配置
根据您的业务和安全需求配置 Oracle Notification Server 代理。
设置 Oracle Notification Server 代理
您可以设置不带钱包和证书的 Oracle Notification Server 代理,也可以使用 SSL 证书和钱包。
此解决方案中使用了以下 Oracle Notification Server 代理配置文件参数:
ExtendedSecurityHeader=<header-name>通知现在可能包含发布者提供的访问标头。证书上名为 CN(Common Name,通用名称)的字段为证书所有者指定名称。客户端的 CN 部分 DN(唯一判别名)随每个客户端连接一起保存。当通知到达服务器时,只有当通知的 CN 列在为 ExtendedSecurityHeader 配置的标头名称中时,客户机才能接收通知。
ExtendedSecurityMode=<mode>none:不要检查任何东西。客户端将始终接收所有通知。
strict:根据通知访问标头(如果存在)检查客户机,否则客户机将不会收到通知。
allowunsecuresubscriber=false如果正常配置安全连接,将拒绝任何不安全的连接尝试。如果此参数设置为 yes,则即使不加密,也仍允许对等端连接,但在此情况下不允许发布。
如果未配置安全连接,则忽略此参数。
- 选项 1 :配置不带 SSL 钱包和证书的 Oracle Notification Server 代理,以在 Oracle Notification Server 代理与 Oracle RAC 节点上的 Oracle Notification Server 之间建立通信。按照以下步骤配置不带钱包和证书的 Oracle Notification Server 代理:
- 在连接管理器主机上设置 Oracle Notification Server 代理。
- 使用以下内容创建
$ORACLE_HOME/opmn/conf/onsproxy.properties文件:setConfigHome:/u01/app/oracle/product/23ai/client_1 debug:true addConfig: localport=6100 addConfig: remoteport=6200 addConfig: allowunsecuresubscriber=true addConfig: extendedsecuritymode=partial addConfig: extendedsecurityheader=none addNetwork: nodes.aaa=10.0.1.13:6200,10.0.1.95:6200 addSubscription: ("eventType=database/event/service") addSubscription: ("eventType=database/event/host") - 验证
$ORACLE_HOME/opmn/conf/ons.config是否包含以下内容:# Generated by ONS Proxy allowpublish=127.0.0.1,::1 extendedsecurityheader=none allowunsecuresubscriber=true localport=6100 remoteport=6200 extendedsecuritymode=partial - 在 CMAN 主机上启动 Oracle Notification Server 代理并检查状态。
[oracle@cman-host ~]$ onsctl proxy start Dec 17, 2024 10:35:20 PM oracle.ons.proxy.Proxy$ProxyConfig <init> INFO: Loading configuration: /u01/app/oracle/product/23ai/client_1/opmn/conf/onsproxy.properties Dec 17, 2024 10:35:21 PM oracle.ons.proxy.Proxy setDefaultConfigHome INFO: ORACLE_CONFIG_HOME set to /u01/app/oracle/product/23ai/client_1 Dec 17, 2024 10:35:21 PM oracle.ons.proxy.Proxy validateProxyConfig INFO: Validating configuration Dec 17, 2024 10:35:21 PM oracle.ons.proxy.Proxy updateProxyConfig INFO: Updating configuration Dec 17, 2024 10:35:21 PM oracle.ons.proxy.Proxy initProxy INFO: Initializing onsctl proxy: ons proxy started - 在
cman-host上启动 Oracle Notification Server 代理时,检查数据库上建立的连接。在 Client Connections(客户机连接)部分中,验证 Oracle CMAN 主机是否已连接到 Oracle RAC 数据库。以下示例显示了在 Oracle Grid Infrastructure 上运行的 Oracle Notification Server 的 CMAN 连接之后的截断输出。您应该在两台 Oracle RAC 计算机上看到来自10.0.0.90的连接。由于此连接是在没有 SSL 证书和钱包的情况下建立的,因此在 Oracle CMAN 连接中看不到CN=cman-host条目。[grid ~]$ onsctl debug Client connections: (8) ID CONNECTION ADDRESS PORT FLAGS SNDQ REF PHA SUB -------- --------------------------------------- ----- ------- ---- --- --- --- 0 internal 0 000044a 0 1 IO 1 2 127.0.0.1 62766 000041a 0 1 IO 1 1 127.0.0.1 62770 000041a 0 1 IO 1 3 127.0.0.1 62768 000041a 0 1 IO 1 4 127.0.0.1 62796 000041a 0 1 IO 1 7 127.0.0.1 62838 000041a 0 1 IO 0 26 ::ffff:10.0.0.90 21876 008042a 0 1 IO 2 request 127.0.0.1 12334 0000e1a 0 1 IO 0
