Wallet作用
从Oracle 10g R2开始, 通过使用Oracle Wallet达到任意用户不使用密码登录数据库(非操作系统认证方式), 这对在shell中要使用用户密码登录数据库进行操作的脚本来说是非常有用的, 可以不暴露用户密码. 比如在Oracle客户端通过mkstore命令设置Wallet认证信息, 然后通过"sqlplus/@connect_string"方式就可以直接连接数据库.
本例是让sysrls用户无需使用密码登录系统, mkstore用法如下:
ORACLE_HOME/bin/mkstore
mkstore [-wrl wrl] [-create] [-createSSO] [-delete] [-deleteSSO] [-list] [-createEntry alias secret] [-viewEntry alias] [-modifyEntry alias secret] [-deleteEntry alias] [-help]
1)安装Oracle Client
2)创建wallet存放目录和修改.bash_profile
mkdir /home/sysrls/wallet
vi .bash_profile
# Oracle Base Directory ORACLE_BASE=/opt/oraapp # Oracle Home Directory - Set this to the correct Oracle Home for the client ORACLE_HOME=/opt/oraapp/client/12.1.0.2_x64_DBAocl030 # Set TNS_ADMIN to point to correct location TNS_ADMIN=$ORACLE_HOME/network/admin/tnsnames.ora # Add the ORACLE_HOME bin directory to the PATH variable PATH=$ORACLE_HOME/bin:$PATH # Add Add the ORACLE_HOME lib directories to the LD_LIBRARY_PATH variable LD_LIBRARY_PATH=${ORACLE_HOME}/lib:${LD_LIBRARY_PATH} # Set LANG & NLS variables appropriately for your region LANG="en_US.UTF-8" # NLS_LANG is of the form Language_country.characterset NLS_LANG="AMERICAN_AMERICA.AL32UTF8" ORA_NLS10=$ORACLE_HOME/nls/data # Export variable to ensure they are set correctly for any sub processes export ORACLE_BASE LANG ORACLE_HOME PATH LD_LIBRARY_PATH NLS_LANG ORA_NLS10 TNS_ADMIN
3)生成wallet
ORACLE_HOME/bin/mkstore -wrl /home/sysrls/wallet -create
Enter password:<输入钱包密码>
Enter password again:<确认钱包密码>
[sysrls@cnl20059850 wallet]$ ll
total 8
-rw-------. 1 sysrls sysrls 581 Jul 18 11:01 cwallet.sso
-rw-rw-rw-. 1 sysrls sysrls 0 Jul 18 10:52 cwallet.sso.lck
-rw-------. 1 sysrls sysrls 536 Jul 18 11:01 ewallet.p12
-rw-rw-rw-. 1 sysrls sysrls 0 Jul 18 10:52 ewallet.p12.lck
4)修改网路配置
vi $ORACLE_HOME/network/admin/tnsnames.ora
CRCDB = (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = 133.9.207.35)(PORT = 2001)) ) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = CRCDB) ) )
vi ORACLE_HOME/network/admin/sqlnet.ora
WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/home/sysrls/wallet))) SQLNET.WALLET_OVERRIDE=TRUE
--创建钱包,或者alter system set encryption key identified by "oracle";
/u01/app/oracle/product/11.2/db_1/bin/mkstore -wrl /u01/app/oracle/admin/orcl/wallet/ -create
5)给特定数据库用户生成Credential
$ORACLE_HOME/bin/mkstore -wrl /home/u_test/wallet -createCredential CRCDB wallet test123
6) 确认用户认证信息已经加入到Wallet
$ $ORACLE_HOME/bin/mkstore -wrl $ORACLE_HOME/network/admin/wallet -listCredential
7)维护
生成wallet
mkstore -wrl /home/sysrls/wallet/ -createCredential CRCDB wallet Frank
Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
Create credential oracle.security.client.connect_string1
查看wallet中的认证信息
[sysrls@cnl20059850 wallet]$ mkstore -wrl /home/sysrls/wallet -listCredential
Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
List credential (index: connect_string username)
1: CRCDB wallet
修改wallet中的认证信息
[sysrls@cnl20059850 wallet]$ mkstore -wrl /home/sysrls/wallet/ -modifyCredential CRCDB wallet test2
Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
Modify credential
Modify 1
删除wallet中的认证信息
mkstore -wrl /home/sysrls/wallet -deleteCredential CRCDB
查看wallet中的条目
[sysrls@cnl20059850 wallet]$ mkstore -wrl /home/sysrls/wallet/ -list
Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
Oracle Secret Store entries:
oracle.security.client.connect_string1
oracle.security.client.password1
oracle.security.client.username1
--查看wallet中条目的值
mkstore -wrl /home/sysrls/wallet/ -viewEntry oracle.security.client.connect_string1
Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
oracle.security.client.connect_string1 = CRCDB
mkstore -wrl /home/sysrls/wallet/ -viewEntry oracle.security.client.username1
Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
oracle.security.client.username1 = wallet
mkstore -wrl /home/sysrls/wallet/ -viewEntry oracle.security.client.password1
Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
oracle.security.client.password1 = test2
--修改wallet文件的密码
orapki wallet change_pwd -wallet /home/sysrls/wallet/
8)如何生成让wallet仅本机可用
Oracle Wallet is a container that stores authentication and signing credentials.
