Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. IT Analytics Help
  3. Section XVI. System Administration
  4. Appendix F. Kerberos based proxy user's authentication in Oracle
  5. Modifications for Oracle

Modifications for Oracle

Following are the steps to perform the Oracle related modifications:

Oracle modifications

  1. Copy /etc/krb5.conf from KDC to Oracle server /etc/krb5.conf path.
  2. Copy the keytab file from KDC to Oracle as /etc/v5srvtab

    Note:

    The exported keytab file can be removed from KDC once it has been copied to oracle server.

    Note:

    For more information, see See Exporting service and user principal's to keytab file on KDC.

  3. Grant appropriate permissions to files and directories so that Oracle service can read those files/directories mentioned in sqlnet.ora
    # chown <oracle user>:<oracle group> /etc/krb5.conf /etc/v5srvtab 
    # chmod 444 /etc/krb5.conf /etc/v5srvtab
    

    For example: # chown aptare:dba /etc/krb5.conf /etc/v5srvtab

  4. Add the following entries to /opt/aptare/oracle/network/admin/sqlnet.ora file.
    • SQLNET.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5)

    • SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=scdb

    • SQLNET.KERBEROS5_CONF=/etc/krb5.conf

    • SQLNET.KERBEROS5_CONF_MIT=TRUE

    • SQLNET.KERBEROS5_REALMS=/etc/krb5.conf

    • SQLNET.KERBEROS5_KEYTAB=/etc/v5srvtab

    • SQLNET.FALLBACK_AUTHENTICATION=TRUE

    • SQLNET.KERBEROS5_CC_NAME=/tmp/kcache

    • SQLNET.KERBEROS5_CLOCKSKEW=300

    Note:

    The Oracle server and KDC should have the same time and Timezone settings. If there is slight time mismatch, add the below entry to sqlnet.ora to cover the time mismatch. For example within 20mins. The default value is 300. SQLNET.KERBEROS5_CLOCKSKEW=1200. Cohesity recommends to configure both the servers to sync time from time servers.

  5. Create a user in Oracle to be used with Kerberos. We created k1portal user principal in KDC.
    # su - aptare (login as Oracle service user)
    # source <INSTALL_PATH>/aptare/bin/aptare_env.sh
    # sqlplus / as sysdba 
    SQL> alter session set container=scdb; 
    CREATE USER <kerberos user name> PROFILE DEFAULT IDENTIFIED EXTERNALLY AS 
    '<Kerberos user name>@<domain realm name>' DEFAULT TABLESPACE 
    APTARE_TBS_DATA_1M TEMPORARY TABLESPACE APTARE_TEMP_TBS;

    For example:

    SQL> CREATE USER k1portal PROFILE DEFAULT IDENTIFIED EXTERNALLY AS 
    'k1portal@EXAMPLE.COM' DEFAULT TABLESPACE 
    APTARE_TBS_DATA_1M TEMPORARY TABLESPACE APTARE_TEMP_TBS; 
    SQL> EXIT;
  6. Verify the parameter OS_AUTHENT_PREFIX="" is added in the parameter file ("pfile" or "spfile") of the database.

    If not added, the parameter needs to be added to the parameter file.

    For example: In the /opt/aptare/oracle/dbs/initscdb.ora file (initialization file for the service) add the following entry OS_AUTHENT_PREFIX=""

  7. In the /opt/aptare/oracle/dbs/initscdb.ora file (initialization file for the service) add the following entry

    OS_AUTHENT_PREFIX=""

  8. Restart Oracle service.
  9. Note:

    This step is optional if using pre-stashed Kerberos ticket.

    Execute the following commands to verify and to fetch initial TGT for k1portal user; login as Oracle service user
    # su - aptare (login as Oracle service user)
    # source <INSTALL_PATH>/aptare/bin/aptare_env.sh
    # oklist -k -t /etc/v5srvtab 
    # okinit -k -t /etc/v5srvtab k1portal
  10. Connect to Oracle DB using the following command.

    # sqlplus /@scdb

  11. Create a trigger for the Kerberos users corresponding to portal to alter the session which will set current schema as PORTAL
    # su - aptare ( login as Oracle service user)
    # source <INSTALL_PATH>/aptare/bin/aptare_env.sh
    # okinit -k -t /etc/v5srvtab k1portal; 

    The above command is optional for pre-stashed Kerberos ticket.

    # sqlplus /@scdb
    SQL> show user; # This must return k1portal
    SQL> CREATE OR REPLACE TRIGGER set_portal_schema 
    after logon on k1portal.schema begin execute immediate 
    'alter session set current_schema=PORTAL'; 
    end; 
    /
  12. Grant RO user to connect through PORTAL user
    sqlplus / as sysdba 
    SQL> alter session set container = scdb; 
    SQL> alter user aptare_ro grant connect through k1portal; 
    SQL> GRANT CREATE SESSION to aptare_ro; 
    Verify with RO user login 
    SQL> sqlplus [aptare_ro]/@scdb;
    SQL> show user; 
    This must return aptare_ro
    SQL> exit;
    

Feedback

Was this page helpful?
Previous

Exporting service and user principal's to keytab file on KDC

Next

Modifications for Portal

Feedback

Was this page helpful?