Oracle Autonomous Database provides multiple secure connectivity options designed to balance security requirements with operational simplicity. Understanding the connection methods, authentication protocols, and network configurations is essential for effectively connecting applications to Autonomous Database instances.
Supported Connection Types
Oracle Net Services (SQL*Net)
After you create database users, applications and tools connect to Autonomous Databases using Oracle Net Services (also known as SQL*Net), which enables network sessions from client applications to Oracle Database servers.
Connection Protocol:
- Acts as data courier between client and database
- Establishes and maintains connections
- Handles message exchange between applications and databases
- Supports multiple connection drivers and interfaces
Connection Driver Support
Autonomous Data Warehouse and Autonomous Transaction Processing support a comprehensive range of connection drivers and interfaces:
JDBC Thin Driver:
- Pure Java driver for Java applications
- No Oracle client installation required
- Supported by Oracle SQL Developer, SQLcl, and many third-party tools
- Works with JDK8 or higher
JDBC OCI:
- Oracle Call Interface driver for Java language applications
- Requires Oracle Instant Client or Oracle Database Client
- Provides advanced database features
- Supports connection pooling and advanced security
ODBC (Open Database Connectivity):
- Standard interface for database connectivity
- Supports various programming languages and tools
- Requires ODBC driver installation
- Compatible with Microsoft applications and BI tools
Python:
- Oracle python-oracledb driver (formerly cx_Oracle)
- Thin and thick modes available
- Native Python integration
- Support for modern Python applications
Node.js:
- node-oracledb driver for JavaScript applications
- Thin and thick modes available
- Support for async/await patterns
- Enterprise-ready for production applications
Security Architecture
SSL/TLS Encryption
Mandatory Encryption:
All connections to Autonomous Database use SSL/TLS for encryption, ensuring data protection in transit. No unsecure connections are allowed.
TLS 1.2 Protocol:
Autonomous Database implements Transport Layer Security (TLS) version 1.2, providing industry-standard encryption for all communications.
Security Benefits:
- Data Confidentiality: All data transmitted is encrypted
- Data Integrity: Protection against data tampering
- Server Authentication: Validates server identity
- Compliance: Meets regulatory encryption requirements
Mutual TLS (mTLS) Authentication
Default Authentication Method:
Autonomous Database uses mutual TLS (mTLS) by default regardless of your network configuration, providing bidirectional authentication where both client and database verify each other's certificates.
mTLS Characteristics:
- Bidirectional Authentication: Both client and server authenticate each other
- Certificate-Based: Uses X.509 certificates for authentication
- Wallet Required: Clients need Oracle Wallet containing certificates
- Port 1522: Default port for mTLS connections
- Enhanced Security: Provides highest level of connection security
How mTLS Works:
Certification authentication with Mutual TLS uses an encrypted key stored in a wallet on both the client (where the application is running) and the server (where your database service on the Autonomous Database is running).
TLS Authentication (One-Way)
Modern Standard Connectivity:
TLS authentication is now available, with TLS connections providing several advantages while maintaining secure, encrypted communications.
TLS Advantages:
No Wallet Downloads Required:
For TLS connections using JDBC Thin Driver with JDK8 or higher, a wallet is not required, including connections from SQL Developer and SQL Command Line (SQLcl).
No Wallet Rotation:
Clients connecting with TLS do not need to worry about wallet rotation, which is a regular maintenance procedure for mTLS connections.
Better Connection Latency:
TLS authentication can provide reduced connection latency compared to mTLS, improving application response times.
TLS Can Coexist with mTLS:
TLS and mTLS connections are not mutually exclusive—when you enable TLS authentication, you can use either mTLS or TLS simultaneously (mTLS-only or mTLS + TLS).
TLS Connection Ports:
- Port 1521: Standard port for TLS connections
- Port 1522: Reserved for mTLS connections
Wallet Requirements and Configuration
When Wallets Are Required
mTLS Connections:
Wallets are required for mutual TLS (mTLS) authentication for all connection types.
TLS Connection Wallet Requirements:
No Wallet Required:
- JDBC Thin Driver with JDK8 or higher
- Managed ODP.NET or ODP.NET Core versions 19.13, 21.4, or above
- Oracle Call Interface (OCI) with newer Oracle Instant Client versions
- SQL Developer and SQLcl with TLS connections
Wallet Required:
- SQLNet and Oracle Call Interface (OCI) with older client versions
- Certain other connection types with TLS authentication must provide CA certificate in wallet
Wallet Components
Client Credentials ZIP File Contains:
- cwallet.sso: Oracle Wallet file (SSO format)
- ewallet.p12: Wallet in PKCS#12 format
- keystore.jks: Java KeyStore file for JDBC connections
- truststore.jks: Java TrustStore file
- tnsnames.ora: Network configuration file with connection strings
- sqlnet.ora: SQL*Net configuration file
- ojdbc.properties: JDBC connection properties
Wallet Security Best Practices
Secure Storage:
- Store wallet files in secure locations with restricted access
- Never commit wallets to version control systems
- Encrypt wallets at rest when stored on disk
- Implement proper file system permissions
Access Control:
- Share wallet files only with authorized users
- Implement role-based access to wallet storage
- Use secrets management systems for automated deployments
- Rotate wallets according to security policies
Wallet Rotation:
- Regular wallet rotation is recommended for security
- Wallets remain valid until explicitly revoked
- New wallets can be downloaded without service interruption
- Old wallets continue working until rotation is complete
Enabling TLS Authentication
Prerequisites for TLS Connections
To allow an Autonomous Database instance to use TLS connections, either Access Control Lists (ACLs) must be defined or a private endpoint must be configured.