- 选项 2 :为了安全起见,请设置具有钱包和 SSL 证书的 Oracle Notification Server 代理。SSL 需要自签名证书或来自可信提供程序的证书颁发机构 (Certificate Authority,CA) 来建立客户机/服务器连接。SSL 充当数字护照,通过使用公钥和私钥来验证您的凭据和最终 Web 服务器的凭据。两个身份都经过验证后,SSL 将通过 HTTPS 授予安全连接。此过程使用 SSL 证书来执行。
注意:
如果使用由证书颁发机构(如 Verisign)颁发的用户证书,则无需向客户机推出证书。在添加用户证书之前,将 CA 根证书和链中的任何中间证书作为可信证书添加到 wallet。- 在 Oracle RAC 节点上创建 Oracle wallet 和自签名证书。以
root用户身份在其中一个 Oracle RAC 节点上运行以下命令:mkdir -p /u01/app/wallet_dir chown grid:oinstall /u01/app/wallet_dir chmod 750 /u01/app/wallet_dir - 以
grid用户身份运行以下命令:$ORACLE_HOME/bin/orapki wallet create -wallet /u01/app/wallet_dir -pwd <Replace With Your Password> -auto_login $ORACLE_HOME/bin/orapki wallet display -wallet /u01/app/wallet_dir $ORACLE_HOME/bin/orapki wallet add -wallet /u01/app/wallet_dir -pwd <Replace With Your Password> -dn "CN=racnode-scan.sub12161926541.onsproxyvcn.oraclevcn.com,OU=ST,O=Oracle,ST=California,C=US" -keysize 2048 -self_signed -validity 365 $ORACLE_HOME/bin/orapki wallet add -wallet /u01/app/wallet_dir -pwd <Replace With Your Password> -dn "CN=racnode-scan,OU=ST,O=Oracle,ST=California,C=US" -keysize 2048 -self_signed -validity 365 $ORACLE_HOME/bin/orapki wallet display -wallet /u01/app/wallet_dir [grid@racnode1 ~]$ $ORACLE_HOME/bin/orapki wallet display -wallet /u01/app/wallet_dir Oracle PKI Tool Release 23.0.0.0.0 - Production Version 23.0.0.0.0 Copyright (c) 2004, 2024, Oracle and/or its affiliates. All rights reserved. Requested Certificates: User Certificates: Subject: CN=racnode-scan.sub12161926541.onsproxyvcn.oraclevcn.com,OU=ST,O=Oracle,ST=California,C=US Subject: CN=racnode-scan,OU=ST,O=Oracle,ST=California,C=US Trusted Certificates: Subject: CN=racnode-scan,OU=ST,O=Oracle,ST=California,C=US Subject: CN=racnode-scan.sub12161926541.onsproxyvcn.oraclevcn.com,OU=ST,O=Oracle,ST=California,C=US - 在连接管理器主机上创建 wallet 和自签名证书。将 Oracle Notification Server 代理配置为在 CMAN 环境上运行并与在 CMAN 和 RAC 节点上运行的 Oracle Notification Server 服务器通信时,需要 SSL 证书以确保安全通信。
注意:
根据您的环境密码策略更改密码。 - 以下是使用 SSL 证书配置 Oracle Notification Server 代理的分步过程。以
