Showing posts with label Oracle Net. Show all posts
Showing posts with label Oracle Net. Show all posts

Tuesday, July 9, 2024

Stupid mistake that causes TNS-12533: TNS:illegal ADDRESS parameters during tns names resolution

Consider the following tnsnames.ora file:
cdb =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = myserver1.oric.no)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = cdb)
    )
  )


 pdb1 =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = myserver1.oric.no)(PORT = 1521))
      (CONNECT_DATA =
        (SERVER = DEDICATED)
        (SERVICE_NAME = pdb1.oric.no)
        (INSTANCE_NAME = cdb)
      )
    )
A tnsping against the cdb would return
 tnsping cdb

Used parameter files:
$ORACLE_HOME/network/admin/sqlnet.ora


Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = myserver1.oric.no)(PORT = 1521)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = cdb))) pdb1 = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = myserver1.oric.no)(PORT = 1521)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = pdb1.oric.no) (INSTANCE_NAME = cdb) ) )
TNS-12533: TNS:illegal ADDRESS parameters
For the pdb1 the error was:
TNS-03505: Failed to resolve name
The solution is simple: open tnsnames.ora in an editor and remove the blank space erroniously indented before "pdb1":
 pdb1 =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = myserver1.oric.no)(PORT = 1521))
      (CONNECT_DATA =
        (SERVER = DEDICATED)
        (SERVICE_NAME = pdb1.oric.no)
        (INSTANCE_NAME = cdb)
      )
    )
Make sure every tnsnames.ora entry starts at the very left end of the file, and this problem goes away.

Wednesday, June 5, 2024

Some Oracle Net related terms and what they mean

The terms used in Oracle Networking can be very similar and somewhat confusing.

Here is an attempt to explain some of them.

What is a network service name?

The network service name is shown in yellow below:
BRNY01 =
(DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = oric-sandbox-db01.oric.no)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = brny01.oric.no)
    )
  )
A network service name resolves to a connect descriptor.

What is a connect descriptor?

A specially-formatted description of the destination for a network connection. A connect descriptor contains destination service and network route information.
Everyhing contained within the DESCRIPTION part constitutes the connect description:
(DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = oric-sandbox-db01.oric.no)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = brny01.oric.no)
    )
  )
What is a connect identifier?

A connect identifier can be a network service name, database service name, or network service alias. Users will have to pass along username and password together with the connect identifier, to connect to a database.

For all intents and purposes, think about a connect identifier as a database name, or a nicname for a database name that you make up yourself.

What is a connect string?

By connect string we mean the information the user passes to a service to connect, such as user name, password and connect identifier
CONNECT scott/tiger@net_service_name

Friday, May 17, 2024

Easy Connect syntax

Basic syntax:
sqlplus uid/pwd@//servername.domain.com:port_number/service_name
If you do not specify port, 1521 is assumed.

Example connecting to a cntainer databaser:
C:\Users\vegard>sqlplus system/mypassword@oric-sandbox-db01.oric.no/cdb.oric.no

Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.23.0.0.0

SQL> show user
USER is "SYSTEM"
SQL> show con_name

CON_NAME
------------------------------
CDB$ROOT
Example connecting to a pdb plugged into the same container database:
C:\Users\vegard>sqlplus system/mypassword@oric-sandbox-db01.oric.no/vksa.oric.no

Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.23.0.0.0

SQL> show user
USER is "SYSTEM"
SQL> show con_name

CON_NAME
------------------------------
VKSA01
SQL>
You can also use easy connect syntax with the tnsping utility, just to check if there is an oracle service running on a specific server.

Example using tnsping from my Windows 11 client, using a cmd/powershell terminal:
C:\Users\vegard>tnsping "(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=oric-sandbox-db01.oric.no)(PORT=1521)))"

Attempting to contact (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=oric-sandbox-db01.oric.no)(PORT=1521)))
OK (50 msec)
Documentation for the Net Services Administrator's Guide can be found here

Thursday, March 7, 2024

How to solve TNS-01194: The listener command did not arrive in a secure transport

On one of my servers running Oracle 19c with a container database and a PDB, I had trouble getting the services to automatically register themselves in the listener.

The database it self seemed healthy; the v$active_services view showed that my services were indeed alive.

But still, the services wouldn't be registered by LREG and thus wouldn't be available for the the listener to service incoming requests.

I turned on logging for the listener by setting the following parameter in listener.ora:
LOGGING_LISTENER=on
Then restart the listener. Logging starts:
lsnrctl start
LSNRCTL for Linux: Version 19.0.0.0.0 - Production on 07-MAR-2024 11:22:33

Copyright (c) 1991, 2023, Oracle.  All rights reserved.

Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 19.0.0.0.0 - Production
Start Date                07-MAR-2024 11:11:35
Uptime                    0 days 0 hr. 10 min. 57 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /orainst/product/19c/network/admin/listener.ora
Listener Log File         /orainst/diag/tnslsnr/myserver/listener/alert/log.xml
I then put a tail on the listener log and register the services with the listener manually:
sqlplus / as sysdba
alter system register;


I then noticed the output on the listener.log file:
 07-MAR-2024 10:37:56 * service_register_NSGR * 1194
 
 TNS-01194: The listener command did not arrive in a secure transport
Look up the error:
oracle@myserver.oric.no:[cdb]# oerr tns 01194
01194, 00000, "The listener command did not arrive in a secure transport"
// *Cause: Most of the listener administrative commands are only intended to
// be issued in a secure transport, which are configured in
// secure_control_ parameter. If the parameter is set, then the listener
// accepts administrative requests only on those secure transports.
// *Action: Make sure the command is issued using a transport specified
// in secure transport list.
I then noticed that my listener.ora parameter SECURE_REGISTER_LISTENER was set to TCP:
SECURE_REGISTER_LISTENER = (TCP)
To allow for dynamic instance registration, I needed to allow for the other protocol, IPC, too:
SECURE_REGISTER_LISTENER = (TCP,IPC)
My tests showed that they both need to be present, in that particular order.

In fact, the listener.ora file could be as simple as this:
ADR_BASE_LISTENER = /orainst/oracle
LOGGING_LISTENER=on
TRACE_LEVEL_LISTENER=off
SECURE_REGISTER_LISTENER = (TCP,IPC)

  SID_LIST_LISTENER =
    (SID_LIST =
    (SID_DESC =
        (ORACLE_HOME = /orainst/oracle/product/19c)
        (SID_NAME = cdb)
      )
    )

  LISTENER =
    (DESCRIPTION_LIST =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
      )
    )
and still allow for remote client connections over TCP.

Sources: Oracle Net LISTENER Parameters for 19c

Wednesday, January 31, 2024

How come I cannot logon to my instance as sysdba, when the ORACLE_SID variable is set correctly?

Here's a reminder if you use a symbolic link for your ORACLE_HOME variable:

You will not be able to attach to your instance using OS authentication, like under the following circumstances:
echo $ORACLE_SID
testdb01
echo $ORACLE_HOME=/orasw/oracle/product/current
ls -la /orasw/oracle/product/current
lrwxrwxrwx 1 oracle dba 12 Jan 31 08:34 /orasw/oracle/product/current -> 19.21
ls -la 
sqlplus / as sysdba
The above statement will not be able to connect to your instance.

You can, however, connect to the instance by going through the listener instead:
sqlplus sys@testdb01 as sysdba

SQL*Plus: Release 19.0.0.0.0 - Production on Wed Jan 31 08:38:42 2024
Version 19.21.0.0.0

Copyright (c) 1982, 2022, Oracle.  All rights reserved.

Enter password:

Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.21.0.0.0

SYS@testdb01>SQL>show user
USER is "SYS"
So in order to create a bequeath session, you need an ORACLE_HOME variable that does not use symbolic links.

See this post about IPC and bequeath sessions for more details.

Thursday, November 23, 2023

How to use strace to figure out what files are being accessed by a shell script

I had a situation where an ebs-supplied script adstrtal.sh would not start - it kept throwing error
ORA-12541: TNS:no listener
Although $TNS_ADMIN was correctly set, and sqlplus and tnsping would confirm that the database was open and the listener was up, accepting connections on the desired port.

The sqlnet.log file created in the same directory from which I executed adstrtal.sh displayed the connection being attempted:
Fatal NI connect error 12541, connecting to:
 (DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=EBS32.oric.no)(CID=(PROGRAM=sqlplus)(HOST=oric-ebsapp-utv.oric.no)(USER=ebs)))
 (ADDRESS=(PROTOCOL=TCP)(HOST=162.20.5.225)(PORT=1521)))
We are not using default port 1521, but a different port.

I then used strace to find the source of the error, like this:
strace -f -o /tmp/strace.out ./adstrtal.sh apps/****
When going through the /tmp/strace.out file, I was pointed in the right direction:
openat(AT_FDCWD, "$INST_TOP/ora/10.1.3/network/admin/EBS32_oric-ebsapp-utv_ifile.ora", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
Turns out that adstrtal.sh was looking for a tnsnames.ora entry not in the tnsnames.ora in $TNS_ADMIN ($INST_TOP/ora/10.1.2/network/admin) but rather in $INST_TOP/ora/10.1.3/network/admin.

As soon as I had added the correct tnsnames.ora entry, the adstrtall.sh script worked.

