原文链接:
https://blogs.oracle.com/database/how-to-create-a-database-link-from-an-autonomous-data-warehouse-to-a-database-cloud-service-instance-v1-v2
如何创建从Oracle ATP(自治数据仓库)到数据库云服务实例的数据库链接
自治数据仓库(ADW)现在支持到任何可从ADW实例(包括数据库云服务(DBCS)和其他ADW/ATP实例)访问的数据库的传出数据库链接。要将数据库链接与ADW一起使用,必须将目标数据库配置为使用TCP/IP和SSL(TCPS)身份验证。由于ADW和ATP在默认情况下都使用TCPS身份验证,因此在这些服务之间建立数据库链接非常简单,只需几个步骤。另一方面,在没有配置TCPS身份验证的数据库中(例如在DBCS中)启用TCPS身份验证需要一些额外的步骤,这些步骤需要仔细遵循配置逻辑。在本文中,我将尝试演示如何创建从ADW实例到DBCS实例的数据库链接,包括启用TCPS身份验证的步骤。下面是我们将要遵循的步骤的概要:
-
在DBCS中启用TCPS身份验证
-
通过TCPS从客户端连接到DBCS实例
-
创建从ADW到DBCS的DB链路
用root用户设置wallet目录:
-
[root@dbcs0604 u01]$ mkdir -p /u01/server/wallet
-
[root@dbcs0604 u01]$ mkdir -p /u01/client/wallet
-
[root@dbcs0604 u01]$ mkdir /u01/certificate
-
[root@dbcs0604 /]# chown -R oracle:oinstall /u01/server
-
[root@dbcs0604 /]# chown -R oracle:oinstall /u01/client
-
[root@dbcs0604 /]# chown -R oracle:oinstall /u01/certificate
用Oracle用户创建服务器wallet:
-
[oracle@dbcs0604 ~]$ cd /u01/server/wallet/
-
[oracle@dbcs0604 wallet]$ orapki wallet create -wallet ./ -pwd Oracle123456 -auto_login
-
Oracle PKI Tool Release 18.0.0.0.0 - Production
-
Version 18.1.0.0.0
-
Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.
-
-
Operation is successfully completed.
用Oracle用户创建服务器认证:
-
[oracle@dbcs0604 wallet]$ orapki wallet add -wallet ./ -pwd Oracle123456 -dn "CN=dbcs" -keysize 1024 -self_signed -validity 3650 -sign_alg sha256
-
Oracle PKI Tool Release 18.0.0.0.0 - Production
-
Version 18.1.0.0.0
-
Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.
-
-
Operation is successfully completed.
用Oracle用户创建客户端wallet:
-
[oracle@dbcs0604 wallet]$ cd /u01/client/wallet/
-
[oracle@dbcs0604 wallet]$ orapki wallet create -wallet ./ -pwd Oracle123456 -auto_login
-
Oracle PKI Tool Release 18.0.0.0.0 - Production
-
Version 18.1.0.0.0
-
Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.
-
-
Operation is successfully completed.
在服务器和客户端wallet之间交换证书(导出/导入证书)
使用oracle用户导出服务器证书:
-
[oracle@dbcs0604 wallet]$ orapki wallet export -wallet ./ -pwd Oracle123456 -dn "CN=dbcs" -cert /tmp/server.crt
-
Oracle PKI Tool Release 18.0.0.0.0 - Production
-
Version 18.1.0.0.0
-
Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.
-
-
Operation is successfully completed.
用Oracle用户导出客户端认证:
-
[oracle@dbcs0604 wallet]$ orapki wallet export -wallet ./ -pwd Oracle123456 -dn "CN=ctuzla-mac" -cert /tmp/client.crt
-
Oracle PKI Tool Release 18.0.0.0.0 - Production
-
Version 18.1.0.0.0
-
Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.
-
-
Operation is successfully completed.
用Oracle用户将客户端认证导入服务器wallet:
-
[oracle@dbcs0604 wallet]$ cd /u01/server/wallet/
-
[oracle@dbcs0604 wallet]$ orapki wallet add -wallet ./ -pwd Oracle123456 -trusted_cert -cert /tmp/client.crt
-
Oracle PKI Tool Release 18.0.0.0.0 - Production
-
Version 18.1.0.0.0
-
Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.
