Oracle DBA Tips Corner

     Return to the Oracle DBA Tips Corner.

Search & Win   click me  


Changes in Configuring External Procedures in Oracle 9.2.0

by Jeff Hunter, Sr. Database Administrator


Contents

  1. Overview
  2. Changes in 9.2.0
  3. Allow external procedures in ANY directory (Development)
  4. Allow directories in addition to $ORACLE_HOME/lib (Production)
  5. Restrict external procedures to ONLY specific DDLs (Production)



Overview

Oracle started support for making external procedure calls from PL/SQL code in Oracle8. An example would be a PL/SQL program calling one or more C routines that are required to perform special-purpose processing. This option remained practically unchanged until Oracle9i (9.2.0).

In version 9.2.0, Oracle decided it was time to tighten up security and make several modifications to this feature. It wasn't until I tried to run several C routines under 9.2.0 that I came up with the following error:

  SQL> exec mailx('JeffreyH@comanage.net', 'Testing', 'Testing the extroc configuration');

  BEGIN mailx('JeffreyH@comanage.net', 'Testing', 'This is a test from the extproc system'); END;
  
  *
  ERROR at line 1:
  ORA-28595: Extproc agent : Invalid DLL Path
  ORA-06512: at "EXTPROC.MAILX", line 0
  ORA-06512: at line 1
I finally broke down and starting reading over the Oracle9i Net Services Administrator's Guide Release 2 (9.2) and found the answer as to why this was not working.

This article simply explains some of the changes made in 9.2.0 and what changes you will need to make to your environment to call external procedures.

For a detailed overview on configuring PL/SQL to call external procedures, take a look at my article, "Calling OS Commands from PL/SQL using External Procedures".



Changes in 9.2.0

In short, Oracle changed the default behavior in 9.2.0 to disallow any external procedure other than those in %ORACLE_HOME%\bin (for Windows) and $ORACLE_HOME/lib (for UNIX).

You can use external procedures in other directories, but you have to add an environment variable called EXTPROC_DLLS to your listener.ora. This environment variable will contain the names of the DDLs (delimited by a colon) that you wish Oracle to have access to.

You will not need to make any modifications to your tnsnames.ora entry for the EXTPROC_CONNECTION_DATA entry.



Allow external procedures in ANY directory (Development)

In the case of my development machines, I can set the "ANY" option - meaning my external procedure can be in any DLL in any part of the file system.

  LISTENER =
    (DESCRIPTION_LIST =
      (DESCRIPTION =
        (ADDRESS_LIST =
          (ADDRESS = (PROTOCOL = TCP)(HOST = sunbuild1.comanage.net)(PORT = 1521))
        )
        (PROTOCOL_STACK =
         (PRESENTATION = TTC)
         (SESSION = NS)
        )
      )
      (DESCRIPTION =
        (ADDRESS_LIST =
          (ADDRESS = (PROTOCOL = TCP)(HOST = sunbuild1.comanage.net)(PORT = 2481))
        )
        (PROTOCOL_STACK =
         (PRESENTATION = GIOP)
         (SESSION = RAW)
        )
      )
      (DESCRIPTION =
        (ADDRESS_LIST =
          (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC))
          (ADDRESS = (PROTOCOL = IPC)(KEY = TSBUILD_SUNBUILD1.COMANAGE.NET))
          (ADDRESS = (PROTOCOL = IPC)(KEY = TSBUILD_SUNBUILD1))
          (ADDRESS = (PROTOCOL = IPC)(KEY = ORA901_SUNBUILD1.COMANAGE.NET))
          (ADDRESS = (PROTOCOL = IPC)(KEY = ORA901_SUNBUILD1))
        )
        (PROTOCOL_STACK =
         (PRESENTATION = TTC)
         (SESSION = NS)
        )
      )

    )

  CONNECT_TIMEOUT_LISTENER = 10

  SID_LIST_LISTENER =
    (SID_LIST =
      (SID_DESC =
        (SID_NAME = PLSExtProc)
        (ORACLE_HOME = /u01/app/oracle/product/9.2.0)
        (PROGRAM = extproc)
        (ENVS="EXTPROC_DLLS=ANY")
      )
      (SID_DESC =
        (GLOBAL_DBNAME  = TSBUILD_SUNBUILD1.COMANAGE.NET)
        (SID_NAME       = TSBUILD)
        (ORACLE_HOME    = /u01/app/oracle/product/8.1.7)
      )
      (SID_DESC =
        (GLOBAL_DBNAME  = ORA920_SUNBUILD1.COMANAGE.NET)
        (SID_NAME       = ORA920)
        (ORACLE_HOME    = /u01/app/oracle/product/9.2.0)
      )
    )



Allow directories in addition to $ORACLE_HOME/lib (Production)

In a production environment, you may want to allow DDLs to be loaded not just from $ORACLE_HOME/lib or %ORACLE_HOME%\bin but also allow specific DDLs in other directories.

The example below will allow DDL loads from $ORACLE_HOME/lib or %ORACLE_HOME%\bin and the DDL /u01/app/oracle/common/extproc/shell.so.

