Post on 03-May-2018
© COPYRIGHT 2007 CENTRIFY CORPORATION. ALL RIGHTS RESERVED.
APPLICATION NOTE
Oracle Database Single Sign-On with Centrify DirectControl
Using Centrify DirectControl with Oracle Database Authentication
Last Updated: August 2008
Abstract
The goal of this Application Note is to offer a solution that allows Microsoft Active Directory users
to authenticate seamlessly to Oracle databases running on Linux or UNIX platforms, using their
Active Directory Kerberos v5 credentials, without being prompted for a username and password.
Using Active Directory as the centralized authentication system for Linux or UNIX systems, as well
as for Oracle databases, delivers centralized access control through a well-established, secure
authentication mechanism.
Centrify DirectControl is used to provide Active Directory-based identity, access control and policy
services for Linux, UNIX and Mac systems, as well as for web applications running on these
platforms. This Application Note describes the steps to be performed to extend DirectControl’s
authentication services to Oracle databases running on Linux or UNIX.
Contents
1 Architectural Overview
1.1 Introduction
1.2 Oracle Database Single Sign-On using Kerberos
1.3 Oracle Advanced Security Option (ASO)
2 Requirements and Prerequisites
2.1 Windows Server and Client
2.2 Linux or UNIX
2.3 Oracle Database Server 10g (10.2.0.1)
2.4 Centrify DirectControl Agent for Systems
2.5 Other Requirements
3 Working with Oracle 9 through 10.1.1
4 Oracle Database Server Configuration
4.1 Oracle Server Configuration on Red Hat Enterprise Linux 4
4.1.1 Oracle database environment setup
4.1.2 Verification of the Oracle Advanced Security Option
4.1.3 Configuring Oracle Boot Parameters
4.1.4 Configuring Kerberos authentication in Oracle database with DirectControl
4.1.5 Checking the configuration of the Oracle *.ora files
4.2 Check Availability of the Kerberos Ticket
4.3 Creating Oracle Database User Accounts for AD Users
4.4 Multiple Instances of Oracle Database on a Single Computer
4.5 Working with Oracle on Solaris 10
5 Client Configuration and Testing
5.1 Linux / UNIX client configuration
5.2 Testing the Oracle Database SSO capabilities on Linux / UNIX
5.3 Windows Client Configuration
5.4 Testing the Oracle Database SSO capabilities on Windows
6 Troubleshooting
7 Summary
Appendix
Sample Linux server configuration files
Sample Windows client configuration files
Further reading
Legal Notices
1 Architectural Overview
1.1 Introduction
Multiple database authentication methods are currently supported for authenticating
users connecting to Oracle databases, including:
• Operating system authentication
• Network service authentication
• Using an associated Oracle database
• Using middle-tier application that performs database transactions on behalf of the
user
The goal for the solution outlined in this document is to allow users to leverage their
Active Directory-based Kerberos v5 credentials (which are automatically provided to
them when they log into a system) and use those credentials to allow direct access to an
Oracle database. With this method a user is not required to provide a username and
password when they run an Oracle client application such as SQL*Plus. We refer to this
scenario as “Oracle Database Single Sign-On” or “Oracle DB SSO”.
In a pure Microsoft Windows environment, Oracle Database on Windows provides Single
Sign-On using Windows Native Authentication (Kerberos v5). As this is a standard
feature of Oracle database server on the Microsoft platform, this document does not
describe the detailed setup for a pure Windows environment. This may be found in the
Oracle documentation for Windows (i.e. “Oracle 10g Database for Windows – Getting
Started”).
In this document, we focus on using the Windows Native Authentication (Kerberos v5) in
a heterogeneous platform environment containing Windows workstations and Linux or
UNIX servers. The Oracle database server will run on a Linux or UNIX server, and the
Oracle database clients will be run on both Windows XP workstations as well as on Linux
or UNIX systems. In order for the Oracle database servers and clients to support
Kerberos v5 system authentication and the SSO functionality described here, both
DirectControl and the optional Oracle Advanced Security Option package must be
installed on all computers that will be running Oracle Database Enterprise Edition 10g.
1.2 Oracle Database Single Sign-On using Kerberos
The Kerberos v5 authentication mechanism requires that every component involved in a
database Single Sign-On session is able to handle Kerberos Authentication Messages and
Kerberos Service Tickets. In a Windows infrastructure, Active Directory provides the
Kerberos environment required to enable this level of single sign-on. However, on a
Linux or UNIX system that has Oracle database software installed on it, DirectControl
provides the Kerberos environment to enable the same single sign-on capabilities as the
Windows-only environment. The Oracle database server and the Oracle database client are
Kerberos-enabled by the optional Oracle Advanced Security Option package. The figure below
depicts the simplified SSO architecture of the implementation described in this document.
Figure 1-1 Oracle SSO Architecture with Kerberos Authentication and Centrify DirectControl
1.3 Oracle Advanced Security Option (ASO)
Oracle Advanced Security Option (ASO) is a separately licensable component provided by
Oracle, and requires Oracle Database Enterprise Edition 10g to have been licensed and
installed. It enables advanced security features such as multiple strong authentication
mechanisms as well as transparent data encryption mechanisms.
The figure below depicts the ASO architecture:
Figure 1-2 Oracle Advanced Security Architecture (taken from the Oracle Advanced Security Administrator’s Guide)
Oracle Advanced Security Option supports authentication through adapters that are
similar to the existing Oracle protocol adapters. As shown in the next figure,
authentication adapters integrate with the Oracle Net interface and enable existing
applications to take advantage of new authentication systems transparently, without any
changes to the application.
Figure 1-3 Oracle Net with Authentication Adapters (from Oracle Advanced Security Administrator’s Guide)
For more information on Oracle Advanced Security Option, please see the Oracle
Advanced Security Administrator’s Guide, which can be downloaded from
http://download-west.oracle.com/docs/cd/B19306_01/network.102/b14268.pdf.
2 Requirements and Prerequisites
The following systems and software need to be setup and configured before proceeding
with the steps outlined later in this document.
The steps in this Application Note were only tested with the following systems in a test lab
environment:
• Windows domain controller – running on Windows Server 2003
• Oracle Database Enterprise Edition 10g (10.2.0.1) – installed on Red Hat
Enterprise Linux 4
• Windows XP SP2 computer – with the Oracle Database 10g Client for Windows
• Red Hat Enterprise Linux 4 client with the Oracle Database 10g Client for Linux
• Centrify DirectControl 4.x (or above) – installed on Windows Server 2003 and
Linux / UNIX systems
Note: While these instructions may work on other platforms, versions and configurations,
the information provided in this guide is for informational purposes only. Centrify does
not offer support for Oracle products.
For support with your DirectControl product (including Kerberos and Active Directory integration), contact Centrify support according to the terms of your licensing agreement. For help with Oracle, Advanced Security Option, Oracle RAC and other Oracle products and technologies, please contact Oracle directly. Services for additional troubleshooting and alternate configurations may be obtained from Centrify professional services.
2.1 Windows Server and Client
In order to demonstrate Single Sign-On using Active Directory user credentials, you will
need a working Active Directory environment with access to Users and Computers and
the appropriate administrator accounts to join new computers to the domain. In this
example you will need at a minimum one Windows 2003 Server configured as a Domain
Controller. If you already have a domain controller, you do not need any additional AD
components and do not need to modify the Active Directory infrastructure. You will also
need to set up a Windows Client with the “Oracle Client for Windows” software.
The following Windows commands are useful in obtaining and verifying Kerberos
credentials for users, once Oracle Database Client with Advanced Security Option is
installed on Windows, and Kerberos authentication is configured properly, as described
later in this document:
okinit
oklist
Note: There are some known issues in running the okinit command on Windows. Please
refer to the Oracle Database Administrators Guide or contact Oracle Support if needed, to
resolve this.
2.2 Linux or UNIX
This demonstration will use a Red Hat Enterprise Linux 4 server configured to run the
Oracle Database Server. The server needs to be configured based on the
recommendations in the Oracle database installation guides. If you need to run on a
different platform, the setup and configuration specified in this document have also been
tested on Sun Solaris, AIX and HP-UX.
In addition, a Linux or UNIX client can be optionally setup to demonstrate Single Sign-
On access to the Linux or UNIX-based Oracle database server from a Linux or UNIX-
based client. The client system will need to have the Oracle Database Client software
installed on it as well as DirectControl in order to setup the proper AD Kerberos
environment. A single Linux or UNIX system may be used as both the server and client
for this configuration if additional hardware is not available.
The following Linux / UNIX commands are useful in verifying the environment settings,
and in creating and managing users and groups:
To check OS version:
uname -a
To check mounted file systems:
mount
To check disk space on mounted file systems:
df -h
To check physical memory available on Linux / UNIX:
free
To add users on Linux / UNIX:
useradd
To add groups on Linux / UNIX:
groupadd
To check a Linux / UNIX user’s UID, GID and group memberships:
id
To list all installed packages, or to check for one package, on Linux / UNIX:
rpm -qa
rpm -q <package-name> (for example, rpm -q libaio)
Note: When installing Linux, it is important to ensure that all packages required for
properly running Oracle Database Enterprise Edition 10g are installed. Selecting
“Everything” when prompted to select packages during the Linux install (shown at the
end of the list of available packages) is an easy way to ensure this in a lab, but it also
installs a great deal of software the database server does not need. On a production
server, install only the packages listed in the Oracle installation guide and keep the
rest off the system.
Note: When installing Linux and the Oracle database server on it, it must be ensured
that the file system on which the Oracle database will be installed has plenty of disk space
available. Please refer to the “Oracle Database Installation Guide 10g R2 (10.2) for Linux”
for more information on this. If possible, it is recommended that at least 20 GB be
allocated to it, to avoid having to increase disk space later.
2.3 Oracle Database Server 10g (10.2.0.1)
This solution has been tested with Oracle Database Enterprise Edition 10g (10.2.0.1) and
should work on any newer version installed on a Linux or UNIX server.
Additionally, the Oracle Advanced Security Option (ASO) is required for this solution
since it provides the required Kerberos interfaces within Oracle Database to enable using
Kerberos for user authentication.
Note: Please refer to the Oracle Database Installation Guide to get a list of all required
Operating System packages.
Note: Please refer to the Oracle Database Installation and Administrator Guides to first
get the Oracle Database Server with Advanced Security Option and Oracle Database
Client installed and functioning properly.
The runInstaller utility, provided by Oracle, is used to install Oracle Database Server
and Client.
Note: Ensure that the Oracle users have read and execute (r+x) permissions on the Oracle
database home directory.
The following SQL*Plus commands, run on the Linux / UNIX server where the Oracle
database server is installed, as the Oracle database “owner” (e.g. oracle), are useful in
verifying that the Oracle database is running properly, and in checking entries made in
the database.
To connect to the Oracle database as SYS and run SQL*Plus commands:
sqlplus "sys as sysdba"
Connected to an idle instance
SQL> startup
Database started
SQL> show user;
User is SYS
SQL> desc all_tables;
SQL> select TABLE_NAME from all_tables;
SQL> create user oracle identified by oracle;
SQL> grant connect, resource to oracle;
SQL> desc all_users;
SQL> select USERNAME from all_users;
SQL> select NAME from user$;
SQL> select * from user$;
SQL> shutdown
Database shutdown
SQL> exit
Note: A normal user does not see all tables defined in the database, as seen by the
system user SYS.
Note: The create user statement above uses the user name as the password purely as a
lab placeholder. Any account you create outside a test lab needs a strong password.
To stop, start and check status of the Oracle Database Listener:
lsnrctl stop
lsnrctl start
lsnrctl status
The following Linux / UNIX commands are useful in obtaining and verifying Kerberos
credentials for users, once Kerberos authentication is configured properly, as described
later in this document:
okinit
oklist
Note: Please ensure that the users of oracle database have r+x permissions on the oracle
database home directory. Please refer to the Oracle Database Installation and
Administrator Guides for further information, if needed.
Note: Please refer to the “Oracle Database Installation Guide 10g R2 (10.2) for Linux”
and Oracle Database Administrator Guides to first get the Oracle Database Server and Oracle Database Client functioning properly, before proceeding further.
2.4 Centrify DirectControl Agent for Systems
Centrify DirectControl Console version 4.x (or above) will need to be installed on a
Windows computer where the administrator will manage the AD environment. You will
also need to install the DirectControl agent onto the Linux or UNIX system where Oracle
database server is installed in order to enable the system to join Active Directory,
enabling Kerberos trust between the systems. The Centrify utility adjoin is used to
accomplish this.
In addition, Centrify’s adkeytab utility is made available for the Linux / UNIX server as
part of Centrify DirectControl 4.x (or above). This tool is used to generate the keytab
file, as described later in this document.
The following Centrify utilities are useful in setting up and verifying the configuration
specified in this document.
adjoin
adkeytab
adclient
adinfo
2.5 Other Requirements
The Oracle Database Server and Client need to be configured to use Kerberos as the
authentication mechanism. This document includes the basic steps to set up Kerberos
authentication on both the server and the clients. Instructions are also provided on how
to set up an Oracle Service Account for Kerberos.
For more information on using Kerberos authentication with Oracle database, please
refer to the Oracle Advanced Security Administrator’s Guide.
Throughout this document, we will use the following parameters to illustrate how these
steps would apply to a real production environment. These parameter settings must be
substituted appropriately to reflect your own environment:
Parameter                                      Value
Oracle database instance name                  orcl
Windows domain name                            sedomain.com
Oracle service account for Kerberos            ORACLE
ORACLE_HOME environment variable on Linux      /home/app/oracle/db_1
Linux server machine name                      rhel4
Oracle owner user account                      oracle
Oracle group used to install Oracle            oinstall
Test Oracle database user                      JEFF_HAY@SEDOMAIN.COM
Windows Server 2003 machine name               w2k3ad
Note: Using appropriate consistent case in the various configuration files is critical for
most of these settings.
Note: Ensure that the clock skew between the Windows Server (running the AD KDC), the
Windows client, and the Linux / UNIX server and client is very small. Kerberos rejects
authenticators whose timestamps differ from the KDC’s clock by more than the permitted
skew (5 minutes by default), so unsynchronized clocks show up as authentication failures
rather than as an obvious time error.
3 Working with Oracle 9 through 10.1.1
If you happen to be running a version of Oracle prior to 10.2.0.1, you will need to make a
change to your domain controllers to allow Kerberos tickets to be encrypted using the
DES-CBC-CRC method instead of the default ARCFOUR-HMAC-MD5.
Microsoft Support Note #833708 (http://support.microsoft.com/kb/833708) indicates
that by default, the Key Distribution Center (KDC) of Windows Server 2003 encrypts
tickets in arcfour-hmac-md5 format, even if the client asks for another encryption type.
A new registry value must be added to force it to use the requested encryption type
(e.g. DES-CBC-CRC) that previous versions of Oracle require.
Note: This is a legacy accommodation with a security cost. DES is a 56-bit cipher, and with
this setting the KDC will honour DES requests from any client, not just Oracle, so tickets
protected by DES become the weakest point of the domain’s Kerberos deployment. Apply
it only while you still run an Oracle release that needs it, remove the registry value once
you have upgraded (and revisit the DES encryption types configured in section 4.1.4 at the
same time), and be aware that later Windows releases (Windows 7 / Windows Server
2008 R2 and newer) disable DES for Kerberos by default.
To make this registry change, log on to the Windows Domain Controller server and do
the following:
1. Launch the registry editor: Start > Run… > regedit
2. Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
3. Create a new DWORD value called: KdcUseRequestedEtypesForTickets
4. Set its value to 1
5. Restart the Key Distribution Center service using the Services applet in the
Administrative Tools menu.
Note: This change will need to be made on all domain controllers in the domain.
4 Oracle Database Server Configuration
4.1 Oracle Server Configuration on Red Hat Enterprise Linux 4
In this section, we describe how to set up the Linux server where Oracle database server is
installed. The steps below describe how to create a Kerberos service account for Oracle
using Centrify DirectControl and how to configure Oracle database server to use the
resulting keytab file for authentication. In addition, steps are provided to properly
configure other Oracle database settings.
4.1.1 Oracle database environment setup
Ensure that an appropriate environment is set up for all Oracle users if this has not
already been done. For example, include the following lines in the /etc/profile file on
the Linux or UNIX server:
ORACLE_OWNER=oracle
ORACLE_HOME=/home/app/oracle/db_1
ORACLE_SID=orcl
KRB5CCNAME=FILE://tmp/krb5cc_$UID
PATH=$PATH:$ORACLE_HOME/bin
export ORACLE_OWNER ORACLE_HOME ORACLE_SID KRB5CCNAME PATH
The KRB5CCNAME definition (note the double slash after FILE:) is required to address a
bug in Oracle which fails to interpret the leading / correctly. Make the appropriate
changes based on your setup.
4.1.2 Verification of the Oracle Advanced Security Option
Verify that the Oracle Advanced Security Option is installed and that the binaries are
linked with the new authentication methods. As the oracle user, execute the following on
the Linux or UNIX server:
$ORACLE_HOME/bin/adapters
You should see output similar to the following:
Installed Oracle Net transport protocols are:
    BEQ
    TCP/IP
    SSL
    RAW
    ...
Installed Oracle Advanced Security options are:
    MD5 crypto-checksumming
    SHA-1 crypto-checksumming
    Kerberos v5 authentication
    ...
If “Kerberos v5 authentication” is not listed, the Advanced Security Option is not installed
or not linked into the Oracle binaries, and the rest of this procedure will fail; install it
before continuing.
If necessary, run the $ORACLE_HOME/bin/netmgr tool on the Linux or UNIX server,
select Profile, and use the Oracle Advanced Security authentication drop-down to
configure Kerberos v5 authentication.
Figure 4-1 Oracle netmgr utility being used to enable Kerberos v5 authentication
4.1.3 Configuring Oracle Boot Parameters
In order to make Oracle work in Single Sign-On mode, a database initialization parameter
may need to be modified. You can verify the value of this parameter by connecting to
Oracle as sysdba and executing the following command as the oracle user:
$ sqlplus "sys as sysdba"
SQL*Plus: Release 10.2.0.1.0 - Production on Thu Dec 21 11:20:42 2006
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
Enter password:
Connected to:
Oracle10g Release 10.2.0.1.0 - Production
JServer Release 10.2.0.1.0 - Production
SQL> show parameter os_authent_prefix;
NAME                                 TYPE        VALUE
------------------------------------ ----------- --------
os_authent_prefix                    string
The result should be an empty string value as in the example above. The default value is
OPS$; Oracle prepends it to the externally supplied user name when looking up an
externally identified database account, so with a non-empty prefix the database would look
for OPS$JEFF_HAY@SEDOMAIN.COM instead of JEFF_HAY@SEDOMAIN.COM and the
Kerberos user would not match any account.
If this is not the case, then follow the steps below to change it. This parameter is not
dynamic: it must be set in the spfile and the Oracle database must be shut down and
restarted for the change to take effect.
1. Connect to Oracle as sysdba:
$ sqlplus "sys as sysdba"
SQL*Plus: Release 10.2.0.1.0 - Production on Thu Dec 21 12:20:22 2006
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
Enter password:
Connected to:
Oracle10g Release 10.2.0.1.0 - Production
JServer Release 10.2.0.1.0 - Production
SQL>
2. Change the os_authent_prefix parameter in the spfile:
SQL> alter system set os_authent_prefix = '' scope=spfile;
3. Shut down the database with the following command:
SQL> shutdown;
4. Restart the database with the following command:
SQL> startup;
5. Exit SQL*Plus with the following command:
SQL> exit;
4.1.4 Configuring Kerberos authentication in Oracle database with DirectControl
On the Linux or UNIX server, log in as root to complete the following steps:
1. Stop the adclient using:
# adclient -x
2. Change the number of keytab entries kept per principal. Oracle uses the first
entry in the keytab file for a principal, which is the oldest key; once that key has
been superseded it is no longer valid on the KDC, so Oracle cannot decrypt
service tickets and authentication fails. To resolve this, keep only one key entry
in the keytab file. The correct encryption types must also be set. Make both
changes by editing the file /etc/centrifydc/centrifydc.conf and changing the
following parameters:
Parameters in file /etc/centrifydc/centrifydc.conf:
# Number of keytable entries to be kept for a principal
adclient.krb5.keytab.entries: 1
# Encryption types supported for getting tickets.
adclient.krb5.tkt.encryption.types: des-cbc-md5 des-cbc-crc arcfour-hmac-md5
# Encryption types permitted in client credentials.
adclient.krb5.permitted.encryption.types: des-cbc-md5 des-cbc-crc arcfour-hmac-md5 arcfour-hmac-exp
Note: If you leave the domain and join it again, double-check that these parameters
have not been reset to their default settings.
Note: des-cbc-md5, des-cbc-crc and arcfour-hmac-exp are weak encryption types.
They are listed here because the Oracle Kerberos configuration in this note relies on a
DES service key (the keytab is generated with -e des-cbc-md5 in step 5 below), and
keeping them in the permitted list means this host will accept credentials protected
with single DES. Remove them as soon as your Oracle release no longer requires them.
3. DirectControl automatically configures the Kerberos configuration files on the
Linux system when you join a domain. However, some additional changes are
required to enable authentication for Oracle database. On the Linux or UNIX
server, edit the file /etc/krb5.conf and ensure that the following entries exist
and have the correct settings:
Parameters in file /etc/krb5.conf:
[libdefaults]
default_tgs_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5
default_tkt_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5
permitted_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5 arcfour-hmac-exp
passwd_check_s_address = true
ccache_type = 3
Note: If you leave the domain and join it again, double-check that these parameters
have not been reset to their default settings.
4. Restart adclient using # adclient -F
5. We now need to create the service account for Oracle and generate the keytab
file. The adkeytab tool is used to do this. This is a Centrify utility that is
designed to work with DirectControl and Active Directory, and is used to create
customized Kerberos Service Accounts. The adkeytab tool is delivered as a
binary utility for this solution. Further information on the use of adkeytab can be
found in the Appendix of this document.
Login as the root user on the Linux or UNIX system where the Oracle Database
Server and Centrify DirectControl are installed. Ensure that environment settings
defined in section 4.1.1 are set.
Also ensure that the file $ORACLE_HOME/ORACLE.keytab does not already exist.
On the Linux or UNIX server, to create the ORACLE.keytab file, execute the
following command (shown on several lines for readability; the trailing
backslashes are shell line continuations):
# adkeytab -n -U userPrincipal/host.domain.com@DOMAIN.COM -k \
    -c Computers -K $ORACLE_HOME/ORACLE.keytab \
    -e des-cbc-md5 -V -d domain.com \
    -P ORAService/host -P ORAService/host.domain.com@DOMAIN.COM ORAService
Note: Once you have generated the keytab file using the adkeytab command, it
must not be moved; otherwise the keytab won’t be renewed by Centrify
DirectControl. Executing this command will not only create a service account on
Active Directory, but will also create the keytab file.
Note: Make the appropriate changes to this command line based on your local
environment, where domain.com is your domain name; the parameters are as follows:
-n creates a new service account
-U explicitly specifies the UPN (user principal name) of the account
-k uses a DES key only
-c specifies the container DN (Distinguished Name) in which the account is created
-K specifies the path of the new keytab file ($ORACLE_HOME/ORACLE.keytab in this example)
-e specifies the encryption type (des-cbc-md5)
-V generates verbose output
-d specifies the domain in which the account is created (domain.com)
-P specifies the name of a service principal to add (should be explicit; repeat the
option for each principal)
ORAService is the account name
For more details on the adkeytab command, see the Centrify DirectControl
Administrator's Guide or the man page for adkeytab.
6. The new keytab file must be readable by the oracle user and by nobody else: it
holds the long-term key of the Oracle service principal, and anyone who can read it
can impersonate the database service to its clients. Execute the following
commands as the root user to achieve this:
# chown oracle:oinstall $ORACLE_HOME/ORACLE.keytab
# chmod 400 $ORACLE_HOME/ORACLE.keytab
4.1.5 Checking the configuration of the Oracle *.ora files
On the Linux or UNIX server, perform the following steps:
1. We now need to modify the Oracle SQL*Net configuration file to enable the
correct Kerberos operation and to point to the new keytab file. Edit the file
$ORACLE_HOME/network/admin/sqlnet.ora and ensure that the following
settings are present:
Parameters in file $ORACLE_HOME/network/admin/sqlnet.ora:
NAMES.DEFAULT_DOMAIN = SEDOMAIN.COM
SQLNET.KERBEROS5_CONF=/etc/krb5.conf
SQLNET.KERBEROS5_KEYTAB=/home/app/oracle/db_1/ORACLE.keytab
SQLNET.KERBEROS5_CONF_MIT=TRUE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=ORACLE
SQLNET.AUTHENTICATION_SERVICES=(BEQ, KERBEROS5, ALL)
2. The Oracle listener configuration file should already be configured properly if you
have a functional Oracle environment. Using our example settings in this
document, the file $ORACLE_HOME/network/admin/listener.ora would
include the following SID description:
Parameters in file $ORACLE_HOME/network/admin/listener.ora:
(SID_DESC =
  (GLOBAL_DBNAME = ORCL.SEDOMAIN.COM)
  (ORACLE_HOME = /home/app/oracle/db_1)
  (SID_NAME = orcl)
)
3. The Oracle tnsnames configuration file should already be configured properly if
you have a functional Oracle database environment. Using our example settings
in this document, the file $ORACLE_HOME/network/admin/tnsnames.ora would
include the following database entry:
Parameters in file $ORACLE_HOME/network/admin/tnsnames.ora:
ORCL.SEDOMAIN.COM =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = rhel4.sedomain.com)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = ORCL.SEDOMAIN.COM)
    )
  )
Note: Make the appropriate changes to each of these files based on your local
environment. For example, ORCL.SEDOMAIN.COM should be replaced with the
name of your Oracle database followed by the name of your Active Directory
domain (i.e. <ORACLEDB>.<DOMAIN>). The HOST parameter should be set to
the machine name or IP address of the server where the Oracle database server is
running. Samples of the various configuration files are included in the Appendix
of this document.
If you have made changes to the Oracle database configuration files, it is recommended
that you restart the Oracle database and the Oracle listener.
Connect to Oracle database as sysdba:
$ sqlplus "sys as sysdba"
SQL*Plus: Release 10.2.0.1.0 - Production on Thu Dec 21 12:40:44 2006
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
Enter password:
Connected to:
Oracle10g Release 10.2.0.1.0 - Production
JServer Release 10.2.0.1.0 - Production
SQL>
Shutdown the database with the following command:
SQL> shutdown;
Database shutdown
Restart the database with the following command:
SQL> startup;
Database started
Exit sqlplus with the following command:
SQL> exit;
Then, restart the Oracle database listener using the following commands:
$ lsnrctl stop
$ lsnrctl start
Oracle database should now be correctly configured to use Centrify DirectControl to
manage external Kerberos-based authentication.
4.2 Check Availability of the Kerberos Ticket
Perform the following steps on the Linux or UNIX server:
Centrify DirectControl enables an Active Directory domain user, such as “jeff_hay”, to
seamlessly log onto the Linux or UNIX system.
When connecting with an AD user to a Linux/UNIX computer, you can check if you have
a valid Ticket Granting Ticket (TGT) with the oklist command. For example:
[jeff_hay@rhel4 ~]$ oklist
Kerberos Utilities for Linux: Version 10.2.0.1.0 - Production on 22-DEC-2006 17:49:59
Copyright (c) 1996, 2004 Oracle. All rights reserved.
Ticket cache: /tmp/krb5cc_10002
Default principal: jeff_hay@SEDOMAIN.COM
Valid Starting          Expires                 Principal
22-Dec-2006 17:51:09    23-Dec-2006 01:48:22    krbtgt/SEDOMAIN.COM@SEDOMAIN.COM
If you do not have a ticket, you can create one for the sample user “jeff_hay” with the
okinit command. For example:
[jeff_hay@rhel4 ~]$ okinit jeff_hay@SEDOMAIN.COM
Kerberos Utilities for Linux: Version 10.2.0.1.0 - Production on 22-AUG-2006 17:51:53
Copyright (c) 1996, 2004 Oracle. All rights reserved.
Password for jeff_hay@SEDOMAIN.COM:
You can also check the encryption types in the Oracle keytab file by running the following
klist command as the oracle user:
klist -kte /home/app/oracle/db_1/ORACLE.keytab
You should see output similar to the following after running the klist command:
Keytab name: FILE:/home/app/oracle/db_1/ORACLE.keytab
KVNO Timestamp         Principal
---- ----------------- -----------------------------------
   2 12/22/06 07:35:27 ORACLE/rhel4.sedomain.com@SEDOMAIN.COM (DES cbc mode with RSA-MD5)
   2 12/22/06 07:35:27 ORACLE/rhel4@SEDOMAIN.COM (DES cbc mode with RSA-MD5)
   2 12/22/06 07:35:28 ORACLE@SEDOMAIN.COM (DES cbc mode with RSA-MD5)
   2 12/22/06 07:35:28 ORACLE/rhel4.sedomain.com@SEDOMAIN.COM (DES cbc mode with CRC-32)
   2 12/22/06 07:35:28 ORACLE/rhel4@SEDOMAIN.COM (DES cbc mode with CRC-32)
   2 12/22/06 07:35:28 ORACLE@SEDOMAIN.COM (DES cbc mode with CRC-32)
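The keytab listing above can be checked mechanically rather than by eye. The following Python script is an added example, not code from Centrify or Oracle: it parses constructed klist -kte output in the format shown above, confirms that the principal a client will request (the value of SQLNET.AUTHENTICATION_KERBEROS5_SERVICE, a slash, the HOST from tnsnames.ora, and the realm) is present, lists the encryption types stored for it, and flags a keytab whose entries carry different key version numbers, which usually means a stale keytab. Service, host and realm values are assumptions taken from this document's example environment.

```python
import re
from typing import List, Tuple

# Constructed sample: the "klist -kte" listing shown above, one entry per line.
KLIST_OUTPUT = """\
Keytab name: FILE:/home/app/oracle/db_1/ORACLE.keytab
KVNO Timestamp         Principal
---- ----------------- -----------------------------------
   2 12/22/06 07:35:27 ORACLE/rhel4.sedomain.com@SEDOMAIN.COM (DES cbc mode with RSA-MD5)
   2 12/22/06 07:35:27 ORACLE/rhel4@SEDOMAIN.COM (DES cbc mode with RSA-MD5)
   2 12/22/06 07:35:28 ORACLE@SEDOMAIN.COM (DES cbc mode with RSA-MD5)
   2 12/22/06 07:35:28 ORACLE/rhel4.sedomain.com@SEDOMAIN.COM (DES cbc mode with CRC-32)
   2 12/22/06 07:35:28 ORACLE/rhel4@SEDOMAIN.COM (DES cbc mode with CRC-32)
   2 12/22/06 07:35:28 ORACLE@SEDOMAIN.COM (DES cbc mode with CRC-32)
"""

# One keytab entry: KVNO, date, time, principal, then "(enctype description)".
ENTRY = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((.+)\)\s*$")


def parse_klist(text: str) -> List[Tuple[int, str, str]]:
    """Return (kvno, principal, enctype) for each entry; header and separator
    lines do not match the pattern and are skipped."""
    entries: List[Tuple[int, str, str]] = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def enctypes_for(entries: List[Tuple[int, str, str]], principal: str) -> List[str]:
    """Sorted encryption types stored in the keytab for one principal."""
    return sorted({enc for _, name, enc in entries if name == principal})


def check_keytab(entries: List[Tuple[int, str, str]], service: str,
                 host: str, realm: str) -> List[str]:
    """Findings (empty list = OK). Kerberos principal names are case-sensitive,
    so `service` must be spelled exactly as in sqlnet.ora and `host` exactly as
    the HOST value clients resolve; the realm is the AD domain in upper case."""
    findings: List[str] = []
    wanted = f"{service}/{host}@{realm}"
    if not enctypes_for(entries, wanted):
        findings.append(f"no keytab entry for {wanted}")
    kvnos = sorted({kvno for kvno, _, _ in entries})
    if len(kvnos) > 1:
        # Every entry was written in one run, so one KVNO is expected; a mix
        # means old keys are still present and the keytab should be regenerated.
        findings.append(f"keytab mixes key versions {kvnos}")
    return findings


if __name__ == "__main__":
    keytab = parse_klist(KLIST_OUTPUT)
    print(check_keytab(keytab, "ORACLE", "rhel4.sedomain.com", "SEDOMAIN.COM"))
    print(enctypes_for(keytab, "ORACLE/rhel4.sedomain.com@SEDOMAIN.COM"))
```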
4.3 Creating Oracle Database User Accounts for AD Users
For Active Directory domain users to be able to connect to Oracle database, they must
have a local account created in the Oracle database and granted appropriate rights. There
are many solutions that can be leveraged to automate this process such as Microsoft
Identity Integration Server with the Oracle provisioning agent.
The following steps are required to enable an Oracle Database user with the login name
“jeff_hay” in the domain “SEDOMAIN.COM” to connect to Oracle.
1. Log in as the oracle user and connect to Oracle as sysdba:
$ sqlplus "sys as sysdba"
SQL*Plus: Release 10.2.0.1.0 - Production on Thu Dec 22 12:24:44 2006
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
Enter password:
Connected to:
Oracle10g Release 10.2.0.1.0 - Production
JServer Release 10.2.0.1.0 - Production
SQL>
2. Create the user with the following command:
SQL> create user "JEFF_HAY@SEDOMAIN.COM" identified \
externally;
User created.
3. Grant rights to the user with the following command:
SQL> grant connect, resource to \
"JEFF_HAY@SEDOMAIN.COM";
Grant succeeded.
Note: Lines ending with a backslash (\) should append the contents of the next
line.
Note: The full username should be in uppercase.
Every user in the Active Directory domain that requires access to Oracle database must
have an account created in the Oracle database and have the appropriate rights granted.
If the user already has a non-Kerberos-enabled account in Oracle database, then a new
account will need to be created using the Kerberos format and syntax noted above (i.e.
<USER>@<DOMAIN>) and the appropriate access rights and settings will need to be
applied to the new account.
4.4 Multiple Instances of Oracle Database on a Single Computer
This optional step applies only if you are using multiple instances of Oracle databases on
a single Linux or UNIX system.
Multiple instances of Oracle database can be installed on a single computer. It is entirely
possible to have a TEST and DEV instance running concurrently, with the TEST instance
using Centrify as its authentication mechanism, while the DEV instance still uses the
default Oracle authentication mechanism.
The type of authentication mechanism used is set in the Oracle configuration file called
$ORACLE_HOME/network/admin/sqlnet.ora. As each Oracle instance has its own
sqlnet.ora file, it is not very difficult to set up each instance with a different mechanism.
In the following example, the TEST instance is configured to use KERBEROS5, and DEV
to use the standard Oracle authentication mechanism.
Extract of sqlnet.ora of instance TEST:
SQLNET.AUTHENTICATION_SERVICES= (KERBEROS5, BEQ)
SQLNET.KERBEROS5_CONF=/etc/krb5.conf
SQLNET.KERBEROS5_KEYTAB=\
/home/app/oracle/db_1/ORACLETEST.keytab
Extract of sqlnet.ora of instance DEV:
SQLNET.AUTHENTICATION_SERVICES= (BEQ)
Note: Lines ending with a backslash (\) should append the contents of the next line.
4.5 Working with Oracle on Solaris 10
If you are installing Oracle server on Solaris 10, you will need to ensure that the path to
the krb5.conf file is defined correctly. Use the same steps as described for setting up the
Linux server in section 4 but ensure that you replace all instances of
/etc/krb5.conf with /etc/krb5/krb5.conf in the appropriate steps (i.e.
section 4.1.4 - step #3 and 4.1.5 - step #1).
5 Client Configuration and Testing
5.1 Linux / UNIX client configuration
The following steps illustrate how to set up a Single Sign-On session from a Linux client
using a UNIX-based Oracle database server. The Oracle Database SSO capabilities are
enabled via the Centrify DirectControl client authentication services on the Linux client
and the Centrify DirectControl services on the UNIX server. In this example, we assume
the Oracle client has been installed on Linux or UNIX with the Oracle Advanced Security
Option installed, and the authentication mechanism configured to use KERBEROS5. This
option links the Oracle binaries with Kerberos libraries.
We also assume that Centrify DirectControl 4.x (or above) is installed, and that the Linux
/ UNIX system has joined the Active Directory domain.
For testing purposes, you can use the Linux server where the Oracle database server is
installed, since the default installation of Oracle database server also installs the Oracle
client software. If you use the same server for your tests, then no additional configuration
steps beyond what was done in section 4 are required.
If you are using a different Linux or UNIX system to test the Oracle Database SSO client
capabilities, then the Oracle database client needs three configuration files to be
configured. These configuration changes are similar to the changes that were made on the
Linux server in section 4 above. Complete the following steps on the Linux client system.
1. Ensure that you have set up the various Oracle environment variables correctly
on the client system. The steps to do this are the same as what is described in
section 4.1.1 above.
2. Stop the adclient using
adclient -x
3. Edit the /etc/centrifydc/centrifydc.conf file and change the setting for the
following parameters:
# Number of keytable entries to be kept for a principal
adclient.krb5.keytab.entries: 1
# Additional service principals for key table entry
adclient.krb5.service.principals: ftp cifs nfs ORACLE
# Encryption types supported for getting tickets.
adclient.krb5.tkt.encryption.types: des-cbc-md5 \
des-cbc-crc arcfour-hmac-md5
# Encryption types permitted in client credentials.
adclient.krb5.permitted.encryption.types: \
des-cbc-md5 des-cbc-crc \
arcfour-hmac-md5 arcfour-hmac-exp
Note: Lines ending with a backslash (\) should append the contents of the next
line.
Note: If you leave the domain and join it again, you will need to double check
that these parameters have not been changed back to the default settings.
4. Edit the file /etc/krb5.conf and ensure that the following entries exist and have
the correct settings:
[libdefaults]
default_tgs_enctypes = des-cbc-md5 des-cbc-crc \
arcfour-hmac-md5
default_tkt_enctypes = des-cbc-md5 des-cbc-crc \
arcfour-hmac-md5
permitted_enctypes = des-cbc-md5 des-cbc-crc \
arcfour-hmac-md5 arcfour-hmac-exp
passwd_check_s_address = true
ccache_type = 3
Note: Lines ending with a backslash (\) should append the contents of the next
line.
Note: If you leave the domain and join it again, you will need to double check
that these parameters have not been changed back to the default settings.
5. Restart adclient using:
adclient -F
6. We now need to modify the Oracle SQLNET configuration file to enable the
correct Kerberos operation. On the Linux client, edit the file
$ORACLE_HOME/network/admin/sqlnet.ora and ensure that the following
changes are made:
NAMES.DEFAULT_DOMAIN = SEDOMAIN.COM
SQLNET.AUTHENTICATION_SERVICES=(BEQ, KERBEROS5)
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=ORACLE
SQLNET.KERBEROS5_CONF=/etc/krb5.conf
SQLNET.KERBEROS5_CONF_MIT=TRUE
Other Oracle SQLNET attributes should be the same as the settings on the
Linux/UNIX server where Oracle database is installed.
Note: Make the appropriate changes to these files based on your local
environment.
Note: On Solaris, the path to the Kerberos configuration file is different. On
Solaris, the following setting should be used in the sqlnet.ora file:
SQLNET.KERBEROS5_CONF=/etc/krb5/krb5.conf
5.2 Testing the Oracle Database SSO capabilities on Linux / UNIX
We’re now ready to test the Oracle Database Single Sign-On capability from the Linux /
UNIX client using the sqlplus client program. If this test is successful, it should prove
that the SSO capabilities are running for a certain Linux / UNIX user.
To execute the test, complete the following steps:
1. Log into the Linux / UNIX client as an Active Directory user that was setup in the
Oracle database as defined in section 4.3 above.
2. Check that you have a valid Ticket Granting Ticket (TGT) with the oklist
command:
[jeff_hay@rhel4 ~]$ oklist
Kerberos Utilities for Linux: Version 10.2.0.1.0 - Production on 22-DEC-2006 17:49:59
Copyright (c) 1996, 2004 Oracle. All rights reserved.
Ticket cache: /tmp/krb5cc_10002
Default principal: jeff_hay@SEDOMAIN.COM
Valid Starting          Expires                 Principal
22-Dec-2006 17:51:09    23-Dec-2006 01:48:22    krbtgt/SEDOMAIN.COM@SEDOMAIN.COM
3. If you do not have a ticket, you can create one for the sample user “jeff_hay”
with the okinit command:
[jeff_hay@rhel4 ~]$ okinit jeff_hay@SEDOMAIN.COM
Kerberos Utilities for Linux: Version 10.2.0.1.0 - Production on 22-DEC-2006 17:51:53
Copyright (c) 1996, 2004 Oracle. All rights reserved.
Password for jeff_hay@SEDOMAIN.COM:
Now, re-run the oklist command. You should see at least a krbtgt ticket for your
domain to continue the test.
4. Run $ORACLE_HOME/bin/sqlplus /@orcl to access the Oracle SQL
command line environment (replacing orcl with the appropriate instance name
for your setup).
$ sqlplus /@orcl
SQL*Plus: Release 10.2.0.1.0 - Production on Thu Dec 21 11:36:09 2006
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
Connected to:
Oracle10g Release 10.2.0.1.0 - Production
JServer Release 10.2.0.1.0 - Production
SQL>
5. Run the SQL command ‘show user’ to display the current SQLplus session user,
as shown below.
$ sqlplus /@orcl
SQL*Plus: Release 10.2.0.1.0 - Production on Thu Dec 21 11:36:09 2006
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
Connected to:
Oracle9i Release 10.2.0.1.0 - Production
JServer Release 10.2.0.1.0 - Production
SQL> show user;
USER is JEFF_HAY@SEDOMAIN.COM
SQL>
The Linux user jeff_hay, used for this example, is registered in the Oracle
database as user “JEFF_HAY@SEDOMAIN.COM”.
The above successful test result demonstrates that the Oracle Database Single Sign-On capability for a Linux/UNIX Oracle database client
connecting to a Linux/UNIX-based Oracle database server is functioning
properly.
5.3 Windows Client Configuration
The following steps illustrate how to set up a Single Sign-On session from a Windows
client to a UNIX-based Oracle database server. The Oracle Database SSO capabilities are
enabled via the native Active Directory / Kerberos authentication services on the
Windows client and the Centrify DirectControl services on the UNIX system. In this
example, we assume the Oracle database client and the Oracle Advanced Security Option
client software has been installed on Windows XP. These steps will configure the client to
use the KERBEROS5 authentication option. This will enable the Oracle binaries to work
with the Kerberos libraries.
To enable Kerberos-based authentication, the Oracle database client needs two
configuration files to exist with the following settings.
1. The Kerberos configuration file (krb5.ini in this example) needs to be created if
it does not already exist. It is used by the Oracle client for finding the location of
the KDC (Key Distribution Center) server and the Kerberos realm.
On Windows 2000, the path for this file is normally C:\WINNT\krb5.ini
On Windows XP, the path for this file is normally C:\WINDOWS\krb5.ini
For example, using our environment, the file would contain the following lines:
Parameters In File: C:\WINDOWS\krb5.ini
[realms]
SEDOMAIN.COM = {
  kdc = w2k3ad.sedomain.com:88
  # Following 3 lines are optional and not necessary
  # master_kdc = w2k3ad.sedomain.com:88
  # kpasswd = w2k3ad.sedomain.com:464
  # kpasswd_server = w2k3ad.sedomain.com:464
}
[domain_realm]
sedomain.com = SEDOMAIN.COM
Note: Double check to ensure that the krb5.ini configuration file created does
not have a “.txt” extension by default, if using Notepad to create the file.
The main information in this file is the name of the Active Directory domain
controller that is used by the Windows client. The domain controller is also the
KDC for the Kerberos environment. The kdc setting needs to point to the fully
qualified domain name of your KDC. Change the appropriate settings above for
your setup being sure to maintain the correct case for any changes. For example,
SEDOMAIN.COM should be replaced with the name of your Active Directory
domain.
2. The Oracle SQLNET configuration file on the Windows client needs to be
configured correctly. This file needs to be updated so that the Kerberos adapter
on the client is used to talk to the Oracle service running on the UNIX server.
Besides the common Oracle network configuration settings, the following settings
would be required in the $ORACLE_HOME\NETWORK\ADMIN\sqlnet.ora
file using our example environment:
Parameters In File: $ORACLE_HOME\NETWORK\ADMIN\sqlnet.ora
NAMES.DEFAULT_DOMAIN = SEDOMAIN.COM
SQLNET.AUTHENTICATION_SERVICES=(BEQ, KERBEROS5)
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=ORACLE
SQLNET.KERBEROS5_CONF=C:\WINDOWS\krb5.ini
SQLNET.KERBEROS5_CONF_MIT=TRUE
SQLNET.KERBEROS5_CC_NAME=OSMSFT://
Most of the SQLNET attributes are usually the same as the settings on the server
system. The important additional information for the Oracle client is the
KERBEROS5_CC_NAME attribute which has to be set with the value OSMSFT://. This parameter enables the use of the integrated Kerberos ticket
cache in Windows.
Change the appropriate settings above for your setup being sure to maintain the
correct case for any changes. For example, SEDOMAIN.COM should be replaced
with the name of your Active Directory domain. The parameter
SQLNET.KERBEROS5_CONF describes the full path to the krb5.ini file, as
described in the previous step. Note that this path is different depending on
whether you are using Windows 2000 or Windows XP.
3. The Oracle tnsnames configuration file should already be configured properly if
you have a functional Oracle database environment. Using our example settings
in this document, the $ORACLE_HOME/NETWORK/ADMIN/tnsnames.ora file would include the following database entry:
Parameters In File: $ORACLE_HOME\NETWORK\ADMIN\tnsnames.ora
ORCL.SEDOMAIN.COM =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP) \
        (HOST = rhel4.sedomain.com) (PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = ORCL.SEDOMAIN.COM)
    )
  )
Lines ending with a backslash (\) should append the contents of the next line.
Note: Make the appropriate changes to each of these files based on your local
environment. For example, ORCL.SEDOMAIN.COM should be replaced with the
name of your Oracle database followed by the name of your Active Directory
domain (i.e. <ORACLEDB>.<DOMAIN>). The HOST parameter should be set to
the machine name or IP address of the server where the Oracle database server is
running. Samples of the various configuration files are included in the Appendix
of this document.
5.4 Testing the Oracle Database SSO capabilities on Windows
We’re now ready to test the Oracle Database Single Sign-On capability from the Windows
client using the Windows SQLplus client.
If this test is successful, it should prove that the Oracle Database SSO capabilities are
functioning properly for this Windows user.
To execute the test, complete the following steps:
1. Log into the Windows laptop / desktop as an Active Directory user that was setup
in the Oracle database as defined in section 4.3 above.
2. Create a shortcut icon to Oracle SQLplus Windows client on the Windows
desktop:
$ORACLE_HOME\bin\sqlplusw.exe
The sqlplus command may also be run from the command prompt for this test.
3. Modify the SQLplus shortcut icon properties as shown below. The Target field
should be updated so that the sqlplusw.exe command connects to a defined
Oracle service (orcl in our example).
Figure 5-1 Windows SQLplusw Shortcut Properties
Note the change in the Target entry above – to add “ /@orcl” at the end.
4. Open a command prompt and run $ORACLE_HOME\bin\oklist to show the
user’s Kerberos tickets. Output similar to the following should be displayed:
Figure 5-2 Output from the oklist command on a Windows client
The win2kcc parameter values above show that we are using the integrated
Windows system Kerberos cache for the user jeff.hay in the Active Directory
domain. You should see at least the krbtgt ticket for the specified domain.
Note: References to CONTOSO.COM in the figure above are to be replaced by
SEDOMAIN.COM in our example.
5. Finally, to run the actual Oracle Database SSO test, double click the sqlplusw
icon. This should connect you in Oracle Database SSO mode to the Oracle
database server. Output should be similar to the screenshot below:
Figure 5-3 Connecting to the Oracle Database in SSO mode using SQLplusw
The figure above shows a successful connect to the Oracle database.
This shows that we logged into the Oracle database server on UNIX in SSO mode.
The original credentials that were used to log into Windows were forwarded to
the Oracle server. You should connect without any errors and you should not be
prompted to provide a username or password. If that is not the case, then the
complete SSO settings need to be reviewed.
The same test may also be run in a command prompt by entering the following
command:
> sqlplus /@orcl
6. Running the SQL command ‘show user’ displays the current SQLplusw session
user as shown below.
Figure 5-4 SQLplus Current Oracle Database SSO User
The Windows user jeff.hay, used for our example, is registered in the Oracle
database as user “JEFF.HAY@SEDOMAIN.COM” in the specified Kerberos
realm. (Note: References to CONTOSO.COM in the figure above are to be
replaced by SEDOMAIN.COM in our example.)
The above successful test result demonstrates that the Oracle Database Single Sign-On capability for a Windows Oracle client connecting to a
UNIX-based Oracle database server is functioning properly.
6 Troubleshooting
For troubleshooting, the following Trace Level entries may optionally be added to the
Server and Client systems, if needed.
Server Tracing – Parameters in sqlnet.ora on Database Server System
#TRACE_LEVEL_SERVER = 16
#TRACE_FILE_SERVER = SVR
#TRACE_DIRECTORY_SERVER = /u01/tmp/tar
#TRACE_TIMESTAMP_SERVER = ON
Client Tracing – Parameters in sqlnet.ora on Database Client System
#TRACE_LEVEL_CLIENT = 16
#TRACE_FILE_CLIENT = CLI
#TRACE_DIRECTORY_CLIENT = c:\tmp
#TRACE_UNIQUE_CLIENT = ON
#TRACE_TIMESTAMP_CLIENT = ON
#TNSPING.TRACE_LEVEL = 16
#TNSPING.TRACE_DIRECTORY = c:\tmp
Note: During testing, if it is needed to turn Tracing ON, the “#” sign in front of the above
entries needs to be removed.
Common Errors Encountered
Some of the common errors encountered during testing of the “sqlplus /@orcl”
command are listed below:
• ORA-12638: Credential retrieval failed
• ORA-12637: Packet receive failed
For most such errors, please first double-check all entries in all parameter files, as
described earlier in this document. Also ensure that the clock skew between the Windows
and Linux systems is not big (should be less than a minute or two at most). Also check
that the domain names and entries are specified correctly.
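The advice above to double-check every parameter file can be scripted. The following Python program is an added example, not Centrify's or Oracle's code: it parses sqlnet.ora text (honouring the backslash line-continuation convention used throughout this document) and checks the Kerberos settings against what sections 4.1, 4.5, 5.1 and 5.3 require for the database server, a Linux/UNIX client (including the Solaris krb5.conf path) and a Windows client. The file contents are constructed from this document's examples; the role names and finding messages are the example's own.

```python
import re
from typing import Dict, List

# Constructed sample: the database server sqlnet.ora from section 4.1,
# including a backslash-continued line exactly as the notes describe it.
SERVER_SQLNET = """\
NAMES.DEFAULT_DOMAIN = SEDOMAIN.COM
SQLNET.KERBEROS5_CONF=/etc/krb5.conf
SQLNET.KERBEROS5_KEYTAB=\\
/home/app/oracle/db_1/ORACLE.keytab
SQLNET.KERBEROS5_CONF_MIT=TRUE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=ORACLE
SQLNET.AUTHENTICATION_SERVICES=(BEQ, KERBEROS5, ALL)
"""

# Constructed sample: a Windows client sqlnet.ora (section 5.3) with the
# SQLNET.KERBEROS5_CC_NAME line accidentally left out.
WINDOWS_CLIENT_SQLNET = """\
NAMES.DEFAULT_DOMAIN = SEDOMAIN.COM
SQLNET.AUTHENTICATION_SERVICES=(BEQ, KERBEROS5)
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=ORACLE
SQLNET.KERBEROS5_CONF=C:\\WINDOWS\\krb5.ini
SQLNET.KERBEROS5_CONF_MIT=TRUE
"""


def parse_sqlnet(text: str) -> Dict[str, str]:
    """Parse PARAMETER = VALUE lines into a dict with upper-cased keys.
    A line ending in a backslash is joined with the next line, as the notes
    in this document describe. Comment (#) and blank lines are ignored."""
    params: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip().upper()] = value.strip()
    return params


def auth_services(params: Dict[str, str]) -> List[str]:
    """Turn '(BEQ, KERBEROS5, ALL)' into ['BEQ', 'KERBEROS5', 'ALL']."""
    raw = re.sub(r"[()]", "", params.get("SQLNET.AUTHENTICATION_SERVICES", ""))
    return [s.strip().upper() for s in raw.split(",") if s.strip()]


def check_sqlnet(params: Dict[str, str], role: str,
                 solaris: bool = False) -> List[str]:
    """Return findings; an empty list means the file matches this document.
    role is 'server' (section 4.1), 'linux_client' (5.1) or 'windows_client' (5.3)."""
    findings: List[str] = []
    if "KERBEROS5" not in auth_services(params):
        findings.append("SQLNET.AUTHENTICATION_SERVICES does not list KERBEROS5")
    if params.get("SQLNET.KERBEROS5_CONF_MIT", "").upper() != "TRUE":
        findings.append("SQLNET.KERBEROS5_CONF_MIT must be TRUE (MIT-style krb5.conf)")
    # The service name is case-sensitive: it is the first part of the keytab principal.
    if params.get("SQLNET.AUTHENTICATION_KERBEROS5_SERVICE", "") != "ORACLE":
        findings.append("SQLNET.AUTHENTICATION_KERBEROS5_SERVICE must be ORACLE, "
                        "the service name of the keytab principal")
    conf = params.get("SQLNET.KERBEROS5_CONF", "")
    if role == "windows_client":
        if not conf.lower().endswith("krb5.ini"):
            findings.append("SQLNET.KERBEROS5_CONF should point at the krb5.ini file")
        if params.get("SQLNET.KERBEROS5_CC_NAME") != "OSMSFT://":
            findings.append("SQLNET.KERBEROS5_CC_NAME=OSMSFT:// is missing; the Windows "
                            "ticket cache will not be used")
    else:
        expected = "/etc/krb5/krb5.conf" if solaris else "/etc/krb5.conf"
        if conf != expected:
            findings.append(f"SQLNET.KERBEROS5_CONF is {conf!r}, expected {expected!r}")
    if role == "server" and not params.get("SQLNET.KERBEROS5_KEYTAB"):
        findings.append("SQLNET.KERBEROS5_KEYTAB is not set on the database server")
    return findings


if __name__ == "__main__":
    for label, text, role in [("server", SERVER_SQLNET, "server"),
                              ("windows client", WINDOWS_CLIENT_SQLNET, "windows_client")]:
        problems = check_sqlnet(parse_sqlnet(text), role)
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```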
Other common database-related errors encountered are:
• TNS: Protocol error
• Package not found: libaio
• Okinit: Generic error
Note: For additional troubleshooting information, please refer to the Oracle Database
Installation and Administrators Guides, or contact Oracle Technical Support for Oracle
database-specific issues.
7 Summary
After successfully completing the steps outlined in this Application Note, an Oracle Database Single Sign-On environment that leverages Active Directory-based
Kerberos v5 authentication for both Windows and Linux / UNIX should now be
available.
By using Centrify DirectControl 4.x (or higher) and Oracle Database Enterprise Edition
10g (10.2.0.1 or higher) with the Advanced Security Option, in offering this solution,
Centrify provides the enhanced capabilities to seamlessly centralize database
authentication and access control for Windows and Linux / UNIX environments,
resulting in a more secure and manageable database environment.
For more information on Centrify and Centrify DirectControl, please call + 1 (650) 961-
1100 or email info@centrify.com.
Appendix
Sample Linux server configuration files
Sample krb5.conf file:
[libdefaults]
default_realm = SEDOMAIN.COM
default_tgs_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5
default_tkt_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5
permitted_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5 \
arcfour-hmac-exp
passwd_check_s_address = true
ccache_type = 3
dns_lookup_realm = false
dns_lookup_kdc = false
[domain_realm]
w2k3ad.sedomain.com = SEDOMAIN.COM
rhel4.sedomain.com = SEDOMAIN.COM
[realms]
SEDOMAIN.COM = {
  kdc=w2k3ad.sedomain.com:88
  master_kdc=w2k3ad.sedomain.com:88
  kpasswd=w2k3ad.sedomain.com:464
  kpasswd_server=w2k3ad.sedomain.com:464
}
Sample sqlnet.ora file:
NAMES.DIRECTORY_PATH= (TNSNAMES, ONAMES, HOSTNAME)
NAMES.DEFAULT_DOMAIN = SEDOMAIN.COM
SQLNET.KERBEROS5_CONF=/etc/krb5.conf
SQLNET.KERBEROS5_KEYTAB=/home/app/oracle/db_1/ORACLE.keytab
SQLNET.KERBEROS5_CONF_MIT=TRUE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=ORACLE
SQLNET.AUTHENTICATION_SERVICES=(BEQ, KERBEROS5, ALL)
Sample tnsnames.ora file:
ORCL.SEDOMAIN.COM =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP) \
        (HOST = rhel4.sedomain.com) (PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = ORCL.SEDOMAIN.COM)
    )
  )
EXTPROC_CONNECTION_DATA =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = IPC) (KEY = EXTPROC1))
    )
    (CONNECT_DATA =
      (SID = PLSExtProc)
      (PRESENTATION = RO)
    )
  )
Sample listener.ora file:
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = IPC) (KEY = EXTPROC))
      )
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCP) \
          (HOST = rhel4.sedomain.com) (PORT = 1521))
      )
    )
  )
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (ORACLE_HOME = /home/app/oracle/db_1)
      (PROGRAM = extproc)
    )
    (SID_DESC =
      (GLOBAL_DBNAME = ORCL.SEDOMAIN.COM)
      (ORACLE_HOME = /home/app/oracle/db_1)
      (SID_NAME = orcl)
    )
  )
Sample Windows client configuration files
Sample krb5.ini file:
[realms]
SEDOMAIN.COM = {
  kdc = w2k3ad.contoso.com:88
}
[domain_realm]
sedomain.com = SEDOMAIN.COM
Sample sqlnet.ora file:
NAMES.DIRECTORY_PATH= (TNSNAMES, LDAP, EZCONNECT)
NAMES.DEFAULT_DOMAIN = sedomain.com
SQLNET.AUTHENTICATION_SERVICES=(BEQ, KERBEROS5)
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=ORACLE
SQLNET.KERBEROS5_CONF=C:\WINDOWS\krb5.ini
SQLNET.KERBEROS5_CONF_MIT=TRUE
SQLNET.KERBEROS5_CC_NAME=OSMSFT://
Sample tnsnames.ora file:
ORCL.SEDOMAIN.COM =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP) \
        (HOST = rhel4.sedomain.com) (PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = ORCL.SEDOMAIN.COM)
    )
  )
EXTPROC_CONNECTION_DATA =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = IPC) (KEY = EXTPROC1))
    )
    (CONNECT_DATA =
      (SID = PLSExtProc)
      (PRESENTATION = RO)
    )
  )
Further reading
For further information on setting up Oracle database, please see the following
documentation and training materials provided by Oracle:
• Oracle Database Administrator's Guide
• Oracle Database Server Quick Installation Guide for Linux x86
• Client Quick Installation Guide for Linux x86
• Client Quick Installation Guide for Microsoft Windows
• Oracle Database Advanced Security Administrator’s Guide
• Getting Started with Oracle Enterprise Manager
• Oracle Identity Management Training
Oracle documents can be found on www.oracle.com/pls/db102/homepage.
Additional information on Centrify DirectControl can be found on www.centrify.com and
on your Centrify installation media.
Legal Notices
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Centrify Corporation.
Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Centrify, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2007-2008 Centrify Corporation. All rights reserved.
Centrify and DirectControl are trademarks of Centrify Corporation in the United States and/or other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.