查看报错原因:
▼▼▼
$ oerr ora 24247
24247, 00000, "network access denied by access control list (ACL)"
// *Cause: No access control list (ACL) has been assigned to the target
// host or the privilege necessary to access the target host has not
// been granted to the user in the access control list.
// *Action: Ensure that an access control list (ACL) has been assigned to
// the target host and the privilege necessary to access the target
// host has been granted to the user.
开发人员偶尔会使用这些强大的工具 — 例如,使用 utl_smtp 从数据库内发送邮件,使用 utl_http 提取可在 PL/SQL程序内处理的 Web 页面等等。然而,这些工具带来了巨大的安全风险。使用utl_tcp,数据库用户可以到达该主机可到达的任何其他计算机,甚至不会遇到系统提示。这曾是 Voyager蠕虫的惯用伎俩,该病毒一年前刚骚扰过 Oracle 用户社区。
为了消除这一风险,很多专家建议撤消“从公网执行”这些程序包的权限。但如果开发人员出于合理原因希望执行这些程序包,该怎么办?
处理步骤:
1. 确认应用使用的数据库账号,需要访问的web地址和端口
2. 创建ACL
▼▼▼
SQL> execute DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(ACL => utl_http.xml, DESCRIPTION => HTTP Access, PRINCIPAL => XXXXX, IS_GRANT => true, PRIVILEGE => connect, START_DATE => null, END_DATE => null);
PL/SQL procedure successfully completed.
3. 赋权resolve
▼▼▼
SQL> execute DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(ACL => utl_http.xml, PRINCIPAL => XXXXX, IS_GRANT => true, PRIVILEGE => resolve, START_DATE => null, END_DATE => null);
PL/SQL procedure successfully completed.
4. 关联host和端口
▼▼▼
SQL> execute DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(ACL => utl_http.xml, HOST => 136.22.22.22, LOWER_PORT => 8080, UPPER_PORT => 8090);
PL/SQL procedure successfully completed.
5. 检查设置
▼▼▼
SQL> SELECT acl,
principal,
privilege,
is_grant,
TO_CHAR(start_date, DD-MON-YYYY) AS start_date,
TO_CHAR(end_date, DD-MON-YYYY) AS end_date
FROM dba_network_acl_privileges;
ACL PRINCIPAL PRIVILEGE IS_GRANT START_DATE END_DATE
------------------------- --------------- ----------------------- ---------- -------------- --------------
/sys/acls/utl_http.xml XXXXX resolve true
/sys/acls/utl_http.xml XXXXX connect true
SELECT host, lower_port, upper_port, acl FROM dba_network_acls;
HOST LOWER_PORT UPPER_PORT ACL
-------------------- ---------- ---------- ----------------------------------------
136.22.22.22 8080 8090 /sys/acls/utl_http.xml
6. 添加其他的web地址
▼▼▼
execute DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(ACL => utl_http.xml, HOST => 136.22.22.22, LOWER_PORT => 8080, UPPER_PORT => 8090);
execute DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(ACL => utl_http.xml, HOST => 136.22.22.23, LOWER_PORT => 3001, UPPER_PORT => null);
execute DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(ACL => utl_http.xml, HOST => 136.22.22.24, LOWER_PORT => 3005, UPPER_PORT => null);
SQL> SELECT host, lower_port, upper_port, acl FROM dba_network_acls;
HOST LOWER_PORT UPPER_PORT ACL
-------------------- ---------- ---------- ----------------------------------------
136.22.22.22 8080 8090 /sys/acls/utl_http.xml
136.22.22.23 8080 8090 /sys/acls/utl_http.xml
136.22.22.24 3001 3001 /sys/acls/utl_http.xml
136.22.22.25 3005 3005 /sys/acls/utl_http.xml
7. 应用测试
联系应用人员检查测试,3个地址访问正常,24地址访问失败,是目标端防火墙限制导致,联系相关人员处理解决。
问题解决。
更多精彩干货分享
点击下方名片关注
IT那活儿
文章版权归作者所有,未经允许请勿转载,若此文章存在违规行为,您可以联系管理员删除。
转载请注明本文地址:https://www.ucloud.cn/yun/129850.html
摘要:问题九库控制文件扩展报错库的扩展报错,用的是裸设备,和还是原来大小,主库的没有报错,并且大小没有变,求解释。专家解答从报错可以看出,控制文件从个块扩展到个块时报错,而裸设备最大只支持个块,无法扩展,可以尝试将参数改小,避免控制文件报错。 链接描述引言 近期我们在DBASK小程序新关联了运维之美、高端存储知识、一森咖记、运维咖啡吧等数据领域的公众号,欢迎大家阅读分享。 问答集萃 接下来,...
阅读 1348·2023-01-11 13:20
阅读 1687·2023-01-11 13:20
阅读 1137·2023-01-11 13:20
阅读 1863·2023-01-11 13:20
阅读 4104·2023-01-11 13:20
阅读 2709·2023-01-11 13:20
阅读 1388·2023-01-11 13:20
阅读 3600·2023-01-11 13:20