如何创建从Oracle ATP数据库云服务实例的数据库链接

2350阅读 0评论2021-01-27 jackson198574
分类:Oracle

原文链接:

https://blogs.oracle.com/database/how-to-create-a-database-link-from-an-autonomous-data-warehouse-to-a-database-cloud-service-instance-v1-v2


如何创建从Oracle ATP(自治数据仓库)到数据库云服务实例的数据库链接

自治数据仓库(ADW)现在支持到任何可从ADW实例(包括数据库云服务(DBCS)和其他ADW/ATP实例)访问的数据库的传出数据库链接。要将数据库链接与ADW一起使用,必须将目标数据库配置为使用TCP/IP和SSL(TCPS)身份验证。由于ADW和ATP在默认情况下都使用TCPS身份验证,因此在这些服务之间建立数据库链接非常简单,只需几个步骤。另一方面,在没有配置TCPS身份验证的数据库中(例如在DBCS中)启用TCPS身份验证需要一些额外的步骤,这些步骤需要仔细遵循配置逻辑。在本文中,我将尝试演示如何创建从ADW实例到DBCS实例的数据库链接,包括启用TCPS身份验证的步骤。下面是我们将要遵循的步骤的概要:

在DBCS中启用TCPS身份验证

DBCS实例默认使用TCP/IP协议。在DBCS中配置tcp需要手动执行几个步骤。因为我们将修改默认监听器以使用TCPS,并且它是在grid user下配置的,所以我们将同时使用oracle和grid用户。以下是在DBCS中启用TCP所需的步骤:

为服务器和客户端创建具有自签名证书的wallet

作为启用TCPS身份验证的一部分,我们需要为服务器和客户端创建单独的钱包。每个钱包都必须有自己的证书,以便相互交换。在本例中,我将使用自签名证书。客户端钱包和证书可以在客户端创建;但是,稍后我将在服务器中创建客户端钱包和证书并将它们移动到本地系统。有关详细信息,请参阅配置安全套接字层身份验证。让我们开始。。。

配置安全套接字层身份验证配置:

https://docs.oracle.com/en/database/oracle/oracle-database/18/dbseg/configuring-secure-sockets-layer-authentication.html


root用户设置wallet目录:

点击(此处)折叠或打开

  1. [root@dbcs0604 u01]$ mkdir -p /u01/server/wallet
  2. [root@dbcs0604 u01]$ mkdir -p /u01/client/wallet
  3. [root@dbcs0604 u01]$ mkdir /u01/certificate
  4. [root@dbcs0604 /]# chown -R oracle:oinstall /u01/server
  5. [root@dbcs0604 /]# chown -R oracle:oinstall /u01/client
  6. [root@dbcs0604 /]# chown -R oracle:oinstall /u01/certificate

Oracle用户创建服务器wallet:

点击(此处)折叠或打开

  1. [oracle@dbcs0604 ~]$ cd /u01/server/wallet/
  2. [oracle@dbcs0604 wallet]$ orapki wallet create -wallet ./ -pwd Oracle123456 -auto_login
  3. Oracle PKI Tool Release 18.0.0.0.0 - Production
  4. Version 18.1.0.0.0
  5. Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.
  6.  
  7. Operation is successfully completed.

Oracle用户创建服务器认证:

点击(此处)折叠或打开

  1. [oracle@dbcs0604 wallet]$ orapki wallet add -wallet ./ -pwd Oracle123456 -dn "CN=dbcs" -keysize 1024 -self_signed -validity 3650 -sign_alg sha256
  2. Oracle PKI Tool Release 18.0.0.0.0 - Production
  3. Version 18.1.0.0.0
  4. Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.
  5.  
  6. Operation is successfully completed.

Oracle用户创建客户端wallet

点击(此处)折叠或打开

  1. [oracle@dbcs0604 wallet]$ cd /u01/client/wallet/
  2. [oracle@dbcs0604 wallet]$ orapki wallet create -wallet ./ -pwd Oracle123456 -auto_login
  3. Oracle PKI Tool Release 18.0.0.0.0 - Production
  4. Version 18.1.0.0.0
  5. Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.
  6.  
  7. Operation is successfully completed.

在服务器和客户端wallet之间交换证书(导出/导入证书)

使用oracle用户导出服务器证书:

点击(此处)折叠或打开

  1. [oracle@dbcs0604 wallet]$ orapki wallet export -wallet ./ -pwd Oracle123456 -dn "CN=dbcs" -cert /tmp/server.crt
  2. Oracle PKI Tool Release 18.0.0.0.0 - Production
  3. Version 18.1.0.0.0
  4. Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.
  5.  
  6. Operation is successfully completed.

