Connect Liquibase to Oracle Database with SSL/TLS

Last updated: March 24, 2026

This procedure configures Liquibase to connect to Oracle Database over TCPS (SSL/TLS), encrypting traffic between the client and server on port 2484. Server-side configuration—including the Oracle listener and server wallet—must be completed by your Oracle DBA before you begin. The client wallet stores the server’s trusted certificate.

Before you begin

  • Install Liquibase.

  • Ensure Java is installed.

  • Install Oracle Client Tools (included with Oracle Database, Oracle Instant Client, or Oracle Database Client) to obtain the orapki utility used in this procedure.

  • Ask your Oracle DBA to configure the server listener for TCPS on port 2484 and provide you with the server’s certificate (in PEM or DER format) and the server certificate’s distinguished name (DN).

Procedure

1

Download Oracle JDBC drivers

All JARs are available from the Oracle JDBC Downloads page and Maven Central. Replace 21.13.0.0 with the latest 21.x release.

Download the following JARs from the Oracle JDBC Downloads page and place them in your lib/ directory.

  • ojdbc11.jar

  • oraclepki.jar

  • osdt_core.jar

  • osdt_cert.jar

2

Create server wallet directory

Create the server wallet directory on your Oracle Database server. Be sure to:

  • Replace /path/to/oracle with your actual ORACLE_HOME path.

  • Replace ORCL with your Oracle SID.

3

Generate server certificate

Create an auto-login wallet and generate a self-signed certificate.

Be sure to:

  • Replace your-server.example.com with your Oracle server hostname. For example, db.company.com, oracle.example.org.

  • Replace YourOrg and US with your organization and country.

  • Use a certificate from a trusted CA instead of self-signed for production environments.

4

Export server certificate

Export the server certificate to share with Liquibase clients.

Be sure to:

  • Replace your-server.example.com with your Oracle server hostname.

  • Provide /tmp/server_cert.pem to the Liquibase client via scp or your organization's secure file transfer process.

5

Configure listener.ora

Add SSL/TLS listener configuration to $ORACLE_HOME/network/admin/listener.ora. Be sure to:

  • Replace $ORACLE_HOME/network/admin/wallet_server with the actual path to your server wallet directory.

6

Configure server sqlnet.ora

Add SSL/TLS configuration to $ORACLE_HOME/network/admin/sqlnet.ora.

Be sure to:

  • Replace $ORACLE_HOME/network/admin/wallet_server with the actual path to your server wallet directory.

  • Use modern TLS 1.2+ ciphers for JDBC compatibility.

  • Avoid older SSL 3.0 ciphers (SSL_RSA_WITH_3DES_EDE_CBC_SHA).

  • For Java/JDBC clients, prefer GCM ciphers. For example, TLS_RSA_WITH_AES_256_GCM_SHA384.

7

Restart and verify Oracle listener

Restart the Oracle listener to apply the SSL/TLS configuration.

Look for (PROTOCOL=tcps)(HOST=0.0.0.0)(PORT=2484) in the output. This confirms the SSL listener is active.

Optionally, test the SSL handshake with OpenSSL.

Be sure to:

  • Replace your-server.example.com with your Oracle server hostname.

# Test SSL handshake (optional but recommended)
openssl s_client -connect your-server.example.com:2484 -showcerts

8

Create the client wallet

Create the client wallet directory and copy the server certificate from the Oracle server.

mkdir -p ~/liquibase-ssl

Copy the server certificate from the Oracle server to your client machine.

Be sure to:

  • Replace your_oracle_user with your Oracle server OS user. For example, oracle, opc

  • Replace your_oracle_server with the Oracle server hostname or IP.

scp your_oracle_user@your_oracle_server:/tmp/server_cert.pem ~/liquibase-ssl/

Create the auto-login wallet.

orapki wallet create -wallet ~/liquibase-ssl -auto_login_only

Add the server certificate as a trusted root.

Verify the wallet contains the trusted certificate.

orapki wallet display -wallet ~/liquibase-ssl

9

Add database credentials to wallet

Add your database credentials to the wallet so Liquibase can connect without a username or password in the connection string.

Be sure to:

  • Replace your_tns_alias with the TNS alias from tnsnames.ora. For example, MYDB_SSL

  • Replace your_username with your database username.

  • Replace your_password with your database password.

mkstore -wrl ~/liquibase-ssl \
  -createCredential your_tns_alias your_username your_password

Verify the credentials were stored successfully.

mkstore -wrl ~/liquibase-ssl -listCredential

10

Download Oracle JDBC drivers

Download the Oracle JDBC and PKI JARs to your Liquibase lib/ directory. Replace 21.13.0.0 with the latest 21.x release.

Download the following JARs from the Oracle JDBC Downloads page and place them in your Liquibase lib/ directory.

  • ojdbc11.jar

  • oraclepki.jar

  • osdt_core.jar

  • osdt_cert.jar

11

Create tnsnames.ora

Create tnsnames.ora in your ~/liquibase-ssl/config/ directory. Be sure to:

  • Replace your-server.example.com with your Oracle server hostname.

  • Replace ORCL with your service name.

  • Replace CN=your-server.example.com,O=YourOrg,C=US with your server certificate's distinguished name.

12

Create sqlnet.ora

Create sqlnet.ora in your wallet directory.

Be sure to:

  • Replace your_wallet_dir with the absolute path to your wallet directory. For example, /home/user/liquibase-ssl, /Users/name/liquibase-ssl

13

Configure JDBC properties

Create ojdbc.properties in your wallet directory.

Be sure to:

  • Replace your_wallet_dir with the absolute path to your wallet directory. For example, /home/user/liquibase-ssl, /Users/name/liquibase-ssl

oracle.net.tns_admin=your_wallet_dir
oracle.net.wallet_location=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=your_wallet_dir)))

14

Configure Liquibase

Create or update liquibase.properties. Use the TCPS TNS alias and include the PKI JARs on the classpath. No username or password is needed, because the credentials come from the wallet.

Be sure to:

  • Replace your_tns_alias with your TNS alias from tnsnames.ora. For example, MYDB_SSL, PROD_SSL

  • Replace your_lib_path/ with your absolute path to your JAR files directory. For example, /home/user/liquibase-ssl/lib/, /Users/name/liquibase-ssl/lib/

15

Create sample changelog

Create ~/liquibase-ssl/changelog.xml.

16

Copy ojdbc.properties to root

Copy ojdbc.properties to the root directory so the JDBC driver can find it automatically.

cp ~/liquibase-ssl/config/ojdbc.properties ~/liquibase-ssl/

This allows the JDBC driver to discover TNS_ADMIN and wallet locations.

17

Set environment variables

Set the following environment variables before running Liquibase.

18

Test your setup

Test 1: Verify Folder Structure

cd ~/liquibase-ssl
tree -L 2

Expected structure:

Test 2: Test SSL Port Connectivity

Be sure to:

  • Replace your-server.example.com with your Oracle server hostname.

Expected: Connection succeeds.

Test 3: Test SSL Handshake

Be sure to:

  • Replace your-server.example.com with your Oracle server hostname.

openssl s_client -connect your-server.example.com:2484 -showcerts

Expected output (press Ctrl+C to exit):

Test 4: Verify Wallet Contents

Expected:

  • Trusted certificate listed

  • MYDB_SSL credential listed
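
Listing the wallet confirms what it contains, but not who else can use it or whether the connection is pinned to the right server. The following script is an added example, not part of the original Liquibase documentation: it audits the client directory for an auto-login wallet that other users can read, a TNS alias that does not use TCPS or does not name the server DN, and a password left in liquibase.properties. It assumes the wallet file is cwallet.sso in the wallet directory, that liquibase.properties sits in the same directory, and that the DN in tnsnames.ora is set with Oracle's SSL_SERVER_CERT_DN parameter; audit_client_dir is a hypothetical name.

```shell
#!/bin/sh
# Added example (not from the Liquibase docs). Assumed layout: DIR/cwallet.sso,
# DIR/config/tnsnames.ora, DIR/liquibase.properties.
# Usage: audit_client_dir DIR TNS_ALIAS   -> prints findings, returns 1 if any
audit_client_dir() {
  dir=$1; alias_name=$2; findings=0
  fail() { echo "FAIL: $1"; findings=$((findings + 1)); }

  # An auto-login wallet opens without a password, so anyone who can read
  # cwallet.sso can use the stored credentials: allow no group/other access.
  if [ -f "$dir/cwallet.sso" ]; then
    [ "$(ls -ld "$dir/cwallet.sso" | cut -c5-10)" = "------" ] ||
      fail "cwallet.sso is accessible to group or other users"
  else
    fail "no cwallet.sso in $dir"
  fi

  # Collect the alias entry from tnsnames.ora, whitespace removed, upper-cased.
  entry=$(awk -v want="$alias_name" '
    /^[A-Za-z]/ { split($0, p, "="); gsub(/[ \t]/, "", p[1])
                  on = (toupper(p[1]) == toupper(want)) }
    on          { gsub(/[ \t]/, ""); printf "%s", toupper($0) }
  ' "$dir/config/tnsnames.ora" 2>/dev/null) || entry=""
  [ -n "$entry" ] || fail "alias $alias_name not found in config/tnsnames.ora"
  case $entry in
    "" | *"(PROTOCOL=TCPS)"*) ;;
    *) fail "$alias_name does not use PROTOCOL=TCPS" ;;
  esac
  case $entry in
    "" | *"SSL_SERVER_CERT_DN="*) ;;
    *) fail "$alias_name sets no SSL_SERVER_CERT_DN for the server DN" ;;
  esac

  # Credentials come from the wallet; a password key here bypasses it.
  if grep -Eiq '^[[:space:]]*(liquibase\.command\.)?password[[:space:]]*[=:]' \
       "$dir/liquibase.properties" 2>/dev/null; then
    fail "liquibase.properties contains a password entry"
  fi

  [ "$findings" -eq 0 ] && echo "OK: $dir"
  [ "$findings" -eq 0 ]
}

# Run against a real directory only when arguments are given.
if [ "$#" -ge 2 ]; then audit_client_dir "$1" "$2"; fi
```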

Test 5: Test Liquibase Connection

Expected output:

Database is up to date
No changesets to deploy
Liquibase command 'status' was executed successfully.

Test 6: Apply Changes

Expected:

  • Table created successfully

  • "Database is up to date"

Test 7: Verify Encryption

Connect to the database and check the session.

Expected output should include:

TCP/IP with SSL/TLS
AES256 Encryption service adapter
SHA256 Crypto-checksumming service