1. Password Verifier Authentication2. DB Access Token (db-token) Authentication3. Interactive OAuth2 Flow
- Autonomous Database Serverless
- Autonomous Database on Dedicated Exadata Infrastructure
- Exadata Cloud@Customer Infrastructure
- Exadata Cloud Service on Dedicated Infrastructure
- Exadata Cloud Service on Cloud@Customer Infrastructure
- Base Database Service
- Exadata dedicated and Autonomous on dedicated Exadata @Azure, @AWS, @Google
- Standalone database server on servers, virtual machines, or cloud compute
- Database server on Windows, AIX, Solaris or HPUX
- Exadata on premises
OCI IAM Integration Setup
1. OCI IAM Users, Groups, And Memberships
- allDBUsers for the shared user schema
- dbMinPriv for minimum privilege database users
- dbMaxPriv for maximum privilege database users
2. OCI IAM Policies
allow group MyIdentityDomain/allDBUsers to use database-connections in tenancy
allow group MyIdentityDomain/dbMinPriv to use database-connections in tenancy
allow group MyIdentityDomain/dbMaxPriv to use database-connections in tenancy
allow group MyIdentityDomain/allDBUsers to use database-family in tenancy
allow group MyIdentityDomain/dbMinPriv to use database-family in tenancy
allow group MyIdentityDomain/dbMaxPriv to use database-family in tenancy
allow group MyIdentityDomain/allDBUsers to use autonomous-database-family in tenancy
allow group MyIdentityDomain/dbMinPriv to use autonomous-database-family in tenancy
allow group MyIdentityDomain/dbMaxPriv to use autonomous-database-family in tenancy
allow group MyIdentityDomain/allDBUsers to use database-connections in compartment development:dev_dbs
allow group MyIdentityDomain/dbMinPriv to use database-connections in compartment development:dev_dbs
allow group MyIdentityDomain/dbMaxPriv to use database-connections in compartment development:dev_dbs
allow group MyIdentityDomain/allDBUsers to use database-family in compartment development:dev_dbs
allow group MyIdentityDomain/dbMinPriv to use database-family in compartment development:dev_dbs
allow group MyIdentityDomain/dbMaxPriv to use database-family in compartment development:dev_dbs
allow group MyIdentityDomain/allDBUsers to use autonomous-database-family in compartment development:dev_dbs
allow group MyIdentityDomain/dbMinPriv to use autonomous-database-family in compartment development:dev_dbs
allow group MyIdentityDomain/dbMaxPriv to use autonomous-database-family in compartment development:dev_dbs
3. Enable OCI IAM In Database
BEGIN
DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION(
type => 'OCI_IAM' );
END;
/
ALTER SYSTEM SET IDENTITY_PROVIDER_TYPE=OCI_IAM SCOPE=BOTH;
ALTER SYSTEM RESET IDENTITY_PROVIDER_CONFIG SCOPE=BOTH;
NAME VALUE
_________________________ __________
identity_provider_type OCI_IAM
SQL> SELECT NAME, VALUE FROM V$PARAMETER WHERE NAME='identity_provider_config';
NAME VALUE
___________________________ ________
identity_provider_config
4. Configure Database Users And Roles
CREATE ROLE dbMinPriv IDENTIFIED GLOBALLY AS 'IAM_GROUP_NAME=MyIdentityDomain/dbMinPriv';
GRANT CREATE SESSION to dbminpriv;
CREATE ROLE dbMaxPriv IDENTIFIED GLOBALLY AS 'IAM_GROUP_NAME=MyIdentityDomain/dbMaxPriv';
GRANT pdb_dba, CREATE SESSION to dbmaxpriv;
5. Get Oracle Client Wallet
C:\client_wallet
6. TNS Record For Token Based Authentication
DEVDB_PDB1_SSL_TOKEN=
(DESCRIPTION=
(ADDRESS=(PROTOCOL=TCPS)(HOST=devdb-scan.mysubnet.odswest.oraclevcn.com)(PORT=2484))
(SECURITY=
(SSL_SERVER_DN_MATCH=TRUE)
(WALLET_LOCATION=C:\client_wallet)
(TOKEN_AUTH=OCI_TOKEN)
)
(CONNECT_DATA=
(SERVER=DEDICATED)
(SERVICE_NAME=devdb_pdb1.mysubnet.odswest.oraclevcn.com)
)
)
7. Authenticate To OCI IAM
Use the OCI IAM command line tool (oci) to authenticate against OCI IAM using the a specific OCI command line profile (DBUSER) and specify the OCI tenancy name, region and identity domain name. This will pop-up a browser window to your OCI IAM tenancy to login.
oci session authenticate --profile-name DBUSER --tenancy-name <oci_tenancy_name> --region <oci_region> --identity-provider-name <oci_identity_domain_name>
Please switch to newly opened browser window to log in!
