ORACLE wallet配置/管理/使用

    昨天在公司配置數據庫時，向wallet中增長了一個新的數據庫，現實無需輸入用戶名與密碼來登錄數據庫，增長完成後，致使整個監控系統都是報用戶名與密碼的錯誤，沒法登錄來數據庫。可是ORACLE用戶是能正常登錄數據庫，不須要輸入密碼。其實緣由很簡單，由於咱們的監控系統是nagios，而wallet相關的文件的默認權限是600，除ORACLE外其它的用戶都是不能夠讀寫的，正常狀況下咱們是改爲了777的權限，讓其它的用戶也能使用錢包這個功能，當是我對wallet進行新增長一個數據庫時，wallet會本身把cwallet.sso與ewallet.p12文件的權限本身改爲600。這就致使了今天個人悲劇。

    下面是wallet的配置/管理/維護/現象的模擬

1.建立wallet

[oracle@test db_1]$ mkdir wallet
[oracle@test db_1]$ pwd
/u01/app/oracle/product/11.2.0/db_1
[oracle@test db_1]$ mkstore -wrl /u01/app/oracle/product/11.2.0/db_1/wallet -create
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
#這裏輸入wallet的密碼，對密碼是有限制條件的
1.密碼長度要是8位以上。
2.密碼最大長度沒有限制。
3.密碼要有字符與數據。
Enter password:

Enter password again:

2.配置wallet到sqlnet.ora中

[oracle@test db_1]$ cat $ORACLE_HOME/network/admin/sqlnet.ora
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
#DIRECTORY這裏就是指定wallet所在的目錄
WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/product/11.2.0/db_1/wallet)))
SQLNET.WALLET_OVERRIDE=TRUE

3.查看wallet的命令幫忙

wallet這個很好，由於直接用help就能夠看到命令的幫忙了，不須要咱們再去記複雜的參數，只用記住mkstore這個命令來管理wallet就能夠了。

[oracle@test db_1]$ mkstore -help
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

mkstore [-wrl wrl] [-create] [-createSSO] [-createLSSO] [-createALO] [-delete]
[-deleteSSO] [-list] [-createEntry alias secret] [-viewEntry alias]
[-modifyEntry alias secret] [-deleteEntry alias]
[-createCredential connect_string username password] [-listCredential]
[-modifyCredential connect_string username password] [-deleteCredential connect_string] [-help] [-nologo]

4.增長數據庫到wallet中去，並測試是否成功

3.1#增長net service爲htz scott爲用戶 oracle爲用戶的密碼。
#建議密碼用''引發來，由於在生產環境中的密碼基本上都是特殊字符的。
[oracle@test db_1]$ mkstore -wrl  /u01/app/oracle/product/11.2.0/db_1/wallet -createCredential htz scott 'oracle'
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

Create credential oracle.security.client.connect_string1
3.2 #查看是否增長成功。
[oracle@test db_1]$ mkstore -wrl  /u01/app/oracle/product/11.2.0/db_1/wallet -listCredential
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

List credential (index: connect_string username)
1: htz scott
3.3 測試是否能夠實現無須要輸入用戶與密碼登錄
[oracle@test db_1]$ sqlplus /@htz

SQL*Plus: Release 11.2.0.2.0 Production on Sat Sep 8 09:19:15 2012

Copyright (c) 1982, 2010, Oracle.  All rights reserved.


Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
#顯示的是scott，成功了。
SQL> show user;
USER is "SCOTT"
SQL> exit
Disconnected from Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

5.查看entry

#這裏看到咱們增長一個數據進來就會增長3個entries。
#分別是一個鏈接符，一個用戶名，一個密碼。
#當咱們增長了不少數據庫與用戶進來後，數據庫與用戶還有密碼他們是怎麼關聯的呢？其實他們就是經過後面的這個數字來關鍵的。
[oracle@test db_1]$ mkstore -wrl  /u01/app/oracle/product/11.2.0/db_1/wallet -list
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

Oracle Secret Store entries:
oracle.security.client.connect_string1
oracle.security.client.password1
oracle.security.client.username1

6.建立默認用戶與密碼

這樣能夠實現，登錄因此的數據庫均可以使用默認的用戶與密碼

6.1 #建立默認的用戶。
[oracle@test db_1]$ mkstore -wrl  /u01/app/oracle/product/11.2.0/db_1/wallet -createEntry  oracle.security.client.default_username scott
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
6.2 #建立默認用戶的密碼。
[oracle@test db_1]$ mkstore -wrl  /u01/app/oracle/product/11.2.0/db_1/wallet -createEntry  oracle.security.client.default_password oracle
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
6.3 #查看是否建立成功
[oracle@test db_1]$ mkstore -wrl  /u01/app/oracle/product/11.2.0/db_1/wallet -list
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

