Develop Reference

Getting an 'ORA-53203: security violation' when attempting to test HTTP connection

I've been trying to get Oracle to call a REST API. While getting things set up and running we ran into an issue where our code generates an ORA-53203: security violation. In the process of isolating the issue we set up a procedure to test the connection and this, too, generates the same error.
We are using Oracle 12c and we've set up ACE/ACL entries for the host we're testing with for both 'connect' and 'resolve' permissions.
create or replace procedure showTitleTag ( i_url in varchar2 )
AS
l_httpreq UTL_HTTP.req;
l_httpresp UTL_HTTP.resp;
l_text varchar2(32767);
l_response CLOB;
l_title varchar2(32767);
BEGIN
l_httpreq := UTL_HTTP.begin_request(i_url);
l_httpresp := UTL_HTTP.get_response(l_httpreq);
BEGIN
LOOP
UTL_HTTP.read_text(l_httpresp, l_text, 32766);
l_response := l_response || l_text;
END LOOP;
EXCEPTION
WHEN UTL_HTTP.end_of_body THEN
UTL_HTTP.end_response(l_httpresp);
END;
l_title := REGEXP_REPLACE(l_response, '.*<title> ?(.+) ?</title>.*', '\1', 1, 1, 'in');
DBMS_OUTPUT.put_line(l_title);
EXCEPTION
WHEN OTHERS THEN
UTL_HTTP.end_response(l_httpresp);
RAISE;
END;
This code, should give us the contents of the web-page's title tag (we used "http://www.redhat.com" as our test URL). Instead we receive the following errors:
ORA-29273: HTTP request failed
ORA-53203: security violation
ORA-06512: at "APPS.SHOWTITLETAG", line 29
ORA-06512: at line 1

You need to make sure the related access control list (ACL) assigned and the right privilege has been granted to your target host.
If there's no problem with the first, then look
(select a.lower_port, a.upper_port from dba_network_acls a where a.host like '%i_url%')
whether you defined an interval for the ports of your URL, and
contains the port of the target host(s).

oracle trigger for user restriction based on terminal

I want to restrict Oracle users from logging into database except for a couple of terminal. I have written below trigger.
CREATE OR REPLACE TRIGGER TRG_IP_RESTRICT
AFTER LOGON ON DATABASE
DECLARE
V_USER VARCHAR2(30);
V_GRP VARCHAR2(50);
BEGIN
SELECT USER INTO V_USER FROM DUAL;
V_GRP := SYS_CONTEXT('USERENV', 'TERMINAL');
IF V_USER IN ('<list of users>') THEN
IF V_GRP NOT IN ('<list of terminals>') THEN
RAISE_APPLICATION_ERROR(-20001,
'Access Denied by DBA TEAM : ' || V_GRP ||
' on ' || V_USER || ' from ' ||
SYS_CONTEXT('USERENV', 'IP_ADDRESS'));
END IF;
END IF;
END;
Even though it's working fine and going in exception part, which should happen technically. But at the same time, it is allowing the connection instead of showing the error message to the user.
Can someone please help?

Such trigger works only for non-DBA users, none precisely users which do not have adminster database trigger privilege.
Otherwise you may block your entire database.

