Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. IT Analytics Help
  3. Section XVI. System Administration
  4. Appendix F. Kerberos based proxy user's authentication in Oracle
  5. Modifications for Portal

Modifications for Portal

Following are the steps to perform the portal related modifications:

Portal Modifications

  1. Create a copy of /etc/krb5.conf from KDC to Portal server /etc/krb5.conf path.
  2. Copy the keytab file from KDC to Portal at /etc/v5srvtab.

    Note:

    The exported keytab file can be removed from KDC once it has been copied to portal server.

    For more information, see See Exporting service and user principal's to keytab file on KDC.

  3. Modify the owner and permission of above copied two files using the following commands:
    chown <oracle user>:<oracle group> /etc/krb5.conf /etc/v5srvtab
    # chmod 444 /etc/krb5.conf /etc/v5srvtab
    

    For example: # chown aptare:dba /etc/krb5.conf /etc/v5srvtab

  4. Add the following entries to /opt/aptare/oracle/network/admin/sqlnet.ora file
    • SQLNET.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5)

    • SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=scdb

    • SQLNET.KERBEROS5_CONF=/etc/krb5.conf

    • SQLNET.KERBEROS5_CONF_MIT=TRUE

    • SQLNET.KERBEROS5_REALMS=/etc/krb5.conf

    • SQLNET.KERBEROS5_KEYTAB=/etc/v5srvtab

    • SQLNET.FALLBACK_AUTHENTICATION=TRUE

    • SQLNET.KERBEROS5_CC_NAME=/tmp/kcache

    • SQLNET.KERBEROS5_CLOCKSKEW=300

  5. Modifications in the property file is required because when JDBC try to make multiple connections to Oracle DB, Oracle application treats this as a replay attack and errors out.

    To avoid the error, ensure that the [libdefaults] section in the Kerberos configuration file /etc/krb5.conf on KDC and client machine is configured forwardable = false.

    To update, restart kdc and admin service on KDC server using the following commands:

    systemctl restart krb5kdc.service

    systemctl restart kadmin.service

  6. Create cache file for portal user.

    For example, the command to generate cache file: kinit -k -t <Key Tab File> <kerberos user@domain realm name> -c <cache file name>

    kinit -k -t <Key Tab File> <kerberos user name>@<domain realm name>
     -c <cache file name> 
    # su - aptare (login as oracle user)
    #source <INSTALL_PATH>/aptare/bin/aptare_env.sh
    # kinit -k -t /etc/v5srvtab k1portal@EXAMPLE.COM 
    -c /tmp/portal_kcache;
  7. Tomcat user must have read privileges to the cache file. To ensure that the Tomcat OS user is able to make a JDBC connection to Oracle DB, use the following commands:
    .
    # chown <portal user>:<portal group> /tmp/portal_kcache;
    # chmod 444 /tmp/portal_kcache;
    

    For example: chown aptare:aptare /tmp/portal_kcache;

  8. The following properties must be added or updated in /opt/aptare/portalconf/portal.properties
    • db.url=jdbc:oracle:thin:@(DESCRIPTION=

      (ADDRESS=(PROTOCOL=tcp)(HOST=localhost)

      (PORT=1521))(CONNECT_DATA=(SERVICE_NAME=scdb)))

      Host and Service name could be different here.

    • db.user=<kerberos user name>@<domain realm name>

      For example: db.user=k1portal@EXAMPLE.COM Combination of kerberos portal user name and domain realm name

    • db.auth.scheme=kerberos

      This property must be defined to enable kerberos authentication and is case-insensitive

    • db.kerberos.keytab.path=/etc/v5srvtab

      This is absolute path of keytab file

    • db.driver=oracle.jdbc.OracleDriver

    • db.kerberos.portal_kcache.path=/tmp/portal_kcache

      This is absolute path of portal user cache file

    • db.connection.max=25

    • db.connection.min=25

    • db.connection.expiration=5

  9. Similar changes are required in the Data-receiver property file /opt/aptare/datarcvrconf/datrarcvrproperties.xml.

    Add or updated the bold perperties.

    <dataSource>
    <Driver> oracle.jdbc.driver.Oracle</Driver>
    <URL>jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)
    (HOST=localhost)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=scdb)))</URL>
    <UserId><kerberos user name>@<>
    <domain realm name></UserId>
    
    For example: <UserId>k1portal@EXAMPLE.COM</UserId>
    
    <Password>Z0Q5W+lQD2jreQaLBoYsviYO21WGOq5iTEo0Ad2uUj/e0GtqPkOtXFblKxCse
    KXO4VhpIQwwfrSfe59nGy156DV8lYoa7HWmL0hF+kAZXOoXfIN5YRAGfqDbCwrKQdtPY7pQh
    uTkZMPLl0d9Kzy6sLGMb/33L4hKuEl0ZZN2FG5US26JZ/uSOBF7T69ppqxGqXMleZ19QBcv
    UElLwJTn52SurL+K3RjCY7Xi0VJb4wLkax07xCkpSK9dJ6NMFJS3ybWP4jNs3rC3roudZak8
    wGqLNhAacyXgW4pMpgigVjGwNr0N8rJIgcGmXgAxSNs0qmQItuXPIyqGf+nWWEfScQ==
    </Password>
    
