sky 的个人资料DBA日记照片日志列表更多  |  工具 帮助 |
|
2006/10/25 oracle如何穿越防火墙lp公司已经上了防火墙,想利用防火墙封闭大部分端口,只开放部分有用的端口,以加强数据库的安全性。
数据库为linux+10g。
由于客户端连接数据库时,先连接到listener的端口(1521),然后listener还会重新分配一个随机端口给客户端进程使用。客户端是通过这个端口和数据库通信的。
正式由于这种随机性,使防火墙无法确定关闭哪些端口,因为一旦需要使用的端口被关闭了,客户端就会出现tns-12203或者tns-12535错误。
为了解决这个问题,我在metalink找到了这篇文章,就全文转过来吧。
Oracle Connections and Firewalls When the Oracle client makes a connection to the database e.g. (sqlplus userid/password@alias), it compares the alias name supplied in the sqlplus line and looks for a match in the TNSNAMES.ORA file or Names server. Once it obtains the address for the database server, a connection attempt is made to the server from the client. The Listener is contacted on the database server and port redirection can take place depending on the platform, configuration of the INIT<SID>.ORA file and/or the Oracle product being used. The underlying network layer on the server will obtain a free port from the Operating System (OS) and send back to the client via the Listener the new port assignment. The client will then try to connect to the database on a new port. This is where connection failure normally occurs. A remote Oracle client making a connection to an Oracle database can fail if there is a firewall installed between the client and the server and if port redirection is taking place. The firewall will block the connection to the new port when the Oracle client connects to the database - the client typically fails with Oracle errors ORA-12203 or ORA-12535. The client connection failure is due to port redirection from the Database Server's operating system. Port redirection requires the client to connect to the database using a different port than originally configured in the configuration files. Oracle Multi-Threaded Server (MTS) on Unix platforms, (without specifying the address with the ports in the INIT<SID>.ORA file), Oracle Secure Sockets Layer (SSL) and Windows NT/2000 platforms will cause port redirection. A Net8 level 16 client trace file can verify if the problem is a firewall issue. In the SQLNET.ORA file on the client add the following lines: trace_level_client = 16 trace_file_client = client trace_directory_client = a valid directory and path Save the changes to the SQLNET.ORA file and try connecting with SQL*Plus once to force the error. This will create a trace file. Here are several excerpts from a level 16-trace file of what to look for. The initial packets sent to the listener on port 1521 in trace file. niotns: Calling address: (DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP) (HOST=server1)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=v815.world) (CID=(PROGRAM=D:\V815\BIN\SQLPLUSW.EXE)(HOST=server1)(USER=system)))) nladget: entry nladget: exit nscall: entry nscall: connecting... nsc2addr: entry nttbnd2addr: entry nttbnd2addr: port resolved to 1521 The received packet from the listener telling the client to use 1729 port (search for "NSPTRD"). nscon: recving a packet nsprecv: entry nsbal: entry nsbgetfl: entry nsbgetfl: normal exit nsmal: entry nsmal: 44 bytes at 0xb892d0 nsmal: normal exit nsbal: normal exit nsprecv: reading from transport... nttrd: entry nttrd: socket 232 had bytes read=64 nttrd: exit nsprecv: 64 bytes from transport nsprecv: tlen=64, plen=64, type=5 nsprecv: packet dump nsprecv:00 40 00 00 05 00 00 00 |.@......