How to connect Artifactory to Oracle via Kerberos

Author: Loren Yeung
Article number: 000005039
Source: Salesforce
First published: 2021-06-29T19:47:39Z
Last modified: 2021-06-29
Version: 5

Subject
How to authenticate Artifactory to OracleDB with Kerberos rather than user/password

Affected Versions
Artifactory 6+, Artifactory 7+

Resolution
Connecting Artifactory to OracleDB via Kerberos is a fairly herculean task compared to username/password. It requires knowledge of three mechanisms: Kerberos authentication, Oracle authentication, and Artifactory authentication. This guide covers connecting Artifactory to Oracle; it assumes you can already connect to Oracle directly using Kerberos only, which can be tested via sqlplus /@<DB service name>:

$ /opt/oracle/product/18c/dbhomeXE/bin/sqlplus /@XEPDB1
SQL*Plus: Release 18.0.0.0.0 - Production on Tue Mar 30 23:05:25 2021
Version 18.4.0.0.0
Copyright (c) 1982, 2018, Oracle.  All rights reserved.

Connected to:
Oracle Database 18c Express Edition Release 18.0.0.0.0 - Production
Version 18.4.0.0.0
SQL> 

Also verify that you are connected as the correct user; in my case I will be using ‘kerb7’:

SQL> show user
USER is "KERB7"

Once this is verified, we can begin Artifactory integration.

Artifactory 6
Provide the following JVM parameters in your artifactory.default/default file:

export JAVA_OPTIONS="$JAVA_OPTIONS -Doracle.net.kerberos5_mutual_authentication=true -Djava.security.krb5.conf=/etc/krb5.conf -Doracle.net.kerberos5_cc_name=/etc/krb5cache -Doracle.net.authentication_services=\"( KERBEROS5 )\""

Ensure that the artifactory user is able to read the ticket cache file and the krb5.conf file. If you need debug output, add this too: -Dsun.security.krb5.debug=true

You’ll get debug logging in catalina.out. It's quite verbose.

In db.properties, remove the username and password fields. I like to use a shorter JDBC URL with the DB service name in it:

type=oracle
driver=oracle.jdbc.OracleDriver
url=jdbc:oracle:thin:@oracle-kerb-6.internal:1521/XEPDB1


Artifactory 7
Apart from the additional LD_LIBRARY_PATH requirement for Oracle, the setup is similar. The system.yaml is the point of focus on the Artifactory side:

shared:
   env:
       LD_LIBRARY_PATH: /var/opt/jfrog/artifactory/oracle-client-lib
   extraJavaOpts: >
       -Doracle.net.kerberos5_mutual_authentication=true
       -Djava.security.krb5.conf=/etc/krb5.conf
       -Doracle.net.kerberos5_cc_name=/etc/krb5cache
       -Doracle.net.authentication_services="( KERBEROS5 )"
   database:
       type: "oracle"
       driver: "oracle.jdbc.OracleDriver"
       url: "jdbc:oracle:thin:@oracle-kerb-7.internal:1521/XEPDB1"
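
The read-access requirement on the ticket cache and krb5.conf, stated for Artifactory 6 and equally relevant to the Artifactory 7 setup, can be checked before restarting the service. The script below is an added example, not part of the original article or JFrog tooling; the function names, the --run switch and the use of an MIT or Heimdal klist are assumptions, and it goes one step further than the article by also flagging a ticket cache that group or other can access.

```shell
#!/bin/sh
# Added example: pre-flight check for the Kerberos files Artifactory's JVM reads.
# Defaults are the paths used in this article; override them via the environment.
KRB5_CONF="${KRB5_CONF:-/etc/krb5.conf}"
KRB5_CACHE="${KRB5_CACHE:-/etc/krb5cache}"

# Print a file's octal permission bits (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Succeeds if the file exists and the current user can read it.
check_readable() {
    [ -f "$1" ] && [ -r "$1" ]
}

# Succeeds if group and other have no access to the file. A ticket cache that
# other local accounts can read lets them reuse Artifactory's database identity.
check_private() {
    [ -f "$1" ] || return 1
    mode=$(file_mode "$1") || return 1
    case "$mode" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Run every check, print one line per failure, return the number of failures.
preflight() {
    fails=0
    check_readable "$1" || { echo "FAIL: cannot read $1"; fails=$((fails + 1)); }
    check_readable "$2" || { echo "FAIL: cannot read $2"; fails=$((fails + 1)); }
    check_private "$2" || { echo "FAIL: $2 is open to group/other"; fails=$((fails + 1)); }
    # Assumption: an MIT or Heimdal klist is installed; -s exits non-zero
    # when the cache holds no valid (unexpired) ticket.
    if command -v klist >/dev/null 2>&1 && check_readable "$2"; then
        klist -s -c "$2" || { echo "FAIL: no valid ticket in $2"; fails=$((fails + 1)); }
    fi
    return "$fails"
}

# Only run when asked to, e.g.: sudo -u artifactory sh krb_preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    preflight "$KRB5_CONF" "$KRB5_CACHE" && echo "OK: Kerberos files look usable"
fi
```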