Trusted certificates are stored in the Oracle Wallet when the wallet is used for security credentials.
PeopleSoft enables you to create an Oracle Wallet in two ways:
ORAPKI command line - The ORAPKI tool is available with Oracle database, so this tool can be used only by those users have a license for Oracle database.
OpenSSL utility - Users who do not have a license for Oracle database can use this utility to create their own certificates.
After creating an Oracle Wallet, you must configure SSL for the Workstation Listener and Jolt Listener ports to ensure secure client and server communications.
#维护小脚本,应该用dos2unix转换或者在linux中手工编辑
#!/bin/bash
echo -e "Useful action
"
echo -e "1)create wallet"
echo -e "2)create Credential"
echo -e "3)check the created Credential"
echo -e "4)modify the created Credential"
echo -e "5)delete the created Credential"
echo -e "6)list Credential item"
echo -e "7)list Credential Entry value "
echo -e "8)modify wallet password"
echo -e "9)exit"
read -p "choose your action:" num1
case $num1 in
1)
echo -e "Please enter wallet password:
"
read -s password
printf "$password
$password
" | /u01/app/oracle/product/11.2/db_1/bin/mkstore -wrl /u01/app/oracle/product/11.2/db_1/wallet/ -create
echo -e "wallet create success
"
;;
2)
echo -e "Please enter wallet password:"
read -s password
read -p "Please enter database tnsname:" tnsname
read -p "Please enter database user:" user
echo -n "Please enter database user's password:"
read -s dbpass
printf "$dbpass
$dbpass
$password
" | /u01/app/oracle/product/11.2/db_1/bin/mkstore -wrl /u01/app/oracle/product/11.2/db_1/wallet/ -createCredential $tnsname $user
echo -e "Credential create success
"
;;
3)
echo -e "Please enter wallet password:
"
read -s password
printf "$password
" | /u01/app/oracle/product/11.2/db_1/bin/mkstore -wrl /u01/app/oracle/product/11.2/db_1/wallet/ -listCredential
;;
4)
echo -e "Please enter wallet password:"
read -s password
read -p "Please enter database tnsname:" tnsname
read -p "Please enter database user:" user
echo -n "Please enter database user's password:"
read -s dbpass
printf "$dbpass
$dbpass
$password
" | /u01/app/oracle/product/11.2/db_1/bin/mkstore -wrl /u01/app/oracle/product/11.2/db_1/wallet/ -modifyCredential $tnsname $user
echo -e "modify Credential success
"
;;
5)
echo -e "Please enter wallet password:"
read -s password
read -p "Please enter database tnsname:" tnsname
printf "$password
" | /u01/app/oracle/product/11.2/db_1/bin/mkstore -wrl /u01/app/oracle/product/11.2/db_1/wallet/ -deleteCredential $tnsname
echo -e "delete Credential success
"
;;
6)
echo -e "Please enter wallet password:"
read -s password
printf "$password
" | /u01/app/oracle/product/11.2/db_1/bin/mkstore -wrl /u01/app/oracle/product/11.2/db_1/wallet/ -list
;;
7)
echo -e "Please enter wallet password:"
read -s password
read -p "Please enter Entryname type:" type
if [ "$type" == "connect" ];then
printf "$password