root用户身份运行以下命令:mkdir -p /u01/app/oracle/wallet_dir chown oracle:oinstall /u01/app/oracle/wallet_dir chmod 750 /u01/app/oracle/wallet_dir以oracle用户身份运行以下命令:$ORACLE_HOME/bin/orapki wallet create -wallet /u01/app/oracle/wallet_dir -pwd <Replace With Your Password> -auto_login $ORACLE_HOME/bin/orapki wallet display -wallet /u01/app/oracle/wallet_dir以oracle用户身份创建自签名证书:$ORACLE_HOME/bin/orapki wallet add -wallet /u01/app/oracle/wallet_dir -pwd <Replace With Your Password> "CN=cman-host.sub12161926540.onsproxyvcn.oraclevcn.com,OU=ST,O=Oracle,ST=California,C=US" -keysize 2048 -self_signed -validity 365 $ORACLE_HOME/bin/orapki wallet add -wallet /u01/app/oracle/wallet_dir -pwd REPLACE WITH YOUR PASSWORD> -dn "CN=cman-host,OU=ST,O=Oracle,ST=California,C=US" -keysize 2048 -self_signed -validity 365创建 wallet 后,以oracle用户身份显示 wallet。您将看不到任何条目,因为尚未创建证书。[oracle@cman-host ~] $ $ORACLE_HOME/bin/orapki wallet display -wallet /u01/app/oracle/wallet_dir Oracle PKI Tool Release 23.0.0.0.0 - Production Version 23.0.0.0.0 Copyright (c) 2004, 2024, Oracle and/or its affiliates. All rights reserved. Requested Certificates: User Certificates: Subject: CN=cman-host.sub12161926540.onsproxyvcn.oraclevcn.com,OU=ST,O=Oracle,ST=California,C=US Subject: CN=cman-host,OU=ST,O=Oracle,ST=California,C=US Trusted Certificates: Subject: CN=cman-host,OU=ST,O=Oracle,ST=California,C=US Subject: CN=cman-host.sub12161926540.onsproxyvcn.oraclevcn.com,OU=ST,O=Oracle,ST=California,C=US - 在 Google Cloud 的客户端计算机上创建 wallet 和自签名证书。由于 CMAN 主机上的 Oracle Notification Server 代理配置有 SSL wallet,因此客户机还必须配置有自签名 SSL 证书的 wallet 以建立安全连接。在这种情况下,客户机主机上安装了 Oracle 客户机,该客户机提供了创建和管理 wallet 所需的工具。以
root用户身份运行以下命令:mkdir -p /u01/app/client/wallet_dir chown oracle:oinstall /u01/app/client/wallet_dir chmod 750 /u01/app/client/wallet_dir以oracle用户身份运行以下命令:$ORACLE_HOME/bin/orapki wallet create -wallet /u01/app/client/wallet_dir -pwd <Replace With Your Password>-auto_login $ORACLE_HOME/bin/orapki wallet display -wallet /u01/app/client/wallet_dir以oracle用户身份创建自签名证书:$ORACLE_HOME/bin/orapki wallet add -wallet /u01/app/client/wallet_dir -pwd <Replace With Your Password> -dn "CN=client-host.c.oraoperator-on-gke.internal,OU=ST,O=Oracle,ST=California,C=US" -keysize 2048 -self_signed -validity 365 $ORACLE_HOME/bin/orapki wallet add -wallet /u01/app/client/wallet_dir -pwd <Replace With Your Password>-dn "CN=client-host,OU=ST,O=Oracle,ST=California,C=US" -keysize 2048 -self_signed -validity 365创建 wallet 后,以oracle用户身份显示 wallet。您将看不到任何条目,因为尚未创建证书。[oracle@client-host ~]$ $ORACLE_HOME/bin/orapki wallet display -wallet /u01/app/client/wallet_dir Oracle PKI Tool Release 23.0.0.0.0 - Production Version 23.0.0.0.0 Copyright (c) 2004, 2024, Oracle and/or its affiliates. All rights reserved. Requested Certificates: User Certificates: Subject: CN=client-host.c.oraoperator-on-gke.internal,OU=ST,O=Oracle,ST=California,C=US Subject: CN=client-host,OU=ST,O=Oracle,ST=California,C=US Trusted Certificates: Subject: CN=client-host.c.oraoperator-on-gke.internal,OU=ST,O=Oracle,ST=California,C=US Subject: CN=client-host,OU=ST,O=Oracle,ST=California,C=US - 在 Oracle RAC 上设置 wallet 和 SSL 证书并配置 CMAN 和客户机后,使用以下过程在连接管理器和 Oracle RAC 节点 1 上导出自签名证书:以
