Configuring Kerberos Authentication with an Oracle Database Server
This procedure describes how to configure Kerberos authentication between Control-M/EM, Control-M/Server, and Workload Archiving with an Oracle database server.
Before You Begin
Ensure you have met the following requirements:
- Install Control-M/EM, Control-M/Server, and Workload Archiving with an Oracle database.
- Verify that the Active Directory manager has created a user and has provided to you the domain name, AD IP address, AD port, and the AD user password.
- Verify that the site Oracle DBA has re-defined the existing Control-M database user so that it is authenticated externally.
- Verify that the Kerberos client is installed by running the following command:
  $CONTROLM_SERVER/exe_Linux-x86_64/DBUData/scripts/kerberos_klist.sh -V
Begin
- Navigate to the following directory:
  $CONTROLM_SERVER/exe_Linux-x86_64/DBUData/scripts
- Run the following commands:
  - setenv AD_PASSWD <mypass>
  - kerberos_setup.sh -AD_DOMAIN <domain_name> -AD_HOST <AD_IP_address> -AD_PORT <AD_port>
- Log out of your UNIX account and log back in.
- Run the following commands again:
  - setenv AD_PASSWD <mypass>
  - kerberos_setup.sh -AD_DOMAIN <domain_name> -AD_HOST <AD_IP_address> -AD_PORT <AD_port>
- Test the connection by running the following command:
  kerberos_api.sh --TEST_CONNECT
To disable this configuration, run the following command:
  kerberos_api.sh --DISABLE_KERBEROS
To maintain the Credentials cache (TGT file), BMC recommends the following:
- The file is located in $ORACLE_HOME/network/admin/krbuser_cc.
- Refresh the file every two hours by running kerberos_kinit.sh -r
- Renew the file weekly by running kerberos_kinit.sh (password required).
- Replace the file with a symbolic link to an enterprise-maintained file.
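One way to check the credentials cache against the recommendations above from a scheduled job, as an added example that is not BMC's code. It assumes the file's modification time reflects the last refresh and that kerberos_kinit.sh sits in the scripts directory named earlier; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not BMC code. Health check for the Kerberos credentials cache.
# Return codes: 0 ok, 1 missing, 2 not owned by caller,
#               3 group/other permission bits set, 4 older than max age.
check_tgt_cache() {
    tgt_file=$1
    max_age_min=${2:-120}   # the page recommends a refresh every two hours

    # -e, -O, ls -L and find -L all follow a symbolic link to its target.
    [ -e "$tgt_file" ] || return 1
    [ -O "$tgt_file" ] || return 2

    # Characters 5-10 of the mode string are the group and other bits.
    go_bits=$(ls -ldL -- "$tgt_file" | cut -c5-10)
    [ "$go_bits" = "------" ] || return 3

    # find prints the path only if it was modified more than max_age_min ago.
    if [ -n "$(find -L "$tgt_file" -prune -mmin +"$max_age_min")" ]; then
        return 4
    fi
    return 0
}

# Scheduled entry point (hypothetical): refresh a stale cache, report the rest.
# Assumption: kerberos_kinit.sh is in the scripts directory named on the page.
maintain_tgt_cache() {
    cache_path=${1:-$ORACLE_HOME/network/admin/krbuser_cc}
    scripts_dir=$CONTROLM_SERVER/exe_Linux-x86_64/DBUData/scripts
    rc=0
    check_tgt_cache "$cache_path" 120 || rc=$?
    case $rc in
        0) echo "OK: $cache_path is fresh and private" ;;
        4) echo "STALE: refreshing $cache_path"
           ( cd "$scripts_dir" && ./kerberos_kinit.sh -r ); rc=$? ;;
        1) echo "MISSING: $cache_path (run kerberos_kinit.sh, password required)" >&2 ;;
        2) echo "OWNER: $cache_path is not owned by $(id -un)" >&2 ;;
        3) echo "PERMS: $cache_path is accessible to group or other" >&2 ;;
    esac
    return "$rc"
}
```

When the cache is a symbolic link to an enterprise-maintained file, codes 2 and 3 describe the link's target, so compare them against that file's intended owner and mode rather than treating them as failures outright.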
The configuration file is located in $ORACLE_HOME/network/admin/krb5.conf and you cannot edit it. You can replace the file with a symbolic link to an enterprise-maintained file.
- Run the following commands: