Bug series: 11g new features, ORA-24247, ACL, external network packages, NULLs

Oracle 11g introduced a new security control:

The DBA has to configure ACLs (package DBMS_NETWORK_ACL_ADMIN); otherwise Oracle throws “ORA-24247: network access denied by access control list (ACL)” whenever your application uses one of the “external network services” packages (Oracle’s term), such as UTL_TCP, UTL_HTTP or DBMS_LDAP.

This is well documented in Oracle’s Upgrade Guide (because people need to upgrade), the New Features Guide, the Security Guide, and the guides of satellite tools such as APEX.
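As an added example (not from the original post), this is what the 11g ACL setup described above looks like when scoped to a single host instead of ‘*’, followed by the two dictionary queries that show what is actually in force. The ACL file name ldap_acl.xml, the principal APP_USER and the host ldap.example.com are assumptions:

```sql
-- Added example, not the post's own code. Run as a DBA.
-- Assumed names: ACL 'ldap_acl.xml', principal APP_USER, host ldap.example.com:389.
BEGIN
  -- Create the ACL and grant the first privilege in one call.
  DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(
    acl         => 'ldap_acl.xml',
    description => 'LDAP access for APP_USER',
    principal   => 'APP_USER',
    is_grant    => TRUE,
    privilege   => 'connect');

  -- 'resolve' is needed when the target is given as a host name, not an IP.
  DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(
    acl       => 'ldap_acl.xml',
    principal => 'APP_USER',
    is_grant  => TRUE,
    privilege => 'resolve');

  -- Bind the ACL to one host and one port: much tighter than host => '*'.
  DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(
    acl        => 'ldap_acl.xml',
    host       => 'ldap.example.com',
    lower_port => 389,
    upper_port => 389);

  COMMIT;
END;
/

-- Check what the database really enforces before blaming ORA-24247 on the ACL.
SELECT acl, host, lower_port, upper_port
  FROM dba_network_acls;

SELECT acl, principal, privilege, is_grant
  FROM dba_network_acl_privileges
 WHERE principal = 'APP_USER';
```

If the second query shows the expected connect/resolve grants and the first shows the right host and port range, the ACL side is fine, and the next suspect is the application’s own call arguments.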

However, ORA-24247 can be misleading. It may have nothing to do with ACLs that the DBA has configured correctly.

This is the case:

The ACL is configured as ‘*’ (allowing the database user to connect to and/or resolve any host).

But ORA-24247 keeps being thrown.

And the answer is: check the parameters passed into the network calls for NULL values.

For example, ORA-24247 keeps being thrown if the hostname is NULL:

l_session := sys.dbms_ldap.init(hostname => NULL, portnum => l_ldap_port);

This is an application bug, of course, but the DBA and Oracle 11g get blamed first when ORA-24247 appears.
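As an added example (not from the original post), the following PL/SQL block shows the application-side fix: validate the host and port before calling DBMS_LDAP.init, so a missing configuration value fails with a message that names the real cause, and a genuine ORA-24247 is only ever seen with a non-NULL host. The wrapper function ldap_connect and the simulated empty configuration value are assumptions:

```sql
-- Added example, not the post's own code.
-- ldap_connect is an illustrative wrapper; l_ldap_host is a constructed
-- value simulating a configuration row that came back empty.
DECLARE
  e_acl_denied EXCEPTION;
  PRAGMA EXCEPTION_INIT(e_acl_denied, -24247);

  l_ldap_host VARCHAR2(256) := NULL;   -- constructed: missing config value
  l_ldap_port PLS_INTEGER   := 389;
  l_session   DBMS_LDAP.session;

  FUNCTION ldap_connect(p_host IN VARCHAR2, p_port IN PLS_INTEGER)
    RETURN DBMS_LDAP.session
  IS
  BEGIN
    -- Fail fast with a message that points at the application, not the ACL.
    IF p_host IS NULL OR p_port IS NULL THEN
      RAISE_APPLICATION_ERROR(-20001,
        'LDAP host/port not configured (host=' || NVL(p_host, 'NULL') ||
        ', port=' || NVL(TO_CHAR(p_port), 'NULL') || ')');
    END IF;
    RETURN SYS.DBMS_LDAP.init(hostname => p_host, portnum => p_port);
  END ldap_connect;
BEGIN
  l_session := ldap_connect(l_ldap_host, l_ldap_port);
  -- bind / search / unbind would follow here
  DBMS_OUTPUT.PUT_LINE('connected to ' || l_ldap_host);
EXCEPTION
  WHEN e_acl_denied THEN
    -- Only reachable with a non-NULL host: now the ACL really is the suspect.
    DBMS_OUTPUT.PUT_LINE('ORA-24247 for host ' || l_ldap_host ||
                         ': check DBA_NETWORK_ACLS and DBA_NETWORK_ACL_PRIVILEGES');
    RAISE;
END;
/
```

With l_ldap_host left NULL the block raises ORA-20001 with the host and port in the message; with a real host name it either connects or surfaces ORA-24247 together with the host that was denied, which is what the DBA needs to check the ACL against.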

Theory of the case:

NULLs are special. They introduce complexity and unexpected behaviour. Some theoreticians argue that NULLs should not be in databases at all. Either way, they are, and they must be handled accordingly.

Another aspect of the case is: read the (bleeped) manual. It clearly states that ACLs allow access only to CONFIGURED hosts.

In my case a star (‘*’) was configured, which means “all hosts”, but a NULL host (surprisingly) is not in (ALL HOSTS).
