我正在尝试配置Oracle 12实例以允许(以后强制)SSL加密连接(仅加密,不进行身份验证)。
我确实喜欢在SSL With Oracle JDBC Thin Driver中描述:
从listener.ora更改
LISTENER =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
(ADDRESS = (PROTOCOL = TCP)(HOST = myhost)(PORT = 1521))
)
)
到
LISTENER =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
(ADDRESS = (PROTOCOL = TCP)(HOST = myhost)(PORT = 1521))
(ADDRESS = (PROTOCOL = TCPS)(HOST = myhost)(PORT = 2484))
)
)
WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/tmp/oracle_wallet_tmp)))
SSL_CLIENT_AUTHENTICATION=FALSE
并将最后两行添加到sqlnet.ora。
然后我用
创建了钱包orapki wallet create -wallet /tmp/oracle_wallet_tmp -pwd test1234
并使用
重新启动监听器lsnrctl stop
lsnrctl start
非加密会话仍然可以正常工作。 但是
但是当我尝试通过JDBC在加密连接上进行连接时,我得到了
Exception in thread "main" java.sql.SQLRecoverableException: I/O-Fehler: Received fatal alert: handshake_failure
at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:682)
at oracle.jdbc.driver.PhysicalConnection.<init>(PhysicalConnection.java:711)
at oracle.jdbc.driver.T4CConnection.<init>(T4CConnection.java:385)
at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:30)
at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:558)
at java.sql.DriverManager.getConnection(DriverManager.java:571)
at java.sql.DriverManager.getConnection(DriverManager.java:187)
at orassl.Orassl.<init>(Orassl.java:23)
at orassl.Orassl.main(Orassl.java:38)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1959)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1077)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
at oracle.net.ns.Packet.send(Packet.java:419)
at oracle.net.ns.ConnectPacket.send(ConnectPacket.java:241)
at oracle.net.ns.NSProtocolStream.negotiateConnection(NSProtocolStream.java:151)
at oracle.net.ns.NSProtocol.connect(NSProtocol.java:263)
at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1360)
at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:486)
... 8 more
侦听器日志文件listener/alert/log.xml仅告诉我
<msg time='2014-03-04T14:03:19.906+01:00' org_id='oracle' comp_id='tnslsnr'
type='UNKNOWN' level='16' host_id='myhost'
host_addr='hostip'>
<txt>04-MAR-2014 14:03:19 * <unknown connect data> * 12561
</txt>
</msg>
<msg time='2014-03-04T14:03:19.907+01:00' org_id='oracle' comp_id='tnslsnr'
type='UNKNOWN' level='16' host_id='myhost'
host_addr='hostip'>
<txt>TNS-12561: TNS:unknown error
</txt>
</msg>
<msg time='2014-03-04T14:03:19.933+01:00' org_id='oracle' comp_id='tnslsnr'
type='UNKNOWN' level='16' host_id='myhost'
host_addr='hostip'>
<txt>04-MAR-2014 14:03:19 * <unknown connect data> * 12561
</txt>
</msg>
<msg time='2014-03-04T14:03:19.933+01:00' org_id='oracle' comp_id='tnslsnr'
type='UNKNOWN' level='16' host_id='myhost'
host_addr='hostip'>
<txt>TNS-12561: TNS:unknown error
</txt>
</msg>
客户端连接以下内容:
props.setProperty("oracle.net.ssl_cipher_suites", "(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_RC4_128_MD5, SSL_DH_anon_WITH_DES_CBC_SHA)");
props.setProperty("user", "dbuser");
props.setProperty("password", "dbpass");
final Connection c= DriverManager.getConnection("jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=hostip)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=mysid)))", props );
我还有什么问题?
答案 0 :(得分:1)
我发现SSL工作的两个要点(使用SQLDeveloper的JDBC,sqlplus命令)
有关匿名DH密码的文件评论对12c无效,您应该使用标准密码 - 在我的情况下,在服务器SSL_CIPHER_SUITES上发表评论sqlnet.ora并且listner.ora成功了。
在数据库中,您必须明确地将local_listener参数设置为支持SSL的值。为简单起见,您可以将您的LISTENER配置从listener.ora复制到$ORACLE_HOME/network/admin/tnsnames.ora,然后将local_listener设置为该值,例如alter system set local_listener='LISTENER';
256位AES密码不能与Java一起开箱即用 - 你必须安装Java Cryptography Extension(JCE)
如果您可以访问Metalink,请注意762286.1,“使用SSL与Oracle的JDBC THIN驱动程序(Doc ID 762286.1)使用SSL的端到端示例”可能有所帮助。
还有一个提示:由于XML往往有点难以阅读,因此可以检查trace子目录下的纯文本日志文件。例如/u01/app/diag/tnslsnr/$HOST/listener/trace/listener.log。