本文共 7801 字,大约阅读时间需要 26 分钟。
Oracle 11g introduces more secure and fine grained access on network packages like UTL_TCP, UTL_SMTP, UTL_MAIL, UTL_HTTP and UTL_INADDR, i.e. an execute privilege on these packages is not enough to access an external network resource using these packages. You have to configure ACL (Access Control List), assign the network host and port to it and grant connect privilege to the users through this ACL .
Please see:
These ACLs are XML files which are stored in the XML Database repository inside the database itself, which means that XML Database must be installed in the database to use the network PL/SQL packages. XML Database is installed automatically when you create a database using DBCA with default options. However, if you unselect/uncheck the XML Database option in DBCA while creating the database, XML Database won't installed.
A few days ago I ran into this problem. We upgraded one of our development database from oracle 10gR2 to 11gR1 recently. After the upgrade the application was broken very badly. Any user trying to login to the application was getting the error below:
ORA-24248: XMLDB extensible security not installed ORA-06512: at "SYS.UTL_INADDR", line 19 ORA-06512: at "SYS.UTL_INADDR", line 40 ORA-06512: at line 1
After I investigated, I found that that in one of Java classes in the application, where a connection was being established to the databases, a query was being executed like this.
SELECT global_name,utl_inaddr.get_host_address FROM global_name;
When I saw UTL_INADDR being called, I realized instantly that we need an ACL for this call and ACL needs XML Database. The error above is quite self explanatory. I went ahead and verified the existence of Oracle XML Database and found the following:
SQL> select comp_name from dba_registry;COMP_NAME----------------------------------------OWBOracle Application ExpressOracle Enterprise ManagerOLAP CatalogSpatialOracle MultimediaOracle TextOracle Expression FilterOracle Rules ManagerOracle Workspace ManagerOracle Database Catalog ViewsOracle Database Packages and TypesJServer JAVA Virtual MachineOracle XDKOracle Database Java PackagesOLAP Analytic WorkspaceOracle OLAP API17 rows selected.
As can be seen from the output of the above query, we were missing Oracle XML Database. I was able to reproduce the problem in sqlplus.
SQL> conn scott/tigerConnected.SQL> select global_name,utl_inaddr.get_host_address from global_name;select global_name,utl_inaddr.get_host_address from global_name *ERROR at line 1:ORA-24248: XML DB extensible security not installedORA-06512: at "SYS.UTL_INADDR", line 19ORA-06512: at "SYS.UTL_INADDR", line 40ORA-06512: at line 1SQL>
$ cd $ORACLE_HOME/rdbms/admin$ sqlplus / as sysdbaConnected to:Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - ProductionWith the Partitioning, OLAP, Data Mining and Real Application Testing optionsSQL> spool install_xml_db.logSQL> @catqm xdb sysaux temp YES-- xdb is the password for XML Database repository schema-- sysaux is the default tablespace for XML Database repository schema.-- temp is the default temporary tablespace for XML Database repository schema.-- YES is for using secure files for xdb$resource...[output trimmed]...SQL> declare 2 suf varchar2(26); 3 stmt varchar2(2000); 4 begin 5 select toksuf into suf from xdb.xdb$ttset where flags = 0; 6 stmt := 'grant all on XDB.X$PT' || suf || ' to DBA'; 7 execute immediate stmt; 8 stmt := 'grant all on XDB.X$PT' || suf || ' to SYSTEM WITH GRANT OPTION'; 9 execute immediate stmt; 10 end; 11 /PL/SQL procedure successfully completed.SQL>spool off
The XML Database installation is complete. I opened the install_xml_db.log and didn't find any significant errors in it. Then I verified from dba_registry again to see the status of XML Database installed.
SQL> select comp_name , status from dba_registry;COMP_NAME STATUS---------------------------------------- --------------------------------------------Oracle XML Database VALIDOWB VALIDOracle Application Express VALIDOracle Enterprise Manager VALIDOLAP Catalog VALIDSpatial VALIDOracle Multimedia VALIDOracle Text VALIDOracle Expression Filter VALIDOracle Rules Manager VALIDOracle Workspace Manager VALIDOracle Database Catalog Views VALIDOracle Database Packages and Types VALIDJServer JAVA Virtual Machine VALIDOracle XDK VALIDOracle Database Java Packages VALIDOLAP Analytic Workspace VALIDOracle OLAP API VALID18 rows selected.SQL>
The status should be VALID to indicate that the installation was successfull. Then I tested the UTL_INADDR again.
SQL> conn scott/tigerConnected.SQL> select global_name,utl_inaddr.get_host_address from global_name;select global_name,utl_inaddr.get_host_address from global_name *ERROR at line 1:ORA-24247: network access denied by access control list (ACL)ORA-06512: at "SYS.UTL_INADDR", line 19ORA-06512: at "SYS.UTL_INADDR", line 40ORA-06512: at line 1
As you see now the ORA-24248 is gone because we have XML Database installed. Now we are seeing ORA-24247, which means we can't access any network host using UTL_INADDR unless we allow access to this host via ACL.
SQL> conn / as sysdbaConnected.BEGIN DBMS_NETWORK_ACL_ADMIN.CREATE_ACL ( acl =>'my_application_acl.xml', description => 'ACL for users of my application.', principal => 'SCOTT', is_grant => TRUE, privilege => 'resolve', start_date => null, end_date => null );END;/PL/SQL procedure successfully completed./* All that UTL_INADDR.get_host_address does is resolve the host and return the IP Address. DBMS_NETWORK_ACL_ADMIN.CREATE_ACL creates an ACL and grant privilege to a user or role to that ACL. For the sake of this article I am using SCOTT as the grantee of the privilege resolve but in my application I granted this privilege to a role which was assigned to all the application users. So through that role all the users were granted resole privilege to this ACL.*/BEGIN DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL ( acl =>'my_application_acl.xml', host => 'localhost', lower_port => null, upper_port => null );END;/PL/SQL procedure successfully completed./* When UTL_INADDR.get_host_address is invoked without a host name specified with it, it sends the request to localhost. So we need to assign our ACL to the host "localhost".*/commit;SQL> conn scott/tigerConnected.SQL> set lines 10000SQL> column global_name format a20SQL> column get_host_address format a15SQL> select global_name,utl_inaddr.get_host_address from global_name;GLOBAL_NAME GET_HOST_ADDRES-------------------- ---------------ORA11G.HOME.COM 127.0.0.1SQL>
As you can see above, SCOTT is now able to get server's IP Adress using utl_inaddr.get_host_address. And this solves our problem with the application.
$ cd $ORACLE_HOME/rdbms/admin$ sqlplus / as sysdbaConnected to:Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - ProductionWith the Partitioning, OLAP, Data Mining and Real Application Testing optionsSQL> @catnoqm.sql-- This will uninstall the Oracle XML Database.
See also:
From http://oracleflash.com/40/ORA-24248-XMLDB-extensible-security-not-installed.html
and Thanks Zahid Karim
转载地址:http://xzyagz.baihongyu.com/