    <oracle_service_name>scdb</oracle_service_name>
    
    <ro_user>aptare_ro</ro_user>
    
    <ro_password>U9a7a+af94q0CUaIfzaVmYl1P1DhdQW96CQiYWgxUGSV5sfVVsxoWF5Riy
    V85MD8V0Ogy7UJo1sFmAL36KjDy8LA61pKeO4X39hRK/g8vvl/xNnG5bBYIF04/1LwD2FTz
    0lJERWopKVZ6pd6TkT0mGeKrnu2oYi97GtlW4J73tPGTFRhHyVw7yZKMmaxbs/FBwrz5aIf
    je3rT0w85m7Obtrjf2nJ2HjsaHnmToh0Ua96xlshjrE75UbaLMu0QEcF3PYF3qufYVIegn
    4VGSHcpsU/AFzurKpr0JTsU/6VqvdE4veBLv4FH5D05bRetaOA0SGKCazWA50
    xiirwocvgyw==
    </ro_password>
    
    <MaxConnections>125</MaxConnections>
    
    <MinConnections>5</MinConnections>
    
    <ConnExpirationTime>5</ConnExpirationTime>
    <authScheme>kerberos</authScheme>        
    <portalKcacheFile>/tmp/portal_kcache</portalKcacheFile>
    <kKeyTabFile>/etc/v5srvtab</kKeyTabFile>
    </dataSource>
Before the upgrade

The following are the steps to be performed before the upgrade.

  1. Provide dba grant to Kerberos portal user.

    # su - aptare ( login as Oracle service user)
    # source <INSTALL_PATH>/aptare/bin/aptare_env.sh
    # sqlplus / as sysdba
    
    SQL> alter session set container=scdb;
    SQL> GRANT DBA TO k1portal;
    SQL> GRANT EXECUTE ON SYS.DBMS_JOB TO k1portal;
    SQL> GRANT EXECUTE ON SYS.DBMS_LOB TO k1portal;
    SQL> GRANT EXECUTE ON SYS.DBMS_SCHEDULER TO k1portal;
    SQL> GRANT SELECT ON DBA_OBJECTS TO k1portal;
  2. Ensure portal cache file is valid and Tomcat user must have read permission.

    # chmod 444 /tmp/portal_kcache;
    chown <portal user>:<portal group> /tmp/portal_kcache
    

    For example:# chown aptare:aptare /tmp/portal_kcache

Post upgrade

The following are the steps to be performed after the upgrade.

  1. Revoke DBA role and grant a specific list of privileges to Kerberos users after a successful upgrade. k1portal is the Kerberos username here. It can be varied from environment to environment.

    Under sys user performs below revoke tasks:

    # su - aptare (login as oracle user)
    # source <INSTALL_PATH>/aptare/bin/aptare_env.sh
    # sqlplus "/ as sysdba"
    
    SQL> alter session set container=scdb;
    Session altered.
    
    SQL> REVOKE DBA FROM k1portal;
    Revoke succeeded.
  2. Again under sys user runs individual PLSQL scripts to grant a list of required privileges to Kerberos-enabled users for the normal functioning of ITA application.

  3. Ensure that the correct Kerberos username is given as arguments to the script.

    # su - aptare
    # source <INSTALL_PATH>/aptare/bin/aptare_env.sh
    sqlplus "/ as sysdba"
    SQL> alter session set container=scdb;
    SQL> @/opt/aptare/database/ora_scripts/kerberos_grants_portal.plb;
    Enter value for db_object_schema: portal
    Enter value for kerberos_schema: k1portal
    SQL> @/opt/aptare/database/ora_scripts/
    metadata_grants_to_kerberos_user.plb
    Enter value for kerberos_user_name: k1portal
    SQL> exit;
  4. Restart tomcat-portal and tomcat-agent and verify NBU ITA portal.

    /opt/aptare/bin/tomcat-portal restart
    
    /opt/aptare/bin/tomcat-agent restart

Note:

Kerberos cache file should not be expired, Tomcat and Aptare users must have access to the cache file, for this add a script in crontab to re-generate cache file as below :

# cat krb_cache_refresh.sh
su - aptare (login as oracle user)
source <INSTALL_PATH>/aptare/bin/aptare_env.sh
okinit -k -t /etc/v5srvtab k1portal
kinit -k -t /etc/v5srvtab k1portal@EXAMPLE.COM
 -c /tmp/portal_kcache
chmod 444 /tmp/portal_kcache;
chown <portal user>:<portal group> /tmp/portal_kcache

For example: chown aptare:aptare /tmp/portal_kcache

Feedback

Was this page helpful?
Previous

Modifications for Oracle

Next

Appendix G. Configure TLS-enabled Oracle database on IT Analytics Portal and data receiver

Feedback

Was this page helpful?