Oracle Wallet in practice, with common maintenance operations


What the Wallet does

Starting with Oracle 10g R2, Oracle Wallet lets any database user log in without supplying a password (as opposed to operating-system authentication). This is very useful for shell scripts that would otherwise have to carry a database user's password in order to log in and do their work: the password no longer has to be exposed in the script. The Wallet credentials are set up on the Oracle client with the mkstore command, after which the database can be reached directly with `sqlplus /@connect_string`.

 

In this example the sysrls user is allowed to log in without a password. mkstore usage:

$ $ORACLE_HOME/bin/mkstore

mkstore [-wrl wrl] [-create] [-createSSO] [-delete] [-deleteSSO] [-list] [-createEntry alias secret] [-viewEntry alias] [-modifyEntry alias secret] [-deleteEntry alias] [-help]

1) Install the Oracle Client

2) Create the wallet directory and edit .bash_profile
mkdir /home/sysrls/wallet
vi .bash_profile

# Oracle Base Directory
ORACLE_BASE=/opt/oraapp
# Oracle Home Directory - Set this to the correct Oracle Home for the client
ORACLE_HOME=/opt/oraapp/client/12.1.0.2_x64_DBAocl030
# Set TNS_ADMIN to the directory holding tnsnames.ora and sqlnet.ora
# (it must name the directory, not the tnsnames.ora file itself)
TNS_ADMIN=$ORACLE_HOME/network/admin
# Add the ORACLE_HOME bin directory to the PATH variable
PATH=$ORACLE_HOME/bin:$PATH
# Add the ORACLE_HOME lib directory to the LD_LIBRARY_PATH variable
LD_LIBRARY_PATH=${ORACLE_HOME}/lib:${LD_LIBRARY_PATH}
# Set LANG & NLS variables appropriately for your region
LANG="en_US.UTF-8"
# NLS_LANG is of the form Language_country.characterset
NLS_LANG="AMERICAN_AMERICA.AL32UTF8"
ORA_NLS10=$ORACLE_HOME/nls/data
# Export the variables so they are set correctly for any sub-processes
export ORACLE_BASE LANG ORACLE_HOME PATH LD_LIBRARY_PATH NLS_LANG ORA_NLS10 TNS_ADMIN

3) Create the wallet
$ $ORACLE_HOME/bin/mkstore -wrl /home/sysrls/wallet -create

Enter password:<enter the wallet password>

Enter password again:<confirm the wallet password>

[sysrls@cnl20059850 wallet]$ ll
total 8
-rw-------. 1 sysrls sysrls 581 Jul 18 11:01 cwallet.sso
-rw-rw-rw-. 1 sysrls sysrls 0 Jul 18 10:52 cwallet.sso.lck
-rw-------. 1 sysrls sysrls 536 Jul 18 11:01 ewallet.p12
-rw-rw-rw-. 1 sysrls sysrls 0 Jul 18 10:52 ewallet.p12.lck

4) Edit the network configuration
vi $ORACLE_HOME/network/admin/tnsnames.ora

CRCDB =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 133.9.207.35)(PORT = 2001))
    )
    (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = CRCDB)
    )
  )

$ vi $ORACLE_HOME/network/admin/sqlnet.ora

WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/home/sysrls/wallet)))

SQLNET.WALLET_OVERRIDE=TRUE

 

5) Create a credential for a specific database user

$ORACLE_HOME/bin/mkstore -wrl /home/u_test/wallet -createCredential CRCDB wallet test123

6) Confirm that the user's credential has been added to the Wallet

$ $ORACLE_HOME/bin/mkstore -wrl $ORACLE_HOME/network/admin/wallet -listCredential
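An added check script (not from the original post) for the three things steps 4 to 6 depend on: sqlnet.ora names the wallet directory and sets SQLNET.WALLET_OVERRIDE=TRUE, the wallet files are readable only by their owner, and saved `mkstore -listCredential` output contains the TNS alias. The sqlnet.ora, wallet files and listCredential output it builds are constructed samples mirroring the post's layout, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/bash
# Added example (not from the original post). Checks a wallet-based login setup.
# Assumes GNU stat (-c). All sample files are constructed below for an offline run.
set -u

# 0 if sqlnet.ora names the expected wallet directory and enables the override.
check_sqlnet() {  # $1 = sqlnet.ora path, $2 = wallet directory
    grep -q "WALLET_LOCATION=.*DIRECTORY=$2" "$1" || return 1
    grep -qi '^SQLNET.WALLET_OVERRIDE *= *TRUE' "$1" || return 1
}

# 0 if the wallet directory is 700 and both wallet files exist with mode 600.
# (cwallet.sso is the auto-login wallet: anyone who can read it can log in.)
check_wallet_perms() {  # $1 = wallet directory
    local f
    [ "$(stat -c %a "$1")" = "700" ] || return 1
    for f in "$1/cwallet.sso" "$1/ewallet.p12"; do
        [ -f "$f" ] && [ "$(stat -c %a "$f")" = "600" ] || return 1
    done
}

# 0 if saved "mkstore -listCredential" output has a line "<n>: <alias> <user>".
credential_present() {  # $1 = saved listCredential output, $2 = TNS alias
    awk -v alias="$2" '/^[0-9]+: / { if ($2 == alias) found = 1 }
                       END { exit !found }' "$1"
}

# Constructed sample environment mirroring the post's layout; prints its path.
demo_env() {
    local base; base=$(mktemp -d)
    mkdir -m 700 "$base/wallet"
    : > "$base/wallet/cwallet.sso"; : > "$base/wallet/ewallet.p12"
    chmod 600 "$base/wallet/cwallet.sso" "$base/wallet/ewallet.p12"
    printf 'WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=%s)))\n' \
        "$base/wallet" > "$base/sqlnet.ora"
    echo 'SQLNET.WALLET_OVERRIDE=TRUE' >> "$base/sqlnet.ora"
    printf 'List credential (index: connect_string username)\n1: CRCDB wallet\n' \
        > "$base/listcred.txt"
    echo "$base"
}

# Run all checks for one alias; prints a one-line verdict per check.
audit_wallet() {  # $1 = base dir (with sqlnet.ora, wallet/, listcred.txt), $2 = alias
    check_sqlnet "$1/sqlnet.ora" "$1/wallet" && echo "sqlnet.ora: OK" || echo "sqlnet.ora: BAD"
    check_wallet_perms "$1/wallet" && echo "permissions: OK" || echo "permissions: BAD"
    credential_present "$1/listcred.txt" "$2" && echo "credential $2: OK" || echo "credential $2: MISSING"
}
```

On a real client, point `audit_wallet` at a directory containing your sqlnet.ora, the wallet directory and the saved output of `mkstore -listCredential`; a world-readable cwallet.sso is the finding that matters most, since that file alone grants the login.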

7) Maintenance
Add a credential to the wallet

mkstore -wrl /home/sysrls/wallet/ -createCredential CRCDB wallet Frank

Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Enter wallet password: 
Create credential oracle.security.client.connect_string1

 

View the credentials stored in the wallet

[sysrls@cnl20059850 wallet]$ mkstore -wrl /home/sysrls/wallet -listCredential

Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Enter wallet password: 
List credential (index: connect_string username)
1: CRCDB wallet

Modify a credential in the wallet

[sysrls@cnl20059850 wallet]$ mkstore -wrl /home/sysrls/wallet/ -modifyCredential CRCDB wallet test2

Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Enter wallet password: 
Modify credential 
Modify 1

 

Delete a credential from the wallet

mkstore -wrl /home/sysrls/wallet -deleteCredential CRCDB

 

List the entries in the wallet

[sysrls@cnl20059850 wallet]$ mkstore -wrl /home/sysrls/wallet/ -list

Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Enter wallet password: 
Oracle Secret Store entries: 
oracle.security.client.connect_string1
oracle.security.client.password1
oracle.security.client.username1

 

View the value of a wallet entry

[sysrls@cnl20059850 wallet]$ mkstore -wrl /home/sysrls/wallet/ -viewEntry oracle.security.client.connect_string1

Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Enter wallet password: 
oracle.security.client.connect_string1 = CRCDB

 

[sysrls@cnl20059850 wallet]$ mkstore -wrl /home/sysrls/wallet/ -viewEntry oracle.security.client.username1

Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Enter wallet password: 
oracle.security.client.username1 = wallet

 

[sysrls@cnl20059850 wallet]$ mkstore -wrl /home/sysrls/wallet/ -viewEntry oracle.security.client.password1

Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Enter wallet password: 
oracle.security.client.password1 = test2

 

Change the password of the wallet file

orapki wallet change_pwd -wallet /home/sysrls/wallet/

8) How to make the wallet usable only on the local machine
Oracle Wallet is a container that stores authentication and signing credentials.

Trusted certificates are stored in the Oracle Wallet when the wallet is used for security credentials.

PeopleSoft enables you to create an Oracle Wallet in two ways:

ORAPKI command line - The ORAPKI tool ships with the Oracle database, so it can be used only by users who have an Oracle database license.

OpenSSL utility - Users who do not have a license for Oracle database can use this utility to create their own certificates.

After creating an Oracle Wallet, you must configure SSL for the Workstation Listener and Jolt Listener ports to ensure secure client and server communications.

 

A small menu-driven maintenance script is included:

#!/bin/bash
# Menu-driven wrapper around the mkstore/orapki commands shown above.
# Secrets are fed to mkstore on stdin (printf '%s\n') instead of as command-line
# arguments, so they do not end up in shell history or in `ps` output.

ORACLE_HOME=/opt/oraapp/client/12.1.0.2_x64_DBAocl030
WALLET=/home/sysrls/wallet/
MKSTORE="$ORACLE_HOME/bin/mkstore"
ORAPKI="$ORACLE_HOME/bin/orapki"

# Prompt for a secret without echoing it, then move to a new line.
read_secret() {  # $1 = prompt, $2 = name of the variable to fill
    read -r -s -p "$1" "$2"
    echo
}

echo -e "Useful action\n"
echo "1)create wallet"
echo "2)create Credential"
echo "3)check the created Credential"
echo "4)modify the created Credential"
echo "5)delete the created Credential"
echo "6)list Credential item"
echo "7)list Credential Entry value"
echo "8)modify wallet password"
echo "9)exit"
read -r -p "choose your action:" num1
case $num1 in

    1)
    read_secret "Please enter wallet password:" password
    # mkstore -create asks for the wallet password twice.
    printf '%s\n' "$password" "$password" | "$MKSTORE" -wrl "$WALLET" -create \
        && echo -e "wallet create success\n"
    ;;
    2)
    read_secret "Please enter wallet password:" password
    read -r -p "Please enter database tnsname:" tnsname
    read -r -p "Please enter database user:" user
    read_secret "Please enter database user's password:" dbpass
    # With the secret left off the command line, mkstore prompts for the
    # database password twice and then for the wallet password.
    printf '%s\n' "$dbpass" "$dbpass" "$password" \
        | "$MKSTORE" -wrl "$WALLET" -createCredential "$tnsname" "$user" \
        && echo -e "Credential create success\n"
    ;;
    3)
    read_secret "Please enter wallet password:" password
    printf '%s\n' "$password" | "$MKSTORE" -wrl "$WALLET" -listCredential
    ;;
    4)
    read_secret "Please enter wallet password:" password
    read -r -p "Please enter database tnsname:" tnsname
    read -r -p "Please enter database user:" user
    read_secret "Please enter database user's password:" dbpass
    # Same prompt order as -createCredential.
    printf '%s\n' "$dbpass" "$dbpass" "$password" \
        | "$MKSTORE" -wrl "$WALLET" -modifyCredential "$tnsname" "$user" \
        && echo -e "modify Credential success\n"
    ;;
    5)
    read_secret "Please enter wallet password:" password
    read -r -p "Please enter database tnsname:" tnsname
    printf '%s\n' "$password" | "$MKSTORE" -wrl "$WALLET" -deleteCredential "$tnsname" \
        && echo -e "delete Credential success\n"
    ;;
    6)
    read_secret "Please enter wallet password:" password
    printf '%s\n' "$password" | "$MKSTORE" -wrl "$WALLET" -list
    ;;
    7)
    read_secret "Please enter wallet password:" password
    read -r -p "Please enter Entryname type (connect/user/password):" type
    case $type in
        connect)  entry=oracle.security.client.connect_string1 ;;
        user)     entry=oracle.security.client.username1 ;;
        password) entry=oracle.security.client.password1 ;;
        *) echo "unknown entry type: $type"; exit 1 ;;
    esac
    printf '%s\n' "$password" | "$MKSTORE" -wrl "$WALLET" -viewEntry "$entry"
    ;;
    8)
    # orapki prompts interactively for the old and new wallet passwords.
    "$ORAPKI" wallet change_pwd -wallet "$WALLET"
    ;;
    9)
    exit 0
    ;;
    *)
    echo "unknown action: $num1"
    exit 1
    ;;
esac

 

