文章目录
- 一、环境信息
- 二、配置过程
- 1.创建证书
- 2.监听配置
- 2.1.配置sqlnet.ora
- 2.2.配置listener.ora文件
- 2.3.配置tnsnames.ora文件
- 2.4.重载监听
- 3.数据库本地测试
- 3.1. tcps登录测试
- 3.2.日志监控
一、环境信息
操作系统:Linux
版本信息:Oracle 19c
参考文档:https://www.cnblogs.com/zhj5418/p/14957264.html
二、配置过程
1.创建证书
--oracle用户下操作
mkdir /home/oracle/wallet
orapki wallet create -wallet "/home/oracle/wallet" -pwd WalletPasswd123 -auto_login_local
--创建一个自签名证书并将其加载到
orapki wallet add -wallet "/home/oracle/wallet" -pwd WalletPasswd123 -dn "CN=`hostname`" -keysize 1024 -self_signed -validity 3650
--检查wallet的内容,需要注意的是自签名证书既是用户也是可信证书
orapki wallet display -wallet "/home/oracle/wallet" -pwd WalletPasswd123
--导出证书,以便稍后将其加载到客户的wallet中
orapki wallet export -wallet "/home/oracle/wallet" -pwd WalletPasswd123 -dn "CN=`hostname`" -cert /tmp/`hostname`-certificate.crt
--检查证书是否已按预期导出
cat /tmp/`hostname`-certificate.crt
2.监听配置
2.1.配置sqlnet.ora
将以下内容添加到“$ORACLE_HOME/network/admin/sqlnet.ora”文件中
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)WALLET_LOCATION =(SOURCE =(METHOD = FILE)(METHOD_DATA =(DIRECTORY = /home/oracle/wallet)))
SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
#SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CLIENT_AUTHENTICATION = TRUE
DIAG_ADR_ENABLED = OFF
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
ADR_BASE = /u01/app/oracle
2.2.配置listener.ora文件
将监听配置为接受SSL/TLS加密连接。编辑“$ORACLE_HOME/network/admin/listener.ora”文件,添加wallet信息以及TCPS内容
SSL_CLIENT_AUTHENTICATION = FALSEWALLET_LOCATION =(SOURCE =(METHOD = FILE)(METHOD_DATA =(DIRECTORY = /home/oracle/wallet)))LISTENER =(DESCRIPTION_LIST =(DESCRIPTION =(ADDRESS = (PROTOCOL = TCP)(HOST = p19c)(PORT = 1521))(ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))(ADDRESS = (PROTOCOL = TCPS)(HOST = p19c)(PORT = 2484))(ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC2484))))
DIAG_ADR_ENABLED_LISTENER = OFF
ADR_BASE_LISTENER = /u01/app/oracle
TRACE_LEVEL_LISTENER=user
2.3.配置tnsnames.ora文件
将以下内容加入到“$ORACLE_HOME/network/admin/tnsnames.ora”文件
TCPS1 =(DESCRIPTION =(ADDRESS = (PROTOCOL = TCPS)(HOST = p19c)(PORT = 2484))(CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = p19c)))
2.4.重载监听
lsnrctl reload
lsnrctl status
3.数据库本地测试
3.1. tcps登录测试
sqlplus zyy/123@TCPS1
3.2.日志监控
cd /u01/app/oracle/product/19.3.0/network/log/
tail -f listener.ora
Oracle配置tcps加密连接已经配置成功。