Jul 28, 2016 By Charles Fisher
in Databases, Encryption, HOWTOs, Oracle, Security
Oracle has integrated modern Transport Layer Security (TLS) network encryption into its eponymous database product, and beginning with the 10.2 database release, TLS usage no longer requires the Advanced Security option. Legacy configurations lacking TLS do encrypt the password exchange during authentication, but the session payload (every statement sent and every result set returned) is transmitted in clear text and is intercepted easily by anyone with control over an intermediate network segment. Databases holding sensitive content should avoid clear-text traffic configurations.
It is possible to use the stunnel utility to wrap the Oracle Transparent Network Substrate (TNS) Listener "invisibly" with TLS encryption in an isolated process, and this configuration appears to be compatible both with Oracle's sqlplus command-line utility and with the database links used for distributed transactions between multiple database instances. There are several benefits to stunnel over the TNS Listener's native TLS implementation:
The stunnel utility can be far less expensive. Older Oracle database releases required the Advanced Security option to use TLS, which is licensed at $15,000 per CPU according to the latest pricing, but TLS is now included with Standard Edition SE2.
The stunnel utility and its dependent libraries (that is, OpenSSL) are patched far more often, and updates can be applied immediately with no database "bounce" if stunnel is run in an "inetd" configuration, because every new connection starts a fresh stunnel process from the patched binary. Oracle issued eight patched versions of OpenSSL in 2015 for Oracle Linux 7. Database patches are issued only four times per year at regular quarterly intervals and require instance bounces/outages. An urgent SSL/TLS update will see lengthy delays when implemented as a database patch (due in part to an overabundance of caution by most DBAs), but will be far easier to apply as a simple OS utility patch with no downtime. For this reason, security-sensitive code that may require immediate updates should be kept out of the database server whenever possible. The stunnel utility meets this requirement very well.
The stunnel utility can run as a separate user and group inside a "chroot jail" with limited visibility of the rest of the system. Oracle's server TLS implementation runs with the full privilege of the TNS Listener, which typically runs as the Oracle software owner. A compromise of the TLS engine is drastically less dangerous if it is confined within a chroot() jail and an unprivileged account. Privilege separation and chroot() are well-recognized security techniques, and many security-sensitive installations will likely disable listener TLS for this reason alone.
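To make the three points above concrete, here is a server-side stunnel configuration in inetd mode with privilege separation, the matching xinetd stanza that hands each connection to it, and a client-side stanza for a sqlplus host. This is an added example written for this edit, not the configuration from the original article; the file paths, the stunnel user and group, the chroot directory, the host name dbhost.example.com, the cipher list and the stunnel 5.x option names are assumptions. Port 2484 is the IANA-registered port for Oracle TCPS.

```ini
; ---- /etc/stunnel/oracle-tls.conf (server side, inetd mode) ----
; Added example, not the article's configuration. Paths, the stunnel account
; and the chroot directory are assumptions.
;
; No [service] section and no "accept" line: without them stunnel runs in
; inetd mode and handles the single connection passed on stdin/stdout, so a
; patched stunnel or OpenSSL takes effect on the next connection, no bounce.

; Privilege separation: xinetd starts stunnel as root so it can chroot(),
; then it drops to a dedicated unprivileged account. The jail directory is
; root-owned, empty and not writable; cert and key are read before chroot.
chroot = /var/empty/stunnel
setuid = stunnel
setgid = stunnel

; Server certificate and key (key readable by root only).
cert = /etc/stunnel/oracle-tls.pem
key  = /etc/stunnel/oracle-tls.key

; Forward decrypted traffic to the TNS Listener on loopback only, so the
; clear-text port 1521 can be firewalled from every other host.
connect = 127.0.0.1:1521

; Protocol hardening: TLS 1.2 only, forward-secret AEAD suites only.
sslVersion = TLSv1.2
ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256

; One process per connection: no pid file.
pid =

# ---- /etc/xinetd.d/oracle-tls (server side) ----
# Hand each TCPS connection to stunnel. "user = root" is what allows the
# chroot/setuid above; stunnel itself never serves traffic as root.
service oracle-tls
{
    disable     = no
    type        = UNLISTED
    port        = 2484
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /usr/bin/stunnel
    server_args = /etc/stunnel/oracle-tls.conf
}

; ---- /etc/stunnel/oracle-client.conf (sqlplus host) ----
; sqlplus connects in clear text to 127.0.0.1:1521 on its own host; stunnel
; carries the session over TLS to the server's TCPS port and verifies the
; server certificate against a private CA. tnsnames.ora points at localhost.
client = yes
chroot = /var/empty/stunnel
setuid = stunnel
setgid = stunnel
pid =

CAfile = /etc/stunnel/oracle-tls-ca.pem
verify = 2
; checkHost needs stunnel 5.06+ with OpenSSL 1.0.2+; without it, keep the
; private CA dedicated to database servers so verify = 2 is sufficient.
checkHost = dbhost.example.com

[oracle-tls]
accept  = 127.0.0.1:1521
connect = dbhost.example.com:2484
```

With the server in inetd mode, an OS update of stunnel or openssl is live for the very next connection; a daemon-mode stunnel, like the listener itself, would have to be restarted. The client stanza resolves the connect host at startup (stunnel's default delay = no), so the chroot jail needs no resolver files either.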
Let's proceed with adding stunnel TLS services to Oracle.

Server Configuration
I am assuming that the reader is familiar with Oracle databases and the procedures to start up an instance and the TNS Listener. For reference, let's assume that a database SID "mydb" is running, and an example listener daemon is launched on the IP address 188.8.131.52 with the following commands:

    export ORACLE_SID=mydb ORACLE_HOME=~oracle/Ora12c/db
    $ORACLE_HOME/bin/lsnrctl start
The listener will generate a startup message similar to the output below:

    LSNRCTL for Linux: Version 184.108.40.206.0 - Production on 19-FEB-2016 13:18:55

    Copyright (c) 1991, 2014, Oracle.  All rights reserved.

    Starting /home/oracle/Ora12c/db/bin/tnslsnr: please wait...

    TNSLSNR for Linux: Version 220.127.116.11.0 - Production
    System parameter file is /home/oracle/Ora12c/db/network/admin/listener.ora
    Log messages written to /home/oracle/Ora12c/diag/tnslsnr/HOSTNAME/listener/alert/log.xml
    Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=18.104.22.168)(PORT=1521)))
    Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC)))

    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=22.214.171.124)(PORT=1521)))
    STATUS of the LISTENER
    ------------------------
    Alias                     LISTENER
    Version                   TNSLSNR for Linux: Version 126.96.36.199.0 - Production
    Start Date                19-FEB-2016 13:18:55
    Uptime                    0 days 0 hr. 0 min. 0 sec
    Trace Level               off
    Security                  ON: Local OS Authentication
    SNMP                      OFF
    Parameter File            /home/oracle/Ora12c/db/network/admin/listener.ora
    Listener Log File         /home/oracle/Ora12c/diag/tnslsnr/HOSTNAME/listener/alert/log.xml
    Listening Endpoints Summary...
      (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=188.8.131.52)(PORT=1521)))
      (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC)))
    Services Summary...
    Service "mydb" has 1 instance(s).
      Instance "mydb", status UNKNOWN, has 1 handler(s) for this service...
    The command completed successfully
It is important that the listener not engage in "port redirection" of clients to separate server ports (most commonly seen with MTS/Shared Server dispatchers). A redirected client opens a new connection to the advertised port, which lies outside the TLS wrapper in front of port 1521, so the session would silently fall back to clear text. Any feature causing the TNS Listener to engage in such activity must be disabled.
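A quick way to verify this requirement on a running system is to look at the handlers the listener advertises: dedicated servers show as LOCAL SERVER, while shared-server dispatchers appear as DISPATCHER with their own (HOST)(PORT) address, which is exactly where the listener redirects the client. The script below, an added example rather than code from the original article, parses `lsnrctl services` output for such handlers and reports instance, handler name and redirect port. The sample output embedded in it is constructed in the shape lsnrctl prints; the host name, pid and port in it are made up.

```shell
#!/bin/sh
# Added example (not from the original article): scan `lsnrctl services`
# output for shared-server dispatcher handlers. A DISPATCHER handler is
# followed by its own (ADDRESS=...(PORT=n)) line, and the listener redirects
# clients to that port, bypassing a TLS wrapper that fronts only port 1521.

# Print one line per dispatcher handler: "<instance> <handler> <port>".
list_dispatchers() {
    awk '
        /Instance "/   { inst = $2; gsub(/[",]/, "", inst) }
        /^[ \t]*"/     { handler = $1; gsub(/"/, "", handler) }
        /DISPATCHER/   { pending = 1; next }
        pending && /\(PORT=/ {
            port = $0
            sub(/.*\(PORT=/, "", port)
            sub(/\).*/, "", port)
            print inst, handler, port
            pending = 0
        }
    '
}

# Exit 0 when no dispatcher is advertised, 1 otherwise, so it can gate a
# deployment step: $ORACLE_HOME/bin/lsnrctl services | check_no_dispatchers
check_no_dispatchers() {
    n=$(list_dispatchers | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Constructed samples in the format lsnrctl services prints (host, pid and
# port are invented for the example).
SAMPLE_SHARED='Services Summary...
Service "mydb" has 1 instance(s).
  Instance "mydb", status READY, has 2 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:12 refused:0 state:ready
         LOCAL SERVER
      "D000" established:3 refused:0 current:1 max:1022 state:ready
         DISPATCHER <machine: dbhost, pid: 4321>
         (ADDRESS=(PROTOCOL=tcp)(HOST=dbhost)(PORT=32891))
The command completed successfully'

SAMPLE_DEDICATED='Services Summary...
Service "mydb" has 1 instance(s).
  Instance "mydb", status READY, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:12 refused:0 state:ready
         LOCAL SERVER
The command completed successfully'

# Demonstration on the constructed samples (no database needed).
printf '%s\n' "$SAMPLE_SHARED" | list_dispatchers    # prints: mydb D000 32891
if printf '%s\n' "$SAMPLE_DEDICATED" | check_no_dispatchers; then
    echo "dedicated sample: no dispatchers advertised, safe to wrap with stunnel"
fi
```

Run it against the live listener with `. ./check_dispatchers.sh` (or paste the two functions into a deployment script) and pipe `lsnrctl services` into `check_no_dispatchers`. It covers the common shared-server case; any other listener feature that hands clients to a different port deserves the same scrutiny before the TLS wrapper is trusted.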