1:證書制作及達夢數據庫配置SSL參考 https://cdn.modb.pro/db/98970
步驟如下:
1:配置openssl配置文件
配置文件路徑:/etc/pki/tls/openssl.cnf,備份文件,然后修改文件如下內容
[ CA_default ]
dir = /opt/ca # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/ca-cert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/ca-key.pem # The private key
x509_extensions = usr_cert # The extensions to add to the cert
2:創建配置文件中對應的主要目錄及文件
[root@localhost ~]# mkdir -p /opt/ca [root@localhost ~]# cd /opt/ca [root@localhost ca]# mkdir {certs,crl,newcerts} [root@localhost ca]# echo "01" > serial [root@localhost ca]# touch index.txt ##創建達夢數據庫服務器和客戶端證書文件存放目錄 [root@localhost ca]# mkdir server_ssl [root@localhost ca]# mkdir client_ssl ##創建SYSDBA用戶客戶端證書存放目錄,其他用戶請創建與用戶名相同的目錄 [root@localhost ca]# mkdir -p client_ssl/SYSDBA
3:生產CA私鑰和根證書
[root@localhost ca]# openssl req -new -x509 -days 3650 -keyout ca-key.pem -out ca-cert.pem -subj "/C=cn/ST=hunan/L=changsha/O=dameng/OU=dev/CN=lw/emailAddress=abc@dm.com" Generating a RSA private key .....................................................................................+++++ ......................................+++++ writing new private key to 'ca-key.pem' Enter PEM pass phrase: #設置CA私鑰的存儲密碼,本次測試設置為123456 Verifying - Enter PEM pass phrase: ----- [root@localhost ca]# ls ca-cert.pem ca-key.pem certs client_ssl crl index.txt newcerts serial server_ssl
##############ca-key.pem 為私鑰文件#####################ca-cert.pem為根證書###################
文件后綴簡要說明:
- .key : 私鑰文件, 也可以使用“.pem”后綴。.pem”后綴時,通常文件包含證書和私鑰中的一種或者多種
- .csr : 證書簽名請求(證書請求文件),含有公鑰信息,certificate signing request的縮寫
- .crl : 證書吊銷列表,Certificate Revocation List的縮寫
4:生產服務器私鑰和被CA簽名的證書
1:生產私鑰文件
[root@localhost ca]# openssl genrsa -out server_ssl/server-key.pem Generating RSA private key, 2048 bit long modulus (2 primes) .................................................................................................................+++++ ..............................................................+++++ e is 65537 (0x010001) ##注意服務器端的私鑰,為了方便不設置加密
2:生產證書簽發申請
[root@localhost ca]# openssl req -new -key server_ssl/server-key.pem -out server_ssl/server.csr -subj "/C=cn/ST=hunan/L=changsha/O=dameng/OU=dev/CN=server/emailAddress=server@dm.com
subj選項說明:
Country Name : 縮寫為“C” 證書持有者所在國家 要求填寫國家代碼
State or Province Name : 縮寫為“ST“ 證書持有者所在州或省份
Locality Name : 縮寫為“L” 證書持有者所在城市
Organization Name : 縮寫為“O“ 證書持有者所屬組織或公司
Organizational Unit Name : 縮寫為“OU” 證書持有者所屬部門
Common Name : 縮寫為“CN“ 證書持有者的通用名
Email Address : 證書持有者的通信郵箱
3:使用根證書和簽發申請生產證書
[root@localhost ca]# openssl ca -days 3650 -in server_ssl/server.csr -out server_ssl/server-cert.pem Using configuration from /etc/pki/tls/openssl.cnf Enter pass phrase for /opt/ca/ca-key.pem: #輸入生成CA私鑰時設置的存儲密碼,上面設置的是123456 Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Aug 11 09:23:40 2021 GMT Not After : Aug 9 09:23:40 2031 GMT Subject: countryName = cn stateOrProvinceName = hunan organizationName = dameng organizationalUnitName = dev commonName = server emailAddress = server@dm.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 46:E9:80:E8:CC:1D:7E:DB:E3:05:FF:8C:3B:77:43:51:9B:16:05:43 X509v3 Authority Key Identifier: keyid:61:05:BE:3F:A9:DE:2D:9A:7F:2A:BA:0E:45:97:47:5B:E8:0C:D7:7E Certificate is to be certified until Aug 9 09:23:40 2031 GMT (3650 days) Sign the certificate? [y/n]:y #輸入y 1 out of 1 certificate requests certified, commit? [y/n]y #輸入y Write out database with 1 new entries Data Base Updated