According to the PL/SQL Language Reference:
If the system trigger is a DATABASE LOGON trigger and the user has
ADMINISTER DATABASE TRIGGER privilege, then the user is able to log on
successfully even if the trigger raises an exception. For SCHEMA LOGON
triggers, if the user logging on is the trigger owner or has ALTER ANY
TRIGGER privileges then logon is permitted. Only the trigger action is
rolled back and an error is logged in the trace files and alert log.
You can workaround this restriction by raising an ORA-600 error that will break the entire session. The error message won't be helpful to the user but it at least stops them.
The sample code below will stop absolutely everyone from connecting to the database, even SYSDBA. Be very careful running this. Make sure you have another session connected to the database and run drop trigger TRG_IP_RESTRICT; when you are done testing it.
CREATE OR REPLACE TRIGGER TRG_IP_RESTRICT
AFTER LOGON ON DATABASE
DECLARE
V_USER VARCHAR2(30);
V_GRP VARCHAR2(50);
--Only an ORA-600 error can stop logons for users with either
--"ADMINISTER DATABASE TRIGGER" or "ALTER ANY TRIGGER".
--The ORA-600 also generates an alert log entry and may warn an admin.
internal_exception exception;
pragma exception_init( internal_exception, -600 );
BEGIN
SELECT USER INTO V_USER FROM DUAL;
V_GRP := SYS_CONTEXT('USERENV', 'TERMINAL');
IF V_USER IN ('<list of users>') THEN
IF V_GRP NOT IN ('<list of terminals>') THEN
raise internal_exception;
-- RAISE_APPLICATION_ERROR(-20001,
-- 'Access Denied by DBA TEAM : ' || V_GRP ||
-- ' on ' || V_USER || ' from ' ||
-- SYS_CONTEXT('USERENV', 'IP_ADDRESS'));
END IF;
END IF;
END;
/
With that trigger in place, even DBA users will get this error message when they connect:
ERROR:
ORA-00600: internal error code, arguments: [600], [], [], [], [], [], [], [],
[], [], [], []
ORA-06512: at line 21

ORA-29278: SMTP transient error: Service not available when running UTL_MAIL

We are planning to install the UTL_MAIL Package and we're currently testing the installation steps in our Development Environment.
After sucessfully installing the UTL_MAIL Package Scripts and creating the sufficient PUBLIC Synonyms and Grants,
we are getting the error ORA-29278 when running the test Anonymous Block below:
BEGIN
UTL_MAIL.SEND(sender => 'xxx#oracle.com'
, recipients => 'Migs.Isip.23#gmail.com'
, subject => 'Testmail'
, message => 'Hello');
END;
Full Details of the error Message:
ORA-29278: SMTP transient error: 421 4.3.2 Service not available
ORA-06512: at "SYS.UTL_MAIL", line 662
ORA-06512: at "SYS.UTL_MAIL", line 679
ORA-06512: at line 3
29278. 00000 - "SMTP transient error: %s"
*Cause: A SMTP transient error occurred.
*Action: Correct the error and retry the SMTP operation.
As per research from related links (Send Email Using PLSQL),
i may need to setup the proper access control list (ACL) for this to work. However, upon executing the script below, i'm still getting the same error.
DECLARE
-- ACL name to be used for email access reuse the same value for all
-- future calls
l_acl VARCHAR2 (30) := 'utl_smtp.xml';
-- Oracle user to be given permission to send email
l_principal VARCHAR2 (30) := 'APPS';
-- Name of email server
g_mailhost VARCHAR2 (60) := 'smtprelay.xxxxx.com';
l_cnt INTEGER;
PROCEDURE validate_smtp_server
AS
l_value v$parameter.VALUE%TYPE;
l_parameter v$parameter.name%TYPE := 'smtp_out_server';
BEGIN
SELECT VALUE
INTO l_value
FROM v$parameter
WHERE name = l_parameter;
IF l_value IS NULL
THEN
raise_application_error (
-20001
, 'Oracle parameter '
|| l_parameter
|| ' has not been set'
|| UTL_TCP.crlf
|| 'it s/b smtprelay.alorica.com'
);
END IF;
DBMS_OUTPUT.put_line ('parameter ' || l_parameter || ' value is ' || l_value);
END validate_smtp_server;
PROCEDURE create_if_needed (p_acl IN VARCHAR2)
AS
l_cnt INTEGER;
BEGIN
SELECT COUNT (*) c
INTO l_cnt
FROM dba_network_acls a
WHERE SUBSTR (acl, INSTR (acl, '/', -1) + 1) = p_acl;
IF l_cnt = 0
THEN
DBMS_OUTPUT.put_line ('creating acl ' || p_acl);
DBMS_NETWORK_ACL_ADMIN.create_acl (
acl => p_acl
, description => 'Allow use of utl_smtp'
, principal => l_principal
, is_grant => TRUE
, privilege => 'connect'
);
DBMS_NETWORK_ACL_ADMIN.assign_acl (acl => p_acl, HOST => g_mailhost);
COMMIT;
ELSE
DBMS_OUTPUT.put_line (p_acl || ' acl already exists');
END IF;
END create_if_needed;
PROCEDURE add_if_needed (
p_principal IN VARCHAR2
, p_acl IN VARCHAR2
)
AS
l_cnt INTEGER;
BEGIN
SELECT COUNT (*) c
INTO l_cnt
FROM dba_network_acl_privileges
WHERE SUBSTR (acl, INSTR (acl, '/', -1) + 1) = p_acl
AND principal = p_principal;
IF l_cnt = 0
THEN
DBMS_NETWORK_ACL_ADMIN.add_privilege (
acl => 'utl_smtp.xml'
, principal => p_principal
, is_grant => TRUE
, privilege => 'connect'
);
COMMIT;
DBMS_OUTPUT.put_line ('access to ' || p_acl || ' added for ' || p_principal);
ELSE
DBMS_OUTPUT.put_line (p_principal || ' already has access to ' || p_acl);
END IF;
END add_if_needed;
BEGIN
EXECUTE IMMEDIATE 'grant execute on utl_mail to ' || l_principal;
create_if_needed (p_acl => l_acl);
add_if_needed (p_principal => l_principal, p_acl => l_acl);
DBMS_OUTPUT.put_line ('Verification SQL:');
DBMS_OUTPUT.put_line (' SELECT * FROM dba_network_acls;');
DBMS_OUTPUT.put_line (' SELECT * FROM dba_network_acl_privileges;');
COMMIT;
validate_smtp_server;
END;
What other steps can i take or what other instructions do i need to provide to the DBAs for this?
Oracle Database Version:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
PL/SQL Release 11.2.0.4.0 - Production
"CORE 11.2.0.4.0 Production"
TNS for Solaris: Version 11.2.0.4.0 - Production
NLSRTL Version 11.2.0.4.0 - Production
Thank you very much.