Solution to ORA-12504: TNS:listener was not given the SERVICE_NAME in CONNECT_DATA

I had a situation where the error
ORA-12504: TNS:listener was not given the SERVICE_NAME in CONNECT_DATA
was thrown when connecting to a PDB.

The PDB was up and the listener runnning and serving the service_name which I wanted to connect to:

Solution was to reverse the order of directory_path in sqlnet.ora from
NAMES.DIRECTORY_PATH= (EZCONNECT,TNSNAMES)
to
NAMES.DIRECTORY_PATH= (TNSNAMES,EZCONNECT )

Thursday, January 19, 2023

What is the ifile directive sometimes used in tnsnames.ora?

My customer is using Oracle E-Business Suite, and during a so-called "autoconfig", some files in the Oracle RDBMS home on the database server is overwritten.

Oracle eBS actually warns the DBA against changing these files manually. Here is an example from the $TNS_ADMIN/tnsnames.ora:
###############################################################
#
# Do not edit settings in this file manually. They are managed
# automatically and will be overwritten when AutoConfig runs.
# For more information about AutoConfig, refer to the Oracle
# E-Business Suite Setup Guide.
###############################################################
Since we are using multitenant architecture, and also use Golden Gate to extract data, we need to tnsnames.ora entries for the Golden Gate setup:

  • One entry for the pluggable database
  • One entry for the container database

    After the initial setup, before the Golden Gate installation was ready, the $TNS_ADMIN/tnsnames.ora contained only the first of these two entries:
    ebsref=
            (DESCRIPTION=
                (ADDRESS=(PROTOCOL=tcp)(HOST=ebs-ref-db01.oric.no)(PORT=1537))
                (CONNECT_DATA=
                    (SERVICE_NAME=ebs_ebsref)
                    (INSTANCE_NAME=cdb)
                )
            )
    
    This entry is fine for the first of our two required connections. But there was no one supporting a direct connection to the root container, in my case called "cdb".
    The listener process already supports a service called "cdb":
    Services Summary...
    Service "cdb" has 1 instance(s).
      Instance "cdb", status READY, has 1 handler(s) for this service...
    Service "ebsref" has 1 instance(s).
      Instance "ebsref", status UNKNOWN, has 1 handler(s) for this service...
    
    But we cannot add the necessary Golden Gate configuration unless we add another entry in the tnsnames.ora file.

    How to do this, when we are not supposed to edit the tnsnames.ora because it eventually will be overwritten by autoconfig?

    The answer was actually already in the tnsnames.ora file.

    Oracle has included an example of how to use an include file in the tnsnames.ora file, so we can add our entries according to our needs. At the bottom of the file, you can see this string:
    IFILE=/u01/oracle/sw/19c/network/admin/ebsref_ebs-ref-db01/ebsref_ebs-ref-ref-db01_ifile.ora
    
    The file does not exist, so you need to create it:
    vi /u01/oracle/sw/19c/network/admin/ebsref_ebs-ref-db01/ebsref_ebs-ref-ref-db01_ifile.ora
    
    Add the following:
    cdb = (DESCRIPTION=
              (ADDRESS=(PROTOCOL=tcp)(HOST=ebs-ref-db01.skead.no)(PORT=1537))
                    (CONNECT_DATA= (SERVICE_NAME=cdb)
                    (INSTANCE_NAME=cdb))
          )
    
    And you've solved your problem, the connect identifier "cdb" can now be used by Golden Gate connections to the container database. Burleson Consulting has an article about ifile that actually points out eBS as the very reason for the ifile directive:

    According to some Oracle experts, the ifile facility was designed for the init.ora file and ifile is not supported for the listener.ora, sqlnet.ora and protocol.ora files, but Oracle eBusiness Suite (EBS) release 11 uses ifile in their parameter files, ostensibly for reasons of customizations. With a ifile, you can leave the original file intact and not wonder what was added later.
  • Friday, December 9, 2022

    What does the UR = A in tnsnames.ora mean?

    I recently had to connect remotely as sysdba to remote instances when I created Physical Standby Databases using RMAN.

    There were some some connection problems along the way, and this was solved by setting the (UR=A) attribute in the tnsnames.ora entry for the database.

    What exactly is the UR=A attribute and what does it do?

    This is explained very well in a blog post from Ed Chen Logic so rather than explaining the same points all over again, continue reading there.

    But in short, an instance (memory, background processes, but no data files) will inform the listener to block all connections to its corresponding service by default.

    To bypass this restriction, you can add UR=A to the connect descriptor. From the primary server, I will then be able to connect to the standby instance running on prodserver2.oric.no.

    Let's demonstrate it:

    Start the standby database in nomount:
    sqlplus / as sysdba
    startup nomount
    ORACLE instance started.
    
