{"id":2125,"date":"2016-07-06T00:16:58","date_gmt":"2016-07-05T22:16:58","guid":{"rendered":"http:\/\/www.oradba.ch\/?p=2125"},"modified":"2017-01-23T15:32:34","modified_gmt":"2017-01-23T14:32:34","slug":"using-kerberos-in-oracle-standard-edition","status":"publish","type":"post","link":"https:\/\/www.oradba.ch\/wordpress\/2016\/07\/using-kerberos-in-oracle-standard-edition\/","title":{"rendered":"Using Kerberos in Oracle Standard Edition"},"content":{"rendered":"

Since the release of Oracle 12cR1 mid 2013 the network encryption and strong authentication services has been removed from the Oracle Advanced Security Option. Both feature are now available for any licensed editions. Corresponding section in the Oracle Licensing Guide for 11g R2<\/a> and 12c R1<\/a> has been updated. <\/p>\n

Network encryption (native network encryption and SSL\/TLS) and strong authentication services (Kerberos, PKI, and RADIUS) are no longer part of Oracle Advanced Security and are available in all licensed editions of all supported releases of the Oracle database.<\/p><\/blockquote>\n

Oracle Network Encryption does work quite well for Standard or Enterprise Edition even with the Instant Client. But there is no Kerberos support available Oracle 11.2.0.4 Standard Edition or any other 11g SE release. This can be verified on the command line with the command adapters:<\/p>\n

