2) Oracle 11.2 RAC - Securing ASM and Database registration with the Local (node) listener.
In a RAC environment, and without the patch for bug:12880299, an IPC restriction on the local/node listener will cause the scan listener TCP handlers to block and not allow incoming client connections. The patch not only fixes this issue but also allows for registration from only the local node over TCP provided that TCP is listed as a secure transport for registration.
2.1) Obtain and apply the patch for bug:12880299. The patch should be applied to both the grid and rdbms homes on each node in the cluster.
2.2) Add COST IPC and TCP protocol restrictions to the listener.ora on each node.
Edit the grid home listener.ora and add SECURE_REGISTER_LISTENER = (IPC,TCP) to the existing list of scan listener restrictions.
In 11.2 RAC the grid agent uses the IPC protocol to create and manage node listeners so both IPC and TCP restrictions must be enabled. SECURE_REGISTER_LISTENER = (IPC,TCP) SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS) SECURE_REGISTER_LISTENER_SCAN2 = (IPC,TCPS) SECURE_REGISTER_LISTENER_SCAN3 = (IPC,TCPS)
If the local listener is configured with a TCPS endpoint used for client/server SSL connectivity then TCPS must also be set in the local listeners COST restriction. Without this addition the scan listener TCPS service handlers will block connections. Client/server SSL Example: SECURE_REGISTER_LISTENER = (IPC,TCP,TCPS) SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS) SECURE_REGISTER_LISTENER_SCAN2 = (IPC,TCPS) SECURE_REGISTER_LISTENER_SCAN3 = (IPC,TCPS)
2.3) To activate the COST restriction use srvctl to re-start all instance/local listeners. (This action only needs to be performed on one node, all local listeners will restart.) [oracle@rac1 ~]$ srvctl stop listener [oracle@rac1 ~]$ srvctl start listener
To verify that COST restrictions are functioning appropriately please refer to DocID:1453883.1, section 3, "Verifying that COST is working".