
Known Issues When Apparently Correctly Configured ACLs Fail Don't Prevent the ORA-24247 Error (Doc ID 1074843.1)

Last updated on AUGUST 29, 2023

Applies to:

Oracle Database - Enterprise Edition - Version 11.2.0.1 and later
Information in this document applies to any platform.

Symptoms

This note collects known issues in which correctly configured ACLs do not allow access to the requested network services and the access attempts fail with:

ORA-24247: network access denied by access control list (ACL)

1. The ACL is configured for a synonym or the IP of the invoked service name.

 

The ACL privilege check does not perform any (reverse) name resolution: if the ACL is configured for an IP address, using the hostname will not work, and vice versa.
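
An added example (not taken from the Oracle note, whose own Example 1 is not shown on this page): a dictionary query that checks both forms of one target against the configured ACLs, followed by an assignment for the form the code actually uses. APPUSER, app.example.com, 192.0.2.10, port 443 and app_acl.xml are constructed values, and the assignment step is an assumption that follows from the statement above.

```sql
-- Added illustration; all names and addresses below are constructed.
-- Run as a user that can read DBA_NETWORK_ACLS.

-- 1. For each form the PL/SQL code might pass, list the ACLs that cover it.
--    DOMAINS() only expands the literal string (app.example.com,
--    *.example.com, *.com, *  or  192.0.2.10, 192.0.2.*, 192.0.*, 192.*, *).
--    Nothing here resolves a name to an address or an address to a name,
--    so the two forms are matched against the ACL hosts independently.
WITH target AS (
  SELECT 'app.example.com' AS called_as FROM dual
  UNION ALL
  SELECT '192.0.2.10' FROM dual
)
SELECT t.called_as,
       a.host AS acl_host,
       a.lower_port,
       a.upper_port,
       a.acl,
       DECODE(DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE_ACLID(
                a.aclid, 'APPUSER', 'connect'),
              1, 'GRANTED', 0, 'DENIED', 'NOT LISTED') AS connect_priv
FROM   target t,
       TABLE(DBMS_NETWORK_ACL_UTILITY.DOMAINS(t.called_as)) d,
       dba_network_acls a
WHERE  a.host = d.column_value
ORDER  BY t.called_as,
          DBMS_NETWORK_ACL_UTILITY.DOMAIN_LEVEL(a.host) DESC,
          a.lower_port, a.upper_port;

-- A called_as value that returns no row (or only DENIED / NOT LISTED rows)
-- is a form that raises ORA-24247 for APPUSER, even when the other form
-- of the same server shows GRANTED.

-- 2. Assign the existing ACL to the exact literal the code passes
--    (11.2-style call; 12c and later also offer APPEND_HOST_ACE).
BEGIN
  DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(
    acl        => 'app_acl.xml',       -- hypothetical, already created
    host       => 'app.example.com',   -- same string as in the UTL_HTTP call
    lower_port => 443,
    upper_port => 443);
  COMMIT;
END;
/
```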

 

Example 1.
This example presents the incorrect setting and what to do to address the problem.

 

12. The user being granted the ACL privilege was previously identified globally.

If a user that is identified globally is switched to database authentication, the ACL ceases to work.

Cause



In this Document
Symptoms
 1. The ACL is configured for a synonym or the IP of the invoked service name.
 2. ACL for utl_inaddr.get_host_name or utl_inaddr.get_host_address without parameters is not functional
 3. The ACLs are not functional when accessed services are behind a proxy.
 4. Granting the ACL via roles does not work when the service is requested from a PLSQL procedure
 5. Calling a PLSQL in another schema fails with ORA-24247 despite the granted ACL privilege to the invoker.
 6. Multiple ACLs defined for the same host, using wildcards for different orders of precedence.
 7. ACL properly defined, yet DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE shows that the user is not allowed to use the ACL.
 8. (RAC specific): Dropping a user account which has been granted ACL permissions causes other accounts using the same ACL to throw ORA-24247 errors
 9. ACLs don't work when granted through roles
 10. http_proxy environment variable is set at database level.
 11. There is no ACL configured for local wallet access
 12. The user being granted the ACL privilege was previously identified globally.
Cause
 1. The ACL is configured for a synonym or the IP of the invoked service name.
 2. ACL for utl_inaddr.get_host_name or utl_inaddr.get_host_address without parameters is not functional, with IP or service name
 3. The ACLs are not functional when accessed services are behind a proxy.
 4. Granting the ACL via roles does not work when the service is requested from a PLSQL procedure
 5. Calling a PLSQL in another schema fails with ORA-24247 despite the granted ACL privilege to the invoker.
 6. Multiple ACLs defined for the same host, using wildcards for different orders of precedence.
 7. ACL properly defined, yet DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE shows that the user is not allowed to use the ACL.
 8. (RAC specific): Dropping a user account which has been granted ACL permissions causes other accounts using the same ACL to throw ORA-24247 errors
 9. ACLs don't work when granted through roles
 10. http_proxy environment variable is set at database level.
 11. There is no ACL configured for local wallet access
 12. The user being granted the ACL privilege was previously identified globally.
Solution
 1. The ACL is configured for a synonym or the IP of the invoked service name.
 2. ACL for utl_inaddr.get_host_name or utl_inaddr.get_host_address without parameters is not functional
 3. The ACLs are not functional when accessed services are behind a proxy.
 4. Granting the ACL via roles does not work when the service is called from a PLSQL procedure.
 5. Calling a PLSQL in another schema fails with ORA-24247 despite the granted ACL privilege to the invoker.
 6. Multiple ACLs defined for the same host, using wildcards for different orders of precedence.
 7. ACL properly defined, yet DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE shows that the user is not allowed to use the ACL.
 8. (RAC specific): Dropping a user account which has been granted ACL permissions causes other accounts using the same ACL to throw ORA-24247 errors
 9. ACLs don't work when granted through roles
 10. http_proxy environment variable is set at database level.
 11. There is no ACL configured for local wallet access
 12. The user being granted the ACL privilege was previously identified globally.
References

