Rotate Wallets for Autonomous Database

Wallet rotation lets you invalidate existing client certification keys for a database instance or for all Autonomous Database instances that a cloud account owns in a region.

About Wallet Rotation

You have the option to perform one of two types of wallet rotation: immediate or with a grace period.

  • Immediate wallet rotation initiates immediately, without delay.

  • After a grace period wallet rotation occurs with a grace period. During the grace period the old client certification keys remain valid for a selected time of 1 hour to 24 hours. After the grace period expires only the new client certification keys are valid.

You may want to rotate wallets for any of the following reasons:

  • If your organization's policies require regular client certification key rotation.

  • When a client certification key or a set of keys is suspected to be compromised.

Rotate Wallets with Immediate Rotation

Immediate wallet rotation lets you invalidate existing client certification keys for an Autonomous Database instance or for all Autonomous Database instances that a cloud account owns in a region.

There are two options for immediate client certification key rotation:

  • Per-database with Instance Wallet selected:
    • For the database whose certification key is rotated, any existing database specific instance wallets will be void. After you rotate a wallet you have to download a new wallet to connect to the database.
    • Regional wallets containing all database certification keys continue to work.
    • All user sessions are terminated for the database whose wallet is rotated. User session termination begins after wallet rotation completes, however this process does not happen immediately.

    Note:

    If you want to terminate all connections immediately after the wallet rotation completes, Oracle recommends that you restart the Autonomous Database instance. This provides the highest level of security for your database.
  • Regional level with Regional Wallet selected:
    • For the region whose certification key is rotated, both regional and database specific instance wallets will be void. After you rotate a wallet you have to download new regional or instance wallets to connect to any database in the region.
    • All user sessions are terminated for the databases in the region whose wallet is rotated. User session termination begins after wallet rotation completes, however this process does not happen immediately.

    Note:

    If you want to terminate all connections immediately after the wallet rotation completes, Oracle recommends that you restart the Autonomous Database instances in the region. This provides the highest level of security for your database.

To immediately rotate the client certification key for a given database or for all Autonomous Database instances that a cloud account owns in a region:

  1. Navigate to the Autonomous Database details page.
  2. Click DB Connection.
  3. On the Database Connection page select the Wallet Type:
    • Instance Wallet: Wallet rotation for a single database only; this provides a database-specific wallet rotation.
    • Regional Wallet: Wallet rotation for all Autonomous Databases for a given tenant and region (this option rotates the client certification key for all service instances that a cloud account owns).
  4. Click Rotate Wallet.
  5. Enter the name as shown in the dialog to confirm the wallet rotation.
  6. In the Rotate Wallet dialog, click Rotate.

The Database Connection page shows: Rotation in Progress.

After the rotation completes, the Wallet last rotated field shows the last rotation date and time.

Oracle recommends you provide a database-specific instance wallet to end users and for application use whenever possible, with Wallet Type set to Instance Wallet when you use Download Wallet. Regional wallets should only be used for administrative purposes that require potential access to all Autonomous Databases within a region.

You can also use the Autonomous Database API to rotate wallets using UpdateAutonomousDatabaseRegionalWallet and UpdateAutonomousDatabaseWallet. See Autonomous Database Wallet Reference for more information.

Rotate Wallets with Grace Period

Autonomous Database allows you to rotate wallets for an Autonomous Database instance or for all instances that a cloud account owns in a region. with a grace period of 1 hour to 24 hours.

Setting a grace period allows you to perform wallet rotation without down time. During the grace period you can inform users to download the new wallet and to update their applications to use the new wallet. During the grace period both the old and new client certification keys are valid. When the grace period expires, Autonomous Database invalidates the old client certification keys and only the new client certification keys are valid.

There are two options for client certification key rotation with a grace period:

  • Per-database with Instance Wallet selected:
    • For the database whose certification key is rotated, database specific instance wallets that were in use before the wallet rotation be void after the grace period expires.

    • After you perform client certification key rotation with a grace period, you can immediately download a wallet and use the new wallet to connect to the database.

    • Regional wallets containing all database certification keys continue to work.
    • After the grace period expires, existing connections using the old wallet continue to work.

    Note:

    After the grace period completes, if you want to terminate any connections using the old wallet, Oracle recommends that you restart the Autonomous Database instance.
  • Regional level with Regional Wallet selected:
    • For the region whose certification key is rotated, both regional and database specific instance wallets will be void. After the grace period expires you have to download new regional or instance wallets to connect to any database in the region.

    • After the grace period expires, existing connections using the old wallets continue to work.

    Note:

    After the grace period completes, if you want to terminate any connections using the old wallets, Oracle recommends that you restart every Autonomous Database instance in the region.

To rotate the client certification key with a grace period for a given database or for all for all Autonomous Database instances that a cloud account owns in a region:

  1. Navigate to the Autonomous Database details page.
  2. Click DB Connection.
  3. On the Database Connection page select the Wallet Type:
    • Instance Wallet: Wallet rotation for a single database only; this provides a database-specific wallet rotation.
    • Regional Wallet: Wallet rotation for all Autonomous Databases for a given tenant and region (this option rotates the client certification key for all service instances in the region that a cloud account owns).
  4. Click Rotate Wallet.
  5. Select After a grace period.
  6. In the Grace period (in hours) area, either enter a value in the text field or use the slider to select a value.
  7. Enter the name as shown in the dialog to confirm the wallet rotation.
  8. In the Rotate Wallet dialog, click Rotate.

The Database Connection page shows: Rotation in Progress.

After the rotation completes, the Wallet last rotated field shows the last rotation date and time.

Notes for wallet rotation with a grace period:

  • Always Free Autonomous Databases only support immediate wallet rotation (wallet rotation with a grace period is not supported).

  • Oracle recommends you provide a database-specific instance wallet to end users and for application use whenever possible, with Wallet Type set to Instance Wallet when you use Download Wallet. Regional wallets should only be used for administrative purposes that require potential access to all Autonomous Databases within a region.

You can also use the Autonomous Database API to rotate wallets using UpdateAutonomousDatabaseRegionalWallet and UpdateAutonomousDatabaseWallet. See Autonomous Database Wallet Reference for more information.