Oracle Wallet in practice and common operations
admin
2023-01-25 20:23:27

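Purpose of the wallet

Starting with Oracle 10g R2, Oracle Wallet lets any user log in to the database without supplying a password (this is not operating-system authentication). This is very useful for shell scripts that would otherwise need a user's password to log in to the database, because the password is not exposed. For example, store the authentication information in a wallet on the Oracle client with the mkstore command, and then connect to the database directly with "sqlplus /@connect_string".

This example lets the sysrls user log in without a password. mkstore usage is as follows: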

$ $ORACLE_HOME/bin/mkstore

mkstore [-wrl wrl] [-create] [-createSSO] [-delete] [-deleteSSO] [-list] [-createEntry alias secret] [-viewEntry alias] [-modifyEntry alias secret] [-deleteEntry alias] [-help]

1) Install the Oracle Client

2) Create the wallet directory and edit .bash_profile
mkdir /home/sysrls/wallet
vi .bash_profile
ORACLE_BASE=/opt/oraapp
ORACLE_HOME=/opt/oraapp/client/12.1.0.2_x64_DBAocl030
TNS_ADMIN=$ORACLE_HOME/network/admin/
PATH=$ORACLE_HOME/bin:$PATH
LD_LIBRARY_PATH=${ORACLE_HOME}/lib:${LD_LIBRARY_PATH}
LANG="en_US.UTF-8"
NLS_LANG="AMERICAN_AMERICA.AL32UTF8"
ORA_NLS10=$ORACLE_HOME/nls/data
export ORACLE_BASE LANG ORACLE_HOME PATH LD_LIBRARY_PATH NLS_LANG ORA_NLS10 TNS_ADMIN

3) Create the wallet
$ $ORACLE_HOME/bin/mkstore -wrl /home/sysrls/wallet -create

Enter password:<enter the wallet password>

Enter password again:<confirm the wallet password>

[sysrls@cnl20059850 wallet]$ ll
total 8
-rw-------. 1 sysrls sysrls 581 Jul 18 11:01 cwallet.sso
-rw-rw-rw-. 1 sysrls sysrls 0 Jul 18 10:52 cwallet.sso.lck
-rw-------. 1 sysrls sysrls 536 Jul 18 11:01 ewallet.p12
-rw-rw-rw-. 1 sysrls sysrls 0 Jul 18 10:52 ewallet.p12.lck

4) Edit the network configuration
vi $ORACLE_HOME/network/admin/tnsnames.ora

CRCDB =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST = 133.9.207.35)(PORT = 2001))
)
(CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = CRCDB)
)
)

$ vi $ORACLE_HOME/network/admin/sqlnet.ora

WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/home/sysrls/wallet)))

SQLNET.WALLET_OVERRIDE=TRUE

5) Create a credential for a specific database user
$ORACLE_HOME/bin/mkstore -wrl /home/sysrls/wallet -createCredential CRCDB wallet test123

6) Confirm that the credential has been added to the wallet

$ $ORACLE_HOME/bin/mkstore -wrl /home/sysrls/wallet -listCredential
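
The following check is an added example, not part of the original post. It audits the setup from steps 3 and 4: cwallet.sso is what allows login without a password, so it and ewallet.p12 must stay readable by their owner only (as in the listing above), and sqlnet.ora must point at the wallet directory with SQLNET.WALLET_OVERRIDE=TRUE. The function names audit_wallet and make_sample and the temporary sample directory are assumptions made for this example.

```shell
#!/bin/bash
# Added example (not from the original post): audit the wallet set up above.
# audit_wallet WALLET_DIR SQLNET_ORA prints findings and returns their count.
audit_wallet() {
    w_dir=${1%/}; w_cfg_file=$2; w_bad=0
    for w_f in cwallet.sso ewallet.p12; do
        if [ ! -f "$w_dir/$w_f" ]; then
            echo "MISSING  $w_dir/$w_f"; w_bad=$((w_bad + 1)); continue
        fi
        # Characters 5-10 of the ls mode string are the group/other bits.
        if [ "$(ls -ld "$w_dir/$w_f" | cut -c5-10)" != "------" ]; then
            echo "EXPOSED  $w_dir/$w_f is accessible to group or other"
            w_bad=$((w_bad + 1))
        fi
    done
    # A directory writable by group/other lets someone swap the wallet files.
    if [ "$(ls -ld "$w_dir" | cut -c6,9)" != "--" ]; then
        echo "WRITABLE $w_dir is writable by group or other"; w_bad=$((w_bad + 1))
    fi
    # Drop comment lines and all whitespace so multi-line entries still match.
    w_cfg=$(grep -v '^[[:space:]]*#' "$w_cfg_file" 2>/dev/null | tr -d '[:space:]')
    printf '%s' "$w_cfg" | grep -qiF "(DIRECTORY=$w_dir)" || {
        echo "CONFIG   WALLET_LOCATION does not point at $w_dir"; w_bad=$((w_bad + 1)); }
    printf '%s' "$w_cfg" | grep -qiF "SQLNET.WALLET_OVERRIDE=TRUE" || {
        echo "CONFIG   SQLNET.WALLET_OVERRIDE=TRUE is not set"; w_bad=$((w_bad + 1)); }
    return "$w_bad"
}

# Constructed sample: empty stand-in files with the modes from the listing above.
make_sample() {
    s_root=$(mktemp -d) && mkdir -m 700 "$s_root/wallet" || return 1
    for s_f in cwallet.sso ewallet.p12; do
        : > "$s_root/wallet/$s_f"; chmod 600 "$s_root/wallet/$s_f"
    done
    printf '%s\n' "WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=$s_root/wallet)))" \
        "SQLNET.WALLET_OVERRIDE=TRUE" > "$s_root/sqlnet.ora"
    echo "$s_root"
}

demo_root=$(make_sample)
chmod 644 "$demo_root/wallet/cwallet.sso"    # simulate an over-permissive copy
audit_wallet "$demo_root/wallet" "$demo_root/sqlnet.ora" || echo "findings: $?"
rm -rf "$demo_root"
```

On the real host the call would be audit_wallet /home/sysrls/wallet "$TNS_ADMIN/sqlnet.ora"; a return value of 0 means no findings.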

7) How to create a wallet that can only be used on the local machine
Oracle Wallet is a container that stores authentication and signing credentials.

Trusted certificates are stored in the Oracle Wallet when the wallet is used for security credentials.

PeopleSoft enables you to create an Oracle Wallet in two ways:

ORAPKI command line - The ORAPKI tool is available with Oracle database, so this tool can be used only by those users who have a license for Oracle database.

OpenSSL utility - Users who do not have a license for Oracle database can use this utility to create their own certificates.

After creating an Oracle Wallet, you must configure SSL for the Workstation Listener and Jolt Listener ports to ensure secure client and server communications.

8) Maintenance
Create a wallet credential
mkstore -wrl /home/sysrls/wallet/ -createCredential CRCDB wallet Frank
Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
Create credential oracle.security.client.connect_string1

View the credentials in the wallet
[sysrls@cnl20059850 wallet]$ mkstore -wrl /home/sysrls/wallet -listCredential
Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
List credential (index: connect_string username)
1: CRCDB wallet
[sysrls@cnl20059850 wallet]$

Modify a credential in the wallet
[sysrls@cnl20059850 wallet]$ mkstore -wrl /home/sysrls/wallet/ -modifyCredential CRCDB wallet test2
Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
Modify credential
Modify 1

Delete a credential from the wallet
mkstore -wrl /home/sysrls/wallet -deleteCredential CRCDB

List the entries in the wallet
[sysrls@cnl20059850 wallet]$ mkstore -wrl /home/sysrls/wallet/ -list
Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
Oracle Secret Store entries:
oracle.security.client.connect_string1
oracle.security.client.password1
oracle.security.client.username1

View the value of a wallet entry
[sysrls@cnl20059850 wallet]$ mkstore -wrl /home/sysrls/wallet/ -viewEntry oracle.security.client.connect_string1
Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
oracle.security.client.connect_string1 = CRCDB
[sysrls@cnl20059850 wallet]$ mkstore -wrl /home/sysrls/wallet/ -viewEntry oracle.security.client.username1
Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
oracle.security.client.username1 = wallet

[sysrls@cnl20059850 wallet]$ mkstore -wrl /home/sysrls/wallet/ -viewEntry oracle.security.client.password1
Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
oracle.security.client.password1 = test2

Change the password of the wallet file
orapki wallet change_pwd -wallet /home/sysrls/wallet/

A small menu-driven maintenance script is attached:

#!/bin/bash
# Menu-driven maintenance of the client wallet with mkstore and orapki.

MKSTORE=/opt/oraapp/client/12.1.0.2_x64_DBAocl030/bin/mkstore
ORAPKI=/opt/oraapp/client/12.1.0.2_x64_DBAocl030/bin/orapki
WALLET=/home/sysrls/wallet/

echo -e "Useful action\n"
echo -e "1)create wallet"
echo -e "2)create Credential"
echo -e "3)check the created Credential"
echo -e "4)modify the created Credential"
echo -e "5)delete the created Credential"
echo -e "6)list Credential item"
echo -e "7)list Credential Entry value "
echo -e "8)modify wallet password"
echo -e "9)exit"
read -r -p "choose your action:" num1
case $num1 in

    1)
    echo -e "Please enter wallet password:\n"
    read -rs password
    # Secrets are passed as printf arguments, not as the format string,
    # so "%" or "\" in a password reaches mkstore unchanged.
    printf '%s\n' "$password" "$password" | "$MKSTORE" -wrl "$WALLET" -create \
        && echo -e "wallet create success\n"
    ;;
    2)
    echo -e "Please enter wallet password:"
    read -rs password
    read -r -p "Please enter database tnsname:" tnsname
    read -r -p "Please enter database user:" user
    echo -n "Please enter database user's password:"
    read -rs dbpass
    # Input order: database password twice, then the wallet password.
    printf '%s\n' "$dbpass" "$dbpass" "$password" | "$MKSTORE" -wrl "$WALLET" -createCredential "$tnsname" "$user" \
        && echo -e "Credential create success\n"
    ;;
    3)
    echo -e "Please enter wallet password:\n"
    read -rs password
    printf '%s\n' "$password" | "$MKSTORE" -wrl "$WALLET" -listCredential
    ;;
    4)
    echo -e "Please enter wallet password:"
    read -rs password
    read -r -p "Please enter database tnsname:" tnsname
    read -r -p "Please enter database user:" user
    echo -n "Please enter database user's password:"
    read -rs dbpass
    printf '%s\n' "$dbpass" "$dbpass" "$password" | "$MKSTORE" -wrl "$WALLET" -modifyCredential "$tnsname" "$user" \
        && echo -e "modify Credential success\n"
    ;;
    5)
    echo -e "Please enter wallet password:"
    read -rs password
    read -r -p "Please enter database tnsname:" tnsname
    printf '%s\n' "$password" | "$MKSTORE" -wrl "$WALLET" -deleteCredential "$tnsname" \
        && echo -e "delete Credential success\n"
    ;;
    6)
    echo -e "Please enter wallet password:"
    read -rs password
    printf '%s\n' "$password" | "$MKSTORE" -wrl "$WALLET" -list
    ;;
    7)
    echo -e "Please enter wallet password:"
    read -rs password
    read -r -p "Please enter Entryname type (connect/user/password):" type
    # Map the short type name to the entry name of the first credential.
    case $type in
        connect)  entry=oracle.security.client.connect_string1 ;;
        user)     entry=oracle.security.client.username1 ;;
        password) entry=oracle.security.client.password1 ;;
        *)        echo "unknown type: $type"; exit 1 ;;
    esac
    printf '%s\n' "$password" | "$MKSTORE" -wrl "$WALLET" -viewEntry "$entry"
    ;;
    8)
    "$ORAPKI" wallet change_pwd -wallet "$WALLET"
    ;;
    9)
    exit 0
    ;;
    *)
    echo "invalid choice: $num1"
    exit 1
    ;;

esac