I was able to resolve this by contacting our System Administrator and asking for the details of the Mail Server.
Turns out, if we'll only be sending the email internally, we are advised to use a different server mail.xxx.xxx.xxxx since its not going to be blocked by the firewall.
On the other hand, if we'll be sending email externally, another server is involved smtprelay.xxxxx.com
and this involves an extra step of Whitelisting the External Servers to be sent to.
As i checked in V$PARAMETER, we were using the smtprelay.xxxxx.com server and decided to try the other server mail.xxx.xxx.xxxx.
I issued the Alter command as below:
alter system set smtp_out_server = 'mail.xxx.xxx.xxxx';
and ran the anonymous block and was able to recieve the email successfully.
BEGIN
UTL_MAIL.SEND(sender => 'xxx#oracle.com'
, recipients => 'Migs.Isip.23#gmail.com'
, subject => 'Testmail'
, message => 'Hello');
END;

I came up with SMTP email challenges for 19c database. I was able to solve it. Below is the complete solution:-
Give grant to corresponding schema name for utl_tcp,utl_smtp and utl_http.
grant execute on utl_tcp to schemaname;
grant execute on utl_smtp to schemaname;
grant execute on utl_http to schemaname;
CREATE_ACL using DBMS_NETWORK_ACL_ADMIN sys package:-
BEGIN
DBMS_NETWORK_ACL_ADMIN.CREATE_ACL (
acl => '/sys/acls/utl_http.xml',
description => 'Allowing SMTP Connection',
principal => 'SCHEMANAME',
is_grant => TRUE,
privilege => 'connect',
start_date => SYSTIMESTAMP,
end_date => NULL);
COMMIT;
END;
/
ADD_PRIVILEGE to schema using DBMS_NETWORK_ACL_ADMIN package:-
BEGIN
DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(
acl => '/sys/acls/utl_http.xml',
principal => 'SCHEMANAME',
is_grant => true,
privilege => 'resolve');
COMMIT;
END;
/
ASSIGN_ACL to mail server using DBMS_NETWORK_ACL_ADMIN package:-
BEGIN
DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL (
acl => '/sys/acls/utl_http.xml',
host => 'mailhostname');
COMMIT;
END;
/

