Authentication

Microsoft Azure Active Directory Integration

You can log in to Oracle Databases using your Microsoft Azure Active Directory (Azure AD) single sign-on OAuth2 access token. This feature has been backported to Oracle Database release 19.16 and later, but not to Oracle Database 21c.

New features for Oracle Database 23ai include support for Azure AD v2 tokens and retrieving the tokens directly with the Oracle Database clients. Use of scripts to retrieve tokens for end-users will not be necessary when using the OAuth2 interactive flow.

This multi-cloud feature integrates authentication and authorization between Azure AD and Oracle Databases.


ODP.NET: Azure Active Directory Single Sign-On

ODP.NET can log in to Oracle databases using a Microsoft Azure Active Directory (Azure AD) OAuth 2.0 access token. Users can sign on once with Azure AD, acquire the token, and access their on-premises and cloud-based Oracle databases. This feature is available in ODP.NET Core and managed ODP.NET.

This multicloud capability eases authentication and authorization between Azure AD and Oracle Databases by simplifying user access and management.


Increased Oracle Database Password Length

Oracle Database now supports passwords up to 1024 bytes in length. In previous releases, the Oracle Database password length and the secure role password length could be up to 30 bytes.

Increasing the password length supports an industry-wide trend for stronger authentication. In cases where passwords must be used, the increased length permits passwords that are more difficult to guess.


JDBC-Thin Support for Longer Passwords

Passwords for database user authentication can now be as long as 1024 characters.

This feature fosters increased authentication security for Java applications in Cloud and On-premises environments.


Oracle Data Pump Export and Import Support for Longer Encryption Passwords

Oracle Data Pump can protect export files with encryption passwords up to 1024 bytes long.

Oracle Data Pump enhances security by supporting encryption passwords up to 1024 bytes long.


Oracle Call Interface (OCI) and Oracle C++ Call Interface (OCCI) Password Length Increase

Oracle Call Interface (OCI) and Oracle C++ Call Interface (OCCI) now support passwords for database user authentication up to 1024 bytes long.

This feature allows longer passwords to be used to improve security. It also aids database use with tools that generate long passwords.


Updated Kerberos Library and Other Improvements

Oracle Database supports MIT Kerberos library version 1.21.2, and provides cross-domain support for accessing resources in other domains.

This Kerberos enhancement improves security and allows Kerberos to be used in more Oracle Database environments.


Enhancements to RADIUS Configuration

RADIUS is frequently used to provide multi-factor authentication (MFA) for Oracle Database. Oracle Database 23ai now supports the RFC 6613 and 6614 guidelines for RADIUS and implements TCP over Transport Layer Security (TLS) by default. This enhancement introduces new RADIUS-related sqlnet.ora parameters to support the new standards. The enhancement also deprecates several RADIUS-related sqlnet.ora parameters that are no longer needed to support the new standards.

This update to RADIUS standards support improves security for customers using RADIUS-based authentication.


UTL_HTTP Support for SHA-256 and Other Digest Authentication Standards

UTL_HTTP is extended to support both SHA-256 and SHA-512/256 for digest authentication, to ensure forward compatibility.

UTL_HTTP can be seen as an API for client-side HTTP access, much like a standard browser. Support for both SHA-256 and SHA-512/256 for digest authentication puts UTL_HTTP on par with standard browsers.


XDB HTTP SHA512 Digest Authentication

The Oracle XDB HTTP protocol server now supports SHA512 digest authentication, which is a more secure digest algorithm than MD5.

This feature improves security when using Oracle XDB from the web.


Ability of OCI and Instant Client to Directly Retrieve Microsoft Entra ID (Azure AD) OAuth2 Tokens

Oracle Call Interface (OCI) and Oracle Database Instant Client now can retrieve a Microsoft Entra ID (formerly Azure AD) OAuth2 token directly from Entra ID instead of relying on a separate script or process to retrieve the token first.

This design improves the interactive flow between the database server and the client when users connect to the database (for example, with SQL*Plus).

This enhancement simplifies the configuration that an end-user must perform in order to retrieve tokens. In previous releases, the end-user had to run a script to get the token from Entra ID before starting SQL*Plus or any other OCI utilities. Now, the token retrieval is part of OCI. This enhancement is similar to recent enhancements with the JDBC-thin and ODP.NET core and managed clients.


Microsoft Entra ID (Azure AD) Integration Now Supported on AIX, Solaris, and HPUX

The Microsoft Entra ID (previously Azure AD) integration is now available to all Oracle Database users regardless of the server operating system platform. 

In addition to the newly supported AIX, Solaris, and HPUX platforms, Linux and Windows are still supported. This feature is supported with the Oracle Cloud Infrastructure (OCI) full client and instant clients on Windows and Linux only.


New Parameters to Specify Wallet Certificate and Keys

The orapki command line utility now enables you to store alias names and thumbprint signatures in an Oracle wallet.

These enhancements enable users to do the following:

  • Specify private keys using their thumbprint or alias in a connect string.
  • Use the thumbprint to specify a private key in the Microsoft Certificate Store (MCS).
  • Store certificates with their serial numbers to simplify specifying certificates or removing certificates.

This enhancement affects the orapki wallet add, orapki wallet remove, and orapki wallet display commands. The benefit of this feature is the simplification of managing wallets and selecting certificates through the new thumbprint, alias, and serial number parameters.


mkstore Features Included in orapki

mkstore features have been incorporated into the orapki command line utility to simplify the management of Oracle Database wallets, certificates, and secrets.

The new commands in orapki support the following capabilities of mkstore:

  • The ability to create, modify and delete secret store credentials and entries
  • The ability to list specific secret store credentials and entries
  • The ability to delete a wallet

The capabilities are supported with the orapki secretstore command.

The mkstore utility has been deprecated. Oracle recommends that you use orapki instead.
