在公司配置数据库时,向wallet中增加了一个新的数据库,现实无需输入用户名与密码来登陆数据库,增加完成后,导致整个监控系统都是报用户名与密码的错误,无法登陆来数据库。但是Oracle用户是能正常登陆数据库,不需要输入密码。其实原因很简单,因为我们的监控系统是nagios,而wallet相关的文件的默认权限是600,除ORACLE外其它的用户都是不可以读写的,正常情况下我们是改成了777的权限,让其它的用户也能使用钱包这个功能,当是我对wallet进行新增加一个数据库时,wallet会自己把cwallet.sso与ewallet.p12文件的权限自己改成600。这就导致了今天我的悲剧。
下面是wallet的配置/管理/维护/现象的模拟
1.创建wallet
[oracle@test db_1]$ mkdir wallet [oracle@test db_1]$ pwd /u01/app/oracle/product/11.2.0/db_1 [oracle@test db_1]$ mkstore -wrl /u01/app/oracle/product/11.2.0/db_1/wallet -create Oracle Secret Store Tool : Version 11.2.0.2.0 - Production Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved. #这里输入wallet的密码,对密码是有限制条件的 1.密码长度要是8位以上。 2.密码最大长度没有限制。 3.密码要有字符与数据。 Enter password: Enter password again:
2.配置wallet到sqlnet.ora中
[oracle@test db_1]$ cat $ORACLE_HOME/network/admin/sqlnet.ora NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT) #DIRECTORY这里就是指定wallet所在的目录WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/product/11.2.0/db_1/wallet))) SQLNET.WALLET_OVERRIDE=TRUE
3.查看wallet的命令帮忙
wallet这个很好,因为直接用help就可以看到命令的帮忙了,不需要我们再去记复杂的参数,只用记住mkstore这个命令来管理wallet就可以了。
[oracle@test db_1]$ mkstore -help Oracle Secret Store Tool : Version 11.2.0.2.0 - Production Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved. mkstore [-wrl wrl] [-create] [-createSSO] [-createLSSO] [-createALO] [-delete] [-deleteSSO] [-list] [-createEntry alias secret] [-viewEntry alias] [-modifyEntry alias secret] [-deleteEntry alias] [-createCredential connect_string username password] [-listCredential] [-modifyCredential connect_string username password] [-deleteCredential connect_string] [-help] [-nologo]
4.增加数据库到wallet中去,并测试是否成功
3.1#增加net service为htz scott为用户 oracle为用户的密码。 #建议密码用''引起来,因为在生产环境中的密码基本上都是特殊字符的。 [oracle@test db_1]$ mkstore -wrl /u01/app/oracle/product/11.2.0/db_1/wallet -createCredential htz scott 'oracle' Oracle Secret Store Tool : Version 11.2.0.2.0 - Production Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved. Enter wallet password: Create credential oracle.security.client.connect_string1 3.2 #查看是否增加成功。 [oracle@test db_1]$ mkstore -wrl /u01/app/oracle/product/11.2.0/db_1/wallet -listCredential Oracle Secret Store Tool : Version 11.2.0.2.0 - Production Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved. Enter wallet password: List credential (index: connect_string username) 1: htz scott 3.3 测试是否可以实现无需要输入用户与密码登陆 [oracle@test db_1]$ sqlplus /@htz SQL*Plus: Release 11.2.0.2.0 Production on Sat Sep 8 09:19:15 2012 Copyright (c) 1982, 2010, Oracle. All rights reserved. Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production With the Partitioning, OLAP, Data Mining and Real Application Testing options #显示的是scott,成功了。 SQL> show user; USER is "SCOTT" SQL> exit Disconnected from Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production With the Partitioning, OLAP, Data Mining and Real Application Testing options
5.查看entry
#这里看到我们增加一个数据进来就会增加3个entries。 #分别是一个连接符,一个用户名,一个密码。 #当我们增加了很多数据库与用户进来后,数据库与用户还有密码他们是怎么关联的呢?其实他们就是通过后面的这个数字来关键的。 [oracle@test db_1]$ mkstore -wrl /u01/app/oracle/product/11.2.0/db_1/wallet -list Oracle Secret Store Tool : Version 11.2.0.2.0 - Production Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved. Enter wallet password: Oracle Secret Store entries: oracle.security.client.connect_string1 oracle.security.client.password1 oracle.security.client.username1
6.创建默认用户与密码
这样可以实现,登陆所以的数据库都可以使用默认的用户与密码
6.1 #创建默认的用户。 [oracle@test db_1]$ mkstore -wrl /u01/app/oracle/product/11.2.0/db_1/wallet -createEntry oracle.security.client.default_username scott Oracle Secret Store Tool : Version 11.2.0.2.0 - Production Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved. Enter wallet password: 6.2 #创建默认用户的密码。 [oracle@test db_1]$ mkstore -wrl /u01/app/oracle/product/11.2.0/db_1/wallet -createEntry oracle.security.client.default_password oracle Oracle Secret Store Tool : Version 11.2.0.2.0 - Production Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved. Enter wallet password: 6.3 #查看是否创建成功 [oracle@test db_1]$ mkstore -wrl /u01/app/oracle/product/11.2.0/db_1/wallet -list Oracle Secret Store Tool : Version 11.2.0.2.0 - Production Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved. Enter wallet password: Oracle Secret Store entries: oracle.security.client.connect_string1 oracle.security.client.default_password oracle.security.client.default_username oracle.security.client.password1 oracle.security.client.username1
7.当默认用户与手动增加的数据库信息到wallet中时,那一个生效呢?
