The configuration steps in this section assume the following:
You have registered your databases with the Kerberos authentication server and configured your Oracle Net Services as described under "Configuring Kerberos Authentication" in the Oracle Database Security Guide.
You have prepared your directory by completing the tasks described in "Preparing the Directory for Enterprise User Security (Phase One)".
You have configured your Enterprise User Security objects in the database and the directory by completing the tasks described in "Configuring Enterprise User Security Objects in the Database and the Directory (Phase Two)".
You have configured an SSL instance with no authentication for Oracle Internet Directory as described in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory. If you are using an ldap.ora file, then also ensure that the port number of this no-authentication SSL instance is listed there as your directory SSL port.
To configure Enterprise User Security for Kerberos authentication, perform the following tasks:
Task 1: Configure Oracle Internet Directory Self-Service Console to display the Kerberos principal name attribute
By default, the Oracle Internet Directory Self-Service Console user interface does not display the field where you can configure Kerberos principal names. The first time you create Kerberos-authenticated users in the directory, you must configure this tool to display the krbPrincipalName attribute in its Create User page by using the following steps:
Log in to the Oracle Internet Directory Self-Service Console.
Enter the URL to access the Oracle Internet Directory Self-Service Console in a browser window. For example:
http://myhost1:7777/oiddas
Log in as the orcladmin user.
Click the Configuration tab. Click the User Entry subtab.
Click Next until the Configure User Attributes page appears.
In the Configure User Attributes page, click Add New Attribute.
The Add New Attribute page appears.
In the Add New Attribute page, select krbPrincipalName from the Directory Attribute Name box (or the attribute that you have configured for orclCommonKrbPrincipalAttribute in your identity management realm) and perform the following steps on this page:
Enter a value, say Kerberos Principal Name, for the UI Label.
Select Searchable and Viewable.
Select Single Line Text from the UI Type.
Click Done.
Click Next to navigate to the Configure Attribute Categories page. Select Basic Information and click Edit.
The Edit Category page appears.
Perform the following steps on the Edit Category page:
Select krbPrincipalName in the left category list.
Click Move, to move krbPrincipalName to the right-hand list.
Click Done.
Click Next until you reach the last step. Click Finish to save your work.
Task 2: (Optional) Configure the Kerberos Principal Name Directory Attribute for the Identity Management Realm
Use Oracle Internet Directory Self-Service Console to enter the directory attribute used to store the Kerberos principal name for the identity management realm you are using in the directory. By default, Kerberos principal names are stored in the krbPrincipalName attribute, but this can be changed to correspond to your directory configuration by changing orclCommonKrbPrincipalAttribute in the identity management realm. For more information about this task, see "Setting Login Name, Kerberos Principal Name, User Search Base, and Group Search Base Identity Management Realm Attributes".
Note:
By default, the Oracle Internet Directory Self-Service Console user interface does not display the field where you can configure Kerberos principal names. The first time you create Kerberos-authenticated users in the directory, you must configure the console to display the krbPrincipalName attribute in its Create User window.
Use Oracle Internet Directory Self-Service Console to specify the enterprise user's Kerberos principal name (Kerberos_username@Kerberos_realm) in the krbPrincipalName attribute of the enterprise user's directory entry. For more information about this task, see "Creating New Enterprise Users".
By default, OracleDefaultDomain is configured to accept all types of authentication. If this has been changed or if you are using another domain, then use Oracle Enterprise Manager to enable Kerberos authentication for your enterprise domain by performing the following steps:
Log in to Enterprise Manager Cloud Control, as an administrative user.
To navigate to your database, select Databases from the Targets menu.
Click the database name in the list that appears. The database page appears.
Under the Administration menu, select Security, Enterprise User Security. The Oracle Internet Directory Login page appears.
Enter the distinguished name (DN) of a directory user who can administer enterprise users in the User field. Enter the user password in the Password field. Click Login.
The Enterprise User Security page appears.
Click Manage Enterprise Domains.
The Manage Enterprise Domains page appears. This page lists the enterprise domains in the identity management realm.
Select OracleDefaultDomain. Click Configure.
The Configure Domain page appears.
Click the Configuration tab.
Under User Authentication Types Accepted, select Kerberos.
Click OK.
If the KDC is not part of the operating system, such as Kerberos V5 from MIT, then the user must get an initial ticket with the FORWARDABLE flag set by using the okinit utility. See "Obtaining the Initial Ticket with the okinit Utility" in the Oracle Database Security Guide.
If the KDC is part of the operating system, such as Windows 2000 or some versions of Linux or UNIX, then the operating system automatically picks up the user's ticket (with the FORWARDABLE flag set) from the cache when the user logs in.
The user connects to the database by launching SQL*Plus and entering the following at the command line:
SQL> connect /@<net_service_name>
The database uses Kerberos to authenticate the user. The database authenticates itself to the directory by password.
If your connection succeeds, then the system responds with Connected to:... . This is the confirmation message of a successful connect and setup. If an error message is displayed, then see "ORA-# Errors for Kerberos-Authenticated Enterprise Users".
If you do connect successfully, then check that the appropriate global roles were retrieved from the directory, by entering the following at the SQL*Plus prompt:
select * from session_roles
If the global roles were not retrieved from the directory, then see "NO-GLOBAL-ROLES Checklist".
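The following queries are an added verification step, not part of the Oracle guide. Run them in the same SQL*Plus session immediately after the connect succeeds; they confirm that the session was in fact authenticated through Kerberos, show which principal and enterprise DN the database mapped it to, and list the roles that came through, so a successful connect that silently used a different authentication method or received no global roles is caught here rather than later.

```sql
-- Added example (not from the Oracle guide). Run right after
-- "connect /@<net_service_name>" in the same SQL*Plus session.

-- 1. Confirm how this session was authenticated and what identity
--    the database derived from the Kerberos ticket and the directory.
SELECT SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD') AS auth_method,
       SYS_CONTEXT('USERENV', 'EXTERNAL_NAME')          AS kerberos_principal,
       SYS_CONTEXT('USERENV', 'ENTERPRISE_IDENTITY')    AS enterprise_dn,
       SYS_CONTEXT('USERENV', 'SESSION_USER')           AS db_schema
  FROM dual;
-- Expected: AUTH_METHOD is 'KERBEROS', KERBEROS_PRINCIPAL matches the
-- krbPrincipalName stored in the directory (user@REALM), ENTERPRISE_DN
-- is the user's directory entry, and DB_SCHEMA is the schema the user
-- was mapped to. Any other AUTH_METHOD means the Kerberos adapter in
-- Oracle Net Services was not used for this connection.

-- 2. List every role active in the session. Enterprise roles granted
--    through the directory appear here as the global roles they map to.
SELECT role
  FROM session_roles
 ORDER BY role;
-- An empty or local-only result after a successful Kerberos connect
-- points to the directory side (enterprise role/domain mapping) rather
-- than to Kerberos itself; see the "NO-GLOBAL-ROLES Checklist".
```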
You have completed Kerberos-authenticated Enterprise User Security configuration.
See Also:
"Troubleshooting Enterprise User Security" for information about diagnosing and resolving errors
Administering Enterprise User Security for information about configuring the identity management realm, and information about creating and managing enterprise domains, enterprise roles, and enterprise users