4:將證書格式轉換成x509格式
[root@localhost ca]# openssl x509 -in server_ssl/server-cert.pem -out server_ssl/server.cer [root@localhost ca]# ll server_ssl/ -rw-r--r-- 1 root root 1395 8月 11 17:28 server.cer -rw-r--r-- 1 root root 4544 8月 11 17:23 server-cert.pem -rw-r--r-- 1 root root 1033 8月 11 17:13 server.csr -rw------- 1 root root 1675 8月 11 17:06 server-key.pem
5:將CA自簽名的證書拷貝到server_ssl目錄
[root@localhost ca]# cp ca-cert.pem server_ssl/
[root@localhost ca]# cp ca-key.pem server_ssl/
5:生產客戶端用戶私鑰和被CA簽名的證書
1:生產私鑰文件
[root@localhost ca]# openssl genrsa -aes256 -out client_ssl/SYSDBA/client-key.pem Generating RSA private key, 2048 bit long modulus (2 primes) ............................+++++ ..+++++ e is 65537 (0x010001) Enter pass phrase for client_ssl/SYSDBA/client-key.pem: #設置私鑰密碼,本次測試設置為dameng ####備注 如果使用disql鏈接的時候需要使用此密碼 Verifying - Enter pass phrase for client_ssl/SYSDBA/client-key.pem: #再輸入一次 #-aes256表示使用AES算法對產生的私鑰加密
2:生產證書簽發申請
[root@localhost ca]# openssl req -new -key client_ssl/SYSDBA/client-key.pem -out client_ssl/SYSDBA/client.csr -subj "/C=cn/ST=hunan/L=changsha/O=dameng/OU=dev/CN=SYSDBA/emailAddress=dmclient@dm.com" Enter pass phrase for client_ssl/SYSDBA/client-key.pem: #輸入上一步生成私鑰文件時設置的密碼
3:使用根證書和簽發申請生產證書
[root@localhost ca]# openssl ca -days 365 -in client_ssl/SYSDBA/client.csr -out client_ssl/SYSDBA/client-cert.pem Using configuration from /etc/pki/tls/openssl.cnf Enter pass phrase for /opt/ca/ca-key.pem: #輸入設置的CA私鑰存儲密碼 ##############最開始設置的CA密碼 123456 Check that the request matches the signature Signature ok Certificate Details: Serial Number: 2 (0x2) Validity Not Before: Aug 11 09:39:23 2021 GMT Not After : Aug 11 09:39:23 2022 GMT Subject: countryName = cn stateOrProvinceName = hunan organizationName = dameng organizationalUnitName = dev commonName = SYSDBA emailAddress = dmclient@dm.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: E1:BB:5E:A0:E6:7C:38:40:FD:BB:6B:B8:2E:6E:2C:46:1C:E3:AF:1C X509v3 Authority Key Identifier: keyid:61:05:BE:3F:A9:DE:2D:9A:7F:2A:BA:0E:45:97:47:5B:E8:0C:D7:7E Certificate is to be certified until Aug 11 09:39:23 2022 GMT (365 days) Sign the certificate? [y/n]:y #輸入y 1 out of 1 certificate requests certified, commit? [y/n]y #輸入y Write out database with 1 new entries Data Base Updated
4:將生成的X509格式的client-key.pem和client-cert.pem合並轉換為pkcs12格式的文件client-pkcs.p12
[root@localhost ca]# openssl pkcs12 -export -inkey client_ssl/SYSDBA/client-key.pem -in client_ssl/SYSDBA/client-cert.pem -out client_ssl/SYSDBA/client-pkcs.p12 Enter pass phrase for client_ssl/SYSDBA/client-key.pem: #輸入之前設置的客戶端私鑰存儲密碼(dameng) Enter Export Password: #設置export password,本次測試設置為abc123 ####### Verifying - Enter Export Password: #再輸入一次
5:生成JDBC訪問需要的.keystore文件 導入所有證書到keystore文件,並設置keystore文件密碼為abc123(-deststorepass)
