ORACLE wallet配置/管理/使用

    昨天在公司配置数据库时，向wallet中增长了一个新的数据库，现实无需输入用户名与密码来登录数据库，增长完成后，致使整个监控系统都是报用户名与密码的错误，没法登录来数据库。可是ORACLE用户是能正常登录数据库，不须要输入密码。其实缘由很简单，由于咱们的监控系统是nagios，而wallet相关的文件的默认权限是600，除ORACLE外其它的用户都是不能够读写的，正常状况下咱们是改为了777的权限，让其它的用户也能使用钱包这个功能，当是我对wallet进行新增长一个数据库时，wallet会本身把cwallet.sso与ewallet.p12文件的权限本身改为600。这就致使了今天个人悲剧。

    下面是wallet的配置/管理/维护/现象的模拟

1.建立wallet

[oracle@test db_1]$ mkdir wallet
[oracle@test db_1]$ pwd
/u01/app/oracle/product/11.2.0/db_1
[oracle@test db_1]$ mkstore -wrl /u01/app/oracle/product/11.2.0/db_1/wallet -create
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
#这里输入wallet的密码，对密码是有限制条件的
1.密码长度要是8位以上。
2.密码最大长度没有限制。
3.密码要有字符与数据。
Enter password:

Enter password again:

2.配置wallet到sqlnet.ora中

[oracle@test db_1]$ cat $ORACLE_HOME/network/admin/sqlnet.ora
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
#DIRECTORY这里就是指定wallet所在的目录
WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/product/11.2.0/db_1/wallet)))
SQLNET.WALLET_OVERRIDE=TRUE

3.查看wallet的命令帮忙

wallet这个很好，由于直接用help就能够看到命令的帮忙了，不须要咱们再去记复杂的参数，只用记住mkstore这个命令来管理wallet就能够了。

[oracle@test db_1]$ mkstore -help
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

mkstore [-wrl wrl] [-create] [-createSSO] [-createLSSO] [-createALO] [-delete]
[-deleteSSO] [-list] [-createEntry alias secret] [-viewEntry alias]
[-modifyEntry alias secret] [-deleteEntry alias]
[-createCredential connect_string username password] [-listCredential]
[-modifyCredential connect_string username password] [-deleteCredential connect_string] [-help] [-nologo]

4.增长数据库到wallet中去，并测试是否成功

3.1#增长net service为htz scott为用户 oracle为用户的密码。
#建议密码用''引发来，由于在生产环境中的密码基本上都是特殊字符的。
[oracle@test db_1]$ mkstore -wrl  /u01/app/oracle/product/11.2.0/db_1/wallet -createCredential htz scott 'oracle'
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

Create credential oracle.security.client.connect_string1
3.2 #查看是否增长成功。
[oracle@test db_1]$ mkstore -wrl  /u01/app/oracle/product/11.2.0/db_1/wallet -listCredential
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

List credential (index: connect_string username)
1: htz scott
3.3 测试是否能够实现无须要输入用户与密码登录
[oracle@test db_1]$ sqlplus /@htz

SQL*Plus: Release 11.2.0.2.0 Production on Sat Sep 8 09:19:15 2012

Copyright (c) 1982, 2010, Oracle.  All rights reserved.


Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
#显示的是scott，成功了。
SQL> show user;
USER is "SCOTT"
SQL> exit
Disconnected from Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

5.查看entry

#这里看到咱们增长一个数据进来就会增长3个entries。
#分别是一个链接符，一个用户名，一个密码。
#当咱们增长了不少数据库与用户进来后，数据库与用户还有密码他们是怎么关联的呢？其实他们就是经过后面的这个数字来关键的。
[oracle@test db_1]$ mkstore -wrl  /u01/app/oracle/product/11.2.0/db_1/wallet -list
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

Oracle Secret Store entries:
oracle.security.client.connect_string1
oracle.security.client.password1
oracle.security.client.username1

6.建立默认用户与密码

这样能够实现，登录因此的数据库均可以使用默认的用户与密码

6.1 #建立默认的用户。
[oracle@test db_1]$ mkstore -wrl  /u01/app/oracle/product/11.2.0/db_1/wallet -createEntry  oracle.security.client.default_username scott
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
6.2 #建立默认用户的密码。
[oracle@test db_1]$ mkstore -wrl  /u01/app/oracle/product/11.2.0/db_1/wallet -createEntry  oracle.security.client.default_password oracle
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
6.3 #查看是否建立成功
[oracle@test db_1]$ mkstore -wrl  /u01/app/oracle/product/11.2.0/db_1/wallet -list
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

