Liquibase Enterprise was formerly known as Datical DB.

Kerberos authentication for an Oracle database

Kerberos authentication for Oracle is available in Datical DB versions 7.6 and later.

 

Kerberos is a ticket-based authentication protocol that provides strong authentication for client/server applications by using secret-key cryptography. The Kerberos authentication protocol doesn’t store passwords locally or send them over the Internet.

As a Datical DB user, you can use Kerberos authentication with Oracle without having to present passwords or certificates.

All Datical DB operations that are available for Oracle databases support Kerberos authentication in both the GUI and the CLI.

Prerequisites

Before configuring Datical dbDefs to use Kerberos authentication for an Oracle connection, ensure that you have done the following:

  • Configured the krb5.conf or krb5.ini files.

  • Created a new Kerberos ticket. Alternatively, you can use an existing one, but check that it is still valid and has not expired.

  • Configured sqlnet.ora.

  • Set the following environment variables: ORACLE_HOME, TNS_ADMIN, DDB_KRB5_CONFIG, and DDB_KRB5_CC_NAME. DDB_KRB5_CONFIG and DDB_KRB5_CC_NAME are optional if the KRB5_CONFIG environment variable is set and the path to the Kerberos ticket exists in krb5.conf.
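A pre-flight check for the prerequisites listed above, as an added example rather than a script shipped with Datical DB. It assumes that DDB_KRB5_CONFIG (or KRB5_CONFIG) holds the path to krb5.conf, that DDB_KRB5_CC_NAME holds the path to a file-based ticket cache, and that sqlnet.ora lives in TNS_ADMIN; the names check_kerberos_prereqs and CHECK_TICKET are invented here.

```shell
#!/bin/sh
# Pre-flight check for the Kerberos prerequisites (added example).
# Assumption: DDB_KRB5_CONFIG / KRB5_CONFIG hold the path to krb5.conf and
# DDB_KRB5_CC_NAME holds the path to a file-based ticket cache.

check_kerberos_prereqs() {
    fails=0
    fail() { echo "FAIL: $1" >&2; fails=$((fails + 1)); }

    # ORACLE_HOME and TNS_ADMIN are always required.
    [ -d "${ORACLE_HOME:-}" ] || fail "ORACLE_HOME is unset or not a directory"
    [ -d "${TNS_ADMIN:-}" ] || fail "TNS_ADMIN is unset or not a directory"

    # krb5.conf: DDB_KRB5_CONFIG, falling back to KRB5_CONFIG.
    conf="${DDB_KRB5_CONFIG:-${KRB5_CONFIG:-}}"
    [ -r "$conf" ] || fail "no readable krb5.conf (DDB_KRB5_CONFIG/KRB5_CONFIG)"

    # sqlnet.ora must enable a Kerberos authentication service (comments ignored).
    ora="${TNS_ADMIN:-}/sqlnet.ora"
    if [ -r "$ora" ]; then
        grep -v '^[[:space:]]*#' "$ora" |
            grep -Eiq 'SQLNET\.AUTHENTICATION_SERVICES[[:space:]]*=.*KERBEROS5' ||
            fail "sqlnet.ora does not list KERBEROS5 in SQLNET.AUTHENTICATION_SERVICES"
    else
        fail "sqlnet.ora not found in TNS_ADMIN"
    fi

    # Ticket cache: must exist and be accessible to its owner only.
    cc="${DDB_KRB5_CC_NAME:-}"
    if [ -n "$cc" ]; then
        if [ -f "$cc" ]; then
            perms=$(ls -ld "$cc" | cut -c5-10)   # group and other permission bits
            [ "$perms" = "------" ] || fail "ticket cache $cc is accessible to group/others"
            # With MIT Kerberos installed, CHECK_TICKET=1 also tests ticket validity.
            if [ "${CHECK_TICKET:-0}" = 1 ]; then
                klist -s -c "$cc" || fail "ticket in $cc is missing or expired"
            fi
        else
            fail "DDB_KRB5_CC_NAME points to a missing file"
        fi
    elif [ -z "${KRB5_CONFIG:-}" ]; then
        fail "DDB_KRB5_CC_NAME is unset and KRB5_CONFIG is not set"
    fi

    return "$fails"
}
```

Source the file and call check_kerberos_prereqs before running hammer; the return status is the number of failed checks, and each failure is reported on stderr.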

Uses

Kerberos authentication for an Oracle connection is typically used when Kerberos is the standard authentication mechanism that your company supports for accessing resources in your organization.

Configuring Datical dbDefs to use Kerberos authentication for Oracle databases

There are several ways to configure Datical dbDefs to use Kerberos authentication for Oracle databases:

Creating a new project with the project_creator.groovy script

The project_creator.groovy script reads information from a set of input files and generates a project directory in your workspace containing the required configuration files. The project_creator.groovy script is executed using the hammer command.

To use the project_creator, perform the following steps:

  1. Ensure that the Datical DB CLI directory is in your path. Otherwise, specify the full path to the CLI tool, hammer.

  2. Select a sample input file for Oracle named ProjectNameOracle.dbdefs.tsv.txt that is delivered with the Datical DB installation. It is located in the following directory:

<DaticalDB-Installation-Directory>/repl/scripts/examples

ProjectNameOracle.dbdefs.tsv.txt field names and their description

| Field Headers (case-sensitive) | Description |
| --- | --- |
| name | The name for the dbDef. It is used as an alias for the connection. |
| DbDefClass | Inline Credentials: OracleDbDef. Run-Time Supplied Credentials: DelayedCredentialOracleDbDef. |
| hostname | The hostname/IP of the target database server. |
| port | The port number for JDBC connections to the target database server. |
| username | The database user name to use for the connection. |
| sid | The name of the Oracle SID to which you want to connect. |
| serviceName | The name of the Oracle Service to which you want to connect. |
| useWallet | The name of the Oracle Wallet to connect to the Oracle database through an SSL connection. See Using Oracle Wallet for SSL Connections to Oracle Databases. |
| tnsName | The directory that contains configuration files for Oracle Wallet. |
| defaultSchemaName | The name of the schema/catalog you want to manage. |
| contexts | A comma-separated list of contexts to associate with the new dbDef. |
| labels | A comma-separated list of labels to associate with the new dbDef. |
| storageOptions | A TRUE or FALSE value that determines if Datical collects Storage Options. |
| dbDefType | The value that is set to standard for a managed database and to dmcdb for a Deployment Monitoring Console database. If you specify a dmcdb in your project, project_creator.groovy will attempt to register the project with the dmcdb. |
| scriptExecutionTimeout | The value that limits the time to wait for a script to execute in seconds. The default value is 0, which means there is no limit. |
| kerberos | A TRUE or FALSE value that determines if Datical uses the Kerberos authentication. Set to true if you want to use the Kerberos authentication to connect. |

3. Next, run the script on your Windows system:

% hammer groovy project_creator.groovy "F:\drivers\jdbc_drivers" "F:\provisioning_files" "C:\Users\TestUser1\datical" "new_project" testConnections

Use the following example to run the script on a Linux system:

% hammer groovy project_creator.groovy ignore /opt/datical/provisioning_files /opt/datical/workspace "new_project" testConnections

Using the newDbDef hammer command

The newDbDef hammer command is another way to create a new project by specifying all the values directly in the CLI. When running the newDbDef hammer command, ensure that the kerberos value is set to true.

Running the set dbprop or show dbprop commands

The set dbprop or show dbprop commands are typically used when you have an existing project and want to use the Kerberos protocol as an authentication method by just adding the kerberos attribute. The format of these commands is the following:

set dbprop <DbDefName> kerberos true/false

show dbprop <DbDefName> kerberos true/false

An example of using the set dbprop and show dbprop commands:

Using the Datical DB GUI

The Datical DB GUI can also be used to create a new dbDef for an Oracle database with an option to connect through the Kerberos authentication protocol.

Whether you are creating a new dbDef or editing an existing one, you can configure it to use Kerberos for authentication in the Connection Settings.

The following image shows the Datical DB GUI with the configuration properties for the Kerberos authentication:

  • To use the BASIC connection with Kerberos authentication, specify your hostname, port, identifier, and any additional information if required, and then select Kerberos.

  • To use the TNS/LDAP connection with Kerberos authentication, specify your name, TNS alias, and any additional information if required, and then select Kerberos.

 

Copyright © Liquibase 2012-2022 - Proprietary and Confidential