AWS Database Blog
Enable Kerberos authentication with Amazon RDS Custom for Oracle – Part 1
Amazon Relational Database Service (Amazon RDS) Custom for Oracle allows you the flexibility to configure the database authentication method that can help you meet your security needs.
A common and traditional method is to use database authentication via user names and passwords, but this method requires more effort from both administrators and users to manage, with the added overhead for security officers to audit and govern.
In this post, we show you how to enable Kerberos authentication with RDS Custom for Oracle, and in future posts we will walk through other authentication methods.
Kerberos is a network authentication protocol that allows resources to verify the identity of one another over an untrusted network. Kerberos provides the option for Oracle databases to integrate with a central authentication service such as Microsoft Active Directory (AD), which has Kerberos built in. Oracle databases work with MIT Kerberos (Kerberos V5), and work with compatible Kerberos 5 key distribution center (KDC) servers.
Similar to the rest of the Amazon Relational Database Service (Amazon RDS) family, like Amazon RDS for PostgreSQL, Amazon RDS for Oracle, Amazon RDS for SQL Server, and Amazon Aurora PostgreSQL-Compatible Edition, you can enable external authentication using Kerberos on RDS Custom for Oracle.
Solution overview
With RDS Custom for Oracle, when users authenticate to the Oracle instance, the authentication request could be forwarded to an AWS Managed Microsoft AD directory or a customer-managed Microsoft AD. Centralizing the storage and management credentials of multiple databases can save time and effort and improve your organization’s overall security profile.
The Kerberos authentication workflow is illustrated by the following steps and diagram:
- The user initiates the authentication process by sending an authentication ticket to the Microsoft AD key distribution center (KDC) via an OS logon process (if Linux/Windows client is joined to domain) or through the okinit command.
- Microsoft AD responds via a Ticket-Granting Ticket (TGT) to the user after a successful authentication.
- The user sends the request to Microsoft AD to request access to the Oracle database service running on Amazon RDS Custom for Oracle instance.
- The Microsoft AD KDC responds with a service ticket for the Oracle database service.
- The user sends the service ticket to Oracle database service for authentication.
- The Oracle database service verifies the service ticket with the KDC.
- The Oracle database service grants the user access through an Oracle client.
In this post, we demonstrate how to enable Kerberos to externally authenticate your users via a Linux and Windows client, through AWS Managed Microsoft AD. This includes the following high-level steps:
- Configure AWS Managed Microsoft AD as a KDC.
- Configure Kerberos on the RDS Custom for Oracle database server.
- Configure the Oracle client on Linux OS.
- Configure the Oracle client on a Windows 2019 server.
Prerequisites
Before starting, it’s assumed that you have deployed an RDS Custom for Oracle 19c database instance and you have access to the Linux OS through SSH or AWS System Manager. For instructions, refer to Creating and connecting to a DB instance for Amazon RDS Custom for Oracle.
Note down the following information from your RDS Custom for Oracle instance to use in subsequent sections:
- DB identifier –
orcl
- Endpoint –
orcl.abcdefghijk.ap-southeast-1.rds.amazonaws.com
- Port – 1521
- Hostname –
ip-10-1-4-113
(output of commandhostname
) - Domain –
''
(output of commanddomainname
) - Fully Qualified Domain Name (FQDN) –
ip-10-1-4-113
(concatenation based on previous hostname and domain values)
Configure AWS Managed Microsoft AD as a KDC
In this post, we use the AWS Directory Service for Microsoft Active Directory as the Kerberos KDC. AWS Managed Microsoft AD enables your directory-aware workloads and AWS resources to use managed Active Directory (AD) in AWS. When you create an AWS Managed Microsoft AD directory, AWS Directory Service creates two domain controllers in different subnets within a VPC. This redundancy increases fault tolerance to your directory services in the event of failures.
You could use similar steps to integrate a self-managed AD with RDS Custom for Oracle, with the onus on the user to verify that the AD stack is configured to meet their businesses availability needs.
Create an AWS Managed Microsoft AD directory
To create your AWS Managed Microsoft AD directory, complete the following steps:
- On the AWS Directory Service console, in the navigation pane, choose Directories.
- Choose Set up Directory.
- Choose AWS Managed Microsoft AD, then choose Next.
