Skip Headers

Oracle® Database Advanced Security Administrator's Guide
1 0g Release 1 (10.1)
Part Number B10772-01
Go to Documentation Home
Home		 Go to Book List
Book Lis t		 Go to Table of Co ntents
Contents		 Go to Index
Index		 Go to Master Index
M aster Index		 Go to Feedback page
Feedback
Go to previous page
Previous		 Go to next page
Next
View PDF

6
Configuring Kerberos Aut hentication

This chapter describes how to configure Oracle Adv anced Security for Oracle Database for use with Kerberos authentication--and how to configure Kerberos to authenticate Oracle databas e users. This chapter contains the following topics:

Enabling Kerberos Authentication

To enable Kerberos authentication:

Task 1: Install Kerberos

Install Kerberos on the system that functions as the authentication server.

See Also:

Notes about building and installing Kerberos from Kerberos version 5 source distribution for information about how to install Kerb eros.

Task 2: Configure a Service Principal for an Oracle Database Server

To enable the Oracle database server to validate the identity of clients that authenticate themselves using K erberos, you must create a service principal for Oracle Database.

< a name="1006174">

The name of the principal should have the following format:

kservice/kinstance@REALM

Each of the fields in the service p rincipal specify the following values:

Service Principal Field Description

kservice

A case- sensitive string that represents the Oracle service; this can be the same as the database service name.

kinstance

This is typically the fully qualified name of the system on which Oracle Database is running.

REALM

The domain name of the database server. REALM must always be uppercase and is typically the DNS domain name.
Note:

The utility names in this section are executable programs. However, the Kerberos user name krbuser and the realm SOMECO.COM are examples only.

For example, if kservice is oracle, the fully qualified name of the system on which Oracle Database is running is dbserver.someco.com and the realm is SOMECO.COM. The principal name is:

oracle/dbserver.someco.com@SOMECO.COM

It is a convention to use the DNS domain name as the name of the realm. To create the service principal, run kadmin.local. On UNIX, run this command as the root user, by using the following syntax:

# cd /kerberos-install-directory/sbin
#
./kadmin.local

To add a principal named oracle/dbserver.someco.com@SOMECO.COM to the list of server principals known by Kerb eros, enter the following:

kadmin.local:addprinc -randkey oracle/dbserver.someco.com@SOMEC
O.COM

Task 3: Extract a Service Table from Kerberos

Extract the service table from Kerberos and copy it to the Oracle database server/Kerberos cli ent system.

For example, use the following steps to extract a service table for dbserv er.someco.com:

  1. Enter the following to e xtract the service table: 
    kadmin.local:  ktadd -k /tmp/keytab oracle/dbserver.someco.com

Entry for principal oracle/dbserver.someco.com with kvno 2, encryption 
DES-CBC-CRC added to
 the keytab WRFILE: 'WRFILE:/tmp/keytab

kadmin.local:  exit

oklist -k -t /tmp/keytab
  2. After the service table has been extracted, verify that the new entries are in the table in addition to the old ones. If they are no t, or you need to add more, use kadmin.local to append to them.

    If you do n ot enter a realm when using ktadd, it uses the realm of the current host and displays it in the command output, as shown in Step 1.

  3. If the Kerberos service table is on the same system as the Kerberos client, you can move it. If the service table is on a different system from the Kerberos client, you must transfer the file with a p rogram such as FTP. If using FTP, transfer the file in binary mode.

    The following exampl e shows how to move the service table on a UNIX platform:

    # mv /tmp/keytab /etc/v5srvtab

    The default name of the service file is /etc/v5srvtab.

  4. Verify that the owner of the Oracle database server executable can read the service table (/etc/v5srvtab in the previous example). To do so, set the file owner to the Oracle user, or make the file readable by the group to which Oracle belongs.

    Caution:

    Do not make the file readable to all users. T his can cause a security breach.

Task 4: Install an Oracle Database Server and an Oracle Client

Install the Oracle database server and client software.

See Also:

Oracle Database operating system-specific installation documentation

Task 5: Install Oracle Net Service s and Oracle Advanced Security

Install Oracle Net Services and Oracle Advanced Security on the Oracle database server and Oracle client systems.

See Also:

Oracle Database operating syste m-specific installation documentation

< font face="Arial, Helvetica, sans-serif" color="#330099">Task 6: Configure Oracle Net Services and Oracle Database

Configure Oracle Net Services on the Oracle database server and client.