" | /u01/app/oracle/product/11.2/db_1/bin/mkstore -wrl /u01/app/oracle/product/11.2/db_1/wallet/ -viewEntry oracle.security.client.connect_string1
fi
if [ "$type" == "user" ];then
printf "$password
" | /u01/app/oracle/product/11.2/db_1/bin/mkstore -wrl /u01/app/oracle/product/11.2/db_1/wallet/ -viewEntry oracle.security.client.username1
fi
if [ "$type" == "password" ];then
printf "$password
" | /u01/app/oracle/product/11.2/db_1/bin/mkstore -wrl /u01/app/oracle/product/11.2/db_1/wallet/ -viewEntry oracle.security.client.password1
fi
;;
8)
/u01/app/oracle/product/11.2/db_1/bin/orapki wallet change_pwd -wallet /u01/app/oracle/product/11.2/db_1/wallet/
;;
9)
exit 0
esac
------------------------------------------------------------------------------------------------------------------------------------------------
Oracle wallet配置登陆凭证
向wallet中增加了一个新的数据库,现实无需输入用户名与密码来登陆数据库,增加完成后,导致整个监控系统都是报用户名与密码的错误,无法登陆来数据库。但是Oracle用户是能正常登陆数据库,不需要输入密码。其实原因很简单,因为我们的监控系统是nagios,而wallet相关的文件的默认权限是600,除ORACLE外其它的用户都是不可以读写的,正常情况下我们是改成了777的权限,让其它的用户也能使用钱包这个功能,我对wallet进行新增加一个数据库时,wallet会自己把cwallet.sso与ewallet.p12文件的权限自己改成600。这就导致了今天我的悲剧。
vi $ORACLE_HOME/network/admin/tnsnames.ora 追加
htzb =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = source)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = orcl)
)
)
htz =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = source)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = orcl)
)
)
sqlplus / as sysdba
alter system set wallet open identified by oracle;
alter database open;
alter user scott identified by oracle account unlock;
select status,database_status from v$instance;
1.创建wallet
cd /u01/app/oracle/product/11.2/db_1
mkdir wallet
#输入wallet的密码,1.密码长度要是8位以上。2.密码最大长度没有限制。3.密码要有字符与数据。
--产生cwallet.sso、ewallet.p12;alter system set encryption key(wallet执行后不能再执行)产生ewallet.p12
--cwallet.sso用于账号登陆凭证
mkstore -wrl /u01/app/oracle/product/11.2/db_1/wallet -create
SQL> select * from v$encryption_wallet;
WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
/u01/app/oracle/product/11.2/db_1/wallet
OPEN_NO_MASTER_KEY
2.配置wallet到sqlnet.ora中
vi $ORACLE_HOME/network/admin/sqlnet.ora
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
#DIRECTORY这里就是指定wallet所在的目录
WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/product/11.2/db_1/wallet)))
SQLNET.WALLET_OVERRIDE=TRUE
3.查看wallet的命令帮忙
[oracle@test db_1]$ mkstore -help
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
mkstore [-wrl wrl] [-create] [-createSSO] [-createLSSO] [-createALO] [-delete]
[-deleteSSO] [-list] [-createEntry alias secret] [-viewEntry alias]
[-modifyEntry alias secret] [-deleteEntry alias]
[-createCredential connect_string username password] [-listCredential]
[-modifyCredential connect_string username password] [-deleteCredential connect_string] [-help] [-nologo]
4.增加数据库到wallet中去,并测试是否成功
3.1#增加net service为htz scott为用户 oracle为用户的密码。
#建议密码用''引起来,因为在生产环境中的密码基本上都是特殊字符的。
mkstore -wrl /u01/app/oracle/product/11.2/db_1/wallet -createCredential htz scott 'oracle'
3.2 #查看是否增加成功。
mkstore -wrl /u01/app/oracle/product/11.2.0/db_1/wallet -listCredential
