Thursday, June 21, 2012

Kerberos Authentication and Proxy Users

Topic: a discussion on how to use Kerberos authentication  and of proxy users in Oracle. This aimed at providing an alternative to the classical use of username and password credential and to help ease the burden of DB credentials management.

Introduction: Kerberos authentication allows to connect to Oracle without specifying the username/password credentials. The authentication is done externally. Kerberos has been used by a large user community since many years (notably Windows Active Directory uses use Kerberos authentication).
Proxy authentication in Oracle, allows connection to a target DB username via another DB user (the proxy user). For example you can authorize a user with a development account to connect to the application owner account using his/her credentials (thus no need to expose the application user's password).

This post is about combining Kerberos and proxy authentication: you can provide a mean to connect to any given DB user via a Kerberos-authenticated user, i.e. without specifying the password at connection time.


Example of client-side configuration (Linux) 

  • These tests have been performed using Oracle server and client 11.2.0.3 for Linux  
    • See below for details of server-side configuration
  • Create oracle user and grant connection privileges: 
create user "LUCA@MYDOMAIN.COM" identified externally;
grant connect to  "LUCA@MYDOMAIN.COM" ;
...add tablespace config and other privileges if needed..
  • configure sqlnet.ora for the oracle client. This can be in $ORACLE_HOME/network/admin, $TNS_ADMIN or in $HOME/.sqlnet.ora depending on the scope of the configuration.
SQLNET.AUTHENTICATION_SERVICES=(ALL)            # easy way to includes KERBEROS5
SQLNET.KERBEROS5_CONF=/etc/krb5.conf            # need to have kerberos client configured
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=orasrv  #this needs to match DB server config
SQLNET.KERBEROS5_CONF_MIT=TRUE
  • Request kerberos pricipal for your user if not already present: kinit luca
    • At this point you'll need to put the password on the command line as asked
    • It's also possible to use the oracle utility okinit, in this case for our config we need to run okinit -e 23 luca. 
    • When using db link one need forwardable tickets (kinit -f)
  • Connect to the DB with kerberos credentials. In sqlplus use this syntax sqlplus /@MYDB
    • Show user will show LUCA@MYDOMAIN.COM
    • If you get instead ORA-12638: Credential retrieval failed means you need to troubleshoot. Unfortunately there are many causes for the error, staring with bugs and version incompatibilities (see also notes below).


Proxy users and Kerberos used together 

Suppose that we need to authorize the user luca@mydomain.com  to connect to production application. I would normally use: sqlplus myappuser/mysecretpass@MYDB. With Kerberos and proxy authentication, used together, we can do the following:
  • Authorize the user to use proxy authentication: 
    • alter user myappuser grant connect through "LUCA@MYDOMAIN.COM";
  • Check the configuration with select * from PROXY_USERS; 
  • Setup and test Kerberos authentication for MYDB, see steps above 
  • Connect to the production user with this method (Kerberos+proxy user]. 
    • The syntax in sqlplus is: sqlplus [myappuser]/@MYDB 
    • show user from sqlplus will show myappuser as result
    • With this method the password for myappuser has never been used. Only the password for the kerberos user  LUCA@MYDOMAIN.COM has been used when requesting the ticket with kinit
    • One can still connect to myappuser with the orginal username/pass credentials too, this is just an additional path to it

Notes on client-side configuration (Windows)

  • Kerberos authentication will work with the ticket granted by the domain at users logon
    • okinit, oklist etc are missing from instant client but are also not needed to make this work
    • do not use client 11.2.0.1 if possible. 
    • you need to logon as domain user
    • in alternative if you want to use this from a local account or usea different kerberos user, just run cmd.exe with run as and specify a domain user's credentials 
    • check with klist that you have the ticket for the principal "LUCA" in this example
  • Create or copy over krb5.conf from a Linux machine (for example from DB server)
  • Edit sqlnet.ora in %ORACLE_HOME%\network\admin (or %TNS_ADMIN%) adding the following:
SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)
SQLNET.KERBEROS5_CONF= ....put path here....\krb5.conf
SQLNET.KERBEROS5_CONF_MIT=TRUE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=orasrv # match value on server
SQLNET.KERBEROS5_CC_NAME=OSMSFT:    # only needed in Windows
  • connect to the DB with kerberos credentials
    • same as the case of Linux above. 
    • In sqlplus use this syntax sqlplus /@MYDB 
  • This has been tested with a Windows 7 client and Oracle 11.2.0.3 instant client 32 bit

Notes on DB server configuration for kerberos authentication

This is described in Oracle documentation so I'll just put a few notes here.
  • Ask the kerberos administrator to add a new service principal. Best to use a short name, for example orasrv, as used in the examples above
  • Create the keytab file and on each DB server node(s) with correct permissions for the oracle user
    • for CERN installations the tool cern-get-keytab can be used:
    • sudo cern-get-keytab --service orasrv -k /etc/krb5.keytab.orasrv
    • sudo chown oracle:dba /etc/krb5.keytab.orasrv
  • Configure vi $ORACLE_HOME/network/admin/sqlnet.ora and add on all nodes 
    • note there are a few differences with client-only configuration discussed above
    • for RAC: edit sqlnet.ora in $ORACLE_HOME/network/admin, as opposed to $CRS_HOME/network/admin 
SQLNET.AUTHENTICATION_SERVICES=(ALL)
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=orasrv
SQLNET.KERBEROS5_KEYTAB=/etc/krb5.keytab.orasrv # see keytab generation step above
SQLNET.KERBEROS5_CONF=/etc/krb5.conf
SQLNET.KERBEROS5_CONF_MIT=TRUE


Notes:

Setting up Kerberos authentication requires just a few steps and is often quite simple. However there are many possible sources of issues that may need to be troubleshooted for a new installation. That ranges from bug in certain Oracle versions, incompatibilities with encryption levels, etc. I have tested with Oracle client 11.2.0.3 both on Linux and Windows 7 again Oracle server server on 11.2.0.3 (Linux 64 bit). This support note can be a useful starting point for troubleshooting if needed: Master Note For Kerberos Authentication [ID 1375853.1]
A (quite) different technique also aiming at reducing the need of hard-coded credentials is Secure External Password Store. This is described in oracle documentation and in the following support note: Using The Secure External Password Store [ID 340559.1]
Note added on licensing: a recent update to the Oracle licensing information states that "strong authentication services (Kerberos, PKI, and RADIUS) are no longer part of Oracle Advanced Security and are available in all licensed editions of all supported releases of the Oracle database."


Conclusions: 

We have discussed how to set up Kerberos authentication for Oracle users both as a standalone method and in conjunction with Proxy Authentication. These techniques can be of help to reduce the need of hard-coded credentials when accessing Oracle database services.

2 comments:

  1. Hello Luca,

    is ASO option still required for Kerberos authentication? With the release of 12c Oracle has changed ASO licensing contents, even for previous versions.

    Best regards,
    Martin

    martin.decker@ora-solutions.net
    http://www.ora-solutions.net

    ReplyDelete
    Replies
    1. Well spotted Martin, thanks. Indeed this has changed recently and the current version of the licensing documentation states that Kerberos is available in all licensed editions of all supported releases of the Oracle database.

      Delete