Oracle 11g has a new security feature:
The DBA has to configure ACLs (package DBMS_NETWORK_ACL_ADMIN); otherwise Oracle throws the “ORA-24247: network access denied by access control list (ACL)” error if your application depends on “external network services” (Oracle’s term) packages such as UTL_TCP, UTL_HTTP, DBMS_LDAP, etc.
This is well documented in Oracle’s upgrade guide (because people need to upgrade), the new features guide, the security guide, and the guides for satellite tools like APEX.
However, ORA-24247 can be misleading. It may have nothing to do with the ACLs, which the DBA may have configured correctly.
This is the case:
The ACL is configured as ‘*’ (allowing the database user to connect and/or resolve to any host),
but ORA-24247 still keeps being thrown.
And the answer is: check the parameters passed into network calls for NULL values.
For example, ORA-24247 keeps being thrown if the hostname is NULL:
l_session := sys.dbms_ldap.init(hostname => NULL, portnum => l_ldap_port);
This is an application bug, of course, but the DBA and Oracle 11g are blamed first after getting ORA-24247.
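One way to tell the two causes apart, as an added example that is not code from the original post: a wrapper that rejects NULL arguments before calling DBMS_LDAP.INIT and reports a real ACL denial separately. The names ldap_init_checked and try_connect, the error numbers -20001 and -20002, port 389 and the host ldap.example.com are assumptions made for illustration; USER_NETWORK_ACL_PRIVILEGES is the 11g dictionary view of the current user's network privileges.

```sql
-- SQL*Plus / SQLcl: show DBMS_OUTPUT text
SET SERVEROUTPUT ON
DECLARE
  e_acl_denied EXCEPTION;
  PRAGMA EXCEPTION_INIT(e_acl_denied, -24247);

  -- Hypothetical wrapper: rejects NULL arguments before the network call.
  FUNCTION ldap_init_checked(p_host IN VARCHAR2, p_port IN PLS_INTEGER)
    RETURN sys.dbms_ldap.session
  IS
    l_granted PLS_INTEGER;
  BEGIN
    -- '' is NULL in Oracle, so TRIM also catches empty and blank strings.
    IF TRIM(p_host) IS NULL OR p_port IS NULL THEN
      raise_application_error(-20001,
        'LDAP host or port is NULL: check application configuration, not the ACL');
    END IF;
    RETURN sys.dbms_ldap.init(hostname => p_host, portnum => p_port);
  EXCEPTION
    WHEN e_acl_denied THEN
      -- Arguments were not NULL, so this is a genuine ACL denial.
      SELECT COUNT(*) INTO l_granted
        FROM user_network_acl_privileges
       WHERE privilege = 'connect' AND status = 'GRANTED';
      raise_application_error(-20002,
        'ACL denied connect to ' || p_host || ':' || p_port || ' for ' || USER ||
        ' (' || l_granted || ' granted connect entries)', TRUE);
  END ldap_init_checked;

  -- Calls the wrapper and prints the outcome instead of aborting the block.
  PROCEDURE try_connect(p_host IN VARCHAR2, p_port IN PLS_INTEGER) IS
    l_session sys.dbms_ldap.session;
    l_rc      PLS_INTEGER;
  BEGIN
    l_session := ldap_init_checked(p_host, p_port);
    l_rc := sys.dbms_ldap.unbind_s(l_session);
    dbms_output.put_line('connected to ' || p_host);
  EXCEPTION
    WHEN OTHERS THEN
      dbms_output.put_line(SQLERRM);
  END try_connect;
BEGIN
  sys.dbms_ldap.use_exception := TRUE;
  try_connect(NULL, 389);                -- constructed: the bug from the post
  try_connect('ldap.example.com', 389);  -- placeholder host, replace with yours
END;
/
```

The first call fails with ORA-20001 before any network access is attempted, so the NULL argument is never reported as an ACL problem.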
Theory of the case:
NULLs are special. They introduce complexity and unexpected phenomena. Some theoreticians argue that NULLs must not be in databases. Anyway, they are there and must be handled accordingly.
Another aspect of the case is: read the (bleeped) manual. It clearly states that ACLs allow access only to CONFIGURED hosts.
In my case a star (‘*’) was configured, which means “all hosts”, but a NULL host (surprisingly) is not in (ALL HOSTS).
Q.E.D.