Using Kerberos Authentication with Oracle Database
This section describes the requirements and configuration necessary to use Kerberos authentication to establish the connection between the AAI server and an Oracle database.
As a system administrator, you can choose to use either a keytab file or cached credentials for this type of authentication.
Prerequisites and Supported Platforms
Use the compatibility matrix to check which platforms are supported for connecting an AAI server to an Oracle database with Kerberos authentication. Also check all relevant AAI components and prerequisites for vendor, version, or setup information. For more information, see Compatibility Information.
Make sure you meet the following prerequisites:
- The AAI and Oracle database computers must be able to access the same Kerberos domain and support Kerberos login.
- The Oracle database must accept Kerberos login.
- An Oracle ojdbc8 driver whose version matches or exceeds the Oracle database version is required. The procedure for installing the Oracle ojdbc8.jar driver is documented in the installation instructions.
- Apart from using the compatibility matrix to find information on supported Java versions and possible dependencies, you can also check your Oracle Java Runtime version with the java --version command on the command line. However, it is also recommended to verify the version in the jaws.log file. For more information, refer to the documentation of your Java vendor.
Before configuring AAI, make sure that you have:
- A user (principal) and keytab on the key distribution center (KDC), if you want to use a keytab file for authentication
- A credential cache file in place, if you want to use cached credentials for authentication
- An AAI database user with the required permissions on the Oracle database
Creating a User (Principal) and keytab on the Key Distribution Center (KDC)
Your security administrator has to create the AAI database user (principal) and the keytab file for that user in the key distribution center (KDC).
The following parameters are used as an example:
- User principal: aaiuser
- Kerberos domain (realm): AAIREALM.COM
- Generated keytab file: aaiuser.keytab, stored in the current working directory
Proceed as follows:
- Create the user principal in the KDC:
  kadmin.local -q "addprinc -pw aaiuser aaiuser@AAIREALM.COM"
- Add the principal to the KDC system keytab:
  kadmin.local -q "ktadd -k /etc/krb5.keytab aaiuser"
- Create a new keytab file containing the user (principal):
  kadmin.local -q "ktadd -k aaiuser.keytab aaiuser"
This keytab file is then transferred to the AAI server.
Creating the Cache File for Kerberos Credentials
Your security administrator has to create the credential cache file so that Kerberos can read credentials from, and store credentials in, the cache without the application having to manage them.
However, if you need to create the file yourself, you can do so using the kinit tool from MIT Kerberos:
Syntax
kinit -c <FILENAME> [PRINCIPAL]
Example
kinit -c krb5cc autosys
Oracle Database Permissions for AAI User
Make sure the AAI database user has the required permissions on the Oracle database.
To do so:
- Log in as the AAI database user from SQL*Plus using Kerberos login.
- Once logged in to SQL*Plus via Kerberos as the AAI database user, issue the following SQL:
  select * from JawsProperties;
This query should return a result set with several rows and no errors.
Configuring the Oracle Database for Kerberos Authentication
To configure the Oracle database connection, do the following:
- Copy the keytab and/or the credential cache file for the AAI database user to the AAI server.
  To preserve the configuration for future upgrades, it is recommended to place the keytab file in the root directory of the AAI installation. Also set the file permissions so that the process owner of the AAI process has read access and the file is not readable by other users or groups on the system.
  Note that the credential cache file expires every day.
- Open the AAI Configuration Tool and enter the appropriate data:
  - DBMS: Oracle
  - Host: fully qualified host name of the Oracle server
  - Port: 1521 (default) or another port per your installation standards for Oracle DB
  - DB name: name of the DB to connect to (SID, PDB name, or service name)
  - User: user principal
  - Kerberos checkbox: select this checkbox
  - Select either Use Keytab File or Use Cached Credentials, depending on which option you want to use.
  - Keytab Path: enter the full path or choose the keytab file using the file chooser
  - Cache Path: enter the full path or choose the credential cache file using the file chooser
- Test the connection and click OK after a successful test.
You can also use the Configuration Tool CLI to define this data; see AAI Database Commands.
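The two caveats in the first step above, that the keytab must be readable only by the AAI process owner and that the credential cache expires every day, are easy to verify before the Configuration Tool connection test. The following POSIX shell script is an added example written for this page; it is not part of the AAI product or its documentation. The file names (aaiuser.keytab, krb5cc), the principal name and the 24-hour freshness threshold are assumptions taken from the examples on this page; adjust them to your installation.

```shell
#!/bin/sh
# Pre-flight checks for the Kerberos files the AAI server reads.
# Added example for this page; not AAI product code. Paths and names are assumed.

# file_mode PATH: print the octal permission bits (e.g. 400); GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_keytab PATH [OWNER] [PRINCIPAL]
# Succeeds (returns 0) only when the keytab exists, is non-empty, is owned by OWNER
# (default: the current user) and grants no permissions to group or others.
# If MIT klist is installed and PRINCIPAL is given, also confirms the principal is in the keytab.
check_keytab() {
    kt=$1
    owner=${2:-$(id -un)}
    [ -s "$kt" ] || { echo "keytab missing or empty: $kt"; return 1; }
    # -prune keeps find on the given path only; -user is POSIX.
    [ -n "$(find "$kt" -prune -user "$owner")" ] || { echo "keytab not owned by $owner: $kt"; return 1; }
    mode=$(file_mode "$kt")
    case "$mode" in
        400|600) ;;
        *) echo "keytab $kt has mode $mode; expected 400 or 600 (owner-only access)"; return 1 ;;
    esac
    if [ -n "$3" ] && command -v klist >/dev/null 2>&1; then
        klist -kt "$kt" | grep -q "$3" || { echo "principal $3 not found in $kt"; return 1; }
    fi
    return 0
}

# check_ccache PATH
# The cached credential file expires every day, so flag a cache file that has not been
# refreshed (with kinit) within the last 24 hours = 1440 minutes.
check_ccache() {
    cc=$1
    [ -s "$cc" ] || { echo "credential cache missing or empty: $cc"; return 1; }
    if [ -n "$(find "$cc" -prune -mmin +1440)" ]; then
        echo "credential cache $cc is older than 24 hours; run kinit again"
        return 1
    fi
    return 0
}

# Usage: aai-krb5-preflight.sh <keytab> [ccache] [owner] [principal]   (script name assumed)
if [ $# -ge 1 ]; then
    check_keytab "$1" "$3" "$4" && echo "keytab OK: $1"
    if [ -n "$2" ]; then
        check_ccache "$2" && echo "credential cache OK: $2"
    fi
fi
```

Run it as the AAI process owner so that the default owner check matches the account that will actually read the files; a non-zero exit from either function names the problem to fix before retrying the connection test.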