Page 1 (source: community.centrify.com/centrify/attachments/centrify/bd…, 2015-08-26)

© COPYRIGHT 2007 CENTRIFY CORPORATION. ALL RIGHTS RESERVED. 1

APPLICATION NOTE

Oracle Database Single Sign-On with Centrify DirectControl

Using Centrify DirectControl with Oracle Database Authentication

Last Updated: August 2008

Abstract

The goal of this Application Note is to offer a solution to allow Microsoft Active Directory users to

be authenticated seamlessly into Oracle databases running on Linux or UNIX platforms leveraging

their Active Directory Kerberos v5 user credentials, without requiring the users to enter their

username and password. By using Active Directory as the centralized authentication system for

Linux or UNIX systems, as well as for Oracle databases, the benefits of seamless centralized access

control are realized, using a well-established secure authentication mechanism.

Centrify DirectControl is used to provide Active Directory-based identity, access control and policy

services for Linux, UNIX and Mac systems, as well as for web applications running on these

platforms. This Application Note describes the steps to be performed to extend DirectControl’s

authentication services to Oracle databases running on Linux or UNIX.


Contents

1 Architectural Overview ..... 3
  1.1 Introduction ..... 3
  1.2 Oracle Database Single Sign-On using Kerberos ..... 3
  1.3 Oracle Advanced Security Option (ASO) ..... 4
2 Requirements and Prerequisites ..... 6
  2.1 Windows Server and Client ..... 6
  2.2 Linux or UNIX ..... 7
  2.3 Oracle Database Server 10g (10.2.0.1) ..... 8
  2.4 Centrify DirectControl Agent for Systems ..... 10
  2.5 Other Requirements ..... 10
3 Working with Oracle 9 through 10.1.1 ..... 11
4 Oracle Database Server Configuration ..... 12
  4.1 Oracle Server Configuration on Red Hat Enterprise Linux 4 ..... 12
    4.1.1 Oracle database environment setup ..... 12
    4.1.2 Verification of the Oracle Advanced Security Option ..... 13
    4.1.3 Configuring Oracle Boot Parameters ..... 14
    4.1.4 Configuring Kerberos authentication in Oracle database with DirectControl ..... 15
    4.1.5 Checking the configuration of the Oracle *.ora files ..... 17
  4.2 Check Availability of the Kerberos Ticket ..... 19
  4.3 Creating Oracle Database User Accounts for AD Users ..... 20
  4.4 Multiple Instances of Oracle Database on a Single Computer ..... 21
  4.5 Working with Oracle on Solaris 10 ..... 22
5 Client Configuration and Testing ..... 22
  5.1 Linux / UNIX client configuration ..... 22
  5.2 Testing the Oracle Database SSO capabilities on Linux / UNIX ..... 24
  5.3 Windows Client Configuration ..... 26
  5.4 Testing the Oracle Database SSO capabilities on Windows ..... 28
6 Troubleshooting ..... 32
7 Summary ..... 33
Appendix ..... 34
  Sample Linux server configuration files ..... 34
  Sample Windows client configuration files ..... 35
  Further reading ..... 37
Legal Notices ..... 37


1 Architectural Overview

1.1 Introduction

Multiple database authentication methods are currently supported for authenticating

users connecting to Oracle databases, including:

• Operating system authentication

• Network service authentication

• Using associated Oracle database

• Using a middle-tier application that performs database transactions on behalf of the user

The goal for the solution outlined in this document is to allow users to leverage their

Active Directory-based Kerberos v5 credentials (which are automatically provided to

them when they log into a system) and use those credentials to allow direct access to an

Oracle database. With this method a user is not required to provide a username and

password when they run an Oracle client application such as SQLplus. We refer to this

scenario as “Oracle Database Single Sign-On” or “Oracle DB SSO”.

In a pure Microsoft Windows environment, Oracle Database on Windows provides Single

Sign-On using Windows Native Authentication (Kerberos v5). As this is a standard

feature of Oracle database server on the Microsoft platform, this document does not

describe the detailed setup for a pure Windows environment. This may be found in the

Oracle documentation for Windows (i.e. “Oracle 10g Database for Windows – Getting

Started”).

In this document, we focus on using the Windows Native Authentication (Kerberos v5) in

a heterogeneous platform environment containing Windows workstations and Linux or

UNIX servers. The Oracle database server will run on a Linux or UNIX server, and the

Oracle database clients will be run on both Windows XP workstations as well as on Linux

or UNIX systems. In order for the Oracle database servers and clients to support

Kerberos v5 system authentication and the SSO functionality described here, both

DirectControl and the optional Oracle Advanced Security Option package must be

installed on all computers that will be running Oracle Database Enterprise Edition 10g.

1.2 Oracle Database Single Sign-On using Kerberos

The Kerberos v5 authentication mechanism requires that every component involved in a

database Single Sign-On session is able to handle Kerberos Authentication Messages and

Kerberos Service Tickets. In a Windows infrastructure, Active Directory provides the


Kerberos environment required to enable this level of single sign-on. However, on a

Linux or UNIX system that has Oracle database software installed on it, DirectControl

provides the Kerberos environment to enable the same single sign-on capabilities as the

Windows-only environment. The Oracle database server and Oracle database client are

Kerberos-enabled when using the optional Oracle Advanced Security Option package. The

figure below depicts the simplified SSO architecture of the implementation described in

this document.

Figure 1-1 Oracle SSO Architecture with Kerberos Authentication and Centrify DirectControl

1.3 Oracle Advanced Security Option (ASO)

Oracle Advanced Security Option (ASO) is a separately licensable component provided by

Oracle, and requires Oracle Database Enterprise Edition 10g to have been licensed and

installed. It enables advanced security features such as multiple strong authentication

mechanisms as well as transparent data encryption mechanisms.


The figure below depicts the ASO architecture:

Figure 1-2 Oracle Advanced Security Architecture (taken from the Oracle Advanced Security Administrator’s Guide)

Oracle Advanced Security Option supports authentication through adapters that are

similar to the existing Oracle protocol adapters. As shown in the next figure,

authentication adapters integrate with the Oracle Net interface and enable existing

applications to take advantage of new authentication systems transparently, without any

changes to the application.

Figure 1-3 Oracle Net with Authentication Adapters (from Oracle Advanced Security Administrator’s Guide)

For more information on Oracle Advanced Security Option, please see the Oracle

Advanced Security Administrator’s Guide, which can be downloaded from

http://download-west.oracle.com/docs/cd/B19306_01/network.102/b14268.pdf.


2 Requirements and Prerequisites

The following systems and software need to be set up and configured before proceeding

with the steps outlined later in this document.

The steps in this Application Note were only tested with the following systems in a test lab

environment:

• Windows domain controller – running on Windows Server 2003

• Oracle Database Enterprise Edition 10g (10.2.0.1) – installed on Red Hat Enterprise Linux 4

• Windows XP SP2 computer – with the Oracle Database 10g Client for Windows

• Red Hat Enterprise Linux 4 client with the Oracle Database 10g Client for Linux

• Centrify DirectControl 4.x (or above) – installed on Windows Server 2003 and Linux / UNIX systems

Note: While these instructions may work on other platforms, versions and configurations,

the information provided in this guide is for informational purposes only. Centrify does

not offer support for Oracle products.

For support with your DirectControl product (including Kerberos and Active Directory integration), contact Centrify support according to the terms of your licensing agreement. For help with Oracle, Advanced Security Option, Oracle RAC and other Oracle products and technologies, please contact Oracle directly. Services for additional troubleshooting and alternate configurations may be obtained from Centrify professional services.

2.1 Windows Server and Client

In order to demonstrate Single Sign-On using Active Directory user credentials, you will

need a working Active Directory environment with access to Users and Computers and

the appropriate administrator accounts to join new computers to the domain. In this

example you will need at a minimum one Windows 2003 Server configured as a Domain

Controller. If you already have a domain controller, you do not need any additional AD

components and do not need to modify the Active Directory infrastructure. You will also

need to set up a Windows Client with the “Oracle Client for Windows” software.

The following Windows commands are useful in obtaining and verifying Kerberos

credentials for users, once Oracle Database Client with Advanced Security Option is

installed on Windows, and Kerberos authentication is configured properly, as described

later in this document:

okinit


oklist

Note: There are some known issues in running the okinit command on Windows. Please

refer to the Oracle Database Administrators Guide or contact Oracle Support if needed, to

resolve this.

2.2 Linux or UNIX

This demonstration will use a Red Hat Enterprise Linux 4 Server configured to run the

Oracle Database Server. The server needs to be configured based on the

recommendations in the Oracle database installation guides. If you need to run on a

different platform, the setup and configuration specified in this document have also been

tested on Sun Solaris, AIX and HP-UX.

In addition, a Linux or UNIX client can optionally be set up to demonstrate Single Sign-On

access to the Linux or UNIX-based Oracle database server from a Linux or UNIX-based

client. The client system will need to have the Oracle Database Client software

installed on it as well as DirectControl in order to set up the proper AD Kerberos

environment. A single Linux or UNIX system may be used as both the server and client

for this configuration if additional hardware is not available.

The following Linux / UNIX commands are useful in verifying the environment settings,

and in creating and managing users and groups:

To check OS version:

uname -a

To check mounted file systems:

mount

To check disk space on mounted file systems:

df -h

To check physical memory available on Linux / UNIX:

free

To add users on Linux / UNIX:

useradd

To add groups on Linux / UNIX:

groupadd

To check a Linux / UNIX user’s profile:


id

To check for installed packages on Linux / UNIX:

rpm -qa

rpm -q <package-name> (e.g. rpm -q libaio)

Note: When installing Linux, it is important to ensure that all packages required for

properly running Oracle Database Enterprise Edition 10g are appropriately installed.

Selecting “Everything” during Linux install, when prompted to select packages, (shown at

the end of the list of available packages) is an easy way to ensure this.

Note: When installing Linux and the Oracle database server on it, it must be ensured

that the file system on which the Oracle database will be installed has plenty of disk space

available. Please refer to the “Oracle Database Installation Guide 10g R2 (10.2) for Linux”

for more information on this. If possible, it is recommended that at least 20 GB be

allocated to it, to avoid having to increase disk space later.

2.3 Oracle Database Server 10g (10.2.0.1)

This solution has been tested with Oracle Database Enterprise Edition 10g (10.2.0.1) and

should work on any newer version installed on a Linux or UNIX server.

Additionally, the Oracle Advanced Security Option (ASO) is required for this solution

since it provides the required Kerberos interfaces within Oracle Database to enable using

Kerberos for user authentication.

Note: Please refer to the Oracle Database Installation Guide to get a list of all required

Operating System packages.

Note: Please refer to the Oracle Database Installation and Administrator Guides to first

get the Oracle Database Server with Advanced Security Option and Oracle Database

Client installed and functioning properly.

The runInstaller utility, provided by Oracle, is used to install Oracle Database Server

and Client.

Note: Ensure that the oracle users have r+x permissions on the Oracle database home

directory.

The following sqlplus commands, run on the Linux / UNIX server where the Oracle database

server is installed as the Oracle database “owner” (e.g. oracle), are useful in verifying

that the Oracle database is running properly and in checking entries made in the database.

To connect to the Oracle database as SYS and run sqlplus commands:

sqlplus “sys as sysdba”


Connected to an idle instance

SQL> startup

Database started

SQL> show user;

User is SYS

SQL> desc all_tables;

SQL> select TABLE_NAME from all_tables;

SQL> create user oracle identified by oracle;

SQL> grant connect, resource to oracle;

SQL> desc all_users;

SQL> select USERNAME from all_users;

SQL> select NAME from user$;

SQL> select * from user$;

SQL> shutdown

Database shutdown

SQL> exit

Note: A normal user does not see all tables defined in the database, as seen by the

system user SYS.

To stop, start and check status of the Oracle Database Listener:

lsnrctl stop

lsnrctl start

lsnrctl status

The following Linux / UNIX commands are useful in obtaining and verifying Kerberos

credentials for users, once Kerberos authentication is configured properly, as described

later in this document:

okinit

oklist


Note: Please ensure that the users of oracle database have r+x permissions on the oracle

database home directory. Please refer to the Oracle Database Installation and

Administrator Guides for further information, if needed.

Note: Please refer to the “Oracle Database Installation Guide 10g R2 (10.2) for Linux”

and Oracle Database Administrator Guides to first get the Oracle Database Server and Oracle Database Client functioning properly, before proceeding further.

2.4 Centrify DirectControl Agent for Systems

Centrify DirectControl Console version 4.x (or above) will need to be installed on a

Windows computer where the administrator will manage the AD environment. You will

also need to install the DirectControl agent onto the Linux or UNIX system where Oracle

database server is installed in order to enable the system to join Active Directory,

enabling Kerberos trust between the systems. The Centrify utility adjoin is used to

accomplish this.

In addition, Centrify’s adkeytab utility is made available for the Linux / UNIX server as

part of Centrify DirectControl 4.x (or above). This tool is used to generate the keytab

file, as described later in this document.

The following Centrify utilities are useful in setting up and verifying the configuration

specified in this document.

adjoin

adkeytab

adclient

adinfo

2.5 Other Requirements

The Oracle Database Server and Client need to be configured to use Kerberos as the

authentication mechanism. This document includes the basic steps to set up Kerberos

authentication on both the server and the clients. Instructions are also provided on how

to set up an Oracle Service Account for Kerberos.

For more information on using Kerberos authentication with Oracle database, please

refer to the Oracle Advanced Security Administrator’s Guide.


Throughout this document, we will use the following parameters to illustrate how these

steps would apply to a real production environment. Obviously, these parameter settings

need to be substituted appropriately to reflect the real production environment:

Parameter                                      Value
Oracle database instance name                  orcl
Windows domain name                            sedomain.com
Oracle service account for Kerberos            ORACLE
ORACLE_HOME environment variable on Linux      /home/app/oracle/db_1
Linux server machine name                      rhel4
Oracle owner user account                      oracle
Oracle group used to install Oracle            oinstall
Test Oracle database user                      [email protected]
Windows Server 2003 machine name               w2k3ad

Note: Using appropriate consistent case in the various configuration files is critical for

most of these settings.

Note: Ensure that the Time (Clock) skews are very small between Windows Server

(running AD KDC), Windows Client, and Linux / UNIX Server and Client.

3 Working with Oracle 9 through 10.1.1

If you happen to be running a version of Oracle prior to 10.2.0.1, you will need to make a

change to your domain controllers to allow Kerberos tickets to be encrypted using the

DES-CBC-CRC method vs. the default ARCFOUR-HMAC-MD5.

Microsoft Support Note #833708 (http://support.microsoft.com/kb/833708) indicates

that by default, the Key Distribution Center (KDC) of Windows 2003 Server encrypts

tickets in arcfour-hmac-md5 format, even if the client asks for another

encryption type. A new registry key must be added to force it to use the requested

encryption type (e.g. DES-CBC-CRC) that previous versions of Oracle require.

To make this registry change, log on to the Windows Domain Controller server and do

the following:

1. Launch the registry editor: Start > Run… > regedit


2. Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc

3. Create a new DWORD Value called:

KdcUseRequestedEtypesForTickets

4. Set its value to 1

5. Restart the Key Distribution Center service using the Services applet in the

Administrative Tools menu.

Note: This change will need to be done on all domain controllers in the domain.

4 Oracle Database Server Configuration

4.1 Oracle Server Configuration on Red Hat Enterprise Linux 4

In this section, we describe how to set up the Linux server where Oracle database server is

installed. The steps below describe how to create a Kerberos service account for Oracle

using Centrify DirectControl and how to configure Oracle database server to use the

resulting keytab file for authentication. In addition, steps are provided to properly

configure other Oracle database settings.

4.1.1 Oracle database environment setup

Ensure that an appropriate environment is set up for all Oracle users if this has not

already been done. For example, include the following lines in the /etc/profile file on

the Linux or UNIX server:

ORACLE_OWNER=oracle
ORACLE_HOME=/home/app/oracle/db_1
ORACLE_SID=orcl
KRB5CCNAME=FILE://tmp/krb5cc_$UID
PATH=$PATH:$ORACLE_HOME/bin
export ORACLE_OWNER ORACLE_HOME ORACLE_SID KRB5CCNAME PATH

The KRB5CCNAME definition (note the double slash in FILE://tmp) is required to work around

a bug in Oracle which fails to interpret the leading / correctly. Make the appropriate changes based on your setup.


4.1.2 Verification of the Oracle Advanced Security Option

Verify that the Oracle Advanced Security Option is installed and the binaries bind with

the new authentication methods. As the oracle user, execute the following on the

Linux or UNIX server:

$ORACLE_HOME/bin/adapters

You should see output similar to the following:

Installed Oracle Net transport protocols are:
    BEQ
    TCP/IP
    SSL
    RAW
    ...
Installed Oracle Advanced Security options are:
    MD5 crypto-checksumming
    SHA-1 crypto-checksumming
    Kerberos v5 authentication
    ...

If necessary, run the $ORACLE_HOME/bin/netmgr tool on the Linux or UNIX server,

select Profile, then open the Oracle Advanced Security authentication drop-down to configure

Kerberos v5 authentication.

Figure 4-1 Oracle netmgr utility being used to enable Kerberos v5 authentication


4.1.3 Configuring Oracle Boot Parameters

In order to make Oracle work in Single Sign-On mode, a boot parameter may need to be

modified. You can verify the value of this parameter by connecting to Oracle as sysdba

and executing the following command as the oracle user:

$ sqlplus "sys as sysdba"

SQL*Plus: Release 10.2.0.1.0 - Production on Thu Dec 21 11:20:42 2006
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.

Enter password:
Connected to:
Oracle10g Release 10.2.0.1.0 - Production
JServer Release 10.2.0.1.0 - Production

SQL> show parameter os_authent_prefix;

NAME                                 TYPE        VALUE
------------------------------------ ----------- --------
os_authent_prefix                    string

The result should be an empty string value as in the example above.

If this is not the case, then follow the steps below to change it. Note that this parameter

cannot be changed while online and therefore Oracle database must be shutdown and

restarted.

1. Connect to Oracle as sysdba:

$ sqlplus "sys as sysdba"

SQL*Plus: Release 10.2.0.1.0 - Production on Thu Dec 21 12:20:22 2006
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.

Enter password:
Connected to:
Oracle10g Release 10.2.0.1.0 - Production
JServer Release 10.2.0.1.0 - Production

SQL>

2. Change the os_authent_prefix parameter with spfile scope:

SQL> alter system set os_authent_prefix = '' \
     scope=spfile;

3. Shut down the database with the following command:

SQL> shutdown;


4. Restart the database with the following command: SQL> startup;

5. Exit sqlplus with the following command: SQL> exit;

Note: Lines ending with a backslash (\) should append the contents of the next

line.

4.1.4 Configuring Kerberos authentication in Oracle database with DirectControl

On the Linux or UNIX server, log in as root to complete the following steps:

1. Stop the adclient using # adclient -x

2. We need to change the number of simultaneous keytab entries. Oracle

database, by default, uses the first service in the keytab file which is actually the

oldest entry. Since older keys are invalid, Oracle will not be able to authenticate.

To resolve this, we need to have only one key entry in the keytab file. We also

need to setup the correct encryption types. These changes can be accomplished

by editing the file /etc/centrifydc/centrifydc.conf and changing

the settings for the following parameters:

Parameters in file /etc/centrifydc/centrifydc.conf:

# Number of keytable entries to be kept for a principal
adclient.krb5.keytab.entries: 1
# Encryption types supported for getting tickets.
adclient.krb5.tkt.encryption.types: des-cbc-md5 \
    des-cbc-crc arcfour-hmac-md5
# Encryption types permitted in client credentials.
adclient.krb5.permitted.encryption.types: \
    des-cbc-md5 des-cbc-crc \
    arcfour-hmac-md5 arcfour-hmac-exp

Note: If you leave the domain and join it again, you will need to double check

that these parameters have not been changed back to the default settings.

Note: Lines ending with a backslash (\) append the contents of the next line.

3. DirectControl automatically configures the Kerberos configuration files on the

Linux system when you join a domain. However, some additional changes are

required to enable authentication for Oracle database. On the Linux or UNIX


server, edit the file /etc/krb5.conf and ensure that the following entries exist

and have the correct settings:

Parameters in file /etc/krb5.conf:

[libdefaults]
default_tgs_enctypes = des-cbc-md5 des-cbc-crc \
    arcfour-hmac-md5
default_tkt_enctypes = des-cbc-md5 des-cbc-crc \
    arcfour-hmac-md5
permitted_enctypes = des-cbc-md5 des-cbc-crc \
    arcfour-hmac-md5 arcfour-hmac-exp
passwd_check_s_address = true
ccache_type = 3

Note: If you leave the domain and join it again, you will need to double check

that these parameters have not been changed back to the default settings.

Note: Lines ending with a backslash (\) should append the contents of the next

line.
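The following is an added example, not part of this note and not Centrify or Oracle tooling: a small Python checker for the two files edited in steps 2 and 3. It joins backslash-continued lines the way the notes describe, then reports whether the keytab entry count, the des-cbc-md5 enctype (the type the keytab will be generated with) and ccache_type match what this note requires, and lists the weak DES and export RC4 types the configuration permits so that the deliberate downgrade stays visible. The sample file contents and all function names are constructed for the example.

```python
# Added example (not Centrify's or Oracle's tooling): check the Kerberos settings this
# note requires in centrifydc.conf and krb5.conf. Both parsers follow the note's
# convention that a line ending in a backslash continues on the next line.
import re

# Constructed sample of /etc/centrifydc/centrifydc.conf after the edits of step 2.
CENTRIFYDC_CONF = """\
# Number of keytable entries to be kept for a principal
adclient.krb5.keytab.entries: 1
# Encryption types supported for getting tickets.
adclient.krb5.tkt.encryption.types: des-cbc-md5 \\
    des-cbc-crc arcfour-hmac-md5
# Encryption types permitted in client credentials.
adclient.krb5.permitted.encryption.types: \\
    des-cbc-md5 des-cbc-crc \\
    arcfour-hmac-md5 arcfour-hmac-exp
"""

# Constructed sample of the [libdefaults] section of /etc/krb5.conf after step 3.
KRB5_CONF = """\
[libdefaults]
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc \\
        arcfour-hmac-md5
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc \\
        arcfour-hmac-md5
    permitted_enctypes = des-cbc-md5 des-cbc-crc \\
        arcfour-hmac-md5 arcfour-hmac-exp
    passwd_check_s_address = true
    ccache_type = 3
"""

REQUIRED_ENCTYPE = "des-cbc-md5"  # the type adkeytab -e writes into ORACLE.keytab (step 5)
# Single-DES and export RC4 are weak; the note enables them only because the Oracle 10g
# Kerberos adapter needs them, so their presence is reported as a known risk.
WEAK_ENCTYPES = {"des-cbc-md5", "des-cbc-crc", "arcfour-hmac-exp"}

def join_continuations(text):
    """Return logical lines, joining a line that ends in a backslash with the next one."""
    lines, pending = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "
            continue
        lines.append((pending + line).strip())
        pending = ""
    if pending:  # file ended inside a continuation
        lines.append(pending.strip())
    return lines

def parse_centrifydc(text):
    """Parse 'key: value' settings; each value is returned as a list of words."""
    settings = {}
    for line in join_continuations(text):
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            settings[key.strip()] = value.split()
    return settings

def parse_krb5_libdefaults(text):
    """Parse only the [libdefaults] section of an MIT-style krb5.conf."""
    settings, section = {}, None
    for line in join_continuations(text):
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            settings[key.strip()] = value.split()
    return settings

def check_oracle_sso_config(centrifydc_text, krb5_text):
    """Return a list of problems; an empty list means both files match the note."""
    problems = []
    cdc = parse_centrifydc(centrifydc_text)
    lib = parse_krb5_libdefaults(krb5_text)
    # Oracle reads the first (oldest) entry of the keytab, so only one may be kept.
    if cdc.get("adclient.krb5.keytab.entries") != ["1"]:
        problems.append("adclient.krb5.keytab.entries must be 1")
    for key in ("adclient.krb5.tkt.encryption.types",
                "adclient.krb5.permitted.encryption.types"):
        if REQUIRED_ENCTYPE not in cdc.get(key, []):
            problems.append(f"{key} lacks {REQUIRED_ENCTYPE}")
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        if REQUIRED_ENCTYPE not in lib.get(key, []):
            problems.append(f"[libdefaults] {key} lacks {REQUIRED_ENCTYPE}")
    if lib.get("ccache_type") != ["3"]:
        problems.append("[libdefaults] ccache_type must be 3")
    return problems

def weak_enctypes_permitted(krb5_text):
    """List (sorted) the weak types krb5.conf permits, so the downgrade stays visible."""
    lib = parse_krb5_libdefaults(krb5_text)
    return sorted(WEAK_ENCTYPES.intersection(lib.get("permitted_enctypes", [])))

if __name__ == "__main__":
    print("edited files:", check_oracle_sso_config(CENTRIFYDC_CONF, KRB5_CONF) or "OK")
    print("weak enctypes permitted:", weak_enctypes_permitted(KRB5_CONF))
```

Run it again after any adleave/adjoin cycle, since the note warns that a re-join can revert these parameters to their defaults.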

4. Restart adclient using # adclient -F

5. We now need to create the service account for Oracle and generate the keytab

file. The adkeytab tool is used to do this. This is a Centrify utility that is

designed to work with DirectControl and Active Directory, and is used to create

customized Kerberos Service Accounts. The adkeytab tool is delivered as a

binary utility for this solution. Further information on the use of adkeytab can be

found in the Appendix of this document.

Login as the root user on the Linux or UNIX system where the Oracle Database

Server and Centrify DirectControl are installed. Ensure that environment settings

defined in section 4.1.1 are set.

Also ensure that the file $ORACLE_HOME/ORACLE.keytab does not already

exist.

On the Linux or UNIX server, to create the ORACLE.keytab file, execute the following command (lines ending with a backslash continue on the next line):

    # adkeytab -n -U userPrincipal/[email protected] -k \
        -c Computers -K $ORACLE_HOME/ORACLE.keytab \
        -e des-cbc-md5 -V -d domain.com \
        -P ORAService/host -P ORAService/[email protected] ORAService


Note: Once you have generated the keytab file with the adkeytab command, do not move it; otherwise Centrify DirectControl will not renew the keys it contains. Executing this command not only creates the service account in Active Directory, but also creates the keytab file.

Note: Make the appropriate changes to this command line based on your local environment, where domain.com is your domain name and the parameters are as follows:

-n creates a new service account
-U explicitly specifies the UPN
-k uses DES key only
-c specifies the container DN (Distinguished Name)
-K specifies the path of the new keytab file ($ORACLE_HOME/ORACLE.keytab in this example)
-e specifies the encryption type (des-cbc-md5)
-V generates verbose output
-d specifies the domain in which the account is created (domain.com in this example)
-P specifies a service principal name to add to the account and keytab; repeat the option for each principal, giving both the short host name and the fully qualified form
ORAService is the account name

Note: The service principal names must match what the Oracle clients will request. Setting SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=ORACLE in sqlnet.ora (section 4.1.5) makes clients request a ticket for ORACLE/<database host>@<REALM>, so in the example environment of this document the -P values are ORACLE/rhel4 and ORACLE/[email protected], which is what the klist output in section 4.2 shows.

For more details on the adkeytab command, see the Centrify DirectControl

Administrator's Guide or the man page for adkeytab.

6. The new keytab file must be accessible and readable by the oracle user, and by nobody else, since it holds the long-term key of the database's Kerberos identity. Execute the following commands as the root user to achieve this:

    # chown oracle:oinstall $ORACLE_HOME/ORACLE.keytab
    # chmod 400 $ORACLE_HOME/ORACLE.keytab

4.1.5 Checking the configuration of the Oracle *.ora files

On the Linux or UNIX server, perform the following steps:

1. We now need to modify the Oracle SQLNET configuration file to enable the

correct Kerberos operation and to point to the new keytab file. Edit the file

$ORACLE_HOME/network/admin/sqlnet.ora and ensure that the following

changes are made:

Parameters In File: $ORACLE_HOME/network/admin/sqlnet.ora

    NAMES.DEFAULT_DOMAIN = SEDOMAIN.COM
    SQLNET.KERBEROS5_CONF=/etc/krb5.conf
    SQLNET.KERBEROS5_KEYTAB=/home/app/oracle/db_1/ORACLE.keytab
    SQLNET.KERBEROS5_CONF_MIT=TRUE
    SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=ORACLE
    SQLNET.AUTHENTICATION_SERVICES=(BEQ, KERBEROS5, ALL)

2. The Oracle listener configuration file should already be configured properly if you

have a functional Oracle environment. Using our example settings in this

document, the file $ORACLE_HOME/network/admin/listener.ora would

include the following SID description:

Parameters In File: $ORACLE_HOME/network/admin/listener.ora

    (SID_DESC =
      (GLOBAL_DBNAME = ORCL.SEDOMAIN.COM)
      (ORACLE_HOME = /home/app/oracle/db_1)
      (SID_NAME = orcl)
    )

3. The Oracle tnsnames configuration file should already be configured properly if

you have a functional Oracle database environment. Using our example settings

in this document, the file $ORACLE_HOME/network/admin/tnsnames.ora would include the following database entry:

Parameters In File: $ORACLE_HOME/network/admin/tnsnames.ora

    ORCL.SEDOMAIN.COM =
      (DESCRIPTION =
        (ADDRESS_LIST =
          (ADDRESS = (PROTOCOL = TCP)(HOST = rhel4.sedomain.com)(PORT = 1521))
        )
        (CONNECT_DATA =
          (SERVER = DEDICATED)
          (SERVICE_NAME = ORCL.SEDOMAIN.COM)
        )
      )

Note: Make the appropriate changes to each of these files based on your local environment. For example, ORCL.SEDOMAIN.COM should be replaced with the name of your Oracle database followed by the name of your Active Directory domain (i.e. <ORACLEDB>.<DOMAIN>). The HOST parameter should be set to the machine name or IP address of the server where the Oracle database server is running. Samples of the various configuration files are included in the Appendix of this document.

If you have made changes to the Oracle database configuration files, it is recommended that you restart the Oracle database and the Oracle listener.

Connect to the Oracle database as sysdba:

    $ sqlplus "sys as sysdba"
    SQL*Plus: Release 10.2.0.1.0 - Production on Thu Dec 21 12:40:44 2006
    Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
    Enter password:
    Connected to:
    Oracle10g Release 10.2.0.1.0 - Production
    JServer Release 10.2.0.1.0 - Production
    SQL>

Shut down the database with the following command (in practice shutdown immediate is normally used, because a plain shutdown waits for every connected session to disconnect):

    SQL> shutdown;
    Database shutdown

Restart the database with the following command:

    SQL> startup;
    Database started

Exit sqlplus with the following command:

    SQL> exit;

Then, restart the Oracle database listener using the following commands:

    $ lsnrctl stop
    $ lsnrctl start

Oracle database should now be correctly configured to use Centrify DirectControl to

manage external Kerberos-based authentication.

4.2 Check Availability of the Kerberos Ticket

Perform the following steps on the Linux or UNIX server:

Centrify DirectControl enables an Active Directory domain user, such as “jeff_hay”, to

seamlessly log onto the Linux or UNIX system.


When connecting with an AD user to a Linux/UNIX computer, you can check if you have a valid Ticket Granting Ticket (TGT) with the oklist command. For example:

    [jeff_hay@rhel4 ~]$ oklist
    Kerberos Utilities for Linux: Version 10.2.0.1.0 - Production on 22-DEC-2006 17:49:59
    Copyright (c) 1996, 2004 Oracle. All rights reserved.
    Ticket cache: /tmp/krb5cc_10002
    Default principal: [email protected]
    Valid Starting         Expires                Principal
    22-Dec-2006 17:51:09   23-Dec-2006 01:48:22   krbtgt/[email protected]

If you do not have a ticket, you can create one for the sample user "jeff_hay" with the okinit command. For example:

    [jeff_hay@rhel4 ~]$ okinit [email protected]
    Kerberos Utilities for Linux: Version 10.2.0.1.0 - Production on 22-DEC-2006 17:51:53
    Copyright (c) 1996, 2004 Oracle. All rights reserved.
    Password for [email protected]:

You can also check the principals and encryption types in the Oracle keytab file by running the following klist command as the oracle user:

    $ klist -kte /home/app/oracle/db_1/ORACLE.keytab

You should see output similar to the following after running the klist command:

    Keytab name: FILE:/home/app/oracle/db_1/ORACLE.keytab
    KVNO Timestamp         Principal
    ---- ----------------- -----------------------------------
       2 12/22/06 07:35:27 ORACLE/[email protected] (DES cbc mode with RSA-MD5)
       2 12/22/06 07:35:27 ORACLE/[email protected] (DES cbc mode with RSA-MD5)
       2 12/22/06 07:35:28 [email protected] (DES cbc mode with RSA-MD5)
       2 12/22/06 07:35:28 ORACLE/[email protected] (DES cbc mode with CRC-32)
       2 12/22/06 07:35:28 ORACLE/[email protected] (DES cbc mode with CRC-32)
       2 12/22/06 07:35:28 [email protected] (DES cbc mode with CRC-32)

4.3 Creating Oracle Database User Accounts for AD Users

For Active Directory domain users to be able to connect to Oracle database, they must have a local account created in the Oracle database and granted appropriate rights. There are many solutions that can be leveraged to automate this process, such as Microsoft Identity Integration Server with the Oracle provisioning agent.

The following steps are required to enable an Oracle Database user with the login name

“jeff_hay” in the domain “SEDOMAIN.COM” to connect to Oracle.

1. Login as the oracle user and connect to Oracle as sysdba:

    $ sqlplus "sys as sysdba"
    SQL*Plus: Release 10.2.0.1.0 - Production on Thu Dec 22 12:24:44 2006
    Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
    Enter password:
    Connected to:
    Oracle10g Release 10.2.0.1.0 - Production
    JServer Release 10.2.0.1.0 - Production
    SQL>

2. Create the user with the following command:

    SQL> create user "[email protected]" identified externally;
    User created.

3. Grant rights to the user with the following command:

    SQL> grant connect, resource to "[email protected]";
    Grant succeeded.

Note: The full username, realm included, must be in uppercase, and it must be enclosed in double quotes because it contains characters (@ and .) that are not permitted in an unquoted Oracle identifier.

Note: Grant only the roles the user actually needs. In Oracle 10g, granting RESOURCE also grants the UNLIMITED TABLESPACE system privilege as a side effect; CONNECT (which in Oracle 10g Release 2 contains only the CREATE SESSION privilege) is sufficient for a user who only needs to log in and use objects that have been granted to them.

Every user in the Active Directory domain that requires access to Oracle database must

have an account created in the Oracle database and have the appropriate rights granted.

If the user already has a non-Kerberos-enabled account in Oracle database, then a new

account will need to be created using the Kerberos format and syntax noted above (i.e.

<USER>@<DOMAIN>) and the appropriate access rights and settings will need to be

applied to the new account.

4.4 Multiple Instances of Oracle Database on a Single Computer

This optional step applies only if you are using multiple instances of Oracle databases on

a single Linux or UNIX system.


Multiple instances of Oracle database can be installed on a single computer. It is entirely

possible to have a TEST and DEV instance running concurrently, with the TEST instance

using Centrify as its authentication mechanism, while the DEV instance still uses the

default Oracle authentication mechanism.

The type of authentication mechanism used is set in the Oracle configuration file called

$ORACLE_HOME/network/admin/sqlnet.ora. As each Oracle instance has its own

sqlnet.ora file, it is not very difficult to set up each instance with a different mechanism.

In the following example, the TEST instance is configured to use KERBEROS5, and DEV

to use the standard Oracle authentication mechanism.

Extract of sqlnet.ora of instance TEST:

    SQLNET.AUTHENTICATION_SERVICES= (KERBEROS5, BEQ)
    SQLNET.KERBEROS5_CONF=/etc/krb5.conf
    SQLNET.KERBEROS5_KEYTAB=/home/app/oracle/db_1/ORACLETEST.keytab

Extract of sqlnet.ora of instance DEV:

    SQLNET.AUTHENTICATION_SERVICES= (BEQ)

4.5 Working with Oracle on Solaris 10

If you are installing Oracle server on Solaris 10, you will need to ensure that the path to

the krb5.conf file is defined correctly. Use the same steps as described for setting up the

Linux server in section 4 but ensure that you replace all instances of

/etc/krb5.conf with /etc/krb5/krb5.conf in the appropriate steps (i.e.

section 4.1.4 - step #3 and 4.1.5 - step #1).

5 Client Configuration and Testing

5.1 Linux / UNIX client configuration

The following steps illustrate how to set up a Single Sign-On session from a Linux client

using a UNIX-based Oracle database server. The Oracle Database SSO capabilities are

enabled via the Centrify DirectControl client authentication services on the Linux client

and the Centrify DirectControl services on the UNIX server. In this example, we assume

the Oracle client has been installed on Linux or UNIX with the Oracle Advanced Security

Option installed, and the authentication mechanism configured to use KERBEROS5. This

option links the Oracle binaries with Kerberos libraries.

We also assume that Centrify DirectControl 4.x (or above) is installed, and that the Linux

/ UNIX system has joined the Active Directory domain.


For testing purposes, you can use the Linux server where the Oracle database server is

installed, since the default installation of Oracle database server also installs the Oracle

client software. If you use the same server for your tests, then no additional configuration

steps beyond what was done in section 4 is required.

If you are using a different Linux or UNIX system to test the Oracle Database SSO client

capabilities, then the Oracle database client needs three configuration files to be

configured. These configuration changes are similar to the changes that were made on the

Linux server in section 4 above. Complete the following steps on the Linux client system.

1. Ensure that you have set up the various Oracle environment variables correctly

on the client system. The steps to do this are the same as what is described in

section 4.1.1 above.

2. Stop the adclient using:

    # adclient -x

3. Edit the /etc/centrifydc/centrifydc.conf file and change the setting for the following parameters:

    # Number of keytable entries to be kept for a principal
    adclient.krb5.keytab.entries: 1
    # Additional service principals for key table entry
    adclient.krb5.service.principals: ftp cifs nfs ORACLE
    # Encryption types supported for getting tickets.
    adclient.krb5.tkt.encryption.types: des-cbc-md5 des-cbc-crc arcfour-hmac-md5
    # Encryption types permitted in client credentials.
    adclient.krb5.permitted.encryption.types: des-cbc-md5 des-cbc-crc arcfour-hmac-md5 arcfour-hmac-exp

Note: If you leave the domain and join it again, double check that these parameters have not been reset to their default values.

4. Edit the file /etc/krb5.conf and ensure that the following entries exist and have the correct settings:

    [libdefaults]
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5
    permitted_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5 arcfour-hmac-exp
    passwd_check_s_address = true
    ccache_type = 3

Note: If you leave the domain and join it again, double check that these parameters have not been reset to their default values.

5. Restart adclient using:

adclient -F

6. We now need to modify the Oracle SQLNET configuration file to enable the correct Kerberos operation. On the Linux client, edit the file $ORACLE_HOME/network/admin/sqlnet.ora and ensure that the following changes are made:

    NAMES.DEFAULT_DOMAIN = SEDOMAIN.COM
    SQLNET.AUTHENTICATION_SERVICES=(BEQ, KERBEROS5)
    SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=ORACLE
    SQLNET.KERBEROS5_CONF=/etc/krb5.conf
    SQLNET.KERBEROS5_CONF_MIT=TRUE

Other Oracle SQLNET attributes should be the same as the settings on the

Linux/UNIX server where Oracle database is installed.

Note: Make the appropriate changes to these files based on your local

environment.

Note: On Solaris, the path to the Kerberos configuration file is different. On

Solaris, the following setting should be used in the sqlnet.ora file: SQLNET.KERBEROS5_CONF=/etc/krb5/krb5.conf

5.2 Testing the Oracle Database SSO capabilities on Linux / UNIX

We’re now ready to test the Oracle Database Single Sign-On capability from the Linux /

UNIX client using the sqlplus client program. If this test is successful, it should prove

that the SSO capabilities are running for a certain Linux / UNIX user.

To execute the test, complete the following steps:

1. Log into the Linux / UNIX client as an Active Directory user that was setup in the

Oracle database as defined in section 4.3 above.

2. Check that you have a valid Ticket Granting Ticket (TGT) with the oklist command:

    [jeff_hay@rhel4 ~]$ oklist
    Kerberos Utilities for Linux: Version 10.2.0.1.0 - Production on 22-DEC-2006 17:49:59
    Copyright (c) 1996, 2004 Oracle. All rights reserved.
    Ticket cache: /tmp/krb5cc_10002
    Default principal: [email protected]
    Valid Starting         Expires                Principal
    22-Dec-2006 17:51:09   23-Dec-2006 01:48:22   krbtgt/[email protected]

3. If you do not have a ticket, you can create one for the sample user "jeff_hay" with the okinit command:

    [jeff_hay@rhel4 ~]$ okinit [email protected]
    Kerberos Utilities for Linux: Version 10.2.0.1.0 - Production on 22-DEC-2006 17:51:53
    Copyright (c) 1996, 2004 Oracle. All rights reserved.
    Password for [email protected]:

Now, re-run the oklist command. You should see at least a krbtgt ticket for your

domain to continue the test.

4. Run $ORACLE_HOME/bin/sqlplus /@orcl to access the Oracle SQL command line environment (replacing orcl with the appropriate instance name for your setup):

    $ sqlplus /@orcl
    SQL*Plus: Release 10.2.0.1.0 - Production on Thu Dec 21 11:36:09 2006
    Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
    Connected to:
    Oracle10g Release 10.2.0.1.0 - Production
    JServer Release 10.2.0.1.0 - Production
    SQL>

5. Run the SQL command 'show user' to display the current SQL*Plus session user, as shown below:

    SQL> show user;
    USER is [email protected]
    SQL>

The Linux user jeff_hay, used for this example, is registered in the Oracle

database as user “[email protected]”.

The above successful test result demonstrates that the Oracle Database Single Sign-On capability for a Linux/UNIX Oracle database client

connecting to a Linux/UNIX-based Oracle database server is functioning

properly.

5.3 Windows Client Configuration

The following steps illustrate how to set up a Single Sign-On session from a Windows

client to a UNIX-based Oracle database server. The Oracle Database SSO capabilities are

enabled via the native Active Directory / Kerberos authentication services on the

Windows client and the Centrify DirectControl services on the UNIX system. In this

example, we assume the Oracle database client and the Oracle Advanced Security Option

client software has been installed on Windows XP. These steps will configure the client to

use the KERBEROS5 authentication option. This will enable the Oracle binaries to work

with the Kerberos libraries.

To enable Kerberos-based authentication, the Oracle database client needs two

configuration files to exist with the following settings.

1. The Kerberos configuration file (krb5.ini in this example) needs to be created if

it does not already exist. It is used by the Oracle client for finding the location of

the KDC (Key Distribution Center) server and the Kerberos realm.

On Windows 2000, the path for this file is normally C:\WINNT\krb5.ini

On Windows XP, the path for this file is normally C:\WINDOWS\krb5.ini

For example using our environment, the file would contain the following lines:

Parameters In File: C:\WINDOWS\krb5.ini

    [realms]
    SEDOMAIN.COM = {
      kdc = w2k3ad.sedomain.com:88
      # Following 3 lines are optional and not necessary
      # master_kdc = w2k3ad.sedomain.com:88
      # kpasswd = w2k3ad.sedomain.com:464
      # kpasswd_server = w2k3ad.sedomain.com:464
    }
    [domain_realm]
    sedomain.com = SEDOMAIN.COM

Note: Double check to ensure that the krb5.ini configuration file created does

not have a “.txt” extension by default, if using Notepad to create the file.

The main information in this file is the name of the Active Directory domain

controller that is used by the Windows client. The domain controller is also the

KDC for the Kerberos environment. The kdc setting needs to point to the fully

qualified domain name of your KDC. Change the appropriate settings above for

your setup being sure to maintain the correct case for any changes. For example,

SEDOMAIN.COM should be replaced with the name of your Active Directory

domain.

2. The Oracle SQLNET configuration file on the Windows client needs to be

configured correctly. This file needs to be updated so that the Kerberos adapter

on the client is used to talk to the Oracle service running on the UNIX server.

Besides the common Oracle network configuration settings, the following settings

would be required in the $ORACLE_HOME\NETWORK\ADMIN\sqlnet.ora

file using our example environment:

Parameters In File: $ORACLE_HOME\NETWORK\ADMIN\sqlnet.ora

    NAMES.DEFAULT_DOMAIN = SEDOMAIN.COM
    SQLNET.AUTHENTICATION_SERVICES=(BEQ, KERBEROS5)
    SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=ORACLE
    SQLNET.KERBEROS5_CONF=C:\WINDOWS\krb5.ini
    SQLNET.KERBEROS5_CONF_MIT=TRUE
    SQLNET.KERBEROS5_CC_NAME=OSMSFT://

Most of the SQLNET attributes are usually the same as the settings on the server

system. The important additional information for the Oracle client is the

KERBEROS5_CC_NAME attribute which has to be set with the value OSMSFT://. This parameter enables the use of the integrated Kerberos ticket

cache in Windows.

Change the appropriate settings above for your setup being sure to maintain the

correct case for any changes. For example, SEDOMAIN.COM should be replaced

with the name of your Active Directory domain. The parameter

SQLNET.KERBEROS5_CONF describes the full path to the krb5.ini file, as

described in the previous step. Note that this path is different depending on

whether you are using Windows 2000 or Windows XP.


3. The Oracle tnsnames configuration file should already be configured properly if you have a functional Oracle database environment. Using our example settings in this document, the $ORACLE_HOME\NETWORK\ADMIN\tnsnames.ora file would include the following database entry:

Parameters In File: $ORACLE_HOME\NETWORK\ADMIN\tnsnames.ora

    ORCL.SEDOMAIN.COM =
      (DESCRIPTION =
        (ADDRESS_LIST =
          (ADDRESS = (PROTOCOL = TCP)(HOST = rhel4.sedomain.com)(PORT = 1521))
        )
        (CONNECT_DATA =
          (SERVER = DEDICATED)
          (SERVICE_NAME = ORCL.SEDOMAIN.COM)
        )
      )

Note: Make the appropriate changes to each of these files based on your local

environment. For example, ORCL.SEDOMAIN.COM should be replaced with the

name of your Oracle database followed by the name of your Active Directory

domain (i.e. <ORACLEDB>.<DOMAIN>). The HOST parameter should be set to

the machine name or IP address of the server where the Oracle database server is

running. Samples of the various configuration files are included in the Appendix

of this document.

5.4 Testing the Oracle Database SSO capabilities on Windows

We’re now ready to test the Oracle Database Single Sign-On capability from the Windows

client using the Windows SQLplus client.

If this test is successful, it should prove that the Oracle Database SSO capabilities are

functioning properly for this Windows user.

To execute the test, complete the following steps:

1. Log into the Windows laptop / desktop as an Active Directory user that was setup

in the Oracle database as defined in section 4.3 above.


2. Create a shortcut icon to Oracle SQLplus Windows client on the Windows

desktop:

$ORACLE_HOME\bin\sqlplusw.exe

The sqlplus command may also be run from the command prompt for this test.

3. Modify the SQLplus shortcut icon properties as shown below. The Target field

should be updated so that the sqlplusw.exe command connects to a defined

Oracle service (orcl in our example).

Figure 5-1 Windows SQLplusw Shortcut Properties

Note the change in the Target entry above – to add “ /@orcl” at the end.


4. Open a command prompt and run $ORACLE_HOME\bin\oklist to show the

user’s Kerberos tickets. Output similar to the following should be displayed:

Figure 5-2 Output from the oklist command on a Windows client

The win2kcc parameter values above show that we are using the integrated

Windows system Kerberos cache for the user jeff.hay in the Active Directory

domain. You should see at least the krbtgt ticket for the specified domain.

Note: References to CONTOSO.COM in the figure above are to be replaced by

SEDOMAIN.COM in our example.

5. Finally, to run the actual Oracle Database SSO test, double click the sqlplusw icon. This should connect you in Oracle Database SSO mode to the Oracle database server. Output should be similar to the screenshot below:

Figure 5-3 Connecting to the Oracle Database in SSO mode using SQLplusw

The figure above shows a successful connect to the Oracle database.


This shows that we logged into the Oracle database server on UNIX in SSO mode. The Kerberos credentials obtained when the user logged into Windows were used to request a service ticket for the ORACLE service on the database server and to present it to Oracle; no password was sent to the database. You should connect without any errors and you should not be prompted to provide a username or password. If that is not the case, then the complete SSO settings need to be reviewed.

The same test may also be run in a command prompt by entering the following

command:

> sqlplus /@orcl

6. Running the SQL command ‘show user’ displays the current SQLplusw session

user as shown below.

Figure 5-4 SQLplus Current Oracle Database SSO User

The Windows user jeff.hay, used for our example, is registered in the Oracle

database as user “[email protected]” in the specified Kerberos

realm. (Note: References to CONTOSO.COM in the figure above are to be

replaced by SEDOMAIN.COM in our example.)

The above successful test result demonstrates that the Oracle Database Single Sign-On capability for a Windows Oracle client connecting to a

UNIX-based Oracle database server is functioning properly.


6 Troubleshooting

For troubleshooting, the following Trace Level entries may optionally be added to the Server and Client systems, if needed.

Server Tracing: parameters in sqlnet.ora on the Database Server system

    #TRACE_LEVEL_SERVER = 16
    #TRACE_FILE_SERVER = SVR
    #TRACE_DIRECTORY_SERVER = /u01/tmp/tar
    #TRACE_TIMESTAMP_SERVER = ON

Client Tracing: parameters in sqlnet.ora on the Database Client system

    #TRACE_LEVEL_CLIENT = 16
    #TRACE_FILE_CLIENT = CLI
    #TRACE_DIRECTORY_CLIENT = c:\tmp
    #TRACE_UNIQUE_CLIENT = ON
    #TRACE_TIMESTAMP_CLIENT = ON
    #TNSPING.TRACE_LEVEL = 16
    #TNSPING.TRACE_DIRECTORY = c:\tmp

Note: During testing, if tracing needs to be turned on, remove the "#" sign in front of the above entries. Level 16 (SUPPORT) traces are very verbose and record the contents of network packets; turn tracing off again and remove the trace files once the problem has been resolved.

Common Errors Encountered

Some of the common errors encountered during testing of the “sqlplus /@orcl”

command are listed below:

• ORA-12638: Credential retrieval failed

• ORA-12637: Packet receive failed

For most such errors, first double-check all entries in all parameter files, as described earlier in this document. Also ensure that the clocks of the Windows client, the Linux server and the domain controller are synchronized: Kerberos rejects authentication when the clock skew exceeds the configured maximum, which is 5 minutes by default, so keep the skew well below that (a minute or two at most). Also check that the domain names and entries are specified correctly.

Other common database-related errors encountered are:

• TNS: Protocol error

• Package not found: libaio

• Okinit: Generic error


Note: For additional troubleshooting information, please refer to the Oracle Database Installation and Administrator's Guides, or contact Oracle Technical Support for Oracle database-specific issues.

7 Summary

After successfully completing the steps outlined in this Application Note, an Oracle Database Single Sign-On environment that leverages Active Directory-based Kerberos v5 authentication for both Windows and Linux / UNIX should now be available.

By using Centrify DirectControl 4.x (or higher) and Oracle Database Enterprise Edition 10g (10.2.0.1 or higher) with the Advanced Security Option, Centrify offers a solution that seamlessly centralizes database authentication and access control for Windows and Linux / UNIX environments, resulting in a more secure and manageable database environment.

For more information on Centrify and Centrify DirectControl, please call + 1 (650) 961-1100 or email [email protected].


Appendix

Sample Linux server configuration files

Sample krb5.conf file:

[libdefaults]
 default_realm = SEDOMAIN.COM
 default_tgs_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5
 default_tkt_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5
 permitted_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5 arcfour-hmac-exp
 passwd_check_s_address = true
 ccache_type = 3
 dns_lookup_realm = false
 dns_lookup_kdc = false

[domain_realm]
 w2k3ad.sedomain.com = SEDOMAIN.COM
 rhel4.sedomain.com = SEDOMAIN.COM

[realms]
 SEDOMAIN.COM = {
  kdc=w2k3ad.sedomain.com:88
  master_kdc=w2k3ad.sedomain.com:88
  kpasswd=w2k3ad.sedomain.com:464
  kpasswd_server=w2k3ad.sedomain.com:464
 }

Sample sqlnet.ora file:

NAMES.DIRECTORY_PATH= (TNSNAMES, ONAMES, HOSTNAME)
NAMES.DEFAULT_DOMAIN = SEDOMAIN.COM
SQLNET.KERBEROS5_CONF=/etc/krb5.conf
SQLNET.KERBEROS5_KEYTAB=/home/app/oracle/db_1/ORACLE.keytab
SQLNET.KERBEROS5_CONF_MIT=TRUE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=ORACLE
SQLNET.AUTHENTICATION_SERVICES=(BEQ, KERBEROS5, ALL)

Sample tnsnames.ora file:

ORCL.SEDOMAIN.COM =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = rhel4.sedomain.com)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = ORCL.SEDOMAIN.COM)
    )
  )


EXTPROC_CONNECTION_DATA =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
    )
    (CONNECT_DATA =
      (SID = PLSExtProc)
      (PRESENTATION = RO)
    )
  )

Sample listener.ora file:

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC))
      )
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCP)(HOST = rhel4.sedomain.com)(PORT = 1521))
      )
    )
  )

SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (ORACLE_HOME = /home/app/oracle/db_1)
      (PROGRAM = extproc)
    )
    (SID_DESC =
      (GLOBAL_DBNAME = ORCL.SEDOMAIN.COM)
      (ORACLE_HOME = /home/app/oracle/db_1)
      (SID_NAME = orcl)
    )
  )

Sample Windows client configuration files

Sample krb5.ini file:

[realms]
 SEDOMAIN.COM = {
  kdc = w2k3ad.sedomain.com:88
 }

[domain_realm]
 sedomain.com = SEDOMAIN.COM


Sample sqlnet.ora file:

NAMES.DIRECTORY_PATH= (TNSNAMES, LDAP, EZCONNECT)
NAMES.DEFAULT_DOMAIN = sedomain.com
SQLNET.AUTHENTICATION_SERVICES=(BEQ, KERBEROS5)
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=ORACLE
SQLNET.KERBEROS5_CONF=C:\WINDOWS\krb5.ini
SQLNET.KERBEROS5_CONF_MIT=TRUE
SQLNET.KERBEROS5_CC_NAME=OSMSFT://

Sample tnsnames.ora file:

ORCL.SEDOMAIN.COM =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = rhel4.sedomain.com)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = ORCL.SEDOMAIN.COM)
    )
  )

EXTPROC_CONNECTION_DATA =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
    )
    (CONNECT_DATA =
      (SID = PLSExtProc)
      (PRESENTATION = RO)
    )
  )
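The troubleshooting section asks the reader to double-check every parameter file, the domain names and the clock skew before chasing ORA-12638 / ORA-12637 further. The following Python checker is an added example, not Centrify's or Oracle's code: it parses sqlnet.ora and krb5.conf / krb5.ini text of the kind shown in this appendix and reports the mismatches a practitioner would otherwise find by eye (KERBEROS5 missing from SQLNET.AUTHENTICATION_SERVICES, service name or default domain differing between client and server, no keytab on the server, the database host not mapped to the realm, no KDC for the realm, clocks too far apart). The embedded file contents are constructed from the appendix values (SEDOMAIN.COM, w2k3ad, rhel4 and the /home/app/oracle paths are the note's own examples, not real systems); the 120-second skew limit and the weak-enctype list are this example's assumptions. It also flags the single-DES and export RC4 enctypes that the sample krb5.conf enables, because current Kerberos and Active Directory builds disable them by default and the resulting failure looks like a configuration typo.

```python
# Added example (not Centrify's or Oracle's code): cross-check the parameter files of this
# appendix the way the troubleshooting section asks. Sample contents are constructed from the
# appendix values (hosts, realm, paths); the skew limit and weak-enctype list are assumptions.

SERVER_SQLNET = """
NAMES.DEFAULT_DOMAIN = SEDOMAIN.COM
SQLNET.KERBEROS5_CONF=/etc/krb5.conf
SQLNET.KERBEROS5_KEYTAB=/home/app/oracle/db_1/ORACLE.keytab
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=ORACLE
SQLNET.AUTHENTICATION_SERVICES=(BEQ, KERBEROS5, ALL)
"""
CLIENT_SQLNET = """
NAMES.DEFAULT_DOMAIN = sedomain.com
SQLNET.AUTHENTICATION_SERVICES=(BEQ, KERBEROS5)
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=ORACLE
SQLNET.KERBEROS5_CONF=C:\\WINDOWS\\krb5.ini
"""
SERVER_KRB5 = """
[libdefaults]
 default_realm = SEDOMAIN.COM
 default_tkt_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5
[domain_realm]
 rhel4.sedomain.com = SEDOMAIN.COM
[realms]
 SEDOMAIN.COM = {
  kdc=w2k3ad.sedomain.com:88
 }
"""
MAX_SKEW_SECONDS = 120  # assumption: the note wants "a minute or two"; KDCs usually allow 300
WEAK_ENCTYPES = {"des-cbc-md5", "des-cbc-crc", "arcfour-hmac-exp"}  # off by default in current Kerberos/AD

def parse_sqlnet(text):
    """Parse KEY = VALUE lines of a sqlnet.ora into a dict with upper-cased keys."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            params[key.strip().upper()] = value.strip()
    return params

def parse_krb5(text):
    """Minimal krb5.conf/krb5.ini parser; 'NAME = { ... }' inside a section becomes a nested dict."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            sections.setdefault(section, {})
        elif line.endswith("{"):
            block = line[:-1].partition("=")[0].strip()
            sections[section][block] = {}
        elif line == "}":
            block = None
        else:
            key, _, value = line.partition("=")
            target = sections[section][block] if block else sections[section]
            target[key.strip()] = value.strip()
    return sections

def check_sqlnet_pair(server, client):
    """Both sides must offer KERBEROS5 and agree on service name and domain; the server needs a keytab."""
    findings = []
    for role, p in (("server", server), ("client", client)):
        if "KERBEROS5" not in p.get("SQLNET.AUTHENTICATION_SERVICES", "").upper():
            findings.append(f"{role}: KERBEROS5 missing from SQLNET.AUTHENTICATION_SERVICES")
        if not p.get("SQLNET.KERBEROS5_CONF"):
            findings.append(f"{role}: SQLNET.KERBEROS5_CONF not set")
    if not server.get("SQLNET.KERBEROS5_KEYTAB"):
        findings.append("server: SQLNET.KERBEROS5_KEYTAB not set")
    # Service principal names are case-sensitive; the SQL*Net default domain is not.
    for key, fold in (("SQLNET.AUTHENTICATION_KERBEROS5_SERVICE", str), ("NAMES.DEFAULT_DOMAIN", str.lower)):
        if fold(server.get(key, "")) != fold(client.get(key, "")):
            findings.append(f"{key} differs: server={server.get(key)} client={client.get(key)}")
    return findings

def check_krb5(sections, db_host):
    """The realm must be upper-case, map the database host, name a KDC, and avoid weak enctypes."""
    findings = []
    lib = sections.get("libdefaults", {})
    realm = lib.get("default_realm", "")
    if not realm or realm != realm.upper():
        findings.append(f"default_realm '{realm}' missing or not upper-case")
    if sections.get("domain_realm", {}).get(db_host) != realm:
        findings.append(f"domain_realm does not map {db_host} to {realm}")
    if not sections.get("realms", {}).get(realm, {}).get("kdc"):
        findings.append(f"no kdc entry for realm {realm}")
    for key, value in lib.items():
        weak = sorted(set(value.split()) & WEAK_ENCTYPES) if key.endswith("enctypes") else []
        if weak:
            findings.append(f"{key} enables weak enctypes: {', '.join(weak)}")
    return findings

def clock_skew_findings(linux_epoch, windows_epoch):
    """Kerberos rejects tickets once the two clocks drift apart; report skew above the limit."""
    skew = abs(linux_epoch - windows_epoch)
    return [f"clock skew {skew} s exceeds {MAX_SKEW_SECONDS} s"] if skew > MAX_SKEW_SECONDS else []

def audit(server_sqlnet, client_sqlnet, krb5_text, db_host, linux_epoch, windows_epoch):
    """Run every check; an empty list means the files and clocks are mutually consistent."""
    return (check_sqlnet_pair(parse_sqlnet(server_sqlnet), parse_sqlnet(client_sqlnet))
            + check_krb5(parse_krb5(krb5_text), db_host)
            + clock_skew_findings(linux_epoch, windows_epoch))
```

Run against the appendix files as printed, `audit(SERVER_SQLNET, CLIENT_SQLNET, SERVER_KRB5, "rhel4.sedomain.com", t_linux, t_windows)` reports nothing about the sqlnet.ora pair or the realm mapping, one finding for the DES enctypes, and a clock finding only when the two epoch values (read from `date +%s` on the Linux server and the DC's clock) differ by more than the limit. Keep the parsers deliberately small: they handle the line shapes in this appendix, not every krb5.conf feature.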


Further reading

For further information on setting up an Oracle database, please see the following documentation and training materials provided by Oracle:

• Oracle Database Administrator's Guide

• Oracle Database Server Quick Installation Guide for Linux x86

• Client Quick Installation Guide for Linux x86

• Client Quick Installation Guide for Microsoft Windows

• Oracle Database Advanced Security Administrator’s Guide

• Getting Started with Oracle Enterprise Manager

• Oracle Identity Management Training

Oracle documents can be found on www.oracle.com/pls/db102/homepage.

Additional information on Centrify DirectControl can be found on www.centrify.com and on your Centrify installation media.

Legal Notices

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Centrify Corporation.

Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Centrify, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2007-2008 Centrify Corporation. All rights reserved.

Centrify and DirectControl are trademarks of Centrify Corporation in the United States and/or other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

