• Oracle wallet配置登陆凭证


    Wallet作用
    从Oracle 10g R2开始, 通过使用Oracle Wallet达到任意用户不使用密码登录数据库(非操作系统认证方式), 这对在shell中要使用用户密码登录数据库进行操作的脚本来说是非常有用的, 可以不暴露用户密码. 比如在Oracle客户端通过mkstore命令设置Wallet认证信息, 然后通过"sqlplus/@connect_string"方式就可以直接连接数据库.
     
    本例是让sysrls用户无需使用密码登录系统, mkstore用法如下:
    ORACLE_HOME/bin/mkstore
    mkstore [-wrl wrl] [-create] [-createSSO] [-delete] [-deleteSSO] [-list] [-createEntry alias secret] [-viewEntry alias] [-modifyEntry alias secret] [-deleteEntry alias] [-help]
    1)安装Oracle Client
    2)创建wallet存放目录和修改.bash_profile
    mkdir /home/sysrls/wallet
    vi .bash_profile
     
    # Oracle Base Directory ORACLE_BASE=/opt/oraapp # Oracle Home Directory - Set this to the correct Oracle Home for the client ORACLE_HOME=/opt/oraapp/client/12.1.0.2_x64_DBAocl030 # Set TNS_ADMIN to point to correct location TNS_ADMIN=$ORACLE_HOME/network/admin/tnsnames.ora # Add the ORACLE_HOME bin directory to the PATH variable PATH=$ORACLE_HOME/bin:$PATH # Add Add the ORACLE_HOME lib directories to the LD_LIBRARY_PATH variable LD_LIBRARY_PATH=${ORACLE_HOME}/lib:${LD_LIBRARY_PATH} # Set LANG & NLS variables appropriately for your region LANG="en_US.UTF-8" # NLS_LANG is of the form Language_country.characterset NLS_LANG="AMERICAN_AMERICA.AL32UTF8" ORA_NLS10=$ORACLE_HOME/nls/data # Export variable to ensure they are set correctly for any sub processes export ORACLE_BASE LANG ORACLE_HOME PATH LD_LIBRARY_PATH NLS_LANG ORA_NLS10 TNS_ADMIN
     
    3)生成wallet
    ORACLE_HOME/bin/mkstore -wrl /home/sysrls/wallet -create
    Enter password:<输入钱包密码>
    Enter password again:<确认钱包密码>
    [sysrls@cnl20059850 wallet]$ ll
    total 8
    -rw-------. 1 sysrls sysrls 581 Jul 18 11:01 cwallet.sso
    -rw-rw-rw-. 1 sysrls sysrls 0 Jul 18 10:52 cwallet.sso.lck
    -rw-------. 1 sysrls sysrls 536 Jul 18 11:01 ewallet.p12
    -rw-rw-rw-. 1 sysrls sysrls 0 Jul 18 10:52 ewallet.p12.lck
    4)修改网路配置
    vi $ORACLE_HOME/network/admin/tnsnames.ora
     
    CRCDB = (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = 133.9.207.35)(PORT = 2001)) ) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = CRCDB) ) )
     
    vi ORACLE_HOME/network/admin/sqlnet.ora
    WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/home/sysrls/wallet))) SQLNET.WALLET_OVERRIDE=TRUE
     
    --创建钱包,或者alter system set encryption key identified by "oracle"; 
    /u01/app/oracle/product/11.2/db_1/bin/mkstore -wrl /u01/app/oracle/admin/orcl/wallet/ -create
     
    5)给特定数据库用户生成Credential
    $ORACLE_HOME/bin/mkstore -wrl /home/u_test/wallet -createCredential CRCDB wallet test123
     
    6) 确认用户认证信息已经加入到Wallet
    $ $ORACLE_HOME/bin/mkstore -wrl $ORACLE_HOME/network/admin/wallet -listCredential
     
    7)维护
    生成wallet
    mkstore -wrl /home/sysrls/wallet/ -createCredential CRCDB wallet Frank
     
