Urgent Action Required for Essbase on OCI Marketplace

To avoid loss of service, before April 15, 2026, you must use an Autonomous AI Database wallet downloaded after Jan 28, 2026 with your Essbase on OCI deployment. Apply a patch as described, and then use the rotate-schema-credentials.sh script to update your Essbase on OCI deployment with the new wallet.

Note:

This action is required for all Essbase on OCI versions prior to Release 21.8.1.0.1.

Why is this action required?

After April 15, 2026, DigiCert will no longer trust G1 root certificates. If your Essbase instance uses mTLS with a wallet created before January 28, 2026, you will lose database connectivity. To ensure uninterrupted service, the rotate-schema-credentials.sh script needs a change in the underlying library.

How will this affect my service?

If your Essbase Marketplace deployment uses Autonomous AI Database as the repository, and you generated your wallet before January 28, 2026, your service will stop working after April 15, 2026. Older wallets use G1 root certificates, which DigiCert will distrust.

Required Action – Summary

On a machine with access to the public Internet and to the Essbase compute instance / VM, download the wallet patch file, and copy it to /tmp on the Essbase node. Change ownership of the file to the oracle user, stop the Essbase Server, and apply the patch.

Required Action – Steps

SSH to the Essbase compute instance as the opc user and navigate to the /tmp directory.
Download wallet.patch from the following location:

https://raw.githubusercontent.com/oracle-quickstart/oci-essbase/refs/heads/main/scripts/walletpatch/wallet.patch

Example:
```
wget https://raw.githubusercontent.com/oracle-quickstart/oci-essbase/refs/heads/main/scripts/walletpatch/wallet.patch
```
Change the file owner to oracle for wallet.patch.

Example:
```
sudo chown oracle:oracle /tmp/wallet.patch
```
Install the patch utility.

Example:
```
sudo yum install -y patch
```
Switch to oracle user.

Example:
```
sudo su oracle
```

Stop Essbase.

Example:

/u01/config/domains/essbase_domain/esstools/bin/stop.sh

Navigate to /u01/vmtools.

Example:
```
cd /u01/vmtools/
```
Apply the patch.

Example:
```
patch -p0 < /tmp/wallet.patch
```
Run a script to update your database wallet.

Example:
```
/u01/vmtools/sysman/rotate-schema-credentials.sh
```
(You’ll be prompted for your database administrator password, and the wallet will update.)

Restart Essbase.

Example:

/u01/config/domains/essbase_domain/esstools/bin/start.sh

Note:

For any other wallet-based Autonomous AI Database connection, download and use the new wallet.

Additional Steps for Essbase Versions Prior to 21.5.3

For Essbase Marketplace versions prior to 21.5.3, after completing the steps mentioned above, Essbase application may fail to start.

You may encounter the following error -

Error (1350014)
Attempt to execute OCI statement failed. [ORA-29003: SSL transport detected mismatched server certificate.]

Solution

SSH into the Essbase server and stop Essbase as oracle user.

/u01/config/domains/essbase_domain/esstools/bin/stop.sh

Make a backup of the old wallet directory (under Wallet Directory Location for your Essbase Marketplace Listing version).

Wallet Directory Location:
```
21c: /u01/config/domains/essbase_domain/config/wallets/wallet
```

Make changes in sqlnet.ora and tnsnames.ora as follows, replace the <Wallet Directory Location> with the path from above:

sqlnet.ora

WALLET_LOCATION = (SOURCE = (METHOD = file) (METHOD_DATA = (DIRECTORY="<Wallet Directory Location>"))) SSL_SERVER_DN_MATCH=yes

WALLET_LOCATION = (SOURCE = (METHOD = file) (METHOD_DATA = (DIRECTORY="<Wallet Directory Location>"))) SSL_SERVER_DN_MATCH=no

tnsnames.ora

Note:

Note: The following change is necessary only if tnsnames.ora has the setting - security=(ssl_server_dn_match=yes). If not , leave the tnsnames.ora as is and proceed.

xxxxxxx_high = (description=
      (retry_count=20)(retry_delay=3)(address=(protocol=tcps)(port=1522)(host=hostname.oraclecloud.com))
      (connect_data=(service_name=servicename.oraclecloud.com))(security=(ssl_server_dn_match=yes)))

xxxxxxx_low = (description=
      (retry_count=20)(retry_delay=3)(address=(protocol=tcps)(port=1522)(host=hostname.oraclecloud.com))
      (connect_data=(service_name=servicename.oraclecloud.com))(security=(ssl_server_dn_match=yes)))

xxxxxxx_medium = (description=
        (retry_count=20)(retry_delay=3)(address=(protocol=tcps)(port=1522)(host=hostname.oraclecloud.com))(connect_data=service_name=servicename.oraclecloud.com))(security=(ssl_server_dn_match=yes)))

xxxxxxx_high = (description=
      (retry_count=20)(retry_delay=3)(address=(protocol=tcps)(port=1522)(host=hostname.oraclecloud.com))(connect_data=(service_name=servicename.oraclecloud.com))(security=(ssl_server_dn_match=no)))

xxxxxxx_low = (description=
      (retry_count=20)(retry_delay=3)(address=(protocol=tcps)(port=1522)(host=hostname.oraclecloud.com))
      (connect_data=(service_name=servicename.oraclecloud.com))(security=(ssl_server_dn_match=no)))

xxxxxxx_medium = (description=
      (retry_count=20)(retry_delay=3)(address=(protocol=tcps)(port=1522)(host=hostname.oraclecloud.com))(connect_data=service_name=servicename.oraclecloud.com))(security=(ssl_server_dn_match=no)))

Everything else remains the same. After following these steps, start Essbase server.
```
/u01/config/domains/essbase_domain/esstools/bin/start.sh
```
Start Essbase applications.

Where can I find additional information?

For more details on the changes in Autonomous AI Database, refer to the blog post: https://blogs.oracle.com/autonomous-ai-database/autonomous-database-announcement-digicert

Refer to this link for the DigiCert announcement: https://knowledge.digicert.com/general-information/digicert-root-and-intermediate-ca-certificate-updates-2023

For Essbase on OCI Marketplace deployment release notes, see: Stack Deployment on OCI