
Secure Connections to Autonomous AI Databases with Mutual TLS (mTLS)

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: OCI-AutonomousAIDatabase-012

Ensure that your Oracle Cloud Infrastructure (OCI) Autonomous AI Databases are secured with Mutual TLS (mTLS) to achieve the highest level of connection security, as it requires both the client and the server to authenticate each other using cryptographic certificates, thereby preventing unauthorized access and ensuring end-to-end data confidentiality.

Security

Mutual TLS (mTLS) is the recommended connection method for Autonomous AI Databases because it enforces mutual authentication, requiring both the client and the server to prove their identity using cryptographic credentials. This dual-authentication provides the highest level of security for data in transit, ensuring only trusted, authenticated clients can connect to your sensitive AI data repository.

Mutual TLS (mTLS) authentication can be enabled for Autonomous AI Database instances that use private endpoints or Access Control Lists (ACLs) for network access.


Audit

To determine if your Oracle Cloud Infrastructure (OCI) Autonomous AI Databases are configured to require mutual TLS (mTLS) authentication, perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to the Autonomous AI Databases console, available at https://cloud.oracle.com/db/adbs.

  3. For Applied filters, choose an OCI compartment from the Compartment dropdown menu, to list the Autonomous AI Databases provisioned in the selected compartment.

  4. Click on the name (link) of the Autonomous AI Database that you want to examine, listed in the Display Name column.

  5. Select the Autonomous AI Database information tab, and check the Mutual TLS (mTLS) authentication attribute value, listed in the Network section. If Mutual TLS (mTLS) authentication is set to Not required, mutual TLS (mTLS) will not be required to authenticate connections to the selected OCI Autonomous AI Database.

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list \
    	--all \
    	--include-root \
    	--query 'data[]."id"'
    
  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
    	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  3. Run db autonomous-database list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each Autonomous AI Database provisioned in the selected OCI compartment:

    oci db autonomous-database list \
    	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--all \
    	--query 'data[]."id"'
    
  4. The command output should return the requested database instance IDs:

    [
    	"ocid1.autonomousdatabase.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.autonomousdatabase.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  5. Run db autonomous-database get command (Windows/macOS/Linux) with the ID (OCID) of the Autonomous AI Database that you want to examine as the identifier parameter and custom output filters to determine if mutual TLS (mTLS) authentication is enabled for the selected database instance:

    oci db autonomous-database get \
    	--autonomous-database-id 'ocid1.autonomousdatabase.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--query 'data."is-mtls-connection-required"'
    
  6. The command output should return the feature status (true for enabled, false for disabled):

    false
    
  If the db autonomous-database get command output returns false, as shown in the output example above, mutual TLS (mTLS) will not be required to authenticate connections to the selected OCI Autonomous AI Database.

Remediation / Resolution

To secure connections to your OCI Autonomous AI Databases with mutual TLS (mTLS) authentication, perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to the Autonomous AI Databases console, available at https://cloud.oracle.com/db/adbs.

  3. For Applied filters, choose an OCI compartment from the Compartment dropdown menu, to list the Autonomous AI Databases provisioned in the selected compartment.

  4. Click on the name (link) of the Autonomous AI Database that you want to configure, listed in the Display Name column.

  5. Select the Autonomous AI Database information tab to access the network configuration settings available for the selected database instance.

  6. In the Network section, choose Edit next to Mutual TLS (mTLS) authentication to change the mTLS configuration.

  7. In the Edit mutual TLS authentication box, toggle the Require mutual TLS (mTLS) authentication button to enable the feature and choose Save to apply the changes. This will require all connections made to your database instance to use mutual TLS (mTLS) authentication. Any existing TLS authenticated connections will be disconnected.

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list \
    	--all \
    	--include-root \
    	--query 'data[]."id"'
    
  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
    	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  3. Run db autonomous-database list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each Autonomous AI Database provisioned in the selected OCI compartment:

    oci db autonomous-database list \
    	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--all \
    	--query 'data[]."id"'
    
  4. The command output should return the requested database instance IDs:

    [
    	"ocid1.autonomousdatabase.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.autonomousdatabase.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  5. Run db autonomous-database update command (Windows/macOS/Linux) with the ID (OCID) of the Autonomous AI Database that you want to configure as the identifier parameter, to enable mutual TLS (mTLS) authentication for the selected database instance. This will require all connections made to your database instance to use mutual TLS (mTLS) authentication. Any existing TLS authenticated connections will be disconnected:

    oci db autonomous-database update \
    	--autonomous-database-id 'ocid1.autonomousdatabase.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--is-mtls-connection-required true
    
  6. The command output should return the configuration information available for the modified database instance:

    {
    	"data": {
    		"allocated-storage-size-in-tbs": 0.0078125,
    		"are-primary-whitelisted-ips-used": null,
    		"auto-refresh-frequency-in-seconds": null,
    		"auto-refresh-point-lag-in-seconds": null,
    		"autonomous-container-database-id": null,
    		"autonomous-maintenance-schedule-type": "REGULAR",
    		"availability-domain": "ABCD:AP-SYDNEY-1-AD-1",
    		"failed-data-recovery-in-seconds": null,
    		"freeform-tags": {},
    		"id": "ocid1.autonomousdatabase.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    		"in-memory-area-in-gbs": null,
    		"in-memory-percentage": null,
    		"infrastructure-type": null,
    		"is-access-control-enabled": null,
    		"is-auto-scaling-enabled": true,
    		"is-auto-scaling-for-storage-enabled": true,
    		"is-backup-retention-locked": false,
    		"is-data-guard-enabled": true,
    		"is-dedicated": false,
    		"is-dev-tier": null,
    		"is-free-tier": false,
    		"is-local-data-guard-enabled": false,
    		"is-mtls-connection-required": true,
    		"is-preview": false,
    		"is-reconnect-clone-enabled": false,
    		"is-refreshable-clone": null,
    		"is-remote-data-guard-enabled": false,
    		"key-store-wallet-name": null,
    		"kms-key-id": "ORACLE_MANAGED_KEY",
    
    		...
    
    		"license-model": "LICENSE_INCLUDED",
    		"lifecycle-details": null,
    		"lifecycle-state": "UPDATING",
    		"local-adg-auto-failover-max-data-loss-limit": null,
    		"local-disaster-recovery-type": "BACKUP_BASED",
    		"time-data-guard-role-changed": null,
    		"time-deletion-of-free-autonomous-database": null,
    		"time-disaster-recovery-role-changed": null,
    		"time-earliest-available-db-version-upgrade": "2025-12-13T14:10:00+00:00",
    		"time-latest-available-db-version-upgrade": "2025-12-13T13:40:00+00:00",
    		"time-local-data-guard-enabled": "2025-12-13T09:27:58.721000+00:00",
    		"time-maintenance-begin": "2025-12-15T06:00:00+00:00",
    		"time-maintenance-end": "2025-12-15T08:00:00+00:00",
    		"time-of-auto-refresh-start": null,
    		"time-of-joining-resource-pool": null,
    		"time-of-last-failover": null,
    		"time-of-last-refresh": null,
    		"time-of-last-refresh-point": null,
    		"time-of-last-switchover": null,
    		"time-of-next-refresh": null,
    		"time-reclamation-of-free-autonomous-database": null,
    		"time-scheduled-db-version-upgrade": null,
    		"time-undeleted": null,
    		"time-until-reconnect-clone-enabled": null,
    		"total-backup-storage-size-in-gbs": 0.0,
    		"used-data-storage-size-in-gbs": null,
    		"used-data-storage-size-in-tbs": null,
    		"vanity-connection-urls": null,
    	},
    	"etag": "abcd1234",
    	"opc-work-request-id": "ocid1.coreservicesworkrequest.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    }
    
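The audit steps (compartment list, database list, per-database check of is-mtls-connection-required) and the remediation step (update with --is-mtls-connection-required true) are easy to run by hand for one database and tedious for a tenancy. The script below is an added example, not code from Trend Micro or Oracle: it drives the same oci CLI commands the procedures above use, classifies every record, and prints the exact remediation command for each non-compliant database. It assumes the oci CLI is installed and configured, and that the records returned by `oci db autonomous-database list` carry the same "is-mtls-connection-required", "display-name" and "lifecycle-state" fields as the get output shown above; the lifecycle-state names it skips and the SAMPLE_RECORDS it ships with are constructed for offline use.

```python
# Added example, not the page's or Oracle's own code. Assumptions (not from the
# page): the oci CLI is installed and configured, and the list records carry the
# "is-mtls-connection-required" field shown in the page's `get` output.
import json
import subprocess
import sys
from typing import Any, Dict, Iterable, List

RULE_ID = "OCI-AutonomousAIDatabase-012"

# Lifecycle states in which the mTLS setting no longer matters (assumed names).
SKIPPED_STATES = {"TERMINATED", "TERMINATING"}


def run_oci(args: List[str]) -> Any:
    """Run one oci CLI command and return its parsed "data" element (network call)."""
    proc = subprocess.run(["oci", *args], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)["data"]


def list_compartment_ids() -> List[str]:
    """Audit step 1: every compartment OCID, root tenancy included."""
    return [c["id"] for c in run_oci(["iam", "compartment", "list", "--all", "--include-root"])]


def list_autonomous_databases(compartment_id: str) -> List[Dict[str, Any]]:
    """Audit step 3: all Autonomous AI Database records in one compartment."""
    return run_oci(["db", "autonomous-database", "list",
                    "--compartment-id", compartment_id, "--all"])


def classify(record: Dict[str, Any]) -> str:
    """Audit steps 5-6 for one record: 'compliant' only when the API reports
    true; a null or absent value is reported as 'unknown', never passed silently."""
    value = record.get("is-mtls-connection-required")
    if value is True:
        return "compliant"
    if value is False:
        return "noncompliant"
    return "unknown"


def find_findings(records: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """One finding per live database that does not provably require mTLS."""
    findings = []
    for rec in records:
        if rec.get("lifecycle-state") in SKIPPED_STATES:
            continue
        status = classify(rec)
        if status == "compliant":
            continue
        findings.append({"rule": RULE_ID, "id": rec["id"],
                         "display-name": rec.get("display-name"), "status": status})
    return findings


def remediation_command(db_id: str) -> List[str]:
    """Remediation step 5 as an argv list (built, not executed, here)."""
    return ["oci", "db", "autonomous-database", "update",
            "--autonomous-database-id", db_id,
            "--is-mtls-connection-required", "true"]


def remediate(db_id: str) -> str:
    """Apply the update and return the new lifecycle state (page shows UPDATING).
    Existing TLS-only sessions are dropped once the change takes effect."""
    proc = subprocess.run(remediation_command(db_id), check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout)["data"]["lifecycle-state"]


# Constructed sample records shaped like the CLI output on the page.
SAMPLE_RECORDS = [
    {"id": "ocid1.autonomousdatabase.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
     "display-name": "adb-analytics", "lifecycle-state": "AVAILABLE",
     "is-mtls-connection-required": False},
    {"id": "ocid1.autonomousdatabase.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
     "display-name": "adb-reporting", "lifecycle-state": "AVAILABLE",
     "is-mtls-connection-required": True},
    {"id": "ocid1.autonomousdatabase.oc1.ap-sydney-1.EXAMPLE-NULL-MTLS",
     "display-name": "adb-legacy", "lifecycle-state": "AVAILABLE",
     "is-mtls-connection-required": None},
    {"id": "ocid1.autonomousdatabase.oc1.ap-sydney-1.EXAMPLE-TERMINATED",
     "display-name": "adb-old", "lifecycle-state": "TERMINATED",
     "is-mtls-connection-required": False},
]


def audit_tenancy() -> List[Dict[str, Any]]:
    """Audit steps 1-6 across every compartment in the tenancy."""
    findings: List[Dict[str, Any]] = []
    for cid in list_compartment_ids():
        findings.extend(find_findings(list_autonomous_databases(cid)))
    return findings


if __name__ == "__main__":
    # `--sample` evaluates the constructed records offline; otherwise the live tenancy.
    results = find_findings(SAMPLE_RECORDS) if "--sample" in sys.argv else audit_tenancy()
    for f in results:
        print(f"{f['rule']}: {f['display-name']} ({f['status']}) -> "
              + " ".join(remediation_command(f["id"])))
```

Run it with `--sample` to see the two findings the constructed data produces (one false, one null), or without arguments against a configured tenancy. A null value is deliberately reported as unknown rather than treated as compliant, so databases whose network configuration does not expose the setting still get a human look; the script prints the update command rather than running it, leaving the disconnect of existing TLS sessions as a deliberate change.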


Publication date Dec 3, 2025