配置listener tcps加密 enable SSL encryption for Oracle SQL*Net

一 配置客户端和服务端的wallet

2端配置方法一致,相互添加证书

orapki wallet create -wallet “/u01/oracle/wallet” -pwd Wdkf984jkkgekj434FKFD -auto_login_local

orapki wallet add -wallet “/u01/oracle/wallet” -pwd Wdkf984jkkgekj434FKFD -dn “CN=`hostname`“ -keysize 1024 -self_signed -validity 3650

导出证书
orapki wallet export -wallet “/u01/oracle/wallet” -pwd Wdkf984jkkgekj434FKFD -dn “CN=`hostname`“ -cert /tmp/`hostname`-certificate.crt

导入证书
orapki wallet add -wallet “/u01/oracle/wallet” -pwd Wdkf984jkkgekj434FKFD -trusted_cert -cert /tmp/ROCKY-20160621P-certificate.crt

验证
orapki wallet display -wallet “/u01/oracle/wallet” -pwd Wdkf984jkkgekj434FKFD

二监听配置

2端sqlnet一致添加

WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /u01/app/oracle/wallet)
)
)
SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)

服务端netca配置listener

客户端添加tnsname

三验证

tnsping ok

sqlplus 登录ok

How to enable SSL encryption for Oracle SQL*Net (Without SSH Authentication)

1) Create a directory to store all our wallets:

 

oracle@solaris:~$ mkdir /u01/app/oracle/wallet

 

oracle@solaris112:~$ mkdir /u01/app/oracle/wallet

2) Create a wallet for the primary database. Create an empty wallet with auto login enabled:

 

oracle@solaris:~$ cd /u01/app/oracle/wallet

oracle@solaris:/u01/app/oracle/wallet$ orapki wallet create -wallet /u01/app/oracle/wallet -auto_login -pwd welcome1

Oracle PKI Tool : Version 12.1.0.2

Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

 

oracle@solaris:/u01/app/oracle/wallet$ ls -l /u01/app/oracle/wallet

total 6

-rw-------   1 oracle   oinstall     120 Dec 14 23:29 cwallet.sso

-rw-rw-rw-   1 oracle   oinstall       0 Dec 14 23:29 cwallet.sso.lck

-rw-------   1 oracle   oinstall      75 Dec 14 23:29 ewallet.p12

-rw-rw-rw-   1 oracle   oinstall       0 Dec 14 23:29 ewallet.p12.lck

 

oracle@solaris112:/u01/app/oracle/wallet$ orapki wallet create -wallet /u01/app/oracle/wallet -auto_login -pwd welcome2

Oracle PKI Tool : Version 12.1.0.2

Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

 

oracle@solaris112:/u01/app/oracle/wallet$ ls -l /u01/app/oracle/wallet

total 4

-rw-------   1 oracle   oinstall     120 Dec 15 07:30 cwallet.sso

-rw-rw-rw-   1 oracle   oinstall       0 Dec 15 07:30 cwallet.sso.lck

-rw-------   1 oracle   oinstall      75 Dec 15 07:30 ewallet.p12

-rw-rw-rw-   1 oracle   oinstall       0 Dec 15 07:30 ewallet.p12.lck

 

3) Add a self-signed certificate in the wallet (a new pair of private/public keys is created):

 

oracle@solaris:/u01/app/oracle/wallet$ orapki wallet add -wallet /u01/app/oracle/wallet -dn "CN=solaris.dbaglobe.com" -keysize 1024 -self_signed -validity 365 -pwd welcome1

Oracle PKI Tool : Version 12.1.0.2

Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

 

oracle@solaris112:/u01/app/oracle/wallet$ orapki wallet add -wallet /u01/app/oracle/wallet -dn "CN=solaris112.dbaglobe.com" -keysize 1024 -self_signed -validity 365 -pwd welcome2

Oracle PKI Tool : Version 12.1.0.2

Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

 

If you display the server’s wallet you will see the following requested certificate:

oracle@solaris:/u01/app/oracle/wallet$ orapki wallet display -wallet /u01/app/oracle/wallet                                                            Oracle PKI Tool : Version 12.1.0.2

Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

 

Requested Certificates:

User Certificates:

Subject:        CN=solaris.dbaglobe.com

Trusted Certificates:

Subject:        CN=solaris.dbaglobe.com

 

oracle@solaris112:~$  orapki wallet display -wallet /u01/app/oracle/wallet                                                                             Oracle PKI Tool : Version 12.1.0.2

Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

 

Requested Certificates:

User Certificates:

Subject:        CN=solaris112.dbaglobe.com

Trusted Certificates:

Subject:        CN=solaris112.dbaglobe.com

4) Export the certificate:

oracle@solaris:/u01/app/oracle/wallet$ orapki wallet export -wallet /u01/app/oracle/wallet -dn "CN=solaris.dbaglobe.com" -cert /u01/app/oracle/wallet/solaris.dbaglobe.com.txt

Oracle PKI Tool : Version 12.1.0.2

Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

 

oracle@solaris112:~$ orapki wallet export -wallet /u01/app/oracle/wallet -dn "CN=solaris112.dbaglobe.com" -cert /u01/app/oracle/wallet/solaris112.dbaglobe.com.txt

Oracle PKI Tool : Version 12.1.0.2

Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

5) Exchange the server and client their public keys:

oracle@solaris:/u01/app/oracle/wallet$ scp solaris112:/u01/app/oracle/wallet/solaris112.dbaglobe.com.txt .

oracle@solaris:/u01/app/oracle/wallet$ scp /u01/app/oracle/wallet/solaris.dbaglobe.com.txt  solaris112:/u01/app/oracle/wallet/

 

oracle@solaris:/u01/app/oracle/wallet$ orapki wallet add -wallet /u01/app/oracle/wallet -trusted_cert -cert /u01/app/oracle/wallet/solaris112.dbaglobe.com.txt -pwd welcome1

Oracle PKI Tool : Version 12.1.0.2

Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

 

oracle@solaris112:~$ orapki wallet add -wallet /u01/app/oracle/wallet -trusted_cert -cert /u01/app/oracle/wallet/solaris.dbaglobe.com.txt -pwd welcome2

Oracle PKI Tool : Version 12.1.0.2

Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

 

oracle@solaris:/u01/app/oracle/wallet$ orapki wallet display -wallet /u01/app/oracle/wallet                                                            Oracle PKI Tool : Version 12.1.0.2

Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

 

Requested Certificates:

User Certificates:

Subject:        CN=solaris.dbaglobe.com

Trusted Certificates:

Subject:        CN=solaris112.dbaglobe.com

Subject:        CN=solaris.dbaglobe.com

oracle@solaris112:~$ orapki wallet display -wallet /u01/app/oracle/wallet

Oracle PKI Tool : Version 12.1.0.2

Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

 

Requested Certificates:

User Certificates:

Subject:        CN=solaris112.dbaglobe.com

Trusted Certificates:

Subject:        CN=solaris.dbaglobe.com

Subject:        CN=solaris112.dbaglobe.com

6) Configure the listeners to work with TCPS

 

oracle@solaris:/u01/app/oracle/wallet$ lsnrctl stop

 

Edit server side configuration use netmgr. Sample configuration as below:

 

oracle@solaris:/u01/app/oracle/wallet$ cat /u01/app/oracle/product/12.1.0/dbhome_1/network/admin/listener.ora

SSL_CLIENT_AUTHENTICATION = FALSE

WALLET_LOCATION =

  (SOURCE =

    (METHOD = FILE)

    (METHOD_DATA =

      (DIRECTORY = /u01/app/oracle/wallet)

    )

  )

 

LISTENER =

  (DESCRIPTION_LIST =

    (DESCRIPTION =

      (ADDRESS = (PROTOCOL = TCP)(HOST = solaris)(PORT = 1521))

    )

    (DESCRIPTION =

      (ADDRESS = (PROTOCOL = TCPS)(HOST = solaris)(PORT = 1531))

    )

    (DESCRIPTION =

      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))

    )

  )

 

ADR_BASE_LISTENER = /u01/app/oracle

 

oracle@solaris:/u01/app/oracle/wallet$ cat /u01/app/oracle/product/12.1.0/dbhome_1/network/admin/sqlnet.ora

 

 

SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)

 

SSL_VERSION = 0

 

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

 

SSL_CLIENT_AUTHENTICATION = FALSE

 

WALLET_LOCATION =

  (SOURCE =

    (METHOD = FILE)

    (METHOD_DATA =

      (DIRECTORY = /u01/app/oracle/wallet)

    )

  )

 

ADR_BASE = /u01/app/oracle

 

oracle@solaris:/u01/app/oracle/wallet$ lsnrctl start

 

7) Configure the sqlnet.ora & tnsnames.ora on the client

 

oracle@solaris112:~$ cat /u01/app/oracle/product/12.1.0/dbhome_1/network/admin/sqlnet.ora

 

#Parameter for TDE

ENCRYPTION_WALLET_LOCATION =

  (SOURCE =

    (METHOD = FILE)

    (METHOD_DATA =

      (DIRECTORY = /u01/app/oracle/wallet)

    )

  )

 

SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)

 

SSL_VERSION = 0

 

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

 

SSL_CLIENT_AUTHENTICATION = FALSE

 

WALLET_LOCATION =

  (SOURCE =

    (METHOD = FILE)

    (METHOD_DATA =

      (DIRECTORY = /u01/app/oracle/wallet)

    )

  )

 

ADR_BASE = /u01/app/oracle

 

oracle@solaris112:~$ echo "

> ORCL1_TCPS =

>   (DESCRIPTION =

>     (ADDRESS = (PROTOCOL = TCP)(HOST = solaris)(PORT = 1521))

>     (CONNECT_DATA =

>       (SERVER = DEDICATED)

>       (SERVICE_NAME = orcl1)

>     )

>   )

>

> " >> /u01/app/oracle/product/12.1.0/dbhome_1/network/admin/tnsnames.ora

 

8) Check the connectivity

 

oracle@solaris112:/u01/app/oracle/product/12.1.0/dbhome_1/network/admin$ tnsping ORCL1_TCPS

 

TNS Ping Utility for Solaris: Version 12.1.0.2.0 - Production on 15-DEC-2014 08:39:03

 

Copyright (c) 1997, 2014, Oracle.  All rights reserved.

 

Used parameter files:

/u01/app/oracle/product/12.1.0/dbhome_1/network/admin/sqlnet.ora

 

Used TNSNAMES adapter to resolve the alias

Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = solaris)(PORT = 1531)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = orcl1)))

OK (20 msec)

oracle@solaris112:~$ sqlplus system/password@orcl1_tcps

 

SQL*Plus: Release 12.1.0.2.0 Production on Mon Dec 15 08:39:57 2014

 

Copyright (c) 1982, 2014, Oracle.  All rights reserved.

 

Last Successful login time: Mon Dec 15 2014 00:39:21 +08:00

 

Connected to:

Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production

With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options

 

SQL>  select sys_context('userenv','network_protocol') from dual;

 

SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')

--------------------------------------------------------------------------------

Tcps

SQL> select userenv('sid') from dual;

 

USERENV('SID')

--------------

            50

SQL> select * from v$session_connect_info where sid=50;

 

       SID    SERIAL# AUTHENTICATION_TYPE        OSUSER

---------- ---------- -------------------------- ------------------------------

NETWORK_SERVICE_BANNER

--------------------------------------------------------------------------------

CLIENT_CHARSET                           CLIENT_CONNEC

---------------------------------------- -------------

CLIENT_OCI_LIBRARY          CLIENT_VERSION

--------------------------- ----------------------------------------

CLIENT_DRIVER                  CLIENT_LOBATTR          CLIENT_REGID     CON_ID

------------------------------ ----------------------- ------------ ----------

        50      14986 DATABASE                   oracle

 

US7ASCII                                 Homogeneous

Home-based                  12.1.0.2.0

SQL*PLUS                       Client Temp Lob Rfc On             0          0

 

        50      14986 DATABASE                   oracle

Authentication service for Solaris: Version 12.1.0.2.0 - Production

US7ASCII                                 Homogeneous

Home-based                  12.1.0.2.0

SQL*PLUS                       Client Temp Lob Rfc On             0          0

 

        50      14986 DATABASE                   oracle

Encryption service for Solaris: Version 12.1.0.2.0 - Production

US7ASCII                                 Homogeneous

Home-based                  12.1.0.2.0

SQL*PLUS                       Client Temp Lob Rfc On             0          0

 

        50      14986 DATABASE                   oracle

Crypto-checksumming service for Solaris: Version 12.1.0.2.0 - Production

US7ASCII                                 Homogeneous

Home-based                  12.1.0.2.0

SQL*PLUS                       Client Temp Lob Rfc On             0          0

 

 

 

Possible errors 1: (To resolve it, include  –pwd parameter)

oracle@solaris:/u01/app/oracle/wallet$ orapki wallet add -wallet /u01/app/oracle/wallet -trusted_cert -cert /u01/app/oracle/wallet/solaris112.dbaglobe.com.txt

Oracle PKI Tool : Version 12.1.0.2

Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

 

Could not install trusted cert at/u01/app/oracle/wallet/solaris112.dbaglobe.com.txt

PKI-02008: Unable to modify a read-only Auto-login wallet.

