Release Update 19.31
This page describes the features and behavioral changes that are new in Release Update 19.31.
File-Group Metadata Visibility Evaluation Updated
The READ ANY FILE GROUP privilege is deprecated for use in ALL_FILE_GROUPS visibility evaluation. This privilege was previously being used to expose all file-group records through ALL_FILE_GROUPS, which was functionally equivalent to granting SELECT on the corresponding DBA_ file-group views, and it was not intended for performing file-group operations. Customers should instead use the supported access model, such as appropriate SELECT access to the relevant views for metadata visibility, while MANAGE ANY FILE GROUP remains the privilege for performing file-group management operations.
This change clarifies the distinction between metadata visibility and file-group management privileges, reduces ambiguity in access control, and aligns file-group behavior with the intended security and administration model.
In-Place Conversion to Immutable Tables and Parallel CTAS Support
The following enhancements have been introduced for blockchain and immutable tables:
- In-place conversion to immutable tables: Adds DDL support to convert an existing table into an immutable table.
- Parallel CTAS support: Enables parallel execution for creating blockchain tables using the
CREATE TABLE AS SELECT(CTAS) operation.
These enhancements to blockchain and immutable tables improve both usability and performance during their creation.
Introduction of HS_IDLE_TIMEOUT for Heterogeneous Services (HS) extproc init Parameter HS_IDLE_TIMEOUT
This enhancement introduces the HS_IDLE_TIMEOUT initialization parameter to provide granular control over extproc session termination. It allows administrators to either honor, override, or disable the inherited SQLNET.INBOUND_CONNECT_TIMEOUT settings. The parameter supports values ranging from 0 to 9,999 minutes.
This feature improves system stability and reduces intermittent connection failures, such as ORA-28576, by allowing tailored idle timeout configurations for external procedures. This ensures that critical long-running processes are not prematurely terminated by generic network security timeouts, while still allowing for the efficient reclamation of idle system resources.
Kerberos Constrained Delegation for DBLink
This feature enables Oracle Database links to continue working in Kerberos-authenticated environments that use Microsoft Active Directory, especially on Windows 11/Windows Server 2025 systems where Microsoft’s newer Kerberos delegation constraints prevent the old ticket-forwarding behavior.
The feature prevents DBLink breakage for customers using Microsoft Kerberos authentication, removes dependence on Microsoft’s deprecated registry workaround, and protects critical customer deployments from functional regressions in widely used Windows identity environments.
ONS Support for Disabling Weak Elliptic Curves for TLS
Oracle Notification Service (ONS) now supports disabling weak elliptic curves used during ECDH/ECDHE key exchange. A new ONS configuration parameter, DISABLE_WEAK_CURVES, allows TLS negotiation to be restricted to approved strong elliptic curves only. When enabled, weak EC curves are excluded during TLS handshakes.
To enable this feature, run the following command on any cluster node from the Grid Infrastructure home:
srvctl setenv nodeapps -onsonly -env DISABLE_WEAK_CURVES='yes'
This enhancement strengthens ONS TLS security, helps organizations meet compliance and vulnerability-scanning requirements, and provides a simple configuration-based method to harden ONS deployments against weak elliptic curve usage.
Parallel Verification of Blockchain Tables
There is now a new PL/SQL stored procedure that performs parallel verification of blockchain tables.
This feature significantly speeds up verification of data integrity (detecting deletion or tampering) by parallelizing the process through a new PL/SQL stored procedure, allowing more frequent verifications with less impact on other database workloads.
Standard Audit Actions to Include Equivalent Real Application Security (RAS) Actions
When you configure an audit policy on regular database user and role actions, the equivalent RAS user and role actions are now also audited.
For example, if an audit policy contains audit of database CREATE USER action, it also audits the RAS Create User action (XS_PRINCIPAL.CREATE_USER procedure call).
To improve usability and address security concerns, auditing the CREATE USER action now includes all forms of CREATE USER operations in the database.