Network Access Requirements:
Public Internet Access:
When an Autonomous Database instance is configured to operate over the public internet, one or more Access Control Lists (ACLs) must be defined before using TLS authentication.
Private Endpoint:
When configured with a private endpoint, TLS connections are automatically available without requiring ACLs.
Important Note:
When an Autonomous Database instance is configured with network access type "Secure access from everywhere" (or "Allow secure access from everywhere"), you can only use TLS connections if you specify ACLs to restrict access.
Enabling TLS in Console
Configuration Steps:
- Navigate to Autonomous Database details page
- Find the "Network" section
- Click "Edit" next to "Access Control List" or configure private endpoint
- Define ACL entries or configure private endpoint
- Uncheck "Require mutual TLS (mTLS) authentication"
- Save changes
After Configuration:
Once ACLs or private endpoint are configured and the Mutual TLS (mTLS) Authentication field shows "Not Required," the ACLs or private endpoint apply to all connection types (both mTLS and TLS).
Switching Between mTLS and TLS
Update to Allow Both:
If your Autonomous Database instance is configured to only allow mTLS connections, you can update the instance to allow both mTLS and TLS connections simultaneously.
Revert to mTLS Only:
If your Autonomous Database instance is configured to allow TLS connections, you can update it to require mTLS connections and disallow TLS authentication.
Important Warning:
When you update an Autonomous Database instance to require Mutual TLS (mTLS) connections, existing TLS connections are disconnected immediately.
Connection Methods
1. Using SQL Developer (Desktop)
SQL Developer Support:
Oracle SQL Developer provides comprehensive support for connecting to Autonomous Database with both mTLS and TLS authentication.
mTLS Connection (Cloud Wallet):
Oracle SQL Developer version 18.2 or later provides support for wallet files using the Cloud Wallet Connection Type.
Connection Steps for mTLS:
- Download client credentials (wallet) from Autonomous Database
- Start SQL Developer
- Right-click Connections and select "New Database Connection"
- Select "Cloud Wallet" as Connection Type
- Browse to wallet location (Configuration File field)
- Select TNS alias from dropdown
- Enter username and password
- Test connection and save
TLS Connection (Custom JDBC):
SQL Developer also supports TLS authentication using Custom JDBC Connection Type without requiring a wallet.
Connection Steps for TLS:
- Select "Custom JDBC" as Connection Type
- Enter TLS connection string from console
- Enter username and password
- Test connection and save
2. Using Connection Strings
Connection String Formats:
mTLS Connection String (Port 1522):
(description= (retry_count=20)(retry_delay=3)(address=(protocol=tcps)(port=1522)(host=<hostname>))(connect_data=(service_name=<service_name>))(security=(ssl_server_dn_match=yes)))
TLS Connection String (Port 1521):
(description= (retry_count=20)(retry_delay=3)(address=(protocol=tcps)(port=1521)(host=<hostname>))(connect_data=(service_name=<service_name>))(security=(ssl_server_dn_match=yes)))
Obtaining Connection Strings:
- Navigate to Autonomous Database details page
- Click "Database Connection" or "DB Connection"
- Select connection type (TLS or mTLS)
- Copy appropriate connection string for your service level
Service Levels:
- HIGH: Highest priority, maximum parallelism
- MEDIUM: Balanced performance and concurrency
- LOW: Lowest priority, highest concurrency
- TP/TPURGENT: Transaction processing optimized
- Parallel service names: For data loading and batch operations
3. Using Wallets with Applications
Java Applications (JDBC Thin):
// mTLS connection with wallet
System.setProperty("oracle.net.tns_admin", "/path/to/wallet");
System.setProperty("oracle.net.wallet_location", "/path/to/wallet");
Connection conn = DriverManager.getConnection(
"jdbc:oracle:thin:@<tns_alias>",
"username",
"password"
);
Java Applications (TLS without wallet):
// TLS connection without wallet (JDK8+)
Connection conn = DriverManager.getConnection(
"jdbc:oracle:thin:@<connection_string>",
"username",
"password"
);
Python Applications:
# mTLS with wallet
import oracledb
connection = oracledb.connect(
user="username",
password="password",
dsn="<tns_alias>",
config_dir="/path/to/wallet",
wallet_location="/path/to/wallet",
wallet_password="wallet_password"
)
Python TLS without wallet:
# TLS connection without wallet (thin mode)
import oracledb
connection = oracledb.connect(
user="username",
password="password",
dsn="<connection_string>"
)
Node.js Applications:
// mTLS with wallet
const oracledb = require('oracledb');
const connection = await oracledb.getConnection({
user: "username",
password: "password",
connectString: "<tns_alias>",
walletLocation: "/path/to/wallet",
walletPassword: "wallet_password"
});
Private Endpoint Connectivity
Private Endpoint Overview
Network Isolation:
You can specify that an Autonomous Database uses a private endpoint inside your Virtual Cloud Network (VCN) to keep all traffic off the public internet.
