Skip to Main Content

Breadcrumb

Question and Answer

Connor McDonald

Thanks for the question, sudhakar.

Asked: March 03, 2017 - 5:41 am UTC

Last updated: March 07, 2017 - 9:36 am UTC

Version: 11.2.0.4

Viewed 1000+ times

You Asked

is the any specifics to valid_node_checking values 1/ON/local
If so in what situations each one to be used

We have rac one node setup
2 scan1 and scan2 are running in one node1
1 scan3 is running in node2

when we set valid_node_checking_<LISTENER>=ON
the dbservice in first node is not getting registered in scan3

but when we set valid_node_checking_<listener1>=1
the db service of first node is getting registered in scan3


thanks
sudhakar

and we said...

VNCR is supported for the cluster. Use MOS note 1914282.1 to ensure you've done all the required steps

===============================
How to Enable VNCR on RAC Database to Register only Local Instances (Doc ID 1914282.1)

Oracle Net Services - Version 11.2.0.4 to 12.1.0.2 [Release 11.2 to 12.1]
Oracle Database - Enterprise Edition - Version 11.2.0.4 to 12.1.0.2 [Release 11.2 to 12.1]
Information in this document applies to any platform.
GOAL

Starting with 11.2.0.4 we have the option of using VNCR to protect the listener from having remote/unknown instances registering to it.

See Note 1600630.1 Valid Node Checking For Registration (VNCR)


On 12.1 RAC databases, the parameter VALID_NODE_CHECKING_REGISTRATION_listener_name for both local and scan listeners is set by default to SUBNET/2 i.e. all machines in the subnet are allowed registration. This is done in order to allow registration to the local listeners and scan listeners from the instances on the other nodes of the RAC.

On 11.2.0.4 RAC databases, the parameter VALID_NODE_CHECKING_REGISTRATION_listener_name is set to off.

However, sometimes this allows other instances in the same subnet to register against these listeners. We want to prevent that and allow only local instances to that RAC database to be regsitered with these listeners.

SOLUTION

On 11.2.0.4:

To accomplish only local registration of the instances to local and scan listeners, the following settings will need to be made in listener.ora on all nodes:

VALID_NODE_CHECKING_REGISTRATION_LISTENER=1

VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=1
REGISTRATION_INVITED_NODES_LISTENER_SCAN1=(<list of public ip's of all nodes>)

VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN2=1
REGISTRATION_INVITED_NODES_LISTENER_SCAN2=(<list of public ip's of all nodes>)

VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN3=1
REGISTRATION_INVITED_NODES_LISTENER_SCAN3=(<list of public ip's of all nodes>)



For example, for a two node rac with two scan listeners, we will have on both nodes:

VALID_NODE_CHECKING_REGISTRATION_LISTENER=1

VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=1
REGISTRATION_INVITED_NODES_LISTENER_SCAN1=(node1,node2)

VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN2=1
REGISTRATION_INVITED_NODES_LISTENER_SCAN2=(node1,node2)



Having VALID_NODE_CHECKING_REGISTRATION_LISTENER and VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCANX set to 1 will allow local instances on that node to be registered. REGISTRATION_INVITED_NODES_LISTENER_SCANX parameter will add to the invited nodes all the instances on the other nodes. We will need to use public ip's of the nodes, even if the local listeners run only on VIP's (and not on both as ot is default in 11.2 and higher).



On 12c:

Starting with 12c, we can no longer set VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCANx=1 / REGISTRATION_INVITED_NODES_LISTENER_SCANx in listener.ora, as it will be overwritten by the agent. If we set 'invitednodes'/'invitedsubnets' using the srvctl utility, like below, then the agent will automatically set in listener.ora VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCANx to value 'SUBNET' and REGISTRATION_INVITED_NODES_LISTENER_SCANx to the specific list.

srvctl modify scan_listener {-update | -endpoints [TCP:]port[/IPC:key] [/NMP:pipe_name][/TCPS:s_port][/SDP:port] } [-invitednodes node_list] [-invitedsubnets subnet_list]

Note that in: In 11.2.0.4 '-invitednodes'/'-invitedsubnets' option for srvctl command is not available



Starting with 12c a new parameter is available, REMOTE_REGISTRATION_ADDRESS_<listener_name>. This parameter is configured internally in the SCAN listener to restrict registrations to the private network. The registration endpoint is on a private network within the cluster. All remote registration requests coming in on normal listening endpoints are redirected to the registration endpoint. Any system which is not a part of the cluster cannot connect to the endpoint.

