ARTIFACTORY: How to connect Artifactory to Oracle via Kerberos

Authors: Loren Yeung, Ino Choi
Article number: 000005039
First published: 2021-06-29T19:47:39Z
Last modified: 2025-05-15
Version: 8

Introduction 

Connecting Artifactory to OracleDB via Kerberos is a fairly herculean task compared to username/password. It requires knowledge of 3 mechanisms: Kerberos authentication, Oracle authentication, and Artifactory authentication.

This guide covers connecting Artifactory to Oracle. It assumes that you can already connect to Oracle directly using Kerberos only, which you can test with
sqlplus /@<DB service name>:
$ /opt/oracle/product/18c/dbhomeXE/bin/sqlplus /@XEPDB1

SQL*Plus: Release 18.0.0.0.0 - Production on Tue Mar 30 23:05:25 2021
Version 18.4.0.0.0
Copyright (c) 1982, 2018, Oracle.  All rights reserved.

Connected to:
Oracle Database 18c Express Edition Release 18.0.0.0.0 - Production
Version 18.4.0.0.0

SQL>

Please also verify that you are using the correct user. In my case, I will be using the user kerb7. You can verify this by running the following command:
SQL> SHOW USER

This should return:
USER is "KERB7"

Once this is verified, we can proceed with the Artifactory integration.


Resolution 


Artifactory 6
Provide the following JVM parameters in your artifactory.default/default file:
export JAVA_OPTIONS="$JAVA_OPTIONS -Doracle.net.kerberos5_mutual_authentication=true -Djava.security.krb5.conf=/etc/krb5.conf -Doracle.net.kerberos5_cc_name=/etc/krb5cache -Doracle.net.authentication_services=\"( KERBEROS5 )\""

Ensure that the Artifactory user is able to read the ticket cache file and the krb5.conf file. If you need debug output, add this too:
-Dsun.security.krb5.debug=true

You’ll get debug logging in catalina.out. It’s quite verbose.
In db.properties, remove the username and password fields. I like to use a shorter JDBC URL with the DB service name in it:
type=oracle
driver=oracle.jdbc.OracleDriver
url=jdbc:oracle:thin:@oracle-kerb-6.internal:1521/XEPDB1


Artifactory 7
Apart from the LD_LIBRARY_PATH requirement for Oracle, the setup is similar. The system.yaml is the point of focus on the Artifactory side of things:
shared:
    env:
        LD_LIBRARY_PATH: /var/opt/jfrog/artifactory/oracle-client-lib
    extraJavaOpts: >         
        -Doracle.net.kerberos5_mutual_authentication=true
        -Djava.security.krb5.conf=/etc/krb5.conf 
        -Doracle.net.kerberos5_cc_name=/etc/krb5cache
        -Doracle.net.authentication_services="( KERBEROS5 )"
    database:
        type: "oracle"
        driver: "oracle.jdbc.OracleDriver"
        url: "jdbc:oracle:thin:@oracle-kerb-7.internal:1521/XEPDB1"


Artifactory 7.90.x and above
For Artifactory version 7.90.x and above, please add the following configuration under the access section:
shared:
    env:
        LD_LIBRARY_PATH: /var/opt/jfrog/artifactory/oracle-client-lib
    extraJavaOpts: >         
        -Doracle.net.kerberos5_mutual_authentication=true
        -Djava.security.krb5.conf=/etc/krb5.conf 
        -Doracle.net.kerberos5_cc_name=/etc/krb5cache
        -Doracle.net.authentication_services="( KERBEROS5 )"
    database:
        type: "oracle"
        driver: "oracle.jdbc.OracleDriver"
        url: "jdbc:oracle:thin:@oracle-kerb-7.internal:1521/XEPDB1"
access:
    extraJavaOpts: >
        -Doracle.net.kerberos5_mutual_authentication=true
        -Djava.security.krb5.conf=/etc/krb5.conf 
        -Doracle.net.kerberos5_cc_name=/etc/krb5cache
        -Doracle.net.authentication_services="( KERBEROS5 )"


This configuration is necessary because starting with version 7.90.x, the Access service runs on a dedicated JVM (more information here). To ensure that Kerberos authentication functions correctly, these JVM parameters must be applied to the Access service separately.
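
The readability requirement for the ticket cache and krb5.conf, and the need to repeat the flags for the Access JVM on 7.90.x and above, can both be checked before restarting Artifactory. The script below is an added example, not part of the original article or JFrog's tooling; the function names and the rule that the cache must not be world-accessible are assumptions made here.

```shell
# Added example (not JFrog's code): preflight for the Kerberos JVM options above.
# Source it as the OS user that runs Artifactory, then call:
#   check_kerberos_opts "$JAVA_OPTIONS"
REQUIRED_OPTS="oracle.net.kerberos5_mutual_authentication
java.security.krb5.conf
oracle.net.kerberos5_cc_name
oracle.net.authentication_services"

# opt_value OPTS NAME: print the value of -DNAME=... (unquoted values without spaces only).
opt_value() {
    printf '%s\n' "$1" | tr ' \t' '\n\n' | sed -n "s|^-D$2=||p" | head -n 1
}

# check_kerberos_opts OPTS: return 0 only if every check passes.
check_kerberos_opts() {
    kopts=$1; krc=0
    # All four flags from the article must be present in this option string.
    for kname in $REQUIRED_OPTS; do
        case "$kopts" in
            *"-D$kname="*) ;;
            *) echo "MISSING: -D$kname" >&2; krc=1 ;;
        esac
    done
    # An odd number of double quotes means a truncated "( KERBEROS5 )" value.
    kq=$(printf '%s' "$kopts" | tr -cd '"' | wc -c)
    [ $((kq % 2)) -eq 0 ] || { echo "UNBALANCED QUOTES in options" >&2; krc=1; }
    # Both files must be readable by the user running this check.
    kconf=$(opt_value "$kopts" java.security.krb5.conf)
    kcache=$(opt_value "$kopts" oracle.net.kerberos5_cc_name)
    for kfile in "$kconf" "$kcache"; do
        [ -n "$kfile" ] || continue
        [ -r "$kfile" ] || { echo "UNREADABLE by $(id -un): $kfile" >&2; krc=1; }
    done
    # Assumption: the ticket cache should not be accessible to "other" users,
    # because anyone who can read it can reuse the ticket until it expires.
    if [ -n "$kcache" ] && [ -e "$kcache" ]; then
        kother=$(ls -ldL -- "$kcache" | cut -c8-10)
        [ "$kother" = "---" ] || { echo "WORLD-ACCESSIBLE cache: $kcache ($kother)" >&2; krc=1; }
    fi
    return $krc
}
```

Run it once per option string: JAVA_OPTIONS on Artifactory 6, and both shared.extraJavaOpts and access.extraJavaOpts on 7.90.x and above.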