tickets that are issued by a Kerberos Key Distribution Center (KDC) on a Windows 2000 domain controller to enable Kerberos authentication with an Oracle database. To configure Kerberos authentication that uses a Windows 2000 domain controller KDC, perform the following tasks:
Table 7–2 Options for the oklist Utility

Option  Description
-f      Show flags with credentials. Relevant flags are:
        ■ I, credential is a ticket-granting ticket
        ■ F, credential is forwardable
        ■ f, credential is forwarded
-c      Specify an alternative credential cache. In UNIX, the default is /tmp/krb5cc_uid. The alternate credential cache can also be specified by using the SQLNET.KERBEROS5_CC_NAME parameter in the sqlnet.ora file.
-k      List the entries in the service table (default /etc/v5srvtab) on UNIX. The alternate service table can also be specified by using the SQLNET.KERBEROS5_KEYTAB parameter in the sqlnet.ora file.
See Also: Chapter 1, "Introduction to Oracle Advanced Security" and Oracle Database Heterogeneous Connectivity User's Guide for information about external authentication
Configuring Interoperability with a Windows 2000 Domain Controller KDC
■ Task 1: Configure an Oracle Kerberos Client to Interoperate with a Windows 2000 Domain Controller KDC
■ Task 2: Configure a Windows 2000 Domain Controller KDC to Interoperate with an Oracle Client
■ Task 3: Configure an Oracle Database to Interoperate with a Windows 2000 Domain Controller KDC
■ Task 4: Obtain an Initial Ticket for the Kerberos/Oracle User
Task 1: Configure an Oracle Kerberos Client to Interoperate with a Windows 2000 Domain Controller KDC
The following steps must be performed on the Oracle Kerberos client.
Step 1: Create the Client Kerberos Configuration Files to Use a Windows Domain Controller KDC
Create the following Kerberos client configuration files that refer to the Windows 2000 domain controller as the Kerberos KDC. In the examples that follow, the Windows 2000 domain controller is running on a node named sales3854.us.example.com.
■ krb.conf file
For example:
    SALES3854.US.EXAMPLE.COM
    SALES3854.US.EXAMPLE.COM sales3854.us.example.com admin server
■ krb5.conf file
For example:
    [libdefaults]
    default_realm=SALES.US.EXAMPLE.COM
    [realms]
    SALES.US.EXAMPLE.COM= {
      kdc=sales3854.us.example.com:88
    }
    [domain_realm]
    .us.example.com=SALES.US.EXAMPLE.COM
■ krb5.realms file
For example:
    us.example.com SALES.US.EXAMPLE.COM
Step 2: Specify the Oracle Configuration Parameters in the sqlnet.ora File
Configuring an Oracle client to interoperate with a Windows 2000 domain controller KDC uses the same sqlnet.ora file parameters that are listed in "Step 1: Configure Kerberos on the Client and on the Database Server" on page 7-4.
Set the following parameters in the sqlnet.ora file on the client:
    SQLNET.KERBEROS5_CONF=pathname_to_Kerberos_configuration_file
    SQLNET.KERBEROS5_CONF_MIT=TRUE
    SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=Kerberos_service_name
    SQLNET.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5)
Step 3: Specify the Listening Port Number
The Windows 2000 domain controller KDC listens on UDP/TCP port 88. Ensure that the system file entry for kerberos5 is set to UDP/TCP port 88 as follows:
For the UNIX environment, ensure that the first kerberos5 entry in the /etc/services file is set to 88.
Task 2: Configure a Windows 2000 Domain Controller KDC to Interoperate with an Oracle Client
The following steps must be performed on the Windows 2000 domain controller.
Step 1: Create the User
Create a new user for the Oracle client in Microsoft Active Directory.
Step 2: Create the Oracle Database Principal
1. Create a new user for the Oracle database in Microsoft Active Directory. For example, if the Oracle database runs on the host sales3854.us.example.com, then use Active Directory to create a user with the user name sales3854.us.example.com and the password oracle.
2. Use the Ktpass command line utility to extract the keytab file with the following syntax:
Ktpass -princ service/hostname@NT-DNS-REALM-NAME -mapuser account -pass password -out keytab.file
Using the database user created in the previous step, the following is an example of Ktpass usage:
C:> Ktpass -princ oracle/[email protected] -mapuser sales3854 -pass oracle -out C:\temp\v5srvtab
This utility is part of the Windows 2000 Support Tools and can be found on the Windows 2000 distribution media in the \support\reskit\netmgmt\security folder.
Note: Ensure that the SQLNET.KERBEROS5_CONF_MIT parameter is set to TRUE because the Windows 2000 operating system is designed to interoperate only with security services that are based on MIT Kerberos version 5.
See Also: Microsoft documentation for information about how to create users in Active Directory.
Note: Do not create a user as host/hostname.dns.com, such as oracle/sales3854.us.example.com, in Active Directory. Microsoft's KDC does not support multipart names like an MIT KDC does. An MIT KDC allows multipart names to be used for service principals because it treats all principals as user names. However, Microsoft's KDC does not.
3. Copy the extracted keytab file to the host computer where the Oracle database is installed.
For example, the keytab that was created in the previous step can be copied to /krb5/v5svrtab.
Task 3: Configure an Oracle Database to Interoperate with a Windows 2000 Domain Controller KDC
The following steps must be performed on the host computer where the Oracle database is installed.
Step 1: Set Configuration Parameters in the sqlnet.ora File
Specify values for the following parameters in the sqlnet.ora file for the database server:
    SQLNET.KERBEROS5_CONF=pathname_to_Kerberos_configuration_file
    SQLNET.KERBEROS5_KEYTAB=pathname_to_Kerberos_principal/key_table
    SQLNET.KERBEROS5_CONF_MIT=TRUE
    SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=Kerberos_service_name
    SQLNET.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5)
Step 2: Create an Externally Authenticated Oracle User
Follow the task information for "Task 9: Create an Externally Authenticated Oracle User" on page 7-8 to create an externally authenticated Oracle user. Ensure that the username is created in all uppercase characters. For example,
Task 4: Obtain an Initial Ticket for the Kerberos/Oracle User
Before a client can connect to the database, the client must request an initial ticket. To request an initial ticket, follow the task information for "Task 10: Get an Initial Ticket for the Kerberos/Oracle User" on page 7-8.
See Also: Detailed information about Windows 2000 interoperability with Kerberos 5 that is available at the following URL:
http://technet.microsoft.com/hi-in/windowsserver/2000/bb735396(en-us).aspx
See Also: "Task 7: Configure Kerberos Authentication" on page 7-4 for information about using Oracle Net Manager to set the sqlnet.ora file parameters.
Note: The user does not need to explicitly request for an initial ticket, using the okinit command, when using the Windows native cache. If the Oracle client is running on Windows 2000 or later, the Kerberos ticket is automatically retrieved when the user logs in to Windows.
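The tasks above leave several settings that are easy to get wrong (SQLNET.KERBEROS5_CONF_MIT, the keytab parameter on the database host, the KDC port and the first kerberos5 entry in /etc/services). The following script, added here as an example and not part of Oracle's documentation or software, audits constructed sample copies of sqlnet.ora, krb5.conf and /etc/services against those requirements; the file contents and the service name oracle are assumptions.

```python
# Added example, not Oracle's code: audit the sqlnet.ora, krb5.conf and /etc/services
# settings this chapter requires for a Windows 2000 domain controller KDC.
# The three samples below are constructed from the chapter's own values.
import re
SQLNET_ORA = """
SQLNET.KERBEROS5_CONF=/krb5/krb5.conf
SQLNET.KERBEROS5_KEYTAB=/krb5/v5srvtab
SQLNET.KERBEROS5_CONF_MIT=TRUE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
SQLNET.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5)
"""
KRB5_CONF = "[libdefaults]\ndefault_realm=SALES.US.EXAMPLE.COM\n[realms]\n" \
            "SALES.US.EXAMPLE.COM= { kdc=sales3854.us.example.com:88 }\n"
SERVICES = "kerberos5  88/udp  kerberos\nkerberos5  88/tcp  kerberos\n"

def parse_sqlnet(text):
    """Map NAME=value lines of a sqlnet.ora file (comments stripped) to upper-case names."""
    params = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0]
        if '=' in line:
            key, value = line.split('=', 1)
            params[key.strip().upper()] = value.strip()
    return params

def kdc_ports(krb5_text):
    # Port of every kdc= entry; Kerberos defaults to 88 when no port is written
    return [int(m.group(1) or 88)
            for m in re.finditer(r'kdc\s*=\s*[^:\s}]+(?::(\d+))?', krb5_text)]

def first_kerberos5_port(services_text):
    # Only the first kerberos5 line counts, as Step 3 of Task 1 states
    ports = [f[1].split('/')[0] for f in map(str.split, services_text.splitlines())
             if f[:1] == ['kerberos5']]
    return int(ports[0]) if ports else None

def audit(sqlnet_text, krb5_text, services_text, server=False):
    """Return the failed checks; an empty list means the configuration passes."""
    p = parse_sqlnet(sqlnet_text)
    required = ['SQLNET.KERBEROS5_CONF', 'SQLNET.AUTHENTICATION_KERBEROS5_SERVICE']
    if server:  # the database host also needs the keytab extracted with Ktpass
        required.append('SQLNET.KERBEROS5_KEYTAB')
    checks = [(p.get(k), k + ' is not set') for k in required] + [
        (p.get('SQLNET.KERBEROS5_CONF_MIT', '').upper() == 'TRUE',
         'SQLNET.KERBEROS5_CONF_MIT must be TRUE for a Windows 2000 KDC'),
        ('KERBEROS5' in p.get('SQLNET.AUTHENTICATION_SERVICES', '').upper(),
         'SQLNET.AUTHENTICATION_SERVICES does not list KERBEROS5'),
        (all(port == 88 for port in kdc_ports(krb5_text)),
         'a kdc entry in krb5.conf does not use port 88'),
        (first_kerberos5_port(services_text) == 88,
         'first kerberos5 entry in /etc/services is not port 88')]
    return [msg for ok, msg in checks if not ok]
```

Run audit() with server=True on the database host and with the default on the client, since only the database side requires SQLNET.KERBEROS5_KEYTAB.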