查看报错原因:
▼▼▼$ oerr ora 2424724247, 00000, "network access denied by access control list (ACL)"// *Cause: No access control list (ACL) has been assigned to the target// host or the privilege necessary to access the target host has not// been granted to the user in the access control list.// *Action: Ensure that an access control list (ACL) has been assigned to// the target host and the privilege necessary to access the target// host has been granted to the user.
开发人员偶尔会使用这些强大的工具 — 例如,使用 utl_smtp 从数据库内发送邮件,使用 utl_http 提取可在 PL/SQL程序内处理的 Web 页面等等。然而,这些工具带来了巨大的安全风险。使用utl_tcp,数据库用户可以到达该主机可到达的任何其他计算机,甚至不会遇到系统提示。这曾是 Voyager蠕虫的惯用伎俩,该病毒一年前刚骚扰过 Oracle 用户社区。
为了消除这一风险,很多专家建议撤消“从公网执行”这些程序包的权限。但如果开发人员出于合理原因希望执行这些程序包,该怎么办?
处理步骤:
1. 确认应用使用的数据库账号,需要访问的web地址和端口
2. 创建ACL
▼▼▼SQL> execute DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(ACL => 'utl_http.xml', DESCRIPTION => 'HTTP Access', PRINCIPAL => 'XXXXX', IS_GRANT => true, PRIVILEGE => 'connect', START_DATE => null, END_DATE => null);PL/SQL procedure successfully completed.
3. 赋权resolve
▼▼▼SQL> execute DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(ACL => 'utl_http.xml', PRINCIPAL => 'XXXXX', IS_GRANT => true, PRIVILEGE => 'resolve', START_DATE => null, END_DATE => null);PL/SQL procedure successfully completed.
4. 关联host和端口
▼▼▼SQL> execute DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(ACL => 'utl_http.xml', HOST => '136.22.22.22, LOWER_PORT => 8080, UPPER_PORT => 8090);PL/SQL procedure successfully completed.
5. 检查设置
▼▼▼SQL> SELECT acl, principal, privilege, is_grant, TO_CHAR(start_date, 'DD-MON-YYYY') AS start_date, TO_CHAR(end_date, 'DD-MON-YYYY') AS end_date FROM dba_network_acl_privileges;ACL PRINCIPAL PRIVILEGE IS_GRANT START_DATE END_DATE------------------------- --------------- ----------------------- ---------- -------------- --------------/sys/acls/utl_http.xml XXXXX resolve true/sys/acls/utl_http.xml XXXXX connect trueSELECT host, lower_port, upper_port, acl FROM dba_network_acls;HOST LOWER_PORT UPPER_PORT ACL-------------------- ---------- ---------- ----------------------------------------136.22.22.22 8080 8090 sys/acls/utl_http.xml
6. 添加其他的web地址
▼▼▼execute DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(ACL => 'utl_http.xml', HOST => '136.22.22.22', LOWER_PORT => 8080, UPPER_PORT => 8090);execute DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(ACL => 'utl_http.xml', HOST => '136.22.22.23', LOWER_PORT => 3001, UPPER_PORT => null);execute DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(ACL => 'utl_http.xml', HOST => '136.22.22.24', LOWER_PORT => 3005, UPPER_PORT => null);SQL> SELECT host, lower_port, upper_port, acl FROM dba_network_acls;HOST LOWER_PORT UPPER_PORT ACL-------------------- ---------- ---------- ----------------------------------------136.22.22.22 8080 8090 sys/acls/utl_http.xml136.22.22.23 8080 8090 /sys/acls/utl_http.xml136.22.22.24 3001 3001 /sys/acls/utl_http.xml136.22.22.25 3005 3005 /sys/acls/utl_http.xml
7. 应用测试
联系应用人员检查测试,3个地址访问正常,24地址访问失败,是目标端防火墙限制导致,联系相关人员处理解决。
问题解决。
更多精彩干货分享
点击下方名片关注
IT那活儿
文章转载自IT那活儿,如果涉嫌侵权,请发送邮件至:contact@modb.pro进行举报,并提供相关证据,一经查实,墨天轮将立刻删除相关内容。
