DEV Community

Cover image for Oracle Autonomous Database Connectivity: Secure Connections with TLS and mTLS
Ryan Giggs
Ryan Giggs

Posted on

Oracle Autonomous Database Connectivity: Secure Connections with TLS and mTLS

Oracle Autonomous Database provides multiple secure connectivity options designed to balance security requirements with operational simplicity. Understanding the connection methods, authentication protocols, and network configurations is essential for effectively connecting applications to Autonomous Database instances.

Supported Connection Types

Oracle Net Services (SQL*Net)

After you create database users, applications and tools connect to Autonomous Databases using Oracle Net Services (also known as SQL*Net), which enables network sessions from client applications to Oracle Database servers.

Connection Protocol:

  • Acts as data courier between client and database
  • Establishes and maintains connections
  • Handles message exchange between applications and databases
  • Supports multiple connection drivers and interfaces

Connection Driver Support

Autonomous Data Warehouse and Autonomous Transaction Processing support a comprehensive range of connection drivers and interfaces:

JDBC Thin Driver:

  • Pure Java driver for Java applications
  • No Oracle client installation required
  • Supported by Oracle SQL Developer, SQLcl, and many third-party tools
  • Works with JDK8 or higher

JDBC OCI:

  • Oracle Call Interface driver for Java language applications
  • Requires Oracle Instant Client or Oracle Database Client
  • Provides advanced database features
  • Supports connection pooling and advanced security

ODBC (Open Database Connectivity):

  • Standard interface for database connectivity
  • Supports various programming languages and tools
  • Requires ODBC driver installation
  • Compatible with Microsoft applications and BI tools

Python:

  • Oracle python-oracledb driver (formerly cx_Oracle)
  • Thin and thick modes available
  • Native Python integration
  • Support for modern Python applications

Node.js:

  • node-oracledb driver for JavaScript applications
  • Thin and thick modes available
  • Support for async/await patterns
  • Enterprise-ready for production applications

Security Architecture

SSL/TLS Encryption

Mandatory Encryption:
All connections to Autonomous Database use SSL/TLS for encryption, ensuring data protection in transit. No unsecure connections are allowed.

TLS 1.2 Protocol:
Autonomous Database implements Transport Layer Security (TLS) version 1.2, providing industry-standard encryption for all communications.

Security Benefits:

  • Data Confidentiality: All data transmitted is encrypted
  • Data Integrity: Protection against data tampering
  • Server Authentication: Validates server identity
  • Compliance: Meets regulatory encryption requirements

Mutual TLS (mTLS) Authentication

Default Authentication Method:
Autonomous Database uses mutual TLS (mTLS) by default regardless of your network configuration, providing bidirectional authentication where both client and database verify each other's certificates.

mTLS Characteristics:

  • Bidirectional Authentication: Both client and server authenticate each other
  • Certificate-Based: Uses X.509 certificates for authentication
  • Wallet Required: Clients need Oracle Wallet containing certificates
  • Port 1522: Default port for mTLS connections
  • Enhanced Security: Provides highest level of connection security

How mTLS Works:
Certification authentication with Mutual TLS uses an encrypted key stored in a wallet on both the client (where the application is running) and the server (where your database service on the Autonomous Database is running).

TLS Authentication (One-Way)

Modern Standard Connectivity:
TLS authentication is now available, with TLS connections providing several advantages while maintaining secure, encrypted communications.

TLS Advantages:

No Wallet Downloads Required:
For TLS connections using JDBC Thin Driver with JDK8 or higher, a wallet is not required, including connections from SQL Developer and SQL Command Line (SQLcl).

No Wallet Rotation:
Clients connecting with TLS do not need to worry about wallet rotation, which is a regular maintenance procedure for mTLS connections.

Better Connection Latency:
TLS authentication can provide reduced connection latency compared to mTLS, improving application response times.

TLS Can Coexist with mTLS:
TLS and mTLS connections are not mutually exclusive—when you enable TLS authentication, you can use either mTLS or TLS simultaneously (mTLS-only or mTLS + TLS).

TLS Connection Ports:

  • Port 1521: Standard port for TLS connections
  • Port 1522: Reserved for mTLS connections

Wallet Requirements and Configuration

When Wallets Are Required

mTLS Connections:
Wallets are required for mutual TLS (mTLS) authentication for all connection types.

TLS Connection Wallet Requirements:

No Wallet Required:

  • JDBC Thin Driver with JDK8 or higher
  • Managed ODP.NET or ODP.NET Core versions 19.13, 21.4, or above
  • Oracle Call Interface (OCI) with newer Oracle Instant Client versions
  • SQL Developer and SQLcl with TLS connections

Wallet Required:

  • SQLNet and Oracle Call Interface (OCI) with older client versions
  • Certain other connection types with TLS authentication must provide CA certificate in wallet

Wallet Components

Client Credentials ZIP File Contains:

  • cwallet.sso: Oracle Wallet file (SSO format)
  • ewallet.p12: Wallet in PKCS#12 format
  • keystore.jks: Java KeyStore file for JDBC connections
  • truststore.jks: Java TrustStore file
  • tnsnames.ora: Network configuration file with connection strings
  • sqlnet.ora: SQL*Net configuration file
  • ojdbc.properties: JDBC connection properties

Wallet Security Best Practices

Secure Storage:

  • Store wallet files in secure locations with restricted access
  • Never commit wallets to version control systems
  • Encrypt wallets at rest when stored on disk
  • Implement proper file system permissions

Access Control:

  • Share wallet files only with authorized users
  • Implement role-based access to wallet storage
  • Use secrets management systems for automated deployments
  • Rotate wallets according to security policies

Wallet Rotation:

  • Regular wallet rotation is recommended for security
  • Wallets remain valid until explicitly revoked
  • New wallets can be downloaded without service interruption
  • Old wallets continue working until rotation is complete

Enabling TLS Authentication

Prerequisites for TLS Connections

To allow an Autonomous Database instance to use TLS connections, either Access Control Lists (ACLs) must be defined or a private endpoint must be configured.

Network Access Requirements:

Public Internet Access:
When an Autonomous Database instance is configured to operate over the public internet, one or more Access Control Lists (ACLs) must be defined before using TLS authentication.

Private Endpoint:
When configured with a private endpoint, TLS connections are automatically available without requiring ACLs.

Important Note:
When an Autonomous Database instance is configured with network access type "Secure access from everywhere" (or "Allow secure access from everywhere"), you can only use TLS connections if you specify ACLs to restrict access.

Enabling TLS in Console

Configuration Steps:

  1. Navigate to Autonomous Database details page
  2. Find the "Network" section
  3. Click "Edit" next to "Access Control List" or configure private endpoint
  4. Define ACL entries or configure private endpoint
  5. Uncheck "Require mutual TLS (mTLS) authentication"
  6. Save changes

After Configuration:
Once ACLs or private endpoint are configured and the Mutual TLS (mTLS) Authentication field shows "Not Required," the ACLs or private endpoint apply to all connection types (both mTLS and TLS).

Switching Between mTLS and TLS

Update to Allow Both:
If your Autonomous Database instance is configured to only allow mTLS connections, you can update the instance to allow both mTLS and TLS connections simultaneously.

Revert to mTLS Only:
If your Autonomous Database instance is configured to allow TLS connections, you can update it to require mTLS connections and disallow TLS authentication.

Important Warning:
When you update an Autonomous Database instance to require Mutual TLS (mTLS) connections, existing TLS connections are disconnected immediately.

Connection Methods

1. Using SQL Developer (Desktop)

SQL Developer Support:
Oracle SQL Developer provides comprehensive support for connecting to Autonomous Database with both mTLS and TLS authentication.

mTLS Connection (Cloud Wallet):
Oracle SQL Developer version 18.2 or later provides support for wallet files using the Cloud Wallet Connection Type.

Connection Steps for mTLS:

  1. Download client credentials (wallet) from Autonomous Database
  2. Start SQL Developer
  3. Right-click Connections and select "New Database Connection"
  4. Select "Cloud Wallet" as Connection Type
  5. Browse to wallet location (Configuration File field)
  6. Select TNS alias from dropdown
  7. Enter username and password
  8. Test connection and save

TLS Connection (Custom JDBC):
SQL Developer also supports TLS authentication using Custom JDBC Connection Type without requiring a wallet.