Network access denied by access control list (ACL) in Oracle Database 11g

Recently we have switched from Oracle 10g to 11g, and only now I noticed that my mailing function does not work, I now get an error:
ORA-24247: network access denied by access control list (ACL)
So I did a bit of googling and was able to figure out that a new feature in Oracle 11g is now restricting users from using certain packages including utl_smtp. Because I am looking for a quick solution I did not read Oracle documentation, but instead I went looking for easier solutions and came across this tutorial:
https://www.pythian.com/blog/setting-up-network-acls-in-oracle-11g-for-dummies/
I messed around with it a little bit, but because I did not know any better I think I added two seperate configuration .xml files. So first part of my question is - HOW DO I REMOVE IT?
Second question is:
After adding some grants to my user I try to test to see if it worked, but I soon realised it did not:
SELECT DECODE(
DBMS_NETWORK_ACL_ADMIN.check_privilege('netacl.xml', 'TEST1', 'connect'),
1, 'GRANTED', 0, 'DENIED', NULL) privilege
FROM dual;
Returns:
PRIVILE
-------
DENIED
WHY?(THIS HAS BEEN SORTED)
Third part of the question - after reading it was denied I try to fix it like:
BEGIN
DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE('netacl.xml' ,'TEST1', TRUE, 'connect');
END;
But that gives me an error:
Ora19279 - XQuery dynamic type mismatch.....(more text meaning nothing to me).
WHY?(I FIGURED OUT, THAT ERROR HAPPENS WHEN YOU GRANT SAME PERMISSION TO SAME USER SECOND TIME)
UPDATE
I have followed the suggested answer by kevinsky below and have learned quite a bit in the process, however I still have a problem. I still get the ORA-24247: network access denied by access control list (ACL). Because I did everything else as suggested, I am starting to think that the problem could be that first configuration file which I added, but cannot remove now because I cannot remember its name. If anyone can help me I would appreciate that very much.
RESULTS OF(I was trying out a few different things so):
select * from dba_network_acls;
Returns
* | 25 | 25 | /sys/acls/utl_smtp.xml| ACLID...
myservername.com | 25 | 25 | /sys/acls/utl_smtp.xml| ACLID...
myDBName | 25 | 25 | /sys/acls/utl_smtp.xml| ACLID...
mailServerDomainName | 25 | 25 | /sys/acls/utl_smtp.xml| ACLID...
mailserver.myDomain.local | 25 | 25 | /sys/acls/utl_smtp.xml| ACLID...

