
How to set the Oracle database listener password

This short paper shows how to set a password for the Oracle listener. The password can be stored either encrypted or unencrypted. Obviously I would not recommend setting clear text passwords: whilst in some cases these can be made reasonably secure, the problem is that the password is stored in clear text in a file. For completeness I will show both methods:

Setting an Oracle listener password in clear text

The listener password can be set in clear text as follows. (Note that it is possible to set more than one listener password in this way.)

Open the $ORACLE_HOME/network/admin/listener.ora file and locate the name of your listener. For instance, my listener has the default name LISTENER. I can see this in the following lines:

	
	LISTENER =
  	(DESCRIPTION_LIST =
  						

The listener name is on the line starting LISTENER =. Simply add a line to this file in the following format:

  	PASSWORDS_{LISTENER_NAME}=somesecretpassword
  						

That is, in my case, where the listener is called LISTENER:

	PASSWORDS_LISTENER=somesecretpassword  						
  						

You can also set multiple passwords as follows:

  	PASSWORDS_LISTENER=(somesecretpassword,anothersecret)
  						
Setting an encrypted Oracle listener password

As I said, clear text is not the best way to secure your listener. The password should be set encrypted, as follows:

	C:\oracle\ora90\network\admin>lsnrctl
	
	LSNRCTL for 32-bit Windows: Version 9.2.0.1.0 - Production on 24-FEB-2004 11:27:55
	
	Copyright (c) 1991, 2002, Oracle Corporation.  All rights reserved.
	
	Welcome to LSNRCTL, type "help" for information.
	
	LSNRCTL> set current_listener listener
	Current Listener is listener
	LSNRCTL> change_password
	Old password:
	New password:
	Reenter new password:
	Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC0)))
	Password changed for listener
	The command completed successfully
	LSNRCTL> set password
	Password:
	The command completed successfully
	LSNRCTL> save_config
	Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC0)))
	Saved LISTENER configuration parameters.
	Listener Parameter File   C:\oracle\ora90\network\admin\listener.ora
	Old Parameter File   C:\oracle\ora90\network\admin\listener.bak
	The command completed successfully
	LSNRCTL>						
  						

You must save the configuration after setting the password, otherwise it will be lost. You can also check what was generated by looking in the listener.ora file. This is what was generated by the above commands:

	#----ADDED BY TNSLSNR 24-FEB-2004 11:29:18---
	PASSWORDS_LISTENER = F0354118688257FB
	#--------------------------------------------					
  						

Should you want to remove the listener password, do the following:

	C:\oracle\ora90\network\admin>lsnrctl
	
	LSNRCTL for 32-bit Windows: Version 9.2.0.1.0 - Production on 24-FEB-2004 11:32:05
	
	Copyright (c) 1991, 2002, Oracle Corporation.  All rights reserved.
	
	Welcome to LSNRCTL, type "help" for information.
	
	LSNRCTL> set password
	Password:
	The command completed successfully
	LSNRCTL> stop
	Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC0)))
	The command completed successfully
	LSNRCTL>  						
  						

Edit the listener.ora file to remove the lines added above, then restart the listener as follows:

	C:\oracle\ora90\network\admin>lsnrctl
	
	LSNRCTL for 32-bit Windows: Version 9.2.0.1.0 - Production on 24-FEB-2004 11:33:34
	
	Copyright (c) 1991, 2002, Oracle Corporation.  All rights reserved.
	
	Welcome to LSNRCTL, type "help" for information.
	
	LSNRCTL> start
	Starting tnslsnr: please wait...
	
	TNSLSNR for 32-bit Windows: Version 9.2.0.1.0 - Production
	System parameter file is C:\oracle\ora90\network\admin\listener.ora
	Log messages written to C:\oracle\ora90\network\log\listener.log
	Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC0ipc)))
	Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=zulia)(PORT=1521)))
	
	Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC0)))
	STATUS of the LISTENER
	------------------------
	Alias                     LISTENER
	Version                   TNSLSNR for 32-bit Windows: Version 9.2.0.1.0 - Production
	Start Date                24-FEB-2004 11:33:38
	Uptime                    0 days 0 hr. 0 min. 2 sec
	Trace Level               off
	Security                  OFF
	SNMP                      OFF
	Listener Parameter File   C:\oracle\ora90\network\admin\listener.ora
	Listener Log File         C:\oracle\ora90\network\log\listener.log
	Listening Endpoints Summary...
	  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC0ipc)))
	  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=zulia)(PORT=1521)))
	Services Summary...
	Service "PLSExtProc" has 1 instance(s).
	  Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
	Service "sans" has 1 instance(s).
	  Instance "sans", status UNKNOWN, has 1 handler(s) for this service...
	The command completed successfully
	LSNRCTL>  						
  						

That's it! You should always protect your listener with a password. This is a basic security requirement. If the listener is not password protected then it can be shut down remotely, have its configuration changed, or be used to hack your server.
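
A way to check the result across a whole listener.ora, as an added example (not part of the original paper): it reports, per listener, whether a PASSWORDS_ entry is missing, clear text or encrypted. It assumes that a listener definition is a top-level parameter whose value starts with (DESCRIPTION or (ADDRESS, and that an encrypted value is 16 hex digits, the shape of the value lsnrctl generated above; LISTENER2, LISTENER3 and the function names are illustrative.

```python
import re

# Constructed sample listener.ora. LISTENER carries the encrypted value shown
# on this page; LISTENER2, LISTENER3 and their settings are made up.
SAMPLE = """\
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = zulia)(PORT = 1521))))
#----ADDED BY TNSLSNR 24-FEB-2004 11:29:18---
PASSWORDS_LISTENER = F0354118688257FB
LISTENER2 =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = zulia)(PORT = 1522)))
PASSWORDS_LISTENER2 = (somesecretpassword,anothersecret)
LISTENER3 =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = zulia)(PORT = 1523)))
"""

PARAM = re.compile(r"^([A-Za-z_][\w.]*)\s*=\s*(.*)$")  # NAME = value in column one
HASHED = re.compile(r"^[0-9A-Fa-f]{16}$")  # assumed shape of the lsnrctl value
LISTENER_DEF = re.compile(r"\(\s*(DESCRIPTION|ADDRESS)", re.I)

def parse_params(text):
    """Return {NAME: value}; indented lines continue the previous parameter."""
    params, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        m = None if line[0].isspace() else PARAM.match(line)
        if m:
            current = m.group(1).upper()
            params[current] = m.group(2).strip()
        elif current:
            params[current] += line.strip()
    return params

def audit(text):
    """Map each listener name to 'none', 'cleartext' or 'encrypted'."""
    params, result = parse_params(text), {}
    # SID_LIST_*, PASSWORDS_* and other parameters are not listener definitions
    listeners = [n for n, v in params.items() if LISTENER_DEF.match(v)]
    for name in listeners:
        pw = params.get("PASSWORDS_" + name)
        if pw is None:
            result[name] = "none"
        elif all(HASHED.match(v.strip()) for v in pw.strip("()").split(",")):
            result[name] = "encrypted"
        else:
            result[name] = "cleartext"
    return result
```

Call audit() on the contents of your own listener.ora. A clear text password that happens to be 16 hex digits would be reported as encrypted, so treat "encrypted" as a shape check only.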


