8.3.1.1 Prerequisites for Using the Azure App Configuration Store

Perform these steps in the Azure portal or using the Azure CLI or API, before beginning to use the Azure App Configuration store.

  • Register an OAuth application and grant authorization permissions:

    The Azure App Configuration store's administrator must register an OAuth application with Microsoft Entra ID (previously called Microsoft Azure Active Directory) using App Registrations. The administrator must also give authorization permissions to this OAuth application for accessing the Azure App Configuration store.

  • (Optional) Create Azure Key Vault for secrets and grant authorization permissions:

    You can store Oracle Database credentials and Oracle wallet data in Azure Key Vault.

    • To store Oracle Database credentials:

      Create Azure Key Vault with the database password stored as a secret in that vault.

    • To store Oracle wallet data:

      The SQLNET client applications running on multitenant cloud service environments can store wallets in remote stores. Because these applications may not have access to the wallets stored in a local system file, this feature is especially useful for Mutual Transport Layer Security (mTLS) connections that require file system access to keep the wallet.

      To store wallet data, you first convert an auto-login wallet file (cwallet.sso) to a Base64 format, and then create Azure Key Vault with the Base64-formatted cwallet.sso value stored as a secret.

      1. Convert your cwallet.sso file to a Base64 format.

        A common way to convert cwallet.sso to Base64 is by using the following base64 command on Linux:

        cat cwallet.sso | base64 -w 0 > file_to_upload

        Here, file_to_upload is the output file that receives the Base64-encoded contents of the cwallet.sso file that you want to convert.

      2. Create Azure Key Vault, pasting the Base64-formatted string of the cwallet.sso file as the secret contents, without any new lines.

    You will later add a Key Vault reference to this vault in Azure App Configuration. The Azure App Configuration store's administrator must give authorization permissions to the registered OAuth application for accessing this vault.

    For detailed information on how to perform these steps, see Azure Key Vault Documentation.

  • Understand how to organize keys in Azure App Configuration:

    Keys ending with connect_descriptor, user, password, and wallet_location serve as identifiers for key-values, and are used to store and retrieve corresponding values for the database connection.

    The connect_descriptor keys (keys ending with connect_descriptor) store connection descriptors, also known as TNS connection strings.

    It is a common practice to organize keys into a hierarchical namespace by using a character delimiter, such as / (slash), & (ampersand), or : (colon). Use a convention that suits your application. The examples here use / (slash) as a character delimiter to organize keys.

    An application user can organize connect descriptors under a prefix as per application requirements, and set up authentication and authorization for all such keys in Azure App Configuration. Optionally, you can add database credentials (such as the user name and password of the database user), wallet location, and Oracle Call Interface attributes under the same prefix:
    • prefix/connect_descriptor (required)

    • prefix/user (optional)

    • prefix/password (optional)

    • prefix/wallet_location (optional)

    • prefix/oci (optional)

    The portion of a key without the connect_descriptor suffix is treated as a prefix for deriving the database user name, database password, and OCI attributes. After the prefix is derived, database clients look for a key ending with the user suffix for the database user name, a key ending with the password suffix for the database password, a key ending with the wallet_location suffix for the wallet directory, and a key ending with the oci suffix for OCI attributes.

    A connect identifier contains the part of a key without terminating connect_descriptor as a prefix. Database clients complete the key by appending connect_descriptor, user, password, wallet_location, or oci, and then search the Azure App Configuration store with that key.

    Syntax for Azure Centralized Configuration Provider Naming:
    config-azure://{appconfig-name}[?key=prefix&label=value&option1=value1&option2=value2...]
    For example:
    sqlplus dbuser/@"config-azure://dbclient-appconfig?key=database/sales/&azure_client_id=client id&azure_client_secret=secret&azure_tenant_id=tenant id"

    This syntax is explained in detail in the sections that follow.
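
For the wallet conversion in the Key Vault prerequisite above, the following added example (not part of Oracle's documentation) wraps the base64 step in checks that the encoded file is a single line, is readable only by its owner, and decodes back to the original cwallet.sso. The function name encode_wallet is hypothetical, and GNU coreutils base64 is assumed.

```shell
#!/usr/bin/env bash
# Added example: encode an auto-login wallet for storage as a Key Vault secret
# and verify the result before it is uploaded. encode_wallet is a hypothetical
# helper name; GNU coreutils (base64 -w, cmp) is assumed.

# encode_wallet WALLET OUT
# Writes the Base64 form of WALLET to OUT as one line, then verifies it.
encode_wallet() {
    local wallet="$1" out="$2"

    [ -s "$wallet" ] || { echo "wallet missing or empty: $wallet" >&2; return 1; }

    # The encoded file is as sensitive as the wallet itself. Remove any older
    # copy so that the new file is created with owner-only permissions.
    rm -f "$out"
    ( umask 077 && base64 -w 0 < "$wallet" > "$out" ) || return 1

    # The secret contents must not contain any new lines.
    if [ "$(wc -l < "$out")" -ne 0 ]; then
        echo "encoded wallet contains line breaks" >&2
        rm -f "$out"
        return 1
    fi

    # Round trip: the decoded secret must be byte-identical to the wallet.
    if ! base64 -d < "$out" | cmp -s - "$wallet"; then
        echo "encoded wallet does not decode to the original" >&2
        rm -f "$out"
        return 1
    fi
}
```

Run it as `encode_wallet cwallet.sso file_to_upload`. With the Azure CLI, the verified file can be supplied directly instead of pasted, for example `az keyvault secret set --vault-name <vault> --name <secret-name> --file file_to_upload`, where the vault and secret names are placeholders.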