List credential (index: connect_string username)
1: htz scott
3.3 测试是否可以实现无需要输入用户与密码登陆
sqlplus /@htz
show user;
5.查看entry
#这里看到我们增加一个数据进来就会增加3个entries。
#分别是一个连接符,一个用户名,一个密码。
#当我们增加了很多数据库与用户进来后,数据库与用户还有密码他们是怎么关联的呢?其实他们就是通过后面的这个数字来关键的。
mkstore -wrl /u01/app/oracle/product/11.2/db_1/wallet -list
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
Oracle Secret Store entries:
oracle.security.client.connect_string1
oracle.security.client.password1
oracle.security.client.username1
6.创建默认用户与密码
这样可以实现,登陆所以的数据库都可以使用默认的用户与密码
6.1 #创建默认的用户。
mkstore -wrl /u01/app/oracle/product/11.2/db_1/wallet -createEntry oracle.security.client.default_username scott
6.2 #创建默认用户的密码。
mkstore -wrl /u01/app/oracle/product/11.2/db_1/wallet -createEntry oracle.security.client.default_password oracle
6.3 #查看是否创建成功
mkstore -wrl /u01/app/oracle/product/11.2.0/db_1/wallet -list
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
Oracle Secret Store entries:
oracle.security.client.connect_string1
oracle.security.client.default_password
oracle.security.client.default_username
oracle.security.client.password1
oracle.security.client.username1
7.当默认用户与手动增加的数据库信息到wallet中时,那一个生效呢?
下面我们测试一下,当wallet里面创建了默认的用户与密码时,手动再增加一个信息到wallet时,到底是默认用户还是手动增加的生效呢?其实是手动增加的生效。
7.1 #由于默认用户增加的SCOTT普通用户,所以这里我们增加sys这个用户来做测试,net service名是htzb
mkstore -wrl $ORACLE_HOME/wallet -createCredential htzb sys 'oracle'
7.2 #登陆测试。
这里没有增加as sysdba就是为了能区别普通用户与sys用户登陆的区别。如果是sys用户生效,就会报没有增加as sysdba登陆,如果是scott这个默认用户生效,就会登陆成功。
[oracle@test db_1]$ sqlplus /@htzb
SQL*Plus: Release 11.2.0.2.0 Production on Sat Sep 8 09:33:07 2012
Copyright (c) 1982, 2010, Oracle. All rights reserved.
#这里报错,说明手动增加的SYS用户的生效。默认用户没有生效
ERROR:
ORA-28009: connection as SYS should be as SYSDBA or SYSOPER
Enter user-name:
7.3 #这里我们再登陆htz,登陆成功。说明我们默认用户在其它的net service是生效的。
sqlplus /@htz
exit
7.4 #以sys as sysdba登陆成功
sqlplus /@htzb as sysdba
show user
8.下面测试的是通过mkstore修改wallet中的内容后,导致wallet相关的文件,权限自动改成600.
8.1 #把wallet的文件权限改成777
chmod 777 $ORACLE_HOME/wallet/*
ls -l $ORACLE_HOME/wallet
8.2 #手动在wallet中增加一个net service的配置信息
[oracle@test db_1]$ mkstore -wrl $ORACLE_HOME/wallet -deleteCredential htz
8.3 #再次查看权限时发现权限已经自己改成了600了
ls -l $ORACLE_HOME/wallet
9. 当用户的密码发生变化的时候需要修改wallet中的密码
mkstore -wrl $ORACLE_HOME/wallet -modifyCredential htz scott 'oracleoracle';
10.查看wallet中有那些认证的信息
mkstore -wrl $ORACLE_HOME/wallet -listCredential
11 从wallet删除一个net service的配置信息
[oracle@test ~]$ mkstore -wrl $ORACLE_HOME/wallet -deleteCredential htz
12.修改默认的用户名
修改默认的用户名的密码的方法也一样。
[oracle@test ~]$ mkstore -wrl $ORACLE_HOME/wallet -viewEntry oracle.security.client.default_username
--oracle.security.client.default_username = scott
mkstore -wrl $ORACLE_HOME/wallet -modifyEntry oracle.security.client.default_username
mkstore -wrl $ORACLE_HOME/wallet -viewEntry oracle.security.client.default_username
--oracle.security.client.default_username = oracle
13 删除默认的用户名
[oracle@test ~]$ mkstore -wrl $ORACLE_HOME/wallet -deleteEntry oracle.security.client.default_username