How to configure TLS/TCPS for an Oracle Database

This step-by-step guide covers configuring Transport Layer Security (TLS) for the database and enabling TCP over SSL (TCPS) connections.

#######################################################################
Environment
#######################################################################

19c Client - rac01.localdomain

12c R2 Database Server - linux01.localdomain (192.168.56.200)


#############################################################################
Create an auto-login wallet on database server
#############################################################################

[oracle@linux01 oracle]$ mkdir -p /u02/app/oracle/wallet

[oracle@linux01 oracle]$ orapki wallet create -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787 -auto_login_local
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.


#############################################################################
Create a self-signed certificate and load it into the wallet
#############################################################################

[oracle@linux01 oracle]$ orapki wallet add -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787 -dn "CN=`hostname`" -keysize 2048 -self_signed -validity 3650
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.


#############################################################################
Export the certificate
#############################################################################

[oracle@linux01 oracle]$ orapki wallet export -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787 -dn "CN=`hostname`" -cert /tmp/`hostname`-certificate.crt
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.




#############################################################################
Edit sqlnet.ora and listener.ora and restart listener
#############################################################################

[oracle@linux01 oracle]$ cd $ORACLE_HOME/network/admin

[oracle@linux01 admin]$ vi sqlnet.ora 

WALLET_LOCATION =
   (SOURCE =
     (METHOD = FILE)
     (METHOD_DATA =
       (DIRECTORY = /u02/app/oracle/wallet)
     )
   )

SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)




[oracle@linux01 admin]$ vi listener.ora 

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = linux01.localdomain)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = linux01.localdomain)(PORT = 2484))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )

SSL_CLIENT_AUTHENTICATION = FALSE

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u02/app/oracle/wallet)
    )
  )


[oracle@linux01 admin]$ lsnrctl start 

LSNRCTL for Linux: Version 12.2.0.1.0 - Production on 24-JUL-2020 16:30:47

Copyright (c) 1991, 2016, Oracle.  All rights reserved.

Starting /u02/app/oracle/product/12.2.0/dbhome_1/bin/tnslsnr: please wait...

TNSLSNR for Linux: Version 12.2.0.1.0 - Production
System parameter file is /u02/app/oracle/product/12.2.0/dbhome_1/network/admin/listener.ora
Log messages written to /u02/app/oracle/diag/tnslsnr/linux01/listener/alert/log.xml
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=linux01.localdomain)(PORT=1521)))
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=linux01.localdomain)(PORT=2484)))
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=linux01.localdomain)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 12.2.0.1.0 - Production
Start Date                24-JUL-2020 16:30:47
Uptime                    0 days 0 hr. 0 min. 0 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /u02/app/oracle/product/12.2.0/dbhome_1/network/admin/listener.ora
Listener Log File         /u02/app/oracle/diag/tnslsnr/linux01/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=linux01.localdomain)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=linux01.localdomain)(PORT=2484)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
The listener supports no services
The command completed successfully
[oracle@linux01 admin]$ 



#############################################################################
Copy certificate from database server to client machine
#############################################################################

[oracle@linux01 admin]$ cd /tmp

[oracle@linux01 tmp]$ scp -rp linux01.localdomain-certificate.crt oracle@rac01.localdomain:/tmp
oracle@rac01.localdomain's password: 
linux01.localdomain-certificate.crt



#############################################################################
Create an auto-login wallet on client
#############################################################################

[oracle@rac01 oracle]$ mkdir -p /u02/app/oracle/wallet
                                                                                      
[oracle@rac01 oracle]$  orapki wallet create -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787 -auto_login_local
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.



#############################################################################
Create a self-signed certificate and load it into the wallet
#############################################################################

[oracle@rac01 oracle]$ orapki wallet add -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787 -dn "CN=client-`hostname`" -keysize 2048 -self_signed -validity 3650
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.

    
#############################################################################
Export the certificate
#############################################################################                                     


[oracle@rac01 oracle]$  orapki wallet export -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787 -dn "CN=client-`hostname`" -cert /tmp/client-`hostname`-certificate.crt
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.


#############################################################################
Copy certificate from client to database server
#############################################################################


[oracle@rac01 oracle]$ cd /tmp

[oracle@rac01 tmp]$ ls -l client*
-rw------- 1 oracle oinstall  675 Jul 24 16:48 client-rac01.localdomain-certificate.crt

[oracle@rac01 tmp]$ scp -rp client-rac01.localdomain-certificate.crt oracle@192.168.56.200:/tmp
oracle@192.168.56.200's password: 
client-rac01.localdomain-certificate.crt                                                           

       
#############################################################################
Load the server certificate into the client wallet  
#############################################################################


[oracle@rac01 tmp]$ orapki wallet add -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787 -trusted_cert -cert /tmp/linux01.localdomain-certificate.crt 
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.


#############################################################################
Check the contents of the client wallet
#############################################################################

[oracle@rac01 tmp]$ orapki wallet display -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Requested Certificates: 
User Certificates:
Subject:        CN=client-rac01.localdomain
Trusted Certificates: 
Subject:        CN=client-rac01.localdomain
Subject:        CN=linux01.localdomain


#############################################################################
Load the client certificate into the server wallet  
#############################################################################

[oracle@linux01 tmp]$ orapki wallet add -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787 -trusted_cert -cert /tmp/client-rac01.localdomain-certificate.crt 
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.


#############################################################################
Check the contents of the server wallet
#############################################################################

[oracle@linux01 tmp]$ orapki wallet display -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Requested Certificates: 
User Certificates:
Subject:        CN=linux01.localdomain
Trusted Certificates: 
Subject:        CN=client-rac01.localdomain
Subject:        CN=linux01.localdomain


#############################################################################
Edit sqlnet.ora on the client
#############################################################################


WALLET_LOCATION =
   (SOURCE =
     (METHOD = FILE)
     (METHOD_DATA =
       (DIRECTORY = /u02/app/oracle/wallet)
     )
   )

SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)

#############################################################################
Edit tnsnames.ora on the client - add TLS and NOTLS TNS entries 
#############################################################################


tls =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = 192.168.56.200)(PORT = 2484))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = cdb1)
    )
  )

notls =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.56.200)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = cdb1)
    )
  )
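Both sqlnet.ora files on this page (the server one earlier and the client one just above) accept the 3DES suite, otherwise use SHA-1 CBC suites with static RSA key exchange (no forward secrecy), pin no TLS version and, on the client, never check the server's DN against the connect string. The script below is an added example, not code from the original page: it lints a sqlnet.ora for those settings and prints a hardened client fragment to compare against. It assumes the documented sqlnet.ora parameter names WALLET_LOCATION, SSL_VERSION, SSL_SERVER_DN_MATCH and SSL_CIPHER_SUITES; the ECDHE/AES-GCM suite identifier in the hardened fragment is an assumption that must be confirmed against the cipher-suite list documented for your Oracle release.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): lint the TLS settings in a
# sqlnet.ora and print a hardened fragment to compare against.
# Assumption: the ECDHE/GCM suite name in hardened_client_sqlnet must be
# confirmed against the SSL_CIPHER_SUITES list documented for your release.
set -u

# audit_sqlnet FILE [client|server]
# Prints one finding per line; returns the number of findings (0 = clean).
audit_sqlnet() {
  local file=$1 role=${2:-client} findings=0 cfg suites suite reasons

  # Drop comments and all whitespace so "SSL_VERSION = 1.2" and
  # "SSL_VERSION=1.2" compare alike.
  cfg=$(sed -e 's/#.*$//' -e 's/[[:space:]]//g' "$file")

  # One configured cipher suite per line (empty when the parameter is absent).
  suites=$(printf '%s\n' "$cfg" | sed -n 's/^SSL_CIPHER_SUITES=(\(.*\))$/\1/p' | tr ',' '\n')
  while IFS= read -r suite; do
    [ -n "$suite" ] || continue
    reasons=""
    case $suite in *3DES*|*RC4*|*DES_CBC*|*_MD5|*NULL*|*anon*) reasons="broken or anonymous cipher; ";; esac
    case $suite in *_SHA) reasons="${reasons}SHA-1 MAC with CBC; ";; esac
    case $suite in SSL_RSA_WITH_*|TLS_RSA_WITH_*) reasons="${reasons}static RSA key exchange, no forward secrecy; ";; esac
    if [ -n "$reasons" ]; then
      printf 'cipher suite %s: %s\n' "$suite" "${reasons%; }"
      findings=$((findings + 1))
    fi
  done <<EOF
$suites
EOF

  # Without SSL_VERSION the peers may still negotiate TLS 1.0 or 1.1.
  printf '%s\n' "$cfg" | grep -q '^SSL_VERSION=1\.2$' \
    || { echo "SSL_VERSION is not pinned to 1.2"; findings=$((findings + 1)); }
  printf '%s\n' "$cfg" | grep -q '^WALLET_LOCATION=' \
    || { echo "WALLET_LOCATION is missing"; findings=$((findings + 1)); }
  # Client only: without DN matching, any certificate chaining to a trusted
  # certificate in the wallet is accepted, whatever host it was issued for.
  if [ "$role" = client ]; then
    printf '%s\n' "$cfg" | grep -qi '^SSL_SERVER_DN_MATCH=YES$' \
      || { echo "SSL_SERVER_DN_MATCH is not YES"; findings=$((findings + 1)); }
  fi
  return "$findings"
}

# Hardened client-side fragment for the wallet location used on the page.
hardened_client_sqlnet() {
  cat <<'EOF'
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u02/app/oracle/wallet)
    )
  )

SSL_VERSION = 1.2
SSL_SERVER_DN_MATCH = YES
# Assumed identifier: confirm it against the list documented for your release
SSL_CIPHER_SUITES = (SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
SSL_CLIENT_AUTHENTICATION = FALSE
EOF
}

# The page's client sqlnet.ora, reconstructed inline for the demonstration.
page_cfg=$(mktemp) && hardened=$(mktemp)
trap 'rm -f "$page_cfg" "$hardened"' EXIT
cat >"$page_cfg" <<'EOF'
WALLET_LOCATION =
   (SOURCE =
     (METHOD = FILE)
     (METHOD_DATA =
       (DIRECTORY = /u02/app/oracle/wallet)
     )
   )

SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
EOF
hardened_client_sqlnet >"$hardened"

echo "== findings in the page's client sqlnet.ora =="
audit_sqlnet "$page_cfg" client || true
echo "== findings in the hardened fragment =="
audit_sqlnet "$hardened" client && echo "(none)"
```

With SSL_SERVER_DN_MATCH = YES the connect string has to identify the server the way its certificate does: the `tls` entry above uses HOST = 192.168.56.200 while the server certificate's DN is CN=linux01.localdomain, so either connect by that host name or add (SECURITY = (SSL_SERVER_CERT_DN = "CN=linux01.localdomain")) to the entry. Note also that with SSL_CLIENT_AUTHENTICATION = FALSE on both sides only the server certificate is presented during the handshake; the client certificate created earlier and imported into the server wallet is not used until client authentication is turned on.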


#############################################################################
Test TLS Connection from client to server 
#############################################################################


[oracle@rac01 admin]$ sqlplus system/oracle@tls

SQL*Plus: Release 19.0.0.0.0 - Production on Fri Jul 24 17:48:09 2020
Version 19.6.0.0.0

Copyright (c) 1982, 2019, Oracle.  All rights reserved.

Last Successful login time: Wed Jul 22 2020 15:19:49 +08:00

Connected to:
Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production

SQL> SELECT SYS_CONTEXT('USERENV', 'network_protocol') FROM DUAL;

SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')
--------------------------------------------------------------------------------
tcps



#############################################################################
Test Non TLS Connection from client to server 
#############################################################################

[oracle@rac01 admin]$ sqlplus system/oracle@notls

SQL*Plus: Release 19.0.0.0.0 - Production on Sat Jul 25 10:40:53 2020
Version 19.6.0.0.0

Copyright (c) 1982, 2019, Oracle.  All rights reserved.

Last Successful login time: Fri Jul 24 2020 17:48:09 +08:00

Connected to:
Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production

SQL> SELECT SYS_CONTEXT('USERENV', 'network_protocol') FROM DUAL;

SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')
--------------------------------------------------------------------------------
tcp
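The last test is the point worth acting on: after all of the above, the plaintext TCP endpoint on port 1521 is still open and `notls` still connects, so TLS is available but not enforced. The script below is an added example, not code from the original page: it reports every plain-TCP endpoint found in `lsnrctl status` output or a listener.ora, and rewrites listener.ora so that only the TCPS and local IPC endpoints remain. The sample inputs are copies of the page's own listener output and listener.ora, constructed inline so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): report the plaintext endpoints a
# listener still exposes and rewrite listener.ora so only TCPS and the local
# IPC endpoint remain. Sample inputs are constructed copies of the page's
# lsnrctl output and listener.ora.
set -u

# plaintext_endpoints FILE
# FILE may be "lsnrctl status" output or a listener.ora. Prints "host port" for
# every ADDRESS using plain TCP; returns 1 when none is found.
plaintext_endpoints() {
  local found
  # Lower-case and strip blanks so "(PROTOCOL = TCP)" and "(PROTOCOL=tcp)" match
  # alike; the literal ")" after tcp keeps tcps endpoints out of the result.
  found=$(tr 'A-Z' 'a-z' <"$1" | tr -d ' \t' \
    | grep -o '(address=(protocol=tcp)(host=[^)]*)(port=[0-9]*))' \
    | sed 's/(address=(protocol=tcp)(host=\([^)]*\))(port=\([0-9]*\)))/\1 \2/')
  [ -n "$found" ] || return 1
  printf '%s\n' "$found"
}

# tcps_only_listener IN OUT
# Writes IN to OUT with every plain-TCP ADDRESS line removed; TCPS and IPC stay.
tcps_only_listener() {
  grep -v -i '(PROTOCOL *= *TCP)' "$1" >"$2"
}

status_sample=$(mktemp) && listener_in=$(mktemp) && listener_out=$(mktemp)
trap 'rm -f "$status_sample" "$listener_in" "$listener_out"' EXIT

# Endpoint summary as printed by "lsnrctl status" on the page (constructed copy).
cat >"$status_sample" <<'EOF'
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=linux01.localdomain)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=linux01.localdomain)(PORT=2484)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
EOF

# The page's listener.ora (constructed copy).
cat >"$listener_in" <<'EOF'
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = linux01.localdomain)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = linux01.localdomain)(PORT = 2484))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )

SSL_CLIENT_AUTHENTICATION = FALSE

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u02/app/oracle/wallet)
    )
  )
EOF

echo "== plaintext endpoints still open =="
plaintext_endpoints "$status_sample" || echo "(none)"
tcps_only_listener "$listener_in" "$listener_out"
echo "== listener.ora with the TCP endpoint removed =="
cat "$listener_out"
echo "== plaintext endpoints after the rewrite =="
plaintext_endpoints "$listener_out" || echo "(none)"
```

After installing the rewritten listener.ora and restarting the listener (lsnrctl stop / lsnrctl start, as on the page), repeat the two connection tests: `tls` should still work and `notls` should be refused. Two things to settle before doing this on a shared system: the instance registers its services with the listener over TCP port 1521 by default, so once that endpoint is gone set LOCAL_LISTENER to an endpoint the listener still has (the IPC endpoint from the page is enough for a single-instance database), or the listener will keep reporting that it supports no services; and the `sqlplus system/oracle@tls` form used in the tests puts the password in the process list and shell history, so prefer `sqlplus system@tls` and type it at the prompt (orapki likewise prompts for the wallet password when `-pwd` is omitted).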