# Oracle Autonomous Database authentication guide

export const m_runner = "Maia runner";

[Oracle Autonomous Databases](https://docs.oracle.com/en/cloud/paas/autonomous-database/serverless/adbsb/autonomous-intro-adb.html), including Autonomous Data Warehouse and Autonomous Transaction Processing, require mutual TLS (mTLS) for all client connections. This authentication method ensures that both the client and the server verify each other using certificates, rather than relying solely on passwords.

To establish an mTLS connection, you must provide an Oracle Wallet, which contains the certificates and private keys required for authentication. The wallet file, `cwallet.sso`, doesn't include database usernames or passwords; these must still be entered separately in the connector configuration.

<Note>
  * Wallet file support is currently available only for Hybrid SaaS {m_runner}s.
  * File upload is not supported for Full SaaS {m_runner}s.
</Note>

This document describes how to:

* [Obtain the Oracle Wallet file](#obtaining-the-oracle-wallet-files), `cwallet.sso`, from the Oracle Cloud Console.
* Configure the JDBC Load connector to [use the wallet file](#using-the-wallet-in-the-jdbc-load-connector) for secure connections.
* Identify [prerequisites](#required-dependencies-for-the-jdbc-load-connector).

***

## Obtaining the Oracle Wallet files

To obtain the Oracle Wallet file for your Autonomous Database, follow these steps:

1. Sign in to the [Oracle Cloud Console](https://cloud.oracle.com).
2. Navigate to your Autonomous Database instance.
3. Click **DB Connection** → **Download Wallet**.
4. Choose **Instance Wallet** or **Regional Wallet**, if applicable.
5. Enter a wallet password when prompted. This encrypts the `ewallet.p12` file, not the database.
6. Extract the downloaded ZIP. It includes:
   * `cwallet.sso` - The primary wallet file for mTLS authentication. This auto-login wallet doesn't require a password.
   * `ewallet.p12` - The encrypted, password-protected wallet file.
   * `sqlnet.ora` and `tnsnames.ora` - Network configuration files.
   * Root and intermediate certificates.

<Note>
  * The `cwallet.sso` file is automatically created from the password-protected `ewallet.p12` by Oracle. The other files are included for reference, and aren't needed for the connection.
  * For use with the [JDBC Load](/docs/components/jdbc-load) connector, only `cwallet.sso` is required.
  * Don't rename the wallet file, as the JDBC driver only supports the standard file name, `cwallet.sso`.
</Note>

For more information, read [JDBC Thin Connections with a Wallet (mTLS)](https://docs.oracle.com/en/cloud/paas/autonomous-database/serverless/adbsb/connect-jdbc-thin-wallet.html).

***

## Using the wallet in the JDBC Load connector

<Note>
  File upload is supported for Hybrid SaaS {m_runner}s. Full SaaS {m_runner}s are currently not supported. For more information, read [Matillion Full SaaS vs Hybrid SaaS](/docs/guides/runner-overview#matillion-full-saas-vs-hybrid-saas/).
</Note>

Upload the Oracle Wallet file, `cwallet.sso`, to your {m_runner}'s file system. For more information, read [Uploading external drivers to the {m_runner}](/docs/guides/uploading-external-drivers).

In the [JDBC Load](/docs/components/jdbc-load) connector, configure the following:

1. Provide the database **Username** and **Password** in the **Connect** section.

2. Provide the JDBC **Connection URL**, for example:

   ```
   jdbc:oracle:thin:@tcps://<host>:<port>/<db_service_name>
   ```

   <Note>
     Replace `<host>`, `<port>`, and `<db_service_name>` with the values from the `tnsnames.ora` file included in the wallet ZIP.
   </Note>

3. Reference the wallet file location in **Connection Options**:

   ```
   oracle.net.wallet_location = /usr/local/drivers
   ```

***

## Wallet file contents and security

The wallet file for the {m_runner}:

* **Includes:** Certificates, private keys, and trusted CA certificates required for mTLS authentication.
* **Excludes:** Database usernames and passwords.

<Note>
  * Oracle wallets can store secrets, such as passwords, in certain use cases. For example, when used as a Secure External Password Store (SEPS), or for Transparent Data Encryption (TDE).
  * Matillion doesn't recommend the use of any wallet file type other than the auto-open SSO wallet file, `cwallet.sso`, for security reasons.
</Note>

The Autonomous Database client credentials wallet downloaded from Oracle Cloud is a Transport Layer Security (TLS) wallet, and doesn't include database login credentials. It contains only the certificates and keys required for mutual TLS. For more information, read [Managing Oracle Database Wallets and Certificates](https://docs.oracle.com/en/database/oracle/oracle-database/23/dbseg/using-the-orapki-utility-to-manage-pki-elements.html).

***

## Required dependencies for the JDBC Load connector

The following Oracle JARs must be uploaded alongside the Oracle JDBC driver, `ojdbc.jar`:

* [oraclepki](https://mvnrepository.com/artifact/com.oracle.database.security/oraclepki)
* [osdt\_cert](https://mvnrepository.com/artifact/com.oracle.database.security/osdt_cert)
* [osdt\_core](https://mvnrepository.com/artifact/com.oracle.database.security/osdt_core)

These libraries enable support for wallet-based (mTLS) connections.

<Note>
  Connections to Oracle Autonomous Database require Oracle JDBC driver version `19.x` or later.
</Note>
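
The following shell functions are an added example, not part of the original guide or of any Matillion or Oracle tooling. They check a runner directory and a connection URL against the requirements described on this page. The function names, return codes, the owner-only permission policy, and the assumption that the JARs share the wallet directory are this example's own.

```shell
#!/bin/sh
# Added example: pre-flight check of the runner directory named in
# oracle.net.wallet_location. Return codes are constructed for this example:
#   0 ok | 1 wallet missing or renamed | 2 wallet readable beyond its owner
#   3 required JAR missing | 4 ewallet.p12 left next to the wallet
check_wallet_dir() {
    dir=$1
    wallet="$dir/cwallet.sso"

    # The driver only accepts the standard file name, so a renamed copy
    # is treated the same as a missing wallet.
    if [ ! -f "$wallet" ]; then
        echo "FAIL: $wallet not found"; return 1
    fi

    # cwallet.sso opens without a password: read access to the file is
    # access to the client private key. Characters 5-10 of the ls mode
    # string are the group and other permission bits.
    mode=$(ls -ld "$wallet" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "FAIL: $wallet is accessible to group/other ($mode)"; return 2
    fi

    # Assumption: the driver and its PKI JARs sit in the same directory.
    for prefix in ojdbc oraclepki osdt_cert osdt_core; do
        set -- "$dir/$prefix"*.jar
        if [ ! -e "$1" ]; then
            echo "FAIL: no $prefix*.jar in $dir"; return 3
        fi
    done

    # Only cwallet.sso is needed; the password-protected wallet should not
    # be copied to the runner.
    if [ -e "$dir/ewallet.p12" ]; then
        echo "FAIL: ewallet.p12 present in $dir"; return 4
    fi

    echo "OK: $dir"
}

# Succeeds only for URLs that use the tcps (TLS) scheme shown on this page.
check_jdbc_url() {
    case $1 in
        jdbc:oracle:thin:@tcps://*) return 0 ;;
        *) echo "FAIL: URL does not use tcps"; return 1 ;;
    esac
}
```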