grid用户身份在 Oracle RAC 节点 1 上运行以下命令:$ORACLE_HOME/bin/orapki wallet export -wallet /u01/app/wallet_dir -pwd <Replace With Your Password> -dn "CN=racnode-scan,OU=ST,O=Oracle,ST=California,C=US" -cert "/tmp/scan_app1.crt" $ORACLE_HOME/bin/orapki wallet export -wallet /u01/app/wallet_dir -pwd <Replace With Your Password> -dn "CN=racnode-scan.sub12161926541.onsproxyvcn.oraclevcn.com,OU=ST,O=Oracle,ST=California,C=US" -cert "/tmp/scan_app2.crt"以oracle用户身份在 Oracle RAC 节点 1 上运行以下命令:$ORACLE_HOME/bin/orapki wallet export -wallet /u01/app/oracle/wallet_dir -pwd <Replace With Your Password> -dn "CN=cman-host,OU=ST,O=Oracle,ST=California,C=US" -cert "/tmp/cman1.crt" $ORACLE_HOME/bin/orapki wallet export -wallet /u01/app/oracle/wallet_dir -pwd <Replace With Your Password> -dn "CN=cman-host.sub12161926540.onsproxyvcn.oraclevcn.com,OU=ST,O=Oracle,ST=California,C=US" -cert "/tmp/cman2.crt" - 导出证书后,导入证书,以便 CMAN Oracle Notification Server 代理可以使用 Oracle RAC Oracle Notification Server 进行握手。将连接管理器 wallet 复制到 Oracle RAC 节点 1 并导入证书:
scp /tmp/cman* grid@racnode1.sub12161926541.onsproxyvcn.oraclevcn.com:/tmp/ $ORACLE_HOME/bin/orapki wallet add -wallet /u01/app/wallet_dir -pwd <Replace With Your Password> -trusted_cert -cert /tmp/cman1.crt $ORACLE_HOME/bin/orapki wallet add -wallet /u01/app/wallet_dir -pwd <Replace With Your Password> -trusted_cert -cert /tmp/cman2.crt将钱包从 Oracle RAC Node1 复制到 CMAN 主机并导入证书:scp grid@racnode1.sub12161926541.onsproxyvcn.oraclevcn.com:/tmp/scan_app* /tmp/ $ORACLE_HOME/bin/orapki wallet add -wallet /u01/app/oracle/wallet_dir -pwd <Replace With Your Password> -trusted_cert -cert /tmp/scan_app1.crt $ORACLE_HOME/bin/orapki wallet add -wallet /u01/app/oracle/wallet_dir -pwd <Replace With Your Password> -trusted_cert -cert /tmp/scan_app2.crt - 将 wallet 从 Oracle RAC 节点 1 复制到 Oracle RAC 节点 2:以
root用户身份在 Oracle RAC 节点 1 上运行以下命令:mkdir -p /u01/app/wallet_dir chown grid:oinstall /u01/app/wallet_dir chmod 750 /u01/app/wallet_dirscp grid@racnode1.sub12161926541.onsproxyvcn.oraclevcn.com:/u01/app/wallet_dir/* /u01/app/wallet_dir以grid用户身份在 Oracle RAC 节点 1 上运行以下命令:[grid@racnode1 ~]$ $ORACLE_HOME/bin/orapki wallet display -wallet /u01/app/wallet_dir Oracle PKI Tool Release 23.0.0.0.0 - Production Version 23.0.0.0.0 Copyright (c) 2004, 2024, Oracle and/or its affiliates. All rights reserved. Requested Certificates: User Certificates: Subject: CN=racnode-scan.sub12161926541.onsproxyvcn.oraclevcn.com,OU=ST,O=Oracle,ST=California,C=US Subject: CN=racnode-scan,OU=ST,O=Oracle,ST=California,C=US Trusted Certificates: Subject: CN=racnode-scan,OU=ST,O=Oracle,ST=California,C=US Subject: CN=cman-host,OU=ST,O=Oracle,ST=California,C=US Subject: CN=cman-host.sub12161926540.onsproxyvcn.oraclevcn.com,OU=ST,O=Oracle,ST=California,C=US Subject: CN=racnode-scan.sub12161926541.onsproxyvcn.oraclevcn.com,OU=ST,O=Oracle,ST=California,C=US [grid@racnode2 ~]$ $ORACLE_HOME/bin/orapki wallet display -wallet /u01/app/wallet_dir Oracle PKI Tool Release 23.0.0.0.0 - Production Version 23.0.0.0.0 Copyright (c) 2004, 2024, Oracle and/or its affiliates. All rights reserved. Requested Certificates: User Certificates: Subject: CN=racnode-scan.sub12161926541.onsproxyvcn.oraclevcn.com,OU=ST,O=Oracle,ST=California,C=US Subject: CN=racnode-scan,OU=ST,O=Oracle,ST=California,C=USTrusted Certificate Subject: CN=racnode-scan,OU=ST,O=Oracle,ST=California,C=US Subject: CN=cman-host,OU=ST,O=Oracle,ST=California,C=US Subject: CN=cman-host.sub12161926540.onsproxyvcn.oraclevcn.com,OU=ST,O=Oracle,ST=California,C=US Subject: CN=racnode-scan.sub12161926541.onsproxyvcn.oraclevcn.com,OU=ST,O=Oracle,ST=California,C=US - 按照以下步骤将 wallet 从 Google Cloud 中的客户端计算机复制到 OCI 上的 CMAN 计算机:运行以下命令以导出
client-host计算机上的钱包:$ORACLE_HOME/bin/orapki wallet export -wallet /u01/app/client/wallet_dir -pwd <Replace With Your Password> -dn "CN=client-host,OU=ST,O=Oracle,ST=California,C=US" -cert "/tmp/cert_app1.crt" $ORACLE_HOME/bin/orapki wallet export -wallet /u01/app/client/wallet_dir -pwd <Replace With Your Password> -dn "CN=client-host.c.oraoperator-on-gke.internal,OU=ST,O=Oracle,ST=California,C=US" -cert "/tmp/cert_app2.crt"将 wallet 从client-host复制到/tmp目录下的cman-host:scp -i /tmp/gcp oracle@client-host.c.oraoperator-on-gke.internal:/tmp/cert_app* /tmp/将 CMAN wallet 从cman-host复制到/tmp目录下的client-host:scp -i /tmp/gcp /tmp/cman* oracle@client-host.c.oraoperator-on-gke.internal:/tmp/ - 运行以下命令以导入
cman-host计算机上的client-host钱包:$ORACLE_HOME/bin/orapki wallet add -wallet /u01/app/oracle/wallet_dir -pwd <Replace With Your Password> -trusted_cert -cert /tmp/cert_app1.crt $ORACLE_HOME/bin/orapki wallet add -wallet /u01/app/oracle/wallet_dir -pwd <Replace With Your Password> -trusted_cert -cert /tmp/cert_app2.crt [oracle@cman-host ~]$ $ORACLE_HOME/bin/orapki wallet display -wallet /u01/app/oracle/wallet_dirOracle PKI Tool Release 23.0.0.0.0 - Production Version 23.0.0.0.0 Copyright (c) 2004, 2024, Oracle and/or its affiliates. All rights reserved. Requested Certificates: User Certificates: Subject: CN=cman-host,OU=ST,O=Oracle,ST=California,C=US Subject: CN=cman-host.sub12161926540.onsproxyvcn.oraclevcn.com,OU=ST,O=Oracle,ST=California,C=US Trusted Certificates: Subject: CN=client-host.c.oraoperator-on-gke.internal,OU=ST,O=Oracle,ST=California,C=US Subject: CN=racnode-scan.sub12161926541.onsproxyvcn.oraclevcn.com,OU=ST,O=Oracle,ST=California,C=US