ORA-24247: network access denied by access control list

Applies to:

PL/SQL - Version 11.1.0.6 and later
Information in this document applies to any platform.
***Checked for relevance on 26-Jun-20136***

Prior to 11gR1 you were able to run PL/SQL code making calls to the following Oracle Supplied Packages without error.

• UTL_TCP
• UTL_HTTP
• UTL_SMTP
• UTL_MAIL

After moving to 11gR1 or later you are now experiencing a form of the following error message...

ORA-24247: network access denied by access control list (ACL)

In 11gR1 the Oracle Database enhanced the level of security when users attempt to access External Network Services by implementing Access Control Lists (ACL) using the new DBMS_NETWORK_ACL_ADMIN package.  The PL/SQL packages listed above were affected.  For more information on this change to Oracle Database Security please review the following

 

Solution

To resolve this error, connect to the database as a user with DBA privileges and issue the following script which will grant a user access to External Network Services.  Be sure to replace the name of user SCOTT with the name of the user in which you want to grant access.  This value is case-sensitive.

BEGIN

  -- Only uncomment the following line if ACL "network_services.xml" has already been created
  --DBMS_NETWORK_ACL_ADMIN.DROP_ACL('network_services.xml');

  DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(
    acl => 'network_services.xml',
    description => 'NETWORK ACL',
    principal => 'SCOTT',
    is_grant => true,
    privilege => 'connect');

  DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(
    acl => 'network_services.xml',
    principal => 'SCOTT',
    is_grant => true,
    privilege => 'resolve');

  DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(
    acl => 'network_services.xml',
    host => '*');

  COMMIT;

END;

 

 

 

Elapsed: 00:00:00.01

11:19:36 sys@warehous>BEGIN

11:20:20   2  DBMS_NETWORK_ACL_ADMIN.CREATE_ACL (

11:20:20   3  acl => 'mailserver_acl.xml',

11:20:20   4  description => 'Network connection permission for ACCT_MGR',

11:20:20   5  principal => 'DW001', -- Must be in upper case

11:20:20   6  is_grant => TRUE,

11:20:20   7  privilege => 'connect');

11:20:20   8  END;

11:20:20   9  /

 

BEGIN

DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL (

acl => 'mailserver_acl.xml',

host => '*',

 

PL/SQL procedure successfully completed.

 

Elapsed: 00:00:00.04

11:20:20 sys@warehous>11:20:20 sys@warehous>11:20:20   2  11:20:20   3  11:20:20   4  11:20:20   5  lower_port => 25,

11:20:20   6  upper_port => 25);

11:20:20   7  END;

11:20:20   8  /

 

PL/SQL procedure successfully completed.

 

Elapsed: 00:00:00.09

11:20:26 sys@warehous>

11:20:28 sys@warehous>

11:20:29 sys@warehous>commit;

 

Commit complete.

 

15:15:30 sys@warehous>select host, lower_port, upper_port, acl from dba_network_acls;

 

HOST                           LOWER_PORT UPPER_PORT ACL

------------------------------ ---------- ---------- --------------------------------------------------

*                                      25         25 /sys/acls/mailserver_acl.xml

 

15:17:26 sys@warehous>select acl,

15:17:47   2         principal,

15:17:47   3         privilege,

15:17:47   4         is_grant

15:17:47   5    from dba_network_acl_privileges;

 

 

ACL                                                PRINCIPAL                      PRIVILE IS_GRANT

-------------------------------------------------- ------------------------------ ------- --------------------

/sys/acls/mailserver_acl.xml                       DW001                          connect true