Oracle SSL configuration

To set up SSL configuration for Oracle connections, you need to create a wallet, configure Oracle network files, and adjust connection settings.

Prerequisites:

Oracle Client installed
Oracle Database Server that supports SSL
Access rights to create directories and files
A valid SSL certificate from a trusted CA
Oracle Wallet Manager for wallet management

Create Oracle wallet

Create a wallet folder

Create a directory to store your wallet:
```
mkdir /opt/oracle/wallet
```

Generate a wallet

Use the orapki utility to create a wallet:

$ORACLE_HOME/bin/orapki wallet create -wallet /opt/oracle/wallet -pwd YourWalletPassword -auto_login

Add certificates to the wallet

Choose one of the following:

Create and add a self-signed certificate:

$ORACLE_HOME/bin/orapki wallet add -wallet /opt/oracle/wallet -pwd YourWalletPassword -dn "CN=example.com" -keysize 1024 -self_signed -validity 365

Add a CA-signed certificate:

$ORACLE_HOME/bin/orapki wallet add -wallet /opt/oracle/wallet -pwd YourWalletPassword -trusted_cert -cert path_to_root_ca_cert

Tip

Replace YourWalletPassword, CN=example.com, and path_to_root_ca_cert with your actual values.

Generate JKS files

Convert the wallet to Java Keystore format:

$ORACLE_HOME/bin/orapki wallet pkcs12_to_jks -wallet /opt/oracle/wallet -pwd YourWalletPassword -jksKeyStoreLoc /opt/oracle/wallet/oracle_keystore.jks -jksKeyStorepwd YourJKSPassword -jksTrustStoreLoc /opt/oracle/wallet/oracle_truststore.jks -jksTrustStorepwd YourJKSPassword

Configure Oracle for SSL

Edit listener.ora

Example:

SSL_CLIENT_AUTHENTICATION = FALSE

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /opt/oracle/wallet)
    )
  )

LISTENER =
(DESCRIPTION_LIST =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
    (ADDRESS = (PROTOCOL = TCP)(HOST = 0.0.0.0)(PORT = 1521))
  )
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = 0.0.0.0)(PORT = 2484))
  )
)

DEDICATED_THROUGH_BROKER_LISTENER = ON
DIAG_ADR_ENABLED = off

Edit sqlnet.ora

Example:

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /opt/oracle/wallet)
    )
  )

SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)

Edit tnsnames.ora

Example:

SSL=
(DESCRIPTION =
  (ADDRESS = (PROTOCOL = TCPS)(HOST = 0.0.0.0)(PORT = 2484))
  (CONNECT_DATA =
    (SERVER = DEDICATED)
    (SERVICE_NAME = XE)
  )
)

XE=
(DESCRIPTION =
  (ADDRESS = (PROTOCOL = TCP)(HOST = 0.0.0.0)(PORT = 1521))
  (CONNECT_DATA =
    (SERVER = DEDICATED)
    (SERVICE_NAME = XE)
  )
)

Tip

Replace 0.0.0.0, 2484, and XE with your server’s IP, SSL port, and service name.

Restart services

Restart the listener

$ORACLE_HOME/bin/lsnrctl stop
$ORACLE_HOME/bin/lsnrctl start

Restart the database

$ORACLE_HOME/bin/sqlplus / as sysdba
shutdown
startup

Tip

If running in Docker, use:

docker restart oracle_container_name

Connect to Oracle over SSL

Open DBeaver and create a new connection

If unsure how, see creating a connection.

Specify the custom JDBC URL

Example:

jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=0.0.0.0)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=XE)))

Set driver properties
- javax.net.ssl.trustStorePassword: Password for the truststore
- javax.net.ssl.trustStoreType: JKS
- oracle.net.wallet.location: Path to your wallet
Test the connection

Verify that you can connect over SSL.

Learn more

For general SSL configuration, see SSL overview.