ORA-24248 XMLDB extensible security not installed - ORA-24247: network access denied by access control list (ACL)
Posted 1/21/2011 3:12:09 PM Post #521
 

We just upgraded our database from 10g to 11g R2.  After the upgrade when we were using the mail functions we started to get the following error:

ORA-24248: XMLDB extensible security not installed

begin
  sendmail(p_to => 'yyyy@xxxx.com',
           p_from => 'no_reply@xxxx.com',
           p_subject => 'test',
           p_text => 'test');
end;

ORA-24248: XML DB extensible security not installed


Posted 1/21/2011 3:17:56 PM Post #522
 


ORA-24248 XMLDB extensible security not installed

We found the correct way to install the xml database piece.

Oracle 11g introduces more secure and fine-grained access on network packages like UTL_TCP, UTL_SMTP, UTL_MAIL, UTL_HTTP and UTL_INADDR, i.e. an execute privilege on these packages is not enough to access an external network resource using these packages.

You have to configure an ACL (Access Control List), assign the network host and port to it, and grant the connect privilege to the users through this ACL.

First check to see what you have installed:

SQL> select comp_name from dba_registry;

As can be seen from the output of the above query, you will be missing Oracle XML Database.

Here is how to install :

Install XML Database: Oracle 11g Enterprise Edition

$ cd $ORACLE_HOME/rdbms/admin
$ sqlplus / as sysdba
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> spool install_xml.log
SQL> @catqm xdb sysaux temp NO
-- xdb is the password for XML Database repository schema
-- sysaux is the default tablespace for XML Database repository schema.
-- temp is the default temporary tablespace for XML Database repository schema.
-- the fourth argument selects SecureFiles for xdb$resource: YES uses SecureFiles, NO (passed here) does not
...[output trimmed]...
SQL> declare  
2    suf  varchar2(26);  
3    stmt varchar2(2000);  
4  begin  
5    select toksuf into suf from xdb.xdb$ttset where flags = 0;  
6    stmt := 'grant all on XDB.X$PT' || suf || ' to DBA';  
7    execute immediate stmt;  
8    stmt := 'grant all on XDB.X$PT' || suf || ' to SYSTEM WITH GRANT OPTION';  
9    execute immediate stmt; 
10  end; 
11  /
PL/SQL procedure successfully completed.
SQL> spool off
 

The XML Database installation is complete.

Open the install_xml.log and check for any significant errors in it.

Then verify from dba_registry again to see the status of XML Database installed as follows:

SQL> select comp_name , status from dba_registry;
COMP_NAME                                STATUS
---------------------------------------- --------------------------------------------
Oracle XML Database                      VALID
Oracle Enterprise Manager                VALID
OLAP Catalog                             VALID
Oracle Database Catalog Views            VALID
Oracle Database Packages and Types       VALID
JServer JAVA Virtual Machine             VALID
Oracle Database Java Packages            VALID
 
7 rows selected.
 
SQL>
 
The status should be VALID to indicate that the installation was successful.
 
After this, you should not get the ORA-24248 XMLDB extensible security not installed
error message again.
 
Hope this helps.
 
Thanks,
Posted 1/21/2011 3:18:29 PM Post #523
 

ORA-24248 XMLDB extensible security not installed

To uninstall XML Database follow these steps:

Uninstall XML Database: Oracle 11g Enterprise Edition

$ cd $ORACLE_HOME/rdbms/admin
$ sqlplus / as sysdba
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> @catnoqm.sql
-- This will uninstall the Oracle XML Database.
Posted 2/1/2011 4:48:54 PM Post #532
 

ORA-24247: network access denied by access control list (ACL)

RESOLVED:

 

We are getting this error –

2011-01-26 10:45:15,444 <ERROR> [TP-Processor8] - <SEC-MARKET> <com.bhfe.loading:make()> could not make a FORCED deal: java.sql.SQLException:
ORA-24247: network access denied by access control list (ACL)
ORA-06512: at "SYS.UTL_TCP", line 17
ORA-06512: at "SYS.UTL_TCP", line 246
ORA-06512: at "SYS.UTL_SMTP", line 127
ORA-06512: at "LOADSCHEMA.SID_LIST_AR_T", line 138
ORA-04088: error during execution of trigger 'LOADSCHEMA.SID_LIST_AR_T'

To resolve this issue: in Oracle 11g, there is a new security feature for fine grain auditing.

You need to enable access in the access control list in order for this to work:

BEGIN
  -- Only uncomment the following line if ACL "network_services.xml" has already been created
  --DBMS_NETWORK_ACL_ADMIN.DROP_ACL('network_services.xml');

  -- Create the ACL and grant LOADSCHEMA the connect privilege
  DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(
    acl => 'network_services.xml',
    description => 'FTP ACL',
    principal => 'LOADSCHEMA',
    is_grant => true,
    privilege => 'connect');

  -- Add the resolve privilege for the same principal
  DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(
    acl => 'network_services.xml',
    principal => 'LOADSCHEMA',
    is_grant => true,
    privilege => 'resolve');

  -- Assign the ACL to every host ('*' is a wildcard)
  DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(
    acl => 'network_services.xml',
    host => '*');

  COMMIT;
END;
/


Posted 2/1/2011 4:50:31 PM Post #533
 

This is what Oracle says:

ORA-24247 Using UTL_TCP, UTL_HTTP, UTL_SMTP and UTL_MAIL with 11gR1 or Later [ID 1209644.1]

 Modified 05-NOV-2010     Type PROBLEM     Status PUBLISHED 

In this Document
  Symptoms
  Cause
  Solution


Applies to:

PL/SQL - Version: 11.1.0.6 and later   [Release: 11.1 and later ]
Information in this document applies to any platform.

Symptoms

Prior to 11gR1 you were able to run PL/SQL code making calls to the following Oracle Supplied Packages without error...

  • UTL_TCP
  • UTL_HTTP
  • UTL_SMTP
  • UTL_MAIL

After moving to 11gR1 or later you are now experiencing a form of the following error message...

     ORA-24247: network access denied by access control list (ACL)

Cause

In 11gR1 the Oracle Database enhanced the level of security when users attempt to access External Network Services by implementing Access Control Lists (ACL) using the new DBMS_NETWORK_ACL_ADMIN package.  The PL/SQL packages listed above were affected.  For more information on this change to Oracle Database Security please review the following links:

Solution

To resolve this error, connect to the database as a user with DBA privileges and issue the following script which will grant a user or role access to External Network Services.  Be sure to replace the name of user SCOTT with the name of the user or role in which you want to grant access.  This value is case-sensitive.

BEGIN

  -- Only uncomment the following line if ACL "network_services.xml" has already been created
  --DBMS_NETWORK_ACL_ADMIN.DROP_ACL('network_services.xml');

  DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(
    acl => 'network_services.xml',
    description => 'FTP ACL',
    principal => 'SCOTT',
    is_grant => true,
    privilege => 'connect');

  DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(
    acl => 'network_services.xml',
    principal => 'SCOTT',
    is_grant => true,
    privilege => 'resolve');

  DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(
    acl => 'network_services.xml',
    host => '*');

  COMMIT;

END;
/


NOTE:  Be sure to replace the two (2) occurrences of user SCOTT in the script above with the user or role you want to grant permissions to.  The name of the user or role is case-sensitive.  By default all users and roles default to uppercase unless specifically created with case-sensitivity.


After running this script, the user or role should no longer receive the error message.


NOTE: While this note simply grants a user or role the proper permissions to access ALL external network services, you can further limit this to specific external network services through the call to DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL by changing the value for the host parameter.  For more information about setting the value of host for specific network services see the documentation on DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL.
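
The host restriction mentioned in the note above, as an added example that is not part of the thread or of Oracle's note: it grants LOADSCHEMA the connect privilege on one SMTP relay and one port instead of host => '*', audits the existing assignments, and then removes the wildcard one. The relay name smtp.example.internal, port 25 and the ACL file name smtp_relay.xml are assumptions; the calls and views are the 11g ones.

```sql
-- Added example (11g). Assumed values, not from the thread:
--   smtp.example.internal / port 25 (mail relay), smtp_relay.xml (ACL name).
BEGIN
  DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(
    acl         => 'smtp_relay.xml',
    description => 'SMTP relay access for LOADSCHEMA',
    principal   => 'LOADSCHEMA',   -- case-sensitive
    is_grant    => TRUE,
    privilege   => 'connect');     -- connect covers UTL_TCP/UTL_SMTP/UTL_MAIL/UTL_HTTP;
                                   -- resolve is only for UTL_INADDR lookups

  -- Bind the ACL to one host and one port instead of host => '*'.
  DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(
    acl        => 'smtp_relay.xml',
    host       => 'smtp.example.internal',
    lower_port => 25,
    upper_port => 25);
  COMMIT;
END;
/

-- Audit every assignment: who can reach which host and port range.
-- Rows with scope = 'WILDCARD' are the ones to review first.
SELECT a.host, a.lower_port, a.upper_port,
       p.principal, p.privilege, p.is_grant,
       CASE WHEN a.host LIKE '*%' THEN 'WILDCARD' ELSE 'specific' END AS scope
FROM   dba_network_acls a
JOIN   dba_network_acl_privileges p ON p.aclid = a.aclid
ORDER  BY a.host, p.principal;

-- Confirm the grant on the new ACL (1 = granted, 0 = denied, NULL = no entry).
SELECT DECODE(DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE(
                'smtp_relay.xml', 'LOADSCHEMA', 'connect'),
              1, 'GRANTED', 0, 'DENIED', 'NO ENTRY') AS connect_priv
FROM   dual;

-- Once mail works through the narrow ACL, remove the wildcard assignment
-- created by the scripts above.
BEGIN
  DBMS_NETWORK_ACL_ADMIN.UNASSIGN_ACL(
    acl  => 'network_services.xml',
    host => '*');
  COMMIT;
END;
/
```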

