Lesson 12: Securing the Oracle Listener with a Password
Objective: Demonstrate how to securely set, encrypt, and manage the Oracle Listener password using recommended best practices.

Securing the Oracle Listener with a Password using Oracle 23ai

The Oracle Listener is a critical network service that directs client connection requests to the database. If left unprotected, unauthorized users could stop, start, or alter listener settings. This lesson explains how to secure the listener with a password, beginning with operating system–level security and progressing to modern Oracle 19c/23ai best practices.

1. Restricting Listener Control at the OS Level

Restricting file execution and read permissions helps prevent unauthorized control of the listener.

# Allow only the Oracle owner to run LSNRCTL
chmod 744 $ORACLE_HOME/bin/lsnrctl

# Allow Oracle owner and DBA group members
chmod 774 $ORACLE_HOME/bin/lsnrctl

# Restrict read access to listener.ora
chmod 700 $ORACLE_HOME/network/admin/listener.ora

On Windows, use **File Properties → Security** to restrict access to the Oracle service account.
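
The following script is an added example, not part of the original lesson: it audits the two files against the modes shown above and reports any that grant more access than the lesson's chmod commands allow. The function names are hypothetical, and the forbidden-bit masks are derived from the 744/774 and 700 values in this section.

```shell
#!/bin/sh
# Added example: audit the file modes from section 1 of the lesson.
# Function names are hypothetical; paths are passed in by the caller.

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# check_file <path> <forbidden-octal-mask> <description of forbidden access>
# Succeeds only if none of the forbidden bits are set on the file.
check_file() {
    mode=$(file_mode "$1") || { echo "FAIL $1: cannot read file mode"; return 1; }
    if [ $(( 0$mode & 0$2 )) -ne 0 ]; then
        echo "FAIL $1: mode $mode grants $3"
        return 1
    fi
    echo "OK   $1: mode $mode"
}

# audit_listener_files <lsnrctl path> <listener.ora path>
# Returns the number of findings (0 means both files pass).
audit_listener_files() {
    findings=0
    # lsnrctl: 744 and 774 both pass; letting others write or execute fails.
    check_file "$1" 003 "write or execute to others" || findings=$((findings + 1))
    # listener.ora: 700 passes; any group or other access fails.
    check_file "$2" 077 "access to group or others" || findings=$((findings + 1))
    return "$findings"
}

# Run against a real installation only when ORACLE_HOME is set.
if [ -n "${ORACLE_HOME:-}" ]; then
    audit_listener_files "$ORACLE_HOME/bin/lsnrctl" \
                         "$ORACLE_HOME/network/admin/listener.ora"
fi
```

A non-zero exit status from audit_listener_files is the count of files that failed, so the script can be dropped into a scheduled compliance check.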

2. Encrypting the Listener Password

In current Oracle releases, listener passwords are encrypted automatically when set using the lsnrctl utility. Never type a clear-text password directly into listener.ora.

When you use:

LSNRCTL> CHANGE_PASSWORD

and then:

LSNRCTL> SAVE_CONFIG

Oracle writes the encrypted password hash into listener.ora. This prevents exposure of the password to unauthorized users.

3. Understanding SET PASSWORD vs. CHANGE_PASSWORD

It's important to distinguish between these two commands:
  • SET PASSWORD – Authenticates your current lsnrctl session using the existing listener password.
  • CHANGE_PASSWORD – Updates the stored listener password (and requires you to provide the old password first).

4. Changing the Listener Password

Example: Changing the password from admin01 to secure01:

LSNRCTL> SET PASSWORD
Password: admin01   -- Authenticate to the listener

LSNRCTL> CHANGE_PASSWORD
Old password: admin01
New password: secure01
Reenter new password: secure01

Password changed for LISTENER
The command completed successfully

LSNRCTL> SAVE_CONFIG

The SAVE_CONFIG command writes the encrypted password to listener.ora and creates a backup file (listener.bak).

5. Using a Temporary Listener Password

A temporary listener password can be set for the current session only:

lsnrctl set password

This password is valid until the listener process stops and is not written to listener.ora.

6. Recommended Modern Practice

For Oracle 19c and 23ai, use the Secure External Password Store (SEPS) or Oracle Wallet for maximum security:
  • No credentials stored in listener.ora
  • Centralized, encrypted password management
  • Integration with advanced Oracle security features

This approach further reduces the risk of credential exposure.

Conclusion

Securing the Oracle Listener with a password is essential to protect database connectivity and configuration. Always use lsnrctl to set or change passwords so that they are encrypted, and complement this with OS-level restrictions and, where possible, Oracle Wallet integration.
