Wednesday, January 5, 2011

Installation of Kerberos 5 on linux and Oracle authentication on 11gR2

For more information about Kerberos, read the MIT documentation on the terminology used. For Oracle authentication, read the Oracle Advanced Security Administrator's Guide.


First of all, as the oracle user, check whether your Oracle Database Server was installed with the Oracle Advanced Security option. Type

[oracle@plutone ~]$ adapters


and you should see something like

...
Installed Oracle Advanced Security options are:
...
Kerberos v5 authentication
...


Go to the MIT website and download the latest available stable release of Kerberos.
http://mit.edu/kerberos/

For me it was krb5-1.9.
I copied the krb5-1.9-signed.tar file into my directory /u04/kerberos5 and then typed the following commands:

[root@plutone /root]# cd /u04/kerberos5
[root@plutone kerberos5]# tar xvf krb5-1.9-signed.tar
[root@plutone kerberos5]# tar xvfz krb5-1.9.tar.gz
[root@plutone kerberos5]# cd krb5-1.9/src
[root@plutone src]# pwd
/u04/kerberos5/krb5-1.9/src


Then you have to compile the Kerberos sources with the usual commands:

[root@plutone src]# ./configure
[root@plutone src]# make
[root@plutone src]# make install


Now it's time to configure the first of the two Kerberos configuration files, /etc/krb5.conf. Compared with the default file I changed only the host name (plutone):

[root@plutone src]# vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
EXAMPLE.COM = {
kdc = plutone:88
admin_server = plutone:749
default_domain = example.com
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}


Then you should modify (or create) the second Kerberos configuration file, kdc.conf:

[root@plutone src]# cd /usr/local/var/krb5kdc/
[root@plutone krb5kdc]# ll
total 0
[root@plutone krb5kdc]# vi kdc.conf
[kdcdefaults]
kdc_ports = 750,88

[realms]
EXAMPLE.COM = {
kdc_ports = 750,88
database_name = /usr/local/var/krb5kdc/principal
admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
acl_file = /usr/local/var/krb5kdc/kadm5.acl
key_stash_file = /usr/local/var/krb5kdc/.k5.KERB.IT
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
}


Let's create the Kerberos database for the Key Distribution Center (KDC). The following command creates the five files shown in the listing next to kdc.conf.

[root@plutone krb5kdc]# /usr/local/sbin/kdb5_util create -r EXAMPLE.COM -s
Loading random data
Initializing database '/usr/local/var/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
[root@plutone krb5kdc]# ls -la
total 32
drwxr-xr-x 2 root root 4096 Jan 5 14:30 .
drwxr-xr-x 3 root root 4096 Jan 5 13:06 ..
-rw------- 1 root root 72 Jan 5 14:30 .k5.KERB.IT
-rw-r--r-- 1 root root 386 Jan 5 14:28 kdc.conf
-rw------- 1 root root 8192 Jan 5 14:30 principal
-rw------- 1 root root 8192 Jan 5 14:30 principal.kadm5
-rw------- 1 root root 0 Jan 5 14:30 principal.kadm5.lock
-rw------- 1 root root 0 Jan 5 14:30 principal.ok


Now let's create the ACL file

[root@plutone krb5kdc]# echo "*/plutone@EXAMPLE.COM * *" > kadm5.acl
[root@plutone krb5kdc]# more kadm5.acl
*/plutone@EXAMPLE.COM * *


and create the administrative principal of the Kerberos database

[root@plutone krb5kdc]# /usr/local/sbin/kadmin.local
Authenticating as principal root/plutone@EXAMPLE.COM with password.
kadmin.local: addprinc admin/plutone@EXAMPLE.COM
WARNING: no policy specified for admin/plutone@EXAMPLE.COM; defaulting to no policy
Enter password for principal "admin/plutone@EXAMPLE.COM":
Re-enter password for principal "admin/plutone@EXAMPLE.COM":
Principal "admin/plutone@EXAMPLE.COM" created.
kadmin.local: quit


Now let's start the Kerberos daemons:

[root@plutone krb5kdc]# /usr/local/sbin/krb5kdc
[root@plutone krb5kdc]# /usr/local/sbin/kadmind


and check the log files for errors

[root@plutone ~]# tail -f /var/log/kadmind.log
Jan 05 14:42:36 plutone kadmind[22621](info): listening on fd 7: udp ::.464 (pktinfo)
kadmind: setsockopt(8,IPV6_V6ONLY,1) worked
Jan 05 14:42:37 plutone kadmind[22621](info): listening on fd 9: tcp 0.0.0.0.464
Jan 05 14:42:37 plutone kadmind[22621](info): listening on fd 8: tcp ::.464
Jan 05 14:42:37 plutone kadmind[22621](info): listening on fd 10: rpc 0.0.0.0.749
kadmind: setsockopt(11,IPV6_V6ONLY,1) worked
Jan 05 14:42:37 plutone kadmind[22621](info): listening on fd 11: rpc ::.749
Jan 05 14:42:37 plutone kadmind[22621](info): set up 6 sockets
Jan 05 14:42:37 plutone kadmind[22622](info): Seeding random number generator
Jan 05 14:42:37 plutone kadmind[22622](info): starting

[root@plutone ~]# tail -f /var/log/krb5kdc.log
Jan 05 14:42:30 plutone krb5kdc[22619](Error): preauth pkinit failed to initialize: No realms configured correctly for pkinit support
Jan 05 14:42:30 plutone krb5kdc[22619](info): setting up network...
Jan 05 14:42:30 plutone krb5kdc[22619](info): listening on fd 6: udp 0.0.0.0.88 (pktinfo)
Jan 05 14:42:30 plutone krb5kdc[22619](info): listening on fd 7: udp 0.0.0.0.750 (pktinfo)
krb5kdc: setsockopt(8,IPV6_V6ONLY,1) worked
Jan 05 14:42:30 plutone krb5kdc[22619](info): listening on fd 8: udp ::.88 (pktinfo)
krb5kdc: setsockopt(9,IPV6_V6ONLY,1) worked
Jan 05 14:42:30 plutone krb5kdc[22619](info): listening on fd 9: udp ::.750 (pktinfo)
Jan 05 14:42:30 plutone krb5kdc[22619](info): set up 4 sockets
Jan 05 14:42:31 plutone krb5kdc[22620](info): commencing operation


Now add a service principal for our Oracle Database Server

[root@plutone krb5kdc]# /usr/local/sbin/kadmin.local
Authenticating as principal root/plutone@EXAMPLE.COM with password.
kadmin.local: DB11G/plutone@EXAMPLE.COM
kadmin.local: Unknown request "DB11G/plutone@EXAMPLE.COM". Type "?" for a request list.
kadmin.local: addprinc -randkey DB11G/plutone@EXAMPLE.COM
WARNING: no policy specified for DB11G/plutone@EXAMPLE.COM; defaulting to no policy
Principal "DB11G/plutone@EXAMPLE.COM" created.


Next the principal for the Oracle user, named marco, is created

[root@plutone krb5kdc]# /usr/local/sbin/kadmin.local
Authenticating as principal root/plutone@EXAMPLE.COM with password.
kadmin.local: addprinc marco
WARNING: no policy specified for marco@EXAMPLE.COM; defaulting to no policy
Enter password for principal "marco@EXAMPLE.COM":
Re-enter password for principal "marco@EXAMPLE.COM":
Principal "marco@EXAMPLE.COM" created.


Extract the service key table (keytab) for the service principal from Kerberos. This file is referenced by the sqlnet.ora configuration.

kadmin.local: ktadd -k /tmp/keytab DB11G/plutone
Entry for principal DB11G/plutone with kvno 4, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/keytab.
Entry for principal DB11G/plutone with kvno 4, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/keytab.
Entry for principal DB11G/plutone with kvno 4, encryption type des3-cbc-sha1 added to keytab WRFILE:/tmp/keytab.
Entry for principal DB11G/plutone with kvno 4, encryption type arcfour-hmac added to keytab WRFILE:/tmp/keytab.
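
Before moving to the Oracle side, here is a small check script I added for this post (it is not part of the original post and not MIT code). It reads the realm and file paths from kdc.conf and verifies that the principal database, the master-key stash and kadm5.acl exist with the permissions kdb5_util creates; the stash-name note and the ACL note refer to the values used above (.k5.KERB.IT for realm EXAMPLE.COM, and "*/plutone@EXAMPLE.COM * *", which matches every principal with instance plutone, DB11G/plutone included). The demo at the bottom builds a throwaway copy under a temporary directory, so it never touches a real KDC; the owner name is passed in as an assumption (the post runs everything as root).

```shell
#!/bin/sh
# Added example, not code from the original post: a read-only sanity check of a
# KDC directory laid out like the one above. It reads the realm and file paths
# from kdc.conf and verifies that the principal database, the master-key stash
# and kadm5.acl exist with the permissions kdb5_util creates (0600, owned by
# the KDC user). The demo at the bottom builds a throwaway copy under a
# temporary directory, so running it never touches /usr/local/var/krb5kdc.

# conf_value FILE KEY: print the first "KEY = value" in FILE, without the
# "FILE:" prefix that kdc.conf uses for admin_keytab.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/^FILE://'
}

# conf_realm FILE: print the realm name that opens a "REALM = {" block.
conf_realm() {
    sed -n 's/^[[:space:]]*\([^[:space:]=]*\)[[:space:]]*=[[:space:]]*{.*/\1/p' "$1" | head -n 1
}

# mode_owner FILE: "<mode> <owner>" from ls -ld, SELinux/ACL marker stripped.
mode_owner() {
    ls -ld "$1" | awk '{ sub(/[.+]$/, "", $1); print $1, $3 }'
}

# check_secret FILE OWNER: 0 if FILE is a regular file readable only by OWNER.
check_secret() {
    [ -f "$1" ] || { echo "MISSING $1"; return 1; }
    mo=$(mode_owner "$1")
    case "$mo" in
        "-rw------- $2"|"-r-------- $2") return 0 ;;
        *) echo "BAD PERMS $1 ($mo), want -rw------- $2"; return 1 ;;
    esac
}

# kdc_check CONF OWNER: print findings and return the number of problems
# (0 means the layout matches what the post ends up with).
kdc_check() {
    conf=$1; owner=$2; problems=0
    realm=$(conf_realm "$conf")
    db=$(conf_value "$conf" database_name)
    stash=$(conf_value "$conf" key_stash_file)
    acl=$(conf_value "$conf" acl_file)

    [ -n "$realm" ] || { echo "no realm block in $conf"; problems=$((problems + 1)); }
    # Whoever can read the stash can decrypt every key in the database.
    check_secret "$db" "$owner" || problems=$((problems + 1))
    check_secret "$stash" "$owner" || problems=$((problems + 1))
    # MIT's default stash name is .k5.<REALM>; another name works (the post
    # keeps .k5.KERB.IT for realm EXAMPLE.COM) but is worth pointing out.
    [ "$(basename "$stash")" = ".k5.$realm" ] || echo "NOTE stash $stash is not named .k5.$realm"

    if [ ! -s "$acl" ]; then
        echo "MISSING or empty ACL $acl"; problems=$((problems + 1))
    else
        # Every ACL entry needs at least a principal and a permission field.
        bad=$(awk 'NF == 1 && $1 !~ /^#/ { n++ } END { print n + 0 }' "$acl")
        [ "$bad" -eq 0 ] || { echo "$bad malformed ACL line(s) in $acl"; problems=$((problems + bad)); }
        # "*/plutone@EXAMPLE.COM * *" matches every principal whose instance is
        # plutone, including service principals such as DB11G/plutone whose key
        # is later exported to a keytab; flag such entries for review.
        awk 'NF >= 2 && $1 ~ /^\*/ && $2 == "*" {
                 print "NOTE broad ACL entry \"" $0 "\": all permissions for every principal matching " $1 }' "$acl"
    fi
    return $problems
}

# --- demo on a constructed layout (stand-in for /usr/local/var/krb5kdc) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/kdc.conf" <<EOF
[kdcdefaults]
kdc_ports = 750,88

[realms]
EXAMPLE.COM = {
  database_name = $demo_dir/principal
  key_stash_file = $demo_dir/.k5.KERB.IT
  acl_file = $demo_dir/kadm5.acl
}
EOF
umask 077
: > "$demo_dir/principal"; : > "$demo_dir/.k5.KERB.IT"   # kdb5_util creates these 0600
umask 022
echo '*/plutone@EXAMPLE.COM * *' > "$demo_dir/kadm5.acl"   # the post's ACL line
kdc_check "$demo_dir/kdc.conf" "$(id -un)"; echo "problems: $?"
chmod 644 "$demo_dir/.k5.KERB.IT"                           # simulate a readable stash
kdc_check "$demo_dir/kdc.conf" "$(id -un)"; echo "problems after chmod 644: $?"
rm -rf "$demo_dir"
```

Run it as root against the real directory with `kdc_check /usr/local/var/krb5kdc/kdc.conf root` once the daemons are up; the NOTE lines are informational, only the counted problems indicate a file that is missing or readable by more than the KDC owner.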


Create the Oracle user on the Oracle Database Server. According to Oracle documentation (Oracle Advanced Security Administrator's Guide) "This username must be created in uppercase and must have the realm specified."


idle> startup
ORACLE instance started.

Total System Global Area 626327552 bytes
Fixed Size 2215944 bytes
Variable Size 427823096 bytes
Database Buffers 188743680 bytes
Redo Buffers 7544832 bytes
Database mounted.
Database opened.
idle> create user "MARCO@EXAMPLE.COM" identified externally;

User created.

idle> grant create session to "MARCO@EXAMPLE.COM";

Grant succeeded.


Check the authentication parameters; os_authent_prefix must be cleared so that the Kerberos principal name maps directly to the database username:

idle> show parameter authent

NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
os_authent_prefix string ops$
remote_os_authent boolean FALSE

idle> alter system set os_authent_prefix='' scope=spfile;

System altered.



Copy the keytab out of the /tmp directory to a permanent location and give ownership to the oracle user

[root@plutone krb5kdc]# cp /tmp/keytab /etc/
[root@plutone krb5kdc]# chown oracle.oinstall /etc/keytab


Now it's time to configure the sqlnet.ora file to point to Kerberos. The following parameters were added to sqlnet.ora:

[oracle@plutone admin]$ pwd
/u01/app/oracle/product/11.2.0/db_1/network/admin
[oracle@plutone admin]$ vi sqlnet.ora
SQLNET.KERBEROS5_KEYTAB=/etc/keytab
SQLNET.KERBEROS5_CONF=/etc/krb5.conf
SQLNET.KERBEROS5_CONF_MIT=TRUE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=DB11G
SQLNET.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5)


Let's get a ticket from the Kerberos server

[oracle@plutone admin]$ okinit marco

Kerberos Utilities for Linux: Version 11.2.0.1.0 - Production on 05-JAN-2011 16:02:02

Copyright (c) 1996, 2009 Oracle. All rights reserved.

Password for marco@EXAMPLE.COM:
[oracle@plutone admin]$ oklist

Kerberos Utilities for Linux: Version 11.2.0.1.0 - Production on 05-JAN-2011 16:02:15

Copyright (c) 1996, 2009 Oracle. All rights reserved.

Ticket cache: /tmp/krb5cc_500
Default principal: marco@EXAMPLE.COM

Valid Starting Expires Principal
05-Jan-2011 16:02:06 06-Jan-2011 00:02:03 krbtgt/EXAMPLE.COM@EXAMPLE.COM


And now it's time to log in

[oracle@plutone admin]$ sqlplus /@DB11G

SQL*Plus: Release 11.2.0.1.0 Production on Wed Jan 5 16:10:11 2011

Copyright (c) 1982, 2009, Oracle. All rights reserved.


Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

marco@example.com@DB11G>


What happens if I remove the ticket?

[root@plutone krb5kdc]# rm /tmp/krb5cc_500
rm: remove regular file `/tmp/krb5cc_500'? y


Of course I'm no longer able to authenticate the user.

[oracle@plutone admin]$ sqlplus /@DB11G

SQL*Plus: Release 11.2.0.1.0 Production on Wed Jan 5 16:19:52 2011

Copyright (c) 1982, 2009, Oracle. All rights reserved.

ERROR:
ORA-12638: Credential retrieval failed


Enter user-name:
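
To tie the sqlnet.ora parameters and the ORA-12638 failure together, here is a pre-flight check I added for this post (not part of the original post and not Oracle code). It reads the SQLNET.KERBEROS5_* and SQLNET.AUTHENTICATION_* parameters from a sqlnet.ora, checks that the keytab it names is readable only by the oracle user and that krb5.conf is readable, and checks whether a ticket cache exists, which is exactly what went missing after rm /tmp/krb5cc_500. The owner name and the cache path are passed in as assumptions (the post uses oracle and /tmp/krb5cc_500); the demo at the bottom runs on constructed files in a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the original post: a pre-flight check for the
# Oracle client side of the setup above. It reads the SQLNET.KERBEROS5_* and
# SQLNET.AUTHENTICATION_* parameters from a sqlnet.ora, checks the keytab and
# krb5.conf they point to, and checks that a ticket cache exists, because the
# post shows "sqlplus /@DB11G" failing with ORA-12638 as soon as the cache is
# gone. The demo at the bottom uses a constructed sqlnet.ora in a temporary
# directory; the real files live in $ORACLE_HOME/network/admin and /etc.

# sqlnet_value FILE KEY: print the value of "KEY=value" (key compared without
# regard to case, surrounding blanks ignored) or nothing if KEY is absent.
sqlnet_value() {
    awk -v key="$2" -F= 'BEGIN { key = tolower(key) }
        { k = $1; gsub(/[[:space:]]/, "", k)
          if (tolower(k) == key) { v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v; exit } }' "$1"
}

# mode_owner FILE: "<mode> <owner>" from ls -ld, SELinux/ACL marker stripped.
mode_owner() {
    ls -ld "$1" | awk '{ sub(/[.+]$/, "", $1); print $1, $3 }'
}

# client_check SQLNET ORACLE_USER CACHE: print findings and return the number
# of problems that would stop "sqlplus /@<service>" from authenticating.
client_check() {
    sqlnet=$1; ouser=$2; cache=$3; problems=0

    for key in SQLNET.KERBEROS5_KEYTAB SQLNET.KERBEROS5_CONF SQLNET.KERBEROS5_CONF_MIT \
               SQLNET.AUTHENTICATION_KERBEROS5_SERVICE SQLNET.AUTHENTICATION_SERVICES; do
        [ -n "$(sqlnet_value "$sqlnet" "$key")" ] || { echo "MISSING parameter $key"; problems=$((problems + 1)); }
    done

    # Kerberos is only attempted if KERBEROS5 is among the authentication services.
    case "$(sqlnet_value "$sqlnet" SQLNET.AUTHENTICATION_SERVICES)" in
        *KERBEROS5*) ;;
        *) echo "KERBEROS5 not listed in SQLNET.AUTHENTICATION_SERVICES"; problems=$((problems + 1)) ;;
    esac

    # The keytab holds the long-term key of the service principal
    # (DB11G/plutone in the post): only the oracle user should be able to read it.
    keytab=$(sqlnet_value "$sqlnet" SQLNET.KERBEROS5_KEYTAB)
    if [ ! -f "$keytab" ]; then
        echo "MISSING keytab $keytab"; problems=$((problems + 1))
    else
        mo=$(mode_owner "$keytab")
        case "$mo" in
            "-rw------- $ouser"|"-r-------- $ouser") ;;
            *) echo "BAD PERMS keytab $keytab ($mo), want -rw------- $ouser"; problems=$((problems + 1)) ;;
        esac
    fi

    krb5conf=$(sqlnet_value "$sqlnet" SQLNET.KERBEROS5_CONF)
    [ -r "$krb5conf" ] || { echo "MISSING or unreadable krb5.conf $krb5conf"; problems=$((problems + 1)); }

    # With no ticket cache the client has nothing to present: that is the
    # ORA-12638 "Credential retrieval failed" shown in the post.
    [ -s "$cache" ] || { echo "NO TICKET CACHE at $cache: run okinit <principal> first"; problems=$((problems + 1)); }
    return $problems
}

# --- demo on constructed files (stand-ins for network/admin, /etc and /tmp) ---
d=$(mktemp -d)
umask 077
: > "$d/keytab"                           # stands in for /etc/keytab, 0600, owned by oracle
echo constructed > "$d/krb5cc_500"        # stands in for the cache okinit wrote
printf '[libdefaults]\ndefault_realm = EXAMPLE.COM\n' > "$d/krb5.conf"
umask 022
cat > "$d/sqlnet.ora" <<EOF
SQLNET.KERBEROS5_KEYTAB=$d/keytab
SQLNET.KERBEROS5_CONF=$d/krb5.conf
SQLNET.KERBEROS5_CONF_MIT=TRUE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=DB11G
SQLNET.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5)
EOF
me=$(id -un)
client_check "$d/sqlnet.ora" "$me" "$d/krb5cc_500"; echo "problems: $?"
rm "$d/krb5cc_500"                        # the post's rm /tmp/krb5cc_500
client_check "$d/sqlnet.ora" "$me" "$d/krb5cc_500"; echo "problems after removing the cache: $?"
rm -rf "$d"
```

On the real box this would be `client_check $ORACLE_HOME/network/admin/sqlnet.ora oracle /tmp/krb5cc_$(id -u oracle)` run as the oracle user just before `sqlplus /@DB11G`; a missing cache is reported as a problem because, as the post shows, the login cannot succeed until okinit has been run again.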

Support Position for Oracle Products Running on VMWare Virtualized Environments

Today on the Oracle website I discovered this interesting announcement about Oracle's support status for VMware environments.
At my company we have VMware support and already several VMware virtualized environments, but we never thought of using those environments to virtualize Oracle databases. We do need to virtualize Oracle databases, especially those for development and pre-production platforms, but we were only waiting for an IBM blade order.
In my opinion I would still suggest and implement the Oracle VM solution to my CTO, because some points in the document are not clear and, at the moment, this VMware support position does not fit our requirements at all, since we would like to implement a virtualized RAC environment made up of 10gR2 nodes.

This is Oracle's position as of 8 November 2010 (see Doc ID 249212.1 on Metalink for more details and news). In bold I have highlighted my doubts.
What's your opinion?

Regards.



Support Status for VMware Virtualized Environments
--------------------------------------------------
Oracle has not certified any of its products on VMware virtualized
environments.
Oracle Support will assist customers running Oracle products
on VMware in the following manner: Oracle will only provide
support for issues that either are known to occur on the native OS, or
can be demonstrated not to be as a result of running on VMware.

If a problem is a known Oracle issue, Oracle support will recommend the
appropriate solution on the native OS. If that solution does not work in
the VMware virtualized environment, the customer will be referred to VMware
for support. When the customer can demonstrate that the Oracle solution
does not work when running on the native OS, Oracle will resume support,
including logging a bug with Oracle Development for investigation if required.

If the problem is determined not to be a known Oracle issue, we will refer
the customer to VMware for support. When the customer can demonstrate
that the issue occurs when running on the native OS, Oracle will resume
support, including logging a bug with Oracle Development for investigation
if required.

NOTE: Oracle has not certified any of its products on VMware. For Oracle RAC, Oracle will only
accept Service Requests as described in this note on Oracle RAC 11.2.0.2 and later
releases.