WHITE PAPER
Starting and stopping the CLEARTXT as well as ENCRYPTED listeners currently requires no password:
\---------------------------
| E1.veritas.com$ lsnrctl start CLEARTXT
|
| LSNRCTL for Solaris: Version 9.2.0.6.0 - Production on 08-SEP-2005 11:31:46
|
| Copyright (c) 1991, 2002, Oracle Corporation. All rights reserved.
|
| Starting /u00/oracle/product/9.2.0/bin/tnslsnr: please wait...
|
| TNSLSNR for Solaris: Version 9.2.0.6.0 - Production
| System parameter file is /u00/oracle/product/9.2.0/network/admin/listener.ora
| Log messages written to /u00/oracle/product/9.2.0/network/log/cleartxt.log
| Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=E1.veritas.com)(PORT=1528)))
|
| Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=e1.veritas.com)(PORT=1528)))
| STATUS of the LISTENER
| -----------------------
| Alias                     CLEARTXT
| Version                   TNSLSNR for Solaris: Version 9.2.0.6.0 - Production
| Start Date                08-SEP-2005 11:31:47
| Uptime                    0 days 0 hr. 0 min. 0 sec
| Trace Level               off
| Security                  OFF
| SNMP                      OFF
| Listener Parameter File   /u00/oracle/product/9.2.0/network/admin/listener.ora
| Listener Log File         /u00/oracle/product/9.2.0/network/log/cleartxt.log
| Listening Endpoints Summary...
|   (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=E1.veritas.com)(PORT=1528)))
| The listener supports no services
| The command completed successfully
| E1.veritas.com$
/---------------------------

\---------------------------
| E1.veritas.com$ lsnrctl start ENCRYPTED
|
| LSNRCTL for Solaris: Version 9.2.0.6.0 - Production on 08-SEP-2005 11:31:55
|
| Copyright (c) 1991, 2002, Oracle Corporation. All rights reserved.
|
| Starting /u00/oracle/product/9.2.0/bin/tnslsnr: please wait...
|
| TNSLSNR for Solaris: Version 9.2.0.6.0 - Production
| System parameter file is /u00/oracle/product/9.2.0/network/admin/listener.ora
| Log messages written to /u00/oracle/product/9.2.0/network/log/encrypted.log
| Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=E1.veritas.com)(PORT=1529)))
|
| Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=e1.veritas.com)(PORT=1529)))
| STATUS of the LISTENER
| -----------------------
| Alias                     ENCRYPTED
| Version                   TNSLSNR for Solaris: Version 9.2.0.6.0 - Production
| Start Date                08-SEP-2005 11:31:55
| Uptime                    0 days 0 hr. 0 min. 0 sec
| Trace Level               off
| Security                  OFF
| SNMP                      OFF
| Listener Parameter File   /u00/oracle/product/9.2.0/network/admin/listener.ora
| Listener Log File         /u00/oracle/product/9.2.0/network/log/encrypted.log
| Listening Endpoints Summary...
|   (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=E1.veritas.com)(PORT=1529)))
| The listener supports no services
| The command completed successfully
| E1.veritas.com$
/----------------------------
\---------------------------
| E1.veritas.com$ lsnrctl stop ENCRYPTED
|
| LSNRCTL for Solaris: Version 9.2.0.6.0 - Production on 08-SEP-2005 11:32:19
|
| Copyright (c) 1991, 2002, Oracle Corporation. All rights reserved.
|
| Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=e1.veritas.com)(PORT=1529)))
| The command completed successfully
| E1.veritas.com$
/---------------------------

\---------------------------
| E1.veritas.com$ lsnrctl stop CLEARTXT
|
| LSNRCTL for Solaris: Version 9.2.0.6.0 - Production on 08-SEP-2005 11:32:25
|
| Copyright (c) 1991, 2002, Oracle Corporation. All rights reserved.
|
| Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=e1.veritas.com)(PORT=1528)))
| The command completed successfully
| E1.veritas.com$
/----------------------------
| Current Listener is ENCRYPTED
| LSNRCTL> set save_config_on_stop on
| Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=e1.veritas.com)(PORT=1529)))
| ENCRYPTED parameter "save_config_on_stop" set to ON
| The command completed successfully
| LSNRCTL> change_password
| Old password: <- just hit enter
| New password: <- lsnrpwd
| Reenter new password: <- lsnrpwd
| Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=e1.veritas.com)(PORT=1529)))
| Password changed for ENCRYPTED
| The command completed successfully
| LSNRCTL>
/----------------------------
That failed because we configured a password with change_password, but did not set the required session-level password with set password. Let's try set password with the password given directly on the same line (which will fail), then enter the same password interactively (which will work):
\---------------------------
| LSNRCTL> set password lsnrpwd
| The command completed successfully
| LSNRCTL>
| LSNRCTL>
| LSNRCTL> stop
| Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=e1.veritas.com)(PORT=1529)))
| TNS-01169: The listener has not recognized the password
| LSNRCTL> set password
| Password: <- lsnrpwd
| The command completed successfully
| LSNRCTL>
| LSNRCTL>
| LSNRCTL> stop
| Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=e1.veritas.com)(PORT=1529)))
| The command completed successfully
| LSNRCTL>
| LSNRCTL> exit
| E1.veritas.com$
/----------------------------
Examining the changes made to our listener.ora file, we see the password was stored in an encrypted format:
\---------------------------
| E1.veritas.com$ diff listener.ora listener.ora.no_passwords
| 21,25d20
| <
| < #----ADDED BY TNSLSNR 08-SEP-2005 11:37:10--
| < SAVE_CONFIG_ON_STOP_ENCRYPTED = ON
| < PASSWORDS_ENCRYPTED = CF20C8417F556C6E
| < #-------------------------------------------
| E1.veritas.com$
/----------------------------
Now, let's set up a password for the CLEARTXT listener, which must be done by manually editing the listener.ora:
\---------------------------
| E1.veritas.com$ cp listener.ora listener.ora.encrypted_passwd_set_ONLY
| E1.veritas.com$ vi listener.ora
| E1.veritas.com$ diff listener.ora listener.ora.encrypted_passwd_set_ONLY
| 26,27d25
| <
| < PASSWORDS_CLEARTXT = (lsnrpwd)
| E1.veritas.com$
| E1.veritas.com$ lsnrctl start CLEARTXT
|
| LSNRCTL for Solaris: Version 9.2.0.6.0 - Production on 08-SEP-2005 11:42:11
|
| Copyright (c) 1991, 2002, Oracle Corporation. All rights reserved.
|
| Starting /u00/oracle/product/9.2.0/bin/tnslsnr: please wait...
|
| TNSLSNR for Solaris: Version 9.2.0.6.0 - Production
| System parameter file is /u00/oracle/product/9.2.0/network/admin/listener.ora
| Log messages written to /u00/oracle/product/9.2.0/network/log/cleartxt.log
| Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=E1.veritas.com)(PORT=1528)))
|
| Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=e1.veritas.com)(PORT=1528)))
| STATUS of the LISTENER
| -----------------------
| Alias                     CLEARTXT
| Version                   TNSLSNR for Solaris: Version 9.2.0.6.0 - Production
| Start Date                08-SEP-2005 11:42:11
| Uptime                    0 days 0 hr. 0 min. 0 sec
| Trace Level               off
| Security                  ON
| SNMP                      OFF
| Listener Parameter File   /u00/oracle/product/9.2.0/network/admin/listener.ora
| Listener Log File         /u00/oracle/product/9.2.0/network/log/cleartxt.log
| Listening Endpoints Summary...
|   (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=E1.veritas.com)(PORT=1528)))
| The listener supports no services
| The command completed successfully
| E1.veritas.com$
/----------------------------
| LSNRCTL> stop
| Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=e1.veritas.com)(PORT=1528)))
| The command completed successfully
| LSNRCTL>
| LSNRCTL>
| LSNRCTL> exit
| E1.veritas.com$
/----------------------------
Providing the password on the same line with set password worked because the password is stored in the listener.ora file as clear text. Now, let's try the ENCRYPTED listener once more:
\---------------------------
| E1.veritas.com$ lsnrctl
|
| LSNRCTL for Solaris: Version 9.2.0.6.0 - Production on 08-SEP-2005 12:29:37
|
| Copyright (c) 1991, 2002, Oracle Corporation. All rights reserved.
|
| Welcome to LSNRCTL, type "help" for information.
|
| LSNRCTL> set current_listener ENCRYPTED
| Current Listener is ENCRYPTED
| LSNRCTL> start
| Starting /u00/oracle/product/9.2.0/bin/tnslsnr: please wait...
|
| TNSLSNR for Solaris: Version 9.2.0.6.0 - Production
| System parameter file is /u00/oracle/product/9.2.0/network/admin/listener.ora
| Log messages written to /u00/oracle/product/9.2.0/network/log/encrypted.log
| Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=E1.veritas.com)(PORT=1529)))
|
| Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=e1.veritas.com)(PORT=1529)))
| STATUS of the LISTENER
| -----------------------
| Alias                     ENCRYPTED
| Version                   TNSLSNR for Solaris: Version 9.2.0.6.0 - Production
| Start Date                08-SEP-2005 13:11:41
| Uptime                    0 days 0 hr. 0 min. 0 sec
| Trace Level               off
| Security                  ON
| SNMP                      OFF
| Listener Parameter File   /u00/oracle/product/9.2.0/network/admin/listener.ora
| Listener Log File         /u00/oracle/product/9.2.0/network/log/encrypted.log
| Listening Endpoints Summary...
|   (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=E1.veritas.com)(PORT=1529)))
| The listener supports no services
| The command completed successfully
| LSNRCTL>
/----------------------------
As discussed above, attempting to use the clear text version of the password on the same line with set password will not work, but if we use the encrypted version from the listener.ora file, it works:
\---------------------------
| LSNRCTL>
| LSNRCTL> set password lsnrpwd
| The command completed successfully
| LSNRCTL>
| LSNRCTL>
| LSNRCTL> stop
| Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=e1.veritas.com)(PORT=1529)))
| TNS-01169: The listener has not recognized the password
| LSNRCTL>
| LSNRCTL>
| LSNRCTL> set password CF20C8417F556C6E <- this came from listener.ora
| The command completed successfully
| LSNRCTL>
| LSNRCTL>
| LSNRCTL> stop
| Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=e1.veritas.com)(PORT=1529)))
| The command completed successfully
| LSNRCTL> exit
| E1.veritas.com$
/----------------------------
So, to summarize the above exercises for an encrypted listener password:
- If you specify the clear text password on the same line as "set password", it does NOT work.
- If you type "set password", hit enter, then enter the clear text password interactively, it works (see example at top of file).
- If you specify the encrypted version on the same line, it works.
Because the VCS agent specifies the string on the same line, we must vcsencrypt the Oracle encrypted version, which is covered in the next section.
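Since the encrypted string is accepted as-is on the set password line, a listener.ora holding either form deserves the same care. The script below is an added example, not part of the original white paper or of the VCS agent: it reports, per listener, whether listener.ora holds no password, a clear text one or an Oracle-encrypted one, and whether the file is readable by group or other. The function names, the NOPASS listener and the rule that an encrypted value is a bare 16-hex-digit string are assumptions made for the example.

```sh
#!/bin/sh
# Added example: audit listener password settings in a listener.ora.
# Assumption: an Oracle-encrypted value is a bare 16-hex-digit string,
# like PASSWORDS_ENCRYPTED = CF20C8417F556C6E shown on this page.

# classify_listener FILE NAME -> prints none | cleartext | encrypted
classify_listener() {
    awk -v want="PASSWORDS_$2" '
        BEGIN { state = "none" }
        /^[ \t]*#/ { next }                  # skip comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key)           # trim the parameter name
            gsub(/[ \t()]/, "", val)         # drop blanks and ( ) around the value
            if (toupper(key) != toupper(want)) next
            if (val == "") state = "none"
            else if (length(val) == 16 && val ~ /^[0-9A-Fa-f]+$/) state = "encrypted"
            else state = "cleartext"
        }
        END { print state }
    ' "$1"
}

# readable_by_others FILE -> succeeds if group or other may read FILE
readable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print)" ]
}

# audit FILE NAME... -> one finding per listener, plus a permission finding
audit() {
    file=$1; shift
    for name in "$@"; do
        case $(classify_listener "$file" "$name") in
            none)      echo "$name: no password; start/stop needs none" ;;
            cleartext) echo "$name: clear-text password stored in file" ;;
            encrypted) echo "$name: encrypted string; usable as-is with set password" ;;
        esac
    done
    if readable_by_others "$file"; then
        echo "$file: readable by group/other"
    fi
}

# Constructed sample built from the two settings shown on this page.
# NOPASS is a hypothetical listener with no PASSWORDS_ entry.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
#----ADDED BY TNSLSNR 08-SEP-2005 11:37:10--
SAVE_CONFIG_ON_STOP_ENCRYPTED = ON
PASSWORDS_ENCRYPTED = CF20C8417F556C6E

PASSWORDS_CLEARTXT = (lsnrpwd)
EOF
chmod 644 "$sample"
audit "$sample" CLEARTXT ENCRYPTED NOPASS
```

A clear text password that happens to be exactly 16 hex digits would be reported as encrypted, so treat that classification as a hint rather than proof.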
The Oracle encrypted version of the password must be provided when vcsencrypting the string for the ENCRYPTED listener. This is necessary because the LsnrTest.pl script specifies the password on the same line with the set password command. The easy way to remember: encrypt the string stored in the listener.ora file. Even if the string is already encrypted by Oracle, we still need to vcsencrypt it, so that the agent can pass the password on the same line with the set password command in lsnrctl.
SUMMARY
The agent user's guide (http://support.veritas.com/docs/265404) provides a detailed overview of configuring the Oracle and Netlsnr agents, but does not include examples. When accompanied by this document, re-encrypting the Oracle listener password that was already encrypted by Oracle should hopefully be less confusing. Please do not hesitate to contact Symantec, formerly VERITAS, Support if we may be of any assistance.
| Starting /u00/oracle/product/9.2.0/bin/tnslsnr: please wait...
|
| TNSLSNR for Solaris: Version 9.2.0.6.0 - Production
| System parameter file is /u00/oracle/product/9.2.0/network/admin/listener.ora
| Log messages written to /u00/oracle/product/9.2.0/network/log/cleartxt.log
| Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=E1.veritas.com)(PORT=1528)))
|
| Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=e1.veritas.com)(PORT=1528)))
| STATUS of the LISTENER
| -----------------------
| Alias                     CLEARTXT
| Version                   TNSLSNR for Solaris: Version 9.2.0.6.0 - Production
| Start Date                08-SEP-2005 13:30:32
| Uptime                    0 days 0 hr. 0 min. 0 sec
| Trace Level               off
| Security                  ON
| SNMP                      OFF
| Listener Parameter File   /u00/oracle/product/9.2.0/network/admin/listener.ora
| Listener Log File         /u00/oracle/product/9.2.0/network/log/cleartxt.log
| Listening Endpoints Summary...
|   (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=E1.veritas.com)(PORT=1528)))
| The listener supports no services
| The command completed successfully
| +====================================================================+
| 2005/09/08 13:30:32 VCS NOTICE V-16-20002-40 (E1) Netlsnr:encrypted_listener:online:lsnrctl returned the following output
| +--------------------------------------------------------------------+
| LD_LIBRARY_PATH - /usr/lib:
|
| LSNRCTL for Solaris: Version 9.2.0.6.0 - Production on 08-SEP-2005 13:30:31
|
| Copyright (c) 1991, 2002, Oracle Corporation. All rights reserved.
|
| Starting /u00/oracle/product/9.2.0/bin/tnslsnr: please wait...
|
| TNSLSNR for Solaris: Version 9.2.0.6.0 - Production
| System parameter file is /u00/oracle/product/9.2.0/network/admin/listener.ora
| Log messages written to /u00/oracle/product/9.2.0/network/log/encrypted.log
| Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=E1.veritas.com)(PORT=1529)))
|
| Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=e1.veritas.com)(PORT=1529)))
| STATUS of the LISTENER
| -----------------------
| Alias                     ENCRYPTED
| Version                   TNSLSNR for Solaris: Version 9.2.0.6.0 - Production
| Start Date                08-SEP-2005 13:30:32
| Uptime                    0 days 0 hr. 0 min. 0 sec
| Trace Level               off
| Security                  ON
| SNMP                      OFF
| Listener Parameter File   /u00/oracle/product/9.2.0/network/admin/listener.ora
| Listener Log File         /u00/oracle/product/9.2.0/network/log/encrypted.log
| Listening Endpoints Summary...
|   (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=E1.veritas.com)(PORT=1529)))
| The listener supports no services
| The command completed successfully
| +====================================================================+
| 2005/09/08 13:30:34 VCS INFO V-16-1-10298 Resource encrypted_listener (Owner: unknown, Group: listener_tests) is online on E1 (VCS initiated)
| 2005/09/08 13:30:34 VCS INFO V-16-1-10298 Resource cleartxt_listener (Owner: unknown, Group: listener_tests) is online on E1 (VCS initiated)
| 2005/09/08 13:30:34 VCS NOTICE V-16-1-10447 Group listener_tests is online on system E1
| 2005/09/08 13:30:35 VCS INFO V-16-6-15002 (E1) hatrigger:hatrigger executed /opt/VRTSvcs/bin/triggers/nfs_restart listener_tests successfully
| 2005/09/08 13:30:35 VCS INFO V-16-6-15004 (E1) hatrigger:Failed to send trigger for postonline; script doesn't exist
|
| [E1.veritas.com]# hastatus -sum
|
| -- SYSTEM STATE
| -- System               State                Frozen
|
| A  E1                   RUNNING              0
| A  E3                   RUNNING              0
|
| -- GROUP STATE
| -- Group           System               Probed     AutoDisabled    State
|
| B  ClusterService  E1                   Y          N               ONLINE
| B  ClusterService  E3                   Y          N               OFFLINE
| B  VxSS            E1                   Y          N               ONLINE
| B  VxSS            E3                   Y          N               ONLINE
| B  cvm             E1                   Y          N               ONLINE
| B  cvm             E3                   Y          N               ONLINE
| B  fastt_test      E1                   Y          N               OFFLINE
| B  fastt_test      E3                   Y          N               OFFLINE
| B  listener_tests  E1                   Y          N               ONLINE
| [E1.veritas.com]#
|
|
| [E1.veritas.com]# hagrp -offline listener_tests -sys E1
| [E1.veritas.com]# 2005/09/08 13:31:12 VCS INFO V-16-1-50135 User root fired command: hagrp -offline listener_tests E1 from localhost
| 2005/09/08 13:31:12 VCS NOTICE V-16-1-10167 Initiating manual offline of group listener_tests on system E1
| 2005/09/08 13:31:12 VCS NOTICE V-16-1-10300 Initiating Offline of Resource cleartxt_listener (Owner: unknown, Group: listener_tests) on System E1
| 2005/09/08 13:31:12 VCS NOTICE V-16-1-10300 Initiating Offline of Resource encrypted_listener (Owner: unknown, Group: listener_tests) on System E1
| 2005/09/08 13:31:13 VCS INFO V-16-20002-40 (E1) Netlsnr:cleartxt_listener:offline:lsnrctl returned the following output
| +--------------------------------------------------------------------+
| LD_LIBRARY_PATH - /usr/lib:
|
| LSNRCTL for Solaris: Version 9.2.0.6.0 - Production on 08-SEP-2005 13:31:12
|
| Copyright (c) 1991, 2002, Oracle Corporation. All rights reserved.
|
| Welcome to LSNRCTL, type help for information.
|
| LSNRCTL> Current Listener is CLEARTXT
| LSNRCTL> The command completed successfully
| LSNRCTL> Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=e1.veritas.com)(PORT=1528)))
| The command completed successfully
| LSNRCTL> +====================================================================+
| 2005/09/08 13:31:13 VCS INFO V-16-20002-40 (E1) Netlsnr:encrypted_listener:offline:lsnrctl returned the following output
| +--------------------------------------------------------------------+
| LD_LIBRARY_PATH - /usr/lib:
|
| LSNRCTL for Solaris: Version 9.2.0.6.0 - Production on 08-SEP-2005 13:31:12
|
| Copyright (c) 1991, 2002, Oracle Corporation. All rights reserved.
|
| Welcome to LSNRCTL, type help for information.
|
| LSNRCTL> Current Listener is ENCRYPTED
| LSNRCTL> The command completed successfully
| LSNRCTL> Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=e1.veritas.com)(PORT=1529)))
| The command completed successfully
| LSNRCTL> +====================================================================+
| 2005/09/08 13:31:13 VCS WARNING V-16-20002-207 (E1) Netlsnr:cleartxt_listener:monitor:Open for tnslsnr failed, setting cookie to null
| 2005/09/08 13:31:13 VCS WARNING V-16-20002-207 (E1) Netlsnr:encrypted_listener:monitor:Open for tnslsnr failed, setting cookie to null
| 2005/09/08 13:31:13 VCS INFO V-16-1-10305 Resource cleartxt_listener (Owner: unknown, Group: listener_tests) is offline on E1 (VCS initiated)
| 2005/09/08 13:31:13 VCS INFO V-16-1-10305 Resource encrypted_listener (Owner: unknown, Group: listener_tests) is offline on E1 (VCS initiated)
| 2005/09/08 13:31:13 VCS NOTICE V-16-1-10446 Group listener_tests is offline on system E1
| 2005/09/08 13:31:13 VCS INFO V-16-6-15004 (E1) hatrigger:Failed to send trigger for postoffline; script doesn't exist
| [E1.veritas.com]#
| [E1.veritas.com]#
|
| [E1.veritas.com]# hastatus -sum
|
| -- SYSTEM STATE
| -- System               State                Frozen
|
| A  E1                   RUNNING              0
| A  E3                   RUNNING              0
|
| -- GROUP STATE
| -- Group           System               Probed     AutoDisabled    State
|
| B  ClusterService  E1                   Y          N               ONLINE
| B  ClusterService  E3                   Y          N               OFFLINE
| B  VxSS            E1                   Y          N               ONLINE
| B  VxSS            E3                   Y          N               ONLINE
| B  cvm             E1                   Y          N               ONLINE
| B  cvm             E3                   Y          N               ONLINE
| B  fastt_test      E1                   Y          N               OFFLINE
| B  fastt_test      E3                   Y          N               OFFLINE
| B  listener_tests  E1                   Y          N               OFFLINE
| [E1.veritas.com]#
/----------------------------
For additional information about VERITAS Software, its products, or the location of an office near you, please call our corporate headquarters or visit our Web site at www.veritas.com.
Copyright 2005 VERITAS Software Corporation. All rights reserved. VERITAS, the VERITAS Logo and all other VERITAS product names and slogans are trademarks or registered trademarks of VERITAS Software Corporation. VERITAS, the VERITAS Logo Reg. U.S. Pat. & Tm. Off. Other product names and/or slogans mentioned herein may be trademarks or registered trademarks of their respective companies. Specifications and product offerings subject to change without notice.