Re: Oracle Advanced Services with Kerberos - Kerberos


  1. Re: Oracle Advanced Services with Kerberos

    Hi,

    Oracle has most of these Kerberos issues fixed in
    11g, which was recently released.

    Thanks,
    Preetam

    --- Markus Moeller wrote:

    > So it sounds Oracle uses a very old MIT 1.2.x release. It seems the best is
    > to wait for Oracle 12 which is hopefully based on a newer MIT release or
    > uses independent GSSAPI libraries (e.g. Solaris 10). When will release 12
    > with ASO be available?
    >
    > Thank you
    > Markus
    >
    > "smelt" wrote in message
    > news:1192702258.818566.314770@v29g2000prd.googlegroups.com...
    > On 17 oct, 22:10, "Markus Moeller" wrote:
    > > Has anybody experience using Oracle Advanced Services with Kerberos?
    > >
    > > Markus
    >
    > Hi Markus,
    >
    > We want to start using it in the next months. We have made some
    > tests and reported errors to Oracle.
    >
    > Some of them are typical errors already reported by other people in
    > the group. Also the Oracle implementation of Kerberos is very old.
    >
    > They told me that in the 12 release they will solve some problems and
    > will add new functionality (more encryption algorithms, etc.).
    >
    > We have tested it with an Oracle 9.2 version and an AIX MIT-based
    > Kerberos server. The problems reported were:
    >
    > Typical KRB5CCNAME parsing problem.
    >
    > If you use the Oracle implementation you could have problems if you
    > use aliases in network interfaces, as this implementation includes the
    > addresses in the requests to the KDC. In our case the addresses were
    > duplicated and the aliases of the NICs don't appear in the requests.
    > As our clusters use the alias of the NIC as a service address we
    > can't get tickets.
    >
    > If we decide to get the initial credentials with the OS Kerberos
    > software we must use the ccache_type = 3 parameter in the krb5.conf
    > file. Then we get initial tickets with kinit and we can see them with
    > oklist after exporting the correct KRB5CCNAME variable.
    >
    > The last problem is that only the des-cbc-crc encryption method is
    > supported.
    >
    > This is a quick review, if you want details about some of the
    > problems tell me and I will try to give you more details.
    >
    > Otto

  2. Re: Oracle Advanced Services with Kerberos

    Markus,

    I am very sorry, Preetam is right.

    In theory (I couldn't test it) Oracle solves the problems in the 11gR1
    version. Also some of them are solved with patches in previous
    versions.

    These were my questions (I have eliminated detailed information):

    1.- We configure the environment variable

    KRB5CCNAME=FILE:/var/krb5/security/creds/krb5cc_oratest@AIXPRU.BDE.ES_201

    but Oracle doesn't parse this variable correctly, using the following
    value as the credentials cache:

    file:var/krb5/security/creds/krb5cc_oratest@AIXPRU.BDE.ES_201

    producing an error because sqlplus is not able to locate the file. We
    know this error has already been reported to Oracle and we would like
    to know when we can expect to have this error (it seems very easy to
    solve) fixed.

    2.- Oracle internally uses addresses in the Kerberos tickets. We use an
    MIT-style configuration but Oracle doesn't understand the option
    (VERY IMPORTANT):

    noaddresses = true

    That means that we can't disable the use of the address in the TGT
    tickets, so if we use the okinit command to get the initial ticket in
    an IBM HACMP cluster environment the command is not working correctly.
    In this environment there are several network interfaces with IPs and
    aliases. The problem is that Oracle is not able to construct the list
    of addresses correctly.

    3.- Oracle is not supporting other encryption and checksumming methods
    apart from DES-CBC-CRC. Is that right? We have tried to configure other
    methods and the Oracle Kerberos libraries always use DES-CBC-CRC.

    When can we expect to have more secure encryption and checksumming
    algorithms?

    4.- When will Oracle use external MIT or Kerberos software to avoid
    the dependency we have on Oracle Kerberos software and its
    development?

    5.- In general we would like to complain about the old implementation
    that Oracle uses; we are not sure if it is MIT compliant or not, it
    uses credentials cache format = 3, whereas we now use in our clients
    (ccache_type=4), and it does not support most of the configuration
    options in MIT-style software. When will Oracle move forward with
    Kerberos authentication?



    And here I attach a LAB answer about the following points:

    1. This has been fixed in 11gR1. Patches are also available for
    certain previous versions (bug#5031220)
    2. Oracle's version of Kerberos is based on an old version of MIT
    Kerberos and is a reduced functionality version.
    Hence, it doesn't support all options that are available in the latest
    MIT version.
    3. 11gR1 has support for other algorithms
    4. You can create a ticket with kinit and use it with Oracle 11gR1, but
    it will not support all the newer MIT additions.
    5. This has been fixed in 11gR1. Please check bug#5095984


    Sorry again for the mistake.

    Otto

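The client-side problems Otto lists above (a KRB5CCNAME whose FILE: prefix is mis-parsed, no effect from noaddresses, the legacy ccache_type = 3 cache, and single-DES enctypes) can be checked mechanically before rolling a client out. The script below is an added example written for this thread, not code from the thread, from Oracle or from MIT; SAMPLE_CONF, the function names and the findings text are constructed for illustration, and it assumes an MIT-style krb5.conf with a [libdefaults] section.

```python
"""Audit helper for the Kerberos client settings this thread discusses. Constructed
example, not Oracle's or MIT's code; assumes an MIT-style krb5.conf [libdefaults]
section and a KRB5CCNAME of the form TYPE:residual (no prefix means FILE)."""
import re
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des"}

# Constructed krb5.conf fragment mirroring the setup described in the thread.
SAMPLE_CONF = """[libdefaults]
    default_realm = AIXPRU.BDE.ES
    ccache_type = 3            # legacy format kept for the Oracle client
    noaddresses = false
    default_tgs_enctypes = des-cbc-crc
"""

def parse_ccname(name):
    """Split a ccache name into (TYPE, residual). TYPE is case-insensitive and needs
    two or more letters (so a drive letter is not a type); the leading '/' is kept."""
    m = re.match(r"^([A-Za-z]{2,}):(.*)$", name)
    return (m.group(1).upper(), m.group(2)) if m else ("FILE", name)

def parse_libdefaults(text):
    """Return the key/value pairs of [libdefaults], comments stripped."""
    section, out = None, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            out[key] = value
    return out

def audit(conf_text, ccname):
    """Flag the conditions the thread reports as breaking logins or weakening crypto."""
    findings = []
    ctype, residual = parse_ccname(ccname)
    if ctype == "FILE" and not residual.startswith("/"):
        findings.append("KRB5CCNAME: FILE residual is not an absolute path")
    d = parse_libdefaults(conf_text)
    if d.get("noaddresses", "true").lower() != "true":
        findings.append("noaddresses off: address-bound tickets fail behind NIC aliases")
    if d.get("ccache_type") == "3":
        findings.append("ccache_type = 3: legacy cache format, only for old readers")
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        weak = set(d.get(key, "").replace(",", " ").split()) & WEAK_ENCTYPES
        if weak:
            findings.append(f"{key}: single-DES enctypes {sorted(weak)}")
    return findings
```

Running audit() against the mangled name Otto quotes (file:var/...) adds the missing-slash finding on top of the three configuration findings from SAMPLE_CONF.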



