Pluggable database Service Level Access Control “Firewall”

If you are using VNC (Valid Node Checking) to implement a TNS firewall in a non-CDB Oracle database architecture and are wondering whether the same thing can be done in the Multitenant Architecture (CDB), the answer is yes: through the package DBMS_SFW_ACL_ADMIN, which is owned by the account DBSFWUSER.

The account owns three tables: ACL$_OBJ, EXADIRECT_ACL and IP_ACL.


First, you need to add the following to your listener.ora file:

LOCAL_REGISTRATION_ADDRESS_LISTENER=ON


Turning the firewall on means that only connections validated against the ACL are accepted; all others are rejected. This is documented in the comments of the package specification.


Running the following SQL query in CDB$root lists the services available, together with the PDB each one belongs to:

SELECT service_id, name, network_name, pdb FROM cdb_services;


To configure PDB-level access, execute the following in CDB$root (the PDB name and client address below are the post's sample values):

BEGIN
  -- Add an access control entry allowing this client address to reach the PDB's services
  dbsfwuser.DBMS_SFW_ACL_ADMIN.ip_add_pdb_ace('pdb_test2', '192.142.56.136');
  -- The change must be committed before it takes effect
  dbsfwuser.DBMS_SFW_ACL_ADMIN.commit_acl;
END;
/

The package specification lists the procedures included in the package and serves as a guide to the input parameters each one requires.


Next, check that the ACL entry has been added.


To remove the access control entry:

BEGIN
  -- Remove the entry for this client address from the PDB's ACL
  dbsfwuser.DBMS_SFW_ACL_ADMIN.IP_REMOVE_PDB_ACE('pdb_test2', '192.142.56.136');
  -- Commit so the removal takes effect
  dbsfwuser.DBMS_SFW_ACL_ADMIN.commit_acl;
END;
/
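The same allow-list change for several client hosts at once, as an added example that is not part of the original post. It uses only the two-argument ip_add_pdb_ace form and the commit_acl call shown above; the PDB name and the IP addresses are constructed sample values, and the final query assumes you are connected to CDB$root with privileges to read the DBSFWUSER tables.

```sql
-- Added example (not from the original post): allow-list several application
-- hosts for one PDB in a single ACL change, committing once at the end.
DECLARE
  TYPE ip_list_t IS TABLE OF VARCHAR2(45);
  -- Constructed sample values: replace with your PDB and its permitted clients
  l_pdb VARCHAR2(128) := 'pdb_test2';
  l_ips ip_list_t := ip_list_t('192.142.56.136',
                               '192.142.56.137',
                               '192.142.56.138');
BEGIN
  FOR i IN 1 .. l_ips.COUNT LOOP
    -- One access control entry per permitted client address
    dbsfwuser.DBMS_SFW_ACL_ADMIN.ip_add_pdb_ace(l_pdb, l_ips(i));
  END LOOP;
  -- commit_acl is required after the add calls, as in the post's own block
  dbsfwuser.DBMS_SFW_ACL_ADMIN.commit_acl;
EXCEPTION
  WHEN OTHERS THEN
    -- Report which change failed, then re-raise so the caller sees the error
    DBMS_OUTPUT.PUT_LINE('ACL update for ' || l_pdb || ' failed: ' || SQLERRM);
    RAISE;
END;
/

-- Verify the entries now present in the DBSFWUSER ACL table mentioned above
SELECT * FROM dbsfwuser.ip_acl;
```

Run the block with SERVEROUTPUT on in SQL*Plus or SQLcl so the failure message is visible if a call is rejected.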