Configuring Active Directory and Database with Kerberos for OUD 12c and EUS Integration

Before You Begin

This tutorial provides a step-by-step example of how to configure Microsoft Active Directory for Oracle Unified Directory (OUD 12c), Oracle Enterprise User Security (EUS) integration and Kerberos authentication. This tutorial takes approximately 15 minutes to complete.

This is the fourth tutorial in the series Integrating Oracle Unified Directory 12c with Microsoft Active Directory, Oracle Enterprise User Security and Kerberos. Read them sequentially.

Background

Oracle EUS enables Oracle Database users to authenticate against identities stored in an LDAP-compliant directory service such as OUD. In this tutorial you configure Microsoft Active Directory.

What Do You Need?

Section 1: Create Sample Users and Groups in Microsoft Active Directory

In this section you create a number of sample users and groups under cn=users,dc=example,dc=com and ou=groups,dc=example,dc=com. First you create an OUD administration user cn=eusadmin,cn=Users,dc=example,dc=com. Then you create a number of users and groups, and assign the users to the groups as follows. These users will be used to log in to the database with EUS and Kerberos in a later tutorial:

UserID   Groups                     Password
user.0   (no group)                 Welcome1
user.1   ora_connect, ora_resource  Welcome1
user.2   ora_connect, ora_dba       Welcome1

  1. On the Microsoft Active Directory server, load Server Manager and select Tools > Active Directory Users and Computers.
  2. In Active Directory Users and Computers, in the left hand navigation menu, expand example.com and right click on Users. Select New > User.
  3. In the New Object - User window enter eusadmin in the First name and User logon name fields. Click Next.
  4. In the Password and Confirm Password field enter Welcome1. Deselect User must change password at next logon. Click Next and then Finish.
  5. Repeat steps 2-4 and create the users user.0, user.1 and user.2.
  6. Double click user.0 and in the properties select the Account tab. In Account Options, check the following boxes and click OK:

    • This account supports Kerberos AES 128 bit encryption
    • This account supports Kerberos AES 256 bit encryption
    • Do not require Kerberos preauthentication
    Note: The two AES boxes set the account's msDS-SupportedEncryptionTypes attribute so that the KDC issues AES keys for the account rather than RC4. Clearing the preauthentication requirement lets anyone who can reach the KDC obtain an AS-REP for the account and attempt to crack the password offline (AS-REP roasting), so keep these sample accounts and their Welcome1 passwords confined to the lab.
  7. Repeat step 6 for user.1 and user.2.
  8. In the left hand navigation menu, right click on Groups. Select New > Group.
  9. In the New Object - Group window enter ora_connect in the Group Name field. Ensure Group Scope: Global and Group Type: Security are selected. Click OK.
  10. Repeat steps 8-9 and create the groups ora_resource and ora_dba.
  11. Under Groups, double click ora_connect. In the Members tab, click Add. In the Enter the object names to select field, enter user.1 and click Check Names. Select user.1 (user.1@example.com) and click OK. Repeat and add user.2 to the group. Click OK.
  12. Under Groups, double click ora_resource. In the Members tab, click Add. In the Enter the object names to select field, enter user.1 and click Check Names. Select user.1 (user.1@example.com) and click OK twice.
  13. Under Groups, double click ora_dba. In the Members tab, click Add. In the Enter the object names to select field, enter user.2 and click Check Names. Select user.2 (user.2@example.com) and click OK twice.
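The three checkboxes in step 6 are not cosmetic: the two AES boxes set bits in the account's msDS-SupportedEncryptionTypes attribute (0x8 for AES128, 0x10 for AES256) and the preauthentication box sets the DONT_REQ_PREAUTH bit (0x400000) in userAccountControl. The following Python script, added here as an example and not part of the Oracle tutorial, decodes those two attributes from an LDIF-style dump of the kind ldapsearch or Get-ADUser -Properties would produce, and flags accounts that do not require preauthentication or still advertise RC4/DES. The sample dump and its attribute values are constructed to match the accounts created above.

```python
"""Decode the Kerberos-related account flags set by the checkboxes above.

Added example, not part of the Oracle tutorial.  Parses an LDIF-style dump
(constructed here; the shape ldapsearch or Get-ADUser -Properties gives) and
reports, per account, whether preauthentication is required and which
Kerberos encryption types the account advertises.
"""

# userAccountControl bit set by "Do not require Kerberos preauthentication"
UF_DONT_REQUIRE_PREAUTH = 0x400000

# msDS-SupportedEncryptionTypes bits (the two AES boxes set 0x8 and 0x10)
ENCTYPE_BITS = {
    0x1: "DES_CBC_CRC",
    0x2: "DES_CBC_MD5",
    0x4: "RC4_HMAC",
    0x8: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}

# Constructed sample: user.0 and db.example.com have preauth disabled
# (0x400000 + NORMAL_ACCOUNT 0x200 + DONT_EXPIRE_PASSWORD 0x10000 = 4260352);
# user.1 is a normal account (66048) for contrast.
SAMPLE_LDIF = """\
dn: CN=user.0,CN=Users,DC=example,DC=com
sAMAccountName: user.0
userAccountControl: 4260352
msDS-SupportedEncryptionTypes: 24

dn: CN=user.1,CN=Users,DC=example,DC=com
sAMAccountName: user.1
userAccountControl: 66048
msDS-SupportedEncryptionTypes: 24

dn: CN=db.example.com,CN=Users,DC=example,DC=com
sAMAccountName: db
userAccountControl: 4260352
msDS-SupportedEncryptionTypes: 16
"""


def parse_ldif(text):
    """Split a simple LDIF dump into one dict per blank-line-separated entry."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def decode_enctypes(value):
    """Turn the msDS-SupportedEncryptionTypes bitmask into enctype names."""
    mask = int(value)
    return [name for bit, name in sorted(ENCTYPE_BITS.items()) if mask & bit]


def audit(text):
    """Return one finding per account: preauth status and advertised enctypes."""
    findings = []
    for entry in parse_ldif(text):
        uac = int(entry.get("userAccountControl", "0"))
        enctypes = decode_enctypes(entry.get("msDS-SupportedEncryptionTypes", "0"))
        findings.append({
            "sam": entry["sAMAccountName"],
            "preauth_required": not (uac & UF_DONT_REQUIRE_PREAUTH),
            "enctypes": enctypes,
            # RC4/DES still advertised means the KDC may issue weaker keys
            "legacy_enctypes": [t for t in enctypes if t.startswith(("DES", "RC4"))],
        })
    return findings


def report(text):
    """Render the audit as one line per account with warning flags."""
    lines = []
    for f in audit(text):
        flags = []
        if not f["preauth_required"]:
            flags.append("NO-PREAUTH")        # AS-REP roastable
        if f["legacy_enctypes"]:
            flags.append("LEGACY-ENCTYPE")
        enc = ",".join(f["enctypes"]) or "(attribute unset: KDC default)"
        lines.append(f"{f['sam']:<8} {enc:<48} {' '.join(flags)}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    print(report(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF))
```

Run it with no arguments to see the report for the constructed sample, or pass the path of a real export. Accounts tagged NO-PREAUTH are the ones exposed to AS-REP roasting; LEGACY-ENCTYPE shows accounts for which the AES boxes were not the only ones ticked.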



Section 2: Configure Kerberos Principal and Keytab

In this section you configure the Kerberos principal and keytab file for Active Directory.

  1. Logon to the Windows domain controller as an administrator. Launch a command prompt and enter the following command to create the following user:
    dsadd user "cn=db.example.com,cn=users,dc=example,dc=com" -pwd "Welcome1" -samid "db" -display "db" -fn "db" -ln "db" -upn "db.example.com@example.com" -pwdneverexpires yes
    Note: In this command, the user name to add must be the fully qualified host and domain name of the database server. In this case the host.domain name of the database server is db.example.com.
  2. In the same command prompt, run the following command to create the Kerberos principal and keytab file:
    ktpass -princ oracle/db.example.com@EXAMPLE.COM -mapuser EXAMPLE\db -pass Welcome1 -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -kvno 3 -out c:\temp\db.keytab
    If successful you should see the following output:

    Targeting domain controller: ad.example.com
    Using legacy password setting method
    Successfully mapped oracle/db.example.com to db.
    Key created.
    Output keytab to c:\temp\db.keytab:
    Keytab version: 0x502
    keysize 84 oracle/db.example.com@EXAMPLE.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x12 (AES256-SHA1) keylength 32 (0xe5b9574306ac870a414f5a4f60c774e0168d84a434f7449fb31d9b6206bb8ea1)
    Note: The ktpass command adds oracle as the principal name, which the database refers to as the Kerberos service name. The -crypto parameter depends on the encryption types your Active Directory policy allows; in some cases -crypto ALL may need to be used. Because -pass resets the account password, each run of ktpass increments the account's key version (msDS-KeyVersionNumber) in Active Directory, and the -kvno value written into the keytab must match it; Section 5, step 4 verifies this. The last line of the output prints the service's long-term key itself, so do not paste this output into tickets, chat or shared logs.
  3. Using a secure ftp client or similar, connect as the oracle user to the database server and copy the generated c:\temp\db.keytab file to the database $ORACLE_HOME/network/admin (/u01/app/oracle/product/12.1.0/db_1/network/admin) directory. The keytab holds the service's long-term key, so make sure it is owned by oracle and readable by no one else (chmod 600 db.keytab).
  4. Edit the C:\Windows\System32\drivers\etc\services file, change the following and save the file:
    FROM ==>   
    kerberos 88/tcp krb5 kerberos-sec #Kerberos

    TO ==>
    kerberos 88/tcp kerberos5 krb5 kerberos-sec #Kerberos
  5. On the Microsoft Active Directory server, load Server Manager and select Tools > Active Directory Users and Computers.
  6. In Active Directory Users and Computers, in the left hand navigation menu, expand example.com and click on Users.
  7. Double click db.example.com and in the properties select the Account tab. In Account Options, check the following boxes and click OK:

    • This account supports Kerberos AES 128 bit encryption
    • This account supports Kerberos AES 256 bit encryption
    • Do not require Kerberos preauthentication



Section 3: Verify the Kerberos Realm in Active Directory

In this section you verify the Kerberos realm in the Active Directory domain.

  1. Logon to the Windows domain controller as an administrator. Launch a command prompt and enter the following command (the unqualified name resolves here because the domain controller's DNS suffix search list appends example.com; from another host query _kerberos._tcp.example.com):
    nslookup -type=any _kerberos._tcp
    If successful you should see something similar to the following:
    C:\Users\Admin>nslookup -type=any _kerberos._tcp
    Server: localhost
    Address: 127.0.0.1

    _kerberos._tcp.example.com SRV service location:
    priority = 0
    weight = 100 port = 88
    svr hostname = ad.example.com
    ad.example.com internet address = X.X.X.X


Section 4: Configure Database for Kerberos

In this section you configure the database to use Kerberos.

  1. On the database server, launch a terminal window as oracle and create a file called /stage/krb5.conf with the following contents:

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

    [realms]
    EXAMPLE.COM = {
      kdc = ad.example.com:88
      admin_server = ad.example.com:749
      default_domain = example.com
    }

    [domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
  2. Run the following command to copy the /stage/krb5.conf to the /etc directory and give root user ownership:
    sudo cp /stage/krb5.conf /etc/
  3. Edit the $ORACLE_HOME/network/admin/sqlnet.ora file and update it to contain the following information:
    NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT, HOSTNAME)

    SQLNET.KERBEROS5_KEYTAB=/u01/app/oracle/product/12.1.0/db_1/network/admin/db.keytab
    SQLNET.KERBEROS5_CONF=/etc/krb5.conf
    SQLNET.KERBEROS5_CONF_MIT=TRUE
    SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
    SQLNET.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5)
    Note: On Windows database clients, SQLNET.KERBEROS5_CC_NAME is also required. Refer to the 12c database documentation for further details.


Section 5: Verify the Database Kerberos Configuration

In this section you check that Kerberos Configuration is working correctly.

  1. Launch a terminal window as oracle on the database server and run the following command and enter orcl when prompted:
    . oraenv
  2. Run the following command to request a Kerberos ticket:
    kinit -k -t /u01/app/oracle/product/12.1.0/db_1/network/admin/db.keytab oracle/db.example.com@EXAMPLE.COM 
  3. Run the command to make sure a Kerberos ticket was granted successfully:
    klist
    If successful you should output similar to the following:
    Ticket cache: FILE:/tmp/krb5cc_54321 
    Default principal: oracle/db.example.com@EXAMPLE.COM 
    
    Valid starting     Expires            Service principal 
    11/22/17 14:10:33  11/23/17 00:11:01  krbtgt/EXAMPLE.COM@EXAMPLE.COM 	
    renew until 11/29/17 14:10:33 
  4. Run the following command to check that the key version number (kvno) the KDC reports for the service principal matches the one stored in the keytab:
    kvno oracle/db.example.com@EXAMPLE.COM
    If successful you should see similar to the following:
    
    oracle/db.example.com@EXAMPLE.COM: kvno = 3
    Compare the kvno number in the result above with the output from the following command:
    klist -k /u01/app/oracle/product/12.1.0/db_1/network/admin/db.keytab
    If successful you should see similar to the following:
    KVNO Principal
    ---- --------------------------------------------------------------------------
    3 oracle/db.example.com@EXAMPLE.COM
    In the above examples the two kvno numbers match (kvno=3). If they don't match, the keytab was cut from a different key version than the one the KDC now holds: regenerate the keytab file as per Section 2, steps 2-3, and copy it to the database server again.
  5. Run the following command to destroy the ticket:
    kdestroy
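The ktpass output in Section 2 (Keytab version 0x502, keysize 84, vno 3, etype 0x12) and the kvno comparison in step 4 above both come down to what is stored inside the keytab file. The following Python script, added here as an example and not part of the Oracle tutorial or of Oracle's tooling, implements the MIT keytab version-2 layout that ktpass writes and klist -k reads, builds a constructed keytab in memory with a dummy 32-byte key (the real file carries the service's long-term AES key derived from the account password, which is why it must stay readable only by oracle), parses it back, and checks that its KVNO equals the number the KDC reports (what kvno oracle/db.example.com@EXAMPLE.COM prints) and that the service part of the principal matches SQLNET.AUTHENTICATION_KERBEROS5_SERVICE in the sqlnet.ora from Section 4. The key bytes and the sqlnet.ora fragment are constructed; the script name keytab_check.py in the usage comment is hypothetical.

```python
"""Parse a Kerberos keytab and cross-check it against the KDC and sqlnet.ora.

Added example, not part of the Oracle tutorial.  Implements the MIT keytab
version-2 (0x0502) layout: 2-byte version, then per entry a signed 32-bit
size followed by component count, realm, components, name type, timestamp,
8-bit kvno, keyblock (enctype, length, key) and an optional 32-bit kvno.
"""
import struct

KRB5_NT_PRINCIPAL = 1
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}


def _counted(data: bytes) -> bytes:
    """16-bit big-endian length prefix followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(body: bytes, off: int):
    (n,) = struct.unpack(">H", body[off:off + 2])
    return body[off + 2:off + 2 + n], off + 2 + n


def build_keytab(principal: str, kvno: int, enctype: int, key: bytes, timestamp: int = 0) -> bytes:
    """Serialise a one-entry keytab; principal is 'service/host@REALM'."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    entry = struct.pack(">H", len(components)) + _counted(realm.encode())
    entry += b"".join(_counted(c.encode()) for c in components)
    entry += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    entry += struct.pack(">HH", enctype, len(key)) + key   # keyblock: the long-term key itself
    return b"\x05\x02" + struct.pack(">i", len(entry)) + entry


def parse_keytab(blob: bytes):
    """Return {principal, kvno, enctype, key_len} for each live entry (key bytes are not returned)."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version-2 (0x0502) keytab")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack(">i", blob[pos:pos + 4])
        body = blob[pos + 4:pos + 4 + abs(size)]
        pos += 4 + abs(size)
        if size < 0:                       # negative size marks a deleted slot
            continue
        (ncomp,) = struct.unpack(">H", body[:2])
        realm, off = _read_counted(body, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _read_counted(body, off)
            comps.append(comp)
        _name_type, _timestamp, vno = struct.unpack(">IIB", body[off:off + 9])
        enctype, klen = struct.unpack(">HH", body[off + 9:off + 13])
        off += 13 + klen                   # skip over the key material
        if len(body) - off >= 4:           # optional 32-bit kvno; non-zero overrides the 8-bit field
            (vno32,) = struct.unpack(">I", body[off:off + 4])
            vno = vno32 or vno
        entries.append({
            "principal": "/".join(c.decode() for c in comps) + "@" + realm.decode(),
            "kvno": vno,
            "enctype": ENCTYPE_NAMES.get(enctype, hex(enctype)),
            "key_len": klen,
        })
    return entries


def kvno_matches(blob: bytes, principal: str, kdc_kvno: int) -> bool:
    """True if every keytab entry for `principal` carries the KVNO the KDC reports."""
    stored = [e["kvno"] for e in parse_keytab(blob) if e["principal"] == principal]
    return bool(stored) and all(v == kdc_kvno for v in stored)


def sqlnet_params(text: str) -> dict:
    """Minimal KEY=VALUE reader for the sqlnet.ora lines used here (# starts a comment)."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().upper()] = value.strip()
    return params


def service_name_matches(sqlnet_text: str, blob: bytes) -> bool:
    """The 'oracle' in oracle/db.example.com must equal SQLNET.AUTHENTICATION_KERBEROS5_SERVICE."""
    svc = sqlnet_params(sqlnet_text).get("SQLNET.AUTHENTICATION_KERBEROS5_SERVICE")
    entries = parse_keytab(blob)
    return svc is not None and bool(entries) and all(e["principal"].split("/")[0] == svc for e in entries)


PRINCIPAL = "oracle/db.example.com@EXAMPLE.COM"
# Constructed dummy key; a real keytab holds the AES key derived from the account password.
SAMPLE_KEYTAB = build_keytab(PRINCIPAL, kvno=3, enctype=0x12, key=bytes(range(32)))
# Constructed copy of the Kerberos lines from the sqlnet.ora in Section 4.
SAMPLE_SQLNET = """\
SQLNET.KERBEROS5_KEYTAB=/u01/app/oracle/product/12.1.0/db_1/network/admin/db.keytab
SQLNET.KERBEROS5_CONF=/etc/krb5.conf
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
SQLNET.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5)
"""

if __name__ == "__main__":
    import sys
    # usage (hypothetical name): keytab_check.py [db.keytab] [kvno-from-kdc] [sqlnet.ora]
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    kdc_kvno = int(sys.argv[2]) if len(sys.argv) > 2 else 3
    sqlnet = open(sys.argv[3]).read() if len(sys.argv) > 3 else SAMPLE_SQLNET
    for e in parse_keytab(blob):
        print(f"kvno={e['kvno']:<3} {e['enctype']:<26} keylen={e['key_len']:<3} {e['principal']}")
    print("kvno matches KDC:", kvno_matches(blob, PRINCIPAL, kdc_kvno))
    print("service name matches sqlnet.ora:", service_name_matches(sqlnet, blob))
```

Run with no arguments to check the constructed sample; on a live installation pass the real db.keytab path, the number printed by kvno, and the sqlnet.ora path. The entry for oracle/db.example.com@EXAMPLE.COM serialises to 84 bytes, the same keysize ktpass printed in Section 2, which is a quick sanity check that the layout is being read correctly. The parser deliberately returns the key length rather than the key bytes, so its output can be shared when troubleshooting.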


Section 6: Configure OUD Truststore for Active Directory Certificates

In this section you export the Trusted Root CA Certificate for the Active Directory certificate and import it into the OUD Proxy server truststore. This is required so OUD Proxy Server can establish an SSL connection to Active Directory successfully.

  1. On the Active Directory server, launch a command prompt as Administrator, and run the following command to export the Root CA certificate to the file msadca.crt:
    certutil -ca.cert msadca.crt
  2. Copy the msadca.crt file over to the /stage directory of the OUD server.
  3. On the OUD server, launch a terminal window as oracle and run the following command to import the root CA certificate from the Active Directory server. Before answering yes when asked "Trust this certificate", confirm that the certificate fingerprint keytool prints matches the fingerprint of the CA certificate on the Active Directory server, so that you are not trusting a certificate substituted in transit.
    cd /u01/app/oracle/config/oud_instances/oud_proxy/config
    keytool -import -alias msad-rootca -trustcacerts -file /stage/msadca.crt -keystore keystore -storepass `cat keystore.pin`  -v


Next Tutorial

Configuring Network and Database Connectivity for OUD 12c and EUS