Changes in This Release for Oracle Database Net Services Reference
The following are the changes in Oracle Database Net Services Reference for Oracle Database 18c:
New Features
The following are the new features in Oracle Net Services:
- Read-only Oracle Home Support
  An Oracle home can be configured in a read-only mode, which prevents creation or modification of files inside the Oracle home (ORACLE_HOME) directory. A read-only Oracle home can be used as a software image that can be shared across multiple independent servers. This simplifies patching and mass rollout as only one Oracle home image needs to be updated to distribute a patch to multiple servers. In the read-only Oracle home mode, ORACLE_BASE_HOME is a home-specific directory located at ORACLE_BASE/homes/HOME_NAME.
- New sqlnet.ora Parameters
  - ACCEPT_MD5_CERTS parameter replaces the ORACLE_SSL_ALLOW_MD5_CERT_SIGNATURES environment variable
  - ACCEPT_SHA1_CERTS parameter
  - ADD_SSLV3_TO_DEFAULT parameter
  See Also: sqlnet.ora Profile Parameters
- Ability to Create a Keystore for Each Pluggable Database
  Starting with this release, each pluggable database (PDB) can have its own keystore, instead of there being only one keystore for the entire container database (CDB). The advantage of this feature is that it enables independent key management operations to be performed by each tenant (PDB) in a multitenant environment rather than having to share a keystore at the CDB root level. This feature benefits both multitenant and non-multitenant environments because it provides parameters to facilitate the configuration of the keystore location and the keystore type, eliminating the need for editing the sqlnet.ora file.
  This feature provides the following new functionality:
  - For multitenant environments, the following two modes:
    - United mode, in which the keystores and master encryption keys are primarily managed from the CDB root, and can be accessed from the united mode PDB. Within the PDB, the keystore can be opened and closed just for that PDB. You also can create a PDB-specific master encryption key for this keystore.
    - Isolated mode, in which the keystore and encryption keys are managed in an individual PDB. This way, each PDB can configure its own keystore type independently, and create and manage this keystore after configuring it.
    To accommodate these modes, the ADMINISTER KEY MANAGEMENT SQL statement has been enhanced to behave differently in the two modes.
  - For both non-multitenant and multitenant environments, the following are the new features:
    - Addition of the WALLET_ROOT static instance initialization parameter, to specify the keystore path. In this guide, WALLET_ROOT refers to the configuration of software keystores, hardware keystores, and Oracle Key Vault keystores, but this parameter can be used to designate the wallet location for other products as well: Enterprise User Security, Secure Sockets Layer, Oracle XML DB, and Secure External Password Store.
    - Addition of the TDE_CONFIGURATION dynamic instance initialization parameter, to specify the type of keystore to use. You can set this parameter for TDE software keystores, hardware security module keystores (HSMs), and Oracle Key Vault.
    - Modification to the behavior of the SQLNET.ENCRYPTION_WALLET_LOCATION parameter, to enable its use only if the WALLET_ROOT parameter has not been set
- Integration of Active Directory Services with Oracle Database
  With centrally managed users (CMU), Oracle database users and roles can map directly to Active Directory users and groups without using Oracle Enterprise User Security (EUS) or another intermediate directory service. EUS is not being replaced or deprecated; this new feature is another, simpler option if you only want to authenticate and authorize users with Active Directory.
  The direct integration with directory services supports better security through faster and easier configuration with the enterprise identity management architecture. In the past, users may have avoided integrating the database with directory services due to the difficulty and complexity. Centrally managed users allows the Oracle database to directly connect with Active Directory.
- Support for Oracle Connection Manager in Traffic Director Mode
  This feature provides improved high availability and performance for both planned and unplanned outages with the help of new cman.ora parameters. Some of the existing parameters that support Oracle Connection Manager in Traffic Director Mode are inbound_connect_timeout, min_gateway_processes, max_gateway_processes, and max_connections.
Deprecated Features
The following feature is deprecated in this release:
Deprecation of Weak Native Network Encryption and Integrity Algorithms
The DES, DES40, 3DES112, 3DES168, RC4_40, RC4_56, RC4_128, RC4_256, and MD5 algorithms are deprecated in this release.
As a result of this deprecation, Oracle recommends that you review your network encryption and integrity configuration to check if you have specified any of the deprecated weak algorithms.
To transition your Oracle Database environment to use stronger algorithms, download and install the patch described in My Oracle Support note 2118136.2.
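One way to carry out the review recommended above, as an added example that is not Oracle's own tooling: a small Python audit that reports deprecated algorithms in a sqlnet.ora file, and, going slightly beyond the deprecation list, also reports the three new boolean parameters from this page when set to TRUE. The SQLNET.ENCRYPTION_TYPES_* and SQLNET.CRYPTO_CHECKSUM_TYPES_* names are the standard sqlnet.ora algorithm-list parameters and are assumed here rather than taken from this page; the function names and sample file are constructed.

```python
import re

# Algorithms this page lists as deprecated in Oracle Database 18c.
DEPRECATED = {"DES", "DES40", "3DES112", "3DES168",
              "RC4_40", "RC4_56", "RC4_128", "RC4_256", "MD5"}
# Assumption: standard sqlnet.ora algorithm-list parameters (_SERVER and _CLIENT).
ALGO_PREFIXES = ("SQLNET.ENCRYPTION_TYPES_", "SQLNET.CRYPTO_CHECKSUM_TYPES_")
# New 18c parameters named on this page; reporting TRUE is this example's policy.
WEAK_IF_TRUE = {"ACCEPT_MD5_CERTS", "ACCEPT_SHA1_CERTS", "ADD_SSLV3_TO_DEFAULT"}

def parse_sqlnet(text):
    """Return {PARAM: raw value}, handling # comments and indented continuations."""
    params, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if raw[0].isspace() and current:      # indented line continues the value
            params[current] += " " + line.strip()
        elif "=" in line:
            name, value = line.split("=", 1)
            current = name.strip().upper()
            params[current] = value.strip()
    return params

def audit(text):
    """Return sorted (parameter, finding) pairs for weak settings."""
    findings = []
    for name, value in parse_sqlnet(text).items():
        if name.startswith(ALGO_PREFIXES):
            algos = {a.upper() for a in re.findall(r"[A-Za-z0-9_]+", value)}
            findings += [(name, a) for a in algos & DEPRECATED]
        elif name in WEAK_IF_TRUE and value.upper() == "TRUE":
            findings.append((name, "TRUE"))
    return sorted(findings)

# Constructed sample file, not taken from a real system.
SAMPLE = """\
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, 3DES168,
    rc4_128)
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256, MD5)
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256)
ACCEPT_MD5_CERTS = TRUE  # inline comment is stripped
ADD_SSLV3_TO_DEFAULT = FALSE
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Run it against both the client-side and server-side sqlnet.ora files, since the algorithm lists are configured separately for each side.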