Introduction
Real database security is not limited to password policies or user access levels. If the database is exposed to connections from any IP or unknown system, all those security layers become ineffective. We need to build a wall around the database—allowing only the systems we explicitly trust to connect. Oracle provides this capability through the sqlnet.ora configuration file.
Why You Should Restrict Connections
In most environments, the database resides on a network where multiple servers have potential access to it. These could include a standby server, application servers, or monitoring tools such as Oracle Enterprise Manager (OEM). But having an open listener port accessible to all IPs poses a serious risk. Any entity with valid credentials can attempt to connect to the database. By enabling a whitelist in sqlnet.ora, we can specify which IP addresses are allowed, preventing unauthorized connections before authentication even begins.
Steps to Enable the Whitelist
To restrict incoming connections, three parameters must be configured in sqlnet.ora:
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (192.168.188.3, 127.0.0.1, 192.168.188.61)
With this configuration, only the IPs listed under TCP.INVITED_NODES are allowed to connect. All other addresses are blocked.
In this example:
192.168.188.61 is the server tehran1
192.168.188.62 is the server tehran2
192.168.188.3 hosts a CDB that contains a PDB named oraclepdb
127.0.0.1 is used for local server connections
Location of the sqlnet.ora File
If the listener is running under the database software owner (for example, oracle), the file should be placed in the Oracle Home network directory, such as:
/u01/app/oracle/product/19c/dbhome/network/admin/sqlnet.ora
If the listener is managed by Grid Infrastructure, the file should be placed in the Grid Home network directory, for example:
/u01/app/19c/grid/network/admin/sqlnet.ora
In our test environment, the following homes exist:
cat /etc/oratab
+ASM:/u01/app/19c/grid:N
orcl:/u01/app/oracle/product/19c/dbhome:N
vahidcdb:/u01/app/oracle/product/19c/dbhome:N
The listener always reads its network configuration from its own home, not from the database home. To confirm the active listener home, run the following command:
lsnrctl status | grep "Listener Parameter File"
Example output:
Listener Parameter File /u01/app/19c/grid/network/admin/listener.ora
You should edit or create sqlnet.ora in the same directory.
Applying the Changes
After modifying sqlnet.ora, reload the listener to apply the new configuration without stopping it:
lsnrctl reload
If necessary, you can fully restart the listener:
lsnrctl stop
lsnrctl start
Security and Operational Notes
In environments with Data Guard or RAC, make sure to include all related server IPs in the whitelist to prevent issues with redo transport or inter-node communication.
If you place sqlnet.ora in the wrong home (for example, the database home while the listener runs from the grid home), the configuration will have no effect. Always verify the active listener path.
The sqlnet.log file will show which connection attempts were allowed or rejected. I tested this setup in a SINGLE instance environment and plan to test it in RAC soon. If you want to use it in production, test it in your RAC test environment first.
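To catch a missing standby or RAC peer before running lsnrctl reload, the following shell script is an added example (not part of the original post): it parses sqlnet.ora, checks that TCP.VALIDNODE_CHECKING is YES, and reports every node you pass that is absent from TCP.INVITED_NODES. The function names and the sample file are assumptions; the sample reuses the post's addresses and deliberately leaves out tehran2 (192.168.188.62).

```shell
#!/bin/sh
# Added example (not from the original post): audit a sqlnet.ora whitelist
# before reloading the listener. Arguments: sqlnet.ora path, then every node
# that must stay reachable (standby, RAC peers, OEM). Helper names are assumed.

# Print one parameter value: comments stripped, continuation lines joined,
# parentheses and whitespace removed (so a list becomes "a,b,c").
sqlnet_value() {
    flat=$(tr -d '\r' < "$1" | sed 's/#.*$//' | tr '\n\t' '  ' | tr -s ' ')
    val=$(printf '%s\n' "$flat" | grep -ioE "$2 *= *\([^)]*\)" | head -n 1)
    [ -n "$val" ] || val=$(printf '%s\n' "$flat" | grep -ioE "$2 *= *[^ ]+" | head -n 1)
    printf '%s\n' "$val" | sed 's/^[^=]*= *//; s/[()]//g; s/ //g'
}

# Exit 0 only if checking is enabled and every required node is invited.
check_sqlnet_whitelist() {
    file=$1; shift
    rc=0
    mode=$(sqlnet_value "$file" TCP.VALIDNODE_CHECKING | tr '[:lower:]' '[:upper:]')
    if [ "$mode" != "YES" ]; then
        echo "FAIL: TCP.VALIDNODE_CHECKING='${mode:-unset}'; the list is not enforced"
        rc=1
    fi
    invited=$(sqlnet_value "$file" TCP.INVITED_NODES)
    for node in "$@"; do
        case ",$invited," in
            *",$node,"*) echo "ok:   $node is invited" ;;
            *)           echo "FAIL: $node is missing from TCP.INVITED_NODES"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample modelled on the post; tehran2 (192.168.188.62) is absent.
write_sample_sqlnet() {
    cat > "$1" <<'EOF'
# sqlnet.ora (constructed sample)
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (192.168.188.3, 127.0.0.1,
                     192.168.188.61)
EOF
}

sample=${TMPDIR:-/tmp}/sqlnet_sample.$$
write_sample_sqlnet "$sample"
check_sqlnet_whitelist "$sample" 192.168.188.3 192.168.188.61 192.168.188.62 \
    || echo "audit failed: fix sqlnet.ora before 'lsnrctl reload'"
rm -f "$sample"
```

Run it against the sqlnet.ora in the listener's own network/admin directory, not the database home, since that is the file the listener will actually read.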
Connection Test
From the tehran2 server, before enabling the whitelist, we test connectivity to the database:
[oracle@tehran2 dbhome]$ tnsping oraclepdb
...
OK (10 msec)
[oracle@tehran2 dbhome]$ sqlplus sys@oraclepdb as sysdba
...
Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.25.0.0.0
After applying the whitelist changes, the connection test shows:
[oracle@tehran2 dbhome]$ tnsping oraclepdb
TNS-12547: TNS:lost contact
[oracle@tehran2 dbhome]$ sqlplus sys@oraclepdb as sysdba
ORA-12547: TNS:lost contact
The connection is now denied, confirming that the whitelist configuration works as expected.
Conclusion
With just a few lines in sqlnet.ora, you can prevent most unauthorized connections. This is, in effect, building a real wall around your database. From now on, even if someone knows the password, without an authorized IP they cannot reach the database. Correctly configuring sqlnet.ora and reloading the listener is one of the simplest yet most effective steps toward securing Oracle Database connections.