主页 / 问题 / 1208378
Accepted
Sova Kefirova
Asked:2021-11-23 03:59:11 +0000 UTC2021-11-23 03:59:11 +0000 UTC

Oracle 中的 SSL 身份验证

  • 772

我正在尝试设置 Oracle 的 SSL 相互身份验证。windows server 2008R2 上的数据库,上面是 Active Directory,地址为 192.168.56.12。Windows 7 客户端,地址 192.168.56.11。listener.ora 服务器:

TRACE_LEVEL_LISTENER = ADMIN
TRACE_FILE_LISTENER = listener
TRACE_DIRECTORY_LISTENER = C:/app/Kefir/product/12.2.0/dbhome_1/network/trace
LOG_FILE_LISTENER = listener
LOG_DIRECTORY_LISTENER = C:/app/Kefir/product/12.2.0/dbhome_1/network/log
LOGGING_LISTENER = ON
 
SID_LIST_SSL_LISTENER =
  (SID_LIST =
    (SID_DESC =
 (GLOBAL_DBNAME = ORCL)
 (SID_NAME = ORCL)
 (ORACLE_HOME = C:/app/Kefir/product/12.2.0/dbhome_1)
    )
  )
 
#SSL_CLIENT_AUTHENTICATION = FALSE
SSL_LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = 192.168.56.12)(PORT = 2484))
  )
WALLET_LOCATION = (SOURCE=
     (METHOD = FILE)
     (METHOD_DATA =
    (DIRECTORY=C:/wallet_server
     )))

sqlnet.ora 服务器:

SQLNET.AUTHENTICATION_SERVICES= (TCPS, BEQ, NTS)
 
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
SSL_CLIENT_AUTHENTICATION = TRUE
SSL_CIPHER_SUITES= (SSL_RSA_EXPORT_WITH_RC4_40_MD5)
SSL_VERSION = 0
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
 (DIRECTORY = C:/wallet_server)
    )
  )
TRACE_DIRECTORY_SERVER = C:/app/Kefir/product/12.2.0/dbhome_1/network/trace
trace_level_server = SUPPORT
TRACE_FILE_server = trace_server

sqlnet.ora 客户端:

WALLET_LOCATION = (SOURCE=
     (METHOD = FILE)
     (METHOD_DATA =
    (DIRECTORY=C:/client_wallet
     )))
SSL_VERSION = 0
SQLNET.AUTHENTICATION_SERVICES = (TCPS,BEQ,NTS)
SSL_SERVER_DN_MATCH = TRUE
SSL_CIPHER_SUITES= (SSL_RSA_EXPORT_WITH_RC4_40_MD5)
SSL_CLIENT_AUTHENTICATION = TRUE
NAMES.DIRECTORY_PATH= (TNSNAMES,EZCONNECT)
TRACE_DIRECTORY_CLIENT = C:/client_wallet
trace_level_client = USER
TRACE_FILE_CLIENT = trace_user

tnsnames.ora 客户端

orcl =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = 192.168.56.12)(PORT = 2484))
    (CONNECT_DATA=
 (SERVER = DEDICATED)
 (SERVICE_NAME=ORCL)
    )
    (SECURITY=(SSL_SERVER_CERT_DN="CN=WIN-SFJD57T6M7B.myora.local"))#доменное имя сервера

我正在尝试连接 在此处输入图像描述

lsnrctl 状态 在此处输入图像描述

端口是 5500,即使 listener.ora 设置为 2484。我重新启动监听器,现在端口是 1521。那我该如何更改呢? 该怎么办?在此处输入图像描述 在此处输入图像描述

oracle

1 个回答

  1. Best Answer

    检查了TC使用的教程。检查时,我转向了文档的以下章节:
    配置安全套接字层身份验证数据库网络服务参考
    结果 - 配置检查了可操作性。

    分步说明

    可用的:

    • db.local.net- 数据库服务器
    • app.local.net- 带有即时客户端的机器
    • 使用默认参数,所以所有配置文件几乎都是空
      的,客户端将通过easy connect连接数据库没有任何问题

    1. 在数据库服务器上,您需要为证书创建钱包(也为客户端创建,因为它缺少必要的实用程序),并向其中添加自签名证书:

      $ cd $ORACLE_BASE

$ orapki wallet create -wallet  wallet/ -pwd Wallet0Pass -auto_login
$ orapki wallet add -wallet wallet/ -pwd Wallet0Pass \
    -dn CN=db.local.net \
    -keysize 2048 -self_signed -validity 365 # ok

$ orapki wallet create -wallet  wallet.app/ -pwd Wallet0Pass -auto_login
$ orapki wallet add -wallet wallet.app/ -pwd Wallet0Pass \
      -dn CN=app.local.net \
      -keysize 2048 -self_signed -validity 365

    2. 添加的证书必须导出并作为可信证书添加到另一个钱包:

      $ orapki wallet export -wallet wallet/     -dn CN=db.local.net  -cert db.crt -pwd Wallet0Pass
$ orapki wallet export -wallet wallet.app/ -dn CN=app.local.net -cert app.crt -pwd Wallet0Pass

$ orapki wallet add -wallet     wallet -trusted_cert -cert app.crt -pwd Wallet0Pass
$ orapki wallet add -wallet wallet.app -trusted_cert -cert db.crt -pwd Wallet0Pass

    3. 在数据库服务器上,将以下内容添加到配置文件中:

      sqlnet.ora:

      NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
WALLET_LOCATION = (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /app/oracle/wallet))
)
SQLNET.AUTHENTICATION_SERVICES = ALL
SSL_CLIENT_AUTHENTICATION = TRUE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)

      监听器.ora:

      WALLET_LOCATION = (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /app/oracle/wallet))
)
SSL_CLIENT_AUTHENTICATION = TRUE
LISTENER = (DESCRIPTION_LIST = (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP) (HOST = db.local.net)(PORT = 1521))
    (ADDRESS = (PROTOCOL = TCPS)(HOST = db.local.net)(PORT = 1544)))
)

      您需要重新启动侦听器:

      $ lsnrctl stop
$ lsnrctl start
$ lsnrctl status
[...]
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db.local.net)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
[...]
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=db.local.net)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=db.local.net)(PORT=1544)))
The listener supports no services
The command completed successfully

      参数中未指定的可用数据库服务SID_LIST_LISTENER将在一分钟内自动注册。

    4. 在带有客户端的机器上,您需要以任何可能的方式scp从数据库服务器复制钱包(我使用了实用程序)。然后添加配置文件:

      $ scp -r root@dbsrv:/app/oracle/wallet.app/ ./wallet

      sqlnet.ora:

      NAMES.DIRECTORY_PATH = (TNSNAMES, EZCONNECT)
WALLET_LOCATION = (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = d:\app\oracle\wallet))
)
SQLNET.AUTHENTICATION_SERVICES = ALL
SSL_CLIENT_AUTHENTICATION = TRUE
SSL_SERVER_DN_MATCH = TRUE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)

      tnsnames.ora:

      pdb1s = (DESCRIPTION = 
    (ADDRESS = (PROTOCOL = TCPS)(HOST = dbsrv.local.net)(PORT = 1544))
    (CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = pdb1))
    (SECURITY = (SSL_SERVER_CERT_DN = "CN=db.local.net"))
)

    5. 结果,已建立连接的协议为TCPS

      $ sqlplus -l me/me@pdb1s

SQL> select sys_context ('userenv','network_protocol') proto from dual;

PROTO
--------------------------------------------------------------------------------
tcps
    • 3

相关问题