    Oracle Secret Store Tool : Version 12.1.0.2
    Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
    Enter wallet password: 
    Create credential oracle.security.client.connect_string1
     
    查看wallet中的认证信息
    [sysrls@cnl20059850 wallet]$ mkstore -wrl /home/sysrls/wallet -listCredential
     
    Oracle Secret Store Tool : Version 12.1.0.2
    Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
    Enter wallet password: 
    List credential (index: connect_string username)
    1: CRCDB wallet
     
    修改wallet中的认证信息
    [sysrls@cnl20059850 wallet]$ mkstore -wrl /home/sysrls/wallet/ -modifyCredential CRCDB wallet test2
     
    Oracle Secret Store Tool : Version 12.1.0.2
    Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
    Enter wallet password: 
    Modify credential 
    Modify 1
     
    删除wallet中的认证信息
    mkstore -wrl /home/sysrls/wallet -deleteCredential CRCDB
     
    查看wallet中的条目
    [sysrls@cnl20059850 wallet]$ mkstore -wrl /home/sysrls/wallet/ -list
     
    Oracle Secret Store Tool : Version 12.1.0.2
    Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
    Enter wallet password: 
    Oracle Secret Store entries: 
    oracle.security.client.connect_string1
    oracle.security.client.password1
    oracle.security.client.username1
     
    --查看wallet中条目的值
    mkstore -wrl /home/sysrls/wallet/ -viewEntry oracle.security.client.connect_string1
     
    Oracle Secret Store Tool : Version 12.1.0.2
    Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
    Enter wallet password: 
    oracle.security.client.connect_string1 = CRCDB
     
    mkstore -wrl /home/sysrls/wallet/ -viewEntry oracle.security.client.username1
     
    Oracle Secret Store Tool : Version 12.1.0.2
    Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
    Enter wallet password: 
    oracle.security.client.username1 = wallet
     
    mkstore -wrl /home/sysrls/wallet/ -viewEntry oracle.security.client.password1
     
    Oracle Secret Store Tool : Version 12.1.0.2
    Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
    Enter wallet password: 
    oracle.security.client.password1 = test2
     
    --修改wallet文件的密码
    orapki wallet change_pwd -wallet /home/sysrls/wallet/
     
    8)如何生成让wallet仅本机可用
    Oracle Wallet is a container that stores authentication and signing credentials.
    Trusted certificates are stored in the Oracle Wallet when the wallet is used for security credentials.
    PeopleSoft enables you to create an Oracle Wallet in two ways:
    ORAPKI command line - The ORAPKI tool is available with Oracle database, so this tool can be used only by those users have a license for Oracle database.
    OpenSSL utility - Users who do not have a license for Oracle database can use this utility to create their own certificates.
    After creating an Oracle Wallet, you must configure SSL for the Workstation Listener and Jolt Listener ports to ensure secure client and server communications.
     
    #维护小脚本,应该用dos2unix转换或者在linux中手工编辑
     
    #!/bin/bash
     
    echo -e "Useful action "
    echo -e "1)create wallet"
    echo -e "2)create Credential"
    echo -e "3)check the created Credential"
    echo -e "4)modify the created Credential"
    echo -e "5)delete the created Credential"
    echo -e "6)list Credential item"
    echo -e "7)list Credential Entry value "
    echo -e "8)modify wallet password"
    echo -e "9)exit"
    read -p "choose your action:" num1
    case $num1 in
     
