Connect Liquibase with Oracle Database via Kerberos and Active Directory

Last updated: July 14, 2025

Kerberos is an authentication protocol that works based on tickets to provide strong authentication for client/server applications using secret-key cryptography. It doesn’t store passwords locally or send them over the Internet.

Kerberos authentication for an Oracle connection is typically used when Kerberos is the standard authentication mechanism your company supports for accessing resources in your organization.

Before you begin

Before using Liquibase with Kerberos and Active Directory, ensure that you:

Install Liquibase.
Perform all steps to prepare the environment that can connect to the database. You need to set up Active Directory and integrate it with Kerberos.

Have the following files available:

The krb5.conf file.
The Kerberos cache file. The example provided later in the tutorial will have the cache file called kerbcache.
The sqlnet.ora and tnsnames.ora files. The TNS_ADMIN environment variable will reference the location of those files in the Liquibase url property. If the TNS alias is not defined in the tnsnames.ora file, then use the hostname, port, and database name within the JDBC string instead.

Procedure

Verify the connection to your environment.

You can confirm that you have a successful connection to your environment by making that connection with SQL*Plus:

1. Open your SQL*Plus.

2. Run the kinit command to obtain and cache Kerberos ticket-granting ticket. An example from the Oracle documentation:

kinit [-fp] [-c <cache_name>] [-k] [-t <keytab_filename>] [<principal>] [<password>] [-help]

Command Option	Description
`-A`	Do not include addresses.
`-f`	Issue a forwardable ticket.
`-p`	Issue a proxiable ticket.
`-c <cache_name>`	The cache name (`FILE:d:\temp\mykrb5cc`).
`-k`	Use keytab.
`-t <keytab_filename>`	The keytab name (`d:\winnt\profiles\duke\krb5.keytab`).
<principal>	The principal name (`duke@example.com`).
<password>	The principal's Kerberos password (do not specify on the command line or in a script).
`-help`	The option that displays instructions.

3. Run klist to see a Kerberos ticket.

4. Run sqlplus /@<alias_name> to connect to your Oracle database via Kerberos authentication.

Connect to an Oracle database using Liquibase.

Run a Liquibase update with the following arguments:

JAVA_OPTS=-Djava.security.krb5.conf=/path/to/krb5.conf
-Doracle.net.kerberos5_cc_name=/path/to/kerbcache 
-Dsun.security.krb5.debug=true 
-Doracle.net.kerberos5_mutual_authentication=true 
-Doracle.net.authentication_services=KERBEROS5 liquibase update 
--changelog-file=path/to/changeLog.sql 
--url=jdbc:oracle:thin:@<tns alias name>?TNS_ADMIN=/path/to/oracle_files 
--classpath=path/to/ojdbc8.jar