1 Oracle SALT 22c (22.1.0.0.0) New Features

This release note contains new features and enhancements incorporated in Oracle SALT Release 22c (22.1.0.0.0).

1.1 Integrate with Oracle Transaction Manager for Microservices

In this release, SALT has been enhanced to allow Oracle Tuxedo services to participate in global transactions coordinated by Oracle Transaction Manager for Microservices.

Oracle Transaction Manager for Microservices enables enterprise users to adopt and increase use of microservices architecture for mission-critical applications by providing capabilities that make it easier to develop, deploy, and maintain such applications. You do not need any additional configuration to integrate SALT with the Oracle Transaction Manager for Microservices.

1.2 Support JWT Token Authentication

  • JWT Token Authentication

    You can use the new TrustedIdpCert element for JWT token authentication. Add this element inside the Certificate block and set its value to the name of a file that contains one or more X.509 certificates in PEM format. These are the identity provider (IdP) certificates whose public keys GWWS trusts to have signed the token.

    When GWWS receives an inbound REST request, it inspects the HTTP headers. If an Authorization: Bearer header is present, GWWS treats its value as a JWT bearer token and validates it. Only if the token is valid does GWWS perform credential mapping. By default, GWWS uses the sub claim of the JWT as the Tuxedo username.

    Note:

    If Tuxedo SECURITY is set to NONE in the UBBCONFIG file, GWWS does not validate the JWT token at all; in that case the Authorization header is ignored.

    Example

    <System>
        <Certificate>
            <TrustedIdpCert>idp.pem</TrustedIdpCert>
        </Certificate>
    </System>
  • JWT authentication supports the following signing algorithms (all asymmetric, matching the certificate-based trust anchor; HMAC algorithms such as HS256 are not in this list):
    • RS256: RSA Signature with SHA-256
    • RS384: RSA Signature with SHA-384
    • RS512: RSA Signature with SHA-512
    • ES256: ECDSA Signature with SHA-256
    • ES384: ECDSA Signature with SHA-384
    • ES512: ECDSA Signature with SHA-512
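The bearer-token check and credential mapping described above, written out as an added Go example (this is not SALT or GWWS code): it loads a PEM bundle of the kind a TrustedIdpCert file holds, enforces the algorithm list from this section, verifies the JWS signature against each trusted certificate, and maps the sub claim to a Tuxedo username. The function names, the demoIdp helper and the self-signed certificate it produces are assumptions for the demonstration; expiry (exp) and audience checks, which the release note does not mention, are not shown.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// The signing algorithms the release note lists; HS* and "none" are absent, so such tokens never reach a key.
var allowedAlgs = map[string]crypto.Hash{
	"RS256": crypto.SHA256, "RS384": crypto.SHA384, "RS512": crypto.SHA512,
	"ES256": crypto.SHA256, "ES384": crypto.SHA384, "ES512": crypto.SHA512,
}

// loadTrustedIdpCerts parses the PEM X.509 bundle a TrustedIdpCert file holds; only these keys may sign tokens.
func loadTrustedIdpCerts(bundle []byte) (certs []*x509.Certificate, err error) {
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		err = errors.New("TrustedIdpCert file contains no certificates")
	}
	return certs, err
}

func sha(h crypto.Hash, data []byte) []byte { hh := h.New(); hh.Write(data); return hh.Sum(nil) }

// verifyWith checks a JWS signature with one IdP public key; the key type must match the alg family.
func verifyWith(pub any, alg string, h crypto.Hash, signingInput, sig []byte) bool {
	d := sha(h, signingInput)
	switch k := pub.(type) {
	case *rsa.PublicKey:
		return strings.HasPrefix(alg, "RS") && rsa.VerifyPKCS1v15(k, h, d, sig) == nil
	case *ecdsa.PublicKey:
		n := (k.Curve.Params().BitSize + 7) / 8 // JWS ECDSA signatures are r||s at curve width, not ASN.1
		return strings.HasPrefix(alg, "ES") && len(sig) == 2*n &&
			ecdsa.Verify(k, d, new(big.Int).SetBytes(sig[:n]), new(big.Int).SetBytes(sig[n:]))
	}
	return false
}

// tuxedoUserFromBearer does what the release note describes for GWWS: require an Authorization: Bearer
// JWT, accept only the listed algorithms, verify against a trusted IdP certificate, return sub as the user.
func tuxedoUserFromBearer(authHeader string, trusted []*x509.Certificate) (string, error) {
	raw, isBearer := strings.CutPrefix(authHeader, "Bearer ")
	parts := strings.Split(raw, ".")
	if !isBearer || len(parts) != 3 {
		return "", errors.New("Authorization header does not carry a well-formed bearer JWT")
	}
	var hdr, claims struct{ Alg string `json:"alg"`; Sub string `json:"sub"` } // header and payload decoded separately
	hdrJSON, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	payload, e2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(parts[2])
	if err := errors.Join(e1, e2, e3, json.Unmarshal(hdrJSON, &hdr), json.Unmarshal(payload, &claims)); err != nil {
		return "", err
	}
	h, ok := allowedAlgs[hdr.Alg] // the alg comes from the header only; the payload cannot influence it
	if !ok {
		return "", fmt.Errorf("alg %q is not a supported signing algorithm", hdr.Alg)
	}
	for _, c := range trusted {
		if verifyWith(c.PublicKey, hdr.Alg, h, []byte(parts[0]+"."+parts[1]), sig) && claims.Sub != "" {
			return claims.Sub, nil // default mapping: the sub claim becomes the Tuxedo username
		}
	}
	return "", errors.New("signature does not verify against any trusted IdP certificate, or sub is empty")
}

// demoIdp stands in for an identity provider: a throwaway RSA key, a self-signed certificate in the
// PEM form an idp.pem file would hold, and an RS256 JWT for sub (constructed data, not a real IdP).
func demoIdp(sub string) (certPEM []byte, token string) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	enc := func(v any) string { b, _ := json.Marshal(v); return base64.RawURLEncoding.EncodeToString(b) }
	signingInput := enc(map[string]string{"alg": "RS256"}) + "." + enc(map[string]string{"sub": sub})
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sha(crypto.SHA256, []byte(signingInput)))
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), signingInput + "." + base64.RawURLEncoding.EncodeToString(sig)
}

func main() {
	bundle, token := demoIdp("appuser")
	trusted, _ := loadTrustedIdpCerts(bundle)
	fmt.Println(tuxedoUserFromBearer("Bearer "+token, trusted))
}
```

To check a real bundle, read idp.pem with os.ReadFile and pass the bytes to loadTrustedIdpCerts. Because the allowlist contains only asymmetric algorithms, a token with alg HS256 or alg none is refused at the algorithm check, before any key from the bundle is consulted; a token signed by a key that is not in the bundle fails the signature loop even though its alg is acceptable.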

1.3 Updates to SALT Security

This release adopts more secure defaults. This section describes the default security behavior and the environment variables that restore the previous behavior where backward compatibility requires it.

  • TM_MIN_PUB_KEY_LENGTH: When you use HTTPS, the minimum RSA key length is 2048 bits. GWWS determines the key length when it loads the key/certificate and fails to boot if the key is shorter than 2048 bits. If you must use a shorter key (not recommended), set the environment variable TM_MIN_PUB_KEY_LENGTH to the minimum length you want to allow.
  • TM_TLS_FORCE_VER: TLS 1.2 is used by default. To use a different TLS version (for SSL servers), set the environment variable TM_TLS_FORCE_VER to the TLS version to force.
  • The following cipher suites are enabled by default:
    • TLS_RSA_WITH_AES_256_CBC_SHA256
    • TLS_RSA_WITH_AES_256_GCM_SHA384
    • TLS_RSA_WITH_AES_128_CBC_SHA256
    • TLS_RSA_WITH_AES_128_GCM_SHA256

      To use other cipher suites, for example to interoperate with older versions of Oracle Tuxedo, set the environment variable TM_CIPHERSUITES to list the ciphers explicitly.
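A preflight check for the key-length rule above, as an added Go example (not SALT or GWWS code): it reproduces the boot-time gate, a 2048-bit RSA minimum unless TM_MIN_PUB_KEY_LENGTH overrides it, so an operator can test a key file before booting rather than discovering the problem from a failed boot. The function names and the PKCS#8 sample key are assumptions; only the RSA length rule and the environment variable name come from this section.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
	"strconv"
)

// minPubKeyLength is the RSA key length GWWS insists on when it loads the HTTPS
// key: 2048 bits unless TM_MIN_PUB_KEY_LENGTH overrides it. The environment
// lookup is injected so the logic can be exercised without touching the process.
func minPubKeyLength(getenv func(string) string) (int, error) {
	v := getenv("TM_MIN_PUB_KEY_LENGTH")
	if v == "" {
		return 2048, nil
	}
	n, err := strconv.Atoi(v)
	if err != nil || n <= 0 {
		return 0, fmt.Errorf("TM_MIN_PUB_KEY_LENGTH=%q is not a positive integer", v)
	}
	return n, nil
}

// rsaKeyBits parses a PEM private key (PKCS#1 "RSA PRIVATE KEY" or PKCS#8
// "PRIVATE KEY") and returns the RSA modulus length in bits.
func rsaKeyBits(keyPEM []byte) (int, error) {
	block, _ := pem.Decode(keyPEM)
	if block == nil {
		return 0, errors.New("no PEM block found in key file")
	}
	var parsed any
	var err error
	switch block.Type {
	case "RSA PRIVATE KEY":
		parsed, err = x509.ParsePKCS1PrivateKey(block.Bytes)
	case "PRIVATE KEY":
		parsed, err = x509.ParsePKCS8PrivateKey(block.Bytes)
	default:
		return 0, fmt.Errorf("unsupported PEM block type %q", block.Type)
	}
	if err != nil {
		return 0, err
	}
	key, ok := parsed.(*rsa.PrivateKey)
	if !ok {
		return 0, errors.New("key is not RSA; the 2048-bit minimum in this note applies to RSA keys")
	}
	return key.N.BitLen(), nil
}

// preflight applies the boot-time gate: like GWWS, it fails when the key is
// shorter than the configured minimum.
func preflight(keyPEM []byte, getenv func(string) string) (int, error) {
	minBits, err := minPubKeyLength(getenv)
	if err != nil {
		return 0, err
	}
	bits, err := rsaKeyBits(keyPEM)
	if err != nil {
		return 0, err
	}
	if bits < minBits {
		return bits, fmt.Errorf("RSA key is %d bits, below the minimum of %d: GWWS would fail to boot", bits, minBits)
	}
	return bits, nil
}

// samplePKCS8Key generates a throwaway RSA key of the given size in PEM form
// (constructed input for the demonstration; point main at a real key file instead).
func samplePKCS8Key(bits int) []byte {
	key, _ := rsa.GenerateKey(rand.Reader, bits)
	der, _ := x509.MarshalPKCS8PrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
}

func main() {
	keyPEM := samplePKCS8Key(1024) // a 1024-bit sample shows the failure by default
	if len(os.Args) > 1 {
		b, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Println(err)
			return
		}
		keyPEM = b
	}
	fmt.Println(preflight(keyPEM, os.Getenv))
	// The override lifts the gate; the note permits it, but it weakens the default.
	fmt.Println(preflight(keyPEM, func(string) string { return "1024" }))
}
```

Run it as go run check.go /path/to/server.key to test the key GWWS will load; with TM_MIN_PUB_KEY_LENGTH set in the environment the same override GWWS honors is applied. Note that the override only relaxes the length check; the TLS version and cipher suite defaults above are controlled separately by TM_TLS_FORCE_VER and TM_CIPHERSUITES.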