Lesson 7	Security features of Oracle
Objective	Discuss core Oracle security features, including external authentication patterns and modern Oracle 23ai identity integration.

Security Features of Oracle

Oracle security is implemented as a set of layered controls that protect (1) identities, (2) network connections, (3) stored data, and (4) privileged activity. This lesson focuses on the network and authentication portion of that stack—how Oracle validates users, integrates with enterprise identity services, and protects credentials and sessions in transit.

Oracle Advanced Security

Oracle Advanced Security (OAS) is the primary feature set for securing Oracle Net sessions with strong authentication and cryptographic protection. In practice, OAS is used to standardize how clients connect to the database—reducing reliance on database passwords, enabling enterprise authentication, and applying encryption and integrity checks to traffic between clients and database servers.

Network protection: encryption and integrity for Oracle Net traffic to reduce sniffing and tampering risk.
External authentication: integration with enterprise identity systems so users authenticate outside the database.
Centralized policy alignment: consistent authentication controls across multiple databases and environments.

Authentication Options Used with Oracle Networks

Oracle supports multiple authentication models, and most organizations use a combination: database accounts for service identities and operational access, plus external authentication for workforce identities.

Authentication with Directory-Based Services

Directory-based identity reduces administrative overhead and improves control. Rather than managing user credentials independently inside every database, organizations centralize identity in a directory and map those identities to database authorization policies (roles, privileges, and schemas).

LDAP / directory integration (historical and current): Oracle environments commonly integrate with directory services (for example, Active Directory, OpenLDAP) to centralize user identity, group membership, and lifecycle management. Earlier Oracle stacks frequently referenced Oracle Internet Directory (OID), Oracle's LDAP-compliant directory service. Modern environments typically emphasize "directory-backed identity" using any standards-compliant LDAP directory regardless of vendor.
Central privilege alignment: database access is still enforced by Oracle, but identity data and (often) role mappings can be aligned with enterprise group structures and controlled processes.

Authentication with Kerberos

Kerberos is a widely adopted network authentication protocol that provides strong authentication using symmetric key cryptography and tickets. Oracle supports Kerberos authentication (version 5), making it a natural fit for environments using Active Directory or MIT Kerberos.

Key characteristics:

Ticket-based authentication: Users authenticate once to obtain tickets, enabling Single Sign-On (SSO) across multiple services
No password transmission: Credentials never travel over the network in plaintext or encrypted form
Mutual authentication: Both client and server verify each other's identity
Time-limited sessions: Tickets expire, limiting exposure from compromised tickets

Kerberos is commonly implemented alongside or instead of RADIUS in enterprise Oracle deployments, particularly where Active Directory is the central identity source. The protocol eliminates password transmission entirely, with authentication handled through encrypted ticket exchanges between the client, Key Distribution Center (KDC), and database server.

Authentication with RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a lightweight, widely adopted protocol for authentication, authorization, and accounting (AAA), defined in RFC 2865 (Authentication) and RFC 2866 (Accounting). Oracle environments have used RADIUS to integrate token-based authentication (including one-time password systems) and to centralize authentication decisions outside the database.

RADIUS Overview

RADIUS can be valuable when you need to plug Oracle authentication into an existing AAA ecosystem. A key benefit is decoupling: you can change the underlying authentication method (for example, switching token vendors) without requiring changes to Oracle clients or application code, as long as the RADIUS interface remains stable.

From the user's perspective, the process should be transparent. The client attempts to connect, and the database server delegates the authentication decision to an external service. The RADIUS server typically:

Looks up the user's security profile
Exchanges authentication and authorization data with the database server (directly or via upstream authentication services)
Returns an accept or reject decision
Records session and accounting signals (time, frequency, duration) based on AAA policy

Oracle Wallets

Oracle Wallets are secure containers for storing credentials, certificates, and cryptographic keys. They provide a standardized approach to credential management and support:

Storage of SSL/TLS certificates for TCPS connections
Client authentication credentials for mutual TLS (mTLS)
Database passwords for applications (though external authentication is preferred)
PKI trust chains for certificate validation

Wallets eliminate the need to embed passwords in configuration files and enable centralized management of cryptographic materials. Oracle Wallet Manager and command-line utilities (orapki) are used to create and maintain wallets in production environments.

Oracle 11g Implementation (Historical Pattern)

The diagram below reflects a common Oracle 11g-era approach: the database server operates as the RADIUS client and delegates authentication to a centralized RADIUS (or RSA ACE–compatible) service. The architecture remains conceptually valid, but it should be treated as a historical reference because many modern deployments prefer TLS-based connectivity plus federated identity (IdP) integration for workforce authentication.

