密码错误频繁登陆引起的“library cache lock”或“row cache lock”等待

时间 2021-04-12

标签数据库安全 session app ide this spa .net code orm 栏目 SQL 繁體版

原文原文链接

密码错误频繁登陆引起的”library cache lock”或”row cache lock”等待数据库

对于正常的系统，因为密码的更改，可能存在某些被遗漏的客户端，不断重复尝试使用错误密码登陆数据库，从而引发数据库内部长时间的”library cache lock”或”row cache lock”的等待，这种情形很是常见。这种现象在Oracle 10.2和11.1中体现的等待事件为：”row cache lock”，而在Oracle 11.2中体现的等待事件为：”library cache lock”。

row cache lock等待事件的处理：http://blog.itpub.net/26736162/viewspace-2139754/

安全

在 Oracle 11g 中，为了提高安全性，Oracle 引入了『密码延迟验证』的新特性。这个特性的做用是，若是用户输入了错误的密码尝试登陆，那么随着登陆错误次数的增长，每次登陆前验证的时间也会增长，以此减缓可能对于数据库重复的口令尝试***。session

可是对于正常的系统，因为口令的更改，可能存在某些被遗漏的客户端，不断重复尝试，从而引发数据库内部长时间的 Library Cache Lock的等待，这种情形很是常见。app

若是遇到这一类问题，能够经过Event 28401关闭这个特性，从而消除此类影响，如下命令将修改设置在参数文件中：ide

ALTER SYSTEM SET EVENT =this

'28401 TRACE NAME CONTEXT FOREVER, LEVEL 1' SCOPE = SPFILE;spa

出现这类问题很是典型的AWR报告呈现以下，首先在 TOP 5 中，你可能看到显著的 Library Cache Lock 的等待，如下范例来自11.2.0.3.0版本的真实状况：
.net

在这类状况下，时间模型 - Time Model 中会显示以下指标，其中 connection management call elapsed time 占据了主要的DB Time，这个等待直接代表是在创建数据库链接时产生的：
code

这类问题，在Oracle的11g中是常见和肯定的，在MOS上能够找到相应的记录：High 'library cache lock' Wait Time Due to Invalid Login Attempts(1309738.1）此外Oracle 11g开启了密码大小写验证，若是从Oracle 10g升级过来，须要特别的小心这个变化，经过初始化参数SEC_CASE_SENSITIVE_LOGON 能够来控制这个特性。orm

High 'library cache lock' Wait Time Due to Invalid Login Attempts (文档 ID 1309738.1)

类型: 状态: 上次主更新: 上次更新:

PROBLEM PUBLISHED 2017-8-2 2017-8-2

In this Document

Symptoms

Changes

Cause

Solution

References

APPLIES TO:

Oracle Database - Enterprise Edition - Version 10.2.0.5 and later
Information in this document applies to any platform.

SYMPTOMS

'Library cache lock' or 'row cache lock' can be observed when concurrent users login with wrong password to the database.
The 'row cache lock' is seen in 10.2 and 11.1 while the 'library cache lock' is seen in 11.2.
ASH Report displays
- High Percentage of execution time attributed to Connection Management:
- High percentage of calls of type OAUTH
Stack contains one of the following functions:
kziavua
kziaia
kziasfc
Checking the exclusive holder from DBA_DDL_LOCKS, a session may be seen holding a lock type (kglhdnsp) 79 on object (kglnaobj) 5:
SQL> select * from dba_ddl_locks where mode_held='Exclusive';
SESSION_ID OWNER NAME TYPE MODE_HELD MODE_REQU
---------- --------- ---------- ---------- --------- ---------
612 5 79 Exclusive None

If AUDIT_TRAIL is enabled, login failures can be checked by running SQLs similar to the following:
Checks for entries in the last 7 days in DBA_AUDIT_TRAIL with error ORA-1017 invalid username/password; logon denied
select username, os_username, userhost, client_id, trunc(timestamp), count(*) fa
iled_logins
from dba_audit_trail
where returncode = 1017
and timestamp > sysdate - 7
group by username, os_username, userhost, client_id, trunc(timestamp);

Checks for entries in the last 7 days in DBA_AUDIT_SESSION where an error was returned
select username, os_username, userhost, timestamp, returncode
from sys.dba_audit_session
where returncode != 0
and timestamp > sysdate - 7;

CHANGES

Many users with wrong password try to login to the database simultaneously

CAUSE

A hang is possible in earlier versions of RDBMS as a result of an unpublished bug fixed in the following versions:

    12.1.0.1 (Base Release)
    11.2.0.2 (Server Patch Set)
    11.1.0.7 Patch 42 on Windows Platforms

Document 9776608.8 Bug 9776608 - Hang from concurrent login to same account with a wrong password

Even with this fix, numerous failed logins attempts can cause row cache lock waits and/or library cache lock waits.

This was reported in:

Bug 11742803 LOTS OF 'LIBRARY CACHE LOCK' DURING USER LOGON AUTHENTICATION

This was closed as not a bug because there is an intentional wait when a login fails.

SOLUTION

In Oracle 11g Release 11.1.0.7, the wait is disabled unconditionally

In Oracle 11g Release 2 and higher, in order to disable the wait between login failures the event 28401 needs to be explicitly enabled:

The event can be set as follows:

alter system set event ="28401 TRACE NAME CONTEXT FOREVER, LEVEL 1" scope=spfile;

To unset the event, set as follows:

SQL> Alter system set event= '28401 trace name context off' scope=spfile ;

For more information see:

Document:7715339.8 Logon failures causes "row cache lock" waits - Allow disable of logon delay

The following functions match per above bug:

nanosleep nanosleep kziasfc kpolnb kpoauth

Note: Care should be taken when setting this event, as this is disabling the sleep time which can leave the system more vulnerable.

For databases using MTS, a further enhancement has been created in:

Bug 19867671 - LIBRARY CACHE LOCK CAUSED BY WRONG PASSWORD LOGIN <=====This bug is superseded by following bug:
Bug 20016491 : DB12.2SEC: LOCK_DATE NOT RESET EVEN AFTER A/C UNLOCKED POST PWD_LOCK_TIME ELAPSE

as setting the event is not as effective as it is for dedicated systems. The following enhancement is included in 12.2:

"The failed login counter will be disabled entirely for any user that has the setting UNLIMITED for their account's FAILED_LOGIN_ATTEMPTS password profile setting."

Bug:19867671 LIBRARY CACHE LOCK CAUSED BY WRONG PASSWORD LOGIN

To find which Session is Holding a Particular Library Cache Lock, review following note:

Document 122793.1 How to Find which Session is Holding a Particular Library Cache Lock

REFERENCES

BUG:11742803 - LOTS OF 'LIBRARY CACHE LOCK' DURING USER LOGON AUTHENTICATION NOTE:7715339.8 - Bug 7715339 - Logon failures causes "row cache lock" waits - Allow disable of logon delay BUG:19867671 - LIBRARY CACHE LOCK CAUSED BY WRONG PASSWORD LOGIN