Stunnel is a proxy that wraps an existing TCP connection in SSL/TLS without any change to the application on either end: the client talks plaintext to a local stunnel port, stunnel encrypts the traffic through the tunnel, and the stunnel on the far side hands plaintext to the real service. It is mainly useful to DBAs for remote database administration, or for encrypting traffic such as log (redo) transport between Data Guard sites. In this recipe we will encrypt the SQL*Net connection between the client node nodeorcl5 and the database node nodeorcl1 using stunnel.
Steps are performed on both nodeorcl1 (the database server, where the listener runs on port 1521) and nodeorcl5 (the client); each step states which node it applies to.
As a prerequisite, download and install stunnel from http://www.stunnel.org/downloads.html on both nodeorcl1 and nodeorcl5.
1. Download stunnel_RC_script from http://www.gaztronics.net/rc/stunnel.php and copy it to /etc/init.d/stunnel. Make it owned by root and executable, and register it as a service. Do this on nodeorcl1 and nodeorcl5:

    [root@nodeorcl1 stunnel]# chown root:root /etc/init.d/stunnel
    [root@nodeorcl1 stunnel]# chmod 755 /etc/init.d/stunnel
    [root@nodeorcl1 stunnel]# chkconfig --add stunnel
2. If the host also has to route packets, enable the net.ipv4.ip_forward kernel parameter by adding the following line to /etc/sysctl.conf and reloading the kernel parameters with sysctl -p:

    net.ipv4.ip_forward=1

   or apply it on the fly:

    sysctl -w net.ipv4.ip_forward=1

   Note that stunnel is a user-space TCP proxy and does not need IP forwarding; setting the parameter to 1 turns the database host into a router and widens its attack surface, so leave it at 0 unless routing is genuinely required.
3. Generate a self-signed certificate and private key on nodeorcl1 and nodeorcl5. Write the key and the certificate to the same file: when -out and -keyout name the same path, openssl appends the certificate after the key, which is the single-PEM layout the cert option of stunnel expects. Use a 2048-bit key rather than the 1024-bit default, and restrict the file to root because it holds the private key. Press Enter to accept the default for each prompt:

    [root@nodeorcl1 stunnel]# openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 -out /etc/stunnel/orastunnel.pem -keyout /etc/stunnel/orastunnel.pem
    Generating a 2048 bit RSA private key
    ........................++++++
    ..............++++++
    Country Name (2 letter code) [GB]:
    State or Province Name (full name) [Berkshire]:
    Locality Name (eg, city) [Newbury]:
    Organization Name (eg, company) [My Company Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:
    Email Address []:
    [root@nodeorcl1 stunnel]# chmod 600 /etc/stunnel/orastunnel.pem
    [root@nodeorcl1 stunnel]#

    [root@nodeorcl5 stunnel]# openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 -out /etc/stunnel/orastunnel.pem -keyout /etc/stunnel/orastunnel.pem
    …
    [root@nodeorcl5 stunnel]# chmod 600 /etc/stunnel/orastunnel.pem
    [root@nodeorcl5 stunnel]#
4. On nodeorcl1 (the server side of the tunnel) create a file called /etc/stunnel/stunnel.conf and add the following entries:

    cert = /etc/stunnel/orastunnel.pem
    output = /tmp/stunnelnodeorcl1.log
    client = no
    [ORASTUNNEL]
    accept = nodeorcl1:28999
    connect = nodeorcl1:1521
5. On nodeorcl5 (the client side of the tunnel) create /etc/stunnel/stunnel.conf and add the following entries. The cert path is the file generated in step 3, and the accept port is bound to localhost so the plaintext side of the tunnel is not reachable from the network:

    client = yes
    cert = /etc/stunnel/orastunnel.pem
    output = /tmp/stunnelclient.log
    [ORASTUNNEL]
    accept = localhost:1950
    connect = nodeorcl1:28999
6. Start stunnel on nodeorcl1 and nodeorcl5:

    [root@nodeorcl1 stunnel]# service stunnel start
    Starting stunnel:                                          [  OK  ]
    [root@nodeorcl1 stunnel]#

    [root@nodeorcl5 stunnel]# service stunnel start
    Starting stunnel:                                          [  OK  ]
    [root@nodeorcl5 stunnel]#
7. Define a network service named HACKDB_STUNNEL in $ORACLE_HOME/network/admin/tnsnames.ora on nodeorcl5 that points at the local stunnel port rather than at the listener:

    HACKDB_STUNNEL =
      (DESCRIPTION =
        (ADDRESS_LIST =
          (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1950))
        )
        (CONNECT_DATA =
          (SERVICE_NAME = HACKDB)
        )
      )
8. From nodeorcl5, connect to the HACKDB database using the HACKDB_STUNNEL service to test the tunnel:

    [oraclient@nodeorcl5 ~]$ sqlplus HR@HACKDB_STUNNEL

    SQL*Plus: Release 11.2.0.3.0 Production on Tue Aug 28 09:12:58 2012

    Copyright (c) 1982, 2011, Oracle.  All rights reserved.

    Enter password:

    Connected to:
    Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options

    SQL>
The configuration of stunnel is stored in our case in /etc/stunnel/stunnel.conf on each node. The cert parameter points to the PEM file holding the self-signed certificate and its private key. On nodeorcl1 the accept parameter is the port on which stunnel listens for the encrypted connection coming from the client (28999), and the connect parameter is the real port on which the listener listens (1521): stunnel decrypts what arrives on 28999 and forwards it in plaintext to the listener on the same host. On nodeorcl5 the connect parameter is identical to the accept address on nodeorcl1; this is, in fact, the port the encrypted connection is made to. The accept port on nodeorcl5 (1950) is the local plaintext port that SQL*Net connects to, and is the port used in the HACKDB_STUNNEL network service. The client parameter marks nodeorcl5 as the client end of the tunnel.

Three points matter for the security of this setup. First, stunnel does not verify the peer certificate unless told to (the default verify level is none), so with the configuration above the client would accept any certificate presented on nodeorcl1:28999; to pin the server, copy the server's certificate to the client and add verify = 2 together with CAfile = <path to that copy> to the client's stunnel.conf. Second, bind the client's accept to localhost, as in step 5; a bare port number binds every interface and exposes an unencrypted path into the database to anyone who can reach nodeorcl5. Third, the listener port 1521 on nodeorcl1 must be blocked from remote hosts by the firewall, otherwise the tunnel is optional and a client can simply connect to 1521 in clear. stunnel also supports the setuid, setgid, and chroot options, which let it drop root privileges once the ports are bound.
For more details about stunnel, check the stunnel documentation at http://www.stunnel.org/docs.html.