How to make Kerberos authentication in Oracle? - windows

I have Windows Server 2008 r2 with myora.local domain and AD. There is server Oracle. And I have client on Win7.
On server:
-C:\krb\krb.conf
MYORA.LOCAL
MYORA.LOCAL myora.local admin server
-C:\krb\krb5.realms
[libdefaults]
default_realm=MYORA.LOCAL
[realms]
MYORA.LOCAL= {
kdc=DomainController.myora.local:88
}
[domain_realm]
.local.myora=MYORA.LOCAL
-sqlnet.ora
SQLNET.KERBEROS5_CONF= c:\krb\krb.conf
SQLNET.KERBEROS5_REALMS = c:\krb\krb5.realms
SQLNET.KERBEROS5_CC_NAME = C:\krb\v5srvtab
SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS, NTS, KERBEROS5)
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
SQLNET.KERBEROS5_CONF_MIT = TRUE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = krbtgt
okinit work for Kefir#MYORA.LOCAL (user name on computer-server)
I do all the same steps on client (except sqlnet.ora), but okinit trows error:
From local name user1 it can't find, from computer name It has credential problems.
What should I change or add?

The error may be telling you that for your database service principle (the account you issued the keytab from ) you haven't selected "pre-authentication not required" in account properties.
For your client you should remove beq from the list of authentication services in sqlnet.ora. If you aren't using them also remove NTS (windows native) and TCPS (certificate).
In your krb5.conf file add upper-case to your domain realm, as well as an alias not prefixed by a period - like this:
[domain_realm]
.local.myora=MYORA.LOCAL
local.myora=MYORA.LOCAL
.MYORA.LOCAL=MYORA.LOCAL
MYORA.LOCAL=MYORA.LOCAL
You might want to take a look at this video - there's a chance it will answer other questions you are likely to run into
https://www.youtube.com/watch?v=d_d0j9ssQys&ab_channel=OracleDevelopers

Related

What are the best practices for troubleshooting Heterogeneous ODBC connections?

I am trying to establish a heterogeneous ODBC connection from an Oracle 21c XE database to a Progress OpenEdge 11.7 database. I have installed a 32 bit ODBC driver on the Windows 2019 server where the 21c XE DB resides. I have set up an ODBC System DSN, tested it and it works.
I created a initTIMEDATA.ora file in the C:\app\Administrator\product\21c\homes\OraDB21Home1\hs\admin folder.
It contains;
HS_FDS_CONNECT_INFO = TimeData
HS_FDS_TRACE_LEVEL = 4
HS_FDS_TRACE_FILE_NAME = TimeData.trc
Where TimeData matches the ODBC System DSN name.
I modified the listener.ora adding;
(SID_DESC=
(SID_NAME=TimeData)
(ORACLE_HOME=C:\app\Administrator\product\21c\dbhomeXE)
(PROGRAM=C:\app\Administrator\product\21c\dbhomeXE\bin\dg4odbc)
(ENVS = LD_LIBRARY_PATH=C:\Progressx86\OpenEdge\lib:C:\app\Administrator\product\21c\dbhomeXE\bin)
)
I modified my tnsnames.ora file adding;
TIMEDATA=
(DESCRIPTION=
(ADDRESS=
(PROTOCOL=TCP)
(HOST=10.254.10.41)
(PORT=4621)
)
(CONNECT_DATA=
(SID=TimeData))
(HS=OK))
I created a DBLink like;
CREATE PUBLIC DATABASE LINK time_data_link CONNECT TO "sqluser" IDENTIFIED BY "myPassword" USING 'TIMEDATA';
After restarting everything (DB, Listener...) the listener shows;
Service "TimeData" has 1 instance(s).
Instance "TimeData", status UNKNOWN, has 1 handler(s) for this service...
When I try to run a query;
SELECT * FROM employee_view#time_data_link;
I get;
ORA-28545: error diagnosed by Net8 when connecting to an agent
Unable to retrieve text of NETWORK/NCR message 65535
ORA-02063: preceding 2 lines from TIME_DATA_LINK
28545. 0000 - "error diagnosed by Net8 when connecting to an agent"
*Cause: An attempt to call an external procedure or to issue SQL
to a non-Oracle system on a Heterogeneous Services database link
failed at connection initialization. The error diagnosed
by Net8 NCR software is reported separately.
*Action: Refer to the Net8 NCRO error message. If this isn't clear,
check connection administrative setup in tnsnames.ora
and listener.ora for the service associated with the
Heterogeneous Services database link being used, or with
'extproc_connection_data' for an external procedure call.
Error at Line: 1 Column: 29
I see no errors in the listener.log, I cannot find TimeData.trc. In poking around the DB trace files I found a trace file related with multiple copies of;
HS connect: nscall returned status ffffffff (-1)
ns main err code: 12569
ns (2) err code: 0
nt main err code: 0
nt (2) err code: 0
nt OS err code: 0
*** 2022-04-03T17:01:07.758909-04:00 (XEPDB1(3))
HS: Unable to establish RPC connection to HS Agent...
HS: ... Agent SID = (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=10.254.10.41)(PORT=4621))(CONNECT_DATA=(SID=TimeData))), NCR error = 65535 Unable to retrieve text of NETWORK/NCR message 65535
I have reached the end of my troubleshooting skills and hope someone else may be able to point me in the right direction.
I had two problems.
The TNSNAMES.ORA file needed to point to the Oracle DB server, running on localhost in my case. Once I changed this, the error changed to
Error;
ORA-28500: connection from ORACLE to a non-Oracle system returned this message:
[Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application {IM014}
New TNSNAMES.ORA;
TIMEDATA=
(DESCRIPTION=
(ADDRESS=
(PROTOCOL=TCP)
(HOST=localhost)
(PORT=1521)
)
(CONNECT_DATA=
(SID=TimeData))
(HS=OK))
Once I saw this error it became apparent I needed the 64 bit version of the ODBC driver which I acquired.
After making these changes everything seems to work.

