Rotate Wallets for Autonomous Database

Wallet rotation lets you invalidate existing client certification keys for a database instance or for all Autonomous Database instances in a region.

You may want to rotate wallets for any of the following reasons:

  • If your organization's policies require regular client certification key rotation.
  • When a client certification key or a set of keys is suspected to be compromised.

There are two options for client certification key rotation:

  • Per-database with Instance Wallet selected:
    • For the database whose certification key is rotated, any existing database specific instance wallets will be void. After you rotate a wallet you have to download a new wallet to connect to the database.
    • Regional wallets containing all database certification keys continue to work.
    • All user sessions are terminated for the database whose wallet is rotated. User session termination begins after wallet rotation completes, however this process does not happen immediately.
  • Regional level with Regional Wallet selected:
    • For the region whose certification key is rotated, both regional and database specific instance wallets will be void. After you rotate a wallet you have to download new regional or instance wallets to connect to any database in the region.
    • All user sessions are terminated for the databases in the region whose wallet is rotated. User session termination begins after wallet rotation completes, however this process does not happen immediately.

Note:

If you want to terminate all connections immediately after the wallet rotation completes, Oracle recommends that you stop and then start your instance(s). This provides the highest level of security for your database.

To rotate the client certification key for a given database or for all Autonomous Databases in a region:

  1. Navigate to the Autonomous Database details page.
  2. Click DB Connection.
  3. On the Database Connection page select the Wallet Type:
    • Instance Wallet: Wallet rotation for a single database only; this provides a database-specific wallet rotation.
    • Regional Wallet: Wallet rotation for all Autonomous Databases for a given tenant and region (this option rotates the client certification key for all service instances that a cloud account owns).
  4. Click Rotate Wallet.
  5. Enter the name as shown in the dialog to confirm the wallet rotation.
  6. In the Rotate Wallet dialog, click Rotate.

The Database Connection page shows: Rotation in Progress.



After the rotation completes, the Wallet last rotated field shows the last rotation date and time.

If you want to terminate all connections immediately after the wallet rotation completes, Oracle recommends that you stop and then start your instance(s). This provides the highest level of security for your database. See Stop Autonomous Transaction Processing for more information.

Note:

Oracle recommends you provide a database-specific instance wallet, with Wallet Type set to Instance Wallet when you use Download Wallet, to end users and for application use whenever possible. Regional wallets should only be used for administrative purposes that require potential access to all Autonomous Databases within a region.

You can also use the Autonomous Database API to rotate wallets using UpdateAutonomousDatabaseRegionalWallet and UpdateAutonomousDatabaseWallet. See Autonomous Database Wallet Reference for more information.