Configure Kerberos Authentication with Autonomous Database
Describes how to configure Kerberos to authenticate Oracle Autonomous Database users.
- About Kerberos Authentication: You can configure Oracle Autonomous Database to use the Kerberos network authentication protocol to authenticate database users. Kerberos is a strong network authentication protocol. It uses secret-key cryptography to enable strong authentication by providing user-to-server authentication.
- Components of the Kerberos Authentication System: Provides an overview of the Kerberos authentication system.
- Enable Kerberos Authentication on Autonomous Database: Shows the steps to enable Kerberos authentication on your Autonomous Database instance.
- Disable Kerberos Authentication on Autonomous Database: Shows the steps to disable Kerberos authentication for your Autonomous Database instance.
- Notes for Kerberos Authentication on Autonomous Database: Provides notes on using Kerberos authentication for Autonomous Database.
About Kerberos Authentication
You can configure Oracle Autonomous Database to use the Kerberos network authentication protocol to authenticate database users. Kerberos is a strong network authentication protocol. It uses secret-key cryptography to enable strong authentication by providing user-to-server authentication.
- Oracle Autonomous Database support for Kerberos provides the benefits of single sign-on and centralized authentication of Oracle users. Kerberos is a trusted third-party authentication system that relies on shared secrets. It presumes that the third party is secure, and provides single sign-on capabilities, centralized password storage, database link authentication, and enhanced PC security. It does this through a Kerberos authentication server.
- The Kerberos system revolves around the concept of a ticket. A ticket is a set of electronic information that identifies a user or a service. A ticket identifies you and your network access privileges.
- In Kerberos-based authentication, you transparently send a request for a ticket to a Key Distribution Center (KDC). The Key Distribution Center authenticates you and grants you a ticket to access the database.
Components of the Kerberos Authentication System
Provides an overview of the Kerberos authentication system.
- A realm establishes an authentication administrative domain. Each realm has its own Kerberos database, which contains the users and services for that particular administrative domain.
- Tickets are issued by the Key Distribution Center (KDC). Clients present tickets to the database server to demonstrate the authenticity of their identity. Each ticket has an expiration time and a renewal time.
- A keytab stores long-term keys for one or more principals. A keytab file is generated by invoking the tool kadmin.local (for an MIT Key Distribution Center) or ktpass (for an Active Directory Key Distribution Center).
- Principals are the entries in the Key Distribution Center database. Each user, host, or service is given a principal. A principal is a unique identity to which the Key Distribution Center can assign tickets.
- Kerberos support in Autonomous Database uses these values for the various components that make up a service principal's name:
| Component of Service Principal | Value in Autonomous Database |
|---|---|
| kinstance | You can obtain this value from the attribute. Use the following query to obtain the |
| kservice | On Autonomous Database you have two options for the. After Kerberos is enabled on your Autonomous Database instance, use the following query to view the Kerberos service name: |
| REALM | Any realm supported by your KDC. REALM must always be in uppercase. |
To enable Kerberos authentication for your Autonomous Database, you must have your Kerberos configuration file (krb.conf) and service key table file (v5srvtab) ready. For more information on these files and the steps to obtain them, see Configuring Kerberos Authentication.
Enable Kerberos Authentication on Autonomous Database
Shows the steps to enable Kerberos authentication on your Autonomous Database instance.
To run DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION you must be logged in as the ADMIN user or have the EXECUTE privilege on DBMS_CLOUD_ADMIN.
To use DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION to enable Kerberos authentication:
To enable Kerberos authentication for your Autonomous Database, you must obtain the Kerberos configuration file krb.conf and the service key table file v5srvtab. For more information on these files and the steps required to obtain them, see Configuring Kerberos Authentication.
See Navigate to Oracle Cloud Infrastructure Object Storage and Create Bucket for more information on Object Storage.
See ENABLE_EXTERNAL_AUTHENTICATION Procedure for more information.
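As an added example (not text from this Oracle page), here is the enable call together with the session check a DBA would run afterwards, and the matching disable call. The bucket URI and credential name are placeholders; the params keys (location_uri, credential_name) and the DISABLE_EXTERNAL_AUTHENTICATION procedure come from my knowledge of DBMS_CLOUD_ADMIN, not from this page.

```sql
-- Added example, not from the Oracle page.
-- Assumes krb.conf and v5srvtab are already uploaded to the Object Storage
-- bucket, and that a credential able to read that bucket was created with
-- DBMS_CLOUD.CREATE_CREDENTIAL. Run as ADMIN or a user with EXECUTE on
-- DBMS_CLOUD_ADMIN.
BEGIN
  DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION(
    type   => 'KERBEROS',
    params => JSON_OBJECT(
      -- placeholder bucket URI: replace <region>, <namespace>, <bucket>
      'location_uri'    VALUE 'https://objectstorage.<region>.oraclecloud.com/n/<namespace>/b/<bucket>/o/',
      -- placeholder credential name
      'credential_name' VALUE 'KERBEROS_OBJ_STORE_CRED'
    )
  );
END;
/

-- Verification from a client session that connected with a Kerberos ticket:
-- AUTHENTICATION_METHOD should read KERBEROS rather than PASSWORD, and
-- AUTHENTICATED_IDENTITY shows the Kerberos principal the session maps to.
-- Password logons still succeed after enabling (see the Notes section), so
-- this is how you confirm a given session actually used Kerberos.
SELECT SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD')   AS auth_method,
       SYS_CONTEXT('USERENV', 'AUTHENTICATED_IDENTITY')  AS authenticated_as
  FROM DUAL;

-- Reverting to password-only authentication (the Disable section of this
-- page): run as ADMIN or a user with EXECUTE on DBMS_CLOUD_ADMIN.
BEGIN
  DBMS_CLOUD_ADMIN.DISABLE_EXTERNAL_AUTHENTICATION;
END;
/
```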
Disable Kerberos Authentication on Autonomous Database
Shows the steps to disable Kerberos authentication for your Autonomous Database instance.
Notes for Kerberos Authentication on Autonomous Database
Provides notes on using Kerberos Authentication for Autonomous Database.
- If you enable Kerberos authentication for your Autonomous Database, you can still use password-based database authentication for your database.
- Kerberos authentication is not supported for these tools:
  - Oracle Database API for MongoDB
  - Oracle REST Data Services
  - Oracle Machine Learning
  - APEX
  - Oracle Graph Studio
  - Oracle Database Actions
- You can enable Kerberos authentication to authenticate the ADMIN user. You can use the Reset Password functionality on the Oracle Cloud Infrastructure Console to reset the ADMIN user's password and regain access if a corrupted keytab file causes the ADMIN user's authentication to fail.
- The default value for the maximum clock skew in Autonomous Database is 300 seconds (5 minutes). You cannot change the default clock skew value.