How to Use Gradual Wallet Rotation in Autonomous Database

August 2, 2022 | 4 minute read
Can Tuzla
Principal Product Manager

Connections to Autonomous Database (ADB) are always end-to-end encrypted using the Transport Layer Security (TLSv1.2) protocol. As we covered in one of my earlier blog posts, ADB uses mutual TLS (mTLS) by default regardless of your network configuration, so both the client and the database verify each other’s certificates. For the server to authenticate the client, any client connecting to an ADB instance must present client credentials, which are downloaded as a zip file containing the SSO wallet, keystore, truststore, and network configuration files. Therefore, you need to download a wallet to connect to your Autonomous Database when using mTLS.

When we talk about wallets or wallet-based connections to ADB, one of the first things that comes to mind is wallet rotation. Depending on the use case, it can play a very important role in database lifecycle management. You may want to rotate your instance or regional wallet so that your current wallet is immediately invalidated if you think it could be compromised. Another (and more common) use case is to rotate your wallet periodically, every 3 or 6 months, for compliance reasons. For this second use case, one of the key customer requirements is to cause no disruption to the application or the existing database connections. In other words, switching from the old wallet to the new one needs to be seamless, with no downtime. In this blog post, I want to demonstrate how to do a gradual wallet rotation in ADB in just a few simple steps. However, before we begin, I’d like to recommend checking out TLS (aka one-way TLS) authentication, which has many benefits in addition to eliminating the need to maintain a wallet, as listed here.

Here are the steps that we will follow:

  • Rotate existing instance wallet with a grace period
  • Connect to the database using both wallets before the grace period ends
  • Try connecting to the database using the old wallet after the grace period ends

Rotate existing instance wallet with a grace period

For my ADB instance, adwfinance, I have already downloaded the instance wallet and named it Wallet_adwfinance_old.zip (I added ‘old’ as a suffix since I’ll be rotating it shortly). To rotate my wallet (the new one will be named Wallet_adwfinance_new.zip), I go to DB Connection on the ADB details page and click the ‘Rotate Wallet’ button, which opens the following pop-up:

[Screenshot: the Rotate Wallet pop-up]

As we discussed earlier, there are two options for rotating a wallet. If you want your existing wallet to be invalidated immediately, choose ‘Immediately’. If you want your existing wallet to remain valid for up to 24 hours after the rotation, choose the ‘After a grace period’ option and specify the grace period. For this demonstration, I chose to rotate my wallet with a 1-hour grace period. Then I downloaded the new wallet.

Connect to the database using both wallets before the grace period ends

Now that I have rotated my wallet with a 1-hour grace period, I should be able to connect to my database using either the old or the new wallet. Let’s try the new wallet first:

ctuzla-mac:bin ctuzla$ ./sql /nolog

SQLcl: Release 20.2 Production on Mon Aug 01 09:17:27 2022

Copyright (c) 1982, 2022, Oracle.  All rights reserved.


SQL> set cloudconfig /Users/ctuzla/Downloads/Wallet_adwfinance_new.zip

Operation is successfully completed.

SQL> connect ADMIN@adwfinance_low
Password? (**********?) ************


Connected.
SQL> select * from dual;


DUMMY 
________ 
X        

Next, I’ll connect with my old wallet:

ctuzla-mac:bin ctuzla$ ./sql /nolog

SQLcl: Release 20.2 Production on Mon Aug 01 09:18:10 2022

Copyright (c) 1982, 2022, Oracle.  All rights reserved.


SQL> set cloudconfig /Users/ctuzla/Downloads/Wallet_adwfinance_old.zip

Operation is successfully completed.

SQL> connect ADMIN@adwfinance_low
Password? (**********?) ************


Connected.
SQL> select * from dual;


DUMMY 
________ 
X        

As expected, I can use either wallet to connect to my database while I’m still within the grace period.

Try connecting to the database using the old wallet after the grace period ends

Before concluding this post, I also want to show that once the grace period ends, I can no longer use my old wallet:

ctuzla-mac:bin ctuzla$ ./sql /nolog

SQLcl: Release 20.2 Production on Mon Aug 01 11:41:35 2022

Copyright (c) 1982, 2022, Oracle.  All rights reserved.


SQL> set cloudconfig /Users/ctuzla/Downloads/Wallet_adwfinance_old.zip

Operation is successfully completed.

SQL> connect ADMIN@adwfinance_low
Password? (**********?) ************


  USER          = ADMIN
  URL           = jdbc:oracle:thin:@adwfinance_low
  Error Message = Listener refused the connection with the following error:
ORA-12529, TNS:connect request rejected based on current filtering rules

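To make the two connection checks above repeatable (both wallets during the grace period, then the old wallet after it), here is a small script; it is an added example, not code from the original post, and it assumes SQLcl's `sql` is on PATH, the ADMIN password is supplied in `ADB_PASSWORD`, and the post's wallet zip names and service name are passed as arguments (the function names are mine).

```shell
#!/usr/bin/env bash
# Added example, not from the original post: probe the service through each
# wallet zip with SQLcl and classify the outcome. Assumptions: SQLcl's `sql`
# is on PATH, the ADMIN password is in $ADB_PASSWORD, wallet paths and the
# service name come as arguments; function names are mine.

# The probe query assembles its marker at runtime so the literal never appears
# in the submitted SQL text; seeing it in the output proves the query ran.
PROBE_SQL="select 'WALLET_' || 'OK' as probe from dual;"

# Map SQLcl output to a verdict. ORA-12529 is the listener rejection the post
# shows once the old wallet is past its grace period.
classify_sqlcl_output() {
  case "$1" in
    *ORA-12529*)  echo "rejected-by-listener" ;;
    *WALLET_OK*)  echo "accepted" ;;
    *ORA-*)       echo "other-ora-error" ;;   # e.g. bad password, wrong service
    *)            echo "unknown" ;;
  esac
}

# One connection attempt: set cloudconfig, connect, run the probe query.
# Prints "<wallet><TAB><verdict>"; exit status 0 only when the wallet is accepted.
probe_wallet() {
  local wallet="$1" service="$2" user="${3:-ADMIN}"
  local out verdict
  out=$(printf 'set cloudconfig %s\nconnect %s/"%s"@%s\n%s\nexit\n' \
          "$wallet" "$user" "${ADB_PASSWORD:?set ADB_PASSWORD}" "$service" "$PROBE_SQL" \
        | sql -S /nolog 2>&1)
  verdict=$(classify_sqlcl_output "$out")
  printf '%s\t%s\n' "$wallet" "$verdict"
  [ "$verdict" = "accepted" ]
}

# Usage: ADB_PASSWORD=... ./probe_wallets.sh --run adwfinance_low \
#            Wallet_adwfinance_old.zip Wallet_adwfinance_new.zip
# Inside the grace period both lines should read "accepted"; afterwards the
# old wallet should read "rejected-by-listener" and the new one "accepted".
if [ "${1:-}" = "--run" ]; then
  service="$2"; shift 2
  for w in "$@"; do probe_wallet "$w" "$service" || true; done
fi
```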

That’s it! Wallet rotation with a grace period is a simple but extremely useful feature for customers who use wallet-based connections (i.e. mTLS authentication) and want to perform a wallet rotation with no downtime. For more details on this feature, please check out the documentation, and if you are interested in a wallet-free Autonomous Database, our documentation has got you covered as well.


Can Tuzla

Principal Product Manager

Can is a Principal Product Manager for Oracle Autonomous Database (ADB-S) and has been with the company since 2014. Prior to joining the ADB-S team, he worked on the Oracle Multitenant and Oracle Query Optimizer teams. Can holds a MS (Computer Science) from Case Western Reserve University and a BS (Computer Engineering) from Bilkent University.

