使用自签名证书的SSL (linux_db19 win_客户端)
创始人
2025-06-01 03:50:09
配置服务器端
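# Server side (Linux): create the wallet, add a self-signed certificate and
# export that certificate for the client.
# NOTE(review): -pwd on the command line leaves the wallet password in shell
# history and in the process list; orapki prompts for it when -pwd is omitted.
mkdir -p /u01/app/oracle/wallet
# -auto_login also writes cwallet.sso, which opens without a password, so the
# wallet directory should be readable only by the Oracle software owner.
orapki wallet create -wallet "/u01/app/oracle/wallet" -pwd WalletPasswd123 -auto_login
# 2048-bit RSA replaces the original 1024-bit key, which is too short to rely
# on for TLS.
orapki wallet add -wallet "/u01/app/oracle/wallet" -pwd WalletPasswd123 -dn "CN=$(hostname)" -keysize 2048 -self_signed -validity 3650
orapki wallet display -wallet "/u01/app/oracle/wallet" -pwd WalletPasswd123
# Export the certificate so the client can import it as trusted.
orapki wallet export -wallet "/u01/app/oracle/wallet" -pwd WalletPasswd123 -dn "CN=$(hostname)" -cert "/tmp/$(hostname)-certificate.crt"
cat "/tmp/$(hostname)-certificate.crt"
配置客户端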
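rem Client side (Windows cmd.exe): create the client wallet and certificate.
rem cmd.exe's mkdir creates missing parent directories by itself; "-p" is not
rem an option there and would be created as a directory named "-p".
mkdir h:\app\oracle\wallet
orapki wallet create -wallet "h:\app\oracle\wallet" -pwd WalletPasswd123 -auto_login
rem 2048-bit RSA replaces the original 1024-bit key, which is too short to
rem rely on for TLS.
orapki wallet add -wallet "h:\app\oracle\wallet" -pwd WalletPasswd123 -dn "CN=%computername%" -keysize 2048 -self_signed -validity 3650
orapki wallet display -wallet "h:\app\oracle\wallet" -pwd WalletPasswd123
orapki wallet export -wallet "h:\app\oracle\wallet" -pwd WalletPasswd123 -dn "CN=%computername%" -cert c:\%computername%-certificate.crt
more c:\%computername%-certificate.crt
rem Whatever file is imported with -trusted_cert becomes a trust anchor, so
rem copy the server certificate over a channel you trust.
orapki wallet add -wallet "h:\app\oracle\wallet" -pwd WalletPasswd123 -trusted_cert -cert c:\lihao.local-certificate.crt
orapki wallet display -wallet "h:\app\oracle\wallet" -pwd WalletPasswd123
# Back on the Linux server: import the client's certificate as trusted.
orapki wallet add -wallet "/u01/app/oracle/wallet" -pwd WalletPasswd123 -trusted_cert -cert /tmp/WIN-9JSKV9NSSQS-certificate.crt
orapki wallet display -wallet "/u01/app/oracle/wallet" -pwd WalletPasswd123
修改 sqlnet.ora 增加内容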
$ORACLE_HOME/network/admin/sqlnet.ora
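# Wallet that holds the server certificate and the trusted client certificate.
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/wallet)))

# Allow TLS (TCPS) authentication alongside the other listed services.
SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)

# FALSE: the server does not request a client certificate, so TLS only
# encrypts the channel here; users still authenticate with a password.
SSL_CLIENT_AUTHENTICATION = FALSE

# SSL_RSA_WITH_3DES_EDE_CBC_SHA was removed from the original list: 3DES is a
# legacy 64-bit-block cipher and should not be offered. The list must still
# overlap with the client's list. NOTE(review): the remaining suite is CBC
# with static RSA key exchange; prefer a stronger suite from the list your
# release supports if both sides allow it.
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA)
listener.ora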
# Set to the same value as in the server's sqlnet.ora: no client certificate
# is requested.
SSL_CLIENT_AUTHENTICATION = FALSE

# Same wallet directory as in sqlnet.ora.
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/wallet)))

# NOTE(review): the plain TCP endpoint on 1521 stays enabled next to TCPS on
# 2484, so clients that use the TCP address still connect without TLS. Remove
# or firewall it once every client uses TCPS, if unencrypted logins must not
# be possible.
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = lihao.local)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = lihao.local)(PORT = 2484))))

ADR_BASE_LISTENER = /u01/app/oracle
lsnrctl stop
lsnrctl start
客户端配置
H:\app\client\Administrator\product\19.0.0\client_1\network\admin
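sqlnet.ora
# Client wallet that holds the client certificate and the trusted server
# certificate.
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = h:\app\oracle\wallet)))

SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS)

# FALSE: no client certificate is presented; TLS only encrypts the channel.
SSL_CLIENT_AUTHENTICATION = FALSE

# SSL_RSA_WITH_3DES_EDE_CBC_SHA was removed from the original list: 3DES is a
# legacy 64-bit-block cipher and should not be offered. The list must still
# overlap with the server's list.
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA)
tnsnames.ora配置
pdb1_ssl=
  (DESCRIPTION=
    (ADDRESS=(PROTOCOL=TCPS)(HOST=lihao.local)(PORT=2484))
    (CONNECT_DATA=(SERVER=dedicated)(SERVICE_NAME=pdb1)))
创建用户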
-- Throw-away account for testing the TCPS connection. Its password equals the
-- user name, so outside a lab use a strong password and drop the account once
-- the test is done.
CREATE USER test IDENTIFIED BY test CONTAINER=CURRENT;
-- CREATE SESSION is the only privilege granted.
GRANT CREATE SESSION TO test CONTAINER=CURRENT;

创建自动登录钱包(注意:不应该加 local,即应使用 -auto_login,而不是 -auto_login_local)

# Create the directory that will hold the server wallet.
mkdir -p /u01/app/oracle/wallet

# NOTE(review): the note above says not to use the "local" variant, and the
# condensed listing near the top of this page uses -auto_login, yet this
# command passes -auto_login_local. -auto_login_local ties the auto-login
# wallet to the machine and OS user that created it; plain -auto_login yields
# one that opens wherever the files are copied, so restrict the directory to
# the Oracle software owner. -pwd on the command line also leaves the password
# in shell history; orapki prompts for it when -pwd is omitted.
orapki wallet create -wallet "/u01/app/oracle/wallet" -pwd WalletPasswd123 -auto_login_local

创建自签名证书并将其加载到钱包中

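# Create the self-signed server certificate inside the wallet. The options
# belong to one command, so the line break needs a trailing backslash.
# 2048-bit RSA replaces the original 1024-bit key, which is too short to rely
# on for TLS.
orapki wallet add -wallet "/u01/app/oracle/wallet" -pwd WalletPasswd123 \
  -dn "CN=$(hostname)" -keysize 2048 -self_signed -validity 3650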

检查钱包的内容

# List the wallet contents to confirm the certificate for this host was added.
orapki wallet display -wallet "/u01/app/oracle/wallet" -pwd WalletPasswd123

导出证书

# Export the server certificate to a file named after this host, then print
# it. The client later imports this file as a trusted certificate, so make
# sure the copy that reaches the client is the one written here.
cert_file="/tmp/$(hostname)-certificate.crt"
orapki wallet export -wallet "/u01/app/oracle/wallet" -pwd WalletPasswd123 -dn "CN=$(hostname)" -cert "$cert_file"

cat "$cert_file"

服务器和客户端相互把对方的主机名写入各自的 hosts 文件

相互能PING通

配置客户端

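rem cmd.exe's mkdir creates missing parent directories by itself; "-p" is not
rem an option there and would be created as a directory named "-p".
mkdir h:\app\oracle\wallet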

创建一个新的自动登录钱包

rem NOTE(review): this passes -auto_login_local, while the condensed listing
rem near the top of this page uses -auto_login. -auto_login_local ties the
rem auto-login wallet to the machine and OS user that created it; plain
rem -auto_login yields one that opens wherever the files are copied. Either
rem way, keep the wallet folder readable only by the account that runs the
rem client.
orapki wallet create -wallet "h:\app\oracle\wallet" -pwd WalletPasswd123 -auto_login_local

创建自签名证书并将其加载到钱包中

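rem Create the self-signed client certificate inside the wallet. 2048-bit RSA
rem replaces the original 1024-bit key, which is too short to rely on for TLS.
orapki wallet add -wallet "h:\app\oracle\wallet" -pwd WalletPasswd123 -dn "CN=%computername%" -keysize 2048 -self_signed -validity 3650

rem List the wallet contents to confirm the certificate was added.
orapki wallet display -wallet "h:\app\oracle\wallet" -pwd WalletPasswd123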

导出证书,以便稍后将其加载到服务器中

rem Export the client certificate to a file named after this computer; the
rem server imports that file as a trusted certificate later.
orapki wallet export -wallet "h:\app\oracle\wallet" -pwd WalletPasswd123 -dn "CN=%computername%" -cert c:\%computername%-certificate.crt

rem Print the exported certificate file.
more c:\%computername%-certificate.crt

将服务器证书加载到客户端钱包中

rem Import the server's certificate as trusted. Whatever file is imported here
rem becomes a trust anchor for TCPS connections, so copy it from the server
rem over a channel you trust.
orapki wallet add -wallet "h:\app\oracle\wallet" -pwd WalletPasswd123 -trusted_cert -cert c:\lihao.local-certificate.crt

检查客户端钱包的内容

rem List the wallet again; the imported server certificate should now appear
rem among the trusted certificates.
orapki wallet display -wallet "h:\app\oracle\wallet" -pwd WalletPasswd123

将客户端证书加载到服务器钱包中 

放到tmp文件中

访问共享文件

 

  orapki wallet add -wallet "/u01/app/oracle/wallet" -pwd WalletPasswd123 -trusted_cert -cert /tmp/WIN-9JSKV9NSSQS-certificate.crt

orapki wallet display -wallet "/u01/app/oracle/wallet" -pwd WalletPasswd123

提供钱包的路径。

启用“所有”身份验证服务(包括 TLS/SSL),而不是仅允许数据库用户/密码身份验证。

禁用对等方证书的身份验证。现在我们只想加密通信。

启用一组密码套件。默认值为“无”,因此必须明确提供一组密码

配置侦听器

在端口 2484 上添加 TCPS 协议的条目

H:\app\client\Administrator\product\19.0.0\client_1\network\admin

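sqlplus sys@pdb1 as sysdba

-- The SYS password is no longer passed on the command line, where it would
-- end up in shell history and the process list; SQL*Plus prompts for it.
-- Throw-away account for testing the TCPS connection. Its password equals the
-- user name, so outside a lab use a strong password and drop the account once
-- the test is done.
CREATE USER test IDENTIFIED BY test CONTAINER=CURRENT;

-- CREATE SESSION is the only privilege granted.
GRANT CREATE SESSION TO test CONTAINER=CURRENT;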

重新测试