    Total System Global Area 1.2885E+10 bytes
    Fixed Size                  8635096 bytes
    Variable Size            2986347816 bytes
    Database Buffers         9865003008 bytes
    Redo Buffers               24915968 bytes
    
    Start a default listener on the standby server:
    lsnrctl start
    
    Make sure the default service is loaded: wait for a minute, or execute
    alter system register;
    
    Listener status is now:
    Service "proddb01_stby.oric.no" has 1 instance(s).
      Instance "proddb01", status BLOCKED, has 1 handler(s) for this service...
    
    Create a tnsnames.ora entry for connecting to the standby database from the primary server:
    proddb01_stby.oric.no =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCP)(HOST = proddb02.oric.no)(PORT = 1521))
        (CONNECT_DATA =
          (SERVER = DEDICATED)
          (SERVICE_NAME = proddb01_stby.oric.no)
        )
      )
    
    Test it:
    sqlplus sys/password@proddb01_stby.oric.no as sysdba
    
    Result:
    ORA-12528: TNS:listener: all appropriate instances are blocking new connections
    
    Add the UR=A to the connect_data section:
    proddb01_stby.oric.no =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCP)(HOST = proddb01.oric.no)(PORT = 1521))
        (CONNECT_DATA =
          (SERVER = DEDICATED)
          (SERVICE_NAME = proddb01_stby.oric.no)
          (UR = A)
        )
      )
    
    And try again:
    sqlplus sys/password@proddb01_stby.oric.no as sysdba
    
    Result:
    SQL*Plus: Release 12.2.0.1.0 Production on Fri Dec 9 16:43:09 2022
    
    Copyright (c) 1982, 2016, Oracle.  All rights reserved.
    
    
    Connected to:
    Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production
    
    SQL> select host_name from v$instance;
    
    HOST_NAME
    -----------------
    proddb02.oric.no
    
    SQL> show parameter db_unique
    
    NAME             TYPE      VALUE
    ---------------- --------- --------------
    db_unique_name   string    proddb01_stby
    

    Wednesday, May 22, 2019

    Deprecated security parameter in Oracle 12c: SEC_CASE_SENSITIVE_LOGON


    Oracle states:

    "The use of the Oracle instance initialization parameter SEC_CASE_SENSITIVE_LOGON is deprecated in favor of setting the SQLNET.ALLOWED_LOGON_VERSION_SERVER parameter to 12 to ensure that passwords are treated in a case-sensitive fashion.
    Disabling password case sensitivity is not supported in Exclusive mode (when SQLNET.ALLOWED_LOGON_VERSION_SERVER is set to 12 or 12a.)


    See this post for an example used during implementation

    Documentation here

    Wednesday, January 2, 2019

    How to setup Oracle Network Integrity



    Encryption will protect your data from being read in clear text, when in transition.
    However, data can still be tampered with and arrive modified at the receiver's end.

    To protect against modification, you need to ensure the integrity of the data being sent over the network.

    Data integrity protection from Oracle works independently from the encryption process. In other words, you can use both encryption and checksuming together or either one separately.

    To implement network integrity, add the following to your server’s sqlnet.ora file:
    SQLNET.CRYPTO_CHECKSUM_SERVER = requested
    SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER= (SHA256, SHA384, SHA512, SHA1, MD5)
    
    All of the hash algorithms in the list create a checksum that changes if the data is altered in any way.

    The value "requested" in the CRYPTO_CHECKSUM_SERVER instructs the Oracle server that calculating checksums when sending network packets to the client is desirable, but not required. Other valid settings are "required", "accepted" and "rejected". See the documentation for details.

    The list of available encryption algorithms are stated in the CRYPTO_CHECKSUM_TYPE_SERVER, and the first one common to both client and server in the list will be selected. During my tests, the SHA256 was selected.

    More information is to be found in the official documentation

    Thursday, October 18, 2018

    What is the meaning of the "10G 11G 12C" value in DBA_USERS.PASSWORD_VERSIONS?


    Since I wrote my post What is the meaning of the "10G 11G" value in DBA_USERS.PASSWORD_VERSIONS?, Oracle 12c added yet another value to this column.

    It's now common to see the string

    PASSWORD_VERSIONS
    10G 11G 12C

    when you query the password_versions column of dba_users view.

    What does it mean?

    It's a list of password versions that was generated at the time the account was created.
    This list will look a little different depending on your setting of the parameter SQLNET.ALLOWED_LOGON_VERSION_SERVER in your $TNS_ADMIN/sqlnet.ora at the time of account creation.

    Oracle explains:

    "The PASSWORD_VERSIONS column shows the list of password versions that exist for the account. 10G refers to the earlier case-insensitive Oracle password DES-based version, 11G refers to the SHA-1 version, and 12C refers to the SHA-2-based SHA-512 version."