    1)
    echo -e "Please enter wallet password: "
    read -s password
    printf "$password $password " | /u01/app/oracle/product/11.2/db_1/bin/mkstore -wrl /u01/app/oracle/product/11.2/db_1/wallet/ -create
    echo -e "wallet create success "
    ;;
    2)
    echo -e "Please enter wallet password:"
    read -s password
    read -p "Please enter database tnsname:" tnsname
    read -p "Please enter database user:" user
    echo -n "Please enter database user's password:"
    read -s dbpass
    printf "$dbpass $dbpass $password " | /u01/app/oracle/product/11.2/db_1/bin/mkstore -wrl /u01/app/oracle/product/11.2/db_1/wallet/ -createCredential $tnsname $user
    echo -e "Credential create success "
    ;;
    3)
    echo -e "Please enter wallet password: "
    read -s password
    printf "$password " | /u01/app/oracle/product/11.2/db_1/bin/mkstore -wrl /u01/app/oracle/product/11.2/db_1/wallet/ -listCredential
    ;;
    4)
    echo -e "Please enter wallet password:"
    read -s password
    read -p "Please enter database tnsname:" tnsname
    read -p "Please enter database user:" user
    echo -n "Please enter database user's password:"
    read -s dbpass
    printf "$dbpass $dbpass $password " | /u01/app/oracle/product/11.2/db_1/bin/mkstore -wrl /u01/app/oracle/product/11.2/db_1/wallet/ -modifyCredential $tnsname $user
    echo -e "modify Credential success "
    ;;
    5)
    echo -e "Please enter wallet password:"
    read -s password
    read -p "Please enter database tnsname:" tnsname
    printf "$password " | /u01/app/oracle/product/11.2/db_1/bin/mkstore -wrl /u01/app/oracle/product/11.2/db_1/wallet/ -deleteCredential $tnsname
    echo -e "delete Credential success "
    ;;
    6)
    echo -e "Please enter wallet password:"
    read -s password
    printf "$password " | /u01/app/oracle/product/11.2/db_1/bin/mkstore -wrl /u01/app/oracle/product/11.2/db_1/wallet/ -list
    ;;
    7)
    echo -e "Please enter wallet password:"
    read -s password
    read -p "Please enter Entryname type:" type
    if [ "$type" == "connect" ];then
    printf "$password " | /u01/app/oracle/product/11.2/db_1/bin/mkstore -wrl /u01/app/oracle/product/11.2/db_1/wallet/ -viewEntry oracle.security.client.connect_string1
    fi
    if [ "$type" == "user" ];then
    printf "$password " | /u01/app/oracle/product/11.2/db_1/bin/mkstore -wrl /u01/app/oracle/product/11.2/db_1/wallet/ -viewEntry oracle.security.client.username1
    fi
    if [ "$type" == "password" ];then
    printf "$password " | /u01/app/oracle/product/11.2/db_1/bin/mkstore -wrl /u01/app/oracle/product/11.2/db_1/wallet/ -viewEntry oracle.security.client.password1
    fi
    ;;
    8)
    /u01/app/oracle/product/11.2/db_1/bin/orapki wallet change_pwd -wallet /u01/app/oracle/product/11.2/db_1/wallet/
    ;;
    9)
    exit 0
    esac
    ------------------------------------------------------------------------------------------------------------------------------------------------
    Oracle wallet配置登陆凭证
    向wallet中增加了一个新的数据库,现实无需输入用户名与密码来登陆数据库,增加完成后,导致整个监控系统都是报用户名与密码的错误,无法登陆来数据库。但是Oracle用户是能正常登陆数据库,不需要输入密码。其实原因很简单,因为我们的监控系统是nagios,而wallet相关的文件的默认权限是600,除ORACLE外其它的用户都是不可以读写的,正常情况下我们是改成了777的权限,让其它的用户也能使用钱包这个功能,我对wallet进行新增加一个数据库时,wallet会自己把cwallet.sso与ewallet.p12文件的权限自己改成600。这就导致了今天我的悲剧。
     
    vi $ORACLE_HOME/network/admin/tnsnames.ora 追加
     
    htzb =
    (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = source)(PORT = 1521))
    (CONNECT_DATA =
    (SERVER = DEDICATED)
    (SERVICE_NAME = orcl)
    )
    )
     
    htz =
    (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = source)(PORT = 1521))
    (CONNECT_DATA =
    (SERVER = DEDICATED)
    (SERVICE_NAME = orcl)
    )
    )
     
    sqlplus / as sysdba
    alter system set wallet open identified by oracle;
    alter database open;
    alter user scott identified by oracle account unlock;
    select status,database_status from v$instance;
     
