Oracle Advanced Security, which complies with MIT Kerberos, can interoperate with tickets that are issued by a Kerberos Key Distribution Center (KDC) on a Windows 2000 domain controller to enable Kerberos authentication with an Oracle database. To configure Kerberos authentication that uses a Windows 2000 domain controller KDC, perform the following tasks:
■ Task 1: Configuring an Oracle Kerberos Client to Interoperate with a Windows 2000 Domain Controller KDC
■ Task 2: Configuring a Windows 2000 Domain Controller KDC to Interoperate with an Oracle Client
■ Task 3: Configuring an Oracle Database to Interoperate with a Windows 2000 Domain Controller KDC
■ Task 4: Getting an Initial Ticket for the Kerberos/Oracle User
See Also: Chapter 1, "Introduction to Oracle Advanced Security", for information about external authentication, and Oracle Database Heterogeneous Connectivity Administrator's Guide
Task 1: Configuring an Oracle Kerberos Client to Interoperate with a Windows 2000 Domain Controller KDC
The following steps must be performed on the Oracle Kerberos client.
Step 1: Creating Client Kerberos Configuration Files to Use a Windows Domain Controller KDC
Create the following Kerberos client configuration files that refer to the Windows 2000 domain controller as the Kerberos KDC. In the examples that follow, the Windows 2000 domain controller is running on a node named sales3854.us.acme.com.

■ krb.conf file
For example:
SALES3854.US.ACME.COM
SALES3854.US.ACME.COM sales3854.us.acme.com admin server

■ krb5.conf file
For example:
[libdefaults]
default_realm=SALES.US.ACME.COM
[realms]
SALES.US.ACME.COM= {
kdc=sales3854.us.acme.com:88
}
[domain_realm]
.us.acme.com=SALES.US.ACME.COM

■ krb5.realms file
For example:
us.acme.com SALES.US.ACME.COM
Step 2: Specifying Oracle Configuration Parameters in the sqlnet.ora File
Configuring an Oracle client to interoperate with a Windows 2000 domain controller KDC uses the same sqlnet.ora file parameters that are listed in "Step 1: Configure Kerberos on the Client and on the Database Server" on page 6-5.
Set the following parameters in the sqlnet.ora file on the client:
SQLNET.KERBEROS5_CONF=pathname_to_Kerberos_configuration_file
SQLNET.KERBEROS5_CONF_MIT=TRUE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=Kerberos_service_name
SQLNET.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5)
Step 3: Specifying the Listening Port Number
The Windows 2000 domain controller KDC listens on UDP/TCP port 88. Ensure that the system file entry for kerberos5 is set to UDP/TCP port 88 as follows:
■ (UNIX) Ensure that the kerberos5 entry in the /etc/services file is set to 88.
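The three client-side files from Steps 1 to 3 have to agree with each other and with the domain controller. As an added example (not part of Oracle's documentation or software), the following Python parses the krb5.conf example from Step 1, a sqlnet.ora fragment and the kerberos5 lines of /etc/services, and reports the mismatches this procedure warns about: a KDC port other than 88, SQLNET.KERBEROS5_CONF_MIT not set to TRUE, and KERBEROS5 missing from SQLNET.AUTHENTICATION_SERVICES. The file contents are constructed sample input; the path /krb5/krb5.conf and the service name oracle are assumptions.

```python
"""Check the client-side Kerberos settings from Task 1 against each other.
Added example; the file contents below are constructed sample input."""
import re

# Constructed sample krb5.conf, following the example in Step 1.
KRB5_CONF = """\
[libdefaults]
default_realm=SALES.US.ACME.COM
[realms]
SALES.US.ACME.COM= {
kdc=sales3854.us.acme.com:88
}
[domain_realm]
.us.acme.com=SALES.US.ACME.COM
"""

# Constructed sqlnet.ora fragments: one correct, one with CONF_MIT not TRUE
# and KERBEROS5 left out of the authentication services.
SQLNET_OK = """\
SQLNET.KERBEROS5_CONF=/krb5/krb5.conf
SQLNET.KERBEROS5_CONF_MIT=TRUE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
SQLNET.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5)
"""
SQLNET_BAD = """\
SQLNET.KERBEROS5_CONF=/krb5/krb5.conf
SQLNET.KERBEROS5_CONF_MIT=FALSE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
SQLNET.AUTHENTICATION_SERVICES=(BEQ)
"""

# Constructed /etc/services lines (Step 3 requires kerberos5 on port 88).
SERVICES_OK = "kerberos5 88/udp\nkerberos5 88/tcp\n"
SERVICES_BAD = "kerberos5 750/udp\n"


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: [values]}}; a 'key = {' line opens a nested dict."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            stack = [root.setdefault(m.group(1), {})]
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value.startswith("{"):
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1].setdefault(key, []).append(value)
    return root


def parse_sqlnet_ora(text):
    """Parse NAME=value lines of sqlnet.ora into a dict keyed by upper-cased name."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            name, _, value = line.partition("=")
            params[name.strip().upper()] = value.strip()
    return params


def check_client_config(krb5_text, sqlnet_text, services_text):
    """Return a list of problems; an empty list means the three files agree with Task 1."""
    issues = []
    krb = parse_krb5_conf(krb5_text)
    realm = krb.get("libdefaults", {}).get("default_realm", [None])[0]
    if realm is None:
        issues.append("krb5.conf: no default_realm in [libdefaults]")
    else:
        kdcs = krb.get("realms", {}).get(realm, {}).get("kdc", [])
        if not kdcs:
            issues.append(f"krb5.conf: no kdc entry for realm {realm}")
        for kdc in kdcs:
            host, _, port = kdc.partition(":")
            if port and port != "88":
                issues.append(f"krb5.conf: kdc {host} uses port {port}; the Windows 2000 KDC listens on 88")
        mapped = {r for values in krb.get("domain_realm", {}).values() for r in values}
        if realm not in mapped:
            issues.append(f"krb5.conf: no [domain_realm] mapping onto {realm}")

    sq = parse_sqlnet_ora(sqlnet_text)
    if sq.get("SQLNET.KERBEROS5_CONF_MIT", "").upper() != "TRUE":
        issues.append("sqlnet.ora: SQLNET.KERBEROS5_CONF_MIT must be TRUE for a Windows 2000 KDC")
    services = {s.strip().upper() for s in sq.get("SQLNET.AUTHENTICATION_SERVICES", "").strip("()").split(",")}
    if "KERBEROS5" not in services:
        issues.append("sqlnet.ora: SQLNET.AUTHENTICATION_SERVICES does not include KERBEROS5")
    for name in ("SQLNET.KERBEROS5_CONF", "SQLNET.AUTHENTICATION_KERBEROS5_SERVICE"):
        if not sq.get(name):
            issues.append(f"sqlnet.ora: {name} is not set")

    # Step 3: every kerberos5 line in /etc/services must point at port 88.
    ports = re.findall(r"^kerberos5\s+(\d+)/(?:tcp|udp)", services_text, re.M)
    if not ports:
        issues.append("/etc/services: no kerberos5 entry")
    elif any(p != "88" for p in ports):
        issues.append(f"/etc/services: kerberos5 mapped to {sorted(set(ports))}, expected 88")
    return issues


if __name__ == "__main__":
    for label, sq, sv in (("good", SQLNET_OK, SERVICES_OK), ("bad", SQLNET_BAD, SERVICES_BAD)):
        print(label, check_client_config(KRB5_CONF, sq, sv) or "OK")
```

On a real client, read the three files from disk in place of the constructed strings; the checks are deliberately strict (every kerberos5 line must say 88) so that a stale entry left in /etc/services is reported rather than masked by a correct one.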
Task 2: Configuring a Windows 2000 Domain Controller KDC to Interoperate with an Oracle Client
The following steps must be performed on the Windows 2000 domain controller.
Step 1: Creating the User
Create a new user for the Oracle client in Microsoft Active Directory.
See Also: Microsoft documentation for information about how to create users in Active Directory.
Step 2: Creating the Oracle Database Principal
1. Create a new user for the Oracle database in Microsoft Active Directory.
For example, if the Oracle database runs on the host sales3854.us.acme.com, then use Active Directory to create a user with the username sales3854.us.acme.com and the password oracle.
Note: Ensure that the SQLNET.KERBEROS5_CONF_MIT parameter is set to TRUE because the Windows 2000 operating system is designed to interoperate only with security services that are based on MIT Kerberos version 5.
2. Use the Ktpass command line utility to extract the keytab file with the following syntax:
Ktpass -princ service/hostname@NT-DNS-REALM-NAME -mapuser account -pass password -out keytab.file
Using the database user created in the previous step, the following is an example of Ktpass usage:
C:> Ktpass -princ oracle/[email protected] -mapuser sales3854 -pass oracle -out C:\temp\v5srvtab
This utility is part of the Windows 2000 Support Tools and can be found on the Windows 2000 distribution media in the \support\reskit\netmgmt\security folder.
3. Copy the extracted keytab file to the host computer where the Oracle database is installed.
For example, the keytab that was created in the previous step can be copied to /krb5/v5svrtab.
Note: Do not create a user as host/hostname.dns.com, such as oracle/sales3854.us.acme.com, in Active Directory. Microsoft's KDC does not support multipart names like an MIT KDC does. An MIT KDC allows multipart names to be used for service principals because it treats all principals as usernames. However, Microsoft's KDC does not.
See Also: Detailed information about Windows 2000 interoperability with Kerberos 5 that is available at the following URL:
http://www.microsoft.com/WINDOWS2000/techinfo/planning/security/kerbsteps.asp
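Before the keytab copied in step 3 is referenced from the database server's sqlnet.ora (the SQLNET.KERBEROS5_KEYTAB parameter in Task 3), it is worth confirming that the file actually holds the service principal that was given to Ktpass -princ. The following Python is an added example, not Oracle or Microsoft code: it parses the MIT keytab layout (assumed here to be file version 0x0502, the layout Ktpass-generated keytabs use) and checks for the expected principal. The sample keytab, its key bytes, kvno and enctype are constructed; the realm SALES.US.ACME.COM is taken from the krb5.conf example in Task 1, and the service name oracle from the Ktpass example.

```python
"""Inspect an MIT-format keytab before pointing SQLNET.KERBEROS5_KEYTAB at it.
Added example; the keytab below is constructed, not a real Ktpass output."""
import struct


def _counted(buf, off):
    """Read a uint16-length-prefixed octet string at buf[off:]; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data):
    """Return one dict per live entry: principal, kvno, enctype, timestamp, key length."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # negative size marks a deleted slot to skip
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted(data, off)
        vno = vno8
        if end - off >= 4:                # optional 32-bit kvno overrides the 8-bit one
            (vno,) = struct.unpack_from(">I", data, off)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": vno, "enctype": enctype,
                        "timestamp": timestamp, "key_len": len(key)})
        off = end
    return entries


def build_keytab(entries):
    """Serialise (realm, components, kvno, enctype, key) tuples in the same layout.
    Used here only to construct the sample file."""
    out = bytearray(b"\x05\x02")
    for realm, comps, kvno, enctype, key in entries:
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name type 1 (principal), timestamp 0, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                    # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_keytab(data, service, hostname, realm):
    """Return problems found when the keytab should hold service/hostname@realm; [] if none."""
    issues = []
    entries = parse_keytab(data)
    expected = f"{service}/{hostname}@{realm}"
    present = [e["principal"] for e in entries]
    if expected not in present:
        issues.append(f"{expected} not in keytab (found {present}); the Ktpass -princ value, "
                      "SQLNET.AUTHENTICATION_KERBEROS5_SERVICE and the krb5.conf realm must agree")
    for e in entries:
        if e["key_len"] == 0:
            issues.append(f"{e['principal']}: empty key")
    return issues


# Constructed sample: the service principal from the Ktpass step with a made-up
# 8-byte key, enctype 3 (des-cbc-md5) and kvno 2.
SAMPLE_KEYTAB = build_keytab([
    ("SALES.US.ACME.COM", ["oracle", "sales3854.us.acme.com"], 2, 3, bytes(range(8))),
])

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry)
    print(check_keytab(SAMPLE_KEYTAB, "oracle", "sales3854.us.acme.com", "SALES.US.ACME.COM") or "keytab OK")
```

To inspect the copied file, pass `open("/krb5/v5svrtab", "rb").read()` to check_keytab with the service name from SQLNET.AUTHENTICATION_KERBEROS5_SERVICE, the database host name and the realm from krb5.conf. The kvno reported for each entry is also useful after a password reset on the Active Directory account, which invalidates the key stored in the old keytab.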
Task 3: Configuring an Oracle Database to Interoperate with a Windows 2000 Domain Controller KDC
The following steps must be performed on the host computer where the Oracle database is installed.
Step 1: Setting Configuration Parameters in the sqlnet.ora File
Specify values for the following parameters in the sqlnet.ora file for the database server:
SQLNET.KERBEROS5_CONF=pathname_to_Kerberos_configuration_file
SQLNET.KERBEROS5_KEYTAB=pathname_to_Kerberos_principal/key_table
SQLNET.KERBEROS5_CONF_MIT=TRUE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=Kerberos_service_name
SQLNET.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5)
Step 2: Creating an Externally Authenticated Oracle User
Follow the task information for "Task 9: Create an Externally Authenticated Oracle User" on page 6-10 to create an externally authenticated Oracle user. Ensure that the username is created in all uppercase characters. For example,
Task 4: Getting an Initial Ticket for the Kerberos/Oracle User
Before a client can connect to the database, the client must request an initial ticket. To request an initial ticket, follow the task information for "Task 10: Get an Initial Ticket for the Kerberos/Oracle User" on page 6-11.
Note: Ensure that the SQLNET.KERBEROS5_CONF_MIT parameter is set to TRUE because the Windows 2000 operating system is designed to interoperate only with security services that are based on MIT Kerberos version 5.
See Also: "Task 7: Configure Kerberos Authentication" on page 6-5 for information about using Oracle Net Manager to set the sqlnet.ora file parameters.