Prepare for TLS Walletless Connections

You can connect your database applications or tools to an Autonomous Database on Dedicated Exadata Infrastructure without a wallet. Connecting an application without a wallet (TLS) provides security for authentication and encryption, and security is enforced using a security certificate that is trusted by the client operating system (OS).

TCPS connection without using a client wallet will only work when the following requirements are met:

One-way TLS connections are enabled.

By default, one-way TLS connections are enabled when you provision an AVMC. See Create an Autonomous Exadata VM Cluster for more information.
Server SSL certificate is trusted by the client operating system.

Use a (BYOC) digital SSL certificate signed by a well-known public CA so that it is trusted by the client OS by default. If the digital certificate is not signed by a well-known public CA such as Digicert, manually add the certificate so the client OS trusts it.

For example, in a Linux environment, add the certificate presented by the server to the /etc/ssl/certs/ca-bundle.crt file.

To bring your own certificate (BYOC), follow the steps described below:

Get an SSL certificate from a public CA, such as Digicert. See Additional Information for detailed instructions.
Seed the SSL certificate using the OCI Certificate Service. Refer to Creating a Certificate.

These certificates must be signed and must be in the PEM format, that is, their file extension must be .pem, .cer, or .crt only.
Add the SSL certificate to your AVMC from the Manage Certificates dialog accessible from the AVMC Details page. Refer to Manage Security Certificates for an Autonomous Exadata VM Cluster.

Additional Information

Parent topic: Connect to Autonomous Database

Additional Information

The high-level steps involved in getting an SSL certificate from a public CA are:

Create a wallet.

WALLET_PWD=<password>

CERT_DN="CN=atpd-exa-xjg2g-scan.subnetadbd.vncadbdexacs.oraclevcn.com,OU=FOR TESTING PURPOSES ONLY,O=Oracle Corporation,L=Redwood City,ST=California,C=US"
CERT_VALIDITY=365
KEY_SIZE=2048
SIGN_ALG="sha256"
WALLET_DIR=$PWD
ASYM_ALG="RSA"

$ORACLE_HOME/bin/orapki wallet create -wallet $WALLET_DIR -pwd $WALLET_PWD -auto_login

Create a signing request (this creates a private key inside the wallet and a requested certificate)

$ORACLE_HOME/bin/orapki wallet add -wallet $WALLET_DIR -dn "$CERT_DN" -pwd $WALLET_PWD
      -keysize $KEY_SIZE -sign_alg $SIGN_ALG -validity $CERT_VALIDITY -asym_alg $ASYM_ALG

Export the signing request

$ORACLE_HOME/bin/orapki wallet export -wallet $WALLET_DIR -dn "$CERT_DN" -request
      $WALLET_DIR/cert.csr

Send the signing request file cert.csr to the public CA for the CA to validate it and send back the user/leaf certificate and the chain.

Add the user certificate and the chain (root + intermediate certificates) in the wallet

$ORACLE_HOME/bin/orapki wallet add -wallet $WALLET_DIR -pwd $WALLET_PWD  -trusted_cert -cert
      $WALLET_DIR/root.crt$ORACLE_HOME/bin/orapki wallet add -wallet $WALLET_DIR -pwd $WALLET_PWD  -trusted_cert -cert
      $WALLET_DIR/intermediate.crt$ORACLE_HOME/bin/orapki wallet add -wallet $WALLET_DIR -pwd $WALLET_PWD -user_cert -cert
      $WALLET_DIR/usercert.crt

Upload the user certificate, chain certificates and the private key to the Oracle Cloud Infrastructure (OCI) Certificate Service. You can get the private key from the wallet using the following command:
```
openssl pkcs12 -in $WALLET_DIR/ewallet.p12 -out $WALLET_DIR/private.pem -nocerts
```

Parent topic: Prepare for TLS Walletless Connections

Oracle Cloud Infrastructure Documentation

Additional Information