Configuring an SSL connection for Oracle

Time: 2019-01-04 09:58:44

Tags: oracle ssl ssl-certificate

I am trying to configure an SSL-encrypted connection to Oracle via ODBC. I searched the internet and found a similar set of steps for this configuration; after making the changes on the server side, the latest configuration files are as follows:

sqlnet.ora

SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)

SSL_VERSION = 3.1

SQLNET.ENCRYPTION_SERVER = requested

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

SSL_CLIENT_AUTHENTICATION = TRUE

SQLNET.CRYPTO_SEED = 'VALIDSEED111'

SQLNET.ENCRYPTION_TYPES_SERVER= (AES256, RC4_256, AES192, 3DES168,
AES128, RC4_128, 3DES112, RC4_56, DES, RC4_40, DES40)

WALLET_LOCATION =   (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /home/oracle/oracle/product/10.2.0/db_1/bin)
    )   )

SSL_CIPHER_SUITES= (SSL_RSA_WITH_RC4_128_MD5)

listener.ora

SID_LIST_LISTENER =   (SID_LIST =
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (ORACLE_HOME = /home/oracle/oracle/product/10.2.0/db_1)
      (PROGRAM = extproc)
    )   )

SSL_CLIENT_AUTHENTICATION = FALSE

WALLET_LOCATION =   (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /home/oracle/oracle/product/10.2.0/db_1/bin)
    )   )

LISTENER =   (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = localhost.localdomain)(PORT = 1521))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = localhost.localdomain)(PORT = 1531))
    )   )

I also restarted the listener after updating the listener.ora file by running the following commands:

lsnrctl stop
lsnrctl start

The latest configuration files after the changes on the client side are as follows:

sqlnet.ora

SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS, NTS)

SSL_VERSION = 3.1

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

SSL_CLIENT_AUTHENTICATION = TRUE

SQLNET.ENCRYPTION_TYPES_CLIENT= (AES256, RC4_256, AES192, 3DES168,
AES128, RC4_128, 3DES112, RC4_56, DES, RC4_40, DES40)

WALLET_LOCATION =   (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C\app\oracle\product\11.2.0\client_1\BIN\owm\wallets)
    )   )

SSL_CIPHER_SUITES= (SSL_RSA_WITH_RC4_128_MD5)

ADR_BASE = C:\app\oracle\product\11.2.0\client_1\log

tnsnames.ora

ORCL43 =   (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = XX.XX.XX.XX)(PORT = 1531))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = orcl)
    )
    (SECURITY=
      (SSL_SERVER_CERT_DN="cn=TGL,cn=OracleContext,c=IN,o=PQR")
    )   )

listener.ora

SSL_CLIENT_AUTHENTICATION = FALSE

LISTENER =   (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = XX.XX.XX.XX)(PORT = 1521))   )

ADR_BASE_LISTENER = C:\app\oracle\product\11.2.0\client_1\log

When I try to connect to the Oracle database through SQL*Plus using "ORCL43", I get "ORA-12560: TNS: protocol adapter error".

Please let me know where I am going wrong.

Please help me.

1 answer:

Answer 0: (score: 0)

Make sure listener.ora (server side) and tnsnames.ora (client side) both contain the same HOST and PORT values. In your case, if the server and client are on different machines (i.e. have different addresses), use the server's address in the HOST field of both files.

Ideally, this should resolve the problem you are facing.

Also, as others have suggested in the comments, you should remove the cipher suite option from the files, or at least use only those cipher suites that are considered secure. Additionally, SQLNET.ENCRYPTION_SERVER is not required to enable SSL; that flag configures Oracle native network encryption.

Here are some sample files that I am using to enable 2-way SSL (mutual authentication) for Oracle DB 12c.

Client side

tnsnames.ora

PDBORCL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = 10.255.255.255)(PORT = 2848))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = pdborcl)
    )
    (SECURITY=
    (SSL_SERVER_CERT_DN="cn=localhost,c=IN"))
  )

sqlnet.ora

SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS, NTS)

SSL_VERSION = 0

SSL_SERVER_DN_MATCH = Yes

SSL_EXTENDED_KEY_USAGE="SSL" (# not a required option, check the docs for usages. They have explained it nicely)
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\wallet)
    )
  )

ADR_BASE = C:\app\OracleHomeUser1\product\12.1.0\dbhome_1\log

Server side

listener.ora

SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = CLRExtProc)
      (ORACLE_HOME = C:\app\OracleHomeUser1\product\12.1.0\dbhome_1)
      (PROGRAM = extproc)
      (ENVS = "EXTPROC_DLLS=ONLY:C:\app\OracleHomeUser1\product\12.1.0\dbhome_1\bin\oraclr12.dll")
    )
  )

SSL_CLIENT_AUTHENTICATION = FALSE

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\wallet)
    )
  )

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = 10.255.255.255)(PORT = 2848))
    )
  )

ADR_BASE_LISTENER = C:\app\OracleHomeUser1\product\12.1.0\dbhome_1\log

sqlnet.ora

SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS, NTS)

SSL_VERSION = 0

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

SSL_CLIENT_AUTHENTICATION = TRUE

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\wallet)
    )
  )

ADR_BASE = C:\app\OracleHomeUser1\product\12.1.0\dbhome_1\log
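The two points made in the answer, that the HOST/PORT in listener.ora and tnsnames.ora must agree and that the cipher-suite settings should not select weak crypto, can be checked mechanically before touching the wallet. The following Python script is an added example, not code from the question or the answer: it parses the (KEY = value) syntax that listener.ora, tnsnames.ora and sqlnet.ora share, reports every client ADDRESS that no listener ADDRESS serves, and flags RC4/MD5/DES suites, SSL 3.0 and TLS 1.0/1.1 versions, and a missing SSL_SERVER_DN_MATCH. The sample inputs are constructed to mirror the question's files (with SSL_VERSION set to 1.0 so the version check has something to report); 192.0.2.10 is a documentation placeholder, and the parser, function names and weak-suite marker list are my own assumptions, not part of Oracle's tooling.

```python
"""Added example, not code from the question or the answer: parse the (KEY = value) syntax of
listener.ora / tnsnames.ora / sqlnet.ora, check that each client ADDRESS matches an endpoint
the listener serves, and flag deprecated SSL/TLS settings. Sample inputs are constructed."""
import re
# One token per match: paren, '=', ',', quoted string or bare atom; a '#' comment sets no group
TOKEN = re.compile(r'\s*(?:#[^\n]*|(\()|(\))|(=)|(,)|("[^"]*")|([^\s()=,#]+))')

def tokenize(text):
    for m in TOKEN.finditer(text):
        tok = next((g for g in m.groups() if g is not None), None)
        if tok is not None:                      # None: the match was a comment
            yield tok.strip('"')

def parse(text):
    """Return a list of (key, value) pairs; a value is a string or a nested list."""
    toks, pos = list(tokenize(text)), 0
    def peek(): return toks[pos] if pos < len(toks) else None
    def take():
        nonlocal pos; pos += 1; return toks[pos - 1]
    def value():                                 # an atom, or consecutive (...) groups
        if peek() != '(':
            return take()
        body = []
        while peek() == '(':
            take()
            body.extend(items(')'))
            if peek() == ')':
                take()
        return body
    def items(stop):                             # KEY = value pairs and/or bare list atoms
        out = []
        while peek() not in (None, stop):
            t = take()
            if t == ',':
                continue
            if peek() == '=':
                take()
                out.append((t, value()))
            else:
                out.append(t)
        return out
    return items(None)

def find(tree, key):                             # every value bound to key, at any depth
    for item in tree:
        if isinstance(item, tuple):
            if item[0].upper() == key:
                yield item[1]
            if isinstance(item[1], list):
                yield from find(item[1], key)

def addresses(tree):                             # each ADDRESS group as a {'PROTOCOL','HOST','PORT'} dict
    return [{p[0].upper(): p[1] for p in a if isinstance(p, tuple)}
            for a in find(tree, 'ADDRESS') if isinstance(a, list)]

def endpoint_mismatches(tnsnames, listener):     # tnsnames (alias, address) that no listener ADDRESS serves
    key = lambda a: (a.get('PROTOCOL', '').upper(), a.get('HOST', '').lower(), a.get('PORT'))
    served = {key(a) for a in addresses(listener)}
    return [(item[0], a) for item in tnsnames if isinstance(item, tuple)
            for a in addresses([item]) if key(a) not in served]

WEAK_SUITE_MARKERS = ('RC4', 'MD5', 'DES', 'NULL', 'ANON', 'EXPORT')
DEPRECATED_VERSIONS = {'3.0': 'SSL 3.0 (RFC 7568)', '1.0': 'TLS 1.0 (RFC 8996)', '1.1': 'TLS 1.1 (RFC 8996)'}

def crypto_findings(sqlnet):                     # weak suites, deprecated versions, no server-DN check
    out = []
    for suites in find(sqlnet, 'SSL_CIPHER_SUITES'):
        for s in (suites if isinstance(suites, list) else [suites]):
            if any(m in str(s).upper() for m in WEAK_SUITE_MARKERS):
                out.append(f'weak cipher suite {s}')
    for v in find(sqlnet, 'SSL_VERSION'):
        if v in DEPRECATED_VERSIONS:
            out.append(f'SSL_VERSION {v} selects deprecated {DEPRECATED_VERSIONS[v]}')
    if not any(str(v).upper() in ('YES', 'ON', 'TRUE') for v in find(sqlnet, 'SSL_SERVER_DN_MATCH')):
        out.append('SSL_SERVER_DN_MATCH not enabled: the server certificate DN is not verified')
    return out

def lint(listener_text, tnsnames_text, sqlnet_text):
    listener, tnsnames, sqlnet = parse(listener_text), parse(tnsnames_text), parse(sqlnet_text)
    report = [f'{alias}: listener has no {a.get("PROTOCOL")} endpoint at {a.get("HOST")}:{a.get("PORT")}'
              for alias, a in endpoint_mismatches(tnsnames, listener)]
    return report + crypto_findings(sqlnet)

# Constructed samples mirroring the question: the client points at the server's public address
# (placeholder 192.0.2.10) while the listener binds TCPS only on localhost.localdomain.
SERVER_LISTENER_ORA = r"""LISTENER = (DESCRIPTION_LIST =
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = localhost.localdomain)(PORT = 1521)))
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = localhost.localdomain)(PORT = 1531))))"""
CLIENT_TNSNAMES_ORA = r"""ORCL43 = (DESCRIPTION =
    (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS)(HOST = 192.0.2.10)(PORT = 1531)))
    (CONNECT_DATA = (SERVICE_NAME = orcl))
    (SECURITY = (SSL_SERVER_CERT_DN = "cn=TGL,cn=OracleContext,c=IN,o=PQR")))"""
CLIENT_SQLNET_ORA = r"""SQLNET.AUTHENTICATION_SERVICES = (BEQ, TCPS, NTS)
SSL_VERSION = 1.0
SSL_CIPHER_SUITES = (SSL_RSA_WITH_RC4_128_MD5)   # same RC4/MD5 suite as the question
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = C:\wallet)))"""

if __name__ == '__main__':
    for line in lint(SERVER_LISTENER_ORA, CLIENT_TNSNAMES_ORA, CLIENT_SQLNET_ORA):
        print('FINDING:', line)
```

Run against the constructed files it reports the endpoint mismatch the answer describes (the client alias names a TCPS endpoint the listener never binds), the RC4/MD5 suite, the deprecated protocol version, and the absent SSL_SERVER_DN_MATCH that the answer's own sqlnet.ora sets to Yes. To lint real files, read each one with open() and pass the text to lint(). The parser treats consecutive (...) groups after a key as one value, which is how WALLET_LOCATION, DESCRIPTION_LIST and ADDRESS_LIST nest in these files; it does not try to validate the files beyond that, so an unbalanced parenthesis simply yields a shorter tree rather than an error.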