F Manually Registering Oracle NoSQL Database Service Principal

The securityconfig tool can create service principals and generate keytabs, provided that each Storage Node can access the Kerberos admin interface remotely. Although this is the typical configuration in most Kerberos deployments, you may want to use a non-standard configuration. In that case, you can manage service principals by using only the kadmin.local or ktutil utility on the KDC host.

To register the Oracle NoSQL Database service principal by using kadmin.local:

  1. Register the service principal:

    kadmin.local: addprinc -randkey nosql/abc.example.com

  2. Extract the keytab file using the ktadd command:

    kadmin.local: ktadd -norandkey -k keytab nosql/abc.example.com

  3. Verify the entries of the generated keytab using the klist tool:

    klist -k -e /tmp/keytab
    Keytab name: FILE:keytab
    KVNO Principal
    ---- ------------------------------------------------
    12   nosql/abc.example.com@EXAMPLE.COM 
                               (AES-128 CTS mode with 96-bit SHA-1 HMAC)
    12   nosql/abc.example.com@EXAMPLE.COM 
                               (AES-256 CTS mode with 96-bit SHA-1 HMAC)

  4. Copy the keytab of the Oracle NoSQL Database server principal to each Storage Node. The default location is under kvroot/security. You need to create the security directory.

  5. Run the makebootconfig or securityconfig utility to complete the rest of the Kerberos security configuration.

To register the Oracle NoSQL Database service principal by using the ktutil utility:

  1. Add principal entries:

    ktutil: add_entry -password -p nosql/abc.example.com -k 1 -e aes128-cts-hmac-sha1-96
    Password for nosql/abc.example.com@EXAMPLE.COM:
    ktutil: add_entry -password -p nosql/abc.example.com -k 1 -e aes256-cts-hmac-sha1-96
    Password for nosql/abc.example.com@EXAMPLE.COM:

  2. Write the current keylist into the keytab file:

    ktutil: write_kt keytab

  3. Verify the entries of the generated keytab using the klist tool:

    klist -k -e /tmp/keytab
    Keytab name: FILE:keytab
    KVNO Principal
    ---- ------------------------------------------------
    12   nosql/abc.example.com@EXAMPLE.COM 
                               (AES-128 CTS mode with 96-bit SHA-1 HMAC)
    12   nosql/abc.example.com@EXAMPLE.COM 
                               (AES-256 CTS mode with 96-bit SHA-1 HMAC)

  4. Copy the keytab of the Oracle NoSQL Database server principal to each Storage Node. The default location is under kvroot/security. You need to create the security directory.

  5. Run the makebootconfig or securityconfig utility to complete the rest of the Kerberos security configuration.
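
The keytab verification in step 3 of both procedures can be scripted so that an incomplete keytab is caught before it is copied to the Storage Nodes. The following is an added example, not part of the Oracle documentation: the function name check_keytab_listing and the sample listing are constructed here, and it assumes klist prints each enctype in parentheses on the entry line or on the line after it, as in the output above.

```shell
#!/usr/bin/env bash
# Added example (not Oracle code): check `klist -k -e` output for one principal.
# Constructed sample input, mirroring the listing format shown on this page.
SAMPLE_LISTING='Keytab name: FILE:keytab
KVNO Principal
---- ------------------------------------------------
  12 nosql/abc.example.com@EXAMPLE.COM
                             (AES-128 CTS mode with 96-bit SHA-1 HMAC)
  12 nosql/abc.example.com@EXAMPLE.COM
                             (AES-256 CTS mode with 96-bit SHA-1 HMAC)'

# Reads a listing on stdin; $1 is the full principal name including the realm.
# Returns 0 only if the principal has AES-128 and AES-256 keys at a single KVNO
# and no other enctype.
check_keytab_listing() {
  awk -v want="$1" '
    # Entry line: a numeric KVNO followed by the principal name.
    $1 ~ /^[0-9]+$/ && NF >= 2 {
      cur = ($2 == want) ? $1 : ""
      if (cur != "") { seen = 1; kvnos[cur] = 1 }
    }
    # Enctype in parentheses, on the entry line or wrapped onto the next line.
    cur != "" && match($0, /\(.*\)/) {
      e = tolower(substr($0, RSTART + 1, RLENGTH - 2))
      gsub(/[^a-z0-9]/, "", e)
      if (e ~ /^aes128/) aes128 = 1
      else if (e ~ /^aes256/) aes256 = 1
      else other[e] = 1
    }
    END {
      if (!seen) { print "FAIL: no entry for " want; exit 1 }
      rc = 0
      if (!aes128) { print "FAIL: missing AES-128 key"; rc = 1 }
      if (!aes256) { print "FAIL: missing AES-256 key"; rc = 1 }
      n = 0; for (k in kvnos) n++
      if (n > 1) { print "FAIL: " n " different KVNOs for " want; rc = 1 }
      for (x in other) { print "FAIL: unexpected enctype " x; rc = 1 }
      if (rc == 0) print "OK: " want " has AES-128 and AES-256 keys at one KVNO"
      exit rc
    }'
}

# Real use: klist -k -e /tmp/keytab | check_keytab_listing nosql/abc.example.com@EXAMPLE.COM
printf '%s\n' "$SAMPLE_LISTING" | check_keytab_listing "nosql/abc.example.com@EXAMPLE.COM"
```

A mixed-KVNO result usually means the keytab was assembled from more than one extraction; regenerate it in a single pass before distributing it.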