Oracle用户导出客户端认证:

点击(此处)折叠或打开

  1. [oracle@dbcs0604 wallet]$ orapki wallet export -wallet ./ -pwd Oracle123456 -dn "CN=ctuzla-mac" -cert /tmp/client.crt
  2. Oracle PKI Tool Release 18.0.0.0.0 - Production
  3. Version 18.1.0.0.0
  4. Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.
  5.  
  6. Operation is successfully completed.

Oracle用户将客户端认证导入服务器wallet

点击(此处)折叠或打开

  1. [oracle@dbcs0604 wallet]$ cd /u01/server/wallet/
  2. [oracle@dbcs0604 wallet]$ orapki wallet add -wallet ./ -pwd Oracle123456 -trusted_cert -cert /tmp/client.crt
  3. Oracle PKI Tool Release 18.0.0.0.0 - Production
  4. Version 18.1.0.0.0
  5. Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.
  6.  
  7. Operation is successfully completed.



Oracle用户将服务器认证导入到客户端的wallet

点击(此处)折叠或打开

  1. [oracle@dbcs0604 wallet]$ cd /u01/client/wallet/
  2. [oracle@dbcs0604 wallet]$ orapki wallet add -wallet ./ -pwd Oracle123456 -trusted_cert -cert /tmp/server.crt
  3. Oracle PKI Tool Release 18.0.0.0.0 - Production
  4. Version 18.1.0.0.0
  5. Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.
  6.  
  7. Operation is successfully completed.

Oracle用户调整服务器wallet的权限

我们需要设置服务器wallet的权限,以便在启用TCPS端点后重新启动监听器时可以访问它。

点击(此处)折叠或打

  1. [oracle@dbcs0604 wallet]$ cd /u01/server/wallet
  2. [oracle@dbcs0604 wallet]$ chmod 640 cwallet.sso



在服务器和客户端网络文件中添加wallet位置

使用自签名证书和交换证书创建服务器和客户端walletTCPS配置的初始步骤。我们现在需要修改服务器和客户端网络文件,以便它们指向相应的wallet位置,并准备好使用TCPS协议。在我的案例中,这些文件是这样的:

服务器端$ORACLE\u HOME/network/admin/sqlnet.ora文件属主为grid:

点击(此处)折叠或打开

  1. # sqlnet.ora Network Configuration File: /u01/app/18.0.0.0/grid/network/admin/sqlnet.ora
  2. # Generated by Oracle configuration tools.
  3.  
  4. NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
  5.  
  6. wallet_location =
  7.  (SOURCE=
  8.   (METHOD=File)
  9.   (METHOD_DATA=
  10.    (DIRECTORY=/u01/server/wallet)))
  11.  
  12. SSL_SERVER_DN_MATCH=(ON)



服务器端 $ORACLE_HOME/network/admin/listener.ora 文件属主为grid

点击(此处)折叠或打开

  1. wallet_location =
  2.  (SOURCE=
  3.   (METHOD=File)
  4.   (METHOD_DATA=
  5.    (DIRECTORY=/u01/server/wallet)))
  6.  
  7. LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER))))            # line added by Agent
  8. ASMNET1LSNR_ASM=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=ASMNET1LSNR_ASM))))              # line added by Agent
  9. ENABLE_GLOBAL_DYNAMIC_ENDPOINT_ASMNET1LSNR_ASM=ON               # line added by Agent
  10. VALID_NODE_CHECKING_REGISTRATION_ASMNET1LSNR_ASM=SUBNET         # line added by Agent
  11. ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER=ON              # line added by Agent
  12. VALID_NODE_CHECKING_REGISTRATION_LISTENER=SUBNET                # line added by Agent

服务器端$ORACLE_HOME/network/admin/tnsnames.ora文件属主为oracle用户

点击(此处)折叠或打开

  1. # tnsnames.ora Network Configuration File: /u01/app/oracle/product/18.0.0.0/dbhome_1/network/admin/tnsnames.ora
  2. # Generated by Oracle configuration tools.
  3.  
  4. LISTENER_CDB1 =
  5.   (ADDRESS = (PROTOCOL = TCPS)(HOST = dbcs0604)(PORT = 1521))
  6.  
  7.  
  8. CDB1_IAD1W9 =
  9.   (DESCRIPTION =
  10.     (ADDRESS = (PROTOCOL = TCPS)(HOST = dbcs0604)(PORT = 1521))
  11.     (CONNECT_DATA =
  12.       (SERVER = DEDICATED)
  13.       (SERVICE_NAME = cdb1_iad1w9.sub05282047220.vcnctuzla.oraclevcn.com)
  14.     )
  15.     (SECURITY= (SSL_SERVER_CERT_DN="CN=dbcs"))
  16.   )
  17.  
  18. PDB1 =
  19.   (DESCRIPTION =
  20.     (ADDRESS = (PROTOCOL = TCPS)(HOST = dbcs0604)(PORT = 1521))
  21.     (CONNECT_DATA =
  22.       (SERVER = DEDICATED)
  23.       (SERVICE_NAME = pdb1.sub05282047220.vcnctuzla.oraclevcn.com)
  24.     )
  25.     (SECURITY= (SSL_SERVER_CERT_DN="CN=dbcs"))
  26.   )


