组织网站建设应该注意什么,什么网站做优化最好,长沙做网站 必看 磐石网络,政务信息系统网站建设规范说明#xff1a;本篇参考eygle老师的作品《Oracle DBA手记4#xff1a;数据安全警示录》#xff0c;特此表示感谢。 3 、Oracle Wallet加密策略Oracle Wallet是一种加密安全策略#xff0c;过去我们在TDE#xff08;Oracle透明加密#xff09;部分研究过这个组件。简单的… 说明本篇参考eygle老师的作品《Oracle DBA手记4数据安全警示录》特此表示感谢。 3 、Oracle Wallet加密策略 Oracle Wallet是一种加密安全策略过去我们在TDEOracle透明加密部分研究过这个组件。简单的说Oracle Wallet就是在本机上配置一个加密配置文件通过SQL命令控制Oracle Wallet的开启关闭状态如果Wallet关闭或者不存在那么一些加密的信息包括TDE和RMAN备份集合数据就不能正常打开。 使用Oracle Wallet应用在RMAN备份中可以实现类似的透明策略。而且备份集合只能在相同的服务器借助Wallet文件才能正确打开。 首先我们需要创建Oracle Wallet。注意笔者使用的GI单实例ASM策略监听器是从Grid里面执行的。 [oracleNCR-Standby-Asm ~]$ lsnrctl status LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 08-JUN-2015 13:49:47 Copyright (c) 1991, 2013, Oracle. All rights reserved. Connecting to (ADDRESS(PROTOCOLtcp)(HOST)(PORT1521)) STATUS of the LISTENER ------------------------ Alias LISTENER Version TNSLSNR for Linux: Version 11.2.0.4.0 - Production Start Date 25-MAY-2015 17:39:56 Uptime 13 days 20 hr. 9 min. 51 sec Trace Level off Security ON: Local OS Authentication SNMP OFF Listener Parameter File /u01/app/grid/product/11.2.0/grid/network/admin/listener.ora Listener Log File /u01/app/grid/diag/tnslsnr/NCR-Standby-Asm/listener/alert/log.xml Listening Endpoints Summary... (DESCRIPTION(ADDRESS(PROTOCOLipc)(KEYEXTPROC1521))) (DESCRIPTION(ADDRESS(PROTOCOLtcp)(HOSTlocalhost)(PORT1521))) Services Summary... Service ASM has 1 instance(s). Instance ASM, status READY, has 1 handler(s) for this service... Service sicsstb has 1 instance(s). Instance sicsstb, status READY, has 1 handler(s) for this service... Service sicsstbXDB has 1 instance(s). Instance sicsstb, status READY, has 1 handler(s) for this service... The command completed successfully 设置wallet目录位置需要修改sqlnet.ora文件加入特定的参数路径信息。注意虽然监听器指向的是Grid目录位置。但是修改的sqlnet.ora文件一定是Oracle Instance目录下的sqlnet.ora文件。否则自动创建秘钥文件过程会失败。 [oracleNCR-Standby-Asm ~]$ cd $ORACLE_HOME/network/admin [oracleNCR-Standby-Asm admin]$ ls -l total 24 drwxrwxr-x 2 oracle oinstall 4096 May 5 10:03 samples -rwxrwxr-x 1 oracle oinstall 381 Dec 17 2012 shrept.lst -rwxrwxr-x 1 oracle oinstall 327 Jun 8 15:32 sqlnet1506083PM3230.bak -rwxrwxr-x 1 oracle oinstall 327 Jun 8 14:29 sqlnet.ora -rwxrwxr-x 1 oracle oinstall 340 Jun 8 15:32 tnsnames1506083PM3230.bak -rwxrwxr-x 1 oracle oinstall 340 Jun 8 16:19 tnsnames.ora [oracleNCR-Standby-Asm admin]$ cat sqlnet.ora # Generated by Oracle configuration tools. NAMES.DIRECTORY_PATH (TNSNAMES, EZCONNECT) ENCRYPTION_WALLET_LOCATION(SOURCE(METHODFILE)(METHOD_DATA(DIRECTORY/u02/app/oracle/admin/sicsstb/WALLET))) 进入sqlplus创建wallet文件。 [oracleNCR-Standby-Asm admin]$ sqlplus /nolog SQL*Plus: Release 11.2.0.4.0 Production on Mon Jun 8 14:29:28 2015 Copyright (c) 1982, 2013, Oracle. All rights reserved. SQL conn / as sysdba Connected. SQL alter system set encryption key authenticated by test; System altered. 确定wallet文件生成。 [oracleNCR-Standby-Asm admin]$ pwd /u02/app/oracle/product/11.2.0/dbhome_1/network/admin [oracleNCR-Standby-Asm admin]$ cd /u02/app/oracle/admin/sicsstb/WALLET [oracleNCR-Standby-Asm WALLET]$ ls -l total 4 -rw-r--r-- 1 oracle asmadmin 2845 Jun 8 14:29 ewallet.p12 尝试关闭开启钱包操作。 SQL alter system set encryption wallet close identified by test; System altered SQL alter system set encryption wallet open identified by test; --把wallet打开了 System altered 配置加密备份过程。 RMAN configure encryption for database on; new RMAN configuration parameters: CONFIGURE ENCRYPTION FOR DATABASE ON; new RMAN configuration parameters are successfully stored RMAN set encryption on; executing command: SET encryption 备份数据库注意此时wallet开启。 