Last updated: 2026-06-25
Oracle Database TLS/SSL Configuration Guide
This guide provides recommended TLS/SSL settings for Oracle Database to encrypt connections between clients and the database server using the TCPS protocol. Oracle manages TLS certificates through Oracle Wallets.
Prerequisites
- Oracle Database 19c or later (for TLS 1.2; 19c and 21c are TLS 1.2 only)
- Oracle Database 23ai or later (for TLS 1.3 support)
- SSL certificates (server certificate, private key, and CA certificate)
orapkiutility (included with Oracle Database) for wallet management
Wallet Setup
Oracle traditionally manages TLS certificates through Oracle Wallets. A wallet is a PKCS#12 container that stores certificates and private keys.
Create an Auto-Login Wallet
# Create wallet directory
mkdir -p /etc/oracle/ssl
chmod 750 /etc/oracle/ssl
# Create a new auto-login wallet
orapki wallet create -wallet /etc/oracle/ssl -auto_login -pwd WalletPassword123
# Import the CA certificate
orapki wallet add -wallet /etc/oracle/ssl -trusted_cert -cert ca.crt -pwd WalletPassword123
# Import the server certificate and private key
# First convert to PKCS12 if you have PEM files
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name oracle_cert
# Import the PKCS12 into the wallet
orapki wallet import_pkcs12 -wallet /etc/oracle/ssl -pkcs12file server.p12 -pwd WalletPassword123
Verify Wallet Contents
orapki wallet display -wallet /etc/oracle/ssl
The output should show your server certificate, private key, and trusted CA certificates.
Server Configuration (sqlnet.ora)
The sqlnet.ora file controls network encryption settings. The file is typically located in $ORACLE_HOME/network/admin/.
Wallet-Based Configuration
# TLS wallet location
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /etc/oracle/ssl)
)
)
# Require TLS connections
SSL_CLIENT_AUTHENTICATION = FALSE
SQLNET.AUTHENTICATION_SERVICES = (TCPS)
# Protocol version
SSL_VERSION = 1.2 or 1.3
# Cipher suites
SSL_CIPHER_SUITES = (TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
Configuration Explained
- SSL_VERSION - Sets the allowed TLS protocol versions. Use
1.2 or 1.3to allow both TLS 1.2 and TLS 1.3. TLS 1.3 requires Oracle Database 23ai; Oracle 19c and 21c support TLS 1.2 only. - SSL_CIPHER_SUITES - Restricts the allowed cipher suites to strong AEAD ciphers with forward secrecy.
- SSL_CLIENT_AUTHENTICATION - Set to
TRUEto require client certificates (mutual TLS). Set toFALSEfor server-only authentication.
See RFC 8446 ยง4.3.2 for the TLS Certificate Request specification, and Wikipedia: Mutual authentication for a general overview.
Listener Configuration (listener.ora)
Configure the Oracle Net Listener to accept TCPS (TLS-encrypted) connections. The file is typically located in $ORACLE_HOME/network/admin/.
LISTENER =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCPS)(HOST = 0.0.0.0)(PORT = 2484))
(ADDRESS = (PROTOCOL = TCPS)(HOST = ::)(PORT = 2484))
)
)
)
# Wallet location for the listener
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /etc/oracle/ssl)
)
)
SSL_CLIENT_AUTHENTICATION = FALSE
Note: The default port for Oracle TCPS is 2484. You can run both TCP (1521) and TCPS (2484) listeners simultaneously during migration.
Note on IPv6: Each endpoint above pairs the IPv4 wildcard
0.0.0.0with the IPv6 all-interfaces address::so the listener accepts both families on the same port. MultipleADDRESSentries are grouped in anADDRESS_LISTinside oneDESCRIPTION, which Oracle Net supports for dual-stack listeners. IPv6 literals are written without square brackets inlistener.ora(brackets are only used in connect strings such as EasyConnect). Oracle does not formally document::as an all-IPv6 wildcard; if your Oracle version does not honor it, replace::with the server's specific IPv6 address, for example(ADDRESS = (PROTOCOL = TCPS)(HOST = 2001:db8::1)(PORT = 2484)). Specifying a resolvable host name instead of a literal address also causes the listener to bind every interface it resolves to, covering both families.
To support both unencrypted and TLS connections during a migration period:
LISTENER =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST = 0.0.0.0)(PORT = 1521))
(ADDRESS = (PROTOCOL = TCP)(HOST = ::)(PORT = 1521))
(ADDRESS = (PROTOCOL = TCPS)(HOST = 0.0.0.0)(PORT = 2484))
(ADDRESS = (PROTOCOL = TCPS)(HOST = ::)(PORT = 2484))
)
)
)
Complete Configuration
sqlnet.ora
# Oracle TLS Configuration
# Wallet location
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /etc/oracle/ssl)
)
)
# TLS protocol version
SSL_VERSION = 1.2 or 1.3
# Cipher suites
SSL_CIPHER_SUITES = (TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
# Client authentication
SSL_CLIENT_AUTHENTICATION = FALSE
# Server DN verification
SQLNET.AUTHENTICATION_SERVICES = (TCPS)
listener.ora
# Oracle TCPS Listener
LISTENER =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCPS)(HOST = 0.0.0.0)(PORT = 2484))
(ADDRESS = (PROTOCOL = TCPS)(HOST = ::)(PORT = 2484))
)
)
)
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /etc/oracle/ssl)
)
)
SSL_CLIENT_AUTHENTICATION = FALSE
Client Connections
SQL*Plus
Connect using TCPS with SQL*Plus:
sqlplus username/password@"(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=oracle.example.com)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=ORCL)))"
tnsnames.ora
Configure a TNS alias for TLS connections in tnsnames.ora:
ORCL_TLS =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCPS)(HOST = oracle.example.com)(PORT = 2484))
(CONNECT_DATA =
(SERVICE_NAME = ORCL)
)
(SECURITY =
(SSL_SERVER_CERT_DN = "CN=oracle.example.com")
)
)
Then connect with:
sqlplus username/password@ORCL_TLS
JDBC Thin Driver
For Java applications using the Oracle JDBC thin driver:
jdbc:oracle:thin:@tcps://oracle.example.com:2484/ORCL
Configure the JVM with truststore and keystore properties:
java -Djavax.net.ssl.trustStore=/path/to/truststore.jks \
-Djavax.net.ssl.trustStorePassword=changeit \
-Djavax.net.ssl.keyStore=/path/to/keystore.jks \
-Djavax.net.ssl.keyStorePassword=changeit \
-jar myapp.jar
Security Notes
Oracle Database TLS uses Oracle's native wallet-based implementation (Oracle Advanced Security) for server-side TLS, and Java's JSSE when connecting from Java clients. The relevant vulnerability history depends on the component:
Oracle server (Oracle Advanced Security / wallet):
- POODLE / BEAST / FREAK / Sweet32 / ROBOT: Mitigated by the
SSL_VERSIONandSSL_CIPHER_SUITESparameters insqlnet.ora. SetSSL_VERSION = 1.2or higher and exclude legacy cipher suites as shown in this guide. - Oracle 12.2+ supports TLS 1.2. TLS 1.3 requires Oracle Database 23ai; Oracle 19c and 21c support TLS 1.2 only.
Java clients (JDBC Thin driver with JSSE):
- POODLE (CVE-2014-3566, 2014): SSL 3.0 disabled by default since Java 8u31 (January 2015).
- BEAST (CVE-2011-3389, 2011): TLS 1.0 disabled by default since Java 8u292 / Java 11.0.11 (April 2021).
- FREAK (CVE-2015-0204, 2015): EXPORT ciphers disabled by default since Java 8u40 (March 2015).
- Sweet32 (CVE-2016-2183, 2016): 3DES disabled by default since Java 8u151 (October 2017).
- ROBOT (2017): Static RSA key exchange is excluded from the recommended configuration.
The following are not addressable through TLS configuration alone:
- Heartbleed (CVE-2014-0160, 2014): Not applicable to Oracle's native TLS or Java JSSE; neither is based on OpenSSL.
- BREACH (CVE-2013-3587, 2013): Not applicable. BREACH targets HTTP-level response compression; the Oracle SQL*Net wire protocol does not involve HTTP.
- DROWN (CVE-2016-0800, 2016): Not applicable. Oracle Advanced Security and Java JSSE do not support SSLv2.
Verification
Restart the listener and verify the TCPS endpoint is active:
lsnrctl stop
lsnrctl start
lsnrctl status
The output should show the TCPS endpoint listening on port 2484.
Test the TLS connection with openssl:
openssl s_client -connect oracle.example.com:2484
Verify the TLS protocol and cipher from within an active session:
SELECT sys_context('USERENV', 'NETWORK_PROTOCOL') AS protocol FROM dual;
SELECT sys_context('USERENV', 'SSL_CIPHER') AS cipher FROM dual;
Check active TLS sessions from the server:
SELECT username, program, network_service_banner
FROM v$session_connect_info
WHERE network_service_banner LIKE '%TLS%' OR network_service_banner LIKE '%SSL%';