sqlnet.ora中进行下列参数的设置可以限制或允许用户从特定的客户机连接到数据库中。
tcp.validnode_checking=yes|no
tcp.invited_nodes=(ip|hostname,...)
tcp.excluded_nodes=(ip|hostname,...)
##如果是hostname 则需要在/etc/hosts 里面配置对应的ip
tcp.validnode_checking 参数确定是否对客户机IP地址进行检查;
tcp.invited_nodes 参数列举允许连接的客户机的IP地址;
tcp.excluded_nodes 参数列举不允许连接的客户机的IP地址。
需要注意的地方:
1、tcp.invited_nodes与tcp.excluded_nodes都存在,以tcp.invited_nodes为主
2、一定要许可或不要禁止服务器本机的IP地址,否则通过lsnrctl将不能启动或停止监听,因为该过程监听程序会通过本机的IP访问监听器,而该IP被禁止了,但是通过服务启动或关闭则不影响。
3、修改之后,分两种情况
如果是第一次使用sqlnet.ora 文件,则需要重启数据库。
如果之前已经使用了sqlnet.ora 则不需要重启数据库,reload 监听就可以!
4、任何平台都可以,但是只适用于TCP/IP协议
下面做实验测试访问控制:
环境:、
数据库:yangdb 主机名:rac3 ip 10.250.7.241
主机名:rac1 ip 10.250.7.225
在 yangdb 上面的sqlnet.ora 设置,在rac1服务器端进行访问!
场景一:修改文件,不启动监听
oracle@rac3:/opt/oracle/11.2.0/alifpre/network/admin>vi sqlnet.ora
tcp.validnode_checking=yes
#允许访问的ip
tcp.invited_nodes =(10.250.7.241,10.250.7.225)
#不允许访问的ip
#tcp.excluded_nodes=(ip1,ip2,…x…)
在rac1 端访问,显示TNS-12547: TNS:lost contact
oracle@rac1:/opt/rac/oracle/11.2.0/dbs/network/admin>tnsping yangdb
TNS Ping Utility for Linux: Version 11.2.0.1.0 - Production on 27-SEP-2011 21:50:35
Copyright (c) 1997, 2009, Oracle. All rights reserved.
Used parameter files:
Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = 10.250.7.241)(PORT = 1521)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = yangdb)))
TNS-12547: TNS:lost contact
oracle@rac1:/opt/rac/oracle/11.2.0/dbs/network/admin>tnsping yangdb
TNS Ping Utility for Linux: Version 11.2.0.1.0 - Production on 27-SEP-2011 21:53:58
Copyright (c) 1997, 2009, Oracle. All rights reserved.
Used parameter files:
Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = 10.250.7.241)(PORT = 1521)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = yangdb)))
TNS-12547: TNS:lost contact
oracle@rac1:/opt/rac/oracle/11.2.0/dbs/network/admin>tnsping yangdb
TNS Ping Utility for Linux: Version 11.2.0.1.0 - Production on 27-SEP-2011 21:54:49
Copyright (c) 1997, 2009, Oracle. All rights reserved.
Used parameter files:
Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = 10.250.7.241)(PORT = 1521)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = yangdb)))
TNS-12537: TNS:connection closed~
在 rac3 上进行reload 命令:
oracle@rac3:/opt/oracle/11.2.0/alifpre/network/admin>lsnrctl reload
LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 27-SEP-2011 21:55:05
Copyright (c) 1991, 2009, Oracle. All rights reserved.
Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
The command completed successfully
再次访问yangdb,则可以访问
在yangdb 上创建表
YANG@yangdb-rac3> create table yang1 as select * from dba_objects ;
Table created.
oracle@rac1:/opt/rac/oracle/11.2.0/dbs/network/admin>tnsping yangdb
TNS Ping Utility for Linux: Version 11.2.0.1.0 - Production on 27-SEP-2011 21:55:10
Copyright (c) 1997, 2009, Oracle. All rights reserved.
Used parameter files:
Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = 10.250.7.241)(PORT = 1521)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = yangdb)))
OK (10 msec)
oracle@rac1:/opt/rac/oracle/11.2.0/dbs/network/admin>sqlplus yang/yang@yangdb
SQL*Plus: Release 11.2.0.1.0 Production on Tue Sep 27 21:55:17 2011
Copyright (c) 1982, 2009, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
yang@YANGDB> select count(*) from yang1
COUNT(*)
----------
72508
yang@YANGDB> exit
场景二:修改rac3 上的sqlnet.ora 文件,进行reload操作,rac1 访问rac3的yangdb受限制
oracle@rac3:/opt/oracle/11.2.0/alifpre/network/admin>vi sqlnet.ora
tcp.validnode_checking=yes
#允许访问的ip
#tcp.invited_nodes =(10.250.7.241,10.250.7.225)
tcp.invited_nodes =(10.250.7.241)
#不允许访问的ip
#tcp.excluded_nodes=(ip1,ip2,…x…)
oracle@rac1:/opt/rac/oracle/11.2.0/dbs/network/admin>tnsping yangdb
TNS Ping Utility for Linux: Version 11.2.0.1.0 - Production on 27-SEP-2011 21:57:20
Copyright (c) 1997, 2009, Oracle. All rights reserved.
Used parameter files:
Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = 10.250.7.241)(PORT = 1521)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = yangdb)))
TNS-12537: TNS:connection closed
oracle@rac1:/opt/rac/oracle/11.2.0/dbs/network/admin>tnsping yangdb
TNS Ping Utility for Linux: Version 11.2.0.1.0 - Production on 27-SEP-2011 21:58:11
Copyright (c) 1997, 2009, Oracle. All rights reserved.
Used parameter files:
Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = 10.250.7.241)(PORT = 1521)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = yangdb)))
TNS-12547: TNS:lost contact
场景三 在sqlnet.ora 中同时设置 tcp.invited_nodes,tcp.excluded_nodes 以tcp.invited_nodes 为准!
oracle@rac3:/opt/oracle/11.2.0/alifpre/network/admin>vi sqlnet.ora
tcp.validnode_checking=yes
#允许访问的ip
tcp.invited_nodes =(10.250.7.241,10.250.7.225)
#tcp.invited_nodes =(10.250.7.241)
#不允许访问的ip
tcp.excluded_nodes=(10.250.7.225)
"sqlnet.ora" 7L, 186C 已写入
oracle@rac3:/opt/oracle/11.2.0/alifpre/network/admin>
oracle@rac3:/opt/oracle/11.2.0/alifpre/network/admin>lsnrctl reload
LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 27-SEP-2011 21:58:19
Copyright (c) 1991, 2009, Oracle. All rights reserved.
Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
The command completed successfully
oracle@rac3:/opt/oracle/11.2.0/alifpre/network/admin>
oracle@rac1:/opt/rac/oracle/11.2.0/dbs/network/admin>tnsping yangdb
TNS Ping Utility for Linux: Version 11.2.0.1.0 - Production on 27-SEP-2011 21:58:25
Copyright (c) 1997, 2009, Oracle. All rights reserved.
Used parameter files:
Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = 10.250.7.241)(PORT = 1521)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = yangdb)))
OK (0 msec)
