Oracle Kerberos Authentication — Part 2: RAC Integration

-

 

Introduction

In Part 1, we covered the fundamentals of Kerberos authentication with a single Oracle instance. But in real-world enterprise deployments, most mission-critical databases run on Oracle RAC (Real Application Clusters). RAC introduces complexity: multiple nodes, shared services, SCAN listeners, and failover scenarios. Kerberos must be configured consistently across all nodes to ensure seamless authentication.

This guide walks through the step-by-step RAC integration process, enriched with lessons learned from production environments.

Step 1: Synchronize Kerberos Configuration Across Nodes

Every RAC node must have identical Kerberos configuration files.

  1. Distribute krb5.conf

    scp /etc/krb5.conf racnode2:/etc/krb5.conf scp /etc/krb5.conf racnode3:/etc/krb5.conf

  2. Distribute Keytab

    scp /etc/krb5.keytab racnode2:/etc/krb5.keytab scp /etc/krb5.keytab racnode3:/etc/krb5.keytab chmod 600 /etc/krb5.keytab

  3. Verify Consistency

    md5sum /etc/krb5.conf /etc/krb5.keytab

Step 2: Configure sqlnet.ora on Each Node

Each RAC node’s $ORACLE_HOME/network/admin/sqlnet.ora must include Kerberos settings:

SQLNET.AUTHENTICATION_SERVICES = (KERBEROS5) SQLNET.KERBEROS5_CONF = /etc/krb5.conf
SQLNET.KERBEROS5_KEYTAB = /etc/krb5.keytab

Step 3: SCAN Listener Integration

RAC environments use SCAN listeners for client connections. These must be Kerberos-aware.

  1. Create Service Principal for SCAN On AD/KDC:

    ktpass -princ oracle/rac-scan.example.com@EXAMPLE.COM -mapuser oracleuser \ -pass <StrongPassword> \ -ptype KRB5_NT_PRINCIPAL \ -out racscan.keytab

  2. Deploy Keytab to All Nodes

    scp racscan.keytab racnode1:/etc/krb5.keytab scp racscan.keytab racnode2:/etc/krb5.keytab scp racscan.keytab racnode3:/etc/krb5.keytab

Step 4: srvctl Configuration

Update RAC services to use Kerberos authentication.

  1. Register Service

    srvctl add service -d ORCL -s HR_SERVICE -r racnode1,racnode2

  2. Enable Kerberos Modify listener.ora to reference Kerberos keytab. Example:

    ENCRYPTION_SERVICES = (KERBEROS5)

Step 5: Testing RAC Kerberos Authentication

  1. Obtain Ticket

    kinit hr@EXAMPLE.COM klist

  2. Connect via SCAN

    sqlplus /@HR_SERVICE

  3. Failover Test Shut down one node:

    srvctl stop instance -d ORCL -i racnode1 Reconnect — Kerberos authentication should succeed via another node.

Step 6: Common Pitfalls in RAC + Kerberos

  • Keytab Drift: If one node has an outdated keytab, authentication fails.

  • SCAN Principal Misconfiguration: Ensure SCAN FQDN matches Kerberos principal.

  • Ticket Expiration During Failover: Automate ticket renewal for long-running sessions.

  • Firewall Rules: All nodes must reach KDC on port 88.

Step 7: Best Practices

  • Automate Distribution: Use Ansible or Puppet to push Kerberos configs to all nodes.

  • Centralize Documentation: Maintain a single source of truth for principals and keytabs.

  • Monitor Tickets: Implement scripts to check ticket validity across nodes.

  • Audit Regularly: Ensure compliance with enterprise security policies.

Real-World DBA Insights

  • In one deployment, failover consistently failed because the SCAN principal was registered with a short hostname instead of FQDN. Always use fully qualified domain names.

  • Another case involved mismatched keytabs across nodes after a patch cycle. Automating distribution solved this permanently.

  • RAC environments amplify Kerberos issues — what works on one node must work identically everywhere.

Conclusion

Kerberos authentication in RAC environments requires discipline and consistency. By synchronizing configs, properly registering SCAN principals, and automating distribution, you can achieve seamless passwordless authentication across clustered databases.

This not only strengthens security but also ensures high availability without compromising compliance.

Comments

Post a Comment

Please do not enter any spam link in comment Section suggestions are Always Appreciated. Thanks.. !

Popular posts from this blog

How to clone Pluggable Database from one container to different Container Database

-
Image
How to clone Pluggable Database from one container to different Container Database Cloning and Refresh are day-to-day activity which DBA perform on regular basic. In today blog , We will discuss about Cloning of the pluggable database from one container database to different container database. Oracle offers to unplug a PDB from one CDB and then plug into a different CDB. This will be another additional feature of PDB to give the highest availability and scalability the database systems may need in a cloud infrastructure environment.  1)We have two container database cseeddb(Source Container DB) and ctestdb1 (target container DB). NOTE: We have created container DB ctestdb1 and it does not have any PDB(Pluggable DB). 2)Verify you are in the correct container database root namespace(CDB). NOTE: We are on first container (cseeddb) database where we have clonedb pluggable database which we will move in to another empty container ctestdb1. SQL> set echo on SQL> SET LINESIZE 20...
Read more

Oracle Block Corruption - Detection and Resolution

-
Oracle Block Corruption - Detection and Resolution Any kind of corruption in database can  lead to stand still operation of the organization and can cause sever impact to organisation. In this blog , We are going to discuss about Block Corruption of the oracle database. Block Corruption :  Oracle Block Corruption occurs due inconsistent block Header ,Footer ,Checksum or Structure. Depending on the kind of insistency ,We can divide corruption into Physical and Logical corruption. Physical Corruption is due to Bad header, header or footer mismatch ,Invalid Block checksum & misplaced block. Usually this kind of the block corruption are due to external reason and difficult to resolve by oracle utilities alone.  Logical Corruption is due to corrupt or invalid Block structure when block checksum is valid. This kind of the Corruption can be resolved by the Oracle Utilities. Detection of Block Corruption Whenever a corrupt block is read Oracle reports an error in the alert l...
Read more

Restore MySQL Database from mysqlbackup

-
Image
 Restore MySQL Database from mysqlbackup  In todays world, One of the most common activity is to perform database restore using old backup or performing PIT recovery for database.  In this blog , We will show you how to perform restore and recovery of the MySQL database using backup taken via mysqlbackup. In order to restore Mysql database from MySQL backup , We will follow below steps: 1) Shut down MySQL Database Server/Service Check the status of the mysql service using command : systemctl status mysql Shut down mysql service using command : systemctl stop mysql 2) Delete all existing file of MySQL Server Delete all files inside the server's data directory. Also delete all files inside the directories specified by the --innodb_data_home_dir, --innodb_log_group_home_dir, and --innodb_undo_directory options for restore, if the directories are different from the data directory. 3) Restore full Backup mysqlbackup  --defaults-file=/etc/mysql/mysql.conf.d/mysqld.cnf --d...
Read more