Enterprise users make use of Oracle Internet Directory, which is a part of the Oracle Identity Management infrastructure. If your organization uses a third party directory like Active Directory to store and manage user entries, then you can integrate it with Oracle Internet Directory to manage Enterprise User Security.
Kerberos authentication for enterprise users can make use of tickets issued by a Kerberos Key Distribution Center (KDC) running with Microsoft Active Directory.
Oracle components make use of Oracle Internet Directory for centralized security administration. Your organization might have a Microsoft Windows domain that uses Microsoft Active Directory for centralized administration. You should set up synchronization between Oracle Internet Directory and Microsoft Active Directory before you configure Enterprise User Security to work with Microsoft Active Directory.
Synchronization profiles are used to synchronize the two directories. A profile contains the configuration information required for the synchronization: the direction of synchronization, mapping rules and formats, connection details of the Microsoft Windows domain, and the like. Mapping rules consist of domain rules and attribute rules that map a domain and its attributes in one directory to the other directory, optionally formatting the attributes.
For step-by-step instructions on integrating Oracle Internet Directory with Microsoft Active Directory, refer to the Oracle Identity Management Integration Guide.
The following tasks must be performed on the Windows domain controller:
This creates a new user for the database in Microsoft Active Directory.
okcreate command-line utility to automate the creation of the service principal
Beginning with Oracle Database 12c Release 2 (12.2), the okcreate utility provides for automation of service principal keytab creation on the Key Distribution Center (KDC), creating all the service keytabs that setup requires. To use an Active Directory as a KDC, this requires the keytab file. If the Oracle client does not have a keytab file in the location specified by SQLNET.KERBEROS5_CONF, it uses a generic krb5.conf file; in this case, it detects the realm and KDC settings from DNS. The utility takes input about the keytabs to create and outputs them to a specified location. The inputs are the service name (defaults to oracle) and a list of hostnames on which the database server is installed.
The following task must be performed on the host computer where Oracle Database is installed:
sqlnet.ora file in the database with Kerberos parameters
See the Oracle Database Security Guide for a detailed description of the preceding step.
The following steps must be performed on the Oracle Kerberos client:
The client Kerberos configuration files refer to Microsoft Active Directory as the Kerberos KDC.
You can either update the file manually or use the Oracle Net Manager utility.
Before a client can connect to the database, it must request an initial ticket. The initial ticket identifies the client as having the right to ask for additional service tickets. An initial ticket is requested using the
See the Oracle Database Security Guide for more details on requesting an initial ticket with
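The okcreate inputs, the sqlnet.ora Kerberos parameters and the client krb5.conf described above have to agree with each other. The following Python is an added example (not from this guide or from Oracle) that cross-checks a constructed sqlnet.ora against the krb5.conf it references and lists the service principals, of the form service/hostname@REALM, that the keytabs created for each database host must contain; the hostnames, realm and file paths are made up.

```python
# Constructed sample inputs (hypothetical hosts, realm and paths; not a real deployment).
SQLNET_ORA = """\
SQLNET.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5)
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
SQLNET.KERBEROS5_CONF=/etc/krb5.conf
SQLNET.KERBEROS5_KEYTAB=/u01/app/oracle/keytabs/dbhost1.keytab
"""
KRB5_CONF = """\
[libdefaults]
  default_realm = CORP.EXAMPLE.COM
[realms]
  CORP.EXAMPLE.COM = {
    kdc = dc01.corp.example.com
  }
"""
DB_HOSTS = ["dbhost1.corp.example.com"]  # the hostnames okcreate would be given

def parse_sqlnet(text):
    """Map NAME -> value for the NAME=VALUE lines of a sqlnet.ora ('#' starts a comment)."""
    pairs = (line.split("#", 1)[0].split("=", 1) for line in text.splitlines())
    return {kv[0].strip().upper(): kv[1].strip() for kv in pairs if len(kv) == 2}

def parse_krb5(text):
    """Return (default_realm, {realm: [kdc, ...]}) from a krb5.conf."""
    default_realm, kdcs, realm = None, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("default_realm"):
            default_realm = line.split("=", 1)[1].strip()
        elif line.endswith("{"):                      # start of a [realms] block
            realm = line.split("=", 1)[0].strip()
            kdcs.setdefault(realm, [])
        elif realm and line.startswith("kdc"):
            kdcs[realm].append(line.split("=", 1)[1].strip())
    return default_realm, kdcs

def check_kerberos_config(sqlnet_text, krb5_text, db_hosts):
    """Return (expected service principals, list of findings) for one database server."""
    p = parse_sqlnet(sqlnet_text)
    realm, kdcs = parse_krb5(krb5_text)
    findings = []
    if "KERBEROS5" not in p.get("SQLNET.AUTHENTICATION_SERVICES", "").upper():
        findings.append("KERBEROS5 missing from SQLNET.AUTHENTICATION_SERVICES")
    for key in ("SQLNET.KERBEROS5_CONF", "SQLNET.KERBEROS5_KEYTAB"):
        if key not in p:
            findings.append(key + " not set")
    if not kdcs.get(realm):  # no explicit KDC: realm and KDC must be discovered via DNS
        findings.append("no kdc for realm %s in krb5.conf; DNS discovery required" % realm)
    # okcreate creates one keytab per host for the principal <service>/<host>@<REALM>
    service = p.get("SQLNET.AUTHENTICATION_KERBEROS5_SERVICE", "oracle")
    principals = ["%s/%s@%s" % (service, h, realm) for h in db_hosts]
    return principals, findings
```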
To configure Enterprise User Security for Kerberos Authentication, use the following steps:
You can use Database Configuration Assistant to register the database.
Create global schemas and global roles in the database. Also create enterprise roles in the enterprise domain. Configure user schema mappings for the enterprise domain, add global database roles to enterprise roles and grant enterprise roles to enterprise users for database access.
Use Oracle Enterprise Manager to enable Kerberos authentication for your enterprise domain.
Launch SQL*Plus and use the command,
net_service_name to connect as a Kerberos-authenticated enterprise user.
For detailed information on the preceding steps, refer to "Configuring Enterprise User Security for Kerberos Authentication".