Skip to content

Latest commit

 

History

History
194 lines (147 loc) · 7.56 KB

README.md

File metadata and controls

194 lines (147 loc) · 7.56 KB

was-kerberos-database

This is an experimentation environment for Database access on WebSphere with Kerberos. Practices demonstrated here are not necessarily recommended or secure. Use at your own risk.

Overview

The docker compose environment sets up a KDC , Database (DB2), and an application server (WebSphere traditional or Liberty) with kerberos configured in each image.

May require OpenJ9 Java 8. Tested with OpenJ9/OpenJDK 1.8.0_232

WebSphere traditional

Bring up the WebSphere traditional environment with:

./gradlew libertyPackage #create app and copy database drivers
docker-compose build
docker-compose up

keberos.py is the admin script for configuring kerberos and datasources
installApps.py is the admin script for installing the application

The application can be accessed at the endpoint:
http://localhost:9080/was-kerberos-database/example
username: dbuser password: password

Admin Console: https://localhost:9043/ibm/console/
User: wsadmin
Password: password

WSAdmin testing:
/opt/IBM/WebSphere/AppServer/bin/wsadmin.sh -conntype NONE -lang jython

Liberty

Liberty doesn't support accessing databases using kerberos

The Liberty environment is in liberty.yml

DB2

The compose environment for Liberty with DB2 is liberty-db2.yml

./gradlew libertyPackage
docker-compose -f liberty.yml build
docker-compose -f liberty.yml up

Once the environment is up (db2 usually takes the longest to start) this endpoint can be used to access the database:
http://localhost:9080/was-kerberos-database/example Which will respond with: java.sql.SQLInvalidAuthorizationSpecException: [jcc][t4][201][11237][4.25.13] Connection authorization failure occurred. Reason: Security mechanism not supported.
This shows that DB2 won't accept user/password, because it is expecting kerberos authentication.

SQLServer

The compose environment for Liberty with SQLServer is liberty-mssql.yml Currently there is no kerberos configured for SQLServer

./gradlew libertyPackage
docker-compose -f liberty-mssql.yml build
docker-compose -f liberty-mssql.yml up

SQLServer cmd line
/opt/mssql-tools/bin/sqlcmd -S localhost -U SA -P P@ssw0rd

SELECT auth_scheme FROM sys.dm_exec_connections  
GO

Currently getting the following when trying to login locally without user/pass:

2020-03-03 21:32:10.75 Logon       Error: 18452, Severity: 14, State: 1.
2020-03-03 21:32:10.75 Logon       Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. [CLIENT: 10.5.0.5]
Error: 18452, Severity: 14, State: 1 - The login may use Windows Authentication but the login is an unrecognized Windows principal. An unrecognized Windows principal means that Windows can't verify the login. This might be because the Windows login is from an untrusted domain.

My guess is this is due to the lack of Active Directory server, and that this will not be possible without one.

microsoft/mssql-docker#165

Oracle

The compose environment for Liberty with Oracle is liberty-oracle.yml Currently there is no kerberos configured for Oracle

./gradlew buildOracleBase
./gradlew libertyPackage
docker-compose -f liberty-oracle.yml build
docker-compose -f liberty-oracle.yml up
docker-compose -f liberty-oracle.yml down -v #Bring down and remove volume (so oracle data is not persisted)

Access oracle using sqlplus:

# Access oracle using default (BEQ) authentication
docker exec -it --user oracle was-kerberos-database_oracle_1 /bin/sh -c 'sqlplus / as sysdba'

# Access oracle using Kerberos Authentication
docker exec -it --user oracle was-kerberos-database_oracle_1 /bin/sh -c 'sqlplus /@XE'

# Interactive access to oracle using Kerberos Authentciation 
$ docker exec -it oracle was-kerberos-database_oracle_1
sh-4.2$ su oracle
[oracle@oracle /]$ sqlplus /@XE

Access oracle container: docker exec -it was-kerberos-database_oracle_1 /bin/sh

Current Status

When trying to authenticate with Kerberos using sqlplus /@XE sqlplus returns the error:

ERROR:
ORA-01017: invalid username/password; logon denied

Looking at the kerberos logs we see the authentication transaction take place:

# Oracle user was authenticated and a the AS_REQ was issued
Mar 23 21:35:22 99364b92d0d9 krb5kdc[28](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.0.11: NEEDED_PREAUTH: XE/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Mar 23 21:35:22 99364b92d0d9 krb5kdc[28](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.0.11: ISSUE: authtime 1584999322, etypes {rep=18 tkt=18 ses=18}, XE/[email protected] for krbtgt/[email protected]
# A request for the TGS came through, and was issued
Mar 23 21:35:40 99364b92d0d9 krb5kdc[28](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.0.11: ISSUE: authtime 1584999322, etypes {rep=18 tkt=18 ses=18}, XE/[email protected] for XE/[email protected]
Mar 23 21:35:40 99364b92d0d9 krb5kdc[28](info): TGS_REQ (1 etypes {18}) 10.5.0.11: ISSUE: authtime 1584999322, etypes {rep=18 tkt=18 ses=18}, XE/[email protected] for krbtgt/[email protected]

Then on the oracle side we get the following error output (After 2 minutes):

oracle_1    | ***********************************************************************
oracle_1    |
oracle_1    | Fatal NI connect error 12170.
oracle_1    |
oracle_1    |   VERSION INFORMATION:
oracle_1    | 	TNS for Linux: Version 18.0.0.0.0 - Production
oracle_1    | 	Oracle Bequeath NT Protocol Adapter for Linux: Version 18.0.0.0.0 - Production
oracle_1    | 	TCP/IP NT Protocol Adapter for Linux: Version 18.0.0.0.0 - Production
oracle_1    |   Version 18.4.0.0.0
oracle_1    |   Time: 23-MAR-2020 21:37:40
oracle_1    |   Tracing not turned on.
oracle_1    |   Tns error struct:
oracle_1    |     ns main err code: 12535
oracle_1    |
oracle_1    | TNS-12535: TNS:operation timed out
oracle_1    |     ns secondary err code: 12606
oracle_1    |     nt main err code: 0
oracle_1    |     nt secondary err code: 0
oracle_1    |     nt OS err code: 0
oracle_1    |   Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=127.0.0.1)(PORT=35334))
oracle_1    | 2020-03-23T21:37:40.003997+00:00
oracle_1    | WARNING: inbound connection timed out (ORA-3136)

Kerberos

Access Kerberos admin tooling

docker exec -it was-kerberos-database_kerberos_1 /bin/sh -c kadmin.local

Realm: EXAMPLE.COM
User: [email protected]
User: [email protected]
WAS Service: wassrvc/[email protected] DB2 Service: [email protected]
DB2 User: [email protected]

DB2

The Dockerfile installs kerberos libs, and copies docker-entrypoint.sh and createschema.sh into the image.
docker-entrypoint.sh creates the krb5.conf and starts the database.
createschema.sh updates the database configuration for kerberos, runs kinit with the user, and starts db2 admin.

The db2 user account is [email protected] The db2 kerberos service is [email protected]

We call kinit before db2start because db2 looks for credentials in the ccache.

DB2 Logs: /database/config/db2user/sqllib/db2dump/DIAG0000/

Links

Configure Kerberos in WAS
Configure Kerberos in DB2 Configure Kerberos in Oracle