Create a Wallet or Certificates for a TLS Connection
Prior to configuring a TLS connection to a non-Autonomous Database during target registration, you need to create one or more wallets or a certificate, depending on whether client authentication is enabled on your target database.
Create a PEM Certificate for a TLS Connection to a Database that has Server Authentication
This example shows you how to create a self-signed PEM certificate that you can use when configuring a TLS connection between Oracle Data Safe and a database that has server authentication. For server authentication, you need to disable client authentication on the database; the procedure is shown below. While a self-signed certificate is fine for testing purposes, Oracle recommends that you use a certificate signed by a trusted or internal certificate authority (CA) for production systems.
Create JKS Wallets for a TLS Connection to a Database that has Mutual Authentication
During target registration, you can configure a TLS connection between Oracle Data Safe and an Oracle database. You are required to upload two JKS wallets: a TrustStore wallet and a KeyStore wallet.
The example discussed here applies only to databases that use mutual authentication. For mutual authentication, you need to enable client authentication on the database; the procedure is shown below.
The example discussed here shows you how to create two JKS wallets with self-signed certificates, enable client authentication on your DB system, and configure the listener to accept SSL/TLS encrypted connections.
Oracle Recommendation:
While self-signed certificates are fine for testing purposes, Oracle recommends that you use certificates signed by a trusted or internal certificate authority (CA) for production systems.
Part 1: Create a Database Server Wallet and Certificate
From the command line, access your database server. Then, as shown below, use the orapki utility to create a database server wallet, create a self-signed certificate and load it into the wallet, and export the certificate. Ensure that the location of the orapki utility is added to your path.
Part 2: Create a Client Wallet and Certificate
You can continue to work from your database server. From the command line, use the orapki utility to create a client wallet, create a self-signed certificate and load it into the wallet, and export the certificate.
Part 3: Exchange Client and Server Certificates
Continue to work on the database server. Load the server certificate as a trusted certificate into the client wallet, and load the client certificate into the server wallet. You do this because each side of the connection needs to trust the other.
Part 4: Create a JKS Wallet from the PKCS#12 Wallet
In this part, you use the orapki utility to convert the client wallet, which is currently in PKCS#12 format, into a JKS wallet. You do this because Oracle Data Safe requires a JKS wallet and does not support PKCS#12 wallets.
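Parts 1 through 4 as one script, added here as an example and not taken from the Oracle page: the wallet directories, the client DN and the passwords are assumed placeholders, and setting DRY_RUN=1 prints the orapki commands instead of running them.

```shell
# Added example, not Oracle's own code: runs Parts 1-4 with orapki.
# Wallet paths, the client DN and passwords below are assumed placeholders; change them.
# Passwords passed with -pwd show up in process listings and shell history;
# drop -pwd to have orapki prompt instead. DRY_RUN=1 prints the commands only.
set -eu
SERVER_WALLET=${SERVER_WALLET:-/u01/app/oracle/wallets/server}   # placeholder
CLIENT_WALLET=${CLIENT_WALLET:-/u01/app/oracle/wallets/client}   # placeholder
SERVER_DN=${SERVER_DN:-"CN=CloudST2.debdev19.oraclecloud.internal"}
CLIENT_DN=${CLIENT_DN:-"CN=datasafe-client"}                     # placeholder
WALLET_PWD=${WALLET_PWD:-ChangeMe_Wallet1}                       # placeholder
JKS_PWD=${JKS_PWD:-ChangeMe_Jks1}                                # placeholder

run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Part 1: server wallet with an auto-login file, self-signed cert, export it.
build_server_wallet() {
  run orapki wallet create -wallet "$SERVER_WALLET" -pwd "$WALLET_PWD" -auto_login
  run orapki wallet add -wallet "$SERVER_WALLET" -pwd "$WALLET_PWD" \
      -dn "$SERVER_DN" -keysize 2048 -self_signed -validity 365
  run orapki wallet export -wallet "$SERVER_WALLET" -pwd "$WALLET_PWD" \
      -dn "$SERVER_DN" -cert "$SERVER_WALLET/server.crt"
}
# Part 2: the same steps for the client wallet.
build_client_wallet() {
  run orapki wallet create -wallet "$CLIENT_WALLET" -pwd "$WALLET_PWD" -auto_login
  run orapki wallet add -wallet "$CLIENT_WALLET" -pwd "$WALLET_PWD" \
      -dn "$CLIENT_DN" -keysize 2048 -self_signed -validity 365
  run orapki wallet export -wallet "$CLIENT_WALLET" -pwd "$WALLET_PWD" \
      -dn "$CLIENT_DN" -cert "$CLIENT_WALLET/client.crt"
}
# Part 3: each wallet trusts the other side's certificate (mutual authentication).
exchange_certs() {
  run orapki wallet add -wallet "$CLIENT_WALLET" -pwd "$WALLET_PWD" \
      -trusted_cert -cert "$SERVER_WALLET/server.crt"
  run orapki wallet add -wallet "$SERVER_WALLET" -pwd "$WALLET_PWD" \
      -trusted_cert -cert "$CLIENT_WALLET/client.crt"
}
# Part 4: convert the PKCS#12 client wallet into the KeyStore and TrustStore
# JKS files that Data Safe asks for during target registration.
convert_to_jks() {
  run orapki wallet pkcs12_to_jks -wallet "$CLIENT_WALLET" -pwd "$WALLET_PWD" \
      -jksKeyStoreLoc "$CLIENT_WALLET/keystore.jks" -jksKeyStorepwd "$JKS_PWD" \
      -jksTrustStoreLoc "$CLIENT_WALLET/truststore.jks" -jksTrustStorepwd "$JKS_PWD"
}
build_all() { build_server_wallet; build_client_wallet; exchange_certs; convert_to_jks; }
```

Run `build_all` on the database server; the resulting truststore.jks and keystore.jks are the two files uploaded in Part 6.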
Part 5: Configure the Server Network
In this part, you configure the wallet location, enable client authentication, and enable SSL/TLS encrypted connections on the target database.
Part 6: Configure the TLS Connection During Target Registration in Oracle Data Safe
When you register the target database in Oracle Data Safe, make sure to do the following:
- Select the TLS connection type.
- Set the port number to the port you set in the listener.ora file. In this example, the port number is 1522.
- For the server distinguished name, enter the name you used when you created the self-signed certificate for the target database. In this example, the name is CN=CloudST2.debdev19.oraclecloud.internal.
- Select the JKS wallet type.
- Upload the JKS TrustStore file. In this example, it is truststore.jks.
- Upload the JKS KeyStore file. In this example, it is keystore.jks.