TCPS端点添加到数据库监听

现在我们已经完成了wallet和网络文件的配置,我们可以进入下一步,即为数据库监听器配置TCPS端点。因为我们的监听器是使用grid用户配置的,所以我们将使用srvctl命令来修改并重新启动它。步骤如下:

点击(此处)折叠或打开

  1. [grid@dbcs0604 ~]$ srvctl modify listener -p "TCPS:1521"
  2. [grid@dbcs0604 ~]$ srvctl stop listener
  3. [grid@dbcs0604 ~]$ srvctl start listener
  4. [grid@dbcs0604 ~]$ srvctl stop database -database cdb1_iad1w9
  5. [grid@dbcs0604 ~]$ srvctl start database -database cdb1_iad1w9
  6. [grid@dbcs0604 ~]$ lsnrctl status
  7.  
  8. LSNRCTL for Linux: Version 18.0.0.0.0 - Production on 05-JUN-2019 16:07:24
  9.  
  10. Copyright (c) 1991, 2018, Oracle.  All rights reserved.
  11.  
  12. Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER)))
  13. STATUS of the LISTENER
  14. ------------------------
  15. Alias                     LISTENER
  16. Version                   TNSLSNR for Linux: Version 18.0.0.0.0 - Production
  17. Start Date                05-JUN-2019 16:05:50
  18. Uptime                    0 days 0 hr. 1 min. 34 sec
  19. Trace Level               off
  20. Security                  ON: Local OS Authentication
  21. SNMP                      OFF
  22. Listener Parameter File   /u01/app/18.0.0.0/grid/network/admin/listener.ora
  23. Listener Log File         /u01/app/grid/diag/tnslsnr/dbcs0604/listener/alert/log.xml
  24. Listening Endpoints Summary...
  25.   (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=LISTENER)))
  26.   (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=10.0.0.4)(PORT=1521)))
  27. Services Summary...
  28. Service "867e3020a52702dee053050011acf8c0.sub05282047220.vcnctuzla.oraclevcn.com" has 1 instance(s).
  29.   Instance "cdb1", status READY, has 2 handler(s) for this service...
  30. Service "8a8e0ea41ac27e2de0530400000a486a.sub05282047220.vcnctuzla.oraclevcn.com" has 1 instance(s).
  31.   Instance "cdb1", status READY, has 2 handler(s) for this service...
  32. Service "cdb1XDB.sub05282047220.vcnctuzla.oraclevcn.com" has 1 instance(s).
  33.   Instance "cdb1", status READY, has 1 handler(s) for this service...
  34. Service "cdb1_iad1w9.sub05282047220.vcnctuzla.oraclevcn.com" has 1 instance(s).
  35.   Instance "cdb1", status READY, has 2 handler(s) for this service...
  36. Service "pdb1.sub05282047220.vcnctuzla.oraclevcn.com" has 1 instance(s).
  37.   Instance "cdb1", status READY, has 2 handler(s) for this service...
  38. The command completed successfully



请注意,在第一步中,我们将TCPS端点添加到默认监听器的端口1521。也可以保持端口1521的原样,并将TCPS端点添加到不同的端口(例如1523)。

通过TCPS从客户端连接到DBCS实例

我们现在应该配置TCPS身份验证。在开始测试之前,让我们先看看客户端网络文件(请注意tnsnames.oraDBCS实例的公共IP地址):

客户端tnsnames.ora文件

点击(此处)折叠或打开

  1. CDB1 =
  2.   (DESCRIPTION =
  3.     (ADDRESS = (PROTOCOL = TCPS)(HOST = 132.145.151.208)(PORT = 1521))
  4.     (CONNECT_DATA =
  5.       (SERVER = DEDICATED)
  6.       (SERVICE_NAME = cdb1_iad1w9.sub05282047220.vcnctuzla.oraclevcn.com)
  7.     )
  8.     (SECURITY= (SSL_SERVER_CERT_DN="CN=dbcs"))
  9.   )
  10.      
  11. PDB1 =
  12.   (DESCRIPTION =
  13.     (ADDRESS = (PROTOCOL = TCPS)(HOST = 132.145.151.208)(PORT = 1521))
  14.     (CONNECT_DATA =
  15.       (SERVER = DEDICATED)
  16.       (SERVICE_NAME = pdb1.sub05282047220.vcnctuzla.oraclevcn.com)
  17.     )
  18.     (SECURITY= (SSL_SERVER_CERT_DN="CN=dbcs"))
  19.    )

