Guidelines for Updating Kerberos Passwords
The password of a Kerberos principal should be changed periodically. You can do this either manually, by setting the password with kadmin.local, or automatically, by randomizing the principal's keys with the config renew-keytab command of the securityconfig tool.
The syntax for this command is:
  config renew-keytab -root <secroot> [-secdir <security dir>]
      [-keysalt <enc:salt[,enc:salt,..]>]
      [-kadmin-path <kadmin utility path>]
      [-instance-name <database instance name>]
      [-admin-principal <kerberos admin principal name>]
      [-kadmin-keytab <keytab file>]
      [-kadmin-ccache <credential cache file>]
where:
- -keysalt
  Sets the list of encryption types and salt types to be used for any new keys created. The default value is des3-cbc-sha1:normal,aes128-cts-hmac-sha1-96:normal,arcfour-hmac:normal.
- -kadmin-path
  Indicates the absolute path of the Kerberos kadmin utility. The default value is /usr/kerberos/sbin/kadmin.
- -instance-name
  Specifies the service principal name. The default value is the fully qualified domain name (FQDN) of the Storage Node where Oracle NoSQL Database is running.
- -admin-principal
  Specifies the principal used to log in to the Kerberos admin interface. This is required when a kadmin keytab or a password is used to connect to the admin interface.
- -kadmin-keytab
  Specifies the location of a Kerberos keytab file that stores the Kerberos admin user principal and its encrypted keys. The security configuration tool uses the specified keytab file to log in to the Kerberos admin interface. You must also specify the -admin-principal flag when using a keytab to log in to the Kerberos admin interface; otherwise the correct admin principal will not be recognized. This flag cannot be specified in conjunction with the -kadmin-ccache flag.
- -kadmin-ccache
  Specifies the complete path name of the Kerberos credentials cache file, which should contain a service ticket for kadmin/ADMINHOST (where ADMINHOST is the fully qualified hostname of the admin server) or for the kadmin/admin service. If this flag is not specified, the user is prompted for the principal's password when logging in to the Kerberos admin interface. This flag cannot be specified in conjunction with the -kadmin-keytab flag.
To update the Kerberos principal password manually instead, follow these steps:
- Use the kadmin.local utility to change the service principal password:
    kadmin.local: cpw nosql/myhost
    Enter password for principal nosql/myhost@EXAMPLE.COM
    Re-enter password for principal nosql/myhost@EXAMPLE.COM
- Regenerate the keytab file for the Oracle NoSQL Database service principal. The -norandkey option (available only in kadmin.local) writes the key derived from the password just set instead of randomizing it, so the keytab stays in step with the new password:
    kadmin.local: ktadd -norandkey -k new.keytab nosql/myhost@EXAMPLE.COM
- Copy the new keytab file for the Oracle NoSQL Database service principal to each Storage Node. For example:
    scp new.keytab kvuser@mystore:KVROOT/security/store.keytab ...
- Validate the keytab file by comparing the key version number (kvno) reported by the KDC with the one stored in the keytab; every entry in the keytab should carry the current kvno:
    kadmin.local: getprinc nosql/myhost@EXAMPLE.COM
    Principal: nosql/myhost@EXAMPLE.COM
    Expiration date: [never]
    Last password change: Thu Jun 04 03:16:38 UTC 2015
    Password expiration date: [none]
    Maximum ticket life: 1 day 00:00:00
    Maximum renewable life: 0 days 00:00:00
    Last modified: Thu Jun 04 03:16:38 UTC 2015 (root/admin@ORACLE.EXAMPLE.COM)
    Last successful authentication: [never]
    Last failed authentication: [never]
    Failed password attempts: 0
    Number of keys: 4
    Key: vno 12, aes256-cts-hmac-sha1-96
    Key: vno 12, aes128-cts-hmac-sha1-96
    Key: vno 12, des3-cbc-sha1
    Key: vno 12, arcfour-hmac
    MKey: vno 1
    Attributes:
    Policy: [none]
    kadmin.local: quit
    # klist -k new.keytab
    KVNO Principal
    ---- ------------------------
      12 nosql/myhost@EXAMPLE.COM
      12 nosql/myhost@EXAMPLE.COM
      12 nosql/myhost@EXAMPLE.COM
      12 nosql/myhost@EXAMPLE.COM
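The four manual steps above as one script, added here as an example that is not part of the Oracle NoSQL Database documentation. Its main point is the validation step: instead of eyeballing the getprinc and klist output, it parses both and refuses to distribute a keytab whose entries do not all carry the kvno the KDC currently reports (ktadd appends to an existing keytab, so a reused new.keytab can silently keep stale entries). The principal, keytab name, KVROOT path, host list and the sample outputs are constructed for the example; rotate_keytab is only meant to be invoked on a host with kadmin.local.

```shell
#!/bin/sh
# Added example (not from the Oracle NoSQL Database documentation): manual keytab
# rotation with a scripted kvno check. PRINC, KEYTAB, KVROOT, STORAGE_NODES and
# the SAMPLE_* outputs below are constructed/assumed values, not live KDC data.

PRINC="nosql/myhost@EXAMPLE.COM"
KEYTAB="new.keytab"
KVROOT="/var/kvroot"          # assumed KVROOT on the Storage Nodes
STORAGE_NODES="mystore"       # assumed, space separated

NL='
'

# kvno(s) of the principal's keys, read from `kadmin.local getprinc` output on stdin.
# Lines look like "Key: vno 12, aes256-cts-hmac-sha1-96"; the "MKey:" line is not matched.
kdc_kvnos() {
  sed -n 's/^Key: vno \([0-9][0-9]*\),.*/\1/p' | sort -u
}

# kvno(s) recorded for principal $1 in `klist -k` output on stdin.
# Data rows look like "  12 nosql/myhost@EXAMPLE.COM"; header and separator rows do not match.
keytab_kvnos() {
  awk -v p="$1" '$2 == p { print $1 }' | sort -u
}

# Succeeds only when the KDC reports exactly one kvno and the keytab carries only that kvno.
# A keytab that ktadd appended to still lists the old kvno, which shows up as a second value.
kvno_matches() {
  case "$1" in "" | *"$NL"*) return 1 ;; esac
  [ "$1" = "$2" ]
}

# check_keytab PRINC GETPRINC_OUTPUT KLIST_OUTPUT: returns 0 on match, 1 otherwise.
check_keytab() {
  kdc=$(printf '%s\n' "$2" | kdc_kvnos)
  kt=$(printf '%s\n' "$3" | keytab_kvnos "$1")
  if kvno_matches "$kdc" "$kt"; then
    echo "OK: $1 kvno $kdc matches the KDC"
    return 0
  fi
  echo "MISMATCH for $1: KDC kvno [$kdc], keytab kvno(s) [$(printf '%s' "$kt" | tr '\n' ' ')]" >&2
  return 1
}

# Steps 1-4 against a real KDC. Not called in the offline demonstration below.
rotate_keytab() {
  rm -f "$KEYTAB"                                      # never append to an old keytab
  kadmin.local -q "cpw $PRINC" || return 1             # prompts for the new password
  kadmin.local -q "ktadd -norandkey -k $KEYTAB $PRINC" || return 1
  check_keytab "$PRINC" "$(kadmin.local -q "getprinc $PRINC")" "$(klist -k "$KEYTAB")" || return 1
  for h in $STORAGE_NODES; do
    scp "$KEYTAB" "kvuser@$h:$KVROOT/security/store.keytab" || return 1
  done
}

# Constructed sample outputs in the format the manual steps show.
SAMPLE_GETPRINC='Principal: nosql/myhost@EXAMPLE.COM
Number of keys: 4
Key: vno 12, aes256-cts-hmac-sha1-96
Key: vno 12, aes128-cts-hmac-sha1-96
Key: vno 12, des3-cbc-sha1
Key: vno 12, arcfour-hmac
MKey: vno 1'

SAMPLE_KLIST_OK='KVNO Principal
---- ------------------------
  12 nosql/myhost@EXAMPLE.COM
  12 nosql/myhost@EXAMPLE.COM
  12 nosql/myhost@EXAMPLE.COM
  12 nosql/myhost@EXAMPLE.COM'

# The same keytab when ktadd appended to a file that still held a vno 11 entry.
SAMPLE_KLIST_STALE='KVNO Principal
---- ------------------------
  11 nosql/myhost@EXAMPLE.COM
  12 nosql/myhost@EXAMPLE.COM'

# Offline demonstration; on a KDC host run `rotate_keytab` instead.
check_keytab "$PRINC" "$SAMPLE_GETPRINC" "$SAMPLE_KLIST_OK"
check_keytab "$PRINC" "$SAMPLE_GETPRINC" "$SAMPLE_KLIST_STALE" || echo "stale keytab detected, rerun ktadd into a fresh file" >&2
```

The check deliberately treats any extra kvno in the keytab as a failure rather than just confirming the newest one is present: a keytab that still carries the previous key keeps the old password-derived key on every Storage Node it is copied to, which is exactly what the rotation was meant to retire.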
Client-side user principals require similar password rotation: the keytab or credential cache used to log in to the database should be renewed. If the kinit tool is used to create a credential cache, run kdestroy to clear the cached tickets and then re-run kinit to generate a new credential cache. For example:
  # kdestroy -c /tmp/krb5ccache
  # kinit -c /tmp/krb5ccache