To configure a TLS connection to a DB system that has client authentication disabled, you need to upload a wallet or certificate during target database registration.
If the SSL_CLIENT_AUTHENTICATION parameter is set to FALSE in the sqlnet.ora file on your target database, then client authentication is disabled.
During target database registration in Oracle Data Safe, you need to upload one of the following:
- Self-signed certificate for the target database.
- Signing root certificate that can issue the public certificate for the target database (if an intermediate signing certificate is not involved in the public certificate signing).
- JKS Wallet (if an intermediate certificate is involved in the public certificate signing). Add to the wallet the signing certificate chain that issues the public certificate for the target database.
Supported certificate types are Privacy Enhanced Mail (PEM) and Distinguished Encoding Rules (DER). Supported file extensions are PEM, CER, CERT, CRT, and DER.
If a commonly used certificate authority (CA) signs the certificate that is used by the target database, then uploading a certificate or wallet is optional.
Keep in mind the following:
- The maximum size for a wallet or certificate that you can upload is 50 KB.
- If a user password or wallet password changes, you can simply update the password in the Oracle Data Safe Console. You do not need to delete the wallet.
- If you delete a target database that uses a wallet to connect, the wallet is also deleted.
- Passwordless SSL authentication based on PKI is enabled when SQLNET.AUTHENTICATION_SERVICES = TCPS in the sqlnet.ora file of a target database. Passwordless SSL authentication based on PKI is not supported in Oracle Data Safe.
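
A pre-registration check for the sqlnet.ora settings and certificate limits described above, as an added example that is not Oracle's code. The function names are hypothetical, the sample sqlnet.ora text is constructed, and it assumes 1 KB = 1024 bytes and single-line sqlnet.ora parameters; it covers certificate files only, not JKS wallets.

```python
import re

MAX_UPLOAD_BYTES = 50 * 1024  # page limit is 50 KB; 1 KB = 1024 bytes is an assumption
CERT_EXTENSIONS = {"pem", "cer", "cert", "crt", "der"}  # extensions listed on the page

# Constructed sample, not taken from a real system.
SAMPLE_SQLNET = """\
# constructed sqlnet.ora
SSL_CLIENT_AUTHENTICATION = FALSE
SQLNET.AUTHENTICATION_SERVICES = (NONE)
"""

def parse_sqlnet(text):
    """Map upper-cased parameter names to values; handles single-line parameters only."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z_.]+)\s*=\s*(.+)", line.split("#", 1)[0])
        if m:
            params[m.group(1).upper()] = m.group(2).strip()
    return params

def check_sqlnet(text):
    """Return findings that conflict with the TLS setup described above."""
    params = parse_sqlnet(text)
    findings = []
    if params.get("SSL_CLIENT_AUTHENTICATION", "").upper() != "FALSE":
        findings.append("SSL_CLIENT_AUTHENTICATION is not set to FALSE")
    services = re.findall(r"\w+", params.get("SQLNET.AUTHENTICATION_SERVICES", "").upper())
    if "TCPS" in services:
        findings.append("AUTHENTICATION_SERVICES includes TCPS (PKI login, unsupported)")
    return findings

def check_certificate(filename, data):
    """Return findings for a certificate file (name plus raw bytes) before upload."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in CERT_EXTENSIONS:
        findings.append(f"unsupported extension: {ext or '(none)'}")
    if len(data) > MAX_UPLOAD_BYTES:
        findings.append(f"{len(data)} bytes exceeds the 50 KB limit")
    is_pem = data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----")
    is_der = data[:1] == b"\x30"  # DER certificate starts with an ASN.1 SEQUENCE tag
    if not (is_pem or is_der):
        findings.append("content is neither PEM nor DER")
    return findings

if __name__ == "__main__":
    print(check_sqlnet(SAMPLE_SQLNET))
    print(check_certificate("db.crt", b"-----BEGIN CERTIFICATE-----\n"))
```

An empty list from both functions means no conflict was found; to check a real file, pass its name and the bytes read from disk to check_certificate.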