Goal: I am trying to establish an SSL connection to an Oracle 19c database in order to capture the network traffic generated for another project, but I have been stuck on this for a while. Any help would be appreciated. Thanks in advance.
Symptom: the TCP three-way handshake starts successfully (SYN, SYN-ACK), but the listener immediately closes the connection gracefully with a FIN-ACK.
TNS-12560: TNS:protocol adapter error
TNS-00540: SSL protocol adapter failure
I have used sqlplus and Toad.
A non-SSL connection to port 1521 works fine in both sqlplus and Toad.
listener.ora (server)
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = CLRExtProc)
      (ORACLE_HOME = C:\App\db_home)
      (PROGRAM = extproc)
      (ENVS = "EXTPROC_DLLS=ONLY:C:\App\db_home\bin\oraclr19.dll")
    )
  )

SSL_CLIENT_AUTHENTICATION = FALSE

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\App\db_home\wallet)
    )
  )

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = WIN-10-ORACL-DB)(PORT = 1521))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = WIN-10-ORACL-DB)(PORT = 2484))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC2484))
    )
  )

ADR_BASE_LISTENER = C:\App\db_home\log
sqlnet.ora (server)
SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS, NTS)
SSL_VERSION = 3.1
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
SSL_CLIENT_AUTHENTICATION = FALSE
SQLNET.ENCRYPTION_TYPES_SERVER= (AES256)
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\App\db_home\wallet)
    )
  )
SSL_CIPHER_SUITES= (SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_GCM_SHA384)
ADR_BASE = C:\App\db_home\log
tnsnames.ora (server)
ORACLR_CONNECTION_DATA =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = IPC)(Key = EXTPROC1521))
      (ADDRESS = (PROTOCOL = IPC)(Key = EXTPROC2484))
    )
    (CONNECT_DATA =
      (SID = CLRExtProc)
      (PRESENTATION = RO)
    )
  )

LISTENER_ORCL =
  (ADDRESS = (PROTOCOL = TCP)(HOST = WIN-10-ORACL-DB)(PORT = 1521))

ORCL =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = WIN-10-ORACL-DB)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = WIN-10-ORACL-DB)(PORT = 2484))
    )
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = orcl.greenbuff.local)
    )
  )
sqlnet.ora (client)
SQLNET.AUTHENTICATION_SERVICE = (TCPS, NTS)
SSL_VERSION= 3.1
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\oracle\instant_client_19_6\network\wallet)
    )
  )
ADR_BASE = C:\oracle\instant_client_19_6\network\log
NAMES.DIRECTORY_PATH=(EZCONNECT,TNSNAMES)
LOG_DIRECTORY_CLIENT=C:\oracle\instantclient_19_6\network\log
LOG_FILE_CLIENT=sqlnet_log
SQLNET.EXPIRE_TIME=3
TRACE_FILELEN_CLIENT=100
TRACE_FILENO_CLIENT=3
TRACE_LEVEL_CLIENT=support
TRACE_TIMESTAMP_CLIENT=ON
TRACE_UNIQUE_CLIENT=ON
USE_DEDICATED_SERVER=OFF
tnsnames.ora (client)
REMOTE_SSL_DB =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = 172.20.191.102)(PORT = 2484))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = orcl.greenbuff.local)
    )
  )

REMOTE_DB =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 172.20.191.102)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = orcl.greenbuff.local)
    )
  )
I had the same problem on Windows. Following pmdba's comment, the root cause was that the listener account did not have permission to read the wallet files; I could see Application Data in Wireshark, i.e. the SSL handshake completed. After adding full permissions it worked for me.
Update: adding the official references: on setting permissions for the Oracle wallet, and on manually setting file system ACLs.
Because Oracle Database services now run under a standard Windows user account, an Oracle Database service may not be able to access a file unless the file system access control list (ACL) grants access to that file.
Although the Oracle installation configures ACLs so that you do not have to change them manually for typical use, manual ACL changes are necessary in some cases, for example when manually upgrading a database, for database files outside the Oracle base, or to grant access to a wallet in the file system.
The rules for manually setting file system ACLs are:
- To allow Oracle Database services to access a file: when a Windows user account is used as the Oracle Home User, grant the Oracle Home User access to the file. If a Windows built-in account is used as the Oracle Home User, no such permission is needed, because the Oracle Database services run under an administrative account.
- To allow Oracle Grid listener services to access a file, grant the ORA_Grid_Listeners group access to the file.
- To allow Oracle services from a client home to access a file: when a Windows user account is used as the Oracle Home User of the client home, grant the Oracle Home User access to the file. If a Windows built-in account is used as the Oracle Home User, grant the ORA_HOMENAME_SVCSID group access to the file.
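The following PowerShell functions are an added example, not code from this answer or from Oracle's tooling. They do the check the answer describes: look up the account a Windows service runs as, test whether that identity can read every file in the wallet directory, and grant Read (rather than Full Control) where it is missing. They also flag grants to Everyone or other broad principals, which make the wallet readable by any local user. The wallet path, the service names and the listener account in the usage lines are assumptions; take the real service name from the Services console or lsnrctl on your host. The test matches identities directly and does not expand group membership, so if Oracle created a group for its services (such as an ORA_<home>_SVCACCTS group), list that group as well. Run it in an elevated session; Set-Acl needs rights on the files.

```powershell
# Added example (not from the original post). Assumed: wallet path, service names.
# Run elevated: Set-Acl needs permission to change the wallet files' DACLs.

# Return the account a Windows service runs as, in the form used in ACL entries.
# LocalSystem appears in ACLs as 'NT AUTHORITY\SYSTEM'.
function Get-ServiceAccount {
    param([Parameter(Mandatory)][string]$ServiceName)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found" }
    if ($svc.StartName -ieq 'LocalSystem') { return 'NT AUTHORITY\SYSTEM' }
    return $svc.StartName
}

# List wallet files a given identity cannot read, plus any grant to a broad principal
# (Everyone, Users, Authenticated Users) that is wider than the listener needs.
function Test-WalletAcl {
    param(
        [Parameter(Mandatory)][string]$WalletDir,
        [Parameter(Mandatory)][string[]]$Identities
    )
    $broadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    $findings = New-Object System.Collections.Generic.List[string]
    foreach ($file in Get-ChildItem -Path $WalletDir -File) {
        $acl = Get-Acl -Path $file.FullName
        foreach ($id in $Identities) {
            # An Allow ACE for this identity whose rights include ReadData (FullControl does).
            $canRead = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -ieq $id -and
                (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0)
            }
            if (-not $canRead) { $findings.Add("MISSING    $id has no read access to $($file.Name)") }
        }
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference.Value -in $broadPrincipals) {
                $findings.Add("OVERBROAD  $($ace.IdentityReference) has $($ace.FileSystemRights) on $($file.Name)")
            }
        }
    }
    return $findings
}

# Grant Read on each wallet file to each identity. No inheritance flags are needed
# because the rule is applied per file, not on the directory.
function Grant-WalletRead {
    param(
        [Parameter(Mandatory)][string]$WalletDir,
        [Parameter(Mandatory)][string[]]$Identities
    )
    foreach ($file in Get-ChildItem -Path $WalletDir -File) {
        $acl = Get-Acl -Path $file.FullName
        foreach ($id in $Identities) {
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'Read', 'Allow')
            $acl.AddAccessRule($rule)
        }
        Set-Acl -Path $file.FullName -AclObject $acl
    }
}

# Usage with assumed names: find the listener's account, audit, grant, audit again.
$walletDir = 'C:\App\db_home\wallet'                                              # wallet path from the question
$listenerAccount = Get-ServiceAccount -ServiceName 'OracleOraDB19Home1TNSListener'  # assumed listener service name
$ids = @($listenerAccount, 'NT SERVICE\OracleServiceORCL')                          # assumed DB service account
Test-WalletAcl -WalletDir $walletDir -Identities $ids
Grant-WalletRead -WalletDir $walletDir -Identities $ids
Test-WalletAcl -WalletDir $walletDir -Identities $ids
```

Read is enough for the listener to open cwallet.sso. If the listener log still reports that it cannot open the wallet after this, widen access on the .lck lock files only, not on the whole directory, and re-run Test-WalletAcl so the audit records what was changed.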
DBeaver complains (an example of the client-side error):
javax.net.ssl.SSLException: closing inbound before receiving peer's close_notify
at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
at java.base/sun.security.ssl.SSLEngineImpl.closeInbound(Unknown Source)
at oracle.net.nt.SSLSocketChannel.fill(SSLSocketChannel.java:534)
at oracle.net.nt.SSLSocketChannel.read(SSLSocketChannel.java:161)
at oracle.net.ns.NIOHeader.readHeaderBuffer(NIOHeader.java:82)
at oracle.net.ns.NIOPacket.readNIOPacket(NIOPacket.java:252)
at oracle.net.ns.NSProtocolNIO.negotiateConnection(NSProtocolNIO.java:118)
at oracle.net.ns.NSProtocol.connect(NSProtocol.java:317)
at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1438)
at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:518)
at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:688)
at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:39)
at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:691)
at org.jkiss.dbeaver.model.impl.jdbc.JDBCDataSource.lambda$0(JDBCDataSource.java:184)
at org.jkiss.dbeaver.model.impl.jdbc.JDBCDataSource.openConnection(JDBCDataSource.java:203)
at org.jkiss.dbeaver.ext.oracle.model.OracleDataSource.openConnection(OracleDataSource.java:168)
at org.jkiss.dbeaver.model.impl.jdbc.JDBCExecutionContext.connect(JDBCExecutionContext.java:103)
at org.jkiss.dbeaver.model.impl.jdbc.JDBCRemoteInstance.initializeMainContext(JDBCRemoteInstance.java:100)
at org.jkiss.dbeaver.model.impl.jdbc.JDBCRemoteInstance.<init>(JDBCRemoteInstance.java:59)
at org.jkiss.dbeaver.model.impl.jdbc.JDBCDataSource.initializeRemoteInstance(JDBCDataSource.java:111)
at org.jkiss.dbeaver.model.impl.jdbc.JDBCDataSource.<init>(JDBCDataSource.java:99)
at org.jkiss.dbeaver.model.impl.jdbc.JDBCDataSource.<init>(JDBCDataSource.java:91)
at org.jkiss.dbeaver.ext.oracle.model.OracleDataSource.<init>(OracleDataSource.java:86)
at org.jkiss.dbeaver.ext.oracle.OracleDataSourceProvider.openDataSource(OracleDataSourceProvider.java:147)
at org.jkiss.dbeaver.registry.DataSourceDescriptor.connect(DataSourceDescriptor.java:898)
at org.jkiss.dbeaver.runtime.jobs.ConnectJob.run(ConnectJob.java:70)
at org.jkiss.dbeaver.runtime.jobs.ConnectJob.runSync(ConnectJob.java:98)
at org.jkiss.dbeaver.ui.actions.datasource.DataSourceHandler.connectToDataSource(DataSourceHandler.java:113)
at org.jkiss.dbeaver.ui.actions.datasource.UIServiceConnectionsImpl.initConnection(UIServiceConnectionsImpl.java:70)
at org.jkiss.dbeaver.model.navigator.DBNDataSource.initializeNode(DBNDataSource.java:158)
at org.jkiss.dbeaver.model.navigator.DBNDatabaseNode.getChildren(DBNDatabaseNode.java:225)
at org.jkiss.dbeaver.model.navigator.DBNDatabaseNode.getChildren(DBNDatabaseNode.java:1)
at org.jkiss.dbeaver.model.navigator.DBNUtils.getNodeChildrenFiltered(DBNUtils.java:78)
at org.jkiss.dbeaver.ui.navigator.database.load.TreeLoadService.evaluate(TreeLoadService.java:49)
at org.jkiss.dbeaver.ui.navigator.database.load.TreeLoadService.evaluate(TreeLoadService.java:1)
at org.jkiss.dbeaver.ui.LoadingJob.run(LoadingJob.java:88)
at org.jkiss.dbeaver.ui.LoadingJob.run(LoadingJob.java:72)
at org.jkiss.dbeaver.model.runtime.AbstractJob.run(AbstractJob.java:105)
at org.eclipse.core.internal.jobs.Worker.run(Worker.java:63)
icacls displays or modifies discretionary access control lists (DACLs) on the specified files, and applies stored DACLs to files in the specified directories.
C:\Programs\admin\wallet> icacls .
. BUILTIN\Administrators:(I)(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
FANG-PC\ORA_OraDB19Home1_SVCACCTS:(I)(OI)(CI)(F)
FANG-PC\joy:(I)(OI)(CI)(F)
Successfully processed 1 files; Failed processing 0 files
C:\Programs\admin\wallet> icacls ./*
cwallet.sso BUILTIN\Administrators:(R,W,D,WDAC)
Everyone:(F)
cwallet.sso.lck BUILTIN\Administrators:(R,W,D,WDAC)
Everyone:(F)
ewallet.p12 BUILTIN\Administrators:(R,W,D,WDAC)
Everyone:(F)
ewallet.p12.lck BUILTIN\Administrators:(R,W,D,WDAC)
Everyone:(F)
Successfully processed 4 files; Failed processing 0 files
Note that the Everyone:(F) entry on all files was added by me later.
C:\Programs\admin>lsnrctl status LISTENER_TCP_TCPS
LSNRCTL for 64-bit Windows: Version 19.0.0.0.0 - Production on 29-NOV-2021 22:56:41
Copyright (c) 1991, 2019, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=fang-pc)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias LISTENER_TCP_TCPS
Version TNSLSNR for 64-bit Windows: Version 19.0.0.0.0 - Production
Start Date 29-NOV-2021 22:37:23
Uptime 0 days 0 hr. 19 min. 20 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File C:\Programs\WINDOWS.X64_193000_db_home\network\admin\listener.ora
Listener Log File C:\Programs\WINDOWS.X64_193000_db_home\log\diag\tnslsnr\fang-pc\listener_tcp_tcps\alert\log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=fang-pc)(PORT=1521)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=fang-pc)(PORT=2484)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=fang-pc)(PORT=5500))(Security=(my_wallet_directory=C:\PROGRAMS\admin\orcl\xdb_wallet))(Presentation=HTTP)(Session=RAW))
Services Summary...
Service "52448234712340b69f274bcc790ecfe0" has 1 instance(s).
Instance "orcl", status READY, has 1 handler(s) for this service...
Service "7ff434d4927c40dcaaf7eeb756b1d39d" has 1 instance(s).
Instance "orcl", status READY, has 1 handler(s) for this service...
Service "orcl" has 1 instance(s).
Instance "orcl", status READY, has 1 handler(s) for this service...
Service "orclXDB" has 1 instance(s).
Instance "orcl", status READY, has 1 handler(s) for this service...
Service "orclpdb" has 1 instance(s).
Instance "orcl", status READY, has 1 handler(s) for this service...
The command completed successfully
C:\Programs\admin> netstat -ano | findstr "PID LISTENING" | findstr "PID :1521 :2484"
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:1521 0.0.0.0:0 LISTENING 11160
TCP 0.0.0.0:2484 0.0.0.0:0 LISTENING 11160
TCP [::]:1521 [::]:0 LISTENING 11160
TCP [::]:2484 [::]:0 LISTENING 11160
:: taskkill /f /fi "SERVICES eq <service_short_name>"
C:\Programs\admin> tasklist /fi "PID eq 11160"
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
tnslsnr.exe 11160 Services 0 24,432 K
C:\Programs\admin> wmic service where "ProcessID=11160" get CreationClassName,Name
CreationClassName Name
Win32_Service OracleOraDB19Home1TNSListenerLISTENER_TCP_TCPS
Also, note that orapki wallet export exports the certificate from ewallet.p12 if the DN does not contain only the CN. I found that the client received just CN=orcl rather than CN=ORCL, O=Company0, C=US (O=Company0, C=US was missing).
C:\Programs\admin> orapki wallet export -wallet "C:\Programs\admin\wallet" -pwd xxx_password -dn "CN=ORCL" -cert tmp.crt
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Please check DN, could not found certificate with matching DN.
C:\Programs\admin> orapki wallet display -wallet C:\Programs\admin\wallet -pwd xxx_password
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Subject: CN=ORCL,O=Company0,C=US
Trusted Certificates:
Subject: CN=ORCL,O=Company0,C=US
C:\Programs\admin> openssl s_client -showcerts -connect 10.23.56.58:2484 2>NUL <NUL | openssl x509 > Desktop/orcl.crt
Java
public class Test {
    public static void main(String[] args) throws Exception {
        // Turn on JSSE handshake and record logging before the JDBC driver opens its TLS socket.
        System.setProperty("javax.net.debug", "all");
        // Point the JVM at a truststore holding the listener's CA if it is not in cacerts.
        // System.setProperty("javax.net.ssl.trustStore", "my-store.jks");
        // Protocol list for HttpsURLConnection; the JDBC thin driver is not governed by this property.
        // System.setProperty("https.protocols", "TLSv1,TLSv1.1,TLSv1.2");
    }
}
sqlnet.ora
# sqlnet.ora Network Configuration File: C:\Programs\WINDOWS.X64_193000_db_home\NETWORK\ADMIN\sqlnet.ora
# Generated by Oracle configuration tools.
# This file is actually generated by netca. But if customers choose to
# install "Software Only", this file wont exist and without the native
# authentication, they will not be able to connect to the database on NT.
SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS, NTS)
SSL_VERSION=0
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
SSL_CLIENT_AUTHENTICATION = FALSE
TRACE_LEVEL_SERVER = USER
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\Programs\admin\wallet)
    )
  )
SSL_CIPHER_SUITES= (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_128_GCM_SHA256)
ADR_BASE = C:\Programs\WINDOWS.X64_193000_db_home\log
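The PowerShell below is an added example, not code from this answer, from DBeaver or from Oracle. It performs the two diagnostics shown above in one place: it maps the socket listening on the TCPS port to the Windows service and account behind it (the netstat, tasklist and wmic chain above), and it completes a bare TLS handshake against that port to report the protocol negotiated and the certificate subject the server actually presents, which is what the openssl s_client command and the orapki DN check are looking at. Host name and port are assumptions. If the listener can read its wallet, the handshake completes and Subject should match the orapki wallet display output; if it cannot, AuthenticateAsClient fails because the listener closes the connection during the handshake, which matches the symptom in the question.

```powershell
# Added example (not from the answer above). Assumed: host name and TCPS port.

# Map the socket listening on a port to the process, Windows service and account that own it.
function Get-ListeningService {
    param([int]$Port = 2484)
    $conn = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction Stop |
        Select-Object -First 1
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "ProcessId=$($conn.OwningProcess)"
    [pscustomobject]@{
        Port        = $Port
        ProcessId   = $conn.OwningProcess
        ProcessName = (Get-Process -Id $conn.OwningProcess).ProcessName
        Service     = $svc.Name
        Account     = $svc.StartName
    }
}

# Complete a raw TLS handshake against the TCPS endpoint and report what the server sent.
function Get-TcpsServerCertificate {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 2484
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($ComputerName, $Port)
        # The validation callback accepts any certificate so that an untrusted or
        # mismatched one is still reported. This is inspection only; never use such
        # a callback in a real connection.
        $ssl = New-Object System.Net.Security.SslStream(
            $client.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $cert, $chain, $errors) $true })
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        [pscustomobject]@{
            Protocol   = $ssl.SslProtocol
            Cipher     = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Usage with an assumed host name and the TCPS port from the configuration above.
Get-ListeningService -Port 2484
Get-TcpsServerCertificate -ComputerName 'WIN-10-ORACL-DB' -Port 2484
```

The Account field is the identity that must be able to read the wallet files; the Protocol field shows what the listener actually negotiated, which is the quickest way to confirm an SSL_VERSION setting took effect.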
I ran into the same problem. What finally fixed it for me was adding permissions on the .sso and .pk wallet files for the service accounts that the Oracle database uses if it was installed with virtual accounts, i.e. NT Service\OracleService and NT Service\OracleListener (both accounts).
After enabling Full Control for both accounts on the .sso and .pk wallet files, I was able to establish a connection. After making the change above you can keep SSL_VERSION=0; the client and server can negotiate the best available protocol.
Note: this answer is specific to Windows, but assigning permissions was originally suggested for the same kind of problem on a Linux machine.
As of 5 Feb 2021: do not use the Wallet Manager provided by Oracle; use only orapki. For some reason, using Wallet Manager always messes up the TCPS connection, with an "unable to open file" error, even though all the required permissions have been granted to the virtual account (if there is one).
SSL_VERSION=3.1 is not valid. The valid values are "3.0" for SSL and "1.0", "1.1", "1.2" for TLS. TLS is recommended because it is the strongest.
https://docs.oracle.com/en/database/oracle/oracle-database/19/netrf/parameters-for-the-sqlnet.ora.html#GUID-A2A81CEE-162D-4602-8315-990C8CC9E9E2