Connection Steps for TLS:

  1. Select "Custom JDBC" as Connection Type
  2. Enter TLS connection string from console
  3. Enter username and password
  4. Test connection and save

2. Using Connection Strings

Connection String Formats:

mTLS Connection String (Port 1522):

(description= (retry_count=20)(retry_delay=3)(address=(protocol=tcps)(port=1522)(host=<hostname>))(connect_data=(service_name=<service_name>))(security=(ssl_server_dn_match=yes)))
Enter fullscreen mode Exit fullscreen mode

TLS Connection String (Port 1521):

(description= (retry_count=20)(retry_delay=3)(address=(protocol=tcps)(port=1521)(host=<hostname>))(connect_data=(service_name=<service_name>))(security=(ssl_server_dn_match=yes)))
Enter fullscreen mode Exit fullscreen mode

Obtaining Connection Strings:

  1. Navigate to Autonomous Database details page
  2. Click "Database Connection" or "DB Connection"
  3. Select connection type (TLS or mTLS)
  4. Copy appropriate connection string for your service level

Service Levels:

  • HIGH: Highest priority, maximum parallelism
  • MEDIUM: Balanced performance and concurrency
  • LOW: Lowest priority, highest concurrency
  • TP/TPURGENT: Transaction processing optimized
  • Parallel service names: For data loading and batch operations

3. Using Wallets with Applications

Java Applications (JDBC Thin):

// mTLS connection with wallet
System.setProperty("oracle.net.tns_admin", "/path/to/wallet");
System.setProperty("oracle.net.wallet_location", "/path/to/wallet");

Connection conn = DriverManager.getConnection(
    "jdbc:oracle:thin:@<tns_alias>", 
    "username", 
    "password"
);
Enter fullscreen mode Exit fullscreen mode

Java Applications (TLS without wallet):

// TLS connection without wallet (JDK8+)
Connection conn = DriverManager.getConnection(
    "jdbc:oracle:thin:@<connection_string>", 
    "username", 
    "password"
);
Enter fullscreen mode Exit fullscreen mode

Python Applications:

# mTLS with wallet
import oracledb

connection = oracledb.connect(
    user="username",
    password="password",
    dsn="<tns_alias>",
    config_dir="/path/to/wallet",
    wallet_location="/path/to/wallet",
    wallet_password="wallet_password"
)
Enter fullscreen mode Exit fullscreen mode

Python TLS without wallet:

# TLS connection without wallet (thin mode)
import oracledb

connection = oracledb.connect(
    user="username",
    password="password",
    dsn="<connection_string>"
)
Enter fullscreen mode Exit fullscreen mode

Node.js Applications:

// mTLS with wallet
const oracledb = require('oracledb');

const connection = await oracledb.getConnection({
    user: "username",
    password: "password",
    connectString: "<tns_alias>",
    walletLocation: "/path/to/wallet",
    walletPassword: "wallet_password"
});
Enter fullscreen mode Exit fullscreen mode

Private Endpoint Connectivity

Private Endpoint Overview

Network Isolation:
You can specify that an Autonomous Database uses a private endpoint inside your Virtual Cloud Network (VCN) to keep all traffic off the public internet.

Benefits:

  • Complete elimination of public internet exposure
  • Integration with existing VCN architecture
  • Enhanced security through network isolation
  • Lower latency for VCN-based applications

Connectivity Options with Private Endpoints:

  • Direct access from compute instances in same VCN
  • VCN peering for cross-VCN access
  • VPN connections for on-premises access
  • FastConnect for dedicated private connectivity

ACL and Private Endpoint Interaction

Important Note:
When using private endpoints, ACLs defined for public endpoints do not apply. Private endpoints use VCN security lists and network security groups for access control instead.

Firewall Configuration

Port Requirements

Default Ports:

  • Port 1522: mTLS connections (default and cannot be changed)
  • Port 1521: TLS connections

Firewall Rules:
Organizations must configure firewalls to allow access to Autonomous Database servers through the appropriate ports based on authentication method.

