OCP Blog
Super DBA
Configuration Oracle database 11g for kerberos
by Vazha Mantua Sunday, January 8, 2012 11:26 PM

This post shows the steps to perform on the client and database server machines to configure Kerberos. It does not cover the tasks performed on the Kerberos server itself, such as installing it, creating principals, or creating the service key table.

------------YOU SHOULD DO ALL OF THESE STEPS ON DATABASE MACHINE AND ON CLIENT MACHINE ------------

1. Install Oracle Advanced Security and Net Services. This is done with the Oracle Universal Installer.

2. Configure Kerberos Authentication

Use Oracle Net Manager to perform the following steps to configure Kerberos authentication service parameters on the client and on the database server.

On Windows, run Net Manager; on a Unix machine, run $ORACLE_HOME/bin/netmgr

2.1 Click the Authentication tab > From the Available Methods list, select KERBEROS5 > Move KERBEROS5 to the Selected Methods list

Click the Other Params

2.2 Then create the directory /krb5 (with all permissions) and create the file krb.conf. On a client machine running Windows, the krb file is located at C:\Windows\krb.ini

Example of krb file:

[libdefaults]
    default_realm = DOMAIN.GE
    dns_lookup_realm = true
    dns_lookup_kdc = true
[realms]
    DOMAIN.GE = {
        kdc = KERBEROS.DOMAIN.GE:88
    }
[domain_realm]
    .domain.ge = DOMAIN.GE

[logging]
    default = FILE:/tmp/krb5-kdc.log
    kdc = FILE:/tmp/krb5-kdc.log


2.3 Update the sqlnet.ora file

SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=kservice
SQLNET.KERBEROS5_CONF_MIT = TRUE


2.4 Set the initialization parameter OS_AUTHENT_PREFIX=""

3. Create an Externally Authenticated Oracle User

CREATE USER SCOTT IDENTIFIED EXTERNALLY AS 'scott@DOMAIN.GE';  

4. Copy the Kerberos principal/secret key mapping file

Get this file from your system administrator and copy it to /etc/v5srvtab

5. Get an Initial Ticket for the Kerberos/Oracle User

% okinit scott@DOMAIN.GE

sqlplus /@kservice  

As you can see, we get a ticket from Kerberos and log in to the database as user scott without entering a password.
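The files created in steps 2.2, 2.3 and 4 decide which KDC is trusted and hold the database's service key, so their contents and permissions are worth checking once the login works. The following shell functions are an added example, not part of the original post or of any Oracle tool; the function names are hypothetical and the three file paths are passed as arguments.

```shell
#!/bin/sh
# Added example: audit the files from steps 2.2, 2.3 and 4. Function names are hypothetical.

# sqlnet_param FILE NAME: print NAME's value (names are case-insensitive, blanks ignored)
sqlnet_param() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }
        { line = $0; gsub(/[ \t\r]/, "", line); eq = index(line, "=")
          if (eq && toupper(substr(line, 1, eq - 1)) == toupper(want)) {
              print substr(line, eq + 1); exit } }' "$1"
}

# True when "other" has write permission on PATH (mode bits only, symlinks followed)
is_world_writable() {
    [ -n "$(find -L "$1" -prune -perm -002 2>/dev/null)" ]
}

# True when group or other can read PATH
is_readable_by_others() {
    [ -n "$(find -L "$1" -prune \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]
}

# audit_krb_setup SQLNET_ORA KRB_CONF KEYTAB: print findings, return how many there are
audit_krb_setup() {
    findings=0
    flag() { echo "FINDING: $1"; findings=$((findings + 1)); }
    case "$(sqlnet_param "$1" SQLNET.AUTHENTICATION_SERVICES | tr '[:lower:]' '[:upper:]')" in
        *KERBEROS5*) ;;
        *) flag "KERBEROS5 is not listed in SQLNET.AUTHENTICATION_SERVICES" ;;
    esac
    [ -n "$(sqlnet_param "$1" SQLNET.AUTHENTICATION_KERBEROS5_SERVICE)" ] ||
        flag "SQLNET.AUTHENTICATION_KERBEROS5_SERVICE is not set"
    if is_world_writable "$2" || is_world_writable "$(dirname "$2")"; then
        flag "$2 or its directory is world-writable: any local user can edit the realm and KDC settings"
    fi
    if is_readable_by_others "$3"; then
        flag "$3 holds the service key and is readable by group or others"
    fi
    return "$findings"
}

# Example: sh audit.sh "$ORACLE_HOME/network/admin/sqlnet.ora" /krb5/krb.conf /etc/v5srvtab
if [ "$#" -eq 3 ]; then
    audit_krb_setup "$@" || exit 1
fi
```

A /krb5 directory created with all permissions, as in step 2.2, is reported by this check; restricting write access to the Oracle software owner keeps the file readable by clients while closing that finding.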

Comments (2) -

2/25/2012 4:41:04 PM #

custom assignment services

I am new at using Oracle. thanks guys I came here for one reason, but I have really learnt a lot. Keep up the good work.

custom assignment services Philippines

3/23/2012 8:16:41 AM #

Juicy Couture Outlet

Oracle is awesome

Juicy Couture Outlet Honduras
