Posted By ritzy on Tuesday, February 24, 2009
5405 Views 1 Comments


Stunnel lets you create an encrypted channel between two machines using OpenSSL. If you need to set up an encrypted connection between your Oracle client and Oracle server, here are the steps for configuring stunnel for Oracle, with sample configuration files. In this example, we'll use the following:

Oracle Server: testserver-001
Oracle Client: testclient-001
Server Listener Port: 1521
Server Stunnel Port: 11521
Client Stunnel Port: 1600

I've tested this on RHEL4U3 64-bit OS with Oracle 10.2.0.2 database.

1. Ensure the stunnel and openssl RPMs are installed on both the Oracle client and the Oracle server. Example:

$ rpm -qa | grep -i stunnel
stunnel-4.05-3

$ rpm -qa | grep -i openssl
openssl-devel-0.9.7a-43.8
openssl-0.9.7a-43.8
openssl-0.9.7a-43.8
openssl096b-0.9.6b-22.42

2. Edit /etc/stunnel/stunnel_server.conf as root on testserver-001 as shown below to prepare the server-side configuration:

service = stunnel-server
cert = /etc/stunnel/bcpstunnel.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 0
output = /tmp/stunnel_server.log
foreground = no
session = 86400
TIMEOUTidle = 3600
client = no
[MYSTUNNEL]
accept=testserver-001:11521
connect=testserver-001:1521

The stunnel server listens for stunnel client requests, decrypts the data, and forwards it to the port given by the connect parameter (here the Oracle listener on 1521). The port that stunnel listens on is configured via the accept parameter. Each accept/connect pair must be grouped under a named service section (here [MYSTUNNEL]).

2. Edit /etc/stunnel/stunnel_client.conf as root on testclient-001 as shown below to prepare the client-side configuration:

service = stunnel-client
cert = /etc/stunnel/bcpstunnel.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 0
output = /tmp/stunnel_client.log
foreground = no
session = 86400
TIMEOUTidle = 3600
client = yes
[MYSTUNNEL]
accept = 1600
connect = testserver-001:11521

The stunnel client listens for data on a localhost port, encrypts that data, and forwards it to a stunnel server process (typically on another machine). A separate localhost port needs to be configured for each secure tunnel you want to create.

3. Generate the stunnel certificate on both the Oracle client and the Oracle server. Note the name bcpstunnel.pem used in the stunnel configurations.

On each host, run the following command as root. Just press Enter at the question prompts (i.e. leave them blank):
$ openssl req -new -x509 -days 3650 -nodes -out bcpstunnel.pem -keyout bcpstunnel.pem

This creates a private key and a self-signed certificate in one file. The arguments are:
-new Generate a new request and key
-x509 Generate an X.509 certificate (self-signed) instead of a request
-days 3650 Make the certificate valid for 10 years, after which it is not to be used any more
-nodes Don't put a passphrase on the key
-out bcpstunnel.pem Where to write the SSL certificate
-keyout bcpstunnel.pem Where to write the key (the same file here, so it holds both)
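As an added sanity check before starting the tunnel (example code written for this page, not part of the post or of stunnel), the script below parses the server and client configurations above in stunnel's own file format and verifies that the client's connect endpoint lines up with the server's accept endpoint. It also flags two settings the sample files leave at their defaults: an accept with no host, which stunnel binds on all interfaces so the plaintext side of the tunnel is reachable from other machines, and the absence of verify/CAfile, without which the client accepts whatever server certificate it is shown (relevant here because each host generates its own unrelated self-signed bcpstunnel.pem). The embedded config texts are trimmed copies of the post's sample files.

```python
# Sample configs: trimmed copies of the post's stunnel_server.conf / client conf.
SERVER_CONF = """\
[MYSTUNNEL]
accept=testserver-001:11521
connect=testserver-001:1521
"""
CLIENT_CONF = """\
[MYSTUNNEL]
accept = 1600
connect =testserver-001:11521
"""

def parse_stunnel_conf(text):
    """stunnel's INI-like format: global 'key = value' lines, then [service]
    sections. Returns {"_global": {...}, "<service>": {...}}."""
    conf, section = {"_global": {}}, "_global"
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()  # ';' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf.setdefault(section, {})
            continue
        key, _, value = line.partition("=")
        conf[section][key.strip().lower()] = value.strip()
    return conf

def endpoint(value):
    """'[host:]port' -> (host, port); stunnel binds all interfaces if no host."""
    host, sep, port = value.rpartition(":")
    return (host if sep else "0.0.0.0", int(port))

def check_tunnel(server_text, client_text):
    """Return findings for a server/client config pair (empty list = OK)."""
    srv, cli = parse_stunnel_conf(server_text), parse_stunnel_conf(client_text)
    accepts = {endpoint(s["accept"]) for n, s in srv.items() if n != "_global"}
    out = []
    for name, svc in ((n, s) for n, s in cli.items() if n != "_global"):
        # The client's connect must point at a port the server side accepts on.
        if endpoint(svc["connect"]) not in accepts:
            out.append(f"[{name}] connect {svc['connect']} matches no server accept")
        host, port = endpoint(svc["accept"])
        if host == "0.0.0.0":
            out.append(f"[{name}] accept {port} is reachable from other hosts; prefer 127.0.0.1:{port}")
        # Without verify (>0) and a CAfile the client trusts any server certificate.
        if svc.get("verify", cli["_global"].get("verify", "0")) == "0":
            out.append(f"[{name}] no verify/CAfile: server certificate is not checked")
    return out
```

Running check_tunnel(SERVER_CONF, CLIENT_CONF) on the post's files reports the all-interfaces accept and the missing verify; binding accept to 127.0.0.1:1600 (which also matches the HOST = localhost in the TNS entry) and adding verify plus a CAfile that holds the server's certificate clears both.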

4. Start the stunnel server and the stunnel client on their respective hosts as root, and confirm the processes are running:
$ stunnel /etc/stunnel/stunnel_server.conf
$ stunnel /etc/stunnel/stunnel_client.conf
$ ps -ef | grep stunnel

5. Verify with tnsping from the client, using a TNS entry like the sample below that points at the local stunnel client port (1600) rather than at the server directly:
testserver = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1600)) (CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = testserver)))
Alok, Tuesday, August 03, 2010 at 7:59 PM
Excellent article.