 

Possible errors 2: (To resolve it, use different port number for TCP and TCPS)

 

oracle@solaris:/u01/app/oracle/wallet$ lsnrctl start

 

LSNRCTL for Solaris: Version 12.1.0.2.0 - Production on 15-DEC-2014 00:02:21

 

Copyright (c) 1991, 2014, Oracle.  All rights reserved.

 

Starting /u01/app/oracle/product/12.1.0/dbhome_1/bin/tnslsnr: please wait...

 

TNSLSNR for Solaris: Version 12.1.0.2.0 - Production

System parameter file is /u01/app/oracle/product/12.1.0/dbhome_1/network/admin/listener.ora

Log messages written to /u01/app/oracle/diag/tnslsnr/solaris/listener/alert/log.xml

Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=solaris)(PORT=1521)))

Error listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=solaris)(PORT=1521)))

TNS-12542: TNS:address already in use

 TNS-12560: TNS:protocol adapter error

  TNS-00512: Address already in use

   Solaris Error: 125: Address already in use

 

Listener failed to start. See the error message(s) above...

 

Possible errors 3: (To resolve it, use proper wallet location)

 

oracle@solaris112:~$ sqlplus system/p_ssw0rd@orcl1_tcps

 

SQL*Plus: Release 12.1.0.2.0 Production on Mon Dec 15 08:14:21 2014

 

Copyright (c) 1982, 2014, Oracle.  All rights reserved.

 

ERROR:

ORA-28759: failure to open file

 

oracle@solaris112:~$ tnsping orcl1_tcps

 

TNS Ping Utility for Solaris: Version 12.1.0.2.0 - Production on 15-DEC-2014 08:14:50

 

Copyright (c) 1997, 2014, Oracle.  All rights reserved.

 

Used parameter files:

/u01/app/oracle/product/12.1.0/dbhome_1/network/admin/sqlnet.ora

 

Used TNSNAMES adapter to resolve the alias

Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = solaris)(PORT = 1531)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = orcl1)))

TNS-12560: TNS:protocol adapter error

1.1. OracleListener静态服务配置与动态服务注册  1.1.1 什么是服务注册
  先温习几个基本概念:Oracle实例、Oracle数据库、Oracle Server、Oracle服务:
  Oracle实例=Oracle SGA内存+Oracle后台进程
  Oracle数据库=核心文件(Data file,control file,logfile)
  OracleServer=Oracle实例+Oracle数据库
  在HA环境中,ORACLE Server=1个ORACLE实例+1个Oracle数据库,在两台主机的RAC环境中,ORACLEServer=2个ORACLE实例+1个Oracle数据库。
  Oracle服务:对外提供服务,1个Oracle数据库可以有多个服务。如果需要执行连接时故障转移或负载均衡,或者想要在RAC中配置在实 例之间透明地分布连接,那么使用service_names参数将是必要的。为启用这些功能,您只需要将每个实例的数据库参数文件中的 service_names设置为同一个值,并在客户端连接请求的service_name设置中引用该值。
  服务注册就是将数据库作为一个服务注册到监听程序;无论何时启动一个数据库,默认地都有两条信息注册到监听器中:数据库服务器对应的实例和服务。
  客户端不需要知道数据库名和实例名,只需要知道该数据库对外提供的服务名就可以申请连接到数据库。
  在数据库服务器启动过程中,数据库服务器会向监听程序注册相应的服务。
  1.1.2 动态注册
  动态注册是在instance启动的时候PMON进程根据init.ora中的instance_name,service_names两个参数将实例和服务动态注册到listener中。
  首先要在init.ora中指定instance_name,service_names两个参数的值。在不指定这两个参数时,系统会取默认值(实例值那么它将取init.ora文件中的db_name的值,服务名取db_name+db_domain)。
  需要注意的是,动态注册时,服务的注册不仅包括service_names的注册,如果service_names不包括缺省的 db_name+db_domain,也会将该值注册进来。您可以在service_names参数中指定多个服务值,值之间用逗号格开,这对于共享服务 器配置是很有用的。
  由于PMON进程1分钟执行一次,因此如果listener晚于Oracle Server启动,那么最长需要等到1分钟PMON会将这些服务注册到listener进程中。
  采取动态注册方法时,不需要有listener.ora,该文件是指定静态配置使用。如果有该文件,那么该文件中不能有关于该数据库的静态配置信息,只能有类似如下信息:
  SID_LIST_LISTENER=
  (SID_LIST =
  (SID_DESC =
  (SID_NAME =PLSExtProc)
  (ORACLE_HOME =…)
  (PROGRAM =extproc)
  )
  )

