Transport Layer Security Connection without a Client Wallet

A Transport Layer Security (TLS) connection that uses a common root certificate for the database server does not require a client wallet.

About Transport Layer Security Connections without a Client Wallet

You can configure a Transport Layer Security (TLS) connection without a client wallet if your environment meets certain requirements.

Consider using a TLS connection without a client wallet if your environment meets these requirements:

This is the most common type of configuration as long as the root certificate for the database server already exists in the local system certificate store. This configuration can be used for both cloud and on-premises databases. This configuration enables the client to verify server certificates without having to configure its own wallet.

Note the following:

Configuring a Transport Layer Security Connection without a Client Wallet

Before you can configure Transport Layer Security (TLS) without using client wallets, you must ensure that the database does not require client authentication.

  1. Log in to the server where the Oracle database resides.

  2. Check the sqlnet.ora file for the following settings:

    • AUTHENTICATION_SERVICES=(tcps), which will require TLS for database connections.

    • SSL_CLIENT_AUTHENTICATION=FALSE, whose default is TRUE, which will require mTLS (mutual TLS requiring a client certificate in a client wallet). Setting this parameter to FALSE enables both TLS and mTLS connections from the client. If it is set to TRUE, then it is always mTLS.

    By default, the sqlnet.ora file is located in the $ORACLE_HOME/dbs directory or in the location set by the TNS_ADMIN environment variable.

  3. Ensure that the server wallet exists in the default location, defined by the WALLET_ROOT system parameter, or in the WALLET_LOCATION sqlnet.ora parameter.

  4. Check the listener.ora file to ensure TLS is specified.

    LISTENER = (ADDRESS=(PROTOCOL=tcps)(HOST=)(PORT=1234))
  5. Ensure that the listener wallet also exists the default location, set by the WALLET_ROOT system parameter, or in the WALLET_LOCATION sqlnet.ora parameter.

    If you are creating a new client connection, then edit the listener.ora file to have the following setting:

    ADDRESS=(PROTOCOL=tcps)

    By default, listener.ora is located in the $ORACLE_HOME/network/admin directory.

  6. Log in to the client for the Oracle database.

  7. Modify the client sqlnet.ora and tnsnames.ora files.

    • Edit the SQLNET.SSL_CLIENT_AUTHENTICATION setting in the sqlnet.ora file.

      Set the SQLNET.SSL_CLIENT_AUTHENTICATION=FALSE, because the default is TRUE. FALSE enables the client to create the connection using either TLS or mTLS. A setting of FALSE, will not send information about the client side private certificate. Because this applies to every connection, you can change the SSL_CLIENT_AUTHENTICATION parameter in the tnsnames.ora connection string using the same parameter setting. If SSL_CLIENT_AUTHENTICATION=TRUE, then it can only configure mTLS. This setting is optional.

    • If you connect to multiple databases and some require mTLS with a client wallet, then you can have two options for setting different connections with and without a client wallet, as follows:

      • Option 1: Set WALLET_LOCATION in sqlnet.ora for a common wallet. Then use WALLET_LOCATION in your connect string (in tnsnames.ora or directly on the command line) to override the setting in sqlnet.ora. You can specify a different wallet location for a connection or tell the connection to use the system default keystore instead. Use the following parameter to change wallet location to the system default keystore:

        net_service_name = (DESCRIPTION=(ADDRESS = (PROTOCOL=tcps)
        (HOST=host_name)(PORT=port)) (SECURITY=(WALLET_LOCATION=SYSTEM))
        (CONNECT_DATA=(SERVICE_NAME=service_name)))

        The default certificate store location depends on the platform. For Windows, it is in the Microsoft Certificate Store for Microsoft Windows. For Linux, its locations are as follows:

        • RHEL/Oracle Linux: /etc/pki/tls/cert.pem

        • Debian/Ubuntu/Gentoo: /etc/ssl/certs/ca-certificates.crt

        • Fedora/RHEL: /etc/pki/tls/certs/ca-bundle.crt

        • OpenSUSE: /etc/ssl/ca-bundle.pem

        • OpenELEC: /etc/pki/tls/cacert.pem

        • CentOS/RHEL7: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

        • Alpine Linux: /etc/ssl/cert.pem

        For non-Linux and non-Windows systems, if the PEM file is not in one of the locations listed above for Linux systems, then you must either copy the PEM file to one of these default Linux locations or create a symlink from the PEM file to one of these locations. The file must be a PEM file.

      • Option 2: Only specify WALLET_LOCATION as part of the connections that need to use a client wallet. Do not specify WALLET_LOCATION in sqlnet.ora. Connections that do not need to use a client wallet will automatically use the local default system keystore if WALLET_LOCATION is not specified in the sqlnet.ora file. For example:

        net_service_name = (DESCRIPTION=(ADDRESS = (PROTOCOL=tcps)
        (HOST=host_name)(PORT=port)) (SECURITY=(WALLET_LOCATION=wallet_file_directory))
        (CONNECT_DATA=(SERVICE_NAME=service_name)))
  8. In SQL*Plus, to determine if the database connections are using TLS, check the connections by performing the following query.

    SELECT SYS_CONTEXT ('USERENV', 'NETWORK_PROTOCOL') FROM DUAL;

    Output similar to the following should appear:

    SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')
    
    -------------------------------------------------------------------
    tcps