Step by Step Guide: How to Configure SSL/TLS on ORACLE RAC (with SCAN) (Doc ID 1448841.1)


In this Document

  Goal
  Solution
  References

Applies to:

Advanced Networking Option - Version 11.2.0.2 to 12.2.0.1 [Release 11.2 to 12.2]
Oracle Net Services - Version 12.2.1.2.0 to 12.2.1.2.0 [Release 12.2]
Information in this document applies to any platform.

Goal

This document demonstrates the steps required to configure SSL/TLS on RAC or SIHA (Single Instance High Availability). Instruction is by example, and the document also shows various methods to check the state of the configuration.

"SSL" in this document refers to either SSL or TLS protocols.

Solution

1) Configure TCPS protocol endpoints.

In Oracle RAC, clients access one of three scan listeners and are
then routed to database listeners. To support SSL all of these listeners
must have TCPS protocol endpoints.
Follow steps 1.1 & 1.2 below to add TCPS endpoints to the database (node) listeners and then the scan listeners.

Before starting, a check of the listener resources shows support for TCP endpoints:

[oracle@net-rac1 ~]$ crsctl stat res -p |grep ENDPOINTS

ENDPOINTS=TCP:1521            <= database listener
ENDPOINTS=TCP:1521            <= listener_scan1
ENDPOINTS=TCP:1521            <= listener_scan2
ENDPOINTS=TCP:1521            <= listener_scan3

1.1) Adding TCPS endpoints to the Database listener(s)

[oracle@net-rac1 ~]$ srvctl modify listener -p "TCP:1521/TCPS:1523"

[oracle@net-rac1 ~]$ srvctl stop listener
[oracle@net-rac1 ~]$ srvctl start listener

Database listener configuration checks:

[oracle@net-rac1 ~]$ srvctl config listener
Name: LISTENER
Network: 1, Owner: oracle
Home: <CRS home>
End points: TCP:1521/TCPS:1523

[oracle@net-rac1 ~]$ lsnrctl status

Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=LISTENER)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=10.141.155.188)(PORT=1523)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.141.155.183)(PORT=1521)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.141.155.188)(PORT=1521)))

[oracle@net-rac1 ~]$ crsctl stat res -p |grep ENDPOINTS

ENDPOINTS=TCP:1521 TCPS:1523  <= database listener
ENDPOINTS=TCP:1521            <= listener_scan1
ENDPOINTS=TCP:1521            <= listener_scan2
ENDPOINTS=TCP:1521            <= listener_scan3

1.2) Adding TCPS endpoints to scan listeners

[oracle@net-rac1 ~]$ srvctl stop scan_listener
[oracle@net-rac1 ~]$ srvctl stop scan

-------------------
[oracle@net-rac1 ~]$ srvctl modify scan_listener -p TCP:1521/TCPS:1523
------------------
- or -
-------------------
[oracle@net-rac1 ~]$ srvctl remove scan_listener -f
[oracle@net-rac1 ~]$ srvctl add scan_listener -l LISTENER -p TCP:1521/TCPS:1523
-------------------

[oracle@net-rac1 ~]$ srvctl start scan
[oracle@net-rac1 ~]$ srvctl start scan_listener

Scan listener configuration checks:

[oracle@net-rac1 ~]$ srvctl config scan_listener
SCAN Listener LISTENER_SCAN1 exists. Port: TCP:1521/TCPS:1523
SCAN Listener LISTENER_SCAN2 exists. Port: TCP:1521/TCPS:1523
SCAN Listener LISTENER_SCAN3 exists. Port: TCP:1521/TCPS:1523

[oracle@net-rac1 ~]$ lsnrctl status listener_scan3

Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=LISTENER_SCAN3)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.141.155.186)(PORT=1521)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=10.141.155.186)(PORT=1523)))

[oracle@net-rac1 ~]$ crsctl stat res -p |grep ENDPOINTS

ENDPOINTS=TCP:1521 TCPS:1523  <= database listener
ENDPOINTS=TCP:1521 TCPS:1523  <= listener_scan1
ENDPOINTS=TCP:1521 TCPS:1523  <= listener_scan2
ENDPOINTS=TCP:1521 TCPS:1523  <= listener_scan3
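The three ENDPOINTS checks above are done by eye. The following Python script is an added example (not part of this note and not Oracle tooling) that parses `crsctl stat res -p` output and reports any listener resource that still lacks a TCPS endpoint, and whether the SCAN listeners agree on the TCPS port. It assumes the NAME=/ENDPOINTS= attribute layout that crsctl prints, one blank-line-separated block per resource; the sample output embedded in it is constructed to match the state after step 1.1 (node listener done, SCAN listeners not yet).

```python
"""Verify that every listener resource in a cluster exposes a TCPS endpoint
by parsing `crsctl stat res -p` output.

Added example for step 1; not part of the original note.  Assumes the
attribute layout crsctl prints: NAME=value lines, one block per resource,
blocks separated by a blank line.  SAMPLE_CRSCTL_OUTPUT is constructed.
"""

# Constructed sample, trimmed to the attributes the check needs.
SAMPLE_CRSCTL_OUTPUT = """\
NAME=ora.LISTENER.lsnr
TYPE=ora.listener.type
ENDPOINTS=TCP:1521 TCPS:1523

NAME=ora.LISTENER_SCAN1.lsnr
TYPE=ora.scan_listener.type
ENDPOINTS=TCP:1521

NAME=ora.LISTENER_SCAN2.lsnr
TYPE=ora.scan_listener.type
ENDPOINTS=TCP:1521

NAME=ora.LISTENER_SCAN3.lsnr
TYPE=ora.scan_listener.type
ENDPOINTS=TCP:1521

NAME=ora.netrac.db
TYPE=ora.database.type
"""


def parse_resources(text):
    """Return {resource name: {attribute: value}} from `crsctl stat res -p` output."""
    resources, current = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                          # blank line ends a resource block
            if "NAME" in current:
                resources[current["NAME"]] = current
            current = {}
            continue
        key, _, value = line.partition("=")   # split on the first '=' only
        current[key] = value
    if "NAME" in current:                     # last block may lack a trailing blank line
        resources[current["NAME"]] = current
    return resources


def parse_endpoints(value):
    """'TCP:1521 TCPS:1523' -> {'TCP': [1521], 'TCPS': [1523]}."""
    ports = {}
    for token in value.split():
        proto, _, port = token.partition(":")
        ports.setdefault(proto.upper(), []).append(int(port))
    return ports


def listener_endpoints(text):
    """{listener name: {protocol: [ports]}} for resources that carry ENDPOINTS."""
    return {
        name: parse_endpoints(attrs["ENDPOINTS"])
        for name, attrs in parse_resources(text).items()
        if "ENDPOINTS" in attrs               # databases, VIPs etc. have no ENDPOINTS
    }


def listeners_missing_tcps(text):
    """Sorted names of listeners with no TCPS port; empty means step 1 is complete."""
    return sorted(name for name, eps in listener_endpoints(text).items()
                  if "TCPS" not in eps)


def scan_tcps_ports_consistent(text):
    """True when every SCAN listener publishes the same TCPS port(s).  Clients
    resolve the one SCAN name to any of the SCAN VIPs, so the port in a
    connect descriptor (step 7.1) has to be valid on all three listeners."""
    scan = {name: eps.get("TCPS", [])
            for name, eps in listener_endpoints(text).items()
            if "SCAN" in name.upper()}
    return len({tuple(sorted(ports)) for ports in scan.values()}) <= 1


if __name__ == "__main__":
    missing = listeners_missing_tcps(SAMPLE_CRSCTL_OUTPUT)
    print("listeners without a TCPS endpoint:", missing or "none")
    print("SCAN listeners agree on TCPS port:", scan_tcps_ports_consistent(SAMPLE_CRSCTL_OUTPUT))
```

To run it against a live cluster, replace SAMPLE_CRSCTL_OUTPUT with the captured output of `crsctl stat res -p`; the script itself needs nothing from the Oracle home.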

2) Update the "local_listener" startup parameter on each node.

PMON sends the endpoint values stored in local_listener to the SCAN listeners so that they can create the appropriate service handlers. Add the TCPS endpoints of the database/node listener that were created in step 1 to the local_listener startup parameter on each node.

The local listener IP address is unique to each node. State the local instance SID value when issuing ALTER SYSTEM, e.g., sid='instance'.

2.1) Select a node and identify the local listener endpoints:

[oracle@net-rac1 admin]$ lsnrctl status |grep PORT

Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=10.141.155.188)(PORT=1523)))  <= new TCPS endpoint
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.141.155.183)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.141.155.188)(PORT=1521)))

The TCPS protocol endpoint is easily identified by the PROTOCOL value.

2.2) Before modifying, review the current local_listener value and make note of it.

[oracle@net-rac1 admin]$ sqlplus "/ as sysdba"

SQL> show parameter local_listener

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
local_listener                       string       (DESCRIPTION=(ADDRESS_LIST=(A
                                                 DDRESS=(PROTOCOL=TCP)(HOST=10.
                                                 141.155.188)(PORT=1521))))

2.3) Add the TCPS endpoint identified in step 2.1 to the local_listener value. Be sure to also set the sid to the local node's instance name. Set the scope to memory so that the change can be verified before updating the spfile.

SQL> alter system set local_listener='(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=10.141.155.188)(PORT=1521))(ADDRESS=(PROTOCOL=TCPS)(HOST=10.141.155.188)(PORT=1523))))' scope=memory sid='NETRAC1';

After modification:

SQL> show parameter local_listener;

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
local_listener                       string       (DESCRIPTION=(ADDRESS_LIST=(A
                                                 DDRESS=(PROTOCOL=TCP)(HOST=10.
                                                 141.155.188)(PORT=1521))(ADDRE
                                                 SS=(PROTOCOL=TCPS)(HOST=10.141
                                                 .155.188)(PORT=1523))))

If the RAC cluster is using COST (Class of Secure Transports) to restrict instance registration, the COST value list of every local/node listener must include TCPS. Without a TCPS rule the scan listeners' TCPS handlers will go into a blocked state. For more information see Doc ID 1537743.1 "Scan Listener TCPS Service Handlers are Blocked after Implementing COST on an SSL Cluster".

2.4) Once the value is updated in memory, PMON notifies the scan listeners (via registration) of the new local_listener value. Using lsnrctl, confirm that the scan listeners have created service handlers for the new TCPS endpoints. If the handlers were created properly, commit the change to the spfile by re-issuing the command with "scope=both" (memory and spfile). If the scan listeners do not show the new TCPS handlers, retrace the steps and correct any errors. The scan listeners are mirrors of each other, so only one scan listener needs to be checked.

Writing final changes to the spfile:

SQL> alter system set local_listener='(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=10.141.155.188)(PORT=1521))(ADDRESS=(PROTOCOL=TCPS)(HOST=10.141.155.188)(PORT=1523))))' scope=both sid='NETRAC1';

2.5) Update the remaining nodes until all nodes are properly registering their TCPS endpoints with the scan listeners.
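Steps 2.1 to 2.4 are repeated on every node with that node's own IP address and SID, which is where copy-and-paste mistakes creep in. The Python below is an added example, not code from this note: it extracts the TCPS endpoint from the `lsnrctl status` lines, adds it to the existing local_listener descriptor without disturbing the TCP address already there, and prints the scope=memory and scope=both statements in the order step 2.4 prescribes. The descriptor parser is written for the parenthesised (KEY=value) syntax shown above and expects the DESCRIPTION/ADDRESS_LIST shape of step 2.2; SAMPLE_LSNRCTL_PORTS and CURRENT_LOCAL_LISTENER are constructed from the values in steps 2.1 and 2.2.

```python
"""Derive the new local_listener value for a node from the TCPS endpoint that
lsnrctl reports, and produce the ALTER SYSTEM statements for the
memory-first, then spfile, sequence of steps 2.3 and 2.4.

Added example, not part of the original note.  Assumes Oracle Net's
parenthesised (KEY=value) descriptor syntax and a DESCRIPTION containing an
ADDRESS_LIST, as shown in step 2.2.  Sample inputs are constructed.
"""

import re

# Constructed `lsnrctl status | grep PORT` output for node net-rac1 (step 2.1).
SAMPLE_LSNRCTL_PORTS = """\
Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=10.141.155.188)(PORT=1523)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.141.155.183)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.141.155.188)(PORT=1521)))
"""

# The value read back with SHOW PARAMETER in step 2.2 (TCP address only).
CURRENT_LOCAL_LISTENER = (
    "(DESCRIPTION=(ADDRESS_LIST="
    "(ADDRESS=(PROTOCOL=TCP)(HOST=10.141.155.188)(PORT=1521))))"
)

ADDRESS_RE = re.compile(
    r"\(ADDRESS=\(PROTOCOL=(\w+)\)\(HOST=([^)]*)\)\(PORT=(\d+)\)\)", re.IGNORECASE)


def tcps_endpoints(lsnrctl_output):
    """[(host, port)] for each TCPS endpoint lsnrctl lists; the empty HOST= of
    the 'Connecting to' line is skipped."""
    return [(host, int(port))
            for proto, host, port in ADDRESS_RE.findall(lsnrctl_output)
            if proto.upper() == "TCPS" and host]


def parse_tns(text):
    """Parse '(KEY=value)(KEY=(...))' into a list of (KEY, value) pairs, where
    value is a string or a nested list.  All whitespace is dropped first, which
    also undoes the column wrapping SHOW PARAMETER applies to long values."""
    text = "".join(text.split())

    def parse_list(i):
        pairs = []
        while i < len(text) and text[i] == "(":
            eq = text.index("=", i)
            key = text[i + 1:eq].upper()
            i = eq + 1
            if i < len(text) and text[i] == "(":
                value, i = parse_list(i)          # nested (KEY=...) group
            else:
                close = text.index(")", i)
                value, i = text[i:close], close   # scalar value
            if i >= len(text) or text[i] != ")":
                raise ValueError("unbalanced parentheses in descriptor")
            i += 1
            pairs.append((key, value))
        return pairs, i

    pairs, end = parse_list(0)
    if end != len(text):
        raise ValueError("trailing text after descriptor: %r" % text[end:])
    return pairs


def render_tns(pairs):
    """Inverse of parse_tns."""
    return "".join("(%s=%s)" % (k, v if isinstance(v, str) else render_tns(v))
                   for k, v in pairs)


def _same_address(addr, protocol, host, port):
    if not isinstance(addr, list):
        return False
    d = dict(addr)
    return (d.get("PROTOCOL", "").upper() == protocol
            and d.get("HOST") == host and d.get("PORT") == str(port))


def add_tcps_address(local_listener, host, port):
    """Return local_listener with (ADDRESS=(PROTOCOL=TCPS)(HOST=host)(PORT=port))
    appended to its ADDRESS_LIST.  Idempotent: re-running it on the updated
    value adds nothing, so it is safe to use on nodes already converted."""
    desc = parse_tns(local_listener)
    description = dict(desc).get("DESCRIPTION")
    if not isinstance(description, list):
        raise ValueError("local_listener must be a (DESCRIPTION=...) descriptor")
    addr_list = dict(description).get("ADDRESS_LIST")
    if not isinstance(addr_list, list):
        raise ValueError("expected an ADDRESS_LIST inside DESCRIPTION")
    if any(k == "ADDRESS" and _same_address(a, "TCPS", host, port) for k, a in addr_list):
        return render_tns(desc)
    # dict() handed back the same nested list object, so appending here
    # modifies the parsed tree that render_tns serialises below.
    addr_list.append(("ADDRESS", [("PROTOCOL", "TCPS"), ("HOST", host), ("PORT", str(port))]))
    return render_tns(desc)


def alter_system_local_listener(value, sid, scope):
    """ALTER SYSTEM text; scope='memory' to trial the change, 'both' to commit it."""
    if scope not in ("memory", "both", "spfile"):
        raise ValueError("scope must be memory, both or spfile")
    if "'" in value or "'" in sid:
        raise ValueError("quote characters are not expected in a descriptor or SID")
    return "alter system set local_listener='%s' scope=%s sid='%s';" % (value, scope, sid)


if __name__ == "__main__":
    (host, port), = tcps_endpoints(SAMPLE_LSNRCTL_PORTS)   # exactly one TCPS endpoint expected
    new_value = add_tcps_address(CURRENT_LOCAL_LISTENER, host, port)
    print(alter_system_local_listener(new_value, "NETRAC1", "memory"))
    print(alter_system_local_listener(new_value, "NETRAC1", "both"))
```

The generated statements are meant to be reviewed and pasted into SQL*Plus, not executed blindly; the point of the parser is that the TCP address that was already there is preserved exactly, which is what keeps non-SSL clients working while the TCPS endpoint is being added.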

3) Create SSL certificates and wallets for the cluster and also for clients that will be connecting to the cluster over SSL.

The choice and usage of a CA (Certificate Authority) for certificate signing is up to the reader. Doc ID 1489301.1 provides the steps to emulate a CA environment using orapki if a CA is not already available in your organization.

To make a successful SSL connection the server and connecting
clients must have unique SSL certificates that are signed by the same
trusted Certificate Authority. Using the method of choice for your
organization create certificate requests for the cluster and then for a
test client that will connect to the database over SSL. Have those
requests signed by the CA and then build wallets using the signed user
certificates and trusted root certificate. (If this is not a familiar
process use DocID 1489301.1).

In this SSL setup example there are two wallets, one for the cluster and one for a test client. The user DNs for those entities and for the CA are as follows:

Certificate Authority
  DN: CN=Networking/netfl-lablinux1,OU=OSS,O=Oracle,ST=Florida,C=US

RAC Cluster
  DN: C=US,CN=netrac
 
Test Client
  DN: CN=test client

The finished rac cluster (server side) wallet:

[oracle@<host>]$ orapki wallet display -wallet /tmp/rcwallet/ewallet.p12 -summary

Requested Certificates:
User Certificates:
Subject:        C=US,CN=netrac
Trusted Certificates:
Subject:        CN=Networking/netfl-lablinux1,OU=OSS,O=Oracle,ST=Florida,C=US

The finished client wallet:

[<user>@<client-host> client_wallet]$ orapki wallet display -wallet . -summary

Requested Certificates:
User Certificates:
Subject:        CN=test client
Trusted Certificates:
Subject:        CN=Networking/netfl-lablinux1,OU=OSS,O=Oracle,ST=Florida,C=US

Note that the cluster and client wallets have
unique identities but share the same trusted certificate. This is the
proper wallet setup for an SSL connection.
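A small added check (not part of this note) for the property just described, written against the `orapki wallet display -summary` text: the two wallets must hold different user certificates and list the same trusted CA subject. The two summaries it reads are constructed from the DNs above. Because the summary shows subject names only, a subject match is a necessary condition, not proof that both wallets hold the same CA certificate; compare certificate fingerprints when you need that assurance.

```python
"""Sanity-check a server/client wallet pair from `orapki wallet display
-summary` output: different user certificates, shared trusted CA subject.

Added example, not part of the original note.  Both summaries below are
constructed from the DNs the note lists.  Only subjects are compared,
because that is all the summary prints.
"""

SERVER_WALLET_SUMMARY = """\
Requested Certificates:
User Certificates:
Subject:        C=US,CN=netrac
Trusted Certificates:
Subject:        CN=Networking/netfl-lablinux1,OU=OSS,O=Oracle,ST=Florida,C=US
"""

CLIENT_WALLET_SUMMARY = """\
Requested Certificates:
User Certificates:
Subject:        CN=test client
Trusted Certificates:
Subject:        CN=Networking/netfl-lablinux1,OU=OSS,O=Oracle,ST=Florida,C=US
"""


def parse_wallet_summary(text):
    """{section: [subject DN, ...]} for each 'Xxx Certificates:' section.
    An empty list means the section heading was printed with no entries."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Subject:"):
            if current is not None:
                sections[current].append(line[len("Subject:"):].strip())
        elif line.endswith(":"):
            current = line[:-1]
            sections.setdefault(current, [])
    return sections


def check_wallet_pair(server_summary, client_summary):
    """List of problems; an empty list means the pair is set up as step 3 describes."""
    server = parse_wallet_summary(server_summary)
    client = parse_wallet_summary(client_summary)
    problems = []
    s_user = server.get("User Certificates", [])
    c_user = client.get("User Certificates", [])
    s_trust = set(server.get("Trusted Certificates", []))
    c_trust = set(client.get("Trusted Certificates", []))
    if not s_user:
        problems.append("server wallet has no user certificate")
    if not c_user:
        problems.append("client wallet has no user certificate")
    shared_identity = set(s_user) & set(c_user)
    if shared_identity:   # the same wallet copied to both sides, or a reused cert
        problems.append("wallets share a user certificate identity: "
                        + ", ".join(sorted(shared_identity)))
    if not s_trust:
        problems.append("server wallet has no trusted certificate")
    if not c_trust:
        problems.append("client wallet has no trusted certificate")
    if s_trust and c_trust and not (s_trust & c_trust):
        problems.append("wallets share no trusted CA certificate")
    return problems


if __name__ == "__main__":
    print(check_wallet_pair(SERVER_WALLET_SUMMARY, CLIENT_WALLET_SUMMARY) or "wallet pair OK")
```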

4) Wallet placement and creation of the obfuscated wallet.

The finished cluster wallet that was created in step 3 should now be copied to each node of the cluster. There is no specific rule for wallet placement except that the wallet location must be accessible by both the database (PMON) and the scan and local listeners, which normally run out of the GI home.

In this example we have chosen a DB home wallet location on each node:

/u01/app/oracle/product/12.1.0.2/db_1/network/admin/wallet

In addition to the PKCS#12 wallet (ewallet.p12), a second wallet file named cwallet.sso must also be created. The cwallet.sso is an obfuscated mirror copy of the ewallet.p12 and is the file that is accessed by PMON and the listeners. If the cwallet.sso is created on the cluster it can be copied along with the ewallet.p12 to the wallet directory on each node. The cwallet.sso can also be created on each node separately if ewallet.p12 is already in place. Run the following command from the same location as ewallet.p12 to create cwallet.sso (you will be prompted for the wallet password).

Syntax: orapki wallet create -wallet [ewallet.p12 location] -auto_login

[oracle@net-rac1 wallet]$ orapki wallet create -wallet /u01/app/oracle/product/12.1.0.2/db_1/network/admin/wallet -auto_login
Oracle PKI Tool : Version 12.1.0.2.0 - Production
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

[oracle@net-rac1 wallet]$ ls -al

drwxr-xr-x. 2 oracle oracle 4096 Feb  7 11:12 .
drwxr-xr-x. 5 oracle oracle 4096 Feb 15 11:00 ..
-rw-------. 1 oracle oracle 2549 Feb 15 16:13 cwallet.sso
-rw-------. 1 oracle oracle 2472 Feb  7 11:11 ewallet.p12
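cwallet.sso lets PMON and the listeners open the wallet without a password, so any account that can read the file can use the cluster's private key; the -rw------- modes in the listing above are the ones to keep. The Python below is an added example, not code from this note, that checks a wallet directory for both files, owner-only modes, expected ownership, and a cwallet.sso that is not older than its ewallet.p12 (an older .sso means the wallet was changed after the auto-login copy was made). It uses POSIX file modes, so it is for the cluster nodes rather than the Windows client of step 8; demo() builds a throwaway directory with placeholder files so the check can be exercised without a real wallet.

```python
"""Check a wallet directory as laid out in step 4: ewallet.p12 and cwallet.sso
present, readable by the owner only, owned by the expected uid, and the
auto-login copy not older than the PKCS#12 wallet it mirrors.

Added example, not part of the original note.  POSIX modes only.  demo()
writes placeholder bytes, not real wallets, into a temporary directory.
"""

import os
import stat
import tempfile

WALLET_FILES = ("ewallet.p12", "cwallet.sso")


def check_wallet_dir(path, expected_uid=None):
    """List of findings for a wallet directory; an empty list means it passes."""
    findings = []
    for name in WALLET_FILES:
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            findings.append("%s: missing" % name)
            continue
        st = os.stat(full)
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):   # any group/other bit set
            findings.append("%s: accessible to group/others (mode %s), expected 0600"
                            % (name, stat.filemode(st.st_mode)))
        if expected_uid is not None and st.st_uid != expected_uid:
            findings.append("%s: owned by uid %d, expected uid %d"
                            % (name, st.st_uid, expected_uid))
    p12 = os.path.join(path, "ewallet.p12")
    sso = os.path.join(path, "cwallet.sso")
    if (os.path.isfile(p12) and os.path.isfile(sso)
            and os.stat(sso).st_mtime < os.stat(p12).st_mtime):
        # cwallet.sso mirrors ewallet.p12; an older .sso was not regenerated
        # after the .p12 changed (for example a re-imported certificate).
        findings.append("cwallet.sso: older than ewallet.p12, re-run "
                        "'orapki wallet create -wallet <dir> -auto_login'")
    return findings


def demo():
    """Constructed scenarios: correct modes, then a world-readable cwallet.sso,
    then an empty directory.  Returns the three findings lists."""
    good = tempfile.mkdtemp(prefix="wallet-demo-")
    for name in WALLET_FILES:                      # ewallet.p12 first, so .sso is newer
        full = os.path.join(good, name)
        with open(full, "wb") as fh:
            fh.write(b"placeholder bytes, not a real wallet")   # constructed content
        os.chmod(full, 0o600)
    uid = os.getuid()
    ok = check_wallet_dir(good, uid)
    os.chmod(os.path.join(good, "cwallet.sso"), 0o644)   # the mistake to catch
    loose = check_wallet_dir(good, uid)
    empty = check_wallet_dir(tempfile.mkdtemp(prefix="wallet-demo-"), uid)
    return ok, loose, empty


if __name__ == "__main__":
    for label, findings in zip(("correct", "world-readable", "empty"), demo()):
        print("%s: %s" % (label, findings or "OK"))
```

On a cluster node, call check_wallet_dir on the real directory with the uid of the software owner (oracle in this note) and run it on every node, since the wallet is copied to each one by hand.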

5) Define wallet locations in listener.ora and sqlnet.ora.

As mentioned earlier, both PMON and the listener processes of each node must be able to access the wallets. Each node's sqlnet.ora and listener.ora will need to have wallet locations defined. This step should be performed on all nodes.

5.1) Listeners on an 11.2 RAC cluster will normally run out of the Grid Infrastructure (GI) home. Edit $GRID_HOME/network/admin/listener.ora and add the following items:

SSL_CLIENT_AUTHENTICATION = FALSE

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/product/12.1.0.2/db_1/network/admin/wallet)
    )
  )

5.2) Instances on an 11.2 RAC cluster run out of the Database home. Edit the database $ORACLE_HOME/network/admin/sqlnet.ora and add the following items:

SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)

SSL_VERSION = 0

SSL_CLIENT_AUTHENTICATION = FALSE

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/product/12.1.0.2/db_1/network/admin/wallet)
    )
  )

6) Restart instances and listeners.

With the wallets in place and the ora files edited, the PMON and listener processes must be restarted so that they pick up the new wallet settings. After the restart the instances will also use the local_listener values that were added in step 2. Re-confirm that the scan listeners have the proper TCPS handlers and correct any discrepancies.

Command examples:

srvctl stop listener
srvctl start listener

srvctl stop scan_listener
srvctl start scan_listener

srvctl stop database -d netrac
srvctl start database -d netrac

7) Testing from a cluster node.

With the cluster environment configured for SSL the simplest way to
quickly test is to make an SSL connection on one of the cluster nodes.

7.1) Create a connect descriptor that uses the scan listener TCPS endpoint.

NETRACSSL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = net-scan)(PORT = 1523))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = NETRAC.us.oracle.com)
    )
  )

7.2) Make a connection with sqlplus and the TCPS connect descriptor.

[oracle@net-rac1 admin]$ sqlplus mike/<password>@NETRACSSL

SQL*Plus: Release 12.1.0.2.0 Production on Fri Feb 22 17:38:17 2015
Copyright (c) 2004, 2014, Oracle.  All rights reserved.

Connected to:
Oracle Database 12 Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, Real Application Clusters, Automatic Storage Management, OLAP,
Data Mining and Real Application Testing options

SQL>

8) Testing from a remote client.

8.1) Create a wallet directory and add the location to the client's sqlnet.ora.

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\app\oracle\product\11.2.0\dbhome_1\NETWORK\ADMIN\wallet)
    )
  )

8.2) Move the client wallet created in step 3 to the client wallet directory and create the cwallet.sso.

C:\app\oracle\product\12.1.0.2\dbhome_1\NETWORK\ADMIN\wallet>orapki wallet create -wallet . -auto_login

Enter wallet password:

C:\app\oracle\product\12.1.0.2\dbhome_1\NETWORK\ADMIN\wallet>dir
 Volume in drive C has no label.
 Volume Serial Number is 0865-9427

Directory of C:\app\oracle\product\12.1.0.2\dbhome_1\NETWORK\ADMIN\wallet

03/06/2012  04:01 PM    <DIR>          .
03/06/2012  04:01 PM    <DIR>          ..
02/22/2013  05:53 PM             1,101 cwallet.sso
02/28/2012  02:26 PM             1,024 ewallet.p12

8.3) Create a connect descriptor that uses the scan listener TCPS endpoint.

NETRACSSL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = net-scan)(PORT = 1523))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = NETRAC.us.oracle.com)
    )
  )

8.4) Make a connection with sqlplus using the TCPS connect descriptor.

C:\app\oracle\product\12.1.0.2\dbhome_1\NETWORK\ADMIN> sqlplus mike/<password>@NETRACSSL

SQL*Plus: Release 12.1.0.2.0 Production on Fri Feb 22 17:56:22 2015
Copyright (c) 2004, 2014, Oracle.  All rights reserved.

Connected to:
Oracle Database 12 Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, Real Application Clusters, Automatic Storage Management, OLAP,
Data Mining and Real Application Testing options

SQL>

References

NOTE:1504785.1 - Listener Does Not Create Handlers for Started Services With Multiple Endpoint Registration (ORA-12520, ORA-12516)
NOTE:1489301.1 - Using Orapki as Certificate Authority
NOTE:1537743.1 - Scan Listener TCPS Service Handlers are Blocked after Implementing COST on an SSL Cluster


Original source: https://www.cnblogs.com/yaoyangding/p/12028168.html

Time: 2024-11-07 18:11:42
