Alternative to Port 1521 Communication?

Tom Kyte

Thanks for the question, Doug.

Asked: December 03, 2004 - 2:21 pm UTC

Last updated: January 28, 2009 - 8:12 am UTC

Version: 9.2.0.1


You Asked

We have a client-server application that we deploy to many customer sites. The Java client portion is installed on the customer's machine and communicates to our central Oracle database thru JDBC and port 1521.

To communicate with our database some of our customers have had to open port 1521 (outbound) on their firewalls. To some, this is no big deal - to others, it almost takes an act of Congress, if they can do it at all.

Our sales/marketing team says this (the port 1521 issue) is a big hurdle for them.

Is there any way to circumvent this 'problem' that you are aware of? Communicate thru port 80, which most(?) companies have open already?

and Tom said...

but on port 80, the only traffic they better be letting thru is HTTP. If they open up port 80 for *just anything*, then someone in their company will set up a telnet service on their machine on port 80.

It is not just opening a port, but you should open a port for a specific PROTOCOL.

You could in fact run the oracle tnslistener on port 80, it would work -- it just wouldn't be anything "to consider doing" as you would have to have port 80 *wide* open to all traffic (ftp, smtp, telnet, finger, whatever).

So, in order to use port 80 "safely", you would use web services instead of a stateful client server protocol. Or, you would go three tier (my advice personally) and place your client server code in the middle, behind the clients firewall -- and just use http from the desktop to the middle tier and let the middle tier use whatever protocol it wanted to talk to the database.




Comments

At least use a non-standard port

Cookie, December 05, 2004 - 7:01 pm UTC

While port 80 might not be a great solution, IMHO it would be better to use some random high port if you're going to open it to the public at large.

Hackers using scanning tools to look for Oracle servers would probably be looking for opened port 1521... putting the server on, say, 7335 instead will take you out of the "low hanging fruit" category.

Of course, the best solution is to button down the firewall as tight as possible, but in some scenarios, it is very difficult (for example, if you've got a large roaming sales team that need to connect from a multitude of wifi hot-spots, dial-ups, etc. Especially since VPN is not always a workable solution...)

Is Port 1521 Communication really a 'problem'?

DJ, December 16, 2004 - 12:49 pm UTC

I guess I'm still wondering if there is a real problem.

The client software at the customer site communicates with an ASP-Hosted Oracle Database Server thru JDBC and port 1521. The customer site is required to open up port 1521 (for outbound traffic only) on their firewall.

Is opening port 1521 (outbound only) on a firewall a security risk?

Also, someone suggested the Java's RMI (Remote Method Invocation) might be a way to communicate over another port (80?). Any thoughts on that?


Tom Kyte
December 16, 2004 - 1:34 pm UTC

actually, you would have to open port 1521 for INBOUND traffic no?

the client initiated the conversation from the outside didn't it?

Client initiates the DB Request

DJ, December 16, 2004 - 1:43 pm UTC

The customer has the Java software installed on their client machines behind their firewall. The Java code on the client machine issues the JDBC call to the central ASP-hosted database.

Tom Kyte
December 16, 2004 - 2:51 pm UTC

yes, ok -- client firewall would have to open port NNNN to outbound traffic. (i was thinking firewall was protecting database ;)

many commercial firewalls have builtin "i know what sqlnet traffic looks like" so they can make sure that only sqlnet traffic goes out over this port (of your choosing)



Oracle Consultant

Dawar, January 25, 2005 - 10:50 pm UTC

Tom,

We have three servers.
One is Oracle Database Server and other two are web servers.
We were able to access Oracle DB through all servers prior to use firewall.
Recently, our security folks set up a firewall and moved the Database server to the other side of the firewall & the web servers to the other side.
Now I can logon to Oracle database through Database server only.

But I am not able to access Oracle Database through Web Server.

Now I asked the Security folks to open port 1521.
Is it correct approach?

What else I need to do?

Could you please give some guideline?

Regards,
Dawar

Tom Kyte
January 26, 2005 - 8:33 am UTC

your security folk should know how to configure a firewall to permit traffic through.

they should actually have been able to definitely predict this would happen.

opening 1521 may or may not be sufficient. depends on how you connect to the database, what your OS's are.

and opening 1521 opens a host of other questions...

I'm not going to directly answer this, for this is something that affects your security here and there are many ways to set things up (correctly and not correctly). Not knowing your setup, your needs, etc -- just saying "oh, open port 1521" isn't the best thing.

Have your security guys ever set up such a configuration?
Have they consulted with someone who has?

If not, they need to -- if they have, they should know what to do in your case.


My configuration for example is a DMZ setting. firewall between the outside world and my servers, firewall between my servers and me. the servers are all in the middle and are told which servers they are allowed to accept traffic from. My setup would not apply to you at all.

Oracle Consultant

Dawar, January 26, 2005 - 1:06 pm UTC

Tom,

My OS is Red Hat 3.1 AS. (Refer to above question & answer)

1) Do they need to open port 1521 on both servers? I mean Database server & web server. Right now they open for Database server but still I am not able to logon to Oracle database through

2)

[oracle@DN-VFWS2 bin]$ sqlplus

SQL*Plus: Release 9.2.0.5.0 - Production on Wed Jan 26 10:12:57 2005

Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.

Enter user-name: system
Enter password:
ERROR:
ORA-12545: Connect failed because target host or object does not exist


3)
[oracle@dn-VFWS2 bin]$ tnsping ip_address of DB server
TNS Ping Utility for Linux: Version 9.2.0.5.0 - Production on 26-JAN-2005 09:59:34

Copyright (c) 1997 Oracle Corporation. All rights reserved.

Segmentation fault

Do you have any suggestion?

Regards,
Dawar

Tom Kyte
January 26, 2005 - 1:45 pm UTC

1) i've said "without me being there and understanding your needs, topology, infrastructure, it would be somewhat irresponsible to say "open this port" "

the web server needs access to the database -- they (the security team) need to provide that access, they understand the layout, I do not.

2) that is saying "dns lookup failed" basically, it cannot find the host

3) you tnsping tns connect strings, not ip addresses.

Dawar, January 26, 2005 - 1:57 pm UTC

Here is the interesting situation. But also see (2)

I can logon to the database as (1)

1)

[oracle@DN-VFWS2 runsqlplus]$ sqlplus system@"(description=(Address=(protocol=tcp)(host=100.50.11.88)(port=1521))(connect_data=(service_name=pm.dddd.org)))"

SQL*Plus: Release 9.2.0.5.0 - Production on Wed Jan 26 10:54:57 2005

Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.

Enter password:

Connected to:
Oracle9i Enterprise Edition Release 9.2.0.5.0 - Production
With the Partitioning option
JServer Release 9.2.0.5.0 - Production

SQL>

But If I do as below
2)
[oracle@DN-VFWS2 bin]$ sqlplus

SQL*Plus: Release 9.2.0.5.0 - Production on Wed Jan 26 10:58:14 2005

Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.

Enter user-name: system
Enter password:
ERROR:
ORA-12545: Connect failed because target host or object does not exist


Enter user-name:

Is it that the tnsnames.ora file has a problem?
Please note I had put the correct IP address in tnsnames.ora.
I used SSH to connect to the server.
I copied tnsnames.ora to Windows and put it back on the Linux server after the change.

Regards,
Dawar
 

Tom Kyte
January 26, 2005 - 2:02 pm UTC

#2 is not using a network to connect to anything. so not really sure what you are trying to show with that one.

#1 uses a network to connect to a remote server.
#2 is trying to connect locally and locally, well, guess there is nothing there.

perhaps you have an environment variable TWO_TASK set and it is trying a remote connection -- but to a host that doesn't exist.

Dawar, January 26, 2005 - 2:43 pm UTC

Tom,

#2
you are correct there is nothing there.

Here is the env
Could you pl.see what is wrong with it?

[oracle@DN-VFWS2 admin]$ env

HOSTNAME=DN-VFWS2.DDDD.ORG
TERM=xterm
SHELL=/bin/bash
HISTSIZE=1000
TMPDIR=/tmp
NLS_LANG=American_America.WE8ISO8859P1
SSH_CLIENT=111.222.00.00 1820 22
CVSROOT=:ext:oracle@tiger.verinform.com:/verinform/cvs
OLDPWD=/usr/local/oracle/network
SSH_TTY=/dev/pts/2
USER=oracle
TEMP=/tmp
LD_LIBRARY_PATH=/usr/local/oracle/lib:
LS_COLORS=no=00:fi=00:di=00;34:ln=00;36:pi=40;33:so=00;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=00;32:*.cmd=00;32:*.exe=00;32:*.com=00;32:*.btm=00;32:*.bat=00;32:*.sh=00;32:*.csh=00;32:*.tar=00;31:*.tgz=00;31:*.arj=00;31:*.taz=00;31:*.lzh=00;31:*.zip=00;31:*.z=00;31:*.Z=00;31:*.gz=00;31:*.bz2=00;31:*.bz=00;31:*.tz=00;31:*.rpm=00;31:*.cpio=00;31:*.jpg=00;35:*.gif=00;35:*.bmp=00;35:*.xbm=00;35:*.xpm=00;35:*.png=00;35:*.tif=00;35:
MAIL=/var/spool/mail/oracle
PATH=/usr/local/oracle/bin:/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/oracle/bin
INPUTRC=/etc/inputrc
PWD=/usr/local/oracle/network/admin
LANG=en_US.UTF-8
SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
SHLVL=1
HOME=/home/oracle
TMP=/tmp
LOGNAME=oracle
CVS_RSH=ssh
SSH_CONNECTION=111.222.00.00 1820 160.50.90.48 22
LESSOPEN=|/usr/bin/lesspipe.sh %s
ORACLE_HOME=/usr/local/oracle
G_BROKEN_FILENAMES=1
_=/bin/env
[oracle@DN-VFWS2 admin]$

Regards,
Dawar


Tom Kyte
January 26, 2005 - 2:45 pm UTC

umm, there is nothing wrong with it -- it is just that when you sqlplus system/password -- you are not even asking to connect over the network and since the database is across the network -- you sort of need to.

(you should be really careful cutting and pasting stuff like this, with ip addresses and other information)

Dawar, January 26, 2005 - 3:03 pm UTC

Tom,

Sorry to bother you again.

All Ip addresses & info is fake ummm

Is there any proxy issue?
what do you think?

cheers,
Dawar



Tom Kyte
January 26, 2005 - 3:06 pm UTC

ok, good on the ip stuff.


but -- look.  Your database is "over the network".  Your connection over the network:

[oracle@DN-VFWS2 runsqlplus]$ sqlplus system@"(description=(Address=(protocol=tcp)(host=100.50.11.88)(port=1521))(connect_data=(service_name=pm.dddd.org)))"

SQL*Plus: Release 9.2.0.5.0 - Production on Wed Jan 26 10:54:57 2005

Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.

Enter password:

Connected to:
Oracle9i Enterprise Edition Release 9.2.0.5.0 - Production
With the Partitioning option
JServer Release 9.2.0.5.0 - Production

SQL>


WORKED -- no surprises there.  But when you DON'T USE A TNS CONNECT STRING:


[oracle@DN-VFWS2 bin]$ sqlplus

SQL*Plus: Release 9.2.0.5.0 - Production on Wed Jan 26 10:58:14 2005

Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.

Enter user-name: system
Enter password:
ERROR:
ORA-12545: Connect failed because target host or object does not exist

it does not work -- why?  because your database is over the network perhaps?  I'm not sure what you think is wrong here -- you need to use "user/password@tnsname" to connect


 

Oracle consultant

Dawar, January 26, 2005 - 3:39 pm UTC

Yes I used as below


sqlplus

Enter user-name: system
Enter password: --- mypassword@am.dddd.org (SERVICE_NAME from tnsnames.ora)

ERROR:
ORA-12154: TNS:could not resolve service name

cheers,
Dawar


Tom Kyte
January 26, 2005 - 4:38 pm UTC

your tnsnames.ora file is botched then.

that is fairly clear at this point. am.dddd.org is not in there


[tkyte@localhost tkyte]$ oerr ora 12154
12154, 00000, "TNS:could not resolve service name"
// *Cause: The service name specified is not defined correctly in the
// TNSNAMES.ORA file.
// *Action: Make the following checks and correct the error:
// - Verify that a TNSNAMES.ORA file exists and is in the proper
// place and accessible. See the operating system specific manual
// for details on the required name and location.
// - Check to see that the service name exists in one of the
// TNSNAMES.ORA files and add it if necessary.
// - Make sure there are no syntax errors anywhere in the file.
// Particularly look for unmatched parentheses or stray characters.
// Any error in a TNSNAMES.ORA file makes it unusable. See
// Chapter 4 in the SQL*Net V2 Administrator's Guide. If
// possible, regenerate the configuration files using the Oracle
// Network Manager.


If you believe it is "correct", perhaps you are using the wrong files - use (assuming LINUX here) strace to SEE what files it is looking at:

[tkyte@localhost tkyte]$ csh
[tkyte@localhost ~]$ strace $ORACLE_HOME/bin/sqlplus scott/tiger@foobar |& grep tns

access("/etc/tnsnav.ora", F_OK) = -1 ENOENT (No such file or directory)
access("/home/ora9ir2/network/admin/tnsnav.ora", F_OK) = -1 ENOENT (No such file or directory)
access("/home/tkyte/.tnsnames.ora", F_OK) = 0
access("/etc/tnsnames.ora", F_OK) = -1 ENOENT (No such file or directory)
access("/home/ora9ir2/network/admin/tnsnames.ora", F_OK) = 0
stat64("/home/tkyte/.tnsnames.ora", {st_mode=S_IFREG|0664, st_size=698, ...}) = 0
open("/home/tkyte/.tnsnames.ora", O_RDONLY) = 7
stat64("/home/ora9ir2/network/admin/tnsnames.ora", {st_mode=S_IFREG|0644, st_size=1739, ...}) = 0
open("/home/ora9ir2/network/admin/tnsnames.ora", O_RDONLY) = 7
stat64("/home/tkyte/.tnsnames.ora", {st_mode=S_IFREG|0664, st_size=698, ...}) = 0
stat64("/home/ora9ir2/network/admin/tnsnames.ora", {st_mode=S_IFREG|0644, st_size=1739, ...}) = 0


For Dawar:

Bill Schwartz, January 26, 2005 - 3:57 pm UTC

You are not using the correct syntax. It should be username@tnsname
then supply your pw when prompted.

Tom Kyte
January 26, 2005 - 4:40 pm UTC

scott@ORA9IR2> connect
Enter user-name: scott@ora9ir2.us.oracle.com
Enter password: *****
Connected.
scott@ORA9IR2> connect
Enter user-name: scott
Enter password: ***************************
Connected.
scott@ORA9IR2>


either or should be ok

dawar, January 26, 2005 - 4:10 pm UTC


I did this before but getting following error.


Enter user-name: system@am.dddd.org (service name)
Enter password:
ERROR:
ORA-12154: TNS:could not resolve service name

I want to check whether tnsping is working or not from the web server.
What should I type after tnsping to test?

> tnsping

Regards,
Dawar

Tom Kyte
January 26, 2005 - 4:40 pm UTC

tnsping am.dddd.org


period.

How to TNSPING

Bill Schwartz, January 26, 2005 - 4:18 pm UTC

Dawar,
From your command line shell, just type:

tnsping hostname

where hostname is the hostname in your tnsnames.ora file

That should come back if the host is there.

Regards, Bill

Thanks Tom - must have mistyped hostname

Bill Schwartz, January 26, 2005 - 4:45 pm UTC

because when I first attempted pw@hostname it bombed with an unresolved host. But after seeing your follow-up, I went back and did it again VERY CAREFULLY and it worked.

Regards,

Bill

Dawar

Dawar, January 26, 2005 - 4:57 pm UTC

Bill,

[oracle@DN-VFWS2 admin]$ tnsping am.dddd.org

TNS Ping Utility for Linux: Version 9.2.0.5.0 - Production on 26-JAN-2005 14:03:19

Copyright (c) 1997 Oracle Corporation. All rights reserved.

Segmentation fault


[oracle@DN-VFWS2 admin]$ tnsping lllll (hostmane_of DB server)

TNS Ping Utility for Linux: Version 9.2.0.5.0 - Production on 26-JAN-2005 14:05:31

Copyright (c) 1997 Oracle Corporation. All rights reserved.

Segmentation fault


[oracle@DN-VFWS2 admin]$ tnsping llll.am.dddd.org
TNS Ping Utility for Linux: Version 9.2.0.5.0 - Production on 26-JAN-2005 14:05:31

Copyright (c) 1997 Oracle Corporation. All rights reserved.

Segmentation fault

Regards,
Dawar

Tom Kyte
January 27, 2005 - 7:31 am UTC

please contact support.

Reader

Nikunj Thaker, January 27, 2005 - 1:01 am UTC

Followup:

scott@ORA9IR2> connect
Enter user-name: scott@ora9ir2.us.oracle.com
Enter password: *****
Connected.
scott@ORA9IR2> connect
Enter user-name: scott
Enter password: ***************************
Connected.
scott@ORA9IR2>


either or should be ok

Above works fine if the database is local but over the network it's not working.

regards,

Tom Kyte
January 27, 2005 - 8:15 am UTC

umm, that was over the network.

if the database is "local", you don't use @connect_string

One more issue - NAT

Edgar, January 27, 2005 - 3:34 am UTC

Sorry, it may be offtopic, but
Btw, take care about one more issue.
If your db server is located in private IP network and there is Network Address Translation configured on your firewall, you should study one more topic - Oracle Connection Manager (CMAN).




Use HTTP Tunneling?

Doug, February 24, 2005 - 1:21 pm UTC

If the client application uses JDBC thin driver to communicate with the database, couldn't it use some HTTP Tunneling software to communicate over port 80?

Tom Kyte
February 24, 2005 - 5:19 pm UTC

could use lots of things, ssh included, sure.

Connect failed because target host or object does not exist

Dawar, March 22, 2005 - 7:30 pm UTC

Tom,


I have installed Oracle 10DS.
I also applied the latest patch set 3628736 for Oracle Forms.
Forms [32 Bit] Version 9.0.4.1.0
I copied my tnsnames.ora file from DB and copied to Oracle DS suite.
I can logon from sqlplus but can not connect from Oracle Form Builder or Oracle report.

I got following message
--File---Connects
Insert username, password and db
string.
***************************************************************************
ORA-12545: Connect failed becxause target host or object doest not exist.
***************************************************************************
Please note: OC4J Instance is running.


Regards,
Dawar


Tom Kyte
March 23, 2005 - 1:11 am UTC

typically means the hostname in the tnsnames.ora is wrong.....


check your environment, remember oc4j is running under the app server environment and that could be very different from yours.

ORA-12545: Connect failed because target host or object does not exist.

Dawar, March 23, 2005 - 7:18 pm UTC

Tom,

I got Oracle Support but it does not work.
We came to the stage.

When we used the code below in tnsnames.ora it does not work,
even though we created it through the configuration assistant and the test was successful.

abc =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST = ip_add)(PORT = 1521))
)
(CONNECT_DATA =
(SERVICE_NAME = abc)
)
)
so we used

hellotom =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST = ipadd)(PORT = 1521))
)
(CONNECT_DATA =
(SERVICE_NAME = abc)
)
)


so i was also able to connect through Oracle form builder 10g .

But now I have realized Developer 6i also has the same issue as above. They are using the same tnsnames.ora even though they are in different Oracle homes.

any idea.

Regards,
Dawar



Tom Kyte
March 23, 2005 - 7:21 pm UTC

they have different hostnames???? all this is saying is the machine you did the tnsping from (the test) was able to resolve ip_add but the other machine was NOT.

TNS-03505

Fernando Sanchez, April 25, 2005 - 4:35 am UTC

I'm having a very specific problem but I hope it can be interesting for more people (maybe those who don't understand too well how communications work).

When I write
tnsping SOPRA_TOSHIBA in the server (linux) I'm getting:
TNS Ping Utility for Linux: Version 9.2.0.4.0 - Production on 24-ABR-2005 22:21:37

Copyright (c) 1997 Oracle Corporation. All rights reserved.

Archivos de parámetros utilizados:
/opt/ora9/product/9.2/network/admin/sqlnet.ora

TNS-03505: Fallo al resolver el nombre


I don't have that problem in my client (windows):
TNS Ping Utility for 32-bit Windows: Version 9.2.0.1.0 - Production on 24-ABR-2005 22:21:27

Copyright (c) 1997 Oracle Corporation. All rights reserved.

Archivos de parámetros utilizados:
C:\oracle\ora92\network\admin\sqlnet.ora


Adaptador TNSNAMES utilizado para resolver el alias
Attempting to contact (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = toshiba)(PORT = 1521))) (CONNECT_DATA = (SID = sopra) (SERVER = DEDICATED)))
Realizado correctamente (80 mseg)


Both sqlnet.ora and tnsnames.ora are identical in both machines:

###################################
sqlnet.ora
###################################

NAMES.DIRECTORY_PATH= (TNSNAMES)


###################################
tnsnames.ora
###################################

SOPRA_TOSHIBA =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST = toshiba)(PORT = 1521))
)
(CONNECT_DATA =
(SID = sopra)
(SERVER = DEDICATED)
)
)

I don't know where the problem is.

Tom Kyte
April 25, 2005 - 7:18 am UTC

your tnsnames.ora file on the server doesn't have this entry or the sqlnet.ora on that server is different, causing a default domain to be added.


do this on the linux box:

$ strace tnsping SOPRA_TOSHIBA 2>&1 | grep tnsnames
access("/home/tkyte/.tnsnames.ora", F_OK) = 0
access("/etc/tnsnames.ora", F_OK) = -1 ENOENT (No such file or directory)
access("/home/ora9ir2/network/admin/tnsnames.ora", F_OK) = 0
stat64("/home/tkyte/.tnsnames.ora", {st_mode=S_IFREG|0664, st_size=698, ...}) = 0
open("/home/tkyte/.tnsnames.ora", O_RDONLY) = 3
stat64("/home/ora9ir2/network/admin/tnsnames.ora", {st_mode=S_IFREG|0644, st_size=823, ...}) = 0
open("/home/ora9ir2/network/admin/tnsnames.ora", O_RDONLY) = 3


and cut and paste your results.

Fernando Sanchez, April 25, 2005 - 3:26 pm UTC

"strace tnsping SOPRA_TOSHIBA 2>&1 | grep tnsnames" returns:


access("/home/oracle/.tnsnames.ora", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/tnsnames.ora", F_OK) = -1 ENOENT (No such file or directory)
access("/opt/ora9/product/9.2/network/admin/tnsnames.ora", F_OK) = 0
stat64("/opt/ora9/product/9.2/network/admin/tnsnames.ora", {st_mode=S_IFREG|0644, st_size=335, ...}) = 0
open("/opt/ora9/product/9.2/network/admin/tnsnames.ora", O_RDONLY) = 3


(In my linux server:
cat sqlnet.ora

# SQLNET.ORA Network Configuration File: /opt/ora9/product/9.2/network/admin/sqlnet.ora
# Generated by Oracle configuration tools.

NAMES.DIRECTORY_PATH= (TNSNAMES)
)



Thanks.


Tom Kyte
April 25, 2005 - 3:47 pm UTC

can you show us that:

/opt/ora9/product/9.2/network/admin/tnsnames.ora

is "well formed"

Your sqlnet.ora for example is not if it ends with ) like that.


Fernando Sanchez, April 25, 2005 - 4:44 pm UTC

Here are my tnsnames.ora and sqlnet.ora in the server:


[oracle@toshiba oracle]$ cat /opt/ora9/product/9.2/network/admin/tnsnames.ora
# TNSNAMES.ORA Network Configuration File: /opt/ora9/product/9.2/network/admin/tnsnames.ora
# Generated by Oracle configuration tools.

SOPRA_TOSHIBA
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST = toshiba)(PORT = 1521))
)
(CONNECT_DATA =
(SID = sopra)
(SERVER = DEDICATED)
)
)


[oracle@toshiba oracle]$ cat /opt/ora9/product/9.2/network/admin/sqlnet.ora
# SQLNET.ORA Network Configuration File: /opt/ora9/product/9.2/network/admin/sqlnet.ora
# Generated by Oracle configuration tools.

NAMES.DIRECTORY_PATH= (TNSNAMES)




Thanks again.



Tom Kyte
April 25, 2005 - 5:09 pm UTC

and that is not a well formed tnsnames.ora file.

SOPRA_TOSHIBA <<<<<<<<===== missing an = sign
(DESCRIPTION =
(ADDRESS_LIST =
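
Both tnsnames.ora failures in this thread (an alias that is not in the file, reported as ORA-12154, and an alias line missing its = sign, reported as TNS-03505) can be caught before attempting a connection. The Python checker below is an added example, not part of the original thread and not an Oracle tool; the name `parse_tnsnames` is hypothetical, the sample text is the file posted above, and quoted values are not handled.

```python
import re

TOKEN = re.compile(r"[()=]|[^\s()=]+")

def parse_tnsnames(text):
    """Return (aliases, problems); problems is a list of (line_no, message)."""
    aliases, problems = [], []
    depth = 0              # current parenthesis nesting
    alias = None           # alias of the entry being read, if any
    alias_line = 0
    seen_equals = False
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0]                  # drop comments
        for tok in TOKEN.findall(line):
            if tok == "(":
                if depth == 0 and alias is None:
                    problems.append((line_no, "'(' with no alias before it"))
                    alias, alias_line, seen_equals = "?", line_no, True
                elif depth == 0 and not seen_equals:
                    problems.append(
                        (alias_line, f"alias {alias!r} is not followed by '='"))
                    seen_equals = True               # report it only once
                depth += 1
            elif tok == ")":
                if depth == 0:
                    problems.append((line_no, "unmatched ')'"))
                    continue
                depth -= 1
                if depth == 0:                       # entry is complete
                    alias, seen_equals = None, False
            elif depth == 0:
                if tok == "=" and alias is not None:
                    seen_equals = True
                    aliases.append(alias)            # only well-formed aliases count
                elif tok == "=":
                    problems.append((line_no, "'=' with no alias before it"))
                else:
                    alias, alias_line, seen_equals = tok, line_no, False
    if depth > 0:
        problems.append(
            (alias_line, f"entry {alias!r} has {depth} unclosed '('"))
    return aliases, problems

# The server-side file as posted in the thread (indentation added for reading).
BROKEN = """\
# Generated by Oracle configuration tools.

SOPRA_TOSHIBA
(DESCRIPTION =
  (ADDRESS_LIST =
    (ADDRESS = (PROTOCOL = TCP)(HOST = toshiba)(PORT = 1521))
  )
  (CONNECT_DATA =
    (SID = sopra)
    (SERVER = DEDICATED)
  )
)
"""
FIXED = BROKEN.replace("SOPRA_TOSHIBA\n", "SOPRA_TOSHIBA =\n")

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        found, issues = parse_tnsnames(text)
        print(label, "aliases:", found, "problems:", issues)
```

An alias that does not appear in the returned list cannot be resolved from that file, which is the ORA-12154 case earlier in the thread.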

thank you

Fernando Sanchez, April 25, 2005 - 5:24 pm UTC

You're absolutely right.

I'm sorry for that silly mistake.


one port for multiple processes ?

A reader, October 04, 2006 - 5:22 pm UTC

so if I understand correctly, when running dedicated server,
and you want to connect thru firewall, it suffices to open
port 1521, presumed you have configure standard listener port,
and all sql*net communication is via 1521 ?

how can this be ?
there is one server process for each connection ?
they all share the same port ?

Tom Kyte
October 04, 2006 - 7:36 pm UTC

the magic of fork and exec, it is the way it works. you "inherit" things.
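
What "inherit" means here, as an added example that is not part of the original thread and is not Oracle code: a generic loopback listener forks one child per accepted connection, and each child's socket still carries the listener's local port, so every session stays on the one port the firewall allows. The function name `serve_with_fork` and the kernel-chosen port are assumptions; POSIX only.

```python
import os
import socket

def serve_with_fork(n_clients=3):
    """Accept n_clients connections on ONE listening port, one forked child each.

    Returns (listen_port, [(child_pid, local_port_seen_by_child), ...]).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))        # port 0: the kernel picks a free port
    listener.listen(n_clients)
    listen_port = listener.getsockname()[1]

    # Clients connect first; the handshakes complete in the listen backlog.
    clients = [socket.create_connection(("127.0.0.1", listen_port))
               for _ in range(n_clients)]

    children = []
    for _ in range(n_clients):
        conn, _peer = listener.accept()
        pid = os.fork()
        if pid == 0:
            # Child, playing the dedicated server: it inherited the connected
            # socket from the listener process. A program started with exec
            # would keep the descriptor as well if it is marked inheritable.
            listener.close()
            local_port = conn.getsockname()[1]
            conn.sendall(f"{os.getpid()} {local_port}\n".encode())
            conn.close()
            os._exit(0)                     # never return into the caller
        conn.close()                        # parent only keeps listening
        children.append(pid)

    results = []
    for client in clients:
        pid_text, port_text = client.makefile().readline().split()
        results.append((int(pid_text), int(port_text)))
        client.close()
    for pid in children:
        os.waitpid(pid, 0)                  # reap the children
    listener.close()
    return listen_port, results

if __name__ == "__main__":
    port, served = serve_with_fork()
    print("listener port:", port)
    for pid, local_port in served:
        print(f"child {pid} served its client on local port {local_port}")
```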

magic indeed

A reader, October 05, 2006 - 6:03 am UTC

how could I forget this?
thx

One listener for multiple instances

Nikhil, November 08, 2006 - 6:55 am UTC

Hello Tom,
Can we have one listener for multiple instances (one instance of Oracle 9i and another of Oracle 10g) on port 1521?
When I tried to configure that way it did not work. If I want both the instances to be working at the same time then should I configure one of the listeners to some other port (eg 80)?

Can a listener created in Oracle 9i be configured for an Oracle 10g DB?

We are working on test database and no other service or application is working on this server.


Thanks


Tom Kyte
November 08, 2006 - 8:31 am UTC

yes, it is not only possible, it is recommended and done all of the time.

you use the listener of the HIGHEST release of Oracle, not the lowest.

SQL Net security concerns

Saibal, May 30, 2007 - 8:21 pm UTC

Hi Tom,

I am at a client site and they are not willing to open their firewall for SQL Net traffic. They have a mix of all flavors of Oracle from 7 through 10. I have not heard any reasoning from them except that they have heard it somewhere. Is their concern justified? If yes, then what can be our options?

Thanks in advance.
Tom Kyte
May 30, 2007 - 9:26 pm UTC

umm, sort of sketchy information here.

no clue what you want us to comment on?

Saibal, May 31, 2007 - 1:10 pm UTC

I probably wasn't very clear. Attempting again... The client databases reside within their firewall. For access to these databases from a remote site I had requested that the listener ports be opened for sqlnet traffic. The client is suggesting that sqlnet connections are not secure so I will have to look for other alternatives to access the databases. I was hoping you could comment on whether the client's fears are true or a myth. Thanks.


Tom Kyte
May 31, 2007 - 2:31 pm UTC

depends on how you open the firewall.

If you just ask them to open 1521 or whatever, you are just opening a port. Rather simplistic and yes, a problem

Just like if you asked me to open port 80 - and not restrict it to http traffic (eg: no TELNET over port 80, no smtp over port 80, just http).

does their firewall have a sqlnet filter (don't ask me, I wouldn't know)
do they have experience configuring it (apparently not)
is it against their security policy (probably)

I cannot sqlnet to my own database from outside Oracle. In fact, I can only sqlnet from inside Oracle to my database in the DMZ (my database in the DMZ cannot sqlnet into Oracle).

And even if I said "myth", I would pray they wouldn't pay attention to me - that would not be a very good approach either. Playing around with the network capabilities of a firewall isn't something you do without a bit of planning, research and thought.

Ora10g DMZ problem

aymurguy, January 26, 2009 - 5:24 pm UTC

Hi Tom, hope you can give me an insight on this. I am testing on 10g 10.1.0.2 trying to move a current DB from 8i. The current 8i server residing in the local network can be accessed by an apps server inside the DMZ. When I change the host address in the apps tnsnames.ora to the 10g server it cannot be accessed by the apps server. Is there any other configuration I need to enable in the 10g DB so that it can be seen from the DMZ? Our network guys say the port (1521) is already open and they can telnet into the 10g server. What service do I need to add on the 10g server to achieve my goal? Thank you very much in advance.
Tom Kyte
January 28, 2009 - 8:12 am UTC

none, we are firewall "unaware". If you cannot tnsping from the application server to the database, then it is not set up DMZ (networking) wise.

You should probably *not* be using 1521 (that is a rather obvious port)...


get onto the application server and tnsping the 10g database, if you cannot - then either your sqlnet configuration is wrong (wrong host, wrong port) or your network rules don't permit it.