Once you’ve started a listener, anyone with access to the Listener Control utility can stop it or make changes to it. You can protect your listener from unauthorized changes, and yourself from unwanted surprises, by password protecting your listener. Passwords may be encrypted or unencrypted. Once you configure a listener to require a password, you won’t be able to make any changes to that listener without first using the Listener Control utility’s SET PASSWORD command to supply the password that the listener requires.
Unencrypted passwords are the easiest to implement. To establish an unencrypted password for your listener, add a PASSWORDS parameter to your listener.ora file. Remember to append the listener name to the parameter name. The following example defines two passwords for the listener named PRODUCTION_LISTENER:
PASSWORDS_PRODUCTION_LISTENER = (secret, bigsecret)
You can place any number of passwords in the list. The passwords are all equal in terms of what they allow. Any one of the passwords may be used to control the listener’s operation. If you’re just defining one password, the parentheses are optional. For example:
PASSWORDS_PRODUCTION_LISTENER = secret
If you omit the parentheses from a list of passwords, you can run into some strange behavior. Consider the following two examples:
PASSWORDS_PRODUCTION_LISTENER = secret,bigsecret
PASSWORDS_PRODUCTION_LISTENER = secret, bigsecret
The first example, while it appears to set two passwords, in reality sets just one. That one password will be secret,bigsecret. Since there are no spaces in the password, the Listener Control utility will actually allow you to set that password using the command SET PASSWORD secret,bigsecret. The second example is similar to the first, but has a space following the comma. You’ll be able to start the listener, but you’ll be unable to stop it using the Listener Control utility because the SET PASSWORD command won’t allow you to set a password that contains an embedded space. You’ll be forced to kill the listener process from the operating-system prompt. To avoid problems such as these, it’s best to always enclose your password list within parentheses.
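The parenthesization pitfalls above can be checked for before a listener is started. The following is an added example, not code from the original text or from Oracle: it models the parsing behavior as this section describes it and flags each PASSWORDS parameter found in a listener.ora file. The function name, the finding strings, and the TEST_LISTENER and DEV_LISTENER names are assumptions made for the illustration.

```python
import re

# One PASSWORDS_<listener name> = <value> parameter per line, as on the page.
PARAM_RE = re.compile(r"^\s*PASSWORDS_(\w+)\s*=\s*(.*?)\s*$", re.IGNORECASE)

PLAINTEXT = "unencrypted password stored in listener.ora"
ONE_PASSWORD = "comma without parentheses: value is a single password"
EMBEDDED_SPACE = "embedded space: SET PASSWORD cannot supply this password"

def audit_listener_ora(text):
    """Return (listener, effective_passwords, findings) per PASSWORDS_ line."""
    results = []
    for line in text.splitlines():
        match = PARAM_RE.match(line)
        if not match:
            continue
        listener, value = match.group(1), match.group(2)
        findings = [PLAINTEXT]
        if value.startswith("(") and value.endswith(")"):
            # Parenthesized list: each comma-separated item is its own password.
            passwords = [p.strip() for p in value[1:-1].split(",") if p.strip()]
        else:
            # No parentheses: the whole value is one password (page's description).
            passwords = [value]
            if "," in value:
                findings.append(ONE_PASSWORD)
            if re.search(r"\s", value):
                findings.append(EMBEDDED_SPACE)
        results.append((listener, passwords, findings))
    return results

# Constructed sample file; TEST_LISTENER and DEV_LISTENER are made-up names.
SAMPLE = """\
PASSWORDS_PRODUCTION_LISTENER = (secret, bigsecret)
PASSWORDS_TEST_LISTENER = secret,bigsecret
PASSWORDS_DEV_LISTENER = secret, bigsecret
"""

if __name__ == "__main__":
    for listener, passwords, findings in audit_listener_ora(SAMPLE):
        print(listener, passwords)
        for finding in findings:
            print("  -", finding)
```

Every PASSWORDS parameter is reported as a plaintext finding because, as this section explains, passwords defined this way are unencrypted.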
Encrypted passwords aren’t set in listener.ora. Instead, you must use the Listener Control utility’s CHANGE_PASSWORD command after the listener has been started. The CHANGE_PASSWORD command works like most operating-system password commands. First it asks for your old password, then it asks you to enter your new password twice to guard against typos. For example:
CHANGE_PASSWORD
Old password:
New password:
Reenter new password:
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=donna.gennick.org) (PORT=1521))(PROTOCOL_STACK=(PRESENTATION=TTC)(SESSION=NS)))
Password changed for LISTENER
The command completed successfully
As you can see, the listener does not echo your passwords to the screen as you type them. If you are setting a password for the first time, and you therefore have no previous password, then just press ENTER when you’re prompted for the old password.
If you have previously set an unencrypted password, you won’t be able to use the CHANGE_PASSWORD command to set a new encrypted password. Entering your unencrypted password as the old password won’t work because the Listener Control utility treats it as an encrypted password.
One way to change from an unencrypted to an encrypted password is to stop your listener, remove the PASSWORDS parameter from your listener.ora file, restart your listener, and then issue a CHANGE_PASSWORD command. The downside to this approach is that you need to stop your listener. You can work around that, and make the change while the listener runs, by following these steps:
1. Edit the listener.ora file and remove the PASSWORDS parameter.
2. Run the Listener Control utility.
3. Use the SET PASSWORD command to specify a valid password. Remember, your listener is still running, so the unencrypted password(s) that you deleted in Step 1 are still in effect.
4. Issue the RELOAD command to cause the listener to reread listener.ora. Since there is no longer a PASSWORDS parameter, your listener no longer requires a password.
5. Issue the CHANGE_PASSWORD command, press ENTER to bypass the prompt for the old password, and enter your new password.
This process will work while the listener is running and, when you’re done, you’ll have established an encrypted password. The RELOAD command used in Step 4 is described in more detail later in this chapter. See Section 188.8.131.52.
If you have a password set for a listener, you will be prevented from stopping the listener or making changes to it unless you’ve first entered a valid password using the Listener Control utility’s SET PASSWORD command. The following list shows the specific Listener Control utility commands that won’t execute:
RELOAD
SERVICES
SET LOG_DIRECTORY
SET LOG_FILE
SET TRC_DIRECTORY
SET TRC_FILE
SET STARTUP_WAITTIME
SHOW DIRECT_HANDOFF
SHOW SAVE_CONFIG_ON_STOP
STOP
SPAWN
TRACE
Oddly enough, you can’t execute the SHOW DIRECT_HANDOFF and SHOW SAVE_CONFIG_ON_STOP commands without a password, yet you can execute the corresponding SET commands.
If you do try to execute one of these commands without first supplying a valid password, you’ll get an error such as the one shown in the following example:
STOP
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=donna.gennick.org) (PORT=1521))(PROTOCOL_STACK=(PRESENTATION=TTC)(SESSION=NS)))
TNS-01169: The listener has not recognized the password
With respect to this example, before stopping the listener, you must first use the SET PASSWORD command to enter a valid listener password. How you do that depends on whether or not your password is encrypted.
If your password is unencrypted, the important thing to note is that you must put your password on the command line as an argument to the SET PASSWORD command.
If your password is encrypted, then you must issue the SET PASSWORD command without an argument, and you must let the Listener Control utility prompt you for a password. For example:
SET PASSWORD
Password:
The command completed successfully