| nsprecv:00 36 28 41 44 44 52 45 |.6(ADDRE| nsprecv:53 53 3D 28 50 52 4F 54 |SS=(PROT| nsprecv:4F 43 4F 4C 3D 74 63 70 |OCOL=tcp| nsprecv:29 28 48 4F 53 54 3D 31 |)(HOST=1| nsprecv:33 38 2E 32 2E 32 31 33 |38.2.213| nsprecv:2E 36 31 29 28 50 4F 52 |.61)(POR| nsprecv:54 3D 31 37 32 39 29 29 |T=1729))| <- port change nsprecv: normal exit nscon: got NSPTRD packet nscon: got 54 bytes connect data nscon: exit (0) The client resolving the connection to port 1729. nscall: connecting... nsc2addr: entry nttbnd2addr: entry nttbnd2addr: port resolved to 1729 nttbnd2addr: using host IP address: 138.2.213.61 nttbnd2addr: exit nsc2addr: normal exit You can see the send packets sent from the client on port 1521 (or your port if different) to the Listener. There will be receive packets returned from the server to the client reflecting a new port assignment. Then the client will send packets again from the client only this time to a different port. The connection will then fail at this point in the trace file. The port that is assigned to the client is randomly chosen by the operating system and cannot be modified. It can be any free port available (usually above port 1024) that the server determines is not is use by any other software or hardware device. Once it is determined that the problem is the firewall causing the connection to fail, the next step is to select a solution to resolve the issue. As both Oracle and firewall are working correctly, there are several solutions to correct the problem to allow the clients to connect to the database. Solution: Firewall Vendor The first solution is to contact the firewall vendor and see if they have an upgrade to allow for Oracle connectivity with OS port redirection. If the firewall software can be upgraded, it is the best solution to follow. Solution: Oracle Connection Manager The second solution is available from Oracle Net8 (8.0.x and above), and requires the configuration of Oracle Connection Manager (CMAN) to allow the clients to connect through a firewall - Note 2077721.6 discusses CMAN in detail including configuration examples). CMAN is an executable that allows clients to connect despite a firewall being in place between the client and server. CMAN is similar to the Listener i that it reads a CMAN.ORA configuration file, which contains an address that Oracle Connection Manager listens for incoming connections, usually default ports of 1610 or 1630. CMAN starts similar to the Listener and will enter a LISTEN state (see netstat). The Oracle client must be Net8 or above and have the following in the TNSNAMES.ORA file. cmantest = (description = (address_list = (address = <- first address is to CMAN (protocol=tcp) (host=hostname or ip of cman) (port=1610) ) (address= <- second address is to Listener (protocol=tcp) (host=hostname or ip of listener) (port=1521) ) ) (connect_data = (sid = sidname)) (source_route = yes) <- This tells the client that it is using ) CMAN and it must take the first two addresses listed. When the client contacts Oracle Connection Manager, CMAN completes the connection with the second address the client brought with it. The second address will point to the host machine where the listener is running. CMAN then uses that address to 'pass' the connection to the Listener and the connection to the database is established. All redirection takes place between CMAN and the database, therefore the Oracle Connection Manager installation should be placed after the firewall but before the database. Several documents exist in MetaLink (http://metalink.oracle.com) that explain Oracle Connection Manager and provide more detailed configurations. This note serves to explain the connection process with firewalls, not to go into detail regarding Oracle Connection Manager. Solution: USE_SHARED_SOCKET A third solution for Windows NT/2000 servers is to set USE_SHARED_SOCKET to TRUE in the Windows registry (see Note 124140.1). This allows the OS to share the listening port (e.g. 1521) and clients then remain using that same port when connecting to the database - no port redirected takes place. Unix platforms can have problems connecting to a database through firewalls if they have implemented Multi-Threaded Server (MTS). MTS Dispatchers will redirect connection ports like the Windows Platforms mentioned above. Solution: Setting MTS ports A workaround for this is to