10.5 Database Security in a Multitenant Environment

Oracle Multitenant Isolation is a set of security principles implemented by the Oracle Multitenant Architecture. It is designed to guard each tenant's data, and the overall performance integrity of all aspects of Oracle Database, both on-premises and on Oracle Cloud Infrastructure.

Oracle Multitenant Isolation is supported with PDB lockdown profiles and PDB initialization options, such as PATH_PREFIX and PDB_OS_CREDENTIAL. Oracle JVM has supported Multitenant Isolation since Oracle Database Release 12c. This section describes the PDB lockdown profile features and PDB initialization parameters that Oracle JVM currently supports.

Supported PDB Lockdown Profile Features

JAVA
    Disables or enables Java in the Database as a whole.

OS_ACCESS (Bundle)
    Disables or enables all kinds of OS access from Java.

JAVA_RUNTIME
    Disables or enables Java operations that require java.lang.RuntimePermission. It disables risky operations such as creating or retrieving class loaders, replacing the security manager, and so on.

JAVA_OS_ACCESS
    Disables or enables JVM file operations as well as the ability to grant Java permissions of type java.io.FilePermission, which in effect disables the ability to access files using Java. It is a feature under the OS_ACCESS bundle. See Footnote 1.

NETWORK_ACCESS (Bundle)
    Disables or enables all networking to and from Java.

JAVA_TCP
    Disables or enables Java TCP operations. It is a feature under the NETWORK_ACCESS bundle. Refer to the following section for more information.

JAVA_HTTP
    Disables or enables Java HTTP operations. It is a feature under the NETWORK_ACCESS bundle. Refer to the following section for more information.

Footnote 1 The name of the feature is historical and may be confusing. This feature is related only to file access and not all Java OS operations. Refer to the following section for details about enabling Java file operations, while disabling other kinds of OS operations.

Supported PDB Initialization Parameters and Clauses

PATH_PREFIX
    (Clause of the CREATE PLUGGABLE DATABASE statement)
    Confines OS file access to paths within the PATH_PREFIX directory, regardless of the file access permission grants that are in effect.

PDB_OS_CREDENTIAL
    (Initialization parameter)
    Forces Oracle JVM to use the specified OS user identity, and not the Oracle user identity, when forking OS processes through Runtime.exec().

Starting from the current release, Oracle JVM enhances the support for PDB lockdown profiles, providing more flexibility as described in the following section:

Note:

The enhancements described in the following section are also available in Oracle Database Release 19c and 21c through backports.

Additional Flexibility in Specifying Oracle JVM OS Access Restrictions

The enhancements to the PDB isolation feature provide the following additional flexibility in specifying the Oracle JVM Operating System (OS) Access Restrictions in the PDB lockdown profiles:

New Role of JAVA_OS_ACCESS Lockdown Profile Feature

The existing JAVA_OS_ACCESS lockdown profile feature, which controls the java.io.FilePermission Java permission, is assigned a new, closely-related role. It now controls the file-access checks in the Oracle JVM run time. This new role blends well with its existing role of controlling the file permissions.

The OS_ACCESS Lockdown Feature Bundle

You can still use the existing OS_ACCESS lockdown profile feature bundle to disable file access in the Oracle JVM run time, as long as its constituent feature JAVA_OS_ACCESS is not explicitly enabled, which would re-enable the file-access checks of Oracle JVM.

Examples of Enhanced Oracle JVM OS Access Restrictions

This section describes how to take advantage of the enhanced Oracle JVM OS access restrictions:

Earlier, you used the following command to disable all OS access from Java:

    ALTER LOCKDOWN PROFILE my_profile1 DISABLE FEATURE = ('OS_ACCESS');

Now, you can use the following commands to disable all OS access from Java except file access (the bundle is disabled first, then the single feature is re-enabled):

    ALTER LOCKDOWN PROFILE my_profile2 DISABLE FEATURE = ('OS_ACCESS');
    ALTER LOCKDOWN PROFILE my_profile2 ENABLE FEATURE = ('JAVA_OS_ACCESS');

Complete Example

This is a complete example that demonstrates the following:

  • Creating a new PDB with the PATH_PREFIX clause value set
  • Creating a new lockdown profile that disables all types of OS access, except for Java file operations
  • Linking the new lockdown profile to the PDB
  • Granting users in the new PDB the ability to read and write files inside the PATH_PREFIX directory

Example 10-6 Complete Example Demonstrating Oracle JVM OS Access Restrictions

  1. Create a PDB named cdb1_pdb5 while connected to the CDB root (cdb1_pdb0) as SYS, setting PATH_PREFIX so that all OS file access from the PDB is confined to /d1/pdbs/pdb5/:
        create pluggable database cdb1_pdb5 admin user admin identified by manager
          file_name_convert = ('cdb1_pdb0','cdb1_pdb5') path_prefix = '/d1/pdbs/pdb5/';
  2. Create a lockdown profile that disables the OS_ACCESS and NETWORK_ACCESS feature bundles and re-enables only the JAVA_OS_ACCESS feature:
        create lockdown profile java_profile;
        alter lockdown profile java_profile disable feature = ('OS_ACCESS');
        alter lockdown profile java_profile disable feature = ('NETWORK_ACCESS');
        alter lockdown profile java_profile enable feature = ('JAVA_OS_ACCESS');
  3. Associate the JAVA_PROFILE lockdown profile with the cdb1_pdb5 PDB:
        alter session set container = cdb1_pdb5;
        alter system set pdb_lockdown = java_profile;
  4. Restart the database after altering the system, then grant the local PDB admin the privileges it needs:
        alter session set container = cdb1_pdb0; -- this is the root
        shutdown abort
        startup pfile = t_initvm1.ora
        alter pluggable database all open;
        alter session set container = cdb1_pdb5;
        grant create session, create procedure, create public synonym to admin;
        grant create table to admin;
        -- add other grants to the local PDB admin as required
  5. Grant user ADMIN the Java permission for file access operations inside the PATH_PREFIX directory:
        -- the trailing '/-' in a java.io.FilePermission path matches the directory and everything beneath it
        call dbms_java.grant_permission('ADMIN', 'SYS:java.io.FilePermission',
                                        '/d1/pdbs/pdb5/-', 'read,write,delete');
  6. Create a regular user in cdb1_pdb5:
        create user juser identified by juser;
        grant create session to juser;
  7. Grant juser narrower Java permissions for file access operations, limited to individual files:
        call dbms_java.grant_permission('JUSER', 'SYS:java.io.FilePermission',
                                        '/d1/pdbs/pdb5/file1.txt', 'read');
        call dbms_java.grant_permission('JUSER', 'SYS:java.io.FilePermission',
                                        '/d1/pdbs/pdb5/file2.txt', 'read,write');
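The following verification script is an added example, not part of the Oracle documentation or of Example 10-6. It assumes the java_profile profile, the cdb1_pdb5 PDB and the ADMIN and JUSER users created above exist, and it uses the DBA_LOCKDOWN_PROFILES and DBA_JAVA_POLICY dictionary views plus a small Java stored function (FileProbe, a hypothetical name) to confirm that the lockdown profile and the file permission grants behave as intended.

```sql
-- Constructed verification script; assumes java_profile, cdb1_pdb5, ADMIN and
-- JUSER from Example 10-6. Run sections 1-2 as a CDB administrator and section 3
-- as JUSER (who also needs CREATE PROCEDURE for the stored function).

-- 1. Which features does the profile disable or enable? Expect OS_ACCESS and
--    NETWORK_ACCESS with STATUS = 'DISABLE' and JAVA_OS_ACCESS with 'ENABLE'.
SELECT rule, status
  FROM dba_lockdown_profiles
 WHERE profile_name = 'JAVA_PROFILE' AND rule_type = 'FEATURE'
 ORDER BY rule;

-- 2. Every file permission granted in the PDB, flagging paths that escape the
--    PATH_PREFIX directory. PATH_PREFIX still confines such grants at run time,
--    but they indicate a grant that should be narrowed.
SELECT grantee, name AS file_path, action, enabled,
       CASE WHEN name LIKE '/d1/pdbs/pdb5/%' THEN 'inside PATH_PREFIX'
            ELSE 'OUTSIDE PATH_PREFIX - review' END AS scope
  FROM dba_java_policy
 WHERE type_name = 'java.io.FilePermission' AND kind = 'GRANT'
 ORDER BY grantee, name;

-- 3. Exercise the controls from Java. Reading file1.txt succeeds for JUSER;
--    a path outside the prefix (constructed, /d1/other/outside.txt) is rejected
--    with an exception, which is the intended outcome.
CREATE OR REPLACE AND COMPILE JAVA SOURCE NAMED "FileProbe" AS
import java.io.*;
public class FileProbe {
    // Returns the first line of the file, or the exception class name when blocked.
    public static String firstLine(String path) {
        try (BufferedReader r = new BufferedReader(new FileReader(path))) {
            return r.readLine();
        } catch (Exception e) {
            return "BLOCKED: " + e.getClass().getName();
        }
    }
}
/
CREATE OR REPLACE FUNCTION file_probe(p_path VARCHAR2) RETURN VARCHAR2
  AS LANGUAGE JAVA NAME 'FileProbe.firstLine(java.lang.String) return java.lang.String';
/
SELECT file_probe('/d1/pdbs/pdb5/file1.txt') AS allowed,
       file_probe('/d1/other/outside.txt')   AS denied
  FROM dual;
```

If section 2 reports a grant outside the prefix, revoke it with dbms_java.revoke_permission and re-grant a path under /d1/pdbs/pdb5/ rather than relying on PATH_PREFIX alone.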

Additional Flexibility in the Oracle JVM Networking Access Restrictions

The enhancements to the PDB isolation feature provide the following additional flexibility in specifying the Oracle JVM Networking Access Restrictions in the PDB lockdown profiles:

New Lockdown Profile Feature JAVA_TCP

The existing NETWORK_ACCESS lockdown profile feature bundle receives a new feature JAVA_TCP that controls the TCP operations in the Oracle JVM run time. It is analogous to the existing UTL_TCP lockdown profile feature that controls the PL/SQL TCP functionality.

New Lockdown Profile Feature JAVA_HTTP

The existing NETWORK_ACCESS lockdown profile feature bundle receives a new feature JAVA_HTTP that controls the HTTP operations in the Oracle JVM run time. It is analogous to the existing UTL_HTTP lockdown profile feature that controls the PL/SQL HTTP functionality.

The NETWORK_ACCESS Lockdown Profile Feature Bundle

You can still use the existing NETWORK_ACCESS lockdown profile feature bundle to disable networking in the Oracle JVM run time as a whole.

Important Notes for Database Administrators

This release further enhances the ability of CDB Database Administrators to configure safe lockdowns for PDBs that allow file access from Oracle JVM. For security and isolation, always use the PATH_PREFIX clause when any form of file access is allowed for PDBs.

This section summarizes the important enhancements made to the PDB isolation feature for CDB administrators:

  • Earlier, disabling the OS_ACCESS feature in a lockdown profile meant disabling all OS access from Java, including file operations. Now, a lockdown profile can enable only the Java file operations, while other types of OS access from Java remain disabled:
        ALTER LOCKDOWN PROFILE my_profile DISABLE FEATURE ('OS_ACCESS');
        ALTER LOCKDOWN PROFILE my_profile ENABLE FEATURE ('JAVA_OS_ACCESS');
  • Earlier, disabling the NETWORK_ACCESS feature in a lockdown profile meant disabling all network access from Java. Now, a lockdown profile can selectively enable HTTP connectivity for Oracle JVM, while other types of networking remain disabled:
        ALTER LOCKDOWN PROFILE my_profile DISABLE FEATURE ('NETWORK_ACCESS');
        ALTER LOCKDOWN PROFILE my_profile ENABLE FEATURE ('JAVA_HTTP');
  • Earlier, disabling the NETWORK_ACCESS feature in a lockdown profile meant disabling all network access from Java. Now, a lockdown profile can selectively enable TCP connectivity for Oracle JVM, while other types of networking remain disabled:
        ALTER LOCKDOWN PROFILE my_profile DISABLE FEATURE ('NETWORK_ACCESS');
        ALTER LOCKDOWN PROFILE my_profile ENABLE FEATURE ('JAVA_TCP');

See Also: