My Oracle Support Banner

JDBC Modifies Kerberos Config (Doc ID 2714659.1)

Last updated on OCTOBER 21, 2022

Applies to:

JDBC - Version 18.0.0.0.0 and later
Information in this document applies to any platform.

Symptoms

When an application authenticates its connectivity to Oracle and one other component both using Kerberos, the Subject in JAAS policies is reset when Oracle establishes a connection.
It appears that the javax.security.auth.Configuration (and underlying HashMap) that holds the config for both components gets completely recreated by the code in Oracle driver, so the Config of the other component disappears when invoked in that sequence: 1) Other component 2) Oracle. 

Example config:

KerberosOracleContext {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache = true
doNotPrompt=true
debug=true
ticketCache="<krb5cache_location>";
};
KafkaClient {
com.sun.security.auth.module.Krb5LoginModule required
  doNotPrompt=true
  debug=true
ticketCache="<krb5cache_location>"
  useTicketCache=true;
};


~~~

The workaround via WLP config for Jaas, looks as follows:


    className="com.sun.security.auth.module.Krb5LoginModule"
  controlFlag="REQUIRED"
  libraryRef="oracle-lib" >
    useTicketCache="true"
  ticketCache="<Ticket_cache_location>" />
  
    name="JASS_LOGINCONTEXT"
  loginModuleRef="JAAS_KRB_JDBC"/>
  
  
  ALTER SESSION set CURRENT_SCHEMA = …..
  
  
    connectionProperties="oracle.net.authentication_services=(KERBEROS5);oracle.net.kerberos5_mutual_authentication=true;"
  />
  

Without the above WLP configuration, Oracle Kerberos doesn’t honor multiple env settings from JaaS config file and instead overrides it with its own hard coded Map in oracle.net.ano.AuthenticationService
The workaround seems to be using a particular method "doAs" when adding the configuration.

Changes

 

Cause

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!


In this Document
Symptoms
Changes
Cause
Solution
References


My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.