Oracle SSL configuration

To set up SSL configuration for Oracle connections, you need to create a wallet, configure Oracle network files, and adjust connection settings.

Prerequisites:

  • Oracle Client installed
  • Oracle Database Server that supports SSL
  • Access rights to create directories and files
  • A valid SSL certificate from a trusted CA
  • Oracle Wallet Manager for wallet management

Create Oracle wallet

  1. Create a wallet folder

    Create a directory to store your wallet:

    mkdir /opt/oracle/wallet
    
  2. Generate a wallet

    Use the orapki utility to create a wallet:

    $ORACLE_HOME/bin/orapki wallet create -wallet /opt/oracle/wallet -pwd YourWalletPassword -auto_login
    
  3. Add certificates to the wallet

    Choose one of the following:

    • Create and add a self-signed certificate:
    $ORACLE_HOME/bin/orapki wallet add -wallet /opt/oracle/wallet -pwd YourWalletPassword -dn "CN=example.com" -keysize 2048 -self_signed -validity 365
    
    • Add a CA-signed certificate (this command imports the CA's root certificate into the wallet as a trusted certificate):
    $ORACLE_HOME/bin/orapki wallet add -wallet /opt/oracle/wallet -pwd YourWalletPassword -trusted_cert -cert path_to_root_ca_cert
    

    Tip

    Replace YourWalletPassword, CN=example.com, and path_to_root_ca_cert with your actual values.

  4. Generate JKS files

    Convert the wallet to Java Keystore format:

    $ORACLE_HOME/bin/orapki wallet pkcs12_to_jks -wallet /opt/oracle/wallet -pwd YourWalletPassword -jksKeyStoreLoc /opt/oracle/wallet/oracle_keystore.jks -jksKeyStorepwd YourJKSPassword -jksTrustStoreLoc /opt/oracle/wallet/oracle_truststore.jks -jksTrustStorepwd YourJKSPassword
    

Configure Oracle for SSL

  1. Edit listener.ora

    Example:

    SSL_CLIENT_AUTHENTICATION = FALSE
    
    WALLET_LOCATION =
      (SOURCE =
        (METHOD = FILE)
        (METHOD_DATA =
          (DIRECTORY = /opt/oracle/wallet)
        )
      )
    
    LISTENER =
    (DESCRIPTION_LIST =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
        (ADDRESS = (PROTOCOL = TCP)(HOST = 0.0.0.0)(PORT = 1521))
      )
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCPS)(HOST = 0.0.0.0)(PORT = 2484))
      )
    )
    
    DEDICATED_THROUGH_BROKER_LISTENER = ON
    DIAG_ADR_ENABLED = off
    
  2. Edit sqlnet.ora

    Example:

    WALLET_LOCATION =
      (SOURCE =
        (METHOD = FILE)
        (METHOD_DATA =
          (DIRECTORY = /opt/oracle/wallet)
        )
      )
    
    SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
    SSL_CLIENT_AUTHENTICATION = FALSE
    SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
    
  3. Edit tnsnames.ora

    Example:

    SSL=
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = 0.0.0.0)(PORT = 2484))
      (CONNECT_DATA =
        (SERVER = DEDICATED)
        (SERVICE_NAME = XE)
      )
    )
    
    XE=
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 0.0.0.0)(PORT = 1521))
      (CONNECT_DATA =
        (SERVER = DEDICATED)
        (SERVICE_NAME = XE)
      )
    )
    

    Tip

    Replace 0.0.0.0, 2484, and XE with your server’s IP, SSL port, and service name.
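
The sqlnet.ora example above includes SSL_RSA_WITH_3DES_EDE_CBC_SHA, a 3DES suite. The following check is an added example, not part of the original documentation: it reads SSL_CIPHER_SUITES from a sqlnet.ora file and reports suites built on obsolete primitives. The function names and the sample file are constructed for illustration.

```python
import re

# Name components that mark a suite as broken or obsolete.
WEAK = {
    "3DES": "3DES has a 64-bit block (Sweet32)",
    "DES": "single DES",
    "DES40": "export-grade DES",
    "RC4": "RC4 stream cipher",
    "NULL": "no encryption",
    "EXPORT": "export-grade key exchange",
    "ANON": "unauthenticated key exchange",
    "MD5": "MD5 MAC",
}

# Constructed sample: mirrors the sqlnet.ora shown above, with a comment
# and a wrapped cipher list added to exercise the parser.
SAMPLE = """\
SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
SSL_CLIENT_AUTHENTICATION = FALSE
# SSL_CIPHER_SUITES = (SSL_RSA_WITH_RC4_128_MD5)
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA,
    SSL_RSA_WITH_3DES_EDE_CBC_SHA)
"""

def cipher_suites(sqlnet_text):
    """Return the suites listed in SSL_CIPHER_SUITES (empty list if unset)."""
    body = "\n".join(line.split("#", 1)[0] for line in sqlnet_text.splitlines())
    m = re.search(r"^\s*SSL_CIPHER_SUITES\s*=\s*\(([^)]*)\)", body, re.I | re.M)
    return [s.strip() for s in m.group(1).split(",") if s.strip()] if m else []

def audit(sqlnet_text):
    """Map each configured suite to its findings (empty list = nothing flagged)."""
    report = {}
    for suite in cipher_suites(sqlnet_text):
        parts = suite.upper().split("_")
        findings = [why for token, why in WEAK.items() if token in parts]
        # SSL_RSA_WITH_* / TLS_RSA_WITH_* use RSA key transport.
        if parts[1:3] == ["RSA", "WITH"]:
            findings.append("static RSA key exchange, no forward secrecy")
        report[suite] = findings
    return report

if __name__ == "__main__":
    for suite, findings in audit(SAMPLE).items():
        print(suite, "->", "; ".join(findings) or "ok")
```

Run it against the server's and each client's sqlnet.ora; a suite has to be offered on both sides to be negotiated, so removing a flagged suite from either file keeps it out of the handshake.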

Restart services

  1. Restart the listener

    $ORACLE_HOME/bin/lsnrctl stop
    $ORACLE_HOME/bin/lsnrctl start
    
  2. Restart the database

    $ORACLE_HOME/bin/sqlplus / as sysdba
    shutdown
    startup
    

    Tip

    If running in Docker, use:

    docker restart oracle_container_name
    

Connect to Oracle over SSL

  1. Open DBeaver and create a new connection

    If unsure how, see creating a connection.

  2. Specify the custom JDBC URL

    Example:

    jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=0.0.0.0)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=XE)))
    
  3. Set driver properties

    • javax.net.ssl.trustStorePassword: Password for the truststore
    • javax.net.ssl.trustStoreType: JKS
    • oracle.net.wallet.location: Path to your wallet

  4. Test the connection

    Verify that you can connect over SSL.

Learn more

For general SSL configuration, see SSL overview.