See Also:

Task 7: Configure Kerberos Authentication

Perform these tasks to set required parameters in the Oracle database server and client sqlnet.ora files:

Step 1: Configure Kerberos on the Client and on the Database Server

Use Oracle Net Manager to perfo rm the following steps to configure Kerberos authentication service parameters on the client and on the database server (See "Starting Oracle Net Manager"):

  1. Navigate to the Oracle Advanced Security profile. ( See "Navigating to the Oracle Advanced Security Profile") The Oracle Advanced Security window ap pears (Figure 6-1):

Figure 6-1 Oracle Advanced Security Authentication Window (Kerberos)

Text description of kerb0001.gif follows.

Text description of the illustrati on kerb0001.gif

  1. Cho ose the Authentication tab.
  2. From the Available Met hods list, select KERBEROS5.
  3. Mov e KERBEROS5 to the Selected Methods list by clicking the right arrow (>).
  4. Arrange the selected methods in order of use. To do this, select a method in the Selected Methods list, then click Promote or Demote to position it in the list. For example, if you want KERBEROS5 to be the first service used, move it to the top of the list.
  5. Choose the Other Params tab (Figure 6-2).

Figur e 6-2 Oracle Advanced Security Other Params Window (Kerberos)

Text de scription of kerb0002.gif follows.

Text description of the illustration kerb0002.gif

  1. From the Authentication Service list, select KERBEROS(V5).
  2. Type Kerberos into the Service field. This field de fines the name of the service Oracle Database uses to obtain a Kerberos service tick et. When you provide the value for this field, the other fields are enabled.
  3. Optionally enter values for the following fields:
  4. Choose File > Save Network Configuration.

    The sqlnet.ora file is updated with the following entries:

    
SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=kservice

    5. Step 2: Se t the Initialization Parameters

    To set parameters in the initializati on parameter file:

    1. Add the following parameter to the initialization parameter file: 
      REMOTE_OS_AUTHENT=FALSE
    2. Because Kerberos user names can be long, and Oracle user nam es are limited to 30 characters, Oracle Corporation strongly recommends that you set the value of OS_AUTHENT_PREFIX to n ull as follows: 
      OS_AUTHENT_PREFIX=""

      Setting this parameter to null overrides the default value of OPS$.

      3. < !--TOC=h3-"1006392"-->

      Step 3: Set sqlnet.ora Parameters (op tional)

      In addition to the required parameters, you can optionally se t the following parameters in the sqlnet.ora file on the client and the Oracle database server:

      < /a>Caution:

      Setting REMOTE_OS_AUTHENT to TRUE can enable a security breach, because it lets someone using a non-secure protoco l, such as TCP, perform an operating system-authorized login (formerly called an OPS$ login).
      < td class="Simple">

      Specifies the complete path name to the Kerberos credentials cache (CC) file. The default value is operating system-dependent. For UNIX, it is /tmp/krb5cc_userid.

      You can also set this parameter by using the KRB5CCNAME environment variable, but the value set in the sqlne t.ora file takes precedence over the value set in KRB5CCNAME.

      SQLNET.KERBEROS5_CLOCKSKEW=number_of_seconds_accepted_as _network_delay

       < td class="Simple">

      Parameter:

      < tr class="Simple" align="left" valign="top">

      Parameter:

      < code>SQLNET.KERBEROS5_CC_NAME=pathname_to_credentials_cache_file

      Description:

      Example:

      SQLNET.KERBEROS5_CC_NAME=/usr/tmp/krbcache

      Parameter:

      Description:

      This paramet er specifies how many seconds can pass before a Kerberos credential is considered out-of-date. It is used when a credential is actual ly received by either a client or a database server. An Oracle database server also uses it to decide if a credential needs to be sto red to protect against a replay attack. The default is 300 seconds.

      Example:

      SQLNET.KERBEROS5_CLOCKSKEW=1200

      SQLNET.KERBEROS5_CONF=pathname_to_Kerberos_
      configuration_file

      Description:

      This parameter specifies the complete pat h name to the Kerberos configuration file. The configuration file contains the realm for the default KDC (key distribution center) an d maps realms to KDC hosts. The default is operating system-dependent. For UNIX, it is /krb5/krb.conf.

      Example:

      SQLNET.KERBEROS5_CONF=/krb/krb.conf

      Parameter:

      SQLNET.KERBEROS5_CONF_MI T=[TRUE|FALSE]

      Description:

      This parameter sp ecifies whether the new MIT Kerberos configuration format is used. If the value is set to TRUE, it will parse the file a ccording to the new configuration format rules. When the value is set to FALSE, the default (non-MIT) configuration is u sed. The default is FALSE.

