Transport Layer Security Connection without a Client Wallet
A Transport Layer Security (TLS) connection that uses a common root certificate for the database server does not require a client wallet.
-
About Transport Layer Security Connections without a Client Wallet
You can configure a Transport Layer Security (TLS) connection without a client wallet if your environment meets certain requirements. -
Configuring a Transport Layer Security Connection without a Client Wallet
Before you can configure Transport Layer Security (TLS) without using client wallets, you must ensure that the database does not require client authentication.
About Transport Layer Security Connections without a Client Wallet
You can configure a Transport Layer Security (TLS) connection without a client wallet if your environment meets certain requirements.
Consider using a TLS connection without a client wallet if your environment meets these requirements:
-
The client certificate is not used as a means of user authentication to the database. Only the server certificate is required to establish a TLS connection.
-
The server certificate was issued by a certificate authority (CA) whose certificate is available in the system’s default certificate store (common root certificate).
-
The Oracle database server is configured to allow TLS connections. (Set
SSL_CLIENT_AUTHENTICATION=FALSE).
This is the most common type of configuration as long as the root certificate for the database server already exists in the local system certificate store. This configuration can be used for both cloud and on-premises databases. This configuration enables the client to verify server certificates without having to configure its own wallet.
Note the following:
-
For the C and Instant Client database drivers (and therefore, SQL*Plus), the walletless feature is only available on Microsoft Windows and Linux x64.
-
For the JDBC-thin driver, the walletless feature is available on all platforms.
Configuring a Transport Layer Security Connection without a Client Wallet
Before you can configure Transport Layer Security (TLS) without using client wallets, you must ensure that the database does not require client authentication.
-
Log in to the server where the Oracle database resides.
-
Check the
sqlnet.orafile for the following settings:-
AUTHENTICATION_SERVICES=(tcps), which will require TLS for database connections. -
SSL_CLIENT_AUTHENTICATION=FALSE, whose default isTRUE, which will require mTLS (mutual TLS requiring a client certificate in a client wallet). Setting this parameter toFALSEenables both TLS and mTLS connections from the client. If it is set toTRUE, then it is always mTLS.
By default, the
sqlnet.orafile is located in the$ORACLE_HOME/dbsdirectory or in the location set by theTNS_ADMINenvironment variable. -
-
Ensure that the server wallet exists in the default location, defined by the
WALLET_ROOTsystem parameter, or in theWALLET_LOCATIONsqlnet.oraparameter. -
Check the
listener.orafile to ensure TLS is specified.LISTENER = (ADDRESS=(PROTOCOL=tcps)(HOST=)(PORT=1234)) -
Ensure that the listener wallet also exists the default location, set by the
WALLET_ROOTsystem parameter, or in theWALLET_LOCATIONsqlnet.oraparameter.If you are creating a new client connection, then edit the
listener.orafile to have the following setting:ADDRESS=(PROTOCOL=tcps)By default,
listener.orais located in the$ORACLE_HOME/network/admindirectory. -
Log in to the client for the Oracle database.
-
Modify the client
sqlnet.oraandtnsnames.orafiles.-
Edit the
SQLNET.SSL_CLIENT_AUTHENTICATIONsetting in thesqlnet.orafile.Set the
SQLNET.SSL_CLIENT_AUTHENTICATION=FALSE, because the default isTRUE.FALSEenables the client to create the connection using either TLS or mTLS. A setting ofFALSE, will not send information about the client side private certificate. Because this applies to every connection, you can change theSSL_CLIENT_AUTHENTICATIONparameter in thetnsnames.oraconnection string using the same parameter setting. IfSSL_CLIENT_AUTHENTICATION=TRUE, then it can only configure mTLS. This setting is optional. -
If you connect to multiple databases and some require mTLS with a client wallet, then you can have two options for setting different connections with and without a client wallet, as follows:
-
Option 1: Set
WALLET_LOCATIONinsqlnet.orafor a common wallet. Then useWALLET_LOCATIONin your connect string (intnsnames.oraor directly on the command line) to override the setting insqlnet.ora. You can specify a different wallet location for a connection or tell the connection to use the system default keystore instead. Use the following parameter to change wallet location to the system default keystore:net_service_name = (DESCRIPTION=(ADDRESS = (PROTOCOL=tcps) (HOST=host_name)(PORT=port)) (SECURITY=(WALLET_LOCATION=SYSTEM)) (CONNECT_DATA=(SERVICE_NAME=service_name)))The default certificate store location depends on the platform. For Windows, it is in the Microsoft Certificate Store for Microsoft Windows. For Linux, its locations are as follows:
-
RHEL/Oracle Linux:
/etc/pki/tls/cert.pem -
Debian/Ubuntu/Gentoo:
/etc/ssl/certs/ca-certificates.crt -
Fedora/RHEL:
/etc/pki/tls/certs/ca-bundle.crt -
OpenSUSE:
/etc/ssl/ca-bundle.pem -
OpenELEC:
/etc/pki/tls/cacert.pem -
CentOS/RHEL7:
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem -
Alpine Linux:
/etc/ssl/cert.pem
For non-Linux and non-Windows systems, if the PEM file is not in one of the locations listed above for Linux systems, then you must either copy the PEM file to one of these default Linux locations or create a symlink from the PEM file to one of these locations. The file must be a PEM file.
-
-
Option 2: Only specify
WALLET_LOCATIONas part of the connections that need to use a client wallet. Do not specifyWALLET_LOCATIONinsqlnet.ora. Connections that do not need to use a client wallet will automatically use the local default system keystore ifWALLET_LOCATIONis not specified in thesqlnet.orafile. For example:net_service_name = (DESCRIPTION=(ADDRESS = (PROTOCOL=tcps) (HOST=host_name)(PORT=port)) (SECURITY=(WALLET_LOCATION=wallet_file_directory)) (CONNECT_DATA=(SERVICE_NAME=service_name)))
-
-
-
In SQL*Plus, to determine if the database connections are using TLS, check the connections by performing the following query.
SELECT SYS_CONTEXT ('USERENV', 'NETWORK_PROTOCOL') FROM DUAL;Output similar to the following should appear:
SYS_CONTEXT('USERENV','NETWORK_PROTOCOL') ------------------------------------------------------------------- tcps