Oracle Java virtual machine - Amazon Relational Database Service
PrerequisitesBest practicesAdding the optionRemoving the JVM option
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Oracle Java virtual machine

Amazon RDS supports Oracle Java Virtual Machine (JVM) through the use of the JVM option. Oracle Java provides a SQL schema and functions that facilitate Oracle Java features in an Oracle database. For more information, see Introduction to Java in Oracle database in the Oracle documentation.

You can use Oracle JVM with the following Oracle Database versions:

  • Oracle Database 21c (21.0.0), all versions

  • Oracle Database 19c (19.0.0), all versions

  • Oracle Database 12c Release 2 (12.2), all versions

  • Oracle Database 12c Release 1 (12.1), version 12.1.0.2.v13 and higher

Java implementation in Amazon RDS has a limited set of permissions. The master user is granted the RDS_JAVA_ADMIN role, which grants a subset of the privileges granted by the JAVA_ADMIN role. To list the privileges granted to the RDS_JAVA_ADMIN role, run the following query on your DB instance:

SELECT * FROM dba_java_policy 
   WHERE grantee IN ('RDS_JAVA_ADMIN', 'PUBLIC') 
   AND enabled = 'ENABLED' 
   ORDER BY type_name, name, grantee;

Prerequisites for Oracle JVM

The following are prerequisites for using Oracle Java:

  • Your DB instance must be of a large enough class. Oracle Java isn't supported for the db.t3.micro or db.t3.small DB instance classes. For more information, see DB instance classes.

  • Your DB instance must have Auto Minor Version Upgrade enabled. This option enables your DB instance to receive minor DB engine version upgrades automatically when they become available. Amazon RDS uses this option to update your DB instance to the latest Oracle Patch Set Update (PSU) or Release Update (RU). For more information, see Modifying an Amazon RDS DB instance.

Best practices for Oracle JVM

The following are best practices for using Oracle Java:

  • For maximum security, use the JVM option with Secure Sockets Layer (SSL). For more information, see Oracle Secure Sockets Layer.

  • Configure your DB instance to restrict network access. For more information, see Scenarios for accessing a DB instance in a VPC and Working with a DB instance in a VPC.

  • Update the configuration of your HTTPS endpoints to support TLSv1.2 if you meet the following conditions:

    • You use Oracle Java Virtual Machine (JVM) to connect an HTTPS endpoint over TLSv1 or TLSv1.1 protocols.

    • Your endpoint doesn't support the TLSv1.2 protocol.

    • You haven't applied the April 2021 release update to your Oracle DB.

    By updating your endpoint configuration, you ensure that the connectivity of the JVM to the HTTPS endpoint will continue to work. For more information about TLS changes in the Oracle JRE and JDK, see Oracle JRE and JDK Cryptographic Roadmap.

Adding the Oracle JVM option

The following is the general process for adding the JVM option to a DB instance:

  1. Create a new option group, or copy or modify an existing option group.

  2. Add the option to the option group.

  3. Associate the option group with the DB instance.

There is a brief outage while the JVM option is added. After you add the option, you don't need to restart your DB instance. As soon as the option group is active, Oracle Java is available.

Note

During this outage, password verification functions are disabled briefly. You can also expect to see events related to password verification functions during the outage. Password verification functions are enabled again before the Oracle DB instance is available.

To add the JVM option to a DB instance

  1. Determine the option group that you want to use. You can create a new option group or use an existing option group. If you want to use an existing option group, skip to the next step. Otherwise, create a custom DB option group with the following settings:

    • For Engine, choose the DB engine used by the DB instance (oracle-ee, oracle-se, oracle-se1, or oracle-se2).

    • For Major engine version, choose the version of your DB instance.

    For more information, see Creating an option group.

  2. Add the JVM option to the option group. For more information about adding options, see Adding an option to an option group.

  3. Apply the option group to a new or existing DB instance:

  4. Grant the required permissions to users.

    The Amazon RDS master user has the permissions to use the JVM option by default. If other users require these permissions, connect to the DB instance as the master user in a SQL client and grant the permissions to the users.

    The following example grants the permissions to use the JVM option to the test_proc user.

    
create user test_proc identified by password;
CALL dbms_java.grant_permission('TEST_PROC', 'oracle.aurora.security.JServerPermission', 'LoadClassInPackage.*', '');
    Note

    Specify a password other than the prompt shown here as a security best practice.

    After the user is granted the permissions, the following query should return output.

    select * from dba_java_policy where grantee='TEST_PROC';
    Note

    The Oracle user name is case-sensitive, and it usually has all uppercase characters.

Removing the Oracle JVM option

You can remove the JVM option from a DB instance. There is a brief outage while the option is removed. After you remove the JVM option, you don't need to restart your DB instance.

Warning

Removing the JVM option can result in data loss if the DB instance is using data types that were enabled as part of the option. Back up your data before proceeding. For more information, see Backing up, restoring, and exporting data.

To remove the JVM option from a DB instance, do one of the following:

  • Remove the JVM option from the option group it belongs to. This change affects all DB instances that use the option group. For more information, see Removing an option from an option group.

  • Modify the DB instance and specify a different option group that doesn't include the JVM option. This change affects a single DB instance. You can specify the default (empty) option group, or a different custom option group. For more information, see Modifying an Amazon RDS DB instance.