Kerberos Authentication Setup for Oracle Database in XDM

Overview

To enable Kerberos authentication for a database integrated into XDM (e.g., Oracle), several configuration steps are required. This guide outlines all necessary preparations and adjustments to your Helm chart and runtime environment.

Prerequisites

Before proceeding, ensure the following components are available:

  • A valid Kerberos KeyTab file for database access

  • A correctly configured krb5.conf file

  • A correctly configured jaas.conf file referencing the KeyTab

  • A current JDBC driver that supports Kerberos authentication (e.g., Oracle JDBC driver)

  • Root CA certificates if required by your environment

  • Helm deployment access to the XDM application

  • Access to modify the values.yaml configuration file

  • Kubernetes access to create Secrets and ConfigMaps

Step-by-Step Configuration

1. Mount the Kerberos KeyTab File

The Kerberos KeyTab file must be provided to both the core and runner pods via Kubernetes Secret and mounted into the containers.

About the KeyTab File

A KeyTab file stores encrypted credentials (like username and password) for Kerberos authentication. It allows automated services to authenticate with the Kerberos Key Distribution Center (KDC) without human interaction.

Update values.yaml

core:
  volumes:
    - name: kerberos-keytab
      secret:
        secretName: kerberos-keytab-secret
  volumeMounts:
    - name: kerberos-keytab
      mountPath: /etc/security/keytabs
      readOnly: true

deployer:
  configuration:
    volumes:
      - name: kerberos-keytab
        secret:
          secretName: kerberos-keytab-secret
    volumeMounts:
      - name: kerberos-keytab
        mountPath: /etc/security/keytabs
        readOnly: true

2. Add krb5.conf and jaas.conf

krb5.conf

This file defines the Kerberos configuration, including KDCs, realms, and defaults.

Example:

[libdefaults]
  default_realm = EXAMPLE.COM

[realms]
  EXAMPLE.COM = {
    kdc = kdc.example.com
    admin_server = kdc.example.com
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM

jaas.conf

Specifies the Java Authentication and Authorization Service (JAAS) login module configuration.

Example:

com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/etc/security/keytabs/your.keytab"
  principal="your_principal@EXAMPLE.COM"
  storeKey=true
  useTicketCache=false;
};

Ensure the keyTab path and principal match your actual configuration.

Update values.yaml (continued)

Both files can be added to the container as ConfigMaps and mounted similarly to the KeyTab.

core:
  volumes:
    - name: kerberos-conf
      configMap:
        name: kerberos-config
  volumeMounts:
    - name: kerberos-conf
      mountPath: /etc/krb5
      readOnly: true

deployer:
  configuration:
    volumes:
      - name: kerberos-conf
        configMap:
          name: kerberos-config
    volumeMounts:
      - name: kerberos-conf
        mountPath: /etc/krb5
        readOnly: true

3. Set Environment Variables for Java

In the next step we need to tell the Java application where to find the Kerberos configuration files.

Set this environment variable in both core and runner pods of your Helm chart:

core:
  environment:
  - name: "_JAVA_OPTIONS"
    value: "-Djava.security.krb5.conf=/etc/krb5/krb5.conf -Djava.security.auth.login.config=/etc/krb5/jaas.conf"

deployer:
  configuration:
    environmentVariables:
      _JAVA_OPTIONS: "-Djava.security.krb5.conf=/etc/krb5/krb5.conf -Djava.security.auth.login.config=/etc/krb5/jaas.conf"

Replace the paths if your mount locations differ.

4. Add Root CAs

If the database requires trusted root certificates, store the CA files into a Kubernetes secret. These secrets must be mounted into the core and runner pods. XDM checks all files in the /xdm/certs directory at start time, and imports the certificates into the Java keystore.

The certificates are must be registered as follows:

xdm:
  certificates:
      - <certificate-secret-name-1>
      - <certificate-secret-name-2>
Once all these steps are completed, you need to redeploy the helm chart to apply the changes.

5. Update Connection URL

In the XDM web interface, you define a database connection object. As part of this configuration, you are required to specify a JDBC URL for the database connection. For Oracle databases, you must instruct the JDBC driver to use Kerberos authentication. This is achieved by adding the following properties to the JDBC URL:

?oracle.net.kerberos5_mutual_authentication=true&oracle.net.authentication_services=(KERBEROS5)

Example:

jdbc:oracle:thin:@//db.example.com:1521/ORCL?oracle.net.kerberos5_mutual_authentication=true&oracle.net.authentication_services=(KERBEROS5)