4.4 Generate Wallets and Certificates

Secure the client-to-database connection with Transport Layer Security (TLS). Without TLS, the database rejects token-based authentication. Use the orapki (Oracle Public Key Infrastructure) utility to create a server wallet and a self-signed certificate. In this single-host setup, SQL*Plus also uses the same server wallet as its trust store.

Note:

  • Run all commands as the operating system user that owns the Oracle software (typically oracle).
  • Set Common Name (CN) to the database server’s fully qualified domain name.
  • For more details on TLS configuration, see Configuring Transport Layer Security Encryption in Oracle AI Database Security Guide.

  1. Open a terminal on the Linux host.
  2. Create a directory for the server wallet.
    mkdir -p /u01/app/oracle/wallets/server
    
  3. Create the server wallet (identity) and a self-signed certificate.
    orapki wallet create -wallet /u01/app/oracle/wallets/server -pwd <wallet_password> -auto_login
    
    orapki wallet add -wallet /u01/app/oracle/wallets/server -dn "CN=<your-vm-fqdn>,O=Oracle,C=US" -keysize 2048 -self_signed -validity 3650 -pwd <wallet_password>
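The wrapper script below is an added example and is not part of the Oracle guide. It runs steps 2 and 3 with the checks a practitioner wants before handing the wallet to the listener: the CN is validated as a fully qualified domain name, the wallet directory is locked down to mode 700 and the owning user (the directory holds the server's private key), the password is read from the terminal rather than typed on the command line, and the result is listed with `orapki wallet display`. It assumes a Linux host with GNU `stat`, `orapki` on the PATH, execution as the oracle OS user, the wallet path used above, and `hostname -f` as the source of the CN; the function names are the example's own.

```shell
#!/bin/bash
# Added example (not from the Oracle guide): wraps steps 2 and 3 with
# pre-flight checks. Assumes Linux (GNU stat), orapki on PATH, and that the
# script runs as the oracle OS user that will own the wallet.
set -e

# Reject a CN that is not a fully qualified domain name (empty, no dot, or
# containing whitespace): the certificate only helps clients if CN matches
# the name they resolve for the database server.
is_fqdn() {
  case "$1" in
    ""|*[[:space:]]*) return 1 ;;
    *.*)              return 0 ;;
    *)                return 1 ;;
  esac
}

# Distinguished name in the exact form the guide uses for orapki wallet add.
build_dn() {
  printf 'CN=%s,O=Oracle,C=US' "$1"
}

# The wallet directory holds the server's private key: it must exist, be
# mode 700, and be owned by the user running this script. Returns 1 otherwise.
check_wallet_dir() {
  local dir="$1"
  [ -d "$dir" ] || return 1
  [ "$(stat -c '%a' "$dir")" = "700" ] || return 1
  [ "$(stat -c '%u' "$dir")" = "$(id -u)" ] || return 1
  return 0
}

# Steps 2 and 3 of the guide. The wallet password is read from the terminal
# (not echoed) so it does not end up in shell history.
create_server_wallet() {
  local dir="$1" cn="$2" pwd
  is_fqdn "$cn" || { echo "CN '$cn' is not a fully qualified domain name" >&2; return 1; }
  mkdir -p "$dir"
  chmod 700 "$dir"
  check_wallet_dir "$dir" || { echo "$dir has the wrong owner or mode" >&2; return 1; }
  printf 'Wallet password: ' >&2
  read -rs pwd
  echo >&2
  orapki wallet create -wallet "$dir" -pwd "$pwd" -auto_login
  orapki wallet add -wallet "$dir" -dn "$(build_dn "$cn")" \
      -keysize 2048 -self_signed -validity 3650 -pwd "$pwd"
  # Confirm the self-signed certificate is in the wallet before touching
  # listener.ora / sqlnet.ora.
  orapki wallet display -wallet "$dir"
}

# Usage: bash make_wallet.sh run
# (the explicit argument keeps the file safe to source for its functions)
if [ "${1:-}" = "run" ]; then
  create_server_wallet "${WALLET_DIR:-/u01/app/oracle/wallets/server}" "$(hostname -f)"
fi
```

Passing `-pwd` on the command line still exposes the password in the process list for the short time orapki runs; the script only removes it from shell history. For production, follow the note below and keep wallet passwords in a secret manager.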

Note:

This guide uses a self-signed certificate and a single wallet directory for simplicity. For production deployments, use CA-signed certificates, separate client and server trust stores, and a secret manager for wallet passwords. Oracle recommends configuring the WALLET_ROOT initialization parameter and storing the TLS wallet under WALLET_ROOT/<PDB GUID>/tls. See Configuring Transport Layer Security Encryption in Oracle AI Database Security Guide.