Kingbase OpenSSL identity authentication usage guide

Making the digital certificates:
Usage note: in the original, commands typed by the user are shown in bold black text; in this transcript they are the lines that start with the shell prompt (test@Kylin:~/pkg/8.0.0025/db/bin/ca$), everything else is program output.

1. Check the openssl version:
test@Kylin:~/pkg/8.0.0025/db/bin/ca$ openssl version
openssl: /home/test/pkg/8.0.0025/db/lib/libssl.so.1.0.0: version `OPENSSL_1.0.2' not found (required by openssl)
openssl: /home/test/pkg/8.0.0025/db/lib/libcrypto.so.1.0.0: version `OPENSSL_1.0.2' not found (required by openssl)
openssl: /home/test/pkg/8.0.0025/db/lib/libcrypto.so.1.0.0: version `OPENSSL_1.0.2g' not found (required by openssl)

The missing-library errors above appear because LD_LIBRARY_PATH points at the database's own lib directory, so the system openssl binary is loaded against a libssl/libcrypto build that lacks the symbol versions it needs. Clearing the variable fixes it:
test@Kylin:~/pkg/8.0.0025/db/bin/ca$ export LD_LIBRARY_PATH=
test@Kylin:~/pkg/8.0.0025/db/bin/ca$ openssl version
OpenSSL 1.0.2g 1 Mar 2016

2. Make the CA certificate:
test@Kylin:~/pkg/8.0.0025/db/bin/ca$ openssl req -newkey rsa:2048 -keyout ca.key -keyform PEM -out ca.csr -outform PEM
Generating a 2048 bit RSA private key
...+++
...+++
writing new private key to 'ca.key'
Enter PEM pass phrase:123456
Verifying - Enter PEM pass phrase:123456

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:KB
Organizational Unit Name (eg, section) []:KB
Common Name (e.g. server FQDN or YOUR name) []:CA
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

test@Kylin:~/pkg/8.0.0025/db/bin/ca$ openssl x509 -req -in ca.csr -out ca.crt -signkey ca.key -days 3650
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=KB/OU=KB/CN=CA
Getting Private key
Enter pass phrase for ca.key:123456
3. Make the root certificate:
test@Kylin:~/pkg/8.0.0025/db/bin/ca$ openssl req -newkey rsa:2048 -keyout root.key -keyform PEM -out root.csr -outform PEM
Generating a 2048 bit RSA private key
...+++
...+++
writing new private key to 'root.key'
Enter PEM pass phrase:123456
Verifying - Enter PEM pass phrase:123456

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:KB
Organizational Unit Name (eg, section) []:KB
Common Name (e.g. server FQDN or YOUR name) []:ROOT
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

test@Kylin:~/pkg/8.0.0025/db/bin/ca$ openssl x509 -req -in root.csr -out root.crt -signkey root.key -days 3650
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=KB/OU=KB/CN=ROOT
Getting Private key
Enter pass phrase for root.key:123456

4. Generate the server certificate:
test@Kylin:~/pkg/8.0.0025/db/bin/ca$ openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
...++++++
.++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:123456
Verifying - Enter pass phrase for server.key:123456

test@Kylin:~/pkg/8.0.0025/db/bin/ca$ openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:123456
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:KB
Organizational Unit Name (eg, section) []:KB
Common Name (e.g. server FQDN or YOUR name) []:SERVER
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*** Copy the openssl configuration file into the current directory (the -extfile option below reads its v3_req section):
test@Kylin:~/pkg/8.0.0025/db/bin/ca$ cp /etc/ssl/openssl.cnf ./
test@Kylin:~/pkg/8.0.0025/db/bin/ca$ openssl x509 -sha1 -req -in server.csr -CA root.crt -CAkey root.key -CAcreateserial -out server.crt -outform PEM -days 3650 -passin pass:123456 -extfile ./openssl.cnf -extensions v3_req
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=KB/OU=KB/CN=SERVER
Getting CA Private Key

5. Generate the user certificate for usystem:
test@Kylin:~/pkg/8.0.0025/db/bin/ca$ openssl genrsa -des3 -out usystem.key 1024
Generating RSA private key, 1024 bit long modulus
...++++++
...++++++
e is 65537 (0x10001)
Enter pass phrase for usystem.key:123456
Verifying - Enter pass phrase for usystem.key:123456

test@Kylin:~/pkg/8.0.0025/db/bin/ca$ openssl req -new -key usystem.key -out usystem.csr
Enter pass phrase for usystem.key:123456
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:KB
Organizational Unit Name (eg, section) []:KB
Common Name (e.g. server FQDN or YOUR name) []:SYSTEM
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

test@Kylin:~/pkg/8.0.0025/db/bin/ca$ openssl x509 -sha1 -req -in usystem.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out usystem.crt -outform PEM -days 3650 -passin pass:123456 -extfile ./openssl.cnf -extensions v3_req
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=KB/OU=KB/CN=SYSTEM
Getting CA Private Key
6. Generate the kingbase certificate:
test@Kylin:~/pkg/8.0.0025/db/bin/ca$ openssl genrsa -des3 -out kingbase.key 1024
Generating RSA private key, 1024 bit long modulus
...++++++
...++++++
e is 65537 (0x10001)
Enter pass phrase for kingbase.key:123456
Verifying - Enter pass phrase for kingbase.key:123456

test@Kylin:~/pkg/8.0.0025/db/bin/ca$ openssl req -new -key kingbase.key -out kingbase.csr
Enter pass phrase for kingbase.key:123456
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:KB
Organizational Unit Name (eg, section) []:KB
Common Name (e.g. server FQDN or YOUR name) []:KINGBASE
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

test@Kylin:~/pkg/8.0.0025/db/bin/ca$ openssl x509 -sha1 -req -in kingbase.csr -CA root.crt -CAkey root.key -CAcreateserial -out kingbase.crt -outform PEM -days 3650 -passin pass:123456 -extfile ./openssl.cnf -extensions v3_req
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=KB/OU=KB/CN=KINGBASE
Getting CA Private Key

7. Generate the userver certificate:
test@Kylin:~/pkg/8.0.0025/db/bin/ca$ openssl genrsa -des3 -out userver.key 1024
Generating RSA private key, 1024 bit long modulus
...++++++
...++++++
e is 65537 (0x10001)
Enter pass phrase for userver.key:123456
Verifying - Enter pass phrase for userver.key:123456

test@Kylin:~/pkg/8.0.0025/db/bin/ca$ openssl req -new -key userver.key -out userver.csr
Enter pass phrase for userver.key:123456
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:KB
Organizational Unit Name (eg, section) []:KB
Common Name (e.g. server FQDN or YOUR name) []:SERVER
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

test@Kylin:~/pkg/8.0.0025/db/bin/ca$ openssl x509 -sha1 -req -in userver.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out userver.crt -outform PEM -days 3650 -passin pass:123456 -extfile ./openssl.cnf -extensions v3_req
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=KB/OU=KB/CN=SERVER
Getting CA Private Key
Connection test

1. Preparation:
   a) Add ssl=on to kingbase.conf;
   b) In sys_hba.conf, change host to hostssl and MD5 to ukpwd;
   c) Change the permissions of all crt and key files to 600;
   d) Put ca.crt, root.crt, server.crt, userver.crt, server.key and userver.key into the database directory (the data directory, ca_data/ below);
   e) Put ca.crt, root.crt, kingbase.crt, usyssao.crt, usyssso.crt, usystem.crt, kingbase.key, usyssao.key, usyssso.key and usystem.key into the bin directory;
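The steps above issue certificates from two separate CAs: root.crt signs the server-side certificates (server, kingbase) and ca.crt signs the user certificates (usystem, userver), and step c) then locks the key files down to mode 600. The script below is an added example, not code from the original post or from Kingbase: it rebuilds that two-CA layout non-interactively in a temporary directory and checks the properties the guide depends on, namely that each certificate verifies against the CA that issued it and against no other, that the subject CN is what was requested, and that every private key is mode 600. It assumes a working `openssl` on PATH and a POSIX sh with `mktemp` and `find`. The DN fields and file names follow the page; the minimal `ossl.cnf` written inline stands in for the copied `/etc/ssl/openssl.cnf`, and 2048-bit RSA keys with SHA-256 signatures are used in place of the page's 1024-bit keys and `-sha1`, since both of those are below the minimums current OpenSSL and TLS clients accept.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild the guide's two-CA layout
# non-interactively and check the properties the deployment relies on.
# Assumptions: openssl on PATH, POSIX sh with mktemp and find.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

DN_BASE="/C=CN/ST=BJ/L=BJ/O=KB/OU=KB"   # the DN fields typed in the page

# Minimal config (constructed here) replacing the page's copied /etc/ssl/openssl.cnf.
cat > ossl.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# make_ca FILE CN: self-signed CA in one step (the page does req, then x509 -signkey).
make_ca() {
    openssl req -x509 -config ossl.cnf -extensions v3_ca -newkey rsa:2048 -sha256 \
        -days 3650 -nodes -keyout "$1.key" -out "$1.crt" -subj "$DN_BASE/CN=$2" >/dev/null 2>&1
    chmod 600 "$1.key"
}

# issue FILE CN CAFILE: private key, CSR and CA-signed certificate for FILE.
issue() {
    openssl genrsa -out "$1.key" 2048 >/dev/null 2>&1
    chmod 600 "$1.key"
    openssl req -new -config ossl.cnf -key "$1.key" -out "$1.csr" -subj "$DN_BASE/CN=$2" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 3650 -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" \
        -CAcreateserial -extfile ossl.cnf -extensions v3_leaf -out "$1.crt" >/dev/null 2>&1
}

# verify_chain FILE CAFILE: succeeds only if FILE.crt chains to CAFILE.crt.
verify_chain() {
    openssl verify -CAfile "$2.crt" "$1.crt" >/dev/null 2>&1
}

# subject_cn FILE: print the CN of FILE.crt (RFC2253 output is stable across versions).
subject_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1.crt" |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# key_is_private FILE: succeeds only if the mode is exactly 0600 (step c above).
key_is_private() {
    [ -n "$(find "$1" -perm 600)" ]
}

make_ca root ROOT               # root.crt / root.key: signs server-side certs
make_ca ca   CA                 # ca.crt / ca.key: signs user certs
issue server  SERVER root       # as in step 4
issue usystem SYSTEM ca         # as in step 5

for f in root ca server usystem; do key_is_private "$f.key"; done
verify_chain server root
verify_chain usystem ca
# A certificate from one CA must not verify against the other; that separation
# is what makes the root (server) / ca (user) split meaningful.
if verify_chain server ca; then echo "unexpected: server.crt accepted by ca.crt"; exit 1; fi
echo "server.crt CN: $(subject_cn server), usystem.crt CN: $(subject_cn usystem)"
```

Running it stand-alone prints the two CNs and exits 0; any failed check aborts the script under `set -e`. The same four helpers can be pointed at the real files in the data and bin directories before starting the database, which catches a certificate signed by the wrong CA or a key left world-readable earlier than an isql connection failure would.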

2. Start the database:
test@Kylin:~/pkg/8.0.0025/db/bin$ ./kingbase -D ca_data/
LOG: 转存许可证信息...
LOG: 许可证版本:2.0
LOG: 产品线:ES
LOG: 产品版本:8.0.0
LOG: 版本类型:ME
LOG: 操作系统:LNX
LOG: 体系结构:X64
LOG: 浮动日期模式:是
LOG: 基准日期:2019-09-26
LOG: 许可证有效时间:180天
LOG: 最大连接数:无限制
LOG: 用户信息:V8
LOG: 试用模式:否
LOG: 网卡物理地址检查模式:否
LOG: 网卡物理地址:
LOG: IPV4地址检查模式:否
LOG: IPV4地址:
LOG: 序列号:1e763e91-cb914c9a-dfe158e5-f462527b
sh: /home/test/pkg/8.0.0025/db/lib/libtinfo.so.5: no version information available (required by sh)
please enter the server key password:123456
LOG: SSL 的证书吊销列表文件"/home/test/pkg/8.0.0025/db/bin/ca_data/root.crl"未找到,忽略:没有那个文件或目录
DETAIL: 证书将不予核对吊销列表
LOG: the encrypt device is opened
LOG: 数据库系统已关闭在 2019-09-27 16:39:46 CST
LOG: checkpoint record is at 1/1DB9050
LOG: redo record is at 1/1DB9050; undo record is at 0/0; shutdown TRUE
LOG: 下一个事务ID: 0/269; 下一个OID: 31827
LOG: 下一个 MultiXactId: 1; 下一个 MultiXactOffset: 0
LOG: 数据库系统准备接受连接

Note: the warning above about the missing root.crl (no certificate revocation list, so certificates are not checked against one) does not affect normal operation.

3. Connection tests:
a) Normal connection:
test@Kylin:~/pkg/8.0.0025/db/bin$ ./isql -p19940 -USYSTEM -d TEST -b ./kingbase.crt -r ./root.crt -k ./kingbase.key -g usystem.crt -G usystem.key -p19970
用户密码 SYSTEM:123456
Enter the password of client key:123456
please input the usb token pin:123456
欢迎使用 isql 8.0.0.0025 release 64 bit, Kingbase 交互式终端.

本次登录信息:
用户名: SYSTEM
主机: [local]
登录时间: 2019-09-27 16:42:57.052739+08

这是你第一次登录.

本次登录和最后一次登录之间的失败次数: 0

密码的过期时间没有设置.

类型: \h SQL帮助命令
? isql帮助命令
\g 将之前的SQL语句发往服务器执行
\q 退出

TEST=#

b) Failed connection (wrong user password):
test@Kylin:~/pkg/8.0.0025/db/bin$ ./isql -p19940 -USYSTEM -d TEST -b ./kingbase.crt -r ./root.crt -k ./kingbase.key -g usystem.crt -G usystem.key -p19970
用户密码 SYSTEM:123
Enter the password of client key:123456
please input the usb token pin:123456
isql: FATAL: 用户"SYSTEM"的口令认证失败

c) Failed connection (wrong PIN):
test@Kylin:~/pkg/8.0.0025/db/bin$ ./isql -p19940 -USYSTEM -d TEST -b ./kingbase.crt -r ./root.crt -k ./kingbase.key -g usystem.crt -G usystem.key -p19970
用户密码 SYSTEM:123456
Enter the password of client key:123456
please input the usb token pin:1234
isql: could not read usbkey key file, maybe wrong pin code

Note: -b is the kingbase user certificate, -r the root certificate and -k the kingbase user's key; -g specifies the user certificate and -G its corresponding key.
