Configuring TCPS encryption for the listener: enable SSL encryption for Oracle SQL*Net

1. Configure the wallet on the client and the server

Both sides are configured the same way; each side adds the other side's certificate as a trusted certificate.

orapki wallet create -wallet "/u01/oracle/wallet" -pwd Wdkf984jkkgekj434FKFD -auto_login_local

orapki wallet add -wallet "/u01/oracle/wallet" -pwd Wdkf984jkkgekj434FKFD -dn "CN=`hostname`" -keysize 1024 -self_signed -validity 3650

Export the certificate:

orapki wallet export -wallet "/u01/oracle/wallet" -pwd Wdkf984jkkgekj434FKFD -dn "CN=`hostname`" -cert /tmp/`hostname`-certificate.crt

Import the peer's certificate (here the certificate exported from the other host):

orapki wallet add -wallet "/u01/oracle/wallet" -pwd Wdkf984jkkgekj434FKFD -trusted_cert -cert /tmp/ROCKY-20160621P-certificate.crt

Verify:

orapki wallet display -wallet "/u01/oracle/wallet" -pwd Wdkf984jkkgekj434FKFD

2. Listener configuration

Add the following to sqlnet.ora on both sides:

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/wallet)
    )
  )

SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)

SSL_CLIENT_AUTHENTICATION = FALSE

SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)

On the server, configure the listener with netca.

On the client, add a tnsnames.ora entry.

3. Verification

tnsping: OK

sqlplus login: OK

How to enable SSL encryption for Oracle SQL*Net (Without SSL Client Authentication)

1) Create a directory to store all our wallets:

oracle@solaris:~$ mkdir /u01/app/oracle/wallet

oracle@solaris112:~$ mkdir /u01/app/oracle/wallet

2) Create an empty wallet with auto login enabled on each host:

oracle@solaris:~$ cd /u01/app/oracle/wallet

oracle@solaris:/u01/app/oracle/wallet$ orapki wallet create -wallet /u01/app/oracle/wallet -auto_login -pwd welcome1

Oracle PKI Tool : Version 12.1.0.2

Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

oracle@solaris:/u01/app/oracle/wallet$ ls -l /u01/app/oracle/wallet

total 6

-rw------- 1 oracle oinstall 120 Dec 14 23:29 cwallet.sso

-rw-rw-rw- 1 oracle oinstall 0 Dec 14 23:29 cwallet.sso.lck

-rw------- 1 oracle oinstall 75 Dec 14 23:29 ewallet.p12

-rw-rw-rw- 1 oracle oinstall 0 Dec 14 23:29 ewallet.p12.lck

oracle@solaris112:/u01/app/oracle/wallet$ orapki wallet create -wallet /u01/app/oracle/wallet -auto_login -pwd welcome2

Oracle PKI Tool : Version 12.1.0.2

Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

oracle@solaris112:/u01/app/oracle/wallet$ ls -l /u01/app/oracle/wallet

total 4

-rw------- 1 oracle oinstall 120 Dec 15 07:30 cwallet.sso

-rw-rw-rw- 1 oracle oinstall 0 Dec 15 07:30 cwallet.sso.lck

-rw------- 1 oracle oinstall 75 Dec 15 07:30 ewallet.p12

-rw-rw-rw- 1 oracle oinstall 0 Dec 15 07:30 ewallet.p12.lck

3) Add a self-signed certificate in the wallet (a new pair of private/public keys is created):

oracle@solaris:/u01/app/oracle/wallet$ orapki wallet add -wallet /u01/app/oracle/wallet -dn "CN=solaris.dbaglobe.com" -keysize 1024 -self_signed -validity 365 -pwd welcome1

Oracle PKI Tool : Version 12.1.0.2

Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

oracle@solaris112:/u01/app/oracle/wallet$ orapki wallet add -wallet /u01/app/oracle/wallet -dn "CN=solaris112.dbaglobe.com" -keysize 1024 -self_signed -validity 365 -pwd welcome2

Oracle PKI Tool : Version 12.1.0.2

Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

If you display each wallet, you will see the certificate that was just requested:

oracle@solaris:/u01/app/oracle/wallet$ orapki wallet display -wallet /u01/app/oracle/wallet

Oracle PKI Tool : Version 12.1.0.2

Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:

User Certificates:

Subject: CN=solaris.dbaglobe.com

Trusted Certificates:

Subject: CN=solaris.dbaglobe.com

oracle@solaris112:~$ orapki wallet display -wallet /u01/app/oracle/wallet

Oracle PKI Tool : Version 12.1.0.2

Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:

User Certificates:

Subject: CN=solaris112.dbaglobe.com

Trusted Certificates:

Subject: CN=solaris112.dbaglobe.com

4) Export the certificate:

oracle@solaris:/u01/app/oracle/wallet$ orapki wallet export -wallet /u01/app/oracle/wallet -dn "CN=solaris.dbaglobe.com" -cert /u01/app/oracle/wallet/solaris.dbaglobe.com.txt

Oracle PKI Tool : Version 12.1.0.2

Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

oracle@solaris112:~$ orapki wallet export -wallet /u01/app/oracle/wallet -dn "CN=solaris112.dbaglobe.com" -cert /u01/app/oracle/wallet/solaris112.dbaglobe.com.txt

Oracle PKI Tool : Version 12.1.0.2

Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

5) Exchange the exported certificates (public keys) between server and client, and import each one as a trusted certificate on the other side:

oracle@solaris:/u01/app/oracle/wallet$ scp solaris112:/u01/app/oracle/wallet/solaris112.dbaglobe.com.txt .

oracle@solaris:/u01/app/oracle/wallet$ scp /u01/app/oracle/wallet/solaris.dbaglobe.com.txt solaris112:/u01/app/oracle/wallet/

oracle@solaris:/u01/app/oracle/wallet$ orapki wallet add -wallet /u01/app/oracle/wallet -trusted_cert -cert /u01/app/oracle/wallet/solaris112.dbaglobe.com.txt -pwd welcome1

Oracle PKI Tool : Version 12.1.0.2

Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

oracle@solaris112:~$ orapki wallet add -wallet /u01/app/oracle/wallet -trusted_cert -cert /u01/app/oracle/wallet/solaris.dbaglobe.com.txt -pwd welcome2

Oracle PKI Tool : Version 12.1.0.2

Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

oracle@solaris:/u01/app/oracle/wallet$ orapki wallet display -wallet /u01/app/oracle/wallet

Oracle PKI Tool : Version 12.1.0.2

Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:

User Certificates:

Subject: CN=solaris.dbaglobe.com

Trusted Certificates:

Subject: CN=solaris112.dbaglobe.com

Subject: CN=solaris.dbaglobe.com

oracle@solaris112:~$ orapki wallet display -wallet /u01/app/oracle/wallet

Oracle PKI Tool : Version 12.1.0.2

Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:

User Certificates:

Subject: CN=solaris112.dbaglobe.com

Trusted Certificates:

Subject: CN=solaris.dbaglobe.com

Subject: CN=solaris112.dbaglobe.com

6) Configure the listeners to work with TCPS

oracle@solaris:/u01/app/oracle/wallet$ lsnrctl stop

Edit the server-side configuration with netmgr. A sample configuration follows:

oracle@solaris:/u01/app/oracle/wallet$ cat /u01/app/oracle/product/12.1.0/dbhome_1/network/admin/listener.ora

SSL_CLIENT_AUTHENTICATION = FALSE

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/wallet)
    )
  )

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = solaris)(PORT = 1521))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = solaris)(PORT = 1531))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )

ADR_BASE_LISTENER = /u01/app/oracle

oracle@solaris:/u01/app/oracle/wallet$ cat /u01/app/oracle/product/12.1.0/dbhome_1/network/admin/sqlnet.ora

SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)

SSL_VERSION = 0

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

SSL_CLIENT_AUTHENTICATION = FALSE

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/wallet)
    )
  )

ADR_BASE = /u01/app/oracle

oracle@solaris:/u01/app/oracle/wallet$ lsnrctl start

7) Configure the sqlnet.ora & tnsnames.ora on the client

oracle@solaris112:~$ cat /u01/app/oracle/product/12.1.0/dbhome_1/network/admin/sqlnet.ora

#Parameter for TDE
ENCRYPTION_WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/wallet)
    )
  )

SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)

SSL_VERSION = 0

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

SSL_CLIENT_AUTHENTICATION = FALSE

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/wallet)
    )
  )

ADR_BASE = /u01/app/oracle

oracle@solaris112:~$ echo "
> ORCL1_TCPS =
>   (DESCRIPTION =
>     (ADDRESS = (PROTOCOL = TCPS)(HOST = solaris)(PORT = 1531))
>     (CONNECT_DATA =
>       (SERVER = DEDICATED)
>       (SERVICE_NAME = orcl1)
>     )
>   )
> " >> /u01/app/oracle/product/12.1.0/dbhome_1/network/admin/tnsnames.ora

8) Check the connectivity

oracle@solaris112:/u01/app/oracle/product/12.1.0/dbhome_1/network/admin$ tnsping ORCL1_TCPS

TNS Ping Utility for Solaris: Version 12.1.0.2.0 - Production on 15-DEC-2014 08:39:03

Copyright (c) 1997, 2014, Oracle. All rights reserved.

Used parameter files:

/u01/app/oracle/product/12.1.0/dbhome_1/network/admin/sqlnet.ora

Used TNSNAMES adapter to resolve the alias

Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = solaris)(PORT = 1531)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = orcl1)))

OK (20 msec)

oracle@solaris112:~$ sqlplus system/password@orcl1_tcps

SQL*Plus: Release 12.1.0.2.0 Production on Mon Dec 15 08:39:57 2014

Copyright (c) 1982, 2014, Oracle. All rights reserved.

Last Successful login time: Mon Dec 15 2014 00:39:21 +08:00

Connected to:

Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production

With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options

SQL> select sys_context('userenv','network_protocol') from dual;

SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')


Tcps

SQL> select userenv('sid') from dual;

USERENV('SID')


50

SQL> select * from v$session_connect_info where sid=50;

SID SERIAL# AUTHENTICATION_TYPE OSUSER | NETWORK_SERVICE_BANNER | CLIENT_CHARSET CLIENT_CONNECTION | CLIENT_OCI_LIBRARY CLIENT_VERSION | CLIENT_DRIVER CLIENT_LOBATTR CLIENT_REGID CON_ID

50 14986 DATABASE oracle | | US7ASCII Homogeneous | Home-based 12.1.0.2.0 | SQL*PLUS Client Temp Lob Rfc On 0 0

50 14986 DATABASE oracle | Authentication service for Solaris: Version 12.1.0.2.0 - Production | US7ASCII Homogeneous | Home-based 12.1.0.2.0 | SQL*PLUS Client Temp Lob Rfc On 0 0

50 14986 DATABASE oracle | Encryption service for Solaris: Version 12.1.0.2.0 - Production | US7ASCII Homogeneous | Home-based 12.1.0.2.0 | SQL*PLUS Client Temp Lob Rfc On 0 0

50 14986 DATABASE oracle | Crypto-checksumming service for Solaris: Version 12.1.0.2.0 - Production | US7ASCII Homogeneous | Home-based 12.1.0.2.0 | SQL*PLUS Client Temp Lob Rfc On 0 0

Possible error 1 (to resolve it, include the -pwd parameter; an auto-login wallet opened without the password is read-only):

oracle@solaris:/u01/app/oracle/wallet$ orapki wallet add -wallet /u01/app/oracle/wallet -trusted_cert -cert /u01/app/oracle/wallet/solaris112.dbaglobe.com.txt

Oracle PKI Tool : Version 12.1.0.2

Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Could not install trusted cert at/u01/app/oracle/wallet/solaris112.dbaglobe.com.txt

PKI-02008: Unable to modify a read-only Auto-login wallet.

Possible error 2 (to resolve it, use different port numbers for the TCP and TCPS endpoints):

oracle@solaris:/u01/app/oracle/wallet$ lsnrctl start

LSNRCTL for Solaris: Version 12.1.0.2.0 - Production on 15-DEC-2014 00:02:21

Copyright (c) 1991, 2014, Oracle. All rights reserved.

Starting /u01/app/oracle/product/12.1.0/dbhome_1/bin/tnslsnr: please wait...

TNSLSNR for Solaris: Version 12.1.0.2.0 - Production

System parameter file is /u01/app/oracle/product/12.1.0/dbhome_1/network/admin/listener.ora

Log messages written to /u01/app/oracle/diag/tnslsnr/solaris/listener/alert/log.xml

Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=solaris)(PORT=1521)))

Error listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=solaris)(PORT=1521)))

TNS-12542: TNS:address already in use

TNS-12560: TNS:protocol adapter error

TNS-00512: Address already in use

Solaris Error: 125: Address already in use

Listener failed to start. See the error message(s) above...

Possible error 3 (to resolve it, point WALLET_LOCATION at the directory where the wallet was actually created):

oracle@solaris112:~$ sqlplus system/p_ssw0rd@orcl1_tcps

SQL*Plus: Release 12.1.0.2.0 Production on Mon Dec 15 08:14:21 2014

Copyright (c) 1982, 2014, Oracle. All rights reserved.

ERROR:

ORA-28759: failure to open file

oracle@solaris112:~$ tnsping orcl1_tcps

TNS Ping Utility for Solaris: Version 12.1.0.2.0 - Production on 15-DEC-2014 08:14:50

Copyright (c) 1997, 2014, Oracle. All rights reserved.

Used parameter files:

/u01/app/oracle/product/12.1.0/dbhome_1/network/admin/sqlnet.ora

Used TNSNAMES adapter to resolve the alias

Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = solaris)(PORT = 1531)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = orcl1)))

TNS-12560: TNS:protocol adapter error
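Errors 2 and 3 above can be caught before lsnrctl start and the first sqlplus attempt. The script below is an added shell example, not the original post's or Oracle's code: it reports HOST:PORT pairs claimed by more than one ADDRESS in a listener.ora (error 2), checks that the WALLET_LOCATION directory holds an auto-login cwallet.sso (error 3), and flags the 3DES suite from the SSL_CIPHER_SUITES list in section 2 (going beyond the page by also flagging RC4, MD5 and NULL suites); all file contents are constructed sample input.

```shell
#!/bin/sh
# Added example, not from the original page: pre-flight checks for the TCPS
# listener setup that catch the failure modes described above before lsnrctl
# start / sqlplus run into them. All files below are constructed sample input.
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
WALLET_DIR="$WORKDIR/wallet"     # stands in for /u01/app/oracle/wallet
mkdir -p "$WALLET_DIR"

# Constructed listener.ora that reproduces "Possible error 2" (TCP and TCPS on 1521).
cat > "$WORKDIR/listener_bad.ora" <<'EOF'
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = solaris)(PORT = 1521)))
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = solaris)(PORT = 1521)))
    (DESCRIPTION = (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521)))
  )
EOF
# The corrected layout from step 6: TCPS moved to its own port.
sed 's/TCPS)(HOST = solaris)(PORT = 1521)/TCPS)(HOST = solaris)(PORT = 1531)/' \
    "$WORKDIR/listener_bad.ora" > "$WORKDIR/listener_good.ora"

# Print every HOST:PORT pair that more than one ADDRESS clause claims (IPC
# addresses have a KEY instead of HOST/PORT and are skipped). Empty output = OK.
port_collisions() {
    grep -o '(HOST *= *[^)]*)(PORT *= *[0-9]*)' "$1" \
        | sed 's/(HOST *= *\([^)]*\))(PORT *= *\([0-9]*\))/\1:\2/' \
        | sort | uniq -d
}

# Return 0 when WALLET_LOCATION's directory holds an auto-login wallet (cwallet.sso),
# which the client needs to open the wallet without a password (else ORA-28759).
wallet_ok() {
    [ -d "$1" ] && [ -f "$1/cwallet.sso" ]
}

# Return 0 when an SSL_CIPHER_SUITES value lists no deprecated algorithm.
# The page's list includes SSL_RSA_WITH_3DES_EDE_CBC_SHA, which this flags.
ciphers_ok() {
    ! printf '%s\n' "$1" | grep -Eiq '3DES|RC4|_MD5|NULL'
}

# Stand-alone run: report each check.
echo "bad listener collisions:  $(port_collisions "$WORKDIR/listener_bad.ora")"
echo "good listener collisions: $(port_collisions "$WORKDIR/listener_good.ora")"
wallet_ok "$WALLET_DIR" && echo "wallet: ok" || echo "wallet: missing cwallet.sso"
ciphers_ok "(SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)" \
    && echo "ciphers: ok" || echo "ciphers: deprecated suite present"
```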

1.1 Oracle listener: static service configuration and dynamic service registration

1.1.1 What is service registration?

First, a review of a few basic concepts: Oracle instance, Oracle database, Oracle Server, and Oracle service:

Oracle instance = Oracle SGA memory + Oracle background processes

Oracle database = the core files (data files, control files, log files)

Oracle Server = Oracle instance + Oracle database

In an HA environment, one Oracle Server = 1 Oracle instance + 1 Oracle database; in a two-node RAC environment, one Oracle Server = 2 Oracle instances + 1 Oracle database.

Oracle service: what the database offers to clients; one Oracle database can have multiple services. If you need connect-time failover or load balancing, or want connections distributed transparently across the instances of a RAC, the service_names parameter is required. To enable these features, set service_names in each instance's parameter file to the same value and reference that value in the service_name setting of the client's connect request.

Service registration means registering the database with the listener as a service. Whenever a database is started, two pieces of information are registered with the listener by default: the instance and the service of that database server.

The client does not need to know the database name or the instance name; knowing the service name the database offers is enough to request a connection.

During database server startup, the database server registers its services with the listener.

1.1.2 Dynamic registration

With dynamic registration, when the instance starts, the PMON process registers the instance and its services with the listener based on the instance_name and service_names parameters in init.ora.

First, specify values for instance_name and service_names in init.ora. If these two parameters are not specified, the system uses defaults: the instance name takes the value of db_name in init.ora, and the service name takes db_name + db_domain.

Note that with dynamic registration the registered services are not limited to those in service_names: if service_names does not include the default db_name + db_domain, that value is registered as well. You can specify multiple service values in service_names, separated by commas, which is useful for shared server configurations.

Because PMON runs once per minute, if the listener is started after the Oracle Server it may take up to one minute before PMON registers these services with the listener process.

With dynamic registration, listener.ora is not required; that file is for static configuration. If the file exists, it must not contain static configuration for this database; it may only contain entries such as:

SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (ORACLE_HOME = ...)
      (PROGRAM = extproc)
    )
  )

Otherwise it is treated as static registration and dynamic registration stops working (PMON's automatic registration fails, and alter system register does not register it either). However, when local_listener is used, in my experience it has to be configured in listener.ora in addition to tnsnames.ora, and then dynamic registration works.

By default, dynamic registration only registers with the default listener (named LISTENER, port 1521, protocol TCP), because PMON only dynamically registers with a listener on port 1521. To register with a non-default listener, configure the local_listener parameter and add the listener's information to tnsnames.ora (or set the parameter directly, for example LOCAL_LISTENER='(ADDRESS = (PROTOCOL = TCP)(HOST = xxx.xxx.xxx.xxx)(PORT = 1522))'). Note that it is the tnsnames.ora file, because PMON reads the relevant information from tnsnames.ora when registering dynamically.

LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = DaveDai)(PORT = 1522))
  )

Then run the following as the sys user (the init file can also be edited directly):

SQL> alter system set local_listener=listener scope=both;

SQL> alter system register;

or:

SQL> alter system set LOCAL_LISTENER='(ADDRESS = (PROTOCOL = TCP)(HOST = xxx.xxx.xxx.xxx)(PORT = 1522))';

1.1.3 Static registration

Static registration means the instance and its services are registered with the listener from the configuration read from listener.ora at startup.

In static registration, GLOBAL_DBNAME in listener.ora provides the service name exposed to clients, and SID_NAME in listener.ora provides the registered instance name.

With static registration, listener.ora contains the following:

SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (ORACLE_HOME = D:/oracle/product/10.2.0/db_1)
      (PROGRAM = extproc)
    )
    (SID_DESC =
      (GLOBAL_DBNAME = orcl)
      (ORACLE_HOME = D:/oracle/product/10.2.0/db_1)
      (SID_NAME = orcl)
    )
    (SID_DESC =
      (GLOBAL_DBNAME = orcl1)
      (ORACLE_HOME = D:/oracle/product/10.2.0/db_1)
      (SID_NAME = orcl)
    )
  )

This file describes a single-instance database with instance name orcl that exposes two services: orcl and orcl1.

Static listening:

Once the Oracle instance is running, the listener registers the corresponding services from the listener.ora configuration when it starts.

Here global_dbname corresponds to the service name Oracle exposes, i.e. the service_names initialization parameter,

and sid_name corresponds to the Oracle instance name, i.e. the instance_name initialization parameter.

1.1.4 Determining whether a service is statically or dynamically registered

Use the command lsnrctl status to see whether a service is statically or dynamically registered.

An instance status of UNKNOWN indicates that the service was set up by static registration. The listener uses it to indicate that it knows nothing about the instance; it checks whether the instance exists only when a client issues a connect request.

A dynamically registered database is indicated by a status of READY, or BLOCKED for a standby database. Whenever the database is shut down, a dynamically registered database is dynamically deregistered from the listener and its information disappears from the status list. The listener therefore always knows the database's state, whether it is running or shut down. This information is used for connect-request fallback and load balancing.
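The check in 1.1.4 can be automated. The shell script below is an added example rather than the author's own: it parses the Services Summary of lsnrctl status output and labels each (service, instance) pair as static (UNKNOWN) or dynamic (READY, or BLOCKED for a standby). The lsnrctl output is constructed sample input in the tool's format, built from the listener.ora in 1.1.3 plus one dynamically registered service and a standby.

```shell
#!/bin/sh
# Added example, not from the original page: classify each service in
# `lsnrctl status` output as statically registered (status UNKNOWN) or
# dynamically registered (READY, or BLOCKED for a standby), as section 1.1.4
# describes. The output below is constructed sample input in lsnrctl's format,
# modelled on the listener.ora in 1.1.3 plus one dynamically registered service.
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
cat > "$WORKDIR/lsnrctl_status.txt" <<'EOF'
Services Summary...
Service "PLSExtProc" has 1 instance(s).
  Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
Service "orcl" has 2 instance(s).
  Instance "orcl", status UNKNOWN, has 1 handler(s) for this service...
  Instance "orcl", status READY, has 1 handler(s) for this service...
Service "orcl1" has 1 instance(s).
  Instance "orcl", status UNKNOWN, has 1 handler(s) for this service...
Service "orcl_stby" has 1 instance(s).
  Instance "orcl", status BLOCKED, has 1 handler(s) for this service...
The command completed successfully
EOF

# Print one line per registered (service, instance) pair:
#   <service> <instance> <status> <static|dynamic|unexpected>
# A service listed twice for the same instance (once UNKNOWN, once READY)
# is registered both statically and dynamically.
classify_registrations() {
    awk '
        /^Service "/ { svc = $2; gsub(/"/, "", svc) }
        /^ *Instance "/ {
            inst = $2; gsub(/[",]/, "", inst)
            st = $4; gsub(/,/, "", st)
            if (st == "UNKNOWN") kind = "static"
            else if (st == "READY" || st == "BLOCKED") kind = "dynamic"
            else kind = "unexpected"
            print svc, inst, st, kind
        }' "$1"
}

# Count how many registrations are of the given kind (static or dynamic).
count_kind() {
    classify_registrations "$1" | awk -v k="$2" '$4 == k { n++ } END { print n + 0 }'
}

classify_registrations "$WORKDIR/lsnrctl_status.txt"
echo "static: $(count_kind "$WORKDIR/lsnrctl_status.txt" static)"
echo "dynamic: $(count_kind "$WORKDIR/lsnrctl_status.txt" dynamic)"
```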
