
TCPS/CAC Smartcard Authentication Not Supported - Java JDBC Thin Driver Cannot Present Client Certificate from Smartcard #17

@mycahmason


Environment

  • Extension version: 25.4.1
  • VS Code on Windows
  • Oracle 19c Client installed
  • Database: on-premises, TCPS connection
  • Authentication: CAC/PIV smartcard via Windows Certificate Store (MCS)

Description

Note: I used Claude to assist with troubleshooting and diagnosing this problem, and generating this issue.

I am unable to connect to an Oracle database using CAC/smartcard authentication. The same database connection works correctly in Toad for Oracle (64-bit).

sqlnet.ora configuration (which works with Toad):

SQLNET.AUTHENTICATION_SERVICES= (BEQ,TCPS)
NAMES.DIRECTORY_PATH= (TNSNAMES)
SSL_CLIENT_AUTHENTICATION = TRUE
SSL_VERSION = 1.2 or 1.0
WALLET_LOCATION = (SOURCE = (METHOD=MCS))

Connection setup in the extension:

  • Connection Type: TNS
  • Network Alias: (TCPS alias from tnsnames.ora)
  • Username: EXTERNAL
  • Password: (blank)

What was tried

The organization's CA certificate chain (intermediate and root) was imported into the extension's bundled JDK trust store using keytool. This resolved the initial error:

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

However, a second error now occurs:

ORA-17967: SSL Handshake failure.: Received fatal alert: handshake_failure

This indicates the server requires mutual TLS authentication and is rejecting the connection because the Java JDBC thin driver cannot present the client certificate from the smartcard (CAC) during the TLS handshake. The driver has no mechanism to access smartcard client certificates from the Windows Certificate Store.

Root cause

The extension uses a bundled Java JDBC thin driver that has no supported path for presenting a CAC/PIV smartcard client certificate during TLS negotiation. Native Oracle Client tools on Windows (such as Toad) handle this transparently via the Windows Certificate Store (MCS wallet), prompting the user with a standard Windows certificate picker dialog. The Java JDBC thin driver has no equivalent capability.

Expected behavior

When connecting to a TCPS database using MCS-based CAC/smartcard authentication, the user should be prompted with the standard Windows certificate picker dialog to select the appropriate certificate, consistent with the behavior of other Oracle tools on Windows.

This is a significant gap for users in government where CAC authentication is mandatory and the Windows Certificate Store is the authoritative source of trust. There is currently no supported path to use this extension in such environments.
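The diagnostic below is an added example, not code from the issue, the extension or the Oracle driver. It checks whether a given JDK can reach a CAC/PIV client certificate through the Windows Certificate Store (the same store the MCS wallet method reads) using the JDK's own SunMSCAPI provider, which is the only JDK-level mechanism for this. It assumes a Windows JDK that ships SunMSCAPI and smartcard middleware that exposes the card's certificate in the user's Personal (Windows-MY) store; the class name, the OID constant name and the console wording are this example's own. It isolates the JDK layer only: whether the extension or the bundled thin driver can be pointed at such a key manager is not established by the issue.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;

/**
 * Diagnostic: can this JDK see a smartcard client certificate in the Windows
 * Certificate Store and build a TLS key manager from it?
 *
 * Assumptions (not stated in the issue): a Windows JDK with the SunMSCAPI
 * provider, and middleware that has propagated the card's certificate into the
 * current user's Personal (MY) store. Run it with the extension's bundled JDK
 * so the result reflects that runtime, e.g.  java WindowsMyKeyStoreCheck.java
 */
public class WindowsMyKeyStoreCheck {

    // Extended key usage OID for TLS client authentication (id-kp-clientAuth).
    static final String CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2";

    /** Opens a Windows store via SunMSCAPI: "Windows-MY" = user certs, "Windows-ROOT" = trusted CAs. */
    static KeyStore openWindowsStore(String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, null); // no file, no password: CAPI/CNG owns the private key and the PIN prompt
        return ks;
    }

    /** Aliases in the store that carry a private key and the clientAuth EKU. */
    static List<String> clientAuthCandidates(KeyStore my) throws Exception {
        List<String> out = new ArrayList<>();
        for (String alias : Collections.list(my.aliases())) {
            if (!my.isKeyEntry(alias)) continue; // certificate without a usable private key
            X509Certificate cert = (X509Certificate) my.getCertificate(alias);
            List<String> eku = cert.getExtendedKeyUsage();
            if (eku != null && eku.contains(CLIENT_AUTH_EKU)) out.add(alias);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        KeyStore my = openWindowsStore("Windows-MY");
        List<String> candidates = clientAuthCandidates(my);
        if (candidates.isEmpty()) {
            System.out.println("No certificate with a private key and clientAuth EKU in Windows-MY.");
            System.out.println("Check that the card is inserted and the middleware has propagated its certificates.");
            return;
        }
        for (String alias : candidates) {
            X509Certificate cert = (X509Certificate) my.getCertificate(alias);
            System.out.printf("candidate alias=%s subject=%s issuer=%s notAfter=%s%n",
                    alias, cert.getSubjectX500Principal(), cert.getIssuerX500Principal(), cert.getNotAfter());
        }

        // Key manager backed by the Windows store: signing is delegated to the card
        // through CAPI/CNG, so the private key never leaves the smartcard.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(my, null);
        X509KeyManager km = (X509KeyManager) kmf.getKeyManagers()[0];

        // Which alias the JDK would present if a server requested an RSA or EC client
        // certificate without restricting issuers (null = no CertificateRequest issuer list).
        String chosen = km.chooseClientAlias(new String[] {"RSA", "EC"}, null, null);
        System.out.println("alias the key manager would present: " + chosen);

        // Trust the Windows Trusted Root store, which already holds the organization's
        // CA chain, instead of importing that chain into the JDK's cacerts with keytool.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(openWindowsStore("Windows-ROOT"));

        SSLContext ctx = SSLContext.getInstance("TLSv1.2"); // matches SSL_VERSION = 1.2 in sqlnet.ora
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        System.out.println("SSLContext built from Windows-MY keys and Windows-ROOT trust: " + ctx.getProtocol());
    }
}
```

If the program lists a candidate and the key manager chooses it, the JDK can reach the card, and the remaining gap is purely whether the driver and extension can be configured to use a Windows-MY key store; if it lists nothing, the middleware is not presenting the certificate to CAPI/CNG and no Java-side change will help. A server that sends an issuer list in its CertificateRequest will only accept a certificate chaining to one of those issuers, so compare the printed issuer with the CA chain that was imported.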
