Oracle SSL configuration

To set up SSL configuration for Oracle connections, you need to create a wallet, configure Oracle network files, and adjust connection settings.

Prerequisites:

• Oracle Client installed
• Oracle Database Server that supports SSL
• Access rights to create directories and files
• A valid SSL certificate from a trusted CA
• Oracle Wallet Manager for wallet management

Create Oracle wallet

1. Create a wallet folder

   Create a directory to store your wallet:

   mkdir /opt/oracle/wallet
   

2. Generate a wallet

   Use the orapki utility to create a wallet:

   $ORACLE_HOME/bin/orapki wallet create -wallet /opt/oracle/wallet -pwd YourWalletPassword -auto_login
   

3. Add certificates to the wallet

   Choose one of the following:

   • Create and add a self-signed certificate:

   $ORACLE_HOME/bin/orapki wallet add -wallet /opt/oracle/wallet -pwd YourWalletPassword -dn "CN=example.com" -keysize 1024 -self_signed -validity 365
   

   • Add a CA-signed certificate:

   $ORACLE_HOME/bin/orapki wallet add -wallet /opt/oracle/wallet -pwd YourWalletPassword -trusted_cert -cert path_to_root_ca_cert
   

   Tip

   Replace YourWalletPassword, CN=example.com, and path_to_root_ca_cert with your actual values.

4. Generate JKS files

   Convert the wallet to Java Keystore format:

   $ORACLE_HOME/bin/orapki wallet pkcs12_to_jks -wallet /opt/oracle/wallet -pwd YourWalletPassword -jksKeyStoreLoc /opt/oracle/wallet/oracle_keystore.jks -jksKeyStorepwd YourJKSPassword -jksTrustStoreLoc /opt/oracle/wallet/oracle_truststore.jks -jksTrustStorepwd YourJKSPassword
   

Configure Oracle for SSL

1. Edit listener.ora

   Example:

   SSL_CLIENT_AUTHENTICATION = FALSE
   
   WALLET_LOCATION =
     (SOURCE =
       (METHOD = FILE)
       (METHOD_DATA =
         (DIRECTORY = /opt/oracle/wallet)
       )
     )
   
   LISTENER =
   (DESCRIPTION_LIST =
     (DESCRIPTION =
       (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
       (ADDRESS = (PROTOCOL = TCP)(HOST = 0.0.0.0)(PORT = 1521))
     )
     (DESCRIPTION =
       (ADDRESS = (PROTOCOL = TCPS)(HOST = 0.0.0.0)(PORT = 2484))
     )
   )
   
   DEDICATED_THROUGH_BROKER_LISTENER = ON
   DIAG_ADR_ENABLED = off
   

2. Edit sqlnet.ora

   Example:

   WALLET_LOCATION =
     (SOURCE =
       (METHOD = FILE)
       (METHOD_DATA =
         (DIRECTORY = /opt/oracle/wallet)
       )
     )
   
   SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
   SSL_CLIENT_AUTHENTICATION = FALSE
   SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
   

3. Edit tnsnames.ora

   Example:

   SSL=
   (DESCRIPTION =
     (ADDRESS = (PROTOCOL = TCPS)(HOST = 0.0.0.0)(PORT = 2484))
     (CONNECT_DATA =
       (SERVER = DEDICATED)
       (SERVICE_NAME = XE)
     )
   )
   
   XE=
   (DESCRIPTION =
     (ADDRESS = (PROTOCOL = TCP)(HOST = 0.0.0.0)(PORT = 1521))
     (CONNECT_DATA =
       (SERVER = DEDICATED)
       (SERVICE_NAME = XE)
     )
   )
   

   Tip

   Replace 0.0.0.0, 2484, and XE with your server’s IP, SSL port, and service name.

Restart services

1. Restart the listener

   $ORACLE_HOME/bin/lsnrctl stop
   $ORACLE_HOME/bin/lsnrctl start
   

2. Restart the database

   $ORACLE_HOME/bin/sqlplus / as sysdba
   shutdown
   startup
   

   Tip

   If running in Docker, use:

   docker restart oracle_container_name
   

Connect to Oracle over SSL

1. Open Team Edition and create a new connection

   If unsure how, see creating a connection.

2. Specify the custom JDBC URL

   Example:

   jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=0.0.0.0)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=XE)))
   

3. Set driver properties

   • javax.net.ssl.trustStorePassword: Password for the truststore
   • javax.net.ssl.trustStoreType: JKS
   • oracle.net.wallet.location: Path to your wallet

   

4. Test the connection

   Verify that you can connect over SSL.

Learn more

For general SSL configuration, see SSL overview.