    1.创建wallet
    cd /u01/app/oracle/product/11.2/db_1
    mkdir wallet
    #输入wallet的密码,1.密码长度要是8位以上。2.密码最大长度没有限制。3.密码要有字符与数据。
    --产生cwallet.sso、ewallet.p12;alter system set encryption key(wallet执行后不能再执行)产生ewallet.p12
    --cwallet.sso用于账号登陆凭证
    mkstore -wrl /u01/app/oracle/product/11.2/db_1/wallet -create
     
    SQL> select * from v$encryption_wallet;
     
    WRL_TYPE
    --------------------
    WRL_PARAMETER
    --------------------------------------------------------------------------------
    STATUS
    ------------------
    file
    /u01/app/oracle/product/11.2/db_1/wallet
    OPEN_NO_MASTER_KEY
     
    2.配置wallet到sqlnet.ora中
     
    vi $ORACLE_HOME/network/admin/sqlnet.ora
     
    NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
    #DIRECTORY这里就是指定wallet所在的目录
    WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/product/11.2/db_1/wallet)))
    SQLNET.WALLET_OVERRIDE=TRUE
     
    3.查看wallet的命令帮忙
    [oracle@test db_1]$ mkstore -help
     
    Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
    Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
     
    mkstore [-wrl wrl] [-create] [-createSSO] [-createLSSO] [-createALO] [-delete]
    [-deleteSSO] [-list] [-createEntry alias secret] [-viewEntry alias]
    [-modifyEntry alias secret] [-deleteEntry alias]
    [-createCredential connect_string username password] [-listCredential]
    [-modifyCredential connect_string username password] [-deleteCredential connect_string] [-help] [-nologo]
     
    4.增加数据库到wallet中去,并测试是否成功
     
    3.1#增加net service为htz scott为用户 oracle为用户的密码。
    #建议密码用''引起来,因为在生产环境中的密码基本上都是特殊字符的。
    mkstore -wrl /u01/app/oracle/product/11.2/db_1/wallet -createCredential htz scott 'oracle'
     
    3.2 #查看是否增加成功。
    mkstore -wrl /u01/app/oracle/product/11.2.0/db_1/wallet -listCredential
     
    List credential (index: connect_string username)
    1: htz scott
     
    3.3 测试是否可以实现无需要输入用户与密码登陆
    sqlplus /@htz
    show user;
     
    5.查看entry
     
    #这里看到我们增加一个数据进来就会增加3个entries。
    #分别是一个连接符,一个用户名,一个密码。
    #当我们增加了很多数据库与用户进来后,数据库与用户还有密码他们是怎么关联的呢?其实他们就是通过后面的这个数字来关键的。
    mkstore -wrl /u01/app/oracle/product/11.2/db_1/wallet -list
     
    Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
    Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
     
    Enter wallet password:
     
    Oracle Secret Store entries:
    oracle.security.client.connect_string1
    oracle.security.client.password1
    oracle.security.client.username1
     
    6.创建默认用户与密码
    这样可以实现,登陆所以的数据库都可以使用默认的用户与密码
    6.1 #创建默认的用户。
    mkstore -wrl /u01/app/oracle/product/11.2/db_1/wallet -createEntry oracle.security.client.default_username scott
     
    6.2 #创建默认用户的密码。
    mkstore -wrl /u01/app/oracle/product/11.2/db_1/wallet -createEntry oracle.security.client.default_password oracle
     
    6.3 #查看是否创建成功
    mkstore -wrl /u01/app/oracle/product/11.2.0/db_1/wallet -list
     
    Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
    Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
     
    Enter wallet password:
     
    Oracle Secret Store entries:
    oracle.security.client.connect_string1
    oracle.security.client.default_password
    oracle.security.client.default_username
    oracle.security.client.password1
    oracle.security.client.username1
     
