The following are the new features in Oracle Net Services:

• Read-only Oracle Home Support

  An Oracle home can be configured in a read-only mode, which prevents creation or modification of files inside the Oracle home (ORACLE_HOME) directory. A read-only Oracle home can be used as a software image that can be shared across multiple independent servers. This simplifies patching and mass rollout as only one Oracle home image needs to be updated to distribute a patch to multiple servers. In the read-only Oracle home mode, ORACLE_BASE_HOME is a home-specific directory located at ORACLE_BASE/homes/HOME_NAME.

  See Also:

  • Oracle Database Installation Guide for Linux

  • Overview of Oracle Net Listener Configuration File

• New sqlnet.ora Parameters

  • ACCEPT_MD5_CERTS parameter replaces the ORACLE_SSL_ALLOW_MD5_CERT_SIGNATURES environment variable

  • ACCEPT_SHA1_CERTS parameter

  • ADD_SSLV3_TO_DEFAULT parameter

  See Also:

  sqlnet.ora Profile Parameters

• Ability to Create a Keystore for Each Pluggable Database

  Starting with this release, each pluggable database (PDB) can have its own keystore, instead of there being only one keystore for the entire container database (CDB). The advantage of this feature is that it enables independent key management operations to be performed by each tenant (PDB) in a multitenant environment rather than having to share a keystore at the CDB root level. This feature benefits both multitenant and non-multitenant environments because it provides parameters to facilitate the configuration of the keystore location and the keystore type, eliminating the need for editing the sqlnet.ora file.

  This feature provides the following new functionality:

  • For multitenant environments, the following two modes:

    • United mode, in which the keystores and master encryption keys are primarily managed from the CDB root, and can be accessed from the united mode PDB. Within the PDB, the keystore can be opened and closed just for that PDB. You also can create a PDB-specific master encryption key for this keystore.

    • Isolated mode, in which the keystore and encryption keys are managed in an individual PDB. This way, each PDB can configure its own keystore type independently, and create and manage this keystore after configuring it.

    To accommodate these modes, the ADMINISTER KEY MANAGEMENT SQL statement has been enhanced to behave differently in the two modes.

  • For both non-multitenant and multitenant environments, the following are the new features:

    • Addition of the WALLET_ROOT static instance initialization parameter, to specify the keystore path. In this guide, WALLET_ROOT refers to the configuration of software keystores, hardware keystores, and Oracle Key Vault keystores, but this parameter can be used to designate the wallet location for other products as well: Enterprise User Security, Secure Sockets Layer, Oracle XML DB, and Secure External Password Store.

    • Addition of the TDE_CONFIGURATION dynamic instance initialization parameter, to specify the type of keystore to use. You can set this parameter for TDE software keystores, hardware security module keystores (HSMs), and Oracle Key Vault.

    • Modification to the behavior of the SQLNET.ENCRYPTION_WALLET_LOCATION parameter, to enable its use only if the WALLET_ROOT parameter has not been set

• Integration of Active Directory Services with Oracle Database

  With centrally managed users (CMU) Oracle database users and roles can map directly to Active Directory users and groups without using Oracle Enterprise User Security (EUS) or another intermediate directory service. EUS is not being replaced or deprecated; this new feature is another simpler option if you only want to authenticate and authorize users with Active Directory.

  The direct integration with directory services supports better security through faster and easier configuration with the enterprise identity management architecture. In the past, users may have avoided integrating the database with directory services due to the difficulty and complexity. Centrally managed users allows the Oracle database to directly connect with Active Directory

• Support for Oracle Connection Manager in Traffic Director Mode

  This feature provides improved high availability and performance for both planned and unplanned outages with the help of new cman.ora parameters. Some of the existing parameters that support Oracle Connection Manager in Traffic Director Mode are inbound_connect_timeout, min_gateway_processes, max_gateway_processes, and max_connections.

  See Also:

  • Oracle Connection Manager in Traffic Director Mode Parameters

  • Oracle Database Net Services Administrator's Guide

The following are the new features in Oracle Net Services:

• Listener Parameter for Multiple Redirects

  Starting with Oracle Database 12c Release 2 (12.2), Oracle Net listener supports multiple redirects with the introduction of a new listener parameter, ALLOW_MULTIPLE_REDIRECTS_listener_name. It supports seamless migration of a PDB from a local database to the Oracle Public Cloud.

  See Also:

  Oracle Database Net Services Administrator's Guide for information about this parameter

• Sharding and Data Dependent Routing

  This feature provides the ability to horizontally partition the data across multiple independent Oracle databases, also called shards, and based on a key specified in the connect string, route the database requests to a particular shard.

  See Also:

  • CONNECT_DATA section for information about the new parameters

  • Oracle Database Net Services Administrator's Guide for information about data-dependent routing

  • Oracle Data Provider for .NET Developer's Guide for Microsoft Windows for more information about this feature

• SCAN Listener Support for HTTP

  This feature enables load balancing across the HTTP presentation handlers residing on different nodes by redirecting to the least loaded node.

• ExaDirect SQL*Net Adapter

  Use the ExaDirect SQL*Net adapter for low overhead database access. Use the new transport to improve latency and throughput by leveraging Remote Direct Memory Access (RDMA) in an InfiniBand environment.

  See Also:

  Oracle Database Net Services Administrator's Guide for information

• Direct SQL*Net Access Over Oracle Cloud

  This feature enables Oracle Cloud support for Oracle Database over SQL*Net. The existing applications can now use Oracle Cloud without any code changes. The database clients can connect to Oracle Cloud using Oracle Connection Manager.

• Service-Level ACLs for TCP Protocol

  This feature allows every database service to have its own access control list (ACL) and the ACL is based on IPs. Since each pluggable database is a different service, this feature enables different pluggable databases to have different ACLs. These ACLs are enforced by the listener. In other words, access to a pluggable database service is enabled only for IPs that are permitted through an ACL.

• Better Security for Password Verifiers

  Starting with this release, Oracle Database provides several enhancements for password authentication verifiers.

  • The default for the SQLNET.ALLOWED_LOGIN_VERSION_SERVER parameter is now 12 (Exclusive Mode) instead of 11. A setting of 12 generates both 11G and 12C verifiers. If you want to restrict the verifier generation to the 12C verifier, then you can set SQLNET.ALLOWED_LOGIN_VERSION_SERVER to 12a.

  • The 12C verifier is now generated automatically. In previous releases, the 10G verifier was generated automatically.

  See Also:

  Oracle Database Security Guide for more information about this feature.

• Additional Supported Encryption Algorithms

  Starting with this release, you can use the ARIA, GOST, and SEED encryption algorithms for both column encryption and tablespace encryption, in addition to the AES and DES encryption standards. The following are the benefits of these new encryption standards:

  • ARIA uses the same block sizes as AES. It is designed for lightweight environments and the implementation of hardware.

  • GOST is very similar to DES except that it has a large number of rounds and secret S-boxes.

  • SEED is used by several standard protocols: S/MIME, TLS/SSL, IPSec, and ISO/IEC.