starting oracle work

README.md

@@ -8,14 +8,15 @@ The docker compose environment sets up a KDC , Database (DB2), and an applicatio
 
 May require OpenJ9 Java 8. Tested with OpenJ9/OpenJDK 1.8.0_232
 
+### WebSphere traditional 
+
 Bring up the WebSphere traditional environment with:
-```
-./gradlew libertyPackage
+
+``` sh
+./gradlew libertyPackage #create app and copy database drivers
 docker-compose build
 docker-compose up
 ```
-### WebSphere traditional 
-Also needs `./gradlew libertyPackage` run to copy the db2 driver and app to the correct directory.
 
 `keberos.py` is the admin script for configuring kerberos and datasources  
 `installApps.py` is the admin script for installing the application
@@ -35,10 +36,16 @@ WSAdmin testing:
 `/opt/IBM/WebSphere/AppServer/bin/wsadmin.sh -conntype NONE -lang jython`
 
 ### Liberty
+
 **Liberty doesn't support accessing databases using kerberos**
 
-The Liberty environment is in liberty.yml
-```
+The Liberty environment is in `liberty.yml`
+
+#### DB2
+
+The compose environment for Liberty with DB2 is `liberty-db2.yml`
+
+```sh
 ./gradlew libertyPackage
 docker-compose -f liberty.yml build
 docker-compose -f liberty.yml up
@@ -49,36 +56,122 @@ http://localhost:9080/was-kerberos-database/example
 Which will respond with:  `java.sql.SQLInvalidAuthorizationSpecException: [jcc][t4][201][11237][4.25.13] Connection authorization failure occurred. Reason: Security mechanism not supported. `  
 This shows that DB2 won't accept user/password, because it is expecting kerberos authentication.
 
-### Liberty with SQLServer
-**Liberty doesn't support accessing databases using kerberos**
+#### SQLServer
 
-The compose environment for Liberty with SQL Server is liberty-mssql.yml  
+The compose environment for Liberty with SQLServer is `liberty-mssql.yml` 
 Currently there is no kerberos configured for SQLServer
 
+```sh
+./gradlew libertyPackage
+docker-compose -f liberty-mssql.yml build
+docker-compose -f liberty-mssql.yml up
+```
+
 SQLServer cmd line  
 /opt/mssql-tools/bin/sqlcmd -S localhost -U SA -P P@ssw0rd
 
-```
+```sql
 SELECT auth_scheme FROM sys.dm_exec_connections  
 GO
 ```
 
 Currently getting the following when trying to login locally without user/pass:
-```
+```txt
 2020-03-03 21:32:10.75 Logon       Error: 18452, Severity: 14, State: 1.
 2020-03-03 21:32:10.75 Logon       Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. [CLIENT: 10.5.0.5]
 ```
-`Error: 18452, Severity: 14, State: 1 - The login may use Windows Authentication but the login is an unrecognized Windows principal. An unrecognized Windows principal means that Windows can't verify the login. This might be because the Windows login is from an untrusted domain.`
+
+```txt
+Error: 18452, Severity: 14, State: 1 - The login may use Windows Authentication but the login is an unrecognized Windows principal. An unrecognized Windows principal means that Windows can't verify the login. This might be because the Windows login is from an untrusted domain.
+```
 
 My guess is this is due to the lack of Active Directory server, and that this will not be possible without one.