Connecting Oracle Autonomous Database to .net entity framework

I need help on connecting Oracle Autonomous Database to my .net core mvc app,
has any one tried it or aware about it.
Thanks in Advance
Thank You
Shubham Pratap
Too long for comments.
Download and extract Oracle cloud wallet.Make a backup copy of tnsnames.ora file.Shorten the names of your autonomous database entry(this step is optional.
Add the path of cloud wallet directory in sqlnet.ora
SQLNET.AUTHENTICATION_SERVICES= (NTS)
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
SSL_SERVER_DN_MATCH = yes
WALLET_LOCATION =
(SOURCE =
(METHOD = file)
(METHOD_DATA =
(DIRECTORY = "c:\OracleCloudWallet")
)
)
2) Shorten name of autonomous database entry of your choice in tnanames.ora (this step is optional just for convenience sake)
tnsnames.ora file (actual instance name is lengthy over 50 characters)
adw_high = (description= (retry_count=20)(retry_delay=3)(address=(protocol=tcps)(port=1522)(host=xxx))(connect_data=(service_name=xx))(security=(ssl_server_cert_dn="CN=xxx,......")))
adw_low = (description= (retry_count=20)(retry_delay=3)(address=(protocol=tcps)(port=1522)(host=xxx))(connect_data=(service_name=xxx))(security=(ssl_server_cert_dn="CN=xxx,......")))
adw_medium = (description= (retry_count=20)(retry_delay=3)(address=(protocol=tcps)(port=1522)(host=xxx))(connect_data=(service_name=xxx))(security=(ssl_server_cert_dn="CN=xxx,............")))
3)Create system variable for TNS_ADMIN and directory path to cloud wallet directroy
If you set up tns_admin variable properly
from command prompt C:\echo %TNS_ADMIN% should print correct path
4)If all above steps setup properly then you should be able tnsping each entry in tnsnames.ora
Connection string in your code shoulld be like this
// Configure ODP.NET connection string
//Data Source is nothing but adb entry in tnsnames.ora i,e adw_high
optionsBuilder.UseOracle(#"User Id=xxx;Password=xxxxxx;Data Source=adw_high");
// Set TnsAdmin value to directory location of tnsnames.ora and sqlnet.ora files
OracleConfiguration.TnsAdmin = #"c:\OracleCloudWallet";
// Set WalletLocation value to directory location of the ADB wallet (i.e. cwallet.sso)
OracleConfiguration.WalletLocation = #"c:\OracleCloudWallet";
Edit:-
Today Fired up ADW instance and connected without any problem.I have Oracle 19c local instance.
ASP.NET Core Web Application relevant code
OracleConfiguration.TnsAdmin = #"C:\app\oracle\product\19.3.0\db_1\network\admin";
OracleConfiguration.WalletLocation = #"C:\app\oracle\product\19.3.0\db_1\network\admin";
string conString = "User Id=scott;Password=xxxx;Data Source=adw_low";

