Oracle 11g Error: Network access denied by access control list (ACL)

From Oracle 11g network packages like UTL_TCP, UTL_SMTP, UTL_MAIL, UTL_HTTP, and UTL_INADDR which can be used to access external network resources, are more restricted and secured. Oracle 11g introduced Fine-Grained Access to these packages by creating an Access Control List to use any external network resource through these packages. Before this any user who had an execute privilege on these packages was able to do anything to any network resource like web and local mail servers etc. But now a user needs a little more than just an execute privilege on the network packages.

ERROR at line 1:
ORA-29273: HTTP request failed
ORA-06512: at "SYS.UTL_HTTP", line 1722
ORA-24247: network access denied by access control list (ACL)
ORA-06512: at line 1

How to configure Access Control List

We need to configure an Access Control List (ACL) and grant "connect" privilege on that ACL to our user. Then we need to assign host to this ACL and any other host to which user needs access.

DBMS_NETWORK_ACL_ADMIN.CREATE_ACL () - Creates a new Access Control List. Following are the parameters that it takes.
Acl => Name of the Access Control List. This is a XML file which will be created in /sys/acls directory by default.
Description => Description of the ACL.
Principal => Name of the user or role (case sensitive) to whom the permissions are being granted or denied.
is_grant => TRUE or FALSE, whether to grant access or deny access
Privilege => connect or resolve (lowercase always). Will the user be able to connect to the network resource or just could resolve the network address
start_date => Start date (optional) of the access to the user
end_date => End date (optional) of the access to the user

Example:-

BEGIN
DBMS_NETWORK_ACL_ADMIN.CREATE_ACL (
ACL => 'YourUser_utl_http.xml',
DESCRIPTION => 'Allow to call http url',
PRINCIPAL => 'YourUser',
IS_GRANT => TRUE,
PRIVILEGE => 'connect'
);
COMMIT;
END;

Add a privilege to Access Control List

First access to the ACL to any user is granted when the ACL is created with the CREATE_ACL procedure. If any other user or role needs permission on the ACL you may user the procedure ADD_PRIVILEGE.
DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE ()
Add access for more users or roles in an already existing ACL. It takes similar parameters as CREATE_ACL procedure except there is no description parameter and a new parameter position which is used in ADD_PRIVILEGE but not in CREATE_ACL.
The position parameter decides the precedence of the rights for multiple users. When granting access to multiple roles and user set the precedence appropriately.

Example:-

BEGIN
DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE (
ACL => 'YourUser_utl_http.xml',
PRINCIPAL => 'YourUser',
IS_GRANT => TRUE,
PRIVILEGE => 'resolve'
);
COMMIT;
END;

Assign a network host to Access Control List

DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL ()-Assigns a network host local or remote to an ACL. It takes the following parameters:
acl=> Name of the Access Control List.
host=> Name of the host.
lower_port=> Lower port (optional) from the range of ports allowed on this host.
upper_port=> Upper port (optional) from the range of ports allowed on this host

Example:-

BEGIN
DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL (
ACL => 'YourUser_utl_http.xml',
HOST => 'Your domain name eg. www.xyz.com',
LOWER_PORT => 60,
UPPER_PORT => 8080
);
COMMIT;
END;

Hope this is Helpful

Comments