Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle RAC

(Doc ID 1340831.1)

Last updated on SEPTEMBER 15, 2017

Applies to:

Oracle Net Services - Version 10.2.0.3 to 12.1.0.2 [Release 10.2 to 12.1]
Information in this document applies to any platform.


Goal

To demonstrate how the COST parameter "SECURE_REGISTER_listener_name = " is used to restrict instance registration with listeners in RAC environments. With COST restrictions in place, only local and authorized instances having appropriate credentials will be allowed to register. These instructions can be used to address the issues published in Oracle Security Alert CVE-2012-1675 by using COST to restrict registration to only those instances having appropriate credentials.


About COST

The class of secure transports (COST) parameters specify a list of transports that are considered secure for administration and registration of a particular listener. The COST parameters identify which transports are considered secure for that installation and whether the administration of a listener requires secure transports. COST will not affect client connections utilizing other protocols. For more details and for information about other available COST parameters please see the 11.2 Network Administrators Guide and Network Reference.
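As an added illustration that is not part of this support note (its Solution section is not reproduced here), the following constructed listener.ora fragment for one cluster node restricts registration with the local listener to the IPC transport while leaving TCP open for client connections; the host name, IPC key and instance name are assumptions:

```text
# Constructed example listener.ora for one RAC node (not the note's own configuration).
# The listener keeps a TCP endpoint for clients and an IPC endpoint for local instances.
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = LISTENER))
      (ADDRESS = (PROTOCOL = TCP)(HOST = node1-vip.example.com)(PORT = 1521))
    )
  )

# COST: only registration requests arriving over IPC are accepted.
# A remote registration attempt over TCP is rejected; client connections
# over TCP are unaffected.
SECURE_REGISTER_LISTENER = (IPC)

# Instance side (assumed SID orcl1): LOCAL_LISTENER must point at the IPC
# endpoint so that PMON registers over the transport the listener trusts,
# e.g. from SQL*Plus:
#   ALTER SYSTEM SET local_listener='(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER))' SID='orcl1';
```

After reloading the listener, check with "lsnrctl services LISTENER" that the local instance still appears as registered; an instance whose LOCAL_LISTENER still names only the TCP address will silently fail to register.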

Oracle versions that support COST

Although not documented in the Oracle 10g Network Administrator Guide, COST parameters and functionality are supported as of 10.2.0.3.

In Oracle Database Version 11.2.0.4 the screening of service registration requests from database instances can be performed using the listener's built-in "Valid Node Checking for Registration" (VNCR) feature. Oracle recommends using VNCR in 11.2.0.4 as an alternative to COST if the implementation is only meant to regulate database service registration requests with listeners. If COST parameters are needed in Oracle Database 11.2.0.4 for other or additional reasons, then they should be used as intended.

Starting with Oracle Database Version 12 the additional configuration of VNCR and COST for SCAN listeners is not needed, since registration is already restricted to the cluster nodes by the new (dynamic) parameter "remote_registration_address = ". The "remote_registration_address = " parameter is configured by Clusterware and then managed by the CRS agent. Local (cluster-node) listeners in Oracle Database 12 use VNCR, which is also configured and managed by Clusterware. As with 11.2.0.4, if additional COST or VNCR features are needed for Oracle Database 12 they can be configured and used as intended.

For more information about "Valid Node Checking for Registration" please reference the following links:

Oracle Net 12c: Valid Node Checking For Registration (VNCR) (Doc ID 1600630.1)

Oracle® Database Net Services Reference
12c Release 1 (12.1)
New features overview

Oracle® Clusterware Administration and Deployment Guide
12c Release 1 (12.1)
SCAN Listeners and Service Registration Restriction With Valid Node Checking


Solution
