Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle RAC
(Doc ID 1340831.1)
Last updated on JULY 02, 2021
Applies to:Oracle Net Services - Version 10.2.0.3 to 188.8.131.52 [Release 10.2 to 11.2]
Advanced Networking Option - Version 10.2.0.3 to 184.108.40.206 [Release 10.2 to 11.2]
Oracle Database - Enterprise Edition - Version 220.127.116.11 to 18.104.22.168 [Release 11.2]
Information in this document applies to any platform.
To demonstrate how the COST parameter "SECURE_REGISTER_listener_name = " is used to restrict instance registration with listeners in RAC environments. With COST restrictions in place only local and authorized instances having appropriate credentials will be allowed to register. These instructions can be used to address the issues published in Oracle Security Alert CVE-2012-1675 by using COST to restrict connections to only those instances having appropriate credentials.
The class of secure transports (COST) parameters specify a list of transports that are considered secure for administration and registration of a particular listener. The COST parameters identify which transports are considered secure for that installation and whether the administration of a listener requires secure transports. COST will not affect client connections utilizing other protocols. For more details and for information about other available COST parameters please see the 11.2 Network Administrators Guide and Network Reference.
Oracle versions that support COST
Although not documented in the Oracle 10g Network Administrator Guide COST parameters and functionality are supported as of 10.2.0.3.
Starting with Oracle Database Version 12 the additional configuration of VNCR and COST with scan listeners is not needed since registration is already restricted to the cluster nodes with the new (dynamic) parameter “remote_registration_address = “. The “remote_registration_address = “ parameter is configured by clusterware and then managed by the CRS agent. Local/cluster-node listeners in Oracle Database 12 utilize VNCR which is also configured and managed by clusterware. As with 22.214.171.124, if additional COST or VNCR features are needed for Oracle Database 12 then they can be configured and used as intended.
For more information information about "Valid Node Checking for Registration" please reference the following links:
Oracle Net 12c: Valid Node Checking For Registration (VNCR) (Doc ID 1600630.1)
Oracle® Database Net Services Reference
12c Release 1 (12.1)
New features overview
Oracle® Clusterware Administration and Deployment Guide
12c Release 1 (12.1)
SCAN Listeners and Service Registration Restriction With Valid Node Checking
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!
In this Document