HighGo Database Security Edition v4.5.8 Installation Steps
1 Preface
1.1 Environment
The demonstration environment is as follows:
CPU: x86_64 (virtual machine)
Operating system: CentOS 7.9
Database media: hgdb-see-4.5.8-db43858.x86_64.rpm
2 Pre-installation preparation
2.1 Stop the firewall and NetworkManager services
systemctl stop firewalld.service
systemctl disable firewalld.service
systemctl status firewalld.service
systemctl stop NetworkManager.service
systemctl disable NetworkManager.service
systemctl status NetworkManager.service
2.2 Disable SELinux
sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
setenforce 0
cat /etc/selinux/config | grep SELINUX=disabled
getenforce
2.3 Check the hostname
[root@admin ~]# hostnamectl status
Static hostname: admin
Icon name: computer-vm
Chassis: vm
Machine ID: db00f5696086714a8e91e14ca5b0f968
Boot ID: 6ea2afb6c99845ea9a213f35914af42c
Virtualization: kvm
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-1160.el7.x86_64
Architecture: x86-64
2.4 Set the time zone
# set the time zone
[root@admin ~]# timedatectl list-timezones
[root@admin ~]# timedatectl set-timezone Asia/Shanghai
# set the system time
[root@admin ~]# date -s "20230606 09:26:00"
2.5 Install system packages
Configure the yum repository (here a locally mounted CD-ROM):
[root@admin ~]# cat /etc/yum.repos.d/highgo.repo
[rhel]
name=rhel
baseurl=file:///media/cdrom
enabled=1
gpgcheck=0
[root@hgdb ~]# mkdir /media/cdrom
[root@hgdb ~]# mount /dev/cdrom /media/cdrom
mount: /dev/sr0 is write-protected, mounting read-only
2.6 Install dependency packages
[root@admin ~]# yum clean all
[root@admin ~]# yum list
[root@admin ~]# yum install vim wget readline readline-devel zlib zlib-devel openssl openssl-devel pam-devel libxml2-devel libxslt-devel python-devel tcl-devel gcc gcc-c++ rsync -y
2.7 Configure hosts
[root@admin ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.80.123 admin
2.8 Configure operating system limits
The values below are for illustration only; adjust them to the system resources of your test or production environment.
[root@admin ~]# vi /etc/security/limits.conf
#for hgdb-see v4.5.8
highgo soft core unlimited
highgo hard nproc unlimited
highgo soft nproc unlimited
highgo hard memlock unlimited
highgo hard nofile 1024000
highgo soft memlock unlimited
highgo soft nofile 1024000
highgo hard stack 65536
highgo soft stack 65536
Apply the parameters:
[root@admin ~]# sysctl -p
Note: sysctl -p reloads kernel parameters from /etc/sysctl.conf; the limits.conf entries above apply to new login sessions of the highgo user and can be verified in such a session with ulimit -a.
3 Database installation
3.1 rpm package installation
The rpm media of the Security Edition must be installed and maintained as the root user. The HGDB-SEE V4.5 package includes the cluster module, so one package can install a standalone instance or be configured into a cluster. The rpm installation steps below use Security Edition V4.5.8 as the example.
3.1.1 Install a standalone database
(1) Install the rpm package as the root user:
*Note: for Security Edition V4.5.7 and earlier the default installation path is /opt/;
for Security Edition V4.5.8 and later the default installation path is /opt/highgo/.
[root@admin ~]# rpm -ivh hgdb-see-4.5.8-db43858.x86_64.rpm
Preparing... ################################# [100%]
Updating / installing...
1:hgdb-see-4.5.8-db43858 ################################# [100%]
Created symlink from /etc/systemd/system/multi-user.target.wants/hgdb-see-4.5.8.service to /usr/lib/systemd/system/hgdb-see-4.5.8.service.
Created symlink from /etc/systemd/system/graphical.target.wants/hgdb-see-4.5.8.service to /usr/lib/systemd/system/hgdb-see-4.5.8.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/hgproxy.service to /usr/lib/systemd/system/hgproxy.service.
Created symlink from /etc/systemd/system/graphical.target.wants/hgproxy.service to /usr/lib/systemd/system/hgproxy.service.
After installation, the installation directory is created under /opt:
[root@admin ~]# cd /opt/highgo/
[root@admin highgo]# ll
total 0
drwxr-xr-x 4 root root 80 Jun 6 09:19 hgdbconfig
drwxr-xr-x 10 root root 118 Jun 6 09:20 hgdbdeveloper
drwxr-xr-x 9 root root 107 Jun 6 09:19 hgdb-see-4.5.8
drwxr-xr-x 5 root root 55 Jun 6 09:20 hgproxy
[root@admin highgo]# cd hgdb-see-4.5.8/
[root@admin hgdb-see-4.5.8]# ls
bin conf etc icon include lib REVISION share
(2) Apply the environment variables
For Security Edition V4.5.7 and earlier, installation creates a file named highgodb.env in /opt/HighGo4.5.8-see/etc with the content shown below; run source on it to apply it. For Security Edition V4.5.8 and later, installation creates an environment variable template named hgdbenv.sample in /opt/highgo/hgdb-see-4.5.8/etc; edit this template as needed and then apply it.
[root@admin etc]# cat hgdbenv.sample
#WARNING! This is a template file, please modify it as needed
export HG_BASE=/opt/highgo
export HGDB_HOME=/opt/highgo/hgdb-see-4.5.8
export PGPORT=5866
export PGDATABASE=highgo
export PATH=$HGDB_HOME/bin:$PATH
export PGDATA=$HGDB_HOME/data
[root@admin etc]# source hgdbenv.sample
Note: starting with HGDB-SEE V4.5.4, the highgodb.env file no longer provides the LD_LIBRARY_PATH variable, and users do not need to set it manually.
3.3 Initialize the database
[root@admin ~]# cd /opt/highgo/hgdb-see-4.5.8/bin
[root@admin bin]# initdb -D ../data -e sm4 -c "echo 12345678" > /opt/highgo/hgdb-see-4.5.8/bin/initdb.log
# -e enables FDE (data encryption) using the SM4 national cipher
# -c supplies a command whose output forms part of the encryption key
Enter new sysdba password:
Enter it again:
Enter new syssao password:
Enter it again:
Enter new syssso password:
Enter it again:
2023-06-06 15:11:41.877 CST [12316] LOG: Switchover the SSHA Role. Current is NONE
2023-06-06 15:11:42.350 CST [12319] LOG: data encryption performed by sm4
2023-06-06 15:11:42.362 CST [12319] LOG: Switchover the SSHA Role. Current is NONE
initdb: warning: enabling "sm3" authentication for local connections
You can change this by editing pg_hba.conf or using the option -A, or
--auth-local and --auth-host, the next time you run initdb.
The passwords can also be supplied from a pwfile:
# edit the pwfile
[root@hgdb bin]# cd etc
[root@hgdb etc]# vi passwdfile
# enter the passwords for sysdba, syssao and syssso, one per line in that order
Hello@123
Hello@123
Hello@123
# initialize the data directory
[root@hgdb etc]# initdb -D ../data -e sm4 -c "echo 12345678" --pwfile=passwdfile > /opt/highgo/hgdb-see-4.5.8/bin/initdb.log
Alternatively:
Security Edition v4.5 supports the national ciphers SM3 and SM4. To use them, run the following command:
initdb -A sm3 -e sm4 -c "echo 12345678" -D $PGDATA --pwfile=/opt/highgo/hgdb-see-4.5.8/etc/5866 -E 'UTF8'
If you do not want to use the national ciphers, initialize with the following command instead:
initdb -A md5 -D $PGDATA --pwfile=/opt/highgo/hgdb-see-4.5.8/etc/5866 -E 'UTF8'
Example output:
[root@admin ~]# initdb -A md5 -D $PGDATA --pwfile=/opt/highgo/hgdb-see-4.5.8/etc/5866 -E 'UTF8'
The files belonging to this database system will be owned by user "root".
This user must also own the server process.
The database cluster will be initialized with locale "en_US.UTF-8".
The default text search configuration will be set to "english".
Data page checksums are disabled.
Data encryption is disabled.
creating directory /opt/highgo/hgdb-see-4.5.8/data ... ok
creating subdirectories ... ok
selecting dynamic shared memory implementation ... posix
selecting default max_connections ... 100
selecting default shared_buffers ... 128MB
selecting default time zone ... Asia/Shanghai
creating configuration files ... ok
running bootstrap script ... 2023-06-06 09:36:18.839 CST [26935] LOG: Switchover the SSHA Role. Current is NONE
ok
performing post-bootstrap initialization ... 2023-06-06 09:36:19.193 CST [26937] LOG: Switchover the SSHA Role. Current is NONE
ok
syncing data to disk ... ok
Success. You can now start the database server using:
hg_sslkeygen.sh /opt/highgo/hgdb-see-4.5.8/data
pg_ctl -D /opt/highgo/hgdb-see-4.5.8/data -l logfile start
4 Copy the SSL certificate
This step copies server.crt and server.key from $HGDB_HOME/etc into the data directory and sets their permissions to 600. The command does not accept the data directory given as $PGDATA. The two files can also be copied and their permissions changed manually.
[root@admin bin]# hg_sslkeygen.sh /opt/highgo/hgdb-see-4.5.8/data
Setting the ssl configuration to /opt/highgo/hgdb-see-4.5.8/data
Generating RSA private key, 2048 bit long modulus
..........................................................................+++
..........................................................+++
e is 65537 (0x10001)
5 Create the password file for passwordless login of database users
To make backup/restore and psql commands easier, create a passwordless login file:
cat > /root/.pgpass <<EOF
# host:port:database:user:password
localhost:5866:*:sysdba:Hello@123456
localhost:5866:*:syssao:Hello@123456
localhost:5866:*:syssso:Hello@123456
EOF
# set the permissions (required; libpq ignores a .pgpass that is readable by group or others)
chmod 0600 /root/.pgpass
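The initdb --pwfile of section 3.3 and the .pgpass file above both hold cleartext passwords, so both should be created with mode 0600 from the start rather than written world-readable and chmod'ed afterwards. The shell functions below are an added example, not part of the HighGo guide: they write both files under umask 077, and pgpass_line escapes ':' and '\' in the password as the libpq .pgpass format requires. The function names and the temporary paths are this example's own; the users sysdba/syssao/syssso and port 5866 come from the guide.

```shell
#!/bin/sh
# Added example (not part of the HighGo guide): create the initdb --pwfile and
# the libpq ~/.pgpass so that both are mode 0600 from creation.
# Assumptions: the function names and demo paths are this example's own;
# the users sysdba/syssao/syssso and port 5866 come from the guide.

# Escape ':' and '\' in one .pgpass field, as the libpq .pgpass format requires.
pgpass_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/:/\\:/g'
}

# Print one .pgpass line: hostname:port:database:username:password
pgpass_line() {
    printf '%s:%s:%s:%s:%s\n' "$1" "$2" "$3" "$4" "$(pgpass_escape "$5")"
}

# Write stdin to a file that only its owner can read. The umask applies at
# creation, so there is no window in which the file is readable by others.
write_secret_file() {
    rm -f "$1"
    ( umask 077; cat > "$1" )
}

# initdb --pwfile: one password per line, in the order sysdba, syssao, syssso
# (the order the guide gives for the three separated-privilege users).
write_initdb_pwfile() {
    printf '%s\n%s\n%s\n' "$2" "$3" "$4" | write_secret_file "$1"
}

# .pgpass with one entry per user; '*' in the database field matches any database.
write_pgpass() {
    file=$1; host=$2; port=$3; password=$4
    for u in sysdba syssao syssso; do
        pgpass_line "$host" "$port" '*' "$u" "$password"
    done | write_secret_file "$file"
}

# Octal permission bits of a file (GNU stat, with a BSD/macOS fallback).
# libpq silently ignores a .pgpass whose group or other bits are set.
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}
```

Usage for the guide's paths would be write_initdb_pwfile /opt/highgo/hgdb-see-4.5.8/etc/passwdfile 'pw1' 'pw2' 'pw3' before initdb, and write_pgpass /root/.pgpass localhost 5866 'Hello@123456' in place of the cat/chmod pair above; file_mode reports 600 for both files.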
6 Configure client authentication
For clients on other hosts to connect to the database service, the client authentication file pg_hba.conf must be configured, as follows:
# Allow hosts from any IP address to connect to this database.
cat >> /opt/highgo/hgdb-see-4.5.8/data/pg_hba.conf <<EOF
################################ add by Highgo at `date +%Y-%m-%d_%H:%M:%S` for hgdb start ################################
# IPv4 local connections:
host all all 0.0.0.0/0 sm3
################################ add by Highgo at `date +%Y-%m-%d_%H:%M:%S` for hgdb end ##################################
EOF
Note: if md5 password checking was used during initialization, change sm3 to md5. For the change to take effect, the database service must be restarted; do not forget this.
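The rule above, host all all 0.0.0.0/0 sm3, accepts password attempts from any address that can reach port 5866; a practitioner would normally limit the ADDRESS column to the client subnet (for the demo host, 192.168.80.0/24) and rely on the firewall for the rest. The shell below is an added example, not from the guide: hba_add_rule appends a rule for one CIDR, and hba_audit lists the effective rules that accept any address or use the trust or cleartext password methods, so an over-broad line can be found after the fact. The sample pg_hba.conf is constructed for the demo; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the HighGo guide): append a narrower pg_hba.conf
# rule and audit the file for entries a reviewer would flag.
# Assumptions: function names, the sample file and the 192.168.80.0/24 subnet
# are this example's own; "host all all 0.0.0.0/0 sm3" is the guide's rule.

# Append a host rule for one client subnet instead of 0.0.0.0/0.
# Arguments: file database user address/prefix auth-method
hba_add_rule() {
    printf 'host %s %s %s %s\n' "$2" "$3" "$4" "$5" >> "$1"
}

# Print every effective rule that accepts any client address or uses an
# auth method that checks no hashed secret (trust, cleartext password).
# Handles both the CIDR form and the two-field "address netmask" form.
hba_audit() {
    awk '
        { sub(/#.*/, "") }                      # strip comments
        NF == 0 { next }                        # skip blank lines
        {
            type = $1; db = $2; user = $3
            if (type == "local") { addr = "-"; method = $4 }
            else {
                addr = $4; i = 5
                if (addr !~ /\// && addr ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                    addr = addr "/" $5; i = 6   # separate netmask field
                }
                method = $i
            }
            if (method == "trust" || method == "password")
                printf "insecure auth method: %s %s %s %s %s\n", type, db, user, addr, method
            if (addr == "0.0.0.0/0" || addr == "::/0" || addr == "all")
                printf "accepts any client address: %s %s %s %s %s\n", type, db, user, addr, method
        }' "$1"
}

# Constructed sample pg_hba.conf for the demo (not copied from any server).
hba_write_sample() {
    cat > "$1" <<'EOF'
# TYPE  DATABASE  USER  ADDRESS            METHOD
local   all       all                      sm3
host    all       all   127.0.0.1/32       sm3
host    all       all   0.0.0.0/0          sm3
host    all       all   10.0.0.0 255.0.0.0 trust
EOF
}
```

On the sample, hba_audit reports the 0.0.0.0/0 line and the trust line and nothing else; on a real server run it against /opt/highgo/hgdb-see-4.5.8/data/pg_hba.conf after editing, then restart as the note above says.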
7 Start the database
The database can now be started with the following command:
pg_ctl start
8 Configure standard parameters
# Note: set shared_buffers to 1/4 of the physical memory according to the actual RAM.
psql highgo sysdba <<EOF
alter system set listen_addresses = '*';
alter system set max_connections = 2000;
alter system set work_mem='16MB';
alter system set shared_buffers = '1GB';
alter system set checkpoint_completion_target = 0.8;
alter system set log_destination = 'csvlog';
alter system set logging_collector = on;
alter system set log_directory = 'hgdb_log';
alter system set log_filename = 'highgodb_%d.log';
alter system set log_rotation_age = '1d';
alter system set log_rotation_size = 0;
alter system set log_truncate_on_rotation = on;
alter system set log_statement = 'ddl';
alter system set log_connections=on;
alter system set log_disconnections=on;
alter system set checkpoint_timeout='30min';
alter system set maintenance_work_mem='1GB';
alter system set archive_mode = on;
alter system set archive_timeout = '30min';
alter system set archive_command = 'cp %p /data/highgo/hgdbbak/archive/%f';
alter system set log_line_prefix = '%m [%p] %a %u %d %r %h';
alter system set nls_length_semantics = 'char';
EOF
9 Change the default password validity to permanent
After installation, the default password validity period is 7 days, including for the three separated-privilege users (sysdba, syssao, syssso). Run the following to make it permanent:
psql highgo syssso <<EOF
select set_secure_param('hg_idcheck.pwdvaliduntil','0');
alter user current_user password 'Hello@123' valid until 'infinity';
\c - sysdba
alter user current_user password 'Hello@123';
\c - syssao
alter user current_user password 'Hello@123';
EOF
# also replace the old password in the passwordless login file
sed -i 's/Hello@123456/Hello@123/g' /root/.pgpass
pg_ctl restart
10 Disable auditing
This must be agreed in advance (MLPS and classified-protection compliance require auditing to be enabled):
psql highgo syssao <<EOF
select set_audit_param('hg_audit','off');
EOF
pg_ctl restart
11 Start the database as a service
The installation automatically configures the database service file, which can be used directly in a standalone environment. Switch to starting via the service:
pg_ctl stop
systemctl start hgdb-see-4.5.8.service
12 License file handling
After installation there is a one-month trial period by default. To extend it, contact HighGo sales for a longer license. License file handling in Security Edition v4.5.8 is completely different from previous versions; the commands are:
# Upload the license file hgdb.lic to the server and run the following to restrict its permissions.
chmod 0600 hgdb.lic
# show the license information
hg_lic -c -F hgdb.lic
# load the license file
hg_lic -l -F hgdb.lic