Oracle Advanced Security Administrator's Guide Release 8.1.6 A76932-01
This chapter contains information on how to configure Oracle for use with Kerberos authentication and to configure Kerberos to authenticate Oracle users.
This chapter covers the following topics:
Kerberos authentication is enabled by performing the following tasks, each of which is described in this section.
Perform the following tasks in the order listed below.
Task 2: Configure a Service Principal for an Oracle Server
Task 3: Extract a Service Table from Kerberos
Task 4: Install an Oracle Server and an Oracle Client
Task 5: Install Net8 and Oracle Advanced Security
Task 6: Configure Net8 and Oracle
Task 7: Configure Kerberos Authentication
Task 8: Create a Kerberos User
Task 9: Create an Externally-Authenticated Oracle User
Install Kerberos on the machine that functions as the authentication server
More Information:
For information on how to install Kerberos, see "Related Publications" in the Preface.
For the Oracle Server to validate the identity of clients that authenticate themselves using Kerberos, you must first create a service principal for Oracle.
The name of the principal should have the following format:
kservice/kinstance@REALM
Note: The utility names in this section are actual programs that are run. However, the Kerberos user name krbuser and the realm SOMECO.COM are examples only.
For example, if kservice is oracle, the fully-qualified name of the machine on which Oracle is running is dbserver.someco.com, and the realm is SOMECO.COM, the principal name is as follows:
oracle/dbserver.someco.com@SOMECO.COM
It is a common convention to use the DNS domain name as the name of the realm.
To create the service principal, run kadmin.local. The following example is UNIX specific. Enter the following as root user:
    # cd /kerberos-install-directory/sbin
    # ./kadmin.local
To add a principal named oracle/dbserver.someco.com@SOMECO.COM to the list of server principals known by Kerberos, enter the following:
    kadmin.local: addprinc -randkey oracle/dbserver.someco.com@SOMECO.COM
Extract the service table from Kerberos and copy it to the Oracle server/Kerberos client machine.
For example, to extract a service table for dbserver.someco.com, perform the following steps.
    kadmin.local: ktadd -k /tmp/keytab oracle/dbserver.someco.com
    Entry for principal oracle/dbserver.someco.com with kvno 2, encryption DES-CBC-CRC added to the keytab WRFILE:/tmp/keytab
    kadmin.local: exit
    oklist -k -t /tmp/keytab
kadmin.local to append the additional entries.
If you do not enter a realm when using ktadd, it uses the realm of the current host and displays it in the command output, as shown above.
The following example is UNIX specific.
    # mv /tmp/keytab /etc/v5srvtab
The default name of the service file is /etc/v5srvtab. If a different name is used, that name should be substituted for the default name.
Make sure the service table file (/etc/v5srvtab in the previous example) is readable by the Oracle user. To do so, set the file owner to the Oracle user or make the file readable by the group to which Oracle belongs.
Install the Oracle server and client software.
Install Net8 and Oracle Advanced Security on the Oracle server and Oracle client machines.
Configure Net8 on the Oracle server and client.
Perform the following tasks to set certain parameters in the Oracle server and client sqlnet.ora files:
Perform the following steps to configure Kerberos authentication service parameters on the client and on the server:
The Oracle Advanced Security tabbed pages appear.
This field specifies the name of the service Oracle uses to obtain a Kerberos service ticket. Substitute a value for the kservice part of the service name.
The sqlnet.ora file updates with the following entries:
    SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)
    SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=kservice
Perform the following steps to set parameters in the initialization parameter file.
    REMOTE_OS_AUTHENT=FALSE
    OS_AUTHENT_PREFIX=""
Setting OS_AUTHENT_PREFIX to a null value overrides the default value of OPS$.
In addition to the above required parameters, you can optionally set the following sqlnet.ora parameters on the client or on the server.
To create Oracle users that Kerberos can authenticate, perform this task on the Kerberos authentication server where the administration tools are installed.
It is assumed that the realm already exists.
Run /krb5/admin/kadmin.local as root to create a new Kerberos user, such as krbuser.
The following example is UNIX specific:
    # ./kadmin.local
    kadmin.local: addprinc krbuser
    Enter password for principal: "krbuser@SOMECO.COM": <password not echoed>
    Re-enter password for principal: "krbuser@SOMECO.COM": <password not echoed>
    kadmin.local: exit
Run SQL*Plus on the Oracle server to create the Oracle user that corresponds to the Kerberos user. In the following example, OS_AUTHENT_PREFIX is set to null (""). The Oracle user name must be in uppercase and double-quoted, such as "KRBUSER@SOMECO.COM".
    SQL> CONNECT INTERNAL;
    SQL> CREATE USER "KRBUSER@SOMECO.COM" IDENTIFIED EXTERNALLY;
    SQL> GRANT CREATE SESSION TO "KRBUSER@SOMECO.COM";
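An added example, not from the Oracle guide, that applies the mapping just described: it reads the two initialization parameters, reports whether REMOTE_OS_AUTHENT is FALSE as required, and derives the uppercase, double-quoted Oracle user name from a Kerberos principal for both a null OS_AUTHENT_PREFIX and the OPS$ default. The parameter file text is constructed for the example.

```python
# Constructed initialization parameter file fragment with the two settings
# this page requires (not taken from any real installation).
INIT_ORA = """
REMOTE_OS_AUTHENT=FALSE
OS_AUTHENT_PREFIX=""
"""

def parse_params(text):
    """Parse NAME=VALUE lines; surrounding double quotes are stripped, so
    OS_AUTHENT_PREFIX="" becomes the empty string."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip().upper()] = value.strip().strip('"')
    return params

def remote_os_authent_off(params):
    """REMOTE_OS_AUTHENT must be FALSE: TRUE makes the server trust an OS user
    name asserted by a remote client, bypassing Kerberos entirely."""
    return params.get("REMOTE_OS_AUTHENT", "FALSE").upper() == "FALSE"

def oracle_user_for_principal(principal, params):
    """Oracle prepends OS_AUTHENT_PREFIX (default OPS$) to the external name and
    matches it case-sensitively, so the user must be created in uppercase."""
    prefix = params.get("OS_AUTHENT_PREFIX", "OPS$")
    return (prefix + principal).upper()

def create_user_sql(principal, params):
    """The SQL*Plus statements this page shows, with the name double-quoted so
    the @ and $ characters survive."""
    user = oracle_user_for_principal(principal, params)
    return (f'CREATE USER "{user}" IDENTIFIED EXTERNALLY;\n'
            f'GRANT CREATE SESSION TO "{user}";')
```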
Before you can connect to the database, you must ask the Key Distribution Center (KDC) for an initial ticket. To do so, run the following on the client:
    % okinit user_name
If, when making a database connection such as the following, a reference follows a database link, you must use the forwardable flag (-f) option:
    sqlplus /@oracle
Executing okinit -f enables credentials that can be used across database links. You should be on the Oracle client before running the following commands:
    % okinit -f
    Password for krbuser@SOMECO.COM: password
Table 6-1 describes utilities that are shipped with the Oracle Kerberos authentication adapter.
Table 6-1 Oracle Kerberos Adapter Utilities for the Client
Command | Description
---|---
okinit | Gets an initial ticket
oklist | Displays a list of currently-owned tickets
okdstry | Removes all tickets from the credentials cache
These utilities are intended for use on an Oracle client with Oracle Kerberos authentication support installed.
The okinit utility obtains and caches Kerberos tickets. This utility is typically used to obtain the ticket-granting ticket, using a password entered by the user to decrypt the credential from the key distribution center (KDC). The ticket-granting ticket is then stored in the user's credential cache.
The options available with okinit are listed in Table 6-2.
Table 6-2 Options for the okinit Utility
Users can run the oklist utility to display the list of tickets they hold.
The options available with oklist are listed in Table 6-3.
Table 6-3 Options for the oklist Utility
The show flag option (-f) displays additional information, as shown in the following example:
    % oklist -f
    27-Jul-1999 21:57:51  28-Jul-1999 05:58:14  krbtgt/SOMECO.COM@SOMECO.COM
    Flags: FI
Use the okdstry utility to remove credentials from the credentials cache file. To do so, enter the following:
    $ okdstry -f
Table 6-4 provides information on the -f command option.
Table 6-4 Option for the okdstry Utility
You can now connect to an Oracle Server without using a user name or password. Enter a command similar to the following:
    $ sqlplus /@net_service_name
where net_service_name is a Net8 service name. For example:
    $ sqlplus /@oracle_dbname
More Information:
For information on external authentication, see Chapter 1 and Oracle8i Distributed Database Systems.
This section lists some common configuration problems and explains how to resolve them.
- krb.conf file.
- Make sure the krb.conf and krb.realms files are readable by Oracle.
- Check that the sqlnet.ora file on the server side has a service name that corresponds to a service known by Kerberos.
- sqlnet.ora file).
- Check that the v5srvtab file exists in the correct location and is readable by Oracle (remember to see the sqlnet.ora parameters).
- Check that the v5srvtab file has been generated for the service named in the sqlnet.ora file on the server side.
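An added checker, not part of the Oracle guide, for the service-name and service-table items above: it builds the kservice/kinstance@REALM name that the server's sqlnet.ora implies, checks that a service table entry exists for it, and checks that the service table is readable by the Oracle user but not by everyone. The sqlnet.ora text, the keytab principal list and the temporary file stand in for real input; a real run would feed in the output of oklist -k -t and the path of the actual service file.

```python
import os, stat, tempfile
# Constructed server-side sqlnet.ora with the entries this page shows.
SERVER_SQLNET_ORA = """
SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
"""
# Constructed stand-in for what 'oklist -k -t /etc/v5srvtab' would list.
KEYTAB_PRINCIPALS = ["oracle/dbserver.someco.com@SOMECO.COM"]

def parse_sqlnet(text):
    """Parse NAME=VALUE lines of a sqlnet.ora fragment into a dict."""
    params = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            name, value = line.split("=", 1)
            params[name.strip().upper()] = value.strip()
    return params

def expected_service_principal(params, host_fqdn, realm):
    """kservice/kinstance@REALM from sqlnet.ora; None if Kerberos is not enabled."""
    services = params.get("SQLNET.AUTHENTICATION_SERVICES", "").upper()
    kservice = params.get("SQLNET.AUTHENTICATION_KERBEROS5_SERVICE")
    if "KERBEROS5" not in services or not kservice:
        return None
    return f"{kservice}/{host_fqdn}@{realm}"

def keytab_has_service(principal, keytab_principals):
    """The service table must hold an entry for the principal sqlnet.ora names."""
    return principal is not None and principal in keytab_principals

def keytab_perms_ok(path, oracle_uid):
    """Readable by the Oracle user (as owner or via group), never world-readable:
    the file holds the service key, so world-read exposes it to every local account."""
    st = os.stat(path)
    owner_ok = st.st_uid == oracle_uid and bool(st.st_mode & stat.S_IRUSR)
    group_ok = bool(st.st_mode & stat.S_IRGRP)   # assumes the group is Oracle's
    world_readable = bool(st.st_mode & stat.S_IROTH)
    return (owner_ok or group_ok) and not world_readable

def demo_keytab_perms():
    """Temporary file instead of /etc/v5srvtab: 0600 passes, 0644 fails."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    os.chmod(path, 0o600)
    strict = keytab_perms_ok(path, os.getuid())
    os.chmod(path, 0o644)
    loose = keytab_perms_ok(path, os.getuid())
    os.remove(path)
    return strict, loose
```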
Copyright © 1999 Oracle Corporation. All Rights Reserved.