Oracle Database supports current user database links over an SSL-authenticated network connection. Current user database links let you connect to a second database as yourself, or as another user when used from within a stored procedure owned by that user. Such access is limited to the scope of the procedure. The security advantage of current user database links is that the other user's credentials are not stored in the database link definition and are not sent across the network connection between databases. Instead, security of these links is based on mutual trust, mutual authentication, and a secure network connection between the databases themselves.
For example, a current user database link lets Harriet, a user of the Finance database, procedurally access the Accounts Payable database by connecting as the enterprise user Scott.
For Harriet to access a current user database link to connect to the schema Scott, Scott must be a global schema (created as IDENTIFIED GLOBALLY) in both databases. Harriet, however, can be a user identified in one of three ways:
By a password
GLOBALLY
EXTERNALLY
To create Scott as a global user in the first database, Finance, you must enter
CREATE USER Scott IDENTIFIED GLOBALLY as 'CN=Scott,O=nmt'
so that Scott has an exclusive schema. Then Scott can map to a shared schema in the second database, Accounts Payable. In order for the current user database link to work, the schema created for Scott in the first database cannot be shared with other users.
Current user database links operate only between trusted databases within a single enterprise domain. Databases within the domain trust each other to authenticate users. You specify an enterprise domain as trusted by using Oracle Enterprise Manager. When you use Oracle Enterprise Manager to enable current user database links for a domain, they will work for all databases within that domain. However, each database in the domain must have its own PKI credentials and use SSL to authenticate to the other databases. To specify a database as untrusted that is part of a trusted enterprise domain, use the PL/SQL package DBMS_DISTRIBUTED_TRUST_ADMIN.
To obtain a list of trusted servers, use the TRUSTED_SERVERS view.
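The following sequence is an added example, not part of the original Oracle text, that ties the steps above together: the global schema, the current user database link, a procedure that scopes Harriet's access, and the trust check. The link name ap_link, the net service name accounts_payable, the table invoices, the procedure count_invoices, and the server name untrusted_db.example.com are hypothetical, and running the trust commands on the database that receives the link connections is an assumption.

```sql
-- Added example; link, service, table, procedure and server names are hypothetical.

-- 1. On Finance: Scott must own an exclusive (not shared) global schema.
--    This is the statement given in the text above.
CREATE USER Scott IDENTIFIED GLOBALLY AS 'CN=Scott,O=nmt';

-- 2. On Finance, in Scott's schema: create the current user database link.
--    No user name or password is stored in the link definition.
--    'accounts_payable' is an assumed Oracle Net service name.
CREATE DATABASE LINK ap_link
  CONNECT TO CURRENT_USER
  USING 'accounts_payable';

-- 3. On Finance: a definer's rights procedure owned by Scott.
--    When Harriet calls it, the link connects as Scott, and that
--    access is limited to what this procedure does.
CREATE OR REPLACE PROCEDURE Scott.count_invoices (p_total OUT NUMBER)
AUTHID DEFINER
AS
BEGIN
  SELECT COUNT(*) INTO p_total FROM invoices@ap_link;
END;
/

GRANT EXECUTE ON Scott.count_invoices TO Harriet;

-- 4. On Accounts Payable (assumed to be the receiving database):
--    review the current trust list before changing it.
SELECT trust, name FROM trusted_servers;

-- 5. Mark one database in the trusted domain as untrusted, so that
--    current user database links from it are refused.
BEGIN
  DBMS_DISTRIBUTED_TRUST_ADMIN.DENY_SERVER('untrusted_db.example.com');
END;
/

-- 6. Confirm the change.
SELECT trust, name FROM trusted_servers;
```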
Note:
Oracle Advanced Security, an option to the Oracle Database Enterprise Edition, does not support RADIUS authentication over database links.
See Also:
Oracle Database Heterogeneous Connectivity User's Guide, for additional information about current user database links
Oracle Database SQL Language Reference, for more information about SQL syntax
Oracle Database PL/SQL Packages and Types Reference, for information about the PL/SQL package DBMS_DISTRIBUTED_TRUST_ADMIN
Oracle Database Reference, for information about the TRUSTED_SERVERS view
Oracle Database Security Guide, for information about configuring SSL for Oracle Net
"Managing Oracle Wallets" for information about creating wallets