oonnx2oracle
Guide 04

Connect to Oracle ADB

Local Docker is the shortest demo. Real work happens against Autonomous Database. There are two paths, and the walletless mTLS one is genuinely simpler.

Path A — Walletless mTLS (preferred)

ADB instances provisioned with mTLS can accept an mTLS connection string that embeds the wallet info directly. No ZIP to unpack, no TNS_ADMIN to configure. Since 2024 this is the default way to connect from Python.

01

Grab the mTLS connection string

From the OCI console: your ADB instance → Database connectionmTLS authentication required → copy the connection string. It looks like:

(description= (retry_count=20)(retry_delay=3)
  (address=(protocol=tcps)(port=1522)(host=adb.us-ashburn-1.oraclecloud.com))
  (connect_data=(service_name=abc123_mydb_high.adb.oraclecloud.com))
  (security=(ssl_server_dn_match=yes)))
02

Call the loader with a --dsn

Collapse the description into one line, prefix with admin/password@, and pass it through. The Python driver parses it directly.

$ onnx2oracle load all-MiniLM-L6-v2 \
    --dsn 'admin/YourStrongPass@(description=...service_name=..._high...)'
03

Or put it in the env

DSN resolution walks --dsnORACLE_DSN~/.onnx2oracle/config.toml → local. Shell-wide exports win over CI flags only if you forget the flag.

$ export ORACLE_DSN='admin/YourStrongPass@(description=...)'
$ onnx2oracle load all-MiniLM-L6-v2
$ onnx2oracle verify
Service levels. ADB exposes five levels (_high, _medium, _low, _tp, _tpurgent). For model loading and verification, any of them works. For production VECTOR_EMBEDDING calls at scale, _tp or _medium are the usual picks.

Path B — Classic wallet

If the instance requires the downloaded wallet (older pre-mTLS provisioning, or you want SSL_SERVER_DN_MATCH verified by file):

01

Download the wallet

Console → ADB instance → Database connectionDownload wallet. Save the ZIP, pick a passphrase, remember it.

02

Unpack and point TNS_ADMIN at it

$ mkdir -p ~/wallets/mydb
$ unzip wallet_mydb.zip -d ~/wallets/mydb
$ export TNS_ADMIN=~/wallets/mydb

The wallet bundles tnsnames.ora, sqlnet.ora, and the encrypted keystore. With TNS_ADMIN set, you can use the TNS alias directly.

03

Load against the alias

$ onnx2oracle load all-MiniLM-L6-v2 \
    --dsn 'admin/YourStrongPass@mydb_high'

Where mydb_high is one of the aliases in tnsnames.ora.

Privileges the ADMIN user needs

The default ADMIN role on ADB already has what's needed. If you load as a non-admin user (recommended for production), grant these first:

-- run as ADMIN
GRANT EXECUTE ON DBMS_VECTOR TO app_user;
GRANT CREATE MINING MODEL TO app_user;
GRANT SELECT ANY DICTIONARY TO app_user;

The SELECT ANY DICTIONARY grant is what lets verify query user_mining_models to confirm the load landed.

One-time checks

From the same shell:

$ onnx2oracle verify
$ echo $?
0

If the exit code is 0 and the cosine sanity reads 1.000, you're done. Vectors are flowing through VECTOR_EMBEDDING on ADB.

Pick a model Custom models