Change to Oracle

By default, WSO2 Identity Server uses the embedded H2 database as the database for storing user management and registry data. Given below are the steps you need to follow in order to use Oracle for this purpose.

---

Datasource configurations

A datasource is used to establish the connection to a database. By default, WSO2_IDENTITY_DB and WSO2_SHARED_DB datasources are used to connect to the default H2 database.

• WSO2_SHARED_DB - The datasource which stores registry and user management data.
• WSO2_IDENTITY_DB - The datasource specific to the identity server which stores identity related data.

After setting up the Oracle database, you can point the WSO2_IDENTITY_DB or WSO2_SHARED_DB or both to that Oracle database by following the instructions given below.

---

Change the default datasource

Minimum configurations for changing default datasource to Oracle

You can configure the datasource by editing the default configurations in <IS_HOME>/repository/conf/deployment.toml.

Following are the basic configurations and their descriptions.

Element	Description
username and password	The name and password of the database user
type	The type of the database
hostname	The hostname of the host where the database is hosted
port	The port of the database
name	The name of the database

A sample configuration is given below.

1. WSO2_IDENTITY_DB

   1. Configure the deployment.toml file.

      [database.identity_db]
      type = "oracle"
      hostname = "localhost"
      sid = "regdb"
      username = "regadmin"
      password = "regadmin"
      port = "1521"
      

   2. Execute database scripts.

      Navigate to <IS_HOME>/dbscripts. Execute the scripts in the following files, against the database created.

      • <IS_HOME>/dbscripts/identity/oracle.sql
      • <IS_HOME>/dbscripts/consent/oracle.sql

2. WSO2_SHARED_DB

   1. Configure the deployment.toml file.

      [database.shared_db]
      type = "oracle"
      hostname = "localhost"
      sid = "regdb"
      username = "regadmin"
      password = "regadmin"
      port = "1521"
      

   2. Execute database scripts.

      Execute the scripts in the following file, against the database created.

      • <IS_HOME>/dbscripts/oracle.sql

3. Download the Oracle JDBC driver for the version you are using. Extract the downloaded file and copy all required JAR files from the driver package to the <IS_HOME>/repository/components/lib folder.

---

Advanced database configurations

Apart from the basic configurations specified above, WSO2 Identity Server supports some advanced database configurations as well.

• WSO2_IDENTITY_DB related configurations that should be added to the deployment.toml file.

  [database.identity_db.pool_options]
  maxActive = "80"
  maxWait = "360000"
  minIdle ="5"
  testOnBorrow = true
  validationQuery="select 1 from dual"
  validationInterval="30000"
  defaultAutoCommit=false
  commitOnReturn=true
  

• WSO2_SHARED_DB deployment.toml related configurations that should be added to the deployment.toml file.

  [database.shared_db.pool_options]
  maxActive = "80"
  maxWait = "360000"
  minIdle ="5"
  testOnBorrow = true
  validationQuery="select 1 from dual"
  validationInterval="30000"
  defaultAutoCommit=false
  commitOnReturn=true
  

The elements in the above configuration are described below:

maxActive	This is the maximum number of active connections that can be allocated at the same time from this pool. Enter any negative value to denote an unlimited number of active connections.
maxWait	This is the maximum number of milliseconds that the pool will wait (when there are no available connections) for a connection to be returned before throwing an exception. You can enter zero or a negative value to wait indefinitely.
minIdle	The minimum number of active connections that can remain idle in the pool without extra ones being created. Enter zero to create none.
testOnBorrow	This indicates whether objects will be validated before being borrowed from the pool. If the object fails to be validated, it will be dropped from the pool and another attempt will be made to borrow another.
defaultAutoCommit	Indicates whether to commit database changes automatically or not
validationInterval	This is the indication to avoid excess validation and only run validation after the specified frequency (time in milliseconds). If a connection is due for validation, but has been validated previously within this interval, it will not be validated again.
defaultAutoCommit	This property is not applicable to the carbon database in WSO2 Identity Server because auto committing is usually handled at the code level, i.e., the default auto commit configuration specified for the RDBMS driver will be effective instead of this property element. Typically, auto committing is enabled for RDBMS drivers by default. When auto committing is enabled, each SQL statement will be committed to the database as an individual transaction, as opposed to committing multiple statements as a single transaction.

Info

For more information on other parameters that can be defined in the <IS_HOME>/repository/conf/deployment.toml file, see Tomcat JDBC Connection Pool.

Support for case-sensitive usernames

Usernames in WSO2 Identity Server are case-insensitive by default. If you wish to enable case-sensitive usernames, configure the following properties.

To enable the case-sensitivity for the primary user store, open the deployment.toml file found in the <IS_HOME>/repository/conf/ directory and add the following configurations to the primary user store.

[user_store.properties]
CaseInsensitiveUsername = false
UseCaseSensitiveUsernameForCacheKeys = false

For secondary user stores, add the following configurations to the <userstore>.xml file found in the <IS_HOME>/repository/deployment/server/userstores directory.

<Property name="CaseInsensitiveUsername">false</Property>
<Property name="UseCaseSensitiveUsernameForCacheKeys">false</Property>

The database indexes are created using LOWER() functions to support case-insensitive usernames for the related tables. Therefore, remove the LOWER() functions from the related index creation queries in the scripts at <IS_HOME>/dbscripts/.