-
-
Operation is successfully completed.
用Oracle用户将服务器认证导入到客户端的wallet:
-
[oracle@dbcs0604 wallet]$ cd /u01/client/wallet/
-
[oracle@dbcs0604 wallet]$ orapki wallet add -wallet ./ -pwd Oracle123456 -trusted_cert -cert /tmp/server.crt
-
Oracle PKI Tool Release 18.0.0.0.0 - Production
-
Version 18.1.0.0.0
-
Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.
-
-
Operation is successfully completed.
用Oracle用户调整服务器wallet的权限
我们需要设置服务器wallet的权限,以便在启用TCPS端点后重新启动监听器时可以访问它。
-
[oracle@dbcs0604 wallet]$ cd /u01/server/wallet
-
[oracle@dbcs0604 wallet]$ chmod 640 cwallet.sso
在服务器和客户端网络文件中添加wallet位置
使用自签名证书和交换证书创建服务器和客户端wallet是TCPS配置的初始步骤。我们现在需要修改服务器和客户端网络文件,以便它们指向相应的wallet位置,并准备好使用TCPS协议。在我的案例中,这些文件是这样的:
服务器端$ORACLE\u HOME/network/admin/sqlnet.ora文件属主为grid:
-
# sqlnet.ora Network Configuration File: /u01/app/18.0.0.0/grid/network/admin/sqlnet.ora
-
# Generated by Oracle configuration tools.
-
-
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
-
-
wallet_location =
-
(SOURCE=
-
(METHOD=File)
-
(METHOD_DATA=
-
(DIRECTORY=/u01/server/wallet)))
-
-
SSL_SERVER_DN_MATCH=(ON)
服务器端 $ORACLE_HOME/network/admin/listener.ora 文件属主为grid
-
wallet_location =
-
(SOURCE=
-
(METHOD=File)
-
(METHOD_DATA=
-
(DIRECTORY=/u01/server/wallet)))
-
-
LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER)))) # line added by Agent
-
ASMNET1LSNR_ASM=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=ASMNET1LSNR_ASM)))) # line added by Agent
-
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_ASMNET1LSNR_ASM=ON # line added by Agent
-
VALID_NODE_CHECKING_REGISTRATION_ASMNET1LSNR_ASM=SUBNET # line added by Agent
-
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER=ON # line added by Agent
-
VALID_NODE_CHECKING_REGISTRATION_LISTENER=SUBNET # line added by Agent
服务器端$ORACLE_HOME/network/admin/tnsnames.ora文件属主为oracle用户
-
# tnsnames.ora Network Configuration File: /u01/app/oracle/product/18.0.0.0/dbhome_1/network/admin/tnsnames.ora
-
# Generated by Oracle configuration tools.
-
-
LISTENER_CDB1 =
-
(ADDRESS = (PROTOCOL = TCPS)(HOST = dbcs0604)(PORT = 1521))
-
-
-
CDB1_IAD1W9 =
-
(DESCRIPTION =
-
(ADDRESS = (PROTOCOL = TCPS)(HOST = dbcs0604)(PORT = 1521))
-
(CONNECT_DATA =
-
(SERVER = DEDICATED)
-
(SERVICE_NAME = cdb1_iad1w9.sub05282047220.vcnctuzla.oraclevcn.com)
-
)
-
(SECURITY= (SSL_SERVER_CERT_DN="CN=dbcs"))
-
)
-
-
PDB1 =
-
(DESCRIPTION =
-
(ADDRESS = (PROTOCOL = TCPS)(HOST = dbcs0604)(PORT = 1521))
-
(CONNECT_DATA =
-
(SERVER = DEDICATED)
-
(SERVICE_NAME = pdb1.sub05282047220.vcnctuzla.oraclevcn.com)
-
)
-
(SECURITY= (SSL_SERVER_CERT_DN="CN=dbcs"))
-
)
将TCPS端点添加到数据库监听器
现在我们已经完成了wallet和网络文件的配置,我们可以进入下一步,即为数据库监听器配置TCPS端点。因为我们的监听器是使用grid用户配置的,所以我们将使用srvctl命令来修改并重新启动它。步骤如下:
-
[grid@dbcs0604 ~]$ srvctl modify listener -p "TCPS:1521"
-
[grid@dbcs0604 ~]$ srvctl stop listener
-
[grid@dbcs0604 ~]$ srvctl start listener
-
[grid@dbcs0604 ~]$ srvctl stop database -database cdb1_iad1w9
-
[grid@dbcs0604 ~]$ srvctl start database -database cdb1_iad1w9
-
[grid@dbcs0604 ~]$ lsnrctl status
-
-
LSNRCTL for Linux: Version 18.0.0.0.0 - Production on 05-JUN-2019 16:07:24
-
-
Copyright (c) 1991, 2018, Oracle. All rights reserved.
