Skip to Main Content
  • Questions

  • Database resident connection pooling & proxy users

Breadcrumb

Question and Answer

Connor McDonald

Thanks for the question.

Asked: May 10, 2016 - 1:50 pm UTC

Last updated: May 26, 2016 - 3:53 am UTC

Version: 12.1.0.2.0

Viewed 1000+ times

You Asked

Hi guys,

I am learning about DRCP and proxy users with a view to incorporating them both into our applications. As a result, I have the following two questions. I hope you can help!!

Question 1:

When using the database resident connection pooling functionality I observe the following behaviour.

1) Switch on the connection pool with the default values using DBMS_CONNECTION_POOL.start_pool();
2) Alter the TNS connection details to add the SERVER=POOLED
3) Successfully connect to the database using the modified TNS connection details.

All good.... but,

If the MAX_THINK_TIME parameter (default 120) is exceeded (i.e. no commands are issued by the pooled session), the session will terminate and produce an ORA-03113: end-of-file on communication channel. I believe that this is documented but there seems to be a nasty side effect:

Suppose, as part of the application, a sequence was defined with the caching option of 2,000 numbers. I have noticed that whenever a pooled session is terminated in this way, the sequence discards the unused numbers in the cache - almost as if the instance is restarting as a result. I have scanned the on-line manuals and I can't find this behaviour documented anywhere. If this is indeed the desired behaviour, can this behaviour be overridden (apart from increasing the MAX_THINK_TIME parameter)?

Question 2:

When using the proxy user functionality, is there a way of specifying the proxy user password on the command line for SQL*Plus? It is well documented that the proxy user can be specified using the following syntax:

$ sqlplus /nolog
SQL> conn web[mark]/web@testpdb

It would follow that the password for mark could be added using the following syntax but it doesn't seem to work:
SQL> conn web[mark/mark]/web@testpdb

I also use Pro*C and couldn't find a similar extension to the EXEC SQL CONNECT to allow proxy users either.

Many thanks in advance
Mark.


and Connor said...

I dont see that behaviour with the sequence

SQL> select seq.nextval from dual;

   NEXTVAL
----------
    200013

[wait]

SQL> /
select seq.nextval from dual
*
ERROR at line 1:
ORA-03113: end-of-file on communication channel
Process ID: 2336
Session ID: 216 Serial number: 31927


SQL> conn mcdonac/xxxxxx@np12_pooled
Connected.

SQL> select seq.nextval from dual;

   NEXTVAL
----------
    200014


Are you sure its not just the normal behaviour, ie, that when a sequence is aged out of memory, you lose the cache. In which case, you could pin the sequence with dbms_shared_pool to resolve that.

Re Q2, I'm not sure of the rationale...

conn web[mark]/web@testpdb

makes sense, because 'web' has been given the privilege to connect as mark without mark's password.

conn web[mark/mark]/web@testpdb

says that we already know mark's password, so why wouldn't we just

conn mark/mark@testpdb






Rating

  (2 ratings)

Is this answer out of date? If it is, please let us know via a Comment

Comments

Thanks

Mark, May 24, 2016 - 12:51 pm UTC

Hi Conner,

Many thanks for your reply:

I guess it is highly probable that the sequence is being aged out as my test container database doesn't have a massive SGA allocation. I will attempt to pin the sequence and retest.

With regards to SQL*Plus, if the thick database paradigm is the architecture for the application, it may be that all regular application users can only connect to the database via proxy by asserting this limitation.

ALTER USER mark PROXY ONLY CONNECT;


My previous example was a little misleading as I wouldn't put the password directly into the command line invocation of SQL*Plus. In reality, SQL*Plus would have to prompt for the regular password as well as the proxy password if required.

$ sqlplus web[mark]@testpdb

Enter password for web: 

Enter password for mark:


Where the password for "mark" is optional depending on whether the account has proxy password authentication enabled.

I think what I am asking for is a way to avoid unrestricted access to the "mark" account purely because someone knows the "web" credentials and that ALL application users are allowed to proxy through it. I know it is possible to pass the proxy password via a property when calling the JDBC openProxySession method so I assume this is supported by the OCI. My question is why the de-facto standard SQL*Plus application doesn't have this capability.

Many thanks
Mark.
Connor McDonald
May 25, 2016 - 3:23 am UTC

Ah, ok I follow that more clearly now.

At which point I can was my hands of it and say "You'd need to raise an enhancement request".

Rather than request for SQL Plus (which might give you an idea on my theory on how successful you'd be :-)), drop a line to the SQLcl guys about it. They are still actively developing the product.

How do I raise such a request?

A reader, May 25, 2016 - 8:47 am UTC


Connor McDonald
May 26, 2016 - 3:53 am UTC

support.oracle.com is the place.
more

Connor and Chris don't just spend all day on AskTOM. You can also catch regular content via Connor's blog and Chris's blog. Or if video is more your thing, check out Connor's channel and Chris's channel from their Youtube channels. And of course, keep up to date with AskTOM via the official twitter account.

More to Explore

Multitenant

Need more information on Multitenant? Check out the Multitenant docs for the Oracle Database