You can also open the following URL in a web browser window to continue:
https://login.us-phoenix-1.oraclecloud.com/v1/oauth2/authorize?action=login...
Service
Completed browser authentication process!
Config written to: /Users/dbuser/.oci/config
Note that a new DBUSER profile may have been added to your $HOME/.oci/config configuration file that looks similar to the following.
[DBUSER]
fingerprint=<unique_fingerprint>
key_file=/<users_home_directory>/.oci/sessions/DBUSER/oci_api_key.pem
tenancy=<oci_tenancy_ocid>
region=<oci_region>
security_token_file=/<users_home_directory>/.oci/sessions/DBUSER/token
8. Request Access Token (db-token)
Note that a new DBUSER profile may have been added to your $HOME/.oci/config configuration file that looks similar to the following.
fingerprint=<unique_fingerprint>
key_file=/<users_home_directory>/.oci/sessions/DBUSER/oci_api_key.pem
tenancy=<oci_tenancy_ocid>
region=<oci_region>
security_token_file=/<users_home_directory>/.oci/sessions/DBUSER/token
Use the OCI IAM command line tool (oci) to request an access token (db-token) from OCI IAM.
Private key written at /Users/dbuser/.oci/db-token/oci_db_key.pem
db-token written at: /Users/dbuser/.oci/db-token/token
db-token is valid until 2026-07-09 12:32:09
db-token is valid until 2026-07-09 12:32:09
IMPORTANT NOTES:
- The access token (db-token) will expire after 1 hour. Therefore, you will need to get the token again after the initial token expires with the "oci iam db-token get ..." command again.
- The scope parameter in the above example presumes that the IAM policy has restricted access to a specific OCI compartment. If your OCI IAM policy is applied at the tenancy rather than compartment level, then the --scope ... parameter is not necessary.
9. Test Each Client Application
Name: DEVDB_PDB1_SSL_TokenDatabase Type: OracleAuthentication Type: OSConnection Type: TNSNetwork Alias: DEVDB_PDB1_SSL_TOKEN
sql -thin /@DEVDB_PDB1_SSL_TOKEN
sqlplus /@DEVDB_PDB1_SSL_TOKEN
SQL> show user;
USER is "ALLDBUSERS"
SQL> SELECT SYS_CONTEXT ('USERENV','CURRENT_USER') FROM DUAL;
SYS_CONTEXT('USERENV','CURRENT_USER')
--------------------------------------------------------------------------------
ALLDBUSERS
SQL> SELECT SYS_CONTEXT ('USERENV','AUTHENTICATED_IDENTITY') FROM DUAL;
SYS_CONTEXT('USERENV','AUTHENTICATED_IDENTITY')
--------------------------------------------------------------------------------
oracleidentitycloudservice/dbuser@dbauthdemo.com
SQL> SELECT SYS_CONTEXT ('USERENV','ENTERPRISE_IDENTITY') FROM DUAL;
SYS_CONTEXT('USERENV','ENTERPRISE_IDENTITY')
--------------------------------------------------------------------------------
<user_ocid>
SQL> SELECT SYS_CONTEXT('USERENV', 'NETWORK_PROTOCOL') FROM DUAL;
SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')
--------------------------------------------------------------------------------
tcps
SQL> SELECT SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD') FROM DUAL;
SYS_CONTEXT('USERENV','AUTHENTICATION_METHOD')
--------------------------------------------------------------------------------
TOKEN_GLOBAL
SQL> SELECT SYS_CONTEXT('USERENV', 'IDENTIFICATION_TYPE') FROM DUAL;
SYS_CONTEXT('USERENV','IDENTIFICATION_TYPE')
--------------------------------------------------------------------------------
GLOBAL SHARED
I hope you find this helpful.
Blessings!


No comments:
Post a Comment