 
 https://github.com/microsoft/mssql-docker/issues/165
 
+#### Oracle
+
+The compose environment for Liberty with Oracle is `liberty-oracle.yml`
+Currently there is no kerberos configured for Oracle
+
+```sh
+./gradlew buildOracleBase
+./gradlew libertyPackage
+docker-compose -f liberty-oracle.yml build
+docker-compose -f liberty-oracle.yml up
+docker-compose -f liberty-oracle.yml down -v #Bring down and remove volume (so oracle data is not persisted)
+```
+
+Access oracle using sqlplus:
+```sh
+# Access oracle using default (BEQ) authentication
+docker exec -it --user oracle was-kerberos-database_oracle_1 /bin/sh -c 'sqlplus / as sysdba'
+
+# Access oracle using Kerberos Authentication
+docker exec -it --user oracle was-kerberos-database_oracle_1 /bin/sh -c 'sqlplus /@XE'
+
+# Interactive access to oracle using Kerberos Authentciation 
+$ docker exec -it oracle was-kerberos-database_oracle_1
+sh-4.2$ su oracle
+[oracle@oracle /]$ sqlplus /@XE
+```
+
+Access oracle container:
+`docker exec -it was-kerberos-database_oracle_1 /bin/sh`
+
+#### Current Status
+When trying to authenticate with Kerberos using `sqlplus /@XE` sqlplus returns the error:
+```txt
+ERROR:
+ORA-01017: invalid username/password; logon denied
+```
+
+Looking at the kerberos logs we see the authentication transaction take place:
+```sh
+# Oracle user was authenticated and a the AS_REQ was issued
+Mar 23 21:35:22 99364b92d0d9 krb5kdc[28](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.0.11: NEEDED_PREAUTH: XE/[email protected] for krbtgt/[email protected], Additional pre-authentication required
+Mar 23 21:35:22 99364b92d0d9 krb5kdc[28](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.0.11: ISSUE: authtime 1584999322, etypes {rep=18 tkt=18 ses=18}, XE/[email protected] for krbtgt/[email protected]
+# A request for the TGS came through, and was issued
+Mar 23 21:35:40 99364b92d0d9 krb5kdc[28](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.0.11: ISSUE: authtime 1584999322, etypes {rep=18 tkt=18 ses=18}, XE/[email protected] for XE/[email protected]
+Mar 23 21:35:40 99364b92d0d9 krb5kdc[28](info): TGS_REQ (1 etypes {18}) 10.5.0.11: ISSUE: authtime 1584999322, etypes {rep=18 tkt=18 ses=18}, XE/[email protected] for krbtgt/[email protected]
+```
+
+Then on the oracle side we get the following error output (After 2 minutes):
+```sh
+oracle_1    | ***********************************************************************
+oracle_1    |
+oracle_1    | Fatal NI connect error 12170.
+oracle_1    |
+oracle_1    |   VERSION INFORMATION:
+oracle_1    | 	TNS for Linux: Version 18.0.0.0.0 - Production
+oracle_1    | 	Oracle Bequeath NT Protocol Adapter for Linux: Version 18.0.0.0.0 - Production
+oracle_1    | 	TCP/IP NT Protocol Adapter for Linux: Version 18.0.0.0.0 - Production
+oracle_1    |   Version 18.4.0.0.0
+oracle_1    |   Time: 23-MAR-2020 21:37:40
+oracle_1    |   Tracing not turned on.
+oracle_1    |   Tns error struct:
+oracle_1    |     ns main err code: 12535
+oracle_1    |
+oracle_1    | TNS-12535: TNS:operation timed out
+oracle_1    |     ns secondary err code: 12606
+oracle_1    |     nt main err code: 0
+oracle_1    |     nt secondary err code: 0
+oracle_1    |     nt OS err code: 0
+oracle_1    |   Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=127.0.0.1)(PORT=35334))
+oracle_1    | 2020-03-23T21:37:40.003997+00:00
+oracle_1    | WARNING: inbound connection timed out (ORA-3136)
+```
 ### Kerberos
+
+Access Kerberos admin tooling
+```sh
+docker exec -it was-kerberos-database_kerberos_1 /bin/sh -c kadmin.local
+```
+
 Realm: EXAMPLE.COM  
 User: [email protected]  
 User: [email protected]  
-WAS Service: wassrvc/[email protected]  
+WAS Service: wassrvc/[email protected]
 DB2 Service: [email protected]  
 DB2 User: [email protected]  
 
@@ -97,4 +190,5 @@ DB2 Logs: /database/config/db2user/sqllib/db2dump/DIAG0000/
 
 ### Links
 [Configure Kerberos in WAS](https://www.ibm.com/support/knowledgecenter/en/SSEQTP_9.0.5/com.ibm.websphere.base.doc/ae/tsec_kerb_setup.html)  
-[Configure Kerberos in DB2](https://www.ibm.com/support/knowledgecenter/en/SSEPGG_11.1.0/com.ibm.db2.luw.admin.sec.doc/doc/c0058525.html)
+[Configure Kerberos in DB2](https://www.ibm.com/support/knowledgecenter/en/SSEPGG_11.1.0/com.ibm.db2.luw.admin.sec.doc/doc/c0058525.html)
+[Configure Kerberos in Oracle](https://docs.oracle.com/en/database/oracle/oracle-database/20/dbseg/configuring-kerberos-authentication.html#GUID-39A6604D-35DD-40E5-A71E-079EE7C9DF15)

build.gradle

@@ -39,23 +39,28 @@ dependencies {
     libertyRuntime group:'io.openliberty', name:'openliberty-runtime', version:'[17.0.0.4,)'
     runtime group: 'com.ibm.db2.jcc', name: 'db2jcc', version: 'db2jcc4'
     runtime group: 'com.microsoft.sqlserver', name: 'mssql-jdbc', version: '8.2.1.jre8'
+    runtime (group: 'com.oracle.ojdbc', name: 'ojdbc8_g', version: '19.3.0.0') { transitive = false }
 }
 
 task copyDependenciesLiberty(type: Copy) {
    from configurations.runtime
    include 'db2jcc*'
    include 'mssql*'
+   include 'ojdbc8_g*'
    rename 'db2jcc(.*)', 'db2jcc.jar'
    rename 'mssql(.*)', 'mssql.jar'
+   rename 'ojdbc8_g(.*)', 'ojdbc8_g.jar'
    into 'liberty/build/dependencies'
 }
 
 task copyDependenciesWebSphere(type: Copy) {
    from configurations.runtime
    include 'db2jcc*'
    include 'mssql*'
+   include 'ojdbc8_g*'
    rename 'db2jcc(.*)', 'db2jcc.jar'
    rename 'mssql(.*)', 'mssql.jar'
+   rename 'ojdbc8_g(.*)', 'ojdbc8_g.jar'
    into 'websphere-traditional/build/dependencies'
 }
 
@@ -99,6 +104,7 @@ clean.dependsOn 'libertyStop'
 libertyPackage.dependsOn 'libertyStop'
 libertyPackage.dependsOn 'copyDependenciesLiberty'
 libertyPackage.dependsOn 'copyDependenciesWebSphere'
+composeBuild.dependsOn 'oracle:prebuildOracle'
 composeUp.dependsOn 'libertyPackage'
 composeUp.dependsOn 'composeDown'
 composeUp.dependsOn 'composeBuild'

kdc-server/Dockerfile

@@ -1,3 +1,4 @@
+# This is the Kerberos KDS
 FROM gcavalcante8808/krb5-server
 COPY docker-entrypoint.sh /
 ENTRYPOINT ["/sbin/tini", "--"]

kdc-server/docker-entrypoint.sh

@@ -93,6 +93,9 @@ EOT
 
     echo "Creating dbuser Account"
     kadmin.local -q "addprinc -pw ${KRB5_PASS} dbuser@${KRB5_REALM}"
+
+    echo "Creating XE/oracle Account"
+    kadmin.local -q "addprinc -pw ${KRB5_PASS} XE/oracle@${KRB5_REALM}"
 
     echo "Creating wsadmin Account"
     kadmin.local -q "addprinc -pw ${KRB5_PASS} wsadmin@${KRB5_REALM}"

liberty-oracle.yml

@@ -0,0 +1,61 @@
+version: '3'
+volumes:
+    krb5kdc-data:
+services:
+  # Liberty service
+  liberty:
+    build:
+      context: ./liberty
+      dockerfile: oracle.Dockerfile
+    ports:
+      - "9080:9080"
+      - "443:443"
+    environment:
+      - KRB5_REALM=EXAMPLE.COM
+      - KRB5_KDC=kerberos
+    depends_on: 
+      - "oracle"
+    networks:
+      krbnet:
+        ipv4_address: 10.5.0.4 
+    volumes:
+      - ./trace/liberty:/logs
+  # Oracle service 
+  oracle:
+    build:
+      context: ./oracle
+    hostname: oracle
+    ports:
+        - "1521:1521"
+        - "8080:8080"
+    environment:
+        - KRB5_REALM=EXAMPLE.COM
+        - KRB5_KDC=kerberos
+    depends_on:
+        - "kerberos"
+    networks:
+        krbnet:
+            ipv4_address: 10.5.0.11
+  # Kerberos service (KDC)
+  kerberos:
+    build: kdc-server
+    ports:
+      - "88:88"
+      - "464:464"
+      - "749:749"
+    environment:
+      - KRB5_REALM=EXAMPLE.COM
+      - KRB5_KDC=localhost
+      - KRB5_PASS=password
+    volumes:
+      - krb5kdc-data:/var/lib/krb5kdc
+      - ./trace/kerberos:/var/log
+    networks:
+      krbnet:
+        ipv4_address: 10.5.0.9
+# Network (Ensure they are on the same network)
+networks:
+  krbnet:   
+    ipam:
+      config:
+        - subnet: 10.5.0.0/16

liberty/oracle.Dockerfile

@@ -0,0 +1,23 @@
+FROM open-liberty
+USER root
+
+# Update and install Kerberos (client head) and depenedency apps
+RUN apt-get update
+RUN apt-get install -y krb5-user libpam-krb5 libpam-ccreds auth-client-config
+
+# Make excutable
+RUN chmod 777 /etc
+RUN mkdir /etc/krb5
+RUN printf 'add_entry -password -p XE/[email protected] -k 1 -e aes256-cts\npassword\nwkt /etc/krb5.keytab' | ktutil
+
+# Add startup script
+ADD docker-entrypoint.sh /
+RUN chmod a+x /docker-entrypoint.sh
+
+# Copy server.xml, application, and jdbc driver
+COPY oracle.server.xml /opt/ol/wlp/usr/servers/defaultServer/server.xml
+COPY ./build/libs/was-kerberos-database.war /opt/ol/wlp/usr/servers/defaultServer/apps/was-kerberos-database.war
+COPY ./build/dependencies/ojdbc8_g.jar /opt/ol/wlp/usr/shared/ojdbc8_g.jar
+
+# Set entrypoint
+ENTRYPOINT ["/docker-entrypoint.sh"]

liberty/oracle.server.xml

@@ -0,0 +1,54 @@
+<server>
+
+    <featureManager>
+      <feature>servlet-4.0</feature>
+      <feature>jdbc-4.2</feature>
+      <feature>appSecurity-2.0</feature>
+      <feature>jca-1.7</feature>
+      <feature>cdi-2.0</feature>
+    </featureManager>
+
+    <library id="oracleLib">
+      <fileset dir="/opt/ol/wlp/usr/shared/" includes="ojdbc8_g.jar"/>
+    </library>
+
+    <library id="loginLib">
+    </library>
+
+    <webApplication id="was-kerberos-database" location="was-kerberos-database.war" name="was-kerberos-database">
+      <application-bnd>
+        <security-role name="Manager" id="Manager">
+          <user name="user1"/>
+        </security-role>
+        <security-role name="Employee" id="Employee">
+          <user name="user2"/>
+        </security-role>
+      </application-bnd>
+    </webApplication>
+
+    <basicRegistry realm="defaultRealm">
+      <user password="password" name="user1"/>
+      <user password="password" name="user2" />
+    </basicRegistry>
+
+    <!-- Must be named JaasClient for the JCC driver -->
+    <jaasLoginContextEntry id="JaasClient" name="JaasClient" loginModuleRef="krb5LoginModule" />
+      <jaasLoginModule id="krb5LoginModule" className="com.ibm.security.auth.module.Krb5LoginModule" controlFlag="REQUIRED" libraryRef="loginLib">
+      <options credsType="both" useKeytab="/etc/krb5.keytab" principal="oracle/[email protected]"/>- <!-- debug="false" useDefaultCcache="true" -->
+    </jaasLoginModule>
+
+    <dataSource id="oracle" jndiName="jdbc/oracle" jaasLoginContextEntry="JaasClient">
+      <jdbcDriver libraryRef="oracleLib"/>
+      <properties.oracle databaseName = "XE" serverName="oracle" driverType="thin" portNumber="1521"
+        user="oracle/[email protected]" password="password"/>
+    </dataSource>
+
+    <dataSource id="noKrb5" jndiName="jdbc/nokrb5">
+      <jdbcDriver libraryRef="oracleLib"/>
+      <properties.oracle databaseName = "XE" serverName="oracle" driverType="thin" portNumber="1521"
+      user="system" password="oracle"/>
+    </dataSource>
+
+    <logging traceSpecification="*=info:RRA=all:WAS.j2c=all:WAS.database=all:com.ibm.ws.db2.logwriter=all"/>
+
+  </server>

oracle/.gitignore

@@ -0,0 +1 @@
+/docker-images

oracle/Dockerfile

@@ -0,0 +1,18 @@
+FROM oracle/database:18.4.0-xe
+
+# Update and install Kerberos (server head)
+RUN yum update -y
+RUN yum -y install krb5-workstation krb5-libs krb5-auth-dialog
+
+COPY setup/ /opt/oracle/scripts/setup
+COPY startup/ /opt/oracle/scripts/startup
+
+ENV ORACLE_PWD=password
+
+RUN mkdir /etc/krb5
+RUN printf 'add_entry -password -p XE/[email protected] -k 1 -e aes256-cts\npassword\nwkt /etc/krb5.keytab' | ktutil
+
+RUN chmod a+x /opt/oracle/scripts/setup/1kerberos.sh
+RUN chmod a+x /opt/oracle/scripts/setup/2oracle.sh
+RUN chmod a+x /opt/oracle/scripts/setup/3kerberos.sh
+RUN chmod a+x /opt/oracle/scripts/startup/oracle.sql