\r\noracle@urania:\/u00\/app\/oracle\/product\/11.2.0.4se\/lib\/ [TDB11B] adapters\r\n\r\nInstalled Oracle Net transport protocols are:\r\n\r\n    IPC\r\n    BEQ\r\n    TCP\/IP\r\n    SSL\r\n    RAW\r\n    SDP\/IB\r\n\r\nInstalled Oracle Net naming methods are:\r\n\r\n    Local Naming (tnsnames.ora)\r\n    Oracle Directory Naming\r\n    Oracle Host Naming\r\n    Oracle Names Server Naming\r\n\r\nInstalled Oracle Advanced Security options are:\r\n\r\n    RC4 40-bit encryption\r\n    RC4 56-bit encryption\r\n    RC4 128-bit encryption\r\n    RC4 256-bit encryption\r\n    DES40 40-bit encryption\r\n    DES 56-bit encryption\r\n    3DES 112-bit encryption\r\n    3DES 168-bit encryption\r\n    AES 128-bit encryption\r\n    AES 192-bit encryption\r\n    AES 256-bit encryption\r\n    MD5 crypto-checksumming\r\n    SHA-1 crypto-checksumming\r\n<\/pre>\n
There is a MOS Note 2145731.1<\/a> which describes how to enable the Radius adapter. The same method can be used to enable Kerberos as well, event if an other MOS Note 2028070.1<\/a> specifies that Kerberos is not available in Standard Edition.<\/p>\n
Radius and Kerberos adapters is part of the object file nautab.o. In $ORACLE_HOME\/lib<\/code> are two object files. nautab.o<\/code> and the nautab_ee.o.dbl<\/code>:<\/p>\n
\r\noracle@urania:~\/ [TDB11B] ls -al $ORACLE_HOME\/lib\/naut*\r\n-rw-r--r--. 1 oracle users 4864 Jul 15  2013 \/u00\/app\/oracle\/product\/11.2.0.4se\/lib\/nautab_ee.o.dbl\r\n-rw-r--r--. 1 oracle users 4520 Jul  1 18:01 \/u00\/app\/oracle\/product\/11.2.0.4se\/lib\/nautab.o\r\n<\/pre>\n
To get Kerberos support you just have to replace the nautab.o<\/code> with nautab_ee.o.dbl<\/code>…:<\/p>\n
\r\noracle@urania:~\/ [TDB11B] cp $ORACLE_HOME\/lib\/nautab.o $ORACLE_HOME\/lib\/nautab_se.o.dbl\r\noracle@urania:~\/ [TDB11B] cp $ORACLE_HOME\/lib\/nautab_ee.o.dbl $ORACLE_HOME\/lib\/nautab.o\r\n\r\noracle@urania:~\/ [TDB11B] ls -al $ORACLE_HOME\/lib\/naut*\r\n-rw-r--r--. 1 oracle users 4864 Jul 15  2013 \/u00\/app\/oracle\/product\/11.2.0.4se\/lib\/nautab_ee.o.dbl\r\n-rw-r--r--. 1 oracle users 4864 Jul  1 19:54 \/u00\/app\/oracle\/product\/11.2.0.4se\/lib\/nautab.o\r\n-rw-r--r--. 1 oracle users 4520 Jul  1 19:54 \/u00\/app\/oracle\/product\/11.2.0.4se\/lib\/nautab_se.o.dbl\r\n<\/pre>\n
… and relink the binaries:<\/p>\n
\r\noracle@urania:~\/ [TDB11B] relink all\r\nwriting relink log to: \/u00\/app\/oracle\/product\/11.2.0.4se\/install\/relink.log\r\n<\/pre>\n
As you can see the command adapters now shows Radius and Kerberos adapters:<\/p>\n
\r\noracle@urania:~\/ [TDB11B] adapters\r\n\r\nInstalled Oracle Net transport protocols are:\r\n\r\n    IPC\r\n    BEQ\r\n    TCP\/IP\r\n    SSL\r\n    RAW\r\n    SDP\/IB\r\n\r\nInstalled Oracle Net naming methods are:\r\n\r\n    Local Naming (tnsnames.ora)\r\n    Oracle Directory Naming\r\n    Oracle Host Naming\r\n    Oracle Names Server Naming\r\n\r\nInstalled Oracle Advanced Security options are:\r\n\r\n    RC4 40-bit encryption\r\n    RC4 56-bit encryption\r\n    RC4 128-bit encryption\r\n    RC4 256-bit encryption\r\n    DES40 40-bit encryption\r\n    DES 56-bit encryption\r\n    3DES 112-bit encryption\r\n    3DES 168-bit encryption\r\n    AES 128-bit encryption\r\n    AES 192-bit encryption\r\n    AES 256-bit encryption\r\n    MD5 crypto-checksumming\r\n    SHA-1 crypto-checksumming\r\n    Kerberos v5 authentication\r\n    RADIUS authentication\r\n<\/pre>\n
As of now kerberos can be configured and used as usual. If for a reason okinit<\/code> and oklist<\/code> are also required, they must be copied from an existing Oracle 11g Enterprise Edition installation. By default they are not part of a Standard Edition. So let’s copy the binaries and the corresponding message files:<\/p>\n
\r\n] cp 11.2.0.4\/bin\/okinit 11.2.0.4se\/bin\/okinit \r\noracle@urania:\/u00\/app\/oracle\/product\/ [TDB11B] cp 11.2.0.4\/bin\/oklist 11.2.0.4se\/bin\/oklist\r\noracle@urania:\/u00\/app\/oracle\/product\/ [TDB11B] cp 11.2.0.4\/bin\/okinit 11.2.0.4se\/bin\/okinit\r\noracle@urania:\/u00\/app\/oracle\/product\/ [TDB11B] cp 11.2.0.4\/bin\/okdstry 11.2.0.4se\/bin\/okdstry\r\noracle@urania:\/u00\/app\/oracle\/product\/ [TDB11B] cp 11.2.0.4\/network\/mesg\/naukus.msb 11.2.0.4se\/network\/mesg\/naukus.msb\r\noracle@urania:\/u00\/app\/oracle\/product\/ [TDB11B] cp 11.2.0.4\/network\/mesg\/naukus.msg 11.2.0.4se\/network\/mesg\/naukus.msg\r\n<\/pre>\n
Now you can use Kerberos as you want. You just have to struggle with the usual kerberos issues and bugs \ud83d\ude42 But more on them here kerberos<\/a>.<\/p>\n
References<\/h3>\n
Some links related to this topic.<\/p>\n