Eg:

CREATE UNIQUE INDEX INDEX_UM_USERNAME_UM_TENANT_ID ON UM_USER(LOWER(UM_USER_NAME), UM_TENANT_ID);

Using an alternate user to connect to database

When the database owner is not the user used to connect to the database, specify the parent schema in the datasource declarion.

``` toml
[database.identity_db.db_props]
parentSchema = "<parent_schema_name>"

[database.shared_db.db_props]
parentSchema = "<parent_schema_name>"
```

Database user priviledges

When a custom database user is created, please note that the following privildges should be granted according to the purpose of the user.

• Execute the below permissions on the database to perform DDL operations.

  • CREATE SESSION, ALTER SESSION, UNLIMITED TABLESPACE, CREATE VIEW, CREATE SEQUENCE, CREATE TABLE, CREATE PROCEDURE, CREATE TRIGGER, CREATE PUBLIC SYNONYM
    • ex: GRANT CREATE SESSION TO <db-user>;

• Execute the below permissions on the database to perform DML operations.

  • CREATE SESSION, ALTER SESSION, UNLIMITED TABLESPACE
    • ex: GRANT CREATE SESSION TO <db-user>;

• When a user accessing the tables is not the owner of the tables, the following permissions should be granted on the table.

  • SELECT, INSERT, DELETE, UPDATE
    • ex: GRANT SELECT, INSERT, DELETE, <db-user>.<table-name>;

Please refer the offcial oracle documentation for further details.

---

Configure the connection pool behavior on return

By default, when a database connection is returned to the pool, the product rolls back the pending transactions if defaultAutoCommit=true.

However, if required, you can disable the latter mentioned default behavior by disabling the JDBC-Pool JDBC interceptor, ConnectionRollbackOnReturnInterceptor, and setting the connection pool behavior on return via the datasource configurations.

Configure the connection pool to commit pending transactions on connection return

1. Navigate to either one of the following locations based on your OS.

   Linux/macOSWindows

   <IS_HOME>/bin/wso2server.sh/
   

   <IS_HOME>\bin\wso2server.bat
   

2. Add the following JVM option:

   -Dndatasource.disable.rollbackOnReturn=true \
   

3. Navigate to the <IS_HOME>/repository/conf/deployment.toml file.

4. Disable the defaultAutoCommit property by defining it as false.

5. Add the commitOnReturn property and set it to true.

   • WSO2_IDENTITY_DB related configurations that should be added to the <IS_HOME>/repository/conf/deployment.toml file.

     [database.identity_db.pool_options]
     defaultAutoCommit="false"
     commitOnReturn="true"
     

   • WSO2_SHARED_DB related configurations that should be added to the <IS_HOME>/repository/conf/deployment.toml file.

     [database.shared_db.pool_options]
     defaultAutoCommit="false"
     commitOnReturn="true"
     

Configure the connection pool to rollback pending transactions on connection return

1. Navigate to the <IS_HOME>/repository/conf/deployment.toml file.

2. Disable the defaultAutoCommit property by defining it as false.

3. Set the rollbackOnReturn property to the datasources as true.

   • WSO2_IDENTITY_DB related configurations that should be added to the <IS_HOME>/repository/conf/deployment.toml file.

     [database.identity_db.pool_options]
     defaultAutoCommit="false"
     rollbackOnReturn="true"
     

   • WSO2_SHARED_DB related configurations that should be added to the <IS_HOME>/repository/conf/deployment.toml file.

     [database.shared_db.pool_options]
     defaultAutoCommit="false"
     rollbackOnReturn="true"
     

The elements in the above configuration are described below.

Element	Description
commitOnReturn	If defaultAutoCommit=false, then you can set commitOnReturn=true, so that the pool can complete the transaction by calling the commit on the connection as it is returned to the pool. However, if the rollbackOnReturn=true then this attribute is ignored. The default value is false.
rollbackOnReturn	If defaultAutoCommit=false, then you can set rollbackOnReturn=true so that the pool can terminate the transaction by calling rollback on the connection as it is returned to the pool. The default value is false.

Driver-Level Timeouts (Recommended for Production)

If the database becomes unresponsive, WSO2 Identity Server threads can get stuck waiting for a JDBC connection. This happens because the Tomcat JDBC Pool can't abort connection creation by itself (source).

To prevent this, configure driver-level timeouts in the JDBC URL:

• connectTimeout → Maximum time to wait while establishing a database connection.
• socketTimeout (or driver-specific equivalent) → Maximum time to wait for responses on an active connection.
• tcpKeepAlive=true (if supported) → Helps detect unresponsive database servers.

Also note the distinction:

• maxWait (Tomcat pool) controls how long to wait for a free connection from the pool.
• connectTimeout / socketTimeout (driver) → how long to connect/read at the DB level.

Note: The PoolExhaustedException warning log is logged only when maxWait expires (source). It does not cover delays inside the driver’s connection or read operations. Driver-level timeouts are required to handle those cases.

Example: Oracle database

[database.identity_db]
url = "jdbc:oracle:thin:@//DB_HOST:1521/WSO2_IDENTITY_DB?oracle.net.CONNECT_TIMEOUT=10000&oracle.jdbc.ReadTimeout=60000"
username = "..."
password = "..."
driver = "oracle.jdbc.OracleDriver"

Learn more in Oracle JDBC data sources & URLs.