Oracle Connection Manager (cman) registration_invited_nodes and registration_excluded_nodes

We make use of Oracle Connection Manager to control client access to our database servers. It’s pretty cool technology, and I’m always surprised how few people are aware of its existence.

Our installed version is 12.1, and this is unable to communicate with our newly upgraded 12.2 instance, so I have been working through installing the latest version.  On starting the instance up, I noticed that no services were being registered, and the log contained multiple entries like the following:

Listener(VNCR option 1) rejected Registration request from destination
23-MAR-2017 14:37:37 * service_register_NSGR * 1182
TNS-01182: Listener rejected registration of service ""

This functionality is described here:

Starting with this release, valid node checking for registration is enabled by default in Oracle Connection Manager. By default, only the databases on local node are allowed to register with Oracle Connection Manager. The databases on remote node can be permitted or denied to register with Oracle Connection Manager through the use of parameters REGISTRATION_INVITED_NODES and REGISTRATION_EXCLUDED_NODES.

Check out the examples for these parameters in the documentation:

REGISTRATION_EXCLUDED_NODES = (10.1.26.*, 10.16.40.0/24, \
                                       2001:DB8:3eff:fe38, node2)
REGISTRATION_INVITED_NODES = (10.1.35.*, 10.1.34.0/24, \
                                       2001:DB8:fe38:7303, node1)

Based on that example I updated the cman.ora configuration to include a valid node. Note that 255.255.255.255 is just an example for testing. Note also that I have configured cman to listen on a non-default port, 999, rather than the default of 1521.

cman_vmhklftdbocmdv2.alpha.lftltd.net =
(configuration=
  (address=(protocol=tcp)(host=vmhklftdbocmdv2.alpha.lftltd.net)(port=999))
  (parameter_list =
    (registration_invited_nodes = (255.255.255.255))
    (connection_statistics=yes)
    (log_level=user)
    (trace_level=user)
    (trace_filelen=1000)
    (trace_fileno=3)
    (idle_timeout=14400)
  )
  (rule_list=
    (rule= (src=vmhklftdbocmdv2.alpha.lftltd.net)(dst=::1)(srv=cmon)(act=accept))
     )
)

Note when I run connection manager, it has picked up the default port of 1521, rather than 999 which I specified:

-bash-4.1$ cmctl

CMCTL for Linux: Version 12.2.0.1.0 - Production on 23-MAR-2017 16:08:03

Copyright (c) 1996, 2016, Oracle.  All rights reserved.

Welcome to CMCTL, type "help" for information.

CMCTL> administer
Current instance CMAN_vmhklftdbocmdv2.alpha.lftltd.net is not yet started
Connections refer to (ADDRESS=(PROTOCOL=TCP)(HOST=vmhklftdbocmdv2)(PORT=1521)).
The command completed successfully.
CMCTL:CMAN_vmhklftdbocmdv2.alpha.lftltd.net> 

Basically what has happened is that cman has parsed the cman.ora file, and it doesn’t like the invited_nodes list to be in parentheses. Rather than throwing out an error it just continues with default values.
I remove the brackets, adding an extra IP address just for fun:

    (registration_invited_nodes = 1.1.1.1, 255.255.255.255)

When connecting now, observe that the settings from the parameter file are being used (note the non-default port, 999):

-bash-4.1$ cmctl

CMCTL for Linux: Version 12.2.0.1.0 - Production on 23-MAR-2017 16:12:16

Copyright (c) 1996, 2016, Oracle.  All rights reserved.

Welcome to CMCTL, type "help" for information.

CMCTL> administer
Current instance CMAN_vmhklftdbocmdv2.alpha.lftltd.net is not yet started
Connections refer to (DESCRIPTION=(address=(protocol=tcp)(host=vmhklftdbocmdv2.alpha.lftltd.net)(port=999))).
The command completed successfully.
CMCTL:CMAN_vmhklftdbocmdv2.alpha.lftltd.net> 

I observed the same behavior with REGISTRATION_EXCLUDED_NODES.
While I was in the area, I also noticed that the described default value for VALID_NODE_CHECKING_REGISTRATION appears to be wrong. The documentation specified that the default value is off, which contradicts the previously highlighted section of the documentation, and my own testing.

I’m off to file a couple of documentation bugs…
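
A pre-flight check for the silent fallback described above, as an added example that is not part of the original post or of Oracle's tooling: it flags a parenthesised REGISTRATION_INVITED_NODES or REGISTRATION_EXCLUDED_NODES value in cman.ora and confirms that the port cmctl reports is the configured one. The sample config and cmctl lines are constructed from the post's output with a placeholder host name, and the rule reflects the behaviour observed here on 12.2.0.1, not Oracle's documented grammar.

```python
import re

# Node-list parameters the post found to be ignored when parenthesised.
NODE_PARAMS = ("registration_invited_nodes", "registration_excluded_nodes")

# Constructed samples modelled on the post; cman-host.example is a placeholder.
BAD_ORA = """cman_example =
(configuration=
  (address=(protocol=tcp)(host=cman-host.example)(port=999))
  (parameter_list =
    (registration_invited_nodes = (255.255.255.255))
    (log_level=user)
  )
)"""
GOOD_ORA = BAD_ORA.replace("(255.255.255.255))", "1.1.1.1, 255.255.255.255)")
CMCTL_BAD = "Connections refer to (ADDRESS=(PROTOCOL=TCP)(HOST=cman-host)(PORT=1521))."
CMCTL_GOOD = ("Connections refer to (DESCRIPTION=(address=(protocol=tcp)"
              "(host=cman-host.example)(port=999))).")

def parenthesised_node_lists(cman_ora):
    """Names of node-list parameters whose value opens with '('."""
    return [name for name in NODE_PARAMS
            if re.search(r"\(\s*%s\s*=\s*\(" % name, cman_ora, re.I)]

def configured_port(cman_ora):
    """Port from the first (address=...(port=N)) entry in cman.ora, or None."""
    m = re.search(r"\(\s*address\s*=.*?\(\s*port\s*=\s*(\d+)\s*\)",
                  cman_ora, re.I | re.S)
    return int(m.group(1)) if m else None

def reported_port(cmctl_output):
    """Port from the 'Connections refer to' line of cmctl administer, or None."""
    m = re.search(r"Connections refer to .*?\(port\s*=\s*(\d+)\)",
                  cmctl_output, re.I)
    return int(m.group(1)) if m else None

def config_was_applied(cman_ora, cmctl_output):
    """True only when cmctl reports the port that cman.ora asked for."""
    want = configured_port(cman_ora)
    return want is not None and want == reported_port(cmctl_output)

if __name__ == "__main__":
    for label, ora, out in (("before", BAD_ORA, CMCTL_BAD),
                            ("after", GOOD_ORA, CMCTL_GOOD)):
        print(label, "parenthesised:", parenthesised_node_lists(ora),
              "applied:", config_was_applied(ora, out))
```

A port mismatch here means the whole cman.ora was dropped in favour of defaults, so the invited and excluded node lists in it are not being enforced as written.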