The value of this parameter should not be modified or specified explicitly. The only supported explicit setting is for turning this feature off by setting the value to OFF. The value is OFF in non-SCAN listeners.


You can check its value by running:

lsnrctl show remote_registration_address <listener_name>

Example:

LSNRCTL>set current_listener LISTENER_SCAN1

LSNRCTL>show remote_registration_address


All the instances registration requests will be redirected to this private endpoint and only the instances from the same cluster will be able to register with the scan listeners. This is the alternative for VNCR settings on local listeners.

NOTE: In 12.1.0.2, the GI agent sets the remote_registration_address to HAIP or the private IP address by default. This is true for both local listener and scan_listener.
The agent turns the remote_registration_address to off if invited_nodes or invited_subnet (VNCR) is set using srvctl.
The agent also turns the remote_registration_address to off if invited_nodes or invited_subnet (VNCR) information is found in the listener.ora file.

Both database and the GRID home must be at version 12. If the database is pre 12 OR upgraded from 11g, the REMOTE_REGISTRATION_ADDRESS will not be set to HAIP. VNCR will not be enabled by default for those instances that have been upgraded from 11g.


As of 12.1.0.2 Grid Infrastructure, VCNR is enabled by default (since REMOTE_REGISTRATION_ADDRESS points only to internal IP address) and there is no additional step required.

If one wants to relax this default VCNR in 12.1.0.2, he can use srvctl modify invited_node or invited_subnet commands
================================



Rating

  (2 ratings)

Is this answer out of date? If it is, please let us know via a Comment

Comments

A reader, March 07, 2017 - 2:20 pm UTC


12cR1 still vulnerable to the TNS listener poison attack (CVE-2012-1675) by Joxean Koret

Norbert Debes, August 08, 2017 - 9:28 am UTC

In other words Oracle Corp. has failed to develop configuration tools for RAC installations that result in a cluster setup that is impervious to the TNS listener poison attack by Joxean Koret (CVE-2012-1675).
Quote from above Ask Tom post (comments in brackets are mine):
"On 12.1 RAC databases, the parameter VALID_NODE_CHECKING_REGISTRATION_listener_name for both local and scan listeners is set by default to SUBNET/2 i.e. all machines in the subnet are allowed registration. This is done in order to allow registration to the local listeners and scan listeners from the instances on the other nodes of the RAC.
[...]
However, sometimes [Sometimes? No! Always!] this allows other instances in the same subnet [which may include an entire unsegmented company network or hundresds of Windows desktop systems in the same subnet as the database server] to register against these listeners. We want to prevent that [otherwise CVE-2012-1675 applies] and allow only local instances to that RAC database to be regsitered with these listeners."

It gets worse than this. After a fresh installation of Grid Infrastructure (GI) for RAC on a two node Linux cluster with 12.1.0.2 the following totally unsafe settings were made in listener.ora by GI:
$ grep -i registration $ORACLE_HOME/network/admin/listener.ora
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=OFF             # line added by Agent
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN2=OFF             # line added by Agent
VALID_NODE_CHECKING_REGISTRATION_LISTENER=SUBNET                # line added by Agent
VALID_NODE_CHECKING_REGISTRATION_MGMTLSNR=SUBNET                # line added by Agent


Consistent with Oracle's other often inadequate documentation the manuals "Oracle® Grid Infrastructure Installation and Upgrade Guide 12c Release 2 (12.2) for Linux E49640-10 May 2017" and "Oracle® Database Security Guide 12c Release 1 (12.1) E48135-15 September 2016" fail to mention the command srvctl modify scan_listener -update -invitednodes <list of safe cluster node names> to restrict service registration.

The manual "Oracle® Clusterware Administration and Deployment Guide 12c Release 1 (12.1) E48819-08 January 2015" does mention the new switch -invited_nodes but states the nonsense below such that DBAs reading the section quoted below will think that no changes are required. Quote: "You can configure the listeners to accept service registrations from a different subnet. For example, you might want to configure this environment when SCAN listeners share with instances on different clusters, and nodes in those clusters are on a different subnet. Run the srvctl modfiy scan_listener -invitednodes -invitedsubnets command to include the nodes in this environment."
There simply are no interactions between SCAN listeners of different clusters. The paragraph makes no sense.

Conclusion: Oracle once again has failed to properly handle a security issue.