What has been changed in Oracle Database 12c with Network ACLs?
Starting from 12c, network access control in the Oracle database is implemented using Real Application Security access control lists (ACLs). Existing 11g network ACLs in XDB will be migrated. Existing procedures and functions of the DBMS_NETWORK_ACL_ADMIN PL/SQL package and catalog views have been deprecated and replaced with new equivalents.
In 12c, a network privilege can be granted by appending an access control entry (ACE) to a host ACL using DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE. If you append an ACE to a host that has no existing host ACL, a new host ACL will be created implicitly. If the host ACL already exists, the ACE will be appended to the existing ACL.
(both paragraphs taken from MOS Note: 2078710.1)
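To make the API change described in the note concrete, here is the same grant written both ways: a database user allowed to connect to a mail host on port 25, first with the 11g calls (still accepted in 12c, but deprecated) and then with the 12c APPEND_HOST_ACE call. This is an added example and not code from the MOS note; the ACL file name app_mail.xml, the host mail.example.com, the port and the user APP_USER are assumptions.

```sql
-- 11g style: create an ACL document, add privileges to it, then assign the
-- document to a host/port range. Deprecated in 12c, but still runs there.
BEGIN
  DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(
    acl         => 'app_mail.xml',           -- assumed ACL file name
    description => 'Outbound SMTP for APP_USER',
    principal   => 'APP_USER',               -- assumed database user
    is_grant    => TRUE,
    privilege   => 'connect');
  DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(
    acl         => 'app_mail.xml',
    principal   => 'APP_USER',
    is_grant    => TRUE,
    privilege   => 'resolve');
  DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(
    acl         => 'app_mail.xml',
    host        => 'mail.example.com',       -- assumed host
    lower_port  => 25,
    upper_port  => 25);
  COMMIT;
END;
/

-- 12c style: one call per host and port range. If no host ACL exists yet for
-- mail.example.com:25 it is created implicitly; otherwise the ACE is appended.
-- xs_acl.ptype_db means the principal is a database user or role.
BEGIN
  DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(
    host       => 'mail.example.com',
    lower_port => 25,
    upper_port => 25,
    ace        => xs$ace_type(privilege_list => xs$name_list('connect', 'resolve'),
                              principal_name => 'APP_USER',
                              principal_type => xs_acl.ptype_db));
  COMMIT;
END;
/

-- 12c catalog views that replace DBA_NETWORK_ACLS / DBA_NETWORK_ACL_PRIVILEGES:
-- the host ACL is listed in DBA_HOST_ACLS, its entries in DBA_HOST_ACES.
SELECT host, lower_port, upper_port, principal, privilege, grant_type
FROM   dba_host_aces
WHERE  host = 'mail.example.com'
ORDER  BY ace_order;
```

Both blocks must be run by a user with EXECUTE on DBMS_NETWORK_ACL_ADMIN (normally SYS). Note that in 11g the 'connect' privilege implies 'resolve'; the 12c call lists both explicitly so the resulting ACEs are visible one per privilege in DBA_HOST_ACES.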
What happens during/after upgrade?
- Existing network ACLs will be migrated from XDB in Oracle 11g to Real Application Security in Oracle 12c.
- All privileges of the existing ACLs will be preserved.
- Existing ACLs will be renamed.
- The mapping between the old and new names is reflected in DBA_ACL_NAME_MAP.
Issues before/during Database Upgrade?
First of all, the current preupgrd.sql does not warn you if such ACLs exist. A check for this is being added to preupgrd.sql, but you'll need to download the most recent version from MOS Note 884522.1; the one from January 2015 does not have it yet. This is being addressed and will be available soon.
Here’s an issue which happened to one of my very experienced colleagues from Oracle Consulting in an upgrade project:
“Customer had network ACLs defined and privileges (resolve, connect) granted for several hosts to several DB users in 11g.

With the first DB, we observed the ACL renaming as you described it, but, much worse: 4 out of 9 privileges granted were completely gone after the upgrade performed by DBUA (to 12c). We were then able to evaluate the missing privileges and re-grant them. Warned by that, for the next databases to be upgraded, we copied all the 11g content of DBA_NETWORK_ACLS and DBA_NETWORK_ACL_PRIVILEGES to helper tables in order to be able to restore lost privileges (which was a good idea, as in one of the databases only 87 out of 240 formerly existing privileges survived the upgrade).”
- Check for existing network ACLs before the upgrade, or get the most recent preupgrd.sql once it contains the check.
- Preserve the existing network ACLs and privileges (DBA_NETWORK_ACLS and DBA_NETWORK_ACL_PRIVILEGES) in an intermediate staging table so that you can restore them afterwards in case the automatic migration fails or does not happen.
- If you encounter a situation where your network ACLs don't get migrated correctly, disappear, and/or don't show up in the mapping table DBA_ACL_NAME_MAP afterwards, please open an SR and let Oracle Support check. There are known issues with mappings and migrations not done correctly (see the bugs below), so it needs to be verified whether you have hit a known issue or encountered a new one.
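The following is an added example (not from the post or the MOS note) that walks through the recommendations above and the renaming described in the migration list: it snapshots the 11g views before the upgrade, checks the DBA_ACL_NAME_MAP mapping afterwards, diffs the snapshot against the 12c DBA_HOST_ACES view, and re-grants whatever did not survive with the 12c API. The schema ACL_STAGE and the table and view names are assumptions; the DBA_ACL_NAME_MAP columns ACL (old path) and NAME (new name) are taken from the 12.1 reference and are worth confirming with DESCRIBE on your release. Run everything as SYSDBA.

```sql
-- Step 1 (11g, before the upgrade): the check preupgrd.sql does not yet do.
SELECT a.host, a.lower_port, a.upper_port, a.acl, p.principal, p.privilege, p.is_grant
FROM   dba_network_acls a
       JOIN dba_network_acl_privileges p ON p.acl = a.acl
ORDER  BY a.host, a.lower_port, p.principal;

-- Step 2 (11g, before the upgrade): snapshot both views into staging tables in a
-- schema that survives the upgrade. ACL_STAGE is an assumed schema name.
CREATE TABLE acl_stage.pre_upg_network_acls AS
  SELECT * FROM dba_network_acls;
CREATE TABLE acl_stage.pre_upg_network_acl_privs AS
  SELECT * FROM dba_network_acl_privileges;

-- Step 3 (12c, after the upgrade): every old ACL should have a renamed counterpart.
-- Rows with a NULL new_acl were not mapped: that is the case to open an SR for.
SELECT DISTINCT s.acl AS old_acl, m.name AS new_acl
FROM   acl_stage.pre_upg_network_acls s
       LEFT JOIN dba_acl_name_map m ON m.acl = s.acl
ORDER  BY old_acl;

-- Step 4 (12c): grants that existed before the upgrade but are absent from the
-- 12c per-host view DBA_HOST_ACES. LOWER() on both sides because the privilege
-- names are stored in different case in the two releases. Set operations treat
-- NULL ports (no port restriction) as equal, so unrestricted assignments match.
CREATE OR REPLACE VIEW acl_stage.missing_host_privs AS
SELECT p.host, p.lower_port, p.upper_port, p.principal, p.privilege
FROM  (SELECT a.host, a.lower_port, a.upper_port, v.principal,
              LOWER(v.privilege) AS privilege
       FROM   acl_stage.pre_upg_network_acls a
              JOIN acl_stage.pre_upg_network_acl_privs v ON v.acl = a.acl
       WHERE  v.is_grant = 'true') p
MINUS
SELECT h.host, h.lower_port, h.upper_port, h.principal, LOWER(h.privilege)
FROM   dba_host_aces h
WHERE  h.grant_type = 'GRANT';

SELECT * FROM acl_stage.missing_host_privs ORDER BY host, principal, privilege;

-- Step 5 (12c): re-grant exactly what step 4 reports with the new API.
-- Only positive grants are restored here; deny entries (is_grant = 'false')
-- and start/end dates from the snapshot must be reviewed by hand.
DECLARE
  n PLS_INTEGER := 0;
BEGIN
  FOR r IN (SELECT * FROM acl_stage.missing_host_privs) LOOP
    DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(
      host       => r.host,
      lower_port => r.lower_port,
      upper_port => r.upper_port,
      ace        => xs$ace_type(privilege_list => xs$name_list(r.privilege),
                                principal_name => r.principal,
                                principal_type => xs_acl.ptype_db));
    n := n + 1;
  END LOOP;
  COMMIT;
  DBMS_OUTPUT.PUT_LINE(n || ' privilege(s) re-granted');
END;
/
```

Re-run the step 4 query after step 5; it should return no rows. Keep the staging tables until the upgraded database has been signed off, since they are the only record of the pre-upgrade state once the 11g catalog views are gone.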
- MOS Note 2078710.1: Changes in Network ACLs after Upgrading from Oracle DB 11g to 12c
- Bug 22061588: PREUPGRADE TOOL DOES NOT ALERT ABOUT THE NETWORK ACL MIGRATION IN 11.X TO 12C
- Patch 17532734: ORA-28104: INPUT VALUE FOR DB USER OR ROLE IS NOT VALID ON UPGRADE
- Bug 20369415: UPGRADE TO 12C FAILS – XDB ERROR ORA-1830 ORA-6512: AT "SYS.XS_OBJECT_MIGRATION"
- Oracle Database 12c Security Guide: Changes to Configuring Fine-Grained Access to Services and Wallets
- Oracle Database 11g Security Guide: Managing Fine-Grained Access to External Network Services
- Oracle Database 11g/12c Application Developer's Guide
- Oracle Database 12c Application Developer's Guide: DBMS_NETWORK_ACL_ADMIN – Deprecated Subprograms
- Oracle Base (Tim Hall): Fine Grained Access to Network Services in Oracle 11.1
- Oracle Base (Tim Hall): Fine Grained Access to Network Services in Oracle 12.1
- Pythian (Don Seiler): Setting Up Network ACLs in Oracle 11g for Dummies