    In my 12.2 database, I have set the following parameter in my $TNS_ADMIN/sqlnet.ora file:
    SQLNET.ALLOWED_LOGON_VERSION_SERVER=11
    

    to allow older clients to connect.

    When I then create a user with the CREATE USER statement, it will automatically generate all three password versions. Since my SQLNET.ALLOWED_LOGON_VERSION_SERVER was set to 11 at the time of creation, my password will indeed by case-sensitive, since case sensitive password was introduced in version 11.1 of the Oracle software.

    If I adjust the parameter sqlnet.ora parameter:
    SQLNET.ALLOWED_LOGON_VERSION_SERVER=12
    

    and drop/recreate the user, my password version will have changed:

    PASSWORD_VERSIONS
    11G 12C

    The setting of SQLNET.ALLOWED_LOGON_VERSION have the following effects:

    SQLNET.ALLOWED_LOGON_VERSION_SERVER=11 will keep generating 10G, 11G and 12c password versions
    SQLNET.ALLOWED_LOGON_VERSION_SERVER=12 will generate both 11G and 12C password versions, and also remove the 10G password version.
    SQLNET.ALLOWED_LOGON_VERSION_SERVER=12a will generate only 12c password versions

    Oracle call these three settings Greatest level of compatibility, Medium level of security, and Highest level of security, respectivly.

    If you for some reason want the old-school case-insensitive password versions to apply, set your SQLNET.ALLOWED_LOGON_VERSION_SERVER to 10 or lower, and make sure the parameter sec_case_sensitive_logon is set to FALSE.

    Any user created after setting SQLNET.ALLOWED_LOGON_VERSION_SERVER to 10 or lower, will be able to logon using case-insensitive passwords.



    Thursday, August 9, 2018

    How to connect to a PDB using jdbc

    Before you connect to a PDB using jdbc, make sure you have added the following to your database server's $TNS_ADMIN/listener.ora file:

    USE_SID_AS_SERVICE_<listener_nam>=on

    Restart or reload the listener. You should now be able to connect to the service_name representing your .

    Here is a screenshot from SQuirrel SQL client running on Ubuntu, connecting to a PDB running on a Virtual Box with CentOS and Oracle 12.1:



















    The entire connection string is

    jdbc:oracle:thin:@lx01oric.oric.no:1521:pdbveg1.oric.no
    

    Friday, April 13, 2018

    A solution for ORA-28040



    When connecting to Oracle 12c databases you may get

    ERROR:
    ORA-28040: No matching authentication protocol
    

    upon login.

    The error is defined as follows:

    28040, 0000, "No matching authentication protocol"
    Cause: There was no acceptable authentication protocol for either client or server.

    Action: The administrator should set the values of the SQLNET.ALLOWED_LOGON_VERSION_SERVER and SQLNET.ALLOWED_LOGON_VERSION_CLIENT parameters, on both the client and on the server, to values that match the minimum version software supported in the system. This error is also raised when the client is authenticating to a user account which was created without a verifier suitable for the client software version. In this situation, that account's password must be reset, in order for the required verifier to be generated and allow authentication to proceed successfully.


    Solution: edit your $TNS_ADMIN/sqlnet.ora file to include this directive:

    SQLNET.ALLOWED_LOGON_VERSION_SERVER=8
    

    which will allow older clients to connect. Oracle claims that the default value after an upgrade to Oracle 12.1 is 11, but I have found that the parameter needs to be explicitly set in the server's sqlnet.ora file before older clients are allowed.

    Note that the parameter SQLNET.ALLOWED_LOGON_VERSION_CLIENT is relevant only when the database server itself acts like a client against other database servers. Consequeltly, unless I know for certain that a database server is actually used as a client against other remote database servers, I will specify them like this for my Oracle 12c database servers:

    SQLNET.ALLOWED_LOGON_VERSION_SERVER=11
    SQLNET.ALLOWED_LOGON_VERSION_CLIENT=12
    


    Check the Oracle documentation for more info

    Thursday, February 4, 2016

    How to create and start a service with dbms_service



    Create the service. The first parameter name is the service name, can be up to 64 characters long.
    The second parameter is the network name of the service as used in SQLNet connect descriptors for client connections
    # sqlplus / as sysdba
    SQL> exec dbms_service.create_service(service_name=>'online_users', network_name=>'online_users');
    

    Start the service:
    SQL> exec dbms_service.start_service('online_users');
    

    Update the service_names parameter. Without this, your new service would exist, but have to be manually started with every database restart:
    SQL> alter system set service_names='proddb01, online_users' scope=both;
    

    Check the parameter settings:
    show parameter service
    
    NAME                                 TYPE                              VALUE
    ------------------------------------ --------------------------------- ------------------------------
    service_names                        string                            online_users, proddb01
    

