To monitor database traffic on a server that uses Kerberos authentication, including
identifying the DB_USER, you must configure the guard_tap.ini and guardkerbplugin.conf files
appropriately.
About this task
All customization settings for the Kerberos plugin are located in the file guardkerbplugin.conf.
The default contents of this file are:
# Kerberos values
KRB5RCACHETYPE=none
KRB5_KTNAME=/path/to/kerberos/krb5.keytab
KRB5_CONFIG=/path/to/kerberos/krb5.conf
# Plugin values
KRB5_PLUGIN_CCACHE=/path/to/kerberos/krb5cc_*
KRB5_PLUGIN_GSSAPI_LIBRARY=/path/to/lib/libgssapi_krb5.so
#KRB5_PLUGIN_DEBUG=0
Lines beginning with a #, as well as blank lines, are treated as comments and ignored. Invalid
entries cause errors and prevent the Kerberos plugin from running.
When any configuration entry is changed, the S-TAP must be restarted for the updated values to
take effect.
Configuration entries are:
- KRB5RCACHETYPE
- The Kerberos replay cache type. The default value none disables the replay cache for the plugin:
- KRB5RCACHETYPE=none
- This is the path to the keytab file; this can either be a keytab file already in use by the
system, or one generated by Kerberos utilities specifically for use by the plugin. In general this
file is named krb5.keytab. Because the keytab holds the service's long-term key, its read
permission should be restricted to the account the S-TAP runs as. For example:
- KRB5_KTNAME=/home/oracle11/krb5/keytab
- KRB5_KTNAME=/home/sybase15/kerberos/keytab
- KRB5_CONFIG
- This is the path to the Kerberos configuration file in use by the system. In general this file
is named krb5.conf. For example:
- KRB5_CONFIG=/home/oracle11/krb5/krb5.conf
- KRB5_CONFIG=/home/sybase15/kerberos/krb5.conf
- KRB5_PLUGIN_CCACHE
- This is a wildcard path to the Kerberos credential (ticket) cache files on the system. For example:
- KRB5_PLUGIN_CCACHE=/tmp/krb5cc*
- Multiple paths can be specified, separated by a colon (':'), for example:
- KRB5_PLUGIN_CCACHE=/home/sybase16/krb5cc*:/tmp/krb5cc*
- Note: Specifying more files than needed (for instance, specifying /tmp/*) impacts
performance.
- KRB5_PLUGIN_GSSAPI_LIBRARY
- This is the location of the Kerberos GSSAPI dynamic library. On most systems this is named
libgssapi_krb5.so.
- The location can be specified by a full path, for example:
- KRB5_PLUGIN_GSSAPI_LIBRARY=/usr/lib64/libgssapi_krb5.so
- KRB5_PLUGIN_GSSAPI_LIBRARY=/opt/freeware/lib64/libgssapi_krb5.so
- Alternately, if the library is located on the standard library search path for the system, you
can specify only the file name, for example:
- KRB5_PLUGIN_GSSAPI_LIBRARY=libgssapi_krb5.so
- Note: Any libraries that are needed by the GSSAPI library (typically libkrb5.so, libk5crypto.so,
libkrb5support.so) must also be present on the system.
Important: If the Kerberos libraries are NOT in the standard library paths, you must set the
KRB5_PLUGIN_GSSAPI_LIBRARY parameter (uncomment the line if it is commented out in your copy of
the file) to the full path of libgssapi_krb5.so.
- KRB5_PLUGIN_DEBUG
- This parameter is used for debugging the plugin only. For normal operation this line must be
commented out; leaving it active impacts plugin performance.
Procedure
- In the guard_tap.ini file, set the kerberos_plugin_dir parameter to the full path of the
Guardium S-TAP installation directory, since that is where the plugin is located:
- GIM installation: kerberos_plugin_dir=<guardium_base>/modules/STAP/current
- S-TAP shell installation: kerberos_plugin_dir=<guardium_base>/guard_stap
- In the guardkerbplugin.conf file, which is also located in the S-TAP installation directory,
configure:
- KRB5_KTNAME=<full path to kerberos krb5.keytab file>
- KRB5_CONFIG=<full path to kerberos krb5.conf file>
- Optional parameters as described above. The ticket cache parameter may be required if the
Kerberos plugin does not recognize the user. It accepts wildcards, as there is usually more than
one cache file, and multiple paths can be specified, separated by colons:
KRB5_PLUGIN_CCACHE=<full path to kerberos krb5cc_* files:additional full path to kerberos krb5cc_* files:etc>
- Restart the S-TAP so that the changed values take effect.
Note: In Guardium releases prior to V10.1.2, the krb5.conf [libdefaults] settings allow_weak_crypto = 1
and clockskew = 600 were required. In most cases these settings are no longer required. Since
allow_weak_crypto re-enables deprecated (DES-based) encryption types, leave it unset unless an older
release actually needs it.
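The following preflight script is an added example, not part of the original page or of Guardium's own tooling. It applies the rules stated above to a guardkerbplugin.conf before the S-TAP is restarted: active lines must be KEY=value, the keytab and krb5.conf must be readable (the keytab is additionally checked for the keytab file magic 0x0502 and for being world-readable), each colon-separated KRB5_PLUGIN_CCACHE wildcard is expanded and counted so an over-broad pattern such as /tmp/* is flagged, a full-path GSSAPI library must exist, and KRB5_PLUGIN_DEBUG must be commented out. The fixture it builds (a keytab stand-in, a minimal krb5.conf, two cache files and a conf referencing them) is constructed for the demonstration; the function names and the POSIX tools it relies on (dd, od, grep, sed) are this example's own choices.

```sh
#!/bin/sh
# Preflight check for a guardkerbplugin.conf (added example; not Guardium's own tooling).

conf_value() {
    # Print the value of key $2 from file $1, skipping commented-out lines.
    grep -v '^[[:space:]]*#' "$1" | sed -n "s/^[[:space:]]*$2=//p" | tail -n 1
}

count_matches() {
    # Expand a glob and count existing matches; an unmatched glob stays literal, so 0.
    n=0
    for f in $1; do
        if [ -e "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

check_guardkerbplugin_conf() {
    conf="$1"; rc=0
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 2; }

    # Any active line that is not KEY=value is an invalid entry: the plugin will not start.
    bad=$(grep -v '^[[:space:]]*#' "$conf" | grep -v '^[[:space:]]*$' | grep -vc '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=' || true)
    [ "$bad" -eq 0 ] || { echo "ERROR: $bad malformed line(s) in $conf"; rc=1; }
    echo "INFO: KRB5RCACHETYPE=$(conf_value "$conf" KRB5RCACHETYPE)"

    kt=$(conf_value "$conf" KRB5_KTNAME)
    if [ -z "$kt" ]; then
        echo "ERROR: KRB5_KTNAME is not set"; rc=1
    elif [ ! -r "$kt" ]; then
        echo "ERROR: keytab $kt is missing or unreadable"; rc=1
    else
        # A keytab file starts with the format magic 0x0502 (0x0501 for the old format).
        magic=$(dd if="$kt" bs=1 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
        case "$magic" in
            0502|0501) echo "OK: keytab $kt" ;;
            *) echo "ERROR: $kt does not look like a keytab (magic '$magic')"; rc=1 ;;
        esac
        # The keytab holds the service's long-term key: it must not be world-readable.
        [ "$(ls -ld "$kt" | cut -c8)" = "-" ] || echo "WARN: keytab $kt is world-readable"
    fi

    kc=$(conf_value "$conf" KRB5_CONFIG)
    if [ -r "$kc" ]; then echo "OK: krb5.conf $kc"; else echo "ERROR: KRB5_CONFIG '$kc' unreadable"; rc=1; fi

    cc=$(conf_value "$conf" KRB5_PLUGIN_CCACHE)
    if [ -z "$cc" ]; then
        echo "INFO: KRB5_PLUGIN_CCACHE not set; set it if the plugin does not recognize DB_USER"
    else
        # Split on ':' with globbing disabled, then expand each pattern on its own.
        old_ifs=$IFS; IFS=':'; set -f; set -- $cc; set +f; IFS=$old_ifs
        for pattern in "$@"; do
            case "$pattern" in
                */\*) echo "WARN: $pattern matches every file in its directory; narrow it" ;;
            esac
            n=$(count_matches "$pattern")
            if [ "$n" -gt 0 ]; then echo "OK: $n cache file(s) match $pattern"
            else echo "WARN: no cache file matches $pattern"; fi
        done
    fi

    lib=$(conf_value "$conf" KRB5_PLUGIN_GSSAPI_LIBRARY)
    case "$lib" in
        "") echo "INFO: KRB5_PLUGIN_GSSAPI_LIBRARY not set; libgssapi_krb5.so must be on the standard library path" ;;
        /*) if [ -r "$lib" ]; then echo "OK: GSSAPI library $lib"
            else echo "ERROR: GSSAPI library $lib not found"; rc=1; fi ;;
        *)  echo "INFO: $lib given by name; the loader must find it on the standard search path" ;;
    esac

    if [ -n "$(conf_value "$conf" KRB5_PLUGIN_DEBUG)" ]; then
        echo "WARN: KRB5_PLUGIN_DEBUG is active; comment it out for normal operation"
    fi
    return $rc
}

make_demo_conf() {
    # Constructed fixture in directory $1: a keytab stand-in carrying only the 0x0502 magic,
    # a minimal krb5.conf, two ticket caches, and a conf that references them. Not real data.
    d="$1"
    mkdir -p "$d/krb5"
    printf '\005\002' > "$d/krb5/krb5.keytab"
    chmod 600 "$d/krb5/krb5.keytab"
    printf '[libdefaults]\n    default_realm = EXAMPLE.COM\n' > "$d/krb5/krb5.conf"
    : > "$d/krb5cc_1001"
    : > "$d/krb5cc_1002"
    cat > "$d/guardkerbplugin.conf" <<EOF
# Kerberos values
KRB5RCACHETYPE=none
KRB5_KTNAME=$d/krb5/krb5.keytab
KRB5_CONFIG=$d/krb5/krb5.conf
# Plugin values
KRB5_PLUGIN_CCACHE=$d/krb5cc_*:$d/other/krb5cc*
KRB5_PLUGIN_GSSAPI_LIBRARY=libgssapi_krb5.so
#KRB5_PLUGIN_DEBUG=0
EOF
}

# Stand-alone run on the constructed fixture; point the check at a real file on a live S-TAP.
demo_dir=$(mktemp -d)
make_demo_conf "$demo_dir"
check_guardkerbplugin_conf "$demo_dir/guardkerbplugin.conf"
echo "exit status: $?"
rm -rf "$demo_dir"
```

The check returns non-zero only for conditions the page says stop the plugin (a malformed entry or an unresolvable path); the cache and debug findings are warnings, because they degrade performance or user identification rather than prevent startup. The second cache pattern in the fixture deliberately matches nothing, so the run shows what a mis-pointed KRB5_PLUGIN_CCACHE looks like.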