SSL encryption setup for the Dameng 8 (DM8) database
1: Certificate creation and SSL configuration for the Dameng database; reference: https://cdn.modb.pro/db/98970
The steps are as follows:
1: Configure the openssl configuration file
Config file path: /etc/pki/tls/openssl.cnf. Back up the file, then change the following entries (dir moves the CA's working directory to /opt/ca; every other path in the section is relative to it):
[ CA_default ]
dir = /opt/ca # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/ca-cert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/ca-key.pem # The private key
x509_extensions = usr_cert # The extensions to add to the cert
2: Create the main directories and files that the config file refers to
[root@localhost ~]# mkdir -p /opt/ca
[root@localhost ~]# cd /opt/ca
[root@localhost ca]# mkdir {certs,crl,newcerts}
[root@localhost ca]# echo "01" > serial
[root@localhost ca]# touch index.txt
## Create the directories that will hold the Dameng server and client certificate files
[root@localhost ca]# mkdir server_ssl
[root@localhost ca]# mkdir client_ssl
## Create the client certificate directory for the SYSDBA user; for any other user, create a directory with the same name as the user
[root@localhost ca]# mkdir -p client_ssl/SYSDBA
3: Generate the CA private key and root certificate
[root@localhost ca]# openssl req -new -x509 -days 3650 -keyout ca-key.pem -out ca-cert.pem -subj "/C=cn/ST=hunan/L=changsha/O=dameng/OU=dev/CN=lw/emailAddress=abc@dm.com"
Generating a RSA private key
.....................................................................................+++++
......................................+++++
writing new private key to 'ca-key.pem'
Enter PEM pass phrase: # Set the passphrase that protects the CA private key; 123456 is used in this test
Verifying - Enter PEM pass phrase:
-----
[root@localhost ca]# ls
ca-cert.pem ca-key.pem certs client_ssl crl index.txt newcerts serial server_ssl
ca-key.pem is the CA private key; ca-cert.pem is the root certificate. Anyone who holds ca-key.pem and its passphrase can issue certificates that this database will trust, so keep the key on the signing host only.
Brief notes on file suffixes:
- .key : private key file; the ".pem" suffix is also used. A ".pem" file usually contains one or more of a certificate and a private key
- .csr : certificate signing request (certificate request file); contains the public key information
- .crl : certificate revocation list
4: Generate the server private key and the CA-signed server certificate
1: Generate the private key file
[root@localhost ca]# openssl genrsa -out server_ssl/server-key.pem
Generating RSA private key, 2048 bit long modulus (2 primes)
.................................................................................................................+++++
..............................................................+++++
e is 65537 (0x010001)
## Note: the server-side private key is left unencrypted for convenience, so the file permissions are its only protection
2: Generate the certificate signing request
[root@localhost ca]# openssl req -new -key server_ssl/server-key.pem -out server_ssl/server.csr -subj "/C=cn/ST=hunan/L=changsha/O=dameng/OU=dev/CN=server/emailAddress=server@dm.com"
Explanation of the -subj fields:
Country Name : abbreviated "C"; the country of the certificate holder, given as a country code
State or Province Name : abbreviated "ST"; the state or province of the certificate holder
Locality Name : abbreviated "L"; the city of the certificate holder
Organization Name : abbreviated "O"; the organization or company the certificate holder belongs to
Organizational Unit Name : abbreviated "OU"; the department the certificate holder belongs to
Common Name : abbreviated "CN"; the common name of the certificate holder
Email Address : the contact e-mail address of the certificate holder
3: Produce the certificate from the root certificate and the signing request
[root@localhost ca]# openssl ca -days 3650 -in server_ssl/server.csr -out server_ssl/server-cert.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /opt/ca/ca-key.pem: # Enter the passphrase set when the CA private key was generated (123456 above)
Check that the request matches the signature
Signature ok
Certificate Details:
    Serial Number: 1 (0x1)
    Validity
        Not Before: Aug 11 09:23:40 2021 GMT
        Not After : Aug 9 09:23:40 2031 GMT
    Subject:
        countryName = cn
        stateOrProvinceName = hunan
        organizationName = dameng
        organizationalUnitName = dev
        commonName = server
        emailAddress = server@dm.com
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        Netscape Comment:
            OpenSSL Generated Certificate
        X509v3 Subject Key Identifier:
            46:E9:80:E8:CC:1D:7E:DB:E3:05:FF:8C:3B:77:43:51:9B:16:05:43
        X509v3 Authority Key Identifier:
            keyid:61:05:BE:3F:A9:DE:2D:9A:7F:2A:BA:0E:45:97:47:5B:E8:0C:D7:7E
Certificate is to be certified until Aug 9 09:23:40 2031 GMT (3650 days)
Sign the certificate? [y/n]:y # enter y
1 out of 1 certificate requests certified, commit? [y/n]y # enter y
Write out database with 1 new entries
Data Base Updated
(localityName is missing from the issued subject because the default policy_match section of openssl.cnf does not list it; openssl ca only keeps the fields named in the policy.)
4: Strip the certificate down to bare PEM. The file written by openssl ca also contains a readable dump of the certificate before the PEM block (hence 4544 bytes against 1395); openssl x509 rewrites it as just the PEM-encoded X.509 certificate
[root@localhost ca]# openssl x509 -in server_ssl/server-cert.pem -out server_ssl/server.cer
[root@localhost ca]# ll server_ssl/
-rw-r--r-- 1 root root 1395 Aug 11 17:28 server.cer
-rw-r--r-- 1 root root 4544 Aug 11 17:23 server-cert.pem
-rw-r--r-- 1 root root 1033 Aug 11 17:13 server.csr
-rw------- 1 root root 1675 Aug 11 17:06 server-key.pem
5: Copy the CA's self-signed certificate into the server_ssl directory
[root@localhost ca]# cp ca-cert.pem server_ssl/
[root@localhost ca]# cp ca-key.pem server_ssl/
The second copy is what this walkthrough does, but the CA private key is only needed when signing new certificates; once it sits in server_ssl it is later copied to the database host, where anyone who can read that directory can mint certificates the server trusts. Leave it out unless your deployment actually needs it there.
5: Generate the client user's private key and CA-signed certificate
1: Generate the private key file
[root@localhost ca]# openssl genrsa -aes256 -out client_ssl/SYSDBA/client-key.pem
Generating RSA private key, 2048 bit long modulus (2 primes)
............................+++++
..+++++
e is 65537 (0x010001)
Enter pass phrase for client_ssl/SYSDBA/client-key.pem: # Set the private key passphrase; dameng is used in this test. Note: this passphrase is needed when connecting with disql
Verifying - Enter pass phrase for client_ssl/SYSDBA/client-key.pem: # enter it again
# -aes256 encrypts the generated private key with AES
2: Generate the certificate signing request
[root@localhost ca]# openssl req -new -key client_ssl/SYSDBA/client-key.pem -out client_ssl/SYSDBA/client.csr -subj "/C=cn/ST=hunan/L=changsha/O=dameng/OU=dev/CN=SYSDBA/emailAddress=dmclient@dm.com"
Enter pass phrase for client_ssl/SYSDBA/client-key.pem: # Enter the passphrase set when the private key was generated in the previous step
3: Produce the certificate from the root certificate and the signing request
[root@localhost ca]# openssl ca -days 365 -in client_ssl/SYSDBA/client.csr -out client_ssl/SYSDBA/client-cert.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /opt/ca/ca-key.pem: # Enter the CA private key passphrase set at the very beginning, 123456
Check that the request matches the signature
Signature ok
Certificate Details:
    Serial Number: 2 (0x2)
    Validity
        Not Before: Aug 11 09:39:23 2021 GMT
        Not After : Aug 11 09:39:23 2022 GMT
    Subject:
        countryName = cn
        stateOrProvinceName = hunan
        organizationName = dameng
        organizationalUnitName = dev
        commonName = SYSDBA
        emailAddress = dmclient@dm.com
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        Netscape Comment:
            OpenSSL Generated Certificate
        X509v3 Subject Key Identifier:
            E1:BB:5E:A0:E6:7C:38:40:FD:BB:6B:B8:2E:6E:2C:46:1C:E3:AF:1C
        X509v3 Authority Key Identifier:
            keyid:61:05:BE:3F:A9:DE:2D:9A:7F:2A:BA:0E:45:97:47:5B:E8:0C:D7:7E
Certificate is to be certified until Aug 11 09:39:23 2022 GMT (365 days)
Sign the certificate? [y/n]:y # enter y
1 out of 1 certificate requests certified, commit? [y/n]y # enter y
Write out database with 1 new entries
Data Base Updated
4: Combine the X.509 client-key.pem and client-cert.pem into the PKCS#12 file client-pkcs.p12
[root@localhost ca]# openssl pkcs12 -export -inkey client_ssl/SYSDBA/client-key.pem -in client_ssl/SYSDBA/client-cert.pem -out client_ssl/SYSDBA/client-pkcs.p12
Enter pass phrase for client_ssl/SYSDBA/client-key.pem: # Enter the client private key passphrase set earlier (dameng)
Enter Export Password: # Set the export password; abc123 is used in this test
Verifying - Enter Export Password: # enter it again
5: Generate the .keystore file needed for JDBC access: import all certificates into the keystore file and set the keystore password to abc123 (-deststorepass)
[root@localhost ca]# keytool -import -alias ca -trustcacerts -file ca-cert.pem -keystore client_ssl/SYSDBA/.keystore -deststorepass abc123 -noprompt
Certificate was added to keystore
[root@localhost ca]# keytool -import -alias server -trustcacerts -file server_ssl/server.cer -keystore client_ssl/SYSDBA/.keystore -deststorepass abc123 -noprompt
Certificate was added to keystore
[root@localhost ca]# keytool -importkeystore -srckeystore client_ssl/SYSDBA/client-pkcs.p12 -srcstorepass abc123 -srcstoretype PKCS12 -keystore client_ssl/SYSDBA/.keystore -deststorepass abc123
Importing keystore client_ssl/SYSDBA/client-pkcs.p12 to client_ssl/SYSDBA/.keystore...
Entry for alias 1 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Warning: The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12, which is an industry standard format, using "keytool -importkeystore -srckeystore client_ssl/SYSDBA/.keystore -destkeystore client_ssl/SYSDBA/.keystore -deststoretype pkcs12".
Run the command from the warning above (optional):
[root@localhost ca]# keytool -importkeystore -srckeystore client_ssl/SYSDBA/.keystore -destkeystore client_ssl/SYSDBA/.keystore -deststoretype pkcs12
Enter source keystore password: # Enter the export password set earlier, abc123
Entry for alias ca successfully imported.
Entry for alias 1 successfully imported.
Entry for alias server successfully imported.
Import command completed: 3 entries successfully imported, 0 entries failed or cancelled
Warning: Migrated "client_ssl/SYSDBA/.keystore" to Non JKS/JCEKS. The JKS keystore is backed up as "client_ssl/SYSDBA/.keystore.old".
6: Copy the CA's self-signed certificate into the client_ssl/SYSDBA directory
[root@localhost ca]# cp ca-cert.pem client_ssl/SYSDBA/
[root@localhost ca]# ls -la client_ssl/SYSDBA/
drwxr-xr-x 2 root root 128 Aug 11 18:07 .
drwxr-xr-x 3 root root 20 Aug 11 16:54 ..
-rw-r--r-- 1 root root 1383 Aug 11 18:07 ca-cert.pem
-rw-r--r-- 1 root root 4546 Aug 11 17:39 client-cert.pem
-rw-r--r-- 1 root root 1037 Aug 11 17:37 client.csr
-rw------- 1 root root 1766 Aug 11 17:34 client-key.pem
-rw------- 1 root root 2589 Aug 11 17:49 client-pkcs.p12
-rw-r--r-- 1 root root 4363 Aug 11 18:06 .keystore
6: Deploy the server side. Copy the whole /opt/ca/server_ssl directory into the bin directory under the Dameng installation directory. A server_ssl directory already exists in bin by default; rename the default one first, then copy.
[root@localhost ca]# cd /home/dmdba/dmdbms/bin
[root@localhost bin]# mv server_ssl server_ssl_bak2
[root@localhost bin]# cp /opt/ca/server_ssl ./ -r
[root@localhost bin]# chmod -R 777 server_ssl
[root@localhost bin]# ll server_ssl
-rwxrwxrwx 1 root root 1383 Aug 11 18:11 ca-cert.pem
-rwxrwxrwx 1 root root 1854 Aug 11 18:11 ca-key.pem
-rwxrwxrwx 1 root root 1395 Aug 11 18:11 server.cer
-rwxrwxrwx 1 root root 4544 Aug 11 18:11 server-cert.pem
-rwxrwxrwx 1 root root 1033 Aug 11 18:11 server.csr
-rwxrwxrwx 1 root root 1675 Aug 11 18:11 server-key.pem
chmod -R 777 is the quick way out of a permission problem, but it leaves server-key.pem (and the copied CA key) readable and writable by every local account. The database process only needs to read the files, so giving the directory to the account it runs as (dmdba here) with chown -R and keeping the key files at mode 600 is sufficient and far safer.
7: Deploy the client
Copy the whole /opt/ca/client_ssl directory to the client machine. On a Linux machine pay attention to directory permissions; the simplest fix is to set the whole directory to 777: chmod 777 -R client_ssl. The same caveat as for the server applies: it is enough for the directory to belong to the OS user who runs the client, with client-key.pem, client-pkcs.p12 and .keystore at mode 600. If the database is accessed over JDBC, the .keystore file is used; if over ODBC or any other interface, the three files ca-cert.pem, client-cert.pem and client-key.pem are used.
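The certificate procedure above (steps 1 to 5) and the deployment steps (6 and 7) condensed into one script, as an added example that is not code from this page or from Dameng. It reproduces the same CA -> server -> client flow non-interactively and then runs the checks a server_ssl or client_ssl/<USER> directory should pass before it is copied anywhere: the certificate chains to ca-cert.pem, the private key really belongs to the certificate, the key is not readable by group or others, the certificate is not about to expire, and (for a client directory) the certificate CN equals the directory name, which is the page's convention for the DM login user. Everything in it is an assumption of the example rather than the page: the private ca.cnf written to a temp directory instead of edits to /etc/pki/tls/openssl.cnf, the shortened subjects, the CA:TRUE/keyUsage extensions on the root, and the function names (init_ca, issue_cert, make_client, check_pair, verify_client_dir). The passphrases default to the page's test values and are not suitable for production.

```shell
#!/bin/sh
# Added example, not code from the page or from Dameng: the CA -> server -> client procedure above,
# scripted without prompts, plus the checks a server_ssl / client_ssl/<USER> directory should pass
# before it is copied to the DM host or client. Deliberate differences from the page: a private
# ca.cnf instead of editing /etc/pki/tls/openssl.cnf, -batch/-passin/-passout instead of prompts,
# -notext so the signed certificate is bare PEM (what the page's later "openssl x509" step yields),
# and CA:TRUE/keyUsage extensions on the root. Passphrases, subjects and paths are example values.
set -eu
CA_PASS="${CA_PASS:-123456}"; CLIENT_PASS="${CLIENT_PASS:-dameng}"; P12_PASS="${P12_PASS:-abc123}"

write_ca_config() {   # $1 = absolute CA root; the page's CA_default keys trimmed to what signing needs
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/ca-cert.pem
private_key = \$dir/ca-key.pem
default_md = sha256
policy = policy_loose
x509_extensions = usr_cert
[ policy_loose ]
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
}

init_ca() {           # $1 = CA root. Steps 2 and 3: directories, serial, index, encrypted CA key, root cert
    mkdir -p "$1/newcerts" "$1/server_ssl" "$1/client_ssl"
    echo 01 > "$1/serial"; : > "$1/index.txt"
    write_ca_config "$1"
    openssl req -new -x509 -newkey rsa:2048 -days 3650 -config "$1/ca.cnf" -extensions v3_ca \
        -passout "pass:$CA_PASS" -keyout "$1/ca-key.pem" -out "$1/ca-cert.pem" -subj "/O=dameng/CN=lw" 2>/dev/null
}

# issue_cert CA_ROOT OUTDIR BASENAME CN DAYS KEYPASS   (empty KEYPASS = unencrypted key, as the page does for the server)
issue_cert() {
    ca=$1; out=$2; n=$3; cn=$4; days=$5; kp=$6
    mkdir -p "$out"
    if [ -n "$kp" ]; then openssl genrsa -aes256 -passout "pass:$kp" -out "$out/$n-key.pem" 2048 2>/dev/null
    else openssl genrsa -out "$out/$n-key.pem" 2048 2>/dev/null; fi
    chmod 600 "$out/$n-key.pem"
    openssl req -new -config "$ca/ca.cnf" -key "$out/$n-key.pem" -passin "pass:$kp" -out "$out/$n.csr" -subj "/O=dameng/CN=$cn"
    openssl ca -config "$ca/ca.cnf" -batch -notext -days "$days" -passin "pass:$CA_PASS" \
        -in "$out/$n.csr" -out "$out/$n-cert.pem" 2>/dev/null
    cp "$ca/ca-cert.pem" "$out/"   # each deployment directory gets the CA certificate; the CA *key* stays in the CA root
}

make_client() {       # $1 = CA root, $2 = DM user name. Step 5: directory named after the user, CN = user, PKCS#12 for JDBC
    issue_cert "$1" "$1/client_ssl/$2" client "$2" 365 "$CLIENT_PASS"
    openssl pkcs12 -export -inkey "$1/client_ssl/$2/client-key.pem" -passin "pass:$CLIENT_PASS" \
        -in "$1/client_ssl/$2/client-cert.pem" -out "$1/client_ssl/$2/client-pkcs.p12" -passout "pass:$P12_PASS"
}

# check_pair CERT KEY KEYPASS CACERT: cert chains to CACERT, KEY is the cert's key, KEY is unreadable to group/others,
# and the cert has more than 30 days left. Returns 1 with a reason on the first failure.
check_pair() {
    openssl verify -CAfile "$4" "$1" >/dev/null 2>&1 || { echo "FAIL $1: not issued by $4"; return 1; }
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -passin "pass:$3" -pubout 2>/dev/null)" ] \
        || { echo "FAIL $1: private key $2 does not match"; return 1; }
    [ "$(ls -ld "$2" | cut -c5-10)" = "------" ] || { echo "FAIL $2: readable by group or others (use chmod 600, not 777)"; return 1; }
    openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null || { echo "FAIL $1: expires within 30 days"; return 1; }
}

# verify_client_dir DIR KEYPASS: a client_ssl/<USER> directory is deployable when check_pair passes and the
# certificate CN equals the directory name (the page's convention: directory name = DM login user = CN).
verify_client_dir() {
    check_pair "$1/client-cert.pem" "$1/client-key.pem" "$2" "$1/ca-cert.pem" || return 1
    cn=$(openssl x509 -in "$1/client-cert.pem" -noout -subject -nameopt multiline | sed -n 's/^ *commonName *= *//p')
    [ "$cn" = "$(basename "$1")" ] || { echo "FAIL $1: CN '$cn' differs from directory name"; return 1; }
    echo "OK $1"
}

if [ "${1:-}" = demo ]; then   # sh dm_ssl_ca.sh demo  -> builds everything under a temp dir and checks it
    root=$(mktemp -d)
    init_ca "$root"
    issue_cert "$root" "$root/server_ssl" server server 3650 ""
    make_client "$root" SYSDBA
    check_pair "$root/server_ssl/server-cert.pem" "$root/server_ssl/server-key.pem" "" "$root/ca-cert.pem" && echo "OK $root/server_ssl"
    verify_client_dir "$root/client_ssl/SYSDBA" "$CLIENT_PASS"
fi
```

Run it as sh dm_ssl_ca.sh demo to build a throwaway CA, or source it and point verify_client_dir at a real /opt/ca/client_ssl/<USER> directory before copying that directory to a client. The keystore step is unchanged from the page: feed client-pkcs.p12 and ca-cert.pem to keytool exactly as shown above. The checks are deliberately the ones that fail silently in practice: a client directory copied under the wrong user name, a certificate from a stale CA, a key re-generated without re-issuing the certificate, and a 777 key left behind by a hurried deployment.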
2: Enable SSL authentication on the database
SF_SET_SYSTEM_PARA_VALUE('COMM_ENCRYPT_NAME','RC4',1,2);
SF_SET_SYSTEM_PARA_VALUE('ENABLE_ENCRYPT',2,1,2);
The database service must be restarted after these calls. COMM_ENCRYPT_NAME selects the cipher for the client-server channel; RC4 is a broken stream cipher, so if the DM release in use offers an AES-based algorithm for this parameter, prefer it over RC4.
3: Logging in with the disql tool
[dmdba@localhost bin]$ ./disql SYSDBA/SYSDBA@192.168.15.35:5236#"{SSL_PATH=/opt/ca/client_ssl/SYSDBA,SSL_PWD=dameng}"
Server [192.168.15.35:5236]: in normal open state
Login time used : 10.115(ms)
disql V8
SQL>
### Or:
[dmdba@localhost bin]$ ./disql /nolog
disql V8
SQL> login
Service name:192.168.15.35
Username:SYSDBA
Password:
SSL path:/opt/ca/client_ssl/SYSDBA
SSL password:
UKEY name:
UKEY PIN:
MPP type:
Read/write split (y/n):
Protocol type:
Server [192.168.15.35:5236]: in normal open state
Login time used : 9.059(ms)
SQL>