Configuring the TCPS encrypted protocol for Oracle


1. Create the certificate (run as the oracle user)

    Create the wallet directory and an auto-login wallet:
    $ mkdir /home/oracle/wallet
    $ orapki wallet create -wallet "/home/oracle/wallet" -pwd WalletPasswd123 -auto_login_local
    Create a self-signed certificate and add it to the wallet:
    $ orapki wallet add -wallet "/home/oracle/wallet" -pwd WalletPasswd123 -dn "CN=`hostname`" -keysize 1024 -self_signed -validity 3650
    Check the wallet contents; note that the self-signed certificate appears both as the user certificate and as a trusted certificate:
    $ orapki wallet display -wallet "/home/oracle/wallet" -pwd WalletPasswd123
    Export the certificate so that it can later be loaded into the client's wallet:
    $ orapki wallet export -wallet "/home/oracle/wallet" -pwd WalletPasswd123 -dn "CN=`hostname`" -cert /tmp/`hostname`-certificate.crt
    Check that the certificate was exported as expected:
    $ cat /tmp/`hostname`-certificate.crt

2. Listener configuration

1. On the server, add the following to the $ORACLE_HOME/network/admin/sqlnet.ora file:
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

WALLET_LOCATION =
   (SOURCE =
     (METHOD = FILE)
     (METHOD_DATA =
       (DIRECTORY = /home/oracle/wallet)
     )
   )
SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
#SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CLIENT_AUTHENTICATION = TRUE
DIAG_ADR_ENABLED = OFF
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
ADR_BASE = /opt/app/oracle

2. Configure the listener to accept SSL/TLS encrypted connections. Edit the $ORACLE_HOME/network/admin/listener.ora file and add the wallet information and the TCPS entries:

SSL_CLIENT_AUTHENTICATION = FALSE

WALLET_LOCATION =
   (SOURCE =
     (METHOD = FILE)
     (METHOD_DATA =
       (DIRECTORY = /home/oracle/wallet)
     )
   )

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.132.13)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = 192.168.132.13)(PORT = 2484))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC2484))
    )
  )

DIAG_ADR_ENABLED_LISTENER = OFF
ADR_BASE_LISTENER = /opt/app/oracle
TRACE_LEVEL_LISTENER=user

The tnsnames.ora on the same server:

[oracle@db2 ~]$ cat /opt/app/oracle/product/11.2.0/dbhome_1/network/admin/tnsnames.ora
ORA11N =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST =192.168.132.13)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = orcl11g.us.oracle.com)
      (SID = icdc)
    )
  )

TCPS1 =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = 192.168.132.13)(PORT = 2484))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = orcl11g.us.oracle.com)
      (SID = icdc)
    )
  )

Restart the listener:
    $ lsnrctl stop
    $ lsnrctl start
(It seems lsnrctl reload also works, without a stop followed by a start.)
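As an added example (my code, not part of the original post), a small Python lint for the net files configured above: it parses Oracle's parenthesised sqlnet.ora/listener.ora syntax, lists every TCPS endpoint the listener exposes, and flags cipher suites that rest on 3DES, RC4, NULL, MD5 or export-grade algorithms, which catches the SSL_RSA_WITH_3DES_EDE_CBC_SHA entry in the sqlnet.ora above. The configuration strings at the bottom are constructed samples cut down from the files on this page.

```python
import re
def _add(d, key, val):
    # A repeated key (e.g. several ADDRESS entries) collects into a list.
    d[key] = (d[key] if isinstance(d[key], list) else [d[key]]) + [val] if key in d else val

def _value(tokens, i):
    # value := scalar | '(' a, b ')' list | one or more '(KEY = value)' pairs
    if tokens[i] != '(':
        return tokens[i], i + 1
    if tokens[i + 2] != '=':                      # plain list such as (TCPS,NTS,BEQ)
        j = tokens.index(')', i)
        return [t for t in tokens[i + 1:j] if t != ','], j + 1
    d = {}
    while i + 2 < len(tokens) and tokens[i] == '(' and tokens[i + 2] == '=':
        key = tokens[i + 1]                       # '(' KEY '=' value ')'
        val, i = _value(tokens, i + 3)
        assert tokens[i] == ')', f"missing ')' after {key}"
        _add(d, key, val)
        i += 1
    return d, i

def parse_ora(text):
    """Parse sqlnet.ora / listener.ora / tnsnames.ora text into nested dicts."""
    # Drop '#' comments, then split into '(', ')', '=', ',' and bare words.
    tokens = re.findall(r'[()=,]|[^\s()=,]+', re.sub(r'#.*', '', text))
    cfg, i = {}, 0
    while i < len(tokens):
        key = tokens[i]
        assert tokens[i + 1] == '=', f"expected '=' after {key}"
        val, i = _value(tokens, i + 2)
        _add(cfg, key, val)
    return cfg

def tcps_endpoints(node):
    """Yield (HOST, PORT) of every ADDRESS with PROTOCOL = TCPS, at any depth."""
    if isinstance(node, dict) and str(node.get('PROTOCOL')).upper() == 'TCPS':
        yield node.get('HOST'), node.get('PORT')
    for k in (node.values() if isinstance(node, dict) else node if isinstance(node, list) else []):
        yield from tcps_endpoints(k)

def weak_cipher_suites(cfg):
    """Suites in SSL_CIPHER_SUITES that rest on 3DES, RC4, NULL, MD5 or export ciphers."""
    return [s for s in cfg.get('SSL_CIPHER_SUITES', [])
            if any(m in s.upper() for m in ('3DES', 'RC4', 'NULL', 'MD5', 'EXPORT'))]
# Constructed samples, cut down from the listener.ora and sqlnet.ora shown on this page.
LISTENER_ORA = """LISTENER = (DESCRIPTION_LIST = (DESCRIPTION =
  (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.132.13)(PORT = 1521))
  (ADDRESS = (PROTOCOL = TCPS)(HOST = 192.168.132.13)(PORT = 2484))))"""
SQLNET_ORA = """#SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)"""
```

The same parser lets you compare SSL_CLIENT_AUTHENTICATION across both files: the sqlnet.ora above sets it to TRUE while the listener.ora sets it to FALSE, so parse both and check that key if you want the mismatch flagged.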

3. Local database test

1. TCPS login test
[oracle@db2 ~]$ sqlplus bjxq/bjxqww2sq2z@TCPS1
2. Log monitoring
[oracle@db2 ~]$ tail -f  /opt/app/oracle/product/11.2.0/dbhome_1/network/log/listener.log

4. Summary

The Oracle TCPS encrypted connection is now configured successfully. Getting the application to connect over it needs cooperation from the developers, for instance converting the .crt file into a JKS keystore and so on, which I won't go into here...
