Subject
How to authenticate Artifactory to OracleDB with Kerberos rather than user/password
Affected Versions
Artifactory 6+, Artifactory 7+
Resolution
Connecting Artifactory to OracleDB via Kerberos is a fairly herculean task compared to username/password. It requires knowledge of three mechanisms: Kerberos authentication, Oracle authentication, and Artifactory authentication. This guide covers connecting Artifactory to Oracle. It is expected that the user is already able to connect to Oracle directly via Kerberos only, which can be tested via sqlplus /@<DB service name>:
$ /opt/oracle/product/18c/dbhomeXE/bin/sqlplus /@XEPDB1
SQL*Plus: Release 18.0.0.0.0 - Production on Tue Mar 30 23:05:25 2021
Version 18.4.0.0.0
Copyright (c) 1982, 2018, Oracle. All rights reserved.
Connected to:
Oracle Database 18c Express Edition Release 18.0.0.0.0 - Production
Version 18.4.0.0.0
SQL>
Please also verify that you are connected as the correct user. In my case, I will be using ‘kerb7’:
SQL> show user
USER is "KERB7"
Once this is verified, we can begin Artifactory integration.
Artifactory 6
Provide the following JVM parameters in your artifactory.default/default file:
export JAVA_OPTIONS="$JAVA_OPTIONS -Doracle.net.kerberos5_mutual_authentication=true -Djava.security.krb5.conf=/etc/krb5.conf -Doracle.net.kerberos5_cc_name=/etc/krb5cache -Doracle.net.authentication_services=\"( KERBEROS5 )\""
Ensure that the artifactory user is able to read the ticket cache file and the krb5.conf file. If you need debug output, add this too: -Dsun.security.krb5.debug=true
You’ll get debug logging in catalina.out. It’s quite verbose. In db.properties, remove the username and password fields. I like to use a shorter JDBC URL with the DB service name in it:
type=oracle
driver=oracle.jdbc.OracleDriver
url=jdbc:oracle:thin:@oracle-kerb-6.internal:1521/XEPDB1
Artifactory 7
Apart from the additional LD_LIBRARY_PATH requirement for Oracle, the setup is similar. The system.yaml is the point of focus on the Artifactory side of things:
shared:
  env:
    LD_LIBRARY_PATH: /var/opt/jfrog/artifactory/oracle-client-lib
  extraJavaOpts: >
    -Doracle.net.kerberos5_mutual_authentication=true
    -Djava.security.krb5.conf=/etc/krb5.conf
    -Doracle.net.kerberos5_cc_name=/etc/krb5cache
    -Doracle.net.authentication_services="( KERBEROS5 )"
  database:
    type: "oracle"
    driver: "oracle.jdbc.OracleDriver"
    url: "jdbc:oracle:thin:@oracle-kerb-7.internal:1521/XEPDB1"
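A preflight check for the file requirements in both setups above, as an added example that is not part of the original article: it confirms that krb5.conf and the ticket cache are readable by the current user, that the cache is not open to group or others, and that it holds a valid ticket. The function names are hypothetical, the default paths are the ones used in the JVM options on this page, and `klist` is assumed to be the standard Kerberos client tool.

```shell
#!/bin/sh
# Added example: preflight for the Kerberos files named in the JVM options.
# Usage (as the account Artifactory runs under):
#   preflight "$KRB5_CONF" "$KRB5_CCACHE"
KRB5_CONF="${KRB5_CONF:-/etc/krb5.conf}"        # path from this page
KRB5_CCACHE="${KRB5_CCACHE:-/etc/krb5cache}"    # path from this page

# check_readable FILE: 0 if FILE is a regular file the current user can read.
check_readable() {
    [ -f "$1" ] && [ -r "$1" ]
}

# check_private FILE: 0 if FILE grants nothing to group or others.
# The ticket cache holds usable credentials, so wider access lets other
# local accounts reuse the database identity.
check_private() {
    perms=$(ls -ld -- "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# check_ticket CACHE: 0 if klist reports a valid, non-expired ticket,
# 2 if klist is not installed (validity unknown), 1 otherwise.
check_ticket() {
    command -v klist >/dev/null 2>&1 || return 2
    klist -s -c "$1" >/dev/null 2>&1 || return 1
}

# preflight CONF CACHE: prints one line per finding and returns the
# number of failures (0 means the files are ready for Artifactory).
preflight() {
    fails=0
    check_readable "$1" || { echo "FAIL: cannot read $1"; fails=$((fails + 1)); }
    if check_readable "$2"; then
        check_private "$2" || {
            echo "FAIL: $2 is accessible to group/others"; fails=$((fails + 1)); }
        rc=0
        check_ticket "$2" || rc=$?
        if [ "$rc" -eq 2 ]; then
            echo "WARN: klist not found, ticket validity not checked"
        elif [ "$rc" -ne 0 ]; then
            echo "FAIL: no valid ticket in $2"; fails=$((fails + 1))
        fi
    else
        echo "FAIL: cannot read $2"; fails=$((fails + 1))
    fi
    return "$fails"
}
```

Run it as the same account Artifactory runs under, since a check performed as root will pass the readability tests regardless of file ownership.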