下面我们测试一下,当wallet里面创建了默认的用户与密码时,手动再增加一个增加的信息到wallet时,到底是默认用户还是手动增加的生效呢?其实是手动增加的生效。
7.1 #由于默认用户增加的SCOTT普通用户,所以这里我们增加sys这个用户来做测试,net service名是htzb [oracle@test db_1]$ mkstore -wrl $ORACLE_HOME/wallet -createCredential htzb sys 'oracle' Oracle Secret Store Tool : Version 11.2.0.2.0 - Production Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved. Enter wallet password: Create credential oracle.security.client.connect_string1 7.2 #登陆测试。 这里没有增加as sysdba就是为了能区别普通用户与sys用户登陆的区别。如果是sys用户生效,就会报没有增加as sysdba登陆,如果是scott这个默认用户生效,就会登陆成功。 [oracle@test db_1]$ sqlplus /@htzb SQL*Plus: Release 11.2.0.2.0 Production on Sat Sep 8 09:33:07 2012 Copyright (c) 1982, 2010, Oracle. All rights reserved. #这里报错,说明手动增加的SYS用户的生效。默认用户没有生效 ERROR: ORA-28009: connection as SYS should be as SYSDBA or SYSOPER Enter user-name: 7.3 #这里我们再登陆htz,登陆成功。说明我们默认用户在其它的net service是生效的。 [oracle@test db_1]$ sqlplus /@htz SQL*Plus: Release 11.2.0.2.0 Production on Sat Sep 8 09:33:23 2012 Copyright (c) 1982, 2010, Oracle. All rights reserved. Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production With the Partitioning, OLAP, Data Mining and Real Application Testing options SQL> exit Disconnected from Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production With the Partitioning, OLAP, Data Mining and Real Application Testing options 7.4 #以sys as sysdba登陆成功 [oracle@test db_1]$ sqlplus /@htzb as sysdba SQL*Plus: Release 11.2.0.2.0 Production on Sat Sep 8 09:33:30 2012 Copyright (c) 1982, 2010, Oracle. All rights reserved. Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production With the Partitioning, OLAP, Data Mining and Real Application Testing options SQL> show user USER is "SYS"
8.下面测试的是通过mkstore修改wallet中的内容后,导致wallet相关的文件,权限自动改成600.
8.1 #把wallet的文件权限改成777 [oracle@test db_1]$ chmod 777 $ORACLE_HOME/wallet/* [oracle@test db_1]$ ls -l $ORACLE_HOME/wallet total 16 -rwxrwxrwx 1 oracle oinstall 4565 Sep 8 09:38 cwallet.sso -rwxrwxrwx 1 oracle oinstall 4488 Sep 8 09:38 ewallet.p12 8.2 #手动在wallet中增加一个net service的配置信息 [oracle@test db_1]$ mkstore -wrl $ORACLE_HOME/wallet -deleteCredential htz Oracle Secret Store Tool : Version 11.2.0.2.0 - Production Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved. Enter wallet password: Delete credential Delete 2 8.3 #再次查看权限时发现权限已经自己改成了600了 [oracle@test db_1]$ ls -l $ORACLE_HOME/wallet total 16 -rw------- 1 oracle oinstall 4205 Sep 8 09:39 cwallet.sso -rw------- 1 oracle oinstall 4128 Sep 8 09:39 ewallet.p12
9. 当用户的密码发生变化的时候需要修改wallet中的密码
[oracle@test ~]$ mkstore -wrl $ORACLE_HOME/wallet -modifyCredential htz scott 'oracleoracle'; Oracle Secret Store Tool : Version 11.2.0.2.0 - Production Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved. Enter wallet password: Modify credential Modify 1
10.查看wallet中有那些认证的信息
[oracle@test ~]$ mkstore -wrl $ORACLE_HOME/wallet -listCredential Oracle Secret Store Tool : Version 11.2.0.2.0 - Production Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved. Enter wallet password: List credential (index: connect_string username) 1: htz scott
11 从wallet删除一个net service的配置信息
[oracle@test ~]$ mkstore -wrl $ORACLE_HOME/wallet -deleteCredential htz Oracle Secret Store Tool : Version 11.2.0.2.0 - Production Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved. Enter wallet password: Delete credential Delete 1
12.修改默认的用户名
修改默认的用户名的密码的方法也一样。
[oracle@test ~]$ mkstore -wrl $ORACLE_HOME/wallet -viewEntry oracle.security.client.default_username Oracle Secret Store Tool : Version 11.2.0.2.0 - Production Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved. Enter wallet password: oracle.security.client.default_username = scott [oracle@test ~]$ mkstore -wrl $ORACLE_HOME/wallet -modifyEntry oracle.security.client.default_username Oracle Secret Store Tool : Version 11.2.0.2.0 - Production Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved. Your secret/Password is missing in the command line Enter your secret/Password: Re-enter your secret/Password: Enter wallet password: [oracle@test ~]$ mkstore -wrl $ORACLE_HOME/wallet -viewEntry oracle.security.client.default_username Oracle Secret Store Tool : Version 11.2.0.2.0 - Production Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved. Enter wallet password: oracle.security.client.default_username = oracle
13 删除默认的用户名
[oracle@test ~]$ mkstore -wrl $ORACLE_HOME/wallet -deleteEntry oracle.security.client.default_username Oracle Secret Store Tool : Version 11.2.0.2.0 - Production Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved. Enter wallet password:
我们一般的维护就这么多。
