Stunnel Security for Oracle

Oracle has integrated modern Transport Layer Security (TLS) network encryption into its eponymous database product, and TLS usage no longer requires the Advanced Security option beginning with the 10.2 database release. Legacy configurations lacking TLS exchange encrypted passwords, but the session payload is transmitted in clear text and is intercepted easily by anyone with control over the intermediate network. Databases holding sensitive content should avoid clear-text traffic configurations.

It is possible to use the stunnel utility to wrap the Oracle Transparent Network Substrate (TNS) Listener "invisibly" with TLS encryption as an isolated process, and this configuration appears to be compatible both with Oracle's sqlplus command-line utility and with database links that are used for distributed transactions between multiple database instances. There are several benefits to stunnel over the TNS Listener's native TLS implementation:

  • The stunnel utility can be far less expensive. Older Oracle database releases required the Advanced Security option to use TLS, which is licensed at $15,000 per CPU according to the latest pricing, but TLS is now included with Standard Edition SE2.

  • The stunnel utility and the associated dependent libraries (that is, OpenSSL) are patched far more often, and updates can be applied immediately with no database "bounce" if stunnel is used in an "inetd" configuration. Oracle issued eight total patched versions of OpenSSL in 2015 for Oracle Linux 7. Database patches are issued only four times per year at regular quarterly intervals and require instance bounces/outages. An urgent SSL/TLS update will have lengthy delays when implemented as a database patch (due in part to an overabundance of caution by most DBAs), but will be far easier to apply as a simple OS utility patch with no downtime. For this reason, security-sensitive code that may require immediate updates should be kept out of the database server whenever possible. The stunnel utility meets this requirement very well.

  • The stunnel utility can run as a separate user and group inside a "chroot jail" that has limited visibility to the rest of the system. Oracle's server TLS implementation runs with the full privilege of the TNS Listener. A compromise of the TLS engine can be drastically less dangerous if it is confined within a chroot() jail. Privilege separation and chroot() are well-recognized security techniques, and many security-sensitive installations likely will disable listener TLS for this reason alone.

Let's proceed with adding stunnel TLS services to Oracle.

Server Configuration

I am assuming that the reader is familiar with Oracle databases and the procedures to start up an instance and the TLS Listener. For reference, let's assume that a database SID "mydb" is running, and an example listener dæmon is launched on the IP address 1.2.3.4 with the following commands:


export ORACLE_SID=mydb ORACLE_HOME=~oracle/Ora12c/db

$ORACLE_HOME/bin/lsnrctl start

The listener will generate a startup message similar to the output below:


LSNRCTL for Linux: Version 12.1.0.2.0 - Production on
 ↪19-FEB-2016 13:18:55

Copyright (c) 1991, 2014, Oracle.  All rights reserved.

Starting /home/oracle/Ora12c/db/bin/tnslsnr: please wait...

TNSLSNR for Linux: Version 12.1.0.2.0 - Production
System parameter file is /home/oracle/Ora12c/db/network/
↪admin/listener.ora
Log messages written to /home/oracle/Ora12c/diag/tnslsnr/
↪HOSTNAME/listener/alert/log.xml
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=1.2.3.4)
↪(PORT=1521)))
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC)))

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=1.2.3.4)
↪(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias             LISTENER
Version           TNSLSNR for Linux: Version 12.1.0.2.0 - Production
Start Date        19-FEB-2016 13:18:55
Uptime            0 days 0 hr. 0 min. 0 sec
Trace Level       off
Security          ON: Local OS Authentication
SNMP              OFF
Parameter File    /home/oracle/Ora12c/db/network/admin/listener.ora
Listener Log File /home/oracle/Ora12c/diag/tnslsnr/HOSTNAME/listener/
↪alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=1.2.3.4)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC)))
Services Summary...
Service "mydb" has 1 instance(s).
  Instance "mydb", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully

It is important that the listener not engage in "port redirection" of clients to separate server ports (most commonly seen in MTS/Shared Server). Any feature causing the TNS Listener to engage in such activity must be disabled.

______________________

Charles Fisher has an electrical engineering degree from the University of Iowa and works as a systems and database administrator for a Fortune 500 mining and manufacturing corporation.