RMAN backup database; Starting backup at 08-JUN-15 using channel ORA_DISK_1 篇幅原因有省略…… Starting Control File and SPFILE Autobackup at 08-JUN-15 piece handleRECO/sicsstb/autobackup/2015_06_08/s_881858264.262.881858265 commentNONE Finished Control File and SPFILE Autobackup at 08-JUN-15 备份操作是成功的但是如果我们关闭了钱包备份操作如何呢 SQL alter system set encryption wallet close identified by test; System altered 备份过程 RMAN backup database; Starting backup at 08-JUN-15 using channel ORA_DISK_1 channel ORA_DISK_1: starting full datafile backup set 篇幅原因有省略…… RMAN-00571: RMAN-00569: ERROR MESSAGE STACK FOLLOWS RMAN-00571: RMAN-03009: failure of backup command on ORA_DISK_1 channel at 06/08/2015 16:39:38 ORA-19914: unable to encrypt backup ORA-28365: wallet is not open 恢复过程测试。 RMAN startup mount; connected to target database (not started) Oracle instance started database mounted Total System Global Area 1603411968 bytes Fixed Size 2253664 bytes Variable Size 1006636192 bytes Database Buffers 587202560 bytes Redo Buffers 7319552 bytes RMAN restore database; Starting restore at 08-JUN-15 allocated channel: ORA_DISK_1 channel ORA_DISK_1: SID131 device typeDISK 篇幅原因有省略…… RMAN-00571: RMAN-00569: ERROR MESSAGE STACK FOLLOWS RMAN-00571: RMAN-03002: failure of restore command at 06/08/2015 16:41:19 ORA-19870: error while restoring backup piece RECO/sicsstb/backupset/2015_06_08/nnndf0_tag20150608t163709_0.261.881858229 ORA-19913: unable to decrypt backup ORA-28365: wallet is not open 不开钱包就不能进行还原。 SQL alter system set encryption wallet open identified by test; System altered RMAN restore database; Starting restore at 08-JUN-15 using channel ORA_DISK_1 channel ORA_DISK_1: starting datafile backup set restore 篇幅原因有省略……. channel ORA_DISK_1: restored backup piece 1 channel ORA_DISK_1: restore complete, elapsed time: 00:00:35 Finished restore at 08-JUN-15 RMAN recover database; Starting recover at 08-JUN-15 using channel ORA_DISK_1 starting media recovery media recovery complete, elapsed time: 00:00:01 Finished recover at 08-JUN-15 这种方式比较适合本地数据恢复如果本地异地恢复结合的方式建议使用第三种混合策略。 4、混合加密策略 混合加密策略其实就是前面两种策略的集合。如果本地备份恢复就可以使用wallet进行透明操作。如果是异地恢复可以使用密码策略。 首先设置encryption参数。 RMAN set encryption off; executing command: SET encryption RMAN set encryption on identified by test; --注意此处没有only了。 executing command: SET encryption 重启还原。 RMAN shutdown immediate; database closed database dismounted Oracle instance shut down RMAN startup mount; connected to target database (not started) Oracle instance started database mounted Total System Global Area 1603411968 bytes Fixed Size 2253664 bytes Variable Size 1006636192 bytes Database Buffers 587202560 bytes Redo Buffers 7319552 bytes RMAN restore database; Starting restore at 08-JUN-15 allocated channel: ORA_DISK_1 channel ORA_DISK_1: SID131 device typeDISK channel ORA_DISK_1: starting datafile backup set restore channel ORA_DISK_1: specifying datafile(s) to restore from backup set channel ORA_DISK_1: restoring datafile 00001 to DATA/sicsstb/datafile/system.267.881856977 channel ORA_DISK_1: restoring datafile 00002 to DATA/sicsstb/datafile/sysaux.268.881856977 channel ORA_DISK_1: restoring datafile 00003 to DATA/sicsstb/datafile/undotbs1.269.881856977 channel ORA_DISK_1: restoring datafile 00004 to DATA/sicsstb/datafile/users.270.881856977 channel ORA_DISK_1: reading from backup piece RECO/sicsstb/backupset/2015_06_08/nnndf0_tag20150608t163709_0.261.881858229 RMAN-00571: RMAN-00569: ERROR MESSAGE STACK FOLLOWS RMAN-00571: RMAN-03002: failure of restore command at 06/08/2015 16:47:42 ORA-19870: error while restoring backup piece RECO/sicsstb/backupset/2015_06_08/nnndf0_tag20150608t163709_0.261.881858229 ORA-19913: unable to decrypt backup ORA-28365: wallet is not open 启动钱包。 SQL alter system set encryption wallet open identified by test; System altered 之后恢复正常。 5、结论 安全是当今信息技术的一个大课题需要从技术、管理、制度和人员多层面进行配置规划设置标准的流程规范。