- Choose either Standard Edition or Enterprise Edition, based on your business requirements.
- For Directory DNS name, enter the fully-qualified name for the directory, such as
corp.example.com
. - For Directory NetBIOS name, enter the short name for the directory, such as
CORP
. - For Directory description, enter an optional description for the directory.
- For Admin password, enter the password for the default administrative user named
Admin
. - Choose Next.
- For VPC, choose the VPC that contains your RDS Custom for Oracle instances.
- For Subnets, choose two subnets for your directory servers (they must be in different Availability Zones).
- Choose Next.
- Review the directory information and make any necessary changes, then choose Create directory.
It may take several minutes for the directory to be created. When it has been successfully created, the Status value changes to Active
.
- Note down the DNS address for the newly created AWS Managed Microsoft AD.
- Configure the security group inbound rules to allow the Oracle database server and clients to communicate with AWS Managed Microsoft AD.
Create a database service account and keytab file
The database service account is a regular Active Directory user account, which is used by the Oracle database to communicate with the KDC during Kerberos authentication. Because it’s only used by the Oracle database service, typically it’s configured with the account option Password never expires, although it’s not a requirement for Kerberos authentication.
When creating a user in AWS Managed Microsoft AD, we recommend following the naming convention db
+<hostname>
as the service account name, so that each service account maps to one RDS Custom for Oracle instance. See the following steps:
- Create a user in
corp.example.com/CORP/Users
. - For Full name, enter
db-ip-10-1-4-1113
. - For User logon name, enter
db-ip-10-1-4-113@corp.example.com
. - For User logon name (pre-Windows 2000), enter
CORP\db-ip-10-1-4-113
. - Choose Next.
- For Password, enter a complex password meeting your password policy.
- For Account options, select Password never expires.
- Choose Next.
- Generate the keytab file for the service account.
You can use the ktpass command to configure the service principal name for the RDS Custom for Oracle instance in AD, and generate a keytab file that contains the shared secret key of the service. See the following code:
The code uses the following parameters:
- -princ – The principal name is the format of
"oracle/" + "<FQDN>" + "@CORP.EXAMPLE.COM"
. It’s case-sensitive. - -mapuser – The service account created in previous section.
- -pass * – Promotes for the service account password.
- -out – Specifies the name of the Kerberos version 5 keytab file to generate.
The ktpass
command generates a keytab file with the name of your host suffixed with the extension keytab
(for example, ip-10-1-4-113.keytab
) in the current directory. You can upload this file to the RDS Custom for Oracle database server in subsequent steps.
Create a demo user for Kerberos authentication
Next, you will create a demo user in AWS Managed Microsoft AD, which we use to log in to the database through Kerberos authentication.
- Create a user in
corp.example.com/CORP/Users
. - For Full name, enter
krbuser
. - For User logon name, enter
krbuser@corp.example.com
. - For User logon name (pre-Windows 2000), enter
CORP\krbuser
. - For Password, enter a complex password meeting your password policy.
Configure an RDS Custom for Oracle database server
To enable Kerberos authentication, you will first need to configure the database server to resolve the DNS lookup requests with the DNS servers, followed by installing the Kerberos client, and lastly configuring the database, as documented in the following steps.
Configure default DNS servers
By default, RDS Custom for Oracle uses the default DNS server in the VPC. To allow DNS lookup to obtain the realm for the KDC and map realms to KDC hosts, you can change the default DNS servers with the following steps. If your Linux host running RDS Custom for Oracle has already joined the domain corp.example.com
, you can skip these steps.
- Edit the file
/etc/resolv.conf
by replacing entriessearch
andnameserver
with DNS records obtained from the previous step: - Edit the file
/etc/dhcp/dhclient.conf
to ensure DNS changes are persisted after reboot: - Verify connectivity. If your DNS servers are configured correctly, the
ping
command resolves the hostname to an IP address and runs successfully.
Install Kerberos client packages
Install the packages with the following code:
Configure Kerberos for the Oracle database server
To configure Kerberos, complete the following steps:
- Switch to the OS user (rdsdb) running the Oracle database instance:
- Create directories for Kerberos configuration and log files on the mount point
/rdsdbdata
:Files in these directories are persisted and not impacted by RDS Custom for Oracle database version upgrades.
