How to configure TLS/TCPS for Oracle Database


This step-by-step guide describes how to configure Transport Layer Security (TLS) for the database and enable TCP over SSL (TCPS) connections.

#######################################################################
Environment
#######################################################################

19c Client - rac01.localdomain

12c R2 Database Server - linux01.localdomain


#############################################################################
Create an auto-login wallet on database server
#############################################################################

[oracle@linux01 oracle]$ mkdir -p /u02/app/oracle/wallet

[oracle@linux01 oracle]$ orapki wallet create -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787 -auto_login_local
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.


#############################################################################
Create a self-signed certificate and load it into the wallet
#############################################################################

[oracle@linux01 oracle]$ orapki wallet add -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787 -dn "CN=`hostname`" -keysize 1024 -self_signed -validity 3650
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.


#############################################################################
Export the certificate
#############################################################################

[oracle@linux01 oracle]$ orapki wallet export -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787 -dn "CN=`hostname`" -cert /tmp/`hostname`-certificate.crt
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.




#############################################################################
Edit sqlnet.ora and listener.ora and restart listener
#############################################################################

[oracle@linux01 oracle]$ cd $ORACLE_HOME/network/admin

[oracle@linux01 admin]$ vi sqlnet.ora 

WALLET_LOCATION =
   (SOURCE =
     (METHOD = FILE)
     (METHOD_DATA =
       (DIRECTORY = /u02/app/oracle/wallet)
     )
   )

SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)




[oracle@linux01 admin]$ vi listener.ora 

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = linux01.localdomain)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = linux01.localdomain)(PORT = 2484))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )

SSL_CLIENT_AUTHENTICATION = FALSE


[oracle@linux01 admin]$ lsnrctl start 

LSNRCTL for Linux: Version 12.2.0.1.0 - Production on 24-JUL-2020 16:30:47

Copyright (c) 1991, 2016, Oracle.  All rights reserved.

Starting /u02/app/oracle/product/12.2.0/dbhome_1/bin/tnslsnr: please wait...

TNSLSNR for Linux: Version 12.2.0.1.0 - Production
System parameter file is /u02/app/oracle/product/12.2.0/dbhome_1/network/admin/listener.ora
Log messages written to /u02/app/oracle/diag/tnslsnr/linux01/listener/alert/log.xml
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=linux01.localdomain)(PORT=1521)))
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=linux01.localdomain)(PORT=2484)))
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=linux01.localdomain)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 12.2.0.1.0 - Production
Start Date                24-JUL-2020 16:30:47
Uptime                    0 days 0 hr. 0 min. 0 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /u02/app/oracle/product/12.2.0/dbhome_1/network/admin/listener.ora
Listener Log File         /u02/app/oracle/diag/tnslsnr/linux01/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=linux01.localdomain)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=linux01.localdomain)(PORT=2484)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
The listener supports no services
The command completed successfully
[oracle@linux01 admin]$ 



#############################################################################
Copy certificate from database server to client machine
#############################################################################

[oracle@linux01 admin]$ cd /tmp

[oracle@linux01 tmp]$ scp -rp rac01.localdomain-certificate.crt oracle@192.168.56.200:/tmp
The authenticity of host '192.168.56.200 (192.168.56.200)' can't be established.
RSA key fingerprint is 2a:8e:8d:d5:33:5a:dc:e2:0d:c8:2f:ba:33:85:c4:29.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.200' (RSA) to the list of known hosts.
oracle@192.168.56.200's password: 
rac01.localdomain-certificate.crt    



#############################################################################
Create an auto-login wallet on client
#############################################################################

[oracle@rac01 oracle]$ mkdir -p /u02/app/oracle/wallet
                                                                                      
[oracle@rac01 oracle]$  orapki wallet create -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787 -auto_login_local
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.



#############################################################################
Create a self-signed certificate and load it into the wallet
#############################################################################

[oracle@rac01 oracle]$ orapki wallet add -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787 -dn "CN=client-`hostname`" -keysize 1024 -self_signed -validity 3650
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.

    
#############################################################################
Export the certificate
#############################################################################                                     


[oracle@rac01 oracle]$  orapki wallet export -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787 -dn "CN=client-`hostname`" -cert /tmp/client-`hostname`-certificate.crt
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.


#############################################################################
Copy certificate from client to database server
#############################################################################


[oracle@rac01 oracle]$ cd /tmp

[oracle@rac01 tmp]$ ls -l client*
-rw------- 1 oracle oinstall  675 Jul 24 16:48 client-rac01.localdomain-certificate.crt

[oracle@rac01 tmp]$ scp -rp client-rac01.localdomain-certificate.crt oracle@192.168.56.200:/tmp
oracle@192.168.56.200's password: 
client-rac01.localdomain-certificate.crt                                                           

       
#############################################################################
Load the server certificate into the client wallet  
#############################################################################


[oracle@rac01 tmp]$ orapki wallet add -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787 -trusted_cert -cert /tmp/linux01.localdomain-certificate.crt 
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.


#############################################################################
Check the contents of the client wallet
#############################################################################

[oracle@rac01 tmp]$ orapki wallet display -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Requested Certificates: 
User Certificates:
Subject:        CN=client-rac01.localdomain
Trusted Certificates: 
Subject:        CN=client-rac01.localdomain
Subject:        CN=linux01.localdomain


#############################################################################
Load the client certificate into the server wallet  
#############################################################################

[oracle@linux01 tmp]$ orapki wallet add -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787 -trusted_cert -cert /tmp/client-rac01.localdomain-certificate.crt 
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.


#############################################################################
Check the contents of the server wallet
#############################################################################

[oracle@linux01 tmp]$ orapki wallet display -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Requested Certificates: 
User Certificates:
Subject:        CN=linux01.localdomain
Trusted Certificates: 
Subject:        CN=client-rac01.localdomain
Subject:        CN=linux01.localdomain


#############################################################################
Edit sqlnet.ora and tnsnames.ora on the client
#############################################################################


WALLET_LOCATION =
   (SOURCE =
     (METHOD = FILE)
     (METHOD_DATA =
       (DIRECTORY = /u02/app/oracle/wallet)
     )
   )

SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)

#############################################################################
Edit tnsnames.ora on the client - add TLS and NOTLS TNS entries 
#############################################################################


tls =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = 192.168.56.200)(PORT = 2484))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = cdb1)
    )
  )

notls =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.56.200)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = cdb1)
    )
  )


#############################################################################
Test TLS Connection from client to server 
#############################################################################


[oracle@rac01 admin]$ sqlplus system/oracle@tls

SQL*Plus: Release 19.0.0.0.0 - Production on Fri Jul 24 17:48:09 2020
Version 19.6.0.0.0

Copyright (c) 1982, 2019, Oracle.  All rights reserved.

Last Successful login time: Wed Jul 22 2020 15:19:49 +08:00

Connected to:
Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production

SQL> SELECT SYS_CONTEXT('USERENV', 'network_protocol') FROM DUAL;

SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')
--------------------------------------------------------------------------------
tcps



#############################################################################
Test Non TLS Connection from client to server 
#############################################################################

[oracle@rac01 admin]$ sqlplus system/oracle@notls

SQL*Plus: Release 19.0.0.0.0 - Production on Sat Jul 25 10:40:53 2020
Version 19.6.0.0.0

Copyright (c) 1982, 2019, Oracle.  All rights reserved.

Last Successful login time: Fri Jul 24 2020 17:48:09 +08:00

Connected to:
Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production

SQL> SELECT SYS_CONTEXT('USERENV', 'network_protocol') FROM DUAL;

SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')
--------------------------------------------------------------------------------
tcp
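Added example, not part of the original guide: a small Python audit that parses the Oracle Net `PARAM = value` syntax of sqlnet.ora and reports the settings in the configuration above that a reviewer would question (the 3DES cipher suite, no SSL_VERSION, SSL_CLIENT_AUTHENTICATION=FALSE on the server and, for a client-side file, SSL_SERVER_DN_MATCH left off, so the server certificate subject is never compared with the connect string). The embedded sqlnet.ora text is the server-side file from this guide; the WEAK_MARKERS list and the assumed default of NO for SSL_SERVER_DN_MATCH are my assumptions.

```python
import re

# Constructed sample input: the server-side sqlnet.ora from the guide above.
SERVER_SQLNET = """WALLET_LOCATION =
   (SOURCE =
     (METHOD = FILE)
     (METHOD_DATA =
       (DIRECTORY = /u02/app/oracle/wallet)
     )
   )
SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
"""
# Substrings marking cipher suites a reviewer would reject (assumed list).
WEAK_MARKERS = ("3DES", "RC4", "MD5", "NULL", "EXPORT", "_DES_")

def parse_sqlnet(text):
    """Parse Oracle Net 'PARAM = value' text into {PARAM: value}; multi-line values are joined."""
    params, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        if depth == 0 and not line.startswith("(") and "=" in line:
            name, _, rest = line.partition("=")
            current = name.strip().upper()
            params[current] = rest.strip()
        elif current is not None:  # continuation of a parenthesised value
            params[current] = (params[current] + " " + line).strip()
        depth += line.count("(") - line.count(")")
    return params

def audit_tls(params, role="server"):
    """Return findings for the TLS-relevant parameters of one sqlnet.ora."""
    findings = []
    if not re.search(r"\(DIRECTORY\s*=\s*[^)]+\)", params.get("WALLET_LOCATION", "")):
        findings.append("WALLET_LOCATION: no DIRECTORY, TCPS has no wallet to use")
    suites = params.get("SSL_CIPHER_SUITES", "").strip("()").split(",")
    for suite in (s.strip() for s in suites if s.strip()):
        if any(m in suite for m in WEAK_MARKERS):
            findings.append(f"SSL_CIPHER_SUITES: weak suite enabled: {suite}")
    if "SSL_VERSION" not in params:
        findings.append("SSL_VERSION: not set, the default protocol version list applies")
    if role == "server" and params.get("SSL_CLIENT_AUTHENTICATION", "TRUE").upper() == "FALSE":
        findings.append("SSL_CLIENT_AUTHENTICATION=FALSE: one-way TLS, client certificate not required")
    # Client side: without DN matching the server certificate subject is not verified (default assumed NO).
    if role == "client" and params.get("SSL_SERVER_DN_MATCH", "NO").upper() not in ("YES", "ON", "TRUE"):
        findings.append("SSL_SERVER_DN_MATCH: off, server DN is not checked against the connect string")
    return findings
```

Run `audit_tls(parse_sqlnet(open("sqlnet.ora").read()), role="client")` against the client file to get the client-side findings; the same call with `role="server"` covers the listener side.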