Restrict Client Connections To Just Two Specific IPs Over Oracle Listening Port?
Jan 18, 2013
I was asked if it was possible to restrict which users / or client IPs connect to my Oracle 11.2 database. I guess I could just shut down the listener and have me and one other DBA connect to it via SSH / LOCALHOST, but I was wondering if there was a more DBA-specific way to restrict client connections to just two specific IPs over the Oracle listening port?
We are interested to find the number of connections from a specific client. Is tracing on sqlnet.ora in the client machine the answer? If yes, which trace has the information?
I'm trying to restrict updates to a specific field in my form. I have set its property (update allowed) to no and still the field is updatable. I also have an on-commit trigger at my form level that will display a message, followed by the command commit. Is it possible the trigger is overriding the property (update restriction)?
We have a Data Source with min_pool_size (10) and max_pool_size (20). A Data Source is by default a connection pool. By starting a transaction we are retrieving a connection from the pool (i.e., opening it to retrieve data, perform queries, inserts and updates). Our application server is JBoss. An application workflow uses many transactions to build a product. The same connection is not used by the application for the entire workflow; instead, it uses connections and returns them to the connection pool. We do not use Java syntax like "rs.close();"... this is performed by iBATIS.
On the Linux side when we execute a "ps" command (ps -elf|grep -i ora) we see all the Oracle processes. A further refinement of that command (ps -elf|grep -i local=no) shows a list of the "waiting" connections in the connection pool. The DB may be queried with the following syntax:
SELECT schemaname, sid, serial# FROM gv$session where schemaname = 'APP_USER' order by SID;
A list of connected sid and serial numbers is returned, identifying which connections are in use. From here we are able to force the connection to trace by executing the following:
exec dbms_monitor.session_trace_enable(249, 6595, TRUE, FALSE);
(249 and 6595 being the SID and Serial# from the query above)
There should be no need to execute the inverse, since the connection is returned to the pool when the transaction is committed or rolled back.
We are trying to trace in order to use the Quest Benchmark Factory. Their instructions request the following syntax be applied to each session:
alter session set events '10046 trace name context forever, level 4';
and again, the inverse should not be necessary.
alter session set events '10046 trace name context off'
When it became too cumbersome to alter each session as it appeared, we issued an "alter system" to monitor (trace) everything. The trace files filled the disk, and four hours of testing was stopped two hours in. Doing a system level trace is probably not a good idea.
My first inclination was to create a post-logon trigger to set trace in the session; however, these connections, coming from a JBoss connection pool, do not log on each time, and I presume that they are not all the "same session".
We opened a support ticket with Quest last Friday and do not have an answer yet. This was the third ticket with them, the first to get Benchmark Factory installed (the original installer did not work). The second ticket was for setting up a shared directory on Linux with a folder on Windows, a setup configuration required by their tool. The third ticket is to address this issue.
They needed to contact "the developers" to answer the last two questions. Their latest suggestion is to fix ticket two so we "won't need to trace" anything. How do I set trace in these connections?
I want to add a new validation to restrict concurrent users and/or sessions from a client. (We have almost 60 client firms using the software to enter daily transactions.) All users from all clients are connecting to the database using a common functional ID.
What I did was: 1) Add a column 'user_logged_in' in the master table for client and update it to Y when a user from that client logs on to the system, 2) Insert the application logon details (we can figure out the client details from this) into a global temp table, 3) Create a logoff trigger to update the 'user_logged_in' flag in the client master table by using values from the global temp table when the session logs off and 4) Restrict the users from the same client if the flag is 'Y'
But the problem in this case is that the logoff trigger will not be executed if the session gets killed or terminated abnormally.
select a.SETTINGVALUE db_owner from ABC a, DEF b where a.application_id = b.application_id
I want to confirm after executing this .sql that these variables v_number and db_owner do not have a NULL value. I did search a lot for SQL*PLUS commands. The only way I can check this is by writing an anonymous PL/SQL block, but I don't want to go for that option. How to restrict input of NULL values?
I am trying to find the unix process for one of my application in the database but I am unable to view the same. To simulate, I did the following.
1. My database runs on a different server. 2. I invoked "sqlplus" from another unix box to log in to the database. 3. I found the process id (ps -ef |grep sqlplus). 4. When I execute the below mentioned query it does not display the process id that I am looking for. But the osuser, username, program and machine details are correct. How can I know the process details from the database?
SELECT SYS.GV_$SESSION.OSUSER, SYS.GV_$SESSION.USERNAME, SYS.GV_$PROCESS.SPID, SYS.GV_$SESSION.MACHINE, SYS.GV_$SESSION.PROGRAM, SYS.GV_$PROCESS.PROGRAM ,SYS.GV_$SESSION.SQL_ID FROM SYS.GV_$PROCESS, SYS.GV_$SESSION WHERE SYS.GV_$PROCESS.ADDR=SYS.GV_$SESSION.PADDR and SYS.GV_$SESSION.USERNAME='TEST' and SYS.GV_$SESSION.MACHINE like '%hostname%'
I have created a database and made the listener configuration and TNS with netca. With the netca configuration I used port 1525, then I needed to change my database port to 1521, so I just went to my listener.ora and tnsnames.ora and changed the port setting to 1521, but after that my database is still listening on both ports, 1521 and 1525. If I check the connection with SQL Developer it says connect. How is that possible?
For every connection, the Oracle listener creates a unique dynamic port. Can this be made a static port for all connections? This is a query raised in our penetration testing.
+ Oracle 11g + Centos 5.5 + I create many users by shell script (user01, user02, user03 ..... user0n) + How can I connect all users to the Oracle database in Centos (maybe create connect.sh) - command line env ? ...... // user01 , user02 ... ---===> connect Oracles ? My idea: using fork to create multiple sqlplus to connect but it can't o_0
If all users can connect to Orcl db, I can count real user connections.