-
-
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER)))
-
STATUS of the LISTENER
-
------------------------
-
Alias LISTENER
-
Version TNSLSNR for Linux: Version 18.0.0.0.0 - Production
-
Start Date 05-JUN-2019 16:05:50
-
Uptime 0 days 0 hr. 1 min. 34 sec
-
Trace Level off
-
Security ON: Local OS Authentication
-
SNMP OFF
-
Listener Parameter File /u01/app/18.0.0.0/grid/network/admin/listener.ora
-
Listener Log File /u01/app/grid/diag/tnslsnr/dbcs0604/listener/alert/log.xml
-
Listening Endpoints Summary...
-
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=LISTENER)))
-
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=10.0.0.4)(PORT=1521)))
-
Services Summary...
-
Service "867e3020a52702dee053050011acf8c0.sub05282047220.vcnctuzla.oraclevcn.com" has 1 instance(s).
-
Instance "cdb1", status READY, has 2 handler(s) for this service...
-
Service "8a8e0ea41ac27e2de0530400000a486a.sub05282047220.vcnctuzla.oraclevcn.com" has 1 instance(s).
-
Instance "cdb1", status READY, has 2 handler(s) for this service...
-
Service "cdb1XDB.sub05282047220.vcnctuzla.oraclevcn.com" has 1 instance(s).
-
Instance "cdb1", status READY, has 1 handler(s) for this service...
-
Service "cdb1_iad1w9.sub05282047220.vcnctuzla.oraclevcn.com" has 1 instance(s).
-
Instance "cdb1", status READY, has 2 handler(s) for this service...
-
Service "pdb1.sub05282047220.vcnctuzla.oraclevcn.com" has 1 instance(s).
-
Instance "cdb1", status READY, has 2 handler(s) for this service...
-
The command completed successfully
请注意,在第一步中,我们将TCPS端点添加到默认监听器的端口1521。也可以保持端口1521的原样,并将TCPS端点添加到不同的端口(例如1523)。
通过TCPS从客户端连接到DBCS实例
我们现在应该配置TCPS身份验证。在开始测试之前,让我们先看看客户端网络文件(请注意tnsnames.ora中的DBCS实例的公共IP地址):
客户端tnsnames.ora文件
-
CDB1 =
-
(DESCRIPTION =
-
(ADDRESS = (PROTOCOL = TCPS)(HOST = 132.145.151.208)(PORT = 1521))
-
(CONNECT_DATA =
-
(SERVER = DEDICATED)
-
(SERVICE_NAME = cdb1_iad1w9.sub05282047220.vcnctuzla.oraclevcn.com)
-
)
-
(SECURITY= (SSL_SERVER_CERT_DN="CN=dbcs"))
-
)
-
-
PDB1 =
-
(DESCRIPTION =
-
(ADDRESS = (PROTOCOL = TCPS)(HOST = 132.145.151.208)(PORT = 1521))
-
(CONNECT_DATA =
-
(SERVER = DEDICATED)
-
(SERVICE_NAME = pdb1.sub05282047220.vcnctuzla.oraclevcn.com)
-
)
-
(SECURITY= (SSL_SERVER_CERT_DN="CN=dbcs"))
-
)
客户端sqlnet.ora文件
-
WALLET_LOCATION =
-
(SOURCE =
-
(METHOD = FILE)
-
(METHOD_DATA =
-
(DIRECTORY = /Users/cantuzla/Desktop/wallet)
-
)
-
)
-
-
SSL_SERVER_DN_MATCH=(ON)
为了从客户端连接到DBCS实例,您需要在OCI中的虚拟云网络(VCN)的安全列表中为要使用的端口(例如1521)添加入口规则,如下所示:
我们现在可以尝试在DBCS实例(CDB1)中建立到PDB1的客户端连接:
-
ctuzla-mac:~ cantuzla$ cd Desktop/InstantClient/instantclient_18_1/
-
ctuzla-mac:instantclient_18_1 cantuzla$ ./sqlplus /nolog
-
-
SQL*Plus: Release 18.0.0.0.0 Production on Wed Jun 5 09:39:56 2019
-
Version 18.1.0.0.0
-
-
Copyright (c) 1982, 2018, Oracle. All rights reserved.
