Configuring SQL*Plus to use SSL with an RDS for Oracle DB instance
Before you can connect to an RDS for Oracle DB instance that uses the Oracle SSL option, you must configure SQL*Plus.
To configure SQL*Plus to use SSL to connect to an RDS for Oracle DB instance
1. Set the ORACLE_HOME environment variable to the location of your Oracle home directory.
The path to your Oracle home directory depends on your installation. The following example sets the ORACLE_HOME environment variable.
prompt>export ORACLE_HOME=/home/user/app/user/product/19.0.0/dbhome_1
For information about setting Oracle environment variables, see SQL*Plus environment variables in the Oracle documentation, and also see the Oracle installation guide for your operating system.
2. Append $ORACLE_HOME/lib to the LD_LIBRARY_PATH environment variable.
The following is an example that sets the LD_LIBRARY_PATH environment variable.
prompt>export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib
3. Create a directory for the Oracle wallet at $ORACLE_HOME/ssl_wallet.
The following is an example that creates the Oracle wallet directory.
prompt>mkdir $ORACLE_HOME/ssl_wallet
4. Download the certificate bundle .pem file that works for all AWS Regions and put the file in the ssl_wallet directory. For information, see Using SSL/TLS to encrypt a connection to a DB instance or cluster.
5. In the $ORACLE_HOME/network/admin directory, modify or create the tnsnames.ora file and include the following entry.
net_service_name =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS =
        (PROTOCOL = TCPS)
        (HOST = endpoint)
        (PORT = ssl_port_number)
      )
    )
    (CONNECT_DATA =
      (SID = database_name)
    )
    (SECURITY =
      (SSL_SERVER_CERT_DN = "C=US,ST=Washington,L=Seattle,O=Amazon.com,OU=RDS,CN=endpoint")
    )
  )
6. In the same directory, modify or create the sqlnet.ora file and include the following parameters.
Note
To communicate with entities over a TLS secured connection, Oracle requires a wallet with the necessary certificates for authentication. You can use Oracle's ORAPKI utility to create and maintain Oracle wallets, as shown in step 7. For more information, see Setting up Oracle wallet using ORAPKI in the Oracle documentation.
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = $ORACLE_HOME/ssl_wallet)))
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_VERSION = 1.0
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA)
SSL_SERVER_DN_MATCH = ON
Note
You can set SSL_VERSION to a higher value if your DB instance supports it.
7. Run the following command to create the Oracle wallet.
prompt>orapki wallet create -wallet $ORACLE_HOME/ssl_wallet -auto_login_only
8. Extract each certificate in the .pem bundle file into a separate .pem file using an OS utility.
9. Add each certificate to your wallet using separate orapki commands, replacing certificate-pem-file with the absolute file name of the .pem file.
prompt>orapki wallet add -wallet $ORACLE_HOME/ssl_wallet -trusted_cert -cert certificate-pem-file -auto_login_only
For more information, see Rotating your SSL/TLS certificate.
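Steps 8 and 9 as a script, added here as an example and not taken from the AWS documentation: it splits the downloaded bundle into one file per certificate and runs the orapki command from step 9 on each. The function names, the cert-NNN.pem file naming, and the openssl parse check are assumptions of this example.

```sh
#!/bin/sh
# Added example: split a PEM bundle (step 8) and load each certificate
# into the Oracle wallet (step 9). Function and file names are illustrative.

# split_pem_bundle BUNDLE OUTDIR
# Writes OUTDIR/cert-001.pem, cert-002.pem, ... and prints how many were found.
# Text outside BEGIN/END CERTIFICATE markers is dropped.
split_pem_bundle() {
    spb_bundle=$1
    spb_outdir=$2
    mkdir -p "$spb_outdir" || return 1
    awk -v dir="$spb_outdir" '
        /-----BEGIN CERTIFICATE-----/ {
            n++
            out = sprintf("%s/cert-%03d.pem", dir, n)
            writing = 1
        }
        writing { print > out }
        /-----END CERTIFICATE-----/ {
            writing = 0
            close(out)   # the bundle holds many certificates; do not leak file handles
        }
        END { print n + 0 }
    ' "$spb_bundle"
}

# add_certs_to_wallet CERTDIR WALLET
# Runs the orapki command from step 9 once per certificate file.
add_certs_to_wallet() {
    acw_dir=$(cd "$1" && pwd) || return 1   # orapki is given an absolute file name
    acw_wallet=$2
    for acw_pem in "$acw_dir"/cert-*.pem; do
        [ -f "$acw_pem" ] || continue
        # Extra check (not in the original steps): refuse files that do not parse as X.509.
        openssl x509 -in "$acw_pem" -noout || { echo "not a certificate: $acw_pem" >&2; return 1; }
        orapki wallet add -wallet "$acw_wallet" -trusted_cert -cert "$acw_pem" -auto_login_only || return 1
    done
}

# Usage: sh load_wallet.sh /path/to/bundle.pem "$ORACLE_HOME/ssl_wallet"
if [ "$#" -eq 2 ]; then
    workdir=$(mktemp -d) || exit 1
    count=$(split_pem_bundle "$1" "$workdir") || exit 1
    echo "found $count certificates in $1"
    add_certs_to_wallet "$workdir" "$2"
fi
```

Run it after step 7 has created the wallet; the certificate count it prints should match the number of BEGIN CERTIFICATE markers in the bundle.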