ODBC Data Source Connection Successful but TNS Unresolved in VBScript

I am trying to make a connection to Oracle DB from VBScript. I've added all the environment variables and the code can locate the file of TNSNAMES.ora but cannot resolve the connection.
When I test the connectivity from the ODBC Data Source Administrator, I get a 'Success' result, but I still cannot access this from the code.
con.ConnectionString = "DSN=DATA;Uid=wh;Pwd=pwd;"
con.Open 'This is where it fails
I have tried many connection strings but all fail
OracleConnString = "Driver={Oracle in instantclient_18_3};server=server;database=db;trusted_connection=Yes;"
DB_CONN_STRING = "Driver={Oracle in instantclient_18_3}; " & _
"(DESCRIPTION=" & _
"(ADDRESS = (PROTOCOL = TCP)(HOST = host)(PORT = port)" & _
"(CONNECT_DATA=(SERVICE_NAME=srv_name)))"
CONN_STRING = "CONNECT wh/pwd#//host/db"
How can I connect to the database from the script?
You mix several topics.
You hide the DSN name and the "Data Source Name", this makes it impossible for use to provide you the correct connection string.
If you like to use the ODBC DSN then the connection string must be
DSN=▇▇▇▇DATA;Uid=myUsername;Pwd=myPassword
However, you must create a System DSN, not a User DSN (see ODBC DSN). However, typically you don't use the ODBC DSN because you have to create the DSN on the target machine which is additional configuration work.
Connection string without DSN would be
Driver={Oracle in instantclient_18_3};Dbq=?????;Uid=myUsername;Pwd=myPassword;
or
Driver={Oracle in instantclient_18_3};Server=?????;Uid=myUsername;Pwd=myPassword;
see https://www.connectionstrings.com/oracle-in-oraclient11g_home1/
If you use full DB name like (DESCRIPTION=... then you don't need any tnsnames.ora file. The purpose of this file is to resolve an alias to this full DB name.
Ensure that the ODBC driver is the same architecture, i.e. 32-bit or 64-bit as your VBS environment.
Either use %windir%\system32\odbcad32.exe + %windir%\system32\cscript.exe
or %windir%\SysWOW64\odbcad32.exe + %windir%\SysWOW64\cscript.exe

Using nxlog to ship logs in to logstash from Windows using om_ssl

I have been looking at options to ship logs from Windows, I have already got logstash set up, and I currently ship logs from Linux (CentOS) servers to my ELK stack using the logstash-forwarder and ssl encryption.
For compliance reasons encryption is pretty much essential in this environment.
I was hoping to use logstash-forwarder in Windows as well, but after compiling with Go I ran in to issues shipping Event Logs, and I found some people saying that it wasn't possible because of file locking issues, which the logstash-forwarder people appear to be working on, but I can't really wait.
Anyway, eventually I found out that nxlog seems to be able to ship logs in an encrypted format using ssl, I've found a few posts about similar topics and while I've learned quite a bit about how to ship the logs across and how to set up nxlog, I am still at a loss with how to set up logstash to accept the logs so I can process them.
I've asked in the #nxlog and #logstash irc channels, and got some confirmation in #nxlog that it is possible, no further information on how it should be configured.
Anyway, I have taken the crt file created for use with my logstash-forwarder (I will create a new one if needed when I am happy that this will work) and renamed it with a pem extension, which I believe should work as it is readable in ASCII format. I have created the environment variable for %CERTDIR% and put my file in there, I have written the following config file for nxlog from the other articles I have read, I think it is right, but I am not 100% sure:
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
# Enable json extension
<Extension json>
Module xm_json
</Extension>
# Nxlog internal logs
<Input internal>
Module im_internal
Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
</Input>
# Windows Event Log
<Input eventlog>
# Uncomment im_msvistalog for Windows Vista/2008 and later
Module im_msvistalog
# Uncomment im_mseventlog for Windows XP/2000/2003
# Module im_mseventlog
Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
</Input>
<Output sslout>
Module om_ssl
Host lumberjack.domain.com
Port 5000
CertFile %CERTDIR%/logstash-forwarder.crt
AllowUntrusted TRUE
OutputType Binary
</Output>
<Route 1>
Path eventlog, internal => sslout
</Route>
What I want to know is what input format to use in logstash I have tried shipping logs in to a lumberjack input type (using the same config as my logstash-forwarders use) with the following config:
input {
lumberjack {
port => 5000
type => "logs"
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
}
}
But when the service started I get the following in the nxlog logfiles:
2014-11-06 21:16:20 INFO connecting to lumberjack.domain.com:5000
2014-11-06 21:16:20 INFO nxlog-ce-2.8.1248 started
2014-11-06 21:16:21 INFO successfully connected to lumberjack.domain.com:5000
2014-11-06 21:16:22 INFO remote closed SSL socket
2014-11-06 21:16:22 INFO reconnecting in 1 seconds
2014-11-06 21:16:23 INFO connecting to lumberjack.domain.com:5000
2014-11-06 21:16:24 INFO reconnecting in 2 seconds
2014-11-06 21:16:24 ERROR couldn't connect to ssl socket on lumberjack.antmarketing.com:5000; No connection could be made because the target machine actively refused it.
When I turned the logging up to DEBUG I see a massive amount of logs flying through, but I think the key part is:
2014-11-06 21:20:18 ERROR Exception was caused by "rv" at om_ssl.c:532/io_err_handler(); [om_ssl.c:532/io_err_handler()] -; [om_ssl.c:501/om_ssl_connect()] couldn't connect to ssl socket on lumberjack.domain.com:5000; No connection could be made because the target machine actively refused it.
I assume this points to me using the wrong input method on logstash, but I guess it could also be an issue with my ssl certs or the way it is configured. I don't appear to be getting any logs on the logstash server being generated at the time I make the connection from my Windows machine.
Thanks to b0ti for the help, there were a number of issues, my logstash config was crashing the service, but I also had issues with my nxlog setup as well as my ssl certs being set up in the correct way.
I found this post about creating ssl certs, which covers the way they are set up really nicely for self signed certs for use as a web service.
The main thing wrong with nxlog was as b0ti pointed out I was trying to ship in binary when that will only work when shipping to nxlog server. I also noticed in the docs that the default for AllowUntrusted is false, so I just had to delete it once I was happy ssl was working.
<Output sslout>
Module om_ssl
Host lumberjack.domain.com
Port 5001
CAFile %CERTDIR%\nxlog-ca.crt
OutputType LineBased
</Output>
Creating the CA key, and secure it as this needs to be kept secret (cd to /etc/pki/tls):
certtool --generate-privkey --bits 2048 --outfile private/nxlog-ca.key
chown logstash:logstash private/nxlog-ca.key
chmod 600 private/nxlog-ca.key
And then Self Signed CA Cert, which will need to be transferred to your clients:
certtool --generate-self-signed --load-privkey private/nxlog-ca.key --bits 2048 --template nxlog-ca-rules.cnf --outfile certs/nxlog-ca.crt
The cnf file is standard only with this option modified:
# Whether this is a CA certificate or not
ca
The logstash input method:
input {
tcp {
port => 5001
type => "nxlogs"
ssl_cacert => "/etc/pki/tls/certs/nxlog-ca.crt"
ssl_cert => "/etc/pki/tls/certs/nxlog.crt"
ssl_key => "/etc/pki/tls/private/nxlog.key"
ssl_enable => true
format => 'json'
}
}
Generate the private key:
certtool --generate-privkey --bits 2048 --outfile private/nxlog.key
chown logstash:logstash private private/nxlog.key
chmod 600 private/nxlog.key
Generate the CSR (Certificate Signing Request):
certtool --generate-request --bits 2048 --load-privkey private/nxlog.key --outfile private/nxlog.csr
Sign the Cert with the CA private key
certtool --generate-certificate --bits 2048 --load-request private/nxlog.csr --outfile certs/nxlog.crt --load-ca-certificate certs/nxlog-ca.crt --load-ca-privkey private/nxlog-ca.key --template nxlog-rules.cnf
Again the only important part over the standard inputs for the cnf file will be:
# Whether this certificate will be used to encrypt data (needed
# in TLS RSA ciphersuites). Note that it is preferred to use different
# keys for encryption and signing.
encryption_key
# Whether this certificate will be used for a TLS client
tls_www_client
I've tested this and it works well, I just need to get the filters set up now
The binary data format is nxlog specific, you should only use it if you send to nxlog.
OutputType Binary
If this doesn't help, check the logstash logs since it's the remote end (logstash) which closes the connection.

