURCE=
          (METHOD=file)
          (METHOD_DATA=  
             (DIRECTORY=/etc/oracle/wallets/databases)))
  • Microsoft certificate store:
    WALLET_LOCATION=
      (SOURCE=
         (METHOD=mcs))

    The key-value pair for MCS omits the METHOD_DATA parameter because MCS does not use wallets. Instead, Oracle PKI (public key infrastructure) applications obtain certificates, trust points and private keys directly from a user's profile.

  • Wallet in the Microsoft Windows registry:
    WALLET_LOCATION=
       (SOURCE=
          (METHOD=reg)
          (METHOD_DATA=
             (KEY=registry_key)))
    For example:
    WALLET_LOCATION=
       (SOURCE=
         (METHOD=reg)
         (METHOD_DATA=
            (KEY=SALESAPP)))

Default

None

8.5 ADR Diagnostic Parameters for Oracle Net Listener

The diagnostic data for critical errors is captured quickly and stored in the ADR for Oracle Net Listener.

Since Oracle Database 11g, Oracle Database includes an advanced fault diagnosability infrastructure for preventing, detecting, diagnosing, and resolving problems. The problems are critical errors such as those caused by database code bugs, metadata corruption, and customer data corruption.

When a critical error occurs, it is assigned an incident number, and diagnostic data for the error, such as traces and dumps, are immediately captured and tagged with the incident number. The data is then stored in the Automatic Diagnostic Repository (ADR), a file-based repository outside the database.

This section includes the parameters used when ADR is enabled. ADR is enabled by default. Non-ADR parameters listed in the listener.ora file are ignored when ADR is enabled.

The following listener.ora parameters are used when ADR is enabled (when DIAG_ADR_ENABLED is set to on):

8.5.1 ADR_BASE_listener_name

The ADR_BASE_listener_name parameter is a diagnostic parameter that specifies the base directory that stores tracing and logging incidents when ADR is enabled.

Purpose

To specify the base directory that stores tracing and logging incidents when ADR is enabled.

Default

The default is ORACLE_BASE, or ORACLE_HOME/log if ORACLE_BASE is not defined.

Values

Any valid directory path to a directory with write permission.

Example

ADR_BASE_listener=/oracle/network/trace

8.5.2 DIAG_ADR_ENABLED_listener_name

The DIAG_ADR_ENABLED_listener_name parameter is a diagnostic parameter of the listener.ora file. It indicates whether ADR is enabled.

Purpose

To indicate whether ADR tracing is enabled.

Usage Notes

When the DIAG_ADR_ENABLED_listener_name parameter is set to on, then ADR file tracing is used. When the DIAG_ADR_ENABLED_listener_name parameter is set to off, then non-ADR file tracing is used.

Default

on

Values

on|off

Example 8-8 Example

DIAG_ADR_ENABLED_listener=on

8.5.3 LOG_FILE_NUM_listener_name

The LOG_FILE_NUM_listener_name parameter is a diagnostic parameter of the listener.ora file that specifies the number of log file segments.

Purpose

To specify the number of log file segments. At any point of time there can be only n log file segments where n is LOG_FILE_NUM_listener_name. If the log grows beyond this number, then the older segments are deleted.

Default

No default. If you don't specify a value, or set the value to zero, then the number of segments grows indefinitely.

Values

Any integer value.

Example 8-9

LOG_FILE_NUM_listener=3

8.5.4 LOG_FILE_SIZE_listener_name

The LOG_FILE_SIZE_listener_name diagnostic parameter of the listener.ora file specifies the size of each log file segment.

Purpose

To specify the size of each log file segment. The size is in MB.

Default

300 MB

Values

Any integer value.

Example 8-10 Example

LOG_FILE_SIZE_listener=10

8.5.5 LOGGING_listener_name

The LOGGING_listener_name diagnostic parameter of the listener.ora file turns logging on or off.

Purpose

To turn logging on or off.

Usage Notes

This parameter is also applicable when non-ADR tracing is used.

Default

on

Values

on | off

Example

LOGGING_listener=on

8.5.6 TRACE_LEVEL_listener_name

The TRACE_LEVEL_listener_name diagnostic parameter of the listener.ora file turns listener tracing on, at a specific level, or turns it off.

Purpose

To turn listener tracing on, at a specific level, or to turn it off.

Usage Notes

This parameter is also applicable when non-ADR tracing is used.

Default

off | 0

Values

  • off or 0 for no trace output

  • user or 4 for user trace information

  • admin or 10 for administration trace information

  • support or 16 for Oracle Support Services trace information

Example

TRACE_LEVEL_listener=admin

8.5.7 TRACE_TIMESTAMP_listener_name

The TRACE_TIMESTAMP_listener_name diagnostic parameter of the listener.ora file adds a time stamp to every trace event in the trace file for the listener.

Purpose

To add a time stamp in the form of dd-mmm-yyyy hh:mi:ss:mil to every trace event in the trace file for the listener.

Usage Notes

This parameter is used with the TRACE_LEVEL_listener_name parameter. This parameter is also applicable when non-ADR tracing is used.

Default

on

Values

  • on | true

  • off | false

Example

TRACE_TIMESTAMP_listener=true

8.6 Non-ADR Diagnostic Parameters for Oracle Net Listener

This section lists the parameters used when ADR is disabled. The default value of DIAG_ADR_ENABLED_listener_name is on. Therefore, the DIAG_ADR_ENABLED_listener_name parameter must explicitly be set to off to use non-ADR tracing.

8.6.1 LOG_DIRECTORY_listener_name

Purpose

To specify the destination directory of the listener log file.

Usage Notes

Use this parameter when ADR is not enabled.

Default

ORACLE_HOME/network/log

Example

LOG_DIRECTORY_listener=/oracle/network/admin/log

8.6.2 LOG_FILE_listener_name

Purpose

To specify the name of the log file for the listener.

Usage Notes

Use this parameter when ADR is not enabled.

Default

listener.log

Example

LOG_FILE_listener=list.log

8.6.3 TRACE_DIRECTORY_listener_name

Purpose

To specify the destination directory of the listener trace file.

Usage Notes

Use this parameter when ADR is not enabled.

Default

ORACLE_HOME/network/trace

Example

TRACE_DIRECTORY_listener=/oracle/network/admin/trace

8.6.4 TRACE_FILE_listener_name

Purpose

To specify the name of the trace file for the listener.

Usage Notes

Use this parameter when ADR is not enabled.

Default

listener.trc

Example

TRACE_FILE_listener=list.trc

8.6.5 TRACE_FILEAGE_listener_name

Purpose

To specify the maximum age of listener trace files in minutes.

Usage Notes

When the age limit is reached, the trace information is written to the next file. The number of files is specified with the TRACE_FILENO_listener_name parameter. Use this parameter when ADR is not enabled.

Default

Unlimited

This is the same as setting the parameter to 0.

Example 8-11 Example

TRACE_FILEAGE_listener=60

8.6.6 TRACE_FILELEN_listener_name

Purpose

To specify the size of the listener trace files in kilobytes (KB).

Usage Notes

When the size is met, the trace information is written to the next file. The number of files is specified using the TRACE_FILENO_listener_name parameter. Use this parameter when ADR is not enabled.

Default

Unlimited

Example

TRACE_FILELEN_listener=100

8.6.7 TRACE_FILENO_listener_name

Purpose

To specify the number of trace files for listener tracing.

Usage Notes

When this parameter is set along with the TRACE_FILELEN_listener_name parameter, trace files are used in a cyclical fashion. The first file is filled first, then the second file, and so on. When the last file has been filled, the first file is re-used, and so on.

The trace file names are distinguished from one another by their sequence number. For example, if the default trace file of listener.trc is used, and this parameter is set to 3, then the trace files would be named listener1.trc, listener2.trc and listener3.trc.

In addition, trace events in the trace files are preceded by the sequence number of the file. Use this parameter when ADR is not enabled.

Default

1

Example

TRACE_FILENO_listener=3

8.7 Class of Secure Transports Parameters

The class of secure transports (COST) parameters specify a list of transports that are considered secure for administration and registration of a particular listener.

The COST parameters identify which transports are considered secure for that installation and whether the administration of a listener requires secure transports. Configuring these parameters is optional.

See Also:

Oracle Database Net Services Administrator's Guide for additional information about COST parameters and listener security

8.7.1 SECURE_REGISTER_listener_name

Purpose

To specify the transports on which registration requests are to be accepted.

Usage Notes

If the SECURE_REGISTER_listener_name parameter is configured with a list of transport names, then only the connections arriving on the specified transports are able to register the service with the listener. Connections arriving by other transport protocols are refused. The following is an example:

SECURE_REGISTER_listener1 = (TCPS,IPC)

In the preceding example, registration requests are accepted only on TCPS and IPC transports.

If no values are entered for this parameter, then the listener accepts registration requests from any transport.

Syntax

SECURE_REGISTER_listener_name = 
[(]transport1[,transport2, ....,transportn)]

In the preceding syntax, transport1, transport2, and transportn are valid, installed transport protocol names.

If this parameter and SECURE_CONTROL_listener_name are configured, then they override the SECURE_PROTOCOL_listener_name parameter.

Example

LISTENER1=
 (DESCRIPTION=
    (ADDRESS_LIST=
      (ADDRESS=(PROTOCOL=tcp)(HOST=sales-server)(PORT=1521))
      (ADDRESS=(PROTOCOL=ipc)(KEY=extproc))
      (ADDRESS=(PROTOCOL=tcps)(HOST=sales-server)(PORT=1522))))
  SECURE_REGISTER_listener1=tcps

8.7.2 Using COST Parameters in Combination

COST parameters can also be used in combination to further control which transports accept service registration and control commands.

In Example 8-12, control commands are accepted only on the IPC channel and the TCPS transport, and service registrations are accepted only on an IPC channel.

Example 8-12 Combining COST Parameters

LISTENER1=
 (DESCRIPTION=
   (ADDRESS_LIST=
     (ADDRESS=(PROTOCOL=tcp)(HOST=sales-server)(PORT=1521))
     (ADDRESS=(PROTOCOL=ipc)(KEY=extproc))
     (ADDRESS=(PROTOCOL=tcps)(HOST=sales-server)(PORT=1522))))
  SECURE_CONTROL_listener1=(tcps,ipc)
  SECURE_REGISTER_listener1=ipc

In Example 8-13, control commands are accepted only on the TCPS transport, and service registrations are accepted only on the IPC channel.

Example 8-13 Combining COST Parameters

LISTENER1=
 (DESCRIPTION=
   (ADDRESS_LIST=
     (ADDRESS=(PROTOCOL=tcp)(HOST=sales-server)(PORT=1521))
     (ADDRESS=(PROTOCOL=ipc)(KEY=extproc))
     (ADDRESS=(PROTOCOL=tcps)(HOST=sales-server)(PORT=1522))))
  SECURE_CONTROL_listener1=tcps
  SECURE_PROTOCOL_listener1=ipc

8.7.3 DYNAMIC_REGISTRATION_listener_name

DYNAMIC_REGISTRATION_listener_name is a class of secure transports (COST) parameter that enables or disables dynamic service registration with a listener.

Purpose

To enable or disable dynamic registration.

Usage Notes

Static registrations are not affected by this parameter.

Default

The default value is on. Unless this parameter is explicitly set to off, all registration connections are accepted.

Values

  • on: The listener accepts dynamic registration.

  • off: The listener refuses dynamic registration.

Example 8-14 Example

DYNAMIC_REGISTRATION_listener_name=on

8.7.4 SECURE_PROTOCOL_listener_name

Purpose

To specify the transports on which administration and registration requests are accepted.

Usage Notes

If this parameter is configured with a list of transport names, then the control commands and service registration can happen only if the connection belongs to the list of transports.

If this parameter is not present and neither SECURE_CONTROL_listener_name nor SECURE_REGISTER_listener_name is configured, then all supported transports accept control and registration requests.

If the SECURE_CONTROL_listener_name and SECURE_REGISTER_listener_name parameters are configured, then they override the SECURE_PROTOCOL_listener_name parameter.

Syntax

SECURE_PROTOCOL_listener_name = 
[(]transport1[,transport2, ....,transportn)]

In the preceding syntax, transport1, transport2, and transportn are valid, installed transport protocol names.

Example

LISTENER1=
 (DESCRIPTION=
    (ADDRESS_LIST=
      (ADDRESS=(PROTOCOL=tcp)(HOST=sales-server)(PORT=1521))
      (ADDRESS=(PROTOCOL=ipc)(KEY=extproc))
      (ADDRESS=(PROTOCOL=tcps)(HOST=sales-server)(PORT=1522))))
  SECURE_PROTOCOL_listener1=tcps

8.7.5 SECURE_CONTROL_listener_name

Purpose

To specify the transports on which control commands are to be serviced.

Usage Notes

If the SECURE_CONTROL_listener_name parameter is configured with a list of transport names, then the control commands are serviced only if the connection is one of the listed transports. Connections arriving by other transport protocols are refused. The following is an example:

SECURE_CONTROL_listener1 = (TCPS,IPC)

In the preceding example, administration requests are accepted only on TCPS and IPC transports.

If no values are entered for this parameter, then the listener services control commands arriving on any of its endpoints.

Syntax

SECURE_CONTROL_listener_name = 
[(]transport1[,transport2, ....,transportn)]

In the preceding syntax, transport1, transport2, and transportn are valid, installed transport protocol names.

Example

LISTENER1=
 (DESCRIPTION=
    (ADDRESS_LIST=
      (ADDRESS=(PROTOCOL=tcp)(HOST=sales-server)(PORT=1521))
      (ADDRESS=(PROTOCOL=ipc)(KEY=extproc))
      (ADDRESS=(PROTOCOL=tcps)(HOST=sales-server)(PORT=1522))))
  SECURE_CONTROL_listener1=tcps
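The following Python script is an added example and not Oracle code. It applies the precedence rules documented in this section (SECURE_CONTROL_listener_name and SECURE_REGISTER_listener_name each override SECURE_PROTOCOL_listener_name for their own request type, with none of the three set every configured endpoint accepts both kinds of request, and DYNAMIC_REGISTRATION_listener_name=off refuses registration on every transport) to the Example 8-12 and Example 8-13 fragments above, so that the transports that end up servicing control commands and registration requests are listed explicitly. It also reports any COST transport with no matching ADDRESS endpoint, a setting under which no request can satisfy the policy on that transport. The regex-based reading of listener.ora is a simplification written for this example, not a full Oracle Net parser.

```python
"""Resolve the effective class-of-secure-transports (COST) policy of a listener.

Added example, not part of the Oracle documentation and not Oracle code. It
reads a listener.ora fragment and applies the precedence described in the
COST section: SECURE_CONTROL and SECURE_REGISTER each override
SECURE_PROTOCOL for their own request type; with none of the three set,
every configured endpoint accepts control and registration requests;
DYNAMIC_REGISTRATION=off refuses registration on every transport.
"""
import re

# COST parameters: NAME_listener = value, where value is 'tcps' or '(tcps,ipc)'.
_PARAM_RE = re.compile(
    r"^\s*(SECURE_CONTROL|SECURE_REGISTER|SECURE_PROTOCOL|DYNAMIC_REGISTRATION)_(\w+)\s*=\s*(.+?)\s*$",
    re.IGNORECASE | re.MULTILINE)
# A listener entry: NAME = (DESCRIPTION...  or NAME = (ADDRESS_LIST... at the start of a line.
_LISTENER_RE = re.compile(r"^(\w+)\s*=\s*\(\s*(?:DESCRIPTION|ADDRESS)", re.IGNORECASE | re.MULTILINE)
_PROTOCOL_RE = re.compile(r"\(\s*PROTOCOL\s*=\s*(\w+)\s*\)", re.IGNORECASE)


def _balanced_block(text, start):
    """Return the text from the '(' at `start` through its matching ')'."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
    raise ValueError("unbalanced parentheses in listener.ora")


def _transport_list(value):
    """'tcps' or '(tcps,ipc)' -> {'tcps', 'ipc'} (lower-cased)."""
    return {v.strip().lower() for v in value.strip().strip("()").split(",") if v.strip()}


def endpoint_transports(text):
    """Map each listener name to the set of protocols in its address list."""
    result = {}
    for m in _LISTENER_RE.finditer(text):
        block = _balanced_block(text, text.index("(", m.start()))
        result[m.group(1).lower()] = {p.lower() for p in _PROTOCOL_RE.findall(block)}
    return result


def effective_cost(text):
    """Return {listener: {'control': set, 'register': set, 'unreachable': set}}."""
    params = {}
    for name, listener, value in _PARAM_RE.findall(text):
        params.setdefault(listener.lower(), {})[name.upper()] = value
    report = {}
    for listener, endpoints in endpoint_transports(text).items():
        p = params.get(listener, {})
        fallback = _transport_list(p["SECURE_PROTOCOL"]) if "SECURE_PROTOCOL" in p else endpoints
        control = _transport_list(p["SECURE_CONTROL"]) if "SECURE_CONTROL" in p else fallback
        register = _transport_list(p["SECURE_REGISTER"]) if "SECURE_REGISTER" in p else fallback
        if p.get("DYNAMIC_REGISTRATION", "on").strip().lower() == "off":
            register = set()
        # A COST transport with no matching ADDRESS can never carry a request.
        unreachable = (control | register) - endpoints
        report[listener] = {"control": control, "register": register, "unreachable": unreachable}
    return report


# Constructed from Example 8-12 on this page.
EXAMPLE_8_12 = """
LISTENER1=
 (DESCRIPTION=
   (ADDRESS_LIST=
     (ADDRESS=(PROTOCOL=tcp)(HOST=sales-server)(PORT=1521))
     (ADDRESS=(PROTOCOL=ipc)(KEY=extproc))
     (ADDRESS=(PROTOCOL=tcps)(HOST=sales-server)(PORT=1522))))
  SECURE_CONTROL_listener1=(tcps,ipc)
  SECURE_REGISTER_listener1=ipc
"""

# Constructed from Example 8-13 on this page.
EXAMPLE_8_13 = """
LISTENER1=
 (DESCRIPTION=
   (ADDRESS_LIST=
     (ADDRESS=(PROTOCOL=tcp)(HOST=sales-server)(PORT=1521))
     (ADDRESS=(PROTOCOL=ipc)(KEY=extproc))
     (ADDRESS=(PROTOCOL=tcps)(HOST=sales-server)(PORT=1522))))
  SECURE_CONTROL_listener1=tcps
  SECURE_PROTOCOL_listener1=ipc
"""

if __name__ == "__main__":
    for label, text in (("Example 8-12", EXAMPLE_8_12), ("Example 8-13", EXAMPLE_8_13)):
        print(label, effective_cost(text))
```

Feed the script your own listener.ora: a listener whose control set still contains tcp is administrable over an unencrypted, unauthenticated transport, and a non-empty unreachable set means a COST value names a protocol for which no ADDRESS exists.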