DBA Tips Archive for Oracle

Changes in Configuring External Procedures in Oracle 9.2 (and higher)

by Jeff Hunter, Sr. Database Administrator

Contents

• Introduction
• Changes in Oracle 9.2.0
• Allow External Procedures in ANY Directory (Development)
• Allow Directories in Addition to $ORACLE_HOME/lib (Production)
• Restrict External Procedures to ONLY Specific DDLs (Production)
• About the Author

Introduction

Oracle started support for making external procedure calls from PL/SQL code in Oracle8. An example would be a PL/SQL program calling one or more C routines that are required to perform special-purpose processing. This option remained practically unchanged until Oracle9i (9.2.0).

In version 9.2.0, Oracle decided it was time to tighten up security and make several modifications to this feature. It wasn't until I tried to run several C routines under 9.2.0 that I came up with the following error:

SQL> exec mailx('jhunter@idevelopment.info', 'Testing', 'Testing the extroc configuration'); BEGIN mailx('jhunter@idevelopment.info', 'Testing', 'This is a test from the extproc system'); END; * ERROR at line 1: ORA-28595: Extproc agent : Invalid DLL Path ORA-06512: at "EXTPROC.MAILX", line 0 ORA-06512: at line 1

I finally broke down and starting reading over the Oracle9i Net Services Administrator's Guide Release 2 (9.2) and found the answer as to why this was not working.

This article simply explains some of the changes made in 9.2.0 and what changes you will need to make to your environment to call external procedures.

For a detailed overview on configuring PL/SQL to call external procedures, take a look at my article, "Calling OS Commands from PL/SQL using External Procedures".

Changes in Oracle 9.2.0

In short, Oracle changed the default behavior in 9.2.0 to disallow any external procedure other than those in %ORACLE_HOME%\bin (for Windows) and $ORACLE_HOME/lib (for UNIX).

You can use external procedures in other directories, but you have to add an environment variable called EXTPROC_DLLS to your listener.ora. This environment variable will contain the names of the DDLs (delimited by a colon) that you wish Oracle to have access to.

You will not need to make any modifications to your tnsnames.ora entry for the EXTPROC_CONNECTION_DATA entry.

Allow External Procedures in ANY Directory (Development)

In the case of my development machines, I can set the "ANY" option - meaning my external procedure can be in any DLL in any part of the file system.

SID_LIST_LISTENER = (SID_LIST = (SID_DESC = (SID_NAME = PLSExtProc) (ORACLE_HOME = /u01/app/oracle/product/10.2.0/db_1) (PROGRAM = extproc) (ENVS="EXTPROC_DLLS=ANY") ) (SID_DESC = (GLOBAL_DBNAME = alexdb.idevelopment.info) (SID_NAME = alexdb) (ORACLE_HOME = /u01/app/oracle/product/10.2.0/db_1) ) ) INBOUND_CONNECT_TIMEOUT_LISTENER = 0 LISTENER = (DESCRIPTION_LIST = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = alex.idevelopment.info)(PORT = 1521)) (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0)) ) )

Allow Directories in Addition to $ORACLE_HOME/lib (Production)

In a production environment, you may want to allow DDLs to be loaded not just from $ORACLE_HOME/lib or %ORACLE_HOME%\bin but also allow specific DDLs in other directories.

The example below will allow DDL loads from $ORACLE_HOME/lib or %ORACLE_HOME%\bin and the DDL /u01/app/oracle/dba_scripts/custom/extproc/shell.so.

SID_LIST_LISTENER = (SID_LIST = (SID_DESC = (SID_NAME = PLSExtProc) (ORACLE_HOME = /u01/app/oracle/product/10.2.0/db_1) (PROGRAM = extproc) (ENVS="EXTPROC_DLLS=/u01/app/oracle/dba_scripts/custom/extproc/shell.so") ) (SID_DESC = (GLOBAL_DBNAME = alexdb.idevelopment.info) (SID_NAME = alexdb) (ORACLE_HOME = /u01/app/oracle/product/10.2.0/db_1) ) ) INBOUND_CONNECT_TIMEOUT_LISTENER = 0 LISTENER = (DESCRIPTION_LIST = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = alex.idevelopment.info)(PORT = 1521)) (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0)) ) )

Restrict External Procedures to ONLY Specific DDLs (Production)

To achieve a higher level of security in a production environment, you may want to restrict the DLLs that the extproc agent can load by listing them explicitly in the listener.ora file with the ONLY option.

In this configuration, Oracle will only load the DDLs listed. It WILL NOT load from $ORACLE_HOME/lib (UNIX) or %ORACLE_HOME%\bin (Windows). The example below will ONLY be able to load /u01/app/oracle/dba_scripts/custom/extproc/shell.so.

SID_LIST_LISTENER = (SID_LIST = (SID_DESC = (SID_NAME = PLSExtProc) (ORACLE_HOME = /u01/app/oracle/product/10.2.0/db_1) (PROGRAM = extproc) (ENVS="EXTPROC_DLLS=ONLY:/u01/app/oracle/dba_scripts/custom/extproc/shell.so") ) (SID_DESC = (GLOBAL_DBNAME = alexdb.idevelopment.info) (SID_NAME = alexdb) (ORACLE_HOME = /u01/app/oracle/product/10.2.0/db_1) ) ) INBOUND_CONNECT_TIMEOUT_LISTENER = 0 LISTENER = (DESCRIPTION_LIST = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = alex.idevelopment.info)(PORT = 1521)) (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0)) ) )

About the Author

Jeffrey Hunter is an Oracle Certified Professional, Java Development Certified Professional, Author, and an Oracle ACE. Jeff currently works as a Senior Database Administrator for The DBA Zone, Inc. located in Pittsburgh, Pennsylvania. His work includes advanced performance tuning, Java and PL/SQL programming, developing high availability solutions, capacity planning, database security, and physical / logical database design in a UNIX, Linux, and Windows server environment. Jeff's other interests include mathematical encryption theory, programming language processors (compilers and interpreters) in Java and C, LDAP, writing web-based database administration tools, and of course Linux. He has been a Sr. Database Administrator and Software Engineer for over 17 years and maintains his own website site at: http://www.iDevelopment.info. Jeff graduated from Stanislaus State University in Turlock, California, with a Bachelor's degree in Computer Science.