      Example:

      SQLNET.KERBEROS5_CONF_MIT=False

      Parameter:

      SQLNET.KERBEROS5_KEYTAB=
      pathname_to_Kerberos_principal/key_table

      Description:< /p>

      This parameter specifies the complete path name to the Kerberos pri ncipal/secret key mapping file. It is used by the Oracle database server to extract its key and decrypt the incoming authentication i nformation from the client. The default is operating system-dependent. For UNIX, it is /etc/v5srvtab.

      Example:

      SQLNET.KERBEROS5_KEYTAB=/etc/v5srvtab

      Parameter:

      SQLNET.KERBEROS5_REALMS=
      pathname_to_K erberos_realm_translation_file

      Description:

      This parameter specifies the complete path name to the Kerberos realm translation file. The translation file provides a mapping f rom a host name or domain name to a realm. The default is operating system-dependent. For UNIX, it is /etc/krb.realms.

      Example:

      SQLNET.KERBEROS5_REALMS=/krb5/krb.realms

      Task 8: Create a Kerberos User

      To create Oracle users that K erberos can authenticate, perform this task on the Kerberos authentication server where the administration tools are installed. The r ealm must already exist.

      Note:

      The utility names in this section are executable programs. However, the Kerberos user name < code>krbuser and realm SOMECO.COM are examples only; they can vary among systems.

      Run /krb5/admin/kadmin.local as root to create a new Kerberos user, such as krbuser.

      The following example is UNIX-specific:

      # ./kadmin.local
kadmin.local: addprinc krbuser
Enter password for principal:
"krbuser@SOMECO.COM": (password does not display)
Re-enter password for principal: "krb
user@SOMECO.COM": (password does not 
display)
kadmin.local: exit

      Task 9: Create an Externall y Authenticated Oracle User

      Run SQL*Plus on the Oracle database serve r to create the Oracle user that corresponds to the Kerberos user. In the following example, OS_AUTHENT_PREFIX is set to null (""). The Oracle user name is in uppercase enclosed in double quotation marks as shown in the following example: 

      SQL> CONNECT / AS SYSDBA;
SQL> CREATE USER "KRBUSER@SOMECO.COM"
 IDENTIFIED EXTERNALLY; 
SQL> GRANT CREATE SESSION TO "KRBUSER@SOMECO.COM";
      < !--TOC=h2-"1006497"-->

      Task 10: Get an Initial Ticket for th e Kerberos/Oracle User

      Before you can connect to the database, you mu st ask the Key Distribution Center (KDC) for an initial ticket. To do so, run the following on the client:

      % okinit use
rname

      If, when making a database connection, a reference such as the following follows a database link, you must use the forwardable flag (-f) option:

      sqlplus /@oracle

      Executing okinit -f enables credenti als that can be used across database links. Run the following commands on the Oracle client:

      <
/a>% okinit -f
Password for krbuser@SOMECO.COM:password
      < h2 class="H1">Utilities for the Kerberos Authentication Adapter

      Three utilities are shipped with the Oracle Kerberos authentication adapter. The se utilities are intended for use on an Oracle client with Oracle Kerberos authentication support installed. Use the following utilit ies for these specified tasks:

      Obtaining the Initial Ticket with the okinit Utility

      The okinit utility obtains and caches Kerberos tickets. This utility i s typically used to obtain the ticket-granting ticket, using a password entered by the user to decrypt the credential from the key di stribution center (KDC). The ticket-granting ticket is then stored in the user's credential cache.

      The options available with okinit are listed in Table 6-1:

      Table 6-1 Options for the okinit Utility
      Option Description

      -f

      Ask for a forwardable ticket-granting ticket. This option is necessary to follow database links.

      -l

      Specify the lifetime of the ticket-granting ticket and all subsequent tickets. By default, the ticket-granting ticket is good for eight (8) hours, but shorter or longer-lived credenti als may be desired. Note that the KDC can ignore this option or put site-configured limits on what can be specified. The lifetime val ue is a string that consists of a number qualified by w (weeks), d (days), h (hours), m (minutes), or s (seconds), as in the followin g example:

      okinit -l 2wld6h20m30s

      The example requests a ticket-granting ticket that has a life time of 2 weeks, 1 day, 6 hours, 20 minutes, and 30 seconds.

      -c

      Specify an alternative credential cache. For UNIX, the default is /tmp/krb 5cc_uid. You can also specify the alternate credential cache by using the SQLNET.KERBEROS5_CC_NA ME parameter in the sqlnet.ora file.

      -?

      List comm and line options.

