Oracle Database 12c enables enhanced security for extproc by authenticating it against a user-supplied credential. This new feature allows the creation of a user credential and links it with a PL/SQL library object. Whenever an application calls an external procedure, the extproc process authenticates the connection before loading the shared library.
The DBMS_CREDENTIAL package is used to configure the credential. The CREATE LIBRARY statement has been enhanced for the credential specification.
A new environment variable, ENFORCE_CREDENTIAL, can be specified in extproc.ora to control the authentication by the extproc process. The default value of the parameter is FALSE. Another new environment variable, GLOBAL_EXTPROC_CREDENTIAL, serves as the default credential and is only used when the credential is not specified for a library. If ENFORCE_CREDENTIAL is FALSE and no credential has been defined in the PL/SQL library, there will be no user authentication; the extproc process then runs with the privileges of the user running the Oracle server.
The following PL/SQL block creates a credential by using DBMS_CREDENTIAL.CREATE_CREDENTIAL. This credential is built using the ORADEV user:
BEGIN
  DBMS_CREDENTIAL.CREATE_CREDENTIAL(credential_name => 'devhost_auth',
    username => 'oradev',  -- the parameter is named USERNAME, not USER_NAME
    password => 'oradev');
END;
/
The library definition will include a new
CREATE OR REPLACE LIBRARY myextlib
  AS '<full path to the shared library>' CREDENTIAL devhost_auth;
When the extproc process reads the call specification and finds the shared library with a secured credential, it authenticates the library on behalf of the credential and then loads it.
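Because a library without a credential falls back to no user authentication when ENFORCE_CREDENTIAL is FALSE, it is worth checking which libraries are actually linked to a credential. The query below is an added example, not taken from the book; it assumes a 12c database and SELECT access to the DBA_LIBRARIES and DBA_CREDENTIALS dictionary views, and the FINDING labels are made up for illustration.

```sql
-- Added example: audit external-procedure libraries for credential linkage.
-- Assumes SELECT privilege on DBA_LIBRARIES and DBA_CREDENTIALS (12c and later).
SELECT l.owner,
       l.library_name,
       l.file_spec,                      -- path of the shared library extproc will load
       l.credential_owner,
       l.credential_name,
       c.username   AS credential_user,  -- user the credential was built with
       c.enabled    AS credential_enabled,
       CASE
         -- No CREDENTIAL clause on the library: with ENFORCE_CREDENTIAL = FALSE
         -- the call is made with no user authentication.
         WHEN l.credential_name IS NULL THEN 'NO_CREDENTIAL'
         -- Library names a credential that no longer exists.
         WHEN c.credential_name IS NULL THEN 'CREDENTIAL_MISSING'
         -- Credential exists but has been disabled.
         WHEN c.enabled = 'FALSE'       THEN 'CREDENTIAL_DISABLED'
         ELSE 'OK'
       END          AS finding
FROM   dba_libraries l
       LEFT JOIN dba_credentials c
              ON  c.owner           = l.credential_owner
              AND c.credential_name = l.credential_name
WHERE  l.dynamic = 'Y'                   -- only dynamically loadable (external) libraries
ORDER  BY finding, l.owner, l.library_name;
```

Rows reported as NO_CREDENTIAL are the ones whose behaviour depends entirely on the ENFORCE_CREDENTIAL setting in extproc.ora.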
Note – this post is an excerpt from the book “Advanced Oracle PL/SQL Developer’s Guide – Second Edition”