Oracle Secret Store entries:
oracle.security.client.connect_string1
oracle.security.client.default_password
oracle.security.client.default_username
oracle.security.client.password1
oracle.security.client.username1

7.当默认用户与手动增长的数据库信息到wallet中时，那一个生效呢？

下面咱们测试一下，当wallet里面建立了默认的用户与密码时，手动再增长一个增长的信息到wallet时，究竟是默认用户仍是手动增长的生效呢？实际上是手动增长的生效。

7.1 #因为默认用户增长的SCOTT普通用户，因此这里咱们增长sys这个用户来作测试，net service名是htzb
[oracle@test db_1]$ mkstore -wrl $ORACLE_HOME/wallet -createCredential htzb sys 'oracle'
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

Create credential oracle.security.client.connect_string1
7.2 #登录测试。
这里没有增长as sysdba就是为了能区别普通用户与sys用户登录的区别。若是是sys用户生效，就会报没有增长as sysdba登录，若是是scott这个默认用户生效，就会登录成功。
[oracle@test db_1]$ sqlplus /@htzb

SQL*Plus: Release 11.2.0.2.0 Production on Sat Sep 8 09:33:07 2012

Copyright (c) 1982, 2010, Oracle.  All rights reserved.
#这里报错，说明手动增长的SYS用户的生效。默认用户没有生效
ERROR:
ORA-28009: connection as SYS should be as SYSDBA or SYSOPER


Enter user-name:
7.3 #这里咱们再登录htz，登录成功。说明咱们默认用户在其它的net service是生效的。
[oracle@test db_1]$ sqlplus /@htz

SQL*Plus: Release 11.2.0.2.0 Production on Sat Sep 8 09:33:23 2012

Copyright (c) 1982, 2010, Oracle.  All rights reserved.


Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> exit
Disconnected from Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

7.4 #以sys as sysdba登录成功
[oracle@test db_1]$ sqlplus /@htzb as sysdba

SQL*Plus: Release 11.2.0.2.0 Production on Sat Sep 8 09:33:30 2012

Copyright (c) 1982, 2010, Oracle.  All rights reserved.


Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> show user
USER is "SYS"

8.下面测试的是经过mkstore修改wallet中的内容后，致使wallet相关的文件，权限自动改为600.

8.1 #把wallet的文件权限改为777
[oracle@test db_1]$ chmod 777 $ORACLE_HOME/wallet/*
[oracle@test db_1]$ ls -l $ORACLE_HOME/wallet
total 16
-rwxrwxrwx 1 oracle oinstall 4565 Sep  8 09:38 cwallet.sso
-rwxrwxrwx 1 oracle oinstall 4488 Sep  8 09:38 ewallet.p12
8.2 #手动在wallet中增长一个net service的配置信息
[oracle@test db_1]$ mkstore -wrl $ORACLE_HOME/wallet -deleteCredential htz
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

Delete credential
Delete 2
8.3 #再次查看权限时发现权限已经本身改为了600了
[oracle@test db_1]$ ls -l $ORACLE_HOME/wallet
total 16
-rw------- 1 oracle oinstall 4205 Sep  8 09:39 cwallet.sso
-rw------- 1 oracle oinstall 4128 Sep  8 09:39 ewallet.p12

9. 当用户的密码发生变化的时候须要修改wallet中的密码

[oracle@test ~]$ mkstore -wrl $ORACLE_HOME/wallet -modifyCredential htz scott 'oracleoracle';
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

Modify credential
Modify 1

10.查看wallet中有那些认证的信息

[oracle@test ~]$ mkstore -wrl $ORACLE_HOME/wallet -listCredential
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

List credential (index: connect_string username)
1: htz scott

11 从wallet删除一个net service的配置信息

[oracle@test ~]$ mkstore -wrl $ORACLE_HOME/wallet -deleteCredential  htz
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

Delete credential
Delete 1

12.修改默认的用户名

修改默认的用户名的密码的方法也同样。

[oracle@test ~]$ mkstore -wrl $ORACLE_HOME/wallet -viewEntry oracle.security.client.default_username
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

oracle.security.client.default_username = scott
[oracle@test ~]$ mkstore -wrl $ORACLE_HOME/wallet -modifyEntry oracle.security.client.default_username
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Your secret/Password is missing in the command line
Enter your secret/Password:

Re-enter your secret/Password:

Enter wallet password:

[oracle@test ~]$ mkstore -wrl $ORACLE_HOME/wallet -viewEntry oracle.security.client.default_username
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

oracle.security.client.default_username = oracle

13 删除默认的用户名

[oracle@test ~]$ mkstore -wrl $ORACLE_HOME/wallet -deleteEntry oracle.security.client.default_username
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

咱们通常的维护就这么多。