|
|
昨天在公司配置数据库时,向wallet中增加了一个新的数据库,现实无需输入用户名与密码来登陆数据库,增加完成后,导致整个监控系统都是报用户名与密码的错误,无法登陆来数据库。但是ORACLE用户是能正常登陆数据库,不需要输入密码。其实原因很简单,因为我们的监控系统是nagios,而wallet相关的文件的默认权限是600,除ORACLE外其它的用户都是不可以读写的,正常情况下我们是改成了777的权限,让其它的用户也能使用钱包这个功能,当是我对wallet进行新增加一个数据库时,wallet会自己把cwallet.sso与ewallet.p12文件的权限自己改成600。这就导致了今天我的悲剧。
下面是wallet的配置/管理/维护/现象的模拟
1.创建wallet
- [oracle@test db_1]$ mkdir wallet
- [oracle@test db_1]$ pwd
- /u01/app/oracle/product/11.2.0/db_1
- [oracle@test db_1]$ mkstore -wrl /u01/app/oracle/product/11.2.0/db_1/wallet -create
- Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
- Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
- #这里输入wallet的密码,对密码是有限制条件的
- 1.密码长度要是8位以上。
- 2.密码最大长度没有限制。
- 3.密码要有字符与数据。
- Enter password:
- Enter password again:
2.配置wallet到sqlnet.ora中
- [oracle@test db_1]$ cat $ORACLE_HOME/network/admin/sqlnet.ora
- NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
- #DIRECTORY这里就是指定wallet所在的目录
- WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/product/11.2.0/db_1/wallet)))
- SQLNET.WALLET_OVERRIDE=TRUE
3.查看wallet的命令帮忙
wallet这个很好,因为直接用help就可以看到命令的帮忙了,不需要我们再去记复杂的参数,只用记住mkstore这个命令来管理wallet就可以了。
- [oracle@test db_1]$ mkstore -help
- Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
- Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
- mkstore [-wrl wrl] [-create] [-createSSO] [-createLSSO] [-createALO] [-delete]
- [-deleteSSO] [-list] [-createEntry alias secret] [-viewEntry alias]
- [-modifyEntry alias secret] [-deleteEntry alias]
- [-createCredential connect_string username password] [-listCredential]
- [-modifyCredential connect_string username password] [-deleteCredential connect_string] [-help] [-nologo]
4.增加数据库到wallet中去,并测试是否成功
- 3.1#增加net service为htz scott为用户 oracle为用户的密码。
- #建议密码用''引起来,因为在生产环境中的密码基本上都是特殊字符的。
- [oracle@test db_1]$ mkstore -wrl /u01/app/oracle/product/11.2.0/db_1/wallet -createCredential htz scott 'oracle'
- Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
- Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
- Enter wallet password:
- Create credential oracle.security.client.connect_string1
- 3.2 #查看是否增加成功。
- [oracle@test db_1]$ mkstore -wrl /u01/app/oracle/product/11.2.0/db_1/wallet -listCredential
- Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
- Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
- Enter wallet password:
- List credential (index: connect_string username)
- 1: htz scott
- 3.3 测试是否可以实现无需要输入用户与密码登陆
- [oracle@test db_1]$ sqlplus /@htz
- SQL*Plus: Release 11.2.0.2.0 Production on Sat Sep 8 09:19:15 2012
- Copyright (c) 1982, 2010, Oracle. All rights reserved.
- Connected to:
- Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
- With the Partitioning, OLAP, Data Mining and Real Application Testing options
- #显示的是scott,成功了。
- SQL> show user;
- USER is "SCOTT"
- SQL> exit
- Disconnected from Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
- With the Partitioning, OLAP, Data Mining and Real Application Testing options
5.查看entry
- #这里看到我们增加一个数据进来就会增加3个entries。
- #分别是一个连接符,一个用户名,一个密码。
- #当我们增加了很多数据库与用户进来后,数据库与用户还有密码他们是怎么关联的呢?其实他们就是通过后面的这个数字来关键的。
- [oracle@test db_1]$ mkstore -wrl /u01/app/oracle/product/11.2.0/db_1/wallet -list
- Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
- Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
- Enter wallet password:
- Oracle Secret Store entries:
- oracle.security.client.connect_string1
- oracle.security.client.password1
- oracle.security.client.username1
6.创建默认用户与密码
这样可以实现,登陆所以的数据库都可以使用默认的用户与密码
- 6.1 #创建默认的用户。
- [oracle@test db_1]$ mkstore -wrl /u01/app/oracle/product/11.2.0/db_1/wallet -createEntry oracle.security.client.default_username scott
- Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
- Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
- Enter wallet password:
- 6.2 #创建默认用户的密码。
- [oracle@test db_1]$ mkstore -wrl /u01/app/oracle/product/11.2.0/db_1/wallet -createEntry oracle.security.client.default_password oracle
- Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
- Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
- Enter wallet password:
- 6.3 #查看是否创建成功
- [oracle@test db_1]$ mkstore -wrl /u01/app/oracle/product/11.2.0/db_1/wallet -list
- Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
- Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
- Enter wallet password:
- Oracle Secret Store entries:
- oracle.security.client.connect_string1
- oracle.security.client.default_password
- oracle.security.client.default_username
- oracle.security.client.password1
- oracle.security.client.username1
7.当默认用户与手动增加的数据库信息到wallet中时,那一个生效呢?