Benefits:
- Complete elimination of public internet exposure
- Integration with existing VCN architecture
- Enhanced security through network isolation
- Lower latency for VCN-based applications
Connectivity Options with Private Endpoints:
- Direct access from compute instances in same VCN
- VCN peering for cross-VCN access
- VPN connections for on-premises access
- FastConnect for dedicated private connectivity
ACL and Private Endpoint Interaction
Important Note:
When using private endpoints, ACLs defined for public endpoints do not apply. Private endpoints use VCN security lists and network security groups for access control instead.
Firewall Configuration
Port Requirements
Default Ports:
- Port 1522: mTLS connections (default and cannot be changed)
- Port 1521: TLS connections
Firewall Rules:
Organizations must configure firewalls to allow access to Autonomous Database servers through the appropriate ports based on authentication method.
Outbound Firewall Configuration:
- Allow outbound HTTPS (port 443) for console access
- Allow outbound connections to database ports (1521/1522)
- Configure proxy settings if required by corporate policy
Best Practices for Connectivity
Connection Pooling
Why Use Connection Pooling:
- Reduces connection establishment overhead
- Improves application performance
- Better resource utilization
- Handles connection failures gracefully
Implementation:
Most connection drivers support built-in connection pooling (JDBC, ODP.NET, python-oracledb, node-oracledb).
Connection String Management
Centralized Configuration:
- Store connection strings in configuration files or secrets managers
- Never hard-code credentials in application code
- Use environment variables for different environments
- Implement proper credential rotation procedures
High Availability Configuration
Connection Failover:
Connection strings support multiple addresses for high availability and automatic failover.
Retry Logic:
Implement retry logic in applications to handle temporary connection failures:
- Configure retry_count and retry_delay in connection strings
- Implement exponential backoff in application code
- Handle transient errors appropriately
Performance Optimization
TLS vs. mTLS Selection:
- Use TLS when wallet management overhead is significant
- Use mTLS when maximum security is required
- Consider connection latency requirements
- Evaluate operational complexity trade-offs
Service Level Selection:
- Use HIGH service for critical, time-sensitive queries
- Use MEDIUM for general application workloads
- Use LOW for batch processing and reporting
- Use parallel services for data loading operations
Troubleshooting Connection Issues
Common Connection Problems
Wallet-Related Issues:
- Incorrect wallet path or file permissions
- Expired or invalid wallet files
- Missing wallet files (cwallet.sso, tnsnames.ora)
- Wallet password issues
Resolution:
- Verify wallet file location and permissions
- Re-download wallet from console
- Check sqlnet.ora wallet configuration
- Validate wallet contents
TLS Configuration Issues:
- ACLs not configured for public internet access
- Private endpoint not properly configured
- Firewall blocking ports 1521 or 1522
- Using wrong port for authentication type
Resolution:
- Verify ACL configuration in console
- Check private endpoint VCN configuration
- Test network connectivity to ports
- Confirm using correct port for mTLS (1522) or TLS (1521)
Authentication Failures:
- Invalid username or password
- User account locked or expired
- Insufficient privileges
- Client IP not in ACL
Resolution:
- Verify credentials are correct
- Check user account status in database
- Grant necessary privileges
- Add client IP to ACL if using public access
Conclusion
Oracle Autonomous Database provides flexible, secure connectivity options that balance security requirements with operational simplicity. Understanding the differences between mTLS and TLS authentication, properly configuring network access, and implementing best practices ensures reliable, secure database connections for enterprise applications.
Key Takeaways:
Security:
- All connections use SSL/TLS encryption
- No unsecure connections allowed
- mTLS provides highest security with mutual authentication
- TLS offers simplified connectivity without compromising encryption
Authentication Options:
- mTLS (default): Wallet-based bidirectional authentication via port 1522
- TLS (optional): Simplified authentication without wallets via port 1521
- Both can coexist simultaneously
- Prerequisites required for TLS (ACLs or private endpoints)
Wallet Management:
- Required for all mTLS connections
- Not required for most TLS connections (JDBC Thin, ODP.NET, newer OCI clients)
- Secure storage and rotation procedures essential
- Multiple formats supported (SSO, PKCS#12, JKS)
Connection Methods:
- SQL Developer with Cloud Wallet or Custom JDBC
- Direct connection strings for applications
- Support for Java, Python, Node.js, .NET, and more
- Private endpoints for VCN-isolated connectivity
Best Practices:
- Use TLS for simplified operations when appropriate
- Implement connection pooling for performance
- Configure proper firewall rules
- Store credentials securely
- Implement retry logic and failover handling
By leveraging the appropriate authentication method and following connectivity best practices, organizations can ensure secure, high-performance access to Autonomous Database from diverse application environments while meeting security and operational requirements.
Top comments (0)