stopping listener having a password
sami, December 04, 2003 - 5:47 am UTC
it didn't work.
December 04, 2003 - 8:51 am UTC
sure it does. you must not know the password.
show us a cut and paste of "it not working"
Stopping a listener with a password in a script
Shannon St. Dennis, January 12, 2006 - 3:31 pm UTC
We are using Oracle 8.1.7 in an OPS environment
The failover scripts try to gracefully stop the listener and database processes when failover happens
we are trying to password protect the listeners -- we have used the lsnrctl change_password command, etc.
We can start and stop the listeners by doing an interactive lsnrctl session:
ie...
lsnrctl
LSNRCTL> set current_listener lsnr_xxx
LSNRCTL> set password
xxxx
LSNRCTL> stop lsnr_xxx
the question is... is there a way to script this?
is there a way to script this if we scrap the encrypted passwords, and go to unencrypted passwords in the listener.ora file.
sometime this year, we'll be upgrading to 9i or 10g... but I need to do this now, unfortunately.
January 13, 2006 - 10:24 am UTC
not that I am aware of (the set password, and if I did, it would beg the question "why, you would have the password hard coded in scripts then") - but why not just have the listeners always running on both nodes?
Stopping listener in a script
Shannon St. Dennis, January 12, 2006 - 5:03 pm UTC
I ended up having to use the encrypted password -- not the cleartext password -- in the interactive script
ie
---------
stop_lsnr.sh
---------
#!/bin/sh
lsnrctl << EOF
set current_listener lsnr_xxx
set current_password "encrypted_password_from_listener.ora"
stop
exit
EOF
---------
instead of
---------
stop_lsnr_bad.sh
---------
#!/bin/sh
lsnrctl << EOF
set current_listener lsnr_xxx
set current_password "plain_text password"
stop
exit
EOF
---------
How to stop/start a password protected listener in batch?
Joe, March 17, 2006 - 2:59 pm UTC
We would like to script the listener start/stop process. How do you set the password non-interactively (ie: within a unix script)?
Oracle 9.2.0.7 is our current release.
Thank you in advance.
March 17, 2006 - 5:58 pm UTC
you cannot - but you do not need to. You can make it so the listener can only be interacted with using OS authentication (locally). That lets you not have to have a password at all - just have to be logged into the proper account.
Start/stop listener in batch
Joe, March 20, 2006 - 7:48 am UTC
If you can't script the start/stop of a password protected listener, how do you get the listener to start automatically during server boot, or during a failover situation? Any advice would be helpful. Thank you.
March 22, 2006 - 12:31 pm UTC
you use OS authentication, so the listener can be admin'ed by anyone on the local machine in the right group.
Just like sysdba
checking password set in lsnrctl
James K. Purtzer, May 17, 2006 - 1:51 pm UTC
running 9.2.0.7 on Windows Server 2003
Is there any way to see Listener Password set status or any flags set anywhere that can be queried? I don't have anything in the listener.ora file after I set a lsnrctl password.
Do I have to try to issue change_password then see if it errors out to determine the password is set?
May 18, 2006 - 10:25 am UTC
once you save the configuration, the password should be in the listener.ora
LSNRCTL> start
Starting /home/ora9ir2/bin/tnslsnr: please wait...
TNSLSNR for Linux: Version 9.2.0.6.0 - Production
System parameter file is /home/ora9ir2/network/admin/listener.ora
Log messages written to /home/ora9ir2/network/log/listener.log
...
The command completed successfully
LSNRCTL> change_password
Old password:
New password:
Reenter new password:
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC)))
Password changed for LISTENER
The command completed successfully
LSNRCTL> set password
Password:
The command completed successfully
LSNRCTL> save
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC)))
Saved LISTENER configuration parameters.
Listener Parameter File /home/ora9ir2/network/admin/listener.ora
Old Parameter File /home/ora9ir2/network/admin/listener.bak
The command completed successfully
LSNRCTL> ^D
[ora9ir2@vmware admin]$ tail listener.ora
(GLOBAL_DBNAME = ora9ir2)
(ORACLE_HOME = /home/ora9ir2)
(SID_NAME = ora9ir2)
)
)
#----ADDED BY TNSLSNR 18-MAY-2006 10:27:15---
PASSWORDS_LISTENER = 20A22647832FB454
#--------------------------------------------
[ora9ir2@vmware admin]$ date
Thu May 18 10:27:28 EDT 2006
[ora9ir2@vmware admin]$
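The check asked about above can be done from the saved file. The following is an added example, not code from the thread: it reports which listeners have a `PASSWORDS_<name>` entry and whether the file is readable beyond its owner. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit a listener.ora for saved
# listener passwords without ever printing the stored values.

# Print the name of every listener that has a PASSWORDS_<name> entry.
# Assumes the key is upper case, as tnslsnr wrote it in the file above.
listeners_with_password() {
    sed -n 's/^[[:space:]]*PASSWORDS_\([A-Za-z0-9_]*\)[[:space:]]*=[[:space:]]*[^[:space:]].*$/\1/p' "$1"
}

# Succeed if listener $2 has a saved password in file $1.
# Whole-line, case-insensitive match: LISTENER does not match LISTENER1.
listener_has_password() {
    listeners_with_password "$1" | grep -i -x -- "$2" >/dev/null
}

# Succeed if the file is readable by group or other. Posts in this thread
# show the stored value being accepted by lsnrctl, so read access to the
# file amounts to knowing the password.
file_readable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print)" ]
}

# Report for one file: one line per protected listener plus a mode warning.
audit_listener_ora() {
    for name in $(listeners_with_password "$1"); do
        echo "$name: password set"
    done
    if file_readable_by_others "$1"; then
        echo "WARNING: $1 is readable by group/other"
    fi
}

# Constructed sample input (the value is a placeholder, not a real hash).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
LISTENER = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = hostA)(PORT = 1521)))
LISTENER1 = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = hostA)(PORT = 1522)))
#----ADDED BY TNSLSNR (constructed)---
PASSWORDS_LISTENER1 = 0000000000000000
# PASSWORDS_LISTENER = commented out, must not count
EOF
chmod 644 "$SAMPLE"
audit_listener_ora "$SAMPLE"
rm -f "$SAMPLE"
```

A listener that is defined in the file but absent from this report has no saved password entry.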
stop listener in script
A reader, August 08, 2006 - 7:33 pm UTC
Tom,
i have the database listener stop script:
........
.......
fi
else
printf "\nShutting down listener process $listener_name ...\n\n"
lsnrctl stop $listener_name >> $LOGFILE 2>&1
exit_code=$?
fi
printf "\n$program: exiting with status $exit_code\n"
exit $exit_code
I want to use the password to protect the listener. So I changed above "lsnrctl stop $listener_name >> $LOGFILE 2>&1
" To
"
lsnrctl << EOT >> $LOGFILE
set current_listener $listener_name
set password lpwd
stop $listener_name
exit
EOT
"
when i ran the script got the error:
$ ./oraclebase/product/8.1.7/appsutil/scripts/DBT3/addlnctl.sh stop DBT3
/oraclebase/product/8.1.7/appsutil/scripts/DBT3/addlnctl.sh: syntax error at line 114: `end of file' unexpected
I know this is a unix scripting problem. could you point out how can it be fixed?
TIA
August 09, 2006 - 10:35 am UTC
Using current software, you can use OS authentication. Which means no nasty trying to put passwords into scripts which sort of defeats having passwords.
you don't even mention your shell :(
this is a shell scripting error somewhere.
why don't you remove your redirection for a moment and run this with "-v" to get the verbose output, you might find the issue that way.
what is that?
A reader, August 09, 2006 - 2:07 pm UTC
<<Using current software, you can use OS authentication. Which means no nasty
trying to put passwords into scripts which sort of defeats having passwords.>>
what is that? example will help.
August 09, 2006 - 5:04 pm UTC
see metalink note 372717.1
lsnrctl reload
A reader, November 16, 2006 - 7:26 pm UTC
What is the difference between lsnrctl reload Vs <stop and start>
Do they achieve the same goal ?
Is it preferred to use reload over stop/start when the system needs to be online.
November 17, 2006 - 3:18 am UTC
one reloads the config files without stopping
the other stops and restarts.
in effect, both would have the same end result.
You tell me which you prefer to use.
A reader, November 17, 2006 - 10:24 am UTC
Then i prefer to use "lsnrctl reload" to avoid downtime of application.
Is there any known issue of issuing "reload" instead of "stop/start" which you are aware of.
November 19, 2006 - 4:03 pm UTC
nope
automating the password enabled listener shutdown/startup
Tom Evert, November 17, 2006 - 3:30 pm UTC
I only started writing shell scripts and I've got a script that stops/starts the password enabled listener with no password hardcoding. It took me a weekend of googling shell script commands but it's not that complex. I was a developer before becoming a DBA so I know a little bit about writing code. Have I misunderstood the discussion?
Regarding reload vs stop/start, it's been my observation that reload does not read the listener.ora file if you have one. Try corrupting your listener.ora file. You should still be able to reload but your lsnrctl start will fail after the stop.
The script below just does a start. Easy enough to clone into one that just does a stop or combine the two into one.
#!/bin/sh
#
# this script only works with password enabled listeners
#
. /home/oracle/work/oraenv.10g
#
RTC=1
# each password enabled listener will have an entry in listener.ora
# that reads PASSWORDS_listener_name = xxxxxxxxx
PASSWDS=PASSWORDS_
# check for specific listener input parameter and append to search string
if [ "$1" ]
then
PASSWDS=$PASSWDS$1
LISTIN=$1
else
LISTIN=A
fi
# spool the listener password lines into a file cutting out the first
# ten columns (PASSWORDS_)
cd $TNS_ADMIN
grep $PASSWDS listener.ora | cut -c11-80 > $HOME/xx.lst
XX=$HOME/xx.lst
# process the file
# if at least one entry processed set the return code to 0
# read the file by redirection rather than "cat | while": in many shells a
# piped loop runs in a subshell and the RTC=0 set below would be lost
while read LINE
do
# first field is listener name, second is =, third is password
LISTENER=`echo $LINE | awk '{print $1}' -`
LISTPASS=`echo $LINE | awk '{print $3}' -`
# retest because grepping LISTENER also retrieves LISTENER1
# or if no listener specified process all listeners
if [ "$1" ] && [ $LISTIN = $LISTENER ] || [ $# = 0 ]
then
RTC=0
lsnrctl <<EOF
set current_listener $LISTENER
set password $LISTPASS
start
exit
EOF
fi
done < $XX
# temp file cleanup
rm $HOME/xx.lst
if [ $RTC = 1 ]
then
echo "Listener " $1 " not found"
fi
exit $RTC
oops
Tom Evert, November 18, 2006 - 9:39 pm UTC
Forget my comments about the reload not reading listener.ora. Thought it happened but I can't reproduce it.
Removing the password from listener
Suraj Sharma, February 20, 2007 - 2:36 am UTC
Hi Tom,
For one of our clients, one application member has set a password for a database for listener and now we are not able to trace the person who set the same or what is the password at least. Now we want to remove the password and make the listener as it was before. Please let me know the best way out for the same. We are on HP-UX with Oracle 9i.
February 20, 2007 - 9:40 am UTC
edit the listener.ora, remove password.
listener password
Samuel, August 30, 2007 - 12:18 pm UTC
we are using 9.2.0.7.
There has been a recommendation to set password for listener. If we use non-default port number and also my understanding is that only Oracle user can start and stop the listener, then why do we need to set password for listener. One can log on to the server only if one knows password for user oracle..only then listener can be stopped..then is it redundant to have password for listener ? Thanks.
September 04, 2007 - 5:39 pm UTC
your understanding is incorrect - the port number doesn't restrict things like that.
listener password
Samuel, September 07, 2007 - 10:04 pm UTC
I could stop a listener on server A from server B as long as the name of the listener is LISTENER. Example:
serverB>lsnrctl stop serverA
The above command stops the listener from serverB. This is considered as a security issue in 9i and below 9i versions.
However, If I had a named listener (LISTENER_somename), can i stop it from another server? I tried with the following syntax.
serverB>lsnrctl stop LISTENER_somename serverA
It results in error as below.
LSNRCTL for IBM/AIX RISC System/6000: Version 9.2.0.7.0 - Production on 07-SEP-2007 20:52:35
Copyright (c) 1991, 2002, Oracle Corporation. All rights reserved.
NL-00857: wrong number (0 - 1 needed) of arguments to "stop"
If one cannot stop a named listener remotely, then password for listener is not needed. correct? My database version is 9.2.0.7. Thanks.
listener password
Samuel, September 12, 2007 - 9:39 pm UTC
Regarding above, what should I do to protect the listener on serverA from getting stopped remotely from serverB? Thanks,
do we really need a password for Listener?
Shankar, February 19, 2008 - 5:40 pm UTC
I have a "named" listener that listens on a non-default port number. I will be starting/stopping the listener only using oracle user account on the server. Do I still need a password to secure the listener? we are on 9.2.0.7 RDBMS. With non-default name for the listener that listens on non-default port number, can the listener be stopped from a remote server? Thanks.
February 20, 2008 - 8:15 am UTC
if i figure out your name and your port, sure.
what you describe is commonly referred to as "security by obscurity"
It might make you feel good, but it doesn't stop anyone.
Listener password
Dave, February 20, 2008 - 9:25 am UTC
Regarding your answer above..is this true in 10g as well that listener must have a password? Thanks.
February 20, 2008 - 9:55 am UTC
do you want it to? I mean what are you asking?
would you like to remotely administer it?
if so, would you like it to be protected by a password.
Kill the listener
Tony, February 20, 2008 - 11:18 am UTC
If I can't stop a listener because it has a password, I would do this.
ps -ef | grep list
kill <process_id>
Does this have any side effects?
February 20, 2008 - 12:50 pm UTC
well, that means you are root or the oracle software owner...
but anyway, it kills the tns listener and that is about it.