Kerberos with Oracle DBs

Michael Kloker, Boehringer Ingelheim GmbH / IT RDM
DOAG 2019

Agenda

• About Boehringer Ingelheim
• How do we log into Oracle DBs
• How Kerberos Authentication works
• Requirements for Kerberos Authentication with Oracle
• AD Service Account & Keytab file creation
• DB Server Config
• Oracle User Config
• Windows Client Config
• Kerberos Ticket handling and Different Login Options
• Some additional comments
• Oracle Support Articles

Kerberos Authentication with Oracle DBs and Active Directory, DOAG 2019, Michael Kloker

About Boehringer Ingelheim

• Founded 1885, research-driven pharmaceutical company
• Human pharmaceuticals, animal health, biopharmaceutical manufacturing
• About 50,000 employees worldwide, about 16,000 of them in Germany

(Slide images: product logos Spiriva, Nexgard, Trajenta, Frontline, Jardiance, Ingelvac Circoflex, Pradaxa; map of R&D sites)

How do we log into Oracle DBs

• Usually we log in with username/password:
    # sqlplus mustermann/password@oraclesid.dom1.company.com
• Often the Oracle password and the Windows password differ
• Are there other methods available?
• Is a synchronized Oracle / Windows password possible?
• Is SSO possible with Oracle?
• Is a login into the database without username/password possible?
• Is Kerberos authentication a solution?

How Kerberos Authentication works

(Slide diagram: Client, AD DC acting as KDC, DB server; the six numbered arrows correspond to the steps below.)

1. The client asks the KDC for an initial ticket, the Ticket Granting Ticket (TGT).
2. The KDC (Key Distribution Center, here the Active Directory domain controller) provides the TGT to the client.
3. When the client tries to connect to the database, a request is made to the KDC to get a Service Ticket for the database's service principal.
4. The KDC sends the Service Ticket to the client.
5. The client sends the Service Ticket to the RDBMS server.
6. The session between the client and the server is initiated.

Requirements for Kerberos Authentication with Oracle

• AD Service Account & Keytab file creation
  – Set Service Principal Name & create keytab file
• DB Server Configuration
  – sqlnet.ora modification
  – Create file krb5.conf
• Oracle User Configuration
• Windows Client Configuration
  – Adapt Oracle Client
  – Create / adapt sqlnet.ora and krb5.conf
  – Modify services file

AD Service Account & Keytab file creation

• First create a user account in the AD for Oracle
  – The password of the user should not expire
• Create the SPN and the keytab file (run the command on a Windows member server):
    # ktpass -princ oracle/dbserver.dom1.company.com@DOM1.COMPANY.COM -crypto all -mapuser krbuser -pass ************* -out c:\temp\oracle.keytab
  The service part of the SPN (oracle) must match SQLNET.AUTHENTICATION_KERBEROS5_SERVICE on the DB server, and the host part must be the DB server's fully qualified name. -crypto all writes a key for every encryption type the account supports, which includes RC4 (and DES where it is still enabled); restrict it to AES256-SHA1 if your Oracle release accepts it.

Copy the keytab file to the DB server and change owner and group of the keytab file:
    # ls -al /etc/ | grep keytab
    -rw-r--r-- 1 oracle oinstall 462 Oct 31 08:38 oracle.keytab
The keytab holds the service's long-term key (whoever can read it can decrypt service tickets for the database and impersonate the service), so do not leave it world-readable as in the listing above: restrict it to the oracle owner (mode 0600) after copying.
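To check what ktpass actually wrote before the file goes to the DB server, here is an added example (not from the presentation and not Oracle or Microsoft code) that parses the MIT keytab format version 0x0502 that ktpass produces and flags RC4/DES keys. It builds a constructed two-entry keytab in memory with dummy key bytes so it runs offline; the principal name is the one from the slide, while the kvno, timestamps and key bytes are assumptions.

```python
"""Inspect an MIT-format keytab (what ktpass writes) without kinit/klist.

Added example, not from the presentation. Builds a constructed keytab in
memory (fake key bytes, NOT real AD keys), parses it and flags the weak
encryption types that 'ktpass -crypto all' can add on top of AES.
"""
import struct
import time

# Kerberos enctype numbers relevant to Active Directory.
ENCTYPES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac (RC4)",
}
WEAK_ENCTYPES = {1, 3, 23}


def _cstr(b: bytes) -> bytes:
    """Encode a counted_octet_string: uint16 big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries) -> bytes:
    """Serialise (principal, enctype, kvno, key) tuples as a v0x0502 keytab.
    principal is 'comp1/comp2@REALM'. Only used here to construct sample input."""
    out = b"\x05\x02"
    for principal, enctype, kvno, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">I", 1)                 # name_type KRB5_NT_PRINCIPAL
        body += struct.pack(">I", int(time.time()))  # timestamp (assumed: now)
        body += struct.pack(">B", kvno & 0xFF)       # 8-bit kvno
        body += struct.pack(">H", enctype) + _cstr(key)
        body += struct.pack(">I", kvno)              # optional 32-bit kvno tail
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data: bytes):
    """Return a list of {principal, enctype, kvno, keylen} dicts from keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # a negative size marks a deleted entry: skip the hole
            pos += -size
            continue
        end = pos + size

        def take(n):
            nonlocal pos
            chunk = data[pos:pos + n]
            pos += n
            return chunk

        (ncomp,) = struct.unpack(">H", take(2))
        realm = take(struct.unpack(">H", take(2))[0]).decode()
        comps = [take(struct.unpack(">H", take(2))[0]).decode() for _ in range(ncomp)]
        take(4)                 # name_type
        take(4)                 # timestamp
        kvno = take(1)[0]       # 8-bit kvno
        (enctype,) = struct.unpack(">H", take(2))
        keylen = struct.unpack(">H", take(2))[0]
        take(keylen)            # the key itself is never needed for this check
        if end - pos >= 4:      # a non-zero 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack(">I", take(4))
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "enctype": enctype, "kvno": kvno, "keylen": keylen})
    return entries


def weak_entries(entries):
    """(principal, enctype name) for every key that uses RC4 or DES."""
    return [(e["principal"], ENCTYPES.get(e["enctype"], str(e["enctype"])))
            for e in entries if e["enctype"] in WEAK_ENCTYPES]


# Constructed sample: the SPN from the talk with an AES256 and an RC4 key (fake bytes).
SAMPLE_KEYTAB = build_keytab([
    ("oracle/dbserver.dom1.company.com@DOM1.COMPANY.COM", 18, 3, bytes(32)),
    ("oracle/dbserver.dom1.company.com@DOM1.COMPANY.COM", 23, 3, bytes(16)),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e["principal"], ENCTYPES.get(e["enctype"]), "kvno", e["kvno"])
    print("weak keys:", weak_entries(parse_keytab(SAMPLE_KEYTAB)))
```

Run it against the real file with `parse_keytab(open("/etc/oracle.keytab", "rb").read())`; the kvno reported must match the account's current key version in AD, otherwise the DB server will reject every service ticket after a password reset of the service account.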

DB Server Config 1: Modify sqlnet.ora

    # cat /u01/app/oracle/network/admin/sqlnet.ora
    TRACE_LEVEL_CLIENT = OFF
    DIAG_ADR_ENABLED = OFF
    SQLNET.EXPIRE_TIME = 10
    NAMES.DEFAULT_DOMAIN = DOM1.COMPANY.COM
    NAMES.DIRECTORY_PATH = (LDAP,TNSNAMES)

    # For Oracle Kerberos authentication
    SQLNET.KERBEROS5_CONF=/etc/krb5.conf
    SQLNET.KERBEROS5_KEYTAB=/etc/oracle.keytab
    SQLNET.KERBEROS5_CONF_MIT=TRUE
    SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
    SQLNET.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5)
    # For DB links
    sqlnet.fallback_authentication = true

SQLNET.AUTHENTICATION_KERBEROS5_SERVICE is the service part of the SPN created with ktpass. SQLNET.FALLBACK_AUTHENTICATION makes database links fall back to password authentication when Kerberos fails; set it only if you actually have password-authenticated DB links.

DB Server Config 2: Create krb5.conf on the DB server

    # cat /etc/krb5.conf
    [libdefaults]
      default_realm = DOM1.COMPANY.COM
      …
    [realms]
      DOM1.COMPANY.COM = {
        admin_server = ldapserver.dom1.company.com:749
        kdc = ldapserver.dom1.company.com:88
        default_domain = dom1.company.com
      }
      DOM2.COMPANY.COM = {
        kdc = ldapserver.dom2.company.com:88
        default_domain = dom2.company.com
      }
      …
    [domain_realm]
      .dom1.company.com = DOM1.COMPANY.COM
      dom1.company.com = DOM1.COMPANY.COM
      .dom2.company.com = DOM2.COMPANY.COM
      dom2.company.com = DOM2.COMPANY.COM

Oracle User Config: Create / Adapt Oracle User

Locally authenticated user:
    SQL> create user mustermann identified by password;

Kerberos authenticated user:
    SQL> create user mustermann identified externally as 'mustermann@DOM1.COMPANY.COM';
    SQL> alter user mustermann identified externally as 'mustermann@DOM1.COMPANY.COM';

    SQL> select username, external_name from dba_users where username like '%MUSTERMANN%';
    USERNAME     EXTERNAL_NAME
    -----------  ---------------------------
    MUSTERMANN   mustermann@DOM1.COMPANY.COM

The external name is the full Kerberos principal including the realm; the database matches it against the principal in the presented service ticket.

Switch back from a Kerberos authenticated user to a locally authenticated user:
    SQL> alter user mustermann identified by password;

Windows Client Config 1: Install / Check Oracle Client features

Check if the Oracle Advanced Security Feature is installed, if not, install it.

Windows Client Config 2: Adapt sqlnet.ora

    # notepad C:\app\oracle\network\admin_krb\sqlnet.ora

    NAMES.DIRECTORY_PATH = (TNSNAMES)
    SQLNET.EXPIRE_TIME = 10
    TRACE_LEVEL_CLIENT = OFF
    NAMES.DEFAULT_DOMAIN = dom1.company.com

    SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)
    SQLNET.KERBEROS5_CONF=C:\app\oracle\network\admin_krb\krb5.conf
    SQLNET.KERBEROS5_CONF_MIT=true
    SQLNET.KERBEROS5_CC_NAME=C:\Temp\krb.cc        # Kerberos ticket file
    #SQLNET.KERBEROS5_CC_NAME=OSMSFT://            # Windows ticket cache instead

Windows Client Config 3: Create the krb5.conf file

    # notepad C:\app\oracle\network\admin_krb\krb5.conf

    [libdefaults]
      default_realm = DOM1.COMPANY.COM
      …
    [realms]
      DOM1.COMPANY.COM = {
        admin_server = ldapserver.dom1.company.com:749
        kdc = ldapserver.dom1.company.com:88
        default_domain = dom1.company.com
      }
      …
    [domain_realm]
      .dom1.company.com = DOM1.COMPANY.COM
      dom1.company.com = DOM1.COMPANY.COM
      …

Windows Client Config 4: Adapt Windows services file

Modify C:\Windows\System32\drivers\etc\services:
    ...
    kerberos   88/tcp   krb5 kerberos-sec   #Kerberos
    kerberos   88/udp   krb5 kerberos-sec   #Kerberos
    ...

-> Modify the lines, add the alias kerberos5:
    ...
    kerberos   88/tcp   kerberos5 krb5 kerberos-sec   #Kerberos
    kerberos   88/udp   kerberos5 krb5 kerberos-sec   #Kerberos
    ...

If this adaptation is missing, okinit will fail with the following message:
    # okinit mustermann@DOM1.COMPANY.COM
    Password for mustermann@DOM1.COMPANY.COM:
    okinit: Cannot find KDC for requested realm
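The edit above is easy to get wrong by hand on a file that is also maintained by Windows, so here is an added example (not from the presentation) that applies it idempotently: it parses lines in the services-file layout, adds the kerberos5 alias to the 88/tcp and 88/udp entries only where it is missing, and leaves comments and unrelated lines untouched. The sample lines are constructed to look like the stock Windows file.

```python
"""Add the 'kerberos5' service alias that the Oracle Kerberos client (okinit)
resolves through the Windows services file. Added example, not from the talk.
Works on lines in the  name  port/proto  [aliases...]  [# comment]  layout.
"""
import re

# name, port/proto, zero or more aliases, optional '#' comment.
_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<port>\d+)/(?P<proto>\w+)"
    r"(?P<aliases>(?:\s+[^#\s]+)*)\s*(?P<comment>#.*)?$"
)


def has_alias(lines, port="88", proto="tcp", alias="kerberos5"):
    """True if some port/proto line carries `alias` as its name or as an alias."""
    for line in lines:
        m = _LINE.match(line.rstrip("\r\n"))
        if m and m["port"] == port and m["proto"] == proto:
            if m["name"] == alias or alias in m["aliases"].split():
                return True
    return False


def ensure_alias(lines, port="88", protos=("tcp", "udp"), alias="kerberos5"):
    """Return (new_lines, changed) with `alias` present on every port/proto line.
    Lines the regex does not understand (comments, blanks) pass through unchanged,
    and the original line ending (\\n or \\r\\n) is preserved."""
    out, changed = [], False
    for line in lines:
        body = line.rstrip("\r\n")
        eol = line[len(body):]
        m = _LINE.match(body)
        if not m or m["port"] != port or m["proto"] not in protos:
            out.append(line)
            continue
        aliases = m["aliases"].split()
        if m["name"] == alias or alias in aliases:
            out.append(line)            # already there: idempotent
            continue
        aliases.insert(0, alias)        # first position, as on the slide
        rebuilt = f"{m['name']:<16}{port}/{m['proto']:<8}{' '.join(aliases)}"
        if m["comment"]:
            rebuilt += "  " + m["comment"]
        out.append(rebuilt + eol)
        changed = True
    return out, changed


# Constructed sample in the stock Windows layout (not copied from a real system).
SAMPLE = [
    "# Copyright (c) 1993-2004 Microsoft Corp.\n",
    "kerberos           88/tcp    krb5 kerberos-sec      #Kerberos\n",
    "kerberos           88/udp    krb5 kerberos-sec      #Kerberos\n",
    "kpasswd           464/tcp    # Kerberos (v5)\n",
]

if __name__ == "__main__":
    fixed, changed = ensure_alias(SAMPLE)
    print("changed:", changed)
    print("".join(fixed), end="")
```

On a real client read C:\Windows\System32\drivers\etc\services with `open(path, newline="")` so the CRLF endings survive the round trip, and write it back from an elevated prompt; the file is system-owned.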

Kerberos Ticket Handling and Different Login Options

• Kerberos ticket handling with Oracle commands
• Kerberos ticket handling with Java commands
• SSO with the Windows ticket cache
• SSO with SQL Developer

Kerberos Ticket Handling with Oracle commands 1

    # set TNS_ADMIN=C:\app\oracle\network\admin_krb
    (the sqlnet.ora there sets SQLNET.KERBEROS5_CC_NAME=C:\Temp\krb.cc)

    # oklist
    oklist: Credential cache C:\Temp\krb.cc not found.
    oklist: No credentials cache file found

    # okinit mustermann@DOM1.COMPANY.COM
    Password for mustermann@DOM1.COMPANY.COM:

    # oklist
    Ticket cache: C:\Temp\krb.cc
    Default principal: mustermann@DOM1.COMPANY.COM
    Valid Starting          Expires                 Principal
    28-Mar-2019 16:05:20    29-Mar-2019 00:05:16    krbtgt/DOM1.COMPANY.COM@DOM1.COMPANY.COM

Kerberos Ticket Handling with Oracle commands 2

    # sqlplus /@oraclesid.dom1.company.com
    SQL> SELECT sys_context('USERENV','ENTERPRISE_IDENTITY') AS enterprise_identity FROM dual;
    ENTERPRISE_IDENTITY
    mustermann@DOM1.COMPANY.COM

    # oklist
    Ticket cache: C:\Temp\krb.cc
    Default principal: mustermann@DOM1.COMPANY.COM
    Valid Starting          Expires                 Principal
    28-Mar-2019 16:05:20    29-Mar-2019 00:05:16    krbtgt/DOM1.COMPANY.COM@DOM1.COMPANY.COM
    28-Mar-2019 16:06:19    29-Mar-2019 00:05:16    oracle/dbserver.dom1.company.com@DOM1.COMPANY.COM

The second entry is the service ticket for the database's SPN, fetched from the KDC during the sqlplus connect (steps 3 and 4 of the Kerberos flow); its expiry is bounded by the TGT's.

Kerberos Ticket Handling with Java commands 1

    # set TNS_ADMIN=C:\app\oracle\network\admin_krb
    (the sqlnet.ora there sets SQLNET.KERBEROS5_CC_NAME=C:\Temp\krb.cc)

    # "C:\Program Files\Java\jre8\bin\kinit.exe" mustermann@DOM1.COMPANY.COM -c C:\temp\krb.cc
    Password for mustermann@DOM1.COMPANY.COM:
    New ticket is stored in cache file C:\temp\krb.cc

    # "C:\Program Files\Java\jre8\bin\klist.exe" -c C:\temp\krb.cc
    Credentials cache: C:\temp\krb.cc
    Default principal: mustermann@DOM1.COMPANY.COM, 1 entry found.
    [1] Service Principal: krbtgt/DOM1.COMPANY.COM@DOM1.COMPANY.COM
        Valid starting: Apr 01, 2019 08:55:04
        Expires:        Apr 01, 2019 18:55:04

Kerberos Ticket Handling with Java commands 2

    # sqlplus /@oraclesid.dom1.company.com
    SQL> SELECT sys_context('USERENV','ENTERPRISE_IDENTITY') AS enterprise_identity FROM dual;
    ENTERPRISE_IDENTITY
    mustermann@DOM1.COMPANY.COM

    # "C:\Program Files\Java\jre8\bin\klist.exe" -c C:\temp\krb.cc
    Credentials cache: C:\temp\krb.cc
    Default principal: mustermann@DOM1.COMPANY.COM, 2 entries found.
    [1] Service Principal: krbtgt/DOM1.COMPANY.COM@DOM1.COMPANY.COM
        Valid starting: Apr 01, 2019 08:55:04
        Expires:        Apr 01, 2019 18:55:04
    [2] Service Principal: oracle/dbserver.dom1.company.com@DOM1.COMPANY.COM
        Valid starting: Apr 01, 2019 08:56:07
        Expires:        Apr 01, 2019 18:55:04

SSO with Windows Ticket Cache

    # set TNS_ADMIN=C:\app\oracle\network\admin_wtc
    (the sqlnet.ora there sets SQLNET.KERBEROS5_CC_NAME=OSMSFT://)

    # C:\Windows\System32\klist.exe
    Current LogonId is 0:0xc02d1
    Cached Tickets: (0)

    # sqlplus /@oraclesid.dom1.company.com
    SQL> SELECT sys_context('USERENV','ENTERPRISE_IDENTITY') AS enterprise_identity FROM dual;
    ENTERPRISE_IDENTITY
    mustermann@DOM1.COMPANY.COM

    # C:\Windows\System32\klist.exe
    #0> Client: mustermann @ DOM1.COMPANY.COM
        Server: krbtgt/DOM1.COMPANY.COM @ DOM1.COMPANY.COM
    #1> Client: mustermann @ DOM1.COMPANY.COM
        Server: oracle/dbserver.dom1.company.com @ DOM1.COMPANY.COM

(The Windows klist output on the slide is in German; it is translated here.) No okinit is needed: the Oracle client reads the logged-on user's LSA ticket cache, and the TGT and service ticket appear there after the connect.

SSO with SQL Developer 1

• Start SQL Developer
• Go to Tools -> Preferences -> Database -> Advanced
• Configure Oracle Client
• Set the checkboxes
• Configure the TNS names directory

SSO with SQL Developer 2

    # set TNS_ADMIN=C:\app\oracle\network\admin_wtc
    # C:\PortableApps\sqldeveloper18.3\sqldeveloper.exe

Some additional comments 1

• The Oracle users must still exist in the database (created identified externally)
• Application logins must be adapted, because the login no longer works with username/password

• Difference between okinit and java\kinit
  – okinit does not accept a password as a command line parameter
  – java\bin\kinit does accept a password as a command line parameter:
      # java\bin\kinit -c C:\temp\krb.cc mustermann@DOM1.COMPANY.COM password
    A password on the command line is visible to other local processes and ends up in shell history, so prefer prompting or stdin in anything that is not a throwaway test.

• When adapting the login dialog of an application, java\kinit can be used to create the Kerberos ticket

• When using the Windows ticket cache, only the user currently logged in to Windows can log in to the database
• When using a Kerberos ticket file, tickets for different users can be created, so a login into the database with different credentials is possible

Some additional comments 2

• The service account for the Kerberos authentication must be located in the same domain as the database server
  – User: krbuser@DOM1.COMPANY.COM, FQDN: dbserver.dom2.company.com -> this configuration does not work
  – User: krbuser@DOM1.COMPANY.COM, FQDN: dbserver.dom1.company.com -> this configuration works

• Only one keytab file is necessary for several DBs on the same database server

• But for every DB server a dedicated Kerberos user is needed
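The cross-domain failure above and the [domain_realm] section of the krb5.conf files earlier are two sides of the same rule: the Kerberos library maps the SPN's host name to a realm through [domain_realm], and that realm has to be the one the service account (and therefore the keytab principal) lives in. Here is an added example, not from the presentation, that parses the krb5.conf subset shown on the slides, resolves a host to its realm the way MIT krb5 does (exact host, then parent domains with a leading dot, then the upper-cased DNS domain as fallback), and checks an SPN against the DB server it is meant for. The sample krb5.conf is constructed from the two realms on the slides.

```python
"""Which realm does a host belong to, and does the Oracle SPN fit the DB server?
Added example, not from the talk. The parser covers only the krb5.conf subset
shown on the slides (key = value, and one level of NAME = { ... } blocks)."""


def parse_krb5_conf(text):
    """Return {section: {key: value_or_{subkey: value}}} for a krb5.conf string."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
            block = None
            continue
        if line == "}":
            block = None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":                          # start of a realm block
            block = conf[section].setdefault(key, {})
        elif block is not None:
            block[key] = value
        else:
            conf[section][key] = value
    return conf


def realm_for_host(host, conf):
    """MIT-style [domain_realm] lookup: the host itself, then every parent domain
    with a leading dot (longest first), then the DNS domain upper-cased."""
    host = host.lower().rstrip(".")
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return ".".join(labels[1:]).upper()


def spn_consistent(spn_principal, db_host, conf):
    """True when the SPN is oracle/<db_host>@REALM and both the SPN host and the
    DB server map to that same REALM, i.e. the account is in the server's domain."""
    name, realm = spn_principal.rsplit("@", 1)
    service, spn_host = name.split("/", 1)
    return (service == "oracle"
            and spn_host.lower() == db_host.lower()
            and realm_for_host(spn_host, conf) == realm
            and realm_for_host(db_host, conf) == realm)


# Constructed krb5.conf with the two realms from the talk (hostnames are the slide's).
SAMPLE_CONF = """
[libdefaults]
  default_realm = DOM1.COMPANY.COM
[realms]
  DOM1.COMPANY.COM = {
    admin_server = ldapserver.dom1.company.com:749
    kdc = ldapserver.dom1.company.com:88
    default_domain = dom1.company.com
  }
  DOM2.COMPANY.COM = {
    kdc = ldapserver.dom2.company.com:88
    default_domain = dom2.company.com
  }
[domain_realm]
  .dom1.company.com = DOM1.COMPANY.COM
  dom1.company.com = DOM1.COMPANY.COM
  .dom2.company.com = DOM2.COMPANY.COM
  dom2.company.com = DOM2.COMPANY.COM
"""

if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_CONF)
    for spn, host in [
        ("oracle/dbserver.dom1.company.com@DOM1.COMPANY.COM", "dbserver.dom1.company.com"),
        ("oracle/dbserver.dom2.company.com@DOM1.COMPANY.COM", "dbserver.dom2.company.com"),
    ]:
        print(spn, "->", "ok" if spn_consistent(spn, host, conf) else "realm mismatch")
```

Feed it the real /etc/krb5.conf and the SPN from the keytab to catch the mismatch before the first ORA-12638 on a client.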

Oracle Support Articles

• Master Note For Kerberos Authentication (Doc ID 1375853.1)
• Configuring ASO Kerberos Authentication with a Windows 2008 R2 Active Directory KDC (Doc ID 1304004.1)
• Configuring Oracle Advanced Security Option (ASO) with Microsoft Windows Server 2003 Active Directory Kerberos KDC (Doc ID 331252.1)
• How To Configure Kerberos Authentication In A 12c Database (Doc ID 1996329.1)
• ORA-12638 With Kerberos Authentication Against MSAD Using Windows Credential Cache (Doc ID 1958479.1)

Settings from these notes:
• Server sqlnet.ora:
    SQLNET.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5PRE,KERBEROS5)
• Windows client sqlnet.ora: SQLNET.KERBEROS5_CC_NAME=MSLSA: does not work, use instead
    SQLNET.KERBEROS5_CC_NAME=OSMSFT://
    SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5PRE,KERBEROS5)

Q&A
