Securing Database Control in Oracle 10g

Original post. Category: Linux Operating System. Author: xuelu2000. Date: 2011-04-01 15:42:40
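1. After installing 10.2.0.4, run the following commands, as prompted on the final installer screen, to secure Database Control:
Steps: stop Database Control; configure the emkey; secure Database Control; secure the emkey.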
emctl stop dbconsole
emctl config emkey -repos -sysman_pwd
emctl secure dbconsole -sysman_pwd
emctl config emkey -remove_from_repos -sysman_pwd

The emkey is required for securing Database Control. Its meaning is as follows:
The emkey is an encryption key that is used to encrypt and decrypt sensitive data in Enterprise Manager such as host passwords, database passwords and others. By default, the emkey is stored in the $ORACLE_HOME/sysman/config/emkey.ora file. The location of this file can be changed.
During startup, the Oracle Management Service checks the status of the emkey. If the emkey has been properly configured, it uses it for encrypting and decrypting data.
The emkey is a random number that is generated during the installation of the Oracle Management Repository and is stored in a table. When the Oracle Management Service is installed, the emkey is copied from the Management Repository to the emkey.ora file and stored in the ORACLE_HOME/sysman/config/ directory of each Oracle Management Service.
After the emkey has been copied, you must remove it from the Management Repository as it is not considered secure. 
If it is not removed, data such as database passwords, server passwords and other sensitive information can be easily decrypted. 
To remove the emkey from the Management Repository, enter the following command:
$prompt> emctl config emkey -remove_from_repos

Reference:
http://download.oracle.com/docs/cd/B19306_01/em.102/b40002/security2.htm#sthref425
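
As an added example (not part of the original post or of Oracle's documentation), the following shell functions audit the on-disk emkey once it is the only remaining copy: they flag an emkey.ora that group or others can access and a key directory that they can write to. It assumes a UNIX install; the function names are hypothetical, and the optional second argument covers a relocated key file.

```shell
#!/bin/sh
# Added example, not Oracle code: audit the emkey file left on disk after
# "emctl config emkey -remove_from_repos". Assumes a UNIX ORACLE_HOME.

# True (0) when the path grants any permission bit to group or others.
# Only POSIX find tests are used, so GNU and BSD find both work.
open_to_group_or_other() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]
}

# audit_emkey ORACLE_HOME [EMKEY_FILE]   (hypothetical helper name)
# Prints one finding per line. Returns 0 when clean, 1 on findings and
# 2 when the key file is missing. EMKEY_FILE overrides the default
# location, because the location of the file can be changed.
audit_emkey() {
    keyfile="${2:-$1/sysman/config/emkey.ora}"
    if [ ! -f "$keyfile" ]; then
        echo "MISSING $keyfile"
        return 2
    fi
    rc=0
    if open_to_group_or_other "$keyfile"; then
        echo "EXPOSED key file accessible beyond its owner: $keyfile"
        rc=1
    fi
    # A directory writable by group or others lets them replace the key file.
    keydir=$(dirname "$keyfile")
    if [ -n "$(find "$keydir" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "EXPOSED key directory writable beyond its owner: $keydir"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK $keyfile"
    return "$rc"
}

# Stand-alone use: sh audit_emkey.sh "$ORACLE_HOME" [/path/to/emkey.ora]
if [ "$#" -ge 1 ]; then
    audit_emkey "$@"
fi
```
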

2. If the emkey has already been configured, Database Control can be secured directly with the following secure command
To configure security for the Database Control:
1)Stop the Database Control by entering the following command in the ORACLE_HOME/bin directory (UNIX) or the ORACLE_HOME\bin (Windows):
$PROMPT> ./emctl stop dbconsole (UNIX)
$PROMPT> emctl stop dbconsole (Windows)

2)Change directory to the ORACLE_HOME/bin directory or the ORACLE_HOME\bin (Windows) and enter the following emctl command
$PROMPT> ./emctl secure dbconsole (UNIX)
$PROMPT> emctl secure dbconsole (Windows)

The result is as follows:
C:\Users\Administrator>emctl secure dbconsole
Oracle Enterprise Manager 10g Database Control Release 10.2.0.1.0
Copyright (c) 1996, 2005 Oracle Corporation.  All rights reserved.
http://xuel-HP:1158/em/console/aboutApplication
Enter Enterprise Manager Root Password :
********
Enter Agent Registration password :
********
Enter a Hostname for this OMS : xuel-HP

Checking Repository...   Done.
Checking Repository for an existing Enterprise Manager Root Key...   Done.
Generating Enterprise Manager Root Key (this takes a minute)...   Done.
Fetching Root Certificate from the Repository...   Done.
Generating Registration Password Verifier in the Repository...   Done.
Updating HTTPS port in emoms.properties file...   Done.
Generating Java Keystore...认证已添加至keystore中
认证回复已安装在 keystore中
   Done.
Securing OMS ...   Done.
Generating Oracle Wallet Password for Agent....   Done.
Generating wallet for Agent ...    Done.
Copying the wallet for agent use...    Done.
Storing agent key in repository...   Done.
Storing agent key for agent ...   Done.
Configuring Agent...
Configuring Agent for HTTPS...   Done.
EMD_URL set in C:\oracle\product\10.2.0\db_1/xuel-HP_ORCL/sysman/config/emd.prop
erties
Configuring Agent ...   Done.
Configuring Key store..   Done.

Starting DBCONSOLE fails:
C:\Users\Administrator>emctl start dbconsole
Oracle Enterprise Manager 10g Database Control Release 10.2.0.1.0
Copyright (c) 1996, 2005 Oracle Corporation.  All rights reserved.
https://xuel-HP:1158/em/console/aboutApplication
Starting Oracle Enterprise Manager 10g Database Control ...OracleDBConsoleORCL
服务正在启动 ........................................
OracleDBConsoleORCL 服务无法启动。

发生服务特定错误: 2.

请键入 NET HELPMSG 3547 以获得更多的帮助。

Checking the emdb.nohup file shows:
The agentTZRegion value in C:\oracle\product\10.2.0\db_1\xuel-HP_ORCL/sysman/config/emd.properties is not in agreement with what agent thinks it should be.Please verify your environment to make sure that TZ setting has not changed since the last start of the agent.

After setting agentTZRegion=Asia/Shanghai in the emd.properties file, restarting DBCONSOLE still fails.
The error message is the same as above.

Checking the emagent.trc file shows the following error:
2011-03-31 19:28:37 Thread-1908 ERROR ssl: Open wallet failed, ret = 28750

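A Google search shows that this problem is caused by the expiry of the root CA certificate of the Enterprise Manager Database Control component. The certificate expired on December 31, 2010, so any installation of this database version done in 2011 hits this problem. The official fix is to apply Patch 8350262.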
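
As an added example (not part of the original post), this shell snippet triages an emagent.trc file for the wallet failure above and tags each occurrence by whether it was logged after the certificate expiry date given in the post. The function names are hypothetical, and the sample trace lines other than the quoted error are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: triage emagent.trc for the
# wallet failure. CA_EXPIRY is the certificate expiry date stated in the post.
CA_EXPIRY="2010-12-31"

# Print "<date> <time> ret=<code> <verdict>" for every wallet-open failure.
# ISO dates sort lexically, so a string comparison with CA_EXPIRY is enough.
triage_wallet_errors() {
    awk -v expiry="$CA_EXPIRY" '
        / ERROR ssl: Open wallet failed, ret = / {
            verdict = (($1 "") > (expiry "")) ? "after-ca-expiry" : "before-ca-expiry"
            print $1, $2, "ret=" $NF, verdict
        }' "$1"
}

# Succeeds when at least one wallet failure was logged after the expiry
# date, which makes the expired root CA the first cause to check.
expired_ca_suspected() {
    triage_wallet_errors "$1" | grep -q 'after-ca-expiry$'
}

# Constructed sample: the second line is the error quoted in the post; the
# other lines reuse messages from the post with made-up timestamps and threads.
write_sample_trace() {
    cat > "$1" <<'EOF'
2010-11-02 09:14:03 Thread-1200 ERROR ssl: Open wallet failed, ret = 28750
2011-03-31 19:28:37 Thread-1908 ERROR ssl: Open wallet failed, ret = 28750
2011-04-01 12:13:05 Thread-2204 ERROR http: 928: Error initializing SSL connection for incoming request
EOF
}

# Stand-alone use: sh triage_trace.sh /path/to/emagent.trc
if [ "$#" -ge 1 ]; then
    triage_wallet_errors "$1"
    if expired_ca_suspected "$1"; then
        echo "wallet failures postdate $CA_EXPIRY: check the root CA expiry first"
    fi
fi
```
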

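3. Download Patch 8350262
This patch requires version 10.2.0.4.
After applying the patch and running the following command as instructed, the console still would not start: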
emctl secure dbconsole -reset

I tried many approaches found through Google, but none of them solved it.
In the end, rebuilding the Database Control management repository resolved the problem.
emca -deconfig dbcontrol db -repos drop

emca -config dbcontrol db -repos recreate

emctl start dbconsole

The run looks like this:
c:\>emca -deconfig dbcontrol db -repos drop

EMCA 开始于 2011-4-1 12:09:15
EM Configuration Assistant, 10.2.0.1.0 正式版
版权所有 (c) 2003, 2005, Oracle。保留所有权利。

输入以下信息:
数据库 SID: ORCL
监听程序端口号: 1521
SYS 用户的口令:
SYSMAN 用户的口令:
SYSMAN 用户的口令:
是否继续? [是(Y)/否(N)]: y
2011-4-1 12:09:33 oracle.sysman.emcp.EMConfig perform
信息: 正在将此操作记录到 C:\oracle\product\10.2.0\db_1\cfgtoollogs\emca\ORCL\emc
a_2011-04-01_12-09-15-下午.log。
2011-4-1 12:09:36 oracle.sysman.emcp.EMDBPreConfig performDeconfiguration
警告: 此数据库的 EM 尚未配置。无法执行特定于 EM 的操作。
2011-4-1 12:09:36 oracle.sysman.emcp.EMReposConfig dropRepository
信息: 正在删除 EM 资料档案库 (此操作可能需要一段时间)...
2011-4-1 12:09:43 oracle.sysman.emcp.EMReposConfig invoke
信息: 已成功删除资料档案库
已成功完成 Enterprise Manager 的配置
EMCA 结束于 2011-4-1 12:09:45

c:\>emca -config dbcontrol db -repos recreate

EMCA 开始于 2011-4-1 12:09:51
EM Configuration Assistant, 10.2.0.1.0 正式版
版权所有 (c) 2003, 2005, Oracle。保留所有权利。

输入以下信息:
数据库 SID: ORCL
监听程序端口号: 1521
SYS 用户的口令:
DBSNMP 用户的口令:
SYSMAN 用户的口令:
SYSMAN 用户的口令: 通知的电子邮件地址 (可选):
通知的发件 (SMTP) 服务器 (可选):
-----------------------------------------------------------------

已指定以下设置

数据库 ORACLE_HOME ................ C:\oracle\product\10.2.0\db_1

数据库主机名 ................ xuel-HP
监听程序端口号 ................ 1521
数据库 SID ................ ORCL
通知的电子邮件地址 ...............
通知的发件 (SMTP) 服务器 ...............

-----------------------------------------------------------------
是否继续? [是(Y)/否(N)]: y
2011-4-1 12:10:11 oracle.sysman.emcp.EMConfig perform
信息: 正在将此操作记录到 C:\oracle\product\10.2.0\db_1\cfgtoollogs\emca\ORCL\emc
a_2011-04-01_12-09-51-下午.log。
2011-4-1 12:10:20 oracle.sysman.emcp.EMReposConfig dropRepository
信息: 正在删除 EM 资料档案库 (此操作可能需要一段时间)...
2011-4-1 12:10:23 oracle.sysman.emcp.EMReposConfig invoke
信息: 已成功删除资料档案库
2011-4-1 12:10:24 oracle.sysman.emcp.EMReposConfig createRepository
信息: 正在创建 EM 资料档案库 (此操作可能需要一段时间)...
2011-4-1 12:11:49 oracle.sysman.emcp.EMReposConfig invoke
信息: 已成功创建资料档案库
2011-4-1 12:12:00 oracle.sysman.emcp.util.DBControlUtil secureDBConsole
信息: 正在保护 Database Control (此操作可能需要一段时间)...
2011-4-1 12:12:21 oracle.sysman.emcp.util.DBControlUtil secureDBConsole
信息: 已成功保护 Database Control。
2011-4-1 12:12:21 oracle.sysman.emcp.util.DBControlUtil startOMS
信息: 正在启动 Database Control (此操作可能需要一段时间)...
2011-4-1 12:13:01 oracle.sysman.emcp.EMDBPostConfig performConfiguration
信息: 已成功启动 Database Control
2011-4-1 12:13:01 oracle.sysman.emcp.EMDBPostConfig performConfiguration
信息: >>>>>>>>>>> Database Control URL 为 https://xuel-HP:1158/em <<<<<<<<<<<
已成功完成 Enterprise Manager 的配置
EMCA 结束于 2011-4-1 12:13:01

c:\>emctl start dbconsole
Oracle Enterprise Manager 10g Database Control Release 10.2.0.4.0
Copyright (c) 1996, 2007 Oracle Corporation.  All rights reserved.
https://xuel-HP:1158/em/console/aboutApplication
Starting Oracle Enterprise Manager 10g Database Control ...请求的服务已经启动。

请键入 NET HELPMSG 2182 以获得更多的帮助。


c:\>emctl stop dbconsole
Oracle Enterprise Manager 10g Database Control Release 10.2.0.4.0
Copyright (c) 1996, 2007 Oracle Corporation.  All rights reserved.
https://xuel-HP:1158/em/console/aboutApplication
OracleDBConsoleORCL 服务正在停止................................................
...............................................................
OracleDBConsoleORCL 服务已成功停止。


c:\>emctl stop dbconsole
Oracle Enterprise Manager 10g Database Control Release 10.2.0.4.0
Copyright (c) 1996, 2007 Oracle Corporation.  All rights reserved.
https://xuel-HP:1158/em/console/aboutApplication
没有启动 OracleDBConsoleORCL 服务。

请键入 NET HELPMSG 3521 以获得更多的帮助。


c:\>emctl start dbconsole
Oracle Enterprise Manager 10g Database Control Release 10.2.0.4.0
Copyright (c) 1996, 2007 Oracle Corporation.  All rights reserved.
https://xuel-HP:1158/em/console/aboutApplication
Starting Oracle Enterprise Manager 10g Database Control ...OracleDBConsoleORCL
服务正在启动 ................
OracleDBConsoleORCL 服务已经启动成功。

4. Use the secure/unsecure commands to start in secured or unsecured mode
1) Start in unsecured mode
emctl stop dbconsole
emctl unsecure dbconsole
emctl start dbconsole

The run looks like this:
c:\>emctl stop dbconsole
Oracle Enterprise Manager 10g Database Control Release 10.2.0.4.0
Copyright (c) 1996, 2007 Oracle Corporation.  All rights reserved.
https://xuel-HP:1158/em/console/aboutApplication
OracleDBConsoleORCL 服务正在停止.................
OracleDBConsoleORCL 服务已成功停止。


c:\>emctl unsecure dbconsole
Oracle Enterprise Manager 10g Database Control Release 10.2.0.4.0
Copyright (c) 1996, 2007 Oracle Corporation.  All rights reserved.
https://xuel-HP:1158/em/console/aboutApplication
Configuring DBConsole for HTTP...   Done.
DBCONSOLE already stopped...   Done.
Agent is already stopped...   Done.
Unsecuring dbconsole...   Started.
DBConsole is now unsecured...  Done.
Unsecuring dbconsole...  Sucessful.

c:\>emctl start dbconsole
Oracle Enterprise Manager 10g Database Control Release 10.2.0.4.0
Copyright (c) 1996, 2007 Oracle Corporation.  All rights reserved.
http://xuel-HP:1158/em/console/aboutApplication
Starting Oracle Enterprise Manager 10g Database Control ...OracleDBConsoleORCL
服务正在启动 ................
OracleDBConsoleORCL 服务已经启动成功。

2) Start in secured mode
emctl stop dbconsole
emctl secure dbconsole
emctl start dbconsole

The run looks like this:
c:\>emctl stop dbconsole
Oracle Enterprise Manager 10g Database Control Release 10.2.0.4.0
Copyright (c) 1996, 2007 Oracle Corporation.  All rights reserved.
http://xuel-HP:1158/em/console/aboutApplication
OracleDBConsoleORCL 服务正在停止..............
OracleDBConsoleORCL 服务已成功停止。


c:\>emctl secure dbconsole
Oracle Enterprise Manager 10g Database Control Release 10.2.0.4.0
Copyright (c) 1996, 2007 Oracle Corporation.  All rights reserved.
http://xuel-HP:1158/em/console/aboutApplication
Enter Enterprise Manager Root password :
********
Enter a Hostname for this OMS : xuel-HP

DBCONSOLE already stopped...   Done.
Agent is already stopped...   Done.
Securing dbconsole...   Started.
Checking Repository...   Invalid Password.

c:\>emctl secure dbconsole -sysman_pwd system
Oracle Enterprise Manager 10g Database Control Release 10.2.0.4.0
Copyright (c) 1996, 2007 Oracle Corporation.  All rights reserved.
http://xuel-HP:1158/em/console/aboutApplication
DBCONSOLE already stopped...   Done.
Agent is already stopped...   Done.
Securing dbconsole...   Started.
Checking Repository...   Done.
Checking Em Key...   Done.
Checking Repository for an existing Enterprise Manager Root Key...   Done.
Fetching Root Certificate from the Repository...   Done.
Updating HTTPS port in emoms.properties file...   Done.
Generating Java Keystore...认证已添加至keystore中
认证回复已安装在 keystore中
   Done.
Securing OMS ...   Done.
Generating Oracle Wallet Password for Agent....   Done.
Generating wallet for Agent ...    Done.
Copying the wallet for agent use...    Done.
Storing agent key in repository...   Done.
Storing agent key for agent ...   Done.
Configuring Agent...
Configuring Agent for HTTPS in DBCONSOLE mode...   Done.
EMD_URL set in C:\oracle\product\10.2.0\db_1/xuel-HP_ORCL/sysman/config/emd.prop
erties
   Done.
Configuring Key store..   Done.
Securing dbconsole...   Sucessful.

c:\>emctl start dbconsole
Oracle Enterprise Manager 10g Database Control Release 10.2.0.4.0
Copyright (c) 1996, 2007 Oracle Corporation.  All rights reserved.
https://xuel-HP:1158/em/console/aboutApplication
Starting Oracle Enterprise Manager 10g Database Control ...OracleDBConsoleORCL
服务正在启动 ................
OracleDBConsoleORCL 服务已经启动成功。

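Summary:
Steps for securing Database Control:
1) Configure the emkey
2) emctl secure
3) Apply the patch
4) Rebuild the Database Control management repository
5) If a port turns out to be in use, find the emagent process, kill it, and re-run the command that failed.
6) Even when dbconsole starts or stops successfully, errors or warnings still appear in the background logs, for example "ERROR http: 928: Error initializing SSL connection for incoming request" and "WARN  http: snmehl_connect: connect failed to (xuel-HP:3938): 由于目标计算机积极拒绝,无法连接". This should not be a problem.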

References:
http://download.oracle.com/docs/cd/B12037_01/em.101/b12013/security2.htm#i1042301
http://download.oracle.com/docs/cd/B19306_01/em.102/b40002/security2.htm#sthref425
http://download.oracle.com/docs/cd/E11882_01/server.112/e17120/dbcontrol002.htm
http://openwares.net/database/x64_oracle_10g_emdbconsole_error.html
http://www.linuxidc.com/Linux/2011-01/31708.htm

From ITPUB Blog, link: http://blog.itpub.net/95233/viewspace-691469/. If you repost this article, please credit the source; otherwise legal liability will be pursued.
