Professional Documents
Culture Documents
3. Set the wallet location: Add the OraclePKIProvider at the end of the provider list
in the file java.security (this file is part of your JRE install located
at $JRE_HOME/jre/lib/security/java.security) which typically looks
like:
security.provider.14=oracle.security.pki.OraclePKIProvider
4. Compile and Run: Compile and run the sample to get a successful connection.
Make sure to have oraclepki.jar , osdt_core.jar, and osdt_cert.jar, in the
classpath. Also, you need to pass the connection properties. Update the
properties with the location where tnsnames.ora and wallet files are located.
java –classpath
./lib/ojdbc8.jar:./lib/ucp.jar:./lib/oraclepki.jar:./lib/
osdt_core.jar:./lib/osdt_cert.jar:.
-Doracle.net.tns_admin=/users/test/wallet_dbname
-Doracle.net.ssl_server_dn_match=true
-Doracle.net.ssl_version=1.2 (Not required for 12.2)
-Doracle.net.wallet_location= “(SOURCE=(METHOD=FILE)
(METHOD_DATA=(DIRECTORY=/users/test/wallet_dbname)))”
UCPSample
Note:
These are Windows system examples. Add a \ continuation character if you
are setting –D properties on multiple lines on UNIX ( Linux or a Mac).
DB_URL="jdbc:oracle:thin:@dbname_high”
3-64
Chapter 3
Connect to Autonomous Database
Note:
If you are using Microsoft Active Directory with Autonomous Database, then
update the sample source code to use the Active Directory username and
Active Directory user password. See Use Microsoft Active Directory with
Autonomous Database for more information.
3. Compile and Run: Compile and run the sample to get a successful connection. You
need to pass the connection properties as shown. Update the properties with the location
where tnsnames.ora and JKS files are placed. If you want to pass these connection
properties programmatically then refer to DataSourceForJKS.java. For example:
java
-Doracle.net.tns_admin=/users/test/wallet_dbname
-Djavax.net.ssl.trustStore=truststore.jks
-Djavax.net.ssl.trustStorePassword=**********
-Djavax.net.ssl.keyStore=keystore.jks
-Djavax.net.ssl.keyStorePassword=************
-Doracle.net.ssl_server_dn_match=true
-Doracle.net.ssl_version=1.2 // Not required for 12.2
db2022adb_high =
(description=
(address=
(https_proxy=proxyhostname)(https_proxy_port=80)
(protocol=tcps)(port=1522)(host=adb.example.oraclecloud.com)
)
(connect_data=(service_name=db2022adb_high.adb.oraclecloud.com)
)
(security=security=(ssl_server_dn_match=yes)
)
)
3-65
Chapter 3
Connect to Autonomous Database
Notes:
• JDBC Thin client versions earlier than 18.1 do not support connections
through HTTP proxy.
• Successful connection depends on specific proxy configurations and the
performance of data transfers would depend on proxy capacity. Oracle
does not recommend using this feature in Production environments
where performance is critical.
• Configuring tnsnames.ora for the HTTP proxy may not be enough
depending on your organization's network configuration and security
policies. For example, some networks require a username and password
for the HTTP proxy.
• In all cases, contact your network administrator to open outbound
connections to hosts in the oraclecloud.com domain using the relevant
port without going through an HTTP proxy.
JDBC Thin Driver Connection Prerequisites for TLS Connections Without a Wallet
Applications that use JDBC Thin driver support TLS and mutual TLS (mTLS)
authentication. Connecting to an Autonomous Database instance with TLS
authentication requires database credentials (username and password) and provides a
secure connection, but does not require that you download Oracle wallets or Java
KeyStore (JKS) files.
Note:
See Update your Autonomous Database Instance to Allow both TLS and
mTLS Authentication for information on allowing TLS connections.
3-66
Chapter 3
Connect to Autonomous Database
Using a JDBC URL TLS Connection String for JDBC Thin Driver Without a Wallet
To connect the database using JDBC Thin Driver with TLS without a wallet, you provide a
connection string. Each database service has its own TNS Name and connection string.
To run an application using the JDBC Thin Driver with TLS authentication without a wallet:
1. Copy a connection string for the Autonomous Database.
To connect with TLS authentication copy a TLS connection string. On the Database
Connection page, under TLS Authentication, select TLS to view the connection strings
for connecting with TLS authentication.
See View TNS Names and Connection Strings for an Autonomous Database Instance for
information on viewing and copying connection stings.
See Predefined Database Service Names for Autonomous Database for information on
the different databases services for each connection string.
