About the Oracle Database protocol
This page explains how Aembit’s Oracle Database protocol support works, which Oracle versions and client types Aembit supports, and what limitations apply during the Limited Beta.
Aembit’s Agent Proxy intercepts the Oracle Transparent Network Substrate (TNS) wire protocol and injects database credentials at connection time. Your applications connect to Oracle databases as they normally would. Aembit handles credential provisioning transparently, eliminating static database passwords.
For step-by-step setup instructions, see Create an Oracle Database Server Workload.
How Aembit connects to Oracle databases
Section titled “How Aembit connects to Oracle databases”When your application opens a connection to an Oracle database, the Aembit Agent Proxy on the same Linux VM intercepts the TNS connection through transparent steering. The Agent Proxy identifies the connection as an Oracle TNS protocol request, retrieves credentials from a Credential Provider: Credential Providers obtain the specific access credentials—such as API keys, OAuth tokens, or temporary cloud credentials—that Client Workloads need to authenticate to Server Workloads.Learn more, and injects them into the TNS authentication packets before forwarding the connection to the Oracle database.
The credential injection happens during the Oracle authentication handshake (O5LOGON flow).
Aembit supports passwords stored by Oracle in the 12C password verifier format.
Older password verifier formats (11G, 10G) aren’t supported.
The only change to your client configuration is using aembit as the password—no driver modifications are needed.
Supported versions
Section titled “Supported versions”Aembit supports Oracle Database 19c and 21c in the Limited Beta. Oracle 19c is the most widely deployed version in enterprise environments due to its long-term support status, and Oracle 21c covers organizations using innovation releases. Both versions support the same O5LOGON authentication flow and 12C password version, so Aembit’s credential injection works identically for both.
| Aspect | Oracle 19c | Oracle 21c |
|---|---|---|
| Release type | Long-Term Release | Innovation Release |
| Premier Support | Through December 2029 | Through July 2027 |
| Extended Support | Through December 2032 | Not available |
| Default password version | 12C | 12C |
| Authentication protocol | O5LOGON | O5LOGON |
| AWS RDS availability | Yes | Yes |
Supported environments
Section titled “Supported environments”All environments require Agent Proxy deployed on a Linux VM with transparent steering configured. Aembit has tested Oracle Database protocol support in the following environments.
| Environment | Status |
|---|---|
| AWS RDS for Oracle | Supported |
| Containerized Oracle (for example, Oracle 23ai Free) | Supported |
| Linux VM (on-premises or cloud) | Supported |
| Docker-compose on Linux VMs | Supported |
For the complete list of supported deployment models, see the support matrix.
Thin vs thick clients
Section titled “Thin vs thick clients”Oracle database drivers come in two variants: thin (pure language implementation) and thick (using Oracle Client libraries). Aembit supports thin clients, with experimental support for thick clients. The architectural differences affect deployment requirements.
Driver packages by language
Section titled “Driver packages by language”Java and Python drivers support both thin and thick modes—how you configure the driver determines which mode your application uses. Java and Python are officially supported in this Limited Beta.
| Language | Thin / Managed package | Thick / Oracle Call Interface (OCI) package |
|---|---|---|
| Java | ojdbc11.jar | ojdbc11.jar + Oracle Client |
| Python | oracledb (default thin mode) | oracledb + init_oracle_client() |
When to use each
Section titled “When to use each”Choose thin clients when:
- You’re building new applications or deploying in containers
- You want simpler deployment without Oracle Client dependencies
- Your application uses standard database operations (queries, inserts, transactions)
Choose thick clients when:
- Your application requires advanced Oracle features such as Transparent Application Failover (TAF)
- You need Oracle Wallet or external authentication support
- You’re running legacy applications that depend on Oracle Call Interface (OCI)
For guidance on choosing between thin and thick clients, see Oracle’s driver documentation.
Authentication
Section titled “Authentication”In the Limited Beta, Aembit supports username/password authentication only.
The Agent Proxy intercepts the Oracle TNS authentication handshake and replaces placeholder credentials with real database credentials from the Credential Provider. This uses the O5LOGON authentication flow with password version 12C.
Your applications must use aembit as the password in their connection configuration.
Agent Proxy uses this value to derive a shared key for the Oracle authentication handshake.
It then replaces the credentials with the real username and password from the Credential Provider.
The username can be any value—Agent Proxy replaces it during credential injection.
Limitations
Section titled “Limitations”The following limitations apply during the Limited Beta:
| Limitation | Details |
|---|---|
| Steering mode | Transparent steering only |
| Deployment model | Linux VM only |
| Authentication | Username/password only, no token-based authentication |
| Oracle versions | 19c and 21c only |
| TLS/TCP Secure (TCPS) | Not supported, plain TCP connections only |
These limitations may change as Oracle Database protocol support progresses toward general availability. For the latest supported capabilities, see the support matrix.
Related resources
Section titled “Related resources”How-to guide
Section titled “How-to guide”- Create an Oracle Database Server Workload: Step-by-step setup instructions
Reference
Section titled “Reference”- Support matrix: Supported deployment models for Oracle Database
- Transparent steering: Steering mode configuration