Oracle Autonomous AI Database Recommendations

Oracle Autonomous AI Database allows both one-way TLS and mutual TLS (mTLS) connections, the default being the latter. Refer to QuickStart with Oracle AI Autonomous Database for successfully connecting to the Autonomous AI database.

Java Connectivity to Oracle AI Autonomous Database Serverless

Recommended Oracle JDBC Drivers

Recent Changes to AI ADB-S Connectivity

DigiCert retired the Organizational Unit (OU) field for all public TLS/SSL certificates to comply with industry standards as of August 2022 per their announcement. This means that the public TLS/SSL certificates issued by DigiCert will no longer have an OU field. Refer to MOS note 2911553.1 for details. 

To avoid disruption to applications connecting to Oracle Autonomous AI Database Serverless (ADB-S) during the server-side certificate change while preserving security, you must use hostname-based matching (a.k.a. Domain Name (DN) matching) of the server certificate (for TLS server authentication).

The following versions of JDBC-Thin support hostname-based matching: 

  • 26ai and 23ai (any version): When using an Easy Connection URL, hostname matching is enabled by default. However, with the long-form connection string, ssl_server_dn_match=yes must be set explicitly.
  • 21.6 (or later) or 19.15 (or later): These are the versions that support "(security=(ssl_server_dn_match=yes))" in the TNS connection string.
  • Other versions require that you turn on hostname-based matching explicitly (see the last bullet point). Refer to the Oracle JDBC Drivers Archive page for old versions.
    • 21.5 (or before) and 19.14 (or before)
    • 18.21.0.0-patched-for-bug-28492769 and 12.2.0.1-patched-for-bug-28492769
    • 12.1.0.2 and 11.2.0.4 with patch for bugs 28492769 and 19030178 (for hostname-based matching and TLSv1.2 support) 
    • You must also explicitly turn on DN matching using one of the methods below: 
      • programmatically: prop.setProperty("oracle.net.ssl_server_dn_match", "true"), or 
      • setting a Java system property: -Doracle.net.ssl_server_dn_match=true

An additional step is required if you have changed the ADB-S connection string

ADB-S connect strings contain a hostname "...(HOST=xyz)..." which depends on the region. For example, in the Chicago region the hostname would be "adb.us-chicago-1.oraclecloud.com". If you have replaced the default hostname with an IP address or a custom hostname, then hostname-based DN matching will fail.

The solution is to add a new entry to your /etc/hosts file using the original ADB-S domain suffix. Your connection string should then use this new name. For example, add an entry "localtunnel.adb.us-chicago-1.oraclecloud.com" that resolves to your custom IP address and use that name in the JDBC connection string.
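
The two requirements above (DN matching enabled, and a HOST value that still falls under the ADB-S domain) can be checked before deployment. The following is an added example, not Oracle's code: the class name, the check() helper and the sample descriptors are constructed for illustration, and it uses only the JDK, so no driver or database is needed to run it.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class DnMatchPreflight {
    static final String DN_PROP = "oracle.net.ssl_server_dn_match"; // property named on the page
    static final Pattern HOST =
        Pattern.compile("\\(\\s*host\\s*=\\s*([^)\\s]+)\\s*\\)", Pattern.CASE_INSENSITIVE);
    // Only the form shown on the page, ssl_server_dn_match=yes, is treated as enabled.
    static final Pattern DN_YES =
        Pattern.compile("\\(\\s*ssl_server_dn_match\\s*=\\s*yes\\s*\\)", Pattern.CASE_INSENSITIVE);

    // adbDomain is the regional ADB-S domain in lower case, e.g. adb.us-chicago-1.oraclecloud.com.
    static List<String> check(String descriptor, Properties props, String adbDomain) {
        List<String> findings = new ArrayList<>();
        String viaProp = props.getProperty(DN_PROP, System.getProperty(DN_PROP, "false"));
        if (!DN_YES.matcher(descriptor).find() && !Boolean.parseBoolean(viaProp)) {
            findings.add("DN matching is off: set ssl_server_dn_match=yes or " + DN_PROP + "=true");
        }
        Matcher m = HOST.matcher(descriptor);
        boolean sawHost = false;
        while (m.find()) {
            sawHost = true;
            String host = m.group(1).toLowerCase();
            boolean ipLiteral = host.matches("[0-9.]+") || host.contains(":");
            boolean inDomain = host.equals(adbDomain) || host.endsWith("." + adbDomain);
            if (ipLiteral || !inDomain) {
                findings.add("HOST=" + host + " is outside " + adbDomain + ", so hostname matching"
                    + " will fail; map a name under that domain in /etc/hosts and use it here");
            }
        }
        if (!sawHost) findings.add("no (HOST=...) entry found in descriptor");
        return findings;
    }

    public static void main(String[] args) {
        String domain = "adb.us-chicago-1.oraclecloud.com"; // hostname from the page's example
        String tail = ")(port=1522))(connect_data=(service_name=example_svc))"; // constructed
        String[] samples = { // constructed descriptors, not real services
            "(description=(address=(protocol=tcps)(host=" + domain + tail + "(security=(ssl_server_dn_match=yes)))",
            "(description=(address=(protocol=tcps)(host=10.0.0.15" + tail + "(security=(ssl_server_dn_match=yes)))",
            "(description=(address=(protocol=tcps)(host=localtunnel." + domain + tail + ")",
        };
        Properties props = new Properties(); // add DN_PROP=true here to enable matching programmatically
        for (String s : samples) System.out.println(check(s, props, domain) + "  <-  " + s);
    }
}
```

An empty list means the descriptor satisfies both requirements; the second sample is flagged for its IP-address host and the third for missing DN matching.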

Additional Resources