% ACLs are stored
in XML DB.
XML DB must be installed for the use of ACLs
!
The creation of ACLs is a two step
procedure.
The first step is to create
the actual ACL and define the privileges for it:
The general syntax is as follows:
BEGIN
DBMS_NETWORK_ACL_ADMIN.CREATE_ACL (
acl => "file_name.xml",
description => "file description",
principal => "user_or_role",
is_grant => TRUE|FALSE,
privilege => "connect|resolve",
start_date => null|timestamp_with_time_zone,
end_date => null|timestamp_with_time_zone);
END;
The value connect for
the parameter privilege includes resolve!
This is necessary for the package UTL_INTADDR.
%
The parameter principal specifies the
first username granted the ACL and is case
sensitive!
%
If you want to grant multiple users you must use the
DBMS_NETWORK_ACL.ADD_PRIVILEGE
procedure to add users.
Here is an example for an ACL:
BEGIN
DBMS_NETWORK_ACL_ADMIN.CREATE_ACL (
acl => 'sysdba-ch-permissions.xml',
description => "Permissions for sysdba network',
principal => "LUTZ',
is_grant => TRUE,
privilege => 'connect');
END;
This creates an xml file which holds
a list of users and privileges. This container is located
under /sys/acl/ in the XML DB.
The second step is to assign
network hosts to the ACL.
After the creation of the ACL you can
add hosts to it:
Below again you find the general
syntax:
BEGIN
DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL (
acl => "file_name.xml",
host => "network_host",
lower_port => null|port_number,
upper_port => null|port_number);
END;
And here is an example:
BEGIN
DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL (
acl => 'sysdba-ch-permissions.xml',
host => "*.sysdba.ch',
lower_port => 80,
upper_port => null);
END;
%
It is possible to use wildcards in the
hosts parameter. This allows access to
all hosts in the domain.
Hostnames are case sensitive
You can use an IP address as well as
a DNS hostname
%
Only one ACL can be assigned to a host or domain or IP
subnet or port range (if specified)!
%
You can assign multiple hosts to the same ACL by calling
DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL
multiple times
Oracle evaluated ACLs in the
following sequence:
-
fully qualified hostnames
are evaluated
-
hostnames with ports
-
partial domain names
and sub-domains
% Do not
modify the xml files with a text editor!
The data dictionary views related to
ACLs are dba_network_acls and
dba_"user_network_acl_privileges:
LUTZ AS SYSDBA @ orcl
SQL> DESC dba_network_acls
Name
Null" Type
---------------------------- --------
------------------------------------
HOST
NOT NULL VARCHAR2(1000)
LOWER_PORT
NUMBER(5)
UPPER_PORT
NUMBER(5)
ACL
VARCHAR2(4000)
ACLID
NOT NULL RAW(16)
LUTZ AS SYSDBA @ orcl SQL> DESC dba_network_acl_privileges
Name
Null" Type
------------------------------------
----------------------------------------
ACL
VARCHAR2(4000)
ACLID
RAW(16)
PRINCIPAL
VARCHAR2(4000)
PRIVILEGE
VARCHAR2(7)
IS_GRANT
VARCHAR2(5)
INVERT
VARCHAR2(5)
START_DATE
TIMESTAMP(9) WITH TIME ZONE
END_DATE
TIMESTAMP(9) WITH TIME ZONE
How to create and manage ACLs with OEM
The friends of graphical interfaces
can also create and manage ACLs. There is an interface to
the XML DB integrated into the Enterprise Manager.
%
Access Control Lists are an XML DB functionality.
You find the link for the ACLs in the
SCHEMA pane in Database Control 11g:
Other Network Security Features
The listener is secured by default in
11g.
It is not possible to manage the
listener from remote any more without a password or
Class of Secure Transports (COST).
Only the local user who started the
listener can stop it in 11g.
%
Still we have a default listener with the name
LISTENER and port 1521!
In 11g and beyond, Oracle has introduced the ability
to restrict connections to specific hosts (or IP
addresses).
The access control lists (ACL) are used to restrict
the hosts that are allowed to connect to the Oracle
database.
ACL"s are created using the
dbms_network_acl_admin and
dbms_network_acl_utility packages. Either
package can be used to create and manage ACLs.
Here is an example for an ACL:
BEGIN
DBMS_NETWORK_ACL_ADMIN.CREATE_ACL (
acl => 'sysdba-ch-permissions.xml',
description => "Permissions for sysdba network',
principal => "LUTZ',
is_grant =>
TRUE,
privilege => 'connect');
END;
The ACL is then added to the
"http://host:port/sys/acls/" directory.
Please note that you will encounter an
ORA-24247 error if it relies on one of the network
packages and no proper ACL has been created.