Securing a Listener

Once you’ve started a listener, anyone with access to the Listener Control utility can stop it or make changes to it. You can protect your listener from unauthorized changes, and yourself from unwanted surprises, by password protecting your listener. Passwords may be encrypted or unencrypted. Once you configure a listener to require a password, you won’t be able to make any changes to that listener without first using the Listener Control utility’s SET PASSWORD command to supply the password that the listener requires.

Setting an Unencrypted Password

Unencrypted passwords are the easiest to implement. To establish an unencrypted password for your listener, add a PASSWORDS parameter to your listener.ora file. Remember to append the listener name to the parameter name. The following example defines two passwords for the listener named PRODUCTION_LISTENER:


You can place any number of passwords in the list. The passwords are all equal in terms of what they allow. Any one of the passwords may be used to control the listener’s operation. If you’re just defining one password, the parentheses are optional. For example:


If you omit the parentheses from a list of passwords, you can run into some strange behavior. Consider the following two examples:


The first example, while it appears to set two passwords, in reality sets just one. That one password will be secret,bigsecret. Since there are no spaces in the password, the Listener Control utility will actually allow you to set that password using the command SET PASSWORD secret,bigsecret. The second example is similar to the first, but has a space following the comma. You’ll be able to start the listener, but you’ll be unable to stop it using the Listener Control utility because the SET PASSWORD command won’t allow you to set a password that contains an embedded space. You’ll be forced to kill the listener process from the operating-system prompt. To avoid problems such as these, it’s best to always enclose your password list within parentheses.

Setting an Encrypted Password

Encrypted passwords aren’t set by editing listener.ora. Instead, you must use the Listener Control utility’s CHANGE_PASSWORD command after the listener has been started. The CHANGE_PASSWORD command works like most operating-system password commands. First it asks for your old password, then it asks you to enter your new password twice to guard against typos. For example:

Old password:
New password:
Reenter new password:
Password changed for LISTENER
The command completed successfully

As you can see, the listener does not echo your passwords to the screen as you type them. If you are setting a password for the first time, and you therefore have no previous password, then just press ENTER when you’re prompted for the old password.

If you have previously set an unencrypted password, you won’t be able to use the CHANGE_PASSWORD command to set a new encrypted password. Entering your unencrypted password as the old password won’t work because the Listener Control utility treats it as an encrypted password.

One way to change from an unencrypted to an encrypted password is to stop your listener, remove the PASSWORDS parameter from your listener.ora file, restart your listener, and then issue a CHANGE_PASSWORD command. The downside to this approach is that you need to stop your listener. You can work around that, and make the change while the listener runs, by following these steps:

  1. Edit your listener.ora file and remove the PASSWORDS parameter.

  2. Run the Listener Control utility.

  3. Use the SET PASSWORD command to specify a valid password. Remember, your listener is still running, so the unencrypted password(s) that you deleted in Step 1 are still in effect.

  4. Issue the RELOAD command to cause the listener to reread listener.ora. Since there is no longer a PASSWORDS parameter, your listener no longer requires a password.

  5. Issue the CHANGE_PASSWORD command, press ENTER to bypass the prompt for the old password, and enter your new password.

This process will work while the listener is running and, when you’re done, you’ll have established an encrypted password. The RELOAD command used in Step 4 is described in more detail later in this chapter. See Section

Using the SET PASSWORD Command

If you have a password set for a listener, you will be prevented from stopping the listener or making changes to it unless you’ve first entered a valid password using the Listener Control utility’s SET PASSWORD command. The following list shows the specific Listener Control utility commands that won’t execute:



Oddly enough, you can’t execute the SHOW DIRECT_HANDOFF and SHOW SAVE_CONFIG_ON_STOP commands without a password, yet you can execute the corresponding SET commands.

If you do try to execute one of these commands without first supplying a valid password, you’ll get an error such as the one shown in the following example:

TNS-01169: The listener has not recognized the password

With respect to this example, before stopping the listener, you must first use the SET PASSWORD command to enter a valid listener password. How you do that depends on whether or not your password is encrypted.

SET PASSWORD for unencrypted passwords

If your password is unencrypted, then you should use the following form of the SET PASSWORD command:

SET PASSWORD your_password

The important thing to note here is that you must put your password on the command line as an argument to the SET PASSWORD command.

SET PASSWORD for encrypted passwords

If your password is encrypted, then you must issue the SET PASSWORD command without an argument, and you must let the Listener Control utility prompt you for a password. For example:

The command completed successfully

Whether or not you allow the SET PASSWORD command to prompt you for a password is how the Listener Control utility distinguishes between your entering an encrypted versus an unencrypted password.

Get Oracle Net8 Configuration and Troubleshooting now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.