Subject: CN=cman-host,OU=ST,O=Oracle,ST=California,C=US Subject: CN=cman-host.sub12161926540.onsproxyvcn.oraclevcn.com,OU=ST,O=Oracle,ST=California,C=US Subject: CN=racnode-scan,OU=ST,O=Oracle,ST=California,C=US Subject: CN=client-host,OU=ST,O=Oracle,ST=California,C=US运行以下命令将cman-host的钱包导入到client-host计算机:$ORACLE_HOME/bin/orapki wallet add -wallet /u01/app/client/wallet_dir -pwd <Replace With Your Password> -trusted_cert -cert /tmp/cman1.crt $ORACLE_HOME/bin/orapki wallet add -wallet /u01/app/client/wallet_dir -pwd <Replace With Your Password> -trusted_cert -cert /tmp/cman2.crt [oracle@client-host ~]$ $ORACLE_HOME/bin/orapki wallet display -wallet /u01/app/client/wallet_dir Oracle PKI Tool Release 23.0.0.0.0 - Production Version 23.0.0.0.0 Copyright (c) 2004, 2024, Oracle and/or its affiliates. All rights reserved. Requested Certificates: User Certificates: Subject: CN=client-host.c.oraoperator-on-gke.internal,OU=ST,O=Oracle,ST=California,C=US Subject: CN=client-host,OU=ST,O=Oracle,ST=California,C=USTrusted Certificates: Subject: CN=cman-host,OU=ST,O=Oracle,ST=California,C=US Subject: CN=client-host.c.oraoperator-on-gke.internal,OU=ST,O=Oracle,ST=California,C=US Subject: CN=cman-host.sub12161926540.onsproxyvcn.oraclevcn.com,OU=ST,O=Oracle,ST=California,C=US Subject: CN=client-host,OU=ST,O=Oracle,ST=California,C=US - 在 Oracle RAC 节点上设置 Oracle Notification Server 。以
grid用户身份运行以下命令,以禁止与 wallet 中的 CN 不匹配的连接与 Oracle Notification Server 并仅允许连接到可信客户机。$ORACLE_HOME/bin/crsctl modify res ora.ons -attr "ALLOW_UNSECURE_SUBSCRIBER=no" -unsupported $ORACLE_HOME/bin/srvctl modify nodeapps -clientdata /u01/app/wallet_dir/cwallet.sso $ORACLE_HOME/opmn/bin/onsctl reload运行此命令以grid用户身份检查 Oracle RAC 节点 1 和 Oracle RAC 节点 2 上的配置:[grid@racnode1 ~]$ cat /u01/app/23.0.0.0/grid/opmn/conf/ons.config.racnode1 usesharedinstall=true allowgroup=true localport=6100 # line added by Agent remoteport=6200 # line added by Agent nodes=racnode1-priv:6200,racnode2-priv:6200 # line added by Agent walletfile=/u01/app/grid/crsdata/racnode1/onswallet/ # line added by Agent allowunsecuresubscriber=no # line added by Agent [grid@racnode2 ~]$ cat /u01/app/23.0.0.0/grid/opmn/conf/ons.config.racnode2 usesharedinstall=true allowgroup=true localport=6100 # line added by Agent remoteport=6200 # line added by Agent nodes=racnode1-priv:6200,racnode2-priv:6200 # line added by Agent walletfile=/u01/app/grid/crsdata/racnode2/onswallet/ # line added by Agent allowunsecuresubscriber=no # line added by Agent运行此命令以grid用户身份在两个 Oracle RAC 节点上检查 wallet。