Oracle Listener Poisoning Vulnerability Remediation Plan

References: (Doc ID 1340831.1), (Doc ID 1453883.1), (Doc ID 1600630.1)
(1) 11.2: registration through the SCAN listeners

The example environment is a two-node 11.2 RAC cluster with three SCAN listeners. The COST restriction limits remote instance registration to the TCPS protocol and the local grid agent to IPC. To establish a connection over TCPS, PMON and the listener must complete an SSL handshake.

Procedure
1. Create the Oracle wallet "ewallet.p12"
[oracle@rac1]$ mkdir /u01/app/11.2.0.2/grid/network/admin/cost
[oracle@rac1]$ orapki wallet create -wallet /u01/app/11.2.0.2/grid/network/admin/cost
2. Remove all of the well-known trusted certificates
[oracle@rac1]$ orapki wallet remove -trusted_cert_all -wallet /u01/app/11.2.0.2/grid/network/admin/cost
3. Create a custom (self-signed) trusted certificate
[oracle@rac1]$ orapki wallet add -wallet /u01/app/11.2.0.2/grid/network/admin/cost -self_signed -dn "cn=secure_register" -keysize 1024 -validity 3650
-- Display the wallet to confirm that the certificate exists and is the only one
[oracle@rac1]$ orapki wallet display -wallet /u01/app/11.2.0.2/grid/network/admin/cost -summary

Oracle PKI Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
User Certificates:
Subject: CN=secure_register
Trusted Certificates:
Subject: CN=secure_register
4. Copy the created cost directory and its files to the same path on every node
5. Use orapki on each node to create a node-unique obfuscated auto-login file "cwallet.sso"
[oracle@rac1]$ orapki wallet create -wallet /u01/app/11.2.0.2/grid/network/admin/cost -auto_login
6. Restrict the permissions on cwallet.sso
[oracle@rac1]$ chmod 640 cwallet.sso
[oracle@rac1]$ ls -al
-rw-r----- 1 oracle oinstall 2493 Jul 11 15:18 cwallet.sso
-rw------- 1 oracle oinstall 2416 Jul 11 15:18 ewallet.p12

7. Update listener.ora, adding WALLET_LOCATION (leave the SECURE_REGISTER lines commented out for now; they are enabled in step 12)
[oracle@rac1]$ vi listener.ora
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/11.2.0.2/grid/network/admin/cost)
    )
  )
#SECURE_REGISTER_LISTENER = (IPC,TCP)
#SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)
#SECURE_REGISTER_LISTENER_SCAN2 = (IPC,TCPS)
#SECURE_REGISTER_LISTENER_SCAN3 = (IPC,TCPS)

8. Use srvctl to modify the SCAN listener, adding the TCPS:1523 endpoint
srvctl modify scan_listener -p TCP:1521/TCPS:1523
srvctl stop scan_listener
srvctl start scan_listener
9. Update sqlnet.ora, adding WALLET_LOCATION
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/11.2.0.2/grid/network/admin/cost)
    )
  )

10. Change the instance parameter remote_listener so that registration uses the TCPS protocol
SQL> alter system set remote_listener='(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=10.141.155.121)(PORT=1523))(ADDRESS=(PROTOCOL=TCPS)(HOST=10.141.155.122)(PORT=1523))(ADDRESS=(PROTOCOL=TCPS)(HOST=10.141.155.120)(PORT=1523)))' scope=both sid='*';
11. Stop here and verify that every instance is registering correctly with the SCAN listeners over TCPS. If any is not, roll back the changes.
12. Uncomment the SECURE_REGISTER lines in listener.ora
SECURE_REGISTER_LISTENER = (IPC,TCP)
SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)
SECURE_REGISTER_LISTENER_SCAN2 = (IPC,TCPS)
SECURE_REGISTER_LISTENER_SCAN3 = (IPC,TCPS)
13. Restart the SCAN listeners
[oracle@rac1]$ srvctl stop scan_listener
[oracle@rac1]$ srvctl start scan_listener

(2) Oracle RAC releases before 11.2 (10.2.0.3 - 11.1)
This approach applies to 10g RAC databases; the local-listener remediation approach can also be used as a reference.
# Prerequisite: confirm that patch 12880299 is present in the inventory
$ORACLE_HOME/OPatch/opatch lsinventory | grep 12880299

mkdir $ORACLE_HOME/network/admin/cost
ssh rac-2 "mkdir $ORACLE_HOME/network/admin/cost"

orapki wallet create -wallet $ORACLE_HOME/network/admin/cost

orapki wallet add -wallet $ORACLE_HOME/network/admin/cost -self_signed -dn "cn=secure_register" -keysize 1024 -validity 3650

ssh rac-2 "orapki wallet add -wallet $ORACLE_HOME/network/admin/cost -self_signed -dn 'cn=secure_register' -keysize 1024 -validity 3650"

orapki wallet display -wallet $ORACLE_HOME/network/admin/cost

scp ewallet.p12 rac-2:$ORACLE_HOME/network/admin/cost

orapki wallet create -wallet $ORACLE_HOME/network/admin/cost -auto_login
ssh rac-2 "orapki wallet create -wallet $ORACLE_HOME/network/admin/cost -auto_login"

vi $ORACLE_HOME/network/admin/listener.ora
LISTENER_RAC1 =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
      (ADDRESS = (PROTOCOL = TCP)(HOST = rac1-vip.us.oracle.com)(PORT = 1521))
# add the TCPS endpoint:
      (ADDRESS = (PROTOCOL = TCPS)(HOST = rac1-vip.us.oracle.com)(PORT = 1523))
      (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.203.210)(PORT = 1521))
    )
  )

# add:
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/product/10.2/db/network/admin/cost)
    )
  )
#SECURE_REGISTER_LISTENER_RAC1 = (TCP,TCPS)

srvctl stop listener -n rac-2
srvctl start listener -n rac-2
lsnrctl status

vi $ORACLE_HOME/network/admin/sqlnet.ora
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /u01/app/oracle/product/10.2.0/db_1/network/admin/cost)
)
)

sqlplus "/ as sysdba"
SQL> show parameter remote_listener
NAME                 TYPE        VALUE
-------------------- ----------- ------------------------------
remote_listener      string      listeners_rac
vi $ORACLE_HOME/network/admin/listener.ora
# add/modify (adjust the alias to match the output of show parameter remote_listener)
LISTENERS_RAC =
  (ADDRESS_LIST =
    (ADDRESS = (PROTOCOL = TCP)(HOST = rac1-vip.us.oracle.com)(PORT = 1521))
    (ADDRESS = (PROTOCOL = TCP)(HOST = rac2-vip.us.oracle.com)(PORT = 1521))
    (ADDRESS = (PROTOCOL = TCPS)(HOST = rac1-vip.us.oracle.com)(PORT = 1523))
    (ADDRESS = (PROTOCOL = TCPS)(HOST = rac2-vip.us.oracle.com)(PORT = 1523))
  )

# uncomment:
SECURE_REGISTER_LISTENER_RAC1 = (TCP,TCPS)

srvctl stop listener -n rac-2
srvctl start listener -n rac-2
lsnrctl status

(3) Releases 11.2.0.4 through 12.2.0.1
Note: on Oracle 11.2.0.4, VALID_NODE_CHECKING_REGISTRATION_listener_name defaults to OFF and must be set to ON to enable blocking of remote registration attempts.
VALID_NODE_CHECKING_REGISTRATION_listener_name
Values:
OFF / 0 - Disables VNCR.
ON / 1 / LOCAL - Default. Enables VNCR. All IP addresses of the local machine may register.
SUBNET / 2 - All machines in the subnet may register.
REGISTRATION_INVITED_NODES_listener_name
Values are valid IP addresses, valid host names, subnets in CIDR notation (for IPv4/IPv6), or wildcards (*) for IPv4. For example: REGISTRATION_INVITED_NODES_LISTENER = (net-vm1, 127.98.45.209, 127.42.5.*)
1. Update listener.ora
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_MGMTLSNR=ON # line added by Agent
ADMIN_RESTRICTIONS_ADMIN=ON
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_EBSPRD01=ON # line added by Agent
VALID_NODE_CHECKING_REGISTRATION_MGMTLSNR=SUBNET # line added by Agent
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN3=OFF # line added by Agent
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN2=OFF # line added by Agent
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=OFF # line added by Agent
VALID_NODE_CHECKING_REGISTRATION_LISTENER = SUBNET
REGISTRATION_INVITED_NODES_LISTENER=(net-vm1, 127.98.45.209, 127.42.5.*)
2. Restart the listener
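The following Python audit is an added example (not from the original post and not an Oracle tool): it parses a listener.ora and reports, per listener, whether dynamic registration is restricted by the COST SECURE_REGISTER_* settings of sections (1) and (4) or by the VNCR settings of section (3), flagging listeners left at VNCR OFF or without any setting. The sample listener.ora content is constructed, and the list of listener names handed to audit() is an assumption.

```python
import re

# Constructed sample listener.ora mixing the settings this page applies (COST,
# VNCR, invited nodes); LISTENER_SCAN3 deliberately has no setting at all.
SAMPLE_LISTENER_ORA = """
SECURE_REGISTER_LISTENER = (IPC,TCP)
SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN2=OFF # line added by Agent
VALID_NODE_CHECKING_REGISTRATION_LISTENER = SUBNET
REGISTRATION_INVITED_NODES_LISTENER=(net-vm1, 127.98.45.209, 127.42.5.*)
"""

PREFIXES = {"SECURE_REGISTER_": "cost",                 # parameter prefix -> result key
            "VALID_NODE_CHECKING_REGISTRATION_": "vncr",
            "REGISTRATION_INVITED_NODES_": "invited"}

def parse_registration_settings(text):
    """Map listener name -> {'cost': [protocols], 'vncr': mode, 'invited': [nodes]}."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop "# line added by Agent" comments
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.+)$", line)
        if not m:
            continue
        key, value = m.group(1).upper(), m.group(2).strip()
        items = [v.strip() for v in value.strip("()").split(",") if v.strip()]
        for prefix, kind in PREFIXES.items():
            if key.startswith(prefix):
                entry = settings.setdefault(key[len(prefix):], {})
                if kind == "vncr":
                    entry[kind] = value.upper()           # OFF/ON/LOCAL/SUBNET/0/1/2
                else:
                    entry[kind] = [p.upper() for p in items] if kind == "cost" else items
    return settings

def audit(settings, listeners):
    """Classify each listener as 'restricted', 'weak' or 'open', with a reason."""
    findings = {}
    for name in listeners:
        s = settings.get(name.upper(), {})
        cost, vncr = s.get("cost"), s.get("vncr")
        if vncr in ("OFF", "0"):
            findings[name] = ("weak", "VNCR explicitly OFF: any host may register")
        elif cost and "SCAN" in name.upper() and "TCP" in cost:
            # the page restricts SCAN listeners to (IPC,TCPS), so plain TCP is a gap
            findings[name] = ("weak", "SCAN listener still accepts plain-TCP registration")
        elif cost or vncr:
            findings[name] = ("restricted", "COST=%s VNCR=%s invited=%s" % (cost, vncr, s.get("invited")))
        else:
            findings[name] = ("open", "no SECURE_REGISTER or VNCR setting")
    return findings
```

Run it against a real listener.ora by reading the file into `parse_registration_settings` and passing the listener names from `lsnrctl status` (or `srvctl config scan_listener`) to `audit`.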

(4) Single-instance databases
1. Update listener.ora, adding SECURE_REGISTER_LISTENER
SECURE_REGISTER_LISTENER = (IPC,TCP)
2. Restart the listener


Reposted from blog.51cto.com/sxp309932147/2378654