Saturday, January 10, 2026

Using Oracle SQLcl MCP Server with Oracle 19c: A Step-by-Step Guide for NLP-Based Database Queries

 

Introduction

With the rapid evolution of AI, databases are no longer limited to traditional SQL-only interactions. Oracle has taken a major step forward by introducing MCP (Model Context Protocol) support in SQLcl, allowing AI tools like Claude Desktop to interact directly with Oracle databases using natural language.

In this blog, I’ll walk you through a hands-on, end-to-end setup of Oracle SQLcl MCP Server with an on-prem / OCI-hosted Oracle 19c database, and show how conversational AI can query enterprise databases securely.

This guide is ideal for Oracle DBAs, Cloud Architects, and AI-curious professionals who want to explore NLP-driven database access.


Image source: https://blogs.oracle.com/database/introducing-mcp-server-for-oracle-database


Architecture Overview

AI Client (Claude Desktop)
⬇️ MCP Protocol
SQLcl MCP Server (Local Machine)
⬇️ JDBC
Oracle Database 19c (OCI / On-Prem)

The AI never connects to the database directly. SQLcl acts as a secure MCP bridge, translating natural language into database operations.


Prerequisites

Before starting, ensure you have:

  • Oracle Database 19c (On-Prem or OCI Compute VM)

  • Windows laptop or desktop

  • Internet access to download tools

  • Basic Oracle SQL knowledge


Step 1: Install JDK 17 (Required for SQLcl)

Oracle SQLcl requires Java 17.

  • Download JDK 17 for Windows from Oracle

  • Install using the .exe

  • Set JAVA_HOME and update PATH

Verify:

java -version

Step 2: Install Oracle SQLcl

  • Download SQLcl from Oracle

  • Unzip it to a directory (example):

    C:\AI\sqlcli

SQLcl is portable—no installer required.


Step 3: Install Claude Desktop

Claude Desktop will act as the AI MCP client.

  • Download Claude Desktop

  • Install and launch once

  • Close it before MCP configuration


Step 4: Prepare Oracle Database 19c

Verify PDBs

show pdbs;

Ensure your PDB (e.g., ORCLPDB) is in READ WRITE mode.

Listener and Network Setup

  • Ensure port 1521 is open

  • Disable firewall (lab use only):

systemctl stop firewalld
systemctl disable firewalld

  • Confirm connectivity from Windows:

Test-NetConnection <DB_PUBLIC_IP> -Port 1521

Step 5: Create SQLcl Connection

Launch SQLcl:

sql /nolog

Create and save a connection:

conn -save oracle19c_mcptest -savepwd system/password@<IP>:1521/ORCLPDB

Validate:

CONNMGR test oracle19c_mcptest

Step 6: Start SQLcl MCP Server

sql -mcp -name oracle19c_mcptest

You should see:

MCP Server started successfully

This process must remain running.


Step 7: Configure Claude Desktop for MCP

Edit Claude configuration file:

{
  "mcpServers": {
    "oracle19c": {
      "command": "C:/AI/sqlcli/sqlcl/sqlcl/bin/sql.exe",
      "args": ["-mcp", "-name", "oracle19c_mcptest"]
    }
  }
}

Restart Claude Desktop and allow MCP access when prompted.


Step 8: Follow Least Privilege (Best Practice)

Instead of SYSTEM, create an application user:

CREATE USER app_user IDENTIFIED BY password;
GRANT CREATE SESSION, CREATE TABLE TO app_user;

Create sample data:

CREATE TABLE sales_orders (...);
INSERT INTO sales_orders VALUES (...);
COMMIT;

Create a separate SQLcl MCP connection for this user.

This ensures:

  • AI only sees approved schemas

  • SYS/SYSTEM access is avoided

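To make Step 8 concrete, here is an added example that is not from the original post: it builds the app_user schema with constructed sample data and, going one step further than the post, gives the MCP connection its own SELECT-only user so the AI client can never write or reach other schemas. The names app_user, mcp_reader and sales_orders, the passwords and the USERS tablespace are assumptions; run it as SYSTEM inside the PDB (ORCLPDB).

```sql
-- Added example (not from the original post). Run as SYSTEM inside the PDB
-- (e.g. ORCLPDB); user and table names, passwords and the USERS tablespace
-- are assumptions.

-- 1. Schema owner: holds the data and is never used by the MCP connection.
CREATE USER app_user IDENTIFIED BY "ChangeMe_App1";
GRANT CREATE SESSION, CREATE TABLE TO app_user;
ALTER USER app_user QUOTA 50M ON users;  -- CREATE TABLE alone gives no space for rows

-- 2. Sample data owned by app_user (constructed values).
CREATE TABLE app_user.sales_orders (
  order_id   NUMBER        PRIMARY KEY,
  customer   VARCHAR2(50)  NOT NULL,
  amount     NUMBER(10,2)  NOT NULL,
  order_date DATE          DEFAULT SYSDATE NOT NULL
);
INSERT INTO app_user.sales_orders (order_id, customer, amount) VALUES (1, 'Acme',   1200.50);
INSERT INTO app_user.sales_orders (order_id, customer, amount) VALUES (2, 'Globex',  830.00);
COMMIT;

-- 3. The user the SQLcl MCP connection actually logs in as: connect + SELECT only.
--    No CREATE TABLE, no DML on anything, no access to other schemas.
CREATE USER mcp_reader IDENTIFIED BY "ChangeMe_Read1";
GRANT CREATE SESSION TO mcp_reader;
GRANT SELECT ON app_user.sales_orders TO mcp_reader;

-- 4. Verify exactly what the MCP user can reach before handing it to the AI client.
--    Expected: one row (SELECT on APP_USER.SALES_ORDERS) and one row (CREATE SESSION).
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'MCP_READER';

SELECT privilege
  FROM dba_sys_privs
 WHERE grantee = 'MCP_READER';

-- 5. Negative check, run from a session connected as mcp_reader:
--    this must fail with ORA-01031 (insufficient privileges).
-- INSERT INTO app_user.sales_orders (order_id, customer, amount) VALUES (3, 'x', 1);
```

Then save the MCP connection for mcp_reader with the same conn -save syntax as Step 5 and start the server with -name pointing at that connection, so neither SYSTEM nor app_user is ever exposed to the MCP server.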

Step 9: Test NLP Queries via Claude

Now the magic ✨

Ask Claude:



Claude:

  • Understands intent

  • Calls SQLcl MCP

  • Executes SQL

  • Returns results

No SQL typing required.



Security Considerations

  ✔ SQLcl connections are local-only

  ✔ Credentials stored in user profile

  ✔ Secure with OS file permissions

  ✔ Use separate DB users

  ✔ Optional: Oracle Wallet for credentials

AI never gets raw database access.


Why This Matters

This setup demonstrates:

  • Conversational AI for ad-hoc querying

  • AI + Oracle DB without exposing credentials

  • Perfect for DBAs, Support, and Architects


Final Thoughts

Oracle SQLcl MCP Server bridges the gap between enterprise databases and modern AI—securely, locally, and powerfully.

If you’re running Oracle 19c today, you can already start experimenting with conversational data access.

Sunday, October 12, 2025

Oracle E-Business Suite Hit by New High-Severity Vulnerability — CVE-2025-61884

 

Overview

Oracle has disclosed a new high-severity vulnerability (CVE-2025-61884) impacting Oracle E-Business Suite (EBS) versions 12.2.3 through 12.2.14, as outlined in My Oracle Support (MOS) Note 3107176.1.
This vulnerability follows closely on the heels of another critical issue — CVE-2025-61882, announced on October 4, 2025, which has already been observed in active exploitation campaigns.

Both vulnerabilities underscore the growing importance of timely patching, network hardening, and proactive monitoring for organizations running Oracle EBS on-premises or in the cloud.


⚠️ CVE-2025-61884 — What We Know So Far

  • Component Affected: Oracle Configurator (Runtime UI)

  • Affected Versions: EBS 12.2.3 to 12.2.14

  • Severity: High (CVSS v3.1 Base Score 7.5)

  • Access Vector: Network — unauthenticated HTTP access

  • MOS Reference: Doc ID 3107176.1

This vulnerability allows unauthenticated network access to the Oracle Configurator component, potentially exposing sensitive configuration data or enabling unauthorized access to system resources.
Oracle has released a security patch to address the issue, available through the Patch Availability Document in MOS.

In addition to applying the patch, Oracle recommends specific post-patch verification steps and tightened access controls around Configurator-related URLs.


🧩 CVE-2025-61882 — The Earlier Critical CVE Still Demands Attention

  • Component Affected: Oracle Concurrent Processing / BI Publisher Integration

  • Severity: Critical — Remote Code Execution (RCE)

  • MOS Reference: Doc ID 3106344.1

  • Status: Actively exploited in the wild

This earlier CVE exposed an RCE vulnerability that could be triggered via HTTP, allowing attackers to execute arbitrary code on EBS application servers.
It has been actively exploited by threat actors (including ransomware groups), leading Oracle and cybersecurity agencies to issue urgent patching advisories.

Organizations should ensure that:

  1. The CVE-2025-61882 patch has already been applied.

  2. Prerequisite CPU/PSU patches are installed before applying the emergency fix.

  3. Threat hunting and log analysis are performed for signs of compromise.


🔍 Key Differences Between CVE-2025-61882 and CVE-2025-61884

Aspect                  CVE-2025-61882                                        CVE-2025-61884
----------------------  ----------------------------------------------------  --------------------------------------------------------------
Severity                Critical (RCE)                                        High (Unauthorized Access)
Attack Vector           HTTP, Remote Code Execution                           HTTP, Configurator Runtime UI
Public Exploits         Actively exploited                                    No public exploit observed yet
MOS Note                3106344.1                                             3107176.1
Additional Mitigation   IOC scanning, log monitoring, CPU baseline patches    Restrict access to Configurator UI, apply post-patch hardening

🛠️ Recommended Actions for EBS Administrators

  1. Immediately apply the patches for both CVEs as per Oracle’s MOS notes.

  2. Validate patch prerequisites (previous CPUs or required patch baselines).

  3. Restrict HTTP access to Configurator and BI Publisher components to trusted internal users only.

  4. Enable web application firewall (WAF) filtering for known exploit patterns.

  5. Perform threat hunting using HTTP access logs, BI Publisher logs, and concurrent manager trace files.

  6. Regularly monitor Oracle’s Security Alert portal and subscribe to their Critical Patch Update (CPU) notifications.


💡 Why This Matters

Many enterprises still rely on Oracle E-Business Suite for core ERP functions such as finance, supply chain, HR, and manufacturing.
Given its business-critical nature, EBS environments remain a prime target for cyberattacks, especially when exposed to the internet.

Applying the latest patches promptly and reviewing access controls can dramatically reduce risk exposure.
Organizations running EBS on Oracle Cloud Infrastructure (OCI) or private cloud should also ensure that network security lists and WAF rules are up to date.


🧠 Final Thoughts

The appearance of two major vulnerabilities in quick succession highlights the need for a proactive security posture in Oracle ERP environments.
Stay current with patches, monitor advisories, and collaborate closely with your DBA, Sysadmin, and InfoSec teams.

For more technical guidance, refer to:

  • CVE-2025-61882 – MOS Note 3106344.1

  • CVE-2025-61884 – MOS Note 3107176.1

Friday, September 12, 2025

How to Make a Linux User Password Never Expire: Step-by-Step Guide


Introduction:

Password expiry policies are important for security, but sometimes you need to keep certain Linux user accounts active without enforcing password changes. For instance, in administrative or automation accounts like user1, frequent password expiration can disrupt services. In this guide, we’ll show you how to make a Linux user password never expire.


Step 1: Check the Current Password Expiry

Use the chage command to see when a user’s password will expire:

sudo chage -l user1

Example output:

Last password change                                    : Jul 03, 2025
Password expires                                        : Sep 01, 2025
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 1
Maximum number of days between password change          : 60
Number of days of warning before password expires       : 7


Here, the password is set to expire every 60 days.


Step 2: Make the Password Never Expire

Option 1: Using chage

sudo chage -M 99999 user1

  • -M 99999 sets the maximum number of days between password changes so high that the password effectively never expires.

Verify the change:

sudo chage -l user1

You should now see:

Password expires : never

Option 2: Using passwd

sudo passwd -x 99999 user1

Step 3: Verify the Configuration

Check again with:

sudo chage -l user1

Ensure:

  • Password expires: never

  • Account expires: never

This ensures the account will not require periodic password changes.


Step 4: Best Practices

  • Only disable password expiry for accounts that require uninterrupted access.

  • Keep strong passwords or use SSH keys where possible.

  • Monitor such accounts regularly to maintain security.


Conclusion

Preventing password expiration in Linux is simple using chage or passwd. By setting odiuser or any critical account to never expire, you can avoid service disruptions while maintaining control over other security policies.

Wednesday, May 1, 2024

How to Install Oracle Database in Docker: Step-by-Step Guide for Seamless Deployment

In this post, we will go through the steps to install and use Oracle Database 21c inside a Docker container. To access the database image on Docker, you start the container and then run the commands through Docker to access the database.

Oracle Database on Docker

Steps:

[opc@instance-20240128-1525 ~]$ sudo yum install docker-engine docker-cli


[opc@instance-20240128-1525 ~]$ sudo systemctl enable --now docker


[opc@instance-20240128-1525 ~]$ sudo docker info
Client:
 Debug Mode: false

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 0
 Server Version: 19.03.11-ol
 Storage Driver: overlay2
  Backing Filesystem: xfs
  Supports d_type: true
  Native Overlay Diff: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 7eba5930496d9bbe375fdf71603e610ad737d2b2
 runc version: 860f061
 init version: fec3683
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 5.4.17-2136.322.6.2.el7uek.x86_64
 Operating System: Oracle Linux Server 7.9
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 6.487GiB
 Name: instance-20240128-1525
 ID: 6OVG:2ZU5:3GU5:AJKF:JAKN:FJSU:SJ2Q:D7ZM:ZNKN:EJKS:6T3M:3GJ6
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Registries:


[opc@instance-20240128-1525 ~]$ sudo su
[root@instance-20240128-1525 opc]# docker login container-registry.oracle.com
Username: *********
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

[root@instance-20240128-1525 opc]# docker pull container-registry.oracle.com/database/enterprise:latest

[root@instance-20240128-1525 opc]# docker ps
CONTAINER ID        IMAGE                                                      COMMAND                  CREATED             STATUS                            PORTS                    NAMES
e556dbeb3c1d        container-registry.oracle.com/database/enterprise:latest   "/bin/sh -c 'exec $O…"   5 seconds ago       Up 4 seconds (health: starting)   0.0.0.0:1521->1521/tcp   oracle-db


Check the logs:

[root@instance-20240128-1525 opc]# docker logs oracle-db

In the log, after a few minutes, we can see a message like the one below.

The Oracle base remains unchanged with value /opt/oracle
#########################
DATABASE IS READY TO USE!
#########################


Now, go inside the Docker container.

[root@instance-20240128-1525 opc]# docker ps -a
CONTAINER ID        IMAGE                                                      COMMAND                  CREATED             STATUS                       PORTS                    NAMES
e556dbeb3c1d        container-registry.oracle.com/database/enterprise:latest   "/bin/sh -c 'exec $O…"   2 hours ago         Up About an hour (healthy)   0.0.0.0:1521->1521/tcp   oracle-db

[root@instance-20240128-1525 opc]# docker exec -it oracle-db /bin/bash
bash-4.2$ whoami
oracle
bash-4.2$ sqlplus / as sysdba

SQL*Plus: Release 21.0.0.0.0 - Production on Sun Jan 28 12:27:14 2024
Version 21.3.0.0.0

Copyright (c) 1982, 2021, Oracle.  All rights reserved.


Connected to:
Oracle Database 21c Enterprise Edition Release 21.0.0.0.0 - Production
Version 21.3.0.0.0

SQL> show pdbs;

    CON_ID CON_NAME                       OPEN MODE  RESTRICTED
---------- ------------------------------ ---------- ----------
         2 PDB$SEED                       READ ONLY  NO
         3 ORCLPDB1                       READ WRITE NO

bash-4.2$ df -kh
Filesystem      Size  Used Avail Use% Mounted on
overlay          39G   19G   21G  48% /
tmpfs            64M     0   64M   0% /dev
tmpfs           3.3G     0  3.3G   0% /sys/fs/cgroup
shm              64M     0   64M   0% /dev/shm
/dev/sda3        39G   19G   21G  48% /etc/hosts
tmpfs           3.3G     0  3.3G   0% /proc/acpi
tmpfs           3.3G     0  3.3G   0% /proc/scsi
tmpfs           3.3G     0  3.3G   0% /sys/firmware


How to connect to the DB using SQL Developer

SQL Developer connection



Hostname is the public IP of the VM where the container is running.


This completes the step-by-step instructions on how to install Oracle DB inside a Docker container and then connect to it using the SQL Developer client. I hope this post will help someone.

Till then, start learning cloud. 


Thursday, April 25, 2024

Mastering Oracle Cloud: Step-by-Step Guide to Provision Your OIC Instance

Oracle Integration Cloud Service is a complete, secure, but lightweight integration solution that enables you to connect your applications in the cloud. It simplifies connectivity between your applications, and can connect both applications that live in the cloud and applications that still live on premises. It is a PaaS offering from Oracle, so users who need access to OIC must reside in IDCS (which is now the identity domain). In this post, we are going to explain how we can provision an OIC instance from scratch when we have an identity domain in place.

OIC


We will now provision an OIC instance in OCI console. Go to Developer Services




Click on Integration





We have successfully provisioned the OIC instance. Now, in order to log in, we need a user that is validated by IAM (Identity Domains) and has the proper role assigned to it.

Go to Identity Domains, select the required domain and create a new user


Once the user is created, go to the Oracle Cloud Services under Identity domains and choose the OIC instance which was created earlier.


Click on the name and navigate to "Application roles".




Click on Assign.

That's it. Using this user, we should be able to login to the OIC Console.

OIC Home page


I hope this post will help someone. Till then, keep learning cloud.

Tuesday, April 23, 2024

Strengthen Your Cloud Security: Exploring OCI Vulnerability Scanning Services

In Oracle Cloud Infrastructure (OCI), vulnerability scanning services are offered to help ensure the security of your infrastructure. The OCI Vulnerability Scanning Service is designed to scan virtual cloud networks (VCNs) and identify vulnerabilities in the cloud infrastructure.

OCI Vulnerability Scanning Services

In this post, we are going to explain, once a CVE is detected, what approach we can take to mitigate those CVE risks. But before we do so, I would suggest going through the official Oracle documentation for VSS.

You can access the vulnerability scanning service in OCI through the OCI console. Here's a brief guide on how to do it:

Log in to the OCI Console.
Open the "Security" menu.
Click on "Security Advisor".
Navigate to "Vulnerability Scanning".

Now, let us go through the remediation steps. You might see CVEs listed as below:



If we click on "View Details", we might see the below information for cause and remediation.



The errata details can be found in the linked page, which serves as the database for CVEs.



The server already had version 4.5.0-36.el7_9.5.

Command to check:

rpm -qa|grep libvirt



Thus, we concluded that the CVEs were being reported for the existing package on the server, and in order to mitigate them we need to upgrade to version 5.

Steps:

  1. cd /etc/yum.repos.d

  2. Take a backup of the file public-yum-ol7.repo

  3. Take a backup of the boot volume

  4. In the file public-yum-ol7.repo, set enabled=1 for the relevant section

  5. yum update

  6. Reboot the server

  7. Disable and enable VSS

  8. Verify the scanning report

  9. Check with the application team for sanity before moving to the next higher instances

These are the steps through which we can mitigate the CVEs reported by VSS in OCI. I hope this post will help someone. Till then, happy learning cloud.

Monday, April 8, 2024

Cross-Platform Efficiency: Mastering Federation of Azure AD with OCI Identity Domains for SSO Solution

By federating Azure AD with OCI Identity Domains (more on OCI Identity Domains), businesses can centralize user authentication, simplifying access management and reducing administrative overhead. This integration enables a single sign-on (SSO) experience, allowing users to securely access resources across both platforms with a single set of credentials. With enhanced security measures and simplified user provisioning, organizations can ensure compliance with regulatory standards while providing a seamless user experience. With all new tenancies, Oracle has introduced identity domains as a single domain for storing all users, groups and credentials, so the navigation has also changed a bit. Note also that in the background it is the same IDCS solution running.

SSO between OCI and Azure


Here, OCI acts as the service provider (SP) and Microsoft Azure acts as the identity provider (IdP). The service provider (OCI) creates a SAML request and redirects the user, together with that SAML request, to the identity provider (Azure AD). Once the user is authenticated, the IdP sends back a SAML response containing an assertion to the service provider's Assertion Consumer Service endpoint.

Note: Azure AD  is now Microsoft Entra ID.


Go to the OCI Hamburger menu > Identity and Security



Click on Domains and change the below settings first



Get the IDCS URL



Copy the IDCS URL and append /fed/v1/metadata. Open it in a browser and save the file as XML.

On the Azure Portal now:

Create an Enterprise Application. Choose the option Oracle


Choose the option Oracle Cloud Infrastructure Console



Give it a name and click on Create


Click on Single Sign-on and choose the SAML option



Upload the metadata XML file downloaded from OCI



Download the Federation Metadata XML which has to be uploaded to OCI side.

OCI side:



Click on Add SAML IdP




Choose the option Upload metadata XML file




Upload the XML file downloaded from the Azure Portal




Review and Create



Test the login



Activate the IdP




Edit the IdP policies and add Azure AD




Test the setup.

Note: the user has to be present in both OCI IAM and Azure AD.

Login to the OCI console and we will get the IdP icon




Click on Azure AD



OCI login after federation



Here we are. We have successfully landed on the OCI home page.

This post explained the integration of Oracle Cloud Infrastructure Identity Domains with Microsoft Azure AD for a seamless single sign-on solution.

I hope, this post will help someone. Till then, enjoy learning cloud.

References:
https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/federation.htm#top
https://docs.oracle.com/en-us/iaas/Content/Identity/tutorials/azure_ad/lifecycle_azure/02-config-azure-iam-template.htm#config-azure-iam-template