Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. IT Analytics Help
  3. Section XVI. System Administration
  4. Appendix G. Configure TLS-enabled Oracle database on IT Analytics Portal and data receiver
  5. Configure TLS in Oracle with IT Analytics on Windows in split architecture

Configure TLS in Oracle with IT Analytics on Windows in split architecture

In a split architecture, database and portal are on different systems.

Step 1: Configure Oracle wallet for server side.

  1. Create a directory on the server machine to store the server wallet in the C:\opt\oracle\network\ folder.
    mkdir C:\opt\oracle\network\server_wallet
  2. Create an empty wallet for the Oracle server with auto login enabled.
    orapki wallet create -wallet "C:\opt\oracle\network\server_wallet" -pwd <password> -auto_login
  3. Add a self-signed certificate in the wallet (a new pair of private/public keys is created).
    orapki wallet add -wallet "C:\opt\oracle\network\server_wallet" -pwd <password> -dn "CN=<server_machine_name>" -keysize 2048 -self_signed -validity <# of Days>
  4. Check the contents of the wallet. Notice the self-signed certificate is both a user and trusted certificate.
    orapki wallet display -wallet "C:\opt\oracle\network\server_wallet" -pwd <password>
  5. Check whether the certificate has been exported to the above directory.
  6. Make sure the oracle service user can access the wallet file cwallet.sso (READ permission).

Step 2: Configure Oracle wallet for client application.

  1. Create a directory on the client machine to store the client wallet. Call it client_wallet. Create it under the C:\opt\oracle\network folder.
    mkdir C:\opt\oracle\network\client_wallet
  2. Create a wallet for the Oracle client. Create an empty wallet with auto login enabled.
    orapki wallet create -wallet "C:\opt\oracle\network\client_wallet" -pwd <password> -auto_login
  3. Add a self-signed certificate in the wallet (a new pair of private/public keys is created).
    orapki wallet add -wallet "C:\opt\oracle\network\client_wallet" -pwd <password> -dn "CN=<client_machine_name>" -keysize 2048 -self_signed -validity <# of Days>
  4. Check the contents of the wallet. Note that the self-signed certificate is both a user and a trusted certificate.
    orapki wallet display -wallet "C:\opt\oracle\network\client_wallet" -pwd <password>
  5. Export the certificate, so it can be loaded into the server wallet later.
    orapki wallet export -wallet "C:\opt\oracle\network\client_wallet" -pwd <password> -dn "CN=<client_machine_name>" -cert C:\opt\oracle\network\client_wallet\<client-certificate-name>.crt
  6. Check whether the certificate is exported to the above directory.

Step 3: Perform client-server exchange certificate process. These instructions are for the exchange server and client public keys.

  1. Repeat these steps on each of the database client systems.
    • Copy <server-certificate-name>.crt from the server system to the client system /opt/aptare/oracle/network/client_wallet folder.

    • Copy <client-certificate-name>.crt from the client system to the server system /opt/aptare/oracle/network/server_wallet folder.

  2. Load the server certificate into the client wallet.
    orapki wallet add -wallet "C:\opt\oracle\network\client_wallet" -pwd <password> -trusted_cert -cert C:\opt\oracle\network\client_wallet\<server-certificate-name>.crt
  3. Check the contents of the client wallet. Note that the server certificate is now included in the list of trusted certificates.
    orapki wallet display -wallet "C:\opt\oracle\network\client_wallet" -pwd <password>
  4. Load the client certificate into the server wallet.
    orapki wallet add -wallet "C:\opt\oracle\network\server_wallet" -pwd <password> -trusted_cert -cert C:\opt\oracle\network\server_wallet\<client-certificate-name>.crt
  5. Check the contents of the server wallet. Note that the client certificate is now included in the list of trusted certificates.
    orapki wallet display -wallet "C:\opt\oracle\network\server_wallet" -pwd <password>

Step 4: Configure the Oracle database to listen for TCPS connection (Server/Oracle system). In the steps below, host is Oracle server IP address and C:\opt\oracle\network\server_wallet is the server wallet location.

  1. Stop the Oracle listener.
    lsnrctl stop
  2. Modify the listener.ora (C:\opt\oracle\network\admin\listener.ora)
    LISTENER = 
    		(DESCRIPTION_LIST = 
         (DESCRIPTION = 
          (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC)) 
          (ADDRESS = (PROTOCOL = TCPS)(HOST = xx.xx.xx.xx)(PORT = 2484))
         )
      )

    Append the below line at the end of the file.