    A typical connect string when using JDBC would be
    connect string : jdbc:oracle:thin:@//prodserver01:1521/online_users
    

    If you are relying on tns naming, in other words, using a local tnsnames.ora file, make sure you set up your tnsnames.ora correctly.
    The following is an example of a tnsnames.ora entry for the service we just created:
    online_users =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCP)(HOST = myserver.mydomain.com)(PORT = 1521))
        (CONNECT_DATA =
          (SERVER = DEDICATED)
          (SERVICE_NAME = online_users)
        )
      )
    

    Note: If you have specified a value for the database parameter domain_name, you need to add this to the SERVICE_NAME-clause of your tnsnames.ora entry, otherwise you will have trouble connecting:
    show parameter domain
    
    NAME                                 TYPE        VALUE
    ------------------------------------ ----------- ------------------------------
    db_domain                            string      mydomain.com
    

    In the case shown above, we have indeed specified a value for domain_name, and therefore the service_name will inherit this value by default.
    So make sure you specify the FQDN in the SERVICE_NAME clause for your tnsnames.ora entry, like this:
    (SERVICE_NAME = online_users.mydomain.com)
    

    The command
    lsnrctl services

    will show you how the services are automatically registered with the listener.
    The first 3 services are automatically created and always created by default with any Oracle installation. The last service registered with the listener is the one we created manually previously in this post:
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=myserver.mydomain.com)(PORT=1521)))
    Services Summary...
    Service "proddb01" has 1 instance(s).
      Instance "proddb01", status UNKNOWN, has 1 handler(s) for this service...
        Handler(s):
          "DEDICATED" established:0 refused:0
             LOCAL SERVER
    Service "proddb01.mydomain.com" has 1 instance(s).
      Instance "proddb01", status READY, has 1 handler(s) for this service...
        Handler(s):
          "DEDICATED" established:1 refused:0 state:ready
             LOCAL SERVER
    Service "proddb01XDB.mydomain.com" has 1 instance(s).
      Instance "proddb01", status READY, has 1 handler(s) for this service...
        Handler(s):
          "D000" established:0 refused:0 current:0 max:1022 state:ready
             DISPATCHER 
             (ADDRESS=(PROTOCOL=tcp)(HOST=myserver.mydomain.com)(PORT=19394))
    Service "online_users.mydomain.com" has 1 instance(s).
      Instance "proddb01", status READY, has 1 handler(s) for this service...
        Handler(s):
          "DEDICATED" established:3 refused:0 state:ready
             LOCAL SERVER
    


    If for some reason the service is not registered automatically with the listener within reasonable time, you can try to force a registration, like this:
    alter system register;
    


    If your listener is running on the default port 1521, there should be no need to touch your listener configuration, except stop/start/reload.
    If you use a non-default listener configuration, such as a port != 1521 or a listener name != LISTENER, you need to configure the parameter local_listener.
    In the exammple below, I configure the listener to run on port 1526 instead of 1521:
    alter system set local_listener='(address=(protocol=tcp)(host=myserver)(port=1526))' scope=both;
    
    Once again, note that in this case, the parameter db_domain is set so you only need to include the server name, not the domain name. If you do use the FQDN, it doesn't make any difference to your setup.





    Verify that your connection can be used by using sqlplus to create a connection:
    sqlplus scott/tiger@online_users
    SQL> select sys_context('userenv','SERVICE_NAME') FROM DUAL;
    
    SYS_CONTEXT('USERENV','SERVICE_NAME')
    --------------------------------------------------------------------------------
    online_users.mydomain.com
    



    To remove a service:
    -- stop the service
    SQL> exec dbms_service.stop_service('online_users');
    
    -- after stopping the service, it may be deleted
    SQL> exec dbms_service.delete_service('online_users');
    
    PL/SQL procedure successfully completed.
    




    A useful query for checking relevant parameters:
    set lines 200
    column name format a30
    column network_name format a30
    column value format a60
    
    select name,value
    from v$system_parameter
    where name in ('service_names','db_domain','local_listener');
    
    SELECT name,
           network_name
    FROM   v$active_services
    ORDER BY 1;
    

    Thursday, May 21, 2015

    Valid formats for JDBC URLs

    Format for JDBC URL with SID:

    •jdbc:oracle:thin:@host:1521:sid
    •jdbc:oracle:thin:user/password@host:1521:sid

    Format for JDBC URL with Service Name:

    •jdbc:oracle:thin:@//host:1521/servicename
    •jdbc:oracle:thin:user/password@//host:1521/servicename

    The difference is in the use of slashes (/) and colons (:)

    Source: Oracle Documentation, note 832455.1

    Tuesday, March 24, 2015

    How to use the nmap tool for Oracle networking troubleshooting

    The Network exploration tool and security / port skanner (nmap) came in handy as I was checking the prerequisites for a Golden Gate installation.

    We had to open ports in a firewall between the two servers to allow the Golden Gate Manager processes on each side to communicate with one another.

    Initially, the ports seemed to be closed even though the firewall administrator claimed it was open.

    Oracle Golden Gate needs two-way communication over the designated manager port, which by default is 7809.

    So I used nmap to prove that it was indeed closed.

    When the nmap status is closed or filtered, the man pages explains their state as


    "Closed ports have no application listening on them, though they could open up at any time. Ports are classified as unfiltered when they are responsive to nmap's probes, but nmap cannot determine whether they are open or closed.

    Filtered ports means that a firewall, filter, or other network obstacle is blocking the port so that nmap cannot tell whether it is open or closed."


    Port 1521 was opened, as requested from the firewall team:
    [root@myserver2 ~]#  nmap -p 1521 myserver1
    Starting Nmap 5.51 ( http://nmap.org ) at 2015-03-24 14:02 CET
    
    Nmap scan report for myserver1 (159.216.45.70)
    Host is up (0.0018s latency).
    rDNS record for 159.216.45.70: myserver1.mydomain.no
    PORT     STATE SERVICE
    1521/tcp open  oracle
    

    Port 7809 was closed, as seen by the output below:
    [root@myserver2 ~]# nmap -p 7809 myserver1 
    
    Starting Nmap 5.51 ( http://nmap.org ) at 2015-03-24 15:14 CET
    Nmap scan report for myserver1 (159.216.45.70)
    Host is up.
    rDNS record for 159.216.45.70: myserver1.mydomain.no
    PORT     STATE    SERVICE
    7809/tcp filtered unknown
    
    Nmap done: 1 IP address (1 host up) scanned in 2.08 seconds
    

    Later, the port range 7809-7820 was opened, as can be seen below. Note that there is no activity on ports 7810-7820 so they are for the time being marked as closed:
    root@myserver2 ~]# nmap  -p 7809-7820 myserver1
    
    Starting Nmap 5.51 ( http://nmap.org ) at 2015-03-24 15:48 CET
    Nmap scan report for myserver1(159.216.45.70)
    Host is up (0.0024s latency).
    rDNS record for 159.216.45.70: myserver1.mydomain.no
    
    PORT     STATE  SERVICE
    7809/tcp open   unknown
    7810/tcp closed unknown
    7811/tcp closed unknown
    7812/tcp closed unknown
    7813/tcp closed unknown
    7814/tcp closed unknown
    7815/tcp closed unknown
    7816/tcp closed unknown
    7817/tcp closed unknown
    7818/tcp closed unknown
    7819/tcp closed unknown
    7820/tcp closed unknown
    

    Friday, January 23, 2015

    What is the difference between a BEQUEATH connection and an IPC connection?

    A bequeath connection
  • runs on your local host
  • bypasses the listener
  • the protocol creates the server process for you directly

    An IPC (Inter-Process Communication) connection
  • will use the native protocol on each OS, but uses the generic term "IPC" for all of them
  • can only be used when the Client and Server reside on the same host
  • can only be used by having the Client connect through the Oracle Listener
  • the Database Listener must be configured to listen on an IPC endpoint
  • the listener spawns the server process for you

    Example setup:
    Listener.ora
     LISTENER =
       (DESCRIPTION_LIST =
         (DESCRIPTION =
           (ADDRESS = (PROTOCOL = TCP)(HOST = myserver)(PORT = 1521))
           (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
         )
       )
    

    tnsnames.ora:
    proddb01_ipc =
       (DESCRIPTION =
         (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
         (CONNECT_DATA =
           (SERVER = DEDICATED)
           (SERVICE_NAME = proddb01)
         )
       )
    
    Connect to your database locally:
    sqlplus /nolog
    SQL*Plus: Release 11.2.0.4.0. Production on Thu Jan 22 15:35:44 2015
    
    Copyright (c) 1982,2013, Oracle. All rights reserved.
    
    SQL> connect scott/tiger
    Connected.
    
    From another window, create another session:
    sqlplus /nolog
    SQL*Plus: Release 11.2.0.4.0. Production on Thu Jan 22 15:35:44 2015
    
    Copyright (c) 1982,2013, Oracle. All rights reserved.
    
    SQL> connect scott/tiger@proddb01_ipc
    Connected.
    

