Connecting to an Oracle Database with Liquibase via Kerberos and Active Directory

Kerberos is an authentication protocol that works based on tickets to provide strong authentication for client/server applications by using secret-key cryptography. The Kerberos authentication protocol doesn’t store passwords locally or send them over the Internet.

Kerberos authentication for an Oracle connection is typically used when Kerberos is the standard authentication mechanism that your company supports for accessing resources in your organization.


Before using Liquibase with Kerberos and Active Directory, ensure that you:

  • Installed the latest version of Liquibase. For more information about installation, see Installing Liquibase.
  • Have the following files available:
    • The krb5.conf file.
    • The Kerberos cache file. The example provided later in the tutorial will have the cache file called kerbcache.
    • The sqlnet.ora and tnsnames.ora files. The TNS_ADMIN environment variable will reference the location of those files in the Liquibase url property. If the TNS alias is not defined in the tnsnames.ora file, then use the hostname, port, and database name within the JDBC string instead.

Step 1: Verify the connection to your environment

You can confirm that you have a successful connection to your environment by making that connection with SQL*Plus:

  1. Open your SQL*Plus.
  2. Run the kinit command to obtain and cache Kerberos ticket-granting ticket. An example from the Oracle documentation:
kinit [-fp] [-c <cache_name>] [-k] [-t <keytab_filename>] [<principal>] [<password>] [-help]
Command Option Description
-A Do not include addresses.
-f Issue a forwardable ticket.
-p Issue a proxiable ticket.
-c <cache_name> The cache name (FILE:d:\temp\mykrb5cc).
-k Use keytab.
-t <keytab_filename> The keytab name (d:\winnt\profiles\duke\krb5.keytab).
<principal> The principal name (
<password> The principal's Kerberos password (do not specify on the command line or in a script).
-help The option that displays instructions.
  1. Run klist to see a Kerberos ticket.
  2. Run sqlplus /@<alias_name> to connect to your Oracle database via Kerberos authentication.

Step 2: Connect to an Oracle database using Liquibase

Run a Liquibase update with the following arguments: liquibase update 
--url=jdbc:oracle:thin:@<tns alias name>?TNS_ADMIN=/path/to/oracle_files