Oracle Cloud Infrastructure Documentation

TLS Connections to DB Systems with Client Authentication Disabled

To configure a TLS connection to a DB system that has client authentication disabled, you need to upload a wallet or certificate during target database registration.

If the SSL_CLIENT_AUTHENTICATION parameter is set to FALSE in the sqlnet.ora file on your target database, then client authentication is disabled.

During target database registration in Oracle Data Safe, you need to upload one of the following:

  • Self-signed certificate for the target database.
  • Signing root certificate that can issue the public certificate for the target database (if no intermediate signing certificate is involved in signing the public certificate).
  • JKS Wallet (if an intermediate certificate is involved in the public certificate signing). Add to the wallet the signing certificate chain that issues the public certificate for the target database.

Supported certificate types are Privacy Enhanced Mail (PEM) and Distinguished Encoding Rules (DER). Supported file extensions are PEM, CER, CERT, CRT, and DER.

Note

If a commonly used certificate authority (CA) signs the certificate that is used by the target database, then uploading a certificate or wallet is optional.

See Create a Self-Signed Certificate for a DB System with Client Authentication Disabled for an example.

Keep in mind the following:

  • The maximum size for a wallet or certificate that you can upload is 50 KB.
  • If a user password or wallet password changes, you can simply update the password in the Oracle Data Safe Console. You do not need to delete the wallet.
  • If you delete a target database that uses a wallet to connect, the wallet is also deleted.
  • Passwordless SSL authentication based on PKI is enabled when SQLNET.AUTHENTICATION_SERVICES = TCPS in the sqlnet.ora file of a target database. Passwordless SSL authentication based on PKI is not supported in Oracle Data Safe.
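
The following pre-registration check is an added example, not part of the Oracle documentation or any Oracle tool. It reads a target database's sqlnet.ora for the two parameters discussed above and checks a certificate file against the size, extension, and encoding rules on this page. The function names, the sample sqlnet.ora text, and the reading of 50 KB as 51,200 bytes are assumptions.

```python
from pathlib import Path

MAX_UPLOAD_BYTES = 50 * 1024  # page: 50 KB limit (1 KB = 1024 bytes is an assumption)
CERT_EXTENSIONS = {".pem", ".cer", ".cert", ".crt", ".der"}  # extensions listed on the page

# Constructed sample, not taken from a real system.
SAMPLE_SQLNET = """\
SSL_CLIENT_AUTHENTICATION = FALSE  # server-only authentication
SQLNET.AUTHENTICATION_SERVICES = (BEQ, TCPS)
"""

def parse_sqlnet(text):
    """Map upper-cased parameter names to lists of upper-cased values."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        # Indented lines continue a multi-line value; they are ignored here.
        if "=" not in line or line[:1].isspace():
            continue
        name, value = line.split("=", 1)
        items = [v.strip().upper() for v in value.strip().strip("()").split(",")]
        params[name.strip().upper()] = [v for v in items if v]
    return params

def sqlnet_findings(params):
    """Findings relevant to Data Safe registration, per the rules on this page."""
    findings = []
    # Oracle Net treats a missing SSL_CLIENT_AUTHENTICATION as TRUE.
    if params.get("SSL_CLIENT_AUTHENTICATION", ["TRUE"]) == ["FALSE"]:
        findings.append("client authentication disabled: upload a certificate or JKS wallet")
    if "TCPS" in params.get("SQLNET.AUTHENTICATION_SERVICES", []):
        findings.append("passwordless PKI authentication enabled: not supported in Data Safe")
    return findings

def check_certificate(path):
    """Return problems that would block uploading this certificate file."""
    p, problems = Path(path), []
    data = p.read_bytes()
    if p.suffix.lower() not in CERT_EXTENSIONS:
        problems.append(f"unsupported extension {p.suffix!r}")
    if len(data) > MAX_UPLOAD_BYTES:
        problems.append(f"{len(data)} bytes exceeds the 50 KB limit")
    # PEM carries a text armor line; a DER certificate starts with SEQUENCE (0x30).
    if b"-----BEGIN CERTIFICATE-----" not in data and data[:1] != b"\x30":
        problems.append("content is neither PEM nor DER")
    return problems

if __name__ == "__main__":
    print(sqlnet_findings(parse_sqlnet(SAMPLE_SQLNET)))
```

The encoding check only looks at the leading bytes, so it catches a wrong file type but does not validate the certificate chain itself.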