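Oracle Wallet in practice and common maintenance operations
What the wallet is for
Starting with Oracle 10g R2, Oracle Wallet lets any user log in to the database without supplying a password (this is not operating-system authentication). This is very useful for shell scripts that would otherwise need a username and password to log in and work on the database, because the password is no longer exposed. For example, set up the wallet credentials on the Oracle client with the mkstore command, and then connect to the database directly with "sqlplus /@connect_string".
This example lets the sysrls user log in without a password. mkstore usage is as follows:
$ORACLE_HOME/bin/mkstore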
mkstore [-wrl wrl] [-create] [-createSSO] [-delete] [-deleteSSO] [-list] [-createEntry alias secret] [-viewEntry alias] [-modifyEntry alias secret] [-deleteEntry alias] [-help]
1) Install the Oracle Client
2) Create the wallet directory and edit .bash_profile
mkdir /home/sysrls/wallet
vi .bash_profile
# Oracle Base Directory
ORACLE_BASE=/opt/oraapp
# Oracle Home Directory - Set this to the correct Oracle Home for the client
ORACLE_HOME=/opt/oraapp/client/12.1.0.2_x64_DBAocl030
# Set TNS_ADMIN to point to correct location
TNS_ADMIN=$ORACLE_HOME/network/a
# Add the ORACLE_HOME bin directory to the PATH variable
PATH=$ORACLE_HOME/bin:$PATH
# Add the ORACLE_HOME lib directories to the LD_LIBRARY_PATH variable
LD_LIBRARY_PATH=${ORACLE_HOME}/lib:${LD_LIBRARY_PATH}
# Set LANG & NLS variables appropriately for your region
LANG="en_US.UTF-8"
# NLS_LANG is of the form Language_country.characterset
NLS_LANG="AMERICAN_AMERICA.AL32UTF8"
ORA_NLS10=$ORACLE_HOME/nls/data
# Export variable to ensure they are set correctly for any sub processes
export ORACLE_BASE LANG ORACLE_HOME PATH LD_LIBRARY_PATH NLS_LANG ORA_NLS10 TNS_ADMIN
3) Generate the wallet
$ORACLE_HOME/bin/mkstore -wrl /home/sysrls/wallet -create
Enter password: <enter the wallet password>
Enter password again: <confirm the wallet password>
[sysrls@cnl20059850 wallet]$ ll
total 8
-rw-------. 1 sysrls sysrls 581 Jul 18 11:01 cwallet.sso
-rw-rw-rw-. 1 sysrls sysrls 0 Jul 18 10:52 cwallet.sso.lck
-rw-------. 1 sysrls sysrls 536 Jul 18 11:01 ewallet.p12
-rw-rw-rw-. 1 sysrls sysrls 0 Jul 18 10:52 ewallet.p12.lck
4) Modify the network configuration
vi $ORACLE_HOME/network/a
CRCDB =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST =133.9.207.35)(PORT =2001))
)
(CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = CRCDB)
)
)
vi $ORACLE_HOME/network/a
WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/home/sysrls/wallet)))
SQLNET.WALLET_OVERRIDE=TRUE
5) Create a credential for a specific database user
$ORACLE_HOME/bin/mkstore -wrl /home/u_test/wallet -createCredential CRCDB wallet test123
6) Confirm that the user's credentials have been added to the wallet
$ $ORACLE_HOME/bin/mkstore -wrl $ORACLE_HOME/network/admin/wallet -listCredential
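A check worth running once steps 2 to 6 are done, as an added example that is not part of the original page: cwallet.sso is the auto-login copy of the wallet, so read access to that file is enough to connect as the stored user. The function names, the finding labels and the sample directory are assumptions made for this sketch; the sample files are constructed, and the configuration file is called sqlnet.ora in the sample.

```shell
#!/bin/sh
# Added example (not from the original page): audit a client wallet directory
# and its sqlnet.ora. Prints one finding per line, nothing when clean.

# Print the six group/other permission characters of a path, e.g. "------".
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# audit_wallet WALLET_DIR SQLNET_ORA   (WALLET_DIR without a trailing slash)
audit_wallet() {
    wallet_dir=$1
    sqlnet_ora=$2
    # Only the owning OS user should be able to enter the directory.
    [ "$(group_other_bits "$wallet_dir")" = "------" ] ||
        echo "DIR_PERMS $wallet_dir is accessible to group/other"
    # cwallet.sso is the auto-login copy: read access to it is enough to
    # connect as the stored user. ewallet.p12 is the password-protected store.
    for f in cwallet.sso ewallet.p12; do
        if [ ! -f "$wallet_dir/$f" ]; then
            echo "MISSING $f"
        elif [ "$(group_other_bits "$wallet_dir/$f")" != "------" ]; then
            echo "FILE_PERMS $f is accessible to group/other"
        fi
    done
    # sqlnet.ora must point at this directory and enable the override.
    grep -qF "DIRECTORY=${wallet_dir})" "$sqlnet_ora" ||
        echo "WALLET_LOCATION does not reference $wallet_dir"
    grep -qi '^[[:space:]]*SQLNET\.WALLET_OVERRIDE[[:space:]]*=[[:space:]]*TRUE' "$sqlnet_ora" ||
        echo "WALLET_OVERRIDE is not TRUE"
}

# Build a constructed sample: cwallet.sso left world-readable, override missing.
make_sample() {
    base=$(mktemp -d)
    mkdir "$base/wallet" && chmod 700 "$base/wallet"
    : > "$base/wallet/cwallet.sso"; chmod 644 "$base/wallet/cwallet.sso"
    : > "$base/wallet/ewallet.p12"; chmod 600 "$base/wallet/ewallet.p12"
    echo "WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=$base/wallet)))" \
        > "$base/sqlnet.ora"
    echo "$base"
}

sample=$(make_sample)
audit_wallet "$sample/wallet" "$sample/sqlnet.ora"
rm -rf "$sample"
```

The empty .lck files that mkstore leaves in the directory are lock files and are deliberately not checked.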
7) Maintenance
Create a credential in the wallet
mkstore -wrl /home/sysrls/wallet/ -createCredential CRCDB wallet Frank
Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
Create credential oracle.t_string1
View the credentials in the wallet
[sysrls@cnl20059850 wallet]$ mkstore -wrl /home/sysrls/wallet -listCredential
Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
List credential (index: connect_string username)
1: CRCDB wallet
Modify a credential in the wallet
[sysrls@cnl20059850 wallet]$ mkstore -wrl /home/sysrls/wallet/ -modifyCredential CRCDB wallet test2
Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
Modify credential
Modify 1
Delete a credential from the wallet
mkstore -wrl /home/sysrls/wallet -deleteCredential CRCDB
List the entries in the wallet
[sysrls@cnl20059850 wallet]$ mkstore -wrl /home/sysrls/wallet/ -list
Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
Oracle Secret Store entries:
oracle.t_string1
oracle.security.client.password1
oracle.security.client.username1
View the value of a wallet entry
[sysrls@cnl20059850 wallet]$ mkstore -wrl /home/sysrls/wallet/ -viewEntry oracle.t_string1
Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
oracle.t_string1 = CRCDB
[sysrls@cnl20059850 wallet]$ mkstore -wrl /home/sysrls/wallet/ -viewEntry oracle.security.client.username1
Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
oracle.security.client.username1 = wallet
[sysrls@cnl20059850 wallet]$ mkstore -wrl /home/sysrls/wallet/ -viewEntry oracle.security.client.password1
Oracle Secret Store Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
oracle.security.client.password1 = test2
Change the wallet file's password
orapki wallet change_pwd -wallet /home/sysrls/wallet/
8) How to make the wallet usable only on this machine
Oracle Wallet is a container that stores authentication and signing credentials.
Trusted certificates are stored in the Oracle Wallet when the wallet is used for security credentials.
PeopleSoft enables you to create an Oracle Wallet in two ways:
ORAPKI command line - The ORAPKI tool is available with Oracle database, so this tool can be used only by those users who have a license for Oracle database.
OpenSSL utility - Users who do not have a license for Oracle database can use this utility to create their own certificates.
After creating an Oracle Wallet, you must configure SSL for the Workstation Listener and Jolt Listener ports to ensure secure client and server communications.
Attached is a small menu-driven maintenance script
#!/bin/bash
# Menu-driven helper for common mkstore/orapki wallet operations.
ORACLE_BIN=/opt/oraapp/client/12.1.0.2_x64_DBAocl030/bin
WALLET_DIR=/home/sysrls/wallet/
echo -e "Useful action\n"
echo -e "1)create wallet"
echo -e "2)create Credential"
echo -e "3)check the created Credential"
echo -e "4)modify the created Credential"
echo -e "5)delete the created Credential"
echo -e "6)list Credential item"
echo -e "7)list Credential Entry value "
echo -e "8)modify wallet password"
echo -e "9)exit"
read -r -p "choose your action:" num1
case $num1 in
1)
    echo -e "Please enter wallet password:\n"
    read -r -s password
    # Passwords are passed as printf arguments, never as the format string,
    # so a '%' or '\' in them reaches mkstore unchanged.
    printf '%s\n%s\n' "$password" "$password" | "$ORACLE_BIN/mkstore" -wrl "$WALLET_DIR" -create
    echo -e "wallet create success\n"
    ;;
2)
    echo -e "Please enter wallet password:"
    read -r -s password
    read -r -p "Please enter database tnsname:" tnsname
    read -r -p "Please enter database user:" user
    echo -n "Please enter database user's password:"
    read -r -s dbpass
    # mkstore asks for the database password twice, then the wallet password.
    printf '%s\n%s\n%s\n' "$dbpass" "$dbpass" "$password" | "$ORACLE_BIN/mkstore" -wrl "$WALLET_DIR" -createCredential "$tnsname" "$user"
    echo -e "Credential create success\n"
    ;;
3)
    echo -e "Please enter wallet password:\n"
    read -r -s password
    printf '%s\n' "$password" | "$ORACLE_BIN/mkstore" -wrl "$WALLET_DIR" -listCredential
    ;;
4)
    echo -e "Please enter wallet password:"
    read -r -s password
    read -r -p "Please enter database tnsname:" tnsname
    read -r -p "Please enter database user:" user
    echo -n "Please enter database user's password:"
    read -r -s dbpass
    printf '%s\n%s\n%s\n' "$dbpass" "$dbpass" "$password" | "$ORACLE_BIN/mkstore" -wrl "$WALLET_DIR" -modifyCredential "$tnsname" "$user"
    echo -e "modify Credential success\n"
    ;;
5)
    echo -e "Please enter wallet password:"
    read -r -s password
    read -r -p "Please enter database tnsname:" tnsname
    printf '%s\n' "$password" | "$ORACLE_BIN/mkstore" -wrl "$WALLET_DIR" -deleteCredential "$tnsname"
    echo -e "delete Credential success\n"
    ;;
6)
    echo -e "Please enter wallet password:"
    read -r -s password
    printf '%s\n' "$password" | "$ORACLE_BIN/mkstore" -wrl "$WALLET_DIR" -list
    ;;
7)
    echo -e "Please enter wallet password:"
    read -r -s password
    read -r -p "Please enter Entryname type:" type
    # Accepted types: connect, user, password (first credential only).
    if [ "$type" == "connect" ];then
        printf '%s\n' "$password" | "$ORACLE_BIN/mkstore" -wrl "$WALLET_DIR" -viewEntry oracle.t_string1
    fi
    if [ "$type" == "user" ];then
        printf '%s\n' "$password" | "$ORACLE_BIN/mkstore" -wrl "$WALLET_DIR" -viewEntry oracle.security.client.username1
    fi
    if [ "$type" == "password" ];then
        # Prints the stored database password in clear text.
        printf '%s\n' "$password" | "$ORACLE_BIN/mkstore" -wrl "$WALLET_DIR" -viewEntry oracle.security.client.password1
    fi
    ;;
8)
    "$ORACLE_BIN/orapki" wallet change_pwd -wallet "$WALLET_DIR"
    ;;
9)
    exit 0
    ;;
esac