[root@localhost ca]# keytool -import -alias ca -trustcacerts -file ca-cert.pem -keystore client_ssl/SYSDBA/.keystore -deststorepass abc123 -noprompt 證書已添加到密鑰庫中 [root@localhost ca]# keytool -import -alias server -trustcacerts -file server_ssl/server.cer -keystore client_ssl/SYSDBA/.keystore -deststorepass abc123 -noprompt 證書已添加到密鑰庫中 [root@localhost ca]# keytool -importkeystore -srckeystore client_ssl/SYSDBA/client-pkcs.p12 -srcstorepass abc123 -srcstoretype PKCS12 -keystore client_ssl/SYSDBA/.keystore -deststorepass abc123 正在將密鑰庫 client_ssl/SYSDBA/client-pkcs.p12 導入到 client_ssl/SYSDBA/.keystore... 已成功導入別名 1 的條目。 已完成導入命令: 1 個條目成功導入, 0 個條目失敗或取消 Warning: JKS 密鑰庫使用專用格式。建議使用 "keytool -importkeystore -srckeystore client_ssl/SYSDBA/.keystore -destkeystore client_ssl/SYSDBA/.keystore -deststoretype pkcs12" 遷移到行業標准格式 PKCS12。
執行上面警告的內容:(可選)
[root@localhost ca]# keytool -importkeystore -srckeystore client_ssl/SYSDBA/.keystore -destkeystore client_ssl/SYSDBA/.keystore -deststoretype pkcs12 輸入源密鑰庫口令: #輸入之前的export password,abc123 已成功導入別名 ca 的條目。 已成功導入別名 1 的條目。 已成功導入別名 server 的條目。 已完成導入命令: 3 個條目成功導入, 0 個條目失敗或取消 Warning: 已將 "client_ssl/SYSDBA/.keystore" 遷移到 Non JKS/JCEKS。將 JKS 密鑰庫作為 "client_ssl/SYSDBA/.keystore.old" 進行了備份。
6:將CA自簽名的證書拷貝到client_ssl/SYSDBA目錄中
[root@localhost ca]# cp ca-cert.pem client_ssl/SYSDBA/ [root@localhost ca]# ls -la client_ssl/SYSDBA/ drwxr-xr-x 2 root root 128 8月 11 18:07 . drwxr-xr-x 3 root root 20 8月 11 16:54 .. -rw-r--r-- 1 root root 1383 8月 11 18:07 ca-cert.pem -rw-r--r-- 1 root root 4546 8月 11 17:39 client-cert.pem -rw-r--r-- 1 root root 1037 8月 11 17:37 client.csr -rw------- 1 root root 1766 8月 11 17:34 client-key.pem -rw------- 1 root root 2589 8月 11 17:49 client-pkcs.p12 -rw-r--r-- 1 root root 4363 8月 11 18:06 .keystore
6:部署server端將/opt/ca/server_ssl整個目錄拷貝到達夢數據庫安裝目錄下的bin目錄下,默認在bin目錄下存在server_ssl目錄。可以先將默認的server_ssl目錄重命名,然后拷貝。
[root@localhost ca]# cd /home/dmdba/dmdbms/bin [root@localhost bin]# mv server_ssl server_ssl_bak2 [root@localhost bin]# cp /opt/ca/server_ssl ./ -r [root@localhost bin]# chmod -R 777 server_ssl [root@localhost bin]# ll server_ssl -rwxrwxrwx 1 root root 1383 8月 11 18:11 ca-cert.pem -rwxrwxrwx 1 root root 1854 8月 11 18:11 ca-key.pem -rwxrwxrwx 1 root root 1395 8月 11 18:11 server.cer -rwxrwxrwx 1 root root 4544 8月 11 18:11 server-cert.pem -rwxrwxrwx 1 root root 1033 8月 11 18:11 server.csr -rwxrwxrwx 1 root root 1675 8月 11 18:11 server-key.pem
7:部署client客戶端
將/opt/ca/client_ssl整個目錄拷貝到客戶端機器上。如果是Linux機器,需要注意目錄權限,可以將整個目錄設置為777權限。 chmod 777 -R client_ssl 如果是通過jdbc接口來加密訪問數據庫,是使用的.keystore文件; 如果是通過ODBC或者其他方式加密訪問數據庫,那么是使用ca-cert.pem、client-cert.pem和client-key.pem三個文件
2:數據庫執行打開ssl驗證
SF_SET_SYSTEM_PARA_VALUE('COMM_ENCRYPT_NAME','RC4',1,2); SF_SET_SYSTEM_PARA_VALUE('ENABLE_ENCRYPT',2,1,2); 執行完畢后需要重啟數據服務
3:disql工具登錄
@localhost bin]$ ./disql SYSDBA/SYSDBA@192.168.15.35:5236#"{SSL_PATH=/opt/ca/client_ssl/SYSDBA,SSL_PWD=dameng}"
服務器[192.168.15.35:5236]:處於普通打開狀態
登錄使用時間 : 10.115(ms)
disql V8
SQL>
###或者使用
[dmdba@localhost bin]$ ./disql /nolog
disql V8
SQL> login
服務名:192.168.15.35
用戶名:SYSDBA
密碼:
SSL路徑:/opt/ca/client_ssl/SYSDBA
SSL密碼:
UKEY名稱:
UKEY PIN碼:
MPP類型:
是否讀寫分離(y/n):
協議類型:
服務器[192.168.15.35:5236]:處於普通打開狀態
登錄使用時間 : 9.059(ms)
SQL>