Check the cause of the error:
$ oerr ora 24247
24247, 00000, "network access denied by access control list (ACL)"
// *Cause: No access control list (ACL) has been assigned to the target
// host or the privilege necessary to access the target host has not
// been granted to the user in the access control list.
// *Action: Ensure that an access control list (ACL) has been assigned to
// the target host and the privilege necessary to access the target
// host has been granted to the user.
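Developers occasionally use these powerful tools: for example, utl_smtp to send mail from inside the database, or utl_http to fetch web pages that can be processed in a PL/SQL program. These tools, however, carry a serious security risk. With utl_tcp, a database user can reach any other machine that the host can reach, without ever encountering a system prompt. This was the modus operandi of the Voyager worm, which harassed the Oracle user community just a year ago.
To eliminate this risk, many experts recommend revoking the "execute from public" privilege on these packages (that is, revoking EXECUTE on them from PUBLIC). But what if developers have a legitimate reason to execute these packages? The network ACLs configured in the steps below grant that access to a specific user for specific hosts and ports.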
Resolution steps:
1. Confirm the database account the application uses, and the web addresses and ports it needs to access
2. Create the ACL
SQL> execute DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(ACL => 'utl_http.xml', DESCRIPTION => 'HTTP Access', PRINCIPAL => 'XXXXX', IS_GRANT => true, PRIVILEGE => 'connect', START_DATE => null, END_DATE => null);
PL/SQL procedure successfully completed.
3. Grant the resolve privilege
SQL> execute DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(ACL => 'utl_http.xml', PRINCIPAL => 'XXXXX', IS_GRANT => true, PRIVILEGE => 'resolve', START_DATE => null, END_DATE => null);
PL/SQL procedure successfully completed.
4. Associate the host and ports
SQL> execute DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(ACL => 'utl_http.xml', HOST => '136.22.22.22', LOWER_PORT => 8080, UPPER_PORT => 8090);
PL/SQL procedure successfully completed.
5. Check the settings
SQL> SELECT acl,
            principal,
            privilege,
            is_grant,
            TO_CHAR(start_date, 'DD-MON-YYYY') AS start_date,
            TO_CHAR(end_date, 'DD-MON-YYYY') AS end_date
     FROM dba_network_acl_privileges;
ACL PRINCIPAL PRIVILEGE IS_GRANT START_DATE END_DATE
------------------------- --------------- ----------------------- ---------- -------------- --------------
/sys/acls/utl_http.xml XXXXX resolve true
/sys/acls/utl_http.xml XXXXX connect true
SELECT host, lower_port, upper_port, acl FROM dba_network_acls;
HOST LOWER_PORT UPPER_PORT ACL
-------------------- ---------- ---------- ----------------------------------------
136.22.22.22 8080 8090 /sys/acls/utl_http.xml
6. Add other web addresses
execute DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(ACL => 'utl_http.xml', HOST => '136.22.22.22', LOWER_PORT => 8080, UPPER_PORT => 8090);
execute DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(ACL => 'utl_http.xml', HOST => '136.22.22.23', LOWER_PORT => 3001, UPPER_PORT => null);
execute DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(ACL => 'utl_http.xml', HOST => '136.22.22.24', LOWER_PORT => 3005, UPPER_PORT => null);
SQL> SELECT host, lower_port, upper_port, acl FROM dba_network_acls;
HOST LOWER_PORT UPPER_PORT ACL
-------------------- ---------- ---------- ----------------------------------------
136.22.22.22 8080 8090 /sys/acls/utl_http.xml
136.22.22.23 8080 8090 /sys/acls/utl_http.xml
136.22.22.24 3001 3001 /sys/acls/utl_http.xml
136.22.22.25 3005 3005 /sys/acls/utl_http.xml
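7. Application testing
The application team was asked to test: 3 addresses were accessible, while access to the 24 address failed because of a firewall restriction on the target side; the relevant staff were contacted to resolve it.
Problem solved.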
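An added audit example (not from the original article): once ACLs are assigned as in steps 2 to 6, the first query below uses the same two dictionary views as step 5 to flag grants broader than a single host and narrow port range, and the second confirms what the placeholder principal XXXXX was granted. The port-range threshold of 100 is an arbitrary assumption.

```sql
-- Added example, not from the original article. Run as a DBA.
-- Part 1: flag ACL assignments that are broader than needed.
-- The CASE reports only the first matching finding per row.
SELECT *
FROM  (SELECT a.host,
              a.lower_port,
              a.upper_port,
              p.principal,
              p.privilege,
              CASE
                WHEN a.host = '*'
                  THEN 'any host reachable from the database server'
                WHEN INSTR(a.host, '*') > 0
                  THEN 'wildcard domain or subnet'
                WHEN p.principal = 'PUBLIC'
                  THEN 'granted to every database user'
                WHEN p.privilege = 'connect' AND a.lower_port IS NULL
                  THEN 'connect allowed on all ports'
                WHEN a.upper_port - a.lower_port > 100  -- assumed threshold
                  THEN 'wide port range'
              END AS finding
       FROM   dba_network_acls a
       JOIN   dba_network_acl_privileges p
              ON p.acl = a.acl
       WHERE  p.is_grant = 'true'
       AND    (p.end_date IS NULL OR p.end_date > SYSTIMESTAMP))
WHERE  finding IS NOT NULL
ORDER  BY host, principal, privilege;

-- Part 2: confirm what steps 2 and 3 granted to the placeholder principal.
-- CHECK_PRIVILEGE returns 1 (granted), 0 (denied) or NULL (not mentioned).
SELECT priv,
       DECODE(DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE('utl_http.xml', 'XXXXX', priv),
              1, 'GRANTED', 0, 'DENIED', 'NOT SET') AS status
FROM  (SELECT 'connect' AS priv FROM dual
       UNION ALL
       SELECT 'resolve' FROM dual);
```

An empty result from the first query means no assignment matched the checks; the single-host assignments with ports 8080 to 8090 shown in step 5 would not be flagged.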
When reposting, please cite this article's address: http://specialneedsforspecialkids.com/yun/129850.html