Oracle Secret Store entries:
oracle.security.client.connect_string1
oracle.security.client.default_password
oracle.security.client.default_username
oracle.security.client.password1
oracle.security.client.username1

7.當默認用戶與手動增長的數據庫信息到wallet中時，那一個生效呢？

下面咱們測試一下，當wallet裏面建立了默認的用戶與密碼時，手動再增長一個增長的信息到wallet時，究竟是默認用戶仍是手動增長的生效呢？實際上是手動增長的生效。

7.1 #因爲默認用戶增長的SCOTT普通用戶，因此這裏咱們增長sys這個用戶來作測試，net service名是htzb
[oracle@test db_1]$ mkstore -wrl $ORACLE_HOME/wallet -createCredential htzb sys 'oracle'
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

Create credential oracle.security.client.connect_string1
7.2 #登錄測試。
這裏沒有增長as sysdba就是爲了能區別普通用戶與sys用戶登錄的區別。若是是sys用戶生效，就會報沒有增長as sysdba登錄，若是是scott這個默認用戶生效，就會登錄成功。
[oracle@test db_1]$ sqlplus /@htzb

SQL*Plus: Release 11.2.0.2.0 Production on Sat Sep 8 09:33:07 2012

Copyright (c) 1982, 2010, Oracle.  All rights reserved.
#這裏報錯，說明手動增長的SYS用戶的生效。默認用戶沒有生效
ERROR:
ORA-28009: connection as SYS should be as SYSDBA or SYSOPER


Enter user-name:
7.3 #這裏咱們再登錄htz，登錄成功。說明咱們默認用戶在其它的net service是生效的。
[oracle@test db_1]$ sqlplus /@htz

SQL*Plus: Release 11.2.0.2.0 Production on Sat Sep 8 09:33:23 2012

Copyright (c) 1982, 2010, Oracle.  All rights reserved.


Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> exit
Disconnected from Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

7.4 #以sys as sysdba登錄成功
[oracle@test db_1]$ sqlplus /@htzb as sysdba

SQL*Plus: Release 11.2.0.2.0 Production on Sat Sep 8 09:33:30 2012

Copyright (c) 1982, 2010, Oracle.  All rights reserved.


Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> show user
USER is "SYS"

8.下面測試的是經過mkstore修改wallet中的內容後，致使wallet相關的文件，權限自動改爲600.

8.1 #把wallet的文件權限改爲777
[oracle@test db_1]$ chmod 777 $ORACLE_HOME/wallet/*
[oracle@test db_1]$ ls -l $ORACLE_HOME/wallet
total 16
-rwxrwxrwx 1 oracle oinstall 4565 Sep  8 09:38 cwallet.sso
-rwxrwxrwx 1 oracle oinstall 4488 Sep  8 09:38 ewallet.p12
8.2 #手動在wallet中增長一個net service的配置信息
[oracle@test db_1]$ mkstore -wrl $ORACLE_HOME/wallet -deleteCredential htz
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

Delete credential
Delete 2
8.3 #再次查看權限時發現權限已經本身改爲了600了
[oracle@test db_1]$ ls -l $ORACLE_HOME/wallet
total 16
-rw------- 1 oracle oinstall 4205 Sep  8 09:39 cwallet.sso
-rw------- 1 oracle oinstall 4128 Sep  8 09:39 ewallet.p12

9. 當用戶的密碼發生變化的時候須要修改wallet中的密碼

[oracle@test ~]$ mkstore -wrl $ORACLE_HOME/wallet -modifyCredential htz scott 'oracleoracle';
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

Modify credential
Modify 1

10.查看wallet中有那些認證的信息

[oracle@test ~]$ mkstore -wrl $ORACLE_HOME/wallet -listCredential
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

List credential (index: connect_string username)
1: htz scott

11 從wallet刪除一個net service的配置信息

[oracle@test ~]$ mkstore -wrl $ORACLE_HOME/wallet -deleteCredential  htz
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

Delete credential
Delete 1

12.修改默認的用戶名

修改默認的用戶名的密碼的方法也同樣。

[oracle@test ~]$ mkstore -wrl $ORACLE_HOME/wallet -viewEntry oracle.security.client.default_username
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

oracle.security.client.default_username = scott
[oracle@test ~]$ mkstore -wrl $ORACLE_HOME/wallet -modifyEntry oracle.security.client.default_username
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Your secret/Password is missing in the command line
Enter your secret/Password:

Re-enter your secret/Password:

Enter wallet password:

[oracle@test ~]$ mkstore -wrl $ORACLE_HOME/wallet -viewEntry oracle.security.client.default_username
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

oracle.security.client.default_username = oracle

13 刪除默認的用戶名

[oracle@test ~]$ mkstore -wrl $ORACLE_HOME/wallet -deleteEntry oracle.security.client.default_username
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

咱們通常的維護就這麼多。