This module contains providers for integration between Oracle JDBC and Oracle Cloud Infrastructure (OCI).
- OCI Database Tools Connections Config Provider
- Provides connection properties managed by the Database Tools Connection service
- OCI Object Storage Config Provider
- Provides connection properties managed by the Object Storage service
- Database Connection String Provider
- Provides connection strings for an Autonomous Database
- Database TLS Provider
- Provides TLS keys and certificates for an Autonomous Database
- Vault Password Provider
- Provides passwords managed by the Vault service
- Vault Username Provider
- Provides usernames managed by the Vault service
- Access Token Provider
- Provides access tokens issued by the Dataplane service
All providers in this module are distributed as single jar on the Maven Central Repository. The jar is compiled for JDK 8, and is forward compatible with later JDK versions. The coordinates for the latest release are:
<dependency>
<groupId>com.oracle.database.jdbc</groupId>
<artifactId>ojdbc-provider-oci</artifactId>
<version>1.0.0</version>
</dependency>The OCI Database Tools Connections is a managed service that can be used to configure connections to a database. The created resource stores connection properties, including user, password and wallets (these last two optionally as references to a secret in OCI Vault). Each configuration has an identifier (OCID) that is used to identify which connection is requested by the driver.
JDBC URL Sample that uses the OCI DBTools provider:
jdbc:oracle:thin:@config-ocidbtools:ocid1.databasetoolsconnection.oc1.phx.ama ...
The Oracle DataSource uses a new prefix jdbc:oracle:thin:@config-ociobject: to be able to identify that the configuration parameters should be loaded using OCI Object Storage. Users only need to indicate the URL Path of the Object containing the JSON payload, with the following syntax:
jdbc:oracle:thin:@config-ociobject:{url_path}[?option1=value1&option2=value2...]
The insturctions of obtaining a URL Path can be found in Get the URI or Pre-Authenticated Request URL to Access the Object Store.
There are 3 fixed values that are looked at the root level.
- connect_descriptor (required)
- user (optional)
- password (optional)
The rest are dependent on the driver, in our case /jdbc. The key-value pairs that are with sub-prefix /jdbc will be applied to a DataSource. The key values are constant keys which are equivalent to the properties defined in the OracleConnection interface.
For example, let's suppose an url like:
jdbc:oracle:thin:@config-ociobject:https://objectstorage.us-phoenix-1.oraclecloud.com/n/mytenancy/b/bucket1/o/payload_ojdbc_objectstorage.json
And the JSON Payload for the file payload_ojdbc_objectstorage.json in the bucket1 which namespace is mytenancy is as following:
{
"connect_descriptor": "(description=(retry_count=20)(retry_delay=3)(address=(protocol=tcps)(port=1521)(host=adb.us-phoenix-1.oraclecloud.com))(connect_data=(service_name=xsxsxs_dbtest_medium.adb.oraclecloud.com))(security=(ssl_server_dn_match=yes)))",
"user": "scott",
"password": {
"type": "vault-oci",
"value": "ocid1.vaultsecret.oc1.phx.amaaaaaxxxx"
},
"jdbc": {
"oracle.jdbc.ReadTimeout": 1000,
"defaultRowPrefetch": 20,
"autoCommit": "false"
}
}The sample code below executes as expected with the previous configuration.
OracleDataSource ds = new OracleDataSource();
ds.setURL("jdbc:oracle:thin:@config-ociobject:https://objectstorage.us-phoenix-1.oraclecloud.com/n/mytenancy/b/bucket1/o/payload_ojdbc_objectstorage.json");
Connection cn = ds.getConnection();
Statement st = cn.createStatement();
ResultSet rs = st.executeQuery("select sysdate from dual");
if (rs.next())
System.out.println("select sysdate from dual: " + rs.getString(1));For the JSON type of provider (OCI Object Storage, HTTP/HTTPS, File) the password is an object itself with the following spec:
- type
- Mandatory
- Possible values
- vault-oci
- vault-azure
- base64
- value
- Mandatory
- Possible values
- OCID of the secret (if vault-oci)
- Azure Key Vault URI (if vault-azure)
- Base64 Encoded password (if base64)
- Text
- authentication
- Optional (it will apply defaults in the same way as described in Configuring Authentication).