specify the port in the MTS parameters of the INIT<SID>.ORA file (see Note 1016349.102). This allows the Dispatcher to use the port specified and will not select a random port. Ensure the user-defined MTS port/s are opened on the firewall. The following example shows the ports set to 2450 and 3125. Set these parameters according to your individual systems. This solution will also work for Windows. Example: mts_dispatchers="(address=(protocol=tcp)(host=hostname)(port=2450))(dispatchers=1)" mts_dispatchers="(address=(protocol=tcp)(host=hostname)(port=3125))(dispatchers=1)" Opening ports 2450 and 3125 on the firewall will allow clients to connect to Oracle. SSL Using SSL will cause Port redirection. The workaround is to select and set the ports using MTS in the INIT<SID>.ORA . RELATED DOCUMENTS ----------------- Note 1016349.102 Configuring Oracle MTS with Firewalls Note 66382.1 Firewalls, Windows NT and Redirections Note 124140.1 How to configure USE_SHARED_SOCKET on Windows NT/2000 2006/10/24 r52重装时的未知设备未知在:Intel(R) 82801FBM LPC Interface Controller - 2641
安装NSC TPM 驱动程序之后就可以了。
这个应该是r52内置的安全芯片 2006/10/18 9i和rman的一个bug :ora-600 [20516]rman故障解决一列
rman报错,rman-6181(
文件已经保存到目录:“C:\Program Files\Tencent\QQ\1106800\MyRecvFiles”,在打开文件前,推荐您对文件进行病毒扫描,转存至QQ网络硬盘
同学会 14:41:53
我前期就是把data-protector安装到两个小型机上了。都装了oracle9.0.1的数据库 同学会 14:43:21 这两个小型机一个是****一个是#### ****上作为catalog数据库建立了rman的帐户 ####作为target database建立了test的帐户(有sysdba的权限) sky 14:43:14 9i版本是啥? 企业版还是标准版? 同学会 14:43:44 好像是标准版 sky 14:43:40 RMAN-06181: multiple channels requires Enterprise Edition 看这个感觉像是版本限制 同学会 14:44:09 如何产看是标准版还是企业版呢? sky 14:44:05 你在rman的脚本里有多个allocate channel的语句,分配了多个channel sky 14:44:37 select * from v$version; 同学会 14:45:07 多少个channel好像是惠普data-protector自己分配的channel 同学会 14:45:45 select * from v$version;这个语句是查catalog数据库还是target数据库呢? sky 14:45:37 如果是标准版,一次只能分派一个。如果是hp的软件自动分配的,让他修改配置 sky 14:45:54 应该是target sky 14:46:17 yj8201> oerr rman 6181 6181, 1, "multiple channels require Oracle8 Enterprise Edition" // *Cause: Attempt to allocate more than 1 channel in a job. // *Action: Remove all except one ALLOCATE CHANNEL command. 同学会 14:46:57 SQL> select * from v$version; BANNER
---------------------------------------------------------------- Oracle9i Release 9.0.1.0.0 - 64bit Production PL/SQL Release 9.0.1.0.0 - Production CORE 9.0.1.0.0 Production TNS for HPUX: Version 9.0.1.0.0 - Production NLSRTL Version 9.0.1.0.0 - Production 同学会 14:47:16 这个是标准版吗? sky 14:47:51 应该是。如果是企业版,应该有enterprise字样:) 同学会 14:49:05 那就是标准版 sky 14:49:35 那就应该是这个原因。如果脚本不是手工写的,你和hp沟通一下,让他们改配置:) 同学会 14:49:46 我想问一下catalog还需要企业版吗?好像catalog数据库我装的是标准版 sky 14:49:59 catalog应该没啥限制 同学会 14:50:22 哦。 sky 14:50:27 :) 同学会 14:51:25 我正在跟惠普沟通 sky 14:51:26 :) 完事告诉我一声,呵呵 同学会 14:52:28 哈。她现在去查了 同学会 14:52:48
那么catalog数据库有没有什么企业版和标准版之说 sky 14:53:02 catalog应该就是用来存储一些备份的信息的,所以我觉得不应该有限制 sky 14:53:13 呵呵,又开始忙了:) 同学会 14:54:07 你还是要帮我确认一下,因为如果测试成功的话,我今晚要在结算系统进行集成 sky 14:54:15 ok:) 同学会 14:54:49 看看rman的备份,对catalog数据库有没有标准版还是企业版有区别吗 同学会 15:02:40 还是有错误,给你发过去 sky 15:02:39 嗯 同学会要发送给您文件“rman.txt(4KB)”,您是要接收,另存为 还是 谢绝该文件
您同意了接收文件“rman.txt”,正在建立连接,如果要中止接收文件,请按取消
文件已经保存到目录:“C:\Program Files\Tencent\QQ\1106800\MyRecvFiles”,在打开文件前,推荐您对文件进行病毒扫描,转存至QQ网络硬盘
rman脚本:
run {
allocate channel 'dev_0' type 'sbt_tape' parms 'ENV=(OB2BARTYPE=Oracle8,OB2APPNAME=ora3th,OB2BARLIST=test)'; backup incremental level <incr_level> format 'test<ora3th_%s:%t:%p>.dbf' database; sql 'alter system archive log current'; backup format 'test<ora3th_%s:%t:%p>.dbf' archivelog all; backup format 'test<ora3th_%s:%t:%p>.dbf' current controlfile; } # omnidb -session 2006/10/18-10 -report
[Normal] From: BSM@b2000 "test" Time: 10/18/06 15:19:25 OB2BAR application on "l1000_2" successfully started. ob2rman.exe started with arguments:
-backup -full Recovery Manager: Release 9.0.1.0.0 - 64bit Production
(c) Copyright 2001 Oracle Corporation. All rights reserved.
