
Oracle 11g Database Network Security

Access Control List

Asim Jamal
Database Administrator

With ACLs, Oracle offers more fine-grained control over which users may access
external network resources. The packages UTL_MAIL, UTL_SMTP, UTL_HTTP,
UTL_TCP etc. allow communication from the database server to the outside
world, but once execute access is granted, every host can be reached. This can be
considered a security flaw, as no login is required when using UTL_TCP.
DBAs are advised to revoke the execute privilege from PUBLIC on these kinds of
packages.
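As an added example (not from the original article), the following statements show how a DBA can check which of these packages PUBLIC can currently execute, take the blanket grant back, and re-grant execute to the one schema that needs it. XYZ is the user used later in this article; UTL_INADDR is assumed here as a further network package beyond the ones named above.

```sql
-- Added example (not from the original article). Run as SYS.

-- 1. Which network packages can every user execute today?
SELECT table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner   = 'SYS'
   AND table_name IN ('UTL_TCP', 'UTL_SMTP', 'UTL_MAIL', 'UTL_HTTP', 'UTL_INADDR')
 ORDER BY table_name;

-- 2. Take the blanket grant away. Only revoke what the query above actually lists;
--    UTL_MAIL, for example, is normally not granted to PUBLIC at all.
REVOKE EXECUTE ON sys.utl_tcp    FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_smtp   FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_http   FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_inaddr FROM PUBLIC;

-- 3. Re-grant to the single schema that needs outbound mail (XYZ, as in the rest of this article).
--    The ACL steps later in the article then decide which host that schema may reach.
GRANT EXECUTE ON sys.utl_smtp TO xyz;

-- 4. Code in other schemas that relied on the PUBLIC grant is now INVALID; find it before
--    users do and give those owners a direct grant instead of reinstating PUBLIC.
SELECT owner, object_name, object_type
  FROM dba_objects
 WHERE status = 'INVALID'
   AND object_type IN ('PACKAGE BODY', 'PROCEDURE', 'FUNCTION', 'TRIGGER')
 ORDER BY owner, object_name;
```

The revoke removes the ability to call the packages at all; the ACLs described below add the second layer, restricting the remaining callers to named hosts and ports.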

Since Oracle 11g, the Access Control List has been introduced. You can not only
control who has access to these packages by granting execute on them, but also
which resources they may call.
For instance, when a user is allowed to send e-mails using UTL_MAIL, you can
also restrict the user to sending through a specified mail server.
At first this looks like an obstacle (ORA-24247), but since the Voyager worm
struck Oracle databases a year ago, it has been introduced as an extra security
measure.

I. Configuration of UTL_MAIL:
The UTL_MAIL package is disabled by default in Oracle 11g. It needs to be
enabled before the utility can be used.
Execute the following statements as SYS to enable it.

SQL> @?/rdbms/admin/utlmail.sql
SQL> @?/rdbms/admin/prvtmail.plb
SQL> alter system set smtp_out_server = '<smtp host>' scope=spfile;
SQL> shutdown immediate
SQL> startup

ACL: Access Control List

The ACL is created as a file, and its file name is used as the key when
adding and removing privileges.
1. Create ACL and privileges:

The ACL must be created as SYS (or any other user granted execute on
DBMS_NETWORK_ACL_ADMIN); it will hold the privileges.
An ACL must be created with at least one privilege, so start with the "connect"
privilege for user XYZ; a role could also be added as a principal.

BEGIN
  dbms_network_acl_admin.create_acl(
    acl         => 'utl_mail.xml',
    description => 'Allow mail to be sent',
    principal   => 'XYZ',   -- must be the user that is granted execute on UTL_MAIL below
    is_grant    => TRUE,
    privilege   => 'connect');
  COMMIT;
END;
/

2. Adding a Privilege:

The ACL is created now and more privileges can be added, such as "resolve".

BEGIN
  dbms_network_acl_admin.add_privilege(
    acl       => 'utl_mail.xml',
    principal => 'XYZ',
    is_grant  => TRUE,
    privilege => 'resolve');
  COMMIT;
END;
/

3. Assign an ACL:

Now that XYZ has been granted the connect and resolve privileges, the ACL needs to be
assigned to the resources the user is allowed to connect to.

BEGIN
  dbms_network_acl_admin.assign_acl(
    acl  => 'utl_mail.xml',
    host => 'smtp server host name or address');
  COMMIT;
END;
/
SQL> grant execute on utl_mail to xyz;
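Once the three steps above have run, the result should be verified from the data dictionary rather than assumed. The queries below are an added example, not part of the original article; they use the Oracle 11g views DBA_NETWORK_ACLS and DBA_NETWORK_ACL_PRIVILEGES and the CHECK_PRIVILEGE function of DBMS_NETWORK_ACL_ADMIN, with the ACL and user names from this article.

```sql
-- Added example (not from the original article). Run as SYS or a user with SELECT on the DBA views.

-- 1. Which hosts (and port ranges) are covered by which ACL?
--    A host that appears in no row here is unreachable for every user.
SELECT host, lower_port, upper_port, acl
  FROM dba_network_acls
 ORDER BY host, lower_port;

-- 2. Which principals hold which privileges inside each ACL, and for how long?
SELECT acl, principal, privilege, is_grant,
       TO_CHAR(start_date, 'YYYY-MM-DD') AS valid_from,
       TO_CHAR(end_date,   'YYYY-MM-DD') AS valid_until
  FROM dba_network_acl_privileges
 ORDER BY acl, principal, privilege;

-- 3. Join the two: every (principal, host) pair that may connect right now.
--    This is the effective outbound reach of the database and the list to review after any change.
SELECT p.principal, p.privilege, a.host, a.lower_port, a.upper_port, a.acl
  FROM dba_network_acls a
  JOIN dba_network_acl_privileges p ON p.acl = a.acl
 WHERE p.is_grant = 'true'
   AND (p.start_date IS NULL OR p.start_date <= SYSTIMESTAMP)
   AND (p.end_date   IS NULL OR p.end_date   >= SYSTIMESTAMP)
 ORDER BY p.principal, a.host;

-- 4. Point check for one user and one ACL:
--    1 = granted, 0 = explicitly denied, NULL = the ACL says nothing about this principal.
SELECT dbms_network_acl_admin.check_privilege('utl_mail.xml', 'XYZ', 'connect') AS xyz_connect,
       dbms_network_acl_admin.check_privilege('utl_mail.xml', 'XYZ', 'resolve') AS xyz_resolve
  FROM dual;
```

Query 3 is the one worth keeping in a periodic review: an unexpected principal or a host with an open port range (lower_port NULL, upper_port NULL) is exactly the broad access the ACL mechanism was meant to remove.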

II. Configuration of UTL_SMTP:

To configure UTL_SMTP, first execute the following scripts.

SQL> @?/rdbms/admin/utlsmtp.sql
SQL> @?/rdbms/admin/prvtsmtp.plb
SQL> alter system set smtp_out_server = '<smtp host>' scope=spfile;
SQL> shutdown immediate
SQL> startup

1. Create ACL and privileges:

The ACL must be created as SYS (or any other user granted execute on
DBMS_NETWORK_ACL_ADMIN); it will hold the privileges.
An ACL must be created with at least one privilege, so start with the "connect"
privilege for user XYZ; a role could also be added as a principal.

BEGIN
  dbms_network_acl_admin.create_acl(
    acl         => 'utl_smtp.xml',
    description => 'utl_smtp',
    principal   => 'XYZ',
    is_grant    => TRUE,
    privilege   => 'connect',
    start_date  => SYSTIMESTAMP,
    end_date    => NULL);
  COMMIT;
END;
/

2. Adding a Privilege:

The ACL is created now and more privileges can be added, such as "resolve".

BEGIN
  dbms_network_acl_admin.add_privilege(
    acl       => 'utl_smtp.xml',   -- same ACL name as in create_acl above
    principal => 'XYZ',
    is_grant  => TRUE,
    privilege => 'resolve');
  COMMIT;
END;
/
3. Assign an ACL:

Now that XYZ has been granted the connect and resolve privileges, the ACL needs to be
assigned to the resources the user is allowed to connect to.

BEGIN
  dbms_network_acl_admin.assign_acl(
    acl  => 'utl_smtp.xml',
    host => 'smtp server host name or address');
  COMMIT;
END;
/
SQL> grant execute on utl_smtp to xyz;
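The article describes adding privileges; the reverse path matters just as much when a user no longer needs outbound mail. The block below is an added example, not part of the original article, and uses the other DBMS_NETWORK_ACL_ADMIN procedures (DELETE_PRIVILEGE, UNASSIGN_ACL, DROP_ACL) with the names from this section. Each step can be used on its own; together they undo steps 1 to 3.

```sql
-- Added example (not from the original article). Run as SYS.
BEGIN
  -- 1. Take back one privilege only; the ACL and its other entries stay in place.
  dbms_network_acl_admin.delete_privilege(
    acl       => 'utl_smtp.xml',
    principal => 'XYZ',
    is_grant  => TRUE,
    privilege => 'resolve');

  -- 2. Detach the ACL from the mail host. Once no ACL covers a host,
  --    no user can connect to it regardless of package grants.
  dbms_network_acl_admin.unassign_acl(
    acl  => 'utl_smtp.xml',
    host => 'smtp server host name or address');

  -- 3. Remove the ACL itself when nothing refers to it any more.
  dbms_network_acl_admin.drop_acl(acl => 'utl_smtp.xml');

  COMMIT;
END;
/

-- 4. Finally remove the package grant given at the end of step 3 above,
--    so the user can no longer even call UTL_SMTP.
REVOKE EXECUTE ON utl_smtp FROM xyz;
```

Run the DBA_NETWORK_ACLS query afterwards; the host should no longer appear, and a call from XYZ should fail with ORA-24247.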

4. To check proper configuration:

BEGIN
  utl_mail.send(
    sender     => 'scott@tiger.com',
    recipients => 'xyz@abc.com',
    message    => 'Hello World');
  COMMIT;
END;
/

If the mail is sent, UTL_MAIL and UTL_SMTP are properly configured.

III. Configuration of UTL_HTTP:

1. Create ACL and privileges:

The ACL must be created as SYS (or any other user granted execute on
DBMS_NETWORK_ACL_ADMIN); it will hold the privileges.
An ACL must be created with at least one privilege, so start with the "connect"
privilege for user XYZ; a role could also be added as a principal.

BEGIN
  dbms_network_acl_admin.create_acl(
    acl         => 'utl_http.xml',
    description => 'HTTP Access',
    principal   => 'XYZ',
    is_grant    => TRUE,
    privilege   => 'connect',
    start_date  => NULL,
    end_date    => NULL);
  COMMIT;
END;
/

2. Adding a Privilege:

The ACL is created now and more privileges can be added, such as "resolve".

BEGIN
  dbms_network_acl_admin.add_privilege(
    acl        => 'utl_http.xml',
    principal  => 'XYZ',
    is_grant   => TRUE,
    privilege  => 'resolve',
    start_date => NULL,
    end_date   => NULL);
  COMMIT;
END;
/

3. Assign an ACL:

Now that XYZ has been granted the connect and resolve privileges, the ACL needs to be
assigned to the resources the user is allowed to connect to. Here the assignment is
limited to port 80 of the host.

BEGIN
  dbms_network_acl_admin.assign_acl(
    acl        => 'utl_http.xml',
    host       => 'www.xyz.com',
    lower_port => 80,
    upper_port => 80);
  COMMIT;
END;
/

If any port other than 80 is used with the ACL above, the call fails with an
error (ORA-24247), as only port 80 has been given access.
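The failure mode just described is easier to recognise when it is caught and named. The block below is an added example, not part of the original article: it requests the host assigned above once on port 80 and once on port 8080, and turns the resulting ORA-24247 into a readable message. It assumes the UTL_HTTP steps above have been run and that it is executed as XYZ; www.xyz.com is the placeholder host from the article, not a real site.

```sql
-- Added example (not from the original article). Run as XYZ after the UTL_HTTP steps above.
SET SERVEROUTPUT ON
DECLARE
  l_url  VARCHAR2(200);
  l_req  utl_http.req;
  l_resp utl_http.resp;
BEGIN
  -- Port 80 is inside the ACL range, 8080 is not; the second request must be refused.
  FOR r IN (SELECT 80 AS port FROM dual UNION ALL SELECT 8080 FROM dual) LOOP
    l_url := 'http://www.xyz.com:' || r.port || '/';
    BEGIN
      l_req  := utl_http.begin_request(l_url);
      l_resp := utl_http.get_response(l_req);
      dbms_output.put_line(l_url || ' -> HTTP ' || l_resp.status_code
                           || ' (port allowed by utl_http.xml)');
      utl_http.end_response(l_resp);
    EXCEPTION
      WHEN utl_http.request_failed THEN
        -- UTL_HTTP raises ORA-29273 and keeps the real cause in the error stack;
        -- ORA-24247 there means the ACL refused the call before any connection was attempted.
        IF INSTR(dbms_utility.format_error_stack, 'ORA-24247') > 0 THEN
          dbms_output.put_line(l_url || ' -> ORA-24247: port ' || r.port
                               || ' is outside the range assigned to utl_http.xml');
        ELSE
          -- DNS failure, refused connection or time-out: a network problem, not an ACL decision
          dbms_output.put_line(l_url || ' -> ' || SQLERRM);
        END IF;
    END;
  END LOOP;
END;
/
```

Distinguishing the ACL denial from ordinary network errors is what makes the message useful: the first is a configuration decision to review in DBA_NETWORK_ACLS, the second is something to take to the network team.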

All these steps are required to configure Database Network Security; once they
are in place, outbound mail can be sent without difficulty.
