Oracle 11.2.0.4 pre PSU Oct18 設置SSL連接
- 1 說明
- 2 客戶端配置jdk環境
- 3服務器檢查oracle數據庫補丁
- 4設置ssl
- a 服務器配置wallet
- b 上傳測試腳本和配置文件到客戶端
- c 服務器修改數據庫偵聽和sqlnet.ora
- d 修改客戶端的sqlnet.ora和tnsnames.ora的連接符
- e 修改java代碼的數據連接信息
- 5 sqlplus連接測試
- 6 jdbc測試連接
1 說明
本文介紹JDBC使用MD5進行SSL加密連接oracle數據庫
根據文檔《MD5 Certificates Deprecated (Doc ID 2454519.1)》,
打了如下數據庫相應補丁后, MD5就失效了。
DB 12.2.0.1, DB 12.1.0.2 + July 2018 PSU or later ,
DB 11.2.0.4 + Oct 2018 PSU or later,
DB 12.1.0.2 + MES415patch,
DB 11.2.0.4 + MES415patch will be impacted by this change.
在此之前還可以使用MD5. 打了上述補丁后,要使用JDBC_TLS 1.2連接。
根據文檔 Minimal Configuration for encryption-only SSL using JDBC/thin (Doc ID 1124286.1)
的說明(原文使用的連接是19c,但是19c的文檔已經改變, 12c的還有, 鏈接
https://docs.oracle.com/en/database/oracle/oracle-database/12.2/jjdbc/client-side-security.html#GUID-A0F5D4B2-C3DE-4DE6-A759-A3BF48450031
客戶端可以不配置wallet.
2 客戶端配置jdk環境
需要 jdk 1.6
文件: jdk-6u211-linux-x64.bin
以root在/usr/local/下執行,解壓到/usr/local/jdk1.6.0_211
建立soft link, ln /usr/local/jdk1.6.0_211 jdk.
在oracle用戶的PATH 前加入它/usr/local/jdk/bin.
export PATH=/usr/local/jdk/bin:$PATH
3服務器檢查oracle數據庫補丁
$ORACLE_HOME/OPatch/opatch lspatches.
對于升級了Oct 2018 PSU的11g,參考
- How To Configure Oracle JDBC Thin Driver To Connect To Database Using
TLS v1.2 (Doc ID 2436911.1), - https://blogs.oracle.com/developers/post/ssl-connection-to-oracle-db-using-jdbc-tlsv12-jks-or-oracle-wallets-122-and-lower
4設置ssl
a 服務器配置wallet
以oracle用戶登錄數據庫服務器
解壓此壓縮包jdbc_ssl_11g_nopatch_client_server_demo_2025-05-16-1245.tar.gz
到/home/oracle/scripts.
然后解壓服務器端的包jdbc_ssl_11g_nopatch_server.tar.gz
解壓出ssl_md5_only_server_wallet.sh
執行
cd server
./ssl_md5_only_server_wallet.sh
將建立/home/oracle/wallets文件,執行過程中顯示使用的md5加密算法。
腳本:
nome@manjaro:~/workdir/dev/jdbc_ssl/tmp/server$ cat ssl_md5_only_server_wallet.sh
#!/usr/bin/bash
# 此腳本生成server的wallet. 客戶端不需要wallet. ref: https://docs.oracle.com/en/database/oracle/oracle-database/12.2/jjdbc/client-side-security.html#GUID-6AC4159F-9A89-4DE7-B2F8-6E8AC67109CD
#數據庫服務器的sqlnet.ora 需要設置SSL_CLIENT_AUTHENTICATION = FALSEif [ -d /home/oracle/wallets ]; thenmv /home/oracle/wallets /home/oracle/wallets-`date +%y%m%d-%H%M%S`
fi
mkdir -p /home/oracle/wallets
cd /home/oracle/wallets #進入當前目錄orapki wallet create -wallet ./server_wallet -auto_login -pwd Welcome1_
orapki wallet add -wallet ./server_wallet -dn "CN=server" -keysize 1024 -self_signed -validity 365 -pwd Welcome1_
orapki wallet display -wallet ./server_wallet
orapki wallet export -wallet ./server_wallet -dn "CN=server" -cert ./server_wallet/cert.txt
# check the alg
openssl x509 -noout -text -in ./server_wallet/cert.txtnome@manjaro:~/workdir/dev/jdbc_ssl/tmp/server$b 上傳測試腳本和配置文件到客戶端
登錄到客戶端,解壓到/home/oracle
cd /home/oracle
tar zxvf jdbc_ssl_11g_client_config_demo.tar.gz
將解壓到jdbc_ssl目錄下。
備份$ORACLE_HOME/network/admin/下缺省的 sqlnet.ora, tnsnames.ora
cd jdbc_ssl
cp *.ora O R A C L E H O M E / n e t w o r k / a d m i n 把 s q l n e t 目錄下的文件復制到 ORACLE_HOME/network/admin 把sqlnet目錄下的文件復制到 ORACLEH?OME/network/admin把sqlnet目錄下的文件復制到ORACLE_HOME/network/admin
c 服務器修改數據庫偵聽和sqlnet.ora
[oracle@ora11g scripts]$ cd $ORACLE_HOME/network/admin
[oracle@ora11g admin]$ ls
listener.ora samples shrept.lst sqlnet.ora tnsnames.ora
[oracle@ora11g admin]$ cat listener.ora
# listener.ora Network Configuration File: /oracle/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
# Generated by Oracle configuration tools.LISTENER =(DESCRIPTION_LIST =(DESCRIPTION =(ADDRESS = (PROTOCOL = TCP)(HOST = ora11g)(PORT = 1521))(ADDRESS = (PROTOCOL = TCPS)(HOST = ora11g)(PORT = 2484))(ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))))ADR_BASE_LISTENER = /oracle/app/oracleSSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =(SOURCE =(METHOD = FILE)(METHOD_DATA =(DIRECTORY = /home/oracle/wallets/server_wallet)))
SSL_CIPHER_SUITES= (SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_RC4_128_MD5,SSL_DH_anon_WITH_DES_CBC_SHA)[oracle@ora11g admin]$ cat sqlnet.ora
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =(SOURCE =(METHOD = FILE)(METHOD_DATA =(DIRECTORY = /home/oracle/wallets/client_wallet)