RMAN>
connected to target database: ORA3TH (DBID=1631638046) RMAN>
connected to recovery catalog database RMAN>
RMAN> run { 2> allocate channel 'dev_0' type 'sbt_tape' 3> parms 'ENV=(OB2BARTYPE=Oracle8,OB2APPNAME=ora3th,OB2BARLIST=test,OB2BARHOSTNAME=l1000_2)'; 4> backup incremental level 0 5> format 'test<ora3th_%s:%t:%p>.dbf' 6> database; 7> sql 'alter system archive log current'; 8> backup 9> format 'test<ora3th_%s:%t:%p>.dbf' 10> archivelog all; 11> backup 12> format 'test<ora3th_%s:%t:%p>.dbf' 13> current controlfile; 14> } allocated channel: dev_0 channel dev_0: sid=12 devtype=SBT_TAPE channel dev_0: Data Protector A.05.50/PHSS_35224/PHSS_35225/DPSOL_00241 Starting backup at 10/18/2006 [15:37:56]
channel dev_0: starting incremental level 0 datafile backupset channel dev_0: specifying datafile(s) in backupset including current controlfile in backupset input datafile fno=00001 name=/oracle/app/oracle/product/9.0.1/oradata/ora3th/system01.dbf input datafile fno=00002 name=/oracle/app/oracle/product/9.0.1/oradata/ora3th/undotbs01.dbf input datafile fno=00004 name=/oracle/app/oracle/product/9.0.1/oradata/ora3th/indx01.dbf input datafile fno=00006 name=/oracle/app/oracle/product/9.0.1/oradata/ora3th/users01.dbf input datafile fno=00003 name=/oracle/app/oracle/product/9.0.1/oradata/ora3th/cwmlite01.dbf input datafile fno=00005 name=/oracle/app/oracle/product/9.0.1/oradata/ora3th/tools01.dbf channel dev_0: starting piece 1 at 10/18/2006 [15:37:57] released channel: dev_0 RMAN-00571: =========================================================== RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS =============== RMAN-00571: =========================================================== RMAN-00579: the following error occurred at 10/18/2006 15:38:23 RMAN-03006: non-retryable error occurred during execution of command: backup RMAN-12004: unhandled exception during command execution on channel dev_0 RMAN-10035: exception raised in RPC: ORA-00600: internal error code, arguments: [20516], [krbb.c], [1603], [524288], [6144], [], [], [] RMAN-10031: ORA-19583 occurred during call to DBMS_BACKUP_RESTORE.BACKUPPIECECREATE RMAN> **end-of-file**
RMAN>
Recovery Manager complete.
