The dbWatch server can be configured to authenticate to Oracle databases using Kerberos.

  • Create a Kerberos config file.
  • Create a vmoptions file telling dbWatch where to find the Kerberos config.
  • If you want to authenticate using a ticket cache, use the kinit command to create one.

The Kerberos config file.

This file can be placed anywhere, but we recommend placing it in the config folder in your dbWatch installation.
config/krb.conf:

CurrentUser {
	no.dbwatch.server.managers.KrbDbwLoginModule required 
	client=TRUE 
	principal="USER01@EXAMPLE.COM" 
	useTicketCache=TRUE 
	ticketCache="C:\\Users\\user01\\krb5cc_user01"
	dbw_realm="EXAMPLE.COM" 
};
OtherUser {
	no.dbwatch.server.managers.KrbDbwLoginModule required 
	client=TRUE 
	dbw_realm="EXAMPLE.COM"
};

The section named CurrentUser contains the configuration used when authenticating as the current user. This is used when dbWatch is connecting using Kerberos authentication with an empty username.

If the username is not empty dbWatch uses the configuration named OtherUser.

The example should be configured to suit your needs.

  • "no.dbwatch.server.managers.KrbDbwLoginModule required"
    Should always be there.
  • client=TRUE
    Should always be there.
  • principal="USER01@EXAMPLE.COM"
    Should be configured to describe which user is to be used as the default user when no username is provided. This user must match the user in the ticket cache.
    It is important to uppercase the principal. If not, you will get errors when connecting to Oracle.
  • useTicketCache=TRUE
    Should be true when dbWatch is meant to authenticate without providing a password.
  • ticketCache="C:\\Users\\user01\\krb5cc_user01"
    Optional. If dbWatch does not find the ticket cache, use this to specify where kinit stores its tickets.
  • dbw_realm="EXAMPLE.COM"
    Should be configured to match the realm in the principal.
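
The rules above can be checked before restarting the service. The following is an added example, not part of dbWatch or of the original page: a small Python checker that parses a krb.conf in the layout shown above and reports a missing section, a missing module line or client=TRUE, a principal that is not uppercase, and a dbw_realm that differs from the realm in the principal. The function names and the BAD sample are assumptions made for the example.

```python
import re
# JAAS login-config entry: Name { ... };
ENTRY_RE = re.compile(r'(\w+)\s*\{(.*?)\}\s*;', re.DOTALL)
# key=value option; the value is either a quoted string or a bare token
OPTION_RE = re.compile(r'(\w+)\s*=\s*("(?:[^"\\]|\\.)*"|[^\s;]+)')
MODULE = "no.dbwatch.server.managers.KrbDbwLoginModule required"

def parse_login_config(text):
    """Return {section: {option: value}}; '_module' holds 'class flag'."""
    sections = {}
    for name, body in ENTRY_RE.findall(text):
        opts = {k: v.strip('"') for k, v in OPTION_RE.findall(body)}
        opts["_module"] = " ".join(body.split()[:2])
        sections[name] = opts
    return sections

def check_login_config(text):
    """Return a list of problems, using only the rules stated on this page."""
    sections = parse_login_config(text)
    problems = [f"{n}: section missing"
                for n in ("CurrentUser", "OtherUser") if n not in sections]
    for name, opts in sections.items():
        if opts["_module"] != MODULE:
            problems.append(f"{name}: login module line missing")
        if opts.get("client") != "TRUE":
            problems.append(f"{name}: client=TRUE missing")
        realm = opts.get("dbw_realm")
        if not realm:
            problems.append(f"{name}: dbw_realm missing")
        principal = opts.get("principal")
        if principal is None:
            continue  # OtherUser carries no default principal
        if principal != principal.upper():
            problems.append(f"{name}: principal {principal} is not uppercase")
        if realm and principal.partition("@")[2] != realm:
            problems.append(f"{name}: dbw_realm does not match principal realm")
    return problems

# Constructed sample: lowercase principal and no OtherUser section.
BAD = r'''
CurrentUser {
    no.dbwatch.server.managers.KrbDbwLoginModule required
    client=TRUE
    principal="user01@example.com"
    dbw_realm="EXAMPLE.COM"
};
'''

if __name__ == "__main__":
    print("\n".join(check_login_config(BAD)))
```

To check a real file, pass its contents to check_login_config(); an empty list means none of the rules above were violated.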

The vmoptions file.

Create a file named dbWatchService[version].vmoptions in your installation directory. The name should match the name of the service executable.
If you would like to run the dbWatch server as a console app, create a file named dbWatchConsole[version].vmoptions.

dbWatchService[version].vmoptions:
-Djava.security.auth.login.config=config\krb.conf
-Dsun.security.krb5.debug=true

  • -Djava.security.auth.login.config=config\krb.conf
    This line describes where the Kerberos config file is located. As mentioned above, we recommend placing it in the dbWatch config folder.
  • -Dsun.security.krb5.debug=true
    Optional. This line turns on debugging of the Kerberos authentication. This is quite useful when setting up your system or when debugging. It also produces lots of text and can quickly fill up your log files.

Creating a ticket cache.

A ticket cache can be created using the command-line tool kinit.

C:\...jre\bin>kinit.exe  USER01
Password for USER01@EXAMPLE.COM:
New ticket is stored in cache file C:\Users\user01\krb5cc_user01

When doing this, remember to uppercase the username. Kerberos doesn't care about the casing but Oracle does, and it is possible to get a valid TGT that is unusable in Oracle if the casing is wrong.
