Configuring Kerberos authentication

Before you use Kerberos authentication to connect to an Oracle database on Linux or Windows, your organization administrator needs to create a few configuration files and set some environment variables.

1Configure the Java Authentication and Authorization Service configuration file (JAAS) that the JDBC driver will use for Java client authentication.

aCreate a JAAS configuration file on the Secure Agent machine.
b Add an entry to the JAAS configuration file that specifies the authentication technology to use for a particular driver. For example:

JDBC_DRIVER_01 {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=true
principal="user@EXAMPLE.COM";
};

The Krb5LoginModule authenticates users by using Kerberos protocols. You can add LoginModule options such as useTicketCache and principal as needed. For more information, see the Oracle Java documentation at https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/LoginConfigFile.html.

2Configure the Kerberos configuration file, krb5.conf, which defines Kerberos settings and realm details.

aCreate a krb5.conf file on the Secure Agent machine.
bAdd the details for the Key Distribution Center (KDC) and admin server to the krb5.conf file in the following format:

[libdefaults]
default_realm = <realm_name>

[realms]
<realm_name> = {
kdc = <location where KDC is installed>
admin_server = <location where KDC is installed>
}

Where [libdefaults] sets the default realm, and [realms] specifies the KDC and admin server for the realm.

For example:

[libdefaults]
default_realm = EXAMPLE.COM

[realms]
EXAMPLE.COM = {
kdc = rnd.EXAMPLE.COM
admin_server = rnd.EXAMPLE.COM
}

For more information, see the Oracle documentation at https://docs.oracle.com/cd/E86824_01/html/E54775/krb5.conf-4.html.

3Set the following environment variables on the machine where Data Ingestion and Replication and Secure Agent run:

setenv JAASCONFIG <Absolute path of the JAAS config file>\<File name>.conf>
setenv KRB5_CONFIG <Absolute path of the Kerberos configuration file>\krb5.conf>
setenv KRB5CCNAME <Absolute path and file name of the credentials cache file>

These variables are required to test Oracle Database Ingestion connections, deploy tasks, and run jobs when Kerberos authentication is in use.

Alternatively, you can specify these environment variables in Administrator for the Secure Agent. If you set environment variables in Administrator and on the Secure Agent machine, the variables that you specify in Administrator take precedence.

To define environment variables for the Seucre Agent in Administrator, go to Runtime Environments. Then open a Secure Agent and click Edit. Under System Configuration Details > Custom Configuration Details, enter the variables for the Database Ingestion service and DBMI_AGEN_ENV type. For example:

4Restart the Secure Agent.

5Generate the credential cache file by using the kinit or okinit tool.

- To use the kinit tool on Windows, first install the MIT Kerberos Client and make sure that the KRB5CCNAME system environment variable or the default_ccache_name variable in the [libdefaults] section of krb5.conf is set. Then issue the following command to run the kinit tool. Enter the password when prompted.

kinit user@<realm_name>

- To use the kinit tool on Linux, first install the kinit tool and make sure that the KRB5CCNAME system environment variable is set. Then issue the following command to run the kinit tool. Enter the password when prompted.

kinit user@<realm_name>

- To use the okinit tool, first install the Oracle Instant Client. The credential cache file will be created based on the SQLNET.KERBEROS5_CC_NAME property in the sqlnet.ora file. Then issue the following command to run the okinit tool. Enter the password when prompted.

okinit user@<realm_name>