网页设计网站官网莆田房产网

说明

oracle 11g 从PSU 2018Oct（含）及之后的补丁不支持MD5. 要使用JDBC SSL要使用TSL1.2.

update: 2025.05.21. 把jks文件放到jks目录下。而不是lib. wallets_2_jks.sh自动建立此目录。并把jks文件生成在此目录.
生成wallet时，把validate改为3650（10年） -validity 3650

1. 为什么用TSL 1.2

• https://blogs.oracle.com/developers/post/ssl-connection-to-oracle-db-using-jdbc-tlsv12-jks-or-oracle-wallets-122-and-lower#Wallets

提到:
JDK 7 and JDK 8 releases support TLSv1.2 protocol. The other protocols such as TLSv1.1, TLSv1, SSLv3, and SSLv2 have security vulnerabilities and the recommendation is to use the latest standard version TLSv1.2 and use more secure SSL cipher suites. Follow these pre-requisites below to use TLSv1.2.

TLS 1.2是比较稳定的版本。建议使用它。

2. 使用TSL 1.2 ,需要什么环境

1) ojdbc8.jar

上文提到， 需要ojdbc8.jar, (是jdbc 12.2.0.1 的ojdbc8.jar).
注意，这里的12.2.0.1,不是数据库的版本。 而是JDBC Drivers的版本号。更多版本参看：

• https://www.oracle.com/database/technologies/appdev/jdbc-drivers-archive.html

实际从19c的$ORACLE_HOME/jdbc下得到ojdbc8.jar. 看其readme：

Oracle JDBC Drivers release 12.2.0.1.0 production Readme.txt
==========================================================

如果从Oracle数据库12cR2的$ORACLE_HOME/jdbc下，看其readme：
Oracle JDBC Drivers release 12.1.0.1.0 production Readme.txt
==========================================================

2) java环境。

需要JDK9 or JDK8u162或者以上
实际使用版本：1.8.0_391.

#cd /usr/local; tar zxvf jdk-8u391-linux-x64.tar.gz
#ln -s /usr/local/jdk1.8.0_391 jdk并设置oracle的PATH
export PATH=/usr/local/jdk/bin:$ORACLE_HOME/bin:$PATH
java -version 确认版本是1.8
[oracle@RHEL8 trace]$ which java
/usr/local/jdk/bin/java
[oracle@RHEL8 trace]$ java -version
java version "1.8.0_391"
Java(TM) SE Runtime Environment (build 1.8.0_391-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.391-b13, mixed mode)

3. 如何确认jdbc版本和Oracle数据库的支持情况？

文档： How To Configure Oracle JDBC Thin Driver To Connect To Database Using TLS v1.2 (Doc ID 2436911.1)
文档 Starting With Oracle JDBC Drivers - Installation, Certification, and More! (Doc ID 401934.1)

从oracle客户端和数据库之间兼容表：

• Client / Server Interoperability Support Matrix for Different Oracle
  Versions (Doc ID 207303.1)

可以看到：
Client
Version Server Version
23ai 21c 19c 18c 12.2.0 12.1.0 11.2.0
23ai#11 Yes Yes Yes No No No No
21c Yes Yes Yes Was Was Yes#12 No
19c Yes Yes Yes Was Was Yes#12 Yes#9
18c No Was Was Was Was Was Was#9
12.2.0 No Was Was Was Was Was Was#9
12.1.0 No Yes#12 Yes#12 Was Was Yes#12 Yes#12
11.2.0 No No Yes#9 Was#9 Was#9 Yes#12 Yes#9

数据库 11.2.0 ，客户端可以是 11.2.0, 直到 19c.

4. 其他参考文档

1）TLS Connection String For JDBC Thin Driver Without A Wallet (Doc ID 2970468.1)
把wallet的内容转化为jks

5. 步骤

先在数据库服务器上测试。

1） 生成数据库服务器的wallet

[oracle@RHEL8 scripts]$ cat ssl_sha256_onlyserver.sh
if [ -d /home/oracle/wallets ]; thenmv /home/oracle/wallets /home/oracle/wallets-`date +%y%m%d-%H%M%S`
fi
mkdir -p /home/oracle/wallets
cd /home/oracle/wallets #进入当前目录orapki wallet create -wallet ./server_wallet -auto_login -pwd Welcome1_
orapki wallet add -wallet ./server_wallet -sign_alg sha256 -dn "CN=server" -keysize 1024 -self_signed -validity 365 -pwd Welcome1_
orapki wallet display -wallet ./server_wallet
orapki wallet export -wallet ./server_wallet -dn "CN=server" -cert ./server_wallet/cert.txt# check the alg
openssl x509 -noout -text -in ./server_wallet/cert.txt

注意，如果以前使用了wallets方式，那么修改了/u01/app/oracle/product/11.2.0/db_1/jdk/jre/lib/security/java.security.
如果以前备份过，可以覆盖修改后的。

