Changes in This Release for Oracle Database Net Services Reference

The following are the changes in Oracle Database Net Services Reference for Oracle Database 18c:

New Features

The following are the new features in Oracle Net Services:

  • Read-only Oracle Home Support

    An Oracle home can be configured in a read-only mode, which prevents creation or modification of files inside the Oracle home (ORACLE_HOME) directory. A read-only Oracle home can be used as a software image that can be shared across multiple independent servers. This simplifies patching and mass rollout as only one Oracle home image needs to be updated to distribute a patch to multiple servers. In the read-only Oracle home mode, ORACLE_BASE_HOME is a home-specific directory located at ORACLE_BASE/homes/HOME_NAME.

  • New sqlnet.ora Parameters

    • ACCEPT_MD5_CERTS parameter replaces the ORACLE_SSL_ALLOW_MD5_CERT_SIGNATURES environment variable

    • ACCEPT_SHA1_CERTS parameter

    • ADD_SSLV3_TO_DEFAULT parameter

  • Ability to Create a Keystore for Each Pluggable Database

    Starting with this release, each pluggable database (PDB) can have its own keystore, instead of there being only one keystore for the entire container database (CDB). The advantage of this feature is that it enables independent key management operations to be performed by each tenant (PDB) in a multitenant environment rather than having to share a keystore at the CDB root level. This feature benefits both multitenant and non-multitenant environments because it provides parameters to facilitate the configuration of the keystore location and the keystore type, eliminating the need for editing the sqlnet.ora file.

    This feature provides the following new functionality:

    • For multitenant environments, the following two modes:

      • United mode, in which the keystores and master encryption keys are primarily managed from the CDB root, and can be accessed from the united mode PDB. Within the PDB, the keystore can be opened and closed just for that PDB. You also can create a PDB-specific master encryption key for this keystore.

      • Isolated mode, in which the keystore and encryption keys are managed in an individual PDB. This way, each PDB can configure its own keystore type independently, and create and manage this keystore after configuring it.

      To accommodate these modes, the ADMINISTER KEY MANAGEMENT SQL statement has been enhanced to behave differently in the two modes.

    • For both non-multitenant and multitenant environments, the following are the new features:

      • Addition of the WALLET_ROOT static instance initialization parameter, to specify the keystore path. In this guide, WALLET_ROOT refers to the configuration of software keystores, hardware keystores, and Oracle Key Vault keystores, but this parameter can be used to designate the wallet location for other products as well: Enterprise User Security, Secure Sockets Layer, Oracle XML DB, and Secure External Password Store.

      • Addition of the TDE_CONFIGURATION dynamic instance initialization parameter, to specify the type of keystore to use. You can set this parameter for TDE software keystores, hardware security module keystores (HSMs), and Oracle Key Vault.

      • Modification to the behavior of the SQLNET.ENCRYPTION_WALLET_LOCATION parameter, to enable its use only if the WALLET_ROOT parameter has not been set.

  • Integration of Active Directory Services with Oracle Database

    With centrally managed users (CMU), Oracle database users and roles can map directly to Active Directory users and groups without using Oracle Enterprise User Security (EUS) or another intermediate directory service. EUS is not being replaced or deprecated; this new feature is another, simpler option if you only want to authenticate and authorize users with Active Directory.

    The direct integration with directory services supports better security through faster and easier configuration with the enterprise identity management architecture. In the past, users may have avoided integrating the database with directory services due to the difficulty and complexity. Centrally managed users allows the Oracle database to directly connect with Active Directory.

  • Support for Oracle Connection Manager in Traffic Director Mode

    This feature provides improved high availability and performance for both planned and unplanned outages with the help of new cman.ora parameters. Some of the existing parameters that support Oracle Connection Manager in Traffic Director Mode are inbound_connect_timeout, min_gateway_processes, max_gateway_processes, and max_connections.

Deprecated Features

The following feature is deprecated in this release:

Deprecation of Weak Native Network Encryption and Integrity Algorithms

The DES, DES40, 3DES112, 3DES168, RC4_40, RC4_56, RC4_128, RC4_256, and MD5 algorithms are deprecated in this release.

As a result of this deprecation, Oracle recommends that you review your network encryption and integrity configuration to check if you have specified any of the deprecated weak algorithms.

To transition your Oracle Database environment to use stronger algorithms, download and install the patch described in My Oracle Support note 2118136.2.
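
One way to carry out the configuration review recommended above is to scan sqlnet.ora for the deprecated algorithm names. The following is an added example, not Oracle-supplied code; the sample file content is constructed for illustration, and the script assumes the standard sqlnet.ora algorithm-list parameters and the Oracle Net rule that continuation lines are indented.

```python
# Algorithms this page lists as deprecated in Oracle Database 18c.
DEPRECATED = {"DES", "DES40", "3DES112", "3DES168",
              "RC4_40", "RC4_56", "RC4_128", "RC4_256", "MD5"}

# sqlnet.ora parameters holding native network encryption / integrity lists.
ALGORITHM_PARAMS = {
    "SQLNET.ENCRYPTION_TYPES_SERVER", "SQLNET.ENCRYPTION_TYPES_CLIENT",
    "SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER", "SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT",
}

def logical_entries(text):
    """Return [line_no, entry] pairs, joining indented continuation lines."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if line[0].isspace() and entries:         # continuation of previous entry
            entries[-1][1] += line.strip()
        else:
            entries.append([no, line.strip()])
    return entries

def find_deprecated_algorithms(text):
    """Return (line_no, PARAMETER, [deprecated algorithms]) for each hit."""
    findings = []
    for no, entry in logical_entries(text):
        name, sep, value = entry.partition("=")
        name = name.strip().upper()               # parameter names are case-insensitive
        if not sep or name not in ALGORITHM_PARAMS:
            continue
        algos = [a.strip().upper() for a in value.strip().strip("()").split(",")]
        weak = [a for a in algos if a in DEPRECATED]
        if weak:
            findings.append((no, name, weak))
    return findings

# Constructed sample input, not taken from a real system.
SAMPLE = """\
# constructed sqlnet.ora for illustration
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, 3DES168,
    RC4_128)
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256, MD5)
sqlnet.encryption_types_client = (AES256, AES192)
"""

if __name__ == "__main__":
    for line_no, param, weak in find_deprecated_algorithms(SAMPLE):
        print(f"line {line_no}: {param} lists deprecated {', '.join(weak)}")
```
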