Oracle Radius — **Oracle 11g-era RADIUS integration components (left to right):**

**Oracle Client**

End-user workstation, application server, or client tool

Initiates the database connection request

Does not communicate directly with the RADIUS server

**Oracle Server (RADIUS Client)**

Oracle Database server hosting Oracle Net listener

Delegates authentication to RADIUS as an external decision point

Enforces access based on the accept/reject response

**RADIUS Server (or RSA ACE–compatible server)**

Centralized AAA service

Validates credentials (passwords, OTP tokens, smart cards, MFA workflows depending on the stack)

Returns an **accept** or **reject** decision to the database server

**Communication flow:**

**Oracle Client ⇄ Oracle Server:** database session setup and runtime traffic

**Oracle Server ⇄ RADIUS server:** authentication and authorization exchange

Oracle 23ai Authentication and MFA Integration (Modern Pattern)

In Oracle 23ai-era designs, organizations typically standardize on encrypted network transport (TLS/TCPS) and shift workforce authentication toward a central Identity Provider (IdP). Modern IdP integration uses OAuth 2.0 and OpenID Connect (OIDC) protocols for token-based authentication and SSO. Oracle Database 23ai can validate these identity tokens, allowing users to authenticate once at the IdP and access multiple resources without re-entering credentials.

In this model, multi-factor authentication (MFA) is executed at the IdP layer and Oracle trusts the validated identity assertion. RADIUS and Kerberos often remain in the environment for interoperability with legacy systems or specific use cases, but federated identity with an IdP is commonly treated as the default architecture for workforce authentication.

Oracle 23ai Authentication and MFA Integration Diagram — **What this diagram highlights:** clients connect over encrypted Oracle Net (TCPS), Oracle enforces authorization locally, and identity/MFA is centralized in an IdP. RADIUS and Kerberos may still be present for legacy token or access-gateway workflows.

**Clients**

Interactive tools and applications (SQL*Plus, JDBC, ODP.NET, application servers, batch jobs)

Often connect through a connection pool for performance and session reuse

**Connectivity layer**

**TCPS (TLS)** protects credentials and session data in transit

**mTLS (mutual TLS)** extends standard TLS by requiring both client and server to present certificates, providing strong cryptographic proof of identity for both endpoints. This is particularly valuable for service-to-service authentication where endpoint identity assurance is required.

**Oracle Database 23ai security enforcement**

**Authentication (AuthN) and authorization (AuthZ)** decisions are enforced by Oracle (users, roles, privileges, schemas)

**Unified auditing** captures logons, failures, and privileged activity for traceability

**Identity Provider and MFA**

SSO and federation patterns centralize identity governance using OAuth 2.0 and OIDC

MFA runs once at the IdP and can be enforced consistently across many applications and databases

Supports modern authentication methods including FIDO2/WebAuthn, TOTP, and push notifications

**Legacy / interoperability path (optional)**

RADIUS and Kerberos can remain as bridges for older token systems, Active Directory authentication, or access gateways

Best treated as integration options rather than the default design baseline

**Mermaid source used to generate the diagram (reference):**

flowchart LR subgraph C[Clients] A1[Client App\n(SQL*Plus / JDBC / ODP.NET / App Server)] end subgraph N[Connectivity Layer] B1[Oracle Net / TCPS\n(mTLS, wallets, cert validation)] B2[Optional: Connection Pool\n(UCP / App Server Pool)] end subgraph D[Oracle Database 23ai] C1[Oracle DB 23ai\nAuthN/AuthZ Engine] C2[Database Users / Schemas\nGlobal Users / Local Users] C3[Unified Auditing\n& Security Policies] end subgraph I[Identity & MFA Services] D1[Identity Provider (IdP)\nOIDC / OAuth2 (SSO)] D2[MFA Service\n(FIDO2/WebAuthn, TOTP, Push)] D3[Directory / HR Source\n(AD/LDAP)] end subgraph L[Legacy / Interop] E1[RADIUS Server\n(or RSA/ACE-compatible)] E2[PAM / Access Gateway\n(optional)] end A1 -->|SQL over TLS| B1 A1 -->|Optional pooled sessions| B2 --> B1 B1 -->|Auth handshake + session| C1 C1 -->|Federation / token validation| D1 D1 --> D2 D1 --> D3 C1 -.->|If required for legacy flows| E2 E2 -.-> E1 C1 --> C2 C1 --> C3

Security Takeaways for Production Design

Prefer encrypted transport by default: deploy TCPS broadly; add mTLS where endpoint identity assurance is required.
Centralize workforce authentication: use an IdP to standardize SSO and MFA across applications and database entry points.
Keep authorization inside Oracle: roles, privileges, schema access, and fine-grained controls remain database-enforced.
Leverage Kerberos for Active Directory environments: Kerberos provides strong, passwordless authentication that integrates naturally with Windows-based enterprise infrastructure.
Treat RADIUS as interop when appropriate: retain it for legacy token systems or gateways, but avoid making it the only security pillar.
Use Oracle Wallets for credential management: centralize certificates and keys rather than embedding credentials in configuration files.
Audit aggressively: capture logon success/failure and privileged actions so investigations can follow an end-to-end trail.

[1] RADIUS: Acronym for Remote Authentication Dial-In User Service, a client-server AAA protocol used to centralize authentication and access decisions (RFC 2865, RFC 2866).