Before You Begin
This tutorial provides a step-by-step example of how to configure Microsoft Active Directory for Oracle Unified Directory (OUD 12c), Oracle Enterprise User Security (EUS) integration and Kerberos authentication. This tutorial takes approximately 15 minutes to complete.
This is the fourth tutorial in the series Integrating Oracle Unified Directory 12c with Microsoft Active Directory, Oracle Enterprise User Security and Kerberos. Read them sequentially.
- Installing Oracle Unified Directory 12c for Active Directory and EUS Integration
- Configuring OUDSM 12c for EUS
- Configuring an OUD 12c Proxy Server for Active Directory and EUS Integration
- Configuring Active Directory and Database with Kerberos for OUD 12c and EUS Integration
- Configuring Network and Database Connectivity for OUD 12c and EUS
- Configuring Schemas, Roles and Mapping for EUS and OUD 12c
- Testing the EUS, OUD 12c, Active Directory and Kerberos Integration
Background
Oracle EUS enables Oracle Database users to authenticate against identities stored in an LDAP-compliant directory service such as OUD. In this tutorial you configure Microsoft Active Directory as the Kerberos KDC and as the source of the users and groups that EUS will map, then prepare the database and the OUD proxy server to talk to it.
What Do You Need?
- To have completed OBE III: Configuring an OUD 12c Proxy Server for Active Directory and EUS Integration
Create Sample Users and Groups in Microsoft Active Directory
In this section you create a number of sample users and groups under `cn=users,dc=example,dc=com` and `ou=groups,dc=example,dc=com`. First you create an OUD administration user `cn=eusadmin,cn=Users,dc=example,dc=com`. Then you create a number of users and groups, and assign the users to the groups as follows. These users will be used to log in to the database with EUS and Kerberos in a later tutorial:

UserID | Groups | Password
---|---|---
user.0 | [no group] | Welcome1
user.1 | ora_connect, ora_resource | Welcome1
user.2 | ora_connect, ora_dba | Welcome1
1. On the Microsoft Active Directory server, load Server Manager and select Tools > Active Directory Users and Computers.
2. In Active Directory Users and Computers, in the left hand navigation menu, expand example.com and right click on Users. Select New > User.
3. In the New Object - User window enter `eusadmin` in the First name and User logon name fields. Click Next.
4. In the Password and Confirm Password fields enter `Welcome1`. Deselect User must change password at next logon. Click Next and then Finish.
5. Repeat steps 2-4 and create the users `user.0`, `user.1` and `user.2`.
6. Double click `user.0` and in the properties select the Account tab. In Account options, check the following boxes and click OK:
   - This account supports Kerberos AES 128 bit encryption
   - This account supports Kerberos AES 256 bit encryption
   - Do not require Kerberos preauthentication

   Note: disabling pre-authentication lets anyone who can reach the KDC request an AS-REP for the account and attempt to crack its password offline (AS-REP roasting). Enable it only where the client stack genuinely requires it, and do not reuse the sample password outside a lab.
7. Repeat step 6 for `user.1` and `user.2`.
8. In the left hand navigation menu, right click on Groups. Select New > Group.
9. In the New Object - Group window enter `ora_connect` in the Group name field. Ensure Group scope: Global and Group type: Security are selected. Click OK.
10. Repeat steps 8-9 and create the groups `ora_resource` and `ora_dba`.
11. Under Groups, double click `ora_connect`. In the Members tab, click Add. In the Enter the object names to select field, enter `user.1` and click Check Names. Select `user.1 (user1@example.com)` and click OK. Repeat and add `user.2` to the group. Click OK.
12. Under Groups, double click `ora_resource`. In the Members tab, click Add. In the Enter the object names to select field, enter `user.1` and click Check Names. Select `user.1 (user1@example.com)` and click OK twice.
13. Under Groups, double click `ora_dba`. In the Members tab, click Add. In the Enter the object names to select field, enter `user.2` and click Check Names. Select `user.2 (user2@example.com)` and click OK twice.
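The same provisioning, scripted. This is an added example and not part of the Oracle tutorial: it assumes the RSAT ActiveDirectory PowerShell module is available on the domain controller, that the `ou=groups,dc=example,dc=com` container already exists, and it uses the tutorial's sample password. The final loop is a check that the memberships and account options came out as the table above says.

```powershell
# Added example (not from the Oracle tutorial): scripted equivalent of the
# Active Directory Users and Computers steps above. Run in an elevated
# PowerShell on the domain controller with the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$domainDn   = 'DC=example,DC=com'
$usersPath  = "CN=Users,$domainDn"
$groupsPath = "OU=groups,$domainDn"        # assumed to exist already
$upnSuffix  = 'example.com'
# Sample password from the tutorial; in real use read it with Read-Host -AsSecureString.
$password   = ConvertTo-SecureString 'Welcome1' -AsPlainText -Force

# Users and the groups each belongs to, taken from the tutorial's table.
$users = [ordered]@{
    'eusadmin' = @()
    'user.0'   = @()
    'user.1'   = @('ora_connect', 'ora_resource')
    'user.2'   = @('ora_connect', 'ora_dba')
}

# Global security groups (Group scope: Global, Group type: Security).
foreach ($g in 'ora_connect', 'ora_resource', 'ora_dba') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'" -SearchBase $groupsPath)) {
        New-ADGroup -Name $g -SamAccountName $g -GroupScope Global `
            -GroupCategory Security -Path $groupsPath
    }
}

# Users: first name and logon name are the same, no forced password change.
foreach ($name in $users.Keys) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$name'")) {
        New-ADUser -Name $name -SamAccountName $name -GivenName $name `
            -UserPrincipalName "$name@$upnSuffix" -Path $usersPath `
            -AccountPassword $password -Enabled $true -ChangePasswordAtLogon $false
    }
    foreach ($g in $users[$name]) {
        Add-ADGroupMember -Identity $g -Members $name
    }
}

# Account options from steps 6-7: AES-only Kerberos keys and no pre-authentication.
# The second setting is what the tutorial selects; it allows AS-REP roasting of
# these accounts, so keep it only where the client really needs it.
foreach ($name in 'user.0', 'user.1', 'user.2') {
    Set-ADUser -Identity $name -KerberosEncryptionType 'AES128,AES256'
    Set-ADAccountControl -Identity $name -DoesNotRequirePreAuth $true
}

# Check: memberships and Kerberos settings as they now stand in AD.
foreach ($name in 'user.0', 'user.1', 'user.2') {
    $u = Get-ADUser $name -Properties MemberOf, KerberosEncryptionType, DoesNotRequirePreAuth
    [pscustomobject]@{
        User      = $name
        Groups    = ($u.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', '
        EncTypes  = $u.KerberosEncryptionType
        NoPreAuth = $u.DoesNotRequirePreAuth
    }
}
```

The script is idempotent for the create steps (existing users and groups are skipped), so it can be re-run after fixing a typo without producing duplicate objects; `Add-ADGroupMember` on an existing member is a no-op.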
Configure Kerberos Principal and Keytab
In this section you configure the Kerberos principal and keytab file for Active Directory.
1. Logon to the Windows domain controller as an administrator. Launch a command prompt and enter the following command to create the user for the database server:

```
dsadd user "cn=db.example.com,cn=users,dc=example,dc=com" -pwd "Welcome1" -samid "db" -display "db" -fn "db" -ln "db" -upn "db.example.com@example.com" -pwdneverexpires yes
```

Note: In this command, the user name to add must be the fully qualified host and domain name of the database server. In this case the host.domain name of the database server is `db.example.com`.

2. In the same command prompt, run the following command to create the Kerberos principal and keytab file:

```
ktpass -princ oracle/db.example.com@EXAMPLE.COM -mapuser EXAMPLE\db -pass Welcome1 -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -kvno 3 -out c:\temp\db.keytab
```

If successful you should see the following output:

```
Targeting domain controller: ad.example.com
Using legacy password setting method
Successfully mapped oracle/db.example.com to db.
Key created.
Output keytab to c:\temp\db.keytab:
Keytab version: 0x502
keysize 84 oracle/db.example.com@EXAMPLE.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x12 (AES256-SHA1) keylength 32 (0xe5b9574306ac870a414f5a4f60c774e0168d84a434f7449fb31d9b6206bb8ea1)
```

Note: The ktpass command uses `oracle` as the service part of the principal name; this is the value the database refers to as the Kerberos service name (`SQLNET.AUTHENTICATION_KERBEROS5_SERVICE` in sqlnet.ora). The `-crypto` parameter is dependent on the policies supported in Active Directory; in some cases `-crypto ALL` may need to be used.

3. Using a secure ftp client or similar, connect as the `oracle` user to the database server, and copy the generated `c:\temp\db.keytab` file to the database `$ORACLE_HOME/network/admin` (`/u01/app/oracle/product/12.1.0/db_1/network/admin`) directory. The keytab contains the service's long-term Kerberos key, so it must be readable only by the `oracle` user (for example mode 600), and the copy left in `c:\temp` should be deleted once it has been transferred.

4. Edit the `C:\Windows\System32\drivers\etc\services` file, change the following and save the file:

FROM ==>

```
kerberos 88/tcp krb5 kerberos-sec #Kerberos
```

TO ==>

```
kerberos 88/tcp kerberos5 krb5 kerberos-sec #Kerberos
```

5. On the Microsoft Active Directory server, load Server Manager and select Tools > Active Directory Users and Computers.
6. In Active Directory Users and Computers, in the left hand navigation menu, expand example.com and click on Users.
7. Double click `db.example.com` and in the properties select the Account tab. In Account options, check the following boxes and click OK:
   - This account supports Kerberos AES 128 bit encryption
   - This account supports Kerberos AES 256 bit encryption
   - Do not require Kerberos preauthentication

   Note: the AES 256 bit option must be enabled on this account because the keytab was generated with `-crypto AES256-SHA1`; without it the KDC will not issue tickets encrypted with the key stored in the keytab. The same AS-REP roasting caveat as for the sample users applies to disabling pre-authentication here.
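The service-account steps of this section as a script, with one check the click-through procedure does not give you. This is an added example, not part of the Oracle tutorial: it assumes the RSAT ActiveDirectory module on the domain controller, keeps the tutorial's names and sample password, and drops the hard-coded `-kvno 3` in favour of comparing the version number ktpass wrote into the keytab with the `msDS-KeyVersionNumber` attribute Active Directory holds for the account, which is exactly the pair the Verify the Database Kerberos Configuration section later compares with `kvno` and `klist -k`.

```powershell
# Added example (not from the Oracle tutorial): scripted equivalent of steps 1-2
# and 5-7 above, run in an elevated PowerShell on the domain controller with the
# RSAT ActiveDirectory module. The kvno cross-check at the end is an addition.
Import-Module ActiveDirectory

$dbHost   = 'db.example.com'          # FQDN of the database server
$realm    = 'EXAMPLE.COM'
$netbios  = 'EXAMPLE'
$samId    = 'db'
$spn      = "oracle/$dbHost"          # "oracle" = SQLNET.AUTHENTICATION_KERBEROS5_SERVICE
$keytab   = 'C:\temp\db.keytab'
$password = 'Welcome1'                # sample password from the tutorial

# Step 1 (dsadd user): one account named after the database host, password never expires.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$samId'")) {
    New-ADUser -Name $dbHost -SamAccountName $samId -DisplayName $samId `
        -GivenName $samId -Surname $samId -UserPrincipalName "$dbHost@example.com" `
        -Path 'CN=Users,DC=example,DC=com' -Enabled $true -PasswordNeverExpires $true `
        -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force)
}

# Steps 5-7 (Account options): AES keys only, matching -crypto AES256-SHA1 below.
# "Do not require Kerberos preauthentication" is what the tutorial selects; it
# exposes the account to AS-REP roasting, so the real password must be long and random.
Set-ADUser -Identity $samId -KerberosEncryptionType 'AES128,AES256'
Set-ADAccountControl -Identity $samId -DoesNotRequirePreAuth $true

# Step 2 (ktpass): -mapuser registers the SPN on the account and rewrites its UPN
# to the principal; -pass (re)sets the password, which bumps the key version in AD.
$out = & ktpass -princ "$spn@$realm" -mapuser "$netbios\$samId" -pass $password `
           -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -out $keytab 2>&1 | Out-String
Write-Output $out

# Cross-check: the "vno N" ktpass wrote into the keytab must equal the version AD
# now stores in msDS-KeyVersionNumber. If they differ, service tickets issued by
# the KDC cannot be decrypted with the keytab, and the kvno / klist -k comparison
# in the Verify section fails.
$keytabKvno = if ($out -match 'vno (\d+)') { [int]$Matches[1] } else { $null }
$adKvno = [int](Get-ADUser $samId -Properties 'msDS-KeyVersionNumber').'msDS-KeyVersionNumber'
if ($keytabKvno -ne $adKvno) {
    Write-Warning "keytab kvno $keytabKvno does not match AD kvno $adKvno; regenerate the keytab with -kvno set so that the two agree"
} else {
    Write-Output "keytab kvno $keytabKvno matches AD kvno $adKvno"
}

# Show what the account ended up with.
Get-ADUser $samId -Properties ServicePrincipalNames, UserPrincipalName, KerberosEncryptionType, DoesNotRequirePreAuth |
    Select-Object SamAccountName, UserPrincipalName, ServicePrincipalNames, KerberosEncryptionType, DoesNotRequirePreAuth

# The keytab is a credential: transfer it to the database server over a secure
# channel (step 3) and remove the local copy afterwards.
```

Running the cross-check here, on the domain controller, catches a version mismatch before the keytab is copied to the database server, which is cheaper than discovering it from a failed `kvno` comparison after the database has been configured.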
Verify the Kerberos Realm in Active Directory
In this section you verify the Kerberos realm in the Active Directory domain.
1. Logon to the Windows domain controller as an administrator. Launch a command prompt and enter the following command:

```
nslookup -type=any _kerberos._tcp
```

If successful you should see something similar to the following:

```
C:\Users\Admin>nslookup -type=any _kerberos._tcp
Server:  localhost
Address:  127.0.0.1

_kerberos._tcp.example.com      SRV service location:
          priority       = 0
          weight         = 100
          port           = 88
          svr hostname   = ad.example.com
ad.example.com  internet address = X.X.X.X
```

The SRV record confirms that DNS advertises `ad.example.com` on port 88 as the KDC for the domain, which is the `kdc` value the database's krb5.conf points at in the next section.
Configure Database for Kerberos
In this section you configure the database to use Kerberos.
1. On the database server, launch a terminal window as `oracle` and create a file called /stage/krb5.conf with the following contents:

```
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 EXAMPLE.COM = {
  kdc = ad.example.com:88
  admin_server = ad.example.com:749
  default_domain = example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
```

2. Run the following command to copy /stage/krb5.conf to the /etc directory and give the root user ownership:

```
sudo cp /stage/krb5.conf /etc/
```

3. Edit the `$ORACLE_HOME/network/admin/sqlnet.ora` file and update it to contain the following information:

```
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT, HOSTNAME)
SQLNET.KERBEROS5_KEYTAB=/u01/app/oracle/product/12.1.0/db_1/network/admin/db.keytab
SQLNET.KERBEROS5_CONF=/etc/krb5.conf
SQLNET.KERBEROS5_CONF_MIT=TRUE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
SQLNET.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5)
```

Note: On Windows database clients, `SQLNET.KERBEROS5_CC_NAME` is also required. Refer to the 12c database documentation for further details.
Verify the Database Kerberos Configuration
In this section you check that the Kerberos configuration is working correctly.
1. Launch a terminal window as `oracle` on the database server, run the following command and enter `orcl` when prompted:

```
. oraenv
```

2. Run the following command to request a Kerberos ticket using the keytab:

```
kinit -k -t /u01/app/oracle/product/12.1.0/db_1/network/admin/db.keytab oracle/db.example.com@EXAMPLE.COM
```

3. Run the following command to make sure a Kerberos ticket was granted successfully:

```
klist
```

If successful you should see output similar to the following:

```
Ticket cache: FILE:/tmp/krb5cc_54321
Default principal: oracle/db.example.com@EXAMPLE.COM

Valid starting     Expires            Service principal
11/22/17 14:10:33  11/23/17 00:11:01  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 11/29/17 14:10:33
```

4. Run the following command to check that the kvno numbers from both commands match:

```
kvno oracle/db.example.com@EXAMPLE.COM
```

If successful you should see similar to the following:

```
oracle/db.example.com@EXAMPLE.COM: kvno = 3
```

Compare the kvno number in the result above with the output from the following command:

```
klist -k /u01/app/oracle/product/12.1.0/db_1/network/admin/db.keytab
```

If successful you should see similar to the following:

```
KVNO Principal
---- --------------------------------------------------------------------------
   3 oracle/db.example.com@EXAMPLE.COM
```

In the above examples the two kvno numbers match, i.e. kvno=3. `kvno` reports the key version the KDC used to encrypt the service ticket, while `klist -k` reports the version of the key stored in the keytab; if they differ the database cannot decrypt tickets the KDC issues for it, so regenerate the keytab file as per Section 2, steps 2-4.

5. Run the following command to destroy the ticket:

```
kdestroy
```
Configure OUD Truststore for Active Directory Certificates
In this section you export the Trusted Root CA certificate for the Active Directory certificate and import it into the OUD Proxy server truststore. This is required so the OUD Proxy Server can establish an SSL connection to Active Directory successfully.
1. On the Active Directory server, launch a command prompt as Administrator, and run the following command to export the Root CA certificate to the file `msadca.crt`:

```
certutil -ca.cert msadca.crt
```

2. Copy the `msadca.crt` file over to the /stage directory of the OUD server.
3. On the OUD server, launch a terminal window as `oracle` and run the following command to import the root CA certificate from the Active Directory server. keytool prints the certificate's owner, issuer and fingerprints before asking; confirm the fingerprint matches the CA certificate you exported (for example with `certutil -dump msadca.crt` on the Active Directory server) and only then enter `yes` when asked "Trust this certificate?".

```
cd /u01/app/oracle/config/oud_instances/oud_proxy/config
keytool -import -alias msad-rootca -trustcacerts -file /stage/msadca.crt -keystore keystore -storepass `cat keystore.pin` -v
```
Next Tutorial
Configuring Network and Database Connectivity for OUD 12c and EUS