20 Configuring Kerberos Authentication
For Classic Architecture, Kerberos authentication is configured using the DBLOGIN command:
GGSCI> DBLOGIN USERID /@NET_SERVICE_NAME
A valid DBLOGIN command without USERID and password can then be specified as:
GGSCI> DBLOGIN USERID /@cdb1_pdb1
On the Oracle GoldenGate side, if you want to issue the DBLOGIN command with different externally authenticated users, the default Kerberos cache location to use is specified in the SQLNET.ORA file. The default principal in that cache is then assumed to be the externally authenticated user for the database login.
For example, observe a Kerberos cache location specified in the client-side SQLNET.ORA file:
SQLNET.KERBEROS5_CONF = /ade/b/3910426782/oracle/work/krb/krb.conf
SQLNET.KERBEROS5_KEYTAB = /ade/b/3910426782/oracle/work/krb/v5srvtab
SQLNET.KERBEROS5_CC_NAME = /ade/b/3910426782/oracle/work/krb/krb.cc
In this example, krb.cc is the Kerberos cache used in this Oracle GoldenGate deployment. If you open the krb.cc cache file with the oklist utility, you can see that the default principal is used as the externally authenticated user oratst@US.ORACLE.COM.
OS>[ demo_vw2 ] [demo@test02swv krb]$ oklist krb.cc
Kerberos Utilities for Linux: Version 21.1.0.0.0 - Production on 27-JUN-2020 23:59:13
Copyright (c) 1996, 2021 Oracle. All rights reserved.
Configuration file : /ade/b/3910426782/oracle/work/krb/krb.conf.
Ticket cache: FILE:krb.cc
Default principal: oratst@US.ORACLE.COM
Valid starting     Expires            Service principal
06/27/20 12:12:34  06/28/20 12:12:34  krbtst/US.ORACLE.COM@US.ORACLE.COM
06/27/20 12:12:34  06/28/20 12:12:34  oratst/demo2swv.us.oracle.com@US.ORACLE.COM
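A pre-login check of the identity the cache will present, written as an added example (not Oracle GoldenGate or Oracle Database code): it reads the SQLNET.ORA text for SQLNET.KERBEROS5_CC_NAME and the oklist output for the default principal and ticket validity. The function names, the expected-principal argument and the embedded sample text (constructed from the listings above) are assumptions of this example, and the validity test only confirms that at least one ticket in the cache is inside its time window.

```python
import re
from datetime import datetime

# Constructed sample inputs, shaped like the sqlnet.ora and oklist listings above.
SQLNET_ORA = "SQLNET.KERBEROS5_CC_NAME = /ade/b/3910426782/oracle/work/krb/krb.cc\n"
OKLIST_OUTPUT = """\
Default principal: oratst@US.ORACLE.COM
Valid starting Expires Service principal
06/27/20 12:12:34 06/28/20 12:12:34 krbtst/US.ORACLE.COM@US.ORACLE.COM
06/27/20 12:12:34 06/28/20 12:12:34 oratst/demo2swv.us.oracle.com@US.ORACLE.COM
"""
STAMP = r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"
TICKET = re.compile(rf"^{STAMP}\s+{STAMP}\s+(\S+)$")

def parse_sqlnet(text):
    """Return {PARAMETER: value} for NAME = value lines, ignoring # comments."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.split("#", 1)[0].partition("=")
        if sep:
            params[name.strip().upper()] = value.strip()
    return params

def parse_oklist(text):
    """Return (default principal, [(start, expires, service principal), ...])."""
    principal, tickets = None, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        elif (m := TICKET.match(line)):
            start, end = (datetime.strptime(s, "%m/%d/%y %H:%M:%S") for s in m.group(1, 2))
            tickets.append((start, end, m.group(3)))
    return principal, tickets

def check_login_identity(sqlnet, oklist, expected, now):
    """List reasons DBLOGIN USERID /@... would not authenticate as `expected`."""
    problems = []
    if "SQLNET.KERBEROS5_CC_NAME" not in parse_sqlnet(sqlnet):
        problems.append("SQLNET.KERBEROS5_CC_NAME is not set")
    principal, tickets = parse_oklist(oklist)
    if principal != expected:
        problems.append(f"default principal is {principal}, expected {expected}")
    if not any(start <= now < end for start, end, _ in tickets):
        problems.append("no ticket is valid at the checked time")
    return problems

if __name__ == "__main__":
    when = datetime(2020, 6, 27, 23, 59, 13)  # timestamp of the oklist run above
    print(check_login_identity(SQLNET_ORA, OKLIST_OUTPUT, "oratst@US.ORACLE.COM", when))
```

An empty list means the cache named in SQLNET.ORA holds a currently valid ticket for the principal you expect to log in as; run it before switching DBLOGIN between externally authenticated users.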
To learn more, see the ALTER CREDENTIALSTORE, DBLOGIN, and MININGDBLOGIN commands. Also see the USERID | NOUSERID and USERIDALIAS parameters.