
How to Make a WhiteList for DB Connection

Database Whitelist

If only a few clients use the database, we can make a whitelist that explicitly accepts those clients and has the listener reject every other source address before it reaches the database.

It takes two steps.

1. Invite Clients in SQLNET.ORA

We allow the clients at the Oracle Net level, in the sqlnet.ora read by the listener, so the check happens before any database authentication.

[oracle@test ~]$ cd $ORACLE_HOME/network/admin
[oracle@test admin]$ vi sqlnet.ora
...
TCP.VALIDNODE_CHECKING=YES
TCP.INVITED_NODES=(10.1.1.104, 192.168.*, dns.example.com, 10.10.0.0/16)

TCP.VALIDNODE_CHECKING must be YES, and each entry of TCP.INVITED_NODES accepts any of the following:

  • Specific IP address
  • IPv4 address with a wildcard (e.g. 192.168.*)
  • Hostname
  • CIDR notation for IPv4 and IPv6

The list is exhaustive: any source that matches none of the entries is refused. Remember to include the database server's own addresses (and, on RAC, the public, VIP and SCAN addresses of every node), otherwise local and intra-cluster connections are rejected along with the unwanted ones.

RAC DB

For RAC databases, the listeners run from the Grid Infrastructure home, so the parameters go into that home's sqlnet.ora.

[grid@primary01 ~]$ cd $ORACLE_HOME/network/admin
[grid@primary01 admin]$ vi sqlnet.ora
...
TCP.VALIDNODE_CHECKING=YES
TCP.INVITED_NODES=(10.1.1.104, 192.168.*, dns.example.com, 10.10.0.0/16)

2. Restart Listener

For the settings to take effect immediately, we should restart the listener.

[oracle@test admin]$ lsnrctl stop; lsnrctl start

RAC DB

For RAC databases, we should restart the listeners with srvctl. The SCAN listeners read the same sqlnet.ora and should be restarted as well (srvctl stop scan_listener; srvctl start scan_listener).

[grid@primary01 admin]$ srvctl stop listener; srvctl start listener; srvctl status listener
Listener LISTENER is enabled
Listener LISTENER is running on node(s): primary01,primary02

From now on, the listener checks the source address of every incoming connection before handing it to the database. A client that is not on the list fails at the TNS level (typically with ORA-12537: TNS:connection closed), never reaching password authentication, and the refused attempt is recorded in the listener log, which is worth watching after the change to catch a legitimate client that was left off the list.

In contrast to the whitelist, we can make a blacklist with TCP.EXCLUDED_NODES to block only specific unwanted sources. If both parameters are set, TCP.INVITED_NODES takes precedence; a whitelist is the stronger choice because it denies by default.
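Before restarting the listener it helps to know which clients a given list will admit. The following script is an added example, not part of the original article and not Oracle's own code: it parses a constructed sqlnet.ora fragment with the same TCP.INVITED_NODES entries as above and emulates the accept/reject decision for a client address, covering the whitelist case and the TCP.EXCLUDED_NODES blacklist case (with the invited list taking precedence when both are present). It assumes the matching rules as documented for the four entry forms (exact IP, IPv4 wildcard, hostname, CIDR); hostnames are compared literally because the real listener resolves them through DNS, which this offline check does not do.

```python
import ipaddress
import re

# Constructed sqlnet.ora fragment (same entries as in the article), embedded so the check runs offline.
SQLNET_ORA = """
TCP.VALIDNODE_CHECKING=YES
TCP.INVITED_NODES=(10.1.1.104, 192.168.*, dns.example.com, 10.10.0.0/16)
"""


def parse_sqlnet(text):
    """Return the NAME=VALUE parameters of a sqlnet.ora fragment as a dict.
    A parenthesised value is split on commas into a list of entries."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = re.match(r'([A-Za-z0-9_.]+)\s*=\s*(.*)', line)
        if not m:
            continue
        key, value = m.group(1).upper(), m.group(2).strip()
        if value.startswith('(') and value.endswith(')'):
            params[key] = [v.strip() for v in value[1:-1].split(',') if v.strip()]
        else:
            params[key] = value
    return params


def entry_matches(entry, client):
    """True if one TCP.INVITED_NODES / TCP.EXCLUDED_NODES entry covers the client.
    client is an IP address string or a hostname. Hostname entries are compared
    literally (assumption of this offline check; the listener resolves them)."""
    try:
        ip = ipaddress.ip_address(client)
    except ValueError:
        return entry.lower() == client.lower()          # hostname client vs hostname entry
    if '/' in entry:                                   # CIDR, IPv4 or IPv6
        try:
            return ip in ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return False
    if '*' in entry:                                   # IPv4 wildcard, octet by octet
        if ip.version != 4:
            return False
        for e, c in zip(entry.split('.'), client.split('.')):
            if e != '*' and e != c:
                return False
        return True
    try:
        return ip == ipaddress.ip_address(entry)       # exact address
    except ValueError:
        return False                                   # hostname entry, IP client: would need DNS


def decide(params, client):
    """Emulate the listener's valid node checking for one client.
    Returns 'accept', 'reject', or 'no-check' when TCP.VALIDNODE_CHECKING is off."""
    enabled = str(params.get('TCP.VALIDNODE_CHECKING', 'no')).lower()
    if enabled not in ('yes', 'true', 'on', '1'):
        return 'no-check'
    invited = params.get('TCP.INVITED_NODES', [])
    excluded = params.get('TCP.EXCLUDED_NODES', [])
    if invited:
        # Whitelist present: only listed sources get in; it takes precedence over the blacklist.
        return 'accept' if any(entry_matches(e, client) for e in invited) else 'reject'
    if excluded:
        # Blacklist only: everything not listed is allowed.
        return 'reject' if any(entry_matches(e, client) for e in excluded) else 'accept'
    return 'accept'


if __name__ == '__main__':
    cfg = parse_sqlnet(SQLNET_ORA)
    for c in ('10.1.1.104', '192.168.77.3', '10.10.200.1', '10.11.0.1', 'dns.example.com', '2001:db8::1'):
        print(f'{c:18} -> {decide(cfg, c)}')
```

Run it against the real sqlnet.ora (read the file into parse_sqlnet) with the addresses of every application host, monitoring server, and the database nodes themselves; a 'reject' for any of those means the list is incomplete and the restart will cut that client off.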