    Check the connections and their types:
    SELECT S.SID, S.OSUSER,S.PROGRAM,S.USERNAME,S.MACHINE, SCI.NETWORK_SERVICE_BANNER,S.LOGON_TIME,S.STATUS
     FROM V$SESSION S INNER JOIN V$SESSION_CONNECT_INFO SCI
     ON S.SID = SCI.SID
     WHERE S.USERNAME = UPPER('scott')
     AND SCI.NETWORK_SERVICE_BANNER LIKE '%IPC%'
     OR  SCI.NETWORK_SERVICE_BANNER LIKE INITCAP('%BEQ%')
     AND S.TYPE <> 'BACKGROUND'
     ORDER BY LOGON_TIME;
    

    And here is the output. Notice how the first session (.. / as sysdba) results in a Bequeath session, while the other one ( ...@proddb_ipc) results in a session using IPC:

    SIDOSUSERPROGRAMUSERNAMEMACHINENETWORK_SERVICE_BANNERLOGON_TIMESTATUS
    9
    oraclesqlplus@myserver.mydomain.com (TNS V1-V3)SCOTTmyserver.mydomain.comOracle Bequeath NT Protocol Adapter for Linux: Version 11.2.0.4.0 - Production22.01.2015 15:35:49INACTIVE
    1160
    oraclesqlplus@myserver.mydomain.com (TNS V1-V3)SCOTTmyserver.mydomain.comUnix Domain Socket IPC NT Protocol Adaptor for Linux: Version 11.2.0.4.0 - Production22.01.2015 15:40:44INACTIVE















  • Friday, May 23, 2014

    How to set up a standard listener on port 1521

    Recently I have seen cases where customers have defined multiple listeners in the $TNS_ADMIN/listener.ora file, but nontheless have started only the default listener called "LISTENER".

    Unless you actually start the separate listeners, they will not do you any good. Each listener must be configured to listen to different ports and then started explicitly, as follows:

    If desirable to run separate listeners, configure your listener.ora as follows:
    SID_LIST_LISTENER_PRODDB01 =
      (SID_LIST =
         (SID_DESC =
           (SID_NAME = PRODDB01)
           (ORACLE_HOME = /u01/oracle/product/11202)
       )
    )
     
    LISTENER_PRODDB01 =
      (DESCRIPTION_LIST =
         (DESCRIPTION =
            (ADDRESS = (PROTOCOL = TCP)(HOST = myhost)(PORT =1521))
            (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
          )
      )
     
    SID_LIST_LISTENER_PRODDB02 =
      (SID_LIST =
        (SID_DESC =
          (SID_NAME = PRODDB02)
          (ORACLE_HOME = /u01/oracle/product/11202)
         )
      )
     
    LISTENER_PRODDB02 =
      (DESCRIPTION_LIST =
         (DESCRIPTION =
            (ADDRESS = (PROTOCOL = TCP)(HOST = myhost)(PORT=1526))
            (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1526))
         )
     )
     

    Then start each listener:

    LSNRCTL> set current_listener LISTENER_PRODDB01
    Current Listener is LISTENER_PRODDB01
    LSNRCTL> start
    LSNRCTL> set current_listener LISTENER_PRODDB02
    Current Listener is LISTENER_PRODDB01
    LSNRCTL> start
    
    After having started all LISTENERS, check that they are running (on unix):
    ps -ef | grep LISTEN|grep -v grep
    
     oracle 7864350 1 0 15:41:47 - 0:12 /u01/oracle/product/11203/bin/tnslsnr LISTENER_PRODDB01 -inherit
     oracle 7864350 1 0 15:41:47 - 0:12 /u01/oracle/product/11203/bin/tnslsnr LISTENER_PRODDB02 -inherit
    

    If you only specify one - 1 - listener per server, you can set it up to listen for incoming Connections for multiple databases, as specified in the SID_LIST:

    SID_LIST_LISTENER =
     (SID_LIST =
       (SID_DESC =
          (SID_NAME =PRODDB01)
          (ORACLE_HOME = /u01/oracle/product/11202)
        )
       (SID_DESC =
         (SID_NAME =PRODDB02)
         (ORACLE_HOME = /u01/oracle/product/11202)
       )
    )
    
    LISTENER =
     (DESCRIPTION_LIST =
        (DESCRIPTION =
           (ADDRESS = (PROTOCOL = TCP)(HOST = myhost)(PORT = 1521))
           (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
         )
     )
    

    I prefer using a $TNS_ADMIN/listener.ora file consequently. It makes it easier to configure the listener later.
    I recommomed the following lines to be added to 11gR2 listeners:

    DIAG_ADR_ENABLED=on             <-- Use the ADR as base for all future logging and tracing of the listener
    ADR_BASE_LISTENER = /u01/oracle <-- The value of Your $ORACLE_BASE variable goes here
    LOGGING_LISTENER=off            <-- Turn logging on only if needed
    TRACE_LEVEL_LISTENER=off        <-- Turn tracing on only if needed