
Lesson 12: Setting a listener password
Objective: Explain where the password is stored and how to specify the password.

Setting Oracle Listener Password

To start Oracle's listener process, you invoke the Oracle program called LSNRCTL (the Listener Control utility) in the $ORACLE_HOME/bin directory. There are several ways to prevent unauthorized people from starting the listener.

The chmod command

The first approach is to use the UNIX chmod command to protect the execution permissions of the LSNRCTL program at the UNIX level. For example, you can alter the LSNRCTL program to allow only the Oracle owner to start the listener by entering chmod 744 $ORACLE_HOME/bin/lsnrctl. Or, you can allow all members of the DBA group to start the listener by entering chmod 774 $ORACLE_HOME/bin/lsnrctl.

Encrypting the password

Another approach is to specify that the listener password be encrypted when it appears in the listener.ora file. This is done via a check box in the Oracle Net Assistant. (The check box is selected by default.)
Encrypting the password enhances network security, ensuring that the password stored in the listener.ora file cannot be read by people who are not authorized to perform DBA tasks against the listener. If you do not encrypt the password, it appears in listener.ora as clear text.

Requiring a password

You can also protect the listener at the Oracle level by requiring a password. Because the password text is stored in the listener.ora file, it is important to remove read access so that unauthorized users cannot see the password. This is done by entering chmod 700 listener.ora in UNIX.
Following is an example of the line that can be added to the listener.ora file to require the password "jacob" whenever the listener is started, stopped, or reloaded:

passwords_listener=(jacob)
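
As an added example (not part of the original lesson or of any Oracle tooling), the following shell function checks a listener.ora for the two exposures described above: group/other permission bits that chmod 700 would have removed, and a passwords_<listener> entry stored as clear text. The function names, the finding labels, and the rule that an encrypted value is exactly 16 hexadecimal characters are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a listener.ora for readable permissions and
# clear-text listener passwords. Names and labels here are hypothetical.

# Prints one finding per line; returns 1 if anything was flagged, else 0.
audit_listener_ora() {
    file=$1
    rc=0
    # Characters 5-10 of `ls -l` output are the group and other permission
    # bits; after the lesson's `chmod 700 listener.ora` they are all "-".
    go_bits=$(ls -ld "$file" | cut -c5-10)
    if [ "$go_bits" != "------" ]; then
        echo "PERMS group/other bits set ($go_bits)"
        rc=1
    fi
    # Find passwords_<listener>=(value) entries, skipping comment lines.
    # Assumption: an encrypted value is exactly 16 hexadecimal characters.
    pw=$(awk '
        /^[ \t]*#/ { next }
        tolower($0) ~ /^[ \t]*passwords_[a-z0-9_]+[ \t]*=/ {
            seen = 1
            name = $0; sub(/[ \t]*=.*/, "", name); sub(/^[ \t]+/, "", name)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/[() \t]/, "", val)
            if (length(val) != 16 || val !~ /^[0-9A-Fa-f]+$/)
                print "CLEARTEXT " name " holds a readable password"
        }
        END { if (!seen) print "NOPASSWORD no passwords_<listener> entry" }
    ' "$file")
    if [ -n "$pw" ]; then
        printf '%s\n' "$pw"
        rc=1
    fi
    return $rc
}

# Demo on a constructed file that holds the lesson's sample entry.
demo() {
    tmp=$(mktemp) || return 2
    printf '%s\n' '# constructed sample' 'passwords_listener=(jacob)' > "$tmp"
    chmod 644 "$tmp"
    audit_listener_ora "$tmp"
    demo_rc=$?
    rm -f "$tmp"
    return $demo_rc
}

demo || true
```

Run it against the real file with audit_listener_ora followed by the path to listener.ora; an empty result with exit status 0 means neither exposure was found.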

Once the passwords_listener entry has been placed into the listener.ora file, you will need to use the SET PASSWORD command before issuing the lsnrctl start, lsnrctl stop, or lsnrctl reload commands. Now let's take the opportunity to see how to store a password and start the listener with a password.
The first step is to add the password to the listener.ora file. (The listener.ora file is located in /etc or /var/opt/oracle on most UNIX servers.) You simply add the text passwords_listener=don to the listener.ora file. Next, you stop and restart your listener.
The second step is to set the listener password. You can set the password dynamically for a running listener. Of course, this password will only be in effect until the listener is stopped. To set a temporary listener password, enter the UNIX command:
lsnrctl set password

Example:

The following shows a new password of takd01 being set:
LSNRCTL> CHANGE_PASSWORD
Old password:
New password: takd01
Reenter new password: takd01
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)
(HOST=sales-server)(PORT=1521)))
Password changed for LISTENER
The command completed successfully
LSNRCTL> SAVE_CONFIG
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)
(HOST=sales-server)(PORT=1521)))
Saved LISTENER configuration parameters.
Listener Parameter File /oracle/network/admin/listener.ora
Old Parameter File /oracle/network/admin/listener.bak
The command completed successfully

The following shows the password being changed from takd01 to smd01:
LSNRCTL> SET PASSWORD
Password: takd01
The command completed successfully
LSNRCTL> CHANGE_PASSWORD
Old password: takd01
New password: smd01
Reenter new password: smd01
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)
(HOST=sales-server)(PORT=1521)))
Password changed for LISTENER
The command completed successfully
LSNRCTL> SAVE_CONFIG