- Possible Values
- method
- optional parameters (depends on the cloud provider, applies the same logic as Config Provider for Azure).
OCI Database Tools Connections Config Provider and OCI Object Storage Config Provider share the same sets of parameters for authentication configuration.
The Centralized Config Providers in this module use the
OCI SDK Authentication Methods to provide authorization and authentication to the Object Storage, Database Tools Connection and Vault services.
The user can provide an optional parameter AUTHENTICATION (case-ignored) which is mapped with the following Credential Class.
| 'AUTHENTICATION' Param Value | Method | Optional Configuration | Optional Parameters |
|---|---|---|---|
| OCI_DEFAULT or <Empty> | API Key-Based Authentication | (~/.oci/config) or (~/.oraclebmc/config) or environment variable OCI_CONFIG_FILE (this is the same approach that oci-java-sdk has) Either above or all the optional values in Optional Parameters |
OCI_PROFILE |
| OCI_TENANCY | |||
| OCI_USER | |||
| OCI_FINGERPRINT | |||
| OCI_KEY_FILE | |||
| OCI_PASS_PHRASE | |||
| OCI_REGION (*) | |||
| OCI_INSTANCE_PRINCIPAL | Instance Principal Authentication | ||
| OCI_RESOURCE_PRINCIPAL | Resource Principal Authentication | ||
| OCI_INTERACTIVE | Session Token-Based Authentication | Same as OCI_DEFAULT | Same as OCI_DEFAULT |
*Note: this parameter is introduced to align with entries of the config file. The region that is used for calling Object Storage, Database Tools Connection, and Secret services will be extracted from the Object Storage URL, Database Tools Connection OCID or Secret OCID
The Database Connection String Provider provides Oracle JDBC with the connection string of an
Autonomous Database. This is a Resource Provider identified by the name
ojdbc-provider-oci-database-connection-string.
For databases that require mutual TLS (mTLS) authentication, it is recommended to use the Database TLS Provider in conjunction with this provider.
In addition to the set of common parameters, this provider also supports the parameters listed below.
| Parameter Name | Description | Accepted Values | Default Value |
|---|---|---|---|
| ocid | Identifies the database that a connection string is provided for. | The OCID of an Autonomous Database | No default value. A value must be configured for this parameter. |
| consumerGroup | Configures a share of CPU and IO resources allocated for the database session. Predefined groups are specified in the ADB product documentation |
"HIGH", "MEDIUM", "LOW", "TP", or "TPURGENT".
A database provisioned with the Data Warehouse workload type will not recognize TP or TPURGENT |
MEDIUM |
An example of a connection properties file that configures this provider can be found in example-adb.properties.
The Database TLS Provider provides Oracle JDBC with keys and certificates for
mutual TLS authentication
(mTLS)
with an Autonomous Database. This is a Resource Provider identified by the name
ojdbc-provider-oci-database-tls.
In addition to the set of common parameters, this provider also supports the parameters listed below.
| Parameter Name | Description | Accepted Values | Default Value |
|---|---|---|---|
| ocid | Identifies the database that TLS keys and certificates are provided for. | The OCID of an Autonomous Database | No default value. A value must be configured for this parameter. |
An example of a connection properties file that configures this provider can be found in example-adb.properties.
The Vault Password Provider provides Oracle JDBC with a password that is managed
by the OCI Vault service. This is a Resource Provider identified by the
name ojdbc-provider-oci-vault-password.
In addition to the set of common parameters, this provider also supports the parameters listed below.
| Parameter Name | Description | Accepted Values | Default Value |
|---|---|---|---|
| ocid | Identifies the secret that is provided. | The OCID of an OCI Vault secret | No default value. A value must be configured for this parameter. |
An example of a connection properties file that configures this provider can be found in example-vault.properties.
The Vault Username Provider provides Oracle JDBC with a username that is managed by the
OCI Vault service. This is a Resource Provider identified by the name
ojdbc-provider-oci-vault-username.
In addition to the set of common parameters, this provider also supports the parameters listed below.
| Parameter Name | Description | Accepted Values | Default Value |
|---|---|---|---|
| ocid | Identifies the secret that is provided. | The OCID of an OCI Vault secret | No default value. A value must be configured for this parameter. |
An example of a connection properties file that configures this provider can be found in example-vault.properties.
