Oracle Linux 7.1: Setting WebLogic to Start at Boot with systemctl

1 Overview
Auto-start at boot is configured with systemctl, the command-line tool that controls systemd, the system and service manager. systemd is a collection of system-management daemons, utilities and libraries that replaces the System V init process and gives Unix-like systems a single place to manage and configure services.

2 Environment
Operating system: Oracle Linux 7.1
systemctl --version: systemd 208
WebLogic version: 12.2.1.3.0
3 Writing the service unit file
3.1 AdminServer unit file
Create the unit as root in /etc/systemd/system (the directory shown in the prompt, and the one systemctl enable later links from). The service runs as the unprivileged weblogic user that owns the domain directory; do not run it as root.

[root@localhost system]# vi weblogic.service
[Unit]
Description=WebLogic AdminServer Service
# the AdminServer binds a fixed listen address, so start after networking is up
After=network.target
[Service]
Type=simple
WorkingDirectory=/weblogic/Oracle/Middleware/user_projects/domains/base_domain
ExecStart=/weblogic/Oracle/Middleware/user_projects/domains/base_domain/bin/startWebLogic.sh
# stopWebLogic.sh shuts the server down through WLST instead of a bare SIGTERM
ExecStop=/weblogic/Oracle/Middleware/user_projects/domains/base_domain/bin/stopWebLogic.sh
# unprivileged service account that owns the domain directory
User=weblogic
Group=weblogic
[Install]
WantedBy=multi-user.target

3.2 Redirect the WebLogic console output to ${DOMAIN_HOME}/admin.log by appending >"${DOMAIN_HOME}/admin.log" 2>&1 to the java launch line in startWebLogic.sh. Two caveats: the > redirection truncates the file on every start and nothing rotates it, so watch disk usage (the server's own AdminServer.log is rotated by WebLogic); and under systemd the script's stdout and stderr already go to the journal, so the redirect is only needed if you want a plain file. The else branch is taken when WLS_REDIRECT_LOG is set, so it keeps redirecting to that variable as the stock script does.

[weblogic@localhost bin]$ vi startWebLogic.sh
if [ "${WLS_REDIRECT_LOG}" = "" ] ; then
        echo "Starting WLS with line:"
        echo "${JAVA_HOME}/bin/java ${JAVA_VM} ${MEM_ARGS} ${LAUNCH_ARGS} -Dweblogic.Name=${SERVER_NAME} -Djava.security.policy=${WLS_POLICY_FILE} ${JAVA_OPTIONS} ${PROXY_SETTINGS} ${SERVER_CLASS}"
        # console output (stdout and stderr) goes to a file in the domain directory
        ${JAVA_HOME}/bin/java ${JAVA_VM} ${MEM_ARGS} ${LAUNCH_ARGS} -Dweblogic.Name=${SERVER_NAME} -Djava.security.policy=${WLS_POLICY_FILE} ${JAVA_OPTIONS} ${PROXY_SETTINGS} ${SERVER_CLASS} >"${DOMAIN_HOME}/admin.log" 2>&1
else
        echo "Redirecting output from WLS window to ${WLS_REDIRECT_LOG}"
        ${JAVA_HOME}/bin/java ${JAVA_VM} ${MEM_ARGS} ${LAUNCH_ARGS} -Dweblogic.Name=${SERVER_NAME} -Djava.security.policy=${WLS_POLICY_FILE} ${JAVA_OPTIONS} ${PROXY_SETTINGS} ${SERVER_CLASS} >"${WLS_REDIRECT_LOG}" 2>&1
fi

3.3 Check that the unit file is recognized
systemctl list-unit-files reads the unit directories directly, so a newly created file shows up at once. After editing a unit that systemd has already loaded, run systemctl daemon-reload so the change takes effect.

[root@localhost system]# systemctl list-unit-files|grep weblogic
weblogic.service                            disabled
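As an added example (not part of the original post), the following shell function checks the unit file for what list-unit-files does not: that it runs as a non-root user, that ExecStart and ExecStop are absolute paths, that it is ordered after networking, and that it has an [Install] target for systemctl enable to link. The directive names are standard systemd; the file path is whatever you pass in.

```shell
#!/bin/sh
# Added example, not part of the original post: lint a WebLogic systemd unit
# for least privilege and start-up ordering. The directive names are standard
# systemd; the unit path is whatever the caller passes in. Findings are printed
# one per line and the return value is the number of findings, so the function
# can gate a deployment script.

unit_value() {            # unit_value FILE KEY -> value of the last "KEY=value" line
    awk -F= -v key="$2" '$1 == key { v = substr($0, length(key) + 2) } END { print v }' "$1"
}

audit_wls_unit() {        # audit_wls_unit FILE ; returns number of findings (0 = clean)
    f=$1
    n=0

    # 1. Never run the JVM as root: it only needs its own domain directory.
    user=$(unit_value "$f" User)
    if [ -z "$user" ] || [ "$user" = root ]; then
        echo "FINDING: User= is missing or root (got '${user:-unset}')"
        n=$((n + 1))
    fi

    # 2. ExecStart/ExecStop must be absolute paths; systemd rejects relative ones.
    for key in ExecStart ExecStop; do
        cmd=$(unit_value "$f" "$key")
        case $cmd in
            /*) ;;
            *)  echo "FINDING: $key= is missing or not an absolute path (got '$cmd')"
                n=$((n + 1)) ;;
        esac
    done

    # 3. The AdminServer binds a fixed listen address, so order after networking.
    after=$(unit_value "$f" After)
    case " $after " in
        *" network.target "*|*" network-online.target "*) ;;
        *)  echo "FINDING: no After=network.target; the JVM may bind before the address exists"
            n=$((n + 1)) ;;
    esac

    # 4. Without WantedBy=, 'systemctl enable' has no target to link the unit into.
    if [ -z "$(unit_value "$f" WantedBy)" ]; then
        echo "FINDING: [Install] section has no WantedBy="
        n=$((n + 1))
    fi

    return "$n"
}

# Usage: audit_wls_unit /etc/systemd/system/weblogic.service
```

The function deliberately returns the finding count rather than printing a summary, so a provisioning script can stop on a non-zero result before it runs systemctl enable.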

3.4 Disabling the firewall and SELinux
The original procedure disables both, as shown below. Nothing on this page requires either step: no SELinux denial is recorded anywhere in the transcript, and firewalld only needs the AdminServer listen port (7001/tcp here) opened in the zone of the server's interface. On any host that is not a throwaway lab machine, keep SELinux enforcing and add a firewalld rule for that one port instead of stopping the service. The commands are kept below as the author ran them.
[root@localhost system]# setenforce 0
[root@localhost system]# sed -i "/^SELINUX=/s#enforcing#disabled#" /etc/selinux/config
[root@localhost system]# cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@localhost system]# systemctl is-enabled firewalld
enabled
[root@localhost system]# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Fri 2023-03-31 14:11:15 CST; 1h 16min ago
 Main PID: 602 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─602 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Mar 31 14:11:15 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
[root@localhost system]# systemctl stop firewalld
[root@localhost system]# systemctl disable firewalld
rm '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
rm '/etc/systemd/system/basic.target.wants/firewalld.service'
[root@localhost system]# systemctl is-enabled firewalld
disabled
[root@localhost system]# firewall-cmd --zone=public --list-ports
FirewallD is not running

4 Testing the service
4.1 Start the service

[root@localhost system]# systemctl start weblogic.service

[root@localhost base_domain]# tail -f admin.log
<Mar 31, 2023 3:56:09 PM CST> <Info> <Security> <BEA-090905> <Disabling the CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true.>
<Mar 31, 2023 3:56:09 PM CST> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG128 to HMACDRBG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true.>
<Mar 31, 2023 3:56:10 PM CST> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) 64-Bit Server VM Version 25.131-b11 from Oracle Corporation.>
<Mar 31, 2023 3:56:10 PM CST> <Info> <RCM> <BEA-2165021> <"ResourceManagement" is not enabled in this JVM. Enable "ResourceManagement" to use the WebLogic Server "Resource Consumption Management" feature. To enable "ResourceManagement", you must specify the following JVM options in the WebLogic Server instance in which the JVM runs: -XX:+UnlockCommercialFeatures -XX:+ResourceManagement.>
<Mar 31, 2023 3:56:10 PM CST> <Info> <Management> <BEA-141107> <Version: WebLogic Server 12.2.1.3.0 Thu Aug 17 13:39:49 PDT 2017 1882952>
<Mar 31, 2023 3:59:53 PM CST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING.>
<Mar 31, 2023 3:59:53 PM CST> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool.>
<Mar 31, 2023 3:59:53 PM CST> <Info> <WorkManager> <BEA-002942> <CMM memory level becomes 0. Setting standby thread pool size to 256.>
<Mar 31, 2023 4:01:39,810 PM CST> <Notice> <Log Management> <BEA-170019> <The server log file weblogic.logging.FileStreamHandler instance=460171696
Current log file=/weblogic/Oracle/Middleware/user_projects/domains/base_domain/servers/AdminServer/logs/AdminServer.log
Rotation dir=/weblogic/Oracle/Middleware/user_projects/domains/base_domain/servers/AdminServer/logs
is opened. All server side log events will be written to this file.>
<Mar 31, 2023 4:01:40,077 PM CST> <Notice> <Security> <BEA-090946> <Security pre-initializing using security realm: myrealm>
<Mar 31, 2023 4:01:40,771 PM CST> <Notice> <Security> <BEA-090947> <Security post-initializing using security realm: myrealm>
<Mar 31, 2023 4:01:41,826 PM CST> <Notice> <Security> <BEA-090082> <Security initialized using administrative security realm: myrealm>
<Mar 31, 2023 4:01:42,631 PM CST> <Notice> <JMX> <BEA-149512> <JMX Connector Server started at service:jmx:iiop://10.138.130.64:7001/jndi/weblogic.management.mbeanservers.runtime.>

4.2 Stop the service

[root@localhost system]# systemctl stop weblogic.service

5 Enable the service at boot

[root@localhost system]# systemctl enable weblogic.service
ln -s '/etc/systemd/system/weblogic.service' '/etc/systemd/system/multi-user.target.wants/weblogic.service'
[root@localhost system]# systemctl list-unit-files|grep weblogic
weblogic.service                            enabled

To undo:

[root@localhost system]# systemctl disable weblogic.service
rm '/etc/systemd/system/multi-user.target.wants/weblogic.service'
[root@localhost system]# systemctl list-unit-files|grep weblogic
weblogic.service                            disabled

6 Reboot the server and check that WebLogic starts automatically
The ps output below shows two JVMs owned by weblogic: the Derby network server, which the domain's bin/setDomainEnv.sh starts alongside the server because DERBY_FLAG defaults to true, and the AdminServer itself. If the embedded Derby database is not needed, set DERBY_FLAG=false in setDomainEnv.sh so that it is not started at boot.

[root@localhost system]# reboot

[root@localhost ~]# ps -ef | grep java
weblogic   721     1  0 16:13 ?        00:00:01 /usr/java/jdk1.8.0_131/bin/java -Dderby.system.home=/weblogic/Oracle/Middleware/user_projects/domains/base_domain/common/db -classpath /weblogic/Oracle/Middleware/wlserver/common/derby/lib/derby.jar:/weblogic/Oracle/Middleware/wlserver/common/derby/lib/derbynet.jar:/weblogic/Oracle/Middleware/wlserver/common/derby/lib/derbytools.jar:/weblogic/Oracle/Middleware/wlserver/common/derby/lib/derbyclient.jar org.apache.derby.drda.NetworkServerControl start
weblogic   722   645  6 16:13 ?        00:01:07 /usr/java/jdk1.8.0_131/bin/java -server -Xms256m -Xmx512m -XX:CompileThreshold=8000 -cp /weblogic/Oracle/Middleware/wlserver/server/lib/weblogic-launcher.jar -Dlaunch.use.env.classpath=true -Dweblogic.Name=AdminServer -Djava.security.policy=/weblogic/Oracle/Middleware/wlserver/server/lib/weblogic.policy -Djava.system.class.loader=com.oracle.classloader.weblogic.LaunchClassLoader -javaagent:/weblogic/Oracle/Middleware/wlserver/server/lib/debugpatch-agent.jar -da -Dwls.home=/weblogic/Oracle/Middleware/wlserver/server -Dweblogic.home=/weblogic/Oracle/Middleware/wlserver/server weblogic.Server
root      3094  3019  0 16:31 pts/0    00:00:00 grep --color=auto java

MySQL 5.7 InnoDB Tablespace Encryption

InnoDB Tablespace Encryption

InnoDB supports encryption of the data in InnoDB tables stored in file-per-table tablespaces. The feature provides encryption at rest for the physical tablespace data files.

InnoDB tablespace encryption uses a two-tier key architecture consisting of a master encryption key and per-tablespace keys. When an InnoDB table is encrypted, its tablespace key is itself encrypted and stored in the tablespace header. When an application or authenticated user accesses encrypted tablespace data, InnoDB uses the master encryption key to decrypt the tablespace key. The decrypted tablespace key never changes, but the master encryption key can be changed whenever required; that operation is called master key rotation.

The feature relies on a keyring plugin for master encryption key management.

All MySQL editions ship the keyring_file plugin, which stores the master key data in a keyring file at the location given by the keyring_file_data option.

In non-Enterprise editions, InnoDB tablespace encryption with the keyring_file plugin is not a compliance-grade solution: the master key sits in a file on the same host as the data it protects, whereas security standards such as PCI DSS and FIPS require that encryption keys be protected and managed in a key vault or hardware security module (HSM).

MySQL Enterprise Edition provides the keyring_okv plugin, which includes a KMIP 1.1 client that works with Oracle Key Vault (OKV) for encryption key management. When InnoDB tablespace encryption uses OKV for key management, the feature is called MySQL Enterprise Transparent Data Encryption (TDE).

A secure, robust key management solution such as OKV is critical both for security and for compliance with the various security standards. Among other benefits, a key vault ensures that keys are stored securely, are never lost, and are known only to authorized key administrators; it also keeps a history of encryption keys.

InnoDB tablespace encryption supports the AES (Advanced Encryption Standard) block cipher. It uses ECB (Electronic Codebook) mode to encrypt the tablespace keys and CBC (Cipher Block Chaining) mode to encrypt the data. CBC provides confidentiality only: it does not authenticate the ciphertext, so tampering with a data file is not detected by the encryption layer itself.

Prerequisites for InnoDB Tablespace Encryption

A keyring plugin (keyring_file or keyring_okv) must be installed and configured. The keyring plugin is installed at startup with the --early-plugin-load option; early loading ensures the plugin is available before the InnoDB storage engine initializes.

Only one keyring plugin can be enabled at a time; enabling multiple keyring plugins is not supported.

Once encrypted tables have been created in a MySQL instance, the keyring plugin that was loaded when they were created must continue to be loaded with --early-plugin-load, before InnoDB initializes. Failing to do so causes errors during startup and InnoDB recovery.

Enabling the keyring plugin at runtime (INSTALL PLUGIN makes it available for the current server lifetime only; the persistent early-plugin-load setting follows below)

mysql> INSTALL PLUGIN keyring_file soname 'keyring_file.so';
Query OK, 0 rows affected (0.09 sec)

Creating the keyring directory
The 775 mode used here gives the whole mysql group write access to the directory and lets every other user list it. Only mysqld needs access, so 700 is sufficient. The directory should also not be under the data directory (see the usage notes below).

[mysql@localhost ~]$ mkdir -p /mysqldata/mysql/mysql-keyring/
[mysql@localhost ~]$ chown -R mysql:mysql /mysqldata/mysql/mysql-keyring/
[mysql@localhost ~]$ chmod -R 775 /mysqldata/mysql/mysql-keyring/

Setting the keyring file path

mysql> set global keyring_file_data='/mysqldata/mysql/mysql-keyring/keyring';
Query OK, 0 rows affected (0.00 sec)

Making the settings persistent
Both steps above are in-memory only and are lost on restart. Put the settings in the server configuration file so that the plugin is loaded early, before InnoDB, on every start:

[mysqld]
early-plugin-load=keyring_file.so
keyring_file_data=/mysqldata/mysql/mysql-keyring/keyring

Checking the keyring file path

mysql> show global variables like '%keyring_file_data%';
+-------------------+----------------------------------------+
| Variable_name     | Value                                  |
+-------------------+----------------------------------------+
| keyring_file_data | /mysqldata/mysql/mysql-keyring/keyring |
+-------------------+----------------------------------------+
1 row in set (0.02 sec)

To verify that the keyring plugin is active, use SHOW PLUGINS or query INFORMATION_SCHEMA.PLUGINS, for example:

mysql> show plugins;
+----------------------------+----------+--------------------+-----------------+---------+
| Name                       | Status   | Type               | Library         | License |
+----------------------------+----------+--------------------+-----------------+---------+
| keyring_file               | ACTIVE   | KEYRING            | keyring_file.so | GPL     |
| binlog                     | ACTIVE   | STORAGE ENGINE     | NULL            | GPL     |
| mysql_native_password      | ACTIVE   | AUTHENTICATION     | NULL            | GPL     |
| sha256_password            | ACTIVE   | AUTHENTICATION     | NULL            | GPL     |
| CSV                        | ACTIVE   | STORAGE ENGINE     | NULL            | GPL     |
| MEMORY                     | ACTIVE   | STORAGE ENGINE     | NULL            | GPL     |
| InnoDB                     | ACTIVE   | STORAGE ENGINE     | NULL            | GPL     |
| INNODB_TRX                 | ACTIVE   | INFORMATION SCHEMA | NULL            | GPL     |
| INNODB_LOCKS               | ACTIVE   | INFORMATION SCHEMA | NULL            | GPL     |
| INNODB_LOCK_WAITS          | ACTIVE   | INFORMATION SCHEMA | NULL            | GPL     |
| INNODB_CMP                 | ACTIVE   | INFORMATION SCHEMA | NULL            | GPL     |
| INNODB_CMP_RESET           | ACTIVE   | INFORMATION SCHEMA | NULL            | GPL     |
| INNODB_CMPMEM              | ACTIVE   | INFORMATION SCHEMA | NULL            | GPL     |
| INNODB_CMPMEM_RESET        | ACTIVE   | INFORMATION SCHEMA | NULL            | GPL     |
| INNODB_CMP_PER_INDEX       | ACTIVE   | INFORMATION SCHEMA | NULL            | GPL     |
| INNODB_CMP_PER_INDEX_RESET | ACTIVE   | INFORMATION SCHEMA | NULL            | GPL     |
| INNODB_BUFFER_PAGE         | ACTIVE   | INFORMATION SCHEMA | NULL            | GPL     |
| INNODB_BUFFER_PAGE_LRU     | ACTIVE   | INFORMATION SCHEMA | NULL            | GPL     |
| INNODB_BUFFER_POOL_STATS   | ACTIVE   | INFORMATION SCHEMA | NULL            | GPL     |
| INNODB_TEMP_TABLE_INFO     | ACTIVE   | INFORMATION SCHEMA | NULL            | GPL     |
| INNODB_METRICS             | ACTIVE   | INFORMATION SCHEMA | NULL            | GPL     |
| INNODB_FT_DEFAULT_STOPWORD | ACTIVE   | INFORMATION SCHEMA | NULL            | GPL     |
| INNODB_FT_DELETED          | ACTIVE   | INFORMATION SCHEMA | NULL            | GPL     |
| INNODB_FT_BEING_DELETED    | ACTIVE   | INFORMATION SCHEMA | NULL            | GPL     |
| INNODB_FT_CONFIG           | ACTIVE   | INFORMATION SCHEMA | NULL            | GPL     |
| INNODB_FT_INDEX_CACHE      | ACTIVE   | INFORMATION SCHEMA | NULL            | GPL     |
| INNODB_FT_INDEX_TABLE      | ACTIVE   | INFORMATION SCHEMA | NULL            | GPL     |
| INNODB_SYS_TABLES          | ACTIVE   | INFORMATION SCHEMA | NULL            | GPL     |
| INNODB_SYS_TABLESTATS      | ACTIVE   | INFORMATION SCHEMA | NULL            | GPL     |
| INNODB_SYS_INDEXES         | ACTIVE   | INFORMATION SCHEMA | NULL            | GPL     |
| INNODB_SYS_COLUMNS         | ACTIVE   | INFORMATION SCHEMA | NULL            | GPL     |
| INNODB_SYS_FIELDS          | ACTIVE   | INFORMATION SCHEMA | NULL            | GPL     |
| INNODB_SYS_FOREIGN         | ACTIVE   | INFORMATION SCHEMA | NULL            | GPL     |
| INNODB_SYS_FOREIGN_COLS    | ACTIVE   | INFORMATION SCHEMA | NULL            | GPL     |
| INNODB_SYS_TABLESPACES     | ACTIVE   | INFORMATION SCHEMA | NULL            | GPL     |
| INNODB_SYS_DATAFILES       | ACTIVE   | INFORMATION SCHEMA | NULL            | GPL     |
| INNODB_SYS_VIRTUAL         | ACTIVE   | INFORMATION SCHEMA | NULL            | GPL     |
| MyISAM                     | ACTIVE   | STORAGE ENGINE     | NULL            | GPL     |
| MRG_MYISAM                 | ACTIVE   | STORAGE ENGINE     | NULL            | GPL     |
| PERFORMANCE_SCHEMA         | ACTIVE   | STORAGE ENGINE     | NULL            | GPL     |
| ARCHIVE                    | ACTIVE   | STORAGE ENGINE     | NULL            | GPL     |
| BLACKHOLE                  | ACTIVE   | STORAGE ENGINE     | NULL            | GPL     |
| FEDERATED                  | DISABLED | STORAGE ENGINE     | NULL            | GPL     |
| partition                  | ACTIVE   | STORAGE ENGINE     | NULL            | GPL     |
| ngram                      | ACTIVE   | FTPARSER           | NULL            | GPL     |
+----------------------------+----------+--------------------+-----------------+---------+

mysql> SELECT PLUGIN_NAME, PLUGIN_STATUS
    -> FROM INFORMATION_SCHEMA.PLUGINS
    -> WHERE PLUGIN_NAME LIKE 'keyring%';
+--------------+---------------+
| PLUGIN_NAME  | PLUGIN_STATUS |
+--------------+---------------+
| keyring_file | ACTIVE        |
+--------------+---------------+
1 row in set (0.00 sec)

The innodb_file_per_table option must be enabled (it is by default). InnoDB tablespace encryption only supports file-per-table tablespaces. Alternatively, you can specify TABLESPACE='innodb_file_per_table' when creating an encrypted table or altering an existing table to enable encryption.

mysql> show variables like '%innodb_file_per_table%';
+-----------------------+-------+
| Variable_name         | Value |
+-----------------------+-------+
| innodb_file_per_table | ON    |
+-----------------------+-------+
1 row in set (0.01 sec)

Before using InnoDB tablespace encryption on production data, make sure you have taken steps to prevent loss of the master encryption key. If the master encryption key is lost, the data stored in encrypted tablespace files cannot be recovered. If you use the keyring_file plugin, create a backup of the keyring file immediately after creating the first encrypted table, and before and after each master key rotation. The keyring file location is defined by the keyring_file_data option. If you use the keyring_okv plugin, make sure you have performed the required keyring_okv plugin and Oracle Key Vault (OKV) configuration.

Enabling and disabling InnoDB tablespace encryption

To enable encryption for a new InnoDB table, specify the ENCRYPTION option in the CREATE TABLE statement.

mysql> CREATE TABLE t1 (c1 INT) ENCRYPTION='Y';
Query OK, 0 rows affected (0.01 sec)

To enable encryption for an existing InnoDB table, specify the ENCRYPTION option in an ALTER TABLE statement (this is an ALGORITHM=COPY operation that rebuilds the table; see the limitations below).

mysql> alter table abc encryption='y';
Query OK, 1 row affected (0.04 sec)
Records: 1  Duplicates: 0  Warnings: 0

mysql> show create table abc;
+-------+-------------------------------------------------------------------------------------------------------------------------+
| Table | Create Table                                                                                                            |
+-------+-------------------------------------------------------------------------------------------------------------------------+
| abc   | CREATE TABLE `abc` (
  `a` int(11) NOT NULL,
  PRIMARY KEY (`a`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ENCRYPTION='y' |
+-------+-------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

To disable encryption for an InnoDB table, set ENCRYPTION='N' with ALTER TABLE:

mysql> alter table abc encryption='n';
Query OK, 1 row affected (0.02 sec)
Records: 1  Duplicates: 0  Warnings: 0

mysql> show create table abc;
+-------+-------------------------------------------------------------------------------------------------------------------------+
| Table | Create Table                                                                                                            |
+-------+-------------------------------------------------------------------------------------------------------------------------+
| abc   | CREATE TABLE `abc` (
  `a` int(11) NOT NULL,
  PRIMARY KEY (`a`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ENCRYPTION='n' |
+-------+-------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

InnoDB Tablespace Encryption and Master Key Rotation
The master encryption key should be rotated periodically, and whenever you suspect the key may have been compromised.

Master key rotation is an atomic, instance-level operation. Each time the master encryption key is rotated, all tablespace keys in the MySQL instance are re-encrypted and saved back to their respective tablespace headers. Because the operation is atomic, once rotation starts, all tablespace keys must be re-encrypted successfully. If master key rotation is interrupted by a server failure, InnoDB rolls the operation forward on server restart.

Rotating the master encryption key only changes the master key and re-encrypts the tablespace keys. It does not decrypt or re-encrypt the tablespace data itself.

To rotate the master encryption key, run the following statement. The keyring file grows after the rotation (from 155 to 283 bytes here) because a new master key has been written to it:

[root@localhost ~]# cd /mysqldata/mysql/mysql-keyring/
[root@localhost mysql-keyring]# ll
total 4
-rw-r-----. 1 mysql mysql 155 Mar  3 17:20 keyring

mysql> ALTER INSTANCE ROTATE INNODB MASTER KEY;
Query OK, 0 rows affected (0.00 sec)

[root@localhost mysql-keyring]# ll
total 4
-rw-r-----. 1 mysql mysql 283 Mar 10 15:58 keyring

ALTER INSTANCE ROTATE INNODB MASTER KEY supports concurrent DML. However, it cannot run concurrently with CREATE TABLE ... ENCRYPTION or ALTER TABLE ... ENCRYPTION operations; locks are taken to prevent conflicts that could arise from concurrent execution. If a conflicting statement is running, it must complete before the other one can run.

InnoDB Tablespace Encryption and Replication
ALTER INSTANCE ROTATE INNODB MASTER KEY is supported in replication environments only where the master and the slaves run a MySQL version that supports tablespace encryption.

A successful ALTER INSTANCE ROTATE INNODB MASTER KEY statement is written to the binary log for replication on slaves.

If an ALTER INSTANCE ROTATE INNODB MASTER KEY statement fails, it is not logged to the binary log and is not replicated to slaves.

Replication of an ALTER INSTANCE ROTATE INNODB MASTER KEY operation fails if the keyring plugin is installed on the master but not on the slave.

If the keyring_file plugin is installed on both the master and the slave but the slave has no keyring file, the replicated ALTER INSTANCE ROTATE INNODB MASTER KEY statement creates the keyring file on the slave, provided the keyring file data is not cached in memory. ALTER INSTANCE ROTATE INNODB MASTER KEY uses keyring file data cached in memory when it is available.

Identifying tables that use InnoDB tablespace encryption
When the ENCRYPTION option is specified in a CREATE TABLE or ALTER TABLE statement, it is recorded in the CREATE_OPTIONS column of INFORMATION_SCHEMA.TABLES. That column can be queried to identify the encrypted tables in a MySQL instance (the attribute is part of the table definition, so it also appears in SHOW CREATE TABLE, as shown above).

mysql> SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES
    -> WHERE CREATE_OPTIONS LIKE '%ENCRYPTION="Y"%';
+--------------+------------+-------------------------------------------------------+
| TABLE_SCHEMA | TABLE_NAME | CREATE_OPTIONS                                        |
+--------------+------------+-------------------------------------------------------+
| test         | t1         | ENCRYPTION="Y"                                        |
| test         | ts02       | row_format=COMPRESSED KEY_BLOCK_SIZE=4 ENCRYPTION="Y" |
| test         | ts03       | COMPRESSION="zlib" ENCRYPTION="Y"                     |
+--------------+------------+-------------------------------------------------------+
3 rows in set (0.42 sec)

InnoDB Tablespace Encryption Usage Notes
a. If the server exits or is stopped during normal operation, it is recommended to restart it with the same encryption settings that were configured before.

b. The first master encryption key is generated when the first new or existing table is encrypted.

c. Master key rotation re-encrypts the tablespace keys but does not change the tablespace keys themselves. To change a tablespace key, you must disable and re-enable encryption with ALTER TABLE tbl_name ENCRYPTION, which is an ALGORITHM=COPY operation that rebuilds the table.

d. keyring_file plugin usage notes
If the keyring file is empty or missing, the first execution of ALTER INSTANCE ROTATE INNODB MASTER KEY creates a master encryption key.

Uninstalling the keyring_file plugin does not remove an existing keyring file.

It is recommended not to place the keyring file in the same directory as the tablespace data files; a backup or snapshot of the data directory would otherwise carry the key that protects it. The keyring file location is set by the keyring_file_data option.

Modifying keyring_file_data at runtime, or restarting the server with a different keyring_file_data setting, can make previously encrypted tables inaccessible, resulting in data loss.
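As an added example that is not part of the original post or the MySQL manual, the shell functions below check a keyring_file deployment against these notes and the prerequisites earlier on the page: the keyring file must exist, must not live under the data directory, must be readable only by the mysqld user (the 640 file mode and 775 directory mode used earlier in this post let the mysql group read the key and write to its directory), and my.cnf must carry both early-plugin-load and keyring_file_data so that the plugin survives a restart. All paths are arguments you supply.

```shell
#!/bin/sh
# Added example, not from the MySQL manual or the original post: check the
# on-disk layout of a keyring_file deployment against the usage notes above.
# The paths are whatever the caller passes in (keyring_file_data, the server's
# datadir and its my.cnf). Findings are printed one per line and the return
# value is the number of findings.

perm_bits() {              # perm_bits PATH -> group+other part of the mode string, e.g. "r-----"
    ls -ld "$1" | cut -c5-10
}

check_keyring_layout() {   # check_keyring_layout KEYRING_FILE DATADIR ; returns number of findings
    keyring=$1
    datadir=${2%/}
    n=0

    # 1. The keyring must exist: if it is lost, every encrypted tablespace is
    #    unrecoverable, so a missing file is the one finding we stop on.
    if [ ! -f "$keyring" ]; then
        echo "FINDING: keyring file $keyring does not exist"
        return 1
    fi

    # 2. Keep the master key out of datadir: a backup or snapshot of the data
    #    directory would otherwise carry the key that protects the .ibd files.
    case $keyring in
        "$datadir"/*) echo "FINDING: keyring is inside datadir $datadir"; n=$((n + 1)) ;;
    esac

    # 3. Only the mysqld user should read the file (640 lets the whole group read it).
    case $(perm_bits "$keyring") in
        ------) ;;
        *) echo "FINDING: keyring file mode allows group/other access; use 600"; n=$((n + 1)) ;;
    esac

    # 4. Nobody but mysqld should write to the directory (775 lets the group write).
    case $(perm_bits "$(dirname "$keyring")") in
        *w*) echo "FINDING: keyring directory is group/world writable; use 700"; n=$((n + 1)) ;;
    esac

    return "$n"
}

check_keyring_cnf() {      # check_keyring_cnf MY_CNF ; 0 if both persistent settings are present
    # MySQL accepts '-' or '_' in option names, hence the [-_] classes.
    grep -Eq '^[[:space:]]*early[-_]plugin[-_]load[[:space:]]*=[[:space:]]*keyring_file\.so' "$1" &&
    grep -Eq '^[[:space:]]*keyring[-_]file[-_]data[[:space:]]*=' "$1"
}

# Usage:
#   check_keyring_layout /mysqldata/mysql/mysql-keyring/keyring /mysqldata/mysql
#   check_keyring_cnf /etc/my.cnf
```

The layout check deliberately uses ls and cut rather than stat so that it behaves the same on GNU and BSD userlands; the cnf check only proves the two options are present, not that the running server was started with them, which SHOW PLUGINS (above) confirms.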

InnoDB Tablespace Encryption Limitations
. Only the AES (Advanced Encryption Standard) algorithm is currently supported. InnoDB tablespace encryption uses ECB (Electronic Codebook) mode to encrypt tablespace keys and CBC (Cipher Block Chaining) mode to encrypt data.

. Altering the ENCRYPTION attribute of a table is an ALGORITHM=COPY operation. ALGORITHM=INPLACE is not supported.

. InnoDB tablespace encryption only supports InnoDB tables stored in file-per-table tablespaces. Tables stored in other InnoDB tablespace types are not supported, including general tablespaces, the system tablespace, undo log tablespaces and the temporary tablespace.

. You cannot move or copy an encrypted table from a file-per-table tablespace to an unsupported InnoDB tablespace type.

. Tablespace encryption only applies to data in the tablespace. Data in the redo log, undo log and binary log is not encrypted.

. Migrating directly from the keyring_file plugin to the keyring_okv plugin, or vice versa, is not currently supported. Changing the keyring plugin requires decrypting the tables, uninstalling the current keyring plugin, installing and configuring the other keyring plugin, and re-encrypting the tables.

Oracle Linux 7.1: Silent Installation of WebLogic 12.2.1.3

Preparation
Download the software
Java SE 8 (jdk-linux-x64.tar.gz)
WebLogic Server 12cR2 (12.2.1) (fmw_12.2.1.3.0_wls.jar)

1. Create the weblogic user
WebLogic is installed and run as this unprivileged account; root is used only for the system-wide environment settings.
[root@localhost java]# id weblogic
id: weblogic: no such user
[root@localhost java]# groupadd weblogic
[root@localhost java]# useradd -g weblogic weblogic
[root@localhost java]# passwd weblogic
Changing password for user weblogic.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

2. Install Java
[root@localhost soft]# mkdir -p /usr/java
[root@localhost soft]# tar -zxvf jdk-linux-x64.tar.gz -C /usr/java

3. Configure JAVA_HOME
[root@localhost ~]# cd /usr/java
[root@localhost java]# ll
total 4
drwxr-xr-x. 8 10 143 4096 Mar 15 2017 jdk1.8.0_131
[root@localhost java]# cp /etc/profile /etc/profile20230309
[root@localhost java]# vi /etc/profile
# /etc/profile

# System wide environment and startup programs, for login setup
# Functions and aliases go in /etc/bashrc

# It's NOT a good idea to change this file unless you know what you
# are doing. It's much better to create a custom.sh shell script in
# /etc/profile.d/ to make custom changes to your environment, as this
# will prevent the need for merging in future updates.

pathmunge () {
    case ":${PATH}:" in
        *:"$1":*)
            ;;
        *)
            if [ "$2" = "after" ] ; then
                PATH=$PATH:$1
            else
                PATH=$1:$PATH
            fi
    esac
}

if [ -x /usr/bin/id ]; then
    if [ -z "$EUID" ]; then
        # ksh workaround
        EUID=`id -u`
        UID=`id -ru`
    fi
    USER="`id -un`"
    LOGNAME=$USER
    MAIL="/var/spool/mail/$USER"
fi

# Path manipulation
if [ "$EUID" = "0" ]; then
    pathmunge /usr/sbin
    pathmunge /usr/local/sbin
else
    pathmunge /usr/local/sbin after
    pathmunge /usr/sbin after
fi

HOSTNAME=`/usr/bin/hostname 2>/dev/null`
HISTSIZE=1000
if [ "$HISTCONTROL" = "ignorespace" ] ; then
    export HISTCONTROL=ignoreboth
else
    export HISTCONTROL=ignoredups
fi

export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE HISTCONTROL

# By default, we want umask to get set. This sets it for login shell
# Current threshold for system reserved uid/gids is 200
# You could check uidgid reservation validity in
# /usr/share/doc/setup-*/uidgid file
if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
    umask 002
else
    umask 022
fi

for i in /etc/profile.d/*.sh ; do
    if [ -r "$i" ]; then
        if [ "${-#*i}" != "$-" ]; then
            . "$i"
        else
            . "$i" >/dev/null
        fi
    fi
done

#java
JAVA_HOME=/usr/java/jdk1.8.0_131
PATH=$JAVA_HOME/bin:$PATH
CLASSPATH=$JAVA_HOME/jre/lib/ext:$JAVA_HOME/lib/tools.jar
export PATH JAVA_HOME CLASSPATH
"/etc/profile" 82L, 1906C written
[root@localhost java]# source /etc/profile

4. Check the Java version
[root@localhost java]# java -version
java version "1.8.0_131"
Java(TM) SE Runtime Environment (build 1.8.0_131-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.131-b11, mixed mode)

5. Create the installation directory and set permissions
Run this as the weblogic user so that the Middleware home is owned by the service account rather than root.
[weblogic@localhost weblogic]$ mkdir -p /weblogic/Oracle/Middleware
[weblogic@localhost weblogic]$ chmod -R 775 /weblogic/Oracle/Middleware

[root@localhost soft]# vi /etc/profile
#weblogic
export MW_HOME=/weblogic/Oracle/Middleware
export WLS_HOME=$MW_HOME/wlserver
export WL_HOME=$WLS_HOME

[root@localhost ~]# source /etc/profile
[root@localhost ~]# echo $MW_HOME
/weblogic/Oracle/Middleware
[root@localhost ~]# su - weblogic
Last login: Fri Mar 10 07:56:30 CST 2023 on pts/1
[weblogic@localhost ~]$ java -version
java version "1.8.0_131"
Java(TM) SE Runtime Environment (build 1.8.0_131-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.131-b11, mixed mode)
[weblogic@localhost ~]$ echo $MW_HOME
/weblogic/Oracle/Middleware

Installing the WebLogic software
6. Create the response file
Edit /weblogic/wls.rsp. DECLINE_SECURITY_UPDATES=true turns off the installer's My Oracle Support registration for security-update notices; what gets installed is the base 12.2.1.3.0 release, so plan to apply the current Critical Patch Update with OPatch before the server is exposed to users.
[weblogic@localhost weblogic]$ vi wls.rsp
[ENGINE]
Response File Version=1.0.0.0.0
[GENERIC]
ORACLE_HOME=/weblogic/Oracle/Middleware
INSTALL_TYPE=WebLogic Server
MYORACLESUPPORT_USERNAME=
MYORACLESUPPORT_PASSWORD=<SECURE VALUE>
DECLINE_SECURITY_UPDATES=true
SECURITY_UPDATES_VIA_MYORACLESUPPORT=false
PROXY_HOST=
PROXY_PORT=
PROXY_USER=
PROXY_PWD=<SECURE VALUE>
COLLECTOR_SUPPORTHUB_URL=

7. Specify the Oracle inventory location
Edit /weblogic/oraInst.loc
[weblogic@localhost weblogic]$ vi oraInst.loc

inventory_loc=/weblogic/oraInventory

inst_group=weblogic

[weblogic@localhost weblogic]$ mkdir -p /weblogic/oraInventory
[weblogic@localhost weblogic]$ ll
total 819548
-r-xr-xr-x. 1 weblogic weblogic 839208313 Aug 22 2017 fmw_12.2.1.3.0_wls.jar
drwxrwxr-x. 3 weblogic weblogic 23 Mar 10 08:00 Oracle
-rw-rw-r--. 1 weblogic weblogic 59 Mar 9 15:34 oraInst.loc
drwxrwxr-x. 2 weblogic weblogic 6 Mar 10 08:11 oraInventory
-rw-rw-r–. 1 weblogic weblogic 342 Mar 10 08:09 wls.rsp

8. Install WebLogic
[weblogic@localhost weblogic]$ java -Xmx1024m -jar /weblogic/fmw_12.2.1.3.0_wls.jar -silent -responseFile /weblogic/wls.rsp -invPtrLoc /weblogic/oraInst.loc
Launcher log file is /tmp/OraInstall2023-03-10_08-16-04AM/launcher2023-03-10_08-16-04AM.log.
Extracting the installer . . . . . . . Done
Checking if CPU speed is above 300 MHz. Actual 2000.000 MHz Passed
Checking swap space: must be greater than 512 MB. Actual 8063 MB Passed
Checking if this platform requires a 64-bit JVM. Actual 64 Passed (64-bit not required)
Checking temp space: must be greater than 300 MB. Actual 81295 MB Passed
Preparing to launch the Oracle Universal Installer from /tmp/OraInstall2023-03-10_08-16-04AM
Log: /tmp/OraInstall2023-03-10_08-16-04AM/install2023-03-10_08-16-04AM.log
Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
Reading response file..
Skipping Software Updates
Starting check : CertifiedVersions
Expected result: One of oracle-6, oracle-7, redhat-7, redhat-6, SuSE-11, SuSE-12
Actual Result: oracle-7.1
Check complete. The overall result of this check is: Passed
CertifiedVersions Check: Success.

Starting check : CheckJDKVersion
Expected result: 1.8.0_131
Actual Result: 1.8.0_131
Check complete. The overall result of this check is: Passed
CheckJDKVersion Check: Success.

Validations are enabled for this session.
Verifying data
Copying Files
Percent Complete : 10
Percent Complete : 20
Percent Complete : 30
Percent Complete : 40
Percent Complete : 50
Percent Complete : 60
Percent Complete : 70
Percent Complete : 80
Percent Complete : 90
Percent Complete : 100

The installation of Oracle Fusion Middleware 12c WebLogic Server and Coherence 12.2.1.3.0 completed successfully.
Logs successfully copied to /weblogic/oraInventory/logs.

9. Create the domain
The WLST session below creates a domain with an administrator named weblogic and the given password, in the default development start mode (the start-up log in step 10 reports "running in development mode"). For anything other than a lab, set the start mode to production before writeDomain with setOption('ServerStartMode', 'prod'); development mode relaxes several defaults, among them writing the boot identity to boot.properties automatically.

[weblogic@localhost bin]$ ./wlst.sh
WARNING: This is a deprecated script. Please invoke the wlst.sh script under oracle_common/common/bin.

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

wls:/offline> readTemplate('/weblogic/Oracle/Middleware/wlserver/common/templates/wls/wls.jar')
WARNING: The readTemplate is deprecated. Use selectTemplate followed by loadTemplates in place of readTemplate.
wls:/offline/base_domain>cd('Servers/AdminServer')
wls:/offline/base_domain/Server/AdminServer>set('ListenAddress','')
wls:/offline/base_domain/Server/AdminServer>set('ListenPort', 7001)
wls:/offline/base_domain/Server/AdminServer>cd('/')
wls:/offline/base_domain>cd('Security/base_domain/User/weblogic')
wls:/offline/base_domain/Security/base_domain/User/weblogic>cmo.setPassword('Xxzx$7817600')
wls:/offline/base_domain/Security/base_domain/User/weblogic>setOption('OverwriteDomain', 'true')
wls:/offline/base_domain/Security/base_domain/User/weblogic>writeDomain('/weblogic/Oracle/Middleware/user_projects/domains/base_domain')
wls:/offline/base_domain/Security/base_domain/User/weblogic>closeTemplate()
wls:/offline>exit()

Exiting WebLogic Scripting Tool.

10. Start WebLogic
Set the AdminServer listen address and port in the domain's config/config.xml. An empty listen-address binds every interface; a specific address limits where the admin port is reachable, which matters because the default channel also carries t3 and iiop, not just http:
[weblogic@localhost config]$ vi config.xml
….
<server>
<name>AdminServer</name>
<listen-port>7001</listen-port>
<iiop-enabled>false</iiop-enabled>
<listen-address>10.13.13.4</listen-address>
</server>
…..

To start without being prompted for credentials, edit boot.properties in /weblogic/Oracle/Middleware/user_projects/domains/base_domain/servers/AdminServer/security. The file generated by the Configuration Wizard already holds the boot identity in encrypted form ({AES} values); the author overwrites it with the clear-text username and password, which WebLogic reads on the next start and rewrites encrypted (BEA-090083 in the log below). Until that first start the administrator password is on disk in clear text, so keep the file owned by weblogic with mode 0600, and protect the domain's security/SerializedSystemIni.dat the same way, since the {AES} values can be decrypted with it.
[weblogic@localhost security]$ cat boot.properties
# Generated by Configuration Wizard on Fri Mar 10 09:20:49 CST 2023
username={AES}m1DMhibRLp4hckxgycOV3fFtVs309buJFfJPxHa162Q=
password={AES}1UeQbtMNEYL40/c37MYUTfpPIoON7ql50cD/tparxp0=
[weblogic@localhost security]$ vi boot.properties
# Generated by Configuration Wizard on Fri Mar 10 09:20:49 CST 2023
username=weblogic
password=Xxzx$7817600
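As an added example (not part of the original post), the shell function below checks a boot.properties file against what the start-up log in this step shows: once WebLogic has read clear-text credentials it rewrites them as {AES} values (BEA-090083 below), so any value without that prefix is the administrator password in clear text. It also checks that the file is owned by the service account and carries no group/other permission bits. The file path and the owner name are arguments; the default owner weblogic is the account used on this page.

```shell
#!/bin/sh
# Added example, not part of the original post: check a WebLogic
# boot.properties before and after the server's first start. The server
# reads a clear-text username/password from the file and rewrites both as
# {AES} values (notice BEA-090083 in the log), so values without the {AES}
# prefix mean the administrator password is on disk in clear text. Only the
# server process needs the file, so it should belong to the service account
# with mode 0600. Findings are printed one per line; the return value is
# their number.

prop_value() {             # prop_value FILE KEY -> value of the last "KEY=value" line
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

check_boot_properties() {  # check_boot_properties FILE [OWNER] ; OWNER defaults to weblogic
    f=$1
    owner=${2:-weblogic}
    n=0
    if [ ! -f "$f" ]; then
        echo "FINDING: $f does not exist"
        return 1
    fi

    # 1. Both values must already have been encrypted by the server. {AES}
    #    values are reversible with the domain's security/SerializedSystemIni.dat,
    #    so that file needs the same protection as this one.
    for key in username password; do
        case $(prop_value "$f" "$key") in
            "")       echo "FINDING: $key is missing"; n=$((n + 1)) ;;
            "{AES}"*) ;;
            *)        echo "FINDING: $key is stored in clear text"; n=$((n + 1)) ;;
        esac
    done

    # 2. No group/other permission bits at all (0600 or stricter).
    case $(ls -l "$f" | cut -c5-10) in
        ------) ;;
        *) echo "FINDING: mode $(ls -l "$f" | cut -c1-10) allows group/other access; use 0600"
           n=$((n + 1)) ;;
    esac

    # 3. Owned by the service account, not root or an administrator's personal user.
    if [ "$(ls -l "$f" | awk '{ print $3 }')" != "$owner" ]; then
        echo "FINDING: owner is not $owner"
        n=$((n + 1))
    fi

    return "$n"
}

# Usage: check_boot_properties /weblogic/Oracle/Middleware/user_projects/domains/base_domain/servers/AdminServer/security/boot.properties
```

Run it once right after editing the file (expect two clear-text findings) and again after the first successful start (expect none); a clear-text finding that persists after a start means the server never read the file, for example because it was placed in the wrong directory.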

[weblogic@localhost bin]$ ./startWebLogic.sh
.
.
JAVA Memory arguments: -Xms256m -Xmx512m -XX:CompileThreshold=8000
.
CLASSPATH=/usr/java/jdk1.8.0_131/lib/tools.jar:/weblogic/Oracle/Middleware/wlserver/server/lib/weblogic.jar:/weblogic/Oracle/Middleware/wlserver/../oracle_common/modules/thirdparty/ant-contrib-1.0b3.jar:/weblogic/Oracle/Middleware/wlserver/modules/features/oracle.wls.common.nodemanager.jar::/weblogic/Oracle/Middleware/wlserver/common/derby/lib/derbynet.jar:/weblogic/Oracle/Middleware/wlserver/common/derby/lib/derbyclient.jar:/weblogic/Oracle/Middleware/wlserver/common/derby/lib/derby.jar:/usr/java/jdk1.8.0_131/jre/lib/ext:/usr/java/jdk1.8.0_131/lib/tools.jar
.
PATH=/weblogic/Oracle/Middleware/user_projects/domains/base_domain/bin:/weblogic/Oracle/Middleware/wlserver/server/bin:/weblogic/Oracle/Middleware/wlserver/../oracle_common/modules/thirdparty/org.apache.ant/1.9.8.0.0/apache-ant-1.9.8/bin:/usr/java/jdk1.8.0_131/jre/bin:/usr/java/jdk1.8.0_131/bin:/usr/java/jdk1.8.0_131/bin:/usr/lib64/qt-3.3/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/weblogic/.local/bin:/home/weblogic/bin
.
***************************************************
* To start WebLogic Server, use a username and *
* password assigned to an admin-level user. For *
* server administration, use the WebLogic Server *
* console at http://hostname:port/console *
***************************************************
Starting WLS with line:
/usr/java/jdk1.8.0_131/bin/java -server -Xms256m -Xmx512m -XX:CompileThreshold=8000 -cp /weblogic/Oracle/Middleware/wlserver/server/lib/weblogic-launcher.jar -Dlaunch.use.env.classpath=true -Dweblogic.Name=AdminServer -Djava.security.policy=/weblogic/Oracle/Middleware/wlserver/server/lib/weblogic.policy -Djava.system.class.loader=com.oracle.classloader.weblogic.LaunchClassLoader -javaagent:/weblogic/Oracle/Middleware/wlserver/server/lib/debugpatch-agent.jar -da -Dwls.home=/weblogic/Oracle/Middleware/wlserver/server -Dweblogic.home=/weblogic/Oracle/Middleware/wlserver/server weblogic.Server
<Mar 10, 2023 10:10:21 AM CST> <Info> <Security> <BEA-090905> <Disabling the CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true.>
<Mar 10, 2023 10:10:21 AM CST> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG128 to HMACDRBG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true.>
<Mar 10, 2023 10:10:22 AM CST> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) 64-Bit Server VM Version 25.131-b11 from Oracle Corporation.>
<Mar 10, 2023 10:10:22 AM CST> <Info> <RCM> <BEA-2165021> <"ResourceManagement" is not enabled in this JVM. Enable "ResourceManagement" to use the WebLogic Server "Resource Consumption Management" feature. To enable "ResourceManagement", you must specify the following JVM options in the WebLogic Server instance in which the JVM runs: -XX:+UnlockCommercialFeatures -XX:+ResourceManagement.>
<Mar 10, 2023 10:10:23 AM CST> <Info> <Management> <BEA-141107> <Version: WebLogic Server 12.2.1.3.0 Thu Aug 17 13:39:49 PDT 2017 1882952>
<Mar 10, 2023 10:12:23 AM CST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING.>
<Mar 10, 2023 10:12:23 AM CST> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool.>
<Mar 10, 2023 10:12:23 AM CST> <Info> <WorkManager> <BEA-002942> <CMM memory level becomes 0. Setting standby thread pool size to 256.>
<Mar 10, 2023 10:13:37,658 AM CST> <Notice> <Log Management> <BEA-170019> <The server log file weblogic.logging.FileStreamHandler instance=414943286
Current log file=/weblogic/Oracle/Middleware/user_projects/domains/base_domain/servers/AdminServer/logs/AdminServer.log
Rotation dir=/weblogic/Oracle/Middleware/user_projects/domains/base_domain/servers/AdminServer/logs
is opened. All server side log events will be written to this file.>
<Mar 10, 2023 10:13:37,911 AM CST> <Notice> <Security> <BEA-090946> <Security pre-initializing using security realm: myrealm>
<Mar 10, 2023 10:13:38,607 AM CST> <Notice> <Security> <BEA-090947> <Security post-initializing using security realm: myrealm>
<Mar 10, 2023 10:13:39,600 AM CST> <Notice> <Security> <BEA-090082> <Security initialized using administrative security realm: myrealm>
<Mar 10, 2023 10:13:39,664 AM CST> <Notice> <Security> <BEA-090083> <Storing boot identity in the file: /weblogic/Oracle/Middleware/user_projects/domains/base_domain/servers/AdminServer/security/boot.properties.>
<Mar 10, 2023 10:19:50,908 AM CST> <Notice> <JMX> <BEA-149512> <JMX Connector Server started at service:jmx:iiop://10.13.13.4:7001/jndi/weblogic.management.mbeanservers.runtime.>
<Mar 10, 2023 10:19:50,949 AM CST> <Notice> <JMX> <BEA-149512> <JMX Connector Server started at service:jmx:iiop://10.13.13.4:7001/jndi/weblogic.management.mbeanservers.domainruntime.>
<Mar 10, 2023 10:19:50,966 AM CST> <Notice> <JMX> <BEA-149512> <JMX Connector Server started at service:jmx:iiop://10.13.13.4:7001/jndi/weblogic.management.mbeanservers.edit.>
<Mar 10, 2023 10:21:52,707 AM CST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STANDBY.>
<Mar 10, 2023 10:21:52,708 AM CST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING.>
<Mar 10, 2023 10:21:52,785 AM CST> <Notice> <Log Management> <BEA-170036> <The Logging monitoring service timer has started to check for logged message counts every 30 seconds.>
<Mar 10, 2023 10:21:53,221 AM CST> <Notice> <Log Management> <BEA-170027> <The server has successfully established a connection with the Domain level Diagnostic Service.>
<Mar 10, 2023 10:21:53,401 AM CST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to ADMIN.>
<Mar 10, 2023 10:21:53,509 AM CST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RESUMING.>
<Mar 10, 2023 10:21:53,608 AM CST> <Notice> <WebLogicServer> <BEA-000331> <Started the WebLogic Server Administration Server "AdminServer" for domain "base_domain" running in development mode.>
<Mar 10, 2023 10:21:53,615 AM CST> <Notice> <WebLogicServer> <BEA-000360> <The server started in RUNNING mode.>
<Mar 10, 2023 10:21:53,615 AM CST> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 10.13.13.4:7001 for protocols iiop, t3, ldap, snmp, http.>
<Mar 10, 2023 10:21:53,616 AM CST> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 10.13.13.4:7001 for protocols iiop, t3, ldap, snmp, http.>
<Mar 10, 2023 10:21:53,628 AM CST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING.>
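As an added example (not part of the original post), the shell function below scans a WebLogic log such as the two shown on this page for the notices a security reviewer would act on: development mode (BEA-000331), a boot identity that was just re-encrypted from clear text (BEA-090083), and the default channel, which carries t3 and iiop as well as http, listening on a non-loopback address (BEA-002613). The message IDs are WebLogic's own; the log path is an argument, and the loopback test covers IPv4 addresses and the name localhost only.

```shell
#!/bin/sh
# Added example, not part of the original post: triage a WebLogic log for the
# security-relevant notices that appear in the start-up output above. The
# message IDs (BEA-nnnnnn) are WebLogic's own. Findings are printed one per
# line and the return value is their number.

scan_wls_log() {           # scan_wls_log FILE ; returns number of findings
    f=$1
    n=0

    # Development mode (BEA-000331): relaxed defaults, e.g. the boot identity is
    # written to boot.properties automatically; production mode is expected for
    # anything users can reach.
    if grep -q 'BEA-000331.*running in development mode' "$f"; then
        echo "FINDING: server started in development mode"
        n=$((n + 1))
    fi

    # Boot identity stored (BEA-090083): the server found clear-text credentials
    # in boot.properties and re-encrypted them, so the password sat on disk in
    # clear text until this start.
    if grep -q 'BEA-090083' "$f"; then
        echo "FINDING: boot.properties held clear-text credentials (BEA-090083)"
        n=$((n + 1))
    fi

    # Channel listening (BEA-002613): the default channel carries the admin
    # protocols t3 and iiop as well as http. Flag it when bound to anything other
    # than loopback. Duplicate lines (WebLogic logs this twice) are collapsed.
    exposed=$(grep 'BEA-002613' "$f" |
        sed -n 's/.*listening on \([^ :]*\):\([0-9]*\) for protocols \(.*\)\.>.*/\1 \2 \3/p' |
        sort -u |
        awk '$1 !~ /^(127\.|localhost$)/ && /t3|iiop/ {
                 print "FINDING: " $1 ":" $2 " exposes " substr($0, index($0, $3))
             }')
    if [ -n "$exposed" ]; then
        echo "$exposed"
        n=$((n + $(printf '%s\n' "$exposed" | awk 'END { print NR }')))
    fi

    # Informational only: CryptoJ skips its JCE self-integrity check by default
    # for faster start-up (BEA-090905); relevant to FIPS-style reviews.
    if grep -q 'BEA-090905' "$f"; then
        echo "INFO: CryptoJ JCE provider self-integrity check disabled (BEA-090905)"
    fi

    return "$n"
}

# Usage: scan_wls_log /weblogic/Oracle/Middleware/user_projects/domains/base_domain/admin.log
```

Against the log in step 10 the function reports three findings (development mode, re-encrypted boot identity, and the default channel on 10.13.13.4:7001); a server in production mode with its admin channel bound to 127.0.0.1 reports none.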