Oracle Wallet


What is Oracle Wallet

Oracle wallet is a password-protected container for authentication and signing credentials, including private keys, certificates and other secrets that you need to secure over time.

How to create Oracle wallets

Wallets are created using the OWM or orapki utility. With orapki, run the orapki wallet create command (orapki wallet create -wallet wallet_location).
The wallet password must be strong:

[oracle@orcl]$ orapki wallet create -wallet /u01/app/oracle/product/11.2/db_1/wallets
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.
Enter password:            
Enter password again: 

[oracle@orcl]$ ls /u01/app/oracle/product/11.2/db_1/wallets/
ewallet.p12

To display the contents of a wallet:


[oracle@orcl wallets]$ orapki wallet display -wallet /u01/app/oracle/product/11.2/db_1/wallets
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:            

Requested Certificates: 
User Certificates:
Trusted Certificates: 
Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject:        OU=Secure Server Certification Authority,O=RSA Data Security, Inc.,C=US
Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions, Inc.,O=GTE Corporation,C=US
[oracle@orcl wallets]$ 

All of these operations can also be performed with the Oracle Wallet Manager (OWM) utility.
Just run owm from the command line, then select Wallet -> Open in Wallet Manager, select the wallets directory and type your password.


To create a self-signed root certificate, use the wallet add command:

[oracle@orcl ~]$ orapki wallet add -wallet $ORACLE_HOME/wallets -dn "CN=testsecurity Root,O=testsecurity,C=US" -self_signed -validity 365 -keysize 1024
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:            

[oracle@orcl ~]$ 

When you use the -self_signed keyword, your certificate is created immediately because you are acting as the Certificate Authority (CA).
Let’s display the self-signed certificate with orapki and OWM:

[oracle@orcl ~]$ orapki wallet display -wallet $ORACLE_HOME/wallets
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:            

Requested Certificates: 
User Certificates:
Subject:        CN=testsecurity Root,O=testsecurity,C=US
Trusted Certificates: 
Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject:        OU=Secure Server Certification Authority,O=RSA Data Security, Inc.,C=US
Subject:        CN=testsecurity Root,O=testsecurity,C=US
Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions, Inc.,O=GTE Corporation,C=US
Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign, Inc.,C=US

In OWM you will see the new certificate as well.


To create and sign a certificate request:

[oracle@orcl ~]$ orapki wallet add -wallet $ORACLE_HOME/wallets -dn "CN=test,O=testsecurity,C=US" -keysize 1024
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.
 
Enter wallet password:            
 
[oracle@orcl ~]$ 

 

If you look at the contents of the wallet now, you’ll see the new certificate request:

[oracle@orcl ~]$ orapki wallet display -wallet $ORACLE_HOME/wallets
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:            

Requested Certificates: 
Subject:        CN=test,O=testsecurity,C=US
User Certificates:
Subject:        CN=testsecurity Root,O=testsecurity,C=US
Trusted Certificates: 
Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject:        OU=Secure Server Certification Authority,O=RSA Data Security, Inc.,C=US
Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions, Inc.,O=GTE Corporation,C=US
Subject:        CN=testsecurity Root,O=testsecurity,C=US
Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign, Inc.,C=US

 

Export the certificate request so that you can sign it anywhere:

[oracle@orcl ~]$ orapki wallet export -wallet /u01/app/oracle/product/11.2/db_1/wallets/ -dn "CN=test,O=testsecurity,C=US" -request ./test.req
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:            

[oracle@orcl ~]$ ls -l ./test.req 
-rw-------. 1 oracle oinstall 584 Jun 28 18:53 ./test.req

 

Create a signed certificate from the request:

[oracle@orcl ~]$ orapki cert create -wallet /u01/app/oracle/product/11.2/db_1/wallets/ -request ./test.req -cert ./test.cert -validity 365
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:            

[oracle@orcl ~]$ ls -l ./test.cert 
-rw-------. 1 oracle oinstall 706 Jun 28 19:28 ./test.cert

 

The certificate file is created, but it is not in any wallet yet. If you display the wallet, you will not see the certificate there:

[oracle@orcl ~]$ orapki wallet display -wallet /u01/app/oracle/product/11.2/db_1/wallets/
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:            

Requested Certificates: 
Subject:        CN=test,O=testsecurity,C=US
User Certificates:
Subject:        CN=testsecurity Root,O=testsecurity,C=US
Trusted Certificates: 
Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject:        OU=Secure Server Certification Authority,O=RSA Data Security, Inc.,C=US
Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions, Inc.,O=GTE Corporation,C=US
Subject:        CN=testsecurity Root,O=testsecurity,C=US
Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign, Inc.,C=US

 

You need to add the certificate to a wallet. Both the certificate request and the certificate are text files, which you can copy over to any other server.



 

You can add the certificate either as a user certificate or as a trusted certificate. For example, to add the certificate as a user certificate:

[oracle@orcl ~]$ orapki wallet add -wallet /u01/app/oracle/product/11.2/db_1/wallets/ -user_cert -cert ./test.cert 
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:            

[oracle@orcl ~]$ 

 

The certificate now shows up in the User Certificates section:

[oracle@orcl ~]$ orapki wallet display -wallet /u01/app/oracle/product/11.2/db_1/wallets/
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:            

Requested Certificates: 
User Certificates:
Subject:        CN=test,O=testsecurity,C=US
Subject:        CN=testsecurity Root,O=testsecurity,C=US
Trusted Certificates: 
Subject:        OU=Secure Server Certification Authority,O=RSA Data Security, Inc.,C=US
Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject:        CN=testsecurity Root,O=testsecurity,C=US
Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions, Inc.,O=GTE Corporation,C=US
[oracle@orcl ~]$ 

 

If you want this certificate to be part of the trust hierarchy, you can add it to the wallet as a trusted certificate:

[oracle@orcl ~]$ orapki wallet add -wallet /u01/app/oracle/product/11.2/db_1/wallets/ -trusted_cert -cert ./test.cert 
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Enter wallet password: 

 

The certificate will now show up in the trusted certificate section:

[oracle@orcl ~]$ orapki wallet display -wallet /u01/app/oracle/product/11.2/db_1/wallets/
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:            

Requested Certificates: 
User Certificates:
Subject:        CN=test,O=testsecurity,C=US
Subject:        CN=testsecurity Root,O=testsecurity,C=US
Trusted Certificates: 
Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject:        CN=testsecurity Root,O=testsecurity,C=US
Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions, Inc.,O=GTE Corporation,C=US
Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject:        CN=test,O=testsecurity,C=US
Subject:        OU=Secure Server Certification Authority,O=RSA Data Security, Inc.,C=US
Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
[oracle@orcl ~]$ 
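A check that can follow the steps above, given here as an added example that is not part of the original page: it parses `orapki wallet display` output and reports trusted subjects that are not in an expected baseline. The sample output is constructed from the listing above; the baseline list and the function names are assumptions.

```shell
#!/bin/sh
# Added example: section-aware parsing of `orapki wallet display` output.

# Constructed sample: the final display output shown on this page.
SAMPLE_DISPLAY='Requested Certificates: 
User Certificates:
Subject:        CN=test,O=testsecurity,C=US
Subject:        CN=testsecurity Root,O=testsecurity,C=US
Trusted Certificates: 
Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject:        CN=testsecurity Root,O=testsecurity,C=US
Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions, Inc.,O=GTE Corporation,C=US
Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject:        CN=test,O=testsecurity,C=US
Subject:        OU=Secure Server Certification Authority,O=RSA Data Security, Inc.,C=US
Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign, Inc.,C=US'

# Hypothetical baseline: subjects that are meant to be trust anchors
# (the default CAs plus the self-signed root created above).
BASELINE='OU=Class 1 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
OU=Class 2 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
OU=Class 3 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
OU=Secure Server Certification Authority,O=RSA Data Security, Inc.,C=US
CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions, Inc.,O=GTE Corporation,C=US
CN=testsecurity Root,O=testsecurity,C=US'

# certs_in_section DISPLAY_OUTPUT SECTION
# SECTION is Requested, User or Trusted; prints one subject DN per line.
certs_in_section() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^(Requested|User|Trusted) Certificates:/ { sec = $1; next }
        /^Subject:/ && sec == want {
            sub(/^Subject:[ \t]*/, ""); sub(/[ \t]+$/, ""); print
        }'
}

# unexpected_trusted DISPLAY_OUTPUT BASELINE
# Prints every trusted subject that is not an exact line of BASELINE.
unexpected_trusted() {
    certs_in_section "$1" Trusted | while IFS= read -r dn; do
        printf '%s\n' "$2" | grep -Fxq -- "$dn" || printf '%s\n' "$dn"
    done
}

echo "Trusted subjects outside the baseline:"
unexpected_trusted "$SAMPLE_DISPLAY" "$BASELINE"
```

On the sample it reports CN=test,O=testsecurity,C=US, the end-entity certificate that was added with -trusted_cert.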

Limit connections to listener by source


If you want to limit access to the database to specific host names or IP addresses, you must use a feature called valid node checking. This feature allows you to define two lists:

  • invited_nodes – defines a set of nodes from which connections will be accepted
  • excluded_nodes – defines a list of nodes from which connections will be rejected

If you use invited_nodes, any node not in this list is rejected by the listener; if you use excluded_nodes, any node not in this list is accepted by the listener. If you define both lists, invited_nodes takes precedence over excluded_nodes. To test the invited_nodes list, add the following lines to the sqlnet.ora file:

[oracle@orcl ~]$ vi /u01/app/oracle/product/11.2/db_1/network/admin/sqlnet.ora 
# sqlnet.ora Network Configuration File: /u01/app/oracle/product/11.2/db_1/network/admin/sqlnet.ora
# Generated by Oracle configuration tools.
ADR_BASE = /u01/app/oracle
tcp.validnode_checking=YES
tcp.invited_nodes=(ValehPC,192.168.100.13)

[oracle@orcl u01]$ lsnrctl stop
[oracle@orcl u01]$ lsnrctl start

After the changes are applied, when you try to connect from any node apart from these two you will get an error like the one below.

When trying to connect with SQL*Plus:

C:\Users\Valeh>sqlplus test/test@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.100.177)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=db11g)))

SQL*Plus: Release 11.2.0.1.0 Production on Thu Jun 18 05:01:57 2015

Copyright (c) 1982, 2010, Oracle.  All rights reserved.

ERROR:
ORA-12537: TNS:connection closed

When trying to connect with Oracle SQL Developer:

[Screenshot: connection error in Oracle SQL Developer]
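The accept/reject rules described above, as an added example that is not part of the original page: it reads the three sqlnet.ora parameters and prints the decision for a given client. Node names are compared as literal strings, case-insensitively, which is an assumption of this sketch; the function names are hypothetical and the sample file is constructed from the values above.

```shell
#!/bin/sh
# Added example: evaluate valid node checking for one client node.

# Constructed sample sqlnet.ora, using the values shown on this page.
SAMPLE_SQLNET='ADR_BASE = /u01/app/oracle
tcp.validnode_checking=YES
tcp.invited_nodes=(ValehPC,192.168.100.13)'

# get_param CONFIG NAME: print the value of NAME (case-insensitive key),
# with whitespace and parentheses stripped. Comment lines are skipped.
get_param() {
    printf '%s\n' "$1" | awk -v name="$2" '
        /^[ \t]*#/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/[ \t()]/, "", val)
            if (tolower(key) == tolower(name)) found = val
        }
        END { print found }'
}

# in_list NODE LIST: succeed if NODE is an entry of the comma-separated LIST.
in_list() {
    node=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    list=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case ",$list," in
        *",$node,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# node_decision CONFIG NODE: print ACCEPT or REJECT.
node_decision() {
    checking=$(get_param "$1" tcp.validnode_checking | tr 'a-z' 'A-Z')
    invited=$(get_param "$1" tcp.invited_nodes)
    excluded=$(get_param "$1" tcp.excluded_nodes)
    if [ "$checking" != "YES" ]; then
        echo ACCEPT        # checking not enabled: the lists are not applied
    elif [ -n "$invited" ]; then
        # invited_nodes takes precedence; excluded_nodes is not consulted
        if in_list "$2" "$invited"; then echo ACCEPT; else echo REJECT; fi
    elif [ -n "$excluded" ] && in_list "$2" "$excluded"; then
        echo REJECT
    else
        echo ACCEPT
    fi
}

for n in 192.168.100.13 valehpc 192.168.100.50; do
    printf '%-16s %s\n' "$n" "$(node_decision "$SAMPLE_SQLNET" "$n")"
done
```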

Secure access to listener


Securing access to the listener is one of the important aspects of listener security, because an attacker who gains control of the listener through lsnrctl can shut down your database. To limit who can control the listener through lsnrctl, you must set a password. If the Security row in the output of the lsnrctl status command is OFF, no password is set for the listener. In Oracle 10g and 11g the listener is secured by default using an option called Local OS authentication. Local OS authentication means that you can control the listener if you are logged on to an account on the host where the listener is running. You can see it with the lsnrctl status command:

[oracle@orcl ~]$ lsnrctl status

LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 09-JUN-2015 01:44:59

::::::::::::::output trimmed::::::::::::::

------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 11.2.0.1.0 - Production
Start Date                09-JUN-2015 01:17:51
Uptime                    0 days 0 hr. 27 min. 8 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
::::::::::::::output trimmed::::::::::::::

Disable Local OS Authentication

To disable Local OS Authentication, set the local_os_authentication_LISTENER parameter to OFF in the listener.ora file:

[oracle@orcl ~]$ vi /u01/app/oracle/product/11.2/db_1/network/admin/listener.ora
#---- OUTPUT TRIMMED ----#
local_os_authentication_LISTENER=off

Setting a clear-text password for the listener

To set a listener password in clear-text format, open the $ORACLE_HOME/network/admin/listener.ora file and add a line in the following format: PASSWORDS_{LISTENER_NAME}=yourpassword
If you want, you can set multiple passwords for the listener: PASSWORDS_LISTENER=(password1,password2)

For example:

[oracle@orcl ~]$ vi /u01/app/oracle/product/11.2/db_1/network/admin/listener.ora

# listener.ora Network Configuration File: /u01/app/oracle/product/11.2/db_1/network/admin/listener.ora
# Generated by Oracle configuration tools.

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = orcl.localdomain)(PORT = 1521))
    )
  )

ADR_BASE_LISTENER = /u01/app/oracle

#clear type password
PASSWORDS_LISTENER=(test123,test654)

Setting an encrypted password for the listener

To set, change and save the password, use the set password or change_password command followed by save_config, as shown below:

#using set password
LSNRCTL> set password
Password:
The command completed successfully
LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=orcl.localdomain)(PORT=1521)))
No changes to save for LISTENER.
The command completed successfully
LSNRCTL>

#using change password
LSNRCTL> change_password
Old password:
New password:
Reenter new password:
Connecting to
(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=orcl.localdomain)(PORT=1521)))
Password changed for LISTENER
The command completed successfully
LSNRCTL> save_config
Connecting to
(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=orcl.localdomain)(PORT=1521)))
Saved LISTENER configuration parameters.
Listener Parameter File   /u01/app/oracle/product/11.2/db_1/network/admin/listener.ora
Old Parameter File   /u01/app/oracle/product/11.2/db_1/network/admin/listener.bak
The command completed successfully

After the password is set, the Security row of the listener status changes to Password or Local OS Authentication:

LSNRCTL> status
::::::::::::::output trimmed::::::::::::::
Security                  ON: Password or Local OS Authentication
SNMP                      OFF
::::::::::::::output trimmed::::::::::::::

The password is saved in the listener.ora file as a hashed entry. You can check what was generated by looking in the listener.ora file:

[oracle@orcl ~]$ vi /u01/app/oracle/product/11.2/db_1/network/admin/listener.ora

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = orcl.localdomain)(PORT = 1521))
    )
  )
ADR_BASE_LISTENER = /u01/app/oracle

#----ADDED BY TNSLSNR 09-JUN-2015 01:56:41---
PASSWORDS_LISTENER = 9BD20802761D432E
#--------------------------------------------

To remove the listener password, do the following:

First, stop the listener:

LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC0)))
The command completed successfully
LSNRCTL>

Then edit the listener.ora file, remove the lines added above, and restart the listener.
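A review check for the listener.ora settings covered in this section, as an added example that is not part of the original page: it flags clear-text PASSWORDS_ entries and a listener with local OS authentication off and no password. Treating a 16-character hexadecimal value as a hashed password is a heuristic taken from the sample on this page; the function name is hypothetical and the three inputs are constructed from the listings above.

```shell
#!/bin/sh
# Added example: audit listener.ora text for the settings discussed above.
# Password values are never printed, only the parameter names.

# Constructed samples based on the listener.ora listings on this page.
CLEAR_SAMPLE='LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = orcl.localdomain)(PORT = 1521))
    )
  )
ADR_BASE_LISTENER = /u01/app/oracle
#clear type password
PASSWORDS_LISTENER=(test123,test654)'

HASHED_SAMPLE='ADR_BASE_LISTENER = /u01/app/oracle
#----ADDED BY TNSLSNR 09-JUN-2015 01:56:41---
PASSWORDS_LISTENER = 9BD20802761D432E
#--------------------------------------------'

NOAUTH_SAMPLE='ADR_BASE_LISTENER = /u01/app/oracle
local_os_authentication_LISTENER=off'

# audit_listener_ora CONFIG_TEXT: print one result line per observation.
audit_listener_ora() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            eq = index($0, "="); if (eq == 0) next
            key = toupper(substr($0, 1, eq - 1)); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
        }
        key ~ /^PASSWORDS_/ {
            haspw = 1
            # Heuristic: 16 hex characters look like the hashed form that
            # save_config writes; anything else is treated as clear text.
            if (val ~ /^[0-9A-Fa-f]+$/ && length(val) == 16)
                print "OK hashed password: " key
            else
                print "FINDING clear-text password: " key
        }
        key ~ /^LOCAL_OS_AUTHENTICATION_/ && toupper(val) == "OFF" {
            osoff = 1
            print "NOTE local OS authentication disabled: " key
        }
        END {
            if (osoff && !haspw)
                print "FINDING no listener password set while local OS authentication is off"
        }'
}

for s in "$CLEAR_SAMPLE" "$HASHED_SAMPLE" "$NOAUTH_SAMPLE"; do
    audit_listener_ora "$s"
    echo "--"
done
```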