How to Configure TLS/TCPS for an Oracle Database
This step-by-step guide describes how to configure Transport Layer Security (TLS) for the database and enable TCP over SSL (TCPS) connections.
#######################################################################
Environment
#######################################################################
19c Client - rac01.localdomain
12c R2 Database Server - linux01.localdomain

#############################################################################
Create an auto-login wallet on database server
#############################################################################
[oracle@linux01 oracle]$ mkdir -p /u02/app/oracle/wallet
[oracle@linux01 oracle]$ orapki wallet create -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787 -auto_login_local
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.

#############################################################################
Create a self-signed certificate and load it into the wallet
#############################################################################
[oracle@linux01 oracle]$ orapki wallet add -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787 -dn "CN=`hostname`" -keysize 1024 -self_signed -validity 3650
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.

#############################################################################
Export the certificate
#############################################################################
[oracle@linux01 oracle]$ orapki wallet export -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787 -dn "CN=`hostname`" -cert /tmp/`hostname`-certificate.crt
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.

#############################################################################
Edit sqlnet.ora and listener.ora and restart listener
#############################################################################
[oracle@linux01 oracle]$ cd $ORACLE_HOME/network/admin
[oracle@linux01 admin]$ vi sqlnet.ora

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u02/app/oracle/wallet)
    )
  )
SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)

[oracle@linux01 admin]$ vi listener.ora

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = linux01.localdomain)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = linux01.localdomain)(PORT = 2484))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u02/app/oracle/wallet)
    )
  )

[oracle@linux01 admin]$ lsnrctl start

LSNRCTL for Linux: Version 12.2.0.1.0 - Production on 24-JUL-2020 16:30:47

Copyright (c) 1991, 2016, Oracle.  All rights reserved.

Starting /u02/app/oracle/product/12.2.0/dbhome_1/bin/tnslsnr: please wait...

TNSLSNR for Linux: Version 12.2.0.1.0 - Production
System parameter file is /u02/app/oracle/product/12.2.0/dbhome_1/network/admin/listener.ora
Log messages written to /u02/app/oracle/diag/tnslsnr/linux01/listener/alert/log.xml
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=linux01.localdomain)(PORT=1521)))
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=linux01.localdomain)(PORT=2484)))
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=linux01.localdomain)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 12.2.0.1.0 - Production
Start Date                24-JUL-2020 16:30:47
Uptime                    0 days 0 hr. 0 min. 0 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /u02/app/oracle/product/12.2.0/dbhome_1/network/admin/listener.ora
Listener Log File         /u02/app/oracle/diag/tnslsnr/linux01/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=linux01.localdomain)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=linux01.localdomain)(PORT=2484)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
The listener supports no services
The command completed successfully
[oracle@linux01 admin]$

#############################################################################
Copy certificate from database server to client machine
#############################################################################
[oracle@linux01 admin]$ cd /tmp
[oracle@linux01 tmp]$ scp -rp rac01.localdomain-certificate.crt oracle@192.168.56.200:/tmp
The authenticity of host '192.168.56.200 (192.168.56.200)' can't be established.
RSA key fingerprint is 2a:8e:8d:d5:33:5a:dc:e2:0d:c8:2f:ba:33:85:c4:29.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.200' (RSA) to the list of known hosts.
oracle@192.168.56.200's password:
rac01.localdomain-certificate.crt

#############################################################################
Create an auto-login wallet on client
#############################################################################
[oracle@rac01 oracle]$ mkdir -p /u02/app/oracle/wallet
[oracle@rac01 oracle]$ orapki wallet create -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787 -auto_login_local
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.

#############################################################################
Create a self-signed certificate and load it into the wallet
#############################################################################
[oracle@rac01 oracle]$ orapki wallet add -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787 -dn "CN=client-`hostname`" -keysize 1024 -self_signed -validity 3650
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.

#############################################################################
Export the certificate
#############################################################################
[oracle@rac01 oracle]$ orapki wallet export -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787 -dn "CN=client-`hostname`" -cert /tmp/client-`hostname`-certificate.crt
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.

#############################################################################
Copy certificate from client to database server
#############################################################################
[oracle@rac01 oracle]$ cd /tmp
[oracle@rac01 tmp]$ ls -l client*
-rw------- 1 oracle oinstall  675 Jul 24 16:48 client-rac01.localdomain-certificate.crt
[oracle@rac01 tmp]$ scp -rp client-rac01.localdomain-certificate.crt oracle@192.168.56.200:/tmp
oracle@192.168.56.200's password:
client-rac01.localdomain-certificate.crt

#############################################################################
Load the server certificate into the client wallet
#############################################################################
[oracle@rac01 tmp]$ orapki wallet add -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787 -trusted_cert -cert /tmp/linux01.localdomain-certificate.crt
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.

#############################################################################
Check the contents of the client wallet
#############################################################################
[oracle@rac01 tmp]$ orapki wallet display -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
User Certificates:
Subject:        CN=client-rac01.localdomain
Trusted Certificates:
Subject:        CN=client-rac01.localdomain
Subject:        CN=linux01.localdomain

#############################################################################
Load the client certificate into the server wallet
#############################################################################
[oracle@linux01 tmp]$ orapki wallet add -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787 -trusted_cert -cert /tmp/client-rac01.localdomain-certificate.crt
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.

#############################################################################
Check the contents of the server wallet
#############################################################################
[oracle@linux01 tmp]$ orapki wallet display -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
User Certificates:
Subject:        CN=linux01.localdomain
Trusted Certificates:
Subject:        CN=client-rac01.localdomain
Subject:        CN=linux01.localdomain

#############################################################################
Edit sqlnet.ora on the client
#############################################################################
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u02/app/oracle/wallet)
    )
  )
SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)

#############################################################################
Edit tnsnames.ora on the client - add TLS and NOTLS TNS entries
#############################################################################
tls =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = 192.168.56.200)(PORT = 2484))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = cdb1)
    )
  )

notls =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.56.200)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = cdb1)
    )
  )

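The server-side sqlnet.ora and listener.ora edited earlier and the client-side sqlnet.ora and tnsnames.ora shown here all use Oracle Net's parenthesised keyword syntax, and the TLS-relevant settings are spread across all four files. The following is an added example, not code from the original guide or from Oracle: a small Python parser for that syntax plus an audit that reports the wallet directory, flags cipher suites naming known-weak algorithms (the 3DES suite appears in both sqlnet.ora files on this page), lists every listener or connect-descriptor endpoint, and warns when a TCPS descriptor names an IP literal rather than the hostname in the server certificate's CN (the tls entry above uses 192.168.56.200 while the server wallet holds CN=linux01.localdomain). The sample files embedded in the block are constructed from the configuration shown in this guide; the weak-suite marker list and the wording of the findings are the example's own assumptions.

```python
"""Parse Oracle Net parameter files (sqlnet.ora, listener.ora, tnsnames.ora) and audit their
TLS-relevant settings. Added example; not code from the original guide or from Oracle."""
import re
from collections import deque

_TOKEN = re.compile(r"\(|\)|=|,|[^\s()=,]+")  # the tokens: ( ) = , or a bare word
WEAK_SUITE_MARKERS = ("3DES", "DES_CBC", "RC4", "NULL", "MD5", "EXPORT", "ANON")  # assumption, not Oracle policy

def _merge(d, key, val):  # a repeated key (e.g. several ADDRESS groups) becomes a list
    if key not in d:
        d[key] = val
    elif isinstance(d[key], list) and not isinstance(val, list):
        d[key].append(val)
    else:
        d[key] = [d[key], val]

def _assignment(toks):  # KEY = value ; keys are case-insensitive, so normalise to upper case
    key, eq = toks.popleft().upper(), toks.popleft()
    if eq != "=":
        raise ValueError(f"expected '=' after {key}, got {eq!r}")
    return key, _value(toks)

def _value(toks):  # scalar | one or more (KEY = value) groups | (a, b, c) list
    if toks[0] != "(":
        return toks.popleft()  # bare scalar such as FALSE or 2484
    out = {}
    while toks and toks[0] == "(":
        toks.popleft()
        if toks[1] != "=":  # comma list such as (TCPS,NTS,BEQ); iter() stops at and consumes ')'
            return [t for t in iter(toks.popleft, ")") if t != ","]
        _merge(out, *_assignment(toks))
        if toks.popleft() != ")":
            raise ValueError("expected ')'")
    return out

def parse_oracle_net(text):
    """Whole file -> dict. '#' starts a comment. Malformed input raises ValueError/IndexError."""
    toks = deque(t for ln in text.splitlines() for t in _TOKEN.findall(ln.split("#", 1)[0]))
    out = {}
    while toks:
        _merge(out, *_assignment(toks))
    return out

def endpoints(node):
    """(PROTOCOL, HOST, PORT) for every ADDRESS under node; HOST and PORT are None for IPC."""
    if isinstance(node, dict):
        if "PROTOCOL" in node:
            return [(node["PROTOCOL"].upper(), node.get("HOST"), node.get("PORT"))]
        node = list(node.values())
    return [e for v in node for e in endpoints(v)] if isinstance(node, list) else []

def wallet_directory(cfg):
    try:
        return cfg["WALLET_LOCATION"]["SOURCE"]["METHOD_DATA"]["DIRECTORY"]
    except (KeyError, TypeError):
        return None

def audit_sqlnet(cfg):
    """Findings for a sqlnet.ora or listener.ora: wallet path present, cipher suites sane."""
    findings = []
    if wallet_directory(cfg) is None:
        findings.append("WALLET_LOCATION has no DIRECTORY: TCPS has no wallet to load")
    suites = cfg.get("SSL_CIPHER_SUITES", [])
    for s in suites if isinstance(suites, list) else [suites]:
        if any(m in s.upper() for m in WEAK_SUITE_MARKERS):
            findings.append(f"weak cipher suite enabled: {s}")
    return findings

def audit_descriptors(cfg):
    """Notes per top-level entry (tnsnames.ora aliases, or LISTENER in listener.ora)."""
    report = {}
    for alias, desc in cfg.items():
        if isinstance(desc, (dict, list)):
            report[alias] = []
            for proto, host, port in endpoints(desc):
                if proto == "TCP":
                    report[alias].append(f"plaintext endpoint {host}:{port} (PROTOCOL=TCP)")
                elif proto == "TCPS" and re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host or ""):  # IPv4 literal
                    report[alias].append(f"TCPS endpoint {host}:{port} names an IP literal, "
                                         "which a certificate issued to a hostname CN cannot match")
    return report

# Constructed sample input: the configuration files shown in this guide.
SQLNET_ORA = """WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /u02/app/oracle/wallet)))
SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)"""
LISTENER_ORA = """LISTENER = (DESCRIPTION_LIST = (DESCRIPTION =
  (ADDRESS = (PROTOCOL = TCP)(HOST = linux01.localdomain)(PORT = 1521))
  (ADDRESS = (PROTOCOL = TCPS)(HOST = linux01.localdomain)(PORT = 2484))
  (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))))
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /u02/app/oracle/wallet)))"""
TNSNAMES_ORA = """tls = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = 192.168.56.200)(PORT = 2484))
  (CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = cdb1)))
notls = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.56.200)(PORT = 1521))
  (CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = cdb1)))"""

if __name__ == "__main__":
    print("sqlnet.ora  ", audit_sqlnet(parse_oracle_net(SQLNET_ORA)))
    print("listener.ora", audit_descriptors(parse_oracle_net(LISTENER_ORA)))
    print("tnsnames.ora", audit_descriptors(parse_oracle_net(TNSNAMES_ORA)))
```

Run against the page's files, the audit reports the 3DES suite in sqlnet.ora, the plaintext TCP endpoint that the listener keeps open on 1521 beside the TCPS endpoint on 2484, and the IP-literal host in the tls alias. Keys are upper-cased on parse, so the aliases come back as TLS and NOTLS.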
#############################################################################
Test TLS Connection from client to server
#############################################################################
[oracle@rac01 admin]$ sqlplus system/oracle@tls

SQL*Plus: Release 19.0.0.0.0 - Production on Fri Jul 24 17:48:09 2020
Version 19.6.0.0.0

Copyright (c) 1982, 2019, Oracle.  All rights reserved.

Last Successful login time: Wed Jul 22 2020 15:19:49 +08:00

Connected to:
Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production

SQL> SELECT SYS_CONTEXT('USERENV', 'network_protocol') FROM DUAL;

SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')
--------------------------------------------------------------------------------
tcps

#############################################################################
Test Non TLS Connection from client to server
#############################################################################
[oracle@rac01 admin]$ sqlplus system/oracle@notls

SQL*Plus: Release 19.0.0.0.0 - Production on Sat Jul 25 10:40:53 2020
Version 19.6.0.0.0

Copyright (c) 1982, 2019, Oracle.  All rights reserved.

Last Successful login time: Fri Jul 24 2020 17:48:09 +08:00

Connected to:
Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production

SQL> SELECT SYS_CONTEXT('USERENV', 'network_protocol') FROM DUAL;

SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')
--------------------------------------------------------------------------------
tcp
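The SYS_CONTEXT query above confirms the protocol from inside a database session. As an added example, not code from the original guide or from Oracle, the following Python script checks the same thing from outside: it completes a TLS handshake with the TCPS endpoint while trusting only the certificate exported from the server wallet, then reports the negotiated protocol version, cipher suite and certificate subject, and flags a CN mismatch or a suite without forward secrecy. Host, port and certificate path are the caller's inputs (the values in the usage comment are this guide's); the script assumes the file written by orapki wallet export is in PEM form, which is what the ssl module's cafile expects.

```python
"""Probe an Oracle TCPS listener endpoint from the client side and report what the TLS
handshake negotiated. Added example; not code from the original guide or from Oracle."""
import socket
import ssl
import sys


def build_context(ca_file=None):
    """Strict client context: TLS 1.2 or newer, certificate required, hostname verified.
    ca_file is the PEM certificate exported from the server wallet (assumption: the file
    produced by 'orapki wallet export ... -cert' is PEM)."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe_tcps(host, port, ctx, timeout=5.0):
    """Complete a TLS handshake with host:port and describe the result.
    No Oracle Net data is sent; the listener sees only a TLS connection that closes."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()  # populated because the context verified the chain
            subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
            return {
                "version": tls.version(),      # e.g. "TLSv1.2"
                "cipher": tls.cipher()[0],     # negotiated suite, in OpenSSL naming
                "subject_cn": subject.get("commonName"),
                "not_after": cert.get("notAfter"),
            }


def summarize(result, expected_cn):
    """Problems with a probe result; expected_cn is the CN that was put in the server wallet."""
    problems = []
    if result["subject_cn"] != expected_cn:
        problems.append(f"certificate CN is {result['subject_cn']!r}, expected {expected_cn!r}")
    # TLS 1.3 suites always use an ephemeral key exchange; for older versions the suite name
    # must say ECDHE or DHE, otherwise the session key is protected only by the RSA key.
    if result["version"] != "TLSv1.3" and not any(kx in result["cipher"] for kx in ("ECDHE", "DHE")):
        problems.append(f"cipher {result['cipher']} has no forward secrecy (RSA key exchange, no ECDHE/DHE)")
    return problems


if __name__ == "__main__":
    # usage: python3 probe_tcps.py linux01.localdomain 2484 /tmp/linux01.localdomain-certificate.crt
    host, port, ca_file = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    result = probe_tcps(host, port, build_context(ca_file))
    print(result)
    print("problems:", summarize(result, expected_cn=host) or "none")
```

Connect by the name in the certificate, linux01.localdomain, not by the 192.168.56.200 address used in tnsnames.ora: a standard verifier matches an IP address only against an IP subject alternative name, and a self-signed orapki certificate whose only name is CN=linux01.localdomain has none, so the handshake by IP fails hostname verification. With the 1024-bit key generated on this page, OpenSSL builds whose default security level is 2 may also reject the certificate outright; a 2048-bit or larger key avoids that.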