Prepare for TLS Walletless Connections
You can connect your database applications or tools to an Autonomous Database on Dedicated Exadata Infrastructure without a wallet. Connecting without a wallet (TLS) still provides authentication and encryption; trust is enforced through a server certificate that the client operating system (OS) trusts.
- One-way TLS connections are enabled. By default, one-way TLS connections are enabled when you provision an Autonomous Exadata VM Cluster (AVMC). See Create an Autonomous Exadata VM Cluster for more information.
- The server SSL certificate is trusted by the client operating system. Use a bring-your-own-certificate (BYOC) digital SSL certificate signed by a well-known public CA so that the client OS trusts it by default. If the certificate is not signed by a well-known public CA such as DigiCert, add it manually so that the client OS trusts it. For example, in a Linux environment, add the certificate presented by the server to the /etc/ssl/certs/ca-bundle.crt file.
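The trust check described above, as an added example that is not Oracle's code or part of this page: a POSIX shell script that captures the chain the listener presents, shows who issued each certificate, verifies the leaf against the client OS bundle the way a client library would, and adds a CA certificate to that bundle only when it is genuinely missing, so re-running provisioning never duplicates trust anchors. The bundle path is the Linux one named above; the port 2484, the output path /tmp/adb-chain.pem, the function names and the presence of openssl on PATH are assumptions.

```shell
#!/bin/sh
# Added example, not Oracle's code: check whether the certificate an Autonomous
# Database listener presents chains to a CA already trusted by this client's OS
# bundle, and add a CA certificate to that bundle only when it is really missing.
# Assumptions: the bundle path is the Linux one named on the page, port 2484 is
# a placeholder for the TCPS listener port, and openssl is on PATH.
set -eu

OS_BUNDLE="${OS_BUNDLE:-/etc/ssl/certs/ca-bundle.crt}"

# Print the base64 body of every certificate in a PEM file, one cert per line.
pem_bodies() {
  awk '/-----BEGIN CERTIFICATE-----/ { inb = 1; body = ""; next }
       /-----END CERTIFICATE-----/   { if (inb) print body; inb = 0; next }
       inb { body = body $0 }' "$1"
}

# Number of certificates in a PEM file (prints 0 when there are none).
pem_cert_count() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeed when the first certificate in file $2 is already present in bundle $1.
bundle_has_cert() {
  body=$(pem_bodies "$2" | head -n 1)
  [ -n "$body" ] && pem_bodies "$1" | grep -qxF -e "$body"
}

# Append certificate file $2 to bundle $1 unless it is already there (idempotent).
append_if_missing() {
  if bundle_has_cert "$1" "$2"; then
    echo "already present in $1: $2"
  else
    cat "$2" >> "$1"
    echo "appended to $1: $2"
  fi
}

# Save the chain the listener presents (leaf first) to $3.
fetch_chain() {   # fetch_chain <scan-host> <port> <outfile>
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$3"
}

# Show subject, issuer and SHA-256 fingerprint of each certificate, then verify
# the leaf against the OS bundle exactly as a client would before trusting it.
inspect_and_verify() {   # inspect_and_verify <chainfile>
  dir=$(mktemp -d)
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ }
                   n > 0 { print > (d "/cert" n ".pem") }' "$1"
  for f in "$dir"/cert*.pem; do
    openssl x509 -in "$f" -noout -subject -issuer -fingerprint -sha256
  done
  if openssl verify -CAfile "$OS_BUNDLE" -untrusted "$1" "$dir/cert1.pem"; then
    echo "leaf certificate chains to a CA in $OS_BUNDLE; no manual trust needed"
    rm -rf "$dir"
  else
    echo "leaf certificate is NOT trusted via $OS_BUNDLE; add its CA with append_if_missing" >&2
    rm -rf "$dir"
    return 1
  fi
}

# Usage (placeholders): sh tls-trust-check.sh <scan-host> [port]
if [ "$#" -ge 1 ]; then
  fetch_chain "$1" "${2:-2484}" /tmp/adb-chain.pem
  inspect_and_verify /tmp/adb-chain.pem
fi
```

Run it with the SCAN hostname of the AVMC first; only if `openssl verify` reports a failure does the CA certificate from the captured chain need to go into the bundle, and `append_if_missing` compares the certificate body rather than the file name so a second run is a no-op.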
- Get an SSL certificate from a public CA, such as DigiCert. See Additional Information for detailed instructions.
- Seed the SSL certificate using the OCI Certificate Service. Refer to Creating a Certificate. These certificates must be signed and must be in PEM format, that is, their file extension must be .pem, .cer, or .crt only.
- Add the SSL certificate to your AVMC from the Manage Certificates dialog accessible from the AVMC Details page. Refer to Manage Security Certificates for an Autonomous Exadata VM Cluster.
Additional Information
- Create a wallet.
    WALLET_PWD=<password>
    CERT_DN="CN=atpd-exa-xjg2g-scan.subnetadbd.vncadbdexacs.oraclevcn.com,OU=FOR TESTING PURPOSES ONLY,O=Oracle Corporation,L=Redwood City,ST=California,C=US"
    CERT_VALIDITY=365
    KEY_SIZE=2048
    SIGN_ALG="sha256"
    WALLET_DIR=$PWD
    ASYM_ALG="RSA"
    $ORACLE_HOME/bin/orapki wallet create -wallet $WALLET_DIR -pwd $WALLET_PWD -auto_login
- Create a signing request (this creates a private key inside the wallet and a certificate request).
    $ORACLE_HOME/bin/orapki wallet add -wallet $WALLET_DIR -dn "$CERT_DN" -pwd $WALLET_PWD -keysize $KEY_SIZE -sign_alg $SIGN_ALG -validity $CERT_VALIDITY -asym_alg $ASYM_ALG
- Export the signing request.
    $ORACLE_HOME/bin/orapki wallet export -wallet $WALLET_DIR -dn "$CERT_DN" -request $WALLET_DIR/cert.csr
- Send the signing request file cert.csr to the public CA. The CA validates it and sends back the user (leaf) certificate and the chain.
- Add the user certificate and the chain (root and intermediate certificates) to the wallet.
    $ORACLE_HOME/bin/orapki wallet add -wallet $WALLET_DIR -pwd $WALLET_PWD -trusted_cert -cert $WALLET_DIR/root.crt
    $ORACLE_HOME/bin/orapki wallet add -wallet $WALLET_DIR -pwd $WALLET_PWD -trusted_cert -cert $WALLET_DIR/intermediate.crt
    $ORACLE_HOME/bin/orapki wallet add -wallet $WALLET_DIR -pwd $WALLET_PWD -user_cert -cert $WALLET_DIR/usercert.crt
- Upload the user certificate, the chain certificates, and the private key to the Oracle Cloud Infrastructure (OCI) Certificate Service. You can extract the private key from the wallet with the following command:
    openssl pkcs12 -in $WALLET_DIR/ewallet.p12 -out $WALLET_DIR/private.pem -nocerts
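The wallet, signing-request and import steps above as one script, added here as an example that is not Oracle's code or part of this page. It keeps the page's orapki and openssl commands but separates the fused import commands, refuses to hard-code the wallet password, and inserts a gate between receiving the CA's reply and importing it: the three files must carry one of the page's allowed extensions and be PEM certificates, the leaf must verify against the returned root and intermediate, and the leaf's public key must be the one from our CSR (so a mix-up between two requests is caught before upload). CERT_DN and the file names cert.csr, root.crt, intermediate.crt, usercert.crt, ewallet.p12 and private.pem follow the page; the DN placeholder values, the script name, the function names and the "csr"/"import" subcommands are assumptions.

```shell
#!/bin/sh
# Added example, not Oracle's code: wallet, CSR and chain import for a BYOC
# certificate, with checks on the CA's reply before import and upload.
# Assumptions: WALLET_PWD is supplied by the environment (never in the script),
# the DN placeholders are replaced with real values, and openssl is on PATH.
set -eu

WALLET_DIR="${WALLET_DIR:-$PWD}"
CERT_DN="${CERT_DN:-CN=<scan-hostname>,O=<organization>,L=<city>,ST=<state>,C=<country>}"
CERT_VALIDITY=365
KEY_SIZE=2048
SIGN_ALG=sha256
ASYM_ALG=RSA

# Extension rule from the page for certificates given to the OCI Certificate Service.
pem_ext_ok() {
  case "$1" in
    *.pem|*.cer|*.crt) return 0 ;;
    *) return 1 ;;
  esac
}

# Cheap format check: a PEM certificate, not DER or a PKCS#7 bundle.
is_pem_cert() {
  grep -q -e '-----BEGIN CERTIFICATE-----' "$1" && grep -q -e '-----END CERTIFICATE-----' "$1"
}

# Wallet, key pair plus request inside it, exported CSR (the page's first three steps).
create_wallet_and_csr() {
  pwd_="${WALLET_PWD:?set WALLET_PWD in the environment, not in the script}"
  "$ORACLE_HOME/bin/orapki" wallet create -wallet "$WALLET_DIR" -pwd "$pwd_" -auto_login
  "$ORACLE_HOME/bin/orapki" wallet add -wallet "$WALLET_DIR" -dn "$CERT_DN" -pwd "$pwd_" \
      -keysize "$KEY_SIZE" -sign_alg "$SIGN_ALG" -validity "$CERT_VALIDITY" -asym_alg "$ASYM_ALG"
  "$ORACLE_HOME/bin/orapki" wallet export -wallet "$WALLET_DIR" -dn "$CERT_DN" -request "$WALLET_DIR/cert.csr"
}

# Gate between the CA's reply and the import: file types, chain validity, and
# that the leaf really carries the public key from our CSR.
check_ca_reply() {
  for f in root.crt intermediate.crt usercert.crt; do
    pem_ext_ok "$f" || { echo "unsupported extension: $f" >&2; return 1; }
    is_pem_cert "$WALLET_DIR/$f" || { echo "not a PEM certificate: $f" >&2; return 1; }
  done
  openssl verify -CAfile "$WALLET_DIR/root.crt" -untrusted "$WALLET_DIR/intermediate.crt" \
      "$WALLET_DIR/usercert.crt"
  csr_key=$(openssl req -in "$WALLET_DIR/cert.csr" -noout -pubkey)
  leaf_key=$(openssl x509 -in "$WALLET_DIR/usercert.crt" -noout -pubkey)
  [ "$csr_key" = "$leaf_key" ] || { echo "leaf certificate does not match the CSR key" >&2; return 1; }
}

# Trusted certificates first, user certificate last, one command per line.
import_chain() {
  pwd_="${WALLET_PWD:?}"
  "$ORACLE_HOME/bin/orapki" wallet add -wallet "$WALLET_DIR" -pwd "$pwd_" -trusted_cert -cert "$WALLET_DIR/root.crt"
  "$ORACLE_HOME/bin/orapki" wallet add -wallet "$WALLET_DIR" -pwd "$pwd_" -trusted_cert -cert "$WALLET_DIR/intermediate.crt"
  "$ORACLE_HOME/bin/orapki" wallet add -wallet "$WALLET_DIR" -pwd "$pwd_" -user_cert -cert "$WALLET_DIR/usercert.crt"
}

# Private key for the OCI upload; the file stays readable by its owner only.
export_private_key() {
  openssl pkcs12 -in "$WALLET_DIR/ewallet.p12" -passin "pass:${WALLET_PWD:?}" -nocerts \
      -out "$WALLET_DIR/private.pem"
  chmod 600 "$WALLET_DIR/private.pem"
}

# Usage (placeholders): sh adb-cert.sh csr   then, after the CA replies,   sh adb-cert.sh import
case "${1:-}" in
  csr) create_wallet_and_csr ;;
  import) check_ca_reply && import_chain && export_private_key ;;
esac
```

`openssl pkcs12 -nocerts` still prompts for a passphrase to protect private.pem; that is intentional, since the file is about to leave the wallet, and the passphrase can be supplied to the OCI upload step rather than stored beside the key.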