Oracle 11.2.0.4 pre PSU Oct18: Setting Up SSL Connections

  • 1 Overview
  • 2 Configure the JDK environment on the client
  • 3 Check the Oracle database patches on the server
  • 4 Set up SSL
    • a Configure the wallet on the server
    • b Upload the test script and configuration files to the client
    • c Modify the database listener and sqlnet.ora on the server
    • d Modify the client's sqlnet.ora and the tnsnames.ora connect descriptor
    • e Modify the database connection details in the Java code
  • 5 sqlplus connection test
  • 6 JDBC connection test

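1 Overview

This article describes connecting to an Oracle database from JDBC over an SSL-encrypted connection using MD5.

According to the document "MD5 Certificates Deprecated (Doc ID 2454519.1)",

once the corresponding database patches below are applied, MD5 no longer works.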

DB 12.2.0.1, DB 12.1.0.2 + July 2018 PSU or later ,

DB 11.2.0.4 + Oct 2018 PSU or later,

DB 12.1.0.2 + MES415patch,

DB 11.2.0.4 + MES415patch will be impacted by this change.

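Before that, MD5 can still be used. After the patches above are applied, connections must use JDBC with TLS 1.2.

According to the document Minimal Configuration for encryption-only SSL using JDBC/thin (Doc ID 1124286.1)

(the original uses a link to the 19c documentation, but the 19c documentation has since changed; the 12c version still has it, at

https://docs.oracle.com/en/database/oracle/oracle-database/12.2/jjdbc/client-side-security.html#GUID-A0F5D4B2-C3DE-4DE6-A759-A3BF48450031 ),

the client does not need a wallet configured.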

2 Configure the JDK environment on the client

JDK 1.6 is required.

File: jdk-6u211-linux-x64.bin

Run it as root in /usr/local/; it unpacks to /usr/local/jdk1.6.0_211.

Create a soft link:

ln -s /usr/local/jdk1.6.0_211 jdk

Prepend /usr/local/jdk/bin to the oracle user's PATH:

export PATH=/usr/local/jdk/bin:$PATH

3 Check the Oracle database patches on the server

$ORACLE_HOME/OPatch/opatch lspatches

For 11g that has been upgraded to the Oct 2018 PSU, refer to

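4 Set up SSL

a Configure the wallet on the server

Log in to the database server as the oracle user.

Extract the archive jdbc_ssl_11g_nopatch_client_server_demo_2025-05-16-1245.tar.gz

into /home/oracle/scripts.

Then extract the server-side package jdbc_ssl_11g_nopatch_server.tar.gz,

which yields ssl_md5_only_server_wallet.sh.

Run:

cd server

./ssl_md5_only_server_wallet.sh

This creates the /home/oracle/wallets directory; the output during execution shows that the MD5 algorithm is used.

Script:
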
nome@manjaro:~/workdir/dev/jdbc_ssl/tmp/server$ cat ssl_md5_only_server_wallet.sh
#!/usr/bin/bash
# This script generates the server wallet. The client does not need a wallet. ref: https://docs.oracle.com/en/database/oracle/oracle-database/12.2/jjdbc/client-side-security.html#GUID-6AC4159F-9A89-4DE7-B2F8-6E8AC67109CD
# The database server's sqlnet.ora needs SSL_CLIENT_AUTHENTICATION = FALSE

# Keep any existing wallet directory by renaming it with a timestamp
if [ -d /home/oracle/wallets ]; then
        mv /home/oracle/wallets /home/oracle/wallets-`date +%y%m%d-%H%M%S`
fi
mkdir -p /home/oracle/wallets
cd /home/oracle/wallets || exit 1 # change into the wallet directory; stop if that fails

orapki wallet create -wallet ./server_wallet -auto_login -pwd Welcome1_
orapki wallet add -wallet ./server_wallet -dn "CN=server" -keysize 1024 -self_signed -validity 365 -pwd Welcome1_
orapki wallet display -wallet ./server_wallet
orapki wallet export -wallet ./server_wallet -dn "CN=server" -cert ./server_wallet/cert.txt
# check the alg
openssl x509 -noout -text -in ./server_wallet/cert.txt


nome@manjaro:~/workdir/dev/jdbc_ssl/tmp/server$
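
The script ends by printing the certificate with openssl so the algorithm can be read by eye. The following is an added example, not part of the original scripts, that automates that check so wallets whose certificates will stop working after the MD5 deprecation can be found before patching. The function names and the sample certificate text are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag weak properties in `openssl x509 -noout -text` output.

# cert_findings: reads certificate text on stdin, prints a comma-separated
# list of findings, "ok" if none, or "unparsed" if no algorithm was found.
cert_findings() {
    awk '
        /Signature Algorithm:/ && !alg { alg = $NF }
        /Public Key Algorithm:/        { keyalg = $NF }
        /Public[- ]Key: \(/ { n = $0; gsub(/[^0-9]/, "", n); bits = n + 0 }
        END {
            if (alg == "") { print "unparsed"; exit }
            if (tolower(alg) ~ /^md5/)  out = out "md5-signature,"
            if (tolower(alg) ~ /^sha1/) out = out "sha1-signature,"
            if (keyalg == "rsaEncryption" && bits > 0 && bits < 2048)
                out = out "rsa-" bits "-key,"
            sub(/,$/, "", out)
            print (out == "" ? "ok" : out)
        }'
}

# Constructed sample: what a self-signed CN=server certificate with an MD5
# signature and a 1024-bit key looks like in openssl text form.
sample_cert_text() {
    cat <<'EOF'
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 0 (0x0)
    Signature Algorithm: md5WithRSAEncryption
        Issuer: CN=server
        Subject: CN=server
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
    Signature Algorithm: md5WithRSAEncryption
EOF
}

sample_cert_text | cert_findings
```

Against a real wallet export, pipe the script's own command into the function: `openssl x509 -noout -text -in ./server_wallet/cert.txt | cert_findings`.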

b Upload the test script and configuration files to the client

Log in to the client and extract into /home/oracle:

cd /home/oracle

tar zxvf jdbc_ssl_11g_client_config_demo.tar.gz

This extracts into the jdbc_ssl directory.

Back up the default sqlnet.ora and tnsnames.ora under $ORACLE_HOME/network/admin/.

cd jdbc_ssl

cp *.ora $ORACLE_HOME/network/admin

This copies the files in the sqlnet directory to $ORACLE_HOME/network/admin.

c Modify the database listener and sqlnet.ora on the server

[oracle@ora11g scripts]$ cd $ORACLE_HOME/network/admin
[oracle@ora11g admin]$ ls
listener.ora  samples  shrept.lst  sqlnet.ora  tnsnames.ora
[oracle@ora11g admin]$ cat listener.ora 
# listener.ora Network Configuration File: /oracle/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
# Generated by Oracle configuration tools.

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = ora11g)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = ora11g)(PORT = 2484))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )

ADR_BASE_LISTENER = /oracle/app/oracle

SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /home/oracle/wallets/server_wallet)
    )
  )
SSL_CIPHER_SUITES= (SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_RC4_128_MD5,SSL_DH_anon_WITH_DES_CBC_SHA)


[oracle@ora11g admin]$ cat sqlnet.ora
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /home/oracle/wallets/client_wallet)
#      (DIRECTORY = /home/oracle/wallets/server_wallet)
    )
  )

SQLNET.AUTHENTICATION_SERVICES= (BEQ,TCPS, NTS)

SSL_CIPHER_SUITES= (SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_RC4_128_MD5,SSL_DH_anon_WITH_DES_CBC_SHA)

[oracle@ora11g admin]$

The main changes are the WALLET settings and the TCPS connection address and port.
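
Every suite in the SSL_CIPHER_SUITES lines above is an anonymous Diffie-Hellman suite, which encrypts traffic but does not authenticate the server, and two of them also use RC4 or single DES. The following added example (not from the original page) audits that parameter in sqlnet.ora or listener.ora text. The function names are constructed, the sample input reuses the page's setting, and it assumes the parameter sits on one line as it does here.

```shell
#!/bin/sh
# Added example: report why each configured SSL_CIPHER_SUITES entry is weak.

# classify_suite SUITE -> comma-separated findings, or "ok"
classify_suite() {
    findings=""
    case "$1" in *_anon_*) findings="${findings}no-server-auth," ;; esac
    case "$1" in *_NULL_*) findings="${findings}no-encryption," ;; esac
    case "$1" in *_RC4_*)  findings="${findings}rc4," ;; esac
    case "$1" in *_3DES_*) findings="${findings}3des," ;;
                 *_DES_*)  findings="${findings}single-des," ;; esac
    case "$1" in *_MD5)    findings="${findings}md5-mac," ;; esac
    if [ -n "$findings" ]; then printf '%s\n' "${findings%,}"; else echo ok; fi
}

# audit_cipher_suites: reads a .ora file on stdin and prints one
# "SUITE: findings" line per suite; commented-out settings are skipped.
audit_cipher_suites() {
    grep -i '^[[:space:]]*SSL_CIPHER_SUITES' |
    sed -e 's/^[^(]*(//' -e 's/).*$//' |
    tr ',' '\n' |
    while read -r suite; do
        [ -n "$suite" ] || continue
        printf '%s: %s\n' "$suite" "$(classify_suite "$suite")"
    done
}

# Constructed sample: the cipher line is the one shown on this page; the
# commented-out line is added to show that comments are ignored.
sample_sqlnet() {
    cat <<'EOF'
SSL_CLIENT_AUTHENTICATION = FALSE
#SSL_CIPHER_SUITES= (SSL_RSA_WITH_AES_128_CBC_SHA)
SSL_CIPHER_SUITES= (SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_RC4_128_MD5,SSL_DH_anon_WITH_DES_CBC_SHA)
EOF
}

sample_sqlnet | audit_cipher_suites
```

To audit a real file, redirect it into the function: `audit_cipher_suites < $ORACLE_HOME/network/admin/sqlnet.ora`.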

d Modify the client's sqlnet.ora and the tnsnames.ora connect descriptor

[oracle@source ~]$ cd $ORACLE_HOME/network/admin
[oracle@source admin]$ cat sqlnet.ora
# sqlnet.ora Network Configuration File: /u01/app/oracle/product/11.2.0/dbhome_1/network/admin/sqlnet.ora
# Generated by Oracle configuration tools.

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

ADR_BASE = /u01/app/oracle

SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /home/oracle/wallets/client_wallet)
#      (DIRECTORY = /home/oracle/wallets/server_wallet)
    )
  )

SQLNET.AUTHENTICATION_SERVICES= (BEQ,TCPS, NTS)

SSL_CIPHER_SUITES= (SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_RC4_128_MD5,SSL_DH_anon_WITH_DES_CBC_SHA)

[oracle@source admin]$ cat tnsnames.ora
orcl = (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.56.91)(PORT = 1521))) (CONNECT_DATA = (SERVICE_NAME = orcl)))
orcldg = (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.56.92)(PORT = 1521))) (CONNECT_DATA = (SERVICE_NAME = orcldg)))
dup = (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.56.92)(PORT = 1525))) (CONNECT_DATA = (SERVICE_NAME = orcldg)))

testssl =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = 192.168.56.110)(PORT = 2484))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = dvlp)
    )
  )

[oracle@source admin]$ 

e Modify the database connection details in the Java code

[oracle@source admin]$ cd
[oracle@source ~]$ cd jdbc_ssl/
[oracle@source jdbc_ssl]$ ls
ojdbc6.jar  run.sh  SSLTest.class  SSLTest.java  SSLTest.java.def  tmp
[oracle@source jdbc_ssl]$ cat SSLTest.java
import java.sql.*;
import java.util.Properties;
import oracle.jdbc.pool.OracleDataSource;

public class SSLTest {
    public static void main(String[] args) throws SQLException {
        Connection conn = getConnection();
        conn.close();
    }

    public static Connection getConnection() throws SQLException {
        OracleDataSource ods = new OracleDataSource();
        // TCPS address and port must match the listener.ora entry on the server
        ods.setURL("jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=192.168.56.110)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=dvlp)))");
        Properties props = new Properties();
        props.setProperty("user", "system");
        props.setProperty("password", "oracle");
        //props.setProperty("oracle.net.ssl_cipher_suites","(SSL_RSA_WITH_AES_512_CBC_SHA)");
        // Anonymous DH suite: encryption only, the server is not authenticated,
        // which is why the client needs no wallet
        props.setProperty("oracle.net.ssl_cipher_suites","(SSL_DH_anon_WITH_RC4_128_MD5)");
        //props.setProperty("oracle.net.ssl_cipher_suites","(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_RC4_128_MD5,SSL_RSA_WITH_AES_128_CBC_SHA)");
        //SSL_CIPHER_SUITES= (SSL_RSA_WITH_AES_128_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA)

        ods.setConnectionProperties(props);

        Connection conn = ods.getConnection();
        // Print server and driver details to confirm the connection succeeded
        DatabaseMetaData dbmd = conn.getMetaData();
        System.out.println(dbmd.getDatabaseProductVersion());
        System.out.println("JDBC driver: " + dbmd.getDriverVersion());
        System.out.println("JDBC URL: " + dbmd.getURL());
        conn.setAutoCommit(false);
        return conn;
    }
}

5 sqlplus connection test

[oracle@source admin]$ sqlplus system/oracle@testssl

SQL*Plus: Release 11.2.0.4.0 Production on Tue May 13 15:02:51 2025

Copyright © 1982, 2013, Oracle. All rights reserved.

Connected to:

Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production

With the Partitioning, OLAP, Data Mining and Real Application Testing options

SYSTEM@testssl>exit

Disconnected from Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production

With the Partitioning, OLAP, Data Mining and Real Application Testing options

[oracle@source admin]$

6 JDBC connection test

[oracle@source jdbc_ssl]$ cat run.sh

#cp 1SSLTest.java SSLTest.java

javac -cp ojdbc6.jar SSLTest.java

java -cp .:ojdbc6.jar SSLTest

[oracle@source jdbc_ssl]$ ./run.sh

Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production

With the Partitioning, OLAP, Data Mining and Real Application Testing options

JDBC driver: 11.2.0.1.0

JDBC URL: jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=192.168.56.110)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=dvlp)))

[oracle@source jdbc_ssl]$
