Stunnel lets you create an encrypted channel between two machines using OpenSSL. If you need to set up an encrypted connection between your Oracle client and Oracle server, here are the steps to configure stunnel for Oracle, with sample configuration files. In this example, we'll use the following:
Oracle Server: testserver-001
Oracle Client: testclient-001
Server Listener Port: 1521
Server Stunnel Port: 11521
Client Stunnel Port: 1600
I've tested this on RHEL4U3 64-bit OS with Oracle 10.2.0.2 database.
1. Ensure the stunnel and openssl RPMs are installed on both the Oracle client and the server. Example:
$rpm -qa | grep -i stunnel
stunnel-4.05-3
$rpm -qa | grep -i openssl
openssl-devel-0.9.7a-43.8
openssl-0.9.7a-43.8
openssl-0.9.7a-43.8
openssl096b-0.9.6b-22.42
2. Edit /etc/stunnel/stunnel_server.conf as root on testserver-001 as shown below to prepare the server-side configuration:
service = stunnel-server
cert = /etc/stunnel/bcpstunnel.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 0
output = /tmp/stunnel_server.log
foreground = no
session = 86400
TIMEOUTidle = 3600
client = no
[MYSTUNNEL]
accept=testserver-001:11521
connect=testserver-001:1521
The stunnel server listens for stunnel client requests, decrypts the data, and forwards it to the specified localhost port. The port stunnel listens on is set by the accept parameter, and the port the data is forwarded to by the connect parameter. Each accept/connect pair must sit in its own named section (here [MYSTUNNEL]).
3. Edit /etc/stunnel/stunnel_client.conf as root on testclient-001 as shown below to prepare the client-side configuration:
service = stunnel-client
cert = /etc/stunnel/bcpstunnel.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 0
output = /tmp/stunnel_client.log
foreground = no
session = 86400
TIMEOUTidle = 3600
client = yes
[MYSTUNNEL]
accept = 1600
connect =testserver-001:11521
The stunnel client listens for data on a localhost port, encrypts it, and forwards it to a stunnel server process (typically on another machine). A separate localhost port must be configured for each secure tunnel you want to create.
4. Generate the stunnel certificate on both the Oracle client and the server. Note that the file name bcpstunnel.pem matches the cert entry in the stunnel configurations above.
On each host, run the following command as root. Just press Enter at the question prompts (i.e. leave them blank):
$openssl req -new -x509 -days 3650 -nodes -out bcpstunnel.pem -keyout bcpstunnel.pem
This creates a private key and a self-signed certificate in a single file. The arguments are:
-new                     generate a new key and certificate request
-x509                    output a self-signed X.509 certificate instead of a request
-days 3650               make the certificate valid for 10 years, after which it is not to be used any more
-nodes                   don't put a password on the private key
-out bcpstunnel.pem      where to write the certificate
-keyout bcpstunnel.pem   where to write the private key
5. Start the stunnel server and stunnel client on their respective hosts as root:
$stunnel /etc/stunnel/stunnel_server.conf
$stunnel /etc/stunnel/stunnel_client.conf
$ps -ef|grep stunnel
6. Verify with tnsping. A sample TNS entry for the client, pointing at the local stunnel port, is shown below:
testserver = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1600)) (CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = testserver)))
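Before starting the tunnels it is worth checking what the two configuration files from steps 2 and 3 actually ask stunnel to do. The script below is an added example, not part of the original post: it lints a stunnel 4.x-style config and reports, per [service] section, the accept/connect pair, client/server mode and the verify level. Neither configuration above sets verify, which stunnel treats as level 0 (no peer certificate check), so the tunnel is encrypted but neither end authenticates the other; the lint reports this as verify=unset. It assumes global options precede the first [section] and that keys are written in lower case as in the post (client, verify, accept, connect); the sample config it reads is constructed here.

```shell
#!/bin/sh
# Added example (not from the original post): report accept/connect pair,
# mode and 'verify' level for each [service] section of a stunnel config.
# Assumes global options come before the first [section]; section-level
# client/verify values override the global ones, as stunnel does.

stunnel_lint() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function emit() {
        if (sec == "") return
        printf "%s mode=%s accept=%s connect=%s verify=%s\n", sec,
            (client == "yes" ? "client" : "server"), accept, connect,
            (verify == "" ? "unset" : verify)
    }
    /^[ \t]*([#;]|$)/ { next }                  # skip comments and blank lines
    /^[ \t]*\[/ {                               # start of a [service] section
        emit()
        if (sec == "") { gclient = client; gverify = verify }  # snapshot globals
        sec = trim($0); sec = trim(substr(sec, 2, length(sec) - 2))
        client = gclient; verify = gverify; accept = ""; connect = ""
        next
    }
    {
        eq = index($0, "="); if (eq == 0) next
        key = trim(substr($0, 1, eq - 1)); val = trim(substr($0, eq + 1))
        if (key == "client")       client  = val
        else if (key == "verify")  verify  = val
        else if (key == "accept")  accept  = val
        else if (key == "connect") connect = val
    }
    END { emit() }' "$1"
}

# Constructed sample: the client-side configuration from step 3, trimmed to
# the keys the lint looks at, written to a temporary file.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
service = stunnel-client
cert = /etc/stunnel/bcpstunnel.pem
client = yes
[MYSTUNNEL]
accept = 1600
connect =testserver-001:11521
EOF

stunnel_lint "$SAMPLE_CONF"
# prints: MYSTUNNEL mode=client accept=1600 connect=testserver-001:11521 verify=unset
```

Run it against both /etc/stunnel/stunnel_server.conf and /etc/stunnel/stunnel_client.conf; a verify=unset line means that end will accept any certificate the peer presents.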