Outbound Firewall Configuration:

  • Allow outbound HTTPS (port 443) for console access
  • Allow outbound connections to database ports (1521/1522)
  • Configure proxy settings if required by corporate policy

Best Practices for Connectivity

Connection Pooling

Why Use Connection Pooling:

  • Reduces connection establishment overhead
  • Improves application performance
  • Better resource utilization
  • Handles connection failures gracefully

Implementation:
Most connection drivers support built-in connection pooling (JDBC, ODP.NET, python-oracledb, node-oracledb).

Connection String Management

Centralized Configuration:

  • Store connection strings in configuration files or secrets managers
  • Never hard-code credentials in application code
  • Use environment variables for different environments
  • Implement proper credential rotation procedures

High Availability Configuration

Connection Failover:
Connection strings support multiple addresses for high availability and automatic failover.

Retry Logic:
Implement retry logic in applications to handle temporary connection failures:

  • Configure retry_count and retry_delay in connection strings
  • Implement exponential backoff in application code
  • Handle transient errors appropriately

Performance Optimization

TLS vs. mTLS Selection:

  • Use TLS when wallet management overhead is significant
  • Use mTLS when maximum security is required
  • Consider connection latency requirements
  • Evaluate operational complexity trade-offs

Service Level Selection:

  • Use HIGH service for critical, time-sensitive queries
  • Use MEDIUM for general application workloads
  • Use LOW for batch processing and reporting
  • Use parallel services for data loading operations

Troubleshooting Connection Issues

Common Connection Problems

Wallet-Related Issues:

  • Incorrect wallet path or file permissions
  • Expired or invalid wallet files
  • Missing wallet files (cwallet.sso, tnsnames.ora)
  • Wallet password issues

Resolution:

  • Verify wallet file location and permissions
  • Re-download wallet from console
  • Check sqlnet.ora wallet configuration
  • Validate wallet contents

TLS Configuration Issues:

  • ACLs not configured for public internet access
  • Private endpoint not properly configured
  • Firewall blocking ports 1521 or 1522
  • Using wrong port for authentication type

Resolution:

  • Verify ACL configuration in console
  • Check private endpoint VCN configuration
  • Test network connectivity to ports
  • Confirm using correct port for mTLS (1522) or TLS (1521)

Authentication Failures:

  • Invalid username or password
  • User account locked or expired
  • Insufficient privileges
  • Client IP not in ACL

Resolution:

  • Verify credentials are correct
  • Check user account status in database
  • Grant necessary privileges
  • Add client IP to ACL if using public access

Conclusion

Oracle Autonomous Database provides flexible, secure connectivity options that balance security requirements with operational simplicity. Understanding the differences between mTLS and TLS authentication, properly configuring network access, and implementing best practices ensures reliable, secure database connections for enterprise applications.

Key Takeaways:

Security:

  • All connections use SSL/TLS encryption
  • No unsecure connections allowed
  • mTLS provides highest security with mutual authentication
  • TLS offers simplified connectivity without compromising encryption

Authentication Options:

  • mTLS (default): Wallet-based bidirectional authentication via port 1522
  • TLS (optional): Simplified authentication without wallets via port 1521
  • Both can coexist simultaneously
  • Prerequisites required for TLS (ACLs or private endpoints)

Wallet Management:

  • Required for all mTLS connections
  • Not required for most TLS connections (JDBC Thin, ODP.NET, newer OCI clients)
  • Secure storage and rotation procedures essential
  • Multiple formats supported (SSO, PKCS#12, JKS)

Connection Methods:

  • SQL Developer with Cloud Wallet or Custom JDBC
  • Direct connection strings for applications
  • Support for Java, Python, Node.js, .NET, and more
  • Private endpoints for VCN-isolated connectivity

Best Practices:

  • Use TLS for simplified operations when appropriate
  • Implement connection pooling for performance
  • Configure proper firewall rules
  • Store credentials securely
  • Implement retry logic and failover handling

By leveraging the appropriate authentication method and following connectivity best practices, organizations can ensure secure, high-performance access to Autonomous Database from diverse application environments while meeting security and operational requirements.

Top comments (0)