In today’s security-conscious world, encrypting communication between clients and databases is no longer optional—it’s essential. Oracle Database supports SSL/TLS for secure connections, and Oracle Wallet is the key to making it work. This guide walks you through every step to configure SSL/TLS using Oracle Wallet.
🧰 What You’ll Need
Before diving in, make sure you have:
- Oracle Database 12c or later
- Access to the orapki utility or Oracle Wallet Manager
- A Certificate Authority (CA) or OpenSSL for self-signed certificates
- Permissions to edit listener.ora and sqlnet.ora
🪙 Step 1: Create the Oracle Wallet
Start by creating a secure wallet directory:
mkdir -p /u01/app/oracle/wallet_ssl
Example:
mkdir C:\test1\wallets\ssl
Then create the wallet:
orapki wallet create -wallet /u01/app/oracle/wallet_ssl -pwd MyWalletPass123 -auto_login
Example:
C:\Users>orapki wallet create -wallet C:\test1\wallets\ssl -pwd MyWalletPass123 -auto_login
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.
The -auto_login option creates a cwallet.sso file for automatic access.
📜 Step 2: Generate a Certificate Request
Generate a private key and certificate request:
orapki wallet add -wallet /u01/app/oracle/wallet_ssl \
-dn "CN=oracle_ssl, OU=DBA, O=MyCompany, C=IN" \
-keysize 2048 -pwd MyWalletPass123
orapki wallet export -wallet /u01/app/oracle/wallet_ssl \
-dn "CN=oracle_ssl, OU=DBA, O=MyCompany, C=IN" \
-request /u01/app/oracle/wallet_ssl/oracle_ssl.csr -pwd MyWalletPass123
Example:
C:\Users>orapki wallet add -wallet C:\test1\wallets\ssl -dn "CN=oracle_ssl, OU=DBA, O=MyCompany, C=IN" -keysize 2048 -pwd MyWalletPass123
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.
------------------------------
C:\Users>orapki wallet export -wallet C:\test1\wallets\ssl -dn "CN=oracle_ssl, OU=DBA, O=MyCompany, C=IN" -request C:\test1\wallets\ssl\oracle_ssl.csr -pwd MyWalletPass123
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.
Submit the .csr file to a Certificate Authority or use OpenSSL to self-sign.
📥 Step 3: Import the Signed Certificate and CA Certificate
Once you receive the signed certificate and the CA certificate, import the CA certificate as a trusted certificate and the signed certificate as the user certificate:
Note: if you are self-signing, generate the certificate with OpenSSL before this step.
orapki wallet add -wallet /u01/app/oracle/wallet_ssl \
-trusted_cert -cert /path/to/ca_cert.pem -pwd MyWalletPass123
orapki wallet add -wallet /u01/app/oracle/wallet_ssl \
-user_cert -cert /path/to/signed_cert.pem -pwd MyWalletPass123
Example:
orapki wallet add -wallet C:\test1\wallets\ssl -trusted_cert -cert C:\test1\wallets\ssl\to\ca_cert.pem -pwd MyWalletPass123
orapki wallet add -wallet C:\test1\wallets\ssl -user_cert -cert C:\test1\wallets\ssl\to\signed_cert.pem -pwd MyWalletPass123
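The guide says the CSR can be self-signed with OpenSSL but does not show how. The script below is an added example, not part of the original guide: it stands up a small local CA, signs the CSR that orapki exported in Step 2, and produces the ca_cert.pem and signed_cert.pem that Step 3 imports. The server's private key stays inside the wallet because only the CSR is handled here. The CA subject, the directory layout, the hostname db01.example.com and the script file name are assumptions; the make_stand_in_csr helper is a constructed substitute for the orapki-exported CSR so the script can be exercised without a database.

```shell
#!/bin/sh
# Added example (not part of the original guide): a local OpenSSL CA that signs
# the CSR exported from the Oracle wallet. Paths, CA subject and hostname are
# assumptions; replace them with your own values.

# make_local_ca DIR: create a self-signed CA key and certificate under DIR.
make_local_ca() {
  dir=$1
  mkdir -p "$dir" && chmod 700 "$dir"
  openssl req -x509 -newkey rsa:3072 -nodes -sha256 -days 1825 \
    -subj "/CN=Lab Oracle CA/O=MyCompany/C=IN" \
    -keyout "$dir/ca_key.pem" -out "$dir/ca_cert.pem" 2>/dev/null
  chmod 600 "$dir/ca_key.pem"
}

# sign_server_csr CSR CA_DIR HOSTNAME OUT: issue a server certificate from CSR.
# The SAN is pinned to the listener hostname and the EKU to serverAuth, so the
# certificate cannot later be reused as a CA or client certificate.
sign_server_csr() {
  csr=$1; cadir=$2; host=$3; out=$4
  ext=$(mktemp)
  printf '%s\n' \
    'basicConstraints=critical,CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' \
    "subjectAltName=DNS:$host" > "$ext"
  openssl x509 -req -in "$csr" -CA "$cadir/ca_cert.pem" -CAkey "$cadir/ca_key.pem" \
    -CAcreateserial -days 398 -sha256 -extfile "$ext" -out "$out" 2>/dev/null
  rm -f "$ext"
}

# verify_chain CERT CA_DIR: succeed only if CERT chains to the CA and is
# usable as a TLS server certificate.
verify_chain() {
  openssl verify -CAfile "$2/ca_cert.pem" -purpose sslserver "$1" >/dev/null 2>&1
}

# cert_san CERT: print the first DNS name in the certificate's SAN.
cert_san() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | head -n 1 | sed 's/^DNS://'
}

# make_stand_in_csr CSR KEY: constructed stand-in for the orapki-exported CSR
# (same DN as the guide) so the script can run without a database. In real
# use you pass the .csr file from Step 2 and never generate a key here.
make_stand_in_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=oracle_ssl/OU=DBA/O=MyCompany/C=IN" \
    -keyout "$2" -out "$1" 2>/dev/null
}

main() {
  work=${1:-./lab_ca}
  make_local_ca "$work/ca"
  make_stand_in_csr "$work/oracle_ssl.csr" "$work/oracle_ssl.key"
  sign_server_csr "$work/oracle_ssl.csr" "$work/ca" db01.example.com "$work/signed_cert.pem"
  verify_chain "$work/signed_cert.pem" "$work/ca" \
    && echo "chain OK, SAN=$(cert_san "$work/signed_cert.pem")"
}

# Run as ./oracle_ssl_ca.sh [workdir]; when sourced, only the functions are defined.
case "$0" in *oracle_ssl_ca.sh) main "$@" ;; esac
```

After running it, import ca/ca_cert.pem with -trusted_cert and signed_cert.pem with -user_cert exactly as in Step 3; verify_chain is the same check the Oracle client performs when it validates the listener's certificate against the trusted certificate in its own wallet.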
⚙️ Step 4: Configure SQLNET.ORA
Edit the sqlnet.ora file to enable SSL:
WALLET_LOCATION =
(SOURCE = (METHOD = FILE)
(METHOD_DATA = (DIRECTORY = /u01/app/oracle/wallet_ssl)))
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_VERSION = 1.2
SQLNET.AUTHENTICATION_SERVICES = (TCPS)
Example:
WALLET_LOCATION =
(SOURCE = (METHOD = FILE)
(METHOD_DATA = (DIRECTORY = C:\test1\wallets\ssl)))
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_VERSION = 1.2
SQLNET.AUTHENTICATION_SERVICES = (TCPS)
📡 Step 5: Configure LISTENER.ORA
Enable TCPS protocol in listener.ora:
LISTENER =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCPS)(HOST = your-hostname)(PORT = 2484))
)
)
SID_LIST_LISTENER =
(SID_LIST =
(SID_DESC =
(SID_NAME = ORCL)
(ORACLE_HOME = /u01/app/oracle/product/19c/dbhome_1)
)
)
Reload the listener:
lsnrctl reload
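Steps 4 and 5 only protect connections if the parameters are actually set the way the guide shows, and a listener that keeps a plaintext TCP endpoint open still accepts unencrypted sessions. The script below is an added example, not part of the original guide: it lints a sqlnet.ora and a listener.ora for those settings, with the guide's own configuration beside a weak variant (both constructed inline), and includes a helper that asks a live database which network protocol the current session negotiated. The file names, the hostname db01.example.com and the connect string passed to session_protocol are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original guide): audit sqlnet.ora and
# listener.ora for the settings that decide whether TCPS is really enforced.

# audit_sqlnet FILE: print one "WEAK: ..." line per finding; exit status is always 0.
audit_sqlnet() {
  f=$1
  # Value of SSL_VERSION (CRLF tolerated); empty when the parameter is absent.
  ver=$(tr -d '\r' < "$f" | sed -n 's/^[[:space:]]*SSL_VERSION[[:space:]]*=[[:space:]]*//p' | head -n 1)
  case "$ver" in
    ""|0)        echo "WEAK: SSL_VERSION not pinned; set it to 1.2 (or '1.2 or 1.3')" ;;
    *1.0*|*1.1*) echo "WEAK: SSL_VERSION='$ver' still admits TLS 1.0/1.1" ;;
  esac
  grep -q '^[[:space:]]*WALLET_LOCATION' "$f" \
    || echo "WEAK: WALLET_LOCATION missing; there is no certificate to present on TCPS"
  return 0
}

# audit_listener FILE: flag a missing TCPS endpoint and any plaintext TCP endpoint.
audit_listener() {
  f=$1
  n_tcps=$(tr -d '\r' < "$f" | grep -Eic 'PROTOCOL[[:space:]]*=[[:space:]]*TCPS[[:space:]]*\)' || true)
  n_tcp=$(tr -d '\r' < "$f" | grep -Eic 'PROTOCOL[[:space:]]*=[[:space:]]*TCP[[:space:]]*\)' || true)
  [ "$n_tcps" -gt 0 ] || echo "WEAK: no TCPS ADDRESS in listener.ora; nothing listens with TLS"
  [ "$n_tcp" -eq 0 ] || echo "WEAK: $n_tcp plaintext TCP ADDRESS(es) remain; sessions arriving there get no TLS"
  echo "endpoints: tcps=$n_tcps tcp=$n_tcp"
}

# write_samples DIR: constructed sample files, the guide's configuration beside a weak one.
write_samples() {
  d=$1
  mkdir -p "$d"
  cat > "$d/good_sqlnet.ora" <<'EOF'
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /u01/app/oracle/wallet_ssl)))
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_VERSION = 1.2
SQLNET.AUTHENTICATION_SERVICES = (TCPS)
EOF
  cat > "$d/weak_sqlnet.ora" <<'EOF'
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_VERSION = 1.0
EOF
  cat > "$d/good_listener.ora" <<'EOF'
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = db01.example.com)(PORT = 2484))
    )
  )
EOF
  cat > "$d/weak_listener.ora" <<'EOF'
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.com)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = db01.example.com)(PORT = 2484))
    )
  )
EOF
}

# session_protocol CONNECT: against a live database, print the protocol of this
# session ("tcps" for TLS, "tcp" for plaintext). Needs sqlplus and a running
# listener, so the sample run below does not call it.
session_protocol() {
  sqlplus -S "$1" <<'EOF'
SET HEADING OFF FEEDBACK OFF PAGESIZE 0
SELECT SYS_CONTEXT('USERENV', 'NETWORK_PROTOCOL') FROM DUAL;
EXIT
EOF
}

main() {
  d=$(mktemp -d)
  write_samples "$d"
  for f in good_sqlnet weak_sqlnet; do echo "== $f"; audit_sqlnet "$d/$f.ora"; done
  for f in good_listener weak_listener; do echo "== $f"; audit_listener "$d/$f.ora"; done
  rm -rf "$d"
}

# Run as ./audit_oracle_net.sh; when sourced, only the functions are defined.
case "$0" in *audit_oracle_net.sh) main "$@" ;; esac
```

Run the two audit functions against the real files under $ORACLE_HOME/network/admin after editing them; session_protocol takes a connect string of the form shown in Step 6 and should print tcps, which is a more direct confirmation than a listener status line.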
🧪 Step 6: Test the SSL Connection
Use SQL*Plus or JDBC with TCPS:
sqlplus system@'(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=your-hostname)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=ORCL)))'
🔍 Step 7: Verify SSL Status
Check wallet status:
SELECT * FROM V$ENCRYPTION_WALLET;
Check listener status:
lsnrctl status