我对OracleDB相当陌生。我正在研究在不提供用户名和密码的情况下将客户端应用程序连接到服务器上的Oracle数据库。我的理解是否正确,即使用orapki钱包可以实现这一点?我正在用我的笔记本电脑作为客户端和服务器来测试这一点。
我使用orapki来为客户端和服务器端创建钱包,如下所示:
Create Server Wallet :
orapki wallet create -wallet "C:/app/wallet" -pwd Welcome1 -auto_login
orapki wallet add -wallet "C:/app/wallet" -pwd Welcome1 -dn "CN=MyHostName" -keysize 1024 -self_signed -validity 3650 -sign_alg sha256
orapki wallet export -wallet "C:/app/wallet" -pwd Welcome1 -dn "CN=MyHostName" -cert C:/app/wallet/MyHostName-certificate.crt
Create Client Wallet: [I choose CN name to match username for oracleDB login name, i.e., abcd]
orapki wallet create -wallet "C:/app/client_wallet" -pwd Welcome1 -auto_login
orapki wallet add -wallet "C:/app/client_wallet" -pwd Welcome1 -dn "CN=abcd" -keysize 1024 -self_signed -validity 3650 -sign_alg sha256
orapki wallet export -wallet "C:/app/client_wallet" -pwd Welcome1 -dn "CN=abcd" -cert C:/app/client_wallet/abcd-certificate.crt
将证书从一侧加载到另一侧的钱包中。
Load the server certificate into the client wallet.
orapki wallet add -wallet "C:/app/client_wallet" -pwd Welcome1 -trusted_cert -cert C:/app/wallet/MyHostName-certificate.crt
Load the Client certificate into the server wallet.
orapki wallet add -wallet "C:/app/wallet" -pwd Welcome1 -trusted_cert -cert C:/app/client_wallet/abcd-certificate.crt
显示钱包显示以下结果:
Server Wallet:
orapki wallet display -wallet "C:/app/wallet" -pwd Welcome1
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Subject: CN=MyHostName
Trusted Certificates:
Subject: CN=abcd
Subject: CN=MyHostName
Client Wallet:
orapki wallet display -wallet "C:/app/client_wallet" -pwd Welcome1
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Subject: CN=abcd
Trusted Certificates:
Subject: CN=MyHostName
Subject: CN=abcd
我从上面的理解是,服务器和客户端现在相互信任,因此有利于建立连接。
服务器设置文件如下所示:
tnsnames.ora
TCP_ACTIVE =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = MyHostName)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = orcl)
)
)
TCPS_ACTIVE =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCPS)(HOST = MyHostName)(PORT = 1522))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = orcl)
)
)
listener.ora
SSL_CLIENT_AUTHENTICATION = TRUE
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = C:appwallet)
)
)
SID_LIST_LISTENER =
(SID_LIST =
(SID_DESC =
(SID_NAME = CLRExtProc)
(ORACLE_HOME = C:appMyUserproduct12.1.0dbhome_2)
(PROGRAM = extproc)
(ENVS = "EXTPROC_DLLS=ONLY:C:appMyUserproduct12.1.0dbhome_2binoraclr12.dll")
)
)
LISTENER =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = MyHostName)(PORT = 1521))
(ADDRESS = (PROTOCOL = TCPS)(HOST = MyHostName)(PORT = 1522))
(ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
)
)
sqlnet.ora
SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS, NTS)
SQLNET.WALLET_OVERRIDE = FALSE
#SSL_VERSION = 0
TRACE_LEVEL_CLIENT = SUPPORT
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
SSL_CLIENT_AUTHENTICATION = TRUE
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = C:appwallet)
)
)
#SSL_CIPHER_SUITES= (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
我有一个简单的c++测试客户端使用OCCI,设置文件如下所示
tnsnames.ora
TCP_ACTIVE =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = MyHostName)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = orcl)
)
)
TCPS_ACTIVE =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCPS)(HOST = MyHostName)(PORT = 1522))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = orcl)
)
)
sqlnet.ora
TRACE_LEVEL_CLIENT=support
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = C:appclient_wallet)
)
)
SSL_CLIENT_AUTHENTICATION =TRUE
SSL_SERVER_DN_MATCH=OFF
TRACE_LEVEL_CLIENT = 16
TRACE_FILE_CLIENT = client_trace
TRACE_TIMESTAMP_CLIENT = ON
TRACE_DIRECTORY_CLIENT = C:Client
DIAG_ADR_ENABLED=ON
我的服务器侦听器服务状态如下所示:
LSNRCTL> status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=MyHostName)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for 64-bit Windows: Version 12.1.0.2.0 - Production
Start Date 24-OCT-2019 19:46:17
Uptime 0 days 21 hr. 31 min. 25 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File C:appMyUserproduct12.1.0dbhome_2networkadminlistener.ora
Listener Log File C:appMyUserdiagtnslsnrMyHostNamelisteneralertlog.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=MyHostName)(PORT=1521)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=MyHostName)(PORT=1522)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\.pipeEXTPROC1521ipc)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=MyHostName)(PORT=5500))(Security=(my_wallet_directory=C:appwallet))(Presentation=HTTP)(Session=RAW))
Services Summary...
Service "CLRExtProc" has 1 instance(s).
Instance "CLRExtProc", status UNKNOWN, has 1 handler(s) for this service...
Service "orcl" has 1 instance(s).
Instance "orcl", status READY, has 1 handler(s) for this service...
Service "orclXDB" has 1 instance(s).
Instance "orcl", status READY, has 1 handler(s) for this service...
The command completed successfully
当我尝试使用连接字符串">TCP_ACTIVE"连接到服务器并提供用户名和密码时,我能够正常连接
Environment *env = Environment::createEnvironment();
Connection *conn = env->createConnection(m_username.c_str(), m_password.c_str(), m_dbConnectionString.c_str());
"conn"中的连接似乎已经形成,并且能够使用它成功地运行简单的查询。
但是,当我尝试使用TCPS_ACTIVE连接字符串连接到服务器时,只有当我提供用户名和密码时,我才能连接。以下是当我没有提供用户名和密码时收到的错误消息:
ORA-01017: invalid username/password; logon denied
我很好奇是否可以使用钱包而不使用用户名和密码连接到服务器?如果是,我应该如何设置它进行测试?
谢谢
附言:我也研究过类似的问题,但我不明白这个设定是怎么做的。
我的用户似乎需要在外部标识为"CN=abcd"才能工作。使用管理员登录转到SQL Developer并运行:
alter user abcd identified externally as 'CN=abcd';
以上代码可以在不使用密码的情况下连接。