  LISTENER =
    (DESCRIPTION_LIST =
      (DESCRIPTION =
        (ADDRESS_LIST =
          (ADDRESS = (PROTOCOL = TCP)(HOST = sunbuild1.comanage.net)(PORT = 1521))
        )
        (PROTOCOL_STACK =
         (PRESENTATION = TTC)
         (SESSION = NS)
        )
      )
      (DESCRIPTION =
        (ADDRESS_LIST =
          (ADDRESS = (PROTOCOL = TCP)(HOST = sunbuild1.comanage.net)(PORT = 2481))
        )
        (PROTOCOL_STACK =
         (PRESENTATION = GIOP)
         (SESSION = RAW)
        )
      )
      (DESCRIPTION =
        (ADDRESS_LIST =
          (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC))
          (ADDRESS = (PROTOCOL = IPC)(KEY = TSBUILD_SUNBUILD1.COMANAGE.NET))
          (ADDRESS = (PROTOCOL = IPC)(KEY = TSBUILD_SUNBUILD1))
          (ADDRESS = (PROTOCOL = IPC)(KEY = ORA901_SUNBUILD1.COMANAGE.NET))
          (ADDRESS = (PROTOCOL = IPC)(KEY = ORA901_SUNBUILD1))
        )
        (PROTOCOL_STACK =
         (PRESENTATION = TTC)
         (SESSION = NS)
        )
      )

    )

  CONNECT_TIMEOUT_LISTENER = 10

  SID_LIST_LISTENER =
    (SID_LIST =
      (SID_DESC =
        (SID_NAME = PLSExtProc)
        (ORACLE_HOME = /u01/app/oracle/product/9.2.0)
        (PROGRAM = extproc)
        (ENVS="EXTPROC_DLLS=/u01/app/oracle/common/extproc/shell.so")
      )
      (SID_DESC =
        (GLOBAL_DBNAME  = TSBUILD_SUNBUILD1.COMANAGE.NET)
        (SID_NAME       = TSBUILD)
        (ORACLE_HOME    = /u01/app/oracle/product/8.1.7)
      )
      (SID_DESC =
        (GLOBAL_DBNAME  = ORA920_SUNBUILD1.COMANAGE.NET)
        (SID_NAME       = ORA920)
        (ORACLE_HOME    = /u01/app/oracle/product/9.2.0)
      )
    )



Restrict external procedures to ONLY specific DDLs (Production)

To achieve a higher level of security in a production environment, you may want to restrict the DLLs that the extproc agent can load by listing them explicitly in the listener.ora file with the ONLY option

In this configuration, Oracle will only load the DDLs listed. It WILL NOT load from $ORACLE_HOME/lib (UNIX) or %ORACLE_HOME%\bin (Windows). The example below will ONLY be able to load /u01/app/oracle/common/extproc/shell.so.

  LISTENER =
    (DESCRIPTION_LIST =
      (DESCRIPTION =
        (ADDRESS_LIST =
          (ADDRESS = (PROTOCOL = TCP)(HOST = sunbuild1.comanage.net)(PORT = 1521))
        )
        (PROTOCOL_STACK =
         (PRESENTATION = TTC)
         (SESSION = NS)
        )
      )
      (DESCRIPTION =
        (ADDRESS_LIST =
          (ADDRESS = (PROTOCOL = TCP)(HOST = sunbuild1.comanage.net)(PORT = 2481))
        )
        (PROTOCOL_STACK =
         (PRESENTATION = GIOP)
         (SESSION = RAW)
        )
      )
      (DESCRIPTION =
        (ADDRESS_LIST =
          (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC))
          (ADDRESS = (PROTOCOL = IPC)(KEY = TSBUILD_SUNBUILD1.COMANAGE.NET))
          (ADDRESS = (PROTOCOL = IPC)(KEY = TSBUILD_SUNBUILD1))
          (ADDRESS = (PROTOCOL = IPC)(KEY = ORA901_SUNBUILD1.COMANAGE.NET))
          (ADDRESS = (PROTOCOL = IPC)(KEY = ORA901_SUNBUILD1))
        )
        (PROTOCOL_STACK =
         (PRESENTATION = TTC)
         (SESSION = NS)
        )
      )

    )

  CONNECT_TIMEOUT_LISTENER = 10

  SID_LIST_LISTENER =
    (SID_LIST =
      (SID_DESC =
        (SID_NAME = PLSExtProc)
        (ORACLE_HOME = /u01/app/oracle/product/9.2.0)
        (PROGRAM = extproc)
        (ENVS="EXTPROC_DLLS=ONLY:/u01/app/oracle/common/extproc/shell.so")
      )
      (SID_DESC =
        (GLOBAL_DBNAME  = TSBUILD_SUNBUILD1.COMANAGE.NET)
        (SID_NAME       = TSBUILD)
        (ORACLE_HOME    = /u01/app/oracle/product/8.1.7)
      )
      (SID_DESC =
        (GLOBAL_DBNAME  = ORA920_SUNBUILD1.COMANAGE.NET)
        (SID_NAME       = ORA920)
        (ORACLE_HOME    = /u01/app/oracle/product/9.2.0)
      )
    )



Copyright (c) 1998-2010 Jeffrey M. Hunter. All rights reserved.

All articles, scripts and material located at the Internet address of http://www.idevelopment.info is the copyright of Jeffrey M. Hunter and is protected under copyright laws of the United States. This document may not be hosted on any other site without my express, prior, written permission. Application to host any of the material elsewhere can be made by contacting me at jhunter@idevelopment.info.

I have made every effort and taken great care in making sure that the material included on my web site is technically accurate, but I disclaim any and all responsibility for any loss, damage or destruction of data or any other property which may arise from relying on it. I will in no case be liable for any monetary damages arising from such loss, damage or destruction.

Last modified on
Saturday, 01-Nov-2003 00:00:00 EST
Page Count: 22010