Prepare for TLS Walletless Connections

You can connect your database applications or tools to an Autonomous Database on Dedicated Exadata Infrastructure without a wallet. A walletless (one-way TLS) connection still authenticates the server and encrypts the traffic; the server is authenticated with a certificate that the client operating system (OS) trusts.

A TCPS connection without a client wallet works only when the following requirements are met:
  1. One-way TLS connections are enabled.

    By default, one-way TLS connections are enabled when you provision an Autonomous Exadata VM Cluster (AVMC). See Create an Autonomous Exadata VM Cluster for more information.

  2. The server's SSL certificate is trusted by the client operating system.

    Bring your own certificate (BYOC) signed by a well-known public CA, so that the client OS trusts it by default. If the certificate is not signed by a well-known public CA such as DigiCert, add the certificate to the client OS trust store manually.

    For example, in a Linux environment, add the certificate presented by the server to the /etc/ssl/certs/ca-bundle.crt file.

To bring your own certificate (BYOC), follow the steps described below:

Additional Information

The high-level steps involved in getting an SSL certificate from a public CA are:
  1. Create a wallet.

    WALLET_PWD=<password>
    
    CERT_DN="CN=atpd-exa-xjg2g-scan.subnetadbd.vncadbdexacs.oraclevcn.com,OU=FOR TESTING PURPOSES ONLY,O=Oracle Corporation,L=Redwood City,ST=California,C=US"
    CERT_VALIDITY=365
    KEY_SIZE=2048
    SIGN_ALG="sha256"
    WALLET_DIR=$PWD
    ASYM_ALG="RSA"
    
    $ORACLE_HOME/bin/orapki wallet create -wallet $WALLET_DIR -pwd $WALLET_PWD -auto_login
  2. Create a signing request (this creates a private key inside the wallet and a requested certificate)
    $ORACLE_HOME/bin/orapki wallet add -wallet $WALLET_DIR -dn "$CERT_DN" -pwd $WALLET_PWD \
          -keysize $KEY_SIZE -sign_alg $SIGN_ALG -validity $CERT_VALIDITY -asym_alg $ASYM_ALG
  3. Export the signing request
    $ORACLE_HOME/bin/orapki wallet export -wallet $WALLET_DIR -dn "$CERT_DN" -request \
          $WALLET_DIR/cert.csr
  4. Send the signing request file cert.csr to the public CA for the CA to validate it and send back the user/leaf certificate and the chain.

  5. Add the user certificate and the chain (root + intermediate certificates) to the wallet
    $ORACLE_HOME/bin/orapki wallet add -wallet $WALLET_DIR -pwd $WALLET_PWD -trusted_cert -cert \
          $WALLET_DIR/root.crt
    $ORACLE_HOME/bin/orapki wallet add -wallet $WALLET_DIR -pwd $WALLET_PWD -trusted_cert -cert \
          $WALLET_DIR/intermediate.crt
    $ORACLE_HOME/bin/orapki wallet add -wallet $WALLET_DIR -pwd $WALLET_PWD -user_cert -cert \
          $WALLET_DIR/usercert.crt
  6. Upload the user certificate, chain certificates and the private key to the Oracle Cloud Infrastructure (OCI) Certificate Service. You can get the private key from the wallet using the following command:
    openssl pkcs12 -in $WALLET_DIR/ewallet.p12 -out $WALLET_DIR/private.pem -nocerts