Java Connectivity to Oracle Autonomous Database on Shared Exadata Infrastructure (ADB-S)
Oracle Autonomous Database allows both one-way TLS and mutual TLS (mTLS) connections, the default being the latter. Refer to QuickStart with Autonomous Database for detailed steps for using one-way TLS or mutual TLS (using Oracle Wallets) to connect to the Autonomous Database.
Recommended Oracle JDBC Drivers
Oracle recommends using the latest Oracle JDBC version 19c, which is the Long Term Release. Alternatively, you can use the latest Oracle JDBC version 21c if you require its new features. 21c is an Innovation Release. Refer to page 6 of Lifetime Support Policy for more details about the support.
Recent Changes to ADB-S connectivity
DigiCert retired the Organizational Unit (OU) field for all public TLS/SSL certificates to comply with industry standards as of August 2022 per their announcement. This means that the public TLS/SSL certificates issued by DigiCert will no longer have an OU field. Refer to MOS note 2911553.1 for details.
To avoid disruption to applications connecting to Oracle Autonomous Database on Shared Exadata Infrastructure (ADB-S) during the server-side certificate change while preserving security, you must use hostname-based matching (a.k.a. Domain Name (DN) matching) of the server certificate (for TLS server authentication).
The following versions of JDBC-thin support hostname-based matching:
- 21.6 (or later) or 19.15 (or later). These are the recommended versions that support "(security=(ssl_server_dn_match=yes))" in the TNS connection string.
- Other versions require that you turn on hostname-based matching explicitly (see last bullet point). Refer to Oracle JDBC Drivers Archive page for old versions.
  - 21.5 (or before) and 19.14 (or before)
  - 18.21.0.0-patched-for-bug-28492769 and 12.2.0.1-Patched-for-bug-28492769
  - 12.1.0.2 and 11.2.0.4 with patch for bugs 28492769 and 19030178 (for hostname-based matching and TLS v1.2 support)
  - You must also explicitly turn on DN matching using one of the methods below:
    - programmatically: prop.setProperty("oracle.net.ssl_server_dn_match", "true"), or
    - setting a Java system property: -Doracle.net.ssl_server_dn_match=true
An additional step is required if you have changed the ADB-S connection string
ADB-S connect strings contain a hostname "...(HOST=xyz)..." which depends on the region. For example, in the Chicago region the hostname would be "adb.us-chicago-1.oraclecloud.com". If you have replaced the default hostname with an IP address or a custom hostname, then hostname-based DN matching will fail. The solution is to add a new entry to your /etc/hosts file using the original ADB-S domain suffix. Your connection string should then use this new name. For example, add an entry "localtunnel.adb.us-chicago-1.oraclecloud.com" that resolves to your custom IP address and use that name in the JDBC connection string.
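The two conditions above (DN matching turned on, and a HOST that still carries the ADB-S domain suffix) can be checked offline before deployment. The following is an added example, not Oracle's code: the class name, the sample descriptors, the service name and the 10.0.0.5 address are constructed, and the accepted values yes/on/true for ssl_server_dn_match are an assumption beyond the "yes" shown on this page.

```java
import java.util.*;
import java.util.regex.*;

/** Added example: offline preflight for the DN-matching rules described above. */
public class DnMatchPreflight {
    private static final Pattern HOST =
        Pattern.compile("\\(\\s*host\\s*=\\s*([^)\\s]+)\\s*\\)", Pattern.CASE_INSENSITIVE);
    private static final Pattern DN_MATCH =
        Pattern.compile("\\(\\s*ssl_server_dn_match\\s*=\\s*(yes|on|true)\\s*\\)", Pattern.CASE_INSENSITIVE);
    private static final Pattern IPV4 = Pattern.compile("\\d{1,3}(\\.\\d{1,3}){3}");

    /** Returns findings; an empty list means the configuration passes both checks. */
    static List<String> check(String descriptor, String adbSuffix, Properties props) {
        List<String> findings = new ArrayList<>();
        // DN matching can be enabled in the descriptor, a connection property, or a -D system property.
        boolean enabled = DN_MATCH.matcher(descriptor).find()
            || "true".equalsIgnoreCase(props.getProperty("oracle.net.ssl_server_dn_match"))
            || Boolean.getBoolean("oracle.net.ssl_server_dn_match");
        if (!enabled) findings.add("DN matching is not enabled");
        Matcher m = HOST.matcher(descriptor);
        if (!m.find()) {
            findings.add("no (HOST=...) found");
            return findings;
        }
        String host = m.group(1).toLowerCase(Locale.ROOT);
        if (IPV4.matcher(host).matches() || host.contains(":")) {
            findings.add("HOST " + host + " is an IP literal; hostname-based matching will fail");
        } else if (!host.equals(adbSuffix) && !host.endsWith("." + adbSuffix)) {
            findings.add("HOST " + host + " does not end with " + adbSuffix);
        }
        return findings;
    }

    public static void main(String[] args) {
        String suffix = "adb.us-chicago-1.oraclecloud.com"; // region hostname from the page
        String tail = ")(connect_data=(service_name=example_svc))"; // constructed placeholder
        String[] descriptors = { // constructed sample descriptors
            "(description=(address=(protocol=tcps)(port=1522)(host=" + suffix + ")" + tail
                + "(security=(ssl_server_dn_match=yes)))",
            "(description=(address=(protocol=tcps)(port=1522)(host=10.0.0.5)" + tail + ")",
            "(description=(address=(protocol=tcps)(port=1522)(host=localtunnel." + suffix + ")" + tail
                + "(security=(ssl_server_dn_match=yes)))",
        };
        for (String d : descriptors) {
            List<String> f = check(d, suffix, new Properties());
            System.out.println((f.isEmpty() ? "OK   " : "FAIL ") + f + "  <- " + d);
        }
    }
}
```

For drivers that need the explicit setting, pass a Properties object containing oracle.net.ssl_server_dn_match=true to check() in place of the empty one used here.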
Additional Resources