Configuring SSL for the Dameng (DM) Database

zero 2024/03/22

1. Environment

Operating system:

[root@cqsrmjcy-cjstjcghlw02 ~]# cat /etc/os-release 
NAME="Kylin Linux Advanced Server"
VERSION="V10 (Sword)"
ID="kylin"
VERSION_ID="V10"
PRETTY_NAME="Kylin Linux Advanced Server V10 (Sword)"
ANSI_COLOR="0;31"

OpenSSL version:

[root@cqsrmjcy-cjstjcghlw02 ~]# openssl  version 
OpenSSL 1.1.1f  31 Mar 2020

Java version:

[root@cqsrmjcy-cjstjcghlw02 ~]# java -version 
openjdk version "1.8.0_342"
OpenJDK Runtime Environment Bisheng (build 1.8.0_342-b07)
OpenJDK 64-Bit Server VM Bisheng (build 25.342-b07, mixed mode)

2. Configure the server private key and certificate

1) Point the CA directory at /opt/ca: edit the [ CA_default ] section of openssl.cnf (the transcript below shows it is /etc/pki/tls/openssl.cnf on this host) as follows

[ CA_default ]

dir             = /opt/ca               # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certs with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/ca-cert.pem      # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/ca-key.pem       # The private key

2) Create the directories

[root@cqsrmjcy-cjstjcghlw02 tls]# cd /opt/
[root@cqsrmjcy-cjstjcghlw02 opt]# mkdir ca 
[root@cqsrmjcy-cjstjcghlw02 opt]# mkdir {certs,crl,newcerts}
[root@cqsrmjcy-cjstjcghlw02 opt]# echo "01" > serial
[root@cqsrmjcy-cjstjcghlw02 opt]# touch index.txt
[root@cqsrmjcy-cjstjcghlw02 opt]# mkdir server_ssl
[root@cqsrmjcy-cjstjcghlw02 opt]# mkdir client_ssl
[root@cqsrmjcy-cjstjcghlw02 opt]# mkdir -p client_ssl/SYSDBA

3) Generate the CA private key and root certificate, then sign the server certificate
This step sets the storage pass phrase ceshi123 on the private key created on the server side (/opt/ca/ca-key.pem); it is needed again when the client certificate is generated.

[root@cqsrmjcy-cjstjcghlw02 ca]# openssl req -new -key server_ssl/server-key.pem -out server_ssl/server.csr -subj "/C=cn/ST=hunan/L=changsha/O=dameng/OU=dev/CN=server/emailAddress=server@dm.com"
[root@cqsrmjcy-cjstjcghlw02 ca]# openssl ca -days 3650 -in server_ssl/server.csr -out server_ssl/server-cert.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /opt/ca/ca-key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar 21 06:35:45 2024 GMT
            Not After : Mar 19 06:35:45 2034 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = hunan
            organizationName          = dameng
            organizationalUnitName    = dev
            commonName                = server
            emailAddress              = server@dm.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                14:0E:65:CB:46:D0:71:D7:17:F7:F9:39:3D:5C:9E:51:82:E8:6C:E7
            X509v3 Authority Key Identifier: 
                keyid:E7:B7:B3:3D:AC:45:2D:08:34:B0:7D:52:4D:AE:4C:DA:D8:D3:5A:32

Certificate is to be certified until Mar 19 06:35:45 2034 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@cqsrmjcy-cjstjcghlw02 ca]# openssl x509 -in server_ssl/server-cert.pem -out server_ssl/server.cer
[root@cqsrmjcy-cjstjcghlw02 ca]# cp ca-cert.pem server_ssl/
[root@cqsrmjcy-cjstjcghlw02 ca]# cp ca-key.pem server_ssl/


3. Generate the client private key and certificate

Under client_ssl, create a directory named after the database user to hold that user's files;
for the SYSDBA user, for example, run mkdir -p SYSDBA.
The pass phrase set on the client private key here is the password that disql, ODBC and similar clients supply when connecting (SSL_PWD in the disql example below).

[root@cqsrmjcy-cjstjcghlw02 ca]# openssl genrsa -aes256 -out client_ssl/SYSDBA/client-key.pem
Generating RSA private key, 2048 bit long modulus (2 primes)
...............................+++++
......................+++++
e is 65537 (0x010001)
Enter pass phrase for client_ssl/SYSDBA/client-key.pem:  # test123
Verifying - Enter pass phrase for client_ssl/SYSDBA/client-key.pem: # test123
[root@cqsrmjcy-cjstjcghlw02 ca]# openssl req -new -key client_ssl/SYSDBA/client-key.pem -out client_ssl/SYSDBA/client.csr -subj "/C=cn/ST=hunan/L=changsha/O=dameng/OU=dev/CN=SYSDBA/emailAddress=dmclient@dm.com"
Enter pass phrase for client_ssl/SYSDBA/client-key.pem: test123
[root@cqsrmjcy-cjstjcghlw02 ca]# openssl ca -days 3650 -in client_ssl/SYSDBA/client.csr -out client_ssl/SYSDBA/client-cert.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /opt/ca/ca-key.pem: # the pass phrase of the private key created on the server side, ceshi123
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Mar 21 06:42:07 2024 GMT
            Not After : Mar 19 06:42:07 2034 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = hunan
            organizationName          = dameng
            organizationalUnitName    = dev
            commonName                = SYSDBA
            emailAddress              = dmclient@dm.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                80:B2:56:C1:EF:D3:49:E1:ED:CF:C7:25:F0:F9:8E:F2:7E:28:9F:5D
            X509v3 Authority Key Identifier: 
                keyid:E7:B7:B3:3D:AC:45:2D:08:34:B0:7D:52:4D:AE:4C:DA:D8:D3:5A:32

Certificate is to be certified until Mar 19 06:42:07 2034 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@cqsrmjcy-cjstjcghlw02 ca]# openssl pkcs12 -export -inkey client_ssl/SYSDBA/client-key.pem -in client_ssl/SYSDBA/client-cert.pem -out client_ssl/SYSDBA/client-pkcs.p12
Enter pass phrase for client_ssl/SYSDBA/client-key.pem: # test123 here
Enter Export Password:    # set the export password here
Verifying - Enter Export Password:
# Generate the .keystore file used for JDBC access; its password is Hva@a6d1T
[root@cqsrmjcy-cjstjcghlw02 ca]# keytool -import -alias ca -trustcacerts -file ca-cert.pem -keystore client_ssl/SYSDBA/.keystore -deststorepass Hva@a6d1T -noprompt
Certificate was added to keystore
[root@cqsrmjcy-cjstjcghlw02 ca]# keytool -import -alias server -trustcacerts -file server_ssl/server.cer -keystore client_ssl/SYSDBA/.keystore -deststorepass Hva@a6d1T -noprompt
Certificate was added to keystore
[root@cqsrmjcy-cjstjcghlw02 ca]# keytool -importkeystore -srckeystore client_ssl/SYSDBA/client-pkcs.p12 -srcstorepass Hva@a6d1T -srcstoretype PKCS12 -keystore client_ssl/SYSDBA/.keystore  -deststorepass Hva@a6d1T
Importing keystore client_ssl/SYSDBA/client-pkcs.p12 to client_ssl/SYSDBA/.keystore...
Entry for alias 1 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore client_ssl/SYSDBA/.keystore -destkeystore client_ssl/SYSDBA/.keystore -deststoretype pkcs12".
[root@cqsrmjcy-cjstjcghlw02 ca]# cp ca-cert.pem client_ssl/SYSDBA/
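The CA, server and per-user client material from sections 2 and 3, as an added shell script that is not part of the original post: it lays out the CA directory from the [ CA_default ] settings above, supplies the CA-key, root-certificate and server-key commands the transcript omits, and ends each issuance with an openssl verify check. It signs with openssl x509 -req rather than openssl ca, so it needs no openssl.cnf edit; the CA directory, the dmca CN and the pass phrases are assumptions (the post's test values where it gives them).

```shell
#!/bin/sh
# Added example, not commands from the original post. Recreates the /opt/ca layout
# the post describes and fills in the steps its transcript omits (CA key, root cert,
# server key). Pass phrases and the dmca CN are assumed/test values, not production.
set -eu
CA_PASS="${CA_PASS:-ceshi123}"    # pass phrase on ca-key.pem (the post's value)
DN_BASE="/C=cn/ST=hunan/L=changsha/O=dameng/OU=dev"

# Layout from the post's [ CA_default ]: everything lives under the CA dir itself.
# (The post's transcript runs its mkdir/echo/touch from /opt, one level too high.)
setup_ca_dirs() {
  mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/server_ssl" "$1/client_ssl"
  [ -f "$1/serial" ] || echo 01 > "$1/serial"
  touch "$1/index.txt"
}

# CA key and self-signed root: the two commands the post's transcript omits.
make_ca() {
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$1/ca-key.pem" 2048
  openssl req -x509 -new -days 3650 -key "$1/ca-key.pem" -passin "pass:$CA_PASS" \
    -subj "$DN_BASE/CN=dmca" -out "$1/ca-cert.pem"
}

# issue_cert CA_DIR OUT_DIR CN KEY_PASS NAME: key, CSR and CA-signed cert as
# OUT_DIR/NAME-{key,cert}.pem plus a copy of ca-cert.pem. For a DM client
# certificate CN must equal the database user name (SYSDBA, DMTEST, ...).
issue_cert() {
  ca="$1"; out="$2"; cn="$3"; pass="$4"; name="$5"
  mkdir -p "$out"
  openssl genrsa -aes256 -passout "pass:$pass" -out "$out/$name-key.pem" 2048
  openssl req -new -key "$out/$name-key.pem" -passin "pass:$pass" \
    -subj "$DN_BASE/CN=$cn" -out "$out/$name.csr"
  openssl x509 -req -days 3650 -in "$out/$name.csr" -CA "$ca/ca-cert.pem" \
    -CAkey "$ca/ca-key.pem" -passin "pass:$CA_PASS" -CAserial "$ca/serial" \
    -out "$out/$name-cert.pem"
  cp "$ca/ca-cert.pem" "$out/"
  # The check the post never runs: the issued cert must chain to ca-cert.pem.
  openssl verify -CAfile "$ca/ca-cert.pem" "$out/$name-cert.pem" >/dev/null
}

# build_pki CA_DIR USER USER_PASS: CA, server_ssl/ for the DM server and
# client_ssl/USER/ for one database user, in one go.
build_pki() {
  setup_ca_dirs "$1"
  make_ca "$1"
  issue_cert "$1" "$1/server_ssl" server "$CA_PASS" server
  issue_cert "$1" "$1/client_ssl/$2" "$2" "$3" client
}

build_pki "${1:-/tmp/dm-ca}" "${2:-SYSDBA}" "${3:-test123}"
```

The keytool steps above for the JDBC .keystore are unchanged and run against the client_ssl/<user>/ directory this produces.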


4. Enable SSL authentication

Copy the generated server_ssl directory to dmdbms/bin.
Set ENABLE_ENCRYPT=1 or 2 in dm.ini.

5. Deploy the client certificate

Copy client_ssl to the corresponding client host.

6. Connection test

[dmdba@cqsrmjcy-cjstjcghlw02 ~]$ disql DMTEST/123456789@10.168.53.5:5236#"{SSL_PATH=/opt/ca/client_ssl/DMTEST,SSL_PWD=dmtest123}"

Server[10.168.53.5:5236]:mode is normal, state is open
login used time : 12.886(ms)
disql V8
SQL> 


Java connection test
Compile:
/home/dmdba/dmdbms/jdk/bin/javac -cp /home/dmdba/dmdbms/drivers/jdbc/DmJdbcDriver18.jar dmDemo.java
Run:
/home/dmdba/dmdbms/jdk/bin/java -cp .:/home/dmdba/dmdbms/drivers/jdbc/DmJdbcDriver18.jar dmDemo
连接数据库...
 实例化Statement对象...
ID: 1
Goodbye!
Test Java code:
[root@cqsrmjcy-cjstjcghlw02 tmp]# cat dmDemo.java 
import java.sql.*;

public class dmDemo {

    static final String JDBC_DRIVER = "dm.jdbc.driver.DmDriver";
    // sslFilesPath is the per-user client_ssl directory; sslKeystorePass is the
    // password given to keytool when the .keystore in that directory was built.
    static final String DB_URL = "jdbc:dm://10.168.53.5:5236?sslFilesPath=/opt/ca/client_ssl/DMTEST&sslKeystorePass=Hva@a6d1T";
    static final String USER = "DMTEST";
    static final String PASS = "123456789";

    public static void main(String[] args) {
        try {
            Class.forName(JDBC_DRIVER);
            System.out.println("连接数据库...");
            // try-with-resources closes the result set, statement and connection
            // in reverse order, on success and on error alike.
            try (Connection conn = DriverManager.getConnection(DB_URL, USER, PASS);
                 Statement stmt = conn.createStatement()) {
                System.out.println(" 实例化Statement对象...");
                String sql = "select 1 ID from dual;";
                try (ResultSet rs = stmt.executeQuery(sql)) {
                    while (rs.next()) {
                        int id = rs.getInt("id");
                        System.out.println("ID: " + id);
                    }
                }
            }
        } catch (SQLException se) {
            se.printStackTrace();
        } catch (ClassNotFoundException e) {
            // the DM JDBC driver jar is missing from the classpath
            e.printStackTrace();
        }
        System.out.println("Goodbye!");
    }
}

