Modifications for Oracle
Following are the steps to perform the Oracle related modifications:
- Copy /etc/krb5.conf from the KDC to /etc/krb5.conf on the Oracle server.
- Copy the keytab file from the KDC to the Oracle server as /etc/v5srvtab. Transfer it over an authenticated, encrypted channel (for example scp): the keytab contains the service's long-term keys, and anyone who obtains it can impersonate the service.
Note:
The exported keytab file can be removed from the KDC once it has been copied to the Oracle server.
Note:
For more information, see Exporting service and user principals to keytab file on KDC.
- Grant permissions on the files and directories referenced in sqlnet.ora so that the Oracle service can read them:
# chown <oracle user>:<oracle group> /etc/krb5.conf /etc/v5srvtab
# chmod 444 /etc/krb5.conf /etc/v5srvtab
For example:
# chown aptare:dba /etc/krb5.conf /etc/v5srvtab
Mode 444 leaves the keytab readable by every local account. Only the Oracle service user needs to read it, so mode 400 on /etc/v5srvtab (owner read only) is sufficient and is the tighter choice; /etc/krb5.conf holds no secrets and can remain world-readable.
- Add the following entries to the /opt/aptare/oracle/network/admin/sqlnet.ora file:
SQLNET.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5)
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=scdb
SQLNET.KERBEROS5_CONF=/etc/krb5.conf
SQLNET.KERBEROS5_CONF_MIT=TRUE
SQLNET.KERBEROS5_REALMS=/etc/krb5.conf
SQLNET.KERBEROS5_KEYTAB=/etc/v5srvtab
SQLNET.FALLBACK_AUTHENTICATION=TRUE
SQLNET.KERBEROS5_CC_NAME=/tmp/kcache
SQLNET.KERBEROS5_CLOCKSKEW=300
Note:
The Oracle server and the KDC must have the same time and time zone settings. If there is a small clock difference, raise SQLNET.KERBEROS5_CLOCKSKEW in sqlnet.ora to cover it; the value is in seconds and defaults to 300. For example, to tolerate a difference of up to 20 minutes: SQLNET.KERBEROS5_CLOCKSKEW=1200. Cohesity recommends configuring both servers to synchronize time from time servers instead, since a larger skew also widens the window in which a captured ticket remains usable.
- Create a user in Oracle to be used with Kerberos. This example uses the k1portal user principal created earlier on the KDC.
# su - aptare (login as Oracle service user)
# source <INSTALL_PATH>/aptare/bin/aptare_env.sh
# sqlplus / as sysdba
SQL> alter session set container=scdb;
SQL> CREATE USER <kerberos user name> PROFILE DEFAULT IDENTIFIED EXTERNALLY AS '<Kerberos user name>@<domain realm name>' DEFAULT TABLESPACE APTARE_TBS_DATA_1M TEMPORARY TABLESPACE APTARE_TEMP_TBS;
For example:
SQL> CREATE USER k1portal PROFILE DEFAULT IDENTIFIED EXTERNALLY AS 'k1portal@EXAMPLE.COM' DEFAULT TABLESPACE APTARE_TBS_DATA_1M TEMPORARY TABLESPACE APTARE_TEMP_TBS;
SQL> EXIT;
The string in IDENTIFIED EXTERNALLY AS must match the Kerberos principal exactly, including the realm, which is case-sensitive.
- Verify that the parameter OS_AUTHENT_PREFIX="" is present in the parameter file ("pfile" or "spfile") of the database. If it is not, add it. Without it Oracle prepends its default prefix (OPS$) to externally authenticated user names, and the Kerberos principal no longer maps to the user created above.
For example, in the /opt/aptare/oracle/dbs/initscdb.ora file (initialization file for the service) add the following entry:
OS_AUTHENT_PREFIX=""
- Restart Oracle service.
- As the Oracle service user, run the following commands to list the keytab and fetch an initial TGT for the k1portal user:
Note:
This step is optional if a pre-stashed Kerberos ticket is used.
# su - aptare (login as Oracle service user)
# source <INSTALL_PATH>/aptare/bin/aptare_env.sh
# oklist -k -t /etc/v5srvtab
# okinit -k -t /etc/v5srvtab k1portal
oklist -k -t prints the principals and key timestamps stored in the keytab; k1portal must appear there for the keytab-based okinit to succeed.
- Connect to Oracle DB using the following command.
# sqlplus /@scdb
- Create a trigger for the Kerberos user corresponding to the portal that alters the session to set the current schema to PORTAL:
# su - aptare (login as Oracle service user)
# source <INSTALL_PATH>/aptare/bin/aptare_env.sh
# okinit -k -t /etc/v5srvtab k1portal
The okinit command above is optional if a pre-stashed Kerberos ticket is used.
# sqlplus /@scdb
SQL> show user;
This must return k1portal.
SQL> CREATE OR REPLACE TRIGGER set_portal_schema
  AFTER LOGON ON k1portal.SCHEMA
BEGIN
  EXECUTE IMMEDIATE 'alter session set current_schema=PORTAL';
END;
/
- Grant the read-only user permission to connect through the k1portal Kerberos user (proxy authentication):
# sqlplus / as sysdba
SQL> alter session set container = scdb;
SQL> alter user aptare_ro grant connect through k1portal;
SQL> GRANT CREATE SESSION to aptare_ro;
SQL> exit;
Verify with a read-only user login through the proxy:
# sqlplus [aptare_ro]/@scdb
SQL> show user;
This must return aptare_ro.
SQL> exit;
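A pre-flight check for the steps above, as an added example that is not part of this procedure or of Cohesity's tooling: it verifies that sqlnet.ora carries the Kerberos parameters listed in this section with the expected values, that krb5.conf and the keytab exist, are owned by the service user and are not writable by group or other (warning when the keytab is readable by other users), and reports when the clock-skew tolerance has been raised above the default of 300 seconds. The paths and the aptare owner come from this page; the script name krb_preflight.sh is assumed for the example. It does not contact Oracle or the KDC.

```shell
#!/bin/sh
# krb_preflight.sh: sanity checks for the Oracle Kerberos setup described above.
# Added example, not Cohesity/APTARE code. Usage:
#   sh krb_preflight.sh /opt/aptare/oracle/network/admin/sqlnet.ora aptare
# With no arguments only the functions are defined, so the file can be sourced.

# Print the value of one sqlnet.ora parameter: key match is case-insensitive,
# surrounding whitespace is ignored and comment lines are skipped.
sqlnet_get() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        toupper(k) == toupper(key) {
            v = $2; gsub(/^[ \t]+/, "", v); gsub(/[ \t\r]+$/, "", v); print v; exit
        }' "$1"
}

# Verify that sqlnet.ora carries every Kerberos parameter from the procedure
# with the expected value. Prints each mismatch; returns 1 if there is any.
check_sqlnet() {
    sqlnet_rc=0
    while IFS='|' read -r key want; do
        have=$(sqlnet_get "$1" "$key")
        if [ "$have" != "$want" ]; then
            echo "$1: $key is '$have', expected '$want'"
            sqlnet_rc=1
        fi
    done <<'EOF'
SQLNET.AUTHENTICATION_SERVICES|(BEQ,KERBEROS5)
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE|scdb
SQLNET.KERBEROS5_CONF|/etc/krb5.conf
SQLNET.KERBEROS5_CONF_MIT|TRUE
SQLNET.KERBEROS5_REALMS|/etc/krb5.conf
SQLNET.KERBEROS5_KEYTAB|/etc/v5srvtab
SQLNET.FALLBACK_AUTHENTICATION|TRUE
EOF
    return $sqlnet_rc
}

# Check that a credential file exists, is owned by the service user and is not
# writable by group or other; returns 1 on failure. When the third argument is
# "secret" (the keytab), also warn if other users can read it: mode 444 from
# the procedure satisfies Oracle, but 400 is sufficient for the service user.
check_cred_file() {
    cred="$1"; want_owner="$2"; kind="$3"; cred_rc=0
    [ -f "$cred" ] || { echo "$cred: missing"; return 1; }
    set -- $(ls -ld "$cred")             # $1 = mode string, $3 = owner
    mode="$1"; have_owner="$3"
    if [ "$have_owner" != "$want_owner" ]; then
        echo "$cred: owned by $have_owner, expected $want_owner"; cred_rc=1
    fi
    case "$mode" in                      # positions 6 and 9 are the write bits
        ?????w*|????????w*) echo "$cred: writable by group/other ($mode)"; cred_rc=1 ;;
    esac
    if [ "$kind" = secret ]; then        # position 8 is the other-read bit
        case "$mode" in
            ???????r*) echo "$cred: readable by other users ($mode); 400 is sufficient" ;;
        esac
    fi
    return $cred_rc
}

# Report a clock-skew tolerance above the default of 300 s (returns 1 then):
# a larger value widens the window in which a captured ticket stays usable,
# so it should be a conscious choice rather than a substitute for NTP.
check_skew() {
    skew=$(sqlnet_get "$1" SQLNET.KERBEROS5_CLOCKSKEW)
    skew=${skew:-300}
    if [ "$skew" -gt 300 ]; then
        echo "$1: SQLNET.KERBEROS5_CLOCKSKEW=$skew exceeds the default 300; prefer time sync on both hosts"
        return 1
    fi
    return 0
}

if [ $# -gt 0 ]; then
    sqlnet="$1"; owner="${2:-aptare}"; rc=0
    check_sqlnet "$sqlnet" || rc=1
    check_cred_file "$(sqlnet_get "$sqlnet" SQLNET.KERBEROS5_CONF)" "$owner" || rc=1
    check_cred_file "$(sqlnet_get "$sqlnet" SQLNET.KERBEROS5_KEYTAB)" "$owner" secret || rc=1
    check_skew "$sqlnet" || true         # warning only
    [ "$rc" -eq 0 ] && echo "preflight OK"
    exit "$rc"
fi
```

Run it as the Oracle service user after the sqlnet.ora and file-permission steps and before restarting the service; a non-zero exit means at least one check above printed a mismatch.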