      Displaying Credentials with the oklist Utility

      Run the oklist utility to display the list of tickets held; available oklist options are listed in Table 6-2:

      Table 6-2 Options for the oklist Utility

      -k

      Option Description

      -f

      Show flags with cred entials. Relevant flags are I, credential is a ticket-granting ticket, F, credential is forwardable, and f, credential is forwarded.< /p>

      -c

      Specify an alternative credential cache. In UNIX, the default is < code>/tmp/krb5cc_uid. The alternate credential cache can also be specified by using the SQLNET.KER BEROS5_CC_NAME parameter in the sqlnet.ora file.

      List the entries in the service table (default /etc/v5srvtab) on UNIX. The alternate service table can also be specif ied by using the SQLNET.KERBEROS5_KEYTAB parameter in the sqlnet.ora file.

      The show flag option (-f) displays additional information, as shown in the follow ing example:

      % oklist -f
27-Jul-1999 21:57:51   28-Jul-1999 05:58:14

krbtgt/SOMECO.COM@SOMECO.COM
Flags: FI

      Removing Credentials from the Cache File with the okdst ry Utility

      Use the okdstry utility to remove credentials from the cre dentials cache file:

      $ okdstry -f

      where the -f command option lets you specify an alternative credential cache. For UNIX, the default is /tmp/krb5cc_uid. You can also specify the alternate credential cache by using the SQLNET.KRB5_CC_N AME parameter in the sqlnet.ora file.

      Connecting to an Oracle Database Server Authenticated by Kerberos

      You can now connect to an Oracle database server without using a user name or password. Enter a command similar to the following:

      $ sqlplus /@net_service_name

      where net_service_name is an Oracle Net Services serv ice name. For example:

      $ sqlplus /@oracle_dbname
      < div align="center">
      See Also:

      Chapter 1, "Introduction to Oracle Advanced Security", for information about external authentication and Oracle Database Heterogeneous Connectivity A dministrator's Guide

      Configuring Interoperability with a Windows 2000 Domain Controller KDC

      < !--/TOC=h1-->

      Oracle Advanced Security, which complies with MIT Kerberos, can interoperate with tickets that are issued by a Kerberos Key Distribution Center (KDC) on a Windows 2000 domain controller to enable Kerberos authentica tion with an Oracle database. To configure Kerberos authentication that uses a Windows 2000 domain controller KDC, perform the follow ing tasks:

      The following steps mus t be performed on the Oracle Kerberos client.

      Step 1: Creating Client Kerberos Configuration Files to Use a Windows Domain Controller KDC

      Create the following Kerberos client configuration files that refer to th e Windows 2000 domain controller as the Kerberos KDC. In the examples that follow, the Windows 2000 domain controller is running on a node named sales3854.us.acme.com.

      • krb.conf file

        For example:

        S
ALES3854.US.ACME.COM
SALES3854.US.ACME.COM sales3854.us.acme.com admin server
      • krb5.conf file

        For example:

        [libdefaults]
default_realm=SALES.US
.ACME.COM
[realms]
SALES.US.ACME.COM= {

        kdc=sales3854.us.acme.com:88
}

        [domain_realm]
.us.acme.com=SALES.US.ACME.COM
      • < /a>krb5.realms file

        For example:

        us.acme.com SALES.US.ACME.COM

      Configuring an Oracle client to interoperate with a Windows 2000 domain controller KDC uses the same sqlnet.ora file parameters that are listed in "Step 1: Configure Kerberos on the Client and on the Database Server".

      Set the following parameters in the sqlnet.ora file on the client:

      SQLNET.KERBEROS5_CONF=pathname_to_Kerberos_configuration_file
SQLNET.KERBEROS5_CONF_MIT=TR
UE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=Kerberos_service_name
SQLNET.AUTHENTI
CATION_SERVICES=(BEQ,KERBEROS5)
      Note:

      Ensure that the SQLNET.KERBEROS5_CONF_MIT parameter is set to T RUE because the Windows 2000 operating system is designed to interoperate only with security services that are based on MIT Ke rberos version 5.

      Step 3: Specifying the Listening Port Number

      The Windows 2000 domain controller KDC listens on UDP/TCP port 88. Ensure that the system file entry for kerbe ros5 is set to UDP/TCP port 88 as follows:

      • (UNIX)

        Ensure that the kerberos5 entry in the /etc/services file is set to 88

      Task 2: Configuring a Windows 2000 Domain Controller KDC to Interoperate with an Oracle Client

      The following steps must be performed on the Windows 2000 domain controller.

      < /a>
      See Also:

      Microsoft documentation for information about how to create users in Active Directory.

      Step 1: Creating the Use r

      Create a new user for the Oracle client in Microsoft Active Directo ry.

      Step 2: Creating the Oracle Database Principal

      1. Create a new user for the Oracle database in Microsoft Active Directory.

        For example, if the Oracle database runs on the host sales3854.us.acme.com, then use Active Directory to create a us er with the username sales3854.us.acme.com and the password oracle.

        Note:

        Do not create a user as host/hostname.dns.com, such as oracle/sales3854.us.acme.com, in Active Directory. Microsoft's KDC does not support multipart names like an MIT KDC does. An MIT KDC allows multipart names to be used for service principals because it treats all principals as usernames. However, Microsoft's KDC does not.
      1. Use the Ktpass command line utility to extract the keytab file with the following syntax: 
        Ktpass -princ service/hostname@NT-
DNS-REALM-NAME -mapuser account -pass 
password -out keytab.file
        2. < /ol>

        Using the database user created in the previous step, the following is an example of Ktpass usage:

        C:> Ktpass -princ oracle/sales3854.us.acme.com@SALES.US.COM<
/em> -mapuser 
sales3854 -pass oracle -out C:\temp\v5srvtab

        This utility is part of the Windows 2000 Support Tools and can be found on the Windows 2000 distribution media in the \support\reskit\netmgmt\security folder.

        Task 3: Configuring an Oracle Database to Interoperate with a Windows 2000 Domain Controller KDC

        The following steps must be performed on the host computer where the Oracle database is installed.

        Step 1: Setting Configuration Paramete rs in the sqlnet.ora File

        Specify values for the following parameters in the sqlnet.ora file for the database server:

        SQLNET.KERBEROS5_CONF=pathname_to_Ker
beros_configuration_file
SQLNET.KERBEROS5_KEYTAB=pathname_to_Kerberos_principal/key_table
SQLNET.KERBEROS5_CONF_MIT=TRUE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=Kerberos_service_name

SQLNET.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5)
        Note:

        Ensure that the SQLNET.KERBEROS5_ CONF_MIT parameter is set to TRUE because the Windows 2000 operating system is designed to interoperate only with security services that are based on MIT Kerberos version 5.

        Step 2: Creating an Externally Authenticated Orac le User

        Follow the task information for "Task 9: Create an Externally Authenticated Oracle User" to create an externally authenticated Oracle user. Ensure that the username is created in all uppercase characters. For example, ORAKRB@SALES.US.ACME.COM.

        See Also:

        Task 4: Getting an Initial Ticket for the Kerberos/Oracle User

        Before a client can connect to the database, the client must request an initial ticket. To request an initial ticket, follow the task information for "Task 1 0: Get an Initial Ticket for the Kerberos/Oracle User".

        Troubleshooting

        This section lists some common configuration problems and explains how to resolve them.

        • If you cannot get your ticket-granting ticket using OKINIT:
          • Ensure that the default realm is correct by examining the krb.conf file.
            • < li class="LD2" type="CIRCLE">Ensure that the KDC is running on the host specified for the realm.
          • Ensure that the KDC has an entry for the user principal and that the passwords match.
          • Ensure that the krb.conf and krb.realms files are readable by Oracle.
        • If you have an initial ticket, but still cannot connect:
            After trying to connect, check for a service ticket.
          • Check that the sqlnet.ora file on the database server side has a service name that correspond s to a service known by Kerberos.
          • Check that the clocks on all systems invol ved are set to times that are within a few minutes of each other (or change the SQLNET.KERBEROS5_CLOCKSKEW parameter in the
            sqlnet.ora file).
        • If you have a service ticke t and you still cannot connect:
          • Check the clocks on the client a nd database server.
          • Check that the v5srvtab file exists in the correct locat ion and is readable by Oracle (remember to set the sqlnet.ora parameters).
          • Check that the v5srvtab file has been generated for the service named in the sqlnet.ora file on the database server side.
        • If everything seems to work fine, but then you issue another query and it fails:
          • Check that the initial ticket is fo rwardable. (You must have obtained the initial ticket by running the okinit utility.)
          • Check the expiration date on the credentials. If the credentials have expired, then close the connection and run okinit to get a new initial ticket.
      Go to previous page
      Previous      		 Go to next page
      Next
      		Oracle
      Copyright © 1996, 2003 Oracle Corporation
      All Rights Reserved.       		< td align="center" valign="top">Go to Index
      Index
      Go to Documentation Home
      Home      		 Go to Book List
      Book List      		 Go to Table of Contents
      Contents      		 Go to Master Index
      Master Index      		 < a href="../../dcommon/html/feedback.htm">Go to Feedback page
      Feedback