Our Oracle 19c DBs are set up to allow connections only when authenticated with client certificates. We store the client certificates as JKS and as regular Oracle wallets. Additionally, the users which are authenticated with client certs must always use proxy connections to a “real” schema user.
I can't get such connections to work with SQLcl using the thin driver.
When connecting with OCI tools like SQL*Plus, we use commands like the one below. Of course we need to set ORACLE_HOME and TNS_ADMIN so that the correct wallet can be found.
sqlplus [schema]/@(DESCRIPTION........)
When using Java clients with the thin driver, we need to set Java system properties for the JDBC driver like
-Djavax.net.ssl.keyStore=${keystore} -Djavax.net.ssl.keyStorePassword=${keystore_pw}
-Doracle.net.ssl_client_authentication=true -Doracle.net.ssl_server_dn_match=true -Doracle.net.authentication_services=(TCPS)
With such configurations, Java clients can open connections without specifying any password.
With SQLcl I can't get this to work. When I try something like the below (after setting CUSTOM_JDBC to the proper settings),
sql [schema]/@(DESCRIPTION........)
I get the following error from the database
ORA-28272: Domain policy restricts password based GLOBAL user authentication.
This normally happens when the client tries to send an (empty) password to the server, trying to authenticate after the connection has been established. Now in our setup, authentication already happens when establishing the connection through mTLS and the client certificate. No further authentication is needed. All our users are set up to allow this kind of authentication exclusively; this is implemented in OID and is the reason why the ORA-28272 error is raised.
Was anybody successful in using SQLcl in such a setup?
CU, Joe
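For readers who want to see the thin-driver setup the post describes end to end, the following is an added example (not code from the original post, nor from SQLcl or Oracle) of a plain JDBC client that authenticates with a JKS client certificate over TCPS and then switches to the target schema with a proxy session, which is the programmatic counterpart of the `[schema]/@...` syntax above. The property names are the ones listed in the post; the connect descriptor, host, port, service name, the environment variable names and the schema user `SCHEMA_USER` are placeholders, because the post elides the real DESCRIPTION. It assumes `ojdbc` (the `oracle.jdbc` package) is on the classpath.

```java
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

import oracle.jdbc.OracleConnection;
import oracle.jdbc.pool.OracleDataSource;

public class MtlsProxyConnect {

    // Placeholder TCPS descriptor: the real DESCRIPTION is not given in the post.
    private static final String URL =
        "jdbc:oracle:thin:@(DESCRIPTION="
      + "(ADDRESS=(PROTOCOL=TCPS)(HOST=db.example.internal)(PORT=2484))"
      + "(CONNECT_DATA=(SERVICE_NAME=svc.example.internal)))";

    // Target schema reached through the proxy session (placeholder name).
    private static final String TARGET_SCHEMA = "SCHEMA_USER";

    public static void main(String[] args) throws SQLException {
        Properties props = new Properties();

        // Same settings the post passes as -D system properties; the thin
        // driver also accepts them as connection properties, which keeps the
        // keystore password out of the process command line.
        // KEYSTORE / KEYSTORE_PW are assumed environment variable names.
        props.setProperty("javax.net.ssl.keyStore", System.getenv("KEYSTORE"));
        props.setProperty("javax.net.ssl.keyStorePassword", System.getenv("KEYSTORE_PW"));
        props.setProperty("javax.net.ssl.keyStoreType", "JKS");
        props.setProperty("oracle.net.ssl_client_authentication", "true");
        props.setProperty("oracle.net.ssl_server_dn_match", "true");
        props.setProperty("oracle.net.authentication_services", "(TCPS)");
        // Deliberately no "user" and no "password": the identity comes from
        // the client certificate, so sending even an empty password would
        // trigger ORA-28272 in the setup described above.

        OracleDataSource ds = new OracleDataSource();
        ds.setURL(URL);
        ds.setConnectionProperties(props);

        try (OracleConnection conn = (OracleConnection) ds.getConnection()) {
            // The certificate-authenticated user is only allowed to act as a
            // proxy, so open a proxy session for the real schema user.
            Properties proxy = new Properties();
            proxy.setProperty(OracleConnection.PROXY_USER_NAME, TARGET_SCHEMA);
            conn.openProxySession(OracleConnection.PROXYTYPE_USER_NAME, proxy);

            // Verify that the session really runs as the target schema and
            // records which proxy user authenticated it.
            try (Statement st = conn.createStatement();
                 ResultSet rs = st.executeQuery(
                     "SELECT USER, SYS_CONTEXT('USERENV', 'PROXY_USER') FROM DUAL")) {
                if (rs.next()) {
                    System.out.println("session user : " + rs.getString(1));
                    System.out.println("proxy user   : " + rs.getString(2));
                }
            }

            // Close only the proxy session; the underlying mTLS connection
            // stays usable until the try-with-resources block closes it.
            conn.close(OracleConnection.PROXY_SESSION);
        }
    }
}
```

Running this with `KEYSTORE` and `KEYSTORE_PW` set is a useful way to separate the two failure modes in the post: if `getConnection()` already fails, the TLS handshake or DN match is the problem; if it succeeds but `openProxySession` fails, the proxy grant on the target schema is what needs checking. `SYS_CONTEXT('USERENV', 'PROXY_USER')` returning the certificate-mapped user confirms that no password-based authentication took place.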