- Copy the keytab file generated from the previous steps into the database server and store it as
/rdsdbdata/config/security/db-ip-10-1-4-113.keytab
. - Verify that the keytab file contains valid service principals using the oklist command:
- Create the Kerberos configuration file (
/rdsdbdata/config/security/krb5.conf
) containing the Kerberos realms and domains for your user and service accounts. Refer to Kerberos documentation krb5.conf for a detailed explanation. - Add the following parameters to
sqlnet.ora
(/rdsdbbin/oracle/network/admin/sqlnet.ora
):
Configure Oracle initialization parameters
Changing the parameter os_authent_prefix requires restarting the database to take effect. Follow the steps in Pausing and resuming RDS Custom automation to pause the automation before database shutdown in step 3, and resume the automation once database startup.
- Log in to the database as
SYSDBA
or another privileged user with the required permissions: - Change parameter os_authent_prefix:
- Restart the database to take effect:
Create an external authenticated Oracle user
Create a database user that maps to your demo user previously created in Active Directory:
Configure the Oracle client on Linux OS
In this section, we assume you have an Oracle 19c client installed on a Linux OS host that’s ready for Kerberos integration. Refer to Database Client Installation Guide for Linux for detailed installation steps.
The Oracle client has the following configuration:
- Linux OS – Amazon Linux 2
- Hostname –
ip-10-1-4-29.ap-southeast-1.compute.internal
- Oracle Base –
/u01/app/oracle
- Oracle Home –
/u01/client
- Oracle Version –
19.13
Although this post is based on Amazon Linux 2, the same steps apply for RHEL7 clients as well.
Configure default DNS servers
By default, an Amazon Elastic Compute Cloud (Amazon EC2) instance running your Oracle Client uses the default DNS server in the VPC. To allow DNS lookups to obtain the realm for the KDC to map realms to the KDC hosts, you can change the default DNS servers with the following steps. If your Linux host running the Oracle client has already joined the domain corp.example.com
, you can skip these steps.
- Edit the file
/etc/resolv.conf
, and replace the entries forsearch
andnameserver
with the DNS records obtained from the previous step: - Edit the file
/etc/dhcp/dhclient.conf
to verify that the DNS change remains after reboot. - Verify connectivity. If your DNS server is configured properly, the
ping
command resolves the hostname to an IP address and runs successfully:
Install Kerberos client packages
Install the packages with the following code:
sudo yum install -y krb5-workstation krb5-libs
Configure Kerberos for the Linux Oracle database client
To configure Kerberos, complete the following steps:
- Connect to the Linux client using the Oracle client software owner (
oracle
). You can verify your Oracle client software owner using thels
command: - Modify the Kerberos configuration file (
/etc/krb5.conf
) containing Kerberos realms and domains for your user and service accounts. Refer to Kerberos documentation krb5.conf for a detailed explanation. - Add the following parameters to the
sqlnet.ora
file (/u01/client/network/admin/sqlnet.ora
): - Change the permission on the Oracle database Net Services configuration files to allow read access to other users:
Obtain an initial Kerberos ticket
To connect to the database using Kerberos authentication, you will need to request a Kerberos ticket from the KDC. If your Linux client has already joined the domain and you have logged in to the Linux client using Kerberos authentication, you can ignore these steps.
- Log in to the Linux client with user
krbuser
. Although it’s not mandatory to have the same OS and AD username, having such conventions provides better consistency and avoids confusion. - Set environment variables for Oracle:
- Obtain a Kerberos ticket using okinit:
List the Kerberos ticket
List the Kerberos ticket from the Kerberos ticket cache using the command oklist:
Connect to the database
Use the following code to connect to the database:
Configure an Oracle client on a Windows 2019 server
In this section, you need a pre-installation of an Oracle 19c client on a Windows 2019 server that’s ready to integrate with Kerberos. Refer to Database Client Installation Guide for Microsoft Windows for detailed installation steps.
You must have administrator rights on the Windows server running the Oracle client to perform the following steps. One option to do this is by adding the account krbuser@corp.example.com
to the Administrators
group.
