Unable to connect to an ADW instance (19c) using a mTLS wallet - the listener is rejecting the connection

[ICO-Dev]

Hi,
I am trying to connect to an ADW instance (19c) using a mTLS wallet and the listener is rejecting the connection.
I am using the same wallet (in the same directory) to successfully connect the ORA SQL Developer plug-in for VSCode to the PDB/schema I need.

I have to use the mTLS wallet since the ADW instance is on a "always free" instance which doesn't allow the use of TLS option

Env:

• Win11 23H2 (2025-01 patches), WSL2 instance with "Red Hat Enterprise Linux release 8.10 (Ootpa)" installed
• VSCode via Remote Window into the above WSL instance - all code, tools, wallets and configuration are on the WSL instance
• Using Pyenv for python virtual environments
• Using Poetry 1.6.1: [tool.poetry.dependencies] [python = "3.12", oci = ">=2.125.1", oracledb = ">=2.5.1"]
• tnsnames.ora in the wallet:
  staging_high = (description= (retry_count=20)(retry_delay=3)
  (address=(protocol=tcps)(port=1522)(host=adb.ca-toronto-1.oraclecloud.com))
  (connect_data=(service_name=a1b2c3d4e5f6g7h_staging_high.adb.oraclecloud.com))
  (security=(ssl_server_dn_match=yes))
  )

~~ Current Code ~~
import oracledb

uname = "UID"
pwd = "user pwd"
svc = "staging_high"
cdir = "/[project dir path]/config/rdb/wallet_extract/" //unzipped contents of adb_wallet.zip (see Scenarios below)
wltloc = cdir
wltpwd = "wlt pwd"

try:
connection = oracledb.connect(
user=uname,
password=pwd,
protocol="tcps",
host="adb.ca-toronto-1.oraclecloud.com",
port=1522,
dsn=svc,
config_dir=cdir,
wallet_location=wltloc,
wallet_password=wltpwd
)
print("Successfully connected to Oracle Database")
except Exception as err:
print(f"Connection Failed: {err}")

Scenario 1:
cdir = "/[project dir path]/config/rdb/adb_wallet.zip"
wltloc = cdir
Error Message: Connection Failed: DPY-4026: file tnsnames.ora not found in /[project dir path]/config/rdb/adb_wallet.zip

Scenario 2:
cdir = "/[project dir path]/config/rdb/wallet_extract/"
wltloc = "/[project dir path]/config/rdb/adb_wallet.zip"
Error Message: Connection Failed: DPY-6005: cannot connect to database (CONNECTION_ID=I0M6akz10QcwsfW4JhQ7SQ==).
DPY-2018: wallet file /[project dir path]/config/rdb/adb_wallet.zip/ewallet.pem was not found

Scenario 3 (the code at the begining of the post) :
cdir = "/[project dir path]/config/rdb/wallet_extract/"
wltloc = cdir
Error Message: Connection Failed: DPY-6005: cannot connect to database (CONNECTION_ID=asV5uLI0b6615dhitv6fEw==).
DPY-6000: Listener refused connection. (Similar to ORA-12506)

It does not look like python-oracledb has the ability to look into the zipped wallet.
Having to extract the contents to make things work is bit of a security fail.

Can you suggest any other strategies/configurations that I can use to get this connection work?

[cjbj]

See oracle/python-cx_Oracle#570 - in particular oracle/python-cx_Oracle#485 (comment)

@anthony-tuininga was looking at this area recently again but the above is the current best practice.

Or convert to 1-way TLS, which will make your apps faster we're told.

[anthony-tuininga]

I have been using TLS with my always free databases without difficulty. I don't think that is a restriction.

[ICO-Dev]

Hi Anthony,
Take a look at the pdf, the tick box for mTLS is also greyed out. You can't do anything else.

[cjbj]

The threads show how to automatically extract the wallet zip file if you want to continue using mTLS.

Regarding TLS vs mTLS, when I create Always Free DBs I also get to choose which one to use. The TLS option is the "Secure access from allowed IPs and VCNs only" option.

Questions about ojdbc are out of our area of expertise.

[ICO-Dev]

Hi Chris,

It could be that, as Oracle employees, that option is activated for you.
I have tried this on 2 separate free accounts with the same result.

It obviously works in a full OCI subscription, but this is me trying to learn python & oracledb to build async data loads/extracts. My customers are not going to subsidize that.

the sqlnet.ora question was based on a suggestion by you - Your suggestion

[cjbj]

My free accounts are the same as yours. Note the option is at DB creation time.

[ICO-Dev]

Well, I have to eat crow here.
I created this wallet years ago for SQL Developer but I decided to create a new one this afternoon (as opposed to rotating it) and then:

• I bounced the ADW instance
• updated the paths in my code to the directory for the newly extracted wallet
• Ran the code and the connection worked like a charm

Who knows what was going on with the old one...

[cjbj]

Glad you got it going. There have been updates to the wallet files at various stages.