Stunnel Security for Oracle

Database Link

With two or more Oracle database servers, sessions and transactions can be initiated between them to gather and modify data in "two-phase commits". Linkages between accounts and servers are established with the command below (if you have moved tcps hosts into your TNSNAMES.ORA, you can reference them here also):


SQL> CREATE DATABASE LINK MyDBLink
 CONNECT TO RemoteUser
 IDENTIFIED BY PassWord
 USING '(description=
  (address=
   (protocol=tcps)
   (host=1.2.3.4)
   (port=1522)
  )
  (connect_data=(sid=mydb)))';

Database link created.

Once the link is established, remote tables can be suffixed by the link name (which can be joined to other local or remote tables):


SQL> SELECT COUNT(*) FROM ALL_OBJECTS@MyDBLink;

  COUNT(*)
----------
     1851

Server Verification

It may be necessary for keys to be verified on either side of the connection to assure authorized use. The native Oracle TLS implementation requires all keys subject to verification to be signed by a recognized CA (the CA's public keys may need to be added to the certificate store used by Oracle).

Note that stunnel can also verify keys, and it can do so as a client as well as a server. The stunnel verification options are much more flexible than Oracle's, so if CA signatures are not desired but TLS verification is mandated, Oracle's native TLS should be disabled entirely and verification left to stunnel on both ends.

In the examples below, let's assume that the server's certificate (its public key) has a CA signature. To extract that certificate from the stunnel PEM bundle, the following awk range pattern is useful:


awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' \
        /etc/pki/tls/certs/stunnel.pem > /tmp/pkey
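A stunnel PEM bundle usually holds the private key, the server certificate and sometimes the CA chain, and the range pattern above copies every certificate block it finds. The shell functions below are an added example, not code from the article: they copy only the first certificate block (the server's own) and confirm that no private-key material slipped into the output before the file leaves the server. The sample bundle is constructed with dummy base64 bodies; `stunnel.pem` and `/tmp/pkey` are the article's paths, and everything else is hypothetical.

```shell
# Added example: extract only the leaf certificate from a stunnel PEM bundle
# and verify the result before copying it to the client.
# Assumes a POSIX sh with awk and grep.

# extract_leaf_cert IN OUT
# Copies the first BEGIN/END CERTIFICATE block of IN into OUT and stops,
# so a CA chain stored after the leaf certificate is not carried along.
extract_leaf_cert() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { if (done) exit; printing = 1 }
        printing { print }
        /-----END CERTIFICATE-----/   { if (printing) { done = 1; printing = 0 } }
    ' "$1" > "$2"
}

# count_cert_blocks FILE: number of certificate blocks present in FILE
count_cert_blocks() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# has_private_key FILE: true (exit 0) if any PEM private-key header is present
has_private_key() {
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# make_sample_bundle FILE: writes a constructed stunnel.pem-style bundle
# (key + leaf + chain) with dummy bodies; none of this is real key material.
make_sample_bundle() {
    printf '%s\n' \
      '-----BEGIN RSA PRIVATE KEY-----' \
      'MIIEDUMMYKEYDATA...' \
      '-----END RSA PRIVATE KEY-----' \
      '-----BEGIN CERTIFICATE-----' \
      'MIIDLEAFCERTDATA...' \
      '-----END CERTIFICATE-----' \
      '-----BEGIN CERTIFICATE-----' \
      'MIIDCHAINCERTDATA...' \
      '-----END CERTIFICATE-----' > "$1"
}

# demo_extract: runs the extraction on the constructed bundle and refuses to
# hand over a file that still contains a private key or more than one cert.
demo_extract() {
    dir=$(mktemp -d)
    make_sample_bundle "$dir/stunnel.pem"
    extract_leaf_cert "$dir/stunnel.pem" "$dir/pkey"
    if has_private_key "$dir/pkey"; then
        echo "refusing to ship: private key present in extracted file" >&2
        rm -rf "$dir"; return 1
    fi
    echo "bundle certs: $(count_cert_blocks "$dir/stunnel.pem")"
    echo "extracted certs: $(count_cert_blocks "$dir/pkey")"
    cat "$dir/pkey"
    rm -rf "$dir"
}

# Usage: sh extract_cert.sh demo
if [ "${1:-}" = "demo" ]; then demo_extract; fi
```

Run the real extraction the same way, with `/etc/pki/tls/certs/stunnel.pem` as the input, and only copy `/tmp/pkey` to the client once `has_private_key` reports nothing and `count_cert_blocks` reports exactly one block.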

Move the /tmp/pkey file to the client, then load it into the wallet:


$ORACLE_HOME/bin/orapki wallet add -wallet /home/oracle/wallet \
        -pwd SECRET123 -trusted_cert -cert /tmp/pkey

After loading the key, verify that it is now present in the wallet:


$ORACLE_HOME/bin/orapki wallet display -wallet /home/oracle/wallet \
        -pwd SECRET123

The key should appear in the Trusted Certificates section:


Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
User Certificates:
Subject:        CN=%yourdb%
Trusted Certificates:
Subject:        EmailAddress=linus@posix.org,CN=1.2.3.4,OU=Widget Division,O=ACME Corporation,L=Chicago,ST=IL,C=US
Subject:        CN=%yourdb%

The client can verify the server keys with the SSL_SERVER_CERT_DN clause in the TNS descriptor:


$ORACLE_HOME/bin/sqlplus fishecj@'(description=
(address=
 (protocol=tcps)
 (host=1.2.3.4)
 (port=1522)
)
(connect_data=
 (sid=mydb)
 (security=(SSL_SERVER_CERT_DN="CN=1.2.3.4,OU=Widget Division,O=ACME Corporation,L=Chicago,ST=IL,C=US")
)))'

If the CA signature is not recognized, the sqlplus login will fail with the following:


ERROR:
ORA-29024: Certificate validation failure

Additionally, stunnel will record the following in /var/log/secure:


LOG7: SSL alert (read): fatal: unknown CA
LOG3: SSL_accept: 14094418: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

Such errors indicate that the CA certificate is not properly loaded into the trust store (here, the Oracle wallet) used by the database client, so it rejects the stunnel server's certificate during the TLS handshake.
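Because stunnel writes these alerts to the system log, a failed or misconfigured client shows up there before anyone reads the ORA-29024 on the SQL*Plus side. The script below is an added example, not part of the article: it summarises the fatal TLS alerts stunnel recorded in a log file, with a dedicated counter for the "unknown CA" case above. The log lines are constructed in the syslog layout of /var/log/secure, following the LOG7/LOG3 format the article shows, and `dbhost`, the timestamps and the client address are invented.

```shell
# Added example: summarise fatal TLS alerts logged by stunnel.
# Assumes a POSIX sh with awk; the sample log is constructed, not captured.

# tls_alert_counts LOG
# Prints "<alert reason> <count>" for every fatal alert stunnel read from a
# peer, one reason per line, sorted. The companion LOG3 SSL_accept line is
# not counted separately, so each failed handshake is counted once.
tls_alert_counts() {
    awk '
        /stunnel/ && /SSL alert \(read\): fatal: / {
            sub(/.*fatal: /, "")
            counts[$0]++
        }
        END { for (r in counts) print r, counts[r] }
    ' "$1" | sort
}

# unknown_ca_count LOG
# Number of handshakes the peer aborted with "unknown CA", i.e. the client
# did not trust the CA that signed the stunnel server certificate.
unknown_ca_count() {
    awk '/stunnel/ && /SSL alert \(read\): fatal: unknown CA/ { n++ }
         END { print n + 0 }' "$1"
}

# make_sample_secure_log FILE: writes constructed /var/log/secure-style lines.
make_sample_secure_log() {
    printf '%s\n' \
      'Mar  3 10:01:12 dbhost stunnel: LOG5: Service [oracle] accepted connection from 10.0.0.7:51234' \
      'Mar  3 10:01:12 dbhost stunnel: LOG7: SSL alert (read): fatal: unknown CA' \
      'Mar  3 10:01:12 dbhost stunnel: LOG3: SSL_accept: 14094418: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca' \
      'Mar  3 10:02:40 dbhost sshd[999]: Accepted publickey for oracle from 10.0.0.9 port 40000 ssh2' \
      'Mar  3 10:03:05 dbhost stunnel: LOG7: SSL alert (read): fatal: bad certificate' \
      'Mar  3 10:04:30 dbhost stunnel: LOG7: SSL alert (read): fatal: unknown CA' \
      'Mar  3 10:04:30 dbhost stunnel: LOG3: SSL_accept: 14094418: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca' > "$1"
}

# demo_alerts: runs both reports over the constructed log.
demo_alerts() {
    dir=$(mktemp -d)
    make_sample_secure_log "$dir/secure"
    echo "fatal TLS alerts by reason:"
    tls_alert_counts "$dir/secure"
    echo "unknown CA rejections: $(unknown_ca_count "$dir/secure")"
    rm -rf "$dir"
}

# Usage: sh stunnel_alerts.sh demo   (or point the functions at /var/log/secure)
if [ "${1:-}" = "demo" ]; then demo_alerts; fi
```

A non-zero "unknown CA" count right after a wallet change on a client is the fastest confirmation that the `orapki wallet add` step was skipped or loaded the wrong certificate.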

Conclusion

Oracle database security has received pointed criticism through the years and releases, which has slowly improved the architecture and closed exploitable weaknesses. For many, these improvements are inadequate in both speed and scope. In such cases, stunnel is a valuable tool for authentication, isolation and privacy of critical data within Oracle.

Other Articles by Charles Fisher

"Cipher Security: How to Harden TLS and SSH", LJ, September 2015.

"Infinite BusyBox with systemd", LJ, March 2015.

"Strengthening Diffie-Hellman in SSH and TLS", LinuxJournal.com, October 29, 2015.

"Secure File Transfer", LJ, January 2016.

______________________

Charles Fisher has an electrical engineering degree from the University of Iowa and works as a systems and database administrator for a Fortune 500 mining and manufacturing corporation.