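Remediation for RAC databases
Option 1: Securing registration with SCAN listeners
1. Create the wallet
On any one Oracle instance node, create the wallet as the oracle user.
First create a cost directory; it can be placed under ${ORACLE_HOME}/network/admin/.
mkdir -p ${ORACLE_HOME}/network/admin/cost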
orapki wallet create -wallet /opt/app/oracle/11.2.0/db_1/network/admin/cost
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Enter password: [password prompt; set a password]
Enter password again: [password prompt; set a password]
2. Remove the trusted certificates from the wallet
orapki wallet remove -trusted_cert_all -wallet /opt/app/oracle/11.2.0/db_1/network/admin/cost
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Enter wallet password: [password prompt; enter the password set above]
3. Create a custom self-signed certificate
orapki wallet add -wallet /opt/app/oracle/11.2.0/db_1/network/admin/cost -self_signed -dn "cn=secure_register" -keysize 1024 -validity 3650
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
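Enter wallet password: [password prompt; enter the password set above]
Notes:
keysize specifies the key size; valid values are 512, 1024, or 2048 bits
validity specifies how long the certificate is valid, in days
4. View the wallet
Confirm that it contains only one user certificate and one trusted certificate.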
orapki wallet display -wallet /opt/app/oracle/11.2.0/db_1/network/admin/cost
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Enter wallet password: [password prompt; enter the password set above]
[Output is as follows]:
Requested Certificates:
User Certificates:
Subject: CN=secure_register
Trusted Certificates:
Subject: CN=secure_register
5. Copy the wallet file to the other nodes with scp
scp ewallet.p12 oracle@HXE-DB2:/opt/app/oracle/11.2.0/db_1/network/admin/cost/
6. Create the SSO file
orapki wallet create -wallet /opt/app/oracle/11.2.0/db_1/network/admin/cost -auto_login
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Enter wallet password: [password prompt; enter the password set above]
7. Change the file permissions
chmod 640 cwallet.sso
ls -l
-rw-r----- 1 oracle oinstall 2485 Aug 17 16:15 cwallet.sso
-rw------- 1 oracle oinstall 2408 Aug 17 15:54 ewallet.p12
8. Configure the listener file
As the grid user, on every node, append the wallet information and the secure_register_listener_scan1 entry to the listener.ora file under grid_home.
LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER)))) # line added by Agent
LISTENER_SCAN1=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1)))) # line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER_SCAN1=ON # line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER=ON # line added by Agent
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /opt/app/oracle/11.2.0/db_1/network/admin/cost)
)
)
#SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)
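#[The parts marked in red in the original, i.e. the WALLET_LOCATION block and the SECURE_REGISTER_LISTENER_SCAN1 line, are the newly added content]
9. Modify the SCAN listener configuration with srvctl
srvctl config scan_listener ###view the current configuration
SCAN Listener LISTENER_SCAN1 exists. Port: TCP:1521
srvctl modify scan_listener -p TCP:1521/TCPS:1523 ###change the configuration to include the TCPS protocol; before setting it, check that port 1523 is not already in use
srvctl stop scan_listener ###stop the listener
srvctl start scan_listener ###start the listener
srvctl config scan_listener ###confirm that the configuration has been changed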
SCAN Listener LISTENER_SCAN1 exists. Port: TCP:1521/TCPS:1523
10. Modify the sqlnet.ora file
Add the following configuration to the Oracle instance's sqlnet.ora file, as the oracle user.
more $ORACLE_HOME/network/admin/sqlnet.ora
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /opt/app/oracle/11.2.0/db_1/network/admin/cost)
)
)
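11. Change the remote_listener parameter
The current remote_listener value has the form host:port; it must be changed to a form that includes the SCAN IP and port.
Get the current SCAN IP: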
srvctl config scan
SCAN name: HXE-DB-scan, Network: 1/xxx.xx.xx.x/255.255.254.0/eth0
SCAN VIP name: scan1, IP: /hostname/xxx.xx.xx.xxx
In SQL*Plus, change the remote_listener parameter:
alter system set remote_listener='(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=xxx.xx.xx.xxx)(PORT=1523)))' scope=both sid='*';
12. Enable COST
Edit the listener.ora file under grid_home and uncomment the line #SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS).
13. Restart the listener
srvctl stop scan_listener
srvctl start scan_listener
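Option 2: Apply a patch so that ASM and the database register with the local listener
1. Obtain the patch for bug 12880299:
https://support.oracle.com/epmos/faces/PatchSearchResults?_adf.ctrl-state=1aopm6ywfj_58&_afrLoop=185732594495777 (patches are available for Linux and AIX)
2. Upload the patch to the database server
3. Unpack the patch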
unzip p12880299_112030_Linux-x86-64.zip
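4. Stop the RAC cluster
Carry out the following steps:
Shut down the database; run the srvctl commands as the grid user
srvctl stop database -d <sid>
srvctl status database -d <sid>
Stop the cluster services, as root
cd /opt/app/grid/11.2.0/bin
./crsctl stop cluster -all
Check the node status (as the grid user)
crs_stat -t -v
Stop HAS, as root
cd /opt/app/grid/11.2.0/bin
./crsctl stop has -f
The HAS command above must be run on each node separately.
5. On every node, go to the OPatch directory and run: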
$ORACLE_HOME/OPatch/opatch apply -oh /opt/app/grid/11.2.0 -local /home/grid/soft/12880299
If you hit the error "OUI-67073:ApplySession failed: ApplySession failed to prepare the system. ApplySession was not able to create the patch_storage area: /opt/app/grid/11.2.0/.patch_storage/12880299_May_3_2012_14_51_04", switch to the root user and run perl ${GRID_HOME}/crs/install/rootcrs.pl -unlock -crshome /opt/app/grid/11.2.0/ to unlock the directory, then repeat the step above.
6. When that completes, run as root:
${GRID_HOME}/crs/install/rootcrs.pl -patch
7. Start the database instance (switch to the grid user to run this)
srvctl start database -d <sid>
8. Configure the listener file
Add the following to grid's listener.ora file:
SECURE_REGISTER_LISTENER = (IPC,TCP)
SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)
9. Restart the listener
srvctl stop listener
srvctl start listener
Remediation for single-instance databases
Option 1: no patch required
1. Stop the listener
lsnrctl stop LISTENER
2. Add the following to the listener.ora file (the additions were marked in red in the original):
LISTENER.ORA
------------
LISTENER_PROD =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = IPC)(KEY = REGISTER)) #if this line already exists, there is no need to add it
(ADDRESS = (PROTOCOL = TCP)(HOST = <hostname>)(PORT = 1551))
)
)
SECURE_REGISTER_LISTENER = (IPC) #replace LISTENER here with the name of the current listener
3. Start the listener
lsnrctl start LISTENER
4. Set the local_listener parameter to use IPC
alter system set local_listener='(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=REGISTER)))' scope = both;
5. Check the listener status to see whether the instance has registered with the listener
lsnrctl status LISTENER
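If it has not, run alter system register; in the database.
Option 2: requires stopping the database to apply the patch
1. Stop the database and the listener
2. Apply patch 12880299
3. Add the following to the listener file
SECURE_REGISTER_LISTENER = (IPC) #replace LISTENER here with the name of the current listener
4. Start the listener and the database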
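The check below is an added example, not part of the original procedure and not Oracle tooling: it audits a listener.ora for the settings the steps above add, reporting a listener whose SECURE_REGISTER_<listener_name> line is missing or still commented out and, where TCPS is listed, a WALLET_LOCATION directory that has no cwallet.sso. The function names and the OK/FAIL report format are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit listener.ora for COST.
# Usage: sh check_cost.sh <listener.ora> <listener_name>...
# Print the transport list of the active SECURE_REGISTER_<name> line,
# upper-cased with blanks removed, e.g. "(IPC,TCPS)". Empty if none.
cost_transports() {
    awk -v key="SECURE_REGISTER_$2" '
        /^[ \t]*#/ { next }              # still commented out: not enabled
        {
            line = $0
            sub(/#.*/, "", line)         # drop a trailing comment
            gsub(/[ \t]/, "", line)
            n = index(line, "=")
            if (n && toupper(substr(line, 1, n - 1)) == toupper(key))
                val = toupper(substr(line, n + 1))
        }
        END { if (val != "") print val }' "$1"
}

# Print the DIRECTORY value of the WALLET_LOCATION entry, if present.
wallet_dir() {
    awk '
        /^[ \t]*#/ { next }
        toupper($0) ~ /WALLET_LOCATION/ { inw = 1 }
        inw && (p = match(toupper($0), /DIRECTORY[ \t]*=[ \t]*/)) {
            d = substr($0, p + RLENGTH)
            sub(/[ \t]*\).*/, "", d)     # cut at the closing parenthesis
            print d; exit
        }' "$1"
}

# Report OK/FAIL per listener; return 0 only if every listener passes.
check_cost() {
    file=$1; shift; rc=0
    for name in "$@"; do
        t=$(cost_transports "$file" "$name"); w=$(wallet_dir "$file")
        if [ -z "$t" ]; then
            echo "FAIL $name: no active SECURE_REGISTER_$name line"; rc=1
        elif [ "${t#*TCPS}" = "$t" ]; then
            echo "OK   $name: $t"        # no TCPS, so no wallet is needed
        elif [ -z "$w" ] || [ ! -f "$w/cwallet.sso" ]; then
            echo "FAIL $name: TCPS listed but no cwallet.sso in '${w:-unset}'"; rc=1
        else
            echo "OK   $name: $t, wallet $w"
        fi
    done
    return $rc
}
if [ "$#" -gt 0 ]; then check_cost "$@"; fi
```

Run it as the grid user against the listener.ora under grid_home, passing every listener name defined there (for example LISTENER and LISTENER_SCAN1).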