This is an experimentation environment for Database access on WebSphere with Kerberos. Practices demonstrated here are not necessarily recommended or secure. Use at your own risk.
The docker compose environment sets up a KDC , Database (DB2), and an application server (WebSphere traditional or Liberty) with kerberos configured in each image.
May require OpenJ9 Java 8. Tested with OpenJ9/OpenJDK 1.8.0_232
Bring up the WebSphere traditional environment with:
./gradlew libertyPackage #create app and copy database drivers
docker-compose build
docker-compose upkeberos.py is the admin script for configuring kerberos and datasources
installApps.py is the admin script for installing the application
The application can be accessed at the endpoint:
http://localhost:9080/was-kerberos-database/example
username: dbuser
password: password
Admin Console: https://localhost:9043/ibm/console/
User: wsadmin
Password: password
WSAdmin testing:
/opt/IBM/WebSphere/AppServer/bin/wsadmin.sh -conntype NONE -lang jython
Liberty doesn't support accessing databases using kerberos
The Liberty environment is in liberty.yml
The compose environment for Liberty with DB2 is liberty-db2.yml
./gradlew libertyPackage
docker-compose -f liberty.yml build
docker-compose -f liberty.yml upOnce the environment is up (db2 usually takes the longest to start) this endpoint can be used to access the database:
http://localhost:9080/was-kerberos-database/example
Which will respond with: java.sql.SQLInvalidAuthorizationSpecException: [jcc][t4][201][11237][4.25.13] Connection authorization failure occurred. Reason: Security mechanism not supported.
This shows that DB2 won't accept user/password, because it is expecting kerberos authentication.
The compose environment for Liberty with SQLServer is liberty-mssql.yml
Currently there is no kerberos configured for SQLServer
./gradlew libertyPackage
docker-compose -f liberty-mssql.yml build
docker-compose -f liberty-mssql.yml upSQLServer cmd line
/opt/mssql-tools/bin/sqlcmd -S localhost -U SA -P P@ssw0rd
SELECT auth_scheme FROM sys.dm_exec_connections
GOCurrently getting the following when trying to login locally without user/pass:
2020-03-03 21:32:10.75 Logon Error: 18452, Severity: 14, State: 1.
2020-03-03 21:32:10.75 Logon Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. [CLIENT: 10.5.0.5]Error: 18452, Severity: 14, State: 1 - The login may use Windows Authentication but the login is an unrecognized Windows principal. An unrecognized Windows principal means that Windows can't verify the login. This might be because the Windows login is from an untrusted domain.My guess is this is due to the lack of Active Directory server, and that this will not be possible without one.
The compose environment for Liberty with Oracle is liberty-oracle.yml
Currently there is no kerberos configured for Oracle
./gradlew buildOracleBase
./gradlew libertyPackage
docker-compose -f liberty-oracle.yml build
docker-compose -f liberty-oracle.yml up
docker-compose -f liberty-oracle.yml down -v #Bring down and remove volume (so oracle data is not persisted)Access oracle using sqlplus:
# Access oracle using default (BEQ) authentication
docker exec -it --user oracle was-kerberos-database_oracle_1 /bin/sh -c 'sqlplus / as sysdba'
# Access oracle using Kerberos Authentication
docker exec -it --user oracle was-kerberos-database_oracle_1 /bin/sh -c 'sqlplus /@XE'
# Interactive access to oracle using Kerberos Authentciation
$ docker exec -it oracle was-kerberos-database_oracle_1
sh-4.2$ su oracle
[oracle@oracle /]$ sqlplus /@XEAccess oracle container:
docker exec -it was-kerberos-database_oracle_1 /bin/sh
When trying to authenticate with Kerberos using sqlplus /@XE sqlplus returns the error:
ERROR:
ORA-01017: invalid username/password; logon deniedLooking at the kerberos logs we see the authentication transaction take place:
# Oracle user was authenticated and a the AS_REQ was issued
Mar 23 21:35:22 99364b92d0d9 krb5kdc[28](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.0.11: NEEDED_PREAUTH: XE/oracle@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Mar 23 21:35:22 99364b92d0d9 krb5kdc[28](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.0.11: ISSUE: authtime 1584999322, etypes {rep=18 tkt=18 ses=18}, XE/oracle@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
# A request for the TGS came through, and was issued
Mar 23 21:35:40 99364b92d0d9 krb5kdc[28](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.0.11: ISSUE: authtime 1584999322, etypes {rep=18 tkt=18 ses=18}, XE/oracle@EXAMPLE.COM for XE/oracle@EXAMPLE.COM
Mar 23 21:35:40 99364b92d0d9 krb5kdc[28](info): TGS_REQ (1 etypes {18}) 10.5.0.11: ISSUE: authtime 1584999322, etypes {rep=18 tkt=18 ses=18}, XE/oracle@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COMThen on the oracle side we get the following error output (After 2 minutes):
oracle_1 | ***********************************************************************
oracle_1 |
oracle_1 | Fatal NI connect error 12170.
oracle_1 |
oracle_1 | VERSION INFORMATION:
oracle_1 | TNS for Linux: Version 18.0.0.0.0 - Production
oracle_1 | Oracle Bequeath NT Protocol Adapter for Linux: Version 18.0.0.0.0 - Production
oracle_1 | TCP/IP NT Protocol Adapter for Linux: Version 18.0.0.0.0 - Production
oracle_1 | Version 18.4.0.0.0
oracle_1 | Time: 23-MAR-2020 21:37:40
oracle_1 | Tracing not turned on.
oracle_1 | Tns error struct:
oracle_1 | ns main err code: 12535
oracle_1 |
oracle_1 | TNS-12535: TNS:operation timed out
oracle_1 | ns secondary err code: 12606
oracle_1 | nt main err code: 0
oracle_1 | nt secondary err code: 0
oracle_1 | nt OS err code: 0
oracle_1 | Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=127.0.0.1)(PORT=35334))
oracle_1 | 2020-03-23T21:37:40.003997+00:00
oracle_1 | WARNING: inbound connection timed out (ORA-3136)Access Kerberos admin tooling
docker exec -it was-kerberos-database_kerberos_1 /bin/sh -c kadmin.localRealm: EXAMPLE.COM
User: dbuser@EXAMPLE.COM
User: wsadmin@EXAMPLE.COM
WAS Service: wassrvc/websphere@EXAMPLE.COM
DB2 Service: db2srvc@EXAMPLE.COM
DB2 User: db2inst1@EXAMPLE.COM
The Dockerfile installs kerberos libs, and copies docker-entrypoint.sh and createschema.sh into the image.
docker-entrypoint.sh creates the krb5.conf and starts the database.
createschema.sh updates the database configuration for kerberos, runs kinit with the user, and starts db2 admin.
The db2 user account is db2inst1@EXAMPLE.COM The db2 kerberos service is db2srvc@EXAMPLE.COM
We call kinit before db2start because db2 looks for credentials in the ccache.
DB2 Logs: /database/config/db2user/sqllib/db2dump/DIAG0000/
Configure Kerberos in WAS
Configure Kerberos in DB2
Configure Kerberos in Oracle