Securely Connect .NET to Oracle Autonomous Database without a Wallet or Client Configuration Files

Alex Keh
Published in Oracle Developers
5 min read · Jan 25, 2022

For Oracle Autonomous Database — Shared (ADB-S) developers, it’s become easier to connect with one-way Transport Layer Security (TLS) connectivity without wallets. Now, there are two ways to connect from .NET to ADB-S.

  • Mutual TLS (mTLS) — both client and server authenticate each other
  • One-Way TLS (TLS) — just the client authenticates the server

In this blog post, I discuss the differences between the two connectivity options, walk you through walletless TLS ADB-S connectivity setup, and show how to go one step further and stop deploying Oracle client configuration files (tnsnames.ora and sqlnet.ora) with your .NET ADB-S apps. By the end, your .NET apps will be able to connect to ADB-S without deploying any Oracle wallet or configuration file.

Comparing mTLS and TLS with ADB-S

Both mTLS and TLS provide encrypted, server-authenticated connections to ADB-S. The key difference is that mTLS requires a client-side wallet, while TLS does not. The wallet, which holds the client certificate and trust material, is typically downloaded from the ADB-S management console or tools for each client, and the .NET app must be able to read it to connect via mTLS. With TLS, no wallet has to be distributed, protected or rotated on the client side, and connection latency is lower than with mTLS.

Even without a wallet, a TLS connection still authenticates the server through its certificate and still encrypts the traffic. What one-way TLS gives up is certificate-based authentication of the client, which now rests on the database credentials alone. ADB-S compensates at the network layer: administrators must define a public endpoint Access Control List (ACL) of clients allowed to connect, or use a private endpoint, before TLS can be enabled. The ACL can include IP addresses, Classless Inter-Domain Routing (CIDR) blocks, and Virtual Cloud Networks (VCNs). Any connection from outside the ACL must use mTLS. Thus, TLS requires ACL administration that mTLS does not, and the ACL should be kept as narrow as the client population allows.

mTLS remains the default ADB-S connectivity option. An administrator must explicitly enable TLS and update the ACL for clients to use it. Once TLS is enabled, TLS and mTLS ADB-S connections can co-exist.

Oracle Data Provider for .NET (ODP.NET) supports walletless TLS starting from the following versions:

  • ODP.NET Core — 19.13 and 21.4
  • Managed ODP.NET — 19.13 and 21.4
  • Unmanaged ODP.NET — 19.14 and 21.5

If you plan to use ODP.NET TLS without wallets, be sure to use one of these versions or higher.

TLS Setup Without Wallets

Using walletless TLS and public endpoints requires a few configuration steps. Here’s what to do:

1. Log into the Oracle Cloud console. Next, select the ADB-S instance that you want to enable TLS for. In the Network section, click the “Edit” link on the Access Control List line.

2. Add the IP addresses, CIDR blocks, and/or VCNs allowed to connect to this ADB-S instance and then click the “Save Changes” button.

3. After saving, you will be back on the ADB-S instance console page. In the Network section, click the “Edit” link on the Mutual TLS (mTLS) Authentication line.

4. Uncheck the Require mutual TLS (mTLS) authentication box and click the “Save Changes” button.

ODP.NET apps running at the specified IP addresses, CIDR blocks, or VCNs can now connect to the ADB-S instance via TLS without a wallet.

Eliminate Oracle Client File Deployment

So far, we have learned how to set up walletless ODP.NET ADB-S connectivity. We can simplify client deployment even further by eliminating all Oracle configuration file distribution. That saves you from having to deploy tnsnames.ora and sqlnet.ora alongside each ODP.NET app.

5. From the ADB-S instance console page, click on the “DB Connection” button near the top.

6. In the Connection Strings section, choose “TLS” from the TLS Authentication drop down box. This selection provides a full connect descriptor for each of the ADB-S TNS names, the same content a tnsnames.ora entry would hold, including the security settings (such as ssl_server_dn_match) that would otherwise live in sqlnet.ora. Click on the “Copy” link next to the connection string text value you want to use.

Connect with No Oracle Client Files Deployed

The connection string can be pasted in the ODP.NET connection string “Data Source” attribute. Here’s a sample ODP.NET Core console app that connects to ADB-S without a wallet.

Note the TLS connection string uses quotation marks around the distinguished name value. When you save the TLS connection string in a regular .NET string literal, add a backslash (\) escape sequence before each quotation mark. The escape sequence lets .NET recognize the quotation mark as part of the connection string instead of the end of the string literal. (In a C# verbatim string, written @"...", the quotation marks are doubled instead.)
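As an added example, not the post’s own sample app, here is a minimal ODP.NET Core console program that pastes a copied TLS connect descriptor into Data Source and then confirms that the session really runs over tcps (Oracle Net’s name for TLS). It assumes the Oracle.ManagedDataAccess.Core NuGet package (ODP.NET Core 21.4 or later) and reads the user ID and password from environment variables; the host, port, service name and distinguished name are placeholders with the shape of the console’s TLS string, not a real instance.

```csharp
// Added example, not code from the original post. Assumes the Oracle.ManagedDataAccess.Core
// NuGet package (ODP.NET Core 21.4 or later); no tnsnames.ora, sqlnet.ora or wallet is used.
using System;
using Oracle.ManagedDataAccess.Client;

class WalletlessTlsDemo
{
    // Placeholder connect descriptor in the shape of the "TLS" string copied from the
    // ADB-S console (step 6). Replace host, port, service_name and ssl_server_cert_dn with
    // the values for your own instance. Every quotation mark inside the descriptor is
    // escaped with a backslash so C# keeps it as part of the string.
    const string DataSource =
        "(description=(retry_count=20)(retry_delay=3)" +
        "(address=(protocol=tcps)(port=1521)(host=adb.example-region.oraclecloud.com))" +
        "(connect_data=(service_name=example_mydb_high.adb.oraclecloud.com))" +
        "(security=(ssl_server_dn_match=yes)" +
        "(ssl_server_cert_dn=\"CN=adb.example-region.oraclecloud.com, O=Oracle Corporation, " +
        "L=Redwood City, ST=California, C=US\")))";

    static int Main()
    {
        // Credentials come from the environment, not from source control.
        string user = Environment.GetEnvironmentVariable("ADB_USER") ?? "ADMIN";
        string password = Environment.GetEnvironmentVariable("ADB_PASSWORD");
        if (string.IsNullOrEmpty(password))
        {
            Console.Error.WriteLine("Set ADB_PASSWORD (and optionally ADB_USER) before running.");
            return 2;
        }

        // The descriptor goes straight into Data Source, exactly as the post describes.
        // Nothing here sets OracleConfiguration.TnsAdmin or OracleConfiguration.WalletLocation.
        string connectionString = $"User Id={user};Password={password};Data Source={DataSource}";

        try
        {
            using var con = new OracleConnection(connectionString);
            con.Open();

            // Ask the server which Oracle Net protocol and service this session is using.
            using var cmd = con.CreateCommand();
            cmd.CommandText =
                "SELECT sys_context('USERENV', 'NETWORK_PROTOCOL'), " +
                "       sys_context('USERENV', 'SERVICE_NAME') FROM dual";
            using var rdr = cmd.ExecuteReader();
            rdr.Read();
            string protocol = rdr.GetString(0);
            Console.WriteLine(
                $"Connected to {rdr.GetString(1)} (Oracle {con.ServerVersion}) over {protocol}");

            // tcps is the Oracle Net protocol name for TLS; anything else means the
            // session is not encrypted, so refuse to go on.
            if (!string.Equals(protocol, "tcps", StringComparison.OrdinalIgnoreCase))
            {
                Console.Error.WriteLine("Session is not using TLS; aborting.");
                return 1;
            }
            return 0;
        }
        catch (OracleException ex)
        {
            // A client outside the ACL, an unreachable host, wrong credentials or a
            // server DN that does not match ssl_server_cert_dn all surface here.
            Console.Error.WriteLine($"ORA-{ex.Number:D5}: {ex.Message}");
            return 1;
        }
    }
}
```

The NETWORK_PROTOCOL check is the cheap way to prove to yourself (and to an auditor) that a walletless connection is encrypted rather than taking the connect descriptor on faith; the DN comparison enforced by ssl_server_dn_match=yes is what stops a different host that presents some other valid certificate from being accepted as your instance.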

Once you supply the “User Id” and “Password” values, you can run the app to connect to your ADB-S instance from a machine on the ACL. You should see a result similar to the following:

If you examine the code, you will see there is no need to set OracleConfiguration.TnsAdmin or OracleConfiguration.WalletLocation, since the Oracle client configuration files and wallet are no longer needed: the connect descriptor carries the network and security settings, and the server’s certificate chains to a public certificate authority, so its trust anchor does not have to ship in a wallet.

You now have a secure ODP.NET connection to ADB-S with no client configuration file deployment.

Join the conversation!

If you’re curious about the goings-on of Oracle Developers in their natural habitat, come join us on our public Slack channel! We don’t mind being your fish bowl 🐠


Alex Keh is a senior principal product manager at Oracle focusing on data access and database integration with .NET, Windows, and the cloud.