Configuring Control Center to use Kerberos based Authentication with Oracle database server for existing installs
Kerberos-based authentication to the Oracle database server cannot be enabled in place on an
existing Control Center instance. The high-level steps below achieve the same result without the
monitoring activity data (that is, they retain the existing configuration, discard the collected
monitoring data, and give the new instance a Kerberos connection to the database).
- Export Control Center configuration data from the existing Control Center instance.
- Copy the exported data to the new target Linux server that has Kerberos enabled and where Control Center will be installed.
- Create a new base install directory at the desired location.
- Example: /opt/ccenter
- Extract/copy the exported configuration under the base directory. After extracting, you must see the
following directory structure:
<<CCBase>>/conf
Example: /opt/ccenter/conf
This conf directory must contain the Control Center configuration data.
- Install the Control Center build that is bundled with the IBM OpenJDK JRE, specifying the base directory
as the install location. Example:
/opt/ccenter
- Edit the existing file named
InstallationInfo.properties
located under the <<CCBase>>/conf
directory. Example: /opt/ccenter/conf/InstallationInfo.properties
- Append the following lines to the
<<CCBase>>/conf/InstallationInfo.properties
file (change the two paths to match your server):
KERBEROS_CONFIG_FILE=/etc/krb5.conf
KERBEROS_CREDENTIAL_CACHE=/tmp/krb5cc_1017
ORACLE_KERBEROS_CONNECTION=true
KERBEROS_DEBUG=false
The credential cache must be owned by, and readable only by, the operating system user that runs Control
Center, and it must already hold a valid ticket (obtained with kinit) when the engine starts; once that ticket
expires (ticket_lifetime in krb5.conf) new database connections fail until it is renewed. Set
KERBEROS_DEBUG=true only while troubleshooting.
- Save the
<<CCBase>>/conf/InstallationInfo.properties
file.
- Run the configCC.sh script to configure Control Center.
- Run the runEngine.sh script to start Control Center.
Note: The above steps must be repeated for each CC instance in the cluster. During additional
CC instance configuration, do NOT initialize the database.
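The file edits in the procedure above, as an added example that is not part of this technote or of Control Center itself: a POSIX shell script that writes the KERBEROS_CONFIG_FILE, KERBEROS_CREDENTIAL_CACHE, ORACLE_KERBEROS_CONNECTION and KERBEROS_DEBUG properties into <<CCBase>>/conf/InstallationInfo.properties idempotently (so it can be re-run on every cluster node without duplicating keys, and can flip KERBEROS_DEBUG on and off), and checks that the credential cache exists and is private to its owner before configCC.sh is run. The property names and paths are the technote's; the function names and the permission check are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not IBM's script. Assumes the exported configuration has
# already been extracted under <<CCBase>>/conf as the technote describes.

# set_prop FILE KEY VALUE: replace an existing KEY=... line, else append one.
set_prop() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}=" "$file" 2>/dev/null; then
        # Rewrite through a temp file: portable, no reliance on sed -i.
        tmp="${file}.tmp.$$"
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_prop FILE KEY: print the value of KEY (empty if the key is absent).
get_prop() {
    sed -n "s|^$2=||p" "$1"
}

# configure_kerberos CCBASE KRB5CONF CCACHE [DEBUG]
# Writes the four properties the technote lists into
# CCBASE/conf/InstallationInfo.properties. Fails if the exported
# configuration is not in place yet.
configure_kerberos() {
    ccbase=$1; krb5conf=$2; ccache=$3; debug=${4:-false}
    props="$ccbase/conf/InstallationInfo.properties"
    [ -f "$props" ] || { echo "missing $props (extract the exported conf first)" >&2; return 1; }
    set_prop "$props" KERBEROS_CONFIG_FILE "$krb5conf"
    set_prop "$props" KERBEROS_CREDENTIAL_CACHE "$ccache"
    set_prop "$props" ORACLE_KERBEROS_CONNECTION true
    set_prop "$props" KERBEROS_DEBUG "$debug"
}

# check_ccache CCACHE: the cache holds the TGT the engine presents to Oracle,
# so it must exist (kinit has been run) and must not be readable by others.
check_ccache() {
    ccache=$1
    [ -f "$ccache" ] || { echo "credential cache $ccache not found; run kinit first" >&2; return 1; }
    # GNU stat first, BSD stat as fallback; both print the octal mode.
    mode=$(stat -c %a "$ccache" 2>/dev/null || stat -f %Lp "$ccache")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "credential cache $ccache has mode $mode; expected 600" >&2; return 1 ;;
    esac
}

# Usage on the target server, as the Control Center OS user (uncomment):
# configure_kerberos /opt/ccenter /etc/krb5.conf /tmp/krb5cc_1017 \
#   && check_ccache /tmp/krb5cc_1017 \
#   && echo "now run configCC.sh, then runEngine.sh"
```

Run it once per cluster node after extracting the exported conf and before configCC.sh; because the writes are idempotent, a second run on the same node only updates the values that changed.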
SQL commands to create Kerberos authenticated database user
CREATE USER "CCDBUSER@KRB.IBM.COM" IDENTIFIED EXTERNALLY DEFAULT TABLESPACE "DEV_PERM_TS01" TEMPORARY TABLESPACE "DEV_TEMP_TS01" ACCOUNT UNLOCK;
GRANT CREATE PROCEDURE TO "CCDBUSER@KRB.IBM.COM";
GRANT CREATE SEQUENCE TO "CCDBUSER@KRB.IBM.COM";
GRANT CREATE TABLE TO "CCDBUSER@KRB.IBM.COM";
GRANT CREATE TRIGGER TO "CCDBUSER@KRB.IBM.COM";
GRANT CREATE VIEW TO "CCDBUSER@KRB.IBM.COM";
GRANT UNLIMITED TABLESPACE TO "CCDBUSER@KRB.IBM.COM";
GRANT "CONNECT" TO "CCDBUSER@KRB.IBM.COM";
GRANT "RESOURCE" TO "CCDBUSER@KRB.IBM.COM";
Note: For the above example, the operating system user name must be CCDBUSER (without quotes), so that the Kerberos principal in the credential cache is CCDBUSER@KRB.IBM.COM, the name Oracle compares against the externally identified database user.
Sample content of the Kerberos configuration file (krb5.conf) for the Linux server
Note: The enctype lists in this sample include single-DES (des-cbc-md5, des-cbc-crc) and RC4 (rc4-hmac, an alias of arcfour-hmac) types, which are deprecated; MIT Kerberos refuses single-DES unless allow_weak_crypto = true, and a current KDC normally issues only AES tickets. Prefer aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96, or omit the two lists so the library defaults apply, and add a legacy type only if your KDC requires it.
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 arcfour-hmac des-cbc-md5 des-cbc-crc
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 arcfour-hmac des-cbc-md5 des-cbc-crc
dns_lookup_realm = true
ticket_lifetime = 24h
renew_lifetime = 7d
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
default_realm = KRB.IBM.COM
default_ccache_name = FILE:/tmp/krb5cc_%{uid}
dns_lookup_kdc = false
dns_fallback = yes
default_keytab_name = /etc/v5srvtab
[realms]
KRB.IBM.COM = {
kdc = CD2761L1.krb.ibm.com
admin_server = CD2761L1.krb.ibm.com
}
[domain_realm]
.krb.ibm.com = KRB.IBM.COM
krb.ibm.com = KRB.IBM.COM