[grid@racnode1 ~]$ $ORACLE_HOME/bin/orapki wallet display -wallet /u01/app/grid/crsdata/racnode1/onswallet Oracle PKI Tool Release 23.0.0.0.0 - Production Version 23.0.0.0.0 Copyright (c) 2004, 2024, Oracle and/or its affiliates. All rights reserved. Requested Certificates: User Certificates: Subject: CN=racnode-scan.sub12161926541.onsproxyvcn.oraclevcn.com,OU=ST,O=Oracle,ST=California,C=US Subject: CN=racnode-scan,OU=ST,O=Oracle,ST=California,C=USTrusted Certificates: Subject: CN=racnode-scan,OU=ST,O=Oracle,ST=California,C=US Subject: CN=cman-host,OU=ST,O=Oracle,ST=California,C=US Subject: CN=cman-host.sub12161926540.onsproxyvcn.oraclevcn.com,OU=ST,O=Oracle,ST=California,C=US Subject: CN=racnode-scan.sub12161926541.onsproxyvcn.oraclevcn.com,OU=ST,O=Oracle,ST=California,C=US [grid@racnode2 ~]$ $ORACLE_HOME/bin/orapki wallet display -wallet /u01/app/grid/crsdata/racnode2/onswallet Oracle PKI Tool Release 23.0.0.0.0 - Production Version 23.0.0.0.0 Copyright (c) 2004, 2024, Oracle and/or its affiliates. All rights reserved. Requested Certificates: User Certificates: Subject: CN=racnode-scan.sub12161926541.onsproxyvcn.oraclevcn.com,OU=ST,O=Oracle,ST=California,C=US ubject: CN=racnode-scan,OU=ST,O=Oracle,ST=California,C=USTrusted Certificates: Subject: CN=racnode-scan,OU=ST,O=Oracle,ST=California,C=US Subject: CN=cman-host,OU=ST,O=Oracle,ST=California,C=US Subject: CN=cman-host.sub12161926540.onsproxyvcn.oraclevcn.com,OU=ST,O=Oracle,ST=California,C=US Subject: CN=racnode-scan.sub12161926541.onsproxyvcn.oraclevcn.com,OU=ST,O=Oracle,ST=California,C=US
- 在 Oracle RAC 节点上创建 Oracle wallet 和自签名证书。以
- 在连接管理器主机上设置 Oracle Notification Server 代理。使用以下内容创建
$ORACLE_HOME/opmn/conf/onsproxy.properties文件:setConfigHome: /u01/app/oracle/product/23ai/client_1 debug: true addConfig: localport=6100 addConfig: remoteport=6200 addConfig: walletfile=/u01/app/oracle/wallet_dir addNetwork: nodes.aaa=10.0.1.13:6200,10.0.1.95:6200|walletfile=/u01/app/oracle/wallet_dir/cwallet.sso addSubscription: ("eventType=database/event/service") addSubscription: ("eventType=database/event/host")使用以下内容创建$ORACLE_HOME/opmn/conf/ons.config:# Generated by ONS Proxy allowpublish=127.0.0.1,::1 extendedsecurityheader=tenant_id allowunsecuresubscriber=false walletfile=/u01/app/oracle/wallet_dir localport=6100 remoteport=6400 =strict - 检查在数据库中建立的连接。检查在
cman-host上启动 Oracle Notification Server 代理时在数据库结束时建立的连接。 - 使用客户机主机名称更新租户 ID 。在此情况下,使用
SYSDBA特权登录到SQLPLUS并使用客户机主机client-host的名称更新 Tenant ID 。 - 使用
SYSDBA特权登录到SQLPLUS,并使用 Client Host Machine (如本例中的client-host)的名称更新 Tenant ID 。注意:
确保它与客户端 Wallet CN 中使用的名称匹配。SQL> alter session set container=ORCLPDB; Session altered SQL> alter pluggable database orclpdb tenant_id = 'client-host'; Pluggable database altered. SQL> select con_id, name, tenant_id from v$pdbs where name = 'ORCLPDB'; CON_ID NAME TENANT_ID ---------- ------------- ------------------------ 3 ORCLPDB client-host
