JDBC Thin Connections and Wallets

Autonomous Transaction Processing mandates a secure connection that uses Transport Layer Security (TLSv1.2). Java applications that use JDBC Thin driver require either Oracle Wallet or Java KeyStore (JKS). The wallet and keystore files are included in the client credentials .zip file that is available by clicking DB Connection on the Oracle Cloud Infrastructure console.

JDBC Thin Driver Connection Prerequisites

Applications that use JDBC Thin driver require the Oracle database credentials including the Oracle wallets or Java KeyStore (JKS) files when connecting to an Autonomous Transaction Processing database.

Perform the following steps before connecting to an Autonomous Transaction Processing database:

  1. Provision Autonomous Transaction Processing: Create an Autonomous Transaction Processing database and obtain your database credentials (username and password).
  2. Download Client Credentials: Unzip the wallet_databasename.zip to a secure location. Make sure that only authorized users have access to these files.

    See Download Client Credentials (Wallets) for information on downloading client credentials for Autonomous Transaction Processing.

  3. Verify your JDK version for security: If you are using JDK11, JDK10, or JDK9 then you don’t need to do anything for this step. If your JDK version is less than JDK8u162 then you need to download the JCE Unlimited Strength Jurisdiction Policy Files. Refer to the README file for installation notes. Download the JCE files from Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8 Download.
  4. Check JDBC Driver Version: Download the latest 18.3 JDBC Thin driver (ojdbc8.jar and ucp.jar) from Oracle Database 18c (18.3) JDBC Driver & UCP Downloads. Use the latest 18.3 JDBC driver, or newer, to take advantage of recent enhancements that simplify connections and provide easy steps for configuration. You also need the additional jars: oraclepki.jar, osdt_core.jar, and osdt_cert.jar for use with Oracle wallets.

Using a JDBC URL Connection String with JDBC Thin Driver

The connection string is found in the file tnsnames.ora which is part of the client credentials download. The tnsnames.ora file contains the predefined services identifiable as tpurgent, tp, high, medium, and low. Each service has its own TNS alias and connection string.

See Predefined Database Service Names for Autonomous Transaction Processing for more details.

A sample entry, with dbname_high as the TNS alias and a connection string in tnsnames.ora follows:
dbname_high= (description=
      (address=(protocol=tcps)(port=1522)(host=atp.example.oraclecloud.com))
      (connect_data=(service_name=dbname_high.oraclecloud.com))(security=(ssl_server_cert_dn="CN=atp.oraclecloud.com,OU=Oracle
      US,O=Oracle Corporation,L=Redwood City,ST=California,C=US")))

Set the location of tnsnames.ora with the property TNS_ADMIN in one of the following ways:

  • As part of the connection string (only with the 18.3 or newer JDBC driver)
  • As a system property, -Doracle.net.tns_admin
  • As a connection property (OracleConnection.CONNECTION_PROPERTY_TNS_ADMIN)

Using the 18.3 JDBC driver, the connection string includes the TNS alias and the TNS_ADMIN connection property.

Sample connection string using 18.3 JDBC driver (Linux):

DB_URL="jdbc:oracle:thin:@dbname_high?TNS_ADMIN=/Users/test/wallet_dbname"

Sample connection string using 18.3 JDBC driver (Windows):

DB_URL="jdbc:oracle:thin:@dbname_high?TNS_ADMIN=C:\\Users\\test\\wallet_dbname"

The TNS_ADMIN connection property specifies the following:

  • The location of tnsnames.ora.
  • The location of Oracle Wallet (ewallet.sso, ewallet.p12) or Java KeyStore (JKS) files (truststore.jks, keystore.jks).
  • The location of ojdbc.properties. This file contains the connection properties required to use Oracle Wallets or Java KeyStore (JKS).

Note:

If you are using 12.2.0.1 or older JDBC drivers, then the connection string contains only the TNS alias. To connect using older JDBC drivers:

  • Set the location of the tnsnames.ora, either as a system property with -Doracle.net.tns_admin or as a connection property (OracleConnection.CONNECTION_PROPERTY_TNS_ADMIN).
  • Set the wallet or JKS related connection properties in addition to TNS_ADMIN.

For example, in this case you set the TNS alias in the DB_URL without the TNS_ADMIN part as:

DB_URL=”jdbc:oracle:thin:@dbname_high”

Using a JDBC Connection with 18.3 JDBC Driver

Applications that use JDBC Thin driver can either use Oracle Wallets or Java KeyStore (JKS) to connect to an Autonomous Transaction Processing database.

Using Oracle Wallet

If you choose to use the Oracle Wallet for Java connectivity to Autonomous Transaction Processing using the 18.3 JDBC Thin Driver, do the following:

  1. Make sure that the prerequisites are met: See JDBC Thin Driver Connection Prerequisites for more information.

  2. Verify the connection: You can either use a Java program, a servlet, or IDEs to verify the connection to the Autonomous Transaction Processing database. A simple test is to download DataSourceSample.java or UCPSample.java from JDBC code samples and update the connection URL to have the required TNS alias and pass TNS_ADMIN, providing the path for tnsnames.ora and the wallet files. Also, update the database username and password. For example:

    DB_URL="jdbc:oracle:thin:@dbname_high?TNS_ADMIN=/Users/test/wallet_dbname"
  3. Set the wallet location: The properties file ojdbc.properties is pre-loaded with the wallet related connection property.

    oracle.net.wallet_location=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=${TNS_ADMIN}))

    Note:

    You do not modify the file ojdbc.properties. The value of TNS_ADMIN determines the wallet location.
  4. Compile and Run: Compile and run the sample to get a successful connection. Make sure you have oraclepki.jar , osdt_core.jar, and osdt_cert.jar, in the classpath. For example:

    java –classpath
          ./lib/ojdbc8.jar:./lib/ucp.jar:./lib/oraclepki.jar:./lib/osdt_core.jar:./lib/osdt_cert.jar:. UCPSample

Note:

The auto-login wallet part of Autonomous Transaction Processing downloaded client credentials zip file removes the need for your application to use username/password authentication.

Using Java KeyStore

Follow these steps to connect to Autonomous Transaction Processing using Java KeyStore (JKS) and the 18.3 JDBC Thin Driver:

  1. Make sure that the prerequisites are met: See JDBC Thin Driver Connection Prerequisites for more information.

  2. Ready the database details: You can either use a Java program, a servlet, or IDEs to check the connection to Autonomous Transaction Processing database. A simple test is to download DataSourceSample.java or UCPSample.java from JDBC code samples. In this sample, use the connection URL as shown below. Note that the connection DB_URL contains the TNS alias, for example, dbname_high present in tnsnames.ora. You can provide the path for tnsnames.ora file through TNS_ADMIN property as shown in the URL. Make sure to use the database username and password related to your Autonomous Transaction Processing database.

    DB_URL="jdbc:oracle:thin:@dbname_high?TNS_ADMIN=/Users/test/wallet_dbname"
  3. Set JKS related connection properties: Add the JKS related connection properties to ojdbc.properties file. The keyStore and truststore password are the password specified when you're downloading the client credentials .zip file from the Autonomous Transaction Processing service console.

    To use SSL connectivity instead of Oracle Wallet, specify the keystore and truststore files and their respective password in the ojdbc.properties file as follows:

    
    # Properties for using Java KeyStore (JKS)
    oracle.net.ssl_server_dn_match=true
    javax.net.ssl.trustStore==${TNS_ADMIN}/truststore.jks
    javax.net.ssl.trustStorePassword=password
    javax.net.ssl.keyStore==${TNS_ADMIN}/keystore.jks
    javax.net.ssl.keyStorePassword=password

    Note:

    Make sure to comment the wallet related property in ojdbc.properties. For example:
    
    # Property for using Oracle Wallets
    # oracle.net.wallet_location=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=${TNS_ADMIN}))
  4. Compile and Run: Compile and run the sample to get a successful connection. For example:

    java –classpath ./lib/ojdbc8.jar:./lib/ucp.jar UCPSample

Connecting Using JDBC Thin Driver 12.2 or Older

If you are using the JDBC driver 12.2.0.2 or older, set the Java properties prior to starting the application. Usually you set the properties in the application's startup script.

If you are not able to use the latest 18.3 JDBC drivers, then you can connect to Autonomous Transaction Processing using 12.2.0.2 or other older JDBC drivers. The 12.2 or older JDBC drivers do not support the ojdbc.properties file. With older JDBC driver versions, you need to pass wallets or JKS related properties either as system properties or as connection properties to establish a connection.

