Configure the Oracle DB Access Control List to avoid error like ORA-24247: network access denied

Symptoms: 

You try to make external connections from the Oracle Database and receive erros like

ORA-24247: network access denied by access control list (ACL)

SQL> select utl_http.request('http://www.yourwebsite.com') from dual;

select utl_http.request('http://www.yourwebsite.com') from dual

*

ERROR at line 1:

ORA-29273: HTTP request failed

ORA-06512: at "SYS.UTL_HTTP", line 1577

ORA-24247: network access denied by access control list (ACL)

ORA-06512: at line 1

Cause: 

The reason is that your database does not have permission to make external connections (through the internet - url or public IP).

So you have to configure explicity what hostname, website or public IP is allowed. Morover, you can be more specific on what port to open and what privilege to do so.

Solution:

First of all, you can make sure if there is any privilege for any database user. Empty resultset (that is default) means no privilege, you have to configure.

To ADD permission:

BEGIN

    DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(

        host => '*',

--      lower_port => 80,

--      upper_port => 80,

        ace => xs$ace_type(privilege_list => xs$name_list('connect','resolve','http'),     -- HERE you can specify the privileges, the three of there are more than enough

                           principal_name => '<YOUR_DATABASE_USER>',           -- HERE you specify the database user that will make the external calls.

                           principal_type => xs_acl.ptype_db));

END;

/

COMMIT;

To REMOVE an existent privilege, in case you need to remove.

begin

dbms_network_acl_admin.remove_host_ace(

  host => '*',

  ace  =>  xs$ace_type(privilege_list => xs$name_list('http'),

                       principal_name => '<YOUR_DATABASE_USER>',

                       principal_type => xs_acl.ptype_db)); 

end;

/

Once added or removed, execute the query above to make sure what permissions and users are configured.

Hope that helps.

Error on Oracle ORDS with the message: The pool named: |default|lo| is invalid and will be ignored: The database password secret in the wallet associated with the pool named

Symptoms: 

After changing some configuration on the Host server - such as hostname - you might see issue on the ORDS page, similar to this:

[WARNING] The pool named: |default|lo| is invalid and will be ignored: The database password secret in the wallet associated with the pool named: |default|lo| is missing

Mapped local pools from /<ORDS_CONFIG_DIR>/databases:

/ords/ default => INVALID

Cause: 

cwallet.sso file got corrupted after changing config on the host server.

Solution:

As cwallet.sso file is corrupted, its required to create a new wallet file using following command.

1> Delete (or backup) /<ORDS_CONFIG_DIR>/databases/default/wallet/cwallet.sso

2> Recreate the cwallet.sso using below command by resetting the password for ORDS_PUBLIC_USER.

cd $ORDS_PATH

ords config secret db.password

Make Sure you should see " The setting named: db.password was set to: ****** in configuration: default "

NOTE: If the exception is given for a user defined pool, then you should provide pool name for resetting the password.

3. Start / Restart ORDS.

References:

   Oracle Support Doc ID 3004436.1

ORA-12791: The oradism utility does not have proper permissions.

 Symptoms: 

You have copied/movied to another disk or location the Oracle binary files that were already installed, after that you cannot startup the instance that raises an error.

Cause: 

During the copy/move of files, it was not preserved the file system permissions.

Solution:

There are couple of reasons why the error can report for a new software installation.

1.) root.sh was not run as part of the installation.

2.) The permissions are not set correctly on oradism or the oracle process.

[oracle@localhost bin]$ ls -ltr $ORACLE_HOME/bin/oracle

-rwxr-x--x 1 grid oinstall 474620976 Feb 9 11:45 /u01/app/21.0.0.0/grid/bin/oracle 

[oracle@localhost bin]$ ls -l oradism

-rwsr-x---. 1 root oinstall 1882760 Oct  7 07:57 oradism

For oracle, the file permission should be 6751

chmod 6751 oracle

For oradism, file permission should be 4750

chmod 4750 oradism

 

3.) The startup command run from another user which is not part of the “oradism” group.

4.) The oracle binary's group is different than oradism's group. Both should match.

[oracle@localhost bin]$ ls -l oracle

-rwsr-s--x. 1 oracle oinstall 536007304 Jan 27 09:13 oracle

[oracle@localhost bin]$ ls -l oradism

-rwsr-x---. 1 root oinstall 1882760 Oct  7 07:57 oradism

 

5.) Another  possible scenario for this problem :

The mount having the oradism binary is having "nosuid" option set.

With which even if the permissions are proper and kernel configurations are fine, the oradism  execution as root user will not be honored by root.

Check the mount (or /etc/fstab) for this case.

Hope this help.

References:

    Doc ID 2929596.1 - ORA-12791 Even if oradism Permissions Seems Correct

Certificate validation failure (missing or misconfigured Wallet)

Symptoms: 

Your Oracle PLSQL routine is trying to access a https website and you get such an error:

Exception in "begin_request":

Error Stack: ORA-29273: HTTP request failed

ORA-29024: Certificate validation failure

ORA-06512: at "SYS.UTL_HTTP", line 380

ORA-06512: at "SYS.UTL_HTTP", line 1189

Backtrace: ORA-06512: at "SYS.UTL_HTTP", line 380

ORA-06512: at "SYS.UTL_HTTP", line 1189

Cause: 

This is because there is no handshaking with encryptation channel between your database connection and the website that only respondes via https.

