Connect Liquibase with Oracle Database via Kerberos and Active Directory
Last updated: July 14, 2025
Kerberos is an authentication protocol that works based on tickets to provide strong authentication for client/server applications using secret-key cryptography. It doesn’t store passwords locally or send them over the Internet.
Kerberos authentication for an Oracle connection is typically used when Kerberos is the standard authentication mechanism your company supports for accessing resources in your organization.
Before you begin
Before using Liquibase with Kerberos and Active Directory, ensure that you:
Install Liquibase.
Perform all steps to prepare the environment that can connect to the database. You need to set up Active Directory and integrate it with Kerberos.
Have the following files available:
The
krb5.conf
file.The Kerberos cache file. The example provided later in the tutorial will have the cache file called
kerbcache
.The
sqlnet.ora
andtnsnames.ora
files. TheTNS_ADMIN
environment variable will reference the location of those files in the Liquibaseurl
property. If the TNS alias is not defined in thetnsnames.ora
file, then use the hostname, port, and database name within the JDBC string instead.
Procedure
Verify the connection to your environment.
You can confirm that you have a successful connection to your environment by making that connection with SQL*Plus:
1. Open your SQL*Plus.
2. Run the kinit command to obtain and cache Kerberos ticket-granting ticket. An example from the Oracle documentation:
kinit [-fp] [-c <cache_name>] [-k] [-t <keytab_filename>] [<principal>] [<password>] [-help]
Command Option | Description |
| Do not include addresses. |
| Issue a forwardable ticket. |
| Issue a proxiable ticket. |
| The cache name ( |
| Use keytab. |
| The keytab name ( |
<principal> | The principal name ( |
<password> | The principal's Kerberos password (do not specify on the command line or in a script). |
| The option that displays instructions. |
3. Run klist
to see a Kerberos ticket.
4. Run sqlplus /@<alias_name>
to connect to your Oracle database via Kerberos authentication.
Connect to an Oracle database using Liquibase.
Run a Liquibase update with the following arguments:
JAVA_OPTS=-Djava.security.krb5.conf=/path/to/krb5.conf
-Doracle.net.kerberos5_cc_name=/path/to/kerbcache
-Dsun.security.krb5.debug=true
-Doracle.net.kerberos5_mutual_authentication=true
-Doracle.net.authentication_services=KERBEROS5 liquibase update
--changelog-file=path/to/changeLog.sql
--url=jdbc:oracle:thin:@<tns alias name>?TNS_ADMIN=/path/to/oracle_files
--classpath=path/to/ojdbc8.jar