
How to enable Kerberos in Oracle Database 11g Standard Edition (SE)

 

Since the release of Oracle 12cR1 in mid-2013, network encryption and strong authentication services have been available in all licensed editions. The corresponding section of the Oracle Licensing Guide for 11g R2 and 12c R1 has been updated.

Network encryption (native network encryption and SSL/TLS) and strong authentication services (Kerberos, PKI, and RADIUS) are no longer part of Oracle Advanced Security and are available in all licensed editions of all supported releases of the Oracle database.

Oracle Network Encryption works for Standard or Enterprise Edition, even with the Instant Client, but there is no Kerberos support available in Oracle 11.2.0.4 Standard Edition or any other 11g SE release.

This can be verified on the command line with the command "adapters":

 

oracle@oracle:/u00/app/oracle/product/11.2.0.4se/lib/ [DB11G] adapters 
Installed Oracle Net transport protocols are:

    IPC
    BEQ
    TCP/IP
    SSL
    RAW
    SDP/IB

Installed Oracle Net naming methods are:

    Local Naming (tnsnames.ora)
    Oracle Directory Naming
    Oracle Host Naming
    Oracle Names Server Naming

Installed Oracle Advanced Security options are:

    RC4 40-bit encryption
    RC4 56-bit encryption
    RC4 128-bit encryption
    RC4 256-bit encryption
    DES40 40-bit encryption
    DES 56-bit encryption
    3DES 112-bit encryption
    3DES 168-bit encryption
    AES 128-bit encryption
    AES 192-bit encryption
    AES 256-bit encryption
    MD5 crypto-checksumming
    SHA-1 crypto-checksumming

MOS Note 2145731.1 describes the process of enabling the RADIUS adapter. The same method can be used to enable Kerberos as well, even though another MOS Note, 2028070.1, specifies that Kerberos is not available in Standard Edition.

The RADIUS and Kerberos adapters are part of the object file nautab.o. In $ORACLE_HOME/lib, there are two object files, nautab.o and nautab_ee.o.dbl:

 

oracle@oracle:~/ [DB11G] ls -al $ORACLE_HOME/lib/naut*
-rw-r--r--. 1 oracle users 4864 Jul 15  2013 /u00/app/oracle/product/11.2.0.4se/lib/nautab_ee.o.dbl
-rw-r--r--. 1 oracle users 4520 Jul  1 18:01 /u00/app/oracle/product/11.2.0.4se/lib/nautab.o

To get Kerberos support, save the original nautab.o as nautab_se.o.dbl and then replace nautab.o with nautab_ee.o.dbl:

oracle@oracle:~/ [DB11G] cp $ORACLE_HOME/lib/nautab.o $ORACLE_HOME/lib/nautab_se.o.dbl
oracle@oracle:~/ [DB11G] cp $ORACLE_HOME/lib/nautab_ee.o.dbl $ORACLE_HOME/lib/nautab.o

oracle@oracle:~/ [DB11G] ls -al $ORACLE_HOME/lib/naut*
-rw-r--r--. 1 oracle users 4864 Jul 15  2013 /u00/app/oracle/product/11.2.0.4se/lib/nautab_ee.o.dbl
-rw-r--r--. 1 oracle users 4864 Jul  1 19:54 /u00/app/oracle/product/11.2.0.4se/lib/nautab.o
-rw-r--r--. 1 oracle users 4520 Jul  1 19:54 /u00/app/oracle/product/11.2.0.4se/lib/nautab_se.o.dbl

… and relink the binaries:

 

oracle@oracle:~/ [DB11G] relink all
writing relink log to: /u00/app/oracle/product/11.2.0.4se/install/relink.log
oracle@oracle:~/ [DB11G] adapters
 
Installed Oracle Net transport protocols are:

    IPC
    BEQ
    TCP/IP
    SSL
    RAW
    SDP/IB

Installed Oracle Net naming methods are:

    Local Naming (tnsnames.ora)
    Oracle Directory Naming
    Oracle Host Naming
    Oracle Names Server Naming

Installed Oracle Advanced Security options are:

    RC4 40-bit encryption
    RC4 56-bit encryption
    RC4 128-bit encryption
    RC4 256-bit encryption
    DES40 40-bit encryption
    DES 56-bit encryption
    3DES 112-bit encryption
    3DES 168-bit encryption
    AES 128-bit encryption
    AES 192-bit encryption
    AES 256-bit encryption
    MD5 crypto-checksumming
    SHA-1 crypto-checksumming
    Kerberos v5 authentication
    RADIUS authentication
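
The swap and the adapter check above as a re-runnable script. This is an added example, not part of the original post and not Oracle-supplied tooling; the function names has_adapter and swap_nautab are hypothetical, and "relink all" still has to be run after the swap. It guards one case the plain cp sequence does not: repeating the two cp commands would overwrite nautab_se.o.dbl with the EE object and lose the SE original.

```shell
#!/bin/sh
# Added example (not Oracle tooling): adapter check + re-runnable nautab.o swap.

# has_adapter NAME: read `adapters` output on stdin; succeed only if NAME is
# listed under "Installed Oracle Advanced Security options are:".
has_adapter() {
    awk -v want="$1" '
        /^Installed Oracle Advanced Security options are:/ { in_sec = 1; next }
        /^Installed / { in_sec = 0 }
        in_sec {
            sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "")
            if ($0 == want) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# swap_nautab LIBDIR: install nautab_ee.o.dbl as nautab.o.
# The SE original is saved once to nautab_se.o.dbl and never overwritten,
# so a second run cannot replace the backup with the EE object.
swap_nautab() {
    lib=$1
    [ -f "$lib/nautab.o" ] && [ -f "$lib/nautab_ee.o.dbl" ] || {
        echo "nautab.o or nautab_ee.o.dbl missing in $lib" >&2; return 2; }
    if cmp -s "$lib/nautab.o" "$lib/nautab_ee.o.dbl"; then
        echo "nautab.o already matches nautab_ee.o.dbl; nothing to do"
        return 0
    fi
    if [ -e "$lib/nautab_se.o.dbl" ]; then
        echo "keeping existing backup $lib/nautab_se.o.dbl"
    else
        cp "$lib/nautab.o" "$lib/nautab_se.o.dbl" || return 1
    fi
    cp "$lib/nautab_ee.o.dbl" "$lib/nautab.o" || return 1
    cmp -s "$lib/nautab.o" "$lib/nautab_ee.o.dbl"   # confirm the copy
}

# Report the current state when run inside an Oracle environment.
if [ -n "${ORACLE_HOME:-}" ] && command -v adapters >/dev/null 2>&1; then
    for a in "Kerberos v5 authentication" "RADIUS authentication"; do
        if adapters | has_adapter "$a"; then echo "linked:  $a"
        else echo "missing: $a"; fi
    done
fi
```

Call swap_nautab "$ORACLE_HOME/lib" as the oracle software owner, then relink and re-run the script to see the report.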

Kerberos can now be configured and used as usual. If the commands okinit and oklist are also required, they must be copied from an existing Oracle 11g Enterprise Edition installation. By default they are not part of a Standard Edition installation.

Copy the binaries and the corresponding message files:


oracle@oracle:/u00/app/oracle/product/ [DB11G] cp 11.2.0.4/bin/oklist 11.2.0.4se/bin/oklist
oracle@oracle:/u00/app/oracle/product/ [DB11G] cp 11.2.0.4/bin/okinit 11.2.0.4se/bin/okinit
oracle@oracle:/u00/app/oracle/product/ [DB11G] cp 11.2.0.4/bin/okdstry 11.2.0.4se/bin/okdstry
oracle@oracle:/u00/app/oracle/product/ [DB11G] cp 11.2.0.4/network/mesg/naukus.msb 11.2.0.4se/network/mesg/naukus.msb
oracle@oracle:/u00/app/oracle/product/ [DB11G] cp 11.2.0.4/network/mesg/naukus.msg 11.2.0.4se/network/mesg/naukus.msg

References

  • Oracle® Database Licensing Information User Manual 12c Release 1 (12.1) Oracle Advanced Security
  • Oracle® Database Licensing Information 11g Release 2 (11.2) Oracle Advanced Security
  • How To Enable Radius Adapter In Oracle Database 11g Standard Edition [2145731.1]
  • Kerberos Authentication On Standard Edition [2028070.1]
  • Configuring ASO Kerberos Authentication with a Microsoft Windows 2008 R2 Active Directory KDC [1304004.1] 

Source: http://www.oradba.ch/2016/07/using-kerberos-in-oracle-standard-edition/