ORA-24247: network access denied by access control list

本文详细介绍了在迁移至Oracle 11gR1后,由于安全性增强导致的PL/SQL调用外部网络服务时遇到的网络访问拒绝错误。提供了通过DBMS_NETWORK_ACL_ADMIN包为特定用户授予访问权限的解决方案,并通过示例代码演示了如何创建、分配和授权网络访问。包括为邮件服务器创建独立的ACL和授权端口范围的步骤。

摘要生成于 C知道 ,由 DeepSeek-R1 满血版支持, 前往体验 >

Applies to:

PL/SQL - Version 11.1.0.6 and later
Information in this document applies to any platform.
***Checked for relevance on 26-Jun-20136***

Prior to 11gR1 you were able to run PL/SQL code making calls to the following Oracle Supplied Packages without error.

  • UTL_TCP
  • UTL_HTTP
  • UTL_SMTP
  • UTL_MAIL

After moving to 11gR1 or later you are now experiencing a form of the following error message...

ORA-24247: network access denied by access control list (ACL)

In 11gR1 the Oracle Database enhanced the level of security when users attempt to access External Network Services by implementing Access Control Lists (ACL) using the new DBMS_NETWORK_ACL_ADMIN package.  The PL/SQL packages listed above were affected.  For more information on this change to Oracle Database Security please review the following

 

Solution

To resolve this error, connect to the database as a user with DBA privileges and issue the following script which will grant a user access to External Network Services.  Be sure to replace the name of user SCOTT with the name of the user in which you want to grant access.  This value is case-sensitive.

BEGIN

  -- Only uncomment the following line if ACL "network_services.xml" has already been created
  --DBMS_NETWORK_ACL_ADMIN.DROP_ACL('network_services.xml');

  DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(
    acl => 'network_services.xml',
    description => 'NETWORK ACL',
    principal => 'SCOTT',
    is_grant => true,
    privilege => 'connect');

  DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(
    acl => 'network_services.xml',
    principal => 'SCOTT',
    is_grant => true,
    privilege => 'resolve');

  DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(
    acl => 'network_services.xml',
    host => '*');

  COMMIT;

END;

 

 

 

Elapsed: 00:00:00.01

11:19:36 sys@warehous>BEGIN

11:20:20   2  DBMS_NETWORK_ACL_ADMIN.CREATE_ACL (

11:20:20   3  acl => 'mailserver_acl.xml',

11:20:20   4  description => 'Network connection permission for ACCT_MGR',

11:20:20   5  principal => 'DW001', -- Must be in upper case

11:20:20   6  is_grant => TRUE,

11:20:20   7  privilege => 'connect');

11:20:20   8  END;

11:20:20   9  /

 

BEGIN

DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL (

acl => 'mailserver_acl.xml',

host => '*',

 

PL/SQL procedure successfully completed.

 

Elapsed: 00:00:00.04

11:20:20 sys@warehous>11:20:20 sys@warehous>11:20:20   2  11:20:20   3  11:20:20   4  11:20:20   5  lower_port => 25,

11:20:20   6  upper_port => 25);

11:20:20   7  END;

11:20:20   8  /

 

PL/SQL procedure successfully completed.

 

Elapsed: 00:00:00.09

11:20:26 sys@warehous>

11:20:28 sys@warehous>

11:20:29 sys@warehous>commit;

 

Commit complete.

 

15:15:30 sys@warehous>select host, lower_port, upper_port, acl from dba_network_acls;

 

HOST                           LOWER_PORT UPPER_PORT ACL

------------------------------ ---------- ---------- --------------------------------------------------

*                                      25         25 /sys/acls/mailserver_acl.xml

 

15:17:26 sys@warehous>select acl,

15:17:47   2         principal,

15:17:47   3         privilege,

15:17:47   4         is_grant

15:17:47   5    from dba_network_acl_privileges;

 

 

ACL                                                PRINCIPAL                      PRIVILE IS_GRANT

-------------------------------------------------- ------------------------------ ------- --------------------

/sys/acls/mailserver_acl.xml                       DW001                          connect true

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值