The following is an example of the Oracle client install configurations:
- Windows OS – Windows Server Datacenter
- Hostname –
EC2AMAZ-7RRI139
- Domain –
corp.example.com
- Oracle Base –
C:\Oracle\Base
- Oracle Home –
C:\Oracle\Client
- Oracle Version –
19.15
Special settings on the service account in AD
To avoid error ORA-12638: Credential retrieval failed
while authenticating with Kerberos using the Oracle client on Windows, change the account setting for the service account with the option Account is sensitive and cannot be delegated.
Configure Kerberos for the Windows Oracle database client
Create the Kerberos configuration file (C:\Oracle\Client\network\admin\krb5.conf
) containing the Kerberos realms and domains for your user and service accounts. Refer to Kerberos documentation krb5.conf for a detailed explanation.
Add the following parameters to the sqlnet.ora
file (C:\Oracle\Client\network\admin\sqlnet.ora
):
List the Kerberos ticket
Log in to the Windows server with user krbuser@corp.example.com
, start a command prompt with Run as Administrator, and list the Kerberos ticket from the Kerberos ticket cache using the command oklist:
Connect to the database
Use the following code to connect to the database:
Additional considerations
In this section, we discuss other considerations when implementing this solution.
Restore RDS Custom or create a new read replica
When you restore RDS Custom for Oracle, it restores into a new RDS Custom instance (host) with a different hostname. Similarly, when you create a read replica, RDS Custom for Oracle restores it from a snapshot, using a different host and a new hostname. In these scenarios, perform the following additional steps if Kerberos authentication is required for the restored databases:
- Create a service account for the new host.
- Generate a keytab file and copy it to the new host.
- Update the
sqlnet.ora
file on the new host to point to the new keytab file. - Delete the old keytab file on the new host.
If Kerberos authentication is no longer required in the restored environment, update the Oracle database sqlnet.ora
file by removing the settings related to the Kerberos configurations and delete the keytab file.
Automation based on RDS DB instance events
Amazon RDS events are created automatically during RDS Custom instance creation and deletion. Together with Amazon EventBridge and AWS System Manager, you can automate steps such as service account creation, keytab creation, and RDS Custom for Oracle database server configuration using an automation runbook. With automation, you can minimize the manual effort required for configuring Kerberos authentication, as well as verifying that obsolete service accounts are removed from your managed AD after the deletion of the RDS Custom for Oracle instance.
Troubleshooting
If you encounter the error ORA-12638: Credential retrieval failed
on your Windows platform running your Oracle client, check the flag for the service account in the Kerberos cache and verify that there is no F
(forwardable) in it.
In the following working example, the Flags
for oracle/ip-10-1-4-113@CORP.EXAMPLE.COM
is RA
(renewable and pre-authenticated), without F
(forwardable). If there is an F
flag, refer to the earlier steps to configure an Oracle client on a Windows 2019 server to fix it.
If the error message isn’t clear enough to identify the possible root cause, you can enable Oracle SQL*Net trace to examine the connection details for diagnostic purposes. Beware of performance overheads and the extra storage space consumed by these trace files.
The following is a sample sqlnet.ora
file for an Oracle database server:
The following is a sample sqlnet.ora
file for an Oracle database client on Linux:
The following is a sample sqlnet.ora
file for an Oracle database client on a Windows 2019 server:
Conclusion
In this post, we showed you how to use AWS Managed Microsoft AD and Kerberos to centralize the storage and management credentials of your RDS Custom for Oracle users, improve your organization’s overall security profile, and reduce time and effort operationally. For organizations with self-managed Active Directory either in AWS or on-premises, you can adopt a similar pattern with minimal alterations.
In Part 2 of this series, we look into how we can take advantage of a new feature named Oracle Centrally Managed User (CMU) to authenticate and authorize Microsoft AD users with the database directly.
If you have any comments or questions, leave them in the comments section.
About the Authors
Donghua Luo is a Senior RDS Specialist Solutions Architect. He works with AWS customers to migrate and achieve higher flexibility, scale, and resiliency with database services in AWS cloud.
William Wong is a Principal Database Specialist Solutions Architect with Amazon Web Services based out of Australia. He is passionate around all things data and works closely with customers to help improve and modernize their database workloads on AWS. William brings 20+ years of experience in the field, from migrating legacy applications, to modernising with open source engines, or innovating with purpose built databases.