Tomcat JDBCRealm using Oracle database over SSL (PROTOCOL=TCPS)

I'm trying to implement JDBCRealm in tomcat (as described in http://tomcat.apache.org/tomcat-4.1-doc/realm-howto.html#Configuring%20a%20Realm) to check credential agains Oracle Database. The thing is that I want database to communicate over SSL. So I configured listener to use TCPS. Like that:
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=<hostname>)(PORT=1521)))<br>
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=<hostname>)(PORT=1512)))
Generated certificates, etc. I have no problem connecting to database using tcps from sqlplus or from WLS (I can use connection property oracle.net.ssl_cipher_suites=(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,SSL_DH_anon_WITH_RC4_128_MD5,SSL_DH_anon_WITH_DES_CBC_SHA) there without any problem).
However, I cant get JDBCRealm to work with the database over TCPS. If I configure realm like this:
<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99" driverName="oracle.jdbc.driver.OracleDriver" connectionURL="jdbc:oracle:thin:#(DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = <hostname>)(PORT = 1512)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = <service name>)))" connectionName="<login>" connectionPassword="<password>" userTable="users" userNameCol="user_name" userCredCol="user_pass" userRoleTable="user_roles" roleNameCol="role_name" />
I'm getting following error:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I imported certificates in JKS store which I configured in Tomcat like this:
With no success.
I'm not a professional in Tomcat (more in databases). I'll appreciate any help or pointing me in right direction. Thanks in advance!
Error seems to indicate that SSL certificate is not trusted.
I suggest to verify that you indeed have certificate in your trust store (there is a command line tool in JDK to list trust store content, you can Google it) and then add following parameter in Tomcat startup script:
javax.net.ssl.trustStore=<path to trust store>

Resources