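Remediation for RAC databases
Option 1: Securing registration with SCAN listeners
1. Create the wallet
On any one Oracle instance node, create the wallet as the oracle user.
First create a cost directory; it can be placed under ${ORACLE_HOME}/network/admin/.
mkdir -p ${ORACLE_HOME}/network/admin/cost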
orapki wallet create -wallet /opt/app/oracle/11.2.0/db_1/network/admin/cost
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Enter password: [prompts for a password; set one]
Enter password again: [prompts for the password again; enter the same one]
2. Remove the trusted certificates from the wallet
orapki wallet remove -trusted_cert_all -wallet /opt/app/oracle/11.2.0/db_1/network/admin/cost
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Enter wallet password: [prompts for the password set above]
3. Create a custom (self-signed) certificate
orapki wallet add -wallet /opt/app/oracle/11.2.0/db_1/network/admin/cost -self_signed -dn "cn=secure_register" -keysize 1024 -validity 3650
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
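Enter wallet password: [prompts for the password set above]
Notes:
keysize specifies the key size; allowed values are 512, 1024, or 2048 bits.
validity specifies how long the certificate is valid, in days.
4. Inspect the wallet
Confirm that it contains only one user certificate and one trusted certificate.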
orapki wallet display -wallet /opt/app/oracle/11.2.0/db_1/network/admin/cost
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Enter wallet password: [prompts for the password set above]
[The result returned is as follows]:
Requested Certificates:
User Certificates:
Subject: CN=secure_register
Trusted Certificates:
Subject: CN=secure_register
5. scp the wallet file to the other nodes
scp ewallet.p12 oracle@HXE-DB2:/opt/app/oracle/11.2.0/db_1/network/admin/cost/
6. Create the SSO file
orapki wallet create -wallet /opt/app/oracle/11.2.0/db_1/network/admin/cost -auto_login
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Enter wallet password: [prompts for the password set above]
7. Change the file permissions
chmod 640 cwallet.sso
ls -l
-rw-r----- 1 oracle oinstall 2485 Aug 17 16:15 cwallet.sso
-rw------- 1 oracle oinstall 2408 Aug 17 15:54 ewallet.p12
8. Configure the listener file
As the grid user, on every node, append the wallet information and the secure_register_listener_scan1 entry to the listener.ora file under grid_home.
LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER)))) # line added by Agent
LISTENER_SCAN1=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1)))) # line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER_SCAN1=ON # line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER=ON # line added by Agent
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /opt/app/oracle/11.2.0/db_1/network/admin/cost)
)
)
#SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)
#[The part marked in red is the newly added content]
9. Use srvctl to modify the SCAN listener configuration
srvctl config scan_listener ### show the current configuration
SCAN Listener LISTENER_SCAN1 exists. Port: TCP:1521
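srvctl modify scan_listener -p TCP:1521/TCPS:1523 ### change the configuration to include the TCPS protocol; before setting it, check whether port 1523 is already in use
srvctl stop scan_listener ### stop the listener
srvctl start scan_listener ### start the listener
srvctl config scan_listener ### confirm that the configuration has been changed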
SCAN Listener LISTENER_SCAN1 exists. Port: TCP:1521/TCPS:1523
10. Edit the sqlnet.ora file
Add the following configuration to the sqlnet.ora file of the Oracle instance, as the oracle user.
more $ORACLE_HOME/network/admin/sqlnet.ora
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /opt/app/oracle/11.2.0/db_1/network/admin/cost)
)
)
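11. Change the remote_listener parameter
The current remote_listener format is host:port; it must be changed to a format that contains the SCAN IP and port.
Get the current SCAN IP: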
srvctl config scan
SCAN name: HXE-DB-scan, Network: 1/xxx.xx.xx.x/255.255.254.0/eth0
SCAN VIP name: scan1, IP: /hostname/xxx.xx.xx.xxx
In a SQL*Plus session, change the remote_listener parameter:
alter system set remote_listener='(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=xxx.xx.xx.xxx)(PORT=1523)))' scope=both sid='*';
12. Enable COST
Edit the listener.ora file under grid_home and uncomment the #SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS) line.
13. Restart the listener
srvctl stop scan_listener
srvctl start scan_listener
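Option 2: Apply a patch so that ASM and the database register with the local listener
1. Get the patch for bug 12880299 from
https://support.oracle.com/epmos/faces/PatchSearchResults?_adf.ctrl-state=1aopm6ywfj_58&_afrLoop=185732594495777 (patch packages are available for Linux and AIX)
2. Upload the patch to the database server
3. Unpack the patch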
unzip p12880299_112030_Linux-x86-64.zip
4. Stop the RAC cluster
Carry out the following steps:
Shut down the database; run srvctl as the grid user
srvctl stop database -d <sid>
srvctl status database -d <sid>
Stop the cluster services, as root
cd /opt/app/grid/11.2.0/bin
./crsctl stop cluster -all
Check the node status (as the grid user)
crs_stat -t -v
Stop HAS, as root
cd /opt/app/grid/11.2.0/bin
./crsctl stop has -f
The HAS command above must be run on each node separately.
5. On each node, go to the OPatch directory and run
$ORACLE_HOME/OPatch/opatch apply -oh /opt/app/grid/11.2.0 -local /home/grid/soft/12880299
If you hit the error "OUI-67073:ApplySession failed: ApplySession failed to prepare the system. ApplySession was not able to create the patch_storage area: /opt/app/grid/11.2.0/.patch_storage/12880299_May_3_2012_14_51_04", switch to root and run perl ${GRID_HOME}/crs/install/rootcrs.pl -unlock -crshome /opt/app/grid/11.2.0/ to unlock the directory, then repeat the step above.
6. When the patch has been applied, run as root
${GRID_HOME}/crs/install/rootcrs.pl -patch
7. Start the database instance (switch to the grid user)
srvctl start database -d <sid>
8. Configure the listener file
Add the following to the grid listener.ora file
SECURE_REGISTER_LISTENER = (IPC,TCP)
SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)
9. Restart the listener
srvctl stop listener
srvctl start listener
Remediation for single-instance databases
Option 1: no patch required
1. Stop the listener
lsnrctl stop LISTENER
2. Add the following content (marked in red) to the listener.ora file:
LISTENER.ORA
------------
LISTENER_PROD =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = IPC)(KEY = REGISTER)) # no need to add this line if it already exists
(ADDRESS = (PROTOCOL = TCP)(HOST = <hostname>)(PORT = 1551))
)
)
SECURE_REGISTER_LISTENER = (IPC) # replace LISTENER here with the current listener name
3. Start the listener
lsnrctl start LISTENER
4. Set the local_listener parameter to use IPC
alter system set local_listener='(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=REGISTER)))' scope = both;
5. Check the listener status to see whether the instance has registered with the listener
lsnrctl status LISTENER
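If it has not, run alter system register; in the database.
Option 2: requires stopping the database and applying the patch
1. Stop the database and the listener
2. Apply patch 12880299
3. Add the following to the listener file
SECURE_REGISTER_LISTENER = (IPC) # replace LISTENER here with the current listener name
4. Start the listener and the database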
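A check for the listener.ora edits in the RAC procedure (steps 8 and 12) and in the single-instance procedure: the script below is an added example, not part of the original write-up or of any Oracle tool. It reports every listener defined in a listener.ora that has no active SECURE_REGISTER_<listener> line (a commented-out line counts as missing) and flags a TCPS rule that has no WALLET_LOCATION. The function names lsnr_params and cost_audit and the embedded sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a listener.ora for active COST restrictions.

# Flatten the file into "NAME VALUE" records, one per top-level parameter.
# Comments are dropped first, so a commented-out SECURE_REGISTER_* line
# does not count as enabled.
lsnr_params() {
    sed 's/#.*$//' "$1" | awk '
        function flush() { if (name != "") print name, val; name = "" }
        {
            gsub(/[ \t\r]/, ""); if ($0 == "") next
            if (depth == 0 && substr($0, 1, 1) != "(") {
                flush(); eq = index($0, "=")
                name = toupper(substr($0, 1, eq - 1)); val = substr($0, eq + 1)
            } else val = val $0
            depth += gsub(/\(/, "(") - gsub(/\)/, ")")
        }
        END { flush() }'
}

# Print one finding per listener; return 1 if any listener is unrestricted.
cost_audit() {
    params=$(lsnr_params "$1"); rc=0
    wallet=$(printf '%s\n' "$params" | awk '$1 == "WALLET_LOCATION" { print $2 }')
    for l in $(printf '%s\n' "$params" | awk '$2 ~ /^\((DESCRIPTION|ADDRESS)/ { print $1 }'); do
        rule=$(printf '%s\n' "$params" | awk -v n="SECURE_REGISTER_$l" '$1 == n { print $2 }')
        case $rule in
            "")     echo "FAIL $l: no active SECURE_REGISTER_$l"; rc=1 ;;
            *TCPS*) if [ -n "$wallet" ]; then echo "OK   $l: $rule"
                    else echo "FAIL $l: $rule but no WALLET_LOCATION"; rc=1; fi ;;
            *)      echo "OK   $l: $rule" ;;
        esac
    done
    return $rc
}

# Constructed sample: the RAC listener.ora from step 8, COST still commented out.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/listener.ora" <<'EOF'
LISTENER_SCAN1=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1)))) # line added by Agent
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /opt/app/oracle/11.2.0/db_1/network/admin/cost))
  )
#SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)
EOF
cost_audit "$tmp/listener.ora" || echo "listener.ora is not fully restricted"
```

Run cost_audit against the real listener.ora on each node after step 12 (RAC) or step 2 (single instance); a FAIL line means that listener still accepts registrations over every transport.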