Configuring Kerberos Authentication 7-9
Displaying Credentials with the oklist Utility
Run the oklist utility to display the list of tickets held. Available oklist options are listed in Table 7–2.

Table 7–2 Options for the oklist Utility

Option   Description
-f       Show flags with credentials. Relevant flags are:
         ■ I, credential is a ticket-granting ticket
         ■ F, credential is forwardable
         ■ f, credential is forwarded.
-c       Specify an alternative credential cache. In UNIX, the default is /tmp/krb5cc_uid. The alternate credential cache can also be specified by using the SQLNET.KERBEROS5_CC_NAME parameter in the sqlnet.ora file.
-k       List the entries in the service table (default /etc/v5srvtab) on UNIX. The alternate service table can also be specified by using the SQLNET.KERBEROS5_KEYTAB parameter in the sqlnet.ora file.

The show flags option (-f) displays additional information, as shown in the following example:
% oklist -f
27-Jul-1999 21:57:51 28-Jul-1999 05:58:14 krbtgt/[email protected]
Flags: FI

Removing Credentials from the Cache File with the okdstry Utility
Use the okdstry utility to remove credentials from the credentials cache file:
$ okdstry -f
where the -f command option lets you specify an alternative credential cache. For UNIX, the default is /tmp/krb5cc_uid. You can also specify the alternate credential cache by using the SQLNET.KERBEROS5_CC_NAME parameter in the sqlnet.ora file.

Connecting to an Oracle Database Server Authenticated by Kerberos
You can now connect to an Oracle database server without using a user name or password. Enter a command similar to the following:
$ sqlplus /@net_service_name
where net_service_name is an Oracle Net Services service name. For example:
$ sqlplus /@oracle_dbname

See Also: Chapter 1, "Introduction to Oracle Advanced Security" and Oracle Database Heterogeneous Connectivity Administrator's Guide

7-10 Oracle Database Advanced Security Administrator’s Guide
Configuring Interoperability with a Windows 2000 Domain Controller KDC
Oracle Advanced Security, which complies with MIT Kerberos, can interoperate with tickets that are issued by a Kerberos Key Distribution Center (KDC) on a Windows 2000 domain controller to enable Kerberos authentication with an Oracle database. To configure Kerberos authentication that uses a Windows 2000 domain controller KDC, perform the following tasks:
■ Task 1: Configure an Oracle Kerberos Client to Interoperate with a Windows 2000 Domain Controller KDC
■ Task 2: Configure a Windows 2000 Domain Controller KDC to Interoperate with an Oracle Client
■ Task 3: Configure an Oracle Database to Interoperate with a Windows 2000 Domain Controller KDC
■ Task 4: Obtain an Initial Ticket for the Kerberos/Oracle User
Task 1: Configure an Oracle Kerberos Client to Interoperate with a Windows 2000 Domain Controller KDC
The following steps must be performed on the Oracle Kerberos client.
Step 1: Create the Client Kerberos Configuration Files to Use a Windows Domain Controller KDC
Create the following Kerberos client configuration files that refer to the Windows 2000 domain controller as the Kerberos KDC. In the examples that follow, the Windows 2000 domain controller is running on a node named sales3854.us.acme.com.
■ krb.conf file. For example:
SALES3854.US.ACME.COM
SALES3854.US.ACME.COM sales3854.us.acme.com admin server

■ krb5.conf file. For example:
[libdefaults]
default_realm=SALES.US.ACME.COM
[realms]
SALES.US.ACME.COM= {
kdc=sales3854.us.acme.com:88
}
[domain_realm]
.us.acme.com=SALES.US.ACME.COM

■ krb5.realms file. For example:
us.acme.com SALES.US.ACME.COM
Step 2: Specify the Oracle Configuration Parameters in the sqlnet.ora File
Configuring an Oracle client to interoperate with a Windows 2000 domain controller KDC uses the same sqlnet.ora file parameters that are listed in "Step 1: Configure Kerberos on the Client and on the Database Server" on page 7-4.
Set the following parameters in the sqlnet.ora file on the client:
SQLNET.KERBEROS5_CONF=pathname_to_Kerberos_configuration_file
SQLNET.KERBEROS5_CONF_MIT=TRUE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=Kerberos_service_name
SQLNET.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5)
Step 3: Specify the Listening Port Number
The Windows 2000 domain controller KDC listens on UDP/TCP port 88. Ensure that the system file entry for kerberos5 is set to UDP/TCP port 88 as follows:
For the UNIX environment, ensure that the kerberos5 entry in the /etc/services file is set to 88.
Task 2: Configure a Windows 2000 Domain Controller KDC to Interoperate with an Oracle Client
The following steps must be performed on the Windows 2000 domain controller.
Step 1: Create the User
Create a new user for the Oracle client in Microsoft Active Directory.
Step 2: Create the Oracle Database Principal
1. Create a new user for the Oracle database in Microsoft Active Directory.
For example, if the Oracle database runs on the host sales3854.us.acme.com, then use Active Directory to create a user with the user name sales3854.us.acme.com and the password oracle.
2. Use the Ktpass command line utility to extract the keytab file with the following syntax:
Ktpass -princ service/hostname@NT-DNS-REALM-NAME -mapuser account -pass password -out keytab.file
Using the database user created in the previous step, the following is an example of Ktpass usage:
C:> Ktpass -princ oracle/[email protected] -mapuser sales3854 -pass oracle -out C:\temp\v5srvtab
Note: Ensure that the SQLNET.KERBEROS5_CONF_MIT parameter is set to TRUE because the Windows 2000 operating system is designed to interoperate only with security services that are based on MIT Kerberos version 5.
See Also: Microsoft documentation for information about how to create users in Active Directory.
Note: Do not create a user as host/hostname.dns.com, such as oracle/sales3854.us.acme.com, in Active Directory. Microsoft's KDC does not support multipart names like an MIT KDC does. An MIT KDC allows multipart names to be used for service principals because it treats all principals as user names. However, Microsoft's KDC does not.
The Ktpass utility is part of the Windows 2000 Support Tools and can be found on the Windows 2000 distribution media in the \support\reskit\netmgmt\security folder.
3. Copy the extracted keytab file to the host computer where the Oracle database is installed.
For example, the keytab that was created in the previous step can be copied to /krb5/v5svrtab.
Task 3: Configure an Oracle Database to Interoperate with a Windows 2000 Domain Controller KDC
The following steps must be performed on the host computer where the Oracle database is installed.
Step 1: Set Configuration Parameters in the sqlnet.ora File
Specify values for the following parameters in the sqlnet.ora file for the database server:
SQLNET.KERBEROS5_CONF=pathname_to_Kerberos_configuration_file
SQLNET.KERBEROS5_KEYTAB=pathname_to_Kerberos_principal/key_table
SQLNET.KERBEROS5_CONF_MIT=TRUE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=Kerberos_service_name
SQLNET.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5)
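The following check script is an added example, not part of the guide or of Oracle's own tooling. It parses a sqlnet.ora and reports any of the Kerberos settings required in Task 1 (client) and Task 3 (database server) that are missing or wrong, in particular SQLNET.KERBEROS5_CONF_MIT not being TRUE, and confirms from the krb5.conf of Task 1, Step 1 that the realm's KDC is reached on port 88. The sqlnet.ora sample is constructed; its path values and the service name oracle are assumptions.

```python
import re
# Constructed sqlnet.ora for the database server, using the parameter names
# from Task 3, Step 1; the path values and the service name are assumed.
SAMPLE_SQLNET_ORA = """
SQLNET.KERBEROS5_CONF=/krb5/krb5.conf
SQLNET.KERBEROS5_KEYTAB=/krb5/v5srvtab
SQLNET.KERBEROS5_CONF_MIT=TRUE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
SQLNET.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5)
"""
# Constructed krb5.conf matching the Task 1, Step 1 example.
SAMPLE_KRB5_CONF = """[libdefaults]
default_realm=SALES.US.ACME.COM
[realms]
SALES.US.ACME.COM= {
kdc=sales3854.us.acme.com:88
}
[domain_realm]
.us.acme.com=SALES.US.ACME.COM
"""

def parse_sqlnet(text):
    """Return {PARAMETER: value} from sqlnet.ora text, ignoring # comments."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().upper()] = value.strip()
    return params

def check_sqlnet_kerberos(params, server=True):
    """List the settings the guide requires that are missing or wrong."""
    required = ["SQLNET.KERBEROS5_CONF", "SQLNET.AUTHENTICATION_KERBEROS5_SERVICE"]
    if server:  # the keytab is needed only on the database host
        required.append("SQLNET.KERBEROS5_KEYTAB")
    problems = [f"missing {k}" for k in required if k not in params]
    if params.get("SQLNET.KERBEROS5_CONF_MIT", "").upper() != "TRUE":
        problems.append("SQLNET.KERBEROS5_CONF_MIT must be TRUE for a Windows 2000 KDC")
    services = params.get("SQLNET.AUTHENTICATION_SERVICES", "").strip("()")
    if "KERBEROS5" not in [s.strip().upper() for s in services.split(",")]:
        problems.append("KERBEROS5 missing from SQLNET.AUTHENTICATION_SERVICES")
    return problems

def kdc_port(krb5_text, realm):
    """Port of the kdc= entry for realm in [realms] (88 if none is given)."""
    pattern = re.escape(realm) + r"\s*=\s*\{[^}]*?kdc\s*=\s*[^\s:}]+(?::(\d+))?"
    m = re.search(pattern, krb5_text)
    return None if not m else (int(m.group(1)) if m.group(1) else 88)
```

Run it against the real sqlnet.ora on each host with server=False on the client and server=True on the database host; an empty list means every parameter the guide asks for is present.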
Step 2: Create an Externally Authenticated Oracle User
Follow the task information for "Task 9: Create an Externally Authenticated Oracle User" on page 7-7 to create an externally authenticated Oracle user. Ensure that the username is created in all uppercase characters. For example,
Task 4: Obtain an Initial Ticket for the Kerberos/Oracle User
Before a client can connect to the database, the client must request an initial ticket. To request an initial ticket, follow the task information for "Task 10: Get an Initial Ticket for the Kerberos/Oracle User" on page 7-8.
See Also: Detailed information about Windows 2000 interoperability with Kerberos 5 that is available at the following URL: http://www.microsoft.com/WINDOWS2000/techinfo/planning/security/kerbsteps.asp
See Also: "Task 7: Configure Kerberos Authentication" on
page 7-4 for information about using Oracle Net Manager to set the