Python Connector for Oracle

Connect to Oracle from Python using SSL/TLS

Connecting to Oracle using SSL/TLS

Transport Layer Security (TLS) is a security protocol for accessing remote machines over untrusted networks. A primary use case of TLS is encrypting the communication between web applications and servers. It runs on top of TCP/IP to secure client-server communications and allows a TLS-enabled client to authenticate itself to a TLS-enabled server and vice versa. TLS evolved from a previous encryption protocol called Secure Sockets Layer (SSL), and the terms TLS and SSL are sometimes used interchangeably.

During server authentication, the client application uses public-key cryptography to verify the server's identity: it checks that the server's certificate was issued by a trusted certificate authority (CA) and that the server proves ownership of the public key. Similarly, TLS client authentication allows the server to validate the client's identity. The client and server can also authenticate each other using self-signed certificates. However, use self-signed certificates only on an internal network or a development server.

After establishing a TLS connection, the client and server can exchange symmetrically encrypted messages with a shared secret key. TLS is the recommended method for establishing a secure connection to Oracle due to its more straightforward configuration and higher performance than SSH.

Using a wallet

A wallet is a container for storing authentication and signing credentials, including keys and certificates.

There are two methods to use a wallet:

For more information about using a wallet, see Using Oracle Wallet Manager.

Using a certificate and keys

To open a TLS connection to Oracle Database using a certificate and keys, specify the CA certificate, client certificate, and client private key in the SSLCACert, SSLCert, and SSLKey parameters.

Enable TLS on a connection

  1. Import the module.
    import devart.oracle
  2. Connect to a database using the connect() module method and obtain a connection object.
    my_connection = devart.oracle.connect(
        Direct=True,
        Host="your_server",
        ServiceName="your_service_name",
        UserName="your_username",
        Password="your_password",
        UseSSL="True",
        WalletPath="path_to_wallet",
        ServerCertificateDN="your_server_dn"
    )

TLS parameters

The following table describes the TLS connection parameters.

| Parameter | Description |
| --- | --- |
| UseSSL | Enables TLS connections. |
| WalletPath | The path to the wallet in the file system. |
| WalletRegistry | The path to the wallet in the Windows registry. |
| SSLServerCertDN | The server's distinguished name (DN), used for server DN matching. The connector checks whether the server is genuine by matching the server's global database name against the DN from the server certificate. |
| SSLCACert | The CA certificate. |
| SSLCert | The client certificate. |
| SSLKey | The client private key. |
| SSLIgnoreServerCertificateValidity | Specifies whether to verify the server certificate validity period during a TLS handshake. The possible values are True and False. The default value is True. |
| SSLIgnoreServerCertificateConstraints | Specifies whether to verify the server certificate for compliance with constraints during a TLS handshake. The possible values are True and False. The default value is True. |
| SSLTrustServerCertificate | Specifies whether to verify the server certificate chain during a TLS handshake. By default, the connector verifies the entire certificate chain. The possible values are True and False. If the parameter is set to True, the connector will bypass walking the certificate chain to validate trust. |
| SSLIgnoreServerCertificateInsecurity | Specifies whether to verify the server certificate signature security during a TLS handshake. The possible values are True and False. The default value is False. |
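
As an added example (not Devart's code), the following check audits the keyword arguments you plan to pass to connect() against the parameters described above, using the defaults this page states. It assumes that a True value for SSLTrustServerCertificate or any SSLIgnore* parameter skips the corresponding check and that TLS is off unless UseSSL is set; `audit_tls_params` and the other names are hypothetical.

```python
# Added example: audits keyword arguments intended for devart.oracle.connect().
# Defaults are the ones stated in this page's TLS parameters table.
# Assumption: True for an SSLIgnore*/SSLTrust* parameter skips that check.
WEAKENING_DEFAULTS = {
    "SSLIgnoreServerCertificateValidity": True,
    "SSLIgnoreServerCertificateConstraints": True,
    "SSLTrustServerCertificate": False,
    "SSLIgnoreServerCertificateInsecurity": False,
}
# The page spells the DN parameter differently in its example and its table.
DN_PARAMS = ("SSLServerCertDN", "ServerCertificateDN")
WALLET_PARAMS = ("WalletPath", "WalletRegistry")
CERT_PARAMS = ("SSLCACert", "SSLCert", "SSLKey")


def as_bool(value):
    """Accept real booleans and the string form used in the page's example."""
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)


def audit_tls_params(params):
    """Return a list of findings; an empty list means nothing was flagged."""
    # Assumption: TLS is off unless UseSSL is set.
    if not as_bool(params.get("UseSSL", False)):
        return ["UseSSL is not enabled: the connection will not use TLS"]
    findings = []
    for name, default in WEAKENING_DEFAULTS.items():
        if as_bool(params.get(name, default)):
            origin = "set explicitly" if name in params else "left at default"
            findings.append(f"{name}=True ({origin}): a certificate check is skipped")
    if not any(params.get(p) for p in DN_PARAMS):
        findings.append("no server DN given: server DN matching is not enabled")
    has_wallet = any(params.get(p) for p in WALLET_PARAMS)
    missing = [p for p in CERT_PARAMS if not params.get(p)]
    if not has_wallet and missing:
        findings.append("no wallet and missing " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    # Constructed sample: the page's wallet example with placeholder values.
    sample = {"Direct": True, "Host": "your_server", "UseSSL": "True",
              "WalletPath": "path_to_wallet", "ServerCertificateDN": "your_server_dn"}
    for finding in audit_tls_params(sample):
        print("FINDING:", finding)
```

Under those assumptions, the page's own wallet example produces two findings, one each for the validity and constraints parameters left at their defaults.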

© 2022-2026 Devart. All Rights Reserved.