Configuring SQL*Plus to use SSL with an RDS for Oracle DB instance
Before you connect to an RDS for Oracle DB instance that uses the Oracle SSL option, configure SQL*Plus as described in this section.
Note
To allow access to the DB instance from the appropriate clients, ensure that your security groups are configured correctly. For more information, see Controlling access with security groups. Also, these instructions are for SQL*Plus and other clients that directly use an Oracle home. For JDBC connections, see Setting up an SSL connection over JDBC.
To configure SQL*Plus to use SSL to connect to an RDS for Oracle DB instance
1. Set the ORACLE_HOME environment variable to the location of your Oracle home directory. The path to your Oracle home directory depends on your installation. The following example sets the ORACLE_HOME environment variable.

   prompt>export ORACLE_HOME=/home/user/app/user/product/19.0.0/dbhome_1

   For information about setting Oracle environment variables, see SQL*Plus environment variables in the Oracle documentation, and also see the Oracle installation guide for your operating system.

2. Append $ORACLE_HOME/lib to the LD_LIBRARY_PATH environment variable. The following example sets the LD_LIBRARY_PATH environment variable.

   prompt>export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib

3. Create a directory for the Oracle wallet at $ORACLE_HOME/ssl_wallet. The following example creates the Oracle wallet directory.

   prompt>mkdir $ORACLE_HOME/ssl_wallet

4. Download the certificate bundle .pem file that works for all AWS Regions and put the file in the ssl_wallet directory. For information, see Using SSL/TLS to encrypt a connection to a DB instance or cluster.

5. In the $ORACLE_HOME/network/admin directory, modify or create the tnsnames.ora file and include the following entry. Replace net_service_name with the alias you want to use, endpoint with the endpoint of the DB instance, ssl_port_number with the SSL port configured for the Oracle SSL option, and database_name with the SID of the DB instance.

   net_service_name = (DESCRIPTION =
       (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS) (HOST = endpoint) (PORT = ssl_port_number)))
       (CONNECT_DATA = (SID = database_name))
       (SECURITY = (SSL_SERVER_CERT_DN = "C=US,ST=Washington,L=Seattle,O=Amazon.com,OU=RDS,CN=endpoint"))
   )

   The SSL_SERVER_CERT_DN value must match the distinguished name of the server certificate of the DB instance exactly, with CN set to the same endpoint that you use in HOST. Together with SSL_SERVER_DN_MATCH = ON in sqlnet.ora (step 6), this is what makes SQL*Plus reject a server that presents a certificate for a different name.

6. In the same directory, modify or create the sqlnet.ora file and include the following parameters.

   Note
   To communicate with entities over a TLS secured connection, Oracle requires a wallet with the necessary certificates for authentication. You can use Oracle's ORAPKI utility to create and maintain Oracle wallets, as shown in step 7. For more information, see Setting up Oracle wallet using ORAPKI in the Oracle documentation.

   WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = $ORACLE_HOME/ssl_wallet)))
   SSL_CLIENT_AUTHENTICATION = FALSE
   SSL_VERSION = 1.0
   SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA)
   SSL_SERVER_DN_MATCH = ON

   Note
   In Oracle's naming, SSL_VERSION = 1.0 selects TLS 1.0. You can set SSL_VERSION to a higher value if your DB instance supports it: if the SSL option on the DB instance is configured for TLS 1.2, set SSL_VERSION = 1.2 and a cipher suite that the option allows for TLS 1.2. SSL_CLIENT_AUTHENTICATION = FALSE means only the server authenticates with a certificate; the client does not present one. Keep SSL_SERVER_DN_MATCH = ON, because without it the client does not check that the server certificate belongs to the endpoint you connect to.

7. Run the following command to create the Oracle wallet.

   prompt>orapki wallet create -wallet $ORACLE_HOME/ssl_wallet -auto_login_only

8. Extract each certificate in the .pem bundle file into a separate .pem file using an OS utility.

9. Add each certificate to your wallet using separate orapki commands, replacing certificate-pem-file with the absolute file name of the .pem file.

   prompt>orapki wallet add -wallet $ORACLE_HOME/ssl_wallet -trusted_cert -cert certificate-pem-file -auto_login_only

   For more information, see Rotating your SSL/TLS certificate.
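As an added worked example, not part of the AWS page or of Oracle's tooling, the following script carries out steps 7 through 9 in one pass: it splits the certificate bundle into one .pem file per certificate (the "OS utility" of step 8), checks that the number of files written equals the number of certificates in the bundle, creates the auto-login wallet if it does not exist yet, imports each certificate with its own orapki call, and displays the wallet so that you can confirm the trusted certificates are present. It assumes ORACLE_HOME is set and orapki is on PATH; the bundle path is passed on the command line rather than assumed, and the function names, the certs subdirectory and the cert-N.pem file names are the example's own.

```shell
#!/bin/sh
# Added example (not from the AWS page): steps 7 to 9 as a script.
# Assumes ORACLE_HOME is set and orapki is on PATH. The bundle file name is
# given on the command line, so no file name is assumed here.
set -u

# count_certs FILE: number of certificates (BEGIN CERTIFICATE markers) in FILE.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# split_bundle BUNDLE OUTDIR: write cert-1.pem, cert-2.pem, ... into OUTDIR,
# one file per BEGIN/END CERTIFICATE block. Text outside the markers (comments,
# blank lines) is dropped so it cannot end up inside a certificate file.
# Prints the number of files written.
split_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n); inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { close(out); inside = 0 }
        END                           { print n + 0 }
    ' "$1"
}

# import_certs WALLET CERTDIR: one orapki call per split certificate (step 9).
import_certs() {
    for pem in "$2"/cert-*.pem; do
        orapki wallet add -wallet "$1" -trusted_cert -cert "$pem" -auto_login_only
    done
}

# The procedure runs only when invoked as:
#   sh ssl_wallet.sh --run /path/to/bundle.pem
# so the functions above can be sourced or tested on a host without orapki.
if [ "${1:-}" = "--run" ]; then
    bundle="${2:?usage: $0 --run /path/to/bundle.pem}"
    wallet="$ORACLE_HOME/ssl_wallet"
    certdir="$wallet/certs"

    # Step 8: split, then check nothing was lost.
    n=$(split_bundle "$bundle" "$certdir")
    expected=$(count_certs "$bundle")
    [ "$n" = "$expected" ] || { echo "split $n of $expected certificates" >&2; exit 1; }

    # Step 7: create the wallet once; cwallet.sso is the auto-login wallet file.
    [ -f "$wallet/cwallet.sso" ] || orapki wallet create -wallet "$wallet" -auto_login_only

    # Step 9: import every certificate as a trusted cert.
    import_certs "$wallet" "$certdir"

    # Check: each imported certificate should appear under Trusted Certificates.
    orapki wallet display -wallet "$wallet"
fi
```

After the wallet is populated, connect with sqlplus user@net_service_name and run SELECT SYS_CONTEXT('USERENV', 'NETWORK_PROTOCOL') FROM DUAL; the value tcps confirms that the session is actually using TLS rather than a plain TCP listener.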