Network Access Prerequisites for TLS Connections

Describes the network access configuration prerequisites for TLS connections.

To allow an Autonomous Database instance to use TLS connections, either ACLs must be defined or a private endpoint must be configured:

- When an Autonomous Database instance is configured to operate over the public internet, one or more Access Control Lists (ACLs) must be defined before you use TLS authentication to connect to the database. To validate that ACLs are defined, in the Network area on the Autonomous Database Details page view the Access Control List field. This field shows Enabled when ACLs are defined and shows Disabled when ACLs are not defined.
- When an Autonomous Database instance is configured with a private endpoint you can use TLS authentication to connect to the database. To validate that a private endpoint is defined, in the Network area on the Autonomous Database Details page view the Access type field. This field shows Virtual Cloud Network when a private endpoint is defined.
- When an Autonomous Database instance is configured with the network access type: Secure access from everywhere, you can only use TLS connections to connect to the database if you specify ACLs to restrict access.
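
The prerequisite above can also be checked across many instances from exported resource data rather than one console page at a time. The following is an added example, not Oracle's code: it classifies constructed sample records, and the key names (`isMtlsConnectionRequired`, `whitelistedIps`, `subnetId`) are assumed to match the fields of the OCI AutonomousDatabase resource, so verify them against your own SDK or CLI output.

```python
import json

# Constructed sample records, not real instances. Key names are assumed to mirror
# the camelCase fields of the OCI AutonomousDatabase resource.
SAMPLE = json.loads("""
[
  {"displayName": "adb-public-open", "isMtlsConnectionRequired": true,
   "whitelistedIps": [], "subnetId": null},
  {"displayName": "adb-public-acl", "isMtlsConnectionRequired": true,
   "whitelistedIps": ["203.0.113.0/24"], "subnetId": null},
  {"displayName": "adb-private", "isMtlsConnectionRequired": false,
   "whitelistedIps": null, "subnetId": "ocid1.subnet.oc1..exampleplaceholder"},
  {"displayName": "adb-drifted", "isMtlsConnectionRequired": false,
   "whitelistedIps": [], "subnetId": null}
]
""")

def network_restriction(db):
    """Return 'private-endpoint', 'acl', or None for an unrestricted public endpoint."""
    if db.get("subnetId"):
        return "private-endpoint"
    if db.get("whitelistedIps"):  # None and [] both mean no ACL is defined
        return "acl"
    return None

def tls_readiness(db):
    """Classify one database against the ACL-or-private-endpoint prerequisite."""
    restriction = network_restriction(db)
    # A missing flag is treated as "mTLS required" so the check fails closed.
    if db.get("isMtlsConnectionRequired", True):
        if restriction is None:
            return "mtls-only: define ACLs or a private endpoint before allowing TLS"
        return f"mtls-only: TLS may be allowed ({restriction} in place)"
    if restriction is None:
        return "VIOLATION: TLS allowed with no ACL or private endpoint"
    return f"tls-allowed: restricted by {restriction}"

def audit(dbs):
    """Map each database display name to its readiness classification."""
    return {db["displayName"]: tls_readiness(db) for db in dbs}

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name}: {status}")
```
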

Update your Autonomous Database Instance to Allow both TLS and mTLS Authentication

If your Autonomous Database instance is configured to only allow mTLS connections, you can update the instance to allow both mTLS and TLS connections.

When you update your configuration to allow both mTLS and TLS, you can use both authentication types at the same time and connections are no longer restricted to require mTLS authentication.

You can allow TLS connections when network access is configured as follows:

- With network access configured with ACLs defined.
- With network access configured with a private endpoint defined.

Note: When you configure your Autonomous Database instance network access with ACLs or a private endpoint, the ACLs or the private endpoint apply for both mTLS and TLS connections.

1. Open the Oracle Cloud Infrastructure Console by clicking the navigation icon next to Oracle Cloud.
2. From the Oracle Cloud Infrastructure left navigation menu click Oracle Database and then, depending on your workload, click one of: Autonomous Data Warehouse, Autonomous JSON Database, or Autonomous Transaction Processing.
3. On the Autonomous Databases page select your Autonomous Database from the links under the Display name column.
4. To change the Autonomous Database instance to allow TLS authentication, do the following:
   a. On the Autonomous Database Details page, under Network, click Edit in the Mutual TLS (mTLS) Authentication field. This shows the Edit Mutual TLS Authentication page.
   b. To change the value to allow TLS authentication, deselect Require mutual TLS (mTLS) authentication.

The Autonomous Database Lifecycle state changes to Updating. After some time, the Lifecycle state shows Available and the Mutual TLS (mTLS) Authentication field changes to show Not Required.

After you define ACLs or configure a private endpoint and the Mutual TLS (mTLS) Authentication field shows Not Required, the ACLs or the private endpoint you specify apply to all connection types (mTLS and TLS).

Depending on the type of client, TLS connections have the following support with Autonomous Database:

- If the client is connecting with JDBC Thin using TLS authentication, the client can connect without providing a wallet. See Connect with JDBC Thin Driver for more information.

Update your Autonomous Database Instance to Require mTLS and Disallow TLS Authentication

If your Autonomous Database instance is configured to allow TLS connections, you can update the instance to require mTLS connections and disallow TLS connections.

Note: When you update an Autonomous Database instance to require Mutual TLS (mTLS) connections, existing TLS connections are disconnected.

Perform the following steps as necessary:

1. Open the Oracle Cloud Infrastructure Console by clicking the navigation icon next to Oracle Cloud.
2. From the Oracle Cloud Infrastructure left navigation menu click Oracle Database and then, depending on your workload, click one of: Autonomous Data Warehouse, Autonomous JSON Database, or Autonomous Transaction Processing.
3. On the Autonomous Databases page select your Autonomous Database from the links under the Display name column.
4. To change the Autonomous Database instance to require mTLS authentication and to not allow TLS authentication, do the following:
   a. On the Autonomous Database Details page, under Network, click Edit in the Mutual TLS (mTLS) Authentication field. This shows the Edit Mutual TLS Authentication page.