Connecting to an Oracle Database with Liquibase via Kerberos and Active Directory

Kerberos is a ticket-based authentication protocol that provides strong authentication for client/server applications using secret-key cryptography. The protocol does not store passwords locally or send them over the network.

Kerberos authentication for an Oracle connection is typically used when Kerberos is the standard authentication mechanism that your company supports for accessing resources in your organization.

Prerequisites

Before using Liquibase with Kerberos and Active Directory, ensure that you:

  • Have installed the latest version of Liquibase. For more information about installation, see Installing Liquibase.
  • Have the following files available:
    • The krb5.conf file.
    • The Kerberos cache file. In the example later in this tutorial, the cache file is called kerbcache.
    • The sqlnet.ora and tnsnames.ora files. The TNS_ADMIN parameter in the Liquibase url property points to the directory that contains those files. If the TNS alias is not defined in the tnsnames.ora file, use the hostname, port, and database name within the JDBC string instead.

Step 1: Verify the connection to your environment

You can confirm that you have a successful connection to your environment by making that connection with SQL*Plus:

  1. Open your SQL*Plus.
  2. Run the kinit command to obtain and cache a Kerberos ticket-granting ticket. An example from the Oracle documentation:
     kinit [-fp] [-c <cache_name>] [-k] [-t <keytab_filename>] [<principal>] [<password>] [-help]

     Command option        Description
     -A                    Do not include addresses.
     -f                    Issue a forwardable ticket.
     -p                    Issue a proxiable ticket.
     -c <cache_name>       The cache name (FILE:d:\temp\mykrb5cc).
     -k                    Use keytab.
     -t <keytab_filename>  The keytab name (d:\winnt\profiles\duke\krb5.keytab).
     <principal>           The principal name (duke@example.com).
     <password>            The principal's Kerberos password (do not specify on the command line or in a script).
     -help                 The option that displays instructions.
  3. Run klist to see a Kerberos ticket.
  4. Run sqlplus /@<alias_name> to connect to your Oracle database via Kerberos authentication.

Step 2: Connect to an Oracle database using Liquibase

Run a Liquibase update with the following arguments:

  JAVA_OPTS="-Djava.security.krb5.conf=/path/to/krb5.conf \
    -Doracle.net.kerberos5_cc_name=/path/to/kerbcache \
    -Dsun.security.krb5.debug=true \
    -Doracle.net.kerberos5_mutual_authentication=true \
    -Doracle.net.authentication_services=KERBEROS5" \
  liquibase update \
    --changelog-file=path/to/changeLog.sql \
    --url="jdbc:oracle:thin:@<tns alias name>?TNS_ADMIN=/path/to/oracle_files" \
    --classpath=path/to/ojdbc8.jar

The JAVA_OPTS value must be quoted as a single string so that all five -D properties reach the JVM, and the url value is quoted because ? and < > are special characters in the shell.
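The following wrapper script is an added example and is not part of the Liquibase documentation or the Liquibase project. It checks the prerequisites listed at the top of this page (krb5.conf, the ticket cache, sqlnet.ora and tnsnames.ora), confirms that the cache holds a valid ticket, chooses between the TNS-alias and host/port forms of the JDBC URL depending on whether the alias is defined in tnsnames.ora, and only then runs the update from Step 2. Everything beyond the command on the page is an assumption: the environment variable names (KRB5_CONF, KRB5_CACHE, TNS_ADMIN, TNS_ALIAS, DB_HOST, DB_PORT, DB_SERVICE, CHANGELOG, OJDBC_JAR, RUN_UPDATE), their default values, the ORCLDB alias, the db.example.com host, and the use of MIT/Heimdal klist -s for the ticket check. It also deviates from the page in one deliberate way: -Dsun.security.krb5.debug=true is off unless explicitly requested, because that flag writes ticket and principal details to the JVM's stderr, which is rarely wanted in CI logs.

```shell
#!/bin/sh
# Added example, not Liquibase's own code. Wraps "liquibase update" with the
# Kerberos prerequisite checks from the page. All paths, names and env vars
# are assumptions; adjust them for your site.

# Verify the prerequisite files. Prints each missing file to stderr and
# returns 1 if any is absent, so the JDBC driver is never reached with a
# half-configured environment.
check_kerberos_files() {
  krb5_conf=$1; cache=$2; tns_dir=$3
  missing=0
  for f in "$krb5_conf" "$cache" "$tns_dir/sqlnet.ora" "$tns_dir/tnsnames.ora"; do
    if [ ! -f "$f" ]; then
      echo "missing: $f" >&2
      missing=1
    fi
  done
  return $missing
}

# Succeeds when tnsnames.ora defines the alias (a line such as "ORCLDB =").
# tnsnames.ora entries are case-insensitive, hence grep -i.
tns_alias_defined() {
  tns_dir=$1; alias=$2
  grep -Eiq "^[[:space:]]*${alias}[[:space:]]*=" "$tns_dir/tnsnames.ora"
}

# Assemble JAVA_OPTS as one string. Kerberos debug output is added only when
# the third argument is "debug"; it prints ticket details to stderr.
build_java_opts() {
  krb5_conf=$1; cache=$2; mode=${3:-}
  opts="-Djava.security.krb5.conf=$krb5_conf"
  opts="$opts -Doracle.net.kerberos5_cc_name=$cache"
  opts="$opts -Doracle.net.kerberos5_mutual_authentication=true"
  opts="$opts -Doracle.net.authentication_services=KERBEROS5"
  if [ "$mode" = "debug" ]; then
    opts="$opts -Dsun.security.krb5.debug=true"
  fi
  printf '%s' "$opts"
}

# TNS-alias URL when the alias exists, otherwise the host/port/service form
# the page recommends (host, port and service are assumed values).
build_jdbc_url() {
  tns_dir=$1; alias=$2; host=$3; port=$4; service=$5
  if tns_alias_defined "$tns_dir" "$alias"; then
    printf 'jdbc:oracle:thin:@%s?TNS_ADMIN=%s' "$alias" "$tns_dir"
  else
    printf 'jdbc:oracle:thin:@//%s:%s/%s' "$host" "$port" "$service"
  fi
}

# Run the checks, then the update from Step 2. Assumed env vars and defaults.
run_update() {
  krb5_conf=${KRB5_CONF:-/etc/krb5.conf}
  cache=${KRB5_CACHE:-/tmp/kerbcache}
  tns_dir=${TNS_ADMIN:-/opt/oracle/network/admin}
  check_kerberos_files "$krb5_conf" "$cache" "$tns_dir" || return 1
  # MIT/Heimdal klist -s exits nonzero when the cache is unreadable or the
  # ticket has expired; tell the operator to kinit instead of letting the
  # JDBC driver fail with a less specific error.
  if ! KRB5CCNAME="$cache" klist -s; then
    echo "no valid ticket in $cache; run kinit first" >&2
    return 1
  fi
  JAVA_OPTS=$(build_java_opts "$krb5_conf" "$cache" "${KRB5_DEBUG:-}") \
  liquibase update \
    --changelog-file="${CHANGELOG:-path/to/changeLog.sql}" \
    --url="$(build_jdbc_url "$tns_dir" "${TNS_ALIAS:-ORCLDB}" \
              "${DB_HOST:-db.example.com}" "${DB_PORT:-1521}" "${DB_SERVICE:-ORCL}")" \
    --classpath="${OJDBC_JAR:-path/to/ojdbc8.jar}"
}

# Only touch the database when invoked with RUN_UPDATE=1, so the file can be
# sourced for its check functions without side effects.
if [ "${RUN_UPDATE:-0}" = "1" ]; then
  run_update "$@"
fi
```

Usage: `RUN_UPDATE=1 KRB5_CACHE=/path/to/kerbcache TNS_ADMIN=/path/to/oracle_files TNS_ALIAS=<tns alias name> sh liquibase-krb.sh`; set `KRB5_DEBUG=debug` only while diagnosing a failed handshake. Checking klist -s before launching the JVM keeps the "no ticket" case separate from genuine driver or network errors, which makes failures in a scheduled job much easier to triage.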