How to configure TLS/TCPS for an Oracle database

This step-by-step guide walks through configuring Transport Layer Security (TLS) for the database and enabling TCP over SSL (TCPS) connections.

#######################################################################
Environment
#######################################################################

19c Client - rac01.localdomain

12c R2 Database Server - linux01.localdomain (192.168.56.200)


#############################################################################
Create an auto-login wallet on database server
#############################################################################

[oracle@linux01 oracle]$ mkdir -p /u02/app/oracle/wallet

[oracle@linux01 oracle]$ orapki wallet create -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787 -auto_login_local
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.

-auto_login_local writes an auto-login file (cwallet.sso) that can be opened without the password only by the OS user who created it and only on this host; that is what lets the listener and the database open the wallet unattended. Passing -pwd on the command line leaves the wallet password in the shell history and in process listings; omit it and orapki prompts for the password instead. Keep the wallet directory readable only by the Oracle software owner.


#############################################################################
Create a self-signed certificate and load it into the wallet
#############################################################################

[oracle@linux01 oracle]$ orapki wallet add -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787 -dn "CN=`hostname`" -keysize 1024 -self_signed -validity 3650
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.

A 1024-bit RSA key is too small for anything but a throwaway lab; use -keysize 2048 or 4096 (orapki accepts 512, 1024, 2048 and 4096). Because the certificate is self-signed, the client has to trust it explicitly, which is what the -trusted_cert import on the client below does. For production, have a certificate request signed by your CA and import the CA chain instead of individual server certificates.


#############################################################################
Export the certificate
#############################################################################

[oracle@linux01 oracle]$ orapki wallet export -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787 -dn "CN=`hostname`" -cert /tmp/`hostname`-certificate.crt
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.




#############################################################################
Edit sqlnet.ora and listener.ora and restart listener
#############################################################################

[oracle@linux01 oracle]$ cd $ORACLE_HOME/network/admin

[oracle@linux01 admin]$ vi sqlnet.ora 

WALLET_LOCATION =
   (SOURCE =
     (METHOD = FILE)
     (METHOD_DATA =
       (DIRECTORY = /u02/app/oracle/wallet)
     )
   )

SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)

Two settings to tighten before using this outside a lab: SSL_RSA_WITH_3DES_EDE_CBC_SHA is an obsolete suite and should be dropped in favour of AES-GCM suites (12.2 and later accept TLS 1.2 names such as TLS_RSA_WITH_AES_256_GCM_SHA384), and SSL_VERSION should be set explicitly (SSL_VERSION = 1.2) so that older protocol versions cannot be negotiated. SSL_CLIENT_AUTHENTICATION = FALSE means the server never requests a client certificate: TLS here authenticates the server to the client and encrypts the session, and the client-certificate steps further down are not needed for the handshake to succeed.




[oracle@linux01 admin]$ vi listener.ora 

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = linux01.localdomain)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = linux01.localdomain)(PORT = 2484))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )

SSL_CLIENT_AUTHENTICATION = FALSE

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u02/app/oracle/wallet)
    )
  )

The listener terminates the TLS handshake on port 2484, so listener.ora carries its own WALLET_LOCATION pointing at the wallet that holds the server certificate, in addition to the one in sqlnet.ora. The plain TCP endpoint on 1521 is kept so the notls test below still works; remove it once every client has moved to TCPS, otherwise the encrypted endpoint is optional for anyone who can reach 1521.

[oracle@linux01 admin]$ lsnrctl start 

LSNRCTL for Linux: Version 12.2.0.1.0 - Production on 24-JUL-2020 16:30:47

Copyright (c) 1991, 2016, Oracle.  All rights reserved.

Starting /u02/app/oracle/product/12.2.0/dbhome_1/bin/tnslsnr: please wait...

TNSLSNR for Linux: Version 12.2.0.1.0 - Production
System parameter file is /u02/app/oracle/product/12.2.0/dbhome_1/network/admin/listener.ora
Log messages written to /u02/app/oracle/diag/tnslsnr/linux01/listener/alert/log.xml
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=linux01.localdomain)(PORT=1521)))
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=linux01.localdomain)(PORT=2484)))
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=linux01.localdomain)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 12.2.0.1.0 - Production
Start Date                24-JUL-2020 16:30:47
Uptime                    0 days 0 hr. 0 min. 0 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /u02/app/oracle/product/12.2.0/dbhome_1/network/admin/listener.ora
Listener Log File         /u02/app/oracle/diag/tnslsnr/linux01/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=linux01.localdomain)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=linux01.localdomain)(PORT=2484)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
The listener supports no services
The command completed successfully
[oracle@linux01 admin]$ 

"The listener supports no services" is expected right after a start: the instance registers its services with the listener shortly afterwards (or immediately after ALTER SYSTEM REGISTER), and the connection tests below need that registration to have happened.



#############################################################################
Copy certificate from database server to client machine
#############################################################################

[oracle@linux01 admin]$ cd /tmp

[oracle@linux01 tmp]$ scp -p linux01.localdomain-certificate.crt oracle@rac01.localdomain:/tmp
oracle@rac01.localdomain's password: 
linux01.localdomain-certificate.crt



#############################################################################
Create an auto-login wallet on client
#############################################################################

[oracle@rac01 oracle]$ mkdir -p /u02/app/oracle/wallet
                                                                                      
[oracle@rac01 oracle]$  orapki wallet create -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787 -auto_login_local
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.



#############################################################################
Create a self-signed certificate and load it into the wallet
#############################################################################

[oracle@rac01 oracle]$ orapki wallet add -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787 -dn "CN=client-`hostname`" -keysize 1024 -self_signed -validity 3650
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.

    
#############################################################################
Export the certificate
#############################################################################                                     


[oracle@rac01 oracle]$  orapki wallet export -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787 -dn "CN=client-`hostname`" -cert /tmp/client-`hostname`-certificate.crt
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.


#############################################################################
Copy certificate from client to database server
#############################################################################


[oracle@rac01 oracle]$ cd /tmp

[oracle@rac01 tmp]$ ls -l client*
-rw------- 1 oracle oinstall  675 Jul 24 16:48 client-rac01.localdomain-certificate.crt

[oracle@rac01 tmp]$ scp -rp client-rac01.localdomain-certificate.crt oracle@192.168.56.200:/tmp
oracle@192.168.56.200's password: 
client-rac01.localdomain-certificate.crt                                                           

       
#############################################################################
Load the server certificate into the client wallet  
#############################################################################


[oracle@rac01 tmp]$ orapki wallet add -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787 -trusted_cert -cert /tmp/linux01.localdomain-certificate.crt 
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.


#############################################################################
Check the contents of the client wallet
#############################################################################

[oracle@rac01 tmp]$ orapki wallet display -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Requested Certificates: 
User Certificates:
Subject:        CN=client-rac01.localdomain
Trusted Certificates: 
Subject:        CN=client-rac01.localdomain
Subject:        CN=linux01.localdomain


#############################################################################
Load the client certificate into the server wallet  
#############################################################################

[oracle@linux01 tmp]$ orapki wallet add -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787 -trusted_cert -cert /tmp/client-rac01.localdomain-certificate.crt 
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.


#############################################################################
Check the contents of the server wallet
#############################################################################

[oracle@linux01 tmp]$ orapki wallet display -wallet "/u02/app/oracle/wallet" -pwd DreamLiner787
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Requested Certificates: 
User Certificates:
Subject:        CN=linux01.localdomain
Trusted Certificates: 
Subject:        CN=client-rac01.localdomain
Subject:        CN=linux01.localdomain


#############################################################################
Edit sqlnet.ora on the client
#############################################################################


[oracle@rac01 admin]$ vi sqlnet.ora

WALLET_LOCATION =
   (SOURCE =
     (METHOD = FILE)
     (METHOD_DATA =
       (DIRECTORY = /u02/app/oracle/wallet)
     )
   )

SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)

The cipher-suite and SSL_VERSION remarks made for the server apply here as well. What the connection actually depends on is that the client wallet holds the server certificate as a trusted certificate (loaded above); with SSL_CLIENT_AUTHENTICATION = FALSE on the server, the client's own user certificate is never presented. If you later turn client authentication on (SSL_CLIENT_AUTHENTICATION = TRUE on the server), the client certificate already imported into the server wallet is what the server will check.

#############################################################################
Edit tnsnames.ora on the client - add TLS and NOTLS TNS entries 
#############################################################################


tls =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = 192.168.56.200)(PORT = 2484))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = cdb1)
    )
  )

notls =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.56.200)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = cdb1)
    )
  )

Both entries connect by IP address while the server certificate's CN is linux01.localdomain. To have the client check the server's identity and not only its trust chain, set SSL_SERVER_DN_MATCH = yes in the client sqlnet.ora and either connect by the hostname in the CN or add (SECURITY = (SSL_SERVER_CERT_DN = "CN=linux01.localdomain")) inside the DESCRIPTION of the tls entry. The notls entry exists only for the comparison test below.

#############################################################################
Test TLS Connection from client to server 
#############################################################################


[oracle@rac01 admin]$ sqlplus system/oracle@tls

SQL*Plus: Release 19.0.0.0.0 - Production on Fri Jul 24 17:48:09 2020
Version 19.6.0.0.0

Copyright (c) 1982, 2019, Oracle.  All rights reserved.

Last Successful login time: Wed Jul 22 2020 15:19:49 +08:00

Connected to:
Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production

SQL> SELECT SYS_CONTEXT('USERENV', 'network_protocol') FROM DUAL;

SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')
--------------------------------------------------------------------------------
tcps



#############################################################################
Test Non TLS Connection from client to server 
#############################################################################

[oracle@rac01 admin]$ sqlplus system/oracle@notls

SQL*Plus: Release 19.0.0.0.0 - Production on Sat Jul 25 10:40:53 2020
Version 19.6.0.0.0

Copyright (c) 1982, 2019, Oracle.  All rights reserved.

Last Successful login time: Fri Jul 24 2020 17:48:09 +08:00

Connected to:
Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production

SQL> SELECT SYS_CONTEXT('USERENV', 'network_protocol') FROM DUAL;

SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')
--------------------------------------------------------------------------------
tcp
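Before signing off on a setup like the one above, a practitioner would check that the configuration enforces what was intended rather than only that a session reports tcps. The script below is an added example, not part of the original guide: it audits the TLS-related sqlnet.ora parameters used on both machines (SSL_CIPHER_SUITES, SSL_VERSION, WALLET_LOCATION, SSL_SERVER_DN_MATCH, SSL_CLIENT_AUTHENTICATION) and offers an openssl handshake against the TCPS listener that works independently of the Oracle client. The two sqlnet.ora samples it writes are constructed (one mirrors the guide's settings, one is a hardened variant); the hostname, port and certificate path used by the verify step are assumptions taken from the guide's environment.

```shell
#!/bin/sh
# Added example (not part of the original guide): audit the TLS parameters an
# Oracle sqlnet.ora sets and verify a TCPS endpoint with openssl. The sample
# files, host, port and certificate path below are constructed/assumed.

# Value of a single-line parameter (NAME = value or NAME = (v1, v2)), with the
# surrounding parentheses and blanks stripped. Prints nothing if it is absent.
net_param() {   # $1 = file, $2 = parameter name
    grep -i -E "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null | head -n 1 \
      | sed -E 's/^[^=]*=[[:space:]]*//' | tr -d ' ()'
}

# Directory named inside the (possibly multi-line) WALLET_LOCATION block.
wallet_dir() {   # $1 = file
    grep -i -o -E 'DIRECTORY[[:space:]]*=[[:space:]]*[^)]+' "$1" 2>/dev/null \
      | head -n 1 | sed -E 's/^[^=]*=[[:space:]]*//'
}

# Number of obsolete suites (3DES, RC4, MD5, NULL, anonymous) listed in
# SSL_CIPHER_SUITES; prints 0 when the parameter is unset.
weak_cipher_count() {   # $1 = file
    net_param "$1" SSL_CIPHER_SUITES | tr ',' '\n' \
      | grep -c -i -E '3DES|RC4|MD5|NULL|ANON' || true
}

# Prints one WARN/INFO line per finding and a final "FINDINGS <n>" line.
# Always exits 0 so it can be chained in pipelines.
audit_sqlnet() {   # $1 = file
    _f=$1; _n=0
    _w=$(weak_cipher_count "$_f")
    if [ "$_w" -gt 0 ]; then
        echo "WARN $_w obsolete cipher suite(s) in SSL_CIPHER_SUITES: drop 3DES/RC4, prefer AES-GCM suites"
        _n=$((_n + _w))
    fi
    if [ -z "$(net_param "$_f" SSL_VERSION)" ]; then
        echo "WARN SSL_VERSION not set: pin it to 1.2 so older protocol versions cannot be negotiated"
        _n=$((_n + 1))
    fi
    if [ -z "$(wallet_dir "$_f")" ]; then
        echo "WARN WALLET_LOCATION missing: TCPS has no certificate or trust store to use"
        _n=$((_n + 1))
    fi
    case "$(net_param "$_f" SSL_SERVER_DN_MATCH | tr 'A-Z' 'a-z')" in
        yes|on|true) ;;
        *) echo "INFO SSL_SERVER_DN_MATCH not enabled: any certificate the wallet trusts is accepted for any host"
           _n=$((_n + 1)) ;;
    esac
    case "$(net_param "$_f" SSL_CLIENT_AUTHENTICATION | tr 'A-Z' 'a-z')" in
        false|no|off) echo "INFO SSL_CLIENT_AUTHENTICATION=FALSE: server-only TLS, client certificates are not requested" ;;
    esac
    echo "FINDINGS $_n"
    return 0
}

# Handshake with the TCPS listener outside the Oracle client stack and require
# the presented certificate to chain to the exported server certificate (PEM).
# Exits non-zero on a verification failure. Needs network access, so the
# self-test does not call it.
verify_tcps_endpoint() {   # $1 = host, $2 = port, $3 = trusted certificate
    openssl s_client -connect "$1:$2" -CAfile "$3" -verify_return_error </dev/null
}

# Two constructed sqlnet.ora files: the guide's settings and a hardened set.
# Prints the directory that holds weak.ora and hard.ora.
write_samples() {
    _d=$(mktemp -d)
    cat > "$_d/weak.ora" <<'EOF'
WALLET_LOCATION =
   (SOURCE =
     (METHOD = FILE)
     (METHOD_DATA =
       (DIRECTORY = /u02/app/oracle/wallet)
     )
   )
SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
EOF
    cat > "$_d/hard.ora" <<'EOF'
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /u02/app/oracle/wallet)))
SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_VERSION = 1.2
SSL_SERVER_DN_MATCH = yes
SSL_CIPHER_SUITES = (TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
EOF
    echo "$_d"
}

# Usage: demo | verify <host> <port> <cert.pem>
case "${1:-}" in
    demo)
        _dir=$(write_samples)
        for _s in weak hard; do echo "== $_s.ora"; audit_sqlnet "$_dir/$_s.ora"; done
        rm -rf "$_dir" ;;
    verify)
        verify_tcps_endpoint "${2:-linux01.localdomain}" "${3:-2484}" \
            "${4:-/tmp/linux01.localdomain-certificate.crt}" ;;
esac
```

Saved under any name, `sh audit.sh demo` prints the findings for the two samples (the guide's settings produce three: the 3DES suite, no SSL_VERSION, no DN matching). `sh audit.sh verify linux01.localdomain 2484 /tmp/linux01.localdomain-certificate.crt`, run from the client after the certificate was copied there, performs a TLS handshake with the listener and fails unless the certificate it presents chains to the exported one; running the same check against port 1521 fails the handshake outright, which is the quickest way to confirm that only the TCPS endpoint speaks TLS.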