-
-
SQL> connect c##dbcs/DBcs123_#@PDB1
-
Connected.
-
SQL> select * from dual;
-
-
D
-
-
-
X
创建从ADW到DBCS的DB链接
我们现在在DBCS实例中有了一个有效的TCPS身份验证。以下是文档中的步骤,我们将按照这些步骤创建从ADW到DBCS的数据库链接:
·复制目标数据库wallet(客户端wallet)cwallet.sso文件我们在/u01/client/wallet)中为目标数据库创建的对象存储。
·创建凭据,以访问存储对象的对象存储区cwallet.sso文件. 有关详细信息,请参阅创建凭证过程。
·使用DBMS_CLOUD.GET_OBJECT将目标数据库wallet上传到ADW上的data_pump_dir目录:
-
SQL> BEGIN
-
DBMS_CLOUD.GET_OBJECT(
-
credential_name => 'OBJ_STORE_CRED',
-
object_uri => 'https://objectstorage.us-phoenix-1.oraclecloud.com/n/adwctraining8/b/target-wallet/o/cwallet.sso',
-
directory_name => 'DATA_PUMP_DIR');
-
END;
-
/
-
-
PL/SQL procedure successfully completed.
在ADW上创建访问目标数据库的凭据。使用DBMS_CLOUD.CREATE_CREDENTIAL指定的用户名和密码是用于创建数据库链接的目标数据库的凭据。确保用户名字幕均由大写字母组成。对于本例,我将使用在DBCS实例中创建的C##DBCS公共用户:
-
SQL> BEGIN
-
DBMS_CLOUD.CREATE_CREDENTIAL(
-
credential_name => 'DBCS_LINK_CRED',
-
username => 'C##DBCS',
-
password => 'DBcs123_#');
-
END;
-
/
-
-
PL/SQL procedure successfully completed.
使用DBMS_CLOUD_ADMIN.CREATE_DATABASE_LINK创建到目标数据库的数据库链接
-
SQL> BEGIN
-
DBMS_CLOUD_ADMIN.CREATE_DATABASE_LINK(
-
db_link_name => 'DBCSLINK',
-
hostname => '132.145.151.208',
-
port => '1521',
-
service_name => 'pdb1.sub05282047220.vcnctuzla.oraclevcn.com',
-
ssl_server_cert_dn => 'CN=dbcs',
-
credential_name => 'DBCS_LINK_CRED');
-
END;
-
/
使用已创建的数据库链接访问目标数据库:
-
SQL> select * from dual@DBCSLINK;
-
-
D
-
-
-
X
就这样!在这篇博文中,我们讨论了如何在DBCS中启用TCPS身份验证,以及如何创建从ADW到DBCS实例的传出数据库链接。尽管我们关注的是DBCS配置,但在ADW和任何其他Oracle数据库之间建立数据库链接时,也可以应用这些步骤。
阅读(2364) | 评论(0) | 转发(0) |