Background
My post Getting started with the Oracle Private AI Services Container shared how to install and configure the container. That post also demonstrated how to access the container, and finished by generating an embedding for some text over HTTPS.
Introduction
In this post I will share how to configure a Linux server's trust store, and how to test secure access to the Oracle Private AI Services Container.
Testing Secure Access
Test 1 – Providing no Cert
Let's try accessing the Private AI Container using curl -i (include) over HTTPS without providing a certificate.
$ curl -i https://localhost:8443/health
curl: (60) SSL certificate problem: self-signed certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
As expected, the REST call to the Oracle Private AI Container health endpoint fails.
Test 2 – With Cert
Repeat the test, but this time provide the certificate using curl --cacert <file>, to confirm the certificate is valid.
$ curl -I --cacert /home/oracle/myPrivateAI/aisecrets/cert.pem https://localhost:8443/health
HTTP/1.1 200 OK
date: Tue, 16 Jun 2026 14:14:48 GMT
x-ratelimit-limit-requests: 60
x-ratelimit-remaining-requests: 59
x-ratelimit-reset-requests: 1
x-server-id: 2fd4b0a9-2456-4dd5-9ede-58198d762a2f
content-length: 0
Great, success!
Install Cert.
Install the Oracle Private AI Services Container certificate by copying the generated certificate into the /etc/pki/ca-trust/source/anchors/ directory.
Update the certificate store with update-ca-trust.
Use trust list to confirm the certificate has been installed successfully, for example:
# cat /etc/oracle-release
Oracle Linux Server release 9.5
# sudo cp /home/oracle/myPrivateAI/aisecrets/cert.pem /etc/pki/ca-trust/source/anchors/
# update-ca-trust
# trust list | more
pkcs11:id=%E5%C4%FC%F0%84%A1%71%D5%98%69%44%4B%99%2A%5A%11%E7%A0%DF%4F;type=cert
type: certificate
label: z-re-ora1.uklab.purestorage.com
trust: anchor
category: authority
Note: If no longer required, delete the certificate from the /etc/pki/ca-trust/source/anchors/ directory and remove it from the server's trust store using trust anchor --remove "pkcs11:id=<ID>", for example:
$ trust anchor --remove "pkcs11:id=%78%B9%ED%2E%9B%69%56%51%CA%CB%E5%A5%CF%8F%AD%0E%7E%F6%E1%5A;type=cert"
$ update-ca-trust
$ trust list
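A pre-flight check to run on cert.pem before copying it into /etc/pki/ca-trust/source/anchors/ (an added example, not from the original post): it confirms the SAN covers every host name clients will use, checks the remaining validity, and prints the SHA-256 fingerprint. The function names and the throwaway certificate are constructed for illustration.

```bash
# Added example: checks to run on a certificate before making it a system trust anchor.
# Function names and the sample certificate below are constructed for illustration.

# Succeeds if the certificate's SAN (or CN when no SAN exists) covers the host name.
cert_covers_host() {    # usage: cert_covers_host <cert.pem> <host>
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Succeeds if the certificate is still valid <seconds> from now.
cert_valid_for() {      # usage: cert_valid_for <cert.pem> <seconds>
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Succeeds if subject and issuer are identical, as in the curl -v output on this page.
cert_is_self_signed() { # usage: cert_is_self_signed <cert.pem>
  local s i
  s=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253); s=${s#subject=}
  i=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253); i=${i#issuer=}
  [ "$s" = "$i" ]
}

# Prints one line per check; returns non-zero if any host or the expiry check fails.
preflight() {           # usage: preflight <cert.pem> <host>...
  local cert="$1" host rc=0
  shift
  for host in "$@"; do
    if cert_covers_host "$cert" "$host"; then echo "OK   SAN covers $host"
    else echo "FAIL SAN does not cover $host"; rc=1; fi
  done
  if cert_valid_for "$cert" $((30 * 86400)); then echo "OK   valid for 30+ days"
  else echo "FAIL expires within 30 days"; rc=1; fi
  if cert_is_self_signed "$cert"; then echo "NOTE self-signed: no CA vouches for it"; fi
  echo "INFO $(openssl x509 -in "$cert" -noout -fingerprint -sha256)"
  return "$rc"
}

# Constructed sample: throwaway self-signed certificate, SAN lists only "localhost".
make_sample_cert() {    # usage: make_sample_cert <dir>; prints the certificate path
  openssl req -x509 -newkey rsa:2048 -nodes -days 60 \
    -subj "/CN=constructed.example" -addext "subjectAltName=DNS:localhost" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
  echo "$1/cert.pem"
}

SAMPLE_CERT=$(make_sample_cert "$(mktemp -d)")
# The second host is absent from the SAN, so preflight reports FAIL for it.
preflight "$SAMPLE_CERT" localhost constructed.example || echo "preflight: do not install yet"
```

On the real host, pass the container's cert.pem and every host name clients will use, for example localhost and the server's FQDN.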
Test 3 – without Cert.
Repeat the first test, this time with curl -v (verbose), to confirm that it now succeeds and that the system certificate store is being used (see the CAfile line in the output).
$ curl -v https://localhost:8443/health
..
Trying 127.0.0.1:8443...
Connected to localhost (127.0.0.1) port 8443 (#0)
ALPN, offering h2
ALPN, offering http/1.1
CAfile: /etc/pki/tls/certs/ca-bundle.crt
TLSv1.0 (OUT), TLS header, Certificate Status (22):
TLSv1.3 (OUT), TLS handshake, Client hello (1):
TLSv1.2 (IN), TLS header, Certificate Status (22):
TLSv1.3 (IN), TLS handshake, Server hello (2):
TLSv1.2 (IN), TLS header, Finished (20):
TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
TLSv1.2 (IN), TLS header, Unknown (23):
TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
TLSv1.3 (IN), TLS handshake, Certificate (11):
TLSv1.3 (IN), TLS handshake, CERT verify (15):
TLSv1.3 (IN), TLS handshake, Finished (20):
TLSv1.2 (OUT), TLS header, Finished (20):
TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
TLSv1.2 (OUT), TLS header, Unknown (23):
TLSv1.3 (OUT), TLS handshake, Finished (20):
SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
ALPN, server did not agree to a protocol
Server certificate:
subject: CN=z-re-ora1.uklab.purestorage.com
start date: May 19 14:33:36 2026 GMT
expire date: May 19 14:33:36 2027 GMT
subjectAltName: host "localhost" matched cert's "localhost"
issuer: CN=z-re-ora1.uklab.purestorage.com
SSL certificate verify ok.
TLSv1.2 (OUT), TLS header, Unknown (23):
GET /health HTTP/1.1
Host: localhost:8443
User-Agent: curl/7.76.1
Accept: */*
TLSv1.2 (IN), TLS header, Unknown (23):
TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
TLSv1.2 (IN), TLS header, Unknown (23):
Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< date: Tue, 16 Jun 2026 16:18:04 GMT
< x-ratelimit-limit-requests: 60
< x-ratelimit-remaining-requests: 59
< x-ratelimit-reset-requests: 1
< x-server-id: 2fd4b0a9-2456-4dd5-9ede-58198d762a2f
< content-length: 0
<
Connection #0 to host localhost left intact
Test 4 – Secure Access
And finally, use curl to get details of the all-minilm-l12-v2 model from the Oracle Private AI Services Container using /v1/models/{id}, for example:
$ curl -s --header "Authorization: Bearer ${TOKEN}" \
https://z-re-ora1.uklab.purestorage.com:8443/v1/models/{${MODEL}} | jq
{
  "id": "all-minilm-l12-v2",
  "modelDeployedTime": "2026-05-06T12:05:39.803350098Z",
  "modelSize": "127.13M",
  "modelCapabilities": [
    "TEXT_EMBEDDINGS"
  ]
}
Summary
In this blog post I have shared how to install a certificate into an Oracle Linux trust store, test connectivity, and securely access the Private AI Services Container using curl.
In my next blog post I will share how we can call the Oracle Private AI Services Container end-point from within an Oracle AI Database 26ai, without configuring an Oracle database wallet.

