Can't get mTLS authentication working in thin mode

[jammann]

I'm trying to get mTLS working (with a proxy-user, actually) with thin mode to an Oracle 19c database. I'm using 1.3.0 with the following code

dsn = """(DESCRIPTION=
        (ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=db.pyx.ch)(PORT=1522)))
        (CONNECT_DATA=(SERVICE_NAME=MYDB.PYX.CH))
            (SECURITY=(SSL_SERVER_CERT_DN="CN=db.pyx.ch,OU=OracleDB,O=PCY,C=CH")
        )
    )"""

connection = oracledb.connect(user="CERTOWNER", password='', proxy_user='DBUSER',
                              dsn=dsn, wallet_location="/var/tmp/oracleconfig")

Somehow I don't understand the part where I instruct the thin driver to use the private key contained in /var/tmp/oracleconfig/ewallet.pem. I would have expected that I don't need to specify the password= parameter, but when I set it to None, I immediately get "DPY-4001: no credentials specified".

When I specify it as empty string, the connection bascially seems to work. The TLS handshake succeeds but as far as I can tell, no client certificate is being sent. I get the error

DatabaseError: ORA-28272: Domain policy restricts password based GLOBAL user authentication

Which makes sense, because the GLOBAL user 'CERTOWNER' is configured to only allow certificate based authentication.

My ewallet.pem contains all needed CA certificates to verify the server cert, plus the certifcate and private key (unencrypted - hence I don't set a wallet_password).

I think I'm missing some simple but important piece, but I couldn't find any pointer in the documentation or the code

Many thanks in advance for your support!

CU, Joe

[anthony-tuininga]

Thin mode currently only allows user/password authentication. No form of external authentication is currently supported -- which seems to be what you are attempting? I am not familiar with "certificate based authentication" but suspect that is a form of external authentication. You'll need to create an enhancement request for this to be used in thin mode.

[jammann]

Thanks Anthony for the super-fast reply! Indeed I was assuming that all the references in the documentation about "mTLS in thin mode" like here https://python-oracledb.readthedocs.io/en/latest/user_guide/connection_handling.html#mutual-tls-mtls-connection-to-oracle-autonomous-database were implying that full authentication of the client by its client certificate is possible.

Apparently this is not so, as you say.

I did in the meantime a packet trace of the handshake and I could confirm that the "mutual" part of the TLS handshake indeed happens and is successful. It appears that there is more to a successful Oracle authentication with a client certificate than just the successful mTLS handshake.

I will give the think mode a try, because our databases are configured in a way that they don't allow username/password authentication (hence the ORA-28272 error)

Thanks again!