Hanh Nguyen

How To Start/Stop A Password Protected Listener From A Script

Please note that the indications below are strictly informative and they do not imply any security guarantee on Oracle’s behalf.

A1: Starting the listener is possible whether or not it is password protected. Administering the listener, including stopping it, requires authentication (for listener versions earlier than 10g, with the previously set password).

A generic suggested solution for an automated shutdown script is the following under the Oracle user (for Unix platforms):

#!/bin/sh

lsnrctl << EOF
set current_listener listener_name
set password encrypted_password
stop
exit
EOF

For Windows platforms you can have a batch file named listdown.bat as follows (please replace %ORACLE_HOME% with the path to your Oracle installation home):

@echo off
%ORACLE_HOME%\bin\lsnrctl @D:\listdowncmd.txt

with the contents of D:\listdowncmd.txt being:

set current_listener listener_name
set password encrypted_password
stop

For both platforms, replace listener_name with the name of the listener profile you want to stop (for the default listener use LISTENER, or simply drop the "set current_listener" line) and encrypted_password with the value found in the PASSWORDS_listener_name entry of your LISTENER.ORA file.

In particular, Oracle 10g introduced a listener feature ("Local OS Authentication"), enabled by default, which lets the OS user that started the listener administer it without supplying a password. In that case a plain "lsnrctl stop listener_name" run as the Oracle user is sufficient.

If you want to disable this feature, add "LOCAL_OS_AUTHENTICATION_listener_name = OFF" to LISTENER.ORA. Note that in this situation, due to a change in Oracle 10g, you must replace encrypted_password with the plain-text password set on the listener, not the encrypted value found in LISTENER.ORA.

For Oracle 8i and 9i you can use one of the above sample scripts to stop a password protected listener. See the next section for a proposed shutdown script for Unix platforms.
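As an added example that is not part of the Oracle note, the following POSIX sh script does what the sample above does, but reads the encrypted value out of LISTENER.ORA at run time instead of hard-coding it in the script. It assumes lsnrctl is on the PATH, that the entry has the 8i/9i form PASSWORDS_<name> = (value), and the file name lsnr_stop.sh; the optional third argument substitutes another command (for instance cat) for lsnrctl so the generated command stream can be inspected on a machine without a listener.

```shell
#!/bin/sh
# lsnr_stop.sh: stop a password-protected listener non-interactively.
# Added example, not Oracle's script; file names and arguments are assumptions.
set -u

# Print the PASSWORDS_<listener> value from a listener.ora file. Accepts the
# value with or without parentheses/quotes and ignores a trailing comment.
# Returns 1 if no such entry exists.
lsnr_password_from_ora() {
    ora_file=$1
    name=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    pw=$(sed -n \
        "s/^[[:space:]]*PASSWORDS_${name}[[:space:]]*=[[:space:]]*(\{0,1\}\([^)#[:space:]]*\))\{0,1\}.*/\1/p" \
        "$ora_file" | head -n 1 | tr -d '[:space:]"')
    [ -n "$pw" ] || return 1
    printf '%s\n' "$pw"
}

# Emit the lsnrctl command stream. The "set password <value>" form is used
# because a bare "set password" insists on a terminal for its prompt.
lsnr_stop_commands() {
    printf 'set current_listener %s\n' "$1"
    printf 'set password %s\n' "$2"
    printf 'stop\n'
    printf 'exit\n'
}

# Feed the commands to lsnrctl, or to a stand-in given as $3 (e.g. cat).
lsnr_stop() {
    ora=$1; lsn=$2; ctl=${3:-lsnrctl}
    secret=$(lsnr_password_from_ora "$ora" "$lsn") || {
        echo "no PASSWORDS_${lsn} entry in $ora" >&2
        return 1
    }
    lsnr_stop_commands "$lsn" "$secret" | "$ctl"
}

# Stand-alone use (as the oracle user):
#   ./lsnr_stop.sh $ORACLE_HOME/network/admin/listener.ora LISTENER
if [ $# -ge 2 ]; then
    lsnr_stop "$@"
fi
```

The command stream still carries the password, so both this script and LISTENER.ORA must stay readable only by the Oracle user; the next section covers that.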

A2:

Listener passwords are sensitive information and should be kept secret; even the encrypted form should not be disclosed, since it can be attacked offline with brute-force or dictionary attacks.

If you put a plain-text or encrypted password in a script or text file, make sure that the file has proper access restrictions (e.g. readable only by the user under which the command needs to be run). On Unix platforms use the chown and chmod utilities to set the ownership and permissions of the file to something like "chown oracle:orainstall <file>; chmod 700 <file>" (accessible and runnable only by the "oracle" user). On Windows NT platforms the NTFS filesystem lets you restrict the file to the users authorized to run the command, while the FAT(32) filesystem offers no protection mechanism at all.

Another solution, still insecure, is to pass the password to the script through an environment variable. Be aware that, depending on the operating system and its settings, other users may be able to read a process's environment.

The most secure option is to run lsnrctl interactively on a terminal and type the password at the prompt (use "set password" and you will get a non-echoing "Password:" prompt). You may simulate this terminal-level interaction with, for example, the expect scripting tool (a Tcl-based tool available on Unix platforms, with ports for Windows), but you still have to solve the password storage problem. Please note that Oracle does not support the expect tool or other derived works.

You cannot use standard shell redirection to feed the plain-text password to a bare "set password" command, because lsnrctl checks that it is running on a terminal before prompting and switches the terminal discipline to no-echo for the password. However, the "set password <encrypted_password>" form, with the value on the command line, does work with shell redirection, as shown in the previous section.
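As an added example (not from the Oracle note), the following POSIX sh functions implement the file-permission gate described above for Unix platforms: a command file or script holding a listener password is used only if it belongs to the calling user and carries no group or other permission bits. The file name and the command in the usage comment are assumptions; the mode is read from ls -ld so the check does not depend on GNU-specific stat options.

```shell
#!/bin/sh
# Added example, not Oracle's code: refuse to use a password-bearing file
# unless it is owned by the caller and unreadable by anyone else.
set -u

# Return 0 if FILE is a regular file owned by the effective user with no
# group/other bits. Characters 5-10 of "ls -ld" output are the group and
# other rwx fields, which must all be "-".
secret_file_is_private() {
    f=$1
    [ -f "$f" ] && [ -O "$f" ] || return 1
    go=$(ls -ld "$f" | cut -c5-10)
    [ "$go" = "------" ]
}

# Apply the note's "chmod 700" if FILE is not private yet; returns 1 if it
# still fails the check afterwards (for example because we do not own it).
ensure_private() {
    secret_file_is_private "$1" && return 0
    chmod 700 "$1" 2>/dev/null
    secret_file_is_private "$1"
}

# Run CMD... only when SECRET_FILE passes the check. A shutdown script would
# call this before feeding the file's contents to lsnrctl, e.g.
#   run_if_private /home/oracle/listdowncmd.txt sh -c 'lsnrctl < /home/oracle/listdowncmd.txt'
run_if_private() {
    secret=$1; shift
    if ! secret_file_is_private "$secret"; then
        echo "refusing: $secret must be owned by the caller and mode 0600/0700" >&2
        return 1
    fi
    "$@"
}
```

The check is deliberately conservative: a file that is group-readable fails even if the group contains only the Oracle user, because group membership can change without anyone touching the file.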

You can find attached a sample proposed listener shutdown script for Unix platforms — lsnr_passwd_shutdown.sh. Check the comments in the file for instructions on how to run the script.

A3: The lsnrctl utility and the listener service have basically the same behavior on every platform. However, there are some implementation differences depending on the operating system.

For example, Oracle for Windows uses the Windows Service mechanism. When you first start a newly configured listener (defined in LISTENER.ORA) with lsnrctl at the command prompt, a 1060 error is shown (which you can ignore) and a Windows service is created for that listener profile, named "Oracle<Oracle_Home_Name>TNS<Listener_Name>". This service is set to run under the Local System account (whereas on Unix platforms the listener process runs under the "oracle" user).
