Securing Listener through a Password

posted Sep 8, 2010, 7:10 AM by Sachchida Ojha   [ updated Sep 8, 2010, 7:13 AM ]

Setting the Password

Setting a password for the listener is the minimum security you should maintain for it. By default, it has no password, and many DBAs simply do not create one. Part of the reason is the perceived complexity of specifying and using a password. This lesson will hopefully dispel that myth.

If a password is set for the listener, you will need to supply the correct password for any command other than START, STATUS and HELP. When the listener is first created, there is no password. The password is set with the following command at the LSNRCTL prompt:

LSNRCTL> change_password

This will prompt for the old and new passwords; as they are entered, they are not displayed on the screen. When the listener is initially created, the password is not set, or null. So, just press the return key when prompted for the old password.

Once the password has been changed, you have to supply it before doing any administrative work such as changing a parameter or stopping the listener. The password is supplied with the command SET PASSWORD <password>. For instance, to stop the listener, you would use the following commands in the LSNRCTL utility, assuming the password is t0p53r3t:

LSNRCTL> set password
Password: Enter <password> here; it will not be displayed.
The command completed successfully
LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=PROLIGENCE1)(PORT=1521)))
The command completed successfully
LSNRCTL>

Entering Passwords

LSNRCTL> set password g3#@657
LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC)))
TNS-01169: The listener has not recognized the password
LSNRCTL>

The password has to be specified on the prompt as follows:

LSNRCTL> set password
Password: Enter g3#@657 here; it will not be displayed.
The command completed successfully
LSNRCTL> stop

The other method of setting the password is through the parameter file. In the file listener.ora, place the following line:

passwords_listener = g3#@657

To specify passwords for other listeners, append the listener name to the word passwords as above; for example,

passwords_listener1 = g3#@657

sets the password for listener1. A password set this way has to be passed on one line, such as:

LSNRCTL> set password g3#@657

The other method of getting a prompt and entering the non-displayed password will not work.

However, when the password is explicitly specified in the parameter file, an attempt to change it will never succeed.

LSNRCTL> set password manager1
The command completed successfully
LSNRCTL> change_password
Old password:
New password:
Reenter new password:
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=DBDEV1)(PORT=1526)))
TNS-01169: The listener has not recognized the password
LSNRCTL> set password
Password:
The command completed successfully
LSNRCTL> change_password
Old password:
New password:
Reenter new password:
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=DBDEV1)(PORT=1526)))
TNS-01169: The listener has not recognized the password
LSNRCTL>

Regardless of how you enter the password, through a single line or on the prompt, the change will not be successful. To change the password, you have to remove the line passwords_listener in the file listener.ora and then change the password.

Encrypted Passwords

The other option in specifying the password of the listener is to record the password encrypted in the parameter file. This is done by recording the configuration changes automatically in the parameter file as described below:

LSNRCTL> set save_config_on_stop on
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC)))
LISTENER parameter "save_config_on_stop" set to ON
The command completed successfully
LSNRCTL> set password g3#@657
The command completed successfully

How to Check If the Password is Set

LSNRCTL> status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ANANDA)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for 32-bit Windows: Version 9.2.0.1.0 - Production
Start Date                05-JUL-2003 15:23:19
Uptime                    0 days 6 hr. 24 min. 56 sec
Trace Level               off
Security                  ON

SNMP                      OFF
Listener Parameter File oracle_home\network\admin\listener.ora
Listener Log File oracle_home\network\log\listener.log
Services Summary...
DBCEO has 1 service handler(s)
DBCEO has 2 service handler(s)
DBCEO has 2 service handler(s)
The command completed successfully
LSNRCTL>
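
A scripted version of the check above, added here as an example and not part of the original post: it reads the Security line from saved status output and flags a clear-text passwords_<name> line in listener.ora, the case in which change_password fails. The function names and sample input are constructed for illustration, and it assumes that a value written by LSNRCTL is a 16-digit hexadecimal string.

```python
import re

# Assumption: a value written by LSNRCTL is 16 hex digits; anything else is clear text.
HEX16 = re.compile(r"[0-9A-Fa-f]{16}")
PW_LINE = re.compile(r"^[ \t]*passwords_(\w+)[ \t]*=[ \t]*(.+?)[ \t]*$", re.I | re.M)
STATUS_FIELD = re.compile(r"^(Alias|Security)[ \t]+(\w+)", re.M)

# Constructed sample input; the hex value is made up.
STATUS_ON = "Alias                     LISTENER\nSecurity                  ON\n"
STATUS_OFF = "Alias                     LISTENER1\nSecurity                  OFF\n"
ORA_SAMPLE = """# constructed listener.ora fragment
passwords_listener = g3#@657
PASSWORDS_LISTENER2 = 0123456789ABCDEF
"""

def status_fields(status_text):
    """Return the Alias and Security fields from 'lsnrctl status' output."""
    return dict(STATUS_FIELD.findall(status_text))

def password_entries(listener_ora):
    """Map listener name -> 'encrypted' or 'cleartext' for each passwords_<name> line."""
    found = {}
    for name, value in PW_LINE.findall(listener_ora):
        # A parenthesised, comma-separated list of passwords is also accepted here.
        values = [v.strip() for v in value.strip("()").split(",")]
        all_hex = all(HEX16.fullmatch(v) for v in values)
        found[name.upper()] = "encrypted" if all_hex else "cleartext"
    return found

def audit(status_text, listener_ora):
    """Return a list of findings for the listener described by status_text."""
    fields = status_fields(status_text)
    alias = fields.get("Alias", "?").upper()
    findings = []
    if fields.get("Security", "OFF").upper() != "ON":
        findings.append(f"{alias}: no password set (Security is not ON)")
    if password_entries(listener_ora).get(alias) == "cleartext":
        findings.append(f"{alias}: clear-text password in listener.ora; "
                        "change_password fails until the line is removed")
    return findings

if __name__ == "__main__":
    for status in (STATUS_ON, STATUS_OFF):
        for finding in audit(status, ORA_SAMPLE):
            print(finding)
```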