Setting Listener Passwords With an Oracle 10g or Newer Listener (Doc ID 260986.1)

Last updated on MAY 08, 2017

Applies to:

Oracle Net Services - Version 10.1.0.2 to 11.2.0.4 [Release 10.1 to 11.2]
Information in this document applies to any platform.
Checked for relevance on 8-MAY-2017

Goal

How to set a password for 10g and newer listeners while leaving the default OS authentication mechanism in place.

In Oracle 10g and newer versions of the listener, the listener is secure out of the box. There should be no need to set a listener password to prohibit privileged LSNRCTL commands from being executed.

Beginning with version 10g, the listener uses local OS authentication. As long as privileged LSNRCTL commands (stop, status, etc.) are run as the same user who started the listener, that user can fully administer the running listener without providing a password.


This security feature is enabled by default and can be identified at listener
startup, or when issuing a LSNRCTL STATUS command, by the following output:

Security ON: Local OS Authentication

If the TNSListener is started as the "oracle" user and the user "sales" attempts
to administer the listener, or if "oracle" on a different node attempts to
administer the listener, the following error will be returned:

TNS-01190: The user is not authorized to execute the requested listener command
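
As an added example (not part of the Oracle note), the shell function below classifies captured LSNRCTL output by the two strings quoted above: the default Security line and the TNS-01190 error. The function names, the sample text and its column padding are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify captured LSNRCTL output using the strings quoted in the note.

# Reads listener output on stdin and prints one of:
#   local-os-auth   the Security line matches the default quoted in the note
#   not-authorized  TNS-01190 was returned (caller is not the listener owner)
#   other:<value>   a Security line is present but differs from the default
#   unknown         neither a Security line nor TNS-01190 was found
classify_listener_security() {
    awk '
        /TNS-01190/ { denied = 1 }
        # Match the Security line regardless of column padding.
        /^[ \t]*Security[ \t]/ {
            value = $0
            sub(/^[ \t]*Security[ \t]+/, "", value)
            sub(/[ \t]+$/, "", value)
            gsub(/[ \t]+/, " ", value)
            found = 1
        }
        END {
            if (denied) print "not-authorized"
            else if (found && value == "ON: Local OS Authentication") print "local-os-auth"
            else if (found) print "other:" value
            else print "unknown"
        }'
}

# Constructed samples (hypothetical layout, not captured from a real listener).
sample_owner='Alias                     LISTENER
Security                  ON: Local OS Authentication'
sample_denied='TNS-01190: The user is not authorized to execute the requested listener command'

# Returns 0 only when the default local OS authentication is reported.
audit_listener() {
    result=$(printf '%s\n' "$1" | classify_listener_security)
    case "$result" in
        local-os-auth) echo "OK: $result"; return 0 ;;
        *)             echo "REVIEW: $result"; return 1 ;;
    esac
}

audit_listener "$sample_owner"
audit_listener "$sample_denied" || true
```

Against a live listener, the captured text would come from a LSNRCTL STATUS run piped into `classify_listener_security`; any result other than `local-os-auth` deserves a manual look at the listener configuration.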



The following commands are all privileged:

 SAVE_CONFIG, STOP, TRACE, SPAWN, RELOAD,
 
 SET {LOG_FILE, LOG_STATUS, INBOUND_CONNECT_TIMEOUT, SAVE_CONFIG_STOP_ON, 
 TRC_FILE, TRC_LEVEL, LOG_DIRECTORY, STARTUP_WAITTIME}

 SHOW {RULES, TRC_DIRECTORY, LOG_FILE, LOG_STATUS, INBOUND_CONNECT_TIMEOUT, 
 SNMP_VISIBLE, TRC_FILE, TRC_LEVEL, LOG_DIRECTORY, STARTUP_WAITTIME, 
 SAVE_CONFIG_STOP_ON}

Solution
