Oracle Autonomous Database authentication guide

Oracle Autonomous Databases, including Autonomous Data Warehouse and Autonomous Transaction Processing, require mutual TLS (mTLS) for all client connections. This authentication method ensures that both the client and the server verify each other using certificates, rather than relying solely on passwords.

To establish an mTLS connection, you must provide an Oracle Wallet, which contains the certificates and private keys required for authentication. The wallet file, cwallet.sso, doesn't include database usernames or passwords, these must still be entered separately in the connector configuration.

Note

Wallet file support is currently available only for Hybrid SaaS agents.
File upload is not supported for Full SaaS agents.

This document describes how to:

Obtain the Oracle Wallet file, cwallet.sso, from the Oracle Cloud Console.
Configure the JDBC Load connector to use the wallet file for secure connections.
Identify prerequisites.

Obtaining the Oracle Wallet files

To obtain the Oracle Wallet file for your Autonomous Database, follow these steps:

Sign in to the Oracle Cloud Console.
Navigate to your Autonomous Database instance.
Click DB Connection → Download Wallet.
Choose Instance Wallet or Regional Wallet, if applicable.
Enter a wallet password when prompted. This encrypts the ewallet.p12 file, not the database.
Extract the downloaded ZIP. It includes:
- cwallet.sso - The primary wallet file for mTLS authentication. This auto-login wallet doesn't require a password.
- ewallet.p12 - The encrypted, password-protected wallet file.
- sqlnet.ora and tnsnames.ora - Network configuration files.
- Root and intermediate certificates.

Note

The cwallet.sso file is automatically created from the password-protected ewallet.p12 by Oracle. The other files are included for reference, and aren't needed for the connection.
For use with the JDBC Load connector, only cwallet.sso is required.
Don't rename the wallet file, as the JDBC driver only supports the standard file name, cwallet.sso.

For more information, read JDBC Thin Connections with a Wallet (mTLS).

Using the wallet in the JDBC Load connector

Note

File upload is supported for Hybrid SaaS agents. Full SaaS agents are currently not supported. For more information, read Matillion Full SaaS vs Hybrid SaaS.

Upload the Oracle Wallet file, cwallet.sso, to your agent's file system. For more information, read Uploading external drivers to the agent.

In the JDBC Load connector, configure the following:

Provide the database Username and Password in the Connect section.
Provide the JDBC Connection URL, for example:
```
jdbc:oracle:thin:@tcps://<host>:<port>/<db_service_name>
```
Note

Replace <host>, <port>, and <db_service_name> with the values from the tnsnames.ora file included in the wallet ZIP.
Reference the wallet file location in Connection Options:
```
oracle.net.wallet_location = /usr/local/drivers
```

Wallet file contents and security

The wallet file for the agent:

Includes: Certificates, private keys, and trusted CA certificates required for mTLS authentication.
Excludes: Database usernames and passwords.

Note

Oracle wallets can store secrets, such as passwords, in certain use cases. For example, when used as a Secure External Password Store (SEPS), or for Transparent Data Encryption (TDE).
Matillion doesn't recommend the use of any wallet file type other than the auto-open SSO wallet file, cwallet.sso, for security reasons.

The Autonomous Database client credentials wallet downloaded from Oracle Cloud is a Transport Layer Security (TLS) wallet, and doesn't include database login credentials. It contains only the certificates and keys required for mutual TLS. For more information, read Managing Oracle Database Wallets and Certificates.

Required dependencies for the JDBC Load connector

The following Oracle JARs must be uploaded alongside the Oracle JDBC driver, ojdbc.jar:

These libraries enable support for wallet based (mTLS) connections.

Got feedback or spotted something we can improve?

We'd love to hear from you. Join the conversation in the Documentation forum!