# (DIRECTORY = /home/oracle/wallets/server_wallet)))SQLNET.AUTHENTICATION_SERVICES= (BEQ,TCPS, NTS)SSL_CIPHER_SUITES= (SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_RC4_128_MD5,SSL_DH_anon_WITH_DES_CBC_SHA)
[oracle@ora11g admin]$
主要加入WALLET設置和TCPS的連接地址和端口。
d 修改客戶端的sqlnet.ora和tnsnames.ora的連接符
[oracle@source ~]$ cd $ORACLE_HOME/network/admin
[oracle@source admin]$ cat sqlnet.ora
# sqlnet.ora Network Configuration File: /u01/app/oracle/product/11.2.0/dbhome_1/network/admin/sqlnet.ora
# Generated by Oracle configuration tools.NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)ADR_BASE = /u01/app/oracleSSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =(SOURCE =(METHOD = FILE)(METHOD_DATA =(DIRECTORY = /home/oracle/wallets/client_wallet)
# (DIRECTORY = /home/oracle/wallets/server_wallet)))SQLNET.AUTHENTICATION_SERVICES= (BEQ,TCPS, NTS)SSL_CIPHER_SUITES= (SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_RC4_128_MD5,SSL_DH_anon_WITH_DES_CBC_SHA)
[oracle@source admin]$ cat tnsnames.ora
orcl = (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.56.91)(PORT = 1521))) (CONNECT_DATA = (SERVICE_NAME = orcl)))
orcldg = (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.56.92)(PORT = 1521))) (CONNECT_DATA = (SERVICE_NAME = orcldg)))
dup = (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.56.92)(PORT = 1525))) (CONNECT_DATA = (SERVICE_NAME = orcldg)))testssl =(DESCRIPTION =(ADDRESS = (PROTOCOL = TCPS)(HOST = 192.168.56.110)(PORT = 2484))(CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = dvlp)))[oracle@source admin]$
e 修改java代碼的數據連接信息
[oracle@source admin]$ cd
[oracle@source ~]$ cd jdbc_ssl/
[oracle@source jdbc_ssl]$ ls
ojdbc6.jar run.sh SSLTest.class SSLTest.java SSLTest.java.def tmp
[oracle@source jdbc_ssl]$ cat SSLTest.java
import java.sql.*;
import java.util.Properties;
import oracle.jdbc.pool.OracleDataSource;public class SSLTest {
public static void main(String[] args) throws SQLException {
Connection conn = getConnection();
conn.close();
}public static Connection getConnection() throws SQLException {
OracleDataSource ods = new OracleDataSource();
ods.setURL("jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=192.168.56.110)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=dvlp)))");
Properties props = new Properties();
props.setProperty("user", "system");
props.setProperty("password", "oracle");
//props.setProperty("oracle.net.ssl_cipher_suites","(SSL_RSA_WITH_AES_512_CBC_SHA)");
props.setProperty("oracle.net.ssl_cipher_suites","(SSL_DH_anon_WITH_RC4_128_MD5)");
//props.setProperty("oracle.net.ssl_cipher_suites","(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_RC4_128_MD5,SSL_RSA_WITH_AES_128_CBC_SHA)");
//SSL_CIPHER_SUITES= (SSL_RSA_WITH_AES_128_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA)ods.setConnectionProperties(props);Connection conn = ods.getConnection();
DatabaseMetaData dbmd = conn.getMetaData();
System.out.println(dbmd.getDatabaseProductVersion());
System.out.println("JDBC driver: " + dbmd.getDriverVersion());
System.out.println("JDBC URL: " + dbmd.getURL());
conn.setAutoCommit(false);
return conn;
}
}
5 sqlplus連接測試
[oracle@source admin]$ sqlplus system/oracle@testssl
SQL*Plus: Release 11.2.0.4.0 Production on Tue May 13 15:02:51 2025
Copyright ? 1982, 2013, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SYSTEM@testssl>exit
Disconnected from Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
[oracle@source admin]$
6 jdbc測試連接
[oracle@source jdbc_ssl]$ cat run.sh
#cp 1SSLTest.java SSLTest.java
javac -cp ojdbc6.jar SSLTest.java
java -cp .:ojdbc6.jar SSLTest
[oracle@source jdbc_ssl]$ ./run.sh
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
JDBC driver: 11.2.0.1.0
JDBC URL: jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=192.168.56.110)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=dvlp)))
[oracle@source jdbc_ssl]$
產品體驗報告)
![[Java][Leetcode simple] 13. 羅馬數字轉整數](http://pic.xiahunao.cn/[Java][Leetcode simple] 13. 羅馬數字轉整數)
:排座椅)
——海康威視相機測試)
)