Oracle Wallets for mTLS
A hands-on guide to configuring Oracle wallets for secure mutual TLS (mTLS) connections using existing PEM keys and certificates with OpenSSL and orapki.
A few days ago, I configured an Oracle wallet to establish mutual TLS (mTLS) connections for a client.
Mutual TLS is a more secure variation of TLS where both the client and the server authenticate each other using certificates.
It's widely used in environments where secure, authenticated communication is critical, such as APIs between internal services or business partners.
In this post, I'll walk you through the steps I used to configure an Oracle wallet from an existing private key and certificates using OpenSSL and orapki.
This method is especially useful when you're provided with PEM-format certificates and keys and need to get them into a format Oracle can use.
1. Generate a P12 File with OpenSSL
The first step is to combine the private key, public certificate, and the root CA into a single .p12 file (PKCS#12), which Oracle tools can import:
openssl pkcs12 -export \
-in /u01/app/oracle/product/19.0.0/orcl/wallet/yourapi.domain.com.crt \
-inkey /u01/app/oracle/product/19.0.0/orcl/wallet/yourapi.domain.com.key \
-certfile /u01/app/oracle/product/19.0.0/orcl/wallet/rootca.crt \
-out openssl.p12
You'll be prompted to set a password for this file. Keep it handy — you'll need it in the next steps.
2. Create a Wallet with Auto Login
Use orapki to create the wallet directory and enable auto-login, which allows the Oracle DB to use the wallet without needing a password at runtime:
orapki wallet create \
-wallet /u01/app/oracle/product/19.0.0/orcl/wallet \
-pwd <PASSWORD> \
-auto_login
Replace <PASSWORD> with your secure wallet password.
3. Import the P12 File into the Wallet
Now, import the .p12 file you created using OpenSSL:
cd /u01/app/oracle/product/19.0.0/orcl/wallet
orapki wallet import_pkcs12 -wallet . -pkcs12file openssl.p12
This will extract the private key and certificates into the Oracle wallet format.
4. Validate the Wallet Contents
Check that the wallet contains what you expect:
orapki wallet display -wallet /u01/app/oracle/product/19.0.0/orcl/wallet
You should see the subject and issuer for each certificate, including the trusted CA and the identity certificate.
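The four shell steps above, collected into one script as an added example that is not part of the original post. It puts two pre-flight checks in front of the PKCS#12 export (does the private key actually belong to the certificate, and does the certificate chain to the supplied root CA), counts the certificates inside the resulting bundle, and runs the orapki create/import/display steps only when orapki is on PATH. Everything it needs is constructed inline: the make_test_material function builds a throwaway root CA, a leaf signed by it, and an unrelated key, so the checks can be exercised without real customer material. The function names and the `-pwd`/`-pkcs12pwd` usage are this example's own choices; the orapki subcommands are the ones the post uses.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks on PEM
# material before it is bundled into the PKCS#12 file that orapki imports.
# Assumes openssl is on PATH. orapki is optional: the wallet functions run
# only when it is found. make_test_material builds a throwaway CA and leaf
# (constructed test data) so the checks can be exercised without real keys.
set -eu

# Succeeds when the private key's public half is identical to the one in
# the certificate. A mismatch here is the classic cause of a wallet that
# imports cleanly but then fails the TLS handshake.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the leaf certificate ($2) verifies against the root CA ($1).
cert_chains_to_root() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The post's step 1 with the checks in front: bundle key, leaf and root CA
# into a PKCS#12 file, and refuse to build a bundle that cannot work.
build_p12() {
  cert="$1"; key="$2"; root="$3"; out="$4"; pass="$5"
  key_matches_cert "$cert" "$key" \
    || { echo "refusing: private key does not match $cert" >&2; return 1; }
  cert_chains_to_root "$root" "$cert" \
    || { echo "refusing: $cert does not chain to $root" >&2; return 1; }
  openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$root" \
    -out "$out" -passout "pass:$pass"
}

# Number of certificates inside a bundle: 2 expected (leaf plus root CA).
p12_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# The post's steps 2 to 4, run only where orapki exists. orapki prompts for
# the passwords when -pwd/-pkcs12pwd are omitted; passing them on the command
# line makes them visible in process listings, so prefer the prompt on shared hosts.
import_into_wallet() {
  wallet="$1"; p12="$2"; wallet_pass="$3"; p12_pass="$4"
  command -v orapki >/dev/null 2>&1 \
    || { echo "orapki not on PATH; skipping wallet steps" >&2; return 0; }
  orapki wallet create -wallet "$wallet" -pwd "$wallet_pass" -auto_login
  orapki wallet import_pkcs12 -wallet "$wallet" -pwd "$wallet_pass" \
    -pkcs12file "$p12" -pkcs12pwd "$p12_pass"
  orapki wallet display -wallet "$wallet"
}

# Constructed test data: a throwaway root CA, a leaf it signs, and an
# unrelated key so the mismatch check can be seen firing.
make_test_material() {
  d="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$d/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root CA" \
    -keyout "$d/rootca.key" -out "$d/rootca.csr" 2>/dev/null
  openssl x509 -req -in "$d/rootca.csr" -signkey "$d/rootca.key" -days 1 \
    -extfile "$d/ca.ext" -out "$d/rootca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=yourapi.domain.com" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/rootca.crt" -CAkey "$d/rootca.key" \
    -CAcreateserial -days 1 -out "$d/leaf.crt" 2>/dev/null
  openssl genpkey -algorithm RSA -out "$d/other.key" 2>/dev/null
}

# Stand-alone use: sh p12check.sh leaf.crt leaf.key rootca.crt openssl.p12 <p12 password>
if [ "$#" -eq 5 ]; then
  build_p12 "$1" "$2" "$3" "$4" "$5"
  echo "certificates in $4: $(p12_cert_count "$4" "$5")"
fi
```

Two practical notes. The wallet only enables mTLS if the bundle carries the private key, so a `p12_cert_count` of 2 is necessary but not sufficient; `orapki wallet display` should list the identity certificate as a user certificate, not only as a trusted one. And if orapki rejects a bundle produced by OpenSSL 3.x, the usual cause is that it cannot read OpenSSL 3's default AES-256/PBKDF2 encryption; re-exporting with `openssl pkcs12 -export -legacy ...` (or the explicit `-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1` options) produces a file older orapki builds accept.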
5. Test the HTTPS Connection from the Database
Finally, configure your Oracle session to use the wallet and test the mTLS connection using UTL_HTTP:
EXEC UTL_HTTP.set_wallet('file:/u01/app/oracle/product/19.0.0/orcl/wallet');
SELECT utl_http.request('https://yourapi.domain.com/api/') FROM dual;
If everything is working correctly, you should get a valid response from the API.
Conclusion
Setting up mTLS with Oracle wallets can be a bit tricky when you're working from raw certificate files, but with OpenSSL and orapki, it's straightforward once you know the steps.
This method has proven reliable in production scenarios, especially when integrating secure APIs with Oracle databases.