Encrypting network communication with stunnel

Stunnel is a program that acts as a proxy: it wraps network communication in SSL and carries it through an encrypted tunnel, without any change to the application on either end. It is mainly suitable for DBAs doing remote database administration, or for encrypting the communication (log transport) with Data Guard. In this recipe we will encrypt a connection between nodeorcl5 and nodeorcl1 using stunnel.

Getting ready

All steps will be performed on nodeorcl1 and nodeorcl5.

As a prerequisite download and install stunnel from http://www.stunnel.org/downloads.html both on nodeorcl1 and nodeorcl5.

How to do it...

  1. We will start to configure stunnel as a service. Download stunnel_RC_script from http://www.gaztronics.net/rc/stunnel.php and copy it to /etc/init.d.
  2. Next, change the owner permissions for stunnel to root and define it as a service as follows:
    [root@nodeorcl1 stunnel]# chown root:root /etc/init.d/stunnel
    [root@nodeorcl1 stunnel]# chkconfig --add stunnel
    
  3. Because stunnel will forward from a listening (accept) port to a connect port, we have to enable port forwarding by setting the net.ipv4.ip_forward network parameter and reloading the kernel parameters as follows:
    • To make it persistent, open /etc/sysctl.conf:
      net.ipv4.ip_forward=1
      
    • save the file
    • recycle all kernel parameters
      sysctl -p
      

      or apply on the fly

      sysctl -w net.ipv4.ip_forward=1
      
  4. Next, generate a self-signed certificate with one year validity on nodeorcl1 and nodeorcl5. Press Enter for each step as follows:
    [root@nodeorcl1 stunnel]# openssl req -new -x509 -days 365 -nodes -out orastunnel.pem -keyout /etc/stunnel/orastunnel.pem
    Generating a 1024 bit RSA private key
    ........................++++++
    ..............++++++
    Country Name (2 letter code) [GB]:
    State or Province Name (full name) [Berkshire]:
    Locality Name (eg, city) [Newbury]:
    Organization Name (eg, company) [My Company Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:
    Email Address []:
    [root@nodeorcl1 stunnel]#
    
    [root@nodeorcl5 stunnel]# openssl req -new -x509 -days 365 -nodes -out orastunnel.pem -keyout /etc/stunnel/orastunnel.pem
    ... (same prompts as on nodeorcl1; press Enter for each) ...
    [root@nodeorcl5 stunnel]#
    
  5. Next, we will configure stunnel on the server side, nodeorcl1. Create a file called /etc/stunnel/stunnel.conf and add the following entries:
    cert = /etc/stunnel/orastunnel.pem
    output = /tmp/stunnelnodeorcl1.log
    client = no
    [ORASTUNNEL]
    accept=nodeorcl1:28999
    connect=nodeorcl1:1521
    
  6. Create the same file on nodeorcl5 and add the following entries:
    client = yes
    cert = /etc/stunnel/orastunnel.pem
    output = /tmp/stunnelclient.log
    [ORASTUNNEL]
    accept=1950
    connect = nodeorcl1:28999
    
  7. Next, start the stunnel service on nodeorcl1 and nodeorcl5 as follows:
    [root@nodeorcl1 stunnel]# service stunnel start
    Starting stunnel:                                          [  OK  ]
    [root@nodeorcl1 stunnel]#
    [root@nodeorcl5 stunnel]# service stunnel start
    Starting stunnel:                                          [  OK  ]
    [root@nodeorcl5 stunnel]#
    
  8. Create a new network service named HACKDB_STUNNEL in $ORACLE_HOME/network/admin/tnsnames.ora located on nodeorcl5:
    HACKDB_STUNNEL =
      (DESCRIPTION =
        (ADDRESS_LIST =
          (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1950))
        )
        (CONNECT_DATA =
          (SERVICE_NAME = HACKDB)
        )
      )
    
  9. Next, connect to the HACKDB database using the HACKDB_STUNNEL service to test the tunnel:
    [oraclient@nodeorcl5 ~]$ sqlplus HR@HACKDB_STUNNEL
    SQL*Plus: Release 11.2.0.3.0 Production on Tue Aug 28 09:12:58 2012
    
    Copyright (c) 1982, 2011, Oracle.  All rights reserved.
    
    Enter password:
    
    Connected to:
    Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options
    
    SQL>
    

How it works...

The configuration of stunnel is stored, in our case, in /etc/stunnel/stunnel.conf. The cert parameter points to the self-signed certificate. On nodeorcl1 (the server side) the accept parameter is the port on which the encrypted communication is received and forwarded, and the connect parameter is the real port on which the listener listens. On nodeorcl5 (the client side) the connect parameter is identical to the forwarded port on nodeorcl1; this is in fact the connection port. The accept port on nodeorcl5 is the local port to which we connect from nodeorcl5, and it is the port used when defining the network service. The client parameter indicates that this node is the client node.
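The configuration in steps 5 and 6 encrypts the traffic, but the client never checks which certificate the server presents, and the recipe's openssl command leaves a 1024-bit key in a world-readable PEM file. The following script, an added example that is not part of the recipe or of the stunnel project, lints a stunnel.conf for these two points and regenerates the step 4 certificate with safer defaults. The function names (conf_get, lint_stunnel_conf, make_stunnel_cert) are this example's own; the hostnames, file names and ports are taken from the recipe.

```shell
#!/bin/sh
# Added example (not from the recipe): lint a stunnel.conf from steps 5/6
# and generate the step 4 certificate with a 2048-bit key and 0600 mode.

# Print the value of KEY from a stunnel.conf (spaces around '=' optional).
conf_get() {  # usage: conf_get FILE KEY
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
    sed 's/[[:space:]]*$//' | head -n 1
}

# Report weaknesses in a stunnel.conf: one line per finding on stdout,
# return value is the number of findings (0 means the file passed).
lint_stunnel_conf() {  # usage: lint_stunnel_conf FILE
  conf=$1
  findings=0
  client=$(conf_get "$conf" client)
  verify=$(conf_get "$conf" verify)
  cafile=$(conf_get "$conf" CAfile)
  cert=$(conf_get "$conf" cert)

  # 1. A client without 'verify' accepts any certificate on nodeorcl1:28999,
  #    so the tunnel resists passive sniffing only, not an impersonated server.
  if [ "$client" = "yes" ] && [ -z "$verify" ]; then
    echo "$conf: client = yes but no 'verify' line; add 'verify = 2' and a CAfile holding the server certificate"
    findings=$((findings + 1))
  fi
  if [ -n "$verify" ] && [ "$verify" -ge 2 ] 2>/dev/null && [ -z "$cafile" ]; then
    echo "$conf: verify = $verify needs a 'CAfile' to verify against"
    findings=$((findings + 1))
  fi

  # 2. The recipe keeps private key and certificate in one PEM file;
  #    it must exist and must not be readable by group or others.
  if [ -n "$cert" ]; then
    if [ ! -f "$cert" ]; then
      echo "$conf: cert file $cert does not exist"
      findings=$((findings + 1))
    else
      mode=$(stat -c %a "$cert" 2>/dev/null || stat -f %Lp "$cert")
      case "$mode" in
        *00) ;;  # owner-only permissions, e.g. 600 or 0600
        *) echo "$conf: cert file $cert has mode $mode; run chmod 600 $cert"
           findings=$((findings + 1)) ;;
      esac
    fi
  fi
  return "$findings"
}

# Step 4 again, but with a 2048-bit key, a non-interactive subject and the
# key+certificate file created with mode 0600. Key and certificate are
# written separately and then concatenated into the single PEM stunnel reads.
make_stunnel_cert() {  # usage: make_stunnel_cert OUT_PEM COMMON_NAME
  (
    umask 077
    openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 \
      -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null &&
      cat "$1.key" "$1.crt" > "$1" &&
      rm -f "$1.key" "$1.crt"
  )
}

# Typical use on nodeorcl1:
#   make_stunnel_cert /etc/stunnel/orastunnel.pem nodeorcl1
#   lint_stunnel_conf /etc/stunnel/stunnel.conf
```

To make the client verify the server, copy only the certificate part of nodeorcl1's orastunnel.pem to nodeorcl5 (for example as /etc/stunnel/nodeorcl1-cert.pem) and add `verify = 2` and `CAfile = /etc/stunnel/nodeorcl1-cert.pem` to the client's stunnel.conf; the linter then reports no findings for that file. The ip_forward setting of step 3 is unaffected by these changes.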

There's more...

For more details about stunnel, check the stunnel documentation at http://www.stunnel.org/docs.html.