We have a custom portal application that uses a bunch of application servers. Our connection pool max size is 1100. For the past two days, we had two incidents when the cpus reached the max limit and the db was not allowing connections to come thro' for 10 minute periods. The alert log does not have any entry and the listener log does not have any entry for that 10 minute period.
A DB server (Oracle 11g) on Linux will support a Web Application Server (Java based) for hosting a public web site. For sending multiple INSERT statements over from the Java Server to Oracle Server, I have two ways to do it:
1) Wrap those insert statements together and send it over with one connection to Oracle
2) Send each insert statement separately to Oracle. As the result, multiple insert statements are sent and accordingly multiple connections to Oracle are needed.
Advantage of option 1 is just using one Connection. Disadvantages are that Oracle will then need to parse the statement string into multiple separate insert statements, and then loop through them to execute each. This may be costly in CPU sense.
Option 2 may have quicker execution of each insert statement, but will need to create multiple connections. If the number of users is known and stable (such as intranet), I would prefer option 1; while for the internet there could be hundreds of concurrent users at the peak, so I lean towards option 2.
We are using erwin to generate the ER diagram. But with that tool we are unable to generate the ERD for a specific object. Or suggest any other tool from which I can generate the ERD of a specific object.
i.e. Let's take an example.
I have a table with one primary key and 10 foreign keys. So now if I select the main table, the tool should draw the ERD based on the constraints ('P' and 'R'), so only the different tables which have the relation should be displayed. Right now we are getting the ERD of all the tables (more than 1500 tables), which is not necessary.
While connecting my Oracle with my JDBC driver, I got an SQLException:
public class Orajdbc { public static void main(String args[]) { try { Class.forName("oracle.jdbc.driver.OracleDriver"); Connection con = DriverManager.getConnection [code]......
I am successfully connected by the type 1 ODBC driver, but when I want to connect with the "ojdbc6.jar" file I get this exception. I already added that jar file to my environment variable CLASSPATH.
I want to bring my Oracle 10g database online, but when I make the connection string I don't know which port to set. I set the default port 1521 but it does not work on the client site.
So when I changed my idle_time value in the profile, and when the user exceeds the idle_time value, I can still see the user in inactive state in v$session.
And when I tried to execute any query on the inactive session, I got an ORA- error and then the session was not visible in v$session.
In my environment the inactive sessions were not getting used afterwards, so is there any way to kill those sessions automatically once they reach the idle_timeout value?
Let's say I have 50 max sessions, out of which 10 are in inactive state and 40 in active state. What if I create one more session: will that give me an ORA- error stating max sessions reached, or will it kill one of the sessions which are in inactive state?
insight into the overheads for mutually authenticated SSL for database connections? This is over a fast local network, to a RAC cluster, with DB firewall in front. There's always a large element of "it depends"
Information I'm interested in are things like latency for initial session setup and subsequent data transfer. Also the increase in network packet size, and the increase in CPU cost for the database server. I guess there are some implications for session memory usage as well.
I have a problem with a PCI DSS - requirement in Oracle 11.2. (PCI DSS = Payment Card Industry Data Security Standard)
Problem:
We connect via ' ssh -2 -X -l oracle hostname ' to the database server and become OS user 'oracle'. We also have two offshore locations with DBAs, and each DBA comes with his personalized user to the jumphost and then with the above ssh command to the database server.
The problem is that each DBA becomes the oracle OS account and can now connect with '/ as sysdba' to the database. In PCI DSS this is not allowed!
Now my question: how can I audit these '/ as sysdba' connections and prove which user connected at which time with the '/ as sysdba' command?
The database is in audit mode. We log to syslog on Linux Red Hat 5. I know one solution could be setting the "SQLNET.AUTHENTICATION_SERVICES" parameter to "NONE" in the sqlnet.ora file, which will make it not possible to connect to the database without a password as sysdba (sqlplus / as sysdba), but we have too many applications and jobs and this is not really the solution in this case.
I think I can only solve this problem with personalized OS-user DBA accounts in the dba group on the OS side, and the OS user oracle should not be used in the future?? I also need personalized DBA user accounts in the database. Using sys and system is not allowed. These users have to be locked and could be unlocked only for special administration work.
I am currently doing a project where i need to write a stored procedure which will be doing the following-
i) It will retrieve multiple columns from multiple tables in a single database (through join) based on certain conditions. ii) Then it will store the entire data in a certain field (File_data) of a staging table.
Inside file_data a header and a trailer will be present with the records. Also the field values will be pipe separated and a new record will start on a new line.
So,the data inside the file_data of staging table will look like this-
the more customers we have for our software solution the more individual oracle objects (Tables, Packages, Functions, etc.) we have in our scheme. Right now we separate these by giving them identifying names like "X_CUSTOMER1_TABLENAME" e.g. (I know ..... )
This is not very practical when keeping our reference clean and when deploying/syncing our reference with a customer db: One customer would receive the objects of other customers on a deploy.
Is there a common solution to this problem? We were thinking about having a separate scheme for each customer. That way we would have our standard, untouched scheme with the basic functionality and the customer schemes with the individual content.
To make it a bit more concrete: We have around 100 basic tables that make up most of the content/functionality of the software. Each customer might have between 1-5 additional tables with "custom" data that is used in conjunction with the standard objects in individual packages, functions etc. The installations will be made on our customers' systems. So I have in mind to have schemes 0001, 0002, etc for each customer IN OUR REFERENCE. But we would then deploy only the scheme for that certain user when installing on their system. So for example for customer 0001 I would deploy the STANDARD and 0001 scheme