Connect Liquibase to Oracle Database using Microsoft Entra ID
Last updated: March 24, 2026
This procedure configures Liquibase to authenticate to Oracle Database for Azure (DB@Azure) using OAuth2 tokens issued by Microsoft Entra ID. Authentication is handled by the ojdbc-provider-azure library—no username or password is stored in configuration files. Requires Oracle JDBC 21.x or later (ojdbc11.jar) and a connection over TCPS (port 2484). The Oracle Wallet holds the server’s TLS trust anchor only.
Before you begin
Install Liquibase
Ensure Java is installed.
Install Oracle Client Tools (included with Oracle Database, Oracle Instant Client, or Oracle Database Client) to obtain the
orapkiutility used in this procedure.Obtain from your Azure/Oracle DBA: the Oracle DB@Azure TCPS hostname, the server certificate DN, and the Entra ID tenant ID and client ID for your service principal (or confirm that a managed identity is assigned to the compute resource).
Ask your Oracle DBA to create an external database user mapped to your service principal’s client ID or managed identity:
CREATE USER "<CLIENT_ID_OR_MANAGED_IDENTITY>" IDENTIFIED EXTERNALLY AS 'APP_AZURE'; GRANT CREATE SESSION TO "<CLIENT_ID_OR_MANAGED_IDENTITY>";
Procedure
Download required JARs
All JARs are available from Maven Central. Replace 21.13.0.0 with the latest 21.x release.
Download the following JARs and place them in your lib/ directory.
ojdbc11.jar— available from the Oracle JDBC Downloads page or Maven Centralojdbc-provider-azure.jar— available from Maven Centraloraclepki.jar,osdt_core.jar,osdt_cert.jar— available from the Oracle JDBC Downloads page, required for TCPS only
Create Oracle Wallet for TCPS
Download the wallet zip from the Oracle Cloud console.
Be sure to:
Replace
~/oracle-walletwith the directory where you want to place the wallet files.
Create tnsnames.ora
If you downloaded the wallet zip in Step 2, tnsnames.ora is already included — skip this step or use it as a reference.
Otherwise, create tnsnames.ora in your wallet directory. The hostname, port, service name, and SSL DN come from Azure Portal → Oracle Database@Azure → Connection Strings.
Be sure to:
Replace
ORACLE_AZUREwith your TNS alias. The default alias in the downloaded wallet zip isORACLE_AZUREReplace
your_hostnamewith your Oracle Database@Azure hostnameReplace
your_portwith your TCPS port. Usually,2484Replace
your_service_namewith your service nameReplace
your_ssl_cert_dnwith your server certificate's distinguished name
Create sqlnet.ora
If you downloaded the wallet zip in Step 2, sqlnet.ora is already included — skip this step or use it as a reference.
Otherwise, create sqlnet.ora in your wallet directory.
NAMES.DIRECTORY_PATH = (TNSNAMES, EZCONNECT)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_SERVER_DN_MATCH = ON
DISABLE_OOB = TRUEConfigure JDBC properties
Create ojdbc.properties in your wallet directory. Uncomment one authentication mode.
Be sure to:
Replace
your_wallet_dirwith the absolute path to your wallet directory. For example,/home/user/oracle-wallet,/Users/name/oracle-walletReplace
your_tenant_idwith your Entra ID tenant ID (service principal and interactive browser modes only).Replace
your_client_idwith your service principal client ID or managed identity client ID.Replace
your_client_secretwith your service principal client secret (service principal mode only).
Configure Liquibase
Create or update liquibase.properties. Omit username and password. Entra ID provides the token.
Be sure to:
Replace
ORACLE_AZUREwith your TNS alias from tnsnames.ora. The default alias in the downloaded wallet zip isORACLE_AZUREInclude both JARs on the classpath
url=jdbc:oracle:thin:/@ORACLE_AZURE
driver=oracle.jdbc.OracleDriver
changeLogFile=changelog.xml
classpath=lib/ojdbc11.jar:lib/ojdbc-provider-azure.jarSet environment variables
Set the following environment variables before running Liquibase.
Test your connection
Run Liquibase against your Entra ID-configured database.