Recently, the Extract and Replicat processes of production Oracle GoldenGate Cloud Service deployments ABENDED with the error message:
OGG-00664 OCI Error ORA (status = 29003-ORA-29003: SSL transport detected mismatched server certificate.
These Extract and Replicat processes were connected to an Oracle Autonomous Database on shared infrastructure.
Both Oracle GoldenGate and SQL*Plus connections to the ADB database were returning errors.
As of August 2022, DigiCert retired the Organizational Unit (OU) field for all public TLS/SSL certificates to comply with industry standards. This impacted Oracle OCI Autonomous Databases.
ADB/ADW databases perform server DN matching by default, based on the ssl_server_cert_dn property of the connection string, which contains the OU field.
If we have downloaded the new ADB/ADW wallet after January 10th, 2023, then the mTLS connect strings no longer have an OU field in them, and as such we do not need to take any action.
Since in this particular case the wallet for the Autonomous Database was generated prior to January 10th, 2023, to resolve the ORA-29003 error we needed to download the new wallet zip file from the OCI console and use that for client connections to the Oracle Autonomous Database.
To resolve the GoldenGate Cloud Service error, we needed to create a new connection to the Oracle Autonomous Database and assign that connection to the relevant GoldenGate Cloud Service deployment.
Note the TNS connection details of the Autonomous Database – existing (which caused the error) and after downloading the new wallet zip file.
The Organizational Unit (OU) related entry which is present in the existing TNS connection is no longer present in the new TNS entry for the same Autonomous Database.
pporbshssadw01_high = (description= (retry_count=20)(retry_delay=3)(address=(protocol=tcps)(port=1522)(host=PPORBSHSSADW001.adb.ap-sydney-1.oraclecloud.com))(connect_data=(service_name=g6da9c2218ad114_pporbshssadw01_high.adb.oraclecloud.com))(security=(ssl_server_cert_dn="CN=adb.ap-sydney-1.oraclecloud.com, OU=Oracle ADB SYDNEY, O=Oracle Corporation, L=Redwood City, ST=California, C=US")))
pporbshssadw01_high = (description= (retry_count=20)(retry_delay=3)(address=(protocol=tcps)(port=1522)(host=PPORBSHSSADW001.adb.ap-sydney-1.oraclecloud.com))(connect_data=(service_name=g6da9c2218ad114_pporbshssadw01_high.adb.oraclecloud.com))(security=(ssl_server_dn_match=no)))
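To find which entries in a client's tnsnames.ora are affected, the following is an added example (not code from the original post or from Oracle). It reports entries whose ssl_server_cert_dn still pins an OU component, the condition tied above to ORA-29003, and entries where ssl_server_dn_match is set to no, which turns off server DN matching for that connection. The sample entries, hosts and service names are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in tnsnames.ora syntax; hosts and service names are placeholders.
SAMPLE = '''
old_high = (description=(address=(protocol=tcps)(port=1522)(host=db.example.invalid))
  (connect_data=(service_name=svc_high.example.invalid))
  (security=(ssl_server_cert_dn="CN=adb.example.invalid, OU=Example Unit, O=Example Corp, C=US")))
new_high = (description=(address=(protocol=tcps)(port=1522)(host=db.example.invalid))
  (connect_data=(service_name=svc_high.example.invalid))(security=(ssl_server_dn_match=no)))
strict_high = (description=(address=(protocol=tcps)(port=1522)(host=db.example.invalid))
  (connect_data=(service_name=svc_high.example.invalid))(security=(ssl_server_dn_match=yes)))
'''

QUOTES = '"\u201c\u201d'  # straight quote plus the curly quotes that copy/paste introduces

def split_entries(text):
    """Yield (alias, descriptor) pairs; a descriptor may span several lines."""
    text = re.sub(r'(?m)^\s*#.*$', '', text)           # drop comment lines
    end = 0
    for m in re.finditer(r'(?m)^[ \t]*([\w.-]+)[ \t]*=\s*\(', text):
        if m.start() < end:                             # match lies inside the previous entry
            continue
        depth, quoted, i = 0, False, m.end() - 1
        while i < len(text):                            # walk to the balancing close paren
            ch = text[i]
            if ch in QUOTES:
                quoted = not quoted
            elif not quoted:
                depth += (ch == '(') - (ch == ')')
                if depth == 0:
                    break
            i += 1
        end = i + 1
        yield m.group(1), text[m.end() - 1:end]

def audit(text):
    """Return {alias: [issues]} for entries that need review."""
    findings = {}
    for alias, desc in split_entries(text):
        issues = []
        dn = re.search(r'ssl_server_cert_dn\s*=\s*[%s]([^%s]*)' % (QUOTES, QUOTES), desc, re.I)
        if dn and re.search(r'(?:^|,)\s*OU\s*=', dn.group(1), re.I):
            issues.append('ssl_server_cert_dn pins an OU component')
        match = re.search(r'ssl_server_dn_match\s*=\s*(\w+)', desc, re.I)
        if match and match.group(1).lower() in ('no', 'off', 'false'):
            issues.append('ssl_server_dn_match is disabled')
        if issues:
            findings[alias] = issues
    return findings
```

Pass `audit()` the contents of the tnsnames.ora from the wallet the client or GoldenGate connection actually uses; an empty result means no entry matched either condition.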
A similar issue is documented in MOS note 2911553.1, "ALERT: Action Required for Autonomous Databases".
The table below indicates the dates before which we need to change the wallets which enable connectivity to the Oracle Autonomous Databases – across different regions.