Authenticate Autonomous Database Users with Kerberos
Describes how to configure Kerberos to authenticate Oracle Autonomous Database users.
- About Kerberos Authentication
- Components of the Kerberos Authentication System
- Notes about Kerberos Authentication on Autonomous Database
- Enable Kerberos Authentication on Autonomous Database
- Disable Kerberos Authentication on Autonomous Database
About Kerberos Authentication
You can configure Autonomous Database on Dedicated Exadata Infrastructure to use the Kerberos network authentication protocol to authenticate database users. Kerberos is a strong network authentication protocol that uses secret-key cryptography to provide user-to-server authentication.
- Autonomous Database on Dedicated Exadata Infrastructure support for Kerberos provides the benefits of single sign-on and centralized authentication of Oracle users. Kerberos is a trusted third-party authentication system that relies on shared secrets. It presumes that the third party is secure, and provides single sign-on capabilities, centralized password storage, database link authentication, and enhanced PC security. It does this through a Kerberos authentication server.
- The Kerberos system revolves around the concept of a ticket. A ticket is a set of electronic information that identifies a user or a service. A ticket identifies you and your network access privileges.
- In Kerberos-based authentication, you transparently send a request for a ticket to a Key Distribution Center (KDC). The Key Distribution Center authenticates you and grants you a ticket to access the database.
Components of the Kerberos Authentication System
Provides an overview of the Kerberos authentication system.
- A realm establishes an authentication administrative domain. Each realm has its own Kerberos database which contains the users and services for that particular administrative domain.
- Tickets are issued by the Key Distribution Center (KDC). Clients present tickets to the database server to demonstrate the authenticity of their identity. Each ticket has an expiration time and a renewal time.
- Keytabs store long-term keys for one or more principals. A keytab file is generated by invoking the tool kadmin.local (for an MIT Key Distribution Center) or ktpass (for an Active Directory Key Distribution Center).
- Principals are the entries in the Key Distribution Center database. Each user, host or service is given a principal. A principal is a unique identity to which the Key Distribution Center can assign tickets.
- Kerberos support in Autonomous Database uses these values for various components that make up a service principal's name:
Components of Service Principal | Value in Autonomous Database
---|---
| The value of the
| You can retrieve
REALM | Any realm supported by your KDC.
To enable Kerberos authentication for your Autonomous Database, you must have your Kerberos configuration file (krb.conf) and service key table file (v5srvtab) ready. For more information on these files and the steps to obtain them, see About Kerberos Configuration Files.
Notes about Kerberos Authentication on Autonomous Database
Before proceeding with Kerberos authentication on Autonomous Database on Dedicated Exadata Infrastructure, review the following notes:
- You can use Kerberos authentication only with Autonomous Database version 19.18 or later.
- If you enable Kerberos authentication for your Autonomous Database, you can still use password-based database authentication for your database.
- Only one external authentication method can be used for your Autonomous Database at any time. That is, you can have only one of Oracle Cloud Infrastructure (IAM), Centrally Managed Users with Active Directory (CMU-AD), Azure AD, or Kerberos authentication enabled at any time.
Note
The only exception is that Kerberos authentication can be configured on top of CMU-AD to provide CMU-AD Kerberos authentication for Microsoft Active Directory users.
- Kerberos authentication is not supported for the following tools:
- Oracle Database API for MongoDB
- Oracle REST Data Services
- Oracle Machine Learning
- APEX
- Oracle Graph Studio
- Oracle Database Actions
- You can enable Kerberos authentication to authenticate the ADMIN user. If a corrupted keytab file causes the ADMIN user's Kerberos authentication to fail, you can use the Reset Password functionality in the Oracle Cloud Infrastructure (OCI) Console to reset the ADMIN user's password and regain access.
- Kerberos authentication is supported only with the TCPS protocol.
- Kerberos authentication is not supported with database links (DB_LINKs) or with databases that use Autonomous Data Guard.
Enable Kerberos Authentication on Autonomous Database
Follow the steps below to enable Kerberos authentication for Autonomous Database on Dedicated Exadata Infrastructure:
See Navigate to Oracle Cloud Infrastructure Object Storage and Create Bucket for more information on Object Storage.
See ENABLE_EXTERNAL_AUTHENTICATION Procedure for more information.
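The enablement flow described above (stage krb.conf and v5srvtab in an Object Storage bucket, then turn on the KERBEROS scheme), written out as an added example rather than the page's own code. The bucket URL, credential name and OCI user are placeholders, and the params keys location_uri and credential_name are assumed from the DBMS_CLOUD_ADMIN reference; verify them against the linked ENABLE_EXTERNAL_AUTHENTICATION Procedure documentation before use.

```sql
-- Added example, not from the page. Run as ADMIN (requires EXECUTE on
-- DBMS_CLOUD_ADMIN). Assumes krb.conf and v5srvtab are already uploaded to
-- the bucket folder named in location_uri (placeholder URL below).

-- 1. Credential the database uses to read the two files from Object Storage.
--    Username and auth token are placeholders; use an OCI auth token, never
--    the console password.
BEGIN
  DBMS_CLOUD.CREATE_CREDENTIAL(
    credential_name => 'KRB_BUCKET_CRED',
    username        => 'oci_user@example.com',      -- placeholder
    password        => '<oci-auth-token>'           -- placeholder
  );
END;
/

-- 2. Enable Kerberos. Because only one external scheme may be active,
--    disable any other scheme (IAM, CMU-AD, Azure AD) before this call.
--    Parameter keys are assumed from the DBMS_CLOUD_ADMIN reference.
BEGIN
  DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION(
    type   => 'KERBEROS',
    params => JSON_OBJECT(
      'location_uri'    VALUE 'https://objectstorage.<region>.oraclecloud.com/n/<namespace>/b/<bucket>/o/',  -- placeholder
      'credential_name' VALUE 'KRB_BUCKET_CRED'
    )
  );
END;
/

-- 3. From a session opened over TCPS with a valid Kerberos ticket, confirm
--    the session was authenticated by Kerberos rather than by password, and
--    which principal the KDC vouched for.
SELECT SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD') AS auth_method,
       SYS_CONTEXT('USERENV', 'EXTERNAL_NAME')         AS kerberos_principal
  FROM dual;
```

For a Kerberos-authenticated session, AUTHENTICATION_METHOD returns KERBEROS; a value of PASSWORD indicates the client fell back to password authentication, which the page notes remains available after Kerberos is enabled.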
Disable Kerberos Authentication on Autonomous Database
Before enabling any other external authentication scheme on your database, you must disable Kerberos authentication by running the DBMS_CLOUD_ADMIN.DISABLE_EXTERNAL_AUTHENTICATION procedure. You must have the EXECUTE privilege on DBMS_CLOUD_ADMIN.
BEGIN
  DBMS_CLOUD_ADMIN.DISABLE_EXTERNAL_AUTHENTICATION;
END;
/
See DISABLE_EXTERNAL_AUTHENTICATION Procedure for more information.
To provide CMU-AD Kerberos authentication for the Microsoft Active Directory users, you must continue to configure CMU-AD authentication without disabling Kerberos authentication.