2. Set the DB_URL parameter.
Use the following format for the DB_URL parameter:
DB_URL=jdbc:oracle:thin:@my_connect_string
For example:
DB_URL=jdbc:oracle:thin:@(description= (retry_count=20)(retry_delay=3)
(address=(protocol=tcps)
(port=1521)(host=adb.region.oraclecloud.com))
(connect_data=(service_name=u9adutfb2ba8x4d_database_medium.adb.oracleclou
d.com))
(security=(ssl_server_dn_match=yes)))
3-67
Chapter 3
Connect to Autonomous Database
When WALLET_LOCATION is used, Oracle Net Services automatically uses the wallet.
The wallet is used transparently to the application. See Prepare for Oracle Call
Interface, ODBC, and JDBC OCI Connections with Wallets (mTLS) for information on
setting WALLET_LOCATION.
Note:
See Update your Autonomous Database Instance to Allow both TLS and
mTLS Authentication for information on allowing TLS connections.
See Prepare for Oracle Call Interface, ODBC, and JDBC OCI Connections Using TLS
Authentication to prepare for Oracle Call Interface connections.
When a wallet is required and you set WALLET_LOCATION parameter in the
sqlnet.ora file, Oracle Net Services finds the location of the wallet and uses the
wallet (use of the wallet is transparent to the application).
3-68
Chapter 3
Connect to Autonomous Database
3-69
Chapter 3
Connect to Autonomous Database
Note:
For all of these options connections to your Autonomous Database use
certificate-based authentication and Secure Sockets Layer (SSL).
3-70
Chapter 3
Connect to Autonomous Database
When you provision or clone your Autonomous Database you specify one of the following
network access options:
• Allow secure access from everywhere: This option assigns a public endpoint, public IP
and hostname, to your database. With this selection you have two options:
– The database is accessible from all IP addresses: this is the default option when you
provision or clone Autonomous Database.
– Select Configure access control rules: This option lets you restrict access by
defining access control rules in an Access Control List (ACL). By specifying an ACL,
the database will be accessible from a whitelisted set of IP addresses or VCNs.
If you configure your database with the Allow secure access from everywhere option,
you can add, modify, or remove ACLs after you provision or clone the database.
See Overview of Restricting Access with ACLs for more information.
• Virtual cloud network: This option assigns a private endpoint, private IP, and hostname
to your database. Specifying this option allows traffic only from the VCN you specify;
access to the database from all public IPs or VCNs is blocked. This allows you to define
security rules, ingress/egress, at the Network Security Group (NSG) level and to control
traffic to your Autonomous Database.
See Configure Private Endpoints When You Provision or Clone an Instance for more
information.
Note:
After you provision or clone your database, you can change the selection you make,
to either Allow secure access from everywhere or Virtual cloud network for the
database instance.
See Change from Public to Private Endpoints with Autonomous Database for more
information.
See Change from Private to Public Endpoints with Autonomous Database for more
information.
3-71
Chapter 3
Connect to Autonomous Database
Specifying an access control list blocks all IP addresses that are not in the ACL list
from accessing the database. After you specify an access control list, the database
only accepts connections from addresses on the access control list and the database
rejects all other client connections.
Depending on where the client machines that connect to your database are located
you have the following options with ACLs:
• If your client machines connect to your database through the public internet, then
you can use ACLs to specify the client machine's public IP addresses or their
public CIDR blocks. In this case only the specified public IP addresses can access
your database.
• If the client machines reside in an Oracle Cloud Infrastructure Virtual Cloud
Network (VCN), you can configure a Service Gateway to connect to your
database. In this case, you can specify the VCN in your ACL, this allows all client
machines in that VCN to access your database and blocks all other connections.
Furthermore, you can specify the VCN and a list of private IP addresses or CIDR
blocks in that VCN. This allows only those client machines with the specified IP
addresses or CIDR blocks to access your database and blocks all other
connections.
See VCNs and Subnets for details on Virtual Cloud Networks (VCN).
See Access to Oracle Services: Service Gateway for details on setting up a
Service Gateway.
• If you have on-premises clients that connect to your database through Transit
Routing, you can specify the VCN and also the private IP addresses or CIDR
blocks of these on-premises clients to access to your database.
See Transit Routing: Private Access to Oracle Services for details on Transit
Routing.
• You can use these options together to set multiple rules to allow access from
different types of clients. Multiple rules do not exclude each other.
See Configuring Network Access with Access Control Rules (ACLs) for the steps for
configuring network access with ACLs, either when you provision or clone your
database, or whenever you want to add, modify or remove ACLs.
3-72
Chapter 3
Connect to Autonomous Database
3-73