Using Oracle Wallet

If you choose to use the Oracle Wallet for Java connectivity to Autonomous Transaction Processing using 12.2 or older JDBC Drivers, do the following:

  1. Make sure that the prerequisites are met: See JDBC Thin Driver Connection Prerequisites for more information.

  2. Verify the connection: You can either use a Java program, a servlet, or IDEs to verify the connection to the Autonomous Transaction Processing database. A simple test is to download DataSourceSample.java or UCPSample.java from JDBC code samples and update the connection URL to have the required TNS alias. Also, update the database username and password. For example:

    DB_URL="jdbc:oracle:thin:@dbname_high”
  3. Set the wallet location: Add the OraclePKIProvider at the end of the provider list in the file java.security (this file is part of your JRE install located at $JRE_HOME/jre/lib/security/java.security) which typically looks like:

    security.provider.14=oracle.security.pki.OraclePKIProvider
  4. Compile and Run: Compile and run the sample to get a successful connection. Make sure to have oraclepki.jar , osdt_core.jar, and osdt_cert.jar, in the classpath. Also, you need to pass the connection properties. Update the properties with the location where tnsnames.ora and wallet files are located.

    java –classpath 
    ./lib/ojdbc8.jar:./lib/ucp.jar:./lib/oraclepki.jar:./lib/osdt_core.jar:./lib/osdt_cert.jar:.
    -Doracle.net.tns_admin=/users/test/wallet_dbname  
    -Doracle.net.ssl_server_dn_match=true  
    -Doracle.net.ssl_version=1.2  (Not required for 12.2)
    -Doracle.net.wallet_location= “(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/users/test/wallet_dbname)))” 
    UCPSample

Note:

These are Windows system examples. Add a \ continuation character if you are setting –D properties on multiple lines on UNIX ( Linux or a Mac).

Using Java KeyStore

Follow these steps to connect to Autonomous Transaction Processing using Java KeyStore (JKS) and the 12.2 or older JDBC Thin Driver.

  1. Make sure that the prerequisites are met: See JDBC Thin Driver Connection Prerequisites for more information.

  2. Verify the connection: You can either use a Java program, a servlet, or IDEs to verify the connection to the Autonomous Transaction Processing database. A simple test is to download DataSourceSample.java or UCPSample.java from JDBC code samples and update the connection URL to have the required TNS alias and pass TNS_ADMIN, providing the path for tnsnames.ora and update the connection URL to have the required TNS alias. Also, update the database username and password. For example:

    DB_URL="jdbc:oracle:thin:@dbname_high”
  3. Compile and Run:: Compile and run the sample to get a successful connection. You need to pass the connection properties as shown below. Update the properties with the location where tnsnames.ora and JKS files are placed. If you want to pass these connection properties programmatically then refer to DataSourceForJKS.java. For example:

    java 
    -Doracle.net.tns_admin=/users/test/wallet_dbname
    -Djavax.net.ssl.trustStore=truststore.jks
    -Djavax.net.ssl.trustStorePassword=**********
    -Djavax.net.ssl.keyStore=keystore.jks    
    -Djavax.net.ssl.keyStorePassword=************   
    -Doracle.net.ssl_server_dn_match=true    
    -Doracle.net.ssl_version=1.2 // Not required for 12.2

JDBC Thin Connections with an HTTP Proxy

If the client is behind a firewall and your network configuration requires an HTTP proxy to connect to the internet, you need to use the JDBC Thin Client 18.1 or higher which enables connections through HTTP proxies.

To connect to Autonomous Transaction Processing through an HTTPS proxy, open and update your tnsnames.ora file. Add the HTTP proxy hostname(https_proxy) and port (https_proxy_port) to the connection string. Replace the values with your HTTPS proxy information. For example:

  1. Add the HTTP proxy hostname and port to the connection definitions in tnsnames.ora. You need to add the https_proxy and https_proxy_port parameters in the address section of connection definitions. For example, the following sets the HTTP proxy to proxyhostname and the HTTP proxy port to 80; replace these values with your HTTP proxy information:

ATPC1_high =
       (description=
             (address=
                   (https_proxy=proxyhostname)(https_proxy_port=80)(protocol=tcps)(port=1522)(host=atp.example.oraclecloud.com)
             )
             (connect_data=(service_name=atpc1_high.atp.oraclecloud.com)
             )
             (security=(ssl_server_cert_dn="atp.example.oraclecloud.com,OU=Oracle BMCS US,O=Oracle Corporation,L=Redwood City,ST=California,C=US")
             )
       )

Notes:

  • JDBC Thin client versions earlier than 18.1 do not support connections through HTTP proxy.

  • Successful connection depends on specific proxy configurations and the performance of data transfers would depend on proxy capacity. Oracle does not recommend using this feature in Production environments where performance is critical.

  • Configuring tnsnames.ora for the HTTP proxy may not be enough depending on your organization's network configuration and security policies. For example, some networks require a username and password for the HTTP proxy.

  • In all cases, contact your network administrator to open outbound connections to hosts in the oraclecloud.com domain using the relevant port without going through an HTTP proxy.