1. Password Verifier Authentication
2. DB Access Token (db-token) Authentication
3. Interactive OAuth2 Flow
- Autonomous Database Serverless
- Autonomous Database on Dedicated Exadata Infrastructure
- Exadata Cloud@Customer Infrastructure
- Exadata Cloud Service on Dedicated Infrastructure
- Exadata Cloud Service on Cloud@Customer Infrastructure
- Base Database Service
- Exadata dedicated and Autonomous on dedicated Exadata @Azure, @AWS, @Google
- Standalone database server on servers, virtual machines, or cloud compute
- Database server on Windows, AIX, Solaris or HPUX
- Exadata on premises
OCI IAM Integration Setup
1. OCI IAM Users, Groups, And Memberships
- allDBUsers for the shared user schema
- dbMinPriv for minimum privilege database users
- dbMaxPriv for maximum privilege database users
2. OCI IAM Policies
allow group MyIdentityDomain/allDBUsers to use database-connections in tenancy
allow group MyIdentityDomain/dbMinPriv to use database-connections in tenancy
allow group MyIdentityDomain/dbMaxPriv to use database-connections in tenancy
allow group MyIdentityDomain/allDBUsers to use database-family in tenancy
allow group MyIdentityDomain/dbMinPriv to use database-family in tenancy
allow group MyIdentityDomain/dbMaxPriv to use database-family in tenancy
allow group MyIdentityDomain/allDBUsers to use autonomous-database-family in tenancy
allow group MyIdentityDomain/dbMinPriv to use autonomous-database-family in tenancy
allow group MyIdentityDomain/dbMaxPriv to use autonomous-database-family in tenancy
allow group MyIdentityDomain/allDBUsers to use database-connections in compartment development:dev_dbs
allow group MyIdentityDomain/dbMinPriv to use database-connections in compartment development:dev_dbs
allow group MyIdentityDomain/dbMaxPriv to use database-connections in compartment development:dev_dbs
allow group MyIdentityDomain/allDBUsers to use database-family in compartment development:dev_dbs
allow group MyIdentityDomain/dbMinPriv to use database-family in compartment development:dev_dbs
allow group MyIdentityDomain/dbMaxPriv to use database-family in compartment development:dev_dbs
allow group MyIdentityDomain/allDBUsers to use autonomous-database-family in compartment development:dev_dbs
allow group MyIdentityDomain/dbMinPriv to use autonomous-database-family in compartment development:dev_dbs
allow group MyIdentityDomain/dbMaxPriv to use autonomous-database-family in compartment development:dev_dbs
3. Enable OCI IAM In Database
BEGIN
DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION(
type => 'OCI_IAM' );
END;
/
ALTER SYSTEM SET IDENTITY_PROVIDER_TYPE=OCI_IAM SCOPE=BOTH;
ALTER SYSTEM RESET IDENTITY_PROVIDER_CONFIG SCOPE=BOTH;
SQL> SELECT NAME, VALUE FROM V$PARAMETER WHERE NAME='identity_provider_type';
NAME VALUE
_________________________ __________
identity_provider_type OCI_IAM
SQL> SELECT NAME, VALUE FROM V$PARAMETER WHERE NAME='identity_provider_config';
NAME VALUE
___________________________ ________
identity_provider_config
4. Configure Database Users And Roles
CREATE USER allDbUsers IDENTIFIED GLOBALLY AS 'IAM_GROUP_NAME=MyIdentityDomain/allDbUsers';
CREATE ROLE dbMinPriv IDENTIFIED GLOBALLY AS 'IAM_GROUP_NAME=MyIdentityDomain/dbMinPriv';
GRANT CREATE SESSION to dbminpriv;
CREATE ROLE dbMaxPriv IDENTIFIED GLOBALLY AS 'IAM_GROUP_NAME=MyIdentityDomain/dbMaxPriv';
GRANT pdb_dba, CREATE SESSION to dbmaxpriv;
5. Get OCI ojdbc-extensions provider for JDBC thin applications
cd C:
mkdir \ojdbc-extensions\oci-1.0.6
cd \ojdbc-extensions\oci-1.0.6
mkdir -p /var/tmp/ojdbc-extensions/oci-1.0.6
cd /var/tmp/ojdbc-extensions/oci-1.0.6
curl -sko ojdbc11.jar https://repo1.maven.org/maven2/com/oracle/database/jdbc/ojdbc11/23.26.2.0.0/ojdbc11-23.26.2.0.0.jar
java -jar ojdbc11.jar get-deps --coords com.oracle.database.jdbc/ojdbc-provider-oci/1.0.6 --path C:\ojdbc-extensions\oci-1.0.6
6. Set Up Database Clients
cd C:\
mkdir C:\<SQLcl_dir>\lib\sdks\jdbc-oci
copy \ojdbc-extensions\oci-1.0.6\* C:\<SQLcl_dir>\lib\sdks\jdbc-oci
mkdir -p <SQLcl_dir>/sdks/jdbc-oci
cp /var/tmp/ojdbc-extensions/oci-1.0.6/* <SQLcl_dir>/sdks/jdbc-oci
Windows: <home>\AppData\Roaming\sqldeveloper\<version>\product.conf
MacOS/Linux: $HOME/.sqldeveloper/<version>/product.conf
Get-ChildItem -Path "C:\ojdbc-extensions\oci-1.0.6" -Include "*.jar" -Recurse -Name -Force | ForEach-Object { Add-Content -Path C:\ojdbc-extensions\oci-1.0.6\product.txt -Value "AddJavaLibFile C:\ojdbc-extensions\oci-1.0.6\$_"}
find /var/tmp/ojdbc-extensions/oci-1.0.6 -name "*.jar"|sed -e "s/^/AddJavaLibFile /g"
7. Get Oracle Client Wallet
C:\ojdbc-extensions\client_wallet
8. TNS Record For Interactive Flow
DEVDB_PDB1_SSL_OCI=
(DESCRIPTION=
(ADDRESS=(PROTOCOL=TCPS)(HOST=devdb-scan.mysubnet.odswest.oraclevcn.com)(PORT=2484))
(SECURITY=
(WALLET_LOCATION=C:\ojdbc-extensions\client_wallet)
(TOKEN_AUTH=OCI_INTERACTIVE)
(OCI_COMPARTMENT=<compartment_ocid>)
(OCI_DATABASE=<database_ocid>)
)
(CONNECT_DATA=
(SERVER=DEDICATED)
(SERVICE_NAME=devdb_pdb1.mysubnet.odswest.oraclevcn.com)
)
)
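As an added example that is not part of the original post, here is a small Python lint for a TNS entry like the one above: it parses the nested descriptor and checks the settings the interactive flow depends on (TCPS, TOKEN_AUTH=OCI_INTERACTIVE, WALLET_LOCATION, and that the two OCID placeholders were actually filled in). The embedded sample entry and its OCIDs are constructed.

```python
# Constructed sample: the post's DEVDB_PDB1_SSL_OCI entry, OCID placeholders replaced by made-up OCIDs.
SAMPLE_TNS = r"""DEVDB_PDB1_SSL_OCI=(DESCRIPTION=
  (ADDRESS=(PROTOCOL=TCPS)(HOST=devdb-scan.mysubnet.odswest.oraclevcn.com)(PORT=2484))
  (SECURITY=(WALLET_LOCATION=C:\ojdbc-extensions\client_wallet)(TOKEN_AUTH=OCI_INTERACTIVE)
    (OCI_COMPARTMENT=ocid1.compartment.oc1..exampleonly)(OCI_DATABASE=ocid1.database.oc1..exampleonly))
  (CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=devdb_pdb1.mysubnet.odswest.oraclevcn.com)))"""

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _parse(s, i):
    """Parse (KEY=value) groups from s[i] into a dict (nested for groups, list for repeated keys)."""
    out = {}
    while i < len(s) and (s[i].isspace() or s[i] == '('):
        if s[i].isspace():
            i += 1
            continue
        eq = s.index('=', i)
        key, i = s[i + 1:eq].strip().upper(), eq + 1
        while s[i].isspace():
            i += 1
        if s[i] == '(':
            value, i = _parse(s, i)                      # nested, e.g. (SECURITY=(...)(...))
        else:
            value, i = s[i:s.index(')', i)].strip(), s.index(')', i)  # scalar, e.g. (PORT=2484)
        i += 1                                           # consume this group's closing ')'
        out[key] = [*_as_list(out[key]), value] if key in out else value
    return out, i                                        # i points just past the last group

def parse_tns_entry(text):  # 'ALIAS=(DESCRIPTION=...)' -> (ALIAS, nested dict)
    alias, _, body = text.partition('=')
    return alias.strip().upper(), _parse(body, 0)[0]

def check_oci_interactive_entry(text):
    """Lint an entry meant for TOKEN_AUTH=OCI_INTERACTIVE; returns (alias, findings)."""
    alias, tree = parse_tns_entry(text)
    desc = tree.get('DESCRIPTION', {})
    sec = desc.get('SECURITY', {})
    findings = []
    for addr in _as_list(desc.get('ADDRESS', {})):      # assumes ADDRESS directly under DESCRIPTION
        if addr.get('PROTOCOL', '').upper() != 'TCPS':
            findings.append('IAM token auth needs TLS: ADDRESS PROTOCOL must be TCPS')
    if sec.get('TOKEN_AUTH', '').upper() != 'OCI_INTERACTIVE':
        findings.append('SECURITY lacks TOKEN_AUTH=OCI_INTERACTIVE')
    for key in ('WALLET_LOCATION', 'OCI_COMPARTMENT', 'OCI_DATABASE'):
        if key not in sec:
            findings.append(f'SECURITY lacks {key}')
        elif key.startswith('OCI_') and not sec[key].startswith('ocid1.'):
            findings.append(f'{key} is not an OCID; template placeholder left in?')
    return alias, findings
```

Run it over each token-auth alias in tnsnames.ora before handing the file to SQLcl or SQL Developer; an empty findings list means the entry carries everything the interactive flow needs.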
9. Test Each Client Application
sql -thin /@DEVDB_PDB1_SSL_OCI
Name: DEVDB_PDB1_SSL_OCI_INTERACTIVE
Database Type: Oracle
Authentication Type: OS
Connection Type: TNS
Network Alias: DEVDB_PDB1_SSL_OCI
I hope you find this helpful.
Blessings!