2) 把wallet转化为jks

参考文档Doc ID 2970468.1

[oracle@testdb1 server_setup]$ cat wallets_2_jks.sh
CURRENT_PATH=$(pwd)
echo $CURRENT_PATH
if [ ! -d $CURRENT_PATH/../jks ]; thenmkdir $CURRENT_PATH/../jks
fi
cd  /home/oracle/wallets && orapki wallet pkcs12_to_jks -wallet ./server_wallet -pwd Welcome1_ -jksTrustStoreLoc $CURRENT_PATH/../jks/truststore.jks -jksTrustStorepwd Welcome1_ -jksKeyStoreLoc $CURRENT_PATH/../jks/keystore.jks -jksKeyStorepwd Welcome1_

3) 配置侦听

添加tpcs的端口

SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =(SOURCE =(METHOD = FILE)(METHOD_DATA =(DIRECTORY = /home/oracle/wallets/server_wallet)))LISTENER =(DESCRIPTION_LIST =(DESCRIPTION =(ADDRESS = (PROTOCOL = TCP)(HOST = RHEL8.localdomain)(PORT = 1521)))(DESCRIPTION =(ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521)))(DESCRIPTION =(ADDRESS = (PROTOCOL = TCPS)(HOST = 192.168.56.89)(PORT = 2484))))ADR_BASE_LISTENER = /u01/app/oracle修改sqlnet.oraNAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)ADR_BASE = /u01/app/oracleSSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =(SOURCE =(METHOD = FILE)(METHOD_DATA =(DIRECTORY = /home/oracle/wallets/server_wallet)))SQLNET.AUTHENTICATION_SERVICES= (BEQ,TCPS, NTS)

4) 重启侦听

lsnrctl stop
lsnrctl start

5) 修改测试java程序

下载测试程序，

• https://github.com/oracle-samples/oracle-db-examples/blob/main/java/jdbc/ConnectionSamples/DataSourceSample.java

修改连接符, 用户名密码

final static String DB_URL = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(PORT=2484)(HOST=192.168.56.89))"+ "(CONNECT_DATA=(SERVICE_NAME=orcl))"+ "(SECURITY=(SSL_SERVER_CERT_DN=\"CN = server\")))";// For ATP and ADW - use the TNS Alias name along with the TNS_ADMIN when using 18.3 JDBC driver// final static String DB_URL="jdbc:oracle:thin:@wallet_dbname?TNS_ADMIN=/Users/test/wallet_dbname";// In case of windows, use the following URL// final static String DB_URL="jdbc:oracle:thin:@wallet_dbname?TNS_ADMIN=C:/Users/test/wallet_dbname";final static String DB_USER = "system";final static String DB_PASSWORD = "oracle";

6) 准备测试数据employees表

为systme用户建表employees,测试使用

sqlplus system/oracle
create table employees(first_name varchar2(10), last_name varchar2(10));
insert into employees values('a','a')
commit;

7) 测试脚本run.sh

[oracle@testdb1 jdbc_tsl_jks]$ cat run.sh
javac -cp .:ojdbc8.jar DataSourceSample.java
java -cp .:ojdbc8.jar \
-Doracle.net.ssl_server_dn_match="false" \
-Djavax.net.ssl.trustStore="/home/oracle/jdbc_tsl/jks/truststore.jks" \
-Djavax.net.ssl.trustStorePassword="Welcome1_" \
-Djavax.net.ssl.trustStoreType="JKS" \
-Djavax.net.ssl.keyStore="/home/oracle/jdbc_tsl/jks/keystore.jks" \
-Djavax.net.ssl.keyStoreType="JKS" \
-Djavax.net.ssl.keyStorePassword="Welcome1_" DataSourceSample
#-Djavax.net.debug=all \
#-Djavax.net.debug=ssl,handshake \

使用了前面生成的jks文件，密码，调试时可以加上最后的debug参数

8) 测试

[oracle@RHEL8 jdbc_tsl]$ ./run.sh
Driver Name: Oracle JDBC driver
Driver Version: 19.9.0.0.0
Default Row Prefetch Value is: 20
Database Username is: SYSTEMFIRST_NAME  LAST_NAME
---------------------
a a

6. 在客户端测试

1)

把/home/oracle/jdbc_tls压缩复制到客户端并解压到相同的/home/oracle/jdb_tls目录。
这里面包含了jks文件。
不需要复制wallets和sqlnet.ora

2)客户端安装jdk 1.8,

#cd /usr/local; tar zxvf jdk-8u391-linux-x64.tar.gz
#ln -s /usr/local/jdk1.8.0_391 jdk

并设置oracle的PATH
export PATH=/usr/local/jdk/bin:$ORACL{E}_{H}OME/bin:$PATH
java -version 确认版本是1.8

3)客户端测试

[oracle@hol jdbc_tsl]$ ./run.sh
Driver Name: Oracle JDBC driver
Driver Version: 19.9.0.0.0
Default Row Prefetch Value is: 20
Database Username is: SYSTEMFIRST_NAME  LAST_NAME
---------------------
a a

7. 其他错误分析

https://www.oracle.com/database/technologies/application-development/jdbc-eecloud-troubleshooting-tips.html