Securing Oracle Listeners against TNS Poison Attack by COST

The Oracle database's TNS listener service contains a vulnerability that has been referred to in public discussions as "TNS Poison". The listener accepts unauthenticated remote registrations when sent the appropriate connect packet (COMMAND=SERVICE_REGISTER_NSGR). An unauthenticated attacker may therefore register a client under an already registered database instance name and perform a man-in-the-middle attack, which allows the attacker to sniff database traffic and inject database commands into the server. Joxean Koret was the first to identify the issue, in 2008, and provided code demonstrating the man-in-the-middle attack by hijacking the communication between client and database server.

Oracle addressed this risk in April 2012 with a code fix as well as two ways of securing listeners: COST (Class Of Secure Transports) and VNCR (Valid Node Checking for Registration). COST is the supported solution for 10g through 11gR2, while from a later release onwards VNCR is the alternative to COST. COST is somewhat more complex to set up, since it uses a subset of Oracle Advanced Security, which Oracle allows to be used without a license solely for securing listeners. VNCR is easy to configure compared to COST.

The Class of Secure Transports (COST) parameters specify a list of transports that are considered secure for administration and registration of a particular listener. They identify which transports are considered secure for that installation and whether administration of a listener requires a secure transport. COST does not affect client connections that use other protocols.

IPC protocol support is similar to BEQ protocol support in that it can only be used when the client program and the Oracle server are installed on the same system. IPC protocol support differs from BEQ protocol support in that it can be used with Oracle Shared Server configurations. IPC protocol support requires a listener for its operation.

Here are the steps to configure COST in an 11g database.

Step 1: Create the wallet directories on each node (as root)

mkdir -p /etc/oracle/wallets/COST

chown -R oracle:dba /etc/oracle/wallets
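The post's remaining steps build the TCPS/wallet variant of COST; as an added illustration (not the post's own configuration), the listener.ora fragment below shows the two registration controls the text describes side by side: COST restricting dynamic registration to the local IPC transport, and the VNCR alternative that keeps TCP registration but only from listed hosts. The listener name LISTENER, the host dbhost01.example.com and the address 192.0.2.10 are assumed values.

```ini
# listener.ora (illustrative, not from the post). Listener name, host name
# and invited-node address are assumed values.
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost01.example.com)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )

# --- COST, single-instance variant: only the IPC transport may carry
# SERVICE_REGISTER requests. A local instance still registers over IPC,
# while a registration arriving over TCP from another host is refused.
# Client connections over TCP are unaffected.
SECURE_REGISTER_LISTENER = (IPC)

# Optionally restrict lsnrctl administration (stop, reload, ...) to IPC too.
SECURE_CONTROL_LISTENER = (IPC)

# --- VNCR alternative (releases that support it): leave TCP registration
# enabled but accept it only from the nodes listed here.
VALID_NODE_CHECKING_REGISTRATION_LISTENER = ON
REGISTRATION_INVITED_NODES_LISTENER = (dbhost01.example.com, 192.0.2.10)
```

Pick one of the two blocks rather than both. With the IPC-only COST setting the instance's LOCAL_LISTENER must resolve to the listener's IPC endpoint, otherwise the database itself can no longer register its services; for RAC, where instances register with remote SCAN listeners, the transport list has to include TCPS, which is what the wallet directories created in step 1 are for. After `lsnrctl reload`, confirm with `lsnrctl services` that the expected instances are still registered, and watch the listener log for rejected registration attempts from hosts that are not on the invited list.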


How Many SCAN Listeners?

Today we will explore SCAN listeners a little further. Common questions that come to mind are: how many SCAN listeners can be configured in a multi-node RAC environment? How many SCAN listeners are actually required, and how many are enough?

Let’s find out the answers for these common queries.

I am assuming that by now most DBAs are fairly comfortable with SCAN listeners; if you need a detailed explanation, the documentation linked here is a good choice. As usual, Oracle's documentation for SCAN is excellent for both the 11g and 12c releases.

SCAN listeners were introduced to create another connection handler on top of the existing node listeners, to overcome the failover and load balancing issues of the RAC architecture up to 11gR1. Up to 11gR1, node listeners were defined on VIPs so that a NACK (negative acknowledgement) could be returned and the problem of TCP timeouts avoided.

In pre-11gR2 database environments, clients could take up to 2 minutes to decide (at the TCP level) that a node was down. This is purely due to TCP timeouts, which differ from platform to platform. Two minutes is unacceptable, and it was a good thing that Oracle understood and addressed this issue. Oracle designed a virtual IP address (VIP) to be assigned to the public interface. Under normal circumstances the VIP is located on its designated NIC and the listener is bound to it. When the VIP has failed over to another node in the cluster and a client tries to connect to it (because the TNS alias addresses point to this VIP), the VIP responds immediately (it has failed over, and the TCP stack is running against it), so the client receives a negative acknowledgement (NACK) confirming that no listener is active on the designated port. Within a few seconds the client knows to fail over to the alternative address in its TNS alias. This makes failover a lot faster.

From 11gR2 onwards Oracle enhanced administration, database availability from the client's perspective and load balancing by introducing SCAN (Single Client Access Name). With SCAN, clients use the SCAN name (which resolves to 3 VIPs in the default configuration) rather than a list of all RAC nodes in the connect string. By default the SCAN listeners (defined on the SCAN VIPs) are the first point of contact and coordinate with the node listeners (defined on the VIPs). If a node fails, any SCAN listener running on that node is relocated to a surviving node, while the remaining SCAN listeners keep serving as normal.

In practice, any complex environment is designed with a multi-tier architecture in which connections are handled through a connection pool, which reduces connection time for application or web-based end users. Normally 3 SCAN listeners are capable of handling hundreds of new connections within a few seconds. Still, if you feel that the default 3 SCAN listeners are not enough for your environment, you have the option of adding a few more. With the GNS-based dynamic IP scheme there is still no way to change the number of SCAN listeners. Today we will walk through the process of adding one extra SCAN listener in a DNS-based static IP configuration.

Cloning Oracle Home in RAC

Cloning Oracle software is an easy and fast way to achieve standardization across an organization: all the effort goes into one environment, and after testing that environment becomes the source of binaries. A simple tar ball can be shipped to all other servers and untarred on the destination as a new home, or used to replace the existing Oracle home, depending on the space available on the destination.

There are different situations in which this method can be used, sometimes in a slightly twisted way, to achieve the desired result. Possible scenarios are:

  • A lost filesystem hosting the Oracle database software, where the choice is between a new installation and cloning the software from the surviving nodes (for RAC) or from another environment (for a standalone installation).
  • Enterprise-wide periodic patching, where cloning saves a lot of effort: build one image and clone it across the enterprise.
  • Building new environments while migrating databases across datacenters.
  • Node addition in RAC, which also uses the cloning technique.


GI (Oracle Restart) Upgrade from to

Recently I upgraded a single-node GI (Oracle Restart) from to and thought I would share it with you. It is not a very exciting topic, but not a bad one either.

In this blog I will use GI for Grid Infrastructure, which in our case is Oracle Restart. Here are the details of the GI (Oracle Restart) environment:

Grid Infra Version:

Grid Home: /u01/app/oracle/product/11.2.0/grid

Host Name: mask11g

Storage: ASM

DB Version:

Purpose: Upgrade GI from to

Path for upgrade: Out of place (New location on same server) followed by removal of old GI home.

From 11gR2 onwards Oracle recommends an out-of-place upgrade, although an in-place upgrade is still available. I tried both, and they are almost identical apart from a few minor points. An in-place upgrade upgrades an existing GI installation in the same directory by replacing the existing installation files. Applying the patch set this way requires more downtime and is not recommended, although it needs less disk space.

An out-of-place upgrade needs almost 5 GB of extra space during the upgrade; that space can be released afterwards by removing the old grid software.

To make the process easy to follow step by step, I am attaching snapshots of the upgrade.

The software is available on MOS as patch number 10404530 and is easy to download. The patch contains 7 files in total, but only one (933 MB) is needed to complete the GI upgrade. The patch is actually a full release, so it can be used for a new installation as well as for an upgrade from an older version.

I would suggest reading the instructions thoroughly before testing the upgrade in your environment. I cannot share more detail here, or this blog would turn into an upgrade companion document.

  1. Download and unzip the patch into a staging location on your server.
  2. Take a backup of the existing environment.
  3. Upgrade the GI software.
  4. Once the upgrade is done, remove the old GI installation as it is of no further use, or leave it in place if you have plenty of space on the server.
