Oracle
OneDB supports secure connections for Oracle database traffic through the OneDB Listener. This allows Oracle client applications to connect to OneDB using an encrypted connection before the traffic is forwarded to the target Oracle Database.
Secure Connection is useful when applications are required to protect database communication over the network, especially in environments where security policies require encrypted database connections.
Before You Begin
Before configuring the Oracle client, make sure the following items are already prepared:
- The Oracle Database connection has been registered in OneDB.
- The OneDB Listener has been created for the Oracle connection.
- Secure Connection has been enabled on the OneDB Listener.
- The listener port is open and reachable from the client machine.
- The required Oracle wallet or certificate configuration is available on the Oracle client side.
Listener Configuration in OneDB
In OneDB Web Console, go to the Listener configuration page and create or edit an Oracle listener.
Make sure the following settings are configured:
| Setting | Description |
|---|---|
| Database Type | Oracle |
| Listener Host | OneDB server hostname or IP address |
| Listener Port | Port used by the OneDB Listener |
| Target Connection | Oracle database connection registered in OneDB |
| Secure Connection | Enabled |
After saving the listener configuration, start or reload the listener.
Oracle Client Connection Format
For secure Oracle connections, the client should use the tcps protocol instead of tcp.
Example connection descriptor:
(DESCRIPTION=
(ADDRESS=
(PROTOCOL=tcps)
(HOST=onedb-listener-host)
(PORT=1522)
)
(CONNECT_DATA=
(SERVICE_NAME=ORCLPDB1)
)
)
Replace the following values based on your environment:
| Value | Description |
|---|---|
| onedb-listener-host | Hostname or IP address of the OneDB Listener |
| 1522 | Secure listener port configured in OneDB |
| ORCLPDB1 | Oracle service name |
Example Using SQL*Plus
Oracle clients can connect to the OneDB Listener using SQL*Plus with a TCPS connection string.
Example:
sqlplus app_user/app_password@"(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=onedb-listener-host)(PORT=1522))(CONNECT_DATA=(SERVICE_NAME=ORCLPDB1)))"
Once connected, SQL queries will be routed through the OneDB Listener.
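Example Using Oracle SQL Developer
Export the certificate from the OneDB Listener (this example uses localhost:1946; substitute your listener host and secure port):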
openssl s_client -connect localhost:1946 -servername localhost -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > /tmp/onedb-proxy-cert.pem
Then create a truststore:
keytool -importcert -alias onedb-proxy -file /tmp/onedb-proxy-cert.pem -keystore /tmp/onedb-proxy-truststore.jks -storepass changeit -noprompt
After that, SQL Developer needs to run with the following VM options:
-Djavax.net.ssl.trustStore=/tmp/onedb-proxy-truststore.jks
-Djavax.net.ssl.trustStorePassword=changeit
On macOS, this can usually be placed in the SQL Developer product.conf file, for example:
AddVMOption -Djavax.net.ssl.trustStore=/tmp/onedb-proxy-truststore.jks
AddVMOption -Djavax.net.ssl.trustStorePassword=changeit
Then restart SQL Developer and test again.
Conclusion: A certificate trust failure at this point is not yet a database or authentication error. It is a client-side TLS certificate trust issue. The good sign is that the OneDB secure listener is clearly already responding via TLS.
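The certificate exported with openssl s_client above is taken from the network without authentication, so its SHA-256 fingerprint should be compared with one obtained out of band before it is imported into the truststore. The following is an added example, not part of the original page or of OneDB; the function names and the out-of-band source of the expected fingerprint are assumptions.

```shell
#!/bin/sh
# Added example: fingerprint check before trusting a certificate fetched
# with "openssl s_client". Function names are hypothetical.

# Print the SHA-256 fingerprint of a PEM certificate as lowercase hex
# without colons. Prints nothing if the file is not a readable certificate.
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# Normalize a fingerprint pasted by an operator (colons, spaces, case).
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# verify_pin PEM_FILE EXPECTED_FINGERPRINT
# 0 = match, 1 = mismatch, 2 = unusable input.
verify_pin() {
    pem=$1
    expected=$(normalize_fp "$2")
    actual=$(cert_sha256 "$pem")
    # An unreadable or non-certificate file yields an empty fingerprint.
    [ -n "$actual" ] || { echo "not a readable certificate: $pem" >&2; return 2; }
    # A SHA-256 digest is 64 hex characters; reject anything else.
    [ ${#expected} -eq 64 ] || { echo "expected value is not a SHA-256 fingerprint" >&2; return 2; }
    if [ "$actual" = "$expected" ]; then
        echo "fingerprint matches: $actual"
        return 0
    fi
    echo "MISMATCH: certificate has $actual" >&2
    return 1
}

# Usage (EXPECTED_FP comes from whoever holds the listener certificate):
#   verify_pin /tmp/onedb-proxy-cert.pem "$EXPECTED_FP" && keytool -importcert ...
```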
Example Using JDBC
For Java applications, the JDBC URL can use a TCPS-based Oracle connection descriptor.
Example:
jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=onedb-listener-host)(PORT=1522))(CONNECT_DATA=(SERVICE_NAME=ORCLPDB1)))
Example Spring Boot configuration:
spring.datasource.url=jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=onedb-listener-host)(PORT=1522))(CONNECT_DATA=(SERVICE_NAME=ORCLPDB1)))
spring.datasource.username=app_user
spring.datasource.password=app_password
spring.datasource.driver-class-name=oracle.jdbc.OracleDriver
Oracle Wallet Configuration
For TCPS connections, Oracle clients may require wallet configuration depending on the certificate setup.
Example sqlnet.ora configuration:
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /path/to/oracle/wallet)
)
)
# NO: a server certificate whose DN does not match is still accepted.
SSL_SERVER_DN_MATCH = NO
The wallet directory should contain the required trusted certificate or wallet files used by the Oracle client.
The exact wallet configuration may vary depending on the organization’s Oracle client version, certificate policy, and security requirements.
Testing the Connection
After the listener and Oracle client configuration are ready, test the connection using SQL*Plus or the application connection pool.
Example:
sqlplus app_user/app_password@"(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=onedb-listener-host)(PORT=1522))(CONNECT_DATA=(SERVICE_NAME=ORCLPDB1)))"
Then run a simple query:
SELECT 1 FROM dual;
If the connection is successful, the Oracle client is connected through the OneDB Listener using a secure connection.
Troubleshooting
Unable to connect to the listener
Check that the OneDB Listener is running and the listener port is open from the client machine.
telnet onedb-listener-host 1522
Or:
nc -vz onedb-listener-host 1522
TCPS handshake failed
Check the Oracle wallet or certificate configuration on the client side. Make sure the wallet path is correct and accessible by the Oracle client process.
Invalid service name
Make sure the SERVICE_NAME in the connection descriptor matches the Oracle service name used by the target database.
Example:
(CONNECT_DATA=(SERVICE_NAME=ORCLPDB1))
Application still using TCP
Make sure the client connection string uses:
PROTOCOL=tcps
not:
PROTOCOL=tcp
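A pre-flight check for the two client settings discussed in "Oracle Wallet Configuration" and "Application still using TCP": it confirms that every ADDRESS in a descriptor uses tcps and reports whether SSL_SERVER_DN_MATCH is enforced. This is an added example, not OneDB or Oracle code; the function names and the MIXED sample (including port 1521) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not OneDB or Oracle code). Function names are hypothetical.

# Print every value of keyword $1 found in Oracle Net text $2 (a connect
# descriptor, JDBC URL or sqlnet.ora contents), uppercased, one per line.
# Keywords match case-insensitively; spaces and "#" comments are ignored.
net_values() {
    printf '%s\n' "$2" | sed 's/#.*//' | tr -d ' \t' | tr 'a-z' 'A-Z' |
        grep -o "$1=[^()]*" | cut -d= -f2
}

# 0 = every ADDRESS uses TCPS; 1 = a non-TCPS address exists or none found.
check_protocol() {
    protos=$(net_values PROTOCOL "$1")
    [ -n "$protos" ] || { echo "no PROTOCOL keyword found" >&2; return 1; }
    for p in $protos; do
        [ "$p" = "TCPS" ] || { echo "non-TLS address: PROTOCOL=$p" >&2; return 1; }
    done
    return 0
}

# 0 = DN matching enforced; 1 = explicitly off; 2 = not set in this text.
check_dn_match() {
    case $(net_values SSL_SERVER_DN_MATCH "$1" | head -n 1) in
        YES|ON|TRUE)  return 0 ;;
        NO|OFF|FALSE) echo "SSL_SERVER_DN_MATCH is off" >&2; return 1 ;;
        *)            echo "SSL_SERVER_DN_MATCH is not set" >&2; return 2 ;;
    esac
}

# Constructed samples. GOOD and SQLNET mirror this page; MIXED adds a made-up
# plain-TCP fallback address (port 1521) to show why every ADDRESS is checked.
GOOD='(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=onedb-listener-host)(PORT=1522))(CONNECT_DATA=(SERVICE_NAME=ORCLPDB1)))'
MIXED='(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=tcps)(HOST=onedb-listener-host)(PORT=1522))(ADDRESS=(protocol = tcp)(HOST=onedb-listener-host)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=ORCLPDB1)))'
SQLNET='WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /path/to/oracle/wallet)))
SSL_SERVER_DN_MATCH = NO'

check_protocol "$GOOD"  && echo "GOOD: all addresses use tcps"
check_protocol "$MIXED" || echo "MIXED: rejected"
check_dn_match "$SQLNET" || echo "sqlnet.ora: DN matching not enforced"
```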
Summary
Oracle applications can connect securely to the OneDB Listener using Oracle TCPS. By enabling Secure Connection on the listener and configuring the Oracle client to use a TCPS connection descriptor, database traffic from the application to OneDB can be protected over the network.
This setup is recommended for environments that require encrypted database connectivity and stronger protection between applications and database access points.