创建 Oracle RAC 数据库服务
创建 Oracle RAC 数据库服务并测试从 Oracle RAC 主机到 Oracle RAC 数据库的连接。在客户机上启动应用程序,使用 Oracle RAC 和 ONS 连接与在 CMAN 主机上运行的 Oracle Notification Server 建立与 Oracle RAC 数据库的 SQL 连接。模拟数据库服务器上的服务启动和停止事件,并检查在客户机上收到的 FAN 事件。
按照以下步骤创建和启动数据库服务:
- 以
oracle用户身份运行以下命令以创建数据库服务。su - oracle srvctl add service -d ORCLCDB_8p7_phx -preferred ORCLCDB1,ORCLCDB2 -s raconssvc2 -pdb ORCLPDB -notification TRUE - 运行以下命令以启动数据库服务:
[oracle@racnode1 ~]$ srvctl start service -d ORCLCDB_8p7_phx -s raconssvc2 - 运行以下命令以重置
system用户的密码。根据您的环境策略使用 <PASSWORD>:SQL> alter user system identified by <PASSWORD>;User altered. - 按照以下步骤从
cman-host计算机连接到数据库:[oracle@cman-host ~]$ $ORACLE_HOME/bin/sqlplus system/<PASSWORD>@//cman-host.sub12161926540.onsproxyvcn.oraclevcn.com:1521/raconssvc2.sub12161926541.onsproxyvcn.oraclevcn.com SQL*Plus: Release 23.0.0.0.0 - for Oracle Cloud and Engineered Systems on Thu Dec 19 01:49:12 2024 Version 23.5.0.24.07 Copyright (c) 1982, 2024, Oracle. All rights reserved. Last Successful login time: Wed Dec 18, 2024, 00:59:27 +00:00 Connected to:Oracle Database 23ai EE Extreme Perf Release 23.0.0.0.0 - for Oracle Cloud and Engineered Systems Version 23.6.0.24.10 SQL> - 按照以下步骤从
client-host计算机连接到数据库:[oracle@client-host ~]$ $ORACLE_HOME/bin/sqlplus system//<PASSWORD>@//cman-host.sub12161926540.onsproxyvcn.oraclevcn.com:1521/raconssvc2.sub12161926541.onsproxyvcn.oraclevcn.com注意:
在继续执行下一步之前,请确保连接成功。
在客户机主机上配置 fanWatcher
按照以下步骤在客户机主机上配置
FANWatcher:
- 复制
fanWatcher代码并将其暂存在/tmp/app文件夹下的client-host计算机上。[oracle@client-host response]$ mkdir /tmp/app [oracle@client-host response]$ export CLASSPATH="/tmp/app:$ORACLE_HOME/opmn/lib/ons.jar:$ORACLE_HOME/jlib/oraclepki.jar:$ORACLE_HOME/jlib/osdt_core.jar:$ORACLE_HOME/jlib/osdt_cert.jar:$ORACLE_HOME/jdbc/lib/ojdbc8.jar:." [oracle@client-host ~]$ cd /tmp/app/ [oracle@client-host app]$ ls -rlt total 8 -rw-r--r--. 1 oracle oinstall 6434 Dec 17 21:00 fanWatcher.java - 设置
fanWatcher.java文件。[oracle@client-host app]$ javac fanWatcher.java Note: fanWatcher.java uses or overrides a deprecated API. Note: Recompile with -Xlint:deprecation for details. [oracle@client-host app]$[oracle@client-host app]$ [oracle@client-host app]$ export user=system [oracle@client-host app]$ export password=<PASSWORD> [oracle@client-host app]$ export url='jdbc:oracle:thin:@cman-host.sub12161926540.onsproxyvcn.oraclevcn.com:1521/raconssvc2' [oracle@client-host app]$ $ORACLE_HOME/jdk/bin/java -Doracle.ons.walletfile=/u01/app/client/wallet_dir -classpath ${CLASSPATH} fanWatcher "nodes=cman-host.sub12161926540.onsproxyvcn.oraclevcn.com:6200" Subscribing to events of type: Opening FAN Subscriber Window ...