Enforce Oracle RDS to use only SSL

I'm looking to enforce that my Oracle RDS uses only SSL, and not plain-text communication.

I've looked into Oracle's parameter group, but haven't seen any related parameters (only encountered SSL in addition to the plain communication, but not instead).

Is there any parameter for this use case?



Solution 1:[1]

Disable the TCP Listener Port and have the listener only use the TCPS protocol.

If you use an installation without the GI Stack (Oracle Restart/RAC), change the listener.ora. In the GI case, you will have to use "srvctl" to change the listener (and the port it is listening on) - and you should also change SCAN.

Step by Step Guide: How to Configure SSL/TLS on ORACLE RAC (with SCAN) (Doc ID 1448841.1)

Note: if you use the dynamic service registration (local_listener / remote_listener) database parameters, also ensure that the database knows the SSL certificates. Otherwise the database cannot register, as this normally works via the non-TCPS port as well.

Last but not least: even when using TCP, you can enable native network encryption with "sqlnet.ora" parameters. So there is no requirement to disable the standard listener port if you set the SQL parameter to "restricted" so that only encrypted traffic is allowed:

https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/configuring-network-data-encryption-and-integrity.html
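The two options described in the answer can be checked mechanically. The script below is an added example, not part of the original answer: it reads listener.ora and sqlnet.ora text, lists any plain TCP endpoints, and reports whether unencrypted sessions are still possible. The sample files, host name and ports are constructed, and the check assumes the documented SQLNET.ENCRYPTION_SERVER values (ACCEPTED, REJECTED, REQUESTED, REQUIRED), with ACCEPTED as the default.

```python
import re

# Constructed sample files for illustration (not taken from the original post).
LISTENER_ORA = """\
# constructed sample
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db1.example.internal)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = db1.example.internal)(PORT = 2484))
    )
  )
"""
SQLNET_ORA = """\
# constructed sample
SQLNET.ENCRYPTION_SERVER = requested
"""

def strip_comments(text):
    """Drop '#' comments so commented-out endpoints are not counted."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def listener_endpoints(text):
    """Return [(protocol, port)] for every ADDRESS entry in listener.ora text."""
    found = []
    pattern = r"\(\s*ADDRESS\s*=((?:\s*\([^()]*\))+)\s*\)"
    for m in re.finditer(pattern, strip_comments(text), re.I):
        pairs = re.findall(r"\(\s*(\w+)\s*=\s*([^()]*)\)", m.group(1))
        kv = {k.upper(): v.strip() for k, v in pairs}
        found.append((kv.get("PROTOCOL", "").upper(), kv.get("PORT", "")))
    return found

def sqlnet_params(text):
    """Parse 'NAME = value' lines from sqlnet.ora text into an upper-cased dict."""
    params = {}
    for line in strip_comments(text).splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().upper()] = value.strip().strip("()").strip().upper()
    return params

def audit(listener_text, sqlnet_text):
    """Encrypted-only if no plain TCP endpoint exists or native encryption is REQUIRED."""
    plaintext = [port for proto, port in listener_endpoints(listener_text) if proto == "TCP"]
    enc = sqlnet_params(sqlnet_text).get("SQLNET.ENCRYPTION_SERVER", "ACCEPTED")
    return {"plaintext_ports": plaintext, "encryption_server": enc,
            "encrypted_only": not plaintext or enc == "REQUIRED"}

if __name__ == "__main__":
    print(audit(LISTENER_ORA, SQLNET_ORA))
```

With the constructed samples, the TCP endpoint on port 1521 combined with REQUESTED means a client that does not ask for encryption can still connect in plain text.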

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 ssolbach