Today is #JoelKallmanDay, and my topic is simplifying the configuration of Kerberos authentication for Oracle databases using Linux tools. I have already written a few things about Kerberos in the past; the blog posts on this topic are usually tagged with Kerberos. Today I want to show you an alternative method of creating the keytab file directly on the database server without the help of a domain admin. This is especially helpful in larger environments or when troubleshooting: you have a new keytab file immediately, without first having to create an incident ticket and wait for support from your Windows administration colleagues. As a rule, they are not bored either and are glad to have one task less.
Some Basics
Kerberos is a networked authentication system that Oracle uses to authenticate Oracle Database users. The following graphic shows the Kerberos authentication process at a glance. The complete configuration is described in detail in Oracle® Database Security Guide 23c – Configuring Kerberos Authentication or Oracle Support Document 1996329.1. Further links can be found in the References chapter. This blog post is only about an alternative way of creating the keytab file.
The keytab file plays a vital role in securely managing service keys, especially service principals, for the host’s various services, including those associated with Kerberos authentication for the Oracle database. This important file equips the Oracle database with the necessary information to interact with the Key Distribution Center (KDC) and perform user authentication.
Traditionally, the keytab file is generated on the KDC server. In the context of Windows Active Directory, the ktpass tool stands as the go-to utility for this task. Detailed guidance and examples for using ktpass can be found in official documentation.
For instance, here’s an example of how I create a keytab file using ktpass in my test lab. In this case, I’m associating the service principal with the user DB19. The resulting keytab file includes all available cryptographic keys for enhanced security.
```powershell
ktpass.exe -princ oracle/db19.trivadislabs.com@TRIVADISLABS.COM -mapuser db19 -pass <PASSWORD> -crypto AL -ptype KRB5_NT_PRINCIPAL -out C:\stage\db19.trivadislabs.com.keytab
```
In a test lab you can do everything yourself. This is not possible in productive environments: you need admin access to the Active Directory, or a Windows admin at hand who can do it for you. Afterwards you have to copy the file, often via detours, onto the database server. The whole thing is cumbersome and error-prone.
Requirements
The following requirements must be met in order to use the Linux tools for configuration:
- Tools: install the Kerberos client utilities on the database server. We do not configure Kerberos for the operating system itself; we only use the tools. Kerberos is used solely for database authentication in this example.
- AD User: create a service account in Active Directory and set the service principal name (SPN) for this account.
- Configuration: have the basic Kerberos configuration ready in your database environment, e.g. $TNS_ADMIN/sqlnet.ora and $TNS_ADMIN/krb5.conf.
Example of Tools Installation
Command line commands to install Kerberos client utilities on OEL8
```bash
sudo dnf install krb5-workstation
```
Command line commands to install Kerberos client utilities on OEL7
```bash
sudo yum -y install krb5-workstation
```
Example of AD User Creation
PowerShell commands to create the service principal account with the flags "This account supports Kerberos AES 128 bit encryption" and "This account supports Kerberos AES 256 bit encryption" set. This ensures that the keytab file can be created with an AES encryption type, and that authentication then also works with such a keytab file.
```powershell
$Hostname = "db19"
$sPWD     = ConvertTo-SecureString -AsPlainText "<PASSWORD>" -Force
$UsersDN  = "cn=Users," + (Get-ADDomain).DistinguishedName
$DNSRoot  = (Get-ADDomain).DNSRoot
$Domain   = (Get-ADDomainController).Domain.ToUpper()

if (!(Get-ADUser -Filter "sAMAccountName -eq '$Hostname'")) {
    Write-Host "INFO : User does not exist."
} else {
    Write-Host "INFO : Remove existing User."
    Remove-ADUser -Identity $Hostname -Confirm
}

Write-Host "INFO : Create service account for DB server $Hostname."
New-ADUser -SamAccountName $Hostname -Name $Hostname -DisplayName $Hostname `
    -UserPrincipalName "oracle/$Hostname.$DNSRoot" `
    -Description "Kerberos Service User for $Hostname" `
    -Path $UsersDN -AccountPassword $sPWD -Enabled $true `
    -KerberosEncryptionType "AES128, AES256"
```
Additionally, we set the SPN using setspn.
```powershell
setspn $Hostname -s oracle/$Hostname.$DNSRoot@$Domain
```
```text
PS C:\Windows\system32> setspn $Hostname -s oracle/$Hostname.$DNSRoot@$Domain
Checking domain DC=trivadislabs,DC=com

Registering ServicePrincipalNames for CN=db19,CN=Users,DC=trivadislabs,DC=com
        oracle/db19.trivadislabs.com@TRIVADISLABS.COM
Updated object
```
Example Kerberos Configuration
Basic krb5.conf file in the $TNS_ADMIN folder. This example configures ad.trivadislabs.com as the KDC for the realm / domain TRIVADISLABS.COM.
```ini
# ----------------------------------------------------------------
# OraDBA - Oracle Database Infrastructur and Security, 5630 Muri,
# Switzerland
# ----------------------------------------------------------------
# Name.......: krb5.conf
# Author.....: Stefan Oehrli (oes) stefan.oehrli@oradba.ch
# Editor.....: Stefan Oehrli
# Date.......: 2023.05.04
# Version....: --
# Purpose....: Kerberos Configuration File
# Notes......: --
# Reference..: Oracle Database Security Guide 19c
# ----------------------------------------------------------------
[libdefaults]
  forwardable = true
  default_realm = TRIVADISLABS.COM

[realms]
  TRIVADISLABS.COM = {
    kdc = ad.trivadislabs.com
  }

[domain_realm]
  .trivadislabs.com = TRIVADISLABS.COM
  trivadislabs.com = TRIVADISLABS.COM
```
Extract from sqlnet.ora in $TNS_ADMIN with the Kerberos configuration.
```ini
# ----------------------------------------------------------------
# Kerberos settings
# ----------------------------------------------------------------
SQLNET.AUTHENTICATION_SERVICES=(beq,tcps,kerberos5pre,kerberos5)
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = oracle
SQLNET.FALLBACK_AUTHENTICATION = TRUE
SQLNET.KERBEROS5_KEYTAB = /u01/app/oracle/network/admin/krb5.keytab
SQLNET.KERBEROS5_CONF = /u01/app/oracle/network/admin/krb5.conf
SQLNET.KERBEROS5_CONF_MIT=TRUE
```
Using the Kerberos Utilities
Let's use the different command line utilities to create the keytab file on the database server as user oracle.
Step 1: Create a TGT for the service principal
To verify the service account and simplify the following steps, we get a ticket-granting ticket (TGT) using okinit. okinit is an Oracle tool and requires the sqlnet.ora configuration mentioned above.
```text
oracle@db19:~/ [rdbms19] okinit db19

Kerberos Utilities for Linux: Version 19.0.0.0.0 - Production on 11-OCT-2023 21:33:35

Copyright (c) 1996, 2019 Oracle.  All rights reserved.

Configuration file : /u01/app/oracle/network/admin/krb5.conf.
Password for db19@TRIVADISLABS.COM:
```
Step 2: Check the ticket cache
Verify the ticket cache using oklist.
```text
oracle@db19:~/ [rdbms19] oklist

Kerberos Utilities for Linux: Version 19.0.0.0.0 - Production on 11-OCT-2023 21:34:54

Copyright (c) 1996, 2019 Oracle.  All rights reserved.

Configuration file : /u01/app/oracle/network/admin/krb5.conf.
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: db19@TRIVADISLABS.COM

Valid starting     Expires            Service principal
10/11/23 21:33:39  10/12/23 07:33:39  krbtgt/TRIVADISLABS.COM@TRIVADISLABS.COM
        renew until 10/12/23 21:33:35
```
Step 3: Get the kvno for the Service Principal
We need the key version number (kvno) of the service principal. This can be queried using the kvno utility. Check in the oklist output above which ticket cache is used; optionally specify the ticket cache explicitly using -c. The kvno is needed when creating the keytab file, and an entry written with the wrong kvno will not be accepted by the KDC.
```text
oracle@db19:~/ [rdbms19] kvno -c /tmp/krb5cc_1000 db19@TRIVADISLABS.COM
db19@TRIVADISLABS.COM: kvno = 2
```
Step 4: Create a keytab file using ktutil
We now create a keytab file with ktutil. The tool is used interactively to read, create and write the keytab file; see the ktutil man page for full usage. In the following example, we use the aes256-cts-hmac-sha1-96 encryption type. Update the addent command with the correct kvno and encryption type. Optionally, you can add multiple encryption types to a keytab by running addent multiple times, once per type. The list of encryption types can be found at Kerberos Parameters (IANA). Make sure to use only encryption types which are supported by your KDC and enabled on the service account.
```text
oracle@db19:~/ [rdbms19] mv $TNS_ADMIN/krb5.keytab $TNS_ADMIN/krb5.keytab.orig
oracle@db19:~/ [rdbms19] ktutil
ktutil:  addent -password -p oracle/db19.trivadislabs.com@TRIVADISLABS.COM -k 2 -e aes256-cts-hmac-sha1-96
Password for oracle/db19.trivadislabs.com@TRIVADISLABS.COM:
ktutil:  list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 oracle/db19.trivadislabs.com@TRIVADISLABS.COM (aes256-cts-hmac-sha1-96)
ktutil:  wkt /u01/app/oracle/network/admin/krb5.keytab
ktutil:  q
```
Step 5: Verify the new keytab File
Verify the new keytab file using oklist.
```text
oracle@db19:~/ [rdbms19] oklist -e -k

Kerberos Utilities for Linux: Version 19.0.0.0.0 - Production on 11-OCT-2023 22:41:00

Copyright (c) 1996, 2019 Oracle.  All rights reserved.

Configuration file : /u01/app/oracle/network/admin/krb5.conf.
Keytab name: FILE:/u01/app/oracle/network/admin/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 oracle/db19.trivadislabs.com@TRIVADISLABS.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
```
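The checks of Steps 3 to 5 (kvno from the KDC, encryption type, principal name) can also be done programmatically. The following Python script is an added example, not code from the original post and not part of Oracle's or MIT's tooling: it parses an MIT-format keytab such as the one ktutil just wrote and compares it with the kvno reported by the kvno utility and the encryption types enabled on the AD account. The function names (build_keytab, parse_keytab, check_keytab) are my own, and the sample keytabs, including their key bytes, are constructed inline; the real keys are derived by ktutil from the account password. Besides the expected entry it recognises the two things that most often break a Kerberos login: a stale kvno in a keytab written before a password reset, and a missing or weak (RC4/DES) encryption type.

```python
"""Inspect an MIT-format (0x0502) Kerberos keytab and compare it with the KDC.
Added example; not part of the blog post, of MIT Kerberos or of Oracle's tooling."""
import struct

# IANA Kerberos encryption type numbers commonly met with an Active Directory KDC
ENCTYPE_NAMES = {
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
WEAK_ENCTYPES = {3, 23}         # DES and RC4 should not end up in a new keytab
KRB5_NT_PRINCIPAL = 1


def _octets(data):
    """counted_octet_string: big-endian uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_octets(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key, timestamp) tuples as a keytab.
    Only used here to construct sample input; ktutil writes the real file."""
    out = bytearray(b"\x05\x02")                            # file format version
    for principal, kvno, enctype, key, timestamp in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _octets(realm.encode())
        for comp in components:
            body += _octets(comp.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _octets(key)   # keyblock
        body += struct.pack(">I", kvno)                     # 32-bit kvno
        out += struct.pack(">i", len(body)) + body          # entry size prefix
    return bytes(out)


def parse_keytab(data):
    """Return one dict per key entry: principal, kvno, enctype, enctype_name, timestamp."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                    # negative size marks a deleted entry (hole)
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_octets(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_octets(data, pos)
            comps.append(comp.decode())
        _name_type, timestamp, kvno = struct.unpack_from(">IIB", data, pos)
        (enctype,) = struct.unpack_from(">H", data, pos + 9)
        _key, pos = _read_octets(data, pos + 11)
        if end - pos >= 4:              # full 32-bit kvno present; it wins over vno8
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or kvno
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "etype-%d" % enctype),
            "timestamp": timestamp,
        })
    return entries


def check_keytab(data, principal, kdc_kvno, required_enctypes):
    """Compare the keytab with what the KDC reports: the kvno from the kvno utility
    and the enctypes enabled on the AD account. An empty list means it is ready."""
    findings = []
    mine = [e for e in parse_keytab(data) if e["principal"] == principal]
    if not mine:
        return ["no entry for " + principal]
    for e in mine:
        if e["kvno"] != kdc_kvno:
            findings.append("stale kvno %d (KDC has %d) for %s"
                            % (e["kvno"], kdc_kvno, e["enctype_name"]))
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append("weak enctype " + e["enctype_name"])
    present = {e["enctype"] for e in mine if e["kvno"] == kdc_kvno}
    for et in sorted(set(required_enctypes) - present):
        findings.append("missing enctype " + ENCTYPE_NAMES.get(et, "etype-%d" % et))
    return findings


# Constructed samples: the SPN from the post with kvno 2 and an AES-256 key, and a
# keytab left over from before a password reset. Key bytes are made up.
SPN = "oracle/db19.trivadislabs.com@TRIVADISLABS.COM"
GOOD_KEYTAB = build_keytab([(SPN, 2, 18, bytes(range(32)), 1697052060)])
STALE_KEYTAB = build_keytab([(SPN, 1, 23, bytes(16), 1680000000)])

if __name__ == "__main__":
    for e in parse_keytab(GOOD_KEYTAB):
        print("%4d %s (%s)" % (e["kvno"], e["principal"], e["enctype_name"]))
    print("good :", check_keytab(GOOD_KEYTAB, SPN, 2, {18}))
    print("stale:", check_keytab(STALE_KEYTAB, SPN, 2, {18}))
```

For a real file, read $TNS_ADMIN/krb5.keytab in binary mode and pass its bytes to check_keytab together with the kvno from Step 3 and the enctype numbers you added with addent (18 for aes256-cts-hmac-sha1-96); treat any finding as a reason not to put the keytab into service. The parser does not need a ticket cache or a KDC, so it also works on a copy of the keytab taken during troubleshooting.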
Conclusion
Especially in large environments, where you sometimes have to wait several days for a service ticket to be processed, the alternative method for creating a keytab file is a relief. The keytab file is immediately where you need it; no cumbersome copying via SSH, fileshare, tunnels etc. You need another or an additional encryption type in the keytab file? Nothing simpler than that: one call of ktutil and addent, and you have an additional encryption type in the keytab file.
Have fun configuring Kerberos
References
Some links related to this topic.
- Oracle® Database Security Guide 23c – Configuring Kerberos Authentication
- Oracle Support Document 1375853.1 Primary Note For Kerberos Authentication
- Oracle Support Document 1996329.1 How To Configure Kerberos Authentication In A 12c Database
- Oracle Support Document 1304004.1 Configuring Kerberos Authentication with a Microsoft Windows Active Directory KDC
- Oracle Support Document 132804.1 Enabling Kerberos Authentication
- Oracle Support Document 185897.1 Kerberos Troubleshooting Guide
- Oracle Support Document 1523651.1 Kerberos Authentication With Oracle JDBC Thin Driver And Microsoft Active Directory
- Oracle Support Document 1609359.1 How To Use Kerberos Authentication to connect to a database with SQL Developer with thin JDBC
- Oracle Support Document 294136.1 Kerberos: High Level Introduction and Flow
- Microsoft Windows Server Documentation ktpass
- Linux Man Pages ktutil
- Linux Man Pages kvno
- IANA Kerberos Encryption Type Numbers
- OraDBA Kerberos related blog posts see Kerberos
Update: the New-ADUser command has been enhanced to include -UserPrincipalName, which had somehow gone missing. Setting the correct UPN is mandatory for Kerberos to work.