Create a Wallet or Certificates for a TLS Connection

Prior to configuring a TLS connection to a non-Autonomous Database during target registration, you need to create one or more wallets or a certificate, depending on whether client authentication is enabled on your target database.

Create a PEM Certificate for a TLS Connection to a Database that has Server Authentication

  1. Create a PEM Certificate for a TLS Connection. See Transport Layer Security Connections without a Client Wallet in the Oracle Database Security Guide for more information.
  2. When you register the target database in Oracle Data Safe, make sure to do the following:
    • Select the connection type TLS.
    • Set the port number according to the port number you set in the listener.ora file. In this example, the port number is 1553.
    • For the server distinguished name, enter the name you used when you created the self-signed certificate in the wallet. In this example, the name is CN=rootca.
    • For the wallet or certificate type, select PEM Certificate and select the self-signed certificate that you exported from the wallet. In this example, the file is root1.crt.
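
A check you can run on the client machine before the upload in step 2, as an added example that is not part of the Oracle documentation: it confirms that the exported certificate can be parsed, that its subject equals the server distinguished name you are about to enter, and that it has not expired. It assumes the `openssl` command-line tool is available; the function names are hypothetical, and the sample certificate is constructed to stand in for root1.crt.

```shell
#!/bin/sh
# Added example: pre-upload check for the PEM certificate (root1.crt on this page).
# Assumes the openssl CLI is installed; function names are hypothetical.

# Print the certificate subject in RFC 2253 form, e.g. "CN=rootca".
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Return 0 only if the file parses as an X.509 certificate, its subject equals
# the server distinguished name you will enter, and it has not expired.
check_pem_for_registration() {
    cert=$1
    expected_dn=$2
    openssl x509 -in "$cert" -noout 2>/dev/null ||
        { echo "cannot read as an X.509 certificate: $cert"; return 2; }
    actual_dn=$(cert_subject "$cert")
    [ "$actual_dn" = "$expected_dn" ] ||
        { echo "DN mismatch: certificate subject is '$actual_dn'"; return 3; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired"; return 4; }
    # Fingerprint to compare against the certificate held in the database wallet.
    openssl x509 -in "$cert" -noout -fingerprint -sha256
}

# Constructed sample input: a throwaway self-signed certificate standing in
# for root1.crt, written to the directory given as $1.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=rootca" \
        -keyout "$1/sample.key" -out "$1/root1.crt" 2>/dev/null
}

# Usage:
#   check_pem_for_registration root1.crt "CN=rootca"
```

A non-zero return identifies the failed check: 2 for an unreadable file, 3 for a subject that differs from the expected name, 4 for an expired certificate.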

Create Wallets for a TLS Connection to a Database that has Mutual Authentication

During target registration, you can configure a TLS connection between Oracle Data Safe and an Oracle database. You are required to upload two wallets: a TrustStore wallet and a KeyStore wallet.

Oracle Recommendation:

While self-signed certificates are fine for testing purposes, Oracle recommends that you use certificates signed by a trusted or internal certificate authority (CA) for production systems.

Part 1: Establish Mutual Authentication in Your Database

Configure mutual authentication on your target database. See Transport Layer Security Connections with a Client Wallet in the Oracle Database Security Guide for more information.

Part 2: Save the TrustStore and KeyStore Files

In this part, you copy the TrustStore and KeyStore files to your client machine. You do this because Oracle Data Safe requires both wallets.

  1. Copy the TrustStore and KeyStore files to your client machine.

Part 3: Configure the TLS Connection During Target Registration in Oracle Data Safe

When you register the target database in Oracle Data Safe, make sure to do the following:

  • Select the TLS connection type.
  • Set the port number according to the port number you set in the listener.ora file. In this example, the port number is 1522.
  • For the server distinguished name, enter the name you used when you created the self-signed certificate for the target database. In this example, the name is CN=CloudST2.debdev19.oraclecloud.internal.
  • Upload the TrustStore file. For example, upload truststore.jks.
  • Upload the KeyStore file. For example, upload keystore.jks.