    7.当默认用户与手动增加的数据库信息到wallet中时,那一个生效呢?
    下面我们测试一下,当wallet里面创建了默认的用户与密码时,手动再增加一个信息到wallet时,到底是默认用户还是手动增加的生效呢?其实是手动增加的生效。
    7.1 #由于默认用户增加的SCOTT普通用户,所以这里我们增加sys这个用户来做测试,net service名是htzb
    mkstore -wrl $ORACLE_HOME/wallet -createCredential htzb sys 'oracle'
     
    7.2 #登陆测试。
    这里没有增加as sysdba就是为了能区别普通用户与sys用户登陆的区别。如果是sys用户生效,就会报没有增加as sysdba登陆,如果是scott这个默认用户生效,就会登陆成功。
    [oracle@test db_1]$ sqlplus /@htzb
     
    SQL*Plus: Release 11.2.0.2.0 Production on Sat Sep 8 09:33:07 2012
    Copyright (c) 1982, 2010, Oracle. All rights reserved.
    #这里报错,说明手动增加的SYS用户的生效。默认用户没有生效
    ERROR:
    ORA-28009: connection as SYS should be as SYSDBA or SYSOPER
    Enter user-name:
     
    7.3 #这里我们再登陆htz,登陆成功。说明我们默认用户在其它的net service是生效的。
    sqlplus /@htz
    exit
     
    7.4 #以sys as sysdba登陆成功
    sqlplus /@htzb as sysdba
    show user
     
    8.下面测试的是通过mkstore修改wallet中的内容后,导致wallet相关的文件,权限自动改成600.
    8.1 #把wallet的文件权限改成777
    chmod 777 $ORACLE_HOME/wallet/*
    ls -l $ORACLE_HOME/wallet
     
    8.2 #手动在wallet中增加一个net service的配置信息
    [oracle@test db_1]$ mkstore -wrl $ORACLE_HOME/wallet -deleteCredential htz
     
    8.3 #再次查看权限时发现权限已经自己改成了600了
    ls -l $ORACLE_HOME/wallet
     
    9. 当用户的密码发生变化的时候需要修改wallet中的密码
    mkstore -wrl $ORACLE_HOME/wallet -modifyCredential htz scott 'oracleoracle';
     
    10.查看wallet中有那些认证的信息
    mkstore -wrl $ORACLE_HOME/wallet -listCredential
     
    11 从wallet删除一个net service的配置信息
    [oracle@test ~]$ mkstore -wrl $ORACLE_HOME/wallet -deleteCredential htz
     
    12.修改默认的用户名
    修改默认的用户名的密码的方法也一样。
    [oracle@test ~]$ mkstore -wrl $ORACLE_HOME/wallet -viewEntry oracle.security.client.default_username
     
    --oracle.security.client.default_username = scott
     
    mkstore -wrl $ORACLE_HOME/wallet -modifyEntry oracle.security.client.default_username
     
    mkstore -wrl $ORACLE_HOME/wallet -viewEntry oracle.security.client.default_username
     
    --oracle.security.client.default_username = oracle
     
    13 删除默认的用户名
     
    [oracle@test ~]$ mkstore -wrl $ORACLE_HOME/wallet -deleteEntry oracle.security.client.default_username
    
    
  • 相关阅读:
    POJ 1611 : The Suspects (普通并查集)
    深入解析 Dubbo 3.0 服务端暴露全流程
    智能搜索推荐一体化营收增长解决方案
    云上应用系统数据存储架构演进
    EMR on ACK 全新发布,助力企业高效构建大数据平台
    介绍一下闭包和闭包常用场景?
    BFC
    高斯消元学习笔记
    云虚拟主机如何设置域名解析
    Centos7.3安装openJDK
  • 原文地址:https://www.cnblogs.com/buffercache/p/14035582.html
Copyright © 2020-2023  润新知