Configuring SSL connections for Oracle 11g


𝓓𝓸𝓷 Lv6

Enabling secure SSL connections in Oracle

I. Server-side certificate configuration

1. Create an auto-login wallet

su - oracle
$ export WALLET=$ORACLE_BASE/admin/$ORACLE_SID/wallet
$ mkdir $WALLET

$ echo $WALLET
/oracle/app/oracle/admin/dggdszyyj/wallet

$ orapki wallet create -wallet $WALLET -pwd aM_32$9B015u -auto_login

$ ll $WALLET
total 8
-rw------- 1 oracle oinstall 3589 Jul 9 16:58 cwallet.sso
-rw------- 1 oracle oinstall 3512 Jul 9 16:58 ewallet.p12
2. Create a self-signed certificate

$ orapki wallet add -wallet $WALLET -pwd aM_32$9B015u -dn "CN=`hostname`" -keysize 2048 -self_signed -validity 3650 -sign_alg sha512
3. Display the self-signed certificate

$ orapki wallet display -wallet $WALLET -pwd aM_32$9B015u

Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
User Certificates:
Subject: CN=host-173-16-214-124
Trusted Certificates:
Subject: CN=host-173-16-214-124
Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: OU=Secure Server Certification Authority,O=RSA Data Security\, Inc.,C=US
Subject: CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
4. Export the self-signed certificate (optional)

The certificate is exported so that the client can use it: the exported file is imported into the client's wallet.

$ orapki wallet export -wallet $WALLET -pwd aM_32$9B015u -dn "CN=`hostname`" -cert /tmp/`hostname`-certificate.pem

$ ll /tmp/host-173-16-214-124-certificate.pem
-rw------- 1 oracle oinstall 990 Jul 9 17:15 /tmp/host-173-16-214-124-certificate.pem

--- view the certificate
$ cat /tmp/`hostname`-certificate.pem
-----BEGIN CERTIFICATE-----

II. Client-side certificate configuration

The client-side certificate configuration follows exactly the same steps as the server side.
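Before a certificate exported in step 4 is imported into the other side's wallet as a trusted certificate (section III), it is worth confirming that the file really is the expected self-signed certificate: the right subject, the 2048-bit key and SHA-512 signature chosen in step 2, not expired, and a fingerprint that can be compared over a separate channel before the file is trusted. The following script is an added example, not part of the original post: it uses the openssl command-line tool (assumed to be installed) rather than orapki, and generates a constructed self-signed certificate in a temporary directory to stand in for the exported file. Pointing inspect_certificate at a real exported PEM file works the same way.

```python
"""Inspect an exported PEM certificate before it is imported into the peer wallet.
Added example: it shells out to the openssl CLI (assumed on PATH) instead of orapki,
and builds a constructed self-signed certificate to stand in for the orapki export."""
import base64
import hashlib
import re
import subprocess
import tempfile
from pathlib import Path


def make_test_certificate(directory, cn, bits=2048, days=3650, digest="sha512"):
    """Constructed stand-in for the certificate that orapki exported on the page."""
    cert, key = Path(directory) / f"{cn}-certificate.pem", Path(directory) / f"{cn}-key.pem"
    subprocess.run(["openssl", "req", "-x509", "-newkey", f"rsa:{bits}", "-nodes",
                    "-keyout", str(key), "-out", str(cert), "-subj", f"/CN={cn}",
                    "-days", str(days), f"-{digest}"], check=True, capture_output=True)
    return cert


def _x509(pem_path, *args):
    """Run `openssl x509 -in <file> -noout <args>` and return its stdout."""
    return subprocess.run(["openssl", "x509", "-in", str(pem_path), "-noout", *args],
                          check=True, capture_output=True, text=True).stdout


def inspect_certificate(pem_path):
    """Subject, key size, signature algorithm, expiry and SHA-256 fingerprint of a PEM cert."""
    text = _x509(pem_path, "-text")
    subject = _x509(pem_path, "-subject", "-nameopt", "RFC2253").split("=", 1)[1].strip()
    # The fingerprint is computed here from the DER bytes, independently of openssl's output.
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                     Path(pem_path).read_text(), re.S).group(1)
    der = base64.b64decode("".join(body.split()))
    # `-checkend 0` exits non-zero once the certificate has expired.
    still_valid = subprocess.run(["openssl", "x509", "-in", str(pem_path), "-noout",
                                  "-checkend", "0"], capture_output=True).returncode == 0
    return {
        "subject": subject,
        "key_bits": int(re.search(r"Public-Key: \((\d+) bit\)", text).group(1)),
        "signature_algorithm": re.search(r"Signature Algorithm: (\S+)", text).group(1),
        "not_expired": still_valid,
        "sha256_fingerprint": hashlib.sha256(der).hexdigest(),
    }


def audit_certificate(info, expected_cn, min_key_bits=2048):
    """Reasons not to trust this file as the peer's identity; an empty list means it passed."""
    findings = []
    if info["subject"] != f"CN={expected_cn}":
        findings.append(f"subject {info['subject']} is not CN={expected_cn}")
    if info["key_bits"] < min_key_bits:
        findings.append(f"RSA key is only {info['key_bits']} bits")
    if not info["signature_algorithm"].lower().startswith(("sha256", "sha384", "sha512")):
        findings.append(f"signature algorithm {info['signature_algorithm']} is not SHA-2")
    if not info["not_expired"]:
        findings.append("certificate has expired")
    return findings


def demo(cn="host-173-16-214-124"):
    """Create the constructed certificate, inspect it and audit it; returns (info, findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        info = inspect_certificate(make_test_certificate(tmp, cn))
    return info, audit_certificate(info, cn)


if __name__ == "__main__":
    info, findings = demo()
    print(info["subject"], info["key_bits"], info["signature_algorithm"])
    print("sha256:", info["sha256_fingerprint"])
    print("findings:", findings or "none")
```

The fingerprint is the value to read out to the operator of the other side (by phone, ticket or any channel other than the one the file travelled on); the wallet only records that the certificate is trusted, so a file swapped in transit would be trusted just as readily as the genuine one.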

III. Exchanging certificates

Both sides need to trust each other, so each side imports the certificate exported by the other into its own wallet.

1. Import the server certificate on the client

Import the server certificate into the client wallet:
c:\>orapki wallet add -wallet "d:\app\oracle\admin\orcl\wallet" -pwd sdf_s87M$2iK -trusted_cert -cert d:\host-173-16-214-124-certificate.pem

Check that the client wallet now contains the newly imported server certificate:
c:\>orapki wallet display -wallet "d:\app\oracle\admin\orcl\wallet"
2. Import the client certificate on the server

Import the client certificate into the server wallet:
$ orapki wallet add -wallet $WALLET -pwd aM_32$9B015u -trusted_cert -cert /tmp/PC-certificate.pem

Check that the server wallet imported the client certificate successfully:
$ orapki wallet display -wallet $WALLET

IV. Connection configuration

1. Server-side connection configuration

(1) sqlnet.ora configuration

vi $ORACLE_HOME/network/admin/sqlnet.ora

WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /oracle/app/oracle/admin/dggdszyyj/wallet)
)
)

SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)

(2) Listener configuration

vi $ORACLE_HOME/network/admin/listener.ora

SSL_CLIENT_AUTHENTICATION = FALSE

WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /oracle/app/oracle/admin/dggdszyyj/wallet)
)
)

LISTENER =
(ADDRESS_LIST=
(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.1.119)(PORT=1521))
(ADDRESS=(PROTOCOL=tcps)(HOST=192.168.1.119)(PORT=2025))
)


ADR_BASE_LISTENER = /u01/app/oracle

(3) Restart the listener

$ lsnrctl stop
$ lsnrctl start
2. Client-side connection configuration

(1) sqlnet.ora configuration

vi $ORACLE_HOME/network/admin/sqlnet.ora

WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = d:\app\oracle\admin\orcl\wallet)
)
)

SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)

(2) tnsnames.ora configuration

DGGDSZYYJ =
(DESCRIPTION=
(ADDRESS=
(PROTOCOL=TCPS) (HOST=192.168.1.119) (PORT=2025)
)
(CONNECT_DATA=
(SERVER=dedicated)
(SID=dggdszyyj)
 )
)
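The Net configuration on both sides is a handful of nested (KEY = VALUE) groups, which makes it easy to audit mechanically rather than by eye. The script below is an added example, not from the original post and not Oracle tooling: its small parser handles the general parenthesised syntax shared by sqlnet.ora, listener.ora and tnsnames.ora, and the checks run over the three files shown on this page (copied into the script as constants). Against the server sqlnet.ora it reports two points a reviewer would raise, the SSL_RSA_WITH_3DES_EDE_CBC_SHA suite (3DES is a legacy 64-bit-block cipher) and the absence of SSL_VERSION, which leaves the accepted protocol versions to the default; it also confirms that the listener and the client alias agree on TCPS at 192.168.1.119:2025.

```python
"""Parse Oracle Net parameter files and audit their TLS settings. Added example:
the parser and the audit rules are the editor's own, not Oracle tooling; the sample
files are the server sqlnet.ora, listener.ora and client tnsnames.ora from this page."""
import re

SERVER_SQLNET_ORA = """# server sqlnet.ora from the page
WALLET_LOCATION = (SOURCE = (METHOD = FILE)
  (METHOD_DATA = (DIRECTORY = /oracle/app/oracle/admin/dggdszyyj/wallet)))
SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
"""
SERVER_LISTENER_ORA = """# server listener.ora from the page (wallet block omitted)
LISTENER = (ADDRESS_LIST=
  (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.1.119)(PORT=1521))
  (ADDRESS=(PROTOCOL=tcps)(HOST=192.168.1.119)(PORT=2025)))
ADR_BASE_LISTENER = /u01/app/oracle
"""
CLIENT_TNSNAMES_ORA = """# client tnsnames.ora from the page
DGGDSZYYJ = (DESCRIPTION=
  (ADDRESS= (PROTOCOL=TCPS) (HOST=192.168.1.119) (PORT=2025))
  (CONNECT_DATA= (SERVER=dedicated) (SID=dggdszyyj)))
"""
TOKEN = re.compile(r"\(|\)|=|,|[^\s()=,]+")
WEAK_SUITE_MARKERS = ("3DES", "RC4", "NULL", "MD5", "EXPORT")  # legacy or broken primitives


def parse_ora(text):
    """{NAME: value}; a value is a str atom, a list of str (comma list) or a list of (name, value) pairs."""
    toks = TOKEN.findall("\n".join(ln for ln in text.splitlines() if not ln.lstrip().startswith("#")))
    pos = 0

    def take(expected=None):
        nonlocal pos
        tok = toks[pos]
        assert expected is None or tok == expected, f"expected {expected!r}, got {tok!r}"
        pos += 1
        return tok

    def peek(k=0):
        return toks[pos + k] if pos + k < len(toks) else None

    def value():
        if peek() != "(":
            return take()                                   # bare atom: FALSE, a path, a number
        groups = []
        while peek() == "(":
            take("(")
            if peek(1) == "=":                              # (NAME = ...) group
                name = take().upper()
                take("=")
                groups.append((name, value()))
                take(")")
            else:                                           # (a, b, c): iter() stops at and consumes ")"
                groups.append([t for t in iter(take, ")") if t != ","])
        return groups[0] if len(groups) == 1 and isinstance(groups[0], list) else groups

    params = {}
    while peek() is not None:
        name = take().upper()
        take("=")
        params[name] = value()
    return params


def _pairs(node):
    """(name, value) pairs directly under a parsed dict or a nested-group list."""
    if isinstance(node, dict):
        return list(node.items())
    return [x for x in node if isinstance(x, tuple)] if isinstance(node, list) else []


def find(node, *path):
    """Walk nested groups, e.g. find(p, "WALLET_LOCATION", "SOURCE", "METHOD_DATA", "DIRECTORY")."""
    for key in path:
        node = next((v for k, v in _pairs(node) if k == key), None)
        if node is None:
            return None
    return node


def tls_endpoints(node):
    """Every (HOST, PORT) declared with PROTOCOL=TCPS anywhere under node."""
    found = []
    for name, val in _pairs(node):
        if name == "ADDRESS" and str(find(val, "PROTOCOL")).upper() == "TCPS":
            found.append((find(val, "HOST"), find(val, "PORT")))
        found.extend(tls_endpoints(val))
    return found


def audit_sqlnet(params):
    """Findings a reviewer would raise on the TLS settings of a parsed sqlnet.ora."""
    findings = []
    if not find(params, "WALLET_LOCATION", "SOURCE", "METHOD_DATA", "DIRECTORY"):
        findings.append("WALLET_LOCATION has no DIRECTORY, so TCPS has no certificate to load")
    suites = find(params, "SSL_CIPHER_SUITES") or []
    for suite in [suites] if isinstance(suites, str) else suites:
        if any(m in suite.upper() for m in WEAK_SUITE_MARKERS):
            findings.append(f"weak cipher suite enabled: {suite}")
    if find(params, "SSL_VERSION") is None:
        findings.append("SSL_VERSION is not set, so the accepted protocol versions are left to the default")
    return findings
```

Run audit_sqlnet(parse_ora(open(path).read())) on a real sqlnet.ora, and tls_endpoints on the parsed listener.ora and tnsnames.ora, to check that the host and port the client dials are exactly the ones the listener exposes over TCPS; a client alias that still points at the plain TCP port 1521 would connect without any of the wallet work above taking effect.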

  • Title: Configuring SSL connections for Oracle 11g
  • Author: 𝓓𝓸𝓷
  • Created at: 2025-07-09 17:47:49
  • Updated at: 2025-07-09 18:43:56
  • Link: https://www.zhangdong.me/oracle-ssl.html
  • License: This work is licensed under CC BY-NC-SA 4.0.