[Major] From: ob2rman.exe@L1000_2 "ora3th" Time: 10/18/06 15:38:23 Backup of Oracle database finished with error. 1. Check Data Protector errors and follow Data Protector troubleshooting procedure. 2. Check Oracle RMAN errors. If the Data Protector error is reported please check the following files: a) /var/opt/omni/log/oracle8.log on L1000_2 b) <Oracle8 user dump directory>/sbtio.log on L1000_2 c) /var/opt/omni/log/debug.log on L1000_2 Note that Oracle RMAN errors are not reported in the above files. [Normal] From: ob2rman.exe@L1000_2 "ora3th" Time: 10/18/06 15:38:23
RMAN script saved in /var/opt/omni/tmp/RMAN_test_input.rman file. [Normal] From: BSM@b2000 "test" Time: 10/18/06 15:19:58
OB2BAR application on "l1000_2" disconnected. [Critical] From: BSM@b2000 "test" Time: 10/18/06 15:19:58
None of the Disk Agents completed successfully. Session has failed. [Normal] From: BSM@b2000 "test" Time: 10/18/06 15:19:58
Backup Statistics: Session Queuing Time (hours) 0.00 ---------------------------------------- Completed Disk Agents ........ 0 Failed Disk Agents ........... 0 Aborted Disk Agents .......... 0 ---------------------------------------- Disk Agents Total ........... 0 ======================================== Completed Media Agents ....... 0 Failed Media Agents .......... 0 Aborted Media Agents ......... 0 ---------------------------------------- Media Agents Total .......... 0 ======================================== Mbytes Total ................. 0 MB Used Media Total ............. 0 Disk Agent Errors Total ...... 0 同学会 15:04:16
这是dp的rman脚本 同学会要发送给您文件“rman script.txt(0KB)”,您是要接收,另存为 还是 谢绝该文件
同学会 15:05:10
你看一下是否有问题 您同意了接收文件“rman script.txt”,正在建立连接,如果要中止接收文件,请按取消
文件已经保存到目录:“C:\Program Files\Tencent\QQ\1106800\MyRecvFiles”,在打开文件前,推荐您对文件进行病毒扫描,转存至QQ网络硬盘
同学会 15:18:32
怎么样? sky 15:18:41 这次和上次不一样,这次是一个600的错误引起的 同学会 15:19:11 600?是不是很严重的错误 sky 15:19:04 我在查600的错误呢。你让他再试试 sky 15:19:15 有些600可以忽略:) 同学会 15:20:00 我在试一次啊 同学会 15:20:04 等一下 sky 15:20:20 你再sqlplus里执行show parameter db_block_size,把,结果给我 同学会 15:21:00 在那个数据库中执行,是catalog数据库还是target数据库? sky 15:20:57 target 同学会要发送给您文件“rman.txt(4KB)”,您是要接收,另存为 还是 谢绝该文件
您同意了接收文件“rman.txt”,正在建立连接,如果要中止接收文件,请按取消
文件已经保存到目录:“C:\Program Files\Tencent\QQ\1106800\MyRecvFiles”,在打开文件前,推荐您对文件进行病毒扫描,转存至QQ网络硬盘
sky 15:23:42
可能是遇到了一个bug:( sky 15:23:52 sky 15:20:20 你再sqlplus里执行show parameter db_block_size,把,结果给我 同学会 15:24:27 SQL> show parameter db_block_size; NAME TYPE VALUE
------------------------------------ ----------- ------------------------------ db_block_size integer 6144 同学会 15:24:33 SQL> show parameter db_block_size; NAME TYPE VALUE
------------------------------------ ----------- ------------------------------ db_block_size integer 6144 sky 15:24:28 就是这个bug 同学会 15:24:46 什么bug? sky 15:24:50 使用6k的block,用rman备份的时候就会有这个错误 同学会 15:25:10 哦,能解决吗? 同学会 15:25:18 手工能该一下解决吗 sky 15:25:11 除非升级,或者使用2k,4k,8k。。。重建库,没有别的办法 同学会 15:25:38 我做的是一个测试的库。没在生产机 sky 15:25:46 你看看生产机上如果不是6k的block,可能就没有问题 sky 15:26:01
PROBLEM: . 这是bug描述 NAME TYPE VALUE ------------------------------------ ------- ------------------------------ db_block_size integer 8192 sky 15:28:06 不行。你的数据库里面的block size是6k。如果想改这个,只能重新建库 2006/10/10 grub隐藏菜单今天安装红帽4,发现启动时需要按一下键盘才能进入grub菜单。
启动后,到/boot/grub下,打开grub.conf,发现了一行“hidemenu”。注释掉后就不要“press any key”了。
应该是我安装的时候无意中选中了什么隐藏菜单之类的选项导致的。 |
||||||||||||||||||||||||||||||||||||||||||
|
|