Solution:

All you need to do is to download the cert files from the https website you are trying to access (preferebly via firefox that is much easier to download).

Figure 1

Figure 2.

Figure 3.

• So now, go to your server and create a specific directory for your wallet and create one:

mkdir /u01/oracle-wallet -p

• Copy your certificate files to this folder

cp $STAGE_DIR/certificados/*.pem /u01/oracle-wallet

• Create the wallet

cd /u01/oracle-wallet

orapki wallet create -wallet https_wallet -pwd <create_new_password> -auto_login

• Add the certificate files to the wallet

cd /u01/oracle-wallet

orapki wallet add -wallet https_wallet -cert <your-cert-file>.pem -trusted_cert -pwd <set_your_password_created>

• List all added certificates into the wallet

cd /u01/oracle-wallet/https_wallet

orapki wallet display -wallet .

• Certainly you will need to configure the ACL (Access Control List) from your database, adjusting the code below.

$ sqlplus system/<password_user>

BEGIN

    DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(

        host => '*',

        ace => xs$ace_type(privilege_list => xs$name_list('connect','resolve','http'),

                           principal_name => '<YOUR_SCHEMA_HERE>',

                           principal_type => xs_acl.ptype_db));

END;

/

• To test that is working, adapt your code to include the wallet path and password, such example:

DECLARE

  req   UTL_HTTP.req;

  resp  UTL_HTTP.resp;

BEGIN

  UTL_HTTP.SET_WALLET('file:<wallet_path_here>', '<your_password>';

  req := UTL_HTTP.begin_request('https://<https_address>');

  resp := UTL_HTTP.get_response(req);

  UTL_HTTP.end_response(resp);

END;

/

Hope this help.

ORA-01722 While Creating new APEX Interactive Grid Or Interactive Report

Symptoms: 

While trying to create new Interactive Grids or Interactive Reports in APEX applications, everything works as expected until the SAVE button is clicked and the following error message is displayed:

ORA-01722: invalid number

The problem appears to be only with Save but not with the query during runtime.

Cause: 

The issue appears due to the reason that the action is being performed through a language other than English through the browser plugin.

Solution:

Append the string &p_lang=en to the URL in the browser address bar

Reload the page designer and test the behavior.

In order to get rid of this error, Customer need to install the language components for the corresponding language.

And belive, it works!

Source: ORA-01722 While Creating new Interactive Grid Or Interactive Report (MOS Doc ID 2859399.1)

Grant java privileges to run under Oracle Database

Symptoms:
You have a java code running under Oracle Database and needs to adjust the privileges to run the code.


Cause:
Some exemple of errors when trying to execute your java code:

"the Permission ("java.io.FilePermission" "/u01/data/yourfile.dat" "write") has not been granted to <YOUR-USER>. The PL/SQL to grant this is dbms_java.grant_permission( '<YOUR-USER>', 'SYS:java.io.FilePermission', '/u01/data/yourfile.dat', 'write' )"

or 

"the Permission ("java.net.SocketPermission" "localhost:0" "listen,resolve") has not been granted to <YOUR-USER>. The PL/SQL to grant this is dbms_java.grant_permission( '<YOUR-USER>', 'SYS:java.net.SocketPermission', 'localhost:0', 'listen,resolve' )"

Solution:
Set the variables according to your needs and give the privileges:

begin
  dbms_java.grant_permission( '<YOUR-USER>', 'SYS:java.io.FilePermission', '/u01/data/-', 'read,write,delete' );

  dbms_java.grant_permission( '<YOUR-USER>', 'SYS:java.net.SocketPermission', '*', 'accept,listen,connect,resolve' );
end;
/


Note:

A pathname that ends in "/*" (where "/" is the file separator character,File.separatorChar) indicates a directory and all the files contained in that directory.

A pathname that ends with "/-" indicates a directory and (recursively) all files and subdirectories contained in that directory.


Hope this helps.

When starting Oracle Listener gets an error TNS-00525: Insufficient privilege for operation

Symptoms:
When trying to start the Oracle Listener, it returns an error regarding permission but not clear on the logs what it is:

TNSLSNR for Linux: Version 19.0.0.0.0 - Production
System parameter file is /u01/ora19c/product/19.3.0/network/admin/listener.ora
Log messages written to /u01/ora19c/diag/tnslsnr/sandbox19js/listener/alert/log.xml
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=sandbox19js)(PORT=1521)))
Error listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
TNS-12555: TNS:permission denied
 TNS-12560: TNS:protocol adapter error
  TNS-00525: Insufficient privilege for operation
   Linux Error: 1: Operation not permitted

Cause:
In the directory /var/tmp/.oracle there exist some socket files which do not belong to UNIX user oracle and group dba, but to another user.
When the Listener process starts, it tries to create the following socket files:
  /var/tmp/.oracle/s#<pid>.1
  /var/tmp/.oracle/s#<pid>.2
  /var/tmp/.oracle/sREGISTER
where <pid> is the ID of the operating system process for the Listener.

Solution:
As UNIX user root, delete all socket files from directory /var/tmp/.oracle
Then as oracle owner UNIX user, starts the Listener by executing the command "lsnrctl start".