Configure Kerberos Authentication

Oracle GoldenGate already supports operating system (OS) level login for Oracle Database. Kerberos authentication is supported on top of this existing OS-level external authentication feature.

To enable Kerberos authentication in Oracle GoldenGate for Oracle Database, the following configuration is assumed to be in place:
  • Kerberos KDC is configured, and Kerberos system is installed locally.

  • Kerberos Principals are configured for externally authenticated Database Users.

  • Kerberos Caches are configured locally for each Kerberos Principal.

  • Oracle Net Services are configured properly.

  • Oracle Server parameter files are configured with Kerberos related settings.

  • Externally authenticated database users are created with proper privileges.

  • TNS_ADMIN environment variable is configured for Oracle GoldenGate.

For the Microservices Architecture, you must first create an alias before you use DBLOGIN:

CONNECT http://localhost:9005 as ggadmin password We1come_$

Using default deployment demo:

ALTER CREDENTIALSTORE ADD USER /@EAST NOPASSWORD ALIAS dbeast

2020-06-22T21:08:33Z  INFO OGG-15102  Credential store created.
2020-06-22T21:08:33Z  INFO OGG-15114  Credential store altered.

INFO CREDENTIALSTORE

Default domain: OracleGoldenGate
  Alias: dbeast
  Userid: /@EAST

DBLOGIN USERIDALIAS dbeast

Successfully logged into database EAST.

Here, EAST is the net service name, the simple name for the database service. Alternatively, a complete connect string (descriptor) can be used instead of the Oracle net service name.

Here's an example of a predefined net service name and connect descriptor mapping:
EAST = (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=db1))
(CONNECT_DATA=(SERVICE_NAME=EAST.regress.rdbms.test.us.oracle.com)))
A valid DBLOGIN command without USERID and password can then be specified as:
DBLOGIN USERID /@EAST

To know more, see the ALTER CREDENTIALSTORE, DBLOGIN USERIDALIAS, and MININGDBLOGIN commands. Also see the USERID | NOUSERID and USERIDALIAS parameters.

On the Oracle GoldenGate side, because the DBLOGIN command carries no user name or password, the Kerberos cache location specified in the SQLNET.ORA file determines which externally authenticated user is used: the default principal of that cache is assumed to be the externally authenticated user for the database login. To log in as a different externally authenticated user, point SQLNET.ORA at a different cache.

For example, observe a Kerberos cache location specified in the client-side SQLNET.ORA file:

SQLNET.KERBEROS5_CONF = /ade/b/3910426782/oracle/work/krb/krb.conf
SQLNET.KERBEROS5_KEYTAB = /ade/b/3910426782/oracle/work/krb/v5srvtab
SQLNET.KERBEROS5_CC_NAME = /ade/b/3910426782/oracle/work/krb/krb.cc
In this example, krb.cc is the Kerberos cache used in this Oracle GoldenGate deployment. If you open the krb.cc cache file with the oklist utility, you can see that its default principal, oratst@US.ORACLE.COM, is the one used as the externally authenticated user:
ade:[ demo_vw2 ] [demo@test02swv krb]$ oklist krb.cc

Kerberos Utilities for Linux: Version 20.0.0.0.0 - Production on 27-JUN-2020 23:59:13

Copyright (c) 1996, 2021 Oracle.  All rights reserved.

Configuration file : /ade/b/3910426782/oracle/work/krb/krb.conf.
Ticket cache: FILE:krb.cc
Default principal: oratst@US.ORACLE.COM

Valid starting     Expires            Service principal
06/27/20 12:12:34  06/28/20 12:12:34  krbtst/US.ORACLE.COM@US.ORACLE.COM
06/27/20 12:12:34  06/28/20 12:12:34  oratst/demo2swv.us.oracle.com@US.ORACLE.COM
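A pre-flight check for the setup described above, added here as an example (not Oracle's or GoldenGate's own code): it parses the three SQLNET.KERBEROS5_* settings and the oklist output format shown on this page, then reports whether the cache's default principal is the expected externally authenticated user and whether a ticket is still unexpired before DBLOGIN is attempted. The sample inputs are copied from the page's example and the function names are this example's own.

```python
"""Pre-flight check for a GoldenGate Kerberos DBLOGIN (added example, not Oracle code).
Parses SQLNET.KERBEROS5_* settings and `oklist <cache>` output as shown on this page."""
import re
from datetime import datetime

# Sample inputs copied from this page's example; treat them as constructed test data.
SQLNET_ORA = """\
SQLNET.KERBEROS5_CONF = /ade/b/3910426782/oracle/work/krb/krb.conf
SQLNET.KERBEROS5_KEYTAB = /ade/b/3910426782/oracle/work/krb/v5srvtab
SQLNET.KERBEROS5_CC_NAME = /ade/b/3910426782/oracle/work/krb/krb.cc
"""
OKLIST_OUTPUT = """\
Ticket cache: FILE:krb.cc
Default principal: oratst@US.ORACLE.COM

Valid starting     Expires            Service principal
06/27/20 12:12:34  06/28/20 12:12:34  krbtst/US.ORACLE.COM@US.ORACLE.COM
06/27/20 12:12:34  06/28/20 12:12:34  oratst/demo2swv.us.oracle.com@US.ORACLE.COM
"""
REQUIRED_KEYS = ("SQLNET.KERBEROS5_CONF", "SQLNET.KERBEROS5_KEYTAB", "SQLNET.KERBEROS5_CC_NAME")
TS = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"  # oklist timestamp layout, e.g. 06/28/20 12:12:34

def parse_ts(s):
    """Parse an oklist timestamp (MM/DD/YY HH:MM:SS) into a datetime."""
    return datetime.strptime(s, "%m/%d/%y %H:%M:%S")

def parse_sqlnet_kerberos(text):
    """Return {KEY: value} for every SQLNET.KERBEROS5_* parameter in sqlnet.ora text."""
    pairs = re.findall(r"^\s*(SQLNET\.KERBEROS5_\w+)\s*=\s*(\S+)", text, re.I | re.M)
    return {k.upper(): v for k, v in pairs}

def parse_oklist(text):
    """Return (default_principal, [(expires, service_principal), ...]) from oklist output."""
    principal, tickets = None, []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        m = re.match(rf"({TS})\s+({TS})\s+(\S+)", line)  # ticket rows only; header has no digits
        if m:
            tickets.append((parse_ts(m.group(2)), m.group(3)))
    return principal, tickets

def check_login_ready(sqlnet_text, oklist_text, expected_principal, now):
    """Return a list of problems; empty means DBLOGIN /@<service> will use the expected principal."""
    present = parse_sqlnet_kerberos(sqlnet_text)
    problems = [f"{k} missing from sqlnet.ora" for k in REQUIRED_KEYS if k not in present]
    principal, tickets = parse_oklist(oklist_text)
    if principal != expected_principal:
        problems.append(f"cache default principal is {principal}, expected {expected_principal}")
    if not any(expires > now for expires, _ in tickets):
        problems.append("no unexpired ticket in cache")
    return problems
```

In a deployment, feed it the real sqlnet.ora contents and the captured output of `oklist <cache>` instead of the embedded samples.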

Configure Kerberos Authentication with MA

Here are the steps to configure Kerberos authentication from the Admin Client.

Connect to the Administration Service from the Admin Client:

CONNECT http://localhost:9005 DEPLOYMENT oggdep as ggadmin PASSWORD We1come_$

Alter the credential store after connecting to the Administration Service of the deployment oggdep:

ALTER CREDENTIALSTORE ADD USER /@DBEAST NOPASSWORD ALIAS ggeast

Output shows:

2020-06-22T21:08:33Z  INFO OGG-15102  Credential store created.
2020-06-22T21:08:33Z  INFO OGG-15114  Credential store altered.

Run the following command to verify that the credential store was altered successfully:

INFO CREDENTIALSTORE

Output displays the following:

Default domain: OracleGoldenGate
  Alias: ggeast
  Userid: /@DBEAST

When using the MA web UI to create the credential, if the User ID field begins with a / character, then the password is not required. So, in the User ID field, enter /connect_string where connect_string is your connection string.

Here, DBEAST is the net service name, the simple name for the database service. Alternatively, a complete connect string (descriptor) can be used instead of the Oracle net service name.

Here's an example of a predefined net service name and connect descriptor mapping:
DBEAST = (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=db1))
(CONNECT_DATA=(SERVICE_NAME=DBEAST.regress.rdbms.test.example.com)))

Example: Using USERIDALIAS in Parameter File for Kerberos Account

The following example shows how to set the USERIDALIAS values in the parameter file after creating the credential store with Kerberos authentication:
ALTER CREDENTIALSTORE ADD USER /@ggadmin NOPASSWORD ALIAS ggadmin

2020-12-17T21:08:33  INFO    OGG-15102  Credential store created.
2020-12-17T21:08:33  INFO    OGG-15114  Credential store altered.

ALTER CREDENTIALSTORE ADD USER /@ggadmin_mining NOPASSWORD ALIAS ggadmin_mining

2020-12-17T21:09:45  INFO    OGG-15102  Credential store created.
2020-12-17T21:09:45  INFO    OGG-15114  Credential store altered.

INFO CREDENTIALSTORE

Default domain: OracleGoldenGate
  Alias: ggadmin
  Userid: /@ggadmin

Default domain: OracleGoldenGate
  Alias: ggadmin_mining
  Userid: /@ggadmin_mining
After altering the credential store, you can specify the USERIDALIAS options in the parameter file, each on a single line with its DOMAIN:
USERIDALIAS ggadmin DOMAIN OracleGoldenGate
TRANLOGOPTIONS MININGUSERALIAS ggadmin_mining DOMAIN OracleGoldenGate