  否则将被当做静态注册,动态注册的特性失效(PMON自动注册会失效,使用altersystem register也注册不进去),但是如果如果使用了local_listener时,我的经验是除了在tnsnames.ora中配置,还需要在 listener.ora中配置,此时可以动态注册。

动态注册默认只注册到默认的监听器上(名称是LISTENER、端口是1521、协议是 TCP),因为pmon只会动态注册port等于1521的监听。如果需要向非默认监听注册,则需要配置local_listener参数,并将监听的信 息添加到tnsnames.ora文件中(或者配置local_listener参数的值为LOCAL_LISTENER=’(ADDRESS = (PROTOCOL = TCP)(HOST =xxx.xxx.xxx.xxx)(PORT = 1522)))。 注意,是tnsnames.ora 文件, 因为pmon在动态注册监听时要从tnsnames.ora中读取相关信息。  LISTENER =
  (DESCRIPTION =
  (ADDRESS = (PROTOCOL = TCP)(HOST = DaveDai)(PORT = 1522))
  )
  然后以sys用户运行(这里也可以直接修改init文件):
  SQL> alter system set local_listener=listener scope=both;
  SQL> alter system register;
  或者:
  SQL> alter system set LOCAL_LISTENER=’(ADDRESS = (PROTOCOL = TCP)(HOST = xxx.xxx.xxx.xxx)(PORT = 1522))’;
  1.1.3 静态注册
  静态注册就是实例启动时读取listener.ora文件的配置,将实例和服务注册到监听程序。
  静态注册时,listener.ora中的GLOBAL_DBNAME向外提供服务名,listener.ora中的SID_NAME提供注册的实例名。
  采取静态注册方法时,listener.ora中的内容如下:
  SID_LIST_LISTENER =
  (SID_LIST =
  (SID_DESC =
  (SID_NAME = PLSExtProc)
  (ORACLE_HOME = D:/oracle/product/10.2.0/db_1)
  (PROGRAM = extproc)
  )
  (SID_DESC =
  (GLOBAL_DBNAME =orcl)
  (ORACLE_HOME = D:/oracle/product/10.2.0/db_1)
  (SID_NAME =orcl)
  )
  (SID_DESC =
  (GLOBAL_DBNAME =orcl1)
  (ORACLE_HOME = D:/oracle/product/10.2.0/db_1)
  (SID_NAME =orcl)
  )
  )
  该文件表明数据库是单实例的,实例名为orcl,向外提供了两个服务:orcl和orcl1
  静态监听:
  oracle实例运行后,监听程序启动时,根据listener.ora的配置注册相应的服务。
  其中global_dbname对应的是oracle对外的服务名,即初始化参数里的service_names
  而sid_name对应的是oralce实例的名称,即初始化参数里的instance_name
  1.1.4 查询某服务是静态注册还是动态注册
  可以使用命令lsnrctl status来查看某服务是静态注册还是动态注册。
  实例状态为UNKNOWN值时表明此服务是静态注册的设置。这时监听器用来表明它不知道关于该实例的任何信息,只有当客户发出连接请求时,它才检查该实例是否存在。
  动态注册的数据库通过状态信息中的状态READY或状态BLOCKED(对于一个备用数据库)来指明。不管关闭何时数据库,动态注册的数据库都 会动态地从监听器注销,而与之相关的信息将从状态列表中消失。这样,不管数据库是在运行还是已经关闭,监听器总是知道它的状态。该信息将被用于连接请求的 回退(fallback)和负载平衡

你可能感兴趣的:(oracle,数据库)