解决rman备份脚本中密码明文的问题--wallet

前面有一篇文章描述了rman备份脚本，里边提到了脚本中的明文密码不安全的问题。

这里使用wallet技术，设置密码。除了设置wallet密码的人，其他人也无法知道连接密码。这样就解决密码明文不安全的问题了。

rman备份脚本：http://blog.csdn.net/laven54/article/details/11892141

实验过程：

1.创建wallet

$ORACLE_HOME/bin/mkstore -wrl $ORACLE_HOME/network/admin/wallet -create
Enter password:<输入wallet密码>


2.创建连接串(一个连接串只能对应一个用户)
rman_connect =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = nascds18.cn.oracle.com)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = R10203)
)
)


3. 加入用户认证信息到Wallet
其中db_utest是前面设置的网路连接串, "oracle"是用户sys的密码.
$ORACLE_HOME/bin/mkstore -wrl $ORACLE_HOME/network/admin/wallet -createCredential rman_connect sys "oracle"
Enter wallet password:<输入wallet密码>
Create credential oracle.security.client.connect_string1


4. 查看rman用户是否被加入到wallet中
$ORACLE_HOME/bin/mkstore -wrl $ORACLE_HOME/network/admin/wallet -listCredential
Enter wallet password:<输入wallet密码> 
List credential (index: connect_string username)
1: rman_connect sys (显示sys已经被加入到wallet中)


5. 加入Wallet位置信息到sqlnet.ora
$ vi $ORACLE_HOME/network/admin/sqlnet.ora
WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/opt/oracle/products/10.2.0.3/network/admin/wallet)))
SQLNET.WALLET_OVERRIDE=TRUE


6. 链接测试


[oracle@nascds18 admin]$ rman target /@rman_connect


Recovery Manager: Release 10.2.0.3.0 - Production on Mon Sep 23 12:52:23 2013
Copyright (c) 1982, 2005, Oracle. All rights reserved.
connected to target database: R10203 (DBID=2226792988)


RMAN> exit

Recovery Manager complete.

----------------------

mkstore用法：

dg-primary:/oracle/product/11gR2/db/network/admin> mkstore
Oracle Secret Store Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.


mkstore [-wrl wrl] [-create] [-createSSO] [-createLSSO] [-createALO] [-delete] [-deleteSSO] [-list] [-createEntry alias secret] [-viewEntry alias] [-modifyEntry alias secret] [-deleteEntry alias] [-createCredential connect_string username password] [-listCredential] [-modifyCredential connect_string username password] [-deleteCredential connect_string] [-help] [-nologo]

createCredential 是创建字符串对于的密码

modifyCredential 是修改字符串对于的密码

deleteCredential 是删除字符串对于的密码

listCredential  是列出当前有哪些用户设置了密码

——————————

测试的插曲：

使用rman target /@rman_connect 没问题，可是换成sqlplus /@rman_connect 就报错：

dg-primary:/oracle/product/11gR2/db/network/admin> rman target /@rman_connect2


Recovery Manager: Release 11.2.0.3.0 - Production on Sun Sep 22 22:49:10 2013


Copyright (c) 1982, 2011, Oracle and/or its affiliates.  All rights reserved.


connected to target database: EBAI (DBID=2009644852)


RMAN> 

dg-primary:/oracle/product/11gR2/db/network/admin> sqlplus /@rman_connect2


SQL*Plus: Release 11.2.0.3.0 Production on Sun Sep 22 22:47:33 2013


Copyright (c) 1982, 2011, Oracle.  All rights reserved.


ERROR:
ORA-28009: connection as SYS should be as SYSDBA or SYSOPER

RMAN connections to a database are specified and authenticated in the same way as SQL*Plus connections to a database. The only difference is that RMAN connections to a target or auxiliary database require the SYSDBA privilege. The AS SYSDBA keywords are implied for target and auxiliary connections and cannot be explicitly specified.

说明，在rman连接数据库时sys用户不需要”显式“指明 ”as SYSDBA“关键字。 但是在sqlplus登陆数据库时，sys用户必须指明，这个是区别，以前看见了但是没有太在意呢

___________________________________________________________________________________

版权所有，文章允许转载，但必须以链接方式注明源地址，否则追究法律责任!

Author:   laven54 (lurou)

Email:    laven54@163.com

Blog:      http://blog.csdn.net/laven54

QQ群： 164734649  可以到群里来提问，Oracle相关的问题我都很感兴趣