I did this upgrade and it was hours of work. It all has to be redone differently for version 12. Every procedure call must have a commit. The general idea is that you create an access,add details, grant privileges. You must know:
your mailserver name and port
whether you need a user and password to access it (probably not)
the user who will be calling the mail package, easier if they own the mail package too
/*create the access permission to connect*/
BEGIN
DBMS_NETWORK_ACL_ADMIN.create_acl (
acl => 'utl_smtp.xml',
description => 'access to smtp email',
principal => 'YourUser',
is_grant => TRUE,
privilege => 'connect',
start_date => SYSTIMESTAMP,
end_date => NULL);
COMMIT;
END;
--add the privilege to resolve names
BEGIN
DBMS_NETWORK_ACL_ADMIN.add_privilege (
acl => 'utl_smtp.xml',
principal => 'YourUser',
is_grant => TRUE,
privilege => 'resolve');
COMMIT;
END;
--assign your mailserver
BEGIN
DBMS_NETWORK_ACL_ADMIN.assign_acl (
acl => 'utl_smtp.xml',
host => 'mailserver.YourDomain.local',
lower_port => 25,
upper_port => NULL);
commit;
END;
BEGIN
DBMS_NETWORK_ACL_ADMIN.assign_acl (
acl => 'utl_smtp.xml',
host => 'YourDBName',
lower_port => 25,
upper_port => NULL);
COMMIT;
END;
--more housekeeping
alter system set smtp_out_server = 'mailserver.YourDomain.local:25' scope = both;
--make sure the user can access the smtp packages
GRANT EXECUTE ON UTL_TCP TO YourUser;
GRANT EXECUTE ON UTL_SMTP TO YourUser;
GRANT EXECUTE ON UTL_MAIL TO YourUser;
--check your work
select * from dba_network_acls;
--verify permissions for your user
SELECT DECODE(
DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE(
'utl_smtp.xml', 'YourUser', 'resolve'),
1, 'GRANTED', 0, 'DENIED', NULL) PRIVILEGE
FROM DUAL;
--if you have created access permissions you wish to delete
--using the information from the select use this to delete what you don't want
exec DBMS_NETWORK_ACL_ADMIN.DROP_ACL ('acl_utl_smtp.xml');
--for more troubleshooting try this barebones mail procedure, run with your user. Copied from [here][1]
DECLARE
v_From VARCHAR2(80) := 'oracle#mycompany.com';
v_Recipient VARCHAR2(80) := 'test#mycompany.com';
v_Subject VARCHAR2(80) := 'test subject';
v_Mail_Host VARCHAR2(30) := 'mail.mycompany.com';
v_Mail_Conn utl_smtp.Connection;
crlf VARCHAR2(2) := chr(13)||chr(10);
BEGIN
v_Mail_Conn := utl_smtp.Open_Connection(v_Mail_Host, 25);
utl_smtp.Helo(v_Mail_Conn, v_Mail_Host);
utl_smtp.Mail(v_Mail_Conn, v_From);
utl_smtp.Rcpt(v_Mail_Conn, v_Recipient);
utl_smtp.Data(v_Mail_Conn,
'Date: ' || to_char(sysdate, 'Dy, DD Mon YYYY hh24:mi:ss') || crlf ||
'From: ' || v_From || crlf ||
'Subject: '|| v_Subject || crlf ||
'To: ' || v_Recipient || crlf ||
crlf ||
'some message text'|| crlf || -- Message body
'more message text'|| crlf
);
utl_smtp.Quit(v_mail_conn);
EXCEPTION
WHEN utl_smtp.Transient_Error OR utl_smtp.Permanent_Error then
raise_application_error(-20000, 'Unable to send mail', TRUE);
END;

PLSQL package installation

Anybody here knows how to install a PLSQL package in Oracle 11g?
I am trying to use these two packages:
DBMS_NETWORK_ACL_ADMIN
DBMS_NETWORK_ACL_UTILITY
I am using Oracle Application Express and so far SQL is not able to identify these.
Thank you.

