Using Class of Secure Transport (COST) to Restrict Instance Registration (Doc ID 1453883.1)

Last updated on SEPTEMBER 26, 2016

Applies to:

Oracle Net Services - Version 10.2.0.3 to 12.1.0.2 [Release 10.2 to 12.1]
Oracle Database - Enterprise Edition - Version 10.2.0.3 to 12.1.0.2 [Release 10.2 to 12.1]
Oracle Database - Standard Edition - Version 10.2.0.3 to 12.1.0.2 [Release 10.2 to 12.1]
Information in this document applies to any platform.

Goal

To demonstrate how the COST parameter "SECURE_REGISTER_listener_name =" is used to restrict instance registration with database listeners. With this COST restriction in place only local instances will be allowed to register. These instructions can be used to address the issues published in Oracle Security Alert CVE-2012-1675 by using COST to restrict connections to only local instances.

About COST

The class of secure transports (COST) parameters specify a list of transports that are considered secure for administration and registration of a particular listener. The COST parameters identify which transports are considered secure for that installation and whether the administration of a listener requires secure transports. COST will not affect client connections utilizing other protocols. For more details and for information about other available COST parameters please see the 11.2 Network Administrators Guide and Network Reference.

About the IPC Protocol

IPC protocol support is similar to BEQ protocol support in that it can only be used when the client program and the Oracle server are installed on the same system. IPC protocol support differs from BEQ protocol support in that it can be used with Oracle Shared Server configurations. IPC protocol support requires a listener for its operation. For more information about IPC please see Doc ID 29232.1 "IPC Explained".

Oracle versions that support COST

Although not documented in the Oracle 10g Network Administration Guides COST parameters and functionality are supported as of 10.2.0.3.

Starting with Oracle Database Version 11.2.0.4 and Oracle Database 12c (12.1.0.1), the screening of service registration requests from database instances is performed using the Oracle Listener inherent "Valid Node Checking for Registration" feature. Oracle recommends using the "VNCR" feature in 11.2.0.4 and 12c as an alternative to COST if the implementation is only to regulate database service registration requests with Listeners. If COST parameters are needed for Oracle Database 11.2.0.4 or 12c for other or for additional reasons, then they should be used as intended.

For more information information about "Valid Node Checking for Registration" in 11.2.0.4 and 12c please reference the following links:

Oracle Net 12c: Valid Node Checking For Registration (VNCR) (Doc ID 1600630.1)

Oracle® Database Net Services Reference
12c Release 1 (12.1)
New features overview

Oracle® Clusterware Administration and Deployment Guide
12c Release 1 (12.1)
SCAN Listeners and Service Registration Restriction With Valid Node Checking

 

Solution

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms