20 Configuring Kerberos Authentication
For Classic Architecture, Kerberos authentication is configured using the
DBLOGIN
command:GGSCI> DBLOGIN USERID /@NET_SERVICE_NAMEA valid
DBLOGIN command without USERID and
password can then be specified
as:GGSCI> DBLOGIN USERID /@cdb1_pdb1On the Oracle GoldenGate side, if you want to issue the DBLOGIN command
with different externally authenticated users, the usage of a default Kerberos cache
location is specified in the SQLNET.ORA file. This is then assumed to be
the externally authenticated user for the database login.
For example, observe a Kerberos Cache location specified in the client side
SQLNET.ORA file:
SQLNET.KERBEROS5_CONF = /ade/b/3910426782/oracle/work/krb/krb.conf
SQLNET.KERBEROS5_KEYTAB = /ade/b/3910426782/oracle/work/krb/v5srvtab
SQLNET.KERBEROS5_CC_NAME = /ade/b/3910426782/oracle/work/krb/krb.ccIn this example, the
krb.cc is the Kerberos Cache used in
this Oracle GoldenGate deployment. If you open the krb.cc cache file with
the oklist utility, you can see that the default principal is used as the
externally authenticated user oratst@US.ORACLE.COM.
OS>[ demo_vw2 ] [demo@test02swv krb]$ oklist krb.cc
Kerberos Utilities for Linux: Version 21.1.0.0.0 - Production on 27-JUN-2020 23:59:13
Copyright (c) 1996, 2021 Oracle. All rights reserved.
Configuration file : /ade/b/3910426782/oracle/work/krb/krb.conf.
Ticket cache: FILE:krb.cc
Default principal: oratst@US.ORACLE.COM
Valid starting Expires Service principal
06/27/20 12:12:34 06/28/20 12:12:34 krbtst/US.ORACLE.COM@US.ORACLE.COM
06/27/20 12:12:34 06/28/20 12:12:34 oratst/demo2swv.us.oracle.com@US.ORACLE.COM
To know more, see the ALTER CREDENTIALSTORE, DBLOGIN, and MININGDBLOGIN commands. Also see, USERID | NOUSERID, USERIDALIAS parameters.
Parent topic: Securing Oracle GoldenGate