Installing PLSQL packages for DBMS_NETWORK_ACL_ADMIN
You can check whether they exist first, run this as user sys:
select *
from dba_objects
where name = ...
If they don't exist on Oracle RDBMS (I don't know whether maybe express edition excludes them, but that seems illogical), your database is not installed well. The easiest way is to re-install the database. In that case you don't need to replace the software, only create a new database.
The advanced way is to reinstall parts of the data dictionary. If you have never done it before, you can assume that the database will end up corrupt. You can try for instance executing ?/dbs/catqm.sql.
Replace ? by the path where ORACLE_HOME lives and then rdbms/admin. Such as $ORACLE_HOME/rdbms/admin on Linux. Remember to close the database for other users.
Maintaining ACL
The extra comments led to the conclusion that ACL are missing. This is the approach I use to maintain them in a package. Please be careful, even 11.2.0.3 has a bad habit of often crashing the session of the connected user on ACL maintenance despite preventive measures.
Warning! This script allows access to all ports between 1 and 32767. You probably want to restrict this to applicable ports for your application. For ease of use I've pasted it here for all 32K ports.
Warning 2! Maintenance of ACL can be non-trivial and can lead to security risks (which we gracefully accepted upto release 11 of Oracle :-). Involve your sysadmin or networkadmin in case of doubt.
--
-- When ORA-24247 errors continue despite creation of a network ACL,
-- first remove the ACL fully as user SYS using:
--
-- begin
-- dbms_network_acl_admin.drop_acl('/sys/acls/invantive-producer.xml');
-- end;
--
-- This occurs incidentally on Oracle 11g R1.
--
prompt Create Access Control Lists.
declare
l_principal varchar2(30) := upper('&&itgen_user_owner_login');
l_acl varchar2(300);
l_acl_full_path varchar2(300);
l_dummy pls_integer;
--
-- To temporary disable this code, sometimes it causes installation
-- issues.
--
l_skip_acl_maintenance boolean := false;
--
-- To temporarily disable granting the ACL access.
--
l_skip_acl_grants boolean := false;
begin
l_acl := 'invantive-producer.xml';
l_acl_full_path := '/sys/acls/' || l_acl;
--
if not l_skip_acl_maintenance
then
--
-- Drop superfluous network ACLs for users and roles that no longer exist.
--
-- Dropping network ACLs is tricky. Queries on the view dba_network_acls
-- often lead to ORA-600. This query seems to work reliable on Oracle 11g R1.
--
-- First delete all ACL privileges for which no ACL exists.
-- During this, we will ignore problems.
--
for r in
( select nae.acl
, nae.principal
from dba_network_acl_privileges nae
where nae.principal
not in
( select usr.username
from dba_users usr
union all
select rle.role
from dba_roles rle
)
)
loop
begin
dbms_network_acl_admin.delete_privilege
( r.acl
, r.principal
);
dbms_output.put_line('Dropped superfluous ACL ' || r.acl || ' for ' || r.principal || '.');
exception
when others
then
dbms_output.put_line('Ignoring error ' || sqlerrm);
end;
end loop;
--
-- Then try another time, not ignoring problems.
--
for r in
( select nae.acl
, nae.principal
from dba_network_acl_privileges nae
where nae.principal
not in
( select usr.username
from dba_users usr
union all
select rle.role
from dba_roles rle
)
)
loop
dbms_network_acl_admin.delete_privilege
( r.acl
, r.principal
);
dbms_output.put_line('Dropped superfluous ACL ' || r.acl || ' for ' || r.principal || '.');
end loop;
--
-- Now create new network ACL when it does not yet exist.
--
begin
select 1
into l_dummy
from resource_view rvw
where rvw.any_path = l_acl_full_path
;
dbms_output.put_line('ACL ' || l_acl || ' already present. No action.');
exception
when no_data_found
then
dbms_network_acl_admin.create_acl
( acl => l_acl
, description => 'Normal Access by Invantive Producer'
, principal => 'SYS'
, is_grant => true
, privilege => 'connect'
, start_date => null
, end_date => null
);
dbms_network_acl_admin.assign_acl
( acl => l_acl
, host => '*'
, lower_port => 1 /* ATTENTION! You may want to tighten this! */
, upper_port => 32767 /* ATTENTION! You may want to tighten this! */
);
dbms_output.put_line('Created ACL ' || l_acl || ' for port 1 till 32767.');
end;
else
dbms_output.put_line('Skipped maintenance of Access Control Lists.');
end if;
--
if not l_skip_acl_grants
then
--
-- Update the privilges for the ACL when not correct.
--
for r_usr
in
( select l_principal principal
from dual
union all
--
-- Any unspecified Invantive schema.
--
-- For SYS, itgen_schemas_r can contain multiple rows.
--
select sma_r.name principal
from itgen_schemas_r sma_r
)
loop
begin
select 1
into l_dummy
from dba_network_acl_privileges nae
where nae.acl = l_acl_full_path
and nae.principal = r_usr.principal
and nae.privilege = 'connect'
and nae.is_grant = 'true'
and nae.invert = 'false'
and nae.start_date is null
and nae.end_date is null
;
dbms_output.put_line('Connect privileges already granted to ' || l_principal || '. No action.');
exception
when no_data_found
then
dbms_network_acl_admin.add_privilege
( acl => l_acl
, principal => l_principal
, is_grant => true
, privilege => 'connect'
, start_date => null
, end_date => null
);
dbms_output.put_line('Connect privileges granted to ' || l_principal || '.');
end;
end loop;
--
commit;
else
dbms_output.put_line('Skipped grants of Access Control Lists.');
end if;
end;
/