    SSL_CLIENT_AUTHENTICATION = FALSE 
    SECURE_PROTOCOL_LISTENER=(IPC) 
    WALLET_LOCATION = 
        (SOURCE = 
          (METHOD = FILE) 
          (METHOD_DATA = 
             (DIRECTORY = C:\opt\oracle\network\server_wallet) 
          ) 
        ) 
    C:\opt\oracle\network\server_wallet
  3. Modify the sqlnet.ora file (C:\opt\oracle\network\admin\sqlnet.ora)
    SSL_CLIENT_AUTHENTICATION = FALSE 
      WALLET_LOCATION = 
        (SOURCE = 
           (METHOD = FILE) 
           (METHOD_DATA = 
              (DIRECTORY = C:\opt\oracle\network\server_wallet) 
           ) 
        )
    
    SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA) SQLNET.WALLET_OVERRIDE = TRUE
  4. Modify the tnsnames.ora file (C:\opt\oracle\network\admin\tnsnames.ora)
    SCDB =       
         (DESCRIPTION = 
            (ADDRESS= 
                (PROTOCOL=TCPS) 
                (HOST=xx.xx.xx.xx) 
                (PORT=2484) 
            ) 
            (CONNECT_DATA=(SERVICE_NAME=scdb)(SID=SCDB)) 
        )
  5. Start the Oracle service.
    lsnrctl start
  6. Check the listener status.
    lsnrctl status
  7. Test Oracle connection using sqlplus.
    sqlplus username/password@service_name

Step 5: Configure the Oracle database to listen for TCPS connection on the client system. Configure the listener.ora and sqlnet.ora files on the database server using the following steps. In the procedure below, host is Oracle server IP address and C:\opt\oracle\network\server_wallet is the server wallet location.

  1. Modify the listener.ora (C:\opt\oracle\network\admin\listener.ora) and add the below contents.
    LISTENER = 
       (DESCRIPTION_LIST = 
          (DESCRIPTION = 
             (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC)) 
             (ADDRESS = (PROTOCOL = TCPS)(HOST = xx.xx.xx.xx)(PORT = 2484)) 
          ) 
       )

    Add below line at the end of file:

     SSL_CLIENT_AUTHENTICATION = FALSE 
        SECURE_PROTOCOL_LISTENER=(IPC) 
        WALLET_LOCATION = 
         (SOURCE = 
           (METHOD = FILE) 
           (METHOD_DATA = 
             (DIRECTORY = C:\opt\oracle\network\client_wallet) 
         ) 
      )   
    C:\opt\oracle\network\client_wallet
  2. Modify the sqlnet.ora file (C:\opt\oracle\network\admin\sqlnet.ora).
    SSL_CLIENT_AUTHENTICATION = FALSE 
        WALLET_LOCATION = 
           (SOURCE = 
             (METHOD = FILE) 
             (METHOD_DATA = 
               (DIRECTORY = C:\opt\oracle\network\client_wallet) 
             ) 
           )
    
    SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA) SQLNET.WALLET_OVERRIDE = TRUE
  3. Modify the tnsnames.ora (C:\opt\oracle\network\admin\tnsnames.ora)
    SCDB = 
       (DESCRIPTION = 
           (ADDRESS= 
               (PROTOCOL=TCPS) 
               (HOST=xx.xx.xx.xx) 
               (PORT=2484) 
           ) 
           (CONNECT_DATA=(SERVICE_NAME=scdb)(SID=SCDB)) 
        )

Step 6: Load Oracle server wallet certificate to the portal and upgrader Java KeyStore.

  1. Login as a root user.
  2. Add server certificate in portal java.
    cd C:\opt\jre\bin 
    keytool -import -trustcacerts -alias ora_server_cert -file C:\opt\oracle\network\client_wallet\server-cert-db.crt -keystore 
    C:\opt\jre\lib\security\cacerts
    cd C:\opt\jdk\bin 
    keytool -import -trustcacerts -alias ora_server_cert -file C:\opt\oracle\network\client_wallet\server-cert-db.crt -keystore 
    C:\opt\jdk\lib\security\cacerts
    password: changeit
  3. Add server certificate in upgrader Java.
    cd C:\opt\aptare\upgrade\jre\bin 
    keytool -import -trustcacerts -alias ora_server_cert -file 
    C:\opt\oracle\network\client_wallet\server-cert-db.crt -keystore 
    C:\opt\aptare\upgrade\jre\lib\security\cacerts 
    password: changeit

Step 7: Modify connection URL in the portal and receiver property file.

  1. Stop portal and agent services.
  2. Modify database URL in /opt/aptare/portalconf/portal.properties.
    db.url=jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)
    (HOST=xx.xx.xx.xx)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=SCDB)))
  3. Modify database URL in /opt/aptare/datarcvrconf/datrarcvrproperties.xml.
    <URL>jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)
    (HOST=xx.xx.xx.xx)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=SCDB))</URL>
  4. Start portal and agent services.

Feedback

Was this page helpful?
Previous

Configure TLS in Oracle with IT Analytics on Linux in non-split architecture

Next

Configure TLS in Oracle with IT Analytics on Windows in non-split architecture

Feedback

Was this page helpful?