下面我们测试一下,当wallet里面创建了默认的用户与密码时,手动再增加一个增加的信息到wallet时,到底是默认用户还是手动增加的生效呢?其实是手动增加的生效。
- 7.1 #由于默认用户增加的SCOTT普通用户,所以这里我们增加sys这个用户来做测试,net service名是htzb
- [oracle@test db_1]$ mkstore -wrl $ORACLE_HOME/wallet -createCredential htzb sys 'oracle'
- Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
- Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
- Enter wallet password:
- Create credential oracle.security.client.connect_string1
- 7.2 #登陆测试。
- 这里没有增加as sysdba就是为了能区别普通用户与sys用户登陆的区别。如果是sys用户生效,就会报没有增加as sysdba登陆,如果是scott这个默认用户生效,就会登陆成功。
- [oracle@test db_1]$ sqlplus /@htzb
- SQL*Plus: Release 11.2.0.2.0 Production on Sat Sep 8 09:33:07 2012
- Copyright (c) 1982, 2010, Oracle. All rights reserved.
- #这里报错,说明手动增加的SYS用户的生效。默认用户没有生效
- ERROR:
- ORA-28009: connection as SYS should be as SYSDBA or SYSOPER
- Enter user-name:
- 7.3 #这里我们再登陆htz,登陆成功。说明我们默认用户在其它的net service是生效的。
- [oracle@test db_1]$ sqlplus /@htz
- SQL*Plus: Release 11.2.0.2.0 Production on Sat Sep 8 09:33:23 2012
- Copyright (c) 1982, 2010, Oracle. All rights reserved.
- Connected to:
- Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
- With the Partitioning, OLAP, Data Mining and Real Application Testing options
- SQL> exit
- Disconnected from Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
- With the Partitioning, OLAP, Data Mining and Real Application Testing options
- 7.4 #以sys as sysdba登陆成功
- [oracle@test db_1]$ sqlplus /@htzb as sysdba
- SQL*Plus: Release 11.2.0.2.0 Production on Sat Sep 8 09:33:30 2012
- Copyright (c) 1982, 2010, Oracle. All rights reserved.
- Connected to:
- Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
- With the Partitioning, OLAP, Data Mining and Real Application Testing options
- SQL> show user
- USER is "SYS"
8.下面测试的是通过mkstore修改wallet中的内容后,导致wallet相关的文件,权限自动改成600.
- 8.1 #把wallet的文件权限改成777
- [oracle@test db_1]$ chmod 777 $ORACLE_HOME/wallet/*
- [oracle@test db_1]$ ls -l $ORACLE_HOME/wallet
- total 16
- -rwxrwxrwx 1 oracle oinstall 4565 Sep 8 09:38 cwallet.sso
- -rwxrwxrwx 1 oracle oinstall 4488 Sep 8 09:38 ewallet.p12
- 8.2 #手动在wallet中增加一个net service的配置信息
- [oracle@test db_1]$ mkstore -wrl $ORACLE_HOME/wallet -deleteCredential htz
- Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
- Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
- Enter wallet password:
- Delete credential
- Delete 2
- 8.3 #再次查看权限时发现权限已经自己改成了600了
- [oracle@test db_1]$ ls -l $ORACLE_HOME/wallet
- total 16
- -rw------- 1 oracle oinstall 4205 Sep 8 09:39 cwallet.sso
- -rw------- 1 oracle oinstall 4128 Sep 8 09:39 ewallet.p12
9. 当用户的密码发生变化的时候需要修改wallet中的密码
- [oracle@test ~]$ mkstore -wrl $ORACLE_HOME/wallet -modifyCredential htz scott 'oracleoracle';
- Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
- Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
- Enter wallet password:
- Modify credential
- Modify 1
10.查看wallet中有那些认证的信息
- [oracle@test ~]$ mkstore -wrl $ORACLE_HOME/wallet -listCredential
- Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
- Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
- Enter wallet password:
- List credential (index: connect_string username)
- 1: htz scott
11 从wallet删除一个net service的配置信息
- [oracle@test ~]$ mkstore -wrl $ORACLE_HOME/wallet -deleteCredential htz
- Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
- Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
- Enter wallet password:
- Delete credential
- Delete 1
12.修改默认的用户名
修改默认的用户名的密码的方法也一样。
- [oracle@test ~]$ mkstore -wrl $ORACLE_HOME/wallet -viewEntry oracle.security.client.default_username
- Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
- Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
- Enter wallet password:
- oracle.security.client.default_username = scott
- [oracle@test ~]$ mkstore -wrl $ORACLE_HOME/wallet -modifyEntry oracle.security.client.default_username
- Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
- Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
- Your secret/Password is missing in the command line
- Enter your secret/Password:
- Re-enter your secret/Password:
- Enter wallet password:
- [oracle@test ~]$ mkstore -wrl $ORACLE_HOME/wallet -viewEntry oracle.security.client.default_username
- Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
- Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
- Enter wallet password:
- oracle.security.client.default_username = oracle
13 删除默认的用户名
- [oracle@test ~]$ mkstore -wrl $ORACLE_HOME/wallet -deleteEntry oracle.security.client.default_username
- Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
- Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
- Enter wallet password:
我们一般的维护就这么多。
|
|
QQ群⑧:
窥视卡
雷达卡
发表于 2018-9-21 13:37:39
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