Resolving ORA-12506: TNS:listener rejected connection based on service ACL filtering

Matt MulvaneyMatt Mulvaney
2 min read

I encountered this error when I moved the ADB to a Private End Point and tried to connect to it on a Compute Instance which was on a VCN that had access to the ADB. Weird huh?

If its contactable and on a Private End Point then why is it being blocked? I found out that if I found the external IP of the compute instance…

curl ipconfig.io

… and then added it to public access …

… then it connected. But that is weird; also, this is not the solution; I don’t want public access when I should be able to access it locally.

The solution

The solution is, after moving a Private End Point, to

  1. Re-download the wallet

  2. Add an Associated Private View

Re-Downloaded Wallet

This was my previous wallet tnsnames.ora file

matt_low = (
    description = (
        retry_count = 20
        retry_delay = 3
        address = (
            protocol = tcps
            port = 1522
            host = adb.eu-frankfurt-1.oraclecloud.com
        )
        connect_data = (
            service_name = g4c_matt_low.adb.oraclecloud.com
        )
        security = (
            ssl_server_dn_match = yes
        )
    )
)

and this is my new wallet (notice the new FQDN DB host)

matt_low = (
    description = (
        retry_count = 20
        retry_delay = 3
        address = (
            protocol = tcps
            port = 1522
            host = abcedfghij.adb.eu-frankfurt-1.oraclecloud.com
        )
        connect_data = (
            service_name = g4c_matt_low.adb.oraclecloud.com
        )
        security = (
            ssl_server_dn_match = no
        )
    )
)

and this is my public one (which is a replica of the previous wallet tns)

matt_public_low = (
    description = (
        retry_count = 20
        retry_delay = 3
        address = (
            protocol = tcps
            port = 1522
            host = adb.eu-frankfurt-1.oraclecloud.com
        )
        connect_data = (
            service_name = g4c_matt_low.adb.oraclecloud.com
        )
        security = (
            ssl_server_dn_match = yes
        )
    )
)

Whats happened in the new wallet is that:

  • My previous matt_low has been effectively relocated to matt_public_low and the DB is accessed through the public hostname adb.eu-frankfurt-1.oraclecloud.com

  • A new matt_low has appeared where the host is accessed on a FQDN of abcedfghij.adb.eu-frankfurt-1.oraclecloud.com

Associated Private View

To access this on a compute on another VCN, if the host was an IP address - it would have worked. However its a FQDN, therefore, I also had to create an Assoicated Private View.

To do this, click OCI > Instance > VCN > DNS Resolver > Associated private views > Manage Private Views > Choose a private view > VCN of the ADB > Save Changes

It should look like this:

You should now be able to connect to your ADB on Private End Point.

ENJOY!

What’s the picture? A puddle just here. Visit Yorkshire!

0
Subscribe to my newsletter

Read articles from Matt Mulvaney directly inside your inbox. Subscribe to the newsletter, and don't miss out.

orclapexOracleOracle Autonomous DatabaseOCInetworkingsqlclsqlplusCloud

Written by

Matt Mulvaney
Matt Mulvaney

With around 20 years on the job, Matt is one of the most experienced software developers at Pretius. He likes meeting new people, traveling to conferences, and working on different projects. He’s also a big sports fan (regularly watches Leeds United, Formula 1, and boxing), and not just as a spectator – he often starts his days on a mountain bike, to tune his mind.