The Access Token Provider provides Oracle JDBC with an access token that authorizes logins to an Autonomous Database. This is a Resource Provider identified by
the name ojdbc-provider-oci-token.
This provider must be configured to authenticate as an IAM user that has been mapped to a database user. The IAM user must also be included in a policy that grants access to the Autonomous Database. Instructions can be found in the ADB product documentation.
In addition to the set of common parameters, this provider also supports the parameters listed below.
| Parameter Name | Description | Accepted Values | Default Value |
|---|---|---|---|
| scope | Specifies the scope of databases that may be accessed with the token. See Configuring a Scope for details. |
A URN in any of the following forms is accepted:urn:oracle:db::id::compartment-ocid::database-ocid urn:oracle:db::id::compartment-ocid urn:oracle:db::id::* |
urn:oracle:db::id::* |
An example of a connection properties file that configures this provider can be found in example-token.properties.
The "scope" parameter may be configured as a URN that identifies a database and/or compartment.
The least privileged scope is one that authorizes logins to a single database. This scope is expressed as a URN in the form shown below, where database-ocid is the OCID of a database, and compartment-ocid is the OCID of the compartment that contains the database.
urn:oracle:db::id::comparment-ocid::database-ocid
A more privileged scope is one that authorizes logins to all databases within a compartment. This scope is expressed as a URN in the form shown below, where compartment-ocid is the OCID of the compartment that contains the databases.
urn:oracle:db::id::comparment-ocid
The most privileged scope is one that authorizes logins to all databases within
a tenancy. This scope is expressed as the URN shown below, which contains the
* symbol.
urn:oracle:db::id::*
Providers classified as Resource Providers in this module all support a common set of parameters.
| Parameter Name | Description | Accepted Values | Default Value |
|---|---|---|---|
| authenticationMethod | Configures a method of authentication with OCI | Accepted values are defined in: Configuring Authentication | auto-detect |
| configFile | Configures the path to an OCI configuration file | A file system path | ~/.oci/config |
| profile | Configures the name of a profile in an OCI configuration file | A profile name | DEFAULT |
These parameters may be configured as a connection properties recognized by the
Oracle JDBC Driver. Parameter names are recognized when appended to the name of
a connection property that identifies a provider.
For example, when the connection property oracle.jdbc.provider.database
identifies a provider, any of the parameter names listed above may be appended to it:
oracle.jdbc.provider.database=ojdbc-provider-oci-database-connection-string
oracle.jdbc.provider.database.authenticationMethod=config-file
oracle.jdbc.provider.database.configFile=/home/app/resources/oci-config
oracle.jdbc.provider.database.profile=APP_PROFILEIn the example above, the parameter names authenticationMethod, configFile,
and profile are appended to the name of the connection property
oracle.jdbc.provider.database.
This has the effect of configuring the Database Connection String Provider, which
is identified by that property.
These same parameter names can be appended to the name of any other property
that identifies a provider. For instance, a provider identified by
the connection property oracle.jdbc.provider.accessToken can be configured with
the same parameters seen in the previous example:
oracle.jdbc.provider.accessToken=ojdbc-provider-oci-token
oracle.jdbc.provider.accessToken.authenticationMethod=config-file
oracle.jdbc.provider.accessToken.configFile=/home/app/resources/oci-config
oracle.jdbc.provider.accessToken.profile=APP_PROFILEConnection properties which identify and configure a provider may appear in a connection properties file or be configured programmatically. Configuration with JVM system properties is not supported.
Providers in this module must authenticate with OCI. By default, a provider will automatically detect any available credentials. A specific credential may be configured using the "authenticationMethod" parameter. The parameter may be set to any of the following values:
- config-file
- Authenticate with credentials configured by an OCI configuration file .
- instance-principal
- Authenticate as an instance principal .
- resource-principal
- Authenticate as a resource principal .
- cloud-shell
- Authenticate with the session token of a Cloud Shell .
- interactive
- Authenticate interactively by logging in to a cloud account with your default web browser. The browser window is opened automatically.
- auto-detect
- This is the default authentication method. The provider will attempt the following authentication methods, in the order listed, until one succeeds: "config-file", "cloud-shell", "resource-principal", and "instance-principal".