Step-by-Step Guide to Enabling TCPS (SSL/TLS) in Oracle Database

Oracle TCPS (TCP with SSL/TLS; Oracle's configuration keywords still say SSL, but current releases negotiate TLS) encrypts SQL*Net traffic between clients and the database and lets clients verify the server by its certificate. This guide provides a step-by-step approach to enabling TCPS in Oracle 12c, 19c, and later.


🔹 Prerequisites

Before proceeding, ensure you have:
Oracle Database 12c or later installed (any edition: since 12c, TLS network encryption no longer requires the Advanced Security option).
Oracle Wallet Manager (OWM) or the orapki command-line utility (this guide uses orapki).
Admin access to the database and OS access as the Oracle software owner on the server.


🔹 Step 1: Create and Configure Oracle Wallet

An Oracle wallet holds the server's private key and certificate (and, on a client, the certificates the client trusts); the listener and the client read it during the TLS handshake, so it must exist before TCPS is enabled.

📌 Option 1: Using orapki (Command Line)

Run the following commands to create a wallet and a self-signed server certificate (one command per line; a trailing backslash continues a command onto the next line). Replace Welcome1 with a strong wallet password, use a two-letter ISO code for C=, and keep the DN string identical in every command:


mkdir -p /u01/app/oracle/wallet
orapki wallet create -wallet /u01/app/oracle/wallet \
  -pwd Welcome1 -auto_login_local
orapki wallet add -wallet /u01/app/oracle/wallet \
  -dn "CN=`hostname`, OU=IT, O=MyCompany, L=City, ST=State, C=Country" \
  -keysize 2048 -self_signed -validity 365 -pwd Welcome1
orapki wallet display -wallet /u01/app/oracle/wallet

Export the Certificate

The exported certificate is what clients must trust; a client on another machine imports it into its own wallet as a trusted certificate (orapki wallet add with the -trusted_cert option) rather than copying the server wallet, which contains the private key.

orapki wallet export -wallet /u01/app/oracle/wallet \
  -dn "CN=`hostname`, OU=IT, O=MyCompany, L=City, ST=State, C=Country" \
  -cert server_ca.cert

📌 Explanation:

  • Creates a wallet (-wallet /u01/app/oracle/wallet) with auto-login restricted to this host (-auto_login_local), so the listener can open it without a password prompt.
  • Generates a 2048-bit key and a self-signed certificate (-self_signed -validity 365); renew it before the 365 days expire, or TCPS handshakes will start failing. A self-signed certificate is fine for a lab; in production request one from your internal CA.
  • Exports the certificate (server_ca.cert) for distribution to clients.
  • Passing -pwd on the command line leaves the password in shell history and process listings; use a strong password and make the wallet directory readable only by the Oracle software owner, since it contains the server's private key.

🔹 Step 2: Enable TCPS in the Oracle Listener

Modify the listener.ora file ($ORACLE_HOME/network/admin/listener.ora) to include TCPS support. Use the same hostname in HOST that appears in the certificate's CN, so clients that check the server DN can match it:

SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /u01/app/oracle/wallet))
  )

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = your-server-ip or hostname)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = your-server-ip or hostname)(PORT = 2484))
    )
  )

SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (GLOBAL_DBNAME = yourdb)
      (ORACLE_HOME = /u01/app/oracle/product/19c/dbhome_1)
      (SID_NAME = yourdb)
    )
  )

📌 Explanation:

  • TCP (1521) for standard, unencrypted connections.
  • TCPS (2484, the IANA-registered port for Oracle TTC over SSL/TLS) for encrypted connections.
  • The listener does not force clients onto TCPS: any client that keeps using port 1521 stays unencrypted. Keep 1521 only while clients migrate, and firewall or remove it once encryption is mandatory.

🔹 Restart the Listener


lsnrctl stop
lsnrctl start
lsnrctl status

Verify the listener is running with TCPS:


lsnrctl status | grep -i "tcps"

🔹 Step 3: Configure SQL*Net for Secure TCPS Connections

Edit sqlnet.ora ($ORACLE_HOME/network/admin/sqlnet.ora) and add the following. Note that SSL_VERSION takes the bare version number (1.2, 1.3, or "1.2 or 1.3"), not the string TLSv1.2:


SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /u01/app/oracle/wallet))
  )
SSL_VERSION = 1.2

📌 Explanation:

  • Disables client certificate authentication (SSL_CLIENT_AUTHENTICATION = FALSE): the server presents a certificate, clients do not. Set it to TRUE only if every client has its own wallet with a certificate the server trusts.
  • Defines the wallet location (WALLET_LOCATION); the same wallet serves the listener and local clients on this host.
  • Pins the protocol to TLS 1.2 (SSL_VERSION = 1.2); leaving it unset lets older versions be negotiated. On 21c and later you can allow 1.3 as well with "1.2 or 1.3".
  • For clients, also set SSL_SERVER_DN_MATCH = TRUE in the client's sqlnet.ora so the server certificate's DN is checked against the service and host; without it a client accepts any certificate chained to a trusted issuer.

🔹 Step 4: Configure TCPS in TNSNAMES.ORA

Edit tnsnames.ora ($ORACLE_HOME/network/admin/tnsnames.ora) to define a TCPS service:


MYDB_SSL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = your-server-ip or hostname)(PORT = 2484))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = ORCL)
    )
    (SECURITY =
      (MY_WALLET_DIRECTORY = /u01/app/oracle/wallet)
    )
  )

📌 Explanation:

  • TCPS protocol enabled (PROTOCOL = TCPS) on the listener's TCPS port.
  • MY_WALLET_DIRECTORY points the client at the wallet holding the trusted server certificate (here the server wallet itself, because client and server share the host). To pin the expected server identity, add SSL_SERVER_CERT_DN with the certificate's full DN to the SECURITY section together with SSL_SERVER_DN_MATCH = TRUE in sqlnet.ora.
  • SERVICE_NAME must be a service the listener actually registers; this page uses yourdb in listener.ora and ORCL here, so substitute your real service name.

🔹 Step 5: Validate TCPS Connection

Run the following to test a TCPS connection (this is from the same host and reuses the server wallet; a real client machine needs its own wallet containing only the trusted server certificate):


sqlplus /nolog
connect system@MYDB_SSL

Verify that the connection is using TCPS:


SELECT sys_context('USERENV', 'NETWORK_PROTOCOL') FROM dual;

📌 Expected Output:


TCPS

If the output shows TCPS, the session is using SSL/TLS. A session that still shows TCP came in over port 1521 unencrypted; if a TCPS connect fails instead, check that the wallet is readable by the listener, that the certificate has not expired, and that the client's wallet trusts the server certificate.
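The three files from Steps 2 to 4 share one parenthesised syntax, and a typo in them only shows up when the listener restarts or a client fails to connect. The following Python script is an added example, not part of the original post and not an Oracle tool: it parses that syntax (nested (KEY = VALUE) groups, repeated keys such as two ADDRESS entries, quoted DN strings) and reports the settings that matter for TCPS: a TCPS endpoint and WALLET_LOCATION in listener.ora, SSL_VERSION pinned to 1.2 or 1.3 and SSL_SERVER_DN_MATCH in sqlnet.ora, and a TCPS address with MY_WALLET_DIRECTORY in the tnsnames alias. The sample files at the bottom are constructed for the example (db1.example.internal, the DN and the wallet path are placeholders); point parse_ora at your real files instead.

```python
"""Added example (not from the original post): parse the parenthesised Oracle Net syntax of
listener.ora, sqlnet.ora and tnsnames.ora and lint the TCPS settings from Steps 2-4.
Sample files are constructed; host, DN and wallet path are placeholders."""
import re
_TOK = re.compile(r'"[^"]*"|[()=]|[^()=\s"]+')   # quoted string | delimiter | bare word

def _tokens(text):
    # (kind, text) pairs; '#' starts a comment; a quoted DN stays one 'word' token.
    out = []
    for line in text.splitlines():
        for t in _TOK.findall(line.split('#', 1)[0]):
            out.append((t, t) if t in ('(', ')', '=') else ('word', t.strip('"')))
    return out

def _expect(toks, i, kind):
    if i >= len(toks) or toks[i][0] != kind:
        raise ValueError(f'expected {kind!r} at token {i}')
    return i + 1

def _add(d, key, val):
    # A repeated key (e.g. several ADDRESS entries) becomes a list of values.
    d[key] = val if key not in d else (d[key] + [val] if isinstance(d[key], list) else [d[key], val])

def _value(toks, i, top_level):
    # A run of '(KEY = VALUE)' groups merged into one dict, or a run of bare words.
    if i < len(toks) and toks[i][0] == '(':
        group = {}
        while i < len(toks) and toks[i][0] == '(':
            i = _expect(toks, i + 1, 'word')        # skip '(' and land after the key
            key = toks[i - 1][1].upper()
            i = _expect(toks, i, '=')
            val, i = _value(toks, i, top_level=False)
            i = _expect(toks, i, ')')
            _add(group, key, val)
        return group, i
    words = []
    while i < len(toks) and toks[i][0] == 'word':
        if top_level and i + 1 < len(toks) and toks[i + 1][0] == '=':
            break                                   # next top-level parameter starts here
        words.append(toks[i][1])
        i += 1
    return ' '.join(words), i

def parse_ora(text):
    """Parse a whole *.ora file into a dict keyed by upper-cased parameter name."""
    toks, i, cfg = _tokens(text), 0, {}
    while i < len(toks):
        i = _expect(toks, i, 'word')
        key = toks[i - 1][1].upper()
        i = _expect(toks, i, '=')
        val, i = _value(toks, i, top_level=True)
        _add(cfg, key, val)
    return cfg

def find_all(node, key):
    """Yield every value stored under KEY at any depth of a parsed descriptor."""
    if isinstance(node, list):
        for item in node:
            yield from find_all(item, key)
    elif isinstance(node, dict):
        for k, v in node.items():
            if k == key:
                yield from (v if isinstance(v, list) else [v])
            else:
                yield from find_all(v, key)

def _has_tcps(node):   # is any ADDRESS under node a TCPS endpoint?
    return any(str(a.get('PROTOCOL', '')).upper() == 'TCPS' for a in find_all(node, 'ADDRESS') if isinstance(a, dict))

def lint_tcps(listener, sqlnet, tns_alias):
    """Findings for parsed listener.ora, sqlnet.ora and one tnsnames alias ([] = matches the guide)."""
    f = []
    if not _has_tcps(listener):
        f.append('listener.ora: no ADDRESS with PROTOCOL=TCPS')
    if 'WALLET_LOCATION' not in listener:
        f.append('listener.ora: WALLET_LOCATION missing, listener has no certificate to present')
    ver = str(sqlnet.get('SSL_VERSION', '')).upper()
    if ver not in {'1.2', '1.3', '1.2 OR 1.3', '1.3 OR 1.2'}:
        f.append(f'sqlnet.ora: SSL_VERSION={ver or "<unset>"}, pin 1.2 or 1.3')
    if str(sqlnet.get('SSL_SERVER_DN_MATCH', '')).upper() not in {'TRUE', 'ON', 'YES'}:
        f.append('sqlnet.ora: SSL_SERVER_DN_MATCH is not TRUE, server identity is not verified')
    if not _has_tcps(tns_alias):
        f.append('tnsnames.ora: alias does not use PROTOCOL=TCPS')
    if not any(isinstance(s, dict) and 'MY_WALLET_DIRECTORY' in s for s in find_all(tns_alias, 'SECURITY')):
        f.append('tnsnames.ora: SECURITY section lacks MY_WALLET_DIRECTORY (no trust store for the client)')
    return f

# Constructed sample files mirroring Steps 2-4 (placeholder host and wallet path).
LISTENER_ORA = """
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /u01/app/oracle/wallet)))
LISTENER = (DESCRIPTION_LIST = (DESCRIPTION =
  (ADDRESS = (PROTOCOL = TCP)(HOST = db1.example.internal)(PORT = 1521))
  (ADDRESS = (PROTOCOL = TCPS)(HOST = db1.example.internal)(PORT = 2484))))"""
SQLNET_WEAK = "SSL_VERSION = 1.0   # weak: TLS 1.0 and no SSL_SERVER_DN_MATCH"
SQLNET_GOOD = "SSL_VERSION = 1.2\nSSL_SERVER_DN_MATCH = TRUE"
TNSNAMES_ORA = """
MYDB_SSL = (DESCRIPTION =
  (ADDRESS = (PROTOCOL = TCPS)(HOST = db1.example.internal)(PORT = 2484))
  (CONNECT_DATA = (SERVICE_NAME = ORCL))
  (SECURITY = (MY_WALLET_DIRECTORY = /u01/app/oracle/wallet)
              (SSL_SERVER_CERT_DN = "CN=db1.example.internal, OU=IT, O=MyCompany")))"""
```

From a Python shell, call lint_tcps(parse_ora(open('listener.ora').read()), parse_ora(open('sqlnet.ora').read()), parse_ora(open('tnsnames.ora').read())['MYDB_SSL']); an empty list means every check passed. With the embedded SQLNET_WEAK the function returns two findings (TLS 1.0 and no DN matching), with SQLNET_GOOD none. The SSL_SERVER_DN_MATCH check is a client-side setting; on the single-host setup in this guide the client and server share one sqlnet.ora, so it is linted there.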

Please like and subscribe to my YouTube channel: https://www.youtube.com/@foalabs. If you like this post, please follow, share and comment.