Cannot connect via Oracle SQL Developer on host to adb-free podman instance #43

@sjsaunde

Oracle SQL Developer Error:

Status : Failure -Test failed: ORA-17002: I/O error: IO Error PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, connect lapse 7 ms., Authentication lapse 0 ms.

I do not want to use the wallet, as I eventually need my application to connect via a JDBC URL, so I am testing with a thin JDBC connection string.
Example from the SQL Developer Custom JDBC URL setting, taken from tnsnames.ora from the adb-free podman instance:

jdbc:oracle:thin:@(description=(retry_count=0)(retry_delay=3)(address=(protocol=tcps)(port=1521)(host=localhost))(connect_data=(service_name=mydb1_high.adb.oraclecloud.com))(security=(ssl_server_dn_match=no)))

Also, I can't get keytool to work as sudo/root; it needs a password, but there is no doc on which password, so I tried some.
Example:
keytool -import -alias adb_container_certificate -keystore $JAVA_HOME/lib/security/cacerts -file adb_container.cert
Output:

Warning: use -cacerts option to access cacerts keystore
    Enter keystore password:
    keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

I assumed WALLET_PASSWORD first - @oracle#123456, then ADMIN_PASSWORD - Oracle123456 from podman run command listed below.

Majority of Deployment Process:

A. Initial PodMan Install on Oracle Linux 8:
Steps as sudo:

  1. dnf module install container-tools:ol8
    (source: https://docs.oracle.com/en/learn/intro_podman/index.html#install-the-podman-package)

  2. dnf install qemu-img

  3. chmod ugo+rx /usr/share/bash-completion/completions/qemu
    Fix PATH and executable for documaker user to start podman:

  4. export PATH=$PATH:/usr/share/bash-completion/completions/

  5. export proxy=myproxy:myport
    export http_proxy=http://$proxy/
    export https_proxy=http://$proxy/

  6. podman machine init
    Output:

		Downloading VM image: fedora-coreos-42.20250623.2.0-qemu.x86_64.qcow2.xz: done
		Extracting compressed file: podman-machine-default_fedora-coreos-42.20250623.2.0-qemu.x86_64.qcow2 [--------------------------------] 0.0b / 753.4MiB
		Extracting compressed file: podman-machine-default_fedora-coreos-42.20250623.2.0-qemu.x86_64.qcow2: done
		Image resized.
		Machine init complete
		To start your machine run:
			podman machine start
  7. podman machine set --cpus 4 --memory 8192

B. Install Oracle ADB Podman Container:
Step as non-root user:

  1. podman pull container-registry.oracle.com/database/adb-free:latest-23

  2. podman run -d \
    -p 1521:1522 \
    -p 1522:1522 \
    -p 8443:8443 \
    -p 27017:27017 \
    -e DATABASE_NAME='MYDB1' \
    -e WORKLOAD_TYPE='ATP' \
    -e WALLET_PASSWORD=@oracle#123456 \
    -e ADMIN_PASSWORD=Oracle123456 \
    -e http_proxy=http://myproxy:myproxyport#/ \
    -e https_proxy=http://myproxy:myproxyport#/ \
    -e no_proxy=localhost,127.0.0.1,.my.domain.com,10.10.10.82,10.10.10.30 \
    -e HTTP_PROXY=http://myproxy:myproxyport#/ \
    -e HTTPS_PROXY=http://myproxy:myproxyport#/ \
    -e NO_PROXY=localhost,127.0.0.1,.my.domain.com,10.10.10.82,10.10.10.30 \
    --cap-add SYS_ADMIN \
    --device /dev/fuse \
    --name adb-free \
    container-registry.oracle.com/database/adb-free:latest-23ai

  3. podman images
    Output:

REPOSITORY                                       TAG          IMAGE ID      CREATED      SIZE
container-registry.oracle.com/database/adb-free  latest-23ai  00eb78176ea7  4 weeks ago  4.89 GB
  4. podman ps -a
    Output:
CONTAINER ID  IMAGE                                                        COMMAND     CREATED        STATUS                  PORTS                                                                                             NAMES
90c1e0c7e865  container-registry.oracle.com/database/adb-free:latest-23ai              2 minutes ago  Up 2 minutes (healthy)  0.0.0.0:1521->1522/tcp, 0.0.0.0:1522->1522/tcp, 0.0.0.0:8443->8443/tcp, 0.0.0.0:27017->27017/tcp  adb-free
  5. podman logs adb-free
    See output at end of message for a chunk of the log, more available if needed.

  6. podman cp adb-free:/u01/app/oracle/wallets/tls_wallet /scratch/documaker/tls_ora23ai_podman_wallet
    cd tls_ora23ai_podman_wallet
    zip -r ../tls_ora23ai_podman_wallet.zip .

  7. Collected from tnsnames.ora in the wallet directory with jdbc connection strings made to Custom JDBC URL connection string in SQL Developer:

jdbc:oracle:thin:@(description=(retry_count=0)(retry_delay=3)(address=(protocol=tcps)(port=1521)(host=localhost))(connect_data=(service_name=mydb1_high.adb.oraclecloud.com))(security=(ssl_server_dn_match=no)))

C. Attempt to use certificates from adb-free container from B.6 step above:
As root user:

  1. cp adb_container.cert /etc/pki/ca-trust/source/anchors
    update-ca-trust
    Seemed to work, no errors.

  2. FAILED: Setup certificate in JRE 17 used by Oracle SQL Server:
    keytool -import -alias adb_container_certificate -keystore $JAVA_HOME/lib/security/cacerts -file adb_container.cert
    Error no matter what password I try (assumed WALLET_PASSWORD first since docs don't say - @oracle#123456 then ADMIN_PASSWORD - Oracle123456 from podman run command above and none)

Warning: use -cacerts option to access cacerts keystore
Enter keystore password:
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

Excerpts from podman logs adb-free:
Start:

Archive:  /u01/POD1.zip
   creating: /u01/app/oracle/oradata/
   creating: /u01/app/oracle/oradata/POD1/
  inflating: /u01/app/oracle/oradata/POD1/redo01.log  
   creating: /u01/app/oracle/oradata/POD1/3673F9E565C374E2E063153F466437DB/
   creating: /u01/app/oracle/oradata/POD1/3673F9E565C374E2E063153F466437DB/datafile/
  inflating: /u01/app/oracle/oradata/POD1/redo02.log  
   creating: /u01/app/oracle/oradata/POD1/datafile/
  inflating: /u01/app/oracle/oradata/POD1/datafile/o1_mf_undotbs1_n3q7w4q0_.dbf  
  inflating: /u01/app/oracle/oradata/POD1/datafile/o1_mf_temp_n3q7w5kw_.tmp  
  inflating: /u01/app/oracle/oradata/POD1/datafile/o1_mf_data_n3q7b02z_.dbf  

...

TIME ELAPSED Unzipping /u01/POD1.zip: 0 minutes and 22 seconds elapsed
User input JSON not found
MY ADB WORKLOAD_TYPE is ATP
MY ADB CUSTOM NAME is MYDB1
BUILDER: Configuring TCPS
BUILDER: Cleanup /u01/app/oracle/wallets/tls_wallet
BUILDER: Creating auto login wallet for server
Oracle PKI Tool Release 23.0.0.0.0 - Production
Version 23.0.0.0.0
Copyright (c) 2004, 2025, Oracle and/or its affiliates. All rights reserved.

Enter password:   
Enter password again:   
Operation is successfully completed.
BUILDER: Creating a self-signed certificate using orapki utility; VALIDITY: 10 years
Oracle PKI Tool Release 23.0.0.0.0 - Production
Version 23.0.0.0.0
Copyright (c) 2004, 2025, Oracle and/or its affiliates. All rights reserved.

Cannot modify auto-login (sso) wallet
nter wallet password:   
Operation is successfully completed.
BUILDER: exporting server's cert
Oracle PKI Tool Release 23.0.0.0.0 - Production
Version 23.0.0.0.0
Copyright (c) 2004, 2025, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.
BUILDER: exporting server's cert
Oracle PKI Tool Release 23.0.0.0.0 - Production
Version 23.0.0.0.0
Copyright (c) 2004, 2025, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.
BUILDER: exporting encrypted private key
Oracle PKI Tool Release 23.0.0.0.0 - Production
Version 23.0.0.0.0
Copyright (c) 2004, 2025, Oracle and/or its affiliates. All rights reserved.

Private key password:
Enter password:   
Enter password again:   
Enter wallet password:   
Operation is successfully completed.
BUILDER: exporting private and certificates together in PEM
BUILDER: generating keystore.jks and truststore.jks
Oracle PKI Tool Release 23.0.0.0.0 - Production
Version 23.0.0.0.0
Copyright (c) 2004, 2025, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:   
Enter Key store password:   
Enter Trust store password:   
Operation is successfully completed.
BUILDER: generating sqlnet.ora for client
BUILDER: Generating  tnsnames.ora based on the new CN
BUILDER: Overriding service names based on user input
BUILDER: generating ojdbc.properties
TIME ELAPSED Wallet Generation: 0 minutes and 39 seconds elapsed
User has requested to download '.pdb' archive file from Object Storage bucket
Downloading MY_ATP.pdb..
Download complete for MYDB1.pdb
TIME ELAPSED Downloaded PDBs: 0 minutes and 5 seconds elapsed

LSNRCTL for Linux: Version 23.0.0.0.0 - for Oracle Cloud and Engineered Systems on 06-JUL-2025 02:58:57

Copyright (c) 1991, 2025, Oracle.  All rights reserved.

Starting /u01/app/oracle/product/23.0.0.0/dbhome_1/bin/tnslsnr: please wait...

TNSLSNR for Linux: Version 23.0.0.0.0 - for Oracle Cloud and Engineered Systems
System parameter file is /u01/app/oracle/product/23.0.0.0/dbhome_1/network/admin/listener.ora
Log messages written to /u01/app/oracle/diag/tnslsnr/270afdde9456/listener/alert/log.xml
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=0.0.0.0)(PORT=1521)(FIREWALL=OFF)))
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=0.0.0.0)(PORT=1522)(FIREWALL=OFF)))
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=0.0.0.0)(PORT=1521)(FIREWALL=OFF)))
STATUS of the LISTENER

Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 23.0.0.0.0 - for Oracle Cloud and Engineered Systems
Start Date                06-JUL-2025 02:58:57
Uptime                    0 days 0 hr. 0 min. 0 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /u01/app/oracle/product/23.0.0.0/dbhome_1/network/admin/listener.ora
Listener Log File         /u01/app/oracle/diag/tnslsnr/270afdde9456/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=0.0.0.0)(PORT=1521)(FIREWALL=OFF)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=0.0.0.0)(PORT=1522)(FIREWALL=OFF)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
The listener supports no services
The command completed successfully
TIME ELAPSED Listener started: 0 minutes and 0 seconds elapsed

SQL*Plus: Release 23.0.0.0.0 - for Oracle Cloud and Engineered Systems on Sun Jul 6 02:58:57 2025
Version 23.8.0.25.05

Copyright (c) 1982, 2025, Oracle.  All rights reserved.
Connected to an idle instance.

SQL> ORA-32004: obsolete or deprecated parameter(s) specified for RDBMS instance
ORACLE instance started.

Total System Global Area 1607613240 bytes
Fixed Size                  4922168 bytes
Variable Size             754974719 bytes
Database Buffers          721420288 bytes
Redo Buffers                8855552 bytes
In-Memory Area                    1 bytes
Vector Memory Area        117440512 bytes
Database mounted.
SQL> 
Database altered.

SQL> 
Database altered.

SQL> Disconnected from Oracle Database 23ai Enterprise Edition Release 23.0.0.0.0 - for Oracle Cloud and Engineered Systems
Version 23.8.0.25.05
TIME ELAPSED Database started: 0 minutes and 11 seconds elapsed
/u01/container_state/plug_my_container_pdb_20250706_025908.log :
Creating PDB: MYDB1
Opened PDB in read write mode: MYDB1
OFS mount done: MYDB1
Exception encountered during PDB create:ORA-01031: insufficient privileges
Successfully plugged

TIME ELAPSED to plug MYDB1: 0 minutes and 21 seconds elapsed
Password change successful for MYDB1 user admin
TIME ELAPSED Changed password: 0 minutes and 1 seconds elapsed
  adding: README (stored 0%)
  adding: adb_container.cert (deflated 24%)
  adding: cwallet.sso (stored 0%)
  adding: cwallet.sso.lck (stored 0%)
  adding: ewallet.p12 (stored 0%)
  adding: ewallet.p12.lck (stored 0%)
  adding: ewallet.pem (deflated 27%)
  adding: keystore.jks (stored 0%)
  adding: ojdbc.properties (deflated 49%)
  adding: sqlnet.ora (deflated 16%)
  adding: tnsnames.ora (deflated 88%)
  adding: truststore.jks (deflated 5%)
BUILDER: Getting custom DB name
BUILDER: Installing ORDS for MYDB1

ORDS: Release 25.1 Production on Sun Jul 06 02:59:31 2025

Copyright (c) 2010, 2025, Oracle.

Configuration:
  /u01/ords

Oracle REST Data Services - Non-Interactive Customer Managed ORDS for Autonomous Database
Connecting to Autonomous database user: ADMIN TNS Service: MYDB1_low
Retrieving information
The setting named: db.wallet.zip.path was set to: /u01/ords/wallet.zip in configuration: default
The setting named: db.wallet.zip.service was set to: MYDB1_low in configuration: default
The setting named: db.username was set to: ORDS_PUBLIC_USER2 in configuration: default
The setting named: db.password was set to: ****** in configuration: default
The setting named: plsql.gateway.mode was set to: proxied in configuration: default
The setting named: feature.sdw was set to: true in configuration: default
The global setting named: database.api.enabled was set to: true
The setting named: restEnabledSql.active was set to: true in configuration: default
The setting named: security.requestValidationFunction was set to: ords_util.authorize_plsql_gateway in configuration: default
------------------------------------------------------------
Date       : 06 Jul 2025 02:59:33
Release    : Oracle REST Data Services 25.1.0.r1001652

Database   : Oracle Database 23ai Enterprise Edition  
DB Version : 23.8.0.25.05
------------------------------------------------------------
Container Name: MYDB1
------------------------------------------------------------

[*** script: ords_runtime_user.sql] 

PL/SQL procedure successfully completed.
[*** script: ords_gateway_user.sql] 

PL/SQL procedure successfully completed.

[*** Info: Completed configuring for Customer Managed Oracle REST Data Services version 25.1.0.r1001652. Elapsed time: 00:00:02.259 
 ]
BUILDER: Setting global properties for ORDS

ORDS: Release 25.1 Production on Sun Jul 06 02:59:37 2025

Copyright (c) 2010, 2025, Oracle.

Configuration:
  /u01/ords

The global setting named: mongo.enabled was set to: true
ORDS: Release 25.1 Production on Sun Jul 06 02:59:39 2025

Copyright (c) 2010, 2025, Oracle.

Configuration:
  /u01/ords

The global setting named: mongo.port was set to: 27017

ORDS: Release 25.1 Production on Sun Jul 06 02:59:41 2025

Copyright (c) 2010, 2025, Oracle.

Configuration:
  /u01/ords

The global setting named: standalone.https.port was set to: 8443

ORDS: Release 25.1 Production on Sun Jul 06 02:59:43 2025

Copyright (c) 2010, 2025, Oracle.

Configuration:
  /u01/ords

The global setting named: security.httpsHeaderCheck was set to: X-Forwarded-Proto: https
TIME ELAPSED ORDS INSTALL: 0 minutes and 13 seconds elapsed
Owner: CN=270afdde9456
Issuer: CN=270afdde9456
Serial number: 30007519d47ae375342cf46ad3265c428593d2ce
Valid from: Sun Jul 06 02:59:44 UTC 2025 until: Wed Jul 04 02:59:44 UTC 2035
Certificate fingerprints:
         SHA1: 85:6F:14:45:BC:11:02:76:47:7D:46:C5:59:AF:8C:E0:B4:BE:79:C8
         SHA256: 7E:C1:7C:EE:F9:D3:A0:B6:30:60:C8:D0:50:4A:B8:9D:B4:6E:2D:7D:9D:49:0F:2C:8D:05:48:86:C1:B2:17:74
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Extensions: 

...
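
Added example, not part of the original report or of the adb-free project: the PKIX error above means the JVM's trust store does not contain the container's self-signed certificate, and one way to supply it without editing the JRE's cacerts is a dedicated trust store that is built only after the certificate's SHA-256 fingerprint matches the one the container printed in its log. The function names, the trust store path and the TRUSTSTORE_PASS variable are assumptions of this example; the keytool options are standard JDK ones.

```shell
#!/bin/sh
# Added example: pin the adb-free self-signed certificate in its own trust store.
# Function names, paths and TRUSTSTORE_PASS are assumptions; keytool must be on PATH.

# Strip separators and upper-case, so "7e:c1:.." and "7EC1.." compare equal.
normalize_fp() { printf '%s' "$1" | tr -d ': \t\r\n' | tr 'a-f' 'A-F'; }

# Read `podman logs adb-free` or `keytool -printcert` output on stdin and
# print the first SHA256 fingerprint found in it.
sha256_from_text() {
  sed -n 's/^[[:space:]]*SHA256:[[:space:]]*\([0-9A-Fa-f:]*\).*$/\1/p' | head -n 1
}

# Fingerprint of a certificate file as keytool reports it.
cert_sha256() { keytool -printcert -file "$1" | sha256_from_text; }

# Succeeds only when both values are full SHA-256 fingerprints and identical.
fp_matches() (
  a=$(normalize_fp "$1")
  b=$(normalize_fp "$2")
  [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
)

# usage: pin_cert <cert-file> <expected-fingerprint> <truststore-path>
# Imports the certificate into a new PKCS12 trust store, but only after the
# fingerprint check passes. The store password is read from $TRUSTSTORE_PASS.
pin_cert() {
  fp_matches "$(cert_sha256 "$1")" "$2" || {
    echo "fingerprint mismatch, refusing to trust $1" >&2
    return 1
  }
  keytool -importcert -noprompt -alias adb_container_certificate \
    -file "$1" -keystore "$3" -storetype PKCS12 \
    -storepass:env TRUSTSTORE_PASS
}

# Typical use (not executed here):
#   expected=$(podman logs adb-free 2>&1 | sha256_from_text)
#   export TRUSTSTORE_PASS='a-new-password-for-this-store'
#   pin_cert adb_container.cert "$expected" "$HOME/adb-free-truststore.p12"
```

Point the client JVM at the result with the standard JSSE properties `-Djavax.net.ssl.trustStore`, `-Djavax.net.ssl.trustStoreType=PKCS12` and `-Djavax.net.ssl.trustStorePassword`. A store password belongs to the key store file itself, so the JRE's cacerts has its own password (the JDK default is `changeit`) that is unrelated to the container's WALLET_PASSWORD or ADMIN_PASSWORD.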
