COMMON_USER_CONNECT lockdown profiles feature in Oracle Database 19c

After upgrading some CDBs to 19c, we hit the problem of not being able to connect as common users to the PDBs. In all affected CDBs, lockdown profiles were in place with following definition regarding common user connection part:

SQL> ALTER LOCKDOWN PROFILE lockdown DISABLE FEATURE = ('CONNECTIONS');
SQL> ALTER LOCKDOWN PROFILE lockdown ENABLE FEATURE = ('COMMON_USER_CONNECT');

It worked well in 12c, but after the upgrade we started to get:

sqlplus C##USER/<pass>@//server-scan:1521/ldptest01_rw.domain

SQL*Plus: Release 19.0.0.0.0 - Production on Mon May 3 16:07:16 2021
Version 19.9.0.0.0

Copyright (c) 1982, 2020, Oracle.  All rights reserved.

ERROR:
ORA-01017: invalid username/password; logon denied

As CONNECTIONS is a feature bundle consisting of 2 features: COMMON_USER_CONNECT and LOCAL_SYSOPER_RESTRICTED_MODE_CONNECT, possible workaround is to change the definition to:

SQL> ALTER LOCKDOWN PROFILE lockdown ENABLE FEATURE = ('CONNECTIONS');
SQL> ALTER LOCKDOWN PROFILE lockdown DISABLE FEATURE = ('LOCAL_SYSOPER_RESTRICTED_MODE_CONNECT');

However, as it is less prohibitive way, especially if new features are added to the bundle in the future, I have opened SR and Oracle has provided better solution, showing that the new feature COMMON_USER_CONNECT_LOCAL_SERVICE (undocumented at the time of writing) has already been added in 19c:

SQL> ALTER LOCKDOWN PROFILE lockdown DISABLE FEATURE = ('CONNECTIONS');
SQL> ALTER LOCKDOWN PROFILE lockdown ENABLE FEATURE = ('COMMON_USER_CONNECT');
SQL> ALTER LOCKDOWN PROFILE lockdown ENABLE FEATURE = ('COMMON_USER_CONNECT_LOCAL_SERVICE');

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s