ALERT: Action Required for Autonomous Databases
(Doc ID 2911553.1)
Last updated on FEBRUARY 07, 2024
Applies to:
Autonomous Database Serverless - Version N/A to N/AOracle WebLogic Server for OCI Container Engine - Version N/A to N/A
Information in this document applies to any platform.
Details
DigiCert retired the Organizational Unit (OU) field for all public TLS/SSL certificates to comply with industry standards as of August 2022 per their announcement. This means that the public TLS/SSL certificates issued by DigiCert will not have the OU field anymore. This may affect existing applications, tools and/or services that are connecting to your Autonomous Database (ADB-S) instance.
How will this affect my service?
Autonomous Database does server DN matching by default based on the ssl_server_cert_dn property of your connection string, which contains the OU field today. Once the OU field is retired from the server-side certificates, DN matching will not succeed.
To avoid any disruptions to existing client connections, Autonomous Database will support doing DN matching based on the host property of your connection string.
If you are using mTLS authentication, you must use an Oracle client library version that supports this new approach (see below for supported client versions) and download your wallet zip file with the new mTLS connection strings before the due date listed for your region below (a wallet rotation is not required).
The connection strings for TLS authentication already do not include the OU field as of August 2022. However, if you are still using a TLS connect string with OU field, you must obtain and start using your new TLS string without the OU field via OCI console (or API) before the due date listed for your region below.
Failing to complete these steps before the specified date will result in existing applications, tools, and/or services to not able to connect to your Autonomous Database instance.
Actions
The connection strings for TLS authentication (which does not require a wallet) already do not include the OU field as of August 2022.
If you are using a TLS connect string without the OU field, you do not need to take any action.
However, if you are still using a TLS connect string with OU field, you must obtain and start using your new TLS string without the OU field via OCI console (or API) before the due date listed for your region below.
If you are using mTLS authentication (which requires a wallet), you need to take the following actions:
1.For your connections to support this new format, you must use an Oracle client with the following versions:
- Oracle Instant Client/Oracle Database Client:18.19 (or later), 19.2 (or later), 21 (base release or later)
Oracle Database drivers that use Oracle Instant Client/Oracle Database Client (e.g. cx_Oracle, node-oracledb, godror, PHP OCI8, PHP PDO_OCI, ruby-oci8, ROracle, rust-oracle): Use the driver with a compatible Oracle Instant Client/Oracle Database Client release from the list above.
- ODP.NET: 12.1 (Starting with April 2022 WINDBBP; ODP.NET Managed only), 18 (base release or later), 19.4 (or later, except for 19.10), 21 (base release or later)
- JDBC Thin: 11.2.0.4 (or later with one-off patch for Bug 28492769), 12.2 (or later with one-off patch for Bug 28492769), 18 (base release or later with one-off patch for Bug 28492769), 19 (base release or later), 21 (base release or later)
- Python: python-oracledb 1.0 (or later)
You can download the latest versions of these clients from the links provided below:
- Oracle JDBC Downloads Page
- Oracle .NET Downloads Page
- Oracle Instant Client Downloads Page
- Python python-oracledb Downloads Page
2.The new mTLS connection strings without the OU field are available to download as part of your wallet zip file today. You must download your wallet zip file with the new mTLS connection strings before the due date listed for your region below (a wallet rotation is not required).
Please note that the connection strings for TLS authentication already do not include the OU field as of August 2022, and the clients that support TLS authentication already support this new connect string format. Therefore, we encourage you to use TLS authentication, which will also allow you to connect to your ADB-S instance without a wallet.
Wallet Download Due Dates by Region
Note: If you are using mTLS authentication and already downloaded your new wallet after January 10th, 2023, you do not need to take any action. In other words, if your current mTLS connect strings already do not have an OU field in them, you do not need to take any action.
If you haven’t downloaded your new wallet yet, you must download it before the specified date for your region (a wallet rotation is not required).
If any of the dates below changes, you will be notified via email and this note will also be updated.
Please note that any region that is not mentioned in the table below already has the change implemented.
| Region Name | Due Date |
| Canada Southeast (YYZ) | April 12th, 2023 |
| India South (HYD), Netherlands Northwest (AMS), Saudi Arabia West (JED), Switzerland North (ZRH), Australia East (SYD) | April 27th, 2023 |
| UAE Central (AUH), Israel Central (MTZ), Italy Northwest (LIN), Brazil East (GRU) | May 4th, 2023 |
| Japan Central (KIX), Singapore (SIN), US West (SJC), South Korea Central (ICN) | May 11th, 2023 |
| Japan East (NRT), Australia Southeast (MEL), France South (MRS) | May 18th, 2023 |
| Germany Central (FRA), UK South (LHR) | May 25th, 2023 |
| US East (IAD), US West (PHX) | June 8th, 2023 |
| UAE East (DXB) | June 29th, 2023 |
| India West (BOM) | July 14th, 2023 |
Contacts
To view full details, sign in with your My Oracle Support account. |
|
Don't have a My Oracle Support account? Click to get started! |
In this Document
| Details |
| Actions |
| Contacts |