客户端sqlnet.ora文件


点击(此处)折叠或打开

  1. WALLET_LOCATION =
  2.    (SOURCE =
  3.      (METHOD = FILE)
  4.      (METHOD_DATA =
  5.        (DIRECTORY = /Users/cantuzla/Desktop/wallet)
  6.      )
  7.    )
  8.  
  9. SSL_SERVER_DN_MATCH=(ON)

为了从客户端连接到DBCS实例,您需要在OCI中的虚拟云网络(VCN)的安全列表中为要使用的端口(例如1521)添加入口规则,如下所示:



我们现在可以尝试在DBCS实例(CDB1)中建立到PDB1的客户端连接:


点击(此处)折叠或打开

  1. ctuzla-mac:~ cantuzla$ cd Desktop/InstantClient/instantclient_18_1/
  2. ctuzla-mac:instantclient_18_1 cantuzla$ ./sqlplus /nolog
  3.  
  4. SQL*Plus: Release 18.0.0.0.0 Production on Wed Jun 5 09:39:56 2019
  5. Version 18.1.0.0.0
  6.  
  7. Copyright (c) 1982, 2018, Oracle.  All rights reserved.
  8.  
  9. SQL> connect c##dbcs/DBcs123_#@PDB1
  10. Connected.
  11. SQL> select * from dual;
  12.  
  13. D
  14. -
  15. X



创建从ADWDBCSDB链接

我们现在在DBCS实例中有了一个有效的TCPS身份验证。以下是文档中的步骤,我们将按照这些步骤创建从ADWDBCS的数据库链接:

·复制目标数据库wallet(客户端walletcwallet.sso文件我们在/u01/client/wallet)中为目标数据库创建的对象存储。

·创建凭据,以访问存储对象的对象存储区cwallet.sso文件. 有关详细信息,请参阅创建凭证过程。

·使用DBMS_CLOUD.GET_OBJECT将目标数据库wallet上传到ADW上的data_pump_dir目录:

点击(此处)折叠或打开

  1. SQL> BEGIN
  2.   DBMS_CLOUD.GET_OBJECT(
  3.     credential_name => 'OBJ_STORE_CRED',
  4.     object_uri => 'https://objectstorage.us-phoenix-1.oraclecloud.com/n/adwctraining8/b/target-wallet/o/cwallet.sso',
  5.     directory_name => 'DATA_PUMP_DIR');
  6. END;
  7. /   
  8.  
  9. PL/SQL procedure successfully completed.


ADW上创建访问目标数据库的凭据。使用DBMS_CLOUD.CREATE_CREDENTIAL指定的用户名和密码是用于创建数据库链接的目标数据库的凭据。确保用户名字幕均由大写字母组成。对于本例,我将使用在DBCS实例中创建的C##DBCS公共用户:

点击(此处)折叠或打开

  1. SQL> BEGIN
  2.   DBMS_CLOUD.CREATE_CREDENTIAL(
  3.     credential_name => 'DBCS_LINK_CRED',
  4.     username => 'C##DBCS',
  5.     password => 'DBcs123_#');
  6. END;
  7. /   
  8.  
  9. PL/SQL procedure successfully completed.


使用DBMS_CLOUD_ADMIN.CREATE_DATABASE_LINK创建到目标数据库的数据库链接

点击(此处)折叠或打开

  1. SQL> BEGIN
  2.   DBMS_CLOUD_ADMIN.CREATE_DATABASE_LINK(
  3.     db_link_name => 'DBCSLINK',
  4.     hostname => '132.145.151.208',
  5.     port => '1521',
  6.     service_name => 'pdb1.sub05282047220.vcnctuzla.oraclevcn.com',
  7.     ssl_server_cert_dn => 'CN=dbcs',
  8.     credential_name => 'DBCS_LINK_CRED');
  9. END;



 使用已创建的数据库链接访问目标数据库:

点击(此处)折叠或打开

  1. SQL> select * from dual@DBCSLINK;
  2.  
  3. D
  4. -
  5. X

就这样!在这篇博文中,我们讨论了如何在DBCS中启用TCPS身份验证,以及如何创建从ADWDBCS实例的传出数据库链接。尽管我们关注的是DBCS配置,但在ADW和任何其他Oracle数据库之间建立数据库链接时,也可以应用这些步骤。


上一篇:如何创建从Oracle ATP数据库云服务实例的数据库链接
下一篇:2020年自治数据库专用Exadata基础设施使用进度报告