Skip to content

Last updated: 2026-06-25

Oracle Database TLS/SSL Configuration Guide

This guide provides recommended TLS/SSL settings for Oracle Database to encrypt connections between clients and the database server using the TCPS protocol. Oracle manages TLS certificates through Oracle Wallets.

Prerequisites

  • Oracle Database 19c or later (for TLS 1.2; 19c and 21c are TLS 1.2 only)
  • Oracle Database 23ai or later (for TLS 1.3 support)
  • SSL certificates (server certificate, private key, and CA certificate)
  • orapki utility (included with Oracle Database) for wallet management

Wallet Setup

Oracle traditionally manages TLS certificates through Oracle Wallets. A wallet is a PKCS#12 container that stores certificates and private keys.

Create an Auto-Login Wallet

# Create wallet directory
mkdir -p /etc/oracle/ssl
chmod 750 /etc/oracle/ssl

# Create a new auto-login wallet
orapki wallet create -wallet /etc/oracle/ssl -auto_login -pwd WalletPassword123

# Import the CA certificate
orapki wallet add -wallet /etc/oracle/ssl -trusted_cert -cert ca.crt -pwd WalletPassword123

# Import the server certificate and private key
# First convert to PKCS12 if you have PEM files
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name oracle_cert

# Import the PKCS12 into the wallet
orapki wallet import_pkcs12 -wallet /etc/oracle/ssl -pkcs12file server.p12 -pwd WalletPassword123

Verify Wallet Contents

orapki wallet display -wallet /etc/oracle/ssl

The output should show your server certificate, private key, and trusted CA certificates.

Server Configuration (sqlnet.ora)

The sqlnet.ora file controls network encryption settings. The file is typically located in $ORACLE_HOME/network/admin/.

Wallet-Based Configuration

# TLS wallet location
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /etc/oracle/ssl)
    )
  )

# Require TLS connections
SSL_CLIENT_AUTHENTICATION = FALSE
SQLNET.AUTHENTICATION_SERVICES = (TCPS)

# Protocol version
SSL_VERSION = 1.2 or 1.3

# Cipher suites
SSL_CIPHER_SUITES = (TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)

Configuration Explained

  • SSL_VERSION - Sets the allowed TLS protocol versions. Use 1.2 or 1.3 to allow both TLS 1.2 and TLS 1.3. TLS 1.3 requires Oracle Database 23ai; Oracle 19c and 21c support TLS 1.2 only.
  • SSL_CIPHER_SUITES - Restricts the allowed cipher suites to strong AEAD ciphers with forward secrecy.
  • SSL_CLIENT_AUTHENTICATION - Set to TRUE to require client certificates (mutual TLS). Set to FALSE for server-only authentication.

See RFC 8446 ยง4.3.2 for the TLS Certificate Request specification, and Wikipedia: Mutual authentication for a general overview.

Listener Configuration (listener.ora)

Configure the Oracle Net Listener to accept TCPS (TLS-encrypted) connections. The file is typically located in $ORACLE_HOME/network/admin/.

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCPS)(HOST = 0.0.0.0)(PORT = 2484))
        (ADDRESS = (PROTOCOL = TCPS)(HOST = ::)(PORT = 2484))
      )
    )
  )

# Wallet location for the listener
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /etc/oracle/ssl)
    )
  )

SSL_CLIENT_AUTHENTICATION = FALSE

Note: The default port for Oracle TCPS is 2484. You can run both TCP (1521) and TCPS (2484) listeners simultaneously during migration.

Note on IPv6: Each endpoint above pairs the IPv4 wildcard 0.0.0.0 with the IPv6 all-interfaces address :: so the listener accepts both families on the same port. Multiple ADDRESS entries are grouped in an ADDRESS_LIST inside one DESCRIPTION, which Oracle Net supports for dual-stack listeners. IPv6 literals are written without square brackets in listener.ora (brackets are only used in connect strings such as EasyConnect). Oracle does not formally document :: as an all-IPv6 wildcard; if your Oracle version does not honor it, replace :: with the server's specific IPv6 address, for example (ADDRESS = (PROTOCOL = TCPS)(HOST = 2001:db8::1)(PORT = 2484)). Specifying a resolvable host name instead of a literal address also causes the listener to bind every interface it resolves to, covering both families.

To support both unencrypted and TLS connections during a migration period:

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCP)(HOST = 0.0.0.0)(PORT = 1521))
        (ADDRESS = (PROTOCOL = TCP)(HOST = ::)(PORT = 1521))
        (ADDRESS = (PROTOCOL = TCPS)(HOST = 0.0.0.0)(PORT = 2484))
        (ADDRESS = (PROTOCOL = TCPS)(HOST = ::)(PORT = 2484))
      )
    )
  )

Complete Configuration

sqlnet.ora

# Oracle TLS Configuration

# Wallet location
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /etc/oracle/ssl)
    )
  )

# TLS protocol version
SSL_VERSION = 1.2 or 1.3

# Cipher suites
SSL_CIPHER_SUITES = (TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)

# Client authentication
SSL_CLIENT_AUTHENTICATION = FALSE

# Server DN verification
SQLNET.AUTHENTICATION_SERVICES = (TCPS)

listener.ora

# Oracle TCPS Listener

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCPS)(HOST = 0.0.0.0)(PORT = 2484))
        (ADDRESS = (PROTOCOL = TCPS)(HOST = ::)(PORT = 2484))
      )
    )
  )

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /etc/oracle/ssl)
    )
  )

SSL_CLIENT_AUTHENTICATION = FALSE

Client Connections

SQL*Plus

Connect using TCPS with SQL*Plus:

sqlplus username/password@"(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=oracle.example.com)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=ORCL)))"

tnsnames.ora

Configure a TNS alias for TLS connections in tnsnames.ora:

ORCL_TLS =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = oracle.example.com)(PORT = 2484))
    (CONNECT_DATA =
      (SERVICE_NAME = ORCL)
    )
    (SECURITY =
      (SSL_SERVER_CERT_DN = "CN=oracle.example.com")
    )
  )

Then connect with:

sqlplus username/password@ORCL_TLS

JDBC Thin Driver

For Java applications using the Oracle JDBC thin driver:

jdbc:oracle:thin:@tcps://oracle.example.com:2484/ORCL

Configure the JVM with truststore and keystore properties:

java -Djavax.net.ssl.trustStore=/path/to/truststore.jks \
     -Djavax.net.ssl.trustStorePassword=changeit \
     -Djavax.net.ssl.keyStore=/path/to/keystore.jks \
     -Djavax.net.ssl.keyStorePassword=changeit \
     -jar myapp.jar

Security Notes

Oracle Database TLS uses Oracle's native wallet-based implementation (Oracle Advanced Security) for server-side TLS, and Java's JSSE when connecting from Java clients. The relevant vulnerability history depends on the component:

Oracle server (Oracle Advanced Security / wallet):

  • POODLE / BEAST / FREAK / Sweet32 / ROBOT: Mitigated by the SSL_VERSION and SSL_CIPHER_SUITES parameters in sqlnet.ora. Set SSL_VERSION = 1.2 or higher and exclude legacy cipher suites as shown in this guide.
  • Oracle 12.2+ supports TLS 1.2. TLS 1.3 requires Oracle Database 23ai; Oracle 19c and 21c support TLS 1.2 only.

Java clients (JDBC Thin driver with JSSE):

  • POODLE (CVE-2014-3566, 2014): SSL 3.0 disabled by default since Java 8u31 (January 2015).
  • BEAST (CVE-2011-3389, 2011): TLS 1.0 disabled by default since Java 8u292 / Java 11.0.11 (April 2021).
  • FREAK (CVE-2015-0204, 2015): EXPORT ciphers disabled by default since Java 8u40 (March 2015).
  • Sweet32 (CVE-2016-2183, 2016): 3DES disabled by default since Java 8u151 (October 2017).
  • ROBOT (2017): Static RSA key exchange is excluded from the recommended configuration.

The following are not addressable through TLS configuration alone:

  • Heartbleed (CVE-2014-0160, 2014): Not applicable to Oracle's native TLS or Java JSSE; neither is based on OpenSSL.
  • BREACH (CVE-2013-3587, 2013): Not applicable. BREACH targets HTTP-level response compression; the Oracle SQL*Net wire protocol does not involve HTTP.
  • DROWN (CVE-2016-0800, 2016): Not applicable. Oracle Advanced Security and Java JSSE do not support SSLv2.

Verification

Restart the listener and verify the TCPS endpoint is active:

lsnrctl stop
lsnrctl start
lsnrctl status

The output should show the TCPS endpoint listening on port 2484.

Test the TLS connection with openssl:

openssl s_client -connect oracle.example.com:2484

Verify the TLS protocol and cipher from within an active session:

SELECT sys_context('USERENV', 'NETWORK_PROTOCOL') AS protocol FROM dual;
SELECT sys_context('USERENV', 'SSL_CIPHER') AS cipher FROM dual;

Check active TLS sessions from the server:

SELECT username, program, network_service_banner
FROM v$session_connect_info
WHERE network_service_banner LIKE '%TLS%' OR network_service_banner LIKE '%SSL%';

Related Guides

View all Databases guides →

Configured TLS? Now Monitor It.

Generator Labs alerts you before certificates expire, get revoked, or fail chain validation, across HTTPS, SMTPS, IMAPS, LDAPS, and more.

Certificate Monitoring →