1. Configure the wallet on the client and the server
The procedure is identical on both ends; each side then imports the other side's certificate as a trusted certificate.
orapki wallet create -wallet "/u01/oracle/wallet" -pwd Wdkf984jkkgekj434FKFD -auto_login_local
orapki wallet add -wallet "/u01/oracle/wallet" -pwd Wdkf984jkkgekj434FKFD -dn "CN=`hostname`" -keysize 1024 -self_signed -validity 3650
(-keysize 1024 is kept as on the original; RSA-1024 is no longer adequate, so use -keysize 2048 on current releases. -auto_login_local ties the auto-login wallet to this host; the transcript further down uses plain -auto_login.)
Export the certificate:
orapki wallet export -wallet "/u01/oracle/wallet" -pwd Wdkf984jkkgekj434FKFD -dn "CN=`hostname`" -cert /tmp/`hostname`-certificate.crt
Copy the exported file to the other host and import it there as a trusted certificate (the file name below is the peer's export):
orapki wallet add -wallet "/u01/oracle/wallet" -pwd Wdkf984jkkgekj434FKFD -trusted_cert -cert /tmp/ROCKY-20160621P-certificate.crt
Verify: the peer's subject must now be listed under Trusted Certificates.
orapki wallet display -wallet "/u01/oracle/wallet" -pwd Wdkf984jkkgekj434FKFD
2. Listener configuration
Add the following to sqlnet.ora on both ends. DIRECTORY must be the directory holding the wallet created in step 1 (the commands above use /u01/oracle/wallet while the transcript below uses /u01/app/oracle/wallet; use one path consistently, since a mismatch leaves the client unable to open its wallet).
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /u01/app/oracle/wallet)
)
)
SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
SSL_RSA_WITH_3DES_EDE_CBC_SHA is a legacy suite with 112-bit effective strength; list only the AES suite unless a peer cannot negotiate it. Also set SSL_VERSION = 1.2 explicitly: left at the default of 0, the peers negotiate any version the release supports.
On the server, add a TCPS endpoint to the listener with netca (or netmgr), on a port different from the existing TCP endpoint.
On the client, add a tnsnames.ora entry whose ADDRESS uses PROTOCOL = TCPS and the TCPS port.
3. Verification
tnsping against the TCPS alias succeeds.
sqlplus login through the alias succeeds, and sys_context('userenv','network_protocol') returns Tcps.
oracle@solaris:~$ mkdir /u01/app/oracle/wallet
oracle@solaris112:~$ mkdir /u01/app/oracle/wallet
oracle@solaris:~$ cd /u01/app/oracle/wallet
oracle@solaris:/u01/app/oracle/wallet$ orapki wallet create -wallet /u01/app/oracle/wallet -auto_login -pwd welcome1
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
oracle@solaris:/u01/app/oracle/wallet$ ls -l /u01/app/oracle/wallet
total 6
-rw------- 1 oracle oinstall 120 Dec 14 23:29 cwallet.sso
-rw-rw-rw- 1 oracle oinstall 0 Dec 14 23:29 cwallet.sso.lck
-rw------- 1 oracle oinstall 75 Dec 14 23:29 ewallet.p12
-rw-rw-rw- 1 oracle oinstall 0 Dec 14 23:29 ewallet.p12.lck
oracle@solaris112:/u01/app/oracle/wallet$ orapki wallet create -wallet /u01/app/oracle/wallet -auto_login -pwd welcome2
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
oracle@solaris112:/u01/app/oracle/wallet$ ls -l /u01/app/oracle/wallet
total 4
-rw------- 1 oracle oinstall 120 Dec 15 07:30 cwallet.sso
-rw-rw-rw- 1 oracle oinstall 0 Dec 15 07:30 cwallet.sso.lck
-rw------- 1 oracle oinstall 75 Dec 15 07:30 ewallet.p12
-rw-rw-rw- 1 oracle oinstall 0 Dec 15 07:30 ewallet.p12.lck
oracle@solaris:/u01/app/oracle/wallet$ orapki wallet add -wallet /u01/app/oracle/wallet -dn "CN=solaris.dbaglobe.com" -keysize 1024 -self_signed -validity 365 -pwd welcome1
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
oracle@solaris112:/u01/app/oracle/wallet$ orapki wallet add -wallet /u01/app/oracle/wallet -dn "CN=solaris112.dbaglobe.com" -keysize 1024 -self_signed -validity 365 -pwd welcome2
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Displaying the server's wallet now shows the new self-signed certificate both as the user certificate and as a trusted certificate (nothing is pending under Requested Certificates, because -self_signed issues the certificate immediately):
oracle@solaris:/u01/app/oracle/wallet$ orapki wallet display -wallet /u01/app/oracle/wallet
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Subject: CN=solaris.dbaglobe.com
Trusted Certificates:
Subject: CN=solaris.dbaglobe.com
oracle@solaris112:~$ orapki wallet display -wallet /u01/app/oracle/wallet
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Subject: CN=solaris112.dbaglobe.com
Trusted Certificates:
Subject: CN=solaris112.dbaglobe.com
oracle@solaris:/u01/app/oracle/wallet$ orapki wallet export -wallet /u01/app/oracle/wallet -dn "CN=solaris.dbaglobe.com" -cert /u01/app/oracle/wallet/solaris.dbaglobe.com.txt
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
oracle@solaris112:~$ orapki wallet export -wallet /u01/app/oracle/wallet -dn "CN=solaris112.dbaglobe.com" -cert /u01/app/oracle/wallet/solaris112.dbaglobe.com.txt
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
oracle@solaris:/u01/app/oracle/wallet$ scp solaris112:/u01/app/oracle/wallet/solaris112.dbaglobe.com.txt .
oracle@solaris:/u01/app/oracle/wallet$ scp /u01/app/oracle/wallet/solaris.dbaglobe.com.txt solaris112:/u01/app/oracle/wallet/
oracle@solaris:/u01/app/oracle/wallet$ orapki wallet add -wallet /u01/app/oracle/wallet -trusted_cert -cert /u01/app/oracle/wallet/solaris112.dbaglobe.com.txt -pwd welcome1
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
oracle@solaris112:~$ orapki wallet add -wallet /u01/app/oracle/wallet -trusted_cert -cert /u01/app/oracle/wallet/solaris.dbaglobe.com.txt -pwd welcome2
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
oracle@solaris:/u01/app/oracle/wallet$ orapki wallet display -wallet /u01/app/oracle/wallet
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Subject: CN=solaris.dbaglobe.com
Trusted Certificates:
Subject: CN=solaris112.dbaglobe.com
Subject: CN=solaris.dbaglobe.com
oracle@solaris112:~$ orapki wallet display -wallet /u01/app/oracle/wallet
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Subject: CN=solaris112.dbaglobe.com
Trusted Certificates:
Subject: CN=solaris.dbaglobe.com
Subject: CN=solaris112.dbaglobe.com
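The cross-import above is what the TLS handshake depends on: with SSL_CLIENT_AUTHENTICATION = FALSE the client must trust the server's user certificate, and if client authentication is switched on the server must trust the client's in turn. The following is an added example, not code from the original page or from Oracle: it parses orapki wallet display output (the two displays are constructed from the subjects shown above) and reports which trust relationship is missing. The optional hostname check is this example's assumption, mirroring what SSL_SERVER_DN_MATCH enforces when enabled.

```python
"""Added example (not from the page or from Oracle): check, from the output of
`orapki wallet display`, that two wallets trust each other the way the TLS
handshake needs. The displays below are constructed from the page's subjects."""


def parse_display(text):
    """Return the Subject lines under each heading of an orapki wallet display."""
    headings = {"Requested Certificates:": "requested",
                "User Certificates:": "user",
                "Trusted Certificates:": "trusted"}
    certs = {name: [] for name in headings.values()}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in headings:
            section = headings[line]
        elif section and line.startswith("Subject:"):
            certs[section].append(line[len("Subject:"):].strip())
    return certs


def trust_problems(server_display, client_display, client_auth=False, connect_host=None):
    """List what would make the handshake fail between these two wallets.

    With SSL_CLIENT_AUTHENTICATION = FALSE (the page's setting) only the client
    has to trust the server's certificate; client_auth=True adds the reverse check.
    connect_host, when given, must equal the CN of the server's certificate
    (the assumption SSL_SERVER_DN_MATCH makes when it is enabled).
    """
    server, client = parse_display(server_display), parse_display(client_display)
    problems = []
    if not server["user"]:
        problems.append("server wallet has no user certificate to present")
    for subject in server["user"]:
        if subject not in client["trusted"]:
            problems.append(f"client wallet does not trust server certificate {subject}")
        if connect_host and f"CN={connect_host}" not in subject.split(","):
            problems.append(f"server certificate {subject} does not match host {connect_host}")
    if client_auth:
        if not client["user"]:
            problems.append("client wallet has no user certificate to present")
        for subject in client["user"]:
            if subject not in server["trusted"]:
                problems.append(f"server wallet does not trust client certificate {subject}")
    return problems


# Constructed from the page's displays: the server (solaris) and the client
# (solaris112) after the cross-import, and the client before it.
SERVER_DISPLAY = """\
Requested Certificates:
User Certificates:
Subject:        CN=solaris.dbaglobe.com
Trusted Certificates:
Subject:        CN=solaris112.dbaglobe.com
Subject:        CN=solaris.dbaglobe.com
"""
CLIENT_AFTER = """\
Requested Certificates:
User Certificates:
Subject:        CN=solaris112.dbaglobe.com
Trusted Certificates:
Subject:        CN=solaris.dbaglobe.com
Subject:        CN=solaris112.dbaglobe.com
"""
CLIENT_BEFORE = """\
Requested Certificates:
User Certificates:
Subject:        CN=solaris112.dbaglobe.com
Trusted Certificates:
Subject:        CN=solaris112.dbaglobe.com
"""

if __name__ == "__main__":
    print(trust_problems(SERVER_DISPLAY, CLIENT_BEFORE, connect_host="solaris.dbaglobe.com"))
    print(trust_problems(SERVER_DISPLAY, CLIENT_AFTER, connect_host="solaris.dbaglobe.com"))
```

An empty list for the server/client pair is the state the page reaches at the end of the wallet step; CLIENT_BEFORE reproduces the client before the peer certificate was imported. Note that the page connects with HOST = solaris while the certificate says CN=solaris.dbaglobe.com, so enabling SSL_SERVER_DN_MATCH with that connect string would fail the hostname check.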
oracle@solaris:/u01/app/oracle/wallet$ lsnrctl stop
Edit the server-side configuration with netmgr. Sample configuration:
oracle@solaris:/u01/app/oracle/wallet$ cat /u01/app/oracle/product/12.1.0/dbhome_1/network/admin/listener.ora
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /u01/app/oracle/wallet)
)
)
LISTENER =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = solaris)(PORT = 1521))
)
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCPS)(HOST = solaris)(PORT = 1531))
)
(DESCRIPTION =
(ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
)
)
ADR_BASE_LISTENER = /u01/app/oracle
oracle@solaris:/u01/app/oracle/wallet$ cat /u01/app/oracle/product/12.1.0/dbhome_1/network/admin/sqlnet.ora
SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)
SSL_VERSION = 0
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /u01/app/oracle/wallet)
)
)
ADR_BASE = /u01/app/oracle
oracle@solaris:/u01/app/oracle/wallet$ lsnrctl start
oracle@solaris112:~$ cat /u01/app/oracle/product/12.1.0/dbhome_1/network/admin/sqlnet.ora
#Parameter for TDE
ENCRYPTION_WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /u01/app/oracle/wallet)
)
)
SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)
SSL_VERSION = 0
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /u01/app/oracle/wallet)
)
)
ADR_BASE = /u01/app/oracle
oracle@solaris112:~$ echo "
> ORCL1_TCPS =
> (DESCRIPTION =
> (ADDRESS = (PROTOCOL = TCPS)(HOST = solaris)(PORT = 1531))
> (CONNECT_DATA =
> (SERVER = DEDICATED)
> (SERVICE_NAME = orcl1)
> )
> )
>
> " >> /u01/app/oracle/product/12.1.0/dbhome_1/network/admin/tnsnames.ora
oracle@solaris112:/u01/app/oracle/product/12.1.0/dbhome_1/network/admin$ tnsping ORCL1_TCPS
TNS Ping Utility for Solaris: Version 12.1.0.2.0 - Production on 15-DEC-2014 08:39:03
Copyright (c) 1997, 2014, Oracle. All rights reserved.
Used parameter files:
/u01/app/oracle/product/12.1.0/dbhome_1/network/admin/sqlnet.ora
Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = solaris)(PORT = 1531)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = orcl1)))
OK (20 msec)
oracle@solaris112:~$ sqlplus system/password@orcl1_tcps
SQL*Plus: Release 12.1.0.2.0 Production on Mon Dec 15 08:39:57 2014
Copyright (c) 1982, 2014, Oracle. All rights reserved.
Last Successful login time: Mon Dec 15 2014 00:39:21 +08:00
Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options
SQL> select sys_context('userenv','network_protocol') from dual;
SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')
--------------------------------------------------------------------------------
Tcps
SQL> select userenv('sid') from dual;
USERENV('SID')
--------------
50
SQL> select * from v$session_connect_info where sid=50;
SID  SERIAL#  AUTHENTICATION_TYPE  OSUSER  NETWORK_SERVICE_BANNER
---  -------  -------------------  ------  ------------------------------------------------------------------------
50   14986    DATABASE             oracle
50   14986    DATABASE             oracle  Authentication service for Solaris: Version 12.1.0.2.0 - Production
50   14986    DATABASE             oracle  Encryption service for Solaris: Version 12.1.0.2.0 - Production
50   14986    DATABASE             oracle  Crypto-checksumming service for Solaris: Version 12.1.0.2.0 - Production
The remaining columns are identical on all four rows: CLIENT_CHARSET US7ASCII, CLIENT_CONNECTION Homogeneous, CLIENT_OCI_LIBRARY Home-based, CLIENT_VERSION 12.1.0.2.0, CLIENT_DRIVER SQL*PLUS, CLIENT_LOBATTR Client Temp Lob Rfc On, CLIENT_REGID 0, CON_ID 0.
Errors hit earlier in the same session, with their causes.
The import below failed because -pwd was omitted: without the password orapki opens the auto-login wallet (cwallet.sso), which is read-only, instead of ewallet.p12. The import that succeeded above passes -pwd welcome1.
oracle@solaris:/u01/app/oracle/wallet$ orapki wallet add -wallet /u01/app/oracle/wallet -trusted_cert -cert /u01/app/oracle/wallet/solaris112.dbaglobe.com.txt
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Could not install trusted cert at/u01/app/oracle/wallet/solaris112.dbaglobe.com.txt
PKI-02008: Unable to modify a read-only Auto-login wallet.
The listener failed to start because the TCPS endpoint had been put on port 1521, which the TCP endpoint already binds; the working listener.ora above moves TCPS to port 1531.
oracle@solaris:/u01/app/oracle/wallet$ lsnrctl start
LSNRCTL for Solaris: Version 12.1.0.2.0 - Production on 15-DEC-2014 00:02:21
Copyright (c) 1991, 2014, Oracle. All rights reserved.
Starting /u01/app/oracle/product/12.1.0/dbhome_1/bin/tnslsnr: please wait...
TNSLSNR for Solaris: Version 12.1.0.2.0 - Production
System parameter file is /u01/app/oracle/product/12.1.0/dbhome_1/network/admin/listener.ora
Log messages written to /u01/app/oracle/diag/tnslsnr/solaris/listener/alert/log.xml
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=solaris)(PORT=1521)))
Error listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=solaris)(PORT=1521)))
TNS-12542: TNS:address already in use
TNS-12560: TNS:protocol adapter error
TNS-00512: Address already in use
Solaris Error: 125: Address already in use
Listener failed to start. See the error message(s) above...
ORA-28759 on the client means the client-side wallet could not be opened: check that WALLET_LOCATION in the client's sqlnet.ora points at the directory that holds cwallet.sso and ewallet.p12, and that the Oracle OS user can read them (the client sqlnet.ora shown above is the corrected one). tnsping reports the same failure as TNS-12560.
oracle@solaris112:~$ sqlplus system/p_ssw0rd@orcl1_tcps
SQL*Plus: Release 12.1.0.2.0 Production on Mon Dec 15 08:14:21 2014
Copyright (c) 1982, 2014, Oracle. All rights reserved.
ERROR:
ORA-28759: failure to open file
oracle@solaris112:~$ tnsping orcl1_tcps
TNS Ping Utility for Solaris: Version 12.1.0.2.0 - Production on 15-DEC-2014 08:14:50
Copyright (c) 1997, 2014, Oracle. All rights reserved.
Used parameter files:
/u01/app/oracle/product/12.1.0/dbhome_1/network/admin/sqlnet.ora
Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = solaris)(PORT = 1531)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = orcl1)))
TNS-12560: TNS:protocol adapter error
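The errors above (TNS-12542, ORA-28759) and the choices made in section 2 (SSL_VERSION, cipher suites, wallet location) can all be checked before anything is restarted. As an added example, not code from the page or from Oracle, here is a parser for the Oracle Net parameter syntax that listener.ora, sqlnet.ora and tnsnames.ora share, plus an audit that checks that the TCPS endpoint does not collide with the TCP one, that the client alias really uses TCPS against an endpoint the listener offers, that both sides declare a WALLET_LOCATION, that SSL_VERSION is pinned and that no 3DES suite is offered. The file contents are constructed after the page's configuration; pinning TLS 1.2 and rejecting 3DES are this example's policy, not Oracle defaults.

```python
"""Added example, not code from the original page or from Oracle: parse the
Oracle Net syntax of listener.ora, sqlnet.ora and tnsnames.ora, then audit a TCPS
setup for the mistakes behind TNS-12542 and ORA-28759 above. Sample contents are
constructed after the page; the TLS 1.2 / no-3DES policy is this example's."""
import re


def parse(text):
    """Return {NAME: [value, ...]}: a value is a string, a list of bare words such as
    (BEQ, TCPS), or a dict built from a run of (KEY = value) groups; repeated keys
    (several DESCRIPTION groups) keep every occurrence in order."""
    text = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    toks = [t for t in re.findall(r"[()=,]|[^()=,\s]+", text) if t != ","]
    pos = 0
    def collect(items):
        if not all(isinstance(i, tuple) for i in items):
            return items                          # bare word list such as (BEQ, TCPS)
        out = {}
        for key, val in items:
            out.setdefault(key, []).append(val)
        return out
    def item():                                   # KEY = value, or a bare word
        nonlocal pos
        if pos + 1 < len(toks) and toks[pos + 1] == "=":
            pos += 2
            return (toks[pos - 2].upper(), value())
        pos += 1
        return toks[pos - 1]
    def value():
        nonlocal pos
        if toks[pos] != "(":
            pos += 1
            return toks[pos - 1]
        items = []
        while pos < len(toks) and toks[pos] == "(":  # (A = 1)(B = 2) is one value
            pos += 1
            while toks[pos] != ")":
                items.append(item())
            pos += 1
        return collect(items)
    top = []
    while pos < len(toks):
        top.append(item())
    return collect(top)


def addresses(node, key=None):
    """Yield (PROTOCOL, HOST, PORT) for every ADDRESS group below node."""
    if isinstance(node, dict):
        if key == "ADDRESS":
            yield (node.get("PROTOCOL", ["?"])[0].upper(),
                   node.get("HOST", ["?"])[0].lower(), node.get("PORT", ["?"])[0])
        for k, vals in node.items():
            for val in vals:
                yield from addresses(val, k)
    elif isinstance(node, list):
        for val in node:
            yield from addresses(val)


def audit(listener_ora, sqlnet_ora, tnsnames_ora, alias):
    """Return findings for one client alias against the server's listener.ora."""
    lst, net, tns = parse(listener_ora), parse(sqlnet_ora), parse(tnsnames_ora)
    findings, bound = [], {}
    for proto, host, port in addresses(lst):      # TNS-12542: one protocol per port
        if proto in ("TCP", "TCPS"):
            if bound.get((host, port), proto) != proto:
                findings.append(f"listener.ora: TCP and TCPS both on {host}:{port} (TNS-12542)")
            bound[(host, port)] = proto
    tcps = {(h, p) for pr, h, p in addresses(lst) if pr == "TCPS"}
    for proto, host, port in addresses(tns.get(alias.upper(), [])):
        if proto != "TCPS":
            findings.append(f"{alias}: PROTOCOL={proto}, the session is not TLS-protected")
        elif (host, port) not in tcps:
            findings.append(f"{alias}: listener has no TCPS endpoint at {host}:{port}")
    for name, cfg in (("listener.ora", lst), ("sqlnet.ora", net)):
        if "WALLET_LOCATION" not in cfg:           # on the client this ends in ORA-28759
            findings.append(f"{name}: WALLET_LOCATION missing")
    if net.get("SSL_VERSION", ["0"])[0] != "1.2":  # 0, the default, negotiates any version
        findings.append("sqlnet.ora: SSL_VERSION not pinned to 1.2")
    for suite in net.get("SSL_CIPHER_SUITES", [[]])[0]:
        if any(weak in suite for weak in ("3DES", "RC4", "NULL")):
            findings.append(f"sqlnet.ora: weak cipher suite {suite}")
    return findings


# Constructed after the page: the listener as first written (TCPS on the TCP port)
# and as fixed (TCPS on 1531), the page's sqlnet.ora, and the client alias.
LISTENER_BAD = """
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /u01/app/oracle/wallet)))
LISTENER = (DESCRIPTION_LIST =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = solaris)(PORT = 1521)))
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = solaris)(PORT = 1521))))
"""
LISTENER_OK = LISTENER_BAD.replace("TCPS)(HOST = solaris)(PORT = 1521", "TCPS)(HOST = solaris)(PORT = 1531")
SQLNET = """
SQLNET.AUTHENTICATION_SERVICES = (BEQ, TCPS)
SSL_VERSION = 0
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /u01/app/oracle/wallet)))
"""
TNSNAMES = """
ORCL1_TCPS = (DESCRIPTION =
  (ADDRESS = (PROTOCOL = TCPS)(HOST = solaris)(PORT = 1531))
  (CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = orcl1)))
"""
```

audit(LISTENER_BAD, SQLNET, TNSNAMES, "orcl1_tcps") reports the port collision, the alias pointing at a TCPS port the broken listener does not offer, the unpinned SSL_VERSION and the 3DES suite; with LISTENER_OK and a sqlnet.ora set to SSL_VERSION = 1.2 and the AES suite only, it returns nothing. The parser treats a run of (KEY = value) groups as one value, which is what makes DESCRIPTION = (ADDRESS = ...)(CONNECT_DATA = ...) come out as a single dict.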
1.1 Oracle listener: static service configuration and dynamic service registration
1.1.1 What service registration is
First, a few basic concepts: Oracle instance, Oracle database, Oracle Server and Oracle service.
Oracle instance = SGA memory + Oracle background processes
Oracle database = the core files (data files, control files, redo log files)
Oracle Server = Oracle instance + Oracle database
In an HA (cold failover) setup, Oracle Server = 1 instance + 1 database; in a two-node RAC, Oracle Server = 2 instances + 1 database.
Oracle service: what the database exposes to clients; one database can offer several services. Connect-time failover, load balancing and transparent distribution of connections across RAC instances all rely on the service_names parameter: set service_names to the same value in every instance's parameter file and reference that value in the SERVICE_NAME of the client's connect descriptor.
Service registration is the database registering itself as a service with the listener. Whenever a database starts, two things are registered by default: the instance and its service(s).
The client does not need the database name or the instance name; the service name alone is enough to request a connection.
1.1.2 Dynamic registration
With dynamic registration, PMON registers the instance and its services with the listener when the instance starts, using the instance_name and service_names initialization parameters.
If these two parameters are not set, defaults apply: instance_name defaults to db_name, and the service name defaults to db_name.db_domain.
Note that dynamic registration always registers the default db_name.db_domain service as well, even when service_names does not list it. service_names can list several services separated by commas, which is useful for shared server configurations.
PMON retries registration about once a minute, so if the listener starts after the instance it can take up to a minute for the services to appear (ALTER SYSTEM REGISTER forces an immediate registration).
Dynamic registration needs no listener.ora at all; that file holds static configuration. If the file exists, it can be limited to entries like the following:
SID_LIST_LISTENER=
(SID_LIST =
(SID_DESC =
(SID_NAME =PLSExtProc)
(ORACLE_HOME =…)
(PROGRAM =extproc)
)
)
A static SID_DESC entry for the same database does not disable dynamic registration: the listener then shows the instance twice, once with status UNKNOWN (static) and once with status READY (dynamic). When local_listener is used, my experience is that besides the tnsnames.ora entry the listener also has to be configured in listener.ora; dynamic registration then works.
By default an instance registers only with the default listener (named LISTENER, TCP, port 1521), because without further configuration PMON only contacts the listener on port 1521. To register with a non-default listener, set the local_listener parameter and either add the listener's address to tnsnames.ora or set LOCAL_LISTENER directly to an address string such as (ADDRESS = (PROTOCOL = TCP)(HOST = xxx.xxx.xxx.xxx)(PORT = 1522)). Note that the alias is resolved through tnsnames.ora, which is where PMON reads the listener's address from during dynamic registration.
LISTENER =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = DaveDai)(PORT = 1522))
)
Then run as SYS (the init file can also be edited directly):
SQL> alter system set local_listener=listener scope=both;
SQL> alter system register;
Or:
SQL> alter system set LOCAL_LISTENER='(ADDRESS = (PROTOCOL = TCP)(HOST = xxx.xxx.xxx.xxx)(PORT = 1522))';
1.1.3 Static registration
With static registration the listener reads listener.ora when it starts and registers the instances and services configured there.
In listener.ora, GLOBAL_DBNAME is the service name offered to clients and SID_NAME is the instance name being registered.
For static registration listener.ora contains entries like:
SID_LIST_LISTENER =
(SID_LIST =
(SID_DESC =
(SID_NAME = PLSExtProc)
(ORACLE_HOME = D:/oracle/product/10.2.0/db_1)
(PROGRAM = extproc)
)
(SID_DESC =
(GLOBAL_DBNAME =orcl)
(ORACLE_HOME = D:/oracle/product/10.2.0/db_1)
(SID_NAME =orcl)
)
(SID_DESC =
(GLOBAL_DBNAME =orcl1)
(ORACLE_HOME = D:/oracle/product/10.2.0/db_1)
(SID_NAME =orcl)
)
)
This file describes a single-instance database whose instance name is orcl and which offers two services, orcl and orcl1.
Static listening:
With the instance running, the listener registers the services from listener.ora when it starts.
global_dbname corresponds to the service name the database offers, i.e. the service_names initialization parameter;
sid_name corresponds to the instance name, i.e. the instance_name initialization parameter.
1.1.4 Telling static from dynamic registration
Use lsnrctl status.
An instance status of UNKNOWN marks a statically configured service: the listener knows nothing about the instance and only checks whether it exists when a client requests a connection.
Dynamically registered databases show status READY, or BLOCKED for a standby database. Whenever the database shuts down it deregisters from the listener and its entry disappears from the status list, so the listener always knows whether the database is up or down; this information drives connection fallback and load balancing.
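As an added example, not part of the original page, the classification in 1.1.4 applied to lsnrctl status output: each Instance line is attached to the Service line above it and tagged static (UNKNOWN) or dynamic (READY or BLOCKED). The status text is constructed in the format lsnrctl prints, for the listener.ora of 1.1.3 with instance orcl also registering dynamically and a dynamic-only orclXDB service.

```python
"""Added example (not from the page): classify the services in `lsnrctl status`
output as statically or dynamically registered. STATUS is a constructed excerpt
in the format lsnrctl prints."""
import re

SERVICE_RE = re.compile(r'^Service "([^"]+)" has \d+ instance')
INSTANCE_RE = re.compile(r'^\s+Instance "([^"]+)", status (\w+), has (\d+) handler')


def registrations(status_text):
    """Return {service: [(instance, status, 'static' | 'dynamic'), ...]}.
    UNKNOWN comes from a SID_DESC in listener.ora; READY and BLOCKED come from PMON."""
    services, current = {}, None
    for line in status_text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            current = m.group(1)
            services.setdefault(current, [])
            continue
        m = INSTANCE_RE.match(line)
        if m and current is not None:
            instance, status = m.group(1), m.group(2)
            kind = "static" if status == "UNKNOWN" else "dynamic"
            services[current].append((instance, status, kind))
    return services


def static_only(services):
    """Services the listener accepts connections for without knowing whether the
    instance is up: every handler is static, none came from PMON."""
    return sorted(name for name, regs in services.items()
                  if regs and all(kind == "static" for _, _, kind in regs))


# Constructed lsnrctl status excerpt: orcl and orcl1 come from listener.ora
# (static), orcl is also registered by PMON, orclXDB is dynamic only.
STATUS = """\
Services Summary...
Service "PLSExtProc" has 1 instance(s).
  Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
Service "orcl" has 2 instance(s).
  Instance "orcl", status UNKNOWN, has 1 handler(s) for this service...
  Instance "orcl", status READY, has 1 handler(s) for this service...
Service "orcl1" has 1 instance(s).
  Instance "orcl", status UNKNOWN, has 1 handler(s) for this service...
Service "orclXDB" has 1 instance(s).
  Instance "orcl", status READY, has 1 handler(s) for this service...
The command completed successfully
"""

if __name__ == "__main__":
    regs = registrations(STATUS)
    for service, entries in regs.items():
        print(service, entries)
    print("static only:", static_only(regs))
```

The service orcl appears with both an UNKNOWN and a READY entry, which is what the same instance looks like when it is listed in listener.ora and also registered by PMON; orcl1 has only the static entry, so the listener will route to it whether or not the instance is running.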