Oracle Kerberos Authentication — Part 3: Exadata Integration


Introduction

Exadata is Oracle’s flagship engineered system, designed for extreme performance and scalability. With its storage cells, compute nodes, and high-speed fabric (InfiniBand, or RoCE on newer generations), Exadata environments are often the backbone of financial institutions, telecoms, and government workloads.

When deploying Kerberos authentication here, the stakes are higher: auditors expect airtight compliance, and DBAs must ensure that authentication works seamlessly across all tiers. This guide explains how to integrate Kerberos into Exadata, with practical steps and lessons learned from real deployments.

Step 1: Understand Exadata Architecture

Exadata consists of:

  • Compute Nodes: Run Oracle RAC instances.

  • Storage Cells: Manage smart scans and storage offload.

  • InfiniBand Network: Provides high-speed interconnect.

Kerberos authentication terminates at the database instances on the compute nodes: the storage cells authenticate no database users, and the interconnect carries no Kerberos traffic. Proper integration still requires awareness of the entire stack, because the SCAN name clients connect to, the nodes’ time source, and the patching cycle (which rewrites files on every node) all decide whether authentication keeps working.

Step 2: Install Kerberos Packages on Compute Nodes

On each compute node:

yum install krb5-workstation krb5-libs

Ensure time synchronization across all nodes. Kerberos rejects any request whose timestamp is outside the permitted skew (300 seconds by default in both MIT krb5 and Active Directory), so a node that drifts stops authenticating. Use the time source the domain controllers use rather than a public pool, and run ntpdate before ntpd starts, since it cannot bind the NTP port while ntpd holds it:

ntpdate pool.ntp.org
systemctl enable ntpd
systemctl start ntpd

If the compute node image runs chronyd instead of ntpd, check the offset with chronyc tracking.

Step 3: Configure Kerberos Realm

Edit /etc/krb5.conf on all compute nodes. With dns_lookup_kdc = false only the KDCs listed here are used, so list at least two domain controllers in production; the realm name must match the Active Directory domain and be written in upper case.

[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  # keep tickets in a file cache: the Oracle Net Kerberos adapter reads FILE
  # caches, and current Linux distributions often default to KEYRING instead
  default_ccache_name = FILE:/tmp/krb5cc_%{uid}

[realms]
  EXAMPLE.COM = {
    kdc = adserver.example.com
    admin_server = adserver.example.com
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM

Distribute the file consistently:

scp /etc/krb5.conf exadata2:/etc/krb5.conf
scp /etc/krb5.conf exadata3:/etc/krb5.conf

Step 4: Keytab Management in Exadata

Keytabs must be identical on all compute nodes: the SCAN hands a client to whichever node it chooses, and that node must hold the key for the principal the client obtained a ticket for. The principal a client requests is built from the service name in SQLNET.AUTHENTICATION_KERBEROS5_SERVICE (oracle) and the host name in its connect descriptor, so every name clients connect to (the SCAN name, and each node’s own name if anything connects directly to a VIP) needs an entry in the keytab.

  1. Create Service Principal for Exadata

    On a domain controller (cmd.exe; ^ continues the line):

    ktpass -princ oracle/exadata-scan.example.com@EXAMPLE.COM ^
           -mapuser oracleuser ^
           -pass <StrongPassword> ^
           -ptype KRB5_NT_PRINCIPAL ^
           -crypto AES256-SHA1 ^
           -out exadata.keytab

    Two properties of ktpass matter here. It sets the mapped account’s password to the -pass value and increments the account’s key version number (kvno), so every rerun invalidates the keytab that is already deployed. And passing -crypto AES256-SHA1 explicitly (with AES enabled on the account in Active Directory) keeps RC4 keys out of the keytab.
  2. Deploy Keytab

    Copy the file to every node and set ownership and mode on each node, not only on the host where the file was generated; the Oracle software owner (oracle:oinstall here) must be able to read it, and nobody else should:

    for n in exadata1 exadata2 exadata3; do
      scp exadata.keytab $n:/etc/krb5.keytab
      ssh $n 'chown oracle:oinstall /etc/krb5.keytab && chmod 600 /etc/krb5.keytab'
    done
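The script below is an added example (not code from the original post or an Oracle tool) that automates this step: it pushes one keytab to every compute node with the right ownership, then verifies that all nodes hold byte-identical copies and that the key version number in the keytab matches what the KDC currently holds for the principal. The second check is the one that catches a keytab that went stale after a ktpass rerun or a node that was re-imaged during patching (the situation described under Real-World DBA Insights). Node names, the oracle:oinstall owner, the file paths and the principal name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Distributes a keytab to all
# compute nodes and verifies consistency. Host names, paths, the oracle:oinstall
# owner and the principal name are assumptions for illustration.
NODES="exadata1 exadata2 exadata3"
KEYTAB_SRC="./exadata.keytab"
KEYTAB_DST="/etc/krb5.keytab"
ORACLE_OWNER="oracle:oinstall"
PRINCIPAL="oracle/exadata-scan.example.com@EXAMPLE.COM"

# Return 0 when every "host hash" line in $1 carries the same hash.
hashes_consistent() {
    printf '%s\n' "$1" | awk 'NF >= 2 { seen[$2] = 1 }
        END { n = 0; for (h in seen) n++; if (n == 1) exit 0; exit 1 }'
}

# Print the highest kvno that `klist -k` output ($1) lists for principal $2
# (prints nothing when the principal is absent from the keytab).
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p && $1 + 0 > max { max = $1 + 0 }
        END { if (max) print max }'
}

# Print the kvno from `kvno <principal>` output ($1), e.g. "...: kvno = 3".
kdc_kvno() {
    printf '%s\n' "$1" | awk '/kvno = / { print $NF; exit }'
}

deploy_keytab() {
    for n in $NODES; do
        scp "$KEYTAB_SRC" "$n:$KEYTAB_DST" || return 1
        # ownership and mode must be fixed on each node, not on the source host
        ssh "$n" "chown $ORACLE_OWNER $KEYTAB_DST && chmod 600 $KEYTAB_DST" || return 1
    done
}

verify_keytabs() {
    hashes=$(for n in $NODES; do
        ssh "$n" "sha256sum $KEYTAB_DST" | awk -v h="$n" '{ print h, $1 }'
    done)
    hashes_consistent "$hashes" || { echo "keytab differs between nodes:"; echo "$hashes"; return 1; }
    # compare the kvno stored in the keytab with the kvno the KDC issues tickets for;
    # `kvno` needs a valid TGT in the caller's credential cache
    have=$(keytab_kvno "$(ssh "${NODES%% *}" "klist -k $KEYTAB_DST")" "$PRINCIPAL")
    want=$(kdc_kvno "$(kvno "$PRINCIPAL" 2>/dev/null)")
    [ -n "$have" ] && [ "$have" = "$want" ] || { echo "kvno mismatch: keytab=$have kdc=$want"; return 1; }
    echo "keytab consistent on all nodes, kvno $have"
}

case "${1:-}" in
    deploy) deploy_keytab ;;
    verify) verify_keytabs ;;
esac
```

Run it as `sh keytab_sync.sh deploy && sh keytab_sync.sh verify` (the file name is arbitrary) from a host that can ssh to every node as root and has a ticket of its own for the kvno comparison; adding the verify step to the post-patching checklist turns a silent authentication failure on one node into a visible mismatch.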

Step 5: Oracle Net Configuration

On each compute node, update $ORACLE_HOME/network/admin/sqlnet.ora of the database home (it is the database instances, not the Grid Infrastructure listeners, that authenticate users):

# BEQ stays in the list so local OS authentication on the node keeps working
SQLNET.AUTHENTICATION_SERVICES = (BEQ, KERBEROS5)
# service part of the principal: oracle/<host>@REALM
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = oracle
SQLNET.KERBEROS5_CONF = /etc/krb5.conf
# parse /etc/krb5.conf in MIT format
SQLNET.KERBEROS5_CONF_MIT = TRUE
SQLNET.KERBEROS5_KEYTAB = /etc/krb5.keytab

Clients need the same SQLNET.AUTHENTICATION_SERVICES, SQLNET.AUTHENTICATION_KERBEROS5_SERVICE and SQLNET.KERBEROS5_CONF entries, plus SQLNET.KERBEROS5_CC_NAME pointing at the per-user file cache that kinit writes; a single cache file shared by all OS users on a client host would let every one of them reuse the same ticket.

Step 6: Testing Kerberos in Exadata

The database user must already be mapped to the principal: a user created as identified externally with the full principal name, finance@EXAMPLE.COM, including the realm. Without that mapping the ticket is valid but the logon is rejected.

  1. Obtain Ticket

    kinit finance@EXAMPLE.COM
    klist
  2. Connect via SCAN

    sqlplus /@FIN_SERVICE

    The "/" means no database password is sent; Oracle Net presents a service ticket for oracle/exadata-scan.example.com@EXAMPLE.COM instead.
  3. Failover Test

    Shut down one instance. The -i argument is the instance name (ORCL1 here, by the usual RAC naming), not the host name:

    srvctl stop instance -d ORCL -i ORCL1

    Reconnect: the SCAN listener redirects the client to a surviving node, and because every node carries the same keytab the ticket for the same principal is accepted there. If the reconnect fails with a Kerberos error while the instance was reachable, the keytabs differ between nodes.
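The following script is an added example (not from the original post) of the check I would want behind this step: rather than trusting that a successful sqlplus login came from Kerberos, it asks the session which authentication method the database recorded, confirms the identity is the Kerberos principal, shows which RAC instance served the connection, and for the failover test stops that very instance and probes again. FIN_SERVICE, the principal, the database name ORCL and the instance names are assumptions; the SYS_CONTEXT attributes are the standard USERENV ones.

```shell
#!/bin/sh
# Added example, not from the original post. Proves that a connection through
# the SCAN authenticated with Kerberos (no silent fallback to another method),
# reports the serving RAC instance, and repeats the probe after a failover.
# FIN_SERVICE, the principal and the database name ORCL are assumptions.
SERVICE="FIN_SERVICE"
PRINCIPAL="finance@EXAMPLE.COM"
DB="ORCL"

# One-line probe: "<auth method> <authenticated identity> <instance name>".
run_probe() {
    sqlplus -S "/@$1" <<'EOF'
SET HEADING OFF FEEDBACK OFF PAGESIZE 0
SELECT SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD')  || ' ' ||
       SYS_CONTEXT('USERENV', 'AUTHENTICATED_IDENTITY') || ' ' ||
       SYS_CONTEXT('USERENV', 'INSTANCE_NAME')
FROM   dual;
EXIT
EOF
}

# Field $2 of the first probe line in $1 (ORA- error lines and blanks are skipped).
probe_field() {
    printf '%s\n' "$1" | awk -v f="$2" 'NF >= 3 && $1 !~ /^ORA-/ { print $f; exit }'
}

# Return 0 only when the probe output ($1) says KERBEROS for identity $2.
session_is_kerberos() {
    [ "$(probe_field "$1" 1)" = "KERBEROS" ] && [ "$(probe_field "$1" 2)" = "$2" ]
}

# Print the instance name of a verified Kerberos session, or fail.
check_once() {
    klist -s || { echo "no valid ticket in the credential cache; run kinit first" >&2; return 1; }
    out=$(run_probe "$SERVICE")
    session_is_kerberos "$out" "$PRINCIPAL" || { echo "not a Kerberos session: $out" >&2; return 1; }
    probe_field "$out" 3
}

case "${1:-}" in
    check)
        inst=$(check_once) && echo "Kerberos session on instance $inst" ;;
    failover)
        # stop the instance the session landed on, then reconnect through the SCAN
        before=$(check_once) || exit 1
        srvctl stop instance -d "$DB" -i "$before"
        after=$(check_once) || exit 1
        echo "reconnected with Kerberos on $after (was $before)"
        srvctl start instance -d "$DB" -i "$before" ;;
esac
```

The `check` mode runs anywhere the Oracle client and a ticket are available; the `failover` mode must run on a compute node with the database environment set, since it calls srvctl. Keeping the printed line from `check` is the kind of per-session evidence auditors ask for later.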

Step 7: Compliance Considerations

Exadata deployments often undergo PCI DSS, SOX, and GDPR audits. Kerberos helps by:

  • Eliminating password storage in Oracle: users mapped to a principal are identified externally, so the data dictionary holds no password verifier for them.

  • Centralizing authentication, and with it password policy, lockout and account disablement, in Active Directory/KDC.

  • Providing audit trails of ticket issuance: every TGT and service ticket request is logged on the domain controllers (Windows security events 4768 and 4769), and the database audit trail records the authentication method of each session.

Tip: Document every principal, keytab, and configuration file, and which node holds which copy. Auditors frequently request evidence of Kerberos integration.

Step 8: Performance Considerations

Kerberos adds work only when a session is established (a service ticket request to the KDC and its verification by the instance), not per statement, so the cost shows up where Exadata workloads create many sessions or hold them for a long time:

  • Batch Jobs: a ticket obtained in the evening is gone before a long ETL run finishes (Active Directory issues tickets with a 10-hour lifetime by default), so the job must renew or re-acquire its ticket.

  • Connection Pools: middleware that authenticates pooled connections with Kerberos must refresh its ticket before the pool reconnects, or every reconnect after expiry fails.

  • High Throughput: test Kerberos under peak session-creation rates, and watch the KDC as well as the database: every connect is a request to a domain controller, so an unreachable or overloaded KDC is now a database outage.
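The wrapper below is an added example (not from the original post) of the batch-job handling described here and in the overnight-ETL case under Real-World DBA Insights. Instead of renewing a human user’s cached ticket from cron, the job runs under its own principal obtained from a keytab, in a credential cache of its own, and a background loop renews the ticket (or re-acquires it once the renewable lifetime is exhausted) for as long as the job runs. The principal etl@EXAMPLE.COM, the keytab path, the cache path and the use of GNU date are assumptions; the cache path must be the one the Oracle client reads (SQLNET.KERBEROS5_CC_NAME, or its default of /tmp/krb5cc_<uid>).

```shell
#!/bin/sh
# Added example, not from the original post. Runs a batch job with a Kerberos
# ticket that outlives it: the job's own principal comes from a keytab (no
# password, no human user's cache), is renewed while renewable, and otherwise
# re-acquired. Principal, keytab path and cache path are assumptions.
BATCH_PRINCIPAL="etl@EXAMPLE.COM"
BATCH_KEYTAB="/etc/security/etl.keytab"   # mode 600, owned by the job's OS user
MIN_REMAINING=7200                        # seconds the ticket must still be valid
RENEW_EVERY=1800                          # background re-check interval
export KRB5CCNAME="FILE:/tmp/krb5cc_$(id -u)"   # the FILE cache Oracle Net reads

# Print the "MM/DD/YYYY HH:MM:SS" expiry of the TGT from `klist` output in $1
# (nothing when no TGT is listed, e.g. "klist: No credentials cache found").
ticket_expiry() {
    printf '%s\n' "$1" | awk '$5 ~ /^krbtgt\// { print $3 " " $4; exit }'
}

# Return 0 when fewer than $3 seconds remain between now ($1) and expiry ($2).
needs_renewal() {
    [ $(( $2 - $1 )) -lt "$3" ]
}

ensure_ticket() {
    expiry=$(ticket_expiry "$(klist 2>/dev/null)")
    if [ -n "$expiry" ]; then
        # GNU date (as on Oracle Linux) parses the klist timestamp format
        if ! needs_renewal "$(date +%s)" "$(date -d "$expiry" +%s)" "$MIN_REMAINING"; then
            return 0
        fi
        kinit -R 2>/dev/null && return 0   # cheap renewal while still renewable
    fi
    kinit -k -t "$BATCH_KEYTAB" "$BATCH_PRINCIPAL"
}

# Run "$@" with a valid ticket, renewing in the background until it finishes.
run_with_ticket() {
    ensure_ticket || return 1
    ( while sleep "$RENEW_EVERY"; do ensure_ticket; done ) &
    renewer=$!
    "$@"
    rc=$?
    kill "$renewer" 2>/dev/null
    return $rc
}

case "${1:-}" in
    run) shift; run_with_ticket "$@" ;;
esac
```

A cron entry then reads `0 22 * * * /path/to/etl_ticket.sh run /path/to/nightly_etl.sh` (both names hypothetical). Because the job authenticates as its own principal, the ETL account can be disabled or rotated in Active Directory without touching any DBA’s credentials, and a leaked keytab can only be used for that account.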

Real-World DBA Insights

  • In one Exadata deployment, Kerberos tickets expired during overnight ETL jobs, causing failures. Solution: automated ticket renewal via cron, with the ETL jobs running under their own service principal rather than a DBA’s ticket.

  • Another case involved mismatched keytabs across compute nodes after patching: connections worked or failed depending on which node the SCAN chose. Automating distribution, with a checksum comparison after every patch cycle, solved this permanently.

  • Auditors often ask for proof of Kerberos ticket usage. Keep klist outputs, the authentication method recorded in the database audit trail, and Oracle Net trace logs as evidence.

Conclusion

Kerberos authentication in Exadata environments is not just about security — it’s about compliance, scalability, and operational resilience. By synchronizing configs, managing keytabs carefully, and automating ticket renewal, you can ensure that your Exadata deployment remains secure and audit-ready.
