Last updated: 2026-02-13
Oracle Database TLS/SSL Configuration Guide
This guide provides recommended TLS/SSL settings for Oracle Database to encrypt connections between clients and the database server using the TCPS protocol. Oracle supports TLS through Oracle Wallets or file-based certificates (19c+).
Prerequisites
- Oracle Database 19c or later (for file-based certificate support and TLS 1.2)
- Oracle Database 21c or later (for TLS 1.3 support)
- SSL certificates (server certificate, private key, and CA certificate)
- orapki utility (included with Oracle Database) for wallet management
Wallet Setup
Oracle traditionally manages TLS certificates through Oracle Wallets. A wallet is a PKCS#12 container that stores certificates and private keys.
Create an Auto-Login Wallet
# Create wallet directory
mkdir -p /etc/oracle/ssl
chmod 750 /etc/oracle/ssl
# Create a new auto-login wallet
orapki wallet create -wallet /etc/oracle/ssl -auto_login -pwd WalletPassword123
# Import the CA certificate
orapki wallet add -wallet /etc/oracle/ssl -trusted_cert -cert ca.crt -pwd WalletPassword123
# Import the server certificate and private key
# First convert to PKCS12 if you have PEM files
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name oracle_cert
# Import the PKCS12 into the wallet
orapki wallet import_pkcs12 -wallet /etc/oracle/ssl -pkcs12file server.p12 -pwd WalletPassword123
Verify Wallet Contents
orapki wallet display -wallet /etc/oracle/ssl
The output should show your server certificate, private key, and trusted CA certificates.
File-Based Certificates
Oracle 19c and later support file-based TLS configuration without wallets. This is simpler and follows the pattern used by most other services.
# Create certificate directory
mkdir -p /etc/oracle/ssl
chmod 750 /etc/oracle/ssl
chown oracle:oinstall /etc/oracle/ssl
# Place certificate files
cp server.crt /etc/oracle/ssl/server-cert.pem
cp server.key /etc/oracle/ssl/server-key.pem
cp ca.crt /etc/oracle/ssl/ca.pem
chmod 640 /etc/oracle/ssl/*.pem
chown oracle:oinstall /etc/oracle/ssl/*.pem
Server Configuration -- sqlnet.ora
The sqlnet.ora file controls network encryption settings. The file is typically located in $ORACLE_HOME/network/admin/.
Wallet-Based Configuration
# TLS wallet location
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /etc/oracle/ssl)
    )
  )
# TLS as an authentication service; client certificates not required (server-only auth).
# TLS itself is enforced by exposing only a TCPS listener (see listener.ora below).
SSL_CLIENT_AUTHENTICATION = FALSE
SQLNET.AUTHENTICATION_SERVICES = (TCPS)
# Protocol version
SSL_VERSION = 1.2 or 1.3
# Cipher suites
SSL_CIPHER_SUITES = (TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
File-Based Configuration (19c+)
# TLS certificate files (19c+ file-based, no wallet required)
SSL_CERT_FILE = /etc/oracle/ssl/server-cert.pem
SSL_KEY_FILE = /etc/oracle/ssl/server-key.pem
SSL_CERT_REVOCATION = REQUIRED
SSL_CRL_FILE = /etc/oracle/ssl/crl.pem
# Server certificate DN and extended key usage checks
SSL_SERVER_CERT_DN = "CN=oracle.example.com"
SQLNET.SSL_EXTENDED_KEY_USAGE = SERVER
# Protocol version
SSL_VERSION = 1.2 or 1.3
# Cipher suites
SSL_CIPHER_SUITES = (TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
# Client authentication (set to TRUE for mutual TLS)
SSL_CLIENT_AUTHENTICATION = FALSE
Configuration Explained
- SSL_VERSION -- Sets the allowed TLS protocol versions. Use "1.2 or 1.3" to allow both TLS 1.2 and TLS 1.3. Oracle 21c adds TLS 1.3 support.
- SSL_CIPHER_SUITES -- Restricts the allowed cipher suites to strong AEAD ciphers with forward secrecy.
- SSL_CLIENT_AUTHENTICATION -- Set to TRUE to require client certificates (mutual TLS). Set to FALSE for server-only authentication.
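As an added check, not part of the original guide: a POSIX sh function that reads a sqlnet.ora and flags the settings the list above warns about (a protocol older than TLS 1.2, a cipher suite without forward secrecy or AEAD, and a missing wallet or certificate location). The function name and the file paths are assumptions; it expects SSL_CIPHER_SUITES on a single line, as written in this guide.

```shell
#!/bin/sh
# audit_sqlnet FILE: audit the TLS parameters in a sqlnet.ora.
# Prints one line per finding; returns 0 when every check passes, 1 otherwise.
audit_sqlnet() {
  f="$1"
  rc=0
  # Strip comments and blank lines once so every check sees the same view.
  cfg=$(sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$f")

  # 1. Protocol: only TLS 1.2 and/or 1.3 may be enabled.
  ver=$(printf '%s\n' "$cfg" | grep -i '^[[:space:]]*SSL_VERSION' \
        | sed 's/.*=[[:space:]]*//; s/[[:space:]]*$//')
  case "$ver" in
    "1.2 or 1.3"|"1.3 or 1.2"|"1.3"|"1.2") ;;
    "") echo "FAIL: SSL_VERSION not set (Oracle defaults may allow older TLS)"; rc=1 ;;
    *)  echo "FAIL: SSL_VERSION='$ver' allows a protocol older than TLS 1.2"; rc=1 ;;
  esac

  # 2. Cipher suites: accept only TLS 1.3 suites and ECDHE AEAD suites (single-line form).
  suites=$(printf '%s\n' "$cfg" | grep -i '^[[:space:]]*SSL_CIPHER_SUITES' \
           | sed 's/.*=[[:space:]]*//; s/[()]//g; s/,/ /g')
  if [ -z "$suites" ]; then
    echo "FAIL: SSL_CIPHER_SUITES not set (all Oracle default suites accepted)"; rc=1
  fi
  for s in $suites; do
    case "$s" in
      TLS_AES_*|TLS_CHACHA20_*|TLS_ECDHE_*_GCM_*|TLS_ECDHE_*_CHACHA20_*) ;;
      *) echo "FAIL: weak or non-PFS cipher suite $s"; rc=1 ;;
    esac
  done

  # 3. A wallet or certificate file location must be configured.
  printf '%s\n' "$cfg" | grep -qiE '^[[:space:]]*(WALLET_LOCATION|SSL_CERT_FILE)' \
    || { echo "FAIL: no WALLET_LOCATION or SSL_CERT_FILE"; rc=1; }

  [ "$rc" -eq 0 ] && echo "PASS: $f"
  return "$rc"
}
```

Run it against the server's and each client's sqlnet.ora after a change; a non-zero exit is the signal to stop a rollout.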
Listener Configuration -- listener.ora
Configure the Oracle Net Listener to accept TCPS (TLS-encrypted) connections. The file is typically located in $ORACLE_HOME/network/admin/.
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = 0.0.0.0)(PORT = 2484))
    )
  )
# Wallet location for the listener
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /etc/oracle/ssl)
    )
  )
SSL_CLIENT_AUTHENTICATION = FALSE
Note: The default port for Oracle TCPS is 2484. You can run both TCP (1521) and TCPS (2484) listeners simultaneously during migration.
To support both unencrypted and TLS connections during a migration period:
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 0.0.0.0)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = 0.0.0.0)(PORT = 2484))
    )
  )
Complete Configuration
sqlnet.ora
# Oracle TLS Configuration
# Wallet location
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /etc/oracle/ssl)
    )
  )
# TLS protocol version
SSL_VERSION = 1.2 or 1.3
# Cipher suites
SSL_CIPHER_SUITES = (TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
# Client authentication (FALSE = server-only authentication)
SSL_CLIENT_AUTHENTICATION = FALSE
# TLS as an authentication service
SQLNET.AUTHENTICATION_SERVICES = (TCPS)
listener.ora
# Oracle TCPS Listener
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = 0.0.0.0)(PORT = 2484))
    )
  )
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /etc/oracle/ssl)
    )
  )
SSL_CLIENT_AUTHENTICATION = FALSE
Client Connections
SQL*Plus
Connect using TCPS with SQL*Plus:
sqlplus username/password@"(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=oracle.example.com)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=ORCL)))"
tnsnames.ora
Configure a TNS alias for TLS connections in tnsnames.ora:
ORCL_TLS =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = oracle.example.com)(PORT = 2484))
    (CONNECT_DATA =
      (SERVICE_NAME = ORCL)
    )
    (SECURITY =
      (SSL_SERVER_CERT_DN = "CN=oracle.example.com")
    )
  )
Then connect with:
sqlplus username/password@ORCL_TLS
JDBC Thin Driver
For Java applications using the Oracle JDBC thin driver:
jdbc:oracle:thin:@tcps://oracle.example.com:2484/ORCL
Configure the JVM with truststore and keystore properties:
java -Djavax.net.ssl.trustStore=/path/to/truststore.jks \
-Djavax.net.ssl.trustStorePassword=changeit \
-Djavax.net.ssl.keyStore=/path/to/keystore.jks \
-Djavax.net.ssl.keyStorePassword=changeit \
-jar myapp.jar
Verification
Restart the listener and verify the TCPS endpoint is active:
lsnrctl stop
lsnrctl start
lsnrctl status
The output should show the TCPS endpoint listening on port 2484.
Test the TLS connection with openssl:
openssl s_client -connect oracle.example.com:2484
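A bare s_client run only shows that a handshake happened. As an added example (not from the original guide), the POSIX sh functions below pin the CA with -CAfile and then read the s_client transcript to confirm the negotiated protocol is TLS 1.2 or 1.3, the cipher is an AEAD suite with forward secrecy, and the server chain actually verified. The function names and the /etc/oracle/ssl/ca.pem path are assumptions.

```shell
#!/bin/sh
# assess_sclient_output: read an `openssl s_client` transcript on stdin and
# decide whether the TCPS endpoint meets this guide's bar. Returns 0 on PASS.
assess_sclient_output() {
  out=$(cat)
  rc=0
  # s_client prints these in its SSL-Session block (or as "Protocol version:" / "Ciphersuite:" in -brief mode).
  proto=$(printf '%s\n' "$out"  | sed -n 's/^[[:space:]]*Protocol[^:]*:[[:space:]]*//p' | head -n 1)
  cipher=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Cipher[^:]*:[[:space:]]*//p'   | head -n 1)
  verify=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Verify return code:[[:space:]]*//p' | head -n 1)

  case "$proto" in
    TLSv1.2|TLSv1.3) ;;
    *) echo "FAIL: negotiated protocol '$proto' (want TLSv1.2 or TLSv1.3)"; rc=1 ;;
  esac
  # OpenSSL uses IANA names for TLS 1.3 suites and its own ECDHE-*-GCM-* names for TLS 1.2.
  case "$cipher" in
    TLS_AES_*|TLS_CHACHA20_*|ECDHE-*-GCM-*|ECDHE-*-CHACHA20-*) ;;
    *) echo "FAIL: cipher '$cipher' is not an AEAD suite with forward secrecy"; rc=1 ;;
  esac
  case "$verify" in
    "0 (ok)") ;;
    *) echo "FAIL: certificate chain not verified: '$verify'"; rc=1 ;;
  esac

  [ "$rc" -eq 0 ] && echo "PASS: $proto $cipher, chain verified"
  return "$rc"
}

# check_tcps_endpoint HOST PORT CAFILE: probe the listener and assess the result.
# -CAfile pins the trust anchor so a self-signed or wrong-CA server certificate
# is reported as a verify failure instead of being silently accepted.
check_tcps_endpoint() {
  openssl s_client -connect "$1:$2" -CAfile "$3" -servername "$1" </dev/null 2>/dev/null \
    | assess_sclient_output
}

# Typical use: check_tcps_endpoint oracle.example.com 2484 /etc/oracle/ssl/ca.pem
```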
Verify the TLS protocol and cipher from within an active session:
SELECT sys_context('USERENV', 'NETWORK_PROTOCOL') AS protocol FROM dual;
SELECT sys_context('USERENV', 'SSL_CIPHER') AS cipher FROM dual;
Check active TLS sessions from the server:
SELECT username, program, network_service_banner
FROM v